github - cracked

Adam Howard

So for those of you who use GitHub for your project, I would draw your attention to this:


https://github.com/blog/1698-weak-passwords-brute-forced

I really don't call these "hacks" as technically, they are more of "cracking" a system and not really hacking one. But never underestimate the value of a good password, perhaps with a good password manager (last pass for example)
 
Someone asked me via PM, what is Last Pass?

(Actually, their question was: "what do you mean by last pass?")

I guess it would have helped if I had properly used correct syntax (i.e. grammar) and had typed that in caps like I should have. Then someone would know that it was in fact a name and not just trailing words on a page (site).

This is Last Pass (LastPass) https://lastpass.com/

It works in every browser, every OS.
 
> Someone asked me via PM, what is Last Pass?
>
> (Actually, their question was: "what do you mean by last pass?")
>
> I guess it would have helped if I had properly used correct syntax (i.e. grammar) and had typed that in caps like I should have. Then someone would know that it was in fact a name and not just trailing words on a page (site).
>
> This is Last Pass (LastPass) https://lastpass.com/
>
> It works in every browser, every OS.

Actually, I've considered Last Pass but I feel there are some issues with this.

First of all, it seems to want to store your (encrypted) passwords online so it's easy to synchronize with other computers. Which of course sounds wonderful, but what's protecting théir server?

Secondly, it stores the (encrypted) passwords on your pc, which could be a rather attractive target for viruses, as you basically have all your passwords stored in one place. While keyloggers are obviously also a risk, having one central place to keep your passwords seems risky too.

Thirdly, it uses a master password system. However, what is stopping those same keyloggers you are trying to outsmart from stealing thát password and making your efforts pointless? See also my previous point.

Lastly, it seems to encourage you to make difficult passwords which are more secure and the program will remember them for you. But what happens if you for some reason get locked out and can't access any of these passwords anymore?

I've never actually used LastPass so I obviously might be very wrong about some of these points (feel free to correct me where needed), but I feel this is a bit of a security risk on its own. It's nice for easily remembering passwords, but I'm not entirely convinced on the security part of it.

Any thoughts?
 
Kinda an excessively scaremongering thread title, really - GitHub haven't been compromised or cracked, they've just had a spate of skiddies trying to brute force weak passwords.

Either way, strong passwords are really important, especially somewhere like GitHub - this is just a reminder that there are nefarious people out there trying to cause chaos where they can, so don't make yourself an easy target.
 
> First of all, it seems to want to store your (encrypted) passwords online so it's easy to synchronize with other computers. Which of course sounds wonderful, but what's protecting théir server?

The good news is that your LastPass decryption key never leaves your machine, and the data stored on the LastPass servers would be worthless even if it were stolen via a hack.
However, your concerns about keyloggers and the like are valid. Still, I think LastPass is more secure than any other option available today.
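
The claim in the reply above, that the decryption key stays on the client and the synced data is useless without it, as an added example that is not part of the original post and is not LastPass's code or exact scheme. It is a generic client-side encryption sketch; the iteration count, the sample password and salt, and the HMAC-based keystream standing in for AES-256 are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; slow on purpose to blunt guessing

def derive_keys(master_password: str, salt: bytes):
    """Client side only: returns (vault_key, login_hash)."""
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    # The server receives only this one-way value derived from the key.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, login_hash

def _subkey(vault_key: bytes, label: bytes) -> bytes:
    return hmac.new(vault_key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256, standing in for AES-256.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the returned blob is what gets synced to the server."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(vault_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError unless `key` is the vault key that sealed the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def demo():
    salt = b"user@example.com"  # constructed sample values throughout
    vault_key, login_hash = derive_keys("correct horse battery staple", salt)
    blob = seal(vault_key, b"github.com: s3cr3t")
    server_copy = {"salt": salt, "login_hash": login_hash, "blob": blob}
    try:  # everything the server stores is not enough to open the blob
        unseal(server_copy["login_hash"], server_copy["blob"])
        return "server could decrypt"
    except ValueError:
        return unseal(vault_key, blob).decode()
```

What the server holds still permits offline guessing of the master password, which is why the iteration count and the strength of the master password matter.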
 
> The good news is that your LastPass decryption key never leaves your machine, and the data stored on the LastPass servers would be worthless even if it were stolen via a hack.
> However, your concerns about keyloggers and the like are valid. Still, I think LastPass is more secure than any other option available today.

But would it? There was a time that MD5 encryption was considered to be uncrackable. It's good that it's encrypted and it's probably currently more effort to try and steal the data & decrypt it than is worth it. But I do not have the illusion that if it's stored online, it's ever truly safe.

I'm mostly just wondering if it's really all that safe ánd an improvement over just remembering your passwords.
 
> But would it? There was a time that MD5 encryption was considered to be uncrackable. It's good that it's encrypted and it's probably currently more effort to try and steal the data & decrypt it than is worth it. But I do not have the illusion that if it's stored online, it's ever truly safe.
>
> I'm mostly just wondering if it's really all that safe ánd an improvement over just remembering your passwords.

Let the NSA, CIA and other world-wide global security agencies know when you get around to cracking AES 256 and remotely grabbing everyone's decryption key.

https://lastpass.com/whylastpass_technology.php?fromwebsite=1

Last time I checked with my premium account, I was able to restrict master login or initiating a login key unless the IP was from the United States and down to the ISP or state (Was a year ago, don't quite remember.)

I found this out the hard way when I tried to log in to a site with a password I can't remember from Canada during a two day business trip. It simply denied me from accessing the accounts, even using Verizon's network. They wouldn't release the control on it when I called either.
 