pr0zac
Jan 18, 2004

~*lukecagefan69*~


Pillbug

Carthoris posted:

Can you elaborate on the reasoning for this? Any theoretical vulnerabilities with LastPass? Assuming you have a strong pass-phrase that isn't used anywhere else and use TFA, what is wrong with LastPass that local password management like KeePass solves?

I understand that ideally you would want an attacker to need access to your password database, and that you can control that if you don't hand it to a third party, but if you aren't dealing with a nation state level attacker I don't see how they are going to get through AES-256 with a 30 character passphrase and TFA. KeePass alone without more stringent browser security isn't going to keep you from entering your password on an XSS compromised page, while LastPass has that functionality built in.

* For the sake of argument let's say that an attacker can pwn your personal computer just as easily as they can pwn LastPass's server, so they have access to your password DB either way. If we go from that assumption, what advantages does KeePass have over LastPass in terms of security?

To provide a second point of view, it's not that LastPass is bad per se, just that there are plenty of better choices, including a completely free one, that lack a lot of the worries around LastPass, so there's no good reason to use it over the alternatives.


pr0zac

Geemer posted:

Serious question: Why is everyone so convinced using a password manager is a good idea? To me it just seems like putting all your eggs in one basket.
Secondary question: Other than syncing across devices, what good are they over in-browser password storage? I never use it for similar reasons, and doesn't stuff like Firefox Sync or its Chrome counterpart that I am sure exists also do the trick?

It doesn't matter how complex your password for the meatspin.com forums is if someone can get to your password vault. Especially when that's protected by a password you're supposed to remember yourself instead of letting the computer generate a hash of correct horse battery staple.
Yes, I know your password vault will not be stored on the sites you use it for, but you should be using unique passwords anyway*.

*I use unique passwords for important stuff, throwaway accounts for things I don't care about are just that.


What's harder for most people, remembering one complex password that's computationally impossible to crack, or multiple complex passwords that are all computationally impossible to crack? In which situation are most people more likely to slack off and reuse passwords or use weak ones?

My point is, yes, the best possible method is memorizing dozens of randomly generated passwords, however very close to no one is able to do that in real life. Password managers provide a solution that improves security over the current real world method most people use by allowing them an easy way to use a different highly complex password for every website, while only minimally reducing security compared to the best possible method through having a single password protecting all of them.

That it's "one basket" doesn't matter very much if the basket is securely made. Take for example 1password, which uses PBKDF2-HMAC-SHA512 with 25,000 iterations by default. Let's say you have a copy of my 1password vault, for which the current password is 16 characters long and only made of letters and numbers. Currently oclHashcat64, the fastest hash cracking software, gets about 1000 guesses a second on a top of the line graphics card against 1password vaults. Let's assume you spin up 100,000 AWS instances with comparable power because you really wanna crack this drat thing and have a ton of money to burn on it.

So you're getting 100 million guesses a second. It will take (36^16)/(100,000,000*60*60*24*365), or about 2,523,674,882 years, to try every possible guess, for a statistical likelihood of finding my password in 1,261,837,441 years. I'm happy to send you my 1password vault if you wanna test it for yourself.
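The arithmetic in the post above, as an added example (not from the poster or from 1Password): exact integer keyspace maths for the 36-character, 16-length case, generalised so any charset, length and guess rate can be plugged in, plus a local timing of PBKDF2-HMAC-SHA512 at the 25,000-iteration cost to show why the per-guess rate is so low. The rate returned by the timing function is a single-core CPU figure and an assumption for illustration only; it is not the GPU rate the post quotes.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000, as in the post's formula


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: int) -> int:
    """Whole years needed to try every candidate at the given guess rate.

    Integer division keeps the 25-digit keyspace exact; floats would round it.
    """
    return keyspace(charset_size, length) // (guesses_per_second * SECONDS_PER_YEAR)


def expected_years(charset_size: int, length: int, guesses_per_second: int) -> int:
    """On average the right password turns up halfway through the keyspace."""
    return years_to_exhaust(charset_size, length, guesses_per_second) // 2


def measure_pbkdf2_rate(iterations: int = 25_000, samples: int = 20) -> float:
    """Guesses per second one CPU core manages at the vault's PBKDF2 cost.

    Assumption: a pure-CPU, single-threaded run; a GPU cracker is faster but the
    iteration count still bounds it, which is the point of the KDF.
    """
    salt = os.urandom(16)  # constructed salt; the real vault's salt is stored with it
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha512", b"guess-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # The post's scenario: letters+digits (36 symbols), 16 chars, 100k GPUs at 1000 g/s each.
    print("years to exhaust:", years_to_exhaust(36, 16, 100_000_000))  # 2523674882
    print("expected years:  ", expected_years(36, 16, 100_000_000))    # 1261837441
    # Contrast: an 8-character lowercase password at the same rate falls in under a year.
    print("8 lowercase chars, years:", years_to_exhaust(26, 8, 100_000_000))
    print("local single-core PBKDF2 rate: %.1f guesses/s" % measure_pbkdf2_rate())
```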

pr0zac

Geemer posted:

Thanks for the replies, it makes a bunch more sense when you put it like that.

What about the second question, though?

(Ignoring the generation of a strong password.) "Other than syncing across devices, what good are they over in-browser password storage? I never use it for similar reasons, and doesn't stuff like Firefox Sync or its Chrome counterpart that I am sure exists also do the trick?"

These aren't bad, and are comparable to other password managers, though in general they use less secure methods for storing the passwords. Like hooah alluded to, last I checked Chrome stored the passwords in plain text unless you're on OSX, where it uses Keychain. Safari uses Keychain on OSX as well. Firefox uses a master password with 3DES, which is a bit better as it's not tied to the system password.

One other benefit, besides syncing across devices, is that things like 1password/keepass are also easier to use across applications. I pretty regularly use Firefox, Safari, and Chrome, so being able to use 1password from all of them is pretty nice. It also makes it easier to store passwords for applications like Skype/Steam/etc.

pr0zac

turbomoose posted:

Recently when browsing SA and some other websites (usually news articles) my screen will go blank and then come back at the top of the webpage. So if it's a long webpage it will be scrolled to the top. I want to stress that the page has not been refreshed due to this, just changed how far down I have scrolled.

I have a screenshot of the blank screen and it has an interesting address at the bottom in hovertext.



It's something to the effect of vindicosuite.com, which after googling sounds like it's a problem with a site plugin for counting users, but this has been happening on multiple sites so I can't help but feel like it's a problem on my end.

This isn't really the correct thread for tech support but good lord update to Windows 10 already.

pr0zac

Non Serviam posted:

When I had a Mac, I used an app called "Little Snitch," which allowed me to monitor and/or kill any outbound connection. So far my search for a Windows alternative has been fruitless.

Do you guys know of something like this, or whether it's even useful?

Netlimiter https://www.netlimiter.com/

Glasswire https://www.glasswire.com/

Windows10 FirewallControl http://www.sphinx-soft.com/Vista/order.html

Regarding usefulness, I personally find running one constantly annoying as hell; it just results in security warning fatigue where you click allow blindly every time it pops a notification.

That said, I have up to date licenses for Little Snitch and Netlimiter because I find them really useful for tracking down weird network behavior. The latest example was a buggy Adobe updater that burned my fiancée's entire month of data in three days downloading the same file over and over.

pr0zac
hello what is this thread doing in the yospos


pr0zac

apseudonym posted:

Your phone is far more secure than your desktop, it's fine really.

This. Unless you're running a rooted phone and installing a bunch of sketchy non-Play Store apps, in which case stop doing that.
