Decentlady wrote: How safe is LastPass? It being an online thing is also prone to hacking I believe. How about keeping all passwords locked in a portable hard/pen drive?
LastPass is remarkably safe... if used correctly. Firstly, everything is encrypted on their servers, and each user's password vault needs that user's master password to decrypt it, meaning that if someone compromises their servers, it will take a long time to get into each vault.
http://www.pcworld.com/article/2936621/ ... t-for.html
Speaking of which, cracking that master code is going to take a long time unless your LastPass password is unbelievably weak, such as 1234LastPass or something similar. To crack your master password, hackers first have to get past your authentication hash—which includes 100,000 rounds of PBKDF2-SHA256 hashing—on the LastPass servers. Hashing uses an algorithm to convert one string of text into a longer string so that it is difficult to reverse engineer and discover what the original text was.
One security expert told Ars Technica that he’s so confident in LastPass’ hashing that he doesn’t even feel compelled to change his master password.
I can say though that I have dealt with many cases where users' accounts have been taken over by other people. Most cases were down to password reuse. That is so dangerous. All it takes is one site to be compromised and the password to be leaked and then it can be used to target your accounts on all sites. One easy way also to get passwords of users is by setting up fake sites that harvest passwords. All passwords of users at ForumCoin are encrypted and stored in the database by our forum software (phpBB) but I have seen sites that have been set up by known malicious people that change this and log the passwords in clear text. It is actually really simple to do with only a small code change. If I were malicious, I could have done this and got every user's passwords in clear text that they use here. I also have their usernames and emails. I could then use this to try and log in to the email account or other accounts on other sites. Users who reuse passwords would find a lot of their accounts compromised simply because they reused passwords. I would never do this but some sites are set up for this purpose and this does happen.
The best ways to protect yourself are:
1) Have a specific email for important stuff like internet banking and PayPal and be very careful where you give this out. Use emails you don't really care about on regular sites.
2) Use a different password on every site
3) Use 2 step authentication on all sites that allow it.
4) Don't store passwords in browsers or on your desktop in a file or anything like that. There are viruses that can steal this data and send it back to the malicious people.
5) Don't give out passwords. You will be surprised how many people ask for help with their site and post on a public forum that they will hand out the login details to their site if someone can help. That is like standing in the street asking passers-by if they can fix your leaking tap and you will give them your keys to fix it while you are at the shops.
6) Trust your instincts. If a site looks dodgy or if a login page looks different from normal, don't use it. Think you did something silly and put your login details into a fake copy of a site? Change your password quickly.
This will probably keep you 99% secure. You can never be 100% secure but you can be close.
Also, writing down passwords is not secure either. Family, friends etc. can steal them. Also your details can be stolen by keyloggers etc., so when you type them in, they are recorded. Services like LastPass do autofill them, which can avoid keyloggers as you don't type them in. Offline is not always more secure than storing them online.
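
The hashing described in the quoted article, as an added Python example that is not part of the original post and is not LastPass's own code: it stores and checks a password with 100,000 rounds of PBKDF2-SHA256 and measures what each guess costs on the machine running it. The record format, function names and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # the round count quoted in the article above


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage (constructed format)."""
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure what a single password guess costs on this machine."""
    salt = b"\x00" * 16  # fixed salt is fine here: timing only, nothing is stored
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", str(i).encode(), salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_try_all(alphabet: int, length: int, per_guess: float) -> float:
    """Years needed to try every password of this alphabet size and length."""
    return alphabet ** length * per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("1234LastPass", record))                  # False
    cost = seconds_per_guess()
    print(f"{cost * 1000:.1f} ms per guess on this machine")
    print(f"{years_to_try_all(10, 6, cost):.4f} years for 6 digits")
    print(f"{years_to_try_all(62, 12, cost):.3e} years for 12 letters/digits")
```

The timing comes from one CPU core; dedicated hardware is much faster, so treat the printed figures as an upper bound. The gap between the 6-digit and 12-character rows is what makes a long master password matter more than the round count.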