Oh... and to clarify why I am posting this (now):

2 high profile forums have just recently been hacked that run vBulletin.

Macrumors (a massive apple forum)
and
vbulletin.com

i.e., the forum for the support of the forum software. The Macrumors hack resulted in 860,000 users having their passwords, email addresses, etc. exposed. Doesn't matter how good your password is, the way most forum software stores it is reasonably easy to break (it isn't very hard encryption to break for speed purposes so the forums can cope with so many hits).

And nobody knows exactly why yet. There is no patch out yet. and given vBulletin's home site just got hacked, it could be some time in coming. Which means the PSB forum (and others) are probably right now insecure.

But this isn't a problem exclusive to vBulletin. PHPBB has repeatedly been hacked. As have most other forums. Adobe just recently got hacked, and 129 million account details (including passwords) were leaked. PSN has been hacked. Evernote recently hacked. Linkedin got hacked, LivingSocial, etc.

Assuming your password is safe anywhere on the internet is folly. Assume that it will be stolen (along with your email address) via a hack, wherever you use it, sooner or later.


Given that, the only sane stance is to use unique passwords for each site.... because I guarantee that people use the same email address for multiple forum signups, and it doesn't take a rocket-scientist hacker to assume that maybe the email and password you used for say, PSB is the same one you used for say, perthriders, macrumors, or maybe your email account, iTunes account, eBay, Amazon, motomummy, etc.

- Have your own domain name, eg thro.com.au
- Have catch-all email hosting, ie everything that goes to thro.com.au still gets through.
- Use a different email address for each web site that requires an email address, eg psb @ thro.com.au
- It's not perfect... actually, it's bugger all... but it's at least something. Also means that you can trace and filter spam easily.

So where it says enter PASSWORD and then retype PASSWORD am I supposed to be typing something else?

I was just following the directions....

Those damn Russians

(Back in the good old days)

EWallet is another good app. You can back up to your desktop or the cloud. But why use cloud backup when that's where the hackers are?

Interesting [MENTION=7023]thro[/MENTION].

Because everything I've been reading lately has suggested not using generators, that the best way is to come up with a personal method of creating a long password for any particular site.

For example, there's a hell of a lot more entropy in "gippoisafuckingidiotbutrichhasniceeyes" than there is in "299Akskdje0)@!:"

And, if you come up with some method of creating a site password that's unique to you, that's easily repeatable and that's unlikely to create lots of variants, then all you have to remember is that method and you have super secure passwords for everything that you don't have to remember for each place.

Plus, what if it's fine? How can you access your stuff if it's in the cloud but there's no clouds. Worse still what if it starts to rain. Other people could see your private stuff if it falls from the cloud.
I dunno, this cloud stuff sounds very shaky to me.

Entropy is a function of character set and length.

There is more entropy in 32 (or 64 - or 1024, etc. - keepass has no fixed limit on password length, it can generate/store as big as the remote site will take) totally random characters than a human will come up with and remember (the XKCD comic is actually not really correct any more).

if you have to remember them, shorter (than 32 character fully random or whatever) passwords generated via a method known to you makes them able to be remembered, but if you are not remembering them (and with a password manager, you don't have to), 100% random is better.

If your password has words in it (even mutated via numbers) it will fall a lot more quickly to dictionary based attacks than otherwise.

But, these days crackers also have tables of basically every hash for a few common algorithms (e.g.,. MD5) - from memory the entire key-space for X characters (where X = I can't remember how many, but something like 8-9 or more) will fit on a 1.5tb drive, "cracking" a password is simply a case of looking up the hash in some cases now. There are also on-line services using amazon cloud services to brute force passwords (i.e., far more horsepower available than an individual has using their own computers).

The main point is to make sure your passwords are unique between sites. UNIQUE is far more important than making them difficult these days - difficulty is just a matter of how long until the hash is broken once a site is hacked (one minute, one hour, one day, one week, etc.). If you don't re-use that password elsewhere, a cracker having the hash that they can potentially crack isn't going to impact any of your other log-ins, no matter how quickly or slowly he breaks it.

Hypothetical example: If someone breaks into PSB and cracks your PSB password's hash - if it is unique all he can use it for is PSB. Which he hacked anyway....

Or make them unique between classes of sites.

If someone gets my password for PSB, do I really give a shit that they can now log into three or four other forums?

What happens when Keepass gets hacked .

This is what I always think, I dont know fuck all but it seems to me having a treasure chest of passwords seems like they just need to crack one and they get them all. Rather than just cracking one site. Maybe it has awesome security though.

Also how do I know you arent a Nigerian scammer [MENTION=7023]thro[/MENTION] and keepass is your site to steal all my info?

• Keepass does not store anything other than a single file on your computer
• An attacker needs to get hold of your keepass database file, which is 256bit AES encrypted
• when you set up keepass, you can select how many encryption "rounds" it will perform on your database. by default it picks a number that ensures that it will take one second per decryption attempt on your current machine (this means it will take one second to unlock your database, which isn't a big impact to you, but slows down brute-force massively (1 attempt per second or so, instead of several billion per second). To brute force your keepass database would take several hundred trillion years at current processing speeds. This can be bumped up as processors get faster. A 1 second delay isn't a problem for a password manager, but for a web forum the encryption couldn't be that slow or it would slow the site down massively.

You can also set up 2 factor authentication, so that Keepass requires either a file, or to be running on the Windows account associated with your accounts Windows SID. Which is a 128 bit GUID number that is unique to your windows account on your computer.

So in summary: if your KeePass database gets stolen, you have quite some time before somebody breaks the encryption (in theory via brute force, at least a trillion years or so even if they only searched 1% of the key-space). If it is stolen, you'd still be recommended to change your passwords, but the likelihood of them being obtained is very low.

As far as being a scammer? Keepass has been around over 7 years, and is open source. Anyone is free to inspect the source code to verify that it does what it says and nothing else.

We're having a security audit at work at the moment, by ex DSD (Australian version of the NSA) and ex GCHQ (UK's NSA) staff. I asked them which password manager they use. They use Keepass.


But hey, write them down on paper, use LastPass or 1password or Excel, or Notepad or whatever if you don't trust it.

it surprises me that sites dont protect themselves from brute force attacks. you know something like only one attempt permitted within a given time and enforce a minimum length, to reduce probability of successful attempt to something very very small. same as web search tools protect themselves from getting bot spammed 1 search per user per 10 seconds ect.

Ahh this is a misconception. Yes, most sites limit log-ins to a limit of 3 failed attempts per hour or whatever.

However, if someone has previously broken into the site via security vulnerability and stolen the password hashes, these can be brute-forced offline (i.e., no login attempts).

Once the plaintext is found to generate the hash they stole, they know that this is the password. Which can then either be used to log into the site as that user, or tried on other sites that they haven't hacked yet, and quite often used as the same password on different sites by the user.