mrken30

Transferwise was affected along with many other sites by the cloudbleed bug.

https://github.com/pirate/sites-usin...ster/README.md

tom169

It's worth while saying that if you don't already, please use a password manager with unique passwords.

SultanOfSwing

Also, did you know that if you type your password within the tags [PWORD][/PWORD] it will appear like this on screen: ************?

Try it. It works with credit card numbers, too!

Please don't really try it. I don't want to get in trouble.

tom169

****

Steerpike

For those not entirely tech savvy, isn't the use of a password manager an even greater vulnerability, if the password manager itself gets hacked? I personally use a local password manager, and disable all 'automation' (ie, don't let it match sites and pre-fill usernames and passwords), but I've seen many password managers that are themselves hosted, and are quite 'clever' in that they will detect the site you are on, and pre-fill the relevant info as a user convenience ... very convenient but also susceptible to hacking.

I don't even store 'actual' passwords in the manager, but rather, a derivative, so that if the password manager were hacked, the hacker wouldn't get the goods.

What's the point ... where would you type this and why?

mrken30

The password managers that pre-fill are better for the not so tech savvy. If you land on a phishing site it will not pre fill the fields and alert the person that something has changed. So good and bad.

Also a lot of people will now use apps on multiple devices, having a local password manager can make this difficult for some people.

Steerpike

Oh, no doubt - but - I think that a sophisticated solution that is externally hosted (cloud based) is just an even bigger problem waiting to happen. In order to support the user on multiple devices, every one of those devices has to be supported, and any one of them could have a vulnerability. I have installed my tool on my phone, so no matter what device I'm using I can pull up my phone and find the password.

This truly is one of the bigger challenges facing the internet today ... so many sites, so many logins, so many different rules on different sites.

mrken30

If you got malware on your device how easy would it be for all your password to be compromised?
A hosting company will have higher level security than most people have on their home PC, but a hosting company will be a bigger target.
Email password are the most valuable, so use MFA whenever possible.

tom169

The key point is not re-using passwords and keeping passwords strong. The best solution would be remember them all in your head, but that isn't possible for most people.

Password managers that store the information remotely so that it can be syndicated across devices generally have some key that isn't stored on the server, but instead on the device. That means that if the server is compromised then all what someone would see is the encrypted passwords.

2 factor authentication should be in place using a secured device for both accessing the password manager and any website (where possible).

tom169

Yeah, for most people getting access to the email is game over. Forgot passwords, security question resets etc.

mrken30

We should also stop using the word password and use passphrase instead. It's an old habit to break

steveq

My password generation method relies on my memory of a good length of poetry and patterns within it.

Bob

Keepass run off a thumb drive? Can save the database on dropbox if you have multiple devices that have the app installed if you didn't have it on a thumb drive I suppose.

mrken30

Dropbox has had security issues in the past, it's not a security focused product

https://www.theguardian.com/technolo...8m-data-breach

There is an update for keepass

The automatic update feature in KeePass 2.33 and earlier allows man-in-the-middle attackers to execute arbitrary code by spoofing the version check response and supplying a crafted update.

https://web.nvd.nist.gov/view/vuln/s...pe=all&cves=on

jambey2510

It's more fun when you have 10 different passphrases memorised in your head, but after a while away from some sites, you'll forget which of those you used!!

I know a lot of people who use passphrase apps etc, but I wouldn't trust it myself at all!