1. #1

    Should I be worried?

    vBulletin forums hacked
    Over 800,000 user account details stolen from vulnerable forums running vBulletin – HOTforSecurity

    I do not use the same password anywhere so I'm not concerned about someone getting this password and being able to get in any place else. It isn't going to happen.

    To those that reuse passwords - DON'T DO IT!



  2. #2
    Digerati's Avatar
    Join Date
    Aug 2012
    Location
    Nebraska, USA
    Posts
    2,742
    • specs System Specs
      • Manufacturer:
        BrightWorks Systems
      • Model Number:
        BWS-6 E-IV
      • Motherboard:
        Gigabyte GA-Z170-HD3
      • CPU:
        Intel Core i5-6600 Skylake Pushed to 3.9GHz
      • Memory:
        2 X 8GB Corsair Vengeance DDR4 3000
      • Graphics:
        MSI Radeon R7 370 2GD5T OC 2GB 256-Bit GDDR5
      • Sound Card:
        Integrated
      • Hard Drives:
        None
      • Disk Drives:
        Samsung 850 Pro 256GB SSD, 850 EVO 250GB SSD, Blu-ray R/W
      • Power Supply:
        EVGA Supernova 550W Gold
      • Case:
        Fractal Design Define R4 Mid Tower w/Window
      • Cooling:
        2 x 140mm case fans, OEM CPU Cooler
      • Display:
        2 x Samsung S24E650BW 24 inch WS
      • Operating System:
        Windows 10 Pro 64-Bit

    Re: Should I be worried?

    Quote:
    To those that reuse passwords - DON'T DO IT!
    Excellent advice. But this is, admittedly, a real PITA. And writing them down is a mistake too. So for sure, I highly recommend the use of a good software-based password safe or manager. With a password safe you only have to remember one (ideally, very strong) password, the one into your safe. Recommended safes include Password Safe, KeePass Password Safe, and RoboForm is a favorite of many.
    Bill (AFE7Ret)
    Freedom is NOT Free!
    MS MVP Windows and Devices for IT, 2007 - 2017

    Heat is the bane of all electronics!

  3. #3

    Join Date
    Dec 2013
    Location
    World, Europe, Italy
    Posts
    1,344

    Re: Should I be worried?

    Quote Originally Posted by Digerati View Post
    I highly recommend the use of a good software based password safe or manager. With a password safe you only have to remember one (ideally, very strong) password, the one into your safe. Recommended safes include, Password Safe, KeePass Password Safe, and RoboForm is a favorite of many.
    What do you think about Zoho Vault (click)?
    Just today, there's an offer for the enterprise version on giveawayoftheday.com (click).

  4. #4
    Digerati's Avatar

    Re: Should I be worried?

    I don't like recurring fees. Recurring fees are like a constant debt looming overhead for me.

    What happens if you forget a payment, or are incapacitated due to some serious injury or illness for several months? So no way would I go for one of the subscription plans. If the free version serves your needs, then I suppose that is fine - if you trust cloud storage. I don't.

    I am sure they have sufficient backup to ensure your passwords won't get lost. But with all the successful hacks of companies we would expect to be unhackable, I just don't trust my passwords could not be compromised.

    I actually use SplashID. I've been using it for about 25 years. I started using it when I had my Palm Pilot PDA. It consisted of a Palm and "Desktop" version for Windows and every time you synced up the Palm, it would sync the encrypted password database too. Thus instant backup. I got rid of my last Palm PDA years ago but I still use the Windows version of the safe. For a backup, I simply copy the encrypted database to my notebook. Splash now has smartphone versions that sync with Windows, but they've gone to a recurring fee basis too, so I have not upgraded to the latest version and don't plan to since this old version works great with W10.

    With SplashID, I also keep other information in there, including PINs and such for credit cards, insurance and social security numbers for my kids and grandkids, and bank account information and such. This means I don't need Internet or cell phone access to get a PIN or account number. I like that.

  5. #5

    Join Date
    Dec 2013
    Location
    World, Europe, Italy
    Posts
    1,344

    Re: Should I be worried?

    Quote Originally Posted by Digerati View Post
    If the free version serves your needs, then I suppose that is fine - if you trust cloud storage. I don't.
    ;-)

  6. #6
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    7,785

    Re: Should I be worried?

