Author Topic: One password for everything  (Read 25067 times)

Offline avromie7

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Feb 2014
  • Posts: 8188
  • Total likes: 2713
  • DansDeals.com Hat Tips 6
    • View Profile
  • Location: Lakewood
Re: One password for everything
« Reply #40 on: January 08, 2015, 02:09:57 PM »
I wonder what people who type "u" instead of "you" do with all their free time.

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: One password for everything
« Reply #41 on: January 08, 2015, 02:30:11 PM »
In my hble understanding what these programs are doing are sotoring your passwords on your computer probably in a excel file...

do you think that chase.com  or ebay.com  or perpetualtalk.com or any other normal site out there has a ready to read database of everyones user-name and password

no they dont it's hashed with salt before it get's to them
« Last Edit: January 08, 2015, 02:35:09 PM by yesitsme »
["-"]

Offline BAHayman

  • Administrator
  • Dansdeals Lifetime Platinum Elite
  • **********
  • Join Date: Mar 2010
  • Posts: 1939
  • Total likes: 28
  • DansDeals.com Hat Tips 0
    • View Profile
Re: One password for everything
« Reply #42 on: January 08, 2015, 02:31:23 PM »
do you think that chase.com  or ebey.com  or perpetualtalk.com or any other normal site out there has a ready to read database of everyones user-name and password

no they dont it's hashed with salt before it get's to them
You would think so, but sadly that is not the case.

Offline dudi

  • Dansdeals Lifetime Platinum Elite
  • *******
  • Join Date: Nov 2013
  • Posts: 1621
  • Total likes: 5
  • DansDeals.com Hat Tips 10
    • View Profile
  • Programs: Star Alliance Gold, Skyteam Elite Plus
Re: One password for everything
« Reply #43 on: January 08, 2015, 02:38:40 PM »
do you think that chase.com  or ebay.com  or perpetualtalk.com or any other normal site out there has a ready to read database of everyones user-name and password

no they dont it's hashed with salt before it get's to them
I was talking more about computer based programs

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: One password for everything
« Reply #44 on: January 08, 2015, 02:39:05 PM »
You would think so, but sadly that is not the case.

you're reminding me of a website i once bumped into forgot username / password they send it to you in a E-mail, how professional.
["-"]

Offline noturbizniss

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2012
  • Posts: 7116
  • Total likes: 140
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
  • Location: North Jersey
Re: One password for everything
« Reply #45 on: January 08, 2015, 02:44:10 PM »
Except that a ton of websites wouldn't even let you use the horse password. Which is backwards of course, but whatever...
So you do the one with the substitutions and then add random words too.
READ THE DARN WIKI!!!!

Chuck Norris...
...can still do FT method
...READS THE WIKI!!!

Offline BAHayman

  • Administrator
  • Dansdeals Lifetime Platinum Elite
  • **********
  • Join Date: Mar 2010
  • Posts: 1939
  • Total likes: 28
  • DansDeals.com Hat Tips 0
    • View Profile
Re: One password for everything
« Reply #46 on: January 08, 2015, 02:45:30 PM »
you're reminding me of a website i once bumped into forgot username / password they send it to you in a E-mail, how professional.
A lot of websites still do that. Banks are horrible. Maybe they don't store the passwords in plaintext but most of them do strip out quite a bit of entropy by converting them to lowercase and/or only checking the first x number of characters.

Also, passwords aren't hashed client side and then sent, they are sent in plaintext and hashed server side to compare to the hash on file.

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: One password for everything
« Reply #47 on: January 08, 2015, 02:52:17 PM »
A lot of websites still do that. Banks are horrible. Maybe they don't store the passwords in plaintext but most of them do strip out quite a bit of entropy by converting them to lowercase and/or only checking the first x number of characters.

Also, passwords aren't hashed client side and then sent, they are sent in plaintext and hashed server side to compare to the hash on file.

  • Banks likely true with usernames not passwords
  • thats why ssl is important google is starting to enforce it by ranking ( also) by ssl
["-"]

Offline BAHayman

  • Administrator
  • Dansdeals Lifetime Platinum Elite
  • **********
  • Join Date: Mar 2010
  • Posts: 1939
  • Total likes: 28
  • DansDeals.com Hat Tips 0
    • View Profile
Re: One password for everything
« Reply #48 on: January 08, 2015, 02:57:47 PM »
  • Banks likely true with usernames not passwords
  • thats why ssl is important google is starting to enforce it by ranking ( also) by ssl
Chase allows the lowercase version of your password.
Schwab allows lowercase and you only need first 8 characters! A password like CorrectHorseBatteryStaple would only need to be entered as: correcth. And that's an upgrade! Until a couple of months ago you could authenticate by using the digits on the phone corresponding to the first 8 characters of your password!

Yes, SSL is definitely important for that reason.

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: One password for everything
« Reply #49 on: January 08, 2015, 03:04:13 PM »
Chase allows the lowercase version of your password.
Schwab allows lowercase and you only need first 8 characters! A password like CorrectHorseBatteryStaple would only need to be entered as: correcth. And that's an upgrade! Until a couple of months ago you could authenticate by using the digits on the phone corresponding to the first 8 characters of your password!

