Agreed. Anti-encryption people scare me. I also really hate that argument of "if you have nothing to hide, you have nothing to worry about". We use the Internet for SO MUCH SHIT. We store SO MUCH information on our computers, tablets, and phones. I like to protect my personal information. (Plus, I store all my passwords in LastPass so I can generate random 30-character passwords that I would NEVER be able to memorize. If they successfully weaken encryption--unlikely--my passwords are pretty fucked)
Found this link in a comment on https://www.ozbargain.com.au/node/158285 It seems to work indefinitely, I still have not gotten the email but my existing account was extended to January 2016: https://lastpass.com/promo.php?n=AppSumo&h=5395864c42a0ae0fe571f914852e9dd2bc5b5b218e9d15bee277029d8d0a81c5&code=R7RNOM5
ps. to see your current account details go here: https://lastpass.com/my.php
Edit: Thanks for the gold! wasn't expecting that :-)
If you have LastPass, they scan through your passwords and tell you which sites were vulnerable. Took me five minutes to change them.
EDIT: LastPass is free, if you didn't know. https://lastpass.com/
Ultraprotip: Use Lastpass. You won't know your password, so you can't give it away by accident - and if Lastpass doesn't fill it in for you, then you know it's not the real site.
I just want to reply to say, if you choose to use a cloud-based password manager, then you should be utilising two factor authentication (e.g. Google Authenticator). LastPass supports Google Authenticator on both free and premium accounts.
They also support:
All of this on the free accounts.
It's worth noting that it's not a good idea to change your passwords for websites until after they have patched their SSL and revoked and reissued their certificates.
An important distinction:
From the article I think they hash 100k times to make it computationally expensive to brute force the hashes.
Test your sites here: http://filippo.io/Heartbleed/
EDIT: This tool checks to see if a site COULD have been vulnerable: https://lastpass.com/heartbleed
The last link I posted will tell you if the technology running the site was potentially vulnerable, thus could have been compromised.
Since there is no way to know if you (or your site) were compromised, I completely agree with /u/twistedLucidity in that you should just reset your passwords to be safe.
And if you run a site with an SSL cert and Apache, it's probably best to get it re-issued.
As an end user, if you are concerned about your exposure while using the web, get Chrome and install Chromebleed. It puts a nifty little icon in your browser to tell you if the site you are on is vulnerable to attack using this vector. I don't know if there is a Firefox variant of this. If anyone knows of an add-on, please link it.
>my skype was changed
Do you use the same password for everything?
For the future I highly recommend two factor authentication for gmail with a 16+ character unique password and a password manager such as the open source KeePass for an offline password manager or LastPass for online. With these, generate 16-32 character unique passwords with upper, lower, special, and numbers for anything of significance you sign up for.
Also, if your gmail was compromised fix that first then assume any account you ever used your gmail to sign up with is compromised. You should lock down email first using two factor which will also sign others out of your gmail first then work on changing all your other passwords.
Use something like LastPass to store all your logins and passwords. This way you can pick random login names for most accounts and your password can be 20+ random characters. Turn on google authenticator and you just need your email address, passphrase, and phone to log into everything.
LastPass extension. Secure passwords that you never have to remember (except for the master one). For mobile use you have to pay for a premium version but its something around $1/month.
Time to export your data
You can go to your LastPass Icon > More Options > Advanced > Export in order to export your usernames and passwords to a .csv file (comma separated value)
Lastpass uses 256-bit AES encryption. Here's a thread on how long it would take to crack. And that's just one part of its security.
I've used it for five years and whole heartedly recommend it.
Really? Their FAQ says there is a small buffer period.
>Q: When is the new Premium price going into effect?
>A: The new price for LastPass Premium will go into effect for new customers starting August 3rd. For existing LastPass Premium customers, the new price is effective September 1st and you will receive a renewal notification via email in advance of your renewal date.
No, because it's all client-side (happens in the browser) and isn't necessarily sent over the network. It will be sent when the form is submitted, but filling a field with JS is no more or less secure than typing into the field manually.
There is a security concern with the way it's stored (e.g. storing credentials in a bookmarklet wouldn't be good) and I'd massively recommend using something like LastPass that's a bit more hardcore when it comes to security.
Source: Web developer
To stay secure, you should use a password manager, and generate a different random password for each site you use. The passwords should be as long and complex (e.g., including symbols) as the given site allows. The advantage of password managers is that you won't need to remember them. Also, turn on 2FA on all your important accounts, and wherever it's possible, prefer app based 2FA over text-based (hackers regularly trick mobile providers into reassigning your account to a different SIM). I work for LastPass, so I'm obviously biased when it comes to selecting a product (but it's free so no risk to try). From the security point of view, you should prefer products that guarantee zero knowledge, which means that it encrypts your password vault (saved credentials) on your computer or phone, before it uploads to the cloud. So even if there's a breach, if you use a strong master password, you're safe. UI and UX are also important. Ideally, you will be using your password manager all the time and across multiple devices, so it has to work really well for you. Otherwise, you'll quickly fall back to bad password practices :)
Hey all,
I believe this compilation of passwords is from a leak that occurred quite a while ago. We have not stored passwords in plaintext since I've worked on HoN (more than 2 years), and the leak that I do know happened with plaintext we announced and forced password resets.
If anyone has questions or concerns regarding this, please feel free to reply and I'll do my best to answer.
As a side note, it doesn't hurt to change your password every so often anyway, so while I don't think its strictly necessary, you can change it here: https://www.heroesofnewerth.com/support/
Finally, I've used https://lastpass.com/ for quite a while now, and would highly recommend it; it's helped me be a lot less concerned about these sorts of things purely from a user standpoint.
>Reading through this thread has also inspired me to create a brand new, totally unique password. I guess I'm guilty of the "It'll never happen to me" mentality, seeing some people here with accounts that look like they may have been compromised, kinda hit home.
Just a recommendation, but look into Lastpass or Keepass. They manage your passwords so you can have completely unique passwords for everything and never forget anything. I prefer Lastpass, but they're both good and both free. Lastpass is stored in the cloud (the folks over there have been pretty good with keeping your passwords secure) and is very convenient. You can always access everything from anywhere, and there's a fantastic browser plugin with auto-fill functionality that is much more secure than Firefox's remembering of passwords (which is NOT secure). Keepass is offline so you have to manage your password database file manually (don't worry, it's all encrypted so you keep a master password). Keepass is a little less convenient but you can store your database file in something like Dropbox and get a similar effect to Lastpass without disclosing your unencrypted passwords to a third party.
And I'm completely with you on the $60 as an Aussie, +respect for anyone who sells a AAA game here without charging +50%.
To anyone putting website logins and/or passwords on paper anywhere: stop. Inevitably, the question will turn from "what would you do if your notebook was lost?" to "what do I do now since my notebook was lost?" You can be the most cautious person in the world, but I can guarantee you'll either misplace your notebook someday or someone will snoop around and get all this info easily.
I would highly recommend investing in a password manager like 1Password or LastPass for this purpose.
Edit: Just to touch on the security aspect of it, it's basically as strong as you make it. To gain access to your passwords you use a master password, the stronger it is, the safer you are (as they are simply storing an encrypted blob on their servers for you). They also have several methods of two factor authentication you can use.
Found a way to get an ADDITIONAL 6 MONTHS FREE:
Edit: Deal has now expired, but /u/najodleglejszy found another method (bit more difficult, but works):
> if you're a student or work at university or school etc., try this for YET ANOTHER 6 MONTHS, works with .edu e-mails and reportedly with several others too https://lastpass.com/edupromo.php
> so far .edu.pl, .eur.nl and .ac.uk are confirmed working.
/u/neoKushan found a way to get a .edu email:
> If you DON'T have a .edu email, you can get one by going here and signing up using Alumni number 0000217100 or 0000217900. Use your own conscience with this one.
In case that's not obvious: change your password right now. If you can, enable two-step verification. Check your PC for malware, or just reinstall Windows entirely (or go for Ubuntu if that floats your boat).
Edit: If you want to go for even better security to prevent this in the future, I recommend you start using either an open source program like KeePass to store generated, random and, most important, separate passwords for all your sites in an encrypted database. If you lose one site, no other site is compromised. You can put your KeePass database file on Dropbox, or you could use an integrated browser solution like LastPass (I prefer LastPass, but it's not as open).
Here's 1 year of LastPass for any new users.
Edit: Someone redeemed it. Thanks for playing!
Ok, security stuff first:
Change your passwords again. I suggest checking out Last Pass, it creates highly encrypted passwords then gives you 1 easy password to access them. If you have any personal device such as that laptop, make sure there's a password on it, and if you have security questions for email or Facebook with anything like a pet's name/mother's maiden name etc. change it! That would be the easiest way for him to access your accounts.
Catching him:
When someone sends you an email they have to send it from the IP address of their computer. When he logged in to your account the same IP address was registered. So, assuming it hasn't changed, ask him to email you something and compare the IP address using this tutorial, and the one on your "recently logged in" email section. If they match, then he's the one who logged in.
Even if it wasn't him or you can't prove that it was, it sounds like it's best to remove him from your life. You shouldn't have to feel afraid of him visiting. If you can prove it was him you can even get a restraining order if you want. Hope I helped, good luck out there!♥
LastPass, it's free for the desktop, costs if you want mobile ($20/yr when bundled with xmarks). Advantage: if you have internet, you can find your passwords, Disadvantage: if you have a weak master password it's even worse than writing your passwords down.
For events like these I'd like to recommend LastPass. The last password you'll ever need :) After my old hotmail account got hacked I considered it but did nothing, but then gawker was hacked and I finally said enough and installed it. The initial time was a little boring, generating passwords and such, but after that it just makes everything so easy. If you are logged into the browser extension it just fills out everything for you. They store their stuff extremely well and know what they're doing. And for like $10 a year you can get the mobile app and additional features. Supports all major OSes and browsers.
Regardless of the actual encryption / volatility of the leaked data, it's still probably a good idea to change your password, very much so if you do something silly like using the same or similar passwords on multiple sites.
EDIT: Ebay apparently pulled the same garbage as PayPal where they won't let you copy-paste your passwords from a password database (hilariously enough it works on the login page, but not the change form). This does nothing but encourage bad password practices. Unless you're actively using Ebay for anything, you might want to think about closing your account.
EDIT 2: "Unfortunately, we can't close your account yet, because it has been suspended, restricted, or is otherwise not meeting minimum seller standards." I haven't used the account in more than a year and it has nothing but positive feedback and no restrictions or outstanding fees. Oh boy, this sounds like it's going to be fun.
Obligatory pitch for LastPass.
Seriously, use a password manager (doesn't have to be LastPass in particular, I just like that one) and generate random passwords for every site. I don't even know what my RPS forum password was, and I don't care at all that it's compromised, it won't give access to anything else.
I use LastPass regularly. It is very easy to use and very convenient. You can use it on mobile too. Also you can access all your passwords from anywhere in the world through the website if you want.
All your data is also is encrypted and protected with a master password you set up yourself. This means no one gets to access the content of your saved data except you.
It was also not affected during the famous Heartbleed incident.
Lastpass saved me from this sort of situation. Also, using separate 100-character passwords that contain symbols for different sites and not having to remember them all is so freeing.
I've been a user of LastPass for a few years on my desktop via their chrome extension, but recently moved over to a premium service which gives you access to the service on your phone/tablet via their LastPass Password Manager Android app. In addition to working with websites, it will also hook into your device as an input method. This lets you use the service for your apps, just not the web. It will also let you generate new, secure passwords as you sign up for new services/sites/apps.
I use LastPass though I'm a fairly big open source fanatic.
Here's why:
LastPass has released a simple, fully offline decryption tool for their blobs. This tool has fairly readable javascript source. https://lastpass.com/js/enc.php
LastPass has always been forthcoming about security issues in their product and has shown (to my moderate applied cryptography knowledge and to many better known cryptographers) that they have some idea what they're doing.
Easy magic sync. No thought involved. Can use 2-factor authentication on sign-in too, which could save you in a few attack scenarios.
And here's why I don't use KeePass:
If I recall correctly, key derivation under KeePass was questionably weak last time I checked. I'll examine this again to check.
The state of synchronization with KeePass is absolute shit last time I used it
The lack of browser extensions which work properly on Linux for KeePass made it simply useless to me
EDIT: Verified that bit about KeePass's key derivation. Seems different than last time I saw it, but it uses 6000 iterations of a custom AES-based key derivation function. AES executes extremely fast and most modern processors can perform accelerated AES computation. And they chose this instead of a major standard like PBKDF2 or scrypt... Key derivation fucking matters. Please stick to the well accepted standards.
LastPass uses PBKDF2, Password Safe (a more secure looking open source solution) uses a method developed by Schneier which looks pretty good, http://www.schneier.com/paper-low-entropy.pdf. Unfortunately, for me, Password Safe is only just now beginning to get Linux support and the browser extension support for it seems non-existent.
The bottom line is make sure you're using LastPass or Password Safe or some similar program to generate and store unique complex passwords for every website.
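The key-derivation point made above (6000 fast AES rounds versus a standard like PBKDF2) and the zero-knowledge design described earlier in the thread (the vault key never leaves the client), shown in runnable form. This is an added illustration written for this page, not LastPass's, KeePass's or Password Safe's own code; the random per-user salt, the single extra PBKDF2 round used to produce a separate login hash, and the two iteration counts are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters: the two iteration counts the thread compares.
ITERATIONS_LOW = 6000       # the KeePass figure quoted above
ITERATIONS_HIGH = 100_000   # the figure quoted earlier in the thread for LastPass


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Each iteration multiplies the cost of one offline guess against a stolen
    blob, while the legitimate user pays that cost once per unlock.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra PBKDF2 round over the vault key, salted with the password.

    Design assumption for this example: the server stores only this value and
    the encrypted blob. It never sees the vault key or the master password, so a
    server compromise yields neither (this is the zero-knowledge property).
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def server_verify(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    # Constant-time compare so the verifier does not leak a prefix match.
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


def enroll(master_password: str, iterations: int = ITERATIONS_HIGH) -> dict:
    """What the client sends at signup: a random salt and the login hash only."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "auth_hash": derive_auth_hash(key, master_password)}


def login(record: dict, master_password: str) -> bool:
    """Client re-derives the key locally and proves it via the login hash."""
    key = derive_vault_key(master_password, record["salt"], record["iterations"])
    return server_verify(record["auth_hash"], derive_auth_hash(key, master_password))


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough single-core throughput of master-password guesses at a given cost.

    The ratio between two iteration counts is what matters: raising the count
    from ITERATIONS_LOW to ITERATIONS_HIGH cuts an attacker's rate by ~16x.
    """
    salt = b"benchmark-salt"  # constructed
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = enroll("correct horse battery staple")
    print("login with right password:", login(record, "correct horse battery staple"))
    print("login with wrong password:", login(record, "correct horse battery stapler"))
    low, high = guesses_per_second(ITERATIONS_LOW), guesses_per_second(ITERATIONS_HIGH)
    print(f"guesses/s at {ITERATIONS_LOW}: {low:.0f}, at {ITERATIONS_HIGH}: {high:.0f}")
```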
I started using LastPass about a year ago, and not only are my passwords far, far safer, but it also makes logging into websites so much faster (much more reliable than the remember password feature built into web browsers).
Use this (or another password manager) and make long, obnoxiously hard passwords.
On important sites, like banking/paypal/etc, change them every few months.
With a password manager, you won't have to worry about remembering them, so they can be along the lines of ETj%LJjWXS476hIrNfk&af7#Gzj^Lo
Use gmail? Enable two-factor auth as well. (gmail's not the only one that has this, so check settings if you use hotmail or such) This makes it nearly impossible to access your email account, which is what a lot of hacks rely on as well; they'll get into your email, then use 'forgot password' anywhere they want to access.
Potentially.
Depending on the program you use, it's an encrypted database file to which you only have access to by password, Windows credentials, keyfile, private signed certificate, other, or a combination (for extra paranoid mode).
It's helpful in that you don't necessarily have to remember or type proper strong passwords ever again. An integrated password generator can create them for you, you store them in the db and the program will even type/copy the login info into login fields for you. If you've lots of passwords, and odds are you do as practically anything web based requires it, this is immensely helpful to stay secure instead of using a default PW for everything.
I myself prefer Keepass, I store the program/database on my USB on my keychain and sync it with my cloud storage, which is in turn accessible through mobile apps. Others are solely cloud based or both. You can save the file wherever you like.
Check them out for yourself:
I would go a step further and recommend people use LastPass Password Manager; it's free and can create random passwords for you and store them in a secure encrypted database. I don't know off the top of my head any of my passwords as they are all randomly generated.
Dude, LastPass. I use it and can wholeheartedly recommend it. These days we can do everything over the internet, so you have to take its security seriously. The free version already gets you a long way, and Premium costs a buck a month. If you're at university, you can also get a free 6-month Premium trial.
>Is LastPass safe enough even though it's in the cloud?
Yes.
Personally I use KeePass but I could use Lastpass as well and sleep well at night. Would LastPass even be in business if they leaked passwords?
Honestly LastPass Enterprise is probably one of the best options out there, and while I hate per-user annual pricing it's the way the market is going now and at least with LP you don't have to run your own server.
Other options include Pleasant Password Server which is a self-hosted solution built on top of KeePass and TeamPass which is FOSS but more barebones.
Hijacking top comment for PSA:
For those concerned about this sort of thing (which should be everyone) I implore you to look into a password manager. The idea is it will generate a random password for every site and store them in an encrypted, cloud accessible database so you have access to all your accounts, anywhere, anytime, and you only need to remember a single password (which you should never use for anything else). You install them via a browser plugin or app.
When Ticketek is breached and their database leaked, you'll rest easy knowing the password next to your email address was random, meaningless, and doesn't work for anything else.
Here are some links:
This is how to do passwords right.
Lastpass.
Browser extension for Chrome, Firefox, IE, Safari, and Opera on the Mac, Linux and Windows platforms. It also supports WebOS, iPhone OS, Symbian, Android, WP7, and Blackberry. I don't think that it will be an issue for compatibility.
It has been my favorite password manager for years; it autofills things, makes sure everything is set, and remembers my passwords. It's quite nice. It works amazingly for me and I highly recommend it.
They have a nice breakdown on their site. https://lastpass.com/go-premium/
I have it for syncing up with my iPhone and iPad. I couldn't justify spending on 1Password as it would take me 4 years' worth of LastPass Premium before it broke even, and by that time there'll probably be multiple new versions of 1Password where LastPass will always be the most updated version.
I've sworn by LastPass for a long time now. Great with the YubiKey.
https://www.yubico.com/applications/password-management/consumer/lastpass/
However, I'm staying vigilant on their progression from them being recently bought out by LogMeIn. As long as LogMeIn doesn't screw with their process, it's my go to password manager and one I recommend.
So, the procedure to delete your LastPass account:
Go to https://lastpass.com/delete_account.php
There's an option there to export your data.
Then cross your fingers that part of the deal wasn't to record a snapshot of accounts before the deal was announced.
I'll just recommend LastPass. It can generate extremely secure passwords (up to 100 characters in length) and save them for you. I believe everybody should have this installed as priority.
A lot of people in this thread have been suggesting https://lastpass.com/ as a way to securely store long alpha numeric passwords that are unique to each site they have an account with.
Proponents of LastPass argue that all data is encrypted client side, so LastPass doesn't have access to your passwords, but since it isn't open source there is no way to confirm that. With the Lavabit case, it came to our attention that the US government uses secret court orders to compel US based companies to provide backdoors to otherwise secure systems while issuing gag orders to prevent the exposure of the backdoor to the public. Since LastPass is a US based company, this is a real possibility, and I strongly suggest not to use them.
You are essentially putting all of your eggs(passwords and usernames) in one basket that is easily accessible to the US government and its allies.
People who truly value their security and privacy should use KeePass instead. It is essentially LastPass but it is open source so the code can be inspected for backdoors by the community. You can download it here: http://keepass.info/. Conveniently, KeePass is included in the Tails live Linux operating system, which is a privacy focused OS that is intended to leave no trace on any computer you use it on. You can download Tails and find more info on it here: https://tails.boum.org/.
Firefox can remember passwords, but I've never used this feature; I use LastPass instead. As far as the search engine trick is concerned, you can definitely do this in Firefox. Probably the easiest way is to right click on a search field, then click on "Add a Keyword for this search..."
Yet another longtime LastPass Premium user. While I like it a lot in general, it's fair to mention the disadvantages:
In short, it's likely okay and hella convenient, but there's a nonzero chance that there could be security trouble. If that bothers you, better go with an offline password manager like Keepass or others, and always a free software one.
If you use a password based blocker, use the LastPass Password Generator and create a password which fits the maximum capacity of the blocker, i.e. 15 characters, then change the password and email it to yourself using Future Me, then clear your clipboard. This will make it much harder for you to unblock the blocker and relapse.
I use LastPass. It keeps an encrypted copy of your passwords on your local machine, as well as an encrypted copy on their servers. That way, you can access your passwords either locally while offline, or through their server while online from any machine.
For online access, you simply install the extension for your browser, and they have automatic form filling, password generation, etc. If you're on a public machine without the extension, you can log into their website (via onscreen keyboard, if you're worried about keystroke thieves), and then have access to all your passwords.
It's free, but the mobile version (for smartphones) requires a premium account. Only costs $12/year though.
You guys bitching about making complicated passwords really need to start using a password manager.
Last Pass is free. It will generate and remember all of your passwords and is very simple to use.
I use 1Password ($49 covers all my computers, phone and iPad.) All my passwords are encrypted in the cloud and available to me where ever I am and on all my devices.
Both Last Pass and 1Password do so much more than simply generate and store passwords. You can store software serial numbers, store your name and address to fill in on websites with one click, store secure notes, etc.
It's 2012. Stop writing your passwords down, stop using the same password for multiple sites and stop having to figure out new passwords for yourself.
Like t0ny7 said export it to CSV then import to Keepass. In the Keepass desktop app I think you have to create a database then import the CSV.
Export to CSV like this: LastPass Icon > Tools > Advanced Tools > Export To. If that doesn't work right I used Lastpass Pocket to export my data to CSV.
Totally not related to your relationship, but you should never have the same password on all your accounts - especially with so many big companies' firewalls tumbling down. LastPass is a highly recommended site to create strong passwords for each site you use... that LastPass keeps track of for you, so you only have to remember the password to LastPass.
Totally about your relationship - I understand fearing the "shame" of a "failed marriage" (I'm divorced) but don't live a facade of a life because you don't want people thinking badly of you. Much better to have a happy life with others frowning than others smiling while you are dying.
But really, change to using a secure password system.
I like LastPass. It works on multiple browsers and sync passwords online. It's free for browser plugins, but mobile app and desktop app support have a small (I think yearly) fee. It's definitely the easiest that I've tried. It offers to generate passwords when you're at a registration form and can autofill remembered sites. Since it syncs to the cloud it's also the best when it comes to using on multiple computers or if one is broken/stolen.
I used lastpass
https://lastpass.com/f?2065906
Not only a great way to manage your passwords and make things easier, it also has an Emergency Access switch. Basically if you die it allows someone to access your vault. You tell your trusted friend/family to access the vault and LastPass puts the account on hold for a set amount of time, and if you don't reply to say you are ok then the vault is released.
If you're going to game on it, you should use Throttlestop to avoid fan noise.
I also suggest getting a microfiber cloth and something like this, for external cleanness.
Of course you should get rid of Lenovo's bloatware, I think I merely uninstalled most of it on Programs and Features.
I don't think it's still a thing (it was 4 years ago) but do check this website
I've never done a clean installation so I can't help you with that...
Do consider running an AMA in a couple of months at /r/laptopama
Btw, when it arrives can you confirm that the build inside and outside is full metal?
They don't have your passwords, if that's what you're asking. The encryption/decryption runs on your own machine, and you can access them if you wanted even without the service's website being online, as long as you've used that device before.
For example, here's LastPass explaining it:
I have used LastPass for about 5 years now. It sounds like you may be able to make use of their enterprise package that offers the features you may be looking for. If cost is an issue then perhaps an open-source service like KeePass could be used. When all else fails and you cannot be afforded specific software then you have the old spreadsheet kept in a secure location (safe) maneuver.
It sounds like you're interested in using a VM for your everyday computing, which isn't really what they are meant for. The security benefits of running a VM come from the fact that they are "sandboxed" from the normal computing environment which means that they cannot affect (or even detect) files or programs outside of their little virtual space. If you are running everything within your VM then you might as well not be using the VM because it's just using more resources for nothing.
I can't think of any reason for a typical user to run a VM at all. If you are interested in making your computer and online activities safer, your time would be much better spent reading a couple articles about computer and internet safety.
Also I can't recommend highly enough that you use a password manager like LastPass or KeePass. They will allow you to use extremely strong passwords and never have to remember any of them again. Using weak passwords and reusing passwords across services is one of the worst, and unfortunately most common mistakes that people make when it comes to securing their data.
Your account was hacked; it says it's closed because someone deleted it. Change your passwords on everything, and never use the same password you use for Google anywhere else; use Google passwords on Google services only.
This has nothing to do with a copyright strike.
Use something like https://lastpass.com/, randomize the passwords, and set a Master Password you don't use anywhere else.
Your computer is infected.
Your traffic was hijacked and rerouted through a proxy some time ago without you noticing. Something changed on the hijacker-owned proxy server, and now it's prompting for a password that didn't used to exist, causing you to see this.
You should assume that the accounts for any website you use on that laptop are compromised. Clean the computer, remove the proxy settings, and change your passwords IN THAT ORDER. It is important that you do not change the password while the computer is still infected; it would defeat the purpose.
Consider taking the opportunity to start using a centralized password manager, such as LastPass or KeePass. They help you manage your passwords easily, and can make recovering from things like this much easier in the future.
If you don't have 100% confidence in your ability to do any part of this properly, you should take your computer to your local Apple store for assistance.
Message me if you need more info, I'd be happy to help.
(And before someone comes to say "But OS X doesn't get viruses like Windoze!!1!1!!one!": You are wrong. It is possible.)
You could use a program like Lastpass as a password manager. If you can remember a single, very strong password to your Lastpass files, it will encrypt the rest.
Just one suggestion.
You should never write your passwords down. Rather than writing them, use something like LastPass or KeePass and a secure 16+ character master password with uppercase, lowercase, and special characters that are not basic dictionary words.
Then for all other sites you can generate 16+ character randomly generated secure passwords. This way if something is compromised you can just generate a new password. The only exception I would make is with your main email account, which you should protect with two factor authentication, because that way if you forget your master password you are still able to reset each of your passwords.
duosecurity.com is most certainly legitimate. They make a (rather nice) two factor authentication solution.
There also most certainly has been a very, very large password dump from adobe.com, and it's certainly been published, and security researchers have very much been trawling through it.
Given that the link seems to go to a reputable site (does it actually go to duosecurity.com? I don't believe Gmail lets you spoof things), that whois does show duo-labs.com and duosecurity.com to be rather similar, that Google confirms the two to be related, and that the advice is true (two-factor authentication would stop exposure from password reuse), it appears to be legit marketing for a security product. You can check whether the accounts were present in the adobe.com breach at various places around the net, including LastPass. If you have been exposed, those users should most definitely follow the advice on that page immediately - and you may want to consider looking into two-factor authentication for users that have credentials worth protecting. If you're not qualified to judge that, maybe suggest to your CEO that y'all engage a security consultant.
The bits that answer my question:
> “if your name is on the list, you could be sent push notifications, apps could theoretically know your home address or phone number. Companies that are looking to build a profile off you will now have even more complete data for those 12 million,”
> “When I looked at this issue [in the past], I showed how using only a UDID, it was possible to get access to private user information including friends lists, geolocation, information on what games you were playing and who you were chatting to. I was even able to take over Facebook and Twitter accounts, again using just a UDID,” he says.
Also, the great people at LastPass have put up a more secure UDID checker.
Have you looked at LastPass? It runs as an extension in Chrome and several other browsers. They also have free mobile apps available for all of the popular platforms, but you need to be a premium customer for them to function ($12/year).
I personally use it and I love it.
It's certainly not infinitely stronger, but length makes the search space size grow very quickly. In this case, since that password is so much longer than the other, the fact that it's only alpha + spaces (26 + 1 possibilities) outweighs the other password's greater alphabet (which could be up to all 94 printable ASCII + spaces as well). One thing that is a little problematic about using English words separated by spaces is that if hackers start adding this construction mechanism (valid grammatical constructions, common words, etc.), each word would then become a possible letter in an alphabet of search possibilities which is constrained by proper grammatical construction. It's not perfect, but assuming a "dumb" search of the password space it works.
Frankly I think I somewhat prefer Steve Gibson's concept of password padding (nice search space meter there as well), where one starts with a shorter password containing mixed case, digits, symbols, etc., then pads that out with low entropy using some mechanism you choose yourself. Under this condition an attacker will have to search a huge alphabet up to the length of the password you've padded in order to brute force it.
As a mixed alternative, instead of padding the password with repeats of a given symbol or simple patterns, you could also do something like this:
S&3i love protecting my bitcoin wallet
and that would probably be even a bit better, assuming one chooses a phrase of good length.
Edit: Also, LastPass is awesome and quite well designed from a security perspective.
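The search-space argument in the comment above, worked through as an added example (this code is mine, not the commenter's). It scores a password two ways: as a character-by-character brute force over whichever character classes appear (the "dumb" search), and as a word-aware search in which each dictionary word counts as one symbol from an assumed 7776-word list while any non-dictionary prefix is still brute-forced over the full alphabet. The class sizes, the word-list size, and the use of the phrase "i love protecting my bitcoin wallet" with and without the "S&3" padding are my assumptions for illustration; the 15-character password is the one quoted further down the thread.

```python
from __future__ import annotations

import math
import string

# Character classes for the "dumb" brute-force model. Assumed sizes:
# 26 + 26 + 10 + 32 = 94 printable ASCII characters, plus the space.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
    "space": ({" "}, 1),
}

# Assumed size of the word list a word-aware attacker would use
# (a Diceware-sized English list).
WORD_LIST_SIZE = 7776


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover if they only know which classes appear."""
    return sum(size for chars, size in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the search space for a character-by-character exhaustive search."""
    return len(password) * math.log2(alphabet_size(password))


def word_model_bits(words: list[str], word_list_size: int = WORD_LIST_SIZE,
                    random_prefix: str = "") -> float:
    """Search space when each word is one symbol from a word list and any
    non-dictionary prefix is brute-forced over the full 95-character set."""
    word_bits = len(words) * math.log2(word_list_size)
    prefix_bits = len(random_prefix) * math.log2(95) if random_prefix else 0.0
    return word_bits + prefix_bits


def compare(passphrase_words: list[str], prefix: str = "") -> dict:
    """Both estimates for a passphrase, optionally padded with a random prefix."""
    full = prefix + " ".join(passphrase_words)
    return {
        "password": full,
        "dumb_search_bits": round(brute_force_bits(full), 1),
        "word_aware_bits": round(word_model_bits(passphrase_words, random_prefix=prefix), 1),
    }


if __name__ == "__main__":
    # Constructed inputs: the thread's phrase, its padded form, and the
    # 15-character generated password quoted later in the thread.
    words = "i love protecting my bitcoin wallet".split()
    print(compare(words))
    print(compare(words, prefix="S&3"))
    print({"password": "fg3uIe$Y&fI4tWt",
           "dumb_search_bits": round(brute_force_bits("fg3uIe$Y&fI4tWt"), 1)})
```

Running it shows the gap between the two models: the plain phrase looks like 166 bits to a dumb search but only about 78 bits to a word-aware one, while the padded variant keeps roughly 97 bits under the word-aware model because the padding is the only part that still costs the attacker the full alphabet.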
> Why does Lastpass not use the mobile number as a backup option?
Because SMS is inherently insecure, and cannot be used to transmit cryptographic data. Also because LastPass does not (and should not) know your encryption key, so recovery is impossible without local information saved on the user's end. The easier the recovery, the worse the security. This is just an unavoidable trade off.
Can you explain what exactly you mean by "recovery doesn't work" and "revert option ... doesn't work"? What exactly happened when you tried to do that? What's your OS and browser?
You can also contact support by opening a ticket. They cannot help with recovery, but they should be able to help with reverting a password change.
This is expected behavior and addressed in the official FAQ: Why does LastPass fill credentials on my site before prompting for 2 Factor Authentication?
Your master password is used for encryption and authentication, whereas 2FA is only used for authentication but not encryption. When there's a local copy on your computer, authentication is not needed to access your local data.
I use it. I wouldn't say it's seamless.
I find for a few sites that it won't fill in the fields properly. In those cases you can copy and paste the password from the app or browser plugin. In a few rare cases I have to hand enter the password, which can be a pain, especially for something like Netflix on Apple TV.
However, for me it is worth this inconvenience for the increased security of having a strong randomly generated password for each site.
It was also a bit unnerving for me at the start to not know any of my passwords except for of course the one used to unlock lastpass.
Another concern people have is what if the service disappears, but they address that: https://lastpass.com/support.php?cmd=getfeaturefaq&feature=feataure_16
The only thing I trust LP about is making my encrypted data available to me on multiple platforms for a low monthly fee. My client decrypts/encrypts the data - they never have access to any unencrypted information. They have had a security breach in the past, and clients were safe because attackers gained access to nothing but useless encrypted data.
You are in a maze of AES-256-encrypted blobs of data, all different.
details for nerds: https://lastpass.com/support.php?cmd=showfaq&id=6926
KeePass (keepass.info) (PC, Mac, Linux, Android, iOS, etc.) http://keepass.info/download.html
Personally, I used to use this for the longest time while putting the master database in a Dropbox location. It works great and the automation they offered to auto-login is something I can't replicate (easily) in other products. It just works.
When I did team-based sharing, I used a file server to hold the database and used password + keyfile for locking. The issue here is the ability for keepass to work while 3 people are in at the same time. Sometimes you get syncing errors that are usually easy to fix.
LastPass (web based) https://lastpass.com/
If you want to share within a group that is easy and seamless, this is where I would go. That being said, the Enterprise version does have a cost associated with the subscription which I think you might want here.
I personally have a Yubikey (TFA) which got me an Enterprise license for 1 year. https://www.yubico.com/product/lastpass-bundles/
*edit Links
Here's some real advice that almost nobody in this thread is giving you.
1. Do not pay this guy. There is no guarantee you are going to get your account back. You are trusting a thief to give you something back that he stole from you.
2. Reinstall Windows. You do not seem very technical, so I do not think you will be able to reliably remove the trojan virus that was placed into your system. You need to make sure this system is clean. The best way is to completely reinstall Windows. Back up the data you need, but start fresh.
2a. As you are reinstalling Windows, follow this article from Steam to reclaim your account (this will take time so start ASAP).
I've done this once in the past when I stupidly got my account stolen. This was almost 8 years ago, so the policy may be different, but all I needed to do was prove that I owned the account by providing steam support with credit card credentials from a purchase (something that the hacker won't have).
If you have any questions or need help PM me or respond here. I'm not a big participator in reddit, but I know how to get your account back if you follow these steps, and I also know the fear and anxiety you are going through. If you follow all of these steps you will get your account back within a week as well as having secured your systems from this hacker.
There is actually a decent write up on yahoo that can explain it to the masses:
It includes a link to a resource that checks if a site is/was vulnerable:
Using LastPass will make it easy to have unique passwords for every site. It can import saved password data that's already in your browser, then as you visit sites you can use the built-in password generator to generate a unique secure password.
A legitimate concern and one LastPass addresses very well on their webpage -- if you choose just one good, say 16-character, password, even if it was 6 random alphanumeric characters followed by a string of 10 of the same punctuation character, realistically speaking you won't be cracked.
A hacker could somehow use a keylogger, or you could write that one password down, but that's human error and you are screwed anyway.
Personally I can enter my pw using an onscreen keyboard and lastpass will log me in automatically, so with my current setup I am immune to most keyloggers.
Better than the alternative and it is an incredible timesaver.
My understanding with LastPass is that your stored passwords are encrypted with your master password. Your master password is not stored on their servers and the other passwords you’ve stored there are unintelligible without your master password to act as the key.
That, coupled with ideal usage (unique pw for each site) makes it much safer imo.
More details here https://lastpass.com/whylastpass_technology.php
Maybe try a password manager - Dashlane, 1Password, KeePass - I personally use LastPass, because I can have it sync to my phone, and I like the Chrome integration.
I'd never keep track of all my stuff without it.
Another great tool that I really love is lastpass. They have a similar random password generator but the added convenience of automatically saving it for you and auto-filling it when you login to the sites through a browser plugin. They also support two-factor authentication for added security and strongly recommend it for some extra protection.
It's also not stored locally in a plain text file so you are a little more protected assuming you use a strong master password.
It stores the passwords online, I'm not sure what he's talking about with the locally thing.
edit: I found this on their website though...
>>Local-Only Decryption
>>All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.
Read more about how they keep your information secure in this article - How is LastPass secure and how does it encrypt/decrypt my data safely?
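Putting the two answers above together, the FAQ answer that the master password does encryption while 2FA does only authentication, and the Local-Only Decryption quote that the key never leaves the device, here is an added example of that split as a defender would model it. It is my illustration, not LastPass's code: the 100,000-iteration PBKDF2 work factor, the extra one-iteration PBKDF2 step that turns the vault key into a login credential, and the HMAC key-confirmation tag standing in for AES-256 vault encryption are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed work factor for this example; not taken from the page.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client-side: stretch the master password into the key that protects the
    vault. This value is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client-side: one more one-way step yields the credential the server keeps.
    Knowing this value does not give the server (or a thief) the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def login_credential(master_password: str, salt: bytes) -> bytes:
    """What the client sends at login: the login hash, never the key."""
    return derive_login_hash(derive_vault_key(master_password, salt), master_password)


def seal_vault(vault_key: bytes, salt: bytes) -> dict:
    """Stand-in for vault encryption. The real product encrypts with AES-256
    under the vault key; here a key-confirmation tag models 'only this key
    opens it' (assumption: HMAC tag instead of ciphertext)."""
    return {"salt": salt, "tag": hmac.new(vault_key, b"vault-key-check", "sha256").digest()}


def open_vault(blob: dict, master_password: str) -> bool:
    """Unlock a cached blob using only local data and the master password.
    No server round trip and no second factor are involved."""
    key = derive_vault_key(master_password, blob["salt"])
    expected = hmac.new(key, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(expected, blob["tag"])


class Server:
    """The sync service sees only the login hash and the sealed blob."""

    def __init__(self, login_hash: bytes, blob: dict, require_2fa: bool = True):
        self.login_hash = login_hash
        self.blob = blob
        self.require_2fa = require_2fa

    def fetch_blob(self, login_hash: bytes, second_factor_ok: bool):
        """2FA gates delivery of the blob, not the ability to decrypt it."""
        if not hmac.compare_digest(login_hash, self.login_hash):
            return None
        if self.require_2fa and not second_factor_ok:
            return None
        return self.blob


def enroll(master_password: str, salt: bytes | None = None):
    """Create the local cache and the server record for a new user."""
    salt = salt or os.urandom(16)
    key = derive_vault_key(master_password, salt)
    blob = seal_vault(key, salt)
    return blob, Server(derive_login_hash(key, master_password), blob)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample master password
    cache, server = enroll(pw)
    cred = login_credential(pw, cache["salt"])
    print("server refuses without 2FA:", server.fetch_blob(cred, second_factor_ok=False) is None)
    print("server delivers with 2FA:", server.fetch_blob(cred, second_factor_ok=True) is cache)
    print("local cache opens with master password alone:", open_vault(cache, pw))
    print("wrong master password:", open_vault(cache, "wrong"))
```

The scenario makes the FAQ's point: the server can withhold the blob until the second factor is presented, but a blob already cached on the laptop opens with nothing more than the master password. It also shows why the recovery answer earlier in the thread holds in this design: nothing the server stores can be turned back into the vault key.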
>That particular issue is only present if the user has remember password checked, which is not recommended and the person has to click through a warning before enabling.
> a Lenovo that's a few years old
Then you're likely fine. Lenovo's practice is a rather recent change (maybe a year old at most?) affecting just a few models. You can click this to check your system:
https://lastpass.com/superfish/
It's a simple page that'll let you know if you have the Superfish malware present. If you do, you can follow the instructions to remove it.
Imagus, hands down.
It's an alternative to Hover Zoom.
You remember HoverFree, which popped up when Hover Zoom started to collect users' data?
It ceased development and recommends Imagus, which was originally only an Opera extension but is now on all major browsers with the exception of IE.
Also can't believe no one has yet mentioned LastPass.
I think the real value is ensuring you're not using the same password on another site. We've had plenty of non-internet-savvy users on the network who do this, including people with higher access privileges, like TAs and teachers. It doesn't matter how complex your password is if you used it on several other sites, so while having crazy rules is still annoying, the frequency that you change it will at least cut down on the time between when some other site's passwords are compromised and when it's inevitably used on Tech's networks. If having a complex password annoys you, get LastPass or Mitro or the many other solutions for credential management.
Anyone who's not using an encrypted password DB with unique passwords for each site is risking this kind of thing.
Using 2 factor where available for important things like gmail etc is also a good idea.
https://lastpass.com/adobe/ would seem to be a good place to check if your email was included.
I store all my clients info in a password manager (e.g. LastPass).
That way I can generate random, secure passwords and don't have to worry about losing them or not having them on another device when I need access to them. It also has secure "notes", so storing IPs etc is no issue either.
We try not to store personal information wherever possible.
Have you thought about purchasing creddits? They can be used anytime you'd gift someone gold and the cost works out to less per gilding.
You could also use a password manager like lastpass which can securely store form fills for you.
I use LastPass though I'm a fairly big open source fanatic.
Here's why:
LastPass has released a simple, fully offline decryption tool for their blobs. This tool has fairly readable javascript source. This has been reviewed by many security conscious individuals. https://lastpass.com/js/enc.php
LastPass has always been forthcoming about security and any issues with it in their product and has shown (to my moderate applied cryptography knowledge and to many better known cryptographers) that they have some idea what they're doing.
Easy magic sync. No thought involved. Can use 2-factor authentication on sign-in too, which could save you in a few attack scenarios.
And here's why I don't use KeePass:
If I recall correctly, key derivation under KeePass was questionably weak last time I checked. I'll examine this again to check.
The state of synchronization with KeePass is absolute shit last time I used it
The lack of browser extensions which work properly on Linux for KeePass made it simply useless to me
EDIT: Verified that bit about KeePass's key derivation. Seems different than last time I saw it, but it uses 6000 iterations of a custom AES-based key derivation function. AES executes extremely fast and most modern processors can perform accelerated AES computation. And they chose this instead of a major standard like PBKDF2 or scrypt... Key derivation fucking matters. Please stick to the well accepted standards in the cryptography community.
LastPass uses PBKDF2; Password Safe (a more secure looking open source solution) uses a method developed by Schneier which looks pretty good, http://www.schneier.com/paper-low-entropy.pdf. Unfortunately, for me, Password Safe is only just now beginning to get Linux support and the browser extension support for it seems non-existent.
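To make the key-derivation point concrete, an added example (my code, not LastPass's, KeePass's or Password Safe's) using the two standard KDFs the comment names, PBKDF2 and scrypt, as exposed by Python's hashlib. It calibrates a PBKDF2 iteration count to a target cost on the local machine, never dropping below an assumed floor of 100,000, and estimates how an offline attacker's time scales with the iteration count. The floor, the scrypt parameters and the attacker hash rate are assumptions.

```python
import hashlib
import time

# Assumed parameters for this example; not the page's or any product's values.
PBKDF2_FLOOR = 100_000                          # never accept fewer iterations
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1    # about 16 MiB of memory per guess


def pbkdf2_key(password: bytes, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Standard PBKDF2-HMAC-SHA256, the KDF the comment says LastPass uses."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=length)


def scrypt_key(password: bytes, salt: bytes, length: int = 32) -> bytes:
    """scrypt is memory-hard: the per-guess cost cannot be collapsed by fast
    AES or SHA hardware the way a pure-CPU construction can."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=length)


def calibrate_pbkdf2(target_seconds: float = 0.25, probe_iterations: int = 20_000) -> int:
    """Pick an iteration count so one derivation costs about target_seconds on
    this machine, but never below PBKDF2_FLOOR. Measured once, so the result
    varies slightly from run to run."""
    start = time.perf_counter()
    pbkdf2_key(b"calibration", b"salt" * 4, probe_iterations)
    per_iteration = (time.perf_counter() - start) / probe_iterations
    return max(PBKDF2_FLOOR, int(target_seconds / per_iteration))


def years_to_exhaust(search_space_bits: float, iterations: int,
                     attacker_hashes_per_second: float) -> float:
    """Expected time for an offline attacker whose hardware performs
    attacker_hashes_per_second raw hash calls to cover the whole space when
    every guess costs `iterations` calls."""
    guesses_per_second = attacker_hashes_per_second / iterations
    return (2 ** search_space_bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = b"\x01" * 16  # constructed sample salt; use os.urandom(16) in practice
    print("calibrated PBKDF2 iterations:", calibrate_pbkdf2())
    print("pbkdf2 key:", pbkdf2_key(b"hunter2", salt, PBKDF2_FLOOR).hex())
    print("scrypt key:", scrypt_key(b"hunter2", salt).hex())
    # Assumed attacker: 1e9 SHA-256 calls per second against a 40-bit space.
    for iters in (6_000, PBKDF2_FLOOR):
        print(f"{iters:>7} iterations: {years_to_exhaust(40, iters, 1e9):.1f} years")
```

The years_to_exhaust figures are only meaningful relative to each other: going from the 6000 iterations mentioned above to 100,000 buys the same factor of roughly 17 whatever the attacker's raw hash rate is, while scrypt adds a memory cost per guess that AES or SHA acceleration does not remove.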
Malwarebytes can't do shit for you in this case because this is a server side bug, not malware. What you can do is make sure any websites you browse using https have taken appropriate steps to fix the problem. Sites that have been using the vulnerable version of OpenSSL should have installed the latest patch and changed their SSL/TLS certificate in the last few days.
There are some sites to help check this: link. You should be able to find an announcement on a particular site's blog/newsfeed regarding the bug.
I would recommend not using any https enabled sites (i.e. Amazon, Facebook, etc.) unless they have addressed the issue by either proving that they were never vulnerable by not using OpenSSL or showing that they have taken the necessary steps to protect themselves and their visitors.
Lastpass or 1Password are popular options for encrypted, multiplatform password managers.
Just don't forget your master password, and use their password generator to create unique passwords for every site.
So much easier than the 'brain list of mutilated password combinations' that I relied on for years :)
My fellow shibes! If I can make a suggestion, I would say to use LastPass to come up with obscure/impossible to guess passwords. There are also browser extensions that will auto-login to sites as you visit them if you so choose. So it's far more secure (generating crazy passwords for every site) and extremely convenient!
Example pass I just generated: fg3uIe$Y&fI4tWt
wow much convenience so obscure very protected
edit: ~~Is there a link somewhere for a tutorial on how to use/setup /u/dogetipbot ? How does it work ? This newb shibe would like to help out!~~ nvm I can read the sidebar..
I used to use LastPass but when I received this email last year in May I immediately wiped my account and never went back.
> Dear LastPass User,
>
> On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media.
>
> As you know, LastPass does not have access to your master password or your confidential data. To further secure your account, LastPass now requires you to verify your identity when logging in. You will be prompted to validate your email if you try to log in from a new location. This prompt will continue to appear until you change your master password or indicate that you are comfortable with the strength of your master password.
>
> Please visit https://lastpass.com/status for more information.
>
> Thanks,
> The LastPass Team
I now use dropbox + keepass.