As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/

[Computer Security Thread] Lastpass Compromised (Again)

18889909294

Posts

  • Inquisitor77Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and timeRegistered User regular
    Theoretically there isn't really an issue with using spaces in passwords. The password string is being hashed, and the input for the hashing function accepts spaces just fine. A space is a character that is represented by bytes. Therefore it can be hashed. The issue in the past has been one of technical limitations, but assuming a modern implementation with modern standards, there are no technical issues with supporting spaces anymore.

    However, I will say that in today's world the primary reason you may not want to support spaces in a password is because of user error. If someone tries to copy/paste a password, for example, they may add an inadvertent space or carriage return to the beginning or end of the string. From a user experience perspective, the easiest way to address this is to trim any inputs or to prevent such characters from being used in the password input field.

    It's also worth noting that given password managers have to support the widest possible range of password implementations, it makes sense for them to have a default configuration which does not support spaces. (However, a password manager you are paying for which doesn't let you toggle that functionality is probably not worth paying for.) Similarly, many password managers default to a generator configuration which forces a lowercase, uppercase, number, and symbol, but also allow corresponding toggles when you do want them included.

    Honestly it's an argument that is really only relevant to pedants. If you want a space in your password and the system in question supports it, then great. If not, then don't use one. Either way the inclusion or exclusion in the vast majority of cases, particularly the ones relevant to you and your personal security, is equivalent to the relevance of a single grain of sand in the beach. And if you are a system administrator looking to implement standards, then per above the real question you need to be asking yourself is one of user experience and how that impacts user/system security.

    DrovekOrcafurlionNaphtaliShadowfirethatassemblyguyTrajan45
  • furlionfurlion Riskbreaker Lea MondeRegistered User regular
    Theoretically there isn't really an issue with using spaces in passwords. The password string is being hashed, and the input for the hashing function accepts spaces just fine. A space is a character that is represented by bytes. Therefore it can be hashed. The issue in the past has been one of technical limitations, but assuming a modern implementation with modern standards, there are no technical issues with supporting spaces anymore.

    However, I will say that in today's world the primary reason you may not want to support spaces in a password is because of user error. If someone tries to copy/paste a password, for example, they may add an inadvertent space or carriage return to the beginning or end of the string. From a user experience perspective, the easiest way to address this is to trim any inputs or to prevent such characters from being used in the password input field.

    It's also worth noting that given password managers have to support the widest possible range of password implementations, it makes sense for them to have a default configuration which does not support spaces. (However, a password manager you are paying for which doesn't let you toggle that functionality is probably not worth paying for.) Similarly, many password managers default to a generator configuration which forces a lowercase, uppercase, number, and symbol, but also allow corresponding toggles when you do want them included.

    Honestly it's an argument that is really only relevant to pedants. If you want a space in your password and the system in question supports it, then great. If not, then don't use one. Either way the inclusion or exclusion in the vast majority of cases, particularly the ones relevant to you and your personal security, is equivalent to the relevance of a single grain of sand in the beach. And if you are a system administrator looking to implement standards, then per above the real question you need to be asking yourself is one of user experience and how that impacts user/system security.

    That is a great response and i appreciate you taking the time to write it up. I use KeePass which does indeed have a toggle for spaces and other lesser used characters. I knew about hashing and salting which is why i couldn't really think of a good reason not to allow them, but your explanation about the potential user error put that into perspective. Using spaces might make a password more secure if i was trying to memorize it but given that my average password length is at least 12 characters, unless forced to use fewer, and stored in my vault, it is probably moot in actual practice.

    sig.gif Gamertag: KL Retribution
    PSN:Furlion
  • Inquisitor77Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and timeRegistered User regular
    Glad you found it helpful!

  • syndalissyndalis Getting Classy On the WallRegistered User, Loves Apple Products regular
    another reasonto argue on the side of spaces is that it allows for the use of strong passwords that are inherently human-friendly; the passphrase.

    Being able to recall "That one time in Paris, 1989" is waaaaaay easier than trying to remember s!25%Pp_3 and actually more secure, due to length of phrase and no need for you to write it down somewhere.

    SW-4158-3990-6116
    Let's play Mario Kart or something...
    TetraNitroCubaneShadowfirefurlionhiraethTamerBillthatassemblyguydesc
  • DisruptedCapitalistDisruptedCapitalist I swear! Registered User regular
    The problem I've been having with pass phrases is that it's still hard to remember them when I need to have a unique one for every website. Generally I try to limit them for stuff that I really need to keep secure but still need to have memorized but inevitably it's still too many and I forget which one I used for this website.

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    That’s why you have one passphrase – the master key to your password generator.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
    DrovekShadowfirefurlionsyndalisOrcaBanzai5150thatassemblyguyTrajan45
  • DrovekDrovek Registered User regular
    syndalis wrote: »
    another reasonto argue on the side of spaces is that it allows for the use of strong passwords that are inherently human-friendly; the passphrase.

