
Leo Leporte Corrects 'CBS Sunday Morning' Segment on Passwords

52 replies to this topic

#46 Garnet H.

Garnet H.

    astropheed

  • 1,620 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 16 July 2013 - 05:20

You are still avoiding telling me how putting your passwords all on one site is safe when one phishing email makes you lose it all.

 

When did I say it was safe? I said it is usually safe enough.

 

I'm going to be honest with you, I'm done with this conversation, I've contributed much more than I needed to and I feel as if walking away is the only proper course of action. If you want to feel like you're right, then no one is going to stop you (in your eyes). I think you're wrong.




#47 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 16 July 2013 - 05:23

When did I say it was safe? I said it is usually safe enough.

 

I'm going to be honest with you, I'm done with this conversation, I've contributed much more than I needed to and I feel as if walking away is the only proper course of action. If you want to feel like you're right, then no one is going to stop you (in your eyes). I think you're wrong.

You said it when you entered into the conversation because that is what it has been about this entire time. Storing all your passwords in one place so that once your account is compromised, you lose it all. You think I am wrong that all it takes is a single successful phish attack and you lose everything? Come on now, you are just arguing for the sake of arguing.



#48 xWhiplash

xWhiplash

    Neowinian Senior

  • 1,587 posts
  • Joined: 07-March 08

Posted 16 July 2013 - 12:41

Well, of course it is not a good decision if you make your LastPass password Tony96.  That is not a secure password.  That is the point.  Instead of doing things the RIGHT WAY for dozens and dozens of sites (which the general user will NOT do), they only have to do the RIGHT THING for ONE... ONE site.  Change the password every so often, make your LastPass something like buybUYGU*&G87o.

 

Why are you arguing against LastPass?  Is it their fault if people make their LastPass an easy password like Tony96 (which I think they will not allow since it is not safe enough)?

 

Is it LastPass's fault if you give out that password due to social engineering?

 

You do know that most people use the same password right?  So if somebody gives out their gmail password due to social engineering, chances are they would have used that same password elsewhere.

 

It is not a fault of LastPass.  That is why Leo specifically said to make the LastPass master password a SAFE and SECURE password.  All you need to do is make ONE really safe and really secure password.  Change it every so often.  Just ONE.  Instead of telling people to make hundreds of secure passwords, which they would write down.



#49 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 25,876 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 16 July 2013 - 13:59

You said it when you entered into the conversation because that is what it has been about this entire time. Storing all your passwords in one place so that once your account is compromised, you lose it all. You think I am wrong that all it takes is a single successful phish attack and you lose everything? Come on now, you are just arguing for the sake of arguing.

 

 

Personally, I use RoboForm and not LastPass. But as far as social engineering goes there are 2 separate passwords. 1 password for syncing and logging into your RoboForm account. The 2nd password is of course the master password. I can't really see how I'd ever get social engineered into giving up my syncing password. The only time I ever use it is to configure RoboForm on a new device.

 

People who use RoboForm or LastPass are accustomed to pulling down the list of sites they have saved passwords for and choosing the site they wish to log into. It then takes them to the correct site and puts in their password. If they go to a site which wants their login information, they go up to the toolbar and, if on the correct site (example: Paypal.com), the name PayPal will appear for you to have the RoboForm or LastPass toolbar put in your login information.

 


 

If you are on paypall.com the name "Paypal" would not appear in the toolbar for you to log in, because the domain would not match, thus protecting you from social engineering. Because these programs generate passwords that the user does not know, they rely on the toolbar. They can't blindly enter information into a phishing website because they have no idea what their password is. They would have to use the toolbar, and if the domain doesn't match you know something is up real quick.

 


 

In the case of RoboForm, for someone to get social engineered, they would have to land on a fake site, see the name PayPal is not there, go out of their way to go into their password list, edit their passcard, enter their master password, copy the password and manually paste it into the fake site. If someone is that fracking stupid all hope is lost.



#50 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 25,876 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 05 August 2013 - 15:30

I have a different password for every website and all of them are similar but have a specific variation based on the website.

 

I heard this question on the latest Q&A of Security Now and thought of you :)

 

Leo: Marcus in Calgary is wondering about making his own secure passwords: I saw somebody suggest that you use a personalized set of rules when making passwords. That way you just have to know the rules, and you can figure out what the password was. For example, say I sign up with Amazon, and I set up these rules - and of course these are just example rules: Take first seven letters from the name of website after the www. and before the next dot. If less than seven letters, then just add 1, 2, 3, and so forth. Place a 5 between each character from Step 1. Replace all vowels with FluffyKitty27. If there are no vowels, just place FluffyKitty27 at the end. And then add a bang, an exclamation mark, after every lowercase or uppercase "F." What do you think, good way to generate a secure password?

Steve: Okay. That would be a good way to generate exactly one secure password. Because the problem is, anyone who were to capture that password, if Amazon.com were to lose control of their database...

Leo: Which happens all the time. Not with Amazon, but with others.

Steve: Not with Amazon, but unfortunately it's all too common. They could scrutinize that, knowing what domain it came from, and reverse engineer your funky little algorithm. That's why I went to all the trouble of developing the Off The Grid system, which I still need to finish the - it's all done, I mean, it's all documented. We did a podcast on it and everything. I just never took the pages public because I wanted to give it one final reading and solve a couple other - and, like, beef up the FAQ a little bit further.

But the whole concept with Off The Grid was that it was a similarly non-computer - it was an experiment. Can I develop a paper-based approach where each website encodes to something completely unique so that seeing one of them tells you nothing about any of the others. And so that's - certainly using a pseudorandom sequence and a database gives you that, no association between them. My system was a cryptographic, a paper-based cryptographic association which was strong cryptographically.

But the problem, Marcus, with your approach is that, as we said, if you saw one or a couple, you could figure out what the algorithm was and then guess your password for some other website in order to break in. And that's the weakness.

Leo: Yeah. You know, you don't have to stretch too far. It's well known how to do this. Get LastPass, which you've vetted.

Steve: Yup.

Leo: And, boy, the more I use it, the more I love it.

Steve: Same way. It is my go-to solution.

Leo: Have it generate completely random long passwords.

Steve: And then it remembers them.

Leo: And let it remember them. You don't have to. I don't know my password for anything anymore except LastPass. And that's one where you could make it something that you can generate, and that's what I do.

Steve: Really screwball.

Leo: You know, I'll use this as an example because I read it once, and I certainly don't use it. But if you go through the last eight presidents, let's say, or make it 16 presidents of the United States, uppercase the Republicans, lowercase the Democrats, and then add a number for the number of years their term stretched, now, that's a good example of you're going to have a nice long password.

Steve: And we're going to give you an "A" in political science if you're even able to do that.
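Marcus's rule set from the transcript, implemented as an added example (not code from the podcast or from anyone in this thread) to make Steve's point concrete: every character of the output except the letters copied from the public hostname is fixed by the rules, so once the rules are known, a password for one site hands back the label of any other. Where the transcript is ambiguous (padding stops at seven characters, vowel replacement runs after the 5s are inserted, lowercase vowels only), the code states the assumption in a comment.

```python
import re
import secrets
import string

# Constants taken from the rules quoted in the transcript.
VOWELS = set("aeiou")          # assumption: lowercase hostnames, 'y' not a vowel
TOKEN = "FluffyKitty27"

def site_label(hostname):
    """Rule 1: the label after 'www.' and before the next dot, first seven
    letters; a shorter label is padded with 1, 2, 3, ... (assumption: padding
    stops once the label is seven characters long)."""
    host = hostname.lower()
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".")[0][:7]
    digit = 1
    while len(label) < 7:
        label += str(digit)
        digit += 1
    return label

def derive_password(hostname):
    """Rules 1 to 4 applied in the order Marcus gives them."""
    label = site_label(hostname)
    spaced = "5".join(label)                                   # rule 2
    if any(c in VOWELS for c in label):                        # rule 3
        spaced = "".join(TOKEN if c in VOWELS else c for c in spaced)
    else:
        spaced += TOKEN                                        # no-vowel case
    return re.sub(r"([fF])", r"\1!", spaced)                   # rule 4

def recover_label(password):
    """Undo rules 4, 3 and 2 once the rules are known. Every vowel became the
    same TOKEN, so each comes back as '_'; everything else is recovered exactly."""
    s = password.replace("!", "")            # hostnames contain no '!'
    s = s.replace(TOKEN, "_")
    # A seven-character label joined with 5s is 13 characters; the no-vowel
    # case appended TOKEN (now '_'), making it 14, so parity tells them apart.
    if len(s) % 2 == 0:
        s = s[:-1]
    return s[::2]                            # drop the 5 separators

def random_password(length=20):
    """What Leo and Steve recommend instead: a generated password with no
    structure to recover, remembered by the manager rather than re-derived."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for host in ("www.amazon.com", "www.xyz.com"):
        pw = derive_password(host)
        print(host, pw, "->", recover_label(pw))
    print(random_password())
```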

 



#51 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 05 August 2013 - 17:19

Too simplistic. Why do people always use strawmen for their arguments?



#52 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 25,876 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 07 August 2013 - 04:49

Too simplistic. Why do people always use strawmen for their arguments?

 

I thought he explained it perfectly.



#53 ILikeTobacco

ILikeTobacco

    Neowinian Senior

  • 4,789 posts
  • Joined: 08-July 10

Posted 07 August 2013 - 13:09

I thought he explained it perfectly.

He definitely explained it, but the method of coming up with a password he listed is bad. If you can look at the password and figure out the pattern, it is too simplistic and pointless.




