LastPass password single sign on service gets hacked.


2015 Jun 15, 6:27pm   2,274 views  22 comments

by Tenpoundbass

http://money.cnn.com/2015/06/15/technology/lastpass-password-hack/index.html

LastPass lets people store passwords online so they can access them all with a single master password.

You're storing all your eggs in one basket. That could be a problem.
On Monday, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, and encrypted versions of people's master passwords.
So keeping all your passwords in a single place on the Internet might not be such a great idea.

Is anyone surprised? What kind of moron would create an account with one web site, just to give that website your user name and password information for every online service/site that you use.
It would seem to me that hacking is a reality. Sites are going to get hacked, so you should limit your exposure to the damage that could be done.

Comments 1 - 22 of 22

1   curious2   2015 Jun 15, 6:35pm  

CaptainShuddup says

Is anyone surprised?

I'm only surprised that it didn't happen sooner. Previously, I felt surprised by all the talking heads exhorting everyone to use these services and the credulous "news" channels relaying that advice, but maybe some of them were working for the hackers, and in this dot-con bubble maybe an overfunded, money-losing startup financed a PR campaign to get their app into the "news".

2   Tenpoundbass   2015 Jun 15, 6:39pm  

I've heard them talking as well. I overheard someone at my brother's Christmas bash last year telling another guest how he uses it, and his whole company uses it.
I have a habit of pissing people off when I speak the inevitable truth. So I just kept quiet.

3   Strategist   2015 Jun 15, 7:31pm  

So what the hell do we do? What is the best way of remembering all those passwords, especially for an absent-minded, disorganized person like me?

4   Tenpoundbass   2015 Jun 15, 7:55pm  

It's time to revise America's security model; it's an exercise in stupidity.

The truth is, it's not the "abc123" passwords that are getting hacked. Well, NOT on the end user side, when it's something as simple as an admin or default password not being changed. Then that's a whole different story rather than Jane the secretary's simple "abc123" password. Systems are more vulnerable to system-wide attacks where users' whole lives are stored. These are all due to the systems themselves that have all of the information in one place. Then, to tempt irony, they cancel your password every 30 days and make you renew it to something you don't remember. So you call up a call center, with some guy you don't know, named David but his real name is Sahir, where he has access to a database; he then resets your password, you write a new one down on a Post-it note, then tack it to your monitor, and continue on your way.
The lady with "abc123" never forgets, and doesn't have to call a call center in New Delhi every time she forgot to log into a system and change her password before 30 days was up. I like passwordless systems that rely on other information to know it's you, other than your input. If the NSA knows every site you go to, then damn it, those sites can know who in the hell you are without giving hackers a chance to steal your credentials due to the unnecessary security prompts. Windows Authentication Provider is great; it should be used more than it is for enterprise-level application authentication. Creating a separate SQL database for Forms Authentication is insane. It's too bad Windows users or domain users don't integrate better with IIS to be able to create users that are for web authentication only, without Windows logon privileges. Other things I use are random obfuscated field names for each request. Register MAC addresses. And never use .NET controls, just regular HTML and code. Have a virtual machine that mimics a bogus network that you redirect all suspicious network requests to. No user name and password required, just seamless security. Bad guys never get to crack the password.

5   curious2   2015 Jun 15, 11:29pm  

CaptainShuddup says

I have a habit of pissing people off when I speak the inevitable truth.

Captain, I have a simple suggestion to alleviate that issue. As you mentioned you voted for Ralph Nader, you might benefit from reading his opinion on something before jumping to any conclusions about what the "inevitable truth" will be. For example, in 2010, he called Obamacare "a disaster," but he had also been campaigning for marriage equality since at least as far back as 2000, when both the Democrats and the Republicans opposed it. Nader's opinions on both of those issues are the majority opinions today. (You can see for yourself here and here.) It seems to me that sometimes you get angry at the Democrats or the Republicans or both, and in that mode you say things that even Nader would reject. In those circumstances, just as everyone is fallible, you might want to consider that Nader is correct.

6   Patrick   2015 Jun 16, 12:23am  

This all seemed inevitable to me too.

Strategist says

So what the hell do we do? What is the best way of remembering all those passwords, especially for an absent-minded, disorganized person like me?

Keep a pgp-encrypted file of your passwords. https://en.wikipedia.org/wiki/Pretty_Good_Privacy

Then you have to remember just one password to use it, but unlike those other services, the password file is always on your computer alone.

And be sure to delete the unencrypted version of the file after every time you decrypt it to retrieve a password, just in case someone steals or gets into your computer.

7   Bigsby   2015 Jun 16, 1:13am  


unlike those other services, the password file is always on your computer alone.

Isn't that the case with 1Password?

8   Patrick   2023 Sep 12, 4:06pm  

https://thedailyscroll.substack.com/p/what-happened-today-september-12-d73


LastPass, a digital password protection service, hasn’t been so safe for crypto holders who stored their vault backup passwords with the service. Several digital security researchers have now concluded that a series of large cryptocurrency thefts, claiming 150 victims and snatching $35 million, can be traced back to two hacks against LastPass in August and November last year.

9   clambo   2023 Sep 12, 4:21pm  

I wonder how to manage all of my passwords? The only "password manager" I use is Firefox and that's for things which are not financial.

10   Bd6r   2023 Sep 12, 4:26pm  

clambo says

I wonder how to manage all of my passwords? The only "password manager" I use is Firefox and that's for things which are not financial.

Use axcrypt and keep passwords in a text document which should be encrypted every time you open it. Then you have to remember only one password. Caveat - I am no computer specialist so this might not be the best solution.

11   Patrick   2023 Sep 12, 4:32pm  

clambo says

I wonder how to manage all of my passwords? The only "password manager" I use is Firefox and that's for things which are not financial.


@clambo See https://patrick.net/post/1281913/2015-06-16-lastpass-password-single-sign-on?start=1#comment-1202807 above.

Basically, just create a text file with your passwords, encrypt it with pgp, and delete the original.

Decrypt only when you need it, and delete the plain text version immediately after use.

I even have a cron job which deletes the plain text version at regular intervals in case I forget.

https://www.openpgp.org/

One big risk is that openpgp itself may have been hacked in some way.

12   NuttBoxer   2023 Sep 12, 6:54pm  

The bigger risk with this method is neglecting to delete the file in a meaningful way. Simply emptying your trash does not overwrite the disk space. This seems needlessly risky when there are perfectly good local solutions like Keepass. Or if you prefer convenience, use an open source app like Bitwarden.

Browser password storage I would imagine to be very insecure. Just because software can be made to do something doesn't mean that's the design, or that you should do it. Right tool for the job.

13   richwicks   2023 Sep 12, 9:58pm  

Tenpoundbass says


Is anyone surprised? What kind of moron would create an account with one web site, just to give that website your user name and password information for every online service/site that you use.


This can be made uncrackable. It's already been done where JavaScript, or Java itself, will be able to take in one password with a bunch of encrypted data and decrypt that password offline, so that the holder of the encrypted data has no way to decrypt the encrypted password data. This is not hard. Java and JavaScript run locally, not on a server; it's running on your own computer.

But how do you make money doing this?

The purpose of centralized password sites, is to gather passwords.

The problem I constantly run into is there are people that tell me "haha, why would the government care what I do??? You're paranoid!!" Well, over a decade I bet they can find something on you that is at least embarrassing, once you get into a position they want to exploit. If not you, your spouse, your kid, your parent, your nephew, your boss...

14   komputodo   2023 Sep 12, 10:27pm  

Strategist says

So what the hell do we do? What is the best way of remembering all those passwords, especially for an absent-minded, disorganized person like me?



Have only one standard password that is strong... then on every site that you use it on, add the first 3 letters of the site name to it. For example, if your password is JoeBlow00/ then for patnet it would be patJoeBlow00/ ... for gmail it would be gmaJoeBlow00/

15   richwicks   2023 Sep 12, 10:55pm  

Strategist says

So what the hell do we do? What is the best way of remembering all those passwords, especially for an absent-minded, disorganized person like me?


I can solve this problem. Will you pay me anything to do it?

16   Patrick   2023 Sep 12, 11:02pm  

Strategist says

So what the hell do we do? What is the best way of remembering all those passwords, especially for an absent-minded, disorganized person like me?


@Strategist If you keep a pgp file of passwords, then you do not need to remember them.

I deliberately make my passwords unmemorable now. I just create a random md5 hash, like a82ed74b7987c50455ba5963b6f53a6e

Even if someone tortured me, I couldn't tell them my passwords, except the one to the file.

17   richwicks   2023 Sep 12, 11:36pm  

Patrick says

Strategist says

So what the hell do we do? What is the best way of remembering all those passwords, especially for an absent-minded, disorganized person like me?

Strategist If you keep a pgp file of passwords, then you do not need to remember them.

I deliberately make my passwords unmemorable now. I just create a random md5 hash, like a82ed74b7987c50455ba5963b6f53a6e

Even if someone tortured me, I couldn't tell them my passwords, except the one to the file.

The solution I have is SHA256SUM (password + website). It's uncrackable without the original password.

BUT nobody will pay for it so...
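The two derivation schemes proposed in comments 14 and 17 side by side, as an added example that is not code from anyone in this thread. The master password and site names are constructed samples, and the PBKDF2 variant is an added hardening (a slow, salted KDF) that the thread does not propose; richwicks' scheme as stated uses plain SHA-256.

```python
import hashlib

# Constructed sample values for this demonstration, not from the thread.
MASTER = "JoeBlow00/"
SITES = ["patnet", "gmail"]
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware allows


def prefix_scheme(master: str, site: str) -> str:
    """Comment 14: prepend the first three letters of the site to one master password."""
    return site[:3] + master


def master_from_prefix_leak(leaked: str) -> str:
    """Comment 20's objection: one leaked site password reveals the master by dropping 3 chars."""
    return leaked[3:]


def sha256_scheme(master: str, site: str) -> str:
    """Comment 17: SHA256SUM(password + website), as a hex digest."""
    return hashlib.sha256((master + site).encode()).hexdigest()


def pbkdf2_scheme(master: str, site: str) -> str:
    """Added hardening (assumption, not from the thread): a slow KDF with the site as salt,
    so someone holding one derived password cannot test master guesses at raw SHA-256 speed."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), PBKDF2_ROUNDS)
    return dk.hex()


def master_exposed(master: str, derived: str) -> bool:
    """True when the master is readable inside the derived password (the prefix scheme's flaw)."""
    return master in derived


def compare_schemes(master: str, sites: list[str]) -> dict:
    """Per scheme: does any site's derived password expose the master, and are all sites distinct?"""
    result = {}
    for name, fn in (("prefix", prefix_scheme), ("sha256", sha256_scheme), ("pbkdf2", pbkdf2_scheme)):
        derived = [fn(master, s) for s in sites]
        result[name] = {
            "exposes_master": any(master_exposed(master, d) for d in derived),
            "distinct": len(set(derived)) == len(derived),
        }
    return result


if __name__ == "__main__":
    for scheme, verdict in compare_schemes(MASTER, SITES).items():
        print(scheme, verdict)
```

Note that a hashed scheme still offers no protection if the master itself is guessable from a wordlist: a leaked derived password plus a weak master can be reversed offline, which is why the KDF work factor and master strength both matter.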

18   WookieMan   2023 Sep 13, 2:06am  

I only care about my financial stuff, insurance and online retailers. Any other site I'm on is meaningless to me. Go ahead and hack it. If it has my CC info it's two step verification or whatever it's called. You'd physically need me present AND get me to open my password protected phone. And then still know my password to said site. AND I only use credit cards with fraud protection. Hasn't failed me yet. And yes, my CC's do get hacked, but that's the banks fault and I've never owed a dime.

Hack my patnet account. Enjoy. Hack my FB (can't), enjoy. If a site doesn't have a text service or authenticator I generally don't use it unless it's a place like patnet. I've said stupid shit here, but enjoy reading what would likely be a 2k page book if not more. Reality is, don't do stupid shit on the internet. My wife knows I've watched porn on the web. We've done it together. I really have nothing to be embarrassed about in my history. Anything I put online I'd say to someone's face. That should be a general rule if you're on social media or forums like this. Don't be a keyboard warrior. No different than don't commit crime. Life is easy if you follow some basic 5th grade level rules.

19   zzyzzx   2023 Sep 13, 5:38am  

Write it down on a piece of paper.

20   NuttBoxer   2023 Sep 13, 8:53am  

komputodo says

Have only one standard password that is strong... then on every site that you use it on, add the first 3 letters of the site name to it. For example, if your password is JoeBlow00/ then for patnet it would be patJoeBlow00/ ... for gmail it would be gmaJoeBlow00/


So once I hack you in one place, I now have your password for everything. Not a good idea.

21   Patrick   2023 Sep 13, 8:54am  

richwicks says

The solution I have is SHA256SUM (password + website). It's uncrackable without the original password.


But how does this help him remember a password?

22   NuttBoxer   2023 Sep 13, 8:55am  

Patrick says

Even if someone tortured me, I couldn't tell them my passwords, except the one to the file.


My passwords are all random, all stored in a local db file that Keepass creates. To unlock the file I need to insert a USB with a key. NOTHING else will unlock it. I destroy the USB, you can rubber-hose me all day long, I CANNOT give the information because it's been destroyed.
