Leo Laporte Corrects 'CBS Sunday Morning' Segment on Passwords



[Things regarding LastPass]

 

LastPass: "We only had the salted hash in our database, so they'd have to guess the password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this they still don't have access to your actual encrypted data. We secured against this threat by locking down all user accounts. Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. To gain access, they have to prove to us that they are who they say they are by clicking on a link that we send them by email."

 

 

Yeah, to the LastPass cracker who somehow managed to get their hands on LastPass's database, ready for a brute-force session: Good luck, buddy.

According to you guys, that means nothing. Remember, just use this magical thing you call brute force and your master password is there for all to know. So which is it? Can't be both like you are claiming.

 

Not all of us 'guys' think that.


Okay really?  Have you ever used LastPass?  It is highly recommended by A LOT of people.  So that is ALMOST AS BAD as posting your passwords IN PLAIN TEXT on Facebook?  Okay....whatever you say.

 

For the people that use the same passwords over and over and over again, or have passwords like Tony96, LastPass is a good option since it generates a secure password that you do not need to memorize.  All you will need to do is remember ONE password.  And if you make just THAT ONE safe and secure, you do not have to worry about somebody getting into it.  Yes if you make your LastPass password Tony96 it would cause issues.

yup store your passwords online at lastpass and all a hacker has to do is hack lastpass and they will have all your passwords. :rofl:


LastPass: "We only had the salted hash in our database, so they'd have to guess the password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this they still don't have access to your actual encrypted data. We secured against this threat by locking down all user accounts. Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. To gain access, they have to prove to us that they are who they say they are by clicking on a link that we send them by email."

 

 

Yeah, to the LastPass cracker who somehow managed to get their hands on LastPass's database, ready for a brute-force session: Good luck, buddy.

 

Not all of us 'guys' think that.

That's my point. Brute force is not something that works like they seem to think it does. You will never be able to brute force your way into an online bank account. Mine locks up after 5 guesses and the only way to unlock it is to physically go to the bank. Brute force has no meaning. Like I said, it's great that a brute force attack in theory can make its way through millions of possible passwords, but it doesn't change the fact that in real life, a brute force gets less than 10 guesses.

yup store your passwords online at lastpass and all a hacker has to do is hack lastpass and they will have all your passwords. :rofl:

No they don't. They just have to do some social engineering for that one password and now they have all of your passwords. That simple. There is a reason you NEVER store your passwords in a central location. Nobody brute forces websites anymore. They use social engineering so they only "guess" once. You can't brute force a website that locks the account in less than 10 tries. It's just not happening.


That's my point. Brute force is not something that works like they seem to think it does. You will never be able to brute force your way into an online bank account. Mine locks up after 5 guesses and the only way to unlock it is to physically go to the bank. Brute force has no meaning. Like I said, it's great that a brute force attack in theory can make its way through millions of possible passwords, but it doesn't change the fact that in real life, a brute force gets less than 10 guesses.

 

Apparently you don't know how brute force works, the irony is staggering.


Apparently you don't know how brute force works, the irony is staggering.

You do know the internet is a thing right? Definitions are very easy to look up. Or just take a security course which so many people seem to not have done. But again, all of my passwords are clearly weak and bad. I mean, I don't know how I can live with myself constantly having to reset passwords because I just get hacked.....sooo....much... But again, social engineering and you have given all your passwords away because you thought writing them down in one location is somehow a good idea. Even Leo says that if you fall for that, all bets are off. You are arguing against the very guy you are trying to defend.


You do know the internet is a thing right? Definitions are very easy to look up. Or just take a security course which so many people seem to not have done.

 

They don't brute force a login form on a webpage, they dump the database and brute force the hashes (if they need to at all). Speaking of Google and learning...


They don't brute force a login form on a webpage, they dump the database and brute force the hashes (if they need to at all). Speaking of Google and learning...

So once again, you say that having a strong password means nothing. I can't believe people are on a tech site claiming that knowing how to make a strong password is a waste of time. The stupidity of that argument baffles me.

 

You do realize you just said that you agree that people should store all of their passwords in a single database for someone to dump and then brute force... you got that right? You just proved my point for me. You don't store all your passwords in one place.


So once again, you say that having a strong password means nothing. I can't believe people are on a tech site claiming that knowing how to make a strong password is a waste of time. The stupidity of that baffles me.

 

Are you literally avoiding everything I say and mixing me in with everyone else?

 

You're way out of your element here. The fact you continue to refer to these malicious people as 'hackers' just further strengthens my argument. Calm down, go back, read my wall of text on what a good password is (that oddly enough goes completely against what you just said that I said), understand I know a lot more on this subject than you do, and post a rational response showcasing your capability to admit in certain situations some people know more than you do. Or, continue to be a stubborn child and pretend you can talk to the grown-ups.

 

You're wrong, I'm sorry. This isn't about me winning, it's about the proper information being propagated on a website devoted to these types of things. Please, stop trying. 


So once again, you say that having a strong password means nothing. I can't believe people are on a tech site claiming that knowing how to make a strong password is a waste of time. The stupidity of that argument baffles me.

Passwords generated by LastPass are not common words (or variations of common words) that a brute force using word lists can easily generate. So for those who do not/cannot remember those awesome algorithms that alter easily remembered terms/words/whatever, services such as LastPass may be good enough.


Passwords generated by LastPass are not common words (or variations of common words) that a brute force using word lists can easily generate. So for those who do not/cannot remember those awesome algorithms that alter easily remembered terms/words/whatever, services such as LastPass may be good enough.

 

eS2k956R85eKoBs


Are you literally avoiding everything I say and mixing me in with everyone else?

 

You're way out of your element here. The fact you continue to refer to these malicious people as 'hackers' just further strengthens my argument. Calm down, go back, read my wall of text on what a good password is (that oddly enough goes completely against what you just said that I said), understand I know a lot more on this subject than you do, and post a rational response showcasing your capability to admit in certain situations some people know more than you do. Or, continue to be a stubborn child and pretend you can talk to the grown-ups.

 

You're wrong, I'm sorry. This isn't about me winning, it's about the proper information being propagated on a website devoted to these types of things. Please, stop trying. 

I read what you said and that's what it translates to in the real world. If they dump the database, then the password strength will no longer matter. Just the number of computers they have to brute force it. You are once again left with the only issue I really have. You don't ever store all of your passwords in one location. You claim to know about security and you still agree with storing all of your passwords in one location?

 

Also, I never claimed to know everything about anything. That is just one of the basic truths that everyone knows. Storing all of them in one location means one person has to screw up and all of your passwords are out in the open. Every single year we hear about websites having their entire database downloaded. Yet magically this one website is so hacker proof that you can trust anything and everything you own to it. How is that sound advice? You claim to know about security, which means you should know better.

 

Also, I use the term hacker because most people here don't care to distinguish between cracker, script kiddie, white hat or black hat hackers.


Passwords generated by LastPass are not common words (or variations of common words) that a brute force using word lists can easily generate. So for those who do not/cannot remember those awesome algorithms that alter easily remembered terms/words/whatever, services such as LastPass may be good enough.

Again, it has absolutely nothing to do with the password it generates and everything to do with all of those generated passwords being in one place. If you are so forgetful that you have to write down your passwords, you never put them all in one place ever. That logic is right there with putting it on your desk on a piece of paper. You are betting that nobody will ever get to it even though you have no way of knowing it, except you've made it worse because it's not just one password to one place, it's every single password you have to your entire life.


I read what you said and that's what it translates to in the real world. If they dump the database, then the password strength will no longer matter. Just the number of computers they have to brute force it. You are once again left with the only issue I really have. You don't ever store all of your passwords in one location. You claim to know about security and you still agree with storing all of your passwords in one location?

 

Also, I never claimed to know everything about anything. That is just one of the basic truths that everyone knows. Storing all of them in one location means one person has to screw up and all of your passwords are out in the open. Every single year we hear about websites having their entire database downloaded. Yet magically this one website is so hacker proof that you can trust anything and everything you own to it. How is that sound advice? You claim to know about security, which means you should know better.

 

The difference between sites who have all their passwords dumped and LastPass is, the information on LastPass is encrypted up the ass. Yes throwing computers at that will speed it up. So now instead of taking 200 years it will take 190 years.


The difference between sites who have all their passwords dumped and LastPass is, the information on LastPass is encrypted up the ass. Yes throwing computers at that will speed it up. So now instead of taking 200 years it will take 190 years.

And the bigger difference is that you don't have to decrypt all the data. You only have to decrypt one password that gives you access to the rest. On another site, you decrypt the data and you have information about one user and one password. In this case, that one password means every password for that user on every site is now yours. Spend a year getting your one password and now they have 280 of your passwords.


Hell, I will make it simple because everyone is still using the most complicated path. Social engineering. Send out a few hundred thousand phishing emails and end up with someone's LastPass account info. Account info that potentially contains someone's entire life. There is a reason phishing attacks are so popular and there is a reason one of the basic rules for security is never store your passwords in one place.


Again, it has absolutely nothing to do with the password it generates and everything to do with all of those generated passwords being in one place. If you are so forgetful that you have to write down your passwords, you never put them all in one place ever. That logic is right there with putting it on your desk on a piece of paper. You are betting that nobody will ever get to it even though you have no way of knowing it, except you've made it worse because it's not just one password to one place, it's every single password you have to your entire life.

 

You seem to think that if you get the database then you get the passwords.... This is not correct. You will now need to crack every single hash in that database, and considering that hash derives from a complex password generated by LastPass the probability of you even cracking one person's password is so low that it basically amounts to zero.

 

For example, let's say my password from LastPass is: N*&nH839j879h&*N which hashed with a salt in the LastPass Database is say 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 when hashed with some random salt. Now, the way in which a cracker would go about finding this password is:

 

First they know the hash, since they have the database. They now need to figure out which string of characters generates that hash (once they find that then they have your password, or a statistically unlikely variation that also generates that identical hash). They do this by first making some assumptions about your password and using that logic applied to brute forcing certain traditional formations of typical passwords. The problem here is nothing is typical, LastPass uses a weird non-human-like password, so basically no assumptions can be made, they need to crack each ASCII character in a size up to the max password size LastPass creates (I don't know what that is, let's assume it's 16).

 

Now let's apply the number of permutations from the maximum string size and figure out how long it'll take to crack a SINGLE password in LastPass's database assuming they generated a 16-character password.... Hmm not a year, not 100 years, not a million years....Not a hundred million years..... damn this number is getting large... Per password....

 

How likely is it that that password is yours? Well, how many people use LastPass * AverageAmountOfPasswordsPerPerson

 

You're right, that's terribly insecure....

 

You're welcome.

 

EDIT: This is assuming within the billion years LastPass doesn't change their salt.
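The post above reasons about keyspace size and crack time by hand. The following is an added example, not code from the original thread or from LastPass, that carries the same estimate through for the two passwords discussed here ("Tony96" and "N*&nH839j879h&*N"). The guess rate of 1e9 hashes per second and the optional work factor for an iterated salted hash are assumptions, not figures from the page.

```python
import string

# Standard character classes a password generator can draw from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the smallest union of standard classes that covers the password.

    This is what a guesser must assume once it knows the generator's policy,
    so it is a lower bound on the real search space: fine for a defender's estimate.
    """
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Number of candidate strings of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def expected_guesses(password: str) -> float:
    """An exhaustive search hits the target, on average, halfway through the space."""
    return keyspace(password) / 2


def expected_years(password: str, hashes_per_second: float,
                   work_factor: int = 1) -> float:
    """Expected wall-clock time to recover the password from its stored hash.

    hashes_per_second: the attacker's raw hash throughput (an assumed figure).
    work_factor: hash iterations per guess when the stored value is an iterated,
    salted hash; it divides the effective guess rate, which is the point of
    stretching the master password on the server side.
    """
    guesses_per_second = hashes_per_second / work_factor
    seconds = expected_guesses(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(hashes_per_second: float = 1e9, work_factor: int = 1) -> dict:
    """Side-by-side estimate for the two password styles argued about in the thread."""
    samples = {
        "weak": "Tony96",                 # the human-chosen example from the thread
        "generated": "N*&nH839j879h&*N",  # the 16-character generated example
    }
    return {name: expected_years(pw, hashes_per_second, work_factor)
            for name, pw in samples.items()}


if __name__ == "__main__":
    for name, years in compare().items():
        print(f"{name:>9}: about {years:.3g} years of search at 1e9 hashes/s")
    # Same attacker, but the stored value is a 100000-iteration hash.
    for name, years in compare(work_factor=100_000).items():
        print(f"{name:>9}: about {years:.3g} years with a 100000x work factor")
```

The weak sample falls in under a minute at this rate even with a mixed-case alphabet, while the generated one sits many orders of magnitude beyond any practical budget; the work factor helps both, but only the long random password makes the gap unbridgeable.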


You seem to think that if you get the database then you get the passwords.... This is not correct. You will now need to crack every single hash in that database, and considering that hash derives from a complex password generated by LastPass the probability of you even cracking one person's password is so low that it basically amounts to zero.

 

For example, let's say my password from LastPass is: N*&nH839j879h&*N which hashed with a salt in the LastPass Database is say 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 when hashed with some random salt. Now, the way in which a cracker would go about finding this password is:

 

First they know the hash, since they have the database. They now need to figure out which string of characters generates that hash (once they find that then they have your password, or a statistically unlikely variation that also generates that identical hash). They do this by first making some assumptions about your password and using that logic applied to brute forcing certain traditional formations of typical passwords. The problem here is nothing is typical, LastPass uses a weird non-human-like password, so basically no assumptions can be made, they need to crack each ASCII character in a size up to the max password size LastPass creates (I don't know what that is, let's assume it's 16).

 

Now let's apply the number of combinations in a formula to the maximum string size and figure out how long it'll take to crack a SINGLE password in LastPass's database assuming they generated a 16-character password.... Hmm not a year, not 100 years, not a million years....Not a hundred million years..... damn this number is getting large... Per password....

 

How likely is it that that password is yours? Well, how many people use LastPass * AverageAmountOfPasswordsPerPerson

 

You're right, that's terribly insecure....

 

You're welcome.

Why are you trying to hack the passwords that are stored on the account? You are making it intentionally hard for no reason. You get the password for the account and you have free rein. The password that is not "a weird non-human password", so your entire logic about how a traditional formation is not usable is out the window. You are hung up on the fact that only the generated passwords are overly secure. Not the account password. Stop going for the hard stuff and get the low hanging fruit. Like I said, you store all your passwords in one place and then a phishing email gets you. All lost. We are not hacking every single password like you are trying to argue. We are hacking the one single LastPass account password. The one that Whiplash claims is Tony96, not some 16 character random string.


The passwords are encrypted.

 

1. Make your own account and password with them and crack your own knowing the outcomes. Encryption is not as hard as people think. And with a goldmine like that database, the resources would be used to do it. I think people watched a few too many movies and think encryption is magic. Do you really think that a free website uses extremely expensive methods of encryption? Please keep it in reality here, not this fantasy world where brute force attacks work on websites, phishing emails don't exist or work, and encryption is 100% secure.

2. You are still avoiding telling me how putting your passwords all on one site is safe when one phishing email makes you lose it all.

 

Remember, we are talking about people who are bad with passwords to begin with because of people like Leo who are claiming you shouldn't waste your time learning how to make a good password. These are the exact same people uneducated enough to fall for phishing emails and the argument here is these same people should store all of their information in one location.


You are still avoiding telling me how putting your passwords all on one site is safe when one phishing email makes you lose it all.

 

When did I say it was safe? I said it is usually safe enough.

 

I'm going to be honest with you, I'm done with this conversation, I've contributed much more than I needed to and I feel as if walking away is the only proper course of action. If you want to feel like you're right, then no one is going to stop you (in your eyes). I think you're wrong.


When did I say it was safe? I said it is usually safe enough.

 

I'm going to be honest with you, I'm done with this conversation, I've contributed much more than I needed to and I feel as if walking away is the only proper course of action. If you want to feel like you're right, then no one is going to stop you (in your eyes). I think you're wrong.

You said it when you entered into the conversation because that is what it has been about this entire time. Storing all your passwords in one place so that once your account is compromised, you lose it all. You think I am wrong that all it takes is a single successful phishing attack and you lose everything? Come on now, you are just arguing for the sake of arguing.


Well, of course it is not a good decision if you make your LastPass password Tony96.  That is not a secure password.  That is the point.  Instead of doing things the RIGHT WAY for dozens and dozens of sites (which the general user will NOT do), they only have to do the RIGHT THING for ONE....ONE site.  Change the password every so often, make your LastPass something like buybUYGU*&G87o.

 

Why are you arguing against LastPass?  Is it their fault if people make their LastPass an easy password like Tony96 (which I think they will not allow since it is not safe enough)?

 

Is it LastPass's fault if you give out that password due to social engineering?

 

You do know that most people use the same password right?  So if somebody gives out their gmail password due to social engineering, chances are they would have used that same password elsewhere.

 

It is not a fault of LastPass.  That is why Leo specifically said make the LastPass master password a SAFE and SECURE password.  All you need to do is make ONE really safe and really secure password.  Change it every so often.  Just ONE.  Instead of telling people to make hundreds of secure passwords, which they would write down.


You said it when you entered into the conversation because that is what it has been about this entire time. Storing all your passwords in one place so that once your account is compromised, you lose it all. You think I am wrong that all it takes is a single successful phishing attack and you lose everything? Come on now, you are just arguing for the sake of arguing.

 

 

Personally, I use RoboForm and not LastPass. But as far as social engineering goes there are 2 separate passwords. 1 password for syncing and logging into your RoboForm account. The 2nd password is of course the master password. I can't really see how I'd ever get social engineered to give up my syncing password. The only time I ever use it is to configure RoboForm on a new device.

 

People who use RoboForm or LastPass are accustomed to pulling down the list of sites they have saved passwords for and choosing the site they wish to log into. It then takes them to the correct site and puts in their password. If they go to a site which wants their login information they go up to the toolbar and if on the correct site (example: Paypal.com) the name PayPal will appear for you to have the RoboForm or LastPass toolbar put in your login information.

 


 

If you are on paypall.com the name "PayPal" would not appear in the toolbar for you to log in, because the domain would not match, thus protecting you from social engineering. Because these programs generate passwords that the user does not know, they rely on the toolbar. They can't blindly enter information into a phishing website because they have no idea what their password is. They would have to use the toolbar and if the domain doesn't match you know something is up real quick.

 


 

In the case of RoboForm, for someone to get social engineered, they would have to land on a fake site, see the name PayPal is not there, go out of their way to go into their password list, edit their passcard, enter their master password, copy the password and manually paste it into the fake site. If someone is that fracking stupid all hope is lost.
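The post above describes the domain check a password manager toolbar performs before offering a saved login. The following is an added example, not RoboForm's or LastPass's code, showing the check that makes "paypall.com" and the subdomain and user@host tricks come up empty; the vault contents and the function names are constructed for the demonstration.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def page_host(url: str) -> Optional[str]:
    """Hostname of the page the user is actually on, normalised for comparison.

    urlsplit resolves the 'user@host' trick for us: for
    http://www.paypal.com@evil.example/ the hostname is evil.example.
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def saved_entry_applies(url: str, saved_domain: str) -> bool:
    """Offer a stored credential only when the page host is the saved domain
    or a subdomain of it.

    A plain suffix test is not enough: the match must fall on a label boundary,
    so paypal.com.evil.example (saved domain in the middle) and paypall.com
    (one extra letter) are both rejected.
    """
    host = page_host(url)
    saved = saved_domain.lower().rstrip(".")
    if host is None or not saved:
        return False
    return host == saved or host.endswith("." + saved)


def entries_for_page(url: str, vault: Dict[str, str]) -> List[str]:
    """Names of vault entries whose saved domain matches the current page."""
    return [name for name, domain in vault.items()
            if saved_entry_applies(url, domain)]


# Constructed vault for the demonstration: entry name -> saved domain.
DEMO_VAULT = {"PayPal": "paypal.com", "Bank": "bank.example"}


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin",
                "https://www.paypall.com/signin",
                "https://paypal.com.evil.example/signin",
                "http://www.paypal.com@evil.example/signin"):
        offered = entries_for_page(url, DEMO_VAULT) or ["nothing offered"]
        print(f"{url:45} -> {', '.join(offered)}")
```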



I have a different password for every website and all of them are similar but have a specific variation based on the website.

 

I heard this question on the latest Q&A of Security Now and thought of you :)

 

Leo: Marcus in Calgary is wondering about making his own secure passwords: I saw somebody suggest that you use a personalized set of rules when making passwords. That way you just have to know the rules, and you can figure out what the password was. For example, say I sign up with Amazon, and I set up these rules - and of course these are just example rules: Take first seven letters from the name of website after the www. and before the next dot. If less than seven letters, then just add 1, 2, 3, and so forth. Place a 5 between each character from Step 1. Replace all vowels with FluffyKitty27. If there are no vowels, just place FluffyKitty27 at the end. And then add a bang, an exclamation mark, after every lowercase or uppercase "F." What do you think, good way to generate a secure password?

Steve: Okay. That would be a good way to generate exactly one secure password. Because the problem is, anyone who were to capture that password, if Amazon.com were to lose control of their database...

Leo: Which happens all the time. Not with Amazon, but with others.

Steve: Not with Amazon, but unfortunately it's all too common. They could scrutinize that, knowing what domain it came from, and reverse engineer your funky little algorithm. That's why I went to all the trouble of developing the Off The Grid system, which I still need to finish the - it's all done, I mean, it's all documented. We did a podcast on it and everything. I just never took the pages public because I wanted to give it one final reading and solve a couple other - and, like, beef up the FAQ a little bit further.

But the whole concept with Off The Grid was that it was a similarly non-computer - it was an experiment. Can I develop a paper-based approach where each website encodes to something completely unique so that seeing one of them tells you nothing about any of the others. And so that's - certainly using a pseudorandom sequence and a database gives you that, no association between them. My system was a cryptographic, a paper-based cryptographic association which was strong cryptographically.

But the problem, Marcus, with your approach is that, as we said, if you saw one or a couple, you could figure out what the algorithm was and then guess your password for some other website in order to break in. And that's the weakness.

Leo: Yeah. You know, you don't have to stretch too far. It's well known how to do this. Get LastPass, which you've vetted.

Steve: Yup.

Leo: And, boy, the more I use it, the more I love it.

Steve: Same way. It is my go-to solution.

Leo: Have it generate completely random long passwords.

Steve: And then it remembers them.

Leo: And let it remember them. You don't have to. I don't know my password for anything anymore except LastPass. And that's one where you could make it something that you can generate, and that's what I do.

Steve: Really screwball.

Leo: You know, I'll use this as an example because I read it once, and I certainly don't use it. But if you go through the last eight presidents, let's say, or make it 16 presidents of the United States, uppercase the Republicans, lowercase the Democrats, and then add a number for the number of years their term stretched, now, that's a good example of you're going to have a nice long password.

Steve: And we're going to give you an "A" in political science if you're even able to do that.

 

