Phishers are getting sophisticated
Zundfolge
05-20-2019, 12:50
So I got one of those scam emails "I hacked your email account, so send me bitcoin or I'll show the world the porn you look at" ... it had my email address and said what the password was. While that's not the PW for that email address it is one I've used other places (although not in a long time since I let LastPass generate them now).
I think the guy doesn't have anything on me but it is disconcerting.
My guess is he got a list of usernames (many sites use your email address) and pws and is just assuming that a lot of people use just one or two pws so he'd get lucky frightening someone. But it does illustrate why a pw manager is the way to go and you should NEVER re-use passwords.
I downloaded my password list off LastPass and cross referenced all the sites I used that combination of password and email-address-as-username ... and found about a dozen. Only a couple of which are sites I actually use (so I changed those).
Anyway Justin sent me the following link when I talked to him about it https://haveibeenpwned.com/ and it looks like I had been "pwned" and two of the web sites I use had been breached (disqus and plex). So glad I changed those PWs today.
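The audit described in this post (export the vault, find every site that shares the same email-plus-password pair, then see whether that password shows up in a breach) can be scripted. The following is an added example, not code from the thread or from LastPass; the CSV column names (url,username,password,extra,name,grouping,fav) are an assumption about the LastPass export format, and the rows and the Pwned Passwords range response are constructed so the script runs offline. Only the first five characters of the password's SHA-1 would ever be sent to haveibeenpwned.com; the full hash never leaves the machine.

```python
"""Find reused credentials in a password-manager CSV export and check them
against a Pwned Passwords range response (offline demo, constructed data)."""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. Column names assume LastPass's CSV layout;
# every row below is made up for this example.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://disqus.com,alice@example.com,Summer2012!,,Disqus,Social,0
https://plex.tv,alice@example.com,Summer2012!,,Plex,Media,0
https://forum.example.net,alice@example.com,Summer2012!,,Old forum,Misc,0
https://bank.example.com,alice@example.com,xQ9#v2Lm$7pR!wTz,,Bank,Finance,1
https://mail.example.com,alice,Summer2012!,,Mail,Misc,0
"""


def find_reuse(csv_text):
    """Return {(username, password): [url, ...]} for every username/password
    pair that is used on more than one site."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["username"].strip().lower(), row["password"])
        groups[key].append(row["url"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the range API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, range_response):
    """range_response is the body the range API returns for the password's
    prefix: one 'SUFFIX:COUNT' per line. Returns the count, or 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for what the API would return for Summer2012!'s prefix:
# its real suffix with a made-up count, plus one unrelated made-up entry.
CONSTRUCTED_RANGE_RESPONSE = (
    f"{sha1_prefix_suffix('Summer2012!')[1]}:4219\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
)


def audit(csv_text, range_lookup):
    """range_lookup(prefix) -> response text for that prefix. In real use it
    would GET https://api.pwnedpasswords.com/range/<prefix>; here the caller
    supplies an offline stub."""
    findings = []
    for (user, pw), sites in find_reuse(csv_text).items():
        prefix, _ = sha1_prefix_suffix(pw)
        findings.append({
            "username": user,
            "sites": sites,
            "pwned_count": pwned_count(pw, range_lookup(prefix)),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT, lambda prefix: CONSTRUCTED_RANGE_RESPONSE):
        print(f"{f['username']}: reused on {len(f['sites'])} sites, "
              f"seen {f['pwned_count']} times in breaches")
```

Grouping on the (username, password) pair matches what the post did; grouping on the password alone would also catch the fifth row, where the same password is used under a different username.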
Can you post more about LastPass? How easy is it to use? Is it a cloud thing? Do you pay for it?
How is that sophisticated?
I had an interesting one a few weeks ago when trying to sell some tires on CL. Had someone who said they wanted to buy. OK, cool. Then I get a Google Voice verification text. The guy then immediately texts he wants me to tell him the number to verify I'm real. HA! So basically they were trying to get people to verify their own phone numbers in order to get new Google voice numbers for further scams.
I use KeePass. Free. Can export the DB. Easy to use.
Zundfolge
05-20-2019, 13:16
Can you post more about LastPass? How easy is it to use? Is it a cloud thing? Do you pay for it?
LastPass is free and easy to use ... although they also have a "premium" version (not sure what that gives you).
Basically, you set up one password for LastPass and it will automatically generate complex passwords for you and store all those passwords online so you can access them any time you need them.
The important thing is that it allows you to use a different password on every site you log into so you aren't reusing passwords (which is bad opsec).
https://www.lastpass.com
Yup.
Got the "we turned your webcam on" one too. I don't have a webcam on my primary dev desktop machine and my laptop is blocked out all the time. I don't do video conferencing, ever.
Another tip I learned is to incorporate the site/name in the PW. Again, my PWs are never the same and complex but I will put the initials or short name of the site somewhere in there so if it's compromised I know which one was hit. You can still use a PW vault with this too!
So, what happens when LastPass gets hacked?
So, what happens when LastPass gets hacked?
Assuming it works like 1Password.com that I use, nothing. They don't have anything but encrypted data that even they can't decrypt. I'll give more details when I'm on a real keyboard.
O2
Does last pass just autofill the passwords when you go to the site like Google will (if you allow)? I'll have to check it out when I get home. My current system of keeping track of passwords is likely less than desirable. What do you do for a spouse to have access in the event of your death? Keep the LastPass password written down in a separate location?
Zundfolge
05-20-2019, 13:38
Does last pass just autofill the passwords when you go to the site like Google will (if you allow)? I'll have to check it out when I get home. My current system of keeping track of passwords is likely less than desirable. What do you do for a spouse to have access in the event of your death? Keep the LastPass password written down in a separate location?
I keep a copy of my LastPass password on a tiny slip of paper in my wallet.
I've heard rumors of people using realistic sounding voice recordings to say kids have been kidnapped, but nothing I can confirm. And with AI face replacement stuff scammers can and will be getting more sophisticated, but it also makes denying stuff easier IMO.
Even more fun is the Indian Windows Support scammers. Rajnish, I'm on Linux. Go away.
Assuming it works like 1Password.com that I use, nothing. They don't have anything but encrypted data that even they can't decrypt. I'll give more details when I'm on a real keyboard.
O2
If someone figures out your password to 1Password, LastPass, etc, they have access to ALL of your accounts. Encrypted or not.
ALL your eggs in one basket.
KeePass is not cloud based, btw. At least the version I have. So they'd have to get physical access to my machine, guess the PW for the hard disk, guess log on PW, guess KeePass Master, and then find themselves utterly bored.
So I got one of those scam emails "I hacked your email account, so send me bitcoin or I'll show the world the porn you look at" ... it had my email address and said what the password was. While that's not the PW for that email address it is one I've used other places (although not in a long time since I let LastPass generate them now).
I think the guy doesn't have anything on me but it is disconcerting.
I get several of these a week. They sometimes come in waves where I might get a dozen in one day, all with different subject lines. They go straight to my spam folder and are never opened.
I'm a big fan of 1Password. It also has features for tracking hacked accounts, highlighting duplicate passwords (from before I bought it), generating strong passwords, autofill, etc. Syncs to my iPhone so I can open it with a thumbprint.
Even more fun is the Indian Windows Support scammers. Rajnish, I'm on Linux. Go away.
Several months ago I stumbled across a YouTube page of a guy who made sport out of taking the bait from these scammers and then hacking and destroying their computer/internal networks.
Basically he'd spin up a bunch of VMs, give the scammers access to the VM, and do something like leave a PDF or Excel file on the desktop named something juicy like "financial account data" or the like.
The scammers, of course, would copy the files, which were shot through with malware. Listening to the scammers become increasingly angry as their systems would blink out one after the other was pretty hilarious.
Several months ago I stumbled across a YouTube page of a guy who made sport out of taking the bait from these scammers and then hacking and destroying their computer/internal networks.
Basically he'd spin up a bunch of VMs, give the scammers access to the VM, and do something like leave a PDF or Excel file on the desktop named something juicy like "financial account data" or the like.
The scammers, of course, would copy the files, which were shot through with malware. Listening to the scammers become increasingly angry as their systems would blink out one after the other was pretty hilarious.
Did you see the one where the screen went into some sort of fractal mind warp of opening files on the scammers machine and crashed their network through propagating the file everywhere, or something? They somehow timed it so the scammer accepted a remote request and then dropped the file on the desktop. In the background you hear nothing but yelling Indians.
bellavite1
05-20-2019, 14:49
It's going to show my porn to the world???
Oh well, so I like Tits & Ass...SHOCKING!!![panic]
Zundfolge
05-20-2019, 15:03
If someone figures out your password to 1Password, LastPass, etc, they have access to ALL of your accounts. Encrypted or not.
ALL your eggs in one basket.
That's why you should change it regularly. The online password managers are still many orders of magnitude safer than most people's opsec ... especially considering the fact that most people use the same login and password on all their online accounts (and the password is something simple like a pet's name).
Don't let the perfect be the enemy of the good.
Did you see the one where the screen went into some sort of fractal mind warp of opening files on the scammers machine and crashed their network through propagating the file everywhere, or something? They somehow timed it so the scammer accepted a remote request and then dropped the file on the desktop. In the background you hear nothing but yelling Indians.
[LOL]
Link it if you got it.
I love those guys! Every second they keep a scammer occupied is a second they don't have to rip off grandma.
If someone figures out your password to 1Password, LastPass, etc, they have access to ALL of your accounts. Encrypted or not.
ALL your eggs in one basket.
Not entirely true, but this is one misunderstanding that kept me from getting on board with a password manager for years.
Here's how 1Password.com works:
1Password generates a long key when you signup.
You need to install that key on whatever devices you wish to use 1Password on. This step can be a PITA but it's a one time deal per device and the QR code (or was it a barcode? I don't remember) that 1Password can generate of the key helps.
Here's security feature 1: That key AND your password are BOTH necessary to decrypt your information. So if someone "figures out your password" as you stated, without the key they have nothing UNLESS they also have one of your devices and/or your key as well.
Security feature 2: Your password is never sent to 1Password, so even they don't have it. Your information remains encrypted until it's ON your device and then it's decrypted there using your password and key.
So no decrypted information is stored on 1Password's side nor does any decrypted information move through the network.
Downside is don't expect any "Password recovery" option from 1Password. If you forget it, you're SOL. This is a feature, not a bug, seriously.
Nice thing is that when you setup your 1Password account it prints out a nice sheet of paper with your key on it and space to write your password.
I have two copies of this, one in my safe deposit box and the other in the GF's safe deposit box.
So, to recap:
If someone gets your password they can't get into your stuff.
If someone steals one of your devices they can't get into your stuff.
If someone gets your key they can't get into your stuff.
Only if they have the key AND your password can they access your stuff.
Use a good password, something cryptic but easy to remember like "F0ur$c0r3@nd" and everything will be very, very secure and safe.
O2
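The two-secret property O2 describes (the master password alone opens nothing, the key alone opens nothing, both together open the vault) can be shown in a few dozen lines. The code below is an added example written for this thread, not 1Password's or LastPass's implementation: the real product's derivation parameters and cipher differ (1Password documents PBKDF2, HKDF and AES-GCM; this demo combines PBKDF2 and HMAC-SHA256 and uses an HMAC-based encrypt-then-MAC stand-in because Python's standard library has no AES). The salt, password and Secret Key values are made up; the iteration count is an assumption chosen to keep the demo quick.

```python
"""Two-secret vault unlock: a vault key derived from BOTH the master
password and a device-held Secret Key. Illustrative scheme only."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # demo assumption; production schemes use more


def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Slow-hash the human-chosen password, hash the high-entropy Secret Key,
    and combine them. Reproducing the result needs both inputs."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    sk_key = hmac.new(salt, secret_key.encode("utf-8"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def _subkeys(vault_key: bytes):
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in
               zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a key derived from the
    wrong password OR the wrong Secret Key fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault will not open: password and/or Secret Key wrong")
    return bytes(c ^ k for c, k in
                 zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    salt = b"per-account-salt-not-secret"     # stored server-side, not secret
    password = "F0ur$c0r3@nd"                  # the memorised master password
    secret_key = secrets.token_urlsafe(32)     # generated once, lives on devices
    vault_key = derive_vault_key(password, secret_key, salt)
    blob = seal(vault_key, b"safe combo: 12-34-56")

    results = {"both": open_vault(vault_key, blob)}
    attempts = {
        "password only": (password, "attacker-guessed-key"),
        "key only": ("attacker-guessed-password", secret_key),
    }
    for label, (pw, sk) in attempts.items():
        try:
            open_vault(derive_vault_key(pw, sk, salt), blob)
            results[label] = "opened"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The point the post makes falls out of the MAC check: the server holds only the salt and the sealed blob, so a leaked master password without the Secret Key (or a stolen Secret Key without the password) yields a vault key that fails verification and returns nothing.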
Zundfolge
05-20-2019, 16:38
O2 is correct, it's not as simple as someone just figuring out your password.
I tried to log into my LastPass account from work because I needed to get my email password. But it wouldn't let me in directly, it sent a verification email to my email address and wouldn't let me access my LastPass vault until I clicked the link in the verification email (and of course I didn't have the email account password with me so I couldn't get into LastPass).
So in order for a third party to get access to your LastPass vault, they'd have to have both your LastPass password AND know the email address and password of the email account you have associated with your LP account.
...and you can store other stuff in 1Password.com (I'm sure other products are similar). You can store simple text notes (for instance, my safe combo), documents (my NFA Trust documents), my public and private RSA keys, passport number, etc.
...and notes on what to do upon my death.
I had a huge epiphany as I started to use 1Password: It gives someone a one-stop place to go find out all your important information in case you're gone.
1Password is $36/year for an individual (they have a family plan for $60 too, where you can share common and isolate passwords too). IMHO it's worth every penny.
O2
Zundfolge
05-20-2019, 17:23
Eventually I'll probably break down and get one of these. https://www.themooltipass.com
https://www.youtube.com/watch?v=w2RzVxxr5gM
theGinsue
05-20-2019, 17:48
Eventually I'll probably break down and get one of these. https://www.themooltipass.com
https://www.youtube.com/watch?v=w2RzVxxr5gM
https://www.youtube.com/watch?v=9jWGbvemTag
ChickNorris
05-20-2019, 18:24
Ginsue! Exactly what I 'heard' too
Zundfolge
05-20-2019, 18:40
Ginsue! Exactly what I 'heard' too
And that's exactly what its creators were referring to.
Delfuego
05-20-2019, 19:26
I got this one a while back, It was funny so I sent it a coworker. Sounds legit [Roll1]
A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.
I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!
And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!
To hack me they'll have to get to the Post-It notes along the bottom of my screen.
Zundfolge
05-20-2019, 21:20
I got this one a while back, It was funny so I sent it a coworker. Sounds legit [Roll1]
A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.
I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!
And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!
Ha! the one I got had that EXACT borderline Engrish phrasing.
Did you understand what it was about, huh?
Delfuego
05-21-2019, 10:44
Ha! the one I got had that EXACT borderline Engrish phrasing.
You Big Pervert too! :)
Scanker19
05-21-2019, 11:14
See this pisses me off. I try to show people the porn I look at and I get “banned.” The P in PTA doesn’t stand for “professional”.