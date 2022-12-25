
Turns out that storing all your passwords in the cloud is a bad idea
TWX [TotalFark]
4 hours ago
I wonder how long it'll be until the various social media influencers that peddled their password storing system are sued.

/don't endorse a product unless you're prepared to be part of the lawsuit
 
mofa [TotalFark]
4 hours ago
Just a note: the password vaults were encrypted with each user's master password. They may have been negligent, but they weren't outrageously negligent.

// As a defense contractor, I had as many as 8 IT security briefings per year, one for each classified program. How many times per year do security firm employees get such briefings? I sure hope it's at least one.
 
bostonguy [TotalFark]
3 hours ago
Everything stored "in the cloud" will eventually get hacked.

/ it's just someone else's server
 
DannyBrandt [TotalFark]
3 hours ago
Love98761234
 
DannyBrandt [TotalFark]
3 hours ago
Wait, f*ck, I was trying to log in. Mods, please delete.
 
yellowjester [TotalFark]
2 hours ago
Security on the internets a phallacy
 
Nintenfreak [TotalFark]
1 hour ago
I could have told you that.  Glad I never used Last Pass.  Kinda knew this shiat was inevitable though
 
ImmutableTenderloin [BareFark]
1 hour ago
I have a client that uses a dedicated enterprise password protection cloud application. They swear by it. They're a government entity. Pass the popcorn please.
 
IRestoreFurniture
1 hour ago

bostonguy: Everything stored "in the cloud" will eventually get hacked.

/ it's just someone else's server


Imagine the disappointment when I inform people it's called the cloud because in a network diagram, the internet is represented by a cloud.
 
stuhayes2010
1 hour ago
Under the pump?
 
toraque [TotalFark] [OhFark]
1 hour ago

DannyBrandt: Wait, f*ck, I was trying to log in. Mods, please delete.


Oh, come on. If that was your real password fark would have hidden it behind asterisks.

See: **********
 
bostonguy [TotalFark]
1 hour ago

toraque: DannyBrandt: Wait, f*ck, I was trying to log in. Mods, please delete.

Oh, come on. If that was your real password fark would have hidden it behind asterisks.

See: **********


Someone see if it's the same combination on his luggage.
 
thealgorerhythm
1 hour ago
And that's why I just keep everything on a piece of yellow paper next to my monitor
 
Nikan1 [BareFark]
1 hour ago
These bastards wrecked my Christmas Eve.

My GF and I spent our day replacing passwords and migrating to a different password storage system instead of hanging out together.
 
whatisaidwas [BareFark] [OhFark]
1 hour ago

thealgorerhythm: And that's why I just keep everything on a piece of yellow paper next to my monitor


Modern humans are actually pretty good at managing small slips of paper such as money so if you have your password written on a similar size piece in your wallet maybe it's fairly safe.
 
Frederf
56 minutes ago

thealgorerhythm: And that's why I just keep everything on a piece of yellow paper next to my monitor


People like to make fun of that but a Post-It is orders of magnitude more secure than computer-based forms of password storage outside of obvious things like coworkers or family members looking at it.
 
Fart And Smunny
53 minutes ago
Well. Good thing I've been ignoring those emails from my work about the LastPass account they got for employees.
 
flucto [TotalFark]
51 minutes ago
Personally I think it's appropriate to apply a very high standard for gross negligence with regard to officers and directors but:

"Intriguingly, LastPass has now also admitted that what it describes as a "password vault" isn't actually a scrambled BLOB (an amusingly descriptive jargon word meaning binary large object) consisting only and entirely of encrypted, and therefore unintelligible, data.

Those "vaults" include unencrypted data, apparently including the URLs for the websites that go with each encrypted username and password."

That certainly seems like the gross side of any standard. Fry those bastards.
 
AlphaG33k
48 minutes ago
The cloud is just someone else's computer.

You are putting your unencrypted files, on someone else's PC, who has full admin access.

My password notebook remains secure.
 
maxandgrinch [TotalFark] [OhFark]
47 minutes ago
Thought one was to never go full 2FA.  Is that cool now, or do you need to wash first?
 
AlphaG33k
46 minutes ago
LastPass is aptly named. It will be the last password you use, as everything gets compromised.

Enjoy explaining that to the bank, insurance company, and everyone else.

Don't worry! you may qualify for free credit monitoring! They will monitor it, as it goes from 715 to 300 to 0.

Enjoy paying cash for everything and being treated like a pariah.
 
The Exit Stencilist
45 minutes ago
Had several clients try to get me to use LastPass and others. I always refused, informing them that use of such a third party service meant not just trusting that service to be benign, but to actually be secure, and that the damage due to a breach with all your access credentials in one place would be monumental and a real shiatstorm.

They'd always roll their eyes, nod their heads and let me not use the password hoarding service while muttering some ignorant BS about how their security was bulletproof or whatnot.

I hope those clueless idiots think back to our conversation while they reset their entire farking infrastructure

And these were tech companies in SF. They should damn well know better, but this is what happens when you start sucking your own cock out of hubris
 
erik-k [OhFark]
42 minutes ago

DannyBrandt: Wait, f*ck, I was trying to log in. Mods, please delete.


If you post your social security # Fark automatically censors it. Look:

****-**-****
 
gyruss
40 minutes ago

flucto: Personally I think it's appropriate to apply a very high standard for gross negligence with regard to officers and directors but:

"Intriguingly, LastPass has now also admitted that what it describes as a "password vault" isn't actually a scrambled BLOB (an amusingly descriptive jargon word meaning binary large object) consisting only and entirely of encrypted, and therefore unintelligible, data.

Those "vaults" include unencrypted data, apparently including the URLs for the websites that go with each encrypted username and password."

That certainly seems like the gross side of any standard. Fry those bastards.


URLs, usage history, form fill data, usernames, emails, basically everything except the passwords themselves.

The username and email associations are going to lead to a lot of password reset phishing. All that form fill data has a doxxer's gold mine of address and personal contact information. Wonder how many politicians' home addresses are in there?
 
bostonguy [TotalFark]
38 minutes ago
And my web browsers keep prompting me to save my credit card details and other personal information on them.

Uh, NO.
 
sitesmithscott
37 minutes ago

mofa: Just a note: the password vaults were encrypted with each user's master password. They may have been negligent, but they weren't outrageously negligent.

// As a defense contractor, I had as many as 8 IT security briefings per year, one for each classified program. How many times per year do security firm employees get such briefings? I sure hope it's at least one.


IT guy in the private world who is pursuing his CISSP cert.

It is a shiatshow. More places are understaffed and undertrained and so poorly organized that a breach may not be detected for months if subtle. I get one security training a year and it's a 15-minute video that tells you not to share passwords and how to freak out properly when you get a suspicious email. Real staff and processes cost money.

A company's greatest liability is its ownership. For security purposes, we should form unions that enforce supporting a company's infrastructure and if they can't comply, take it away from them and give it to the people that deserve it: the employees and the customers.
 
cyberspacedout [recently expired TotalFark]
32 minutes ago

toraque: DannyBrandt: Wait, f*ck, I was trying to log in. Mods, please delete.

Oh, come on. If that was your real password fark would have hidden it behind asterisks.

See: **********


That looks like 10 characters, so it must also work with Social Security Numbers.
 
GalFisk
28 minutes ago

toraque: DannyBrandt: Wait, f*ck, I was trying to log in. Mods, please delete.

Oh, come on. If that was your real password fark would have hidden it behind asterisks.

See: **********


Cool, let me try: hunter2
 
Fano
26 minutes ago

Frederf: thealgorerhythm: And that's why I just keep everything on a piece of yellow paper next to my monitor

People like to make fun of that but a Post-It is orders of magnitude more secure than computer-based forms of password storage outside of obvious things like coworkers or family members looking at it.


I mean, a post it in your house isn't getting brute forced 5000 times an hour every hour of the day and every day of the year
 
Russ1642
24 minutes ago
They got encrypted data. So, as always, the only people vulnerable are those with weak passwords.
 
hlehmann
24 minutes ago

thealgorerhythm: And that's why I just keep everything on a piece of yellow paper next to my monitor


You fool! Keep it on a post-it under your keyboard. That way they'll never find it.
 
Some Junkie Cosmonaut [TotalFark]
22 minutes ago

bostonguy: And my web browsers keep prompting me to save my credit card details and other personal information on them.

Uh, NO.


I'll go ahead and let sites that I shop on save them, because otherwise I'd just be typing them on those sites every time I made a purchase. Letting them save them makes no reasonable difference when, were I not saving them, I'd just be retyping them every time. Same net presence on their servers results, as close as it matters. Otherwise, no, I don't need that shiat saved, thanks.
 
Glorious Golden Ass [OhFark]
21 minutes ago
I'm not defending LastPass, but it doesn't feel like I should be any more worried than about everything that is allowed by lax privacy laws. Yes, someone knows who I am, where I live, the computer I use, and the websites I go to, but...

That's pretty much the data Google, Facebook, TikTok, Fark, every service provider, and every single data broker knows and sells on an open market. What you do on the internet is not a secret.
 
Oreamnos
20 minutes ago
Any farkers use KeePass? It was recommended to me once, a while ago.
 
clawsoon
19 minutes ago
Glad I'm not in IT anymore. Lotta IT practitioners going to their VPs right now saying something like, "We were following industry standard best practices, but unfortunately..."
 
AlphaG33k
18 minutes ago

Russ1642: They got encrypted data. So, as always, the only people vulnerable are those with weak passwords.


so, 95% of the customers.
 
thealgorerhythm
17 minutes ago

whatisaidwas: thealgorerhythm: And that's why I just keep everything on a piece of yellow paper next to my monitor

Modern humans are actually pretty good at managing small slips of paper such as money so if you have your password written on a similar size piece in your wallet maybe it's fairly safe.


I accidentally stuck all the company's passwords into a stripper's panties!
 
AlphaG33k
16 minutes ago

sitesmithscott: mofa: Just a note: the password vaults were encrypted with each user's master password. They may have been negligent, but they weren't outrageously negligent.

// As a defense contractor, I had as many as 8 IT security briefings per year, one for each classified program. How many times per year do security firm employees get such briefings? I sure hope it's at least one.

IT guy in the private world who is pursuing his CISSP cert.

It is a shiatshow. More places are understaffed and undertrained and so poorly organized that a breach may not be detected for months if subtle. I get one security training a year and it's a 15-minute video that tells you not to share passwords and how to freak out properly when you get a suspicious email. Real staff and processes cost money.

A company's greatest liability is its ownership. For security purposes, we should form unions that enforce supporting a company's infrastructure and if they can't comply, take it away from them and give it to the people that deserve it: the employees and the customers.


Ah, a union. Old jimmy has been here for 25 years, he started as the janitor, moved on to head janitor, and is now the chief security officer, sleep tight!

That was probably how a "musicologist" got the chief security job at the credit bureau.
 
ChrisDe
15 minutes ago

thealgorerhythm: And that's why I just keep everything on a piece of yellow paper next to my monitor


You know what's never been hacked? My 42 Post-it Notes.
 
NeoCortex42
13 minutes ago
I use KeePass since it's stored locally.  One copy on the computer I use, a backup copy on a thumb drive, and a hardcopy periodically printed and put in a safe.

I've already had my Chrome saved passwords compromised once.  After that, I stopped saving passwords and set up 2FA on every single account that has it as an option.
 
The Exit Stencilist
13 minutes ago

bostonguy: And my web browsers keep prompting me to save my credit card details and other personal information on them.

Uh, NO.


To be fair, that's stored locally, not on a 3rd party service. By your logic, you shouldn't allow your browser to store your passwords for you either
 
NeoCortex42
10 minutes ago

The Exit Stencilist: To be fair, that's stored locally, not on a 3rd party service. By your logic, you shouldn't allow your browser to store your passwords for you either


If you're using something like Chrome and it's linked to a Google Account, it stores passwords and such in the cloud.
 
Wine Sipping Elitist [TotalFark]
7 minutes ago
Using LastPass makes as much sense as using random VPN providers to remain "private".
 
gyruss
7 minutes ago

clawsoon: Glad I'm not in IT anymore.  Lotta IT practitioners going to their VPs right now saying something like, "We were following industry standard best practises, but unfortunately..."


At the end of the day this is what cyber insurance is for. Just like property risk, nobody actually takes it seriously until they can't get an insurance policy written for it

All of our clients' insurers are having us go through every website they visit to turn on multi factor authentication by the end of next year.
 
gyruss
5 minutes ago

The Exit Stencilist: bostonguy: And my web browsers keep prompting me to save my credit card details and other personal information on them.

Uh, NO.

To be fair, that's stored locally, not on a 3rd party service. By your logic, you shouldn't allow your browser to store your passwords for you either


You shouldn't. Look up Redline Stealer.
 
The Exit Stencilist
4 minutes ago

sitesmithscott: mofa: Just a note: the password vaults were encrypted with each user's master password. They may have been negligent, but they weren't outrageously negligent.

// As a defense contractor, I had as many as 8 IT security briefings per year, one for each classified program. How many times per year do security firm employees get such briefings? I sure hope it's at least one.

IT guy in the private world who is pursuing his CISSP cert.

It is a shiatshow. More places are understaffed and undertrained and so poorly organized that a breach may not be detected for months if subtle. I get one security training a year and it's a 15-minute video that tells you not to share passwords and how to freak out properly when you get a suspicious email. Real staff and processes cost money.

A company's greatest liability is its ownership. For security purposes, we should form unions that enforce supporting a company's infrastructure and if they can't comply, take it away from them and give it to the people that deserve it: the employees and the customers.


Honestly, I think the government needs to step the fark up, declare this a national security issue and enforce standards & practices and regulation

The amount of industrial espionage we let China get away with is sickening. And that's before we even begin to talk about ransomware
 
Chajeungna
2 minutes ago

Oreamnos: Any farkers use KeePass? It was recommended to me once, a while ago.


I use it on PC and iOS devices. File shared via Dropbox. Works well. Long master password plus a keyfile for max security.
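The vault model this thread keeps circling back to (mofa's note that vaults are encrypted with each user's master password, the quoted LastPass admission that site URLs sit in the clear next to the encrypted credentials, Fano's and Russ1642's point that a stolen blob gets guessed offline and weak master passwords fall first, and Chajeungna's master password plus keyfile setup), as an added Python example that is not from this thread, from LastPass, or from KeePass. The vault layout, the keyfile mixing and the HMAC-based cipher are illustrative stand-ins for the real formats and for AES; the iteration count and hash rate are assumed values chosen for the demo; the entries and wordlist are constructed.

```python
"""Toy model of a master-password-encrypted vault (not LastPass's or KeePass's real
format): what a thief reads without the master password, what one offline guess
costs, why weak master passwords fall first, and what a keyfile changes."""
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 1_000   # kept low so the demo runs fast; real vaults use far more


def composite_secret(master_password: str, keyfile: bytes = b"") -> bytes:
    """Password alone, or password mixed with keyfile bytes (loosely KeePass-style):
    with a keyfile, a dictionary of master passwords alone can never match."""
    h = hashlib.sha256(master_password.encode()).digest()
    if keyfile:
        h += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(h).digest()


def derive_key(master_password: str, salt: bytes, iterations: int, keyfile: bytes = b"") -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is the price of every offline guess."""
    return hashlib.pbkdf2_hmac("sha256", composite_secret(master_password, keyfile),
                               salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES, not a production cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: random nonce, XOR with keystream, HMAC tag over nonce||ciphertext."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(key: bytes, box: dict) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong (tag check fails before any decryption)."""
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_vault(entries: list, master_password: str, iterations: int = KDF_ITERATIONS,
                keyfile: bytes = b"") -> dict:
    """The split the thread is arguing about: URL in the clear, username and password sealed."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations, keyfile)
    items = [{"url": e["url"],                                 # plaintext metadata
              "username": seal(key, e["username"].encode()),  # encrypted
              "password": seal(key, e["password"].encode())}  # encrypted
             for e in entries]
    return {"salt": salt.hex(), "iterations": iterations, "items": items}


def attacker_view(vault: dict) -> list:
    """Everything readable from a stolen vault with no master password at all."""
    return [item["url"] for item in vault["items"]]


def offline_guess(vault: dict, candidate: str, keyfile: bytes = b"") -> Optional[list]:
    """One offline attempt: derive the key, test it on one sealed field, decrypt all if it fits."""
    key = derive_key(candidate, bytes.fromhex(vault["salt"]), vault["iterations"], keyfile)
    if open_sealed(key, vault["items"][0]["password"]) is None:
        return None
    return [{"url": i["url"],
             "username": open_sealed(key, i["username"]).decode(),
             "password": open_sealed(key, i["password"]).decode()} for i in vault["items"]]


def crack(vault: dict, wordlist: list, keyfile: bytes = b"") -> tuple:
    """Dictionary attack on the stolen blob; nobody rate-limits it and nothing logs it."""
    for n, candidate in enumerate(wordlist, 1):
        if offline_guess(vault, candidate, keyfile) is not None:
            return candidate, n
    return None, len(wordlist)


def guesses_per_second(hash_rate: float, iterations: int) -> float:
    """Attacker throughput: raw PBKDF2-SHA256 hashes per second divided by iteration count."""
    return hash_rate / iterations


if __name__ == "__main__":
    # Constructed sample data; the master password is deliberately in the wordlist.
    entries = [{"url": "https://bank.example", "username": "alice", "password": "x7!Qm2"}]
    vault = build_vault(entries, "summer2022")
    print("without master password:", attacker_view(vault))
    print("dictionary attack:", crack(vault, ["123456", "password", "summer2022"]))
    print("same master + keyfile:", crack(build_vault(entries, "summer2022", keyfile=b"kf"),
                                         ["summer2022"]))
    print("guesses/s at 1e9 hashes/s, 100k iterations:", guesses_per_second(1e9, 100_000))
```

Two things to take from running it. First, attacker_view needs no password at all, which is the Post-it versus cloud argument in one line: the thief already has the list of sites before the first guess. Second, the guess rate is hash_rate divided by the vault's iteration count and nothing else; a vault stored with a low count is guessed proportionally faster than one with a high count, and only the master password's entropy (or a keyfile the thief does not have) stands between the blob and the credentials.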
 
asymptonic [TotalFark]
2 minutes ago

Oreamnos: Any farkers use KeePass? It was recommended to me once, a while ago.


Yeah, I work in security/cryptography, so it's my go to.  I have a tiny USB thumb drive on my keys with a KeePass database.  It only gets connected to a computer when I need it, much less the cloud.
 
Some Junkie Cosmonaut [TotalFark]
1 minute ago

The Exit Stencilist: The amount of industrial espionage we let China get away with is sickening. And that's before we even begin to talk about ransomware


Every bit of better security worldwide decreases our own governmental ability to spy on people, whether it be domestic or otherwise. Now wonder again why big governments don't step up to mandate truly serious ubiquitous security.
 
Misch [TotalFark] [OhFark]
less than a minute ago

Oreamnos: Any farkers use KeePass? It was recommended to me once, a while ago.


Yes, highly recommend it.
 
