Saved Passwords vs Security

=MGN=RedEagle

=MGN=RedEagle

Well-known member
Hi guys, I get hacked often due to the size of my sites and the related low budget of the sites. For the first time 3 days ago, someone used a tmp/image file to put a key logger down on my computer and steal my password. I have formatted my PC as a result. I am wondering, if a hacker gets a program on your computer, can they get access to all of chrome's passwords? I am wondering if I should be using chrome's password saver at all.
 
FaithFirst said:
Hi guys, I get hacked often due to the size of my sites and the related low budget of the sites. For the first time 3 days ago, someone used a tmp/image file to put a key logger down on my computer and steal my password. I have formatted my PC as a result. I am wondering, if a hacker gets a program on your computer, can they get access to all of chrome's passwords? I am wondering if I should be using chrome's password saver at all.
Click to expand...

Errrr.....

Having a low budget isn't an excuse to get hacked? Many extremely powerful tools and practices are available for free to prevent any such issues.

If you use any "auto fill" or password saving systems, if your PC is comprimised, they can be obtained. However just as likely, if your PC is hacked you can be keylogged, so using them is user choice. One isn't more secure than the other.
 
Let's not forget that if your computer gets hacked (especially more than once), you have some -serious- issues regardless of how you put in passwords.
 
FaithFirst said:
Hi guys, I get hacked often due to the size of my sites and the related low budget of the sites. For the first time 3 days ago, someone used a tmp/image file to put a key logger down on my computer and steal my password. I have formatted my PC as a result. I am wondering, if a hacker gets a program on your computer, can they get access to all of chrome's passwords? I am wondering if I should be using chrome's password saver at all.
Click to expand...


Why are you storing passwords in Google Chrome? It's like painting a giant bullseye on your passwords saying "HEY COME AND GET IT!"

There are a number of free tools that can easily decrypt Google Chrome passwords, including: http://securityxploded.com/chromepassworddecryptor.php
 
Sador said:
Let's not forget that if your computer gets hacked (especially more than once), you have some -serious- issues regardless of how you put in passwords.
Click to expand...
This is the only time my PC has been hacked. However, my servers have had issues with different things.
 
Encrypt your passwords on your desktop. However, if you are being keylogged even locking the passwords in an encrypted file wont help.
Kaspersky Password Manager I use myself.

Use a good virus scanner and stop clicking the FREE.HoT-b@be-wallpapers.exe's that pop up on the sites you frequent :p
 
Mr.Rick said:
Encrypt your passwords on your desktop. However, if you are being keylogged even locking the passwords in an encrypted file wont help.
Kaspersky Password Manager I use myself.

Use a good virus scanner and stop clicking the FREE.HoT-b@be-wallpapers.exe's that pop up on the sites you frequent :p
Click to expand...


I would go one step further and use unique passwords for certain types of services. I would even say use two factor authentication when possible and or something like a Yubikey.
 
ManagerJosh said:
I would go one step further and use unique passwords for certain types of services. I would even say use two factor authentication when possible and or something like a Yubikey.
Click to expand...

Yea, always unique password for everything service.

This is a typical password that I would create and use.
%LVfs4CUa&Sp0Rz@2itB8
Only thing that sucks is some services use 4 character passwords... outrageous i know!

Side story...
A couple years ago a supermod we had on our site was really lax on his passwords. I mean, his gmail, forums etc were all like <name-dob> as his pass.
A spin off site started and they started poaching members. We watched pms, censored, etc. But people had Blackberry groups, chats, myspace etc so some people migrated. But the spin off site guy was dodgy and was a known scammer (scraping content from people, rehosting etc) and was able to write a script that when a certain user entered his username and password, it would write to a text file. So of course my one mod went over to the site, tried to log in 2x, it failed, on 3rd try it worked. The scammer guy took the details, logged in and deleted 100k and around 150k attachments. All the posts were recovered but we didnt have 100% success with the attachments. We had server logs showing the originating ip and he was a former member. It all matched up but what can you do.... we resolved the issue over the course of a couple hours.

My favorite part was my mods having a discussion in the admin area as to if they should call me and wake me or wait and see. The transcript was awesome, something like this over the course of 4 hours...

guy 1 - dude just deleted a whole section
guy 2 - should we call rick?
guy 1 - maybe its rick doing it, clean site up?
guy3 - I dont think rick would delete this stuff
guy1 - OMFG ALL MY POSTS ARE GONE!!!!!!!!!!!!!!!!
guy 2 - rick is sleeping should we call???
guy 1 - why would that mod delete my posts, wheres rick?
guy 2 - should we call Rick?
guy 3 - anyone notice the how to section is gone?
guy 2 - should we call rick?
guy 1 - im sending rick a pm
guy 2 - hes prolly sleeping
guy 3 - LOL, classifieds are gone
guy 1 - wow, thats like 25k threads so far!!!!
 
Slavik said:
I hate people pushing FUD like this...
Click to expand...


It's not FUD. As a penetration tester, if I get access to a computer during an engagement and I can dump the SQLite databases for Firefox and Chrome, and any other browsers I can find, I'm going to dump them and decrypt the passwords.

