
Saved Passwords vs Security

Discussion in 'Off Topic' started by =MGN=RedEagle, Apr 12, 2013.

  1. =MGN=RedEagle

    =MGN=RedEagle Well-Known Member

    Hi guys, I get hacked often due to the size of my sites and the related low budget of the sites. For the first time 3 days ago, someone used a tmp/image file to put a key logger down on my computer and steal my password. I have formatted my PC as a result. I am wondering, if a hacker gets a program on your computer, can they get access to all of Chrome's passwords? I am wondering if I should be using Chrome's password saver at all.
  2. Slavik

    Slavik XenForo Moderator Staff Member


    Having a low budget isn't an excuse to get hacked? Many extremely powerful tools and practices are available for free to prevent any such issues.

    If you use any "auto fill" or password saving systems, if your PC is compromised, they can be obtained. However, just as likely, if your PC is hacked you can be keylogged, so using them is user choice. One isn't more secure than the other.
    tenants likes this.
  3. Sador

    Sador Well-Known Member

    Let's not forget that if your computer gets hacked (especially more than once), you have some -serious- issues regardless of how you put in passwords.
  4. ManagerJosh

    ManagerJosh Well-Known Member

    Why are you storing passwords in Google Chrome? It's like painting a giant bullseye on your passwords saying "HEY COME AND GET IT!"

    There are a number of free tools that can easily decrypt Google Chrome passwords, including: http://securityxploded.com/chromepassworddecryptor.php
  5. =MGN=RedEagle

    =MGN=RedEagle Well-Known Member

    This is the only time my PC has been hacked. However, my servers have had issues with different things.
  6. ManagerJosh

    ManagerJosh Well-Known Member

    Correction: This is the only known instance of your PC being compromised.
    tenants likes this.
  7. Mr.Rick

    Mr.Rick Active Member

    Encrypt your passwords on your desktop. However, if you are being keylogged, even locking the passwords in an encrypted file won't help.
    Kaspersky Password Manager I use myself.

    Use a good virus scanner and stop clicking the FREE.HoT-b@be-wallpapers.exe's that pop up on the sites you frequent :p
  8. ManagerJosh

    ManagerJosh Well-Known Member

    I would go one step further and use unique passwords for certain types of services. I would even say use two factor authentication when possible and/or something like a Yubikey.
  9. Slavik

    Slavik XenForo Moderator Staff Member

    I hate people pushing FUD like this...
    Maulss, Kim and Biker like this.
  10. Mr.Rick

    Mr.Rick Active Member

    Yea, always a unique password for every service.

    This is a typical password that I would create and use.
    Only thing that sucks is some services use 4 character passwords... outrageous I know!

    Side story...
    A couple years ago a supermod we had on our site was really lax on his passwords. I mean, his Gmail, forums etc were all like <name-dob> as his pass.
    A spin off site started and they started poaching members. We watched PMs, censored, etc. But people had Blackberry groups, chats, MySpace etc so some people migrated. But the spin off site guy was dodgy and was a known scammer (scraping content from people, rehosting etc) and was able to write a script that when a certain user entered his username and password, it would write to a text file. So of course my one mod went over to the site, tried to log in 2x, it failed, on 3rd try it worked. The scammer guy took the details, logged in and deleted 100k and around 150k attachments. All the posts were recovered but we didn't have 100% success with the attachments. We had server logs showing the originating IP and he was a former member. It all matched up but what can you do.... we resolved the issue over the course of a couple hours.

    My favorite part was my mods having a discussion in the admin area as to if they should call me and wake me or wait and see. The transcript was awesome, something like this over the course of 4 hours...

    guy 1 - dude just deleted a whole section
    guy 2 - should we call rick?
    guy 1 - maybe it's rick doing it, clean site up?
    guy 3 - I don't think rick would delete this stuff
    guy 1 - OMFG ALL MY POSTS ARE GONE!!!!!!!!!!!!!!!!
    guy 2 - rick is sleeping should we call???
    guy 1 - why would that mod delete my posts, where's rick?
    guy 2 - should we call Rick?
    guy 3 - anyone notice the how to section is gone?
    guy 2 - should we call rick?
    guy 1 - I'm sending rick a pm
    guy 2 - he's prolly sleeping
    guy 3 - LOL, classifieds are gone
    guy 1 - wow, that's like 25k threads so far!!!!
  11. ManagerJosh

    ManagerJosh Well-Known Member

    It's not FUD. As a penetration tester, if I get access to a computer during an engagement and I can dump the SQLite databases for Firefox and Chrome, and any other browsers I can find, I'm going to dump them and decrypt the passwords.

    I've done that more than once.
  12. Slavik

    Slavik XenForo Moderator Staff Member

    If I get access to a computer I place a silent keylogger and get the passwords anyway without the need to decrypt them.

    The point being, if your computer is compromised, it doesn't matter if you use stored passwords or not, if someone wants your passwords, they can get them one way or another.
  13. Adam Howard

    Adam Howard Well-Known Member

    The answer to your question......

    Yes. (Sorry) :(

    Doesn't matter what you have or are using. If someone has a key logger on your computer, they see everything you type. Key loggers normally have trojan habits which also give people access to your computer beyond just what you type or click. So any data file was also likely up for grabs.

    Google does save your passwords on their server (if you used that option). But again, whatever you typed someone else likely saw.

    I would strongly recommend you activate 2 step verification and also change all your passwords. You might have found it 3 days ago, but that may only have been when you found something.
  14. SneakyDave

    SneakyDave Well-Known Member

    I think your worries are in the wrong place.

    A hacker can do anything he wants if he/she gets a program on your computer, your Chrome passwords might be the least of your worries.
  15. ManagerJosh

    ManagerJosh Well-Known Member

    Assuming one can get a keylogger installed. Too many antivirus programs are too trigger happy to the point where it's just difficult to get a keylogger on there.

    And it's noisy too. It could set off too many alarms in a corporate environment.
  16. erich37

    erich37 Well-Known Member

  17. Slavik

    Slavik XenForo Moderator Staff Member

    I've got to laugh Josh, you're clutching at straws here. Let's take your example.

    If in a corporate environment, I was able to remotely access and dump the relevant files, I would equally be able to put a keylogger onto the system and keep it hidden (and if you go onto any blackhat site nowadays, you'll find keyloggers and crypters available for a few bucks which can bypass all but the strictest antivirus and firewall definitions, but I'm sure you're already aware of this)

    If I was able to walk into a corporate building, and do the same, then the corporate policies are in dire need of updating.

    Now in a more relevant example of someone's home computer, do you think that if someone has gained access, remotely or otherwise, to a home PC, that not storing passwords is really going to help?

    If someone's gained access to your PC in the first place, that's where your problem lies, it doesn't matter if you store passwords or not.
  18. ManagerJosh

    ManagerJosh Well-Known Member

    Let's see you run pwdump against Symantec Endpoint or any other antivirus solution.

    The only one I've been recently able to sneak by is Trend Micro.
  19. Biker

    Biker Well-Known Member

    Ugh. I wish people would get off the old school BS of alphanumeric characters for passwords that are virtually impossible to remember. It's not needed, and it's more than just a pain for the end user.
  20. Pipelin

    Pipelin Member

    Use LastPass, problem fixed.