    We have two-factor authentication for admin and mod accounts so, although I doubt any website is completely impenetrable, we are in good shape.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  7. #7
    satrow's Avatar
    Join Date
    Apr 2012
    Location
    Cymru
    Posts
    667
    • specs System Specs
      • Motherboard:
        ASRock Z77E-ITX
      • CPU:
        E3-1230 V2 3.3GHz
      • Memory:
        16GB G.Skill DDR3 2400
      • Graphics:
        Asus GTX 970
      • Sound Card:
        Onboard
      • Hard Drives:
        3x250GB SSDs, 1x 2.5 1TB HDD
      • Power Supply:
        XFX 450 Bronze
      • Case:
        BitFenix Prodigy Black
      • Cooling:
        Be Quiet Shadow Rock Topflow + 2x case fans
      • Display:
        Dell U2412M 1900x1200 x2(3)
      • Operating System:
        W7 x64 Pro

    Re: Should I be worried?

    Martin Brinkmann at ghacks reported on a study of Android password managers a couple of days ago:

    ...
    The team's conclusion should have anyone worried who implements a password manager on Android. While it is unclear whether other password manager applications for Android have vulnerabilities as well, there is at least a chance that this is indeed the case.

    "The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks."

    At least one security vulnerability was identified in each of the apps the researchers analyzed. This went as far as some applications storing the master key in plain text, and others using hard-coded cryptographic keys in code. In another case, installation of a simple helper application extracted the passwords stored by the password application.

    Three vulnerabilities were identified in LastPass alone. First a hard-coded master key, then data leaks in browser search, and finally a vulnerability affecting LastPass on Android 4.0.x and lower which allows attackers to steal the stored master password.
    ...

  8. #8
    Digerati's Avatar

    Re: Should I be worried?

    Quote:
    ...some applications storing the master key in plain text


    I am glad I don't live off my smartphone. Consequently, I don't keep any passwords on my phone. What I also find disturbing is the study didn't mention any password manager that was safe to use.

    At least on the source site, in their bold red it says, !! Update 2017-03-01: All reported vulnerabilities are fixed by the vendors !!

    As a side note, most browsers let users save passwords. I NEVER let that happen. In fact, the first time any browser offers to save my password, I always say no, then check the option to, "Don't ask me again!"

    Best if users asked themselves, "What happens if a bad guy steals my computer or smartphone?" "What if I lose my phone or leave my notebook at the cafe?"

  9. #9
    satrow's Avatar

    Re: Should I be worried?

    Quote Originally Posted by Digerati View Post
    Best if users asked themselves, "What happens if a bad guy steals my computer or smartphone?" "What if I lose my phone or leave my notebook at the cafe?"
    For non-mobile home users you might ask "What if someone steals my password list stashed somewhere in my home?" Writing down passwords can be safer than the hardware is.

  10. #10
    Digerati's Avatar

    Re: Should I be worried?

    Quote:
    writing down passwords can be safer than the hardware is.
    Well, maybe.

    Physical security is an often overlooked area of computer security. I cannot tell you how many times I have gone on trouble calls only to look under the keyboard, in the computer desk drawer, or in a recipe card file box sitting next to the monitor to find the lists of passwords the users wrote down. A bad guy breaking into your home or office is likely to search within arm's reach of the computer chair for such lists too - and grab that, and any external drive (often a user's only backup) along with the computer too.

  11. #11
    satrow's Avatar

    Re: Should I be worried?

    Your average bad guy is more likely to grab an armful of valuable items, like the EHD/Tower/half a dozen bottles of hard liquor and get out fast; looking for scraps of paper in unlikely places is a job for specialists, not opportunists.

  12. #12
    Digerati's Avatar

    Re: Should I be worried?

    Quote:
    looking for scraps of paper in unlikely places is a job for specialists, not opportunists.
    Not all burglars are simple opportunists looking for quick drug money.

    Note I said "within arm's reach". That only takes a couple seconds and "under the keyboard", the "computer desk drawer", and an "index card box next to the monitor" are hardly "unlikely places". Those places are by far the most obvious and likely. I've even seen password lists thumb-tacked to cork boards next to the user's desk.

    BTW, I was taught that in a security awareness class by a cyber crime specialist with the FBI as part of the required training I needed to get my access certifications to support secured US State Dept networks. Writing down passwords just isn't a good idea. If you have to, keep them in a secure place, preferably off-site, locked in a safe! But it is better to use a "good" password manager. Then you only have to remember one password.