    Being able to recall "That one time in Paris, 1989" is waaaaaay easier than trying to remember s!25%Pp_3 and actually more secure, due to length of phrase and no need for you to write it down somewhere.

    You can still have that passphrase but without spaces.

    It's far more likely these days to run into "maximum 14 characters!" types of limits for some Lorb forsaken reason.

    steam_sig.png( < . . .
  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    Drovek wrote: »
    syndalis wrote: »
    another reasonto argue on the side of spaces is that it allows for the use of strong passwords that are inherently human-friendly; the passphrase.

    Being able to recall "That one time in Paris, 1989" is waaaaaay easier than trying to remember s!25%Pp_3 and actually more secure, due to length of phrase and no need for you to write it down somewhere.

    You can still have that passphrase but without spaces.

    It's far more likely these days to run into "maximum 14 characters!" types of limits for some Lorb forsaken reason.

    Those sites with tight limits on character usage are trying to avoid a visit from Little Bobby Tables, change my mind.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
    SiliconStewNaphtaliDisruptedCapitalistOrcathatassemblyguy
  • LD50LD50 Registered User regular
    So uh, World of Warcraft doesn't differentiate between upper and lower case characters, so that's cool.

  • MugsleyMugsley DelawareRegistered User regular
    LD50 wrote: »
    So uh, World of Warcraft doesn't differentiate between upper and lower case characters, so that's cool.

    It has always been this way, unfortunately. The Authenticator app does add a layer of security.

    Shadowfire
  • EchoEcho ski-bap ba-dapModerator mod
    LD50 wrote: »
    So uh, World of Warcraft doesn't differentiate between upper and lower case characters, so that's cool.

    Oh, does it still silently cap the password length too? :rotate:

  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

    Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

    this is fine dot png

    VuIBhrs.png
    EchoDisruptedCapitalistIncenjucarMr_RoseOrcaShadowfireDrovekFremthatassemblyguyPhoenix-D
  • nexuscrawlernexuscrawler Registered User regular
    The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

    Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

    this is fine dot png

    Wonder what they'll do when MS drops support for SMS and Call MFA. they're talking about doing ti soon.

  • LD50LD50 Registered User regular
    The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

    Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

    this is fine dot png

    Wonder what they'll do when MS drops support for SMS and Call MFA. they're talking about doing ti soon.

    I wonder if they're even using azure for their MFA configuration.

  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    The really frustrating thing is that you can replace "World Of Warcraft" in this instance with the name of a number of major financial institutions, and it'll still be accurate.

    Oh yeah, and said financial institutions tend to exclusively go with SMS for 2FA solutions.

    this is fine dot png

    Wonder what they'll do when MS drops support for SMS and Call MFA. they're talking about doing ti soon.

    They used to support voice lines for MFA but got rid of it without telling anyone. I've had a few clients who lost access to their Microsoft accounts because the 2fa was linked to a landline phone so it couldn't send texts to the phone.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • FremFrem Registered User regular
    So, laptop fingerprint readers have a special encrypted protocol they’re supposed to use to communicate authentication information with Windows. It prevents an attacker from trivially spoofing the fingerprint reader. But using the encrypted protocol isn’t mandatory for some reason. So vendors aren’t turning it on. Vendors like Microsoft.

    https://arstechnica.com/gadgets/2023/11/researchers-beat-windows-hello-fingerprint-sensors-with-raspberry-pi-and-linux/

    IncenjucarDisruptedCapitalistMr_RosethatassemblyguyMugsleyDonnictonTrajan45
  • CarpyCarpy Registered User regular
    The dell attack portion of the write up is pretty interesting https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/

    Shadowfire
  • ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    Yep, gotta love that clear text communication!

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
    TetraNitroCubaneOrca
  • Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • SiliconStewSiliconStew Registered User regular
    edited November 2023
    Mr_Rose wrote: »
    Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

    There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

    SiliconStew on
    Just remember that half the people you meet are below average intelligence.
    ShadowfireLD50
  • nexuscrawlernexuscrawler Registered User regular
    Mr_Rose wrote: »
    Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

    There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

    So someone finds a lost or stolen machine and they can get access to your account? thats a massive security hole.

    thatassemblyguyFrem
  • SiliconStewSiliconStew Registered User regular
    Mr_Rose wrote: »
    Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

    There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

    So someone finds a lost or stolen machine and they can get access to your account? thats a massive security hole.

    Yes it is. But as a general rule if an attacker has physical access to your machine it will be compromised.