I've done that more than once.
 
ManagerJosh said:
It's not FUD. As a penetration tester, if I get access to a computer and I can dump the SQLite databases for Firefox and Chrome, and any other browsers I can find, I'm going to dump them and decrypt the passwords.
Click to expand...

If I get access to a computer I place a silent keylogger and get the passwords anyway without the need to decrypt them.

The point being, if your computer is compromised, it doesn't matter if you use stored passwords or not, if someone wants your passwords, they can get them one way or another.
 
FaithFirst said:
Hi guys, I get hacked often due to the size of my sites and the related low budget of the sites. For the first time 3 days ago, someone used a tmp/image file to put a key logger down on my computer and steal my password. I have formatted my PC as a result. I am wondering, if a hacker gets a program on your computer, can they get access to all of chrome's passwords? I am wondering if I should be using chrome's password saver at all.
Click to expand...
The answer your question......

Yes. (Sorry) :(

Doesn't matter what you have or are using. If someone has a key logger on your computer, they see everything you type. Key loggers normally have trojan habits which also give people access to your computer beyond just what you type or click. So any data file was also likely up for grabs.

Google does save your passwords on their server (if you used that option). But again, whatever you typed someone else likely saw.

I would strongly recommend you activate 2 step verification and also change all your passwords. You might have found it 3 days ago, but that may only have been when you found something.
 
I think your worries are in the wrong place.
I am wondering, if a hacker gets a program on your computer, can they get access to all of chrome's passwords?
Click to expand...


A hacker can do anything he wants if he/she gets a program on your computer, your chrome passwords might be the least of your worries.
 
Slavik said:
If I get access to a computer I place a silent keylogger and get the passwords anyway without the need to decrypt them.

The point being, if your computer is compromised, it doesn't matter if you use stored passwords or not, if someone wants your passwords, they can get them one way or another.
Click to expand...


assuming one can get a keylogger installed. too many antivirus programs are too trigger happy to the point where it's just difficult to get a keylogger on there.

And it's noisy too. It could set off too many alarms in a corporate environment.
 
ManagerJosh said:
assuming one can get a keylogger installed. too many antivirus programs are too trigger happy to the point where it's just difficult to get a keylogger on there.

And it's noisy too. It could set off too many alarms in a corporate environment.
Click to expand...

I've got to laugh Josh, your clutching at straws here. Lets take your example.

If in a corporate environment, I was able to remotely access and dump the relevent files, I would equally be able to put a keylogger onto the system and keep it hidden (and if you go onto any blackhat site nowdays, you'll find keyloggers and crypters available for a few bucks which can bypass all but the strictest antivirus and firewall definitions, but i'm sure your already aware of this)

If I was able to walk into a corporate building, and do the same, then the corporate policies are in dire need of updating.

Now in a more relevent example of someones home computer, do you think that if someone has gained access, remotely or otherwise, to a home PC, that not storing passwords is realy going to help?

If someones gained access to your PC in the first place, thats where your problem lies, it doesn't matter if you store passwords or not.
 
Slavik said:
I've got to laugh Josh, your clutching at straws here. Lets take your example.

If in a corporate environment, I was able to remotely access and dump the relevent files, I would equally be able to put a keylogger onto the system and keep it hidden (and if you go onto any blackhat site nowdays, you'll find keyloggers and crypters available for a few bucks which can bypass all but the strictest antivirus and firewall definitions, but i'm sure your already aware of this)

If I was able to walk into a corporate building, and do the same, then the corporate policies are in dire need of updating.

Now in a more relevent example of someones home computer, do you think that if someone has gained access, remotely or otherwise, to a home PC, that not storing passwords is realy going to help?

If someones gained access to your PC in the first place, thats where your problem lies, it doesn't matter if you store passwords or not.
Click to expand...


Let's see you run pwdump against Symantec Endpoint or any other antivirus solution.

The only one I've been recently able to sneak by is Trend Micro.
 
Mr.Rick said:
Yea, always unique password for everything service.

This is a typical password that I would create and use.
%LVfs4CUa&Sp0Rz@2itB8
Click to expand...

Ugh. I wish people would get off the old school BS of alphanumeric characters for passwords that are virtually impossible to remember. It's not needed, and it's more than just a pain for the end user.
 

Similar threads

TimWilson
Identifying ACTUAL inactive accounts, and requiring 2FA
Replies
4
Views
421
woody
woody
Stuart Wright
  • Suggestion Suggestion
Security lock (password reset) in user criteria for notices and elsewhere
Replies
5
Views
1K
woody
woody
1966Mustang
Password controls - Banning bad passwords - i.e. rockyou.txt
Replies
3
Views
572
Paul B
P
naia
Fixed Force Terms & Rules conflicts with Password Security lockout
Replies
1
Views
416
XF Bug Bot
XF Bug Bot
Chernabog
  • Question Question
XF 2.1 Error when trying to enable Authy for 2FA from Passwords and Security on site...
Replies
7
Views
1K
Anomandaris
Anomandaris
Back
Top Bottom