Storing Passwords?

[UsernameIssues]

If you don't have passwords on your computer they can't be hacked.

Not true in all cases. If I were to write on a Rolodex card in a location that my laptop's camera could see, then a hacked camera could steal that password.

Not a hack, but as you know: writing on a pad can leave info on the next sheet. I've found some interesting info on hotel pads.

 

[Layback Bear]

That is surly one thing I didn't think of for computer security.

Not a hack, but as you know: writing on a pad can leave info on the next sheet. I've found some interesting info on hotel pads.

 

[paulyjames]

Okay so i have keepass 2 in my laptop and also have it saved it to a usb. My issue though now is how do i input this same keepass 2 program to my iphone 4s? Thus all the passwords i have in my keepass 2 are very long thus generated by keepass itself. I cannot log into any of my email accounts etc b/c i cant just copy and paste the username/password from my laptop or usb to it. Can someone tell me how i can do this?

Apparently theres a mini-keepass program for the iphone but is it the same or not same thing? I can't imagine you guys manually typing each password into mini keepass on the iphone so how are you guys doing this?

How do you copy the file from desktop version of keepass to the phone? I just copied and then clicked paste on my iphone in my computer and that doesn't work at all... shows error.


I read online that i could download dropbox to do this though? I downloaded dropbox then put the keepass2.0 on it. Then i downloaded dropbox on iphone4s, then signed on... then i see the 2kb of the keepass there. However, how do i get it to minikeepass? It shows file is not viewable. I clicked on open file in ... then it give me option of only google drive. So im confused why this is happening.

 

[paulyjames]

Anyone with keepass2.0 can explain how to get it to work on iphone? Not sure why there is error.

 

[townsbg]

Anyone with keepass2.0 can explain how to get it to work on iphone? Not sure why there is error.

It might help to know the error.

 

[UsernameIssues]

I will make this clear. I don't care what you use to secure your passwords. I recommend Lastpass because the folks behind it take security seriously, they are up front and open with every issue. They dont wait weeks to fix it.

Perhaps those using this service should at least change their master password:
http://www.sevenforums.com/security...-hacked-time-change-your-master-password.html

 

[logicearth]

Perhaps those using this service should at least change their master password:
http://www.sevenforums.com/security...-hacked-time-change-your-master-password.html

If you want to. But that is not needed. Your Master password does not reside on the Lastpass servers an attacker would never get it by attacking them.

 

[UsernameIssues]

The hash of your master password resides on their end.
The salts reside on their end.
Both appear to have been exposed.

Sure, it is unlikely that the hash can be turned back into a password...
...but, I would not say never.

Perhaps I'm reading things wrong, but LastPass seems to want users to change their master password...

We will also be prompting all users to change their master passwords.

...as does Krebs, Sophos and every other article that I read.

 

[margrave]

If LastPass seems risky, just use KeePass.

 

[logicearth]

The hash of your master password resides on their end.
The salts reside on their end.
Both appear to have been exposed.

What resides on their end is an authentication hash that is made in-part with your password but it goes though so many iterations you cannot get your master password from it. It goes though thousands of iterations on the client side before sending to Lastpass. It then goes though several more iterations before being stored. The sole purpose of that authentication hash is just to say "yes you are the owner of this data." An attacker cannot use it to decrypt your data or to your account.

Of course you can read all about in the Lastpass blog.

And btw, the salt is just for their end on storing the authentication hash. Overkill but still adds some strength to the stored hash.

Sure, it is unlikely that the hash can be turned back into a password...
...but, I would not say never.

Is it never. It is mathematically impossible, that is not even a debate. It goes though so many iterations it can never be turned back to the source material.

You can read more about the iteration mechanism they are using here: https://en.wikipedia.org/wiki/PBKDF2

Perhaps I'm reading things wrong, but LastPass seems to want users to change their master password...

We will also be prompting all users to change their master passwords.

...as does Krebs, Sophos and every other article that I read.

Of course they would say that, it is a smart thing to say. But doesn't mean it is necessary.

You can add even more security to your account by adding multifactor authentication to the mix as well. I bought a Yubikey and a subscription to Lastpast just for that.

 

[carwiz]

I keep my passwords in and on a manila folder.

Multifactor Authentication and Security is handled by Smith & Wesson.

 

[GokAy]

Texan and their guns!

Even famous at this part of the world.

 

[carwiz]

I didn't mention the "G" word. It's against forum policy but Texas is not unique in that regard.

We are unique in that we have our own water, gas, oil, electric, food and fuel so it matters not.

You missed a good series on the History Channel the last few weeks. It was about how the "country" of Texas was formed and the beginning of the Texas Rangers (law enforcement, not the baseball club).

An official was once asked why he sent only one Ranger to handle a riot. He replied; "It was only one riot".

 

[Tookeri]

What resides on their end is an authentication hash that is made in-part with your password but it goes though so many iterations you cannot get your master password from it. It goes though thousands of iterations on the client side before sending to Lastpass. It then goes though several more iterations before being stored. The sole purpose of that authentication hash is just to say "yes you are the owner of this data." An attacker cannot use it to decrypt your data or to your account.

Of course you can read all about in the Lastpass blog.

And btw, the salt is just for their end on storing the authentication hash. Overkill but still adds some strength to the stored hash.

Sure, it is unlikely that the hash can be turned back into a password...
...but, I would not say never.

Is it never. It is mathematically impossible, that is not even a debate. It goes though so many iterations it can never be turned back to the source material.

Using iterations in general only means it will be more time consuming to generate the hashes. Both for users and hackers. It doesn't mean it's impossible to crack.
Sure, you can't revert a hash to its source but there are other ways. The hackers will redo all steps needed to create the hash(including iterations, any salt etc). Then they do this for all possible password combinations and run it millions or billions of times on multiple and powerful CPU/GPUs. When they finally end up with a generated hash that matches the hacked hash, they know what the password is. Simplified example:

Hacked hash: sldjkfh345se
Re-generated hash for password "Test": fjeiojri334jikk
Re-generated hash for password "Test1": ejeiud837fgk
Re-generated hash for password "Test2": sldjkfh345se
Match found! Password is "Test2"

The salt isn't overkill as it makes any successful crack attempts useless on all other hacked accounts and they need to start the process over for every account. Or maybe even give up...

My advice is to use a master password that's at least 20 characters long. That's too much to generate hashes for.

 

[Luisn]

Keepas is the way to go! I use it to manage my client accounts and even personal accounts. just be careful not to forget the master password otherwise everything is gone.