Australian Politics Forum
http://www.ozpolitic.com/forum/YaBB.pl
General Discussion >> Technically Speaking >> Password managers
http://www.ozpolitic.com/forum/YaBB.pl?num=1665975715

Message started by Bobby. on Oct 17th, 2022 at 1:01pm

Title: Password managers
Post by Bobby. on Oct 17th, 2022 at 1:01pm
You can't 100% trust anything on the internet.

Evidence:

https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/

Backdoored password manager stole data from as many as 29K enterprises
Compromised update mechanism for Passwordstate pushes malware that steals data.

Dan Goodin - 4/24/2021, 7:55 AM

As many as 29,000 users of the Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, the app-maker told customers.

In an email, Passwordstate creator Click Studios told customers that bad actors compromised its upgrade mechanism and used it to install a malicious file on user computers. The file, named “moserware.secretsplitter.dll,” contained a legitimate copy of an app called SecretSplitter, along with malicious code named "Loader," according to a brief writeup from security firm CSIS Group.

Title: Re: Password managers
Post by Captain Nemo on Oct 17th, 2022 at 1:06pm
"Bad actors" eh?

I blame this guy:




He may have had an accomplice ...


Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 1:30pm
Who trusts password managers?

Title: Re: Password managers
Post by random on Oct 17th, 2022 at 2:11pm

Bobby. wrote on Oct 17th, 2022 at 1:30pm:
Who trusts password managers?


Two iPhones ago I was using an encrypted one. It was good; I thought I was clever and organised.

Then I bought a new phone, restored the last backup onto it, then dealt with the usual exceptions. It said that the pwd manager was no longer supported by the supplier and that the last version did not work on the latest iOS. I lost the lot, probably about 40 -> 50 at the time.

I have not used one since.

Title: Re: Password managers
Post by Redmond Neck on Oct 17th, 2022 at 2:14pm
I have used Roboform for many years ...No Issues so far!

Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 2:19pm

random wrote on Oct 17th, 2022 at 2:11pm:

Bobby. wrote on Oct 17th, 2022 at 1:30pm:
Who trusts password managers?


Two iPhones ago I was using an encrypted one. It was good; I thought I was clever and organised.

Then I bought a new phone, restored the last backup onto it, then dealt with the usual exceptions. It said that the pwd manager was no longer supported by the supplier and that the last version did not work on the latest iOS. I lost the lot, probably about 40 -> 50 at the time.

I have not used one since.



You were ripped off.

Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 2:22pm

Redmond Neck wrote on Oct 17th, 2022 at 2:14pm:
I have used Roboform for many years ...No Issues so far!


https://cybernews.com/best-password-managers/roboform-review/


Is RoboForm safe?

Yes, RoboForm is extremely secure. Its server is encrypted with AES256, which is about the strongest encryption around. All RoboForm data is encrypted and decrypted locally, never on servers. This is the case whether you’re accessing your data via the RoboForm web portal, the local application, or your browser extension. A single master password, which you must set and remember, holds the key to all of your data. Finally, RoboForm has a range of security features to help keep your passwords safe.

This does not mean it is infallible though. Hackers always look for weaknesses while the best password managers fight to improve. The most obvious weakness is the user. After all, if you don’t use a strong master password, or give it up to someone untrustworthy, then you may well be in trouble.

Title: Re: Password managers
Post by Captain Nemo on Oct 17th, 2022 at 2:35pm

Bobby. wrote on Oct 17th, 2022 at 1:30pm:
Who trusts password managers?


I don't trust them, but I do use the Samsung inbuilt one on my phone.

For the PC - I use an ancient piece of software called PassKeep

It encrypts the manually added passwords. I don't trust my banking passwords to a cloud based password store but I have no real alternative for the ones on the phone.


My master password is 16 characters long, so it is "fairly difficult" to crack. And no, it is NOT "fairly_difficult"  ;D

129,629,238,163,050,258,624,287,932,416 possible combinations.


Edit: correction, it is 16 characters long.


Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 3:00pm
Many years ago I listened carefully to Edward Snowden.
When he worked in the USA for the Govt. -
he was able to read anyone's email in the world – even the POTUS.
Also – any company can be forced by the Govt. to assist them to spy on you.
Read the terms and conditions of any site and there is always an admission
that they will comply with all legal requests by Govts. or courts.
You have to assume that your computer and everything you do online
is compromised by Govt. authorities and that hackers can also use
some of their techniques to break in as well since there are
secret back doors on all software – even if indirectly via Windows and Microsoft.

Title: Re: Password managers
Post by Sprintcyclist on Oct 17th, 2022 at 6:31pm

random wrote on Oct 17th, 2022 at 2:11pm:

Bobby. wrote on Oct 17th, 2022 at 1:30pm:
Who trusts password managers?


Two iPhones ago I was using an encrypted one. It was good; I thought I was clever and organised.

Then I bought a new phone, restored the last backup onto it, then dealt with the usual exceptions. It said that the pwd manager was no longer supported by the supplier and that the last version did not work on the latest iOS. I lost the lot, probably about 40 -> 50 at the time.

I have not used one since.


Oh WOW !!!!!!!!!!

I have thought, what if you forget your password manager password?

Title: Re: Password managers
Post by Gordon on Oct 17th, 2022 at 6:46pm

Captain Nemo wrote on Oct 17th, 2022 at 2:35pm:

Bobby. wrote on Oct 17th, 2022 at 1:30pm:
Who trusts password managers?


I don't trust them, but I do use the Samsung inbuilt one on my phone.

For the PC - I use an ancient piece of software called PassKeep

It encrypts the manually added passwords. I don't trust my banking passwords to a cloud based password store but I have no real alternative for the ones on the phone.


My master password is 16 characters long, so it is "fairly difficult" to crack. And no, it is NOT "fairly_difficult"  ;D

129,629,238,163,050,258,624,287,932,416 possible combinations.


Edit: correction, it is 16 characters long.


Snap. I run it from a USB stick and of course a long pw is needed to open PassKeep :)

Title: Re: Password managers
Post by Setanta on Oct 17th, 2022 at 6:46pm
I've been looking at a password manager that doesn't include external (to me and out of my control) data and thought this may be the way to go if you have your own "cloud services" to host it yourself.

https://www.xbrowsersync.org/

Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 7:02pm

Setanta wrote on Oct 17th, 2022 at 6:46pm:
I've been looking at a password manager that doesn't include external (to me and out of my control) data and thought this may be the way to go if you have your own "cloud services" to host it yourself.

https://www.xbrowsersync.org/



You have to ask yourself -
why would anyone spend so much time and effort to
write complicated encryption software and then give it away for free?   :-/

Title: Re: Password managers
Post by Setanta on Oct 17th, 2022 at 7:14pm

Bobby. wrote on Oct 17th, 2022 at 7:02pm:

Setanta wrote on Oct 17th, 2022 at 6:46pm:
I've been looking at a password manager that doesn't include external (to me and out of my control) data and thought this may be the way to go if you have your own "cloud services" to host it yourself.

https://www.xbrowsersync.org/



You have to ask yourself -
why would anyone spend so much time and effort to
write complicated encryption software and then give it away for free?   :-/


You would have to ask yourself why people publish their code under GPL, LGPL or BSD licenses.

Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 7:24pm

Setanta wrote on Oct 17th, 2022 at 7:14pm:

Bobby. wrote on Oct 17th, 2022 at 7:02pm:

Setanta wrote on Oct 17th, 2022 at 6:46pm:
I've been looking at a password manager that doesn't include external (to me and out of my control) data and thought this may be the way to go if you have your own "cloud services" to host it yourself.

https://www.xbrowsersync.org/



You have to ask yourself -
why would anyone spend so much time and effort to
write complicated encryption software and then give it away for free?   :-/


You would have to ask yourself why people publish their code under GPL, LGPL or BSD licenses.



Would you know if they were opening any ports and
downloading all the secrets from your hard drive including your passwords?

Title: Re: Password managers
Post by Setanta on Oct 17th, 2022 at 8:05pm

Bobby. wrote on Oct 17th, 2022 at 7:24pm:

Setanta wrote on Oct 17th, 2022 at 7:14pm:

Bobby. wrote on Oct 17th, 2022 at 7:02pm:

Setanta wrote on Oct 17th, 2022 at 6:46pm:
I've been looking at a password manager that doesn't include external (to me and out of my control) data and thought this may be the way to go if you have your own "cloud services" to host it yourself.

https://www.xbrowsersync.org/



You have to ask yourself -
why would anyone spend so much time and effort to
write complicated encryption software and then give it away for free?   :-/


You would have to ask yourself why people publish their code under GPL, LGPL or BSD licenses.



Would you know if they were opening any ports and
downloading all the secrets from your hard drive including your passwords?


Never used something like wireshark?

Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 8:08pm

Setanta wrote on Oct 17th, 2022 at 8:05pm:
Never used something like wireshark?


No.

Wireshark for ethical hackers.

https://www.udemy.com/course/wireshark-for-ethical-hackers/

Title: Re: Password managers
Post by Bobby. on Oct 17th, 2022 at 8:19pm
Here's a good test.

Go to

https://www.grc.com/intro.htm

click shields up

click shields up  again on the list

click proceed

click common ports

see if they are all stealth

go back one page
click all service ports

see if they are all stealth


Also - there are many other good tests on that website.

Title: Re: Password managers
Post by Yadda on Oct 17th, 2022 at 9:33pm

Bobby. wrote on Oct 17th, 2022 at 1:30pm:
Who trusts password managers?



Not me.      [....and especially, 'managing' passwords controlling access to important sh it.   banking, etc.]


Always suspicious of persons who have a solution to a problem, which can provide a super convenience to myself.

And your precious PW's are all protected by some super clever protocol, hidden inside a BLACK BOX, which is created, managed,  ...with supervised updates and or fixes, offered by some kind anonymous soul, who you do not know from a bar of soap.

Come on !        ;D

Protect my own PW's ?

Can't tell how i do it.
.....that would be silly.


Title: Re: Password managers
Post by Sir Spot of Borg on Oct 18th, 2022 at 4:21am

Setanta wrote on Oct 17th, 2022 at 7:14pm:

Bobby. wrote on Oct 17th, 2022 at 7:02pm:

Setanta wrote on Oct 17th, 2022 at 6:46pm:
I've been looking at a password manager that doesn't include external (to me and out of my control) data and thought this may be the way to go if you have your own "cloud services" to host it yourself.

https://www.xbrowsersync.org/



You have to ask yourself -
why would anyone spend so much time and effort to
write complicated encryption software and then give it away for free?   :-/


You would have to ask yourself why people publish their code under GPL, LGPL or BSD licenses.


I used to back in the day - not everything is about money

Spot

Title: Re: Password managers
Post by John_Taverner on Oct 18th, 2022 at 8:51am
Don't write down your passwords. Just convert something you'll remember to Base 16 or even Base 18 or some other obscure base. Then you can generate your password any time you want.

Security systems that require complex passwords force people to store their passwords on their computers, which makes them less secure.

123456789 becomes 194gh7f in Base 21
AustralianPoliticsForum in base 36 becomes 7iaf2dcf64d01dh87bd618ed46g in base 21

http://extraconversion.com/base-number


Title: Re: Password managers
Post by Yadda on Oct 18th, 2022 at 9:48am


@ Reply #20,

Good post, food for thought.

Title: Re: Password managers
Post by Bobby. on Oct 18th, 2022 at 9:52am

Yadda wrote on Oct 17th, 2022 at 9:33pm:

Bobby. wrote on Oct 17th, 2022 at 1:30pm:
Who trusts password managers?



Not me.      [....and especially, 'managing' passwords controlling access to important sh it.   banking, etc.]


Always suspicious of persons who have a solution to a problem, which can provide a super convenience to myself.

And your precious PW's are all protected by some super clever protocol, hidden inside a BLACK BOX, which is created, managed,  ...with supervised updates and or fixes, offered by
some kind anonymous soul, who you do not know from a bar of soap.

Come on !        ;D

Protect my own PW's ?

Can't tell how i do it.
.....that would be silly.



Good post - that's what I've always thought.

Title: Re: Password managers
Post by Frank on Oct 18th, 2022 at 10:06am
Online scam quiz on the ABC website.

https://www.abc.net.au/news/2022-10-17/would-you-fall-for-these-scams-take-the-test/101500782

Title: Re: Password managers
Post by Carl D on Oct 18th, 2022 at 10:22am
I just keep all of my passwords in a text document which is encrypted with Windows 10 Professional's built-in encryption system.

I always use a Standard user account for daily use and that's the account I've encrypted the text document with. I can click on and open it exactly the same as if it wasn't encrypted and copy and paste my passwords when I'm logging in to forums such as this one, but I can only open it from the Standard account; I can't even open it from the main Administrator account.

You can see the lock symbol in the attached image.

And, I always have a different password for every place that I log in to online. Some people use the same password for everywhere - bad idea.

(Oh, "Thumbsup Horse" contains a link to a funny animation which I'm planning to use on aquascoot as soon as the opportunity presents itself).  [smiley=evil.gif]
[Attachment: passwords.jpg]

Title: Re: Password managers
Post by Captain Nemo on Oct 18th, 2022 at 10:25am

Frank wrote on Oct 18th, 2022 at 10:06am:
Online scam quiz on the ABC website.

https://www.abc.net.au/news/2022-10-17/would-you-fall-for-these-scams-take-the-test/101500782


Some of the questions are a bit dodgy.

Things like you have received the overpayment but then they change the parameters in the answer to be that you didn't receive the money.

Also, an email trail from a known client turns into a "fake letterhead"?

Pfft.

Title: Re: Password managers
Post by Bobby. on Oct 18th, 2022 at 10:40am

Carl D wrote on Oct 18th, 2022 at 10:22am:
I just keep all of my passwords in a text document which is encrypted with Windows 10 Professional's built-in encryption system.

I always use a Standard user account for daily use and that's the account I've encrypted the text document with. I can click on and open it exactly the same as if it wasn't encrypted and copy and paste my passwords when I'm logging in to forums such as this one, but I can only open it from the Standard account; I can't even open it from the main Administrator account.

You can see the lock symbol in the attached image.

And, I always have a different password for every place that I log in to online. Some people use the same password for everywhere - bad idea.

(Oh, "Thumbsup Horse" contains a link to a funny animation which I'm planning to use on aquascoot as soon as the opportunity presents itself).  [smiley=evil.gif]



Did you know that over 20 years ago Windows put out
their latest version of the Microsoft Outlook email client which
had an encryption feature for your emails?
Apparently there was a backdoor put on it for the NSA and Govt. authorities
so they could read any encrypted emails.
Customers were never told the truth at the time.

Microsoft cannot be trusted.

Title: Re: Password managers
Post by Yadda on Oct 19th, 2022 at 8:45pm

John_Taverner wrote on Oct 18th, 2022 at 8:51am:

Don't write down your passwords. Just convert something you'll remember to Base 16 or even Base 18 or some other obscure base. Then you can generate your password any time you want.

Security systems that require complex passwords force people to store their passwords on their computers, which makes them less secure.

123456789 becomes 194gh7f in Base 21


AustralianPoliticsForum in base 36 becomes 7iaf2dcf64d01dh87bd618ed46g in base 21

http://extraconversion.com/base-number

John_Taverner,

That system of a 'hands-on-generation' of a personal p/w code has potential.



Q.
What if the BASE CALCULATOR site you have used previously 'goes down' [is no longer available] ?

For 1/ consistent [same source calculation] and 2/ an 'always available' calculation, maybe we would have to D/L a stand alone BASE CALCULATOR tool [to your computer]?



Check out the base-36 to base-21 calculation from these 3 diff sites, for the code;
AustralianPoliticsForum

Two produced the same code.    But one calculated a completely different code from the other two !!!

That is worrying.

----- >

http://extraconversion.com/base-number#conversion
AustralianPoliticsForum base-36 to base-21
7iaf2dcf64d01dh87bd618ed46g

https://math.tools/calculator/base/36-21
AustralianPoliticsForum base-36 to base-21
7IAF2DCF64CKG7988EI2B7G35KG


https://www.asknumbers.com/BaseNumberConversion.aspx
AustralianPoliticsForum base-36 to base-21
7IAF2DCF64CKG7988EI2B7G35KG


1st, 2nd, 3rd...
7iaf2dcf64d01dh87bd618ed46g
7IAF2DCF64CKG7988EI2B7G35KG
7IAF2DCF64CKG7988EI2B7G35KG
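Worked example, added here by the editor and not posted by anyone in the thread or taken from any of the three calculator sites: an exact base conversion in Python, whose integers are arbitrary-precision, so it can serve as the "stand-alone calculator" asked about above and as a tie-breaker when web calculators disagree. A 23-digit base-36 string is a number around 10^35, far beyond the 2^53 that a double-precision (JavaScript Number) calculator can hold exactly, which is the usual reason one site's digits drift after the first dozen while the leading digits still agree. The function names `to_base`, `convert`, `same_code` and `loses_precision_as_double` are my own; the inputs are the two strings from John_Taverner's post.

```python
# Added example (editor's own, not code from the thread or from any of the
# calculator sites): exact base conversion using Python's arbitrary-precision
# integers, plus a check for why a browser-side calculator can get it wrong.

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"  # digit alphabet the sites share


def to_base(n: int, base: int) -> str:
    """Render a non-negative integer n in the given base (2..36), lowercase digits."""
    if not 2 <= base <= 36:
        raise ValueError("base must be between 2 and 36")
    if n < 0:
        raise ValueError("n must be non-negative")
    if n == 0:
        return "0"
    digits = []
    while n:
        n, remainder = divmod(n, base)   # peel off the least significant digit
        digits.append(DIGITS[remainder])
    return "".join(reversed(digits))


def convert(text: str, src_base: int, dst_base: int) -> str:
    """Re-express a digit string from src_base in dst_base, exactly (no float involved)."""
    return to_base(int(text, src_base), dst_base)


def same_code(a: str, b: str) -> bool:
    """Compare two calculator outputs ignoring letter case (sites differ only in convention)."""
    return a.strip().lower() == b.strip().lower()


def loses_precision_as_double(text: str, src_base: int) -> bool:
    """True when the value does not survive a round trip through a 64-bit float.
    A calculator that holds the number as a JavaScript Number will then print
    digits that are wrong beyond roughly the first 53 bits' worth."""
    n = int(text, src_base)
    return int(float(n)) != n


if __name__ == "__main__":
    # The two conversions from the post above, constructed here as inputs.
    print(convert("123456789", 10, 21))                # expected 194gh7f
    code = convert("AustralianPoliticsForum", 36, 21)
    print(code, len(code), "digits")
    print("exceeds double precision:", loses_precision_as_double("AustralianPoliticsForum", 36))
```

Two things worth noting when reading the output. First, `same_code` treats the uppercase and lowercase answers as equal, so only a genuinely different digit string counts as a disagreement between sites. Second, the result is fully determined by the memorable input and the chosen base, so it carries no more secrecy than the input itself; the conversion changes the form of the password, not how hard it is to guess.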



Title: Re: Password managers
Post by Sprintcyclist on Oct 19th, 2022 at 8:52pm

Carl D wrote on Oct 18th, 2022 at 10:22am:
I just keep all of my passwords in a text document which is encrypted with Windows 10 Professional's built-in encryption system.

I always use a Standard user account for daily use and that's the account I've encrypted the text document with. I can click on and open it exactly the same as if it wasn't encrypted and copy and paste my passwords when I'm logging in to forums such as this one, but I can only open it from the Standard account; I can't even open it from the main Administrator account.

You can see the lock symbol in the attached image.

And, I always have a different password for every place that I log in to online. Some people use the same password for everywhere - bad idea.

(Oh, "Thumbsup Horse" contains a link to a funny animation which I'm planning to use on aquascoot as soon as the opportunity presents itself).  [smiley=evil.gif]



Good idea

Title: Re: Password managers
Post by Dnarever on Oct 19th, 2022 at 11:09pm

Bobby. wrote on Oct 17th, 2022 at 8:08pm:

Setanta wrote on Oct 17th, 2022 at 8:05pm:
Never used something like wireshark?


No.

Wireshark for ethical hackers.

https://www.udemy.com/course/wireshark-for-ethical-hackers/


Wireshark is just a network-capable packet analyser; it isn't primarily a hacking tool. You need to set your interface to promiscuous mode to enable network packets to be captured. You will get the TCP/IP packets, which require a fair amount of knowledge to understand. I have never even looked at IP6 packets.

I remember when I was trained in TCP/IP, the trainer had been a contractor to NASA and the US military. He said that he intended to retire when IP 6 became prevalent. I have a fair idea of what is going on in an IP4 network, IP6 no idea.

Title: Re: Password managers
Post by Dnarever on Oct 19th, 2022 at 11:15pm

Carl D wrote on Oct 18th, 2022 at 10:22am:
I just keep all of my passwords in a text document which is encrypted with Windows 10 Professional's built-in encryption system.

I always use a Standard user account for daily use and that's the account I've encrypted the text document with. I can click on and open it exactly the same as if it wasn't encrypted and copy and paste my passwords when I'm logging in to forums such as this one, but I can only open it from the Standard account; I can't even open it from the main Administrator account.

You can see the lock symbol in the attached image.

And, I always have a different password for every place that I log in to online. Some people use the same password for everywhere - bad idea.

(Oh, "Thumbsup Horse" contains a link to a funny animation which I'm planning to use on aquascoot as soon as the opportunity presents itself).  [smiley=evil.gif]


Do you have an external copy of the encryption key and an external copy of the PW document?

BitLocker may store a backup key in your Microsoft account; you can have it in a document on your computer or on a USB drive (set up when BitLocker is activated). If on an Azure domain it can be in Azure AD and accessible by an admin.

Encryption is much better these days, but overall encrypted files and documents have probably lost well over ten times more documents than they have saved.

People have come to me with a bunch of critical encrypted files and no key.

With access to the original system you can occasionally recover the key if the disk was not the system failure but other than that it is game over.

Title: Re: Password managers
Post by Carl D on Oct 19th, 2022 at 11:28pm

Dnarever wrote on Oct 19th, 2022 at 11:15pm:
Do you have an external copy of the encryption key and an external copy of the PW document?


I don't have the encryption key but I do have 2 copies of the unencrypted text document saved on external drives.

I also have it printed out and hidden away in case of the unlikely event of losing all 3.

Title: Re: Password managers
Post by Dnarever on Oct 19th, 2022 at 11:45pm

Carl D wrote on Oct 19th, 2022 at 11:28pm:

Dnarever wrote on Oct 19th, 2022 at 11:15pm:
Do you have an external copy of the encryption key and an external copy of the PW document?


I don't have the encryption key but I do have 2 copies of the unencrypted text document saved on external drives.

I also have it printed out and hidden away in case of the unlikely event of losing all 3.


Sounds like how I would do it; they would in my case be unlikely to be always synced, but close enough in an emergency. If BitLocker and you use a Microsoft account, there may be a copy of the key there. You can go into BitLocker in Control Panel and back up the key from there.

Title: Re: Password managers
Post by Bobby. on Dec 24th, 2022 at 4:19pm
https://arstechnica.com/information-technology/2022/12/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info/


LastPass users: Your info and password vault data are now in hackers’ hands
Password manager says breach it disclosed in August was much worse than thought.

Dan Goodin - 12/23/2022, 9:43 AM

LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager's development environment and "took portions of source code and some proprietary LastPass technical information." The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren't affected.
Sensitive data, both encrypted and not, copied

In Thursday’s update, the company said hackers accessed personal information and related metadata, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses customers used to access LastPass services. The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba wrote, referring to the Advanced Encryption Scheme and a bit rate that’s considered strong. Zero Knowledge refers to storage systems that are impossible for the service provider to decrypt. The CEO continued:

    As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms,

