  1. #1
    COAR SpecOps Team Leader theGinsue's Avatar
    Join Date
    Mar 2008
    Location
    Colo Spr
    Posts
    21,974
    Blog Entries
    4

    OneLogin Users - They've Been Hacked

    For those of you who are users of the password & account management site OneLogin, you need to be aware that they've been hacked. I don't use this service, or others like it for this very reason.

    According to everything I've read, the hackers were able to decrypt encrypted passwords, making all of your information on any linked site vulnerable. If you use the OneLogin site, particularly to access this site, CHANGE YOUR PASSWORDS IMMEDIATELY!



    Quote Originally Posted by LA Times Article
    Hackers have gained access to OneLogin, an online password manager that offers a single sign-on to multiple websites and services. OneLogin said in a blog post that it couldn't rule out the possibility that hackers got keys to reading encrypted data, such as stored passwords.

    Published reports, however, say OneLogin informed customers that the hackers indeed got that capability. OneLogin didn't immediately respond to a request for comment.

    Password managers help people keep track of passwords for a growing array of websites and services that require one. Instead of having to remember complex passwords for each one, people can just remember a master password. The password service then unlocks other accounts as needed.


    You can read more info on this breach from an online Security site:
    https://krebsonsecurity.com/2017/06/...-decrypt-data/
    Ginsue - Admin
    Proud Infidel Since 1965

    "You can't spell genius without Ginsue." -Ray1970, Apr 2020

    Ginsue's Feedback

  2. #2
    BIG PaPa ray1970's Avatar
    Join Date
    Feb 2010
    Location
    Thornton
    Posts
    18,799
    Blog Entries
    1


    Might have to let my step dad know. Not sure what it is he uses but it's something similar.

  3. #3
    Machine Gunner th3w01f's Avatar
    Join Date
    Nov 2010
    Location
    Castle Rock, CO
    Posts
    1,626


    WOW, that would really suck. I use roboform and two days ago I lost one login/pass combo on an airsoft site and had to change about 50 passwords. I have over 500 in roboform so that would be a really long night. The one I lost was my most common but one I don't use on important sites like this one.

  4. #4
    Splays for the Bidet CS1983's Avatar
    Join Date
    Jan 2011
    Location
    St. Augustine, FL
    Posts
    6,260


    I use a host based password program which requires me to login to it w/ a master password to access individual passwords.

    It's not as convenient, but it's also, hopefully, safer.
    Feedback

    It is terrible to contemplate how few politicians are hanged. - The Cleveland Press, March 1, 1921, GK Chesterton

  5. #5
    Possesses Antidote for "Cool" Gman's Avatar
    Join Date
    Oct 2005
    Location
    Puyallup, WA
    Posts
    17,848


    From the articles I was reading, the passwords were being stored in plain text. I'm not a fan of these 'put all of my eggs in one basket in the cloud' strategies.

    I do use Password Safe on my NAS at home to keep some of my info.
    Last edited by Gman; 06-02-2017 at 21:16.
    Liberals never met a slippery slope they didn't grease.
    -Me

    I wish technology solved people issues. It seems to just reveal them.
    -Also Me


  6. #6
    Zombie Slayer Aloha_Shooter's Avatar
    Join Date
    Feb 2007
    Location
    Colorado Springs, CO
    Posts
    6,564


    My passwords are all in one place -- my head. If someone cracks that, they deserve to post on Disqus or here as me. If they want to access my bank account, they'll need more than just the password ...

    BTW, even sites that claim they're secure because they store hashes instead of the password in plain text are really vulnerable. https://blog.codinghorror.com/hacker-hack-thyself/

    Length is better than plain "complexity". Fixed rules suck.
    Last edited by Aloha_Shooter; 06-02-2017 at 21:51.

  7. #7
    A FUN TITLE asmo's Avatar
    Join Date
    May 2012
    Location
    Douglas County (Parker)
    Posts
    3,446


    Repeat after me: Do not use cloud based password managers. All cloud based password managers are evil. If you must use a password manager, it needs to be locally resident and not on someone else's computer.
    What is my joy if all hands, even the unclean, can reach into it? What is my wisdom, if even the fools can dictate to me? What is my freedom, if all creatures, even the botched and impotent, are my masters? What is my life, if I am but to bow, to agree and to obey?
    -- Ayn Rand, Anthem (Chapter 11)

  8. #8
    "Beef Bacon" Commie Grant H.'s Avatar
    Join Date
    Jul 2007
    Location
    Longmont
    Posts
    2,443


    Quote Originally Posted by asmo View Post
    Repeat after me: Do not use cloud based password managers. All cloud based password managers are evil. If you must use a password manager, it needs to be locally resident and not on someone else's computer.
    This.

    I have a text file on an encrypted NAS that I can access from anywhere that I use to keep obscure passwords written down. Even then, I don't write the password out, I just give myself a text based hint/clue as to what the password is.

    Example:

    Site: XYZ.com
    Username: abc123
    Password: Password 1, first Cap, Last cap, + SC1 and SC2

    I have used the same 3 passwords, with dozens of variations for years. I've never had a password get "hacked".

    Works great, and the security level is fantastic. Someone manages to breach my personal network (highly unlikely), then crack the 256-bit AES encryption on the NAS (extremely unlikely), and then guess my passwords anyway...
    Living the fall of an empire sucks!
    For your convenience, a link to my Feedback

  9. #9
    Glock Armorer for sexual favors Jer's Avatar
    Join Date
    Jul 2009
    Location
    Loveland, CO
    Posts
    6,256


    Quote Originally Posted by asmo View Post
    Repeat after me: Do not use cloud based password managers. All cloud based password managers are evil. If you must use a password manager, it needs to be locally resident and not on someone else's computer.
    I couldn't agree more. The admins that think they're making the world safer by forcing frequent password changes and specific characters that require users to then use a 3rd party host to track all of their passwords are actually creating more problems. All my passwords are in my dome and I sleep tight at night knowing that nobody has them but me.
    I'm not fat, I'm tactically padded.
    Tactical Commander - Fast Action Response Team (F.A.R.T.)
    For my feedback Click Here.
    Click: For anyone with a dog or pets, please read
