Huge Security Alert: LastPass Suffers Major Data Breach - Here's What You Need to Know to Protect Yourself!

[Skroob]

1password stores passwords in encrypted files. Even so they have a better security policies they did not address the main problem. Anything that stored in a file can be hacked, stolen, damaged, confiscated, broken,etc.

A simple solution is to not store passwords in any place and generate them on demand when they are needed. In this case they can not be hacked even with quantum computers. It is not possible to find a black cat in a black room if there are no cats in this room.

All security is mitigation. Nothing is 100% secure, so you do your best and have a backup plan for when/if it falls apart.

You're right in that the best password is one that doesn't actually exist, and this is along the lines of what hardware 2FA keys and Apple's new Passkey stuff does. But I'm not sure I'd call entirely abandoning the concept of passwords worldwide and replacing them a "simple solution".

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[ZackerySprague]

I guess I need to switch password managers now. Over the years of collecting. I have hundreds.

 

[eliquid]

You are right!

The problem with all these passwords managers is that they store passwords in encrypted files. These files can be hacked, damaged, stolen, broken, confiscated, etc.

A simple solution is to use new passwords managers that do not store passwords in any place. Instead they generate passwords when they are needed.

If you do not store the new password you generated ( on demand ) anywhere, how will you ever be able to remember it to log into something?

The password has to be stored somewhere.

After about 5 new passwords, you can't remember them in your mind alone.

Where are you going to store them?

Any answer you give will have security issue

 

[Practic]

If you do not store the new password you generated ( on demand ) anywhere, how will you ever be able to remember it to log into something?

The password has to be stored somewhere.

After about 5 new passwords, you can't remember them in your mind alone.

Where are you going to store them?

Any answer you give will have security issue

"If you do not store the new password you generated ( on demand ) anywhere, how will you ever be able to remember it to log into something?"

This is the main advantage of generated on demand passwords. You generate them when you need them. You do not need to remember them. For example, go to dynpass.online, enter "qwerty" into the key field and any date for example 2022/2/2. The generator will generate 40 different strong password you can use for 40 online accounts or sites (if you need more get private DPG or a customized version). You do not need to remember or store these passwords in any place. You will be able to recreate them (by repeating the procedure above) when you need them.
Outside the time interval when you generate or use them they do not exist in the real world, therefore it is not possible to hack, stole, damage, confiscate, etc. them. If you want to increase security of passwords you can use two different generators and create new passwords as combinations from sub-strings in the generated passwords.

Another advantage of such passwords is that you copy/paste them in a web browser and do not type from a keyboard. This is very useful when you use public computers or other devices that may have keyloggers, spyware or malware.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Practic]

All security is mitigation. Nothing is 100% secure, so you do your best and have a backup plan for when/if it falls apart.

You're right in that the best password is one that doesn't actually exist, and this is along the lines of what hardware 2FA keys and Apple's new Passkey stuff does. But I'm not sure I'd call entirely abandoning the concept of passwords worldwide and replacing them a "simple solution".

"You're right in that the best password is one that doesn't actually exist, and this is along the lines of what hardware 2FA keys and Apple's new Passkey stuff does."

2FA was broken several years ago Two-factor authentication is broken: What comes next? | Computer Weekly.

In a theory you are right, but on practice not.
See this procedure, which describe procedure for generation of quantum computers resistant {"unhackanle" ) passwords.

https://www.publish0x.com/simple-solutions-to-complex-problems/a-simple-way-to-create-unhackable-passwords-xeenglp

 

[ZackerySprague]

Oof. Do I really have to go through my millions of credential entries now? Your talking years and year's of storing. Haha!

 

[Skroob]

"You're right in that the best password is one that doesn't actually exist, and this is along the lines of what hardware 2FA keys and Apple's new Passkey stuff does."

2FA was broken several years ago Two-factor authentication is broken: What comes next? | Computer Weekly.

In a theory you are right, but on practice not.
See this procedure, which describe procedure for generation of quantum computers resistant {"unhackanle" ) passwords.

https://www.publish0x.com/simple-solutions-to-complex-problems/a-simple-way-to-create-unhackable-passwords-xeenglp

So nothing in that article indicates that 2FA has been “broken” in a cryptographic sense. Using both is vastly more secure than standard passwords. It feels like you’re arguing from a vague point in the future, where quantum computers are available and stable and have already made modern cryptography irrelevant, and I just don’t think it’s likely anytime soon.

