
Thread: Password Managers

  1. #1
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118

    Password Managers

    Start with the news: LastPass was recently hacked

    Their response to this was so impressive that I signed up almost immediately. I've known I should be using some kind of password manager for quite some time, but this pushed me into it.

    The software and interface are way better than I had anticipated, allowing automated changing of passwords on some sites and notifying you of password breaches on sites you use, prompting you to change them.

    Anyone else here using a similar service?
    Work1: i7-5930K@4.57Ghz, 64GB, 512GB Samsung XP941, 2x 290X
    Home1: i7-7700k@5Ghz, 32GB, 1TB 960 Evo, 2x 1080
    Home2: i7-6700k@4.4Ghz, 32GB@3Ghz, 2x SM951, 2x Titan X

  2. #2
    Serial computer killer Hairy Aussie CougTek's Avatar
    Join Date
    Jan 2002
    Location
    Québec, Québec
    Posts
    8,692
    I've used Keepass for the last few years. It's ok. One problem I've had with it is more admin-related than anything else : I often forget the passwords I've written to open some seldom used keepass files. So these are unusable when I end up needing them.

    I've never used lastpass.

  3. #3
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Lastpass has an application and browser plug-in. So long as those are installed it does a great job tracking password changes. I'm actually spending some of today going into all my major services and having LastPass generate brutally long random strings as the new passwords, where there is no way I'd be able to login without using their service. This should help me remember to use the service when changing those passwords.

    Another fun part of their tool was that it scanned all the local browsers, imported any saved credentials into the system, and then wiped them from the machine while disabling the built-in password manager.

  4. #4
    Wannabe Storage Freak
    Join Date
    Jul 2007
    Posts
    1,281
    I've been thinking about some type of password manager for a while now because some of my passwords are just too hackable.

    I guess I could google the answers.

    But anyways...Does Lastpass create backups of your PW file in case primary is lost/corrupted? Does it allow you to print a copy of your sites and passwords in case backup files/computers are lost/stolen?

    I'd like a manager that prints out a simple list with: <site name> <url> <username> <password> <comment field1> <comment field2>

    Even better a PW manager that has source code that one of you guys could check for back-doors and compile it for me ;))
    - 3770k, 212 EVO, Z77X-UD4H, 32GB, 660w, Titan, 840 Pro/256GB, 2TB & 1TB, Define R4, P4317Q & ZR24w, Unicomp/104, Win7 Pro x64.

    - Nikon D610 w/grip, 50mm/1.4G, 16-35mm/4G, 105mm/2.8G micro, 200-500mm/5.6E.

  5. #5
    Storage? I am Storage! Tea's Avatar
    Join Date
    Jan 2002
    Location
    27a No Fixed Address, Oz.
    Age
    8
    Posts
    3,703
    That's the thing, isn't it Snowhiker. How can you trust the password manager?
    My elephant has a hangover

  6. #6
    Hairy Aussie timwhit's Avatar
    Join Date
    Jan 2002
    Location
    Chicago, IL
    Posts
    5,245
    I've used LastPass for almost a year. It's decent, but not perfect. It kind of sucks on my Android phone. Maybe I don't know how to use it correctly though.

  7. #7
    Fatwah on Western Digital Fixture Mercutio's Avatar
    Join Date
    Jan 2002
    Location
    I am omnipresent
    Posts
    20,329
    Lastpass uses salted hash lookups based on your master password to store everything. If you change your master password, it changes the salt value and the software has to rehash all your passwords. Even if someone got everything they store, they still can't see anything unless they want to sit there and recompute the values of their cracking dictionary or rainbow tables entries by an individual user's particular salt. It's very strong from a security standpoint.
    Keepass and Roboform are other products in the same category. I think Roboform is possibly the best overall tool from a utility standpoint, since it will fill forms anywhere in your OS, but I don't know how secure it truly is.

    I like to demo lastpass for general use password storage, especially for the sort of person who is offended at the idea that they might have to remember more than one password for anything. Also of note is its ability to generate on-demand high entropy passwords. That's extremely useful for those people who would just use the same thing over and over.

    All in all I think it's a good tool for personal needs, but I can't bring myself to rely on it for business data, so I tend to use other memory tricks for dealing with admin passwords and the like on customer systems.
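
Added example (not part of Mercutio's post and not LastPass's own code): a Python sketch of the per-user salting idea described in post #7, using PBKDF2-HMAC-SHA256 as an assumed key-derivation function. The iteration count, wordlist and passwords are constructed for illustration; it shows that a lookup table computed for one user's salt is useless against another user's record, or against the same user after the salt is rotated.

```python
"""Per-user salted key derivation: why one precomputed table does not
carry over from one account's salt to another's."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for illustration only


def derive_verifier(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password with a per-user salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations
    )


def enroll(master_password, iterations=ITERATIONS):
    """Create (or rotate) a record: fresh random salt plus derived verifier."""
    salt = os.urandom(16)
    return salt, derive_verifier(master_password, salt, iterations)


def verify(candidate, salt, stored, iterations=ITERATIONS):
    """Check a login attempt with a constant-time comparison."""
    attempt = derive_verifier(candidate, salt, iterations)
    return hmac.compare_digest(attempt, stored)


def precompute_table(wordlist, salt, iterations=ITERATIONS):
    """The work a dictionary costs for ONE salt: every entry is re-derived."""
    return {derive_verifier(w, salt, iterations): w for w in wordlist}


def demo(iterations=ITERATIONS):
    """Two accounts share a weak password; only the salts differ."""
    wordlist = ["password", "letmein", "hunter2", "qwerty"]  # constructed
    salt_a, hash_a = enroll("hunter2", iterations)
    salt_b, hash_b = enroll("hunter2", iterations)
    # A table built against account A's salt...
    table_a = precompute_table(wordlist, salt_a, iterations)
    # ...and account A's record after a master-password change (new salt).
    _salt_a2, hash_a2 = enroll("hunter2", iterations)
    return {
        "same_password_same_hash": hash_a == hash_b,
        "table_a_vs_account_a": table_a.get(hash_a),
        "table_a_vs_account_b": table_a.get(hash_b),
        "table_a_vs_a_after_rotation": table_a.get(hash_a2),
        "derivations_needed_per_salt": len(wordlist),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```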

  8. #8
    I can't believe I'm a Fixture LunarMist's Avatar
    Join Date
    Jan 2003
    Location
    USA
    Posts
    13,695
    So a company provides a terrible service and you reward them with more business? That'll teach 'em. :doh:
    --Lunar

  9. #9
    Fatwah on Western Digital Fixture Mercutio's Avatar
    Join Date
    Jan 2002
    Location
    I am omnipresent
    Posts
    20,329
    They don't provide terrible service. They had a security leak. They disclosed it and communicated the extent of user exposure. That's substantially more than a lot of companies are willing to do. As it happens, exposure in this case is pretty limited unless the guys who got the data are targeting specific Lastpass user accounts and feel like throwing exahertz of compute cycles at cracking each of them. It's possible that they could extract some high-value passwords out of those individual accounts, but it's extremely unlikely they could do that for more than a very small number of accounts given the limitations of computing and the warning that users have now had that it might be a good idea to update their stored passwords.

  10. #10
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Quote Originally Posted by LunarMist View Post
    So a company provides a terrible service and you reward them with more business? That'll teach 'em. :doh:
    You don't know how good a company is until something goes wrong. Anyone should be able to look great when things go to plan, but a company willing to do what they can in a pinch is worth aligning yourself with.

    <Anecdote> When I was having hardwood installed in the entire house, I took delivery of 6 pallets of the material and followed the directions on the box (tear open all the boxes and stack the material so that it acclimates before installation). I didn't notice until 2 days later that it was actually the wrong product. Within 2 hours the reseller was hand-loading the opened boxes into their own truck, drove it all the way to the mfgr (12 hours away), and hand-unloaded the right stuff 2 days later. They lost money to keep me happy. This is a company I can recommend. </Anecdote>

  11. #11
    I can't believe I'm a Fixture LunarMist's Avatar
    Join Date
    Jan 2003
    Location
    USA
    Posts
    13,695
    Great standards we have nowadays. :eyes: How about rewarding a company that is not f*cked up to begin with?
    --Lunar

  12. #12
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Quote Originally Posted by LunarMist View Post
    Great standards we have nowadays. :eyes: How about rewarding a company that is not f*cked up to begin with?
    Who would that be? Is there a single company with more than 1M users that hasn't had a data breach?

  13. #13
    I can't believe I'm a Fixture LunarMist's Avatar
    Join Date
    Jan 2003
    Location
    USA
    Posts
    13,695
    Quote Originally Posted by LunarMist View Post
    Great standards we have nowadays. :eyes: How about rewarding a company that is not f*cked up to begin with?
    Suppose I release product to market and it is defective and people die. Which is more important, the quality of product or how the dead bodies are cleaned up and families compensated afterwards?
    --Lunar

  14. #14
    I can't believe I'm a Fixture LunarMist's Avatar
    Join Date
    Jan 2003
    Location
    USA
    Posts
    13,695
    Quote Originally Posted by ddrueding View Post
    Who would that be? Is there a single company with more than 1M users that hasn't had a data breach?
    I think it is worse than a typical data breach (and rather ironic) since the core business is to secure passwords. It looks like a password list locked in the desk is more secure.
    --Lunar

  15. #15
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Not sure if you've looked into this (or read Merc's analysis) that closely. It is incredibly unlikely that anyone's actual passwords were compromised. At the same time, using this service means that changing all the passwords becomes pretty darn easy.

    Keeping a single list locked up would be more secure, but it wouldn't work for most people as they need to access things from multiple places.

  16. #16
    Storage? I am Storage! Tea's Avatar
    Join Date
    Jan 2002
    Location
    27a No Fixed Address, Oz.
    Age
    8
    Posts
    3,703
    Quote Originally Posted by LunarMist View Post
    So a company provides a terrible service and you reward them with more business? That'll teach 'em. :doh:
    Hey, it worked for Microsoft.

  17. #17
    Storage? I am Storage! Tea's Avatar
    Join Date
    Jan 2002
    Location
    27a No Fixed Address, Oz.
    Age
    8
    Posts
    3,703
    Quote Originally Posted by LunarMist View Post
    Suppose I release product to market and it is defective and people die. Which is more important, the quality of product or how the dead bodies are cleaned up and families compensated afterwards?
    Neither, you dummy. It's all about the main game, which is of course the quality of the press release, and the effective massaging of the press corps so that they spin the headlines just right. Don't you know nuffin about running a business?

  18. #18
    Allergic to Sunlight Storage is cool sedrosken's Avatar
    Join Date
    Nov 2013
    Location
    The Sticks
    Age
    19
    Posts
    950
    I use the same two passwords for everything. It's probably really insecure, but I have nothing that is absolutely mission-critical. Except the StorageForum account, of course. In all seriousness, when I start doing online banking and stuff like that, I'll need to look into software like this because all of a sudden I'll be on this big ol' kick to get everything secured, which means different passwords for everything.
    Phone: Moto Z Droid Force (didn't pay for it, can't complain) 32GB, 128GB microSD -- on my uncle's plan with Verizon.
    T450: 4300U, 16GB 3L-1600, HD 4400, 14" 1366x768, 128GB M.2 SSD/320GB SATA HDD, Win10Ent64, 6-cell extended batt (10hr avg)
    Eastham: ASRock Z68Extreme7Gen3, 3570K, 16GB DDR3-1600 (soon 32GB), GT730 2GB GDDR5 (core @ 1.17GHz), 240GB SSD/4TB HDD, Bluray burner/hotswap bay, EVGA 600BQ, Win10Ent64

  19. #19
    Fatwah on Western Digital Fixture Mercutio's Avatar
    Join Date
    Jan 2002
    Location
    I am omnipresent
    Posts
    20,329
    Quote Originally Posted by LunarMist View Post
    I think it is worse than a typical data breach (and rather ironic) since the core business is to secure passwords. It looks like a password list locked in the desk is more secure.
    In a typical data breach, you'd find out that internal safeguards don't exist or weren't actually being followed. Personally Identifying Information stored in an unencrypted format would be stolen and, since this is the USA, the only reason anyone would be notified of the issue is if the data breach included data about residents of California, since no other state or federal provision requires notification of stolen private information collected by a third party. How long did it take Target to even figure out what the hell happened during its 2013 data breach?

  20. #20
    Storage? I am Storage! Howell's Avatar
    Join Date
    Feb 2003
    Location
    Chattanooga, TN
    Posts
    4,725
    keepass is perfectly adequate for everything I do on my phone and computer, and can share the same database between them. I've used lastpass right after they bought xmarks but stopped because it didn't provide enough utility for me. There are several companies who provide that kind of service and the ability to have the service change your passwords on a schedule and otherwise fully manage your passwords is cool.

  21. #21
    Storage Freak Will Rickards's Avatar
    Join Date
    Jan 2002
    Location
    Here
    Posts
    1,964
    I use keepass on my computer and phone.
    The small problem is keeping them in sync. I can't bring myself to store the kdbx file with all my passwords on dropbox.
    Also I can't trust all my passwords in the cloud, salted hashes or not.

  22. #22
    Storage? I am Storage! Buck's Avatar
    Join Date
    Feb 2002
    Location
    Blurry.
    Posts
    4,514
    I use about a half dozen passwords with about 12 characters each that I change every few months. I just remember them.
    Do what you want, people will talk anyway.

  23. #23
    Storage is cool Bartender's Avatar
    Join Date
    Feb 2002
    Location
    Behind the Bar
    Posts
    736
    Quote Originally Posted by Buck View Post
    I use about a half dozen passwords with about 12 characters each that I change every few months. I just remember them.
    You remember them? My ass...you have one 4 digit password that you can never remember and so had it tattooed on your backside.
    Help Wanted: Bar Hand
    Must be able to lift 5 times your own weight and have opposable thumbs on all four limbs.

  24. #24
    Storage is cool Bartender's Avatar
    Join Date
    Feb 2002
    Location
    Behind the Bar
    Posts
    736
    The Grammar Police briefly raised the security issue of passwords in this thread, to which P5 responded.

  25. #25
    NVIDIA> AMD Fixture Handruin's Avatar
    Join Date
    Jan 2002
    Posts
    12,382
    Quote Originally Posted by Bartender View Post
    You remember them? My ass...you have one 4 digit password that you can never remember and so had it tattooed on your backside.
    I hope his backside never gets breached!

  26. #26
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Quote Originally Posted by sedrosken View Post
    I use the same two passwords for everything. It's probably really insecure, but I have nothing that is absolutely mission-critical. Except the StorageForum account, of course. In all seriousness, when I start doing online banking and stuff like that, I'll need to look into software like this because all of a sudden I'll be on this big ol' kick to get everything secured, which means different passwords for everything.
    This seems almost entirely legit. I didn't really find myself in trouble regarding passwords until I had to start diversifying my finances. Once the number of accounts exceeded a dozen or so I knew I was in trouble.

  27. #27
    Fatwah on Western Digital Fixture Mercutio's Avatar
    Join Date
    Jan 2002
    Location
    I am omnipresent
    Posts
    20,329
    Quote Originally Posted by Bartender View Post
    You remember them? My ass...you have one 4 digit password that you can never remember and so had it tattooed on your backside.
    There are tricks you can do to remember passwords. I'm fond of using short pass phrases that are based on quotations from some particular media (e.g. poems of Robert Louis Stevenson or lines from the movie Clerks) that I associate with that customer as a seed for what I use. I might use the first letter of each word of a sentence or perhaps just a three or four word quote, depending on need, and I find that shifting the typed characters up one row on the keyboard can add a great deal of apparent entropy if the password rules require it.

  28. #28
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    I'm thinking about taking the leap to a password manager. Cost is not a factor, within reason, but ease of use and security are important of course. The paid versions of Dashlane and Lastpass are on my shortlist. Any more feedback on either?


    DD...what are your thoughts on Lastpass now that you're about 3 months in? Anything about Dashlane sound particularly interesting to you?

  29. #29
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Totally stoked about Lastpass still, in fact I've helped a few other people integrate it into their lives and am investigating the enterprise version for work. Dashlane seems fine, all the features seem to be there. One of the things I like about Lastpass is how well they handled their security breach, good to know that if it happens again they will likely take the right steps.

  30. #30
    NVIDIA> AMD Fixture Handruin's Avatar
    Join Date
    Jan 2002
    Posts
    12,382
    I still keep my passwords in a local Keepass database vs using a utility similar to Lastpass. For times when I need a password, I copy the Keepass database from my encrypted backup to my phone and then retrieve it that way. It's less convenient but I feel (maybe foolishly) that it's a little more secure.

  31. #31
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Lastpass made switching phones and reinstalling my main laptop much easier. I was also just informed that one of my vendors had a data breach, knowing that that password was unique and easily changed made that a much less stressful situation.

  32. #32
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    I see that KeePass requires me to install software on my PC. This is ok for me at home but I'm prevented from doing so at work on my laptop. I do need to be able to access my password protected sites while at work. Does Lastpass have the same software installation requirement?

    Note: I am able to install the Lastpass Chrome plug in at work it appears.

    Note 2: Chrome has a KeePass 'App' available as well.
    Last edited by Clocker; 10-02-2015 at 01:43 PM.

  33. #33
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    If you use Chrome, the plug in is all you need. There is a plug in for Firefox as well (which is all I use). IIRC, the Chrome plugin has more functionality.

  34. #34
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    Interesting podcast on the breach. https://www.youtube.com/watch?v=ujDAYTXTpaM

  35. #35
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    So I've moved to Lastpass and I'm liking it. The convenience is great and knowing that I have strong passwords on everything is reassuring.

    DD, have you considered any two factor authentication methods? I was looking at the yubikey but it seems like it might be a pita to use with a smart phone. I guess it would only matter when I am logging in from an untrusted device, which is never and would not apply to my smartphone.

  36. #36
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Quote Originally Posted by Clocker View Post
    So I've moved to Lastpass and I'm liking it. The convenience is great and knowing that I have strong passwords on everything is reassuring.

    DD, have you considered any two factor authentication methods? I was looking at the yubikey but it seems like it might be a pita to use with a smart phone. I guess it would only matter when I am logging in from an untrusted device, which is never and would not apply to my smartphone.
    My new smartphone (LG G4) doesn't have a fingerprint reader on it (sad). If it did I wouldn't bother, but now you have me thinking it would be a nice thing to have. I'll have to look into whether the YubiKey Neo will allow me to unlock my phone and activate Lastpass via NFC. That could be really neat.

  37. #37
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    I'm currently using Google Authenticator which is free.

  38. #38
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    I also use Google Authenticator for some stuff, but a physical key to unlock the smartphone seems like a great idea to me.

    Another thing I just found out about is Intel True Key. Looks interesting.

  39. #39
    Wotty wot wot. Storage Is My Life Chewy509's Avatar
    Join Date
    Nov 2006
    Location
    Gold Coast Hinterland, Australia
    Age
    40
    Posts
    2,746
    I don't suffer from insanity, I enjoy every minute of it.

  40. #40
    Serial computer killer Hairy Aussie CougTek's Avatar
    Join Date
    Jan 2002
    Location
    Québec, Québec
    Posts
    8,692
    I've read it too yesterday. I don't use Lastpass, but if I did, I don't think I would be too happy about this.

  41. #41
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Not happy, but not planning an exit yet either. If this deal had happened before I bought in I wouldn't have done so. I'm still optimistic that it takes at least a year for them to damage the product or brand enough that I jump ship.

  42. #42
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    Some are not quite so negative about it: https://www.reddit.com/r/Lastpass/co...o_lock_in_the/

  43. #43
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    It seems to me that the weak link in a system like LP is the integration with the browser. Are there any best practices or settings that can be used to minimize browser related vulnerabilities when using LastPass?

  44. #44
    Hairy Aussie timwhit's Avatar
    Join Date
    Jan 2002
    Location
    Chicago, IL
    Posts
    5,245
    I'd turn on two factor auth.

  45. #45
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    Got that turned on, already. Thanks!

  46. #46
    Storage? I am Storage! mubs's Avatar
    Join Date
    Nov 2002
    Location
    Somewhere in time.
    Posts
    4,908
    KeePass hacked. Other password managers may be at risk.

  47. #47
    Storage? I am Storage! Clocker's Avatar
    Join Date
    Jan 2002
    Location
    USA
    Posts
    3,522
    Quote Originally Posted by mubs View Post
    KeePass hacked. Other password managers may be at risk.
    I always thought anything goes when a computer is already compromised, like this hack requires.

  48. #48
    NVIDIA> AMD Fixture Handruin's Avatar
    Join Date
    Jan 2002
    Posts
    12,382
    I don't understand that article or the title is misleading. So if my PC is compromised AND my password database is unlocked I'm at risk?

    When it runs on a computer where a logged in user has the KeePass database unlocked, KeeFarce decrypts the entire database and writes it to a file that the hacker can easily access.

  49. #49
    Storage Freak Will Rickards's Avatar
    Join Date
    Jan 2002
    Location
    Here
    Posts
    1,964
    My understanding is that yes they still need the keepass database open, which requires the master password.
    So in order for this 'hack' to have any effect you would need to leave it open and have your machine hacked in the first place.
    It uses simple dll injection, which is a process in windows where you get a running program to load your dll. Then the dll code essentially runs in the process space.
    This is similar to hooking up a debugger to the process and then inspecting the memory or causing one of the methods to run.

    So there is nothing to see here. They just made something you could do already on a compromised machine, easier.

    I believe there are things you can do to make code resistant to dll injection. But I'm not sure you can fully protect against it. It is built-in to the windows framework.

  50. #50
    Fixture ddrueding's Avatar
    Join Date
    Feb 2002
    Location
    Monterey, CA
    Age
    37
    Posts
    19,118
    Yup. No news. "Vault vulnerable while door is open and intruder in room".
