My email was hacked on Sunday... my beloved realised this...(as he received an email apparently from me in the Ukraine...asking for money.)
We tried to warn all the people on my contacts list ..that I wasn't stranded in the Ukraine having had all my money etc stolen at GUN point...and begging friends to send money so that we and the family could return home...however the hackers had jammed my account...and I was unable to send or receive. I received many kind telephone calls telling me that I'd been hacked...but one friend made the mistake of answering the email and saying that she was sure it was a scam...to which the hackers replied that it really wasn't and that although some money had been sent...it wasn't enough!!!
I managed to put a message on facebook warning my friends...and eventually my beloved deleted my old email account details...and set me up with a new one. However it's been a long winded task...emailing every one with my new email address.
Fortunately my bank details were not tampered with...but please if the same thing happens to you...and you receive an email asking for help from one of your friends...don't reply...as this gives the hackers access into your contacts.
I've changed my details here on SFN...so hopefully this will be back to normal.
Here's the next worry....
John, they don't have my password. Indeed they never do, not my LastPass master password and not any of my other passwords either. All of that is encrypted locally on my PC or tablet.
I have read the detailed analyses of how it works, and it's very secure. I'd much rather take the very low risk that something goes wrong and have the benefit of different strong passwords for every site I visit than the much bigger risk of problems if I use the same passwords across multiple sites.
The difference with LastPass is that you know that what you send them is encrypted. With any other site to which you send your password you usually have little clue how it is transmitted and more importantly how it is stored.
Ian, I am always dubious of doing anything like that, giving a web site your password to work out how easy it is to crack. It's a lot easier now they have your password!
Yes, if you've encrypted it yourself, and you are not at all using the cloud, it will be, but once you use a generator, algorithm, or online, or buyable encryption system, you cannot say you're not 100 percent safe.
But not everyone can write code.
Even your nifty calculator states in large lettering that all passwords are crackable.
Incidentally if anyone wants to see how long their password will take to crack then this calculator will tell you. Watch how the time increases as you add different character types, and as you add characters.
Zoe, no, I disagree. Password hashes and encryption are two different things.
If you know what the hashed password is, and if there was salt that you know what that was too, then you can brute force crack it by simply trying all possible variations of the first character, then all possible characters at position 2 for all possibles at position 1, then all possibles for char 3 for all possible combinations of char 1 and char 2 etc etc. The thing is that you know what the end result looks like, and you are trying to find the input that gets you there. If there was salt and you don't know what that was then I doubt you could brute force the password.
Bear in mind that the brute force time gets exponentially longer as you add each character.
For example, these are estimates of brute force times using one hundred trillion guesses per second:
ABC999-a : 1.12 minutes
ABC999-ab : 1.77 hours
ABC999-abc : 1.00 weeks
ABC999-abcd : 1.83 years
ABC999-abcde : 1.74 centuries
ABC999-abcdef : 165 centuries
So it's not that hard to make a password unfeasibly difficult to brute force. Note that I have upper and lower case and symbols and digits.
That's hashing.
Encryption is quite different because in order to crack it you need to do it the easy way and get hold of the keys - which the NSA does for some stuff - or you need a back door in the algorithm - which the NSA has succeeded in doing for SSL - or you need to know what at least some of the cleartext looks like.
If you have taken some piece of ordinary text and encrypted it with your own strong PGP keys, which have never left your PC, then it will be essentially impossible to crack.
It's kind of academic. It's like your car. If someone wants it badly enough they'll steal it. If the NSA or whomever want your stuff badly enough then it's likely they will find a way somehow. But that way is very unlikely to involve decryption through brute force if you take the right steps, and that's exactly why the NSA hangs on to encrypted stuff that it can't read today in case something changes in future and either they have some amazing breakthrough on the maths of cryptography OR they get the keys somehow.
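As an added example (mine, not from the thread or from the calculator's author), this Python reproduces the search-space arithmetic behind the brute-force table above and generalises it to any mix of character classes. It assumes the calculator's conventions: the attacker exhausts every length up to the password's length, the symbol class has 33 characters (32 ASCII symbols plus space), and a year is 52 weeks; together these give exactly the quoted figures.

```python
import string

# The "one hundred trillion guesses per second" scenario used for the table.
GUESSES_PER_SECOND = 100_000_000_000_000

# Character classes and the alphabet size each contributes once present.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # 32 ASCII symbols plus space
)

# Unit ladder for rendering durations. Assumption: a year is 52 weeks, which
# is the convention that reproduces the quoted figures exactly.
UNITS = (("minutes", 60), ("hours", 60), ("days", 24),
         ("weeks", 7), ("years", 52), ("centuries", 100))

def alphabet_size(password: str) -> int:
    """Alphabet the attacker must assume: every class with a member present."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))

def search_space(alphabet: int, length: int) -> int:
    """Candidates tried when exhausting every length from 1 up to `length`."""
    return sum(alphabet ** k for k in range(1, length + 1))

def seconds_to_crack(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at `rate` guesses/second."""
    return search_space(alphabet_size(password), len(password)) / rate

def human_time(seconds: float) -> tuple:
    """Climb the unit ladder while the value stays >= 1; 3 significant figures."""
    value, name = seconds, "seconds"
    for unit, factor in UNITS:
        if value / factor < 1:
            break
        value, name = value / factor, unit
    return float(f"{value:.3g}"), name

def crack_table(passwords):
    """Rows of (password, value, unit), e.g. ("ABC999-a", 1.12, "minutes")."""
    return [(p,) + human_time(seconds_to_crack(p)) for p in passwords]

if __name__ == "__main__":
    # Same passwords as the table above, plus a lowercase-only one of the same
    # length to show that character variety matters as well as length.
    for row in crack_table(["ABC999-a", "ABC999-ab", "ABC999-abc", "ABC999-abcd",
                            "ABC999-abcde", "ABC999-abcdef", "abcdefgh"]):
        print("%-14s : %s %s" % row)
```

The lowercase-only "abcdefgh" exhausts in a few milliseconds at the same guess rate, which is the point of the "watch how the time increases as you add different character types" advice.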
Ian, you said it yourself "then they cannot decrypt that except using brute force"... If someone capable of finding your password actually wants it, they WILL have it. Even with PGP. When it comes to brute force, with a GPU, it can often prove easy as pie.
David, take a look at LastPass (www.lastpass.com) or Keepass.
They both help you to manage all these passwords. Personally I use LastPass, and find it does the job very well.
I did a check today and found that I have over 60 passwords/codes etc. No wonder I thought life was becoming difficult. I sort of grade them into most secure down to why do I really need a password on this. Of course I can't remember them all anyway. Maybe we should all write in vpfr?
Exactly John. Safest is to use a different password for every site, and never ever use your email password as a password for any other.
Apologies as I haven't read the whole thread but here is a true story.
The French Expo that takes place each year in London, sponsored by another well known forum, advertised for tickets. They wanted loads of information (presumably to be sold on) and I got a little fed up. I made my password "Piss off with all the questions". A few days later I needed to call the company with the tickets to add one extra. I said "Sorry, I can't remember my password" (I was out shopping at the time). "Oh, it's Piss off with all the questions," the girls said, "we all had a good laugh at that."
So when you actually join these things don't assume any of your information is private.
They do not have the capability to decrypt everything. If you use your own key with PGP or something like that then they cannot decrypt that except using brute force. If you use a long key it's impossible to crack.
Where they can decrypt everything, we think, is SSL because the NSA forced RSA to use a compromised random number generator in their security suite. But that's SSL, it's not by any means any and all encryption.
They HAVE the capability to decrypt already.
We're all screwed if we're opening phishing scams, drinking Kool-Aid, and watching the mainstream media.
Yeah, well we're all screwed. One way or another.
The good thing about encrypting your stuff though is that the NSA keep those bits for later, because they reason that you must have encrypted for a reason, and so they will hang on to the stuff in case they acquire a capability to decrypt it at some point in the future.
The reason companies like that get hacked is to try to get them to take security seriously, all major hackings are done for the same two reasons, people want to see how easy it is, and prove security is lax, or they want to teach the company a lesson.
The NSA have Google in their pocket, the showboating about being "pissed off" is tosh. Google, YouTube, Facebook, and many others are pandering to the NSA in terms of propaganda, censorship, and giving out user information.
It's not because they're 'Murikan, it's simply because they have weak people at the top of management.
I agree that they're not after your password, that's too pointless a goal, but the information that you can gain once you have a person's password is key. Phish someone a fake Facebook front page, and you have a mine of information, and almost limitless control over their account, and to some degree, their life.
Get someone's sign on credentials for their bank, and you can pretty much wire money, change the address, or simply have their TV/phone/electricity companies cut off, just for fun.
Most hackers are happy to send pizza deliveries to their victims... the real people to look out for are the people paid by your taxes to monitor your calls, mails and texts.
Having read how it works I'm pretty happy that the security of my vault is very strong. To my knowledge they have never had a large breach, and if they did I might reconsider. But a company that is looking closely and sees something fishy and reacts, that's a company I would be more likely to trust.
I agree that everyone needs to be careful. Clicking on strange links in equally strange emails is a recipe for disaster. In the same boat I would now place people who use the same password everywhere, also a very bad practice.
As for the NSA, no, I don't think they are in bed with them. If you think about it LastPass isn't that interesting to them. If you are of interest to them as an individual, you are pretty much toast. That much is abundantly clear. However, for the rest of us they want to be able to monitor everything on the web. But that doesn't mean knowing what your passwords are, it means being able to decrypt all the traffic on the web that uses SSL. We know that they are able to do that, or rather we have grounds for very strong suspicion.
So if you really really want to avoid any suspicion then stop using the internet as far as possible, and when you do make sure you encrypt anything locally before you send it. Personally I don't think it's worth going to that level.
It's also not true to say that anything American means NSA. Remember that Google were seriously pissed off when they discovered the NSA were eavesdropping on their internal company networks and they have now closed that door. The founder of Lavabit shut his email service rather than do what the NSA asked. It's not all bad.
I wouldn't be impressed to know that someone trusted with your details somehow managed to cough them up to a hacker.
Your vault is, whatever way you look at it, accessible from the internet. Besides, the people whining about "being hacked" are people who have opened a phishing page, or let themselves download a keylogger. Once you do that, no password generator, and no anti-spyware can save you. I'm just saying, we are all responsible for internet safety... opening a "Hi, it's Adriana, remember me" e-mail, or clicking on a "OMG, you won't believe.." link is the fault of the end user, and it's not up to Kaspersky, LastPass, or Norton to save us.
LastPass is weak up against GPUs, which can crack a lot more efficiently than regular old 'puters.
Why do I think they're in bed with the NSA?? They're American, and in the security business... also... Prism.
I remember being forced to change my master password because of that incident. I changed it, and it was fine, but I was impressed by that rather than worried. Contrast with the way Adobe slowly gradually admitted to their huge breach.
As for being able to send people their forgotten passwords, no, they don't and can't do that. What does happen is that a set of emergency cryptographic keys are stored locally on your PC if you choose to do that. These keys allow you to change your password, under their control, should you forget your master password.
If you use LastPass to generate a password for a particular site and forget it then that's your problem, but LastPass does save generated passwords in your vault so that you are usually able to find them. That is not an issue because they are protected just as well as all your other details.
What makes you think that they are working with the NSA?
Sorry, my bad, the first link should have been this one, I was copy/pasting URLs in the wrong threads, and have posted the wrong one now on another site, lol. http://www.pcworld.com/article/227268/lastpass_ceo_exclusive_interview.html
I wouldn't use lastpass simply because they're working with the NSA.
The theory is that the hacker would have to hack every individual user, at their own end of the line, for it to be a successful hack, but LastPass ARE storing your passwords.
Keepass aren't, yet, somehow I prefer to change and use my own passwords for my online mincing about. Lastpass once posted about how many people generate passwords, and then don't remember them. Lastpass had a facility to send people their forgotten passwords.
LastPass themselves posted this:
"We noticed an issue yesterday and wanted to alert you to it. As a precaution, we're also forcing you to change your master password.
We take a close look at our logs and try to explain every anomaly we see. Tuesday morning we saw a network traffic anomaly for a few minutes from one of our non-critical machines. These happen occasionally, and we typically identify them as an employee or an automated script.
In this case, we couldn't find that root cause. After delving into the anomaly we found a similar but smaller matching traffic anomaly from one of our databases in the opposite direction (more traffic was sent from the database compared to what was received on the server). Because we can't account for this anomaly either, we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed. We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs."
http://blog.lastpass.com/2011/05/lastpass-security-notification.html
Obviously they don't want to alarm people, and so are holding back on certain information, but it looks pretty hacky to me.