Meanwhile, your ephemeral password idea would still require a massive world-bending shift in every piece of software that‘s ever needed a password. As it stands, what your second link proposes is just a password generator. Sure, it won’t be stored in your own local/cloud store, but it suffers from every other problem that plagues passwords, plus a new one: What happens if your chosen generator site goes down? Or changes its generator algorithm? Or gets hacked itself, and starts generating compromised passwords?

I’m not trying to run down your idea, I’m trying to emphasize that ALL security measures have weaknesses. You have to know that going in, nothing is perfectly safe all the time. You do your best to keep things as secure as possible, and have a contingency plan in case something goes wrong.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Practic]

So nothing in that article indicates that 2FA has been “broken” in a cryptographic sense. Using both is vastly more secure than standard passwords. It feels like you’re arguing from a vague point in the future, where quantum computers are available and stable and have already made modern cryptography irrelevant, and I just don’t think it’s likely anytime soon.

Meanwhile, your ephemeral password idea would still require a massive world-bending shift in every piece of software that‘s ever needed a password. As it stands, what your second link proposes is just a password generator. Sure, it won’t be stored in your own local/cloud store, but it suffers from every other problem that plagues passwords, plus a new one: What happens if your chosen generator site goes down? Or changes its generator algorithm? Or gets hacked itself, and starts generating compromised passwords?

I’m not trying to run down your idea, I’m trying to emphasize that ALL security measures have weaknesses. You have to know that going in, nothing is perfectly safe all the time. You do your best to keep things as secure as possible, and have a contingency plan in case something goes wrong.

"What happens if your chosen generator site goes down? Or changes its generator algorithm? Or gets hacked itself, and starts generating compromised passwords?"

There are backups generators hosted in different countries and on different continents. In a very unlikely event that all servers will be down there are portable offline versions.

There is no need to change anything in current practices except elimination of storing passwords in any place. The current practice is to generate random passwords with random passwords generators and store them in encrypted files of passwords managers. With dynamical passwords generated on demand users do not need to remember or store passwords in any place. They recreate them (via a key and a date) when they need these passwords.
This approach is a simplification of the existing practice which also result in a better security.

It is super easy to manage changes of multiple passwords by changing a date (if for example users are required to change multiple passwords often).

 

[Skroob]

There is no need to change anything in current practices except elimination of storing passwords in any place.

Except the main stores that password leaks come from isn't password manager apps, it's hacked websites. It would eliminate this one, specific, exceedingly rare issue, introducing a new level of complexity with its own potential issues, and not actually addressing the real problem. It's making people take their shoes off at the airport.

 

[Practic]

Except the main stores that password leaks come from isn't password manager apps, it's hacked websites. It would eliminate this one, specific, exceedingly rare issue, introducing a new level of complexity with its own potential issues, and not actually addressing the real problem. It's making people take their shoes off at the airport.

"not actually addressing the real problem"

Probably we are talking about different problems.

The problem is that if passwords stored in any place (server, computer, paper, etc.) they can be hacked in some way.
Dynamical passwords solve this problem (of storing passwords in any place) and eliminate risks of hacking from storage (encrypted files) regardless of a place where they are stored.

What real problem you talk about?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Skroob]

"not actually addressing the real problem"

Probably we are talking about different problems.

The problem is that if passwords stored in any place (server, computer, paper, etc.) they can be hacked in some way.
Dynamical passwords solve this problem (of storing passwords in any place) and eliminate risks of hacking from storage (encrypted files) regardless of a place where they are stored.

What real problem you talk about?

Okay, so I'm signing up for an account on thesidewalkmessageboard.net. The signup form asks me for a creative username (MakeMoneyFast69), and a password. I use your method to generate a password. Great, it's not stored anywhere on my side, but that password still goes into the website's database. And if they get hacked and that password gets cracked, the hackers still have access to that account, same as they would if I used a generated password in a password manager. You've eliminated one area of storage, but it's not the one that causes the most breaches. (Historically, anyway.)