    Just remember that half the people you meet are below average intelligence.
    schussNaphtaliMvrck
  • schussschuss Registered User regular
    Mr_Rose wrote: »
    Especially Microsoft failing to even implement their own security method/policy. Sounds like you could develop a device with a slimline form factor that sits between their “Smart Cover” and the tablet, and has the same magnetic connector on both sides, to MitM and spoof the connection. The user might not even notice the extra slip of plastic.

    There's no reason to do that. The vulnerability allows an attacker with physical access to log in as a user account that already exists on the machine. They don't gain anything by surreptitiously MitM a legitimate user's usage. They'd get much more useful info out of such a hidden device that simply captured keystrokes.

    So someone finds a lost or stolen machine and they can get access to your account? thats a massive security hole.

    Anytime someone has physical access to a machine, it's just a matter of time until they're able to access the data. More security = longer time period and more complexity. This is why many organizations are switching to more zero trust frameworks with less data sitting on the edge (IE on the laptop), as in that scenario you've scored yourself a sweet laptop but no data or intrusion channels as it's flagged as invalid to access the network/accounts once reported stolen.

    ShadowfireTrajan45
  • nexuscrawlernexuscrawler Registered User regular
    There's still a significant difference between a unsecured thumbprint scanner and someone taking the time to crack full disk encryption.

    LD50Phoenix-D
  • DonnictonDonnicton Registered User regular
    Speaking of Microsoft, there are reports of the HP Smart App automatically installing on computers that access the Windows Store whether or not the computer is an HP.

    https://www.techspot.com/news/101024-hp-smart-app-mysteriously-appears-non-hp-windows.html
    Reports of the HP Smart app appearing in the new apps section of the Windows Start menu have been popping up on Reddit. "Checking the event log for the Microsoft Store shows that it installed earlier today, but I definitely did request or initiate it because I do not have any devices from HP," wrote one user. "No HP printers or other devices have been connected to my computer or network, ever."

    The HP Smart app allows users to manage HP printers and is usually installed on HP PCs. It's certainly not supposed to appear on PCs that aren't connected to an HP device such as a printer.

    While only some users are finding the app has mysteriously appeared, it seems to be automatically installing on all versions of Windows that use the Microsoft Store. Windows Latest reports that it auto-installed on a Lenovo Legion laptop running Windows 10 and on a virtual machine running Windows 11 using a different Microsoft account. Again, this was despite neither system ever being connected to an HP product.

    Microsoft has confirmed that it is aware of the reports of these automatic installations of the HP Smart app and will share more details soon. It's speculated that this could be an error linked to the Windows Update feature, though we won't know for certain until Microsoft confirms what's going on.

    The good news is that uninstalling the HP Smart app is as simple as removing any other application from Windows – this is still an official piece of software and not something shady. Nevertheless, it's another annoyance for users and has been worrying those who feared the app's appearance was related to a sinister event.

    Naphtali
  • MugsleyMugsley DelawareRegistered User regular
    HP pulling more HP bullshit

    Shadowfire
  • LD50LD50 Registered User regular
    Yeah, it showed up on my custom rig, and I don't have any HP printers.

    Naphtali
  • DonnictonDonnicton Registered User regular
    lmao so they figured out why it was happening.

    https://www.xda-developers.com/windows-update-bug-renaming-printers-m101-m106/
    A few days ago, we spotted that the HP Smart App was being installed on people's PCs without their consent. Even worse, the app would reappear if users tried to uninstall it or clean-installed Windows. Now, the cause has finally been identified: a recent Windows 10 and 11 update is renaming everyone's printers to "HP LaserJet M101-M106" regardless of what model it actually is.

    As reported on Windows Latest, the latest update for Windows 10 and 11 seems to think that people's printers are an HP LaserJet model, regardless of their actual brand. It's believed that the bug appeared after HP pushed its latest metadata to Windows Update, but something went awry in the code and caused other printers to be labeled as HP LaserJet printers.

    This explains why the HP Smart App has been sneaking onto people's computers without their consent. A key part of Windows Update is keeping third-party drivers and devices updated, including downloading any apps that the devices depend on. After the printer metadata incorrectly identified everyone's printers as HP LaserJet printers, Windows installed all the software needed for an HP printer to work smoothly, including the HP Smart App.

    Fortunately, the bug only affects the metadata for the printer. While the printer may show up with a different name on your system, you should still be able to send print jobs to it. Microsoft has since removed the fault metadata from Windows Update, so anyone performing a clean install from now on should get their original printer's name back and stop the HP Smart App from re-downloading.

    If you're not keen on performing a clean install just to reset a printer's name, Microsoft should be releasing an update in the future that corrects this problem.

    ShadowfirethatassemblyguyDrovekIanatorfurlionMugsleyFremzagdrob
  • SiliconStewSiliconStew Registered User regular
    Changing the model metadata on the built in Microsoft print to PDF printer explains why it was showing up on systems without any real printers installed, including clean installs.