  13. #13
    satrow's Avatar

    Re: Should I be worried?

    Quote Originally Posted by Digerati View Post
    looking for scraps of paper in unlikely places is a job for specialists, not opportunists.
    Not all burglars are simple opportunists looking for quick drug money.
    I didn't say they were.

    Quote:
    Note I said "within arm's reach". That only takes a couple seconds and "under the keyboard", the "computer desk drawer", and an "index card box next to the monitor" are hardly "unlikely places". Those places are by far the most obvious and likely. I've even seen password lists thumb-tacked to cork boards next to the user's desk.
    In a home burglary scenario, it would still need a specialist to discover and make profit from stolen passwords.

    Quote:
    BTW, I was taught that in a security awareness class by a cyber crime specialist with the FBI as part of the required training I needed to get my access certifications to support secured US State Dept networks. Writing down passwords just isn't a good idea. If you have to, keep them in a secure place, preferably off-site, locked in a safe! But it is better to use a "good" password manager. Then you only have to remember one password.
    State Dept. networks are more likely to be attacked by specialists.
    Off-site and in a safe, for home users, or just the rich, retired home users?
    One of those "good" password managers that only get patched after there's been some bad publicity?

  14. #14
    Digerati's Avatar

    Re: Should I be worried?

    Quote:
    One of those "good" password managers that only get patched after there's been some bad publicity?
    Well, I don't use any of those! I use SplashID that encrypts the master password, and the database too. This version only works with Windows, not Android as all those in that report did. And it does not back up to the cloud either.

    That said, those in that report would still take someone with some tech savvy to hack - assuming they determined a password safe was being used. Passwords written on a piece of paper under the keyboard (seen when he steals the keyboard) only take someone who can read to know what they are, and then use them.

    Quote:
    In a home burglary scenario, it would still need a specialist to discover and make profit from stolen passwords.
    Umm, no it wouldn't. As I have shown several times now, if the user is writing down the passwords on a piece of paper, discovering them is easy. If users are writing them down, they are not going to hide this piece of paper downstairs on the opposite end of the house in a hollowed-out book. They are going to be within convenient, easy arm's reach.

    And once a bad guy knows the passwords to your bank or Paypal account, he can steal your money. Or just be mischievous and change your passwords.

    Quote:
    State Dept. networks are more likely to be attacked by specialists.
    That's immaterial. This training class was about the physical security of all computers, not just government owned computers. And the information the special agent gave was from cyber crime statistics - not State Department policies.

    Quote:
    Off-site and in a safe, for home users, or just the rich, retired home users?
    Off site can be at a trusted neighbor's. That works in case of fire or flood too. And you don't have to be rich to have a safe deposit box at your bank. Mine costs $40 per year (and is tax deductible too). I keep original copies of birth certificates, insurance papers, living will and other important documents in it, a hard drive with a fairly recent backup of all my computers, and a flash drive with copies of other files, including an encrypted copy of my password safe.

    I really don't understand your position in this discussion. You seem intent on rationalizing and justifying writing down passwords, or at least suggesting writing them down is just as secure as using a password safe. Sorry, but I'm not ever going to buy it. Users need to use unique passwords and PINs on all their accounts and then properly secure those passwords and PINs. For most people that would mean many, perhaps dozens or more passwords and PINs. Not to mention lock combinations too.

    Odds are our homes will never be robbed, flooded, burned down, or blown away by a tornado. But those things happen to others every day!

  15. #15
    satrow's Avatar

    Re: Should I be worried?

    I'm not trying to sell you anything, just trying to point out that one size doesn't fit all.

  16. #16
    Digerati's Avatar

    Re: Should I be worried?

    One size? ??? I have no clue what that means in the context of this discussion. The only absolute I contend is passwords should never be written down unless they are then locked up in a secure place out of sight and out of arm's reach of the computer.

  17. #17

    Join Date
    Dec 2013
    Location
    World, Europe, Italy
    Posts
    1,344

    Re: Should I be worried?


  18. #18
    Digerati's Avatar

    Re: Should I be worried?

    It seems like it will work. It has some decent reviews too.

  19. #19

    Re: Should I be worried?

    I see there is a free version which is perfect for those of us who do not want to a) sync devices or b) store anything in the cloud.
    Sticky Password’s free password manager helps you organize and securely store your passwords. Upgrade to Premium to sync and backup automatically.