 

[Practic]

Okay, so I'm signing up for an account on thesidewalkmessageboard.net. The signup form asks me for a creative username (MakeMoneyFast69), and a password. I use your method to generate a password. Great, it's not stored anywhere on my side, but that password still goes into the website's database. And if they get hacked and that password gets cracked, the hackers still have access to that account, same as they would if I used a generated password in a password manager. You've eliminated one area of storage, but it's not the one that causes the most breaches. (Historically, anyway.)

I agree with you that dynamical passwords do not eliminate risks of hacking on merchants sites. But these risks are very small (according to you belief that encryption can not be quickly hacked). If there is a breach on a merchant site (it means that some encrypted files were hacked but were not decrypted) users have some time to replace the passwords.

The most significant risk is when users passwords are hacked and they do not know about this. Dynamical passwords eliminate this significant risk.

The passwords databases on merchants sites are hacked via compromised masterpasswords, which are stored in some encrypted files. If these masterpasswords will be generated with DPGs this will solve the problem you had pointed out.

 

[Skroob]

I agree with you that dynamical passwords do not eliminate risks of hacking on merchants sites. But these risks are very small (according to you belief that encryption can not be quickly hacked). If there is a breach on a merchant site (it means that some encrypted files were hacked but were not decrypted) users have some time to replace the passwords.

The most significant risk is when users passwords are hacked and they do not know about this. Dynamical passwords eliminate this significant risk.

The passwords databases on merchants sites are hacked via compromised masterpasswords, which are stored in some encrypted files. If these masterpasswords will be generated with DPGs this will solve the problem you had pointed out.

Good encryption can't be quickly hacked. Not everyone does it well. Some places don't even bother, which is why things like the RockYou wordlist exist.

Anyway, I feel like we're talking in circles here. I'm clearly not convincing you of anything, so I'm gonna stop trying. If this is something you're working on, please do keep me informed though!

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Practic]

Good encryption can't be quickly hacked. Not everyone does it well. Some places don't even bother, which is why things like the RockYou wordlist exist.

Anyway, I feel like we're talking in circles here. I'm clearly not convincing you of anything, so I'm gonna stop trying. If this is something you're working on, please do keep me informed though!

Even so we disagree on how strong encryption defenses are, it seems that you agree that solutions which prepared for era of quantum computers are better than the current solutions.

"If this is something you're working on, please do keep me informed though!"

Yes, I am working in this direction and looking for practical applications of this approach to different problems that exist now or will be in the near future.

 

[Practic]

Even so we disagree on how strong encryption defenses are, it seems that you agree that solutions which prepared for era of quantum computers are better than the current solutions.

"If this is something you're working on, please do keep me informed though!"

Yes, I am working in this direction and looking for practical applications of this approach to different problems that exist now or will be in the near future.

Now PayPal was hacked.

Thousands Of PayPal Accounts Breached—Is Yours One Of Them?

It has been confirmed that thousands of PayPal accounts were accessed by credential stuffing attackers between December 6 and 8, 2022.

www.forbes.com

PayPal accounts breached in large-scale credential stuffing attack

PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data.

www.bleepingcomputer.com

 

[c4n]

Now PayPal was hacked.

Not hacked, credential stuffing.

In other words: people were using the same username/password for PayPal as they did for other services. So when the attackers got their username/password from another hacked service, they tried the same combination in PayPal. And it worked for 30k+ accounts.

Moral of the story: don't reuse your passwords.

On a related note... I'm through changing 80% of the 200+ passwords I had at LastPass... what a great way to spend my Sunday...

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Practic]

Not hacked, credential stuffing.

In other words: people were using the same username/password for PayPal as they did for other services. So when the attackers got their username/password from another hacked service, they tried the same combination in PayPal. And it worked for 30k+ accounts.

Moral of the story: don't reuse your passwords.

On a related note... I'm through changing 80% of the 200+ passwords I had at LastPass... what a great way to spend my Sunday...

"Not hacked, credential stuffing."

Credential stuffing is a method of hacking.