    Just remember that half the people you meet are below average intelligence.
    furlion
  • Phoenix-DPhoenix-D Registered User regular
    CVEs for SSH? Oh this has the potential to be real chaos inducing

    https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

    Fortunately it's a little limited (required a man in the middle attack) but yeah that's not great

    Shadowfirethatassemblyguy
  • DisruptedCapitalistDisruptedCapitalist I swear! Registered User regular
    Mitm attacks are just the sort of thing governments can do... :/

    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
  • Trajan45Trajan45 Registered User regular
    Have any of the password managers makers added a 'phrase' option for their password generators? Sometimes I still have to type in manually and it might be nice if they could auto generate something like PlaceSymbolObjectSymbolColorNumber.

    Origin ID\ Steam ID: Warder45
  • Inquisitor77Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and timeRegistered User regular
    Trajan45 wrote: »
    Have any of the password managers makers added a 'phrase' option for their password generators? Sometimes I still have to type in manually and it might be nice if they could auto generate something like PlaceSymbolObjectSymbolColorNumber.

    1Password has a setting called "Memorable Password" that is similar.

    Trajan45Frem
  • OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    Strongbox (Keepass-DB-compatible iOS client) has passphrase generation

  • TomantaTomanta Registered User regular
    Bitwarden has one too, but every time I try to use it the site I'm creating a password for says "lol, no, try these obscure rules. Also use a symbol but not these symbols we picked at random".

    ShadowfireOrcaMr_RoseMugsleyThawmusCaedwyr
  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited January 10
    Today in examples of isolated but extremely "Excuse Me, What the Actual FUCK" security audit interactions.
    A security auditor for our servers has demanded the following within two weeks:
    • A list of current usernames and plain-text passwords for all user accounts on all servers
    • A list of all password changes for the past six months, again in plain-text
    • A list of "every file added to the server from remote devices" in the past six months
    • The public and private keys of any SSH keys
    • An email sent to him every time a user changes their password, containing the plain text password

    Wow. Wow.

    Knowing that people like this are out there auditing IT security really makes it clear why we have a new high-profile breach every other week.

    TetraNitroCubane on
    VuIBhrs.png
    OrcaEchoDizzenIanatorTrajan45Phoenix-DFremthatassemblyguyJazzPolaritieMvrck
  • DisruptedCapitalistDisruptedCapitalist I swear! Registered User regular
    edited January 10
    Also shows why its so hard to get a job in security. Companies don't want to spend the money on prevention, so instead they shell out the big bucks to elite disaster response firms every few years whenever they get caught with their pants down

    EDIT: can I also say I'm glad I put a freeze on my credit. There were at least five separate companies that notified me of breaches last year and I just got a notice from fucking Mr. Cooper yesterday that they fucked up too. (I haven't even had a loan with them in years but of course they still keep all my data just waiting to get stolen. Fuckers.)

    DisruptedCapitalist on
    "Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
    TetraNitroCubanethatassemblyguy
  • TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    Also shows why its so hard to get a job in security. Companies don't want to spend the money on prevention, so instead they shell out the big bucks to elite disaster response firms every few years whenever they get caught with their pants down

    For sure.

    It's been said before, but security is every company's lowest priority - until it very suddenly becomes their highest priority.

    VuIBhrs.png
    DisruptedCapitalist
  • BlazeFireBlazeFire Registered User regular
    Today in examples of isolated but extremely "Excuse Me, What the Actual FUCK" security audit interactions.
    A security auditor for our servers has demanded the following within two weeks:
    • A list of current usernames and plain-text passwords for all user accounts on all servers
    • A list of all password changes for the past six months, again in plain-text
    • A list of "every file added to the server from remote devices" in the past six months
    • The public and private keys of any SSH keys
    • An email sent to him every time a user changes their password, containing the plain text password

    Wow. Wow.

    Knowing that people like this are out there auditing IT security really makes it clear why we have a new high-profile breach every other week.

    Today but 12 years ago, based on the date?

  • NaphtaliNaphtali Hazy + Flow SeaRegistered User regular
    BlazeFire wrote: »
    Today in examples of isolated but extremely "Excuse Me, What the Actual FUCK" security audit interactions.
    A security auditor for our servers has demanded the following within two weeks:
    • A list of current usernames and plain-text passwords for all user accounts on all servers
    • A list of all password changes for the past six months, again in plain-text
    • A list of "every file added to the server from remote devices" in the past six months
    • The public and private keys of any SSH keys
    • An email sent to him every time a user changes their password, containing the plain text password

    Wow. Wow.

    Knowing that people like this are out there auditing IT security really makes it clear why we have a new high-profile breach every other week.

    Today but 12 years ago, based on the date?

    uh yeah, dude was talking about running red hat 5 servers. this is oooold

    Steam | Nintendo ID: Naphtali | Wish List
Sign In or Register to comment.