Phishers are getting sophisticated

[Zundfolge]

So I got one of those scam emails "I hacked your email account, so send me bitcoin or I'll show the world the porn you look at" ... it had my email address and said what the password was. While that's not the PW for that email address it is one I've used other places (although not in a long time since I let LastPass generate them now).

I think the guy doesn't have anything on me but it is disconcerting.

My guess is he got a list of usernames (many sites use your email address) and pws and is just assuming that a lot of people use just one or two pws so he'd get lucky frightening someone. But it does illustrate why a pw manager is the way to go and you should NEVER re-use passwords.


I downloaded my password list off LastPass and cross referenced all the sites I used that combination of password and email-address-as-username ... and found about a dozen. Only a couple of which are sites I actually use (so I changed those).



Anyway Justin sent me the following link when I talked to him about it https://haveibeenpwned.com/ and it looks like I had been "pwned" and two of the web sites I use had been breached (disqus and plex). So glad I changed those PWs today.

[Irving]

Can you post more about LastPass? How easy is it to use? Is it a cloud thing? Do you pay for it?

[Zundfolge]

Can you post more about LastPass? How easy is it to use? Is it a cloud thing? Do you pay for it?

LastPass is free and easy to use ... although they also have a "premium" version (not sure what that gives you).

basically you set up one password to LastPass and it will automatically generate complex passwords for you and store all those passwords online so you can access them any time you need them.

The important thing is that it allows you to use a different password on every site you log into so you aren't reusing passwords (which is bad opsec).

https://www.lastpass.com

[CS1983]

How is that sophisticated?

I had an interesting one a few weeks ago when trying to sell some tires on CL. Had someone who said they wanted to buy. OK, cool. Then I get a Google Voice verification text. The guy then immediately texts he wants me to tell him the number to verify I'm real. HA! So basically they were trying to get people to verify their own phone numbers in order to get new Google voice numbers for further scams.

I use KeePass. Free. Can export the DB. Easy to use.

[Skip]

Yup.

Got the "we turned your webcam on" one too. I don't have a webcam on my primary dev desktop machine and my laptop is blocked out all the time. I don't do video conferencing, ever.

Another tip I learned is to incorporate the site/name in the PW. Again, my PWs are never the same and complex but I will put the initials or short name of the site somewhere in there so if it's compromised I know which one was hit. You can still use a PW vault with this too!

[davsel]

So, what happens when LastPass gets hacked?

[O2HeN2]

So, what happens when LastPass gets hacked?

Assuming it works like 1Password.com that I use, nothing. They don't have anything but encrypted data that even they can't decrypt. I'll give more details when I'm on a real keyboard.

O2

[davsel]

Assuming it works like 1Password.com that I use, nothing. They don't have anything but encrypted data that even they can't decrypt. I'll give more details when I'm on a real keyboard.

O2

If someone figures out your password to 1Password, LastPass, etc, they have access to ALL of your accounts. Encrypted or not.

ALL your eggs in one basket.

[Zundfolge]

If someone figures out your password to 1Password, LastPass, etc, they have access to ALL of your accounts. Encrypted or not.

ALL your eggs in one basket.

That's why you should change it regularly. The online password managers are still many orders of magnitude safer than most people's opsec ... especially considering the fact that most people use the same login and password on all their online accounts (and the password is something simple like a pet's name).

Don't let the perfect be the enemy of the good.

[O2HeN2]

If someone figures out your password to 1Password, LastPass, etc, they have access to ALL of your accounts. Encrypted or not.

ALL your eggs in one basket.

Not entirely true, but this is one misunderstanding that kept me from getting on board with a password manager for years.

Here's how 1Password.com works:

1Password generates a long key when you signup.

You need to install that key on whatever devices you wish to use 1Password on. This step can be a PITA but it's a one time deal per device and the QR code (or was it a barcode? I don't remember) that 1Password can generate of the key helps.

Here's security feature 1: That key AND your password are BOTH necessary to decrypt your information. So if someone "figures out your password" as you stated, without the key they have nothing UNLESS they also have one of your devices and/or your key as well.

Security feature 2: Your password is never send to 1Password, so even they don't have it. Your information remains encrypted until it's ON your device and then it's decrypted there using your password and key.

So no decrypted information is stored on 1Password's side nor does any decrypted information move through the network.

Downside is don't expect any "Password recovery" option from 1Password. If you forget it, you're SOL. This is a feature, not a bug, serioiusly.

Nice thing is that when you setup your 1Password account it prints out a nice sheet of paper with your key on it and space to write your password.

I have two copies of this, one in my safe deposit box and the other in the GF's safe deposit box.

So, to recap:

• If someone gets your password they can't get into your stuff.
• If someone steals one of your devices they can't get into your stuff.
• If someone gets your key they can't get into your stuff.

Only if they have the key AND your password can they access your stuff.

Use a good passowrd, something cryptic but easy to remember like "F0ur$c0r3@nd" and everything will be very, very secure and safe.

O2