35,000 PayPal Accounts Hacked - IT Security Guru

A security notification released to PayPal customers this morning has revealed that up to 35,000 customers have fallen victim to a credential stuffing attack. Credential stuffing attacks involve bad actors systematically trying username and password combinations in order to break into an...

www.itsecurityguru.org

If the users would used dynamical passwords these would not happen.

 

[c4n]

Credential stuffing is a method of hacking.

It was not PayPal that was hacked (it wasn't a security vulnerability exploited on their infrastructure), the accounts were hacked (passwords guessed). I know, semantics, but big difference.

 

[c4n]

If the users would used dynamical passwords these would not happen.

I don't understand something. Example:
- you create an account at thefastlaneforum.com
- you use a dynamic password when registering (using the website you link to)
- the next day, you come back to thefastlaneforum.com and want to log in; how do you know what password to use so you can login?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[eliquid]

- the next day, you come back to thefastlaneforum.com and want to log in; how do you know what password to use so you can login?

This..

Also, @Practic mention that

If the users would used dynamical passwords these would not happen.

But I use the dynamical password on FLF and then I use it on 10 other sites... if one of those 10 sites get's hacked and the password leaked, the other sites are now all going to get "hacked" as well with credential stuffing.

I don't see the benefit here compared to just using a regular random password per site, on something like excel on my desktop ( password protected ).

In the end the password is stored somewhere ( on the website you used it on ) even if you use dynamical.

 

[Practic]

I don't understand something. Example:
- you create an account at thefastlaneforum.com
- you use a dynamic password when registering (using the website you link to)
- the next day, you come back to thefastlaneforum.com and want to log in; how do you know what password to use so you can login?

First, you generate strong passwords for all your 200 accounts with a simple key (for example c4n and your birthday as a date. You do not need to remember them or store them in any place. You recreate them when you need them.
In your example, suppose that the 1st generated password is for thefastlaneforum.com.
Then you repeat the procedure above to create your strong passwords with key=c4n and date=your birthday and use the first generated password (It will be the same each time for the same input parameters).

 

[Practic]

This..

Also, @Practic mention that



But I use the dynamical password on FLF and then I use it on 10 other sites... if one of those 10 sites get's hacked and the password leaked, the other sites are now all going to get "hacked" as well with credential stuffing.

I don't see the benefit here compared to just using a regular random password per site, on something like excel on my desktop ( password protected ).

In the end the password is stored somewhere ( on the website you used it on ) even if you use dynamical.

"But I use the dynamical password on FLF and then I use it on 10 other sites... if one of those 10 sites get's hacked and the password leaked, the other sites are now all going to get "hacked" as well with credential stuffing."

You generate strong different dynamical passwords for ALL your websites/accounts with a simple key and date.

"In the end the password is stored somewhere ( on the website you used it on ) even if you use dynamical."

No, you do not remember or store these passwords in any place. Your recreate them when you need them by repeating the procedure above. You do not have control of what is going on other websites, but you have full control to not store your passwords on your side.

Instead of the traditional method: 1-generate random passwords with random passwords generators, 2-store these passwords in encrypted files of passwords managers you use a new method: create ALL your passwords when you need them using your key and date.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[c4n]

First, you generate strong passwords for all your 200 accounts with a simple key (for example c4n and your birthday as a date. You do not need to remember them or store them in any place. You recreate them when you need them.
In your example, suppose that the 1st generated password is for thefastlaneforum.com.
Then you repeat the procedure above to create your strong passwords with key=c4n and date=your birthday and use the first generated password (It will be the same each time for the same input parameters).

So all someone needs to get access to a list of ALL my passwords is to brute-force the short key (and my birthday)?

One vulnerable website is all you need to use brute force to guess the single key, then you have access to all my passwords.

 

[Practic]

So all someone needs to get access to a list of ALL my passwords is to brute-force the short key (and my birthday)?

One vulnerable website is all you need to use brute force to guess the single key, then you have access to all my passwords.

If you use a private dynamical password generator you will avoid this scenario.
If you need to increase security use this method https://www.publish0x.com/simple-so...le-way-to-create-unhackable-passwords-xeenglp

 

[c4n]

If you use a private dynamical password generator you will avoid this scenario.

Nope, that is exactly what happens. You reduce the security of hundreds of passwords to a single short, easy-to-remember key.

Consider this example:

1. I use the website you mention and my key to generate 200 passwords
2. I want to buy something from the website yellow-widgets.com
3. I register at yellow-widgets.com, and I use generated password #183, which is "MyStrongPassword"
4. the website yellow-widgets.com uses an insecure method to store passwords; they store "MyStrongPassword" as an MD5 hash or even as plain text (you have no idea what security measures websites have in place)
5. yellow-widgets.com gets hacked; the hacker gets "MyStrongPassword" from the database
6. the hacker brute-forces the "dynamical password generator" until one of the generated passwords is "MyStrongPassword"
7. now the hackers knows my single key and has access to all of my 200 passwords

The above is just a simple illustration of how you reduce the security of all your passwords to a single key that can be brute-forced. And that is no more secure than using LastPass for example.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Practic]

Nope, that is exactly what happens. You reduce the security of hundreds of passwords to a single short, easy-to-remember key.

Consider this example:

1. I use the website you mention and my key to generate 200 passwords
2. I want to buy something from the website yellow-widgets.com
3. I register at yellow-widgets.com, and I use generated password #183, which is "MyStrongPassword"
4. the website yellow-widgets.com uses an insecure method to store passwords; they store "MyStrongPassword" as an MD5 hash or even as plain text (you have no idea what security measures websites have in place)
5. yellow-widgets.com gets hacked; the hacker gets "MyStrongPassword" from the database
6. the hacker brute-forces the "dynamical password generator" until one of the generated passwords is "MyStrongPassword"
7. now the hackers knows my single key and has access to all of my 200 passwords

The above is just a simple illustration of how you reduce the security of all your passwords to a single key that can be brute-forced. And that is no more secure than using LastPass for example.

The hacker can do this with public DPGs, but she/he can not do this with private DPGs. (step 6 is not possible)
If you use the last mentioned method (unhackable passwords) hackers will not be able to brute-force your passwords even with quantum computers.

 

[c4n]

The hacker can do this with public DPGs, but she/he can not do this with private DPGs. (step 6 is not possible)
If you use the last mentioned method (unhackable passwords) hackers will not be able to brute-force your passwords even with quantum computers.

Well, where do you store your private DPG then?
And what happens when that computer fails?
And how do you give billions of users worldwide each their own unique cryptographically secure DPG?

Seems to me you're adding layers of complexity and inconvenience but gaining no real advantage over using a unique password for each service and storing it in Excel, for example.

 

[GPM]

I think the best way to go around fixing the password issue is to just tattoo them all over your body. Problems solved.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Practic]

Well, where do you store your private DPG then?
And what happens when that computer fails?
And how do you give billions of users worldwide each their own unique cryptographically secure DPG?

Seems to me you're adding layers of complexity and inconvenience but gaining no real advantage over using a unique password for each service and storing it in Excel, for example.

"Well, where do you store your private DPG then?"
Private DPGs are generators of passwords locations to which (URLs) are known only to users.
Private DPGs as well as public DPGs do not store passwords in any place.

"And what happens when that computer fails?"
Private DPGs are hosted on multiple servers in multiple countries, so if some fail other will work.
In a very unlikely event if all servers will be down a user will have portable offline versions, which can be run on any computer.

"And how do you give billions of users worldwide each their own unique cryptographically secure DPG?"
It is a simple combinatorics. If there will be 100 trillions people on the planet, they will have private DPGs which
will generate unique set of passwords for each of them.

"and storing it in Excel, for example."

It seems that it is hard for you to understand that the generated passwords are not stored in any place (on your side), therefore they can not be hacked, stolen, damaged, confiscated, etc. Storing passwords in Excel is a huge security risk, even if you encrypt your file.

 

[c4n]

It seems that it is hard for you to understand that the generated passwords are not stored in any place (on your side), therefore they can not be hacked, stolen, damaged, confiscated, etc. Storing passwords in Excel is a huge security risk, even if you encrypt your file.

If you have an algorithm that generates the same passwords for the same input every single time, the end result is the same as storing them in a file.