Yes, SSL is definitely important for that reason.

Wow! shocking i just logged in chase.com upper=lower & lower=upper ===> login successful

At least they do double verification the 1st time you login from specific device/browser
["-"]

Offline an613

  • Dansdeals Platinum Elite
  • ****
  • Join Date: Apr 2010
  • Posts: 319
  • Total likes: 2
  • DansDeals.com Hat Tips 1
    • View Profile
Re: One password for everything
« Reply #50 on: January 08, 2015, 03:11:52 PM »

Yes, SSL is definitely important for that reason.

Definitely a step up but also not entirely safe. I'm no hacker but I was easily able to intercept traffic over SSL and view username/password in clear text between my phone and at least 4 different major financial institutions. It made my life easier cause I was able to reverse their apis but drives home the importance of having different passwords for different services.

Offline BAHayman

  • Administrator
  • Dansdeals Lifetime Platinum Elite
  • **********
  • Join Date: Mar 2010
  • Posts: 1939
  • Total likes: 28
  • DansDeals.com Hat Tips 0
    • View Profile
Re: One password for everything
« Reply #51 on: January 08, 2015, 03:23:34 PM »
Definitely a step up but also not entirely safe. I'm no hacker but I was easily able to intercept traffic over SSL and view username/password in clear text between my phone and at least 4 different major financial institutions. It made my life easier cause I was able to reverse their apis but drives home the importance of having different passwords for different services.
That's because they didn't implement it correctly. They should use certificate pinning to prevent MITM even when you have the ability to add certificates to the trust root.

Offline AnonymousUser

  • Dansdeals Presidential Platinum Elite
  • ********
  • Join Date: Feb 2013
  • Posts: 3001
  • Total likes: 13
  • DansDeals.com Hat Tips 0
    • View Profile
Re: One password for everything
« Reply #52 on: January 08, 2015, 03:28:55 PM »
I was talking more about computer based programs
Those use encryption too.

Offline BAHayman

  • Administrator
  • Dansdeals Lifetime Platinum Elite
  • **********
  • Join Date: Mar 2010
  • Posts: 1939
  • Total likes: 28
  • DansDeals.com Hat Tips 0
    • View Profile
Re: One password for everything
« Reply #53 on: January 08, 2015, 03:29:09 PM »
Getting back on topic, a password manager is a necessity these days. I personally use and trust LastPass. The password file is encrypted and decrypted locally using a key derived from your master password.

Also, enable 2 factor authentication for all services that offer it. (Google, LastPass, Dropbox, etc.)

Can't understand why Banks don't support it :(

Offline yesitsme

  • Dansdeals Lifetime Presidential Platinum Elite
  • *********
  • Join Date: Dec 2014
  • Posts: 5020
  • Total likes: 2237
  • DansDeals.com Hat Tips 4
  • Gender: Male
    • View Profile
Re: One password for everything
« Reply #54 on: January 08, 2015, 03:35:59 PM »
i told someone the story i had today

TIP
if you ever get a email with a link to sign in dont click the link just enter it manually in the browser
Today my friends email was hacked, i received the following:

"Hello,

View the documents i have attached for you using Drop Box. Please let me know your opinion.

Click here to view http//dropbox .com/login/documents log on with your email for immediate access to view.

Regards,"

the link was actually sending me to http://www .deltagroup .com .my/deltagroup/images/les/fox/dropbox/index .php

it looks just like dropbox when you submit the redirect you to dropbox.com after they got all your info (i spaced the link it shouldn't be accessible )

looks like the domain name is .com and deltagroup is the sub domain interesting

and that's why 2 step ver' is important he tells me "i didn't know what it is i was afraid google will hack into my phone"
["-"]

Offline BAHayman

  • Administrator
  • Dansdeals Lifetime Platinum Elite
  • **********
  • Join Date: Mar 2010
  • Posts: 1939
  • Total likes: 28
  • DansDeals.com Hat Tips 0
    • View Profile
Re: One password for everything
« Reply #55 on: January 08, 2015, 03:41:38 PM »
i told someone the story i had today

TIP
if you ever get a email with a link to sign in dont click the link just enter it manually in the browser
Today my friends email was hacked, i received the following:

"Hello,

View the documents i have attached for you using Drop Box. Please let me know your opinion.

Click here to view http//dropbox .com/login/documents log on with your email for immediate access to view.

Regards,"

the link was actually sending me to http://www .deltagroup .com .my/deltagroup/images/les/fox/dropbox/index .php

it looks just like dropbox when you submit the redirect you to dropbox.com after they got all your info (i spaced the link it shouldn't be accessible )

looks like the domain name is .com and deltagroup is the sub domain interesting

and that's why 2 step ver' is important he tells me "i didn't know what it is i was afraid google will hack into my phone"
.my is the ccTLD for Malaysia and allows registration under certain second level domains such as com.my. So the domain name is really deltagroup.com.my.

Offline etech0

  • Dansdeals Lifetime 10K Presidential Platinum Elite
  • *******
  • Join Date: Dec 2013
  • Posts: 12863
  • Total likes: 3321
  • DansDeals.com Hat Tips 1
    • View Profile
  • Location: not lakewood
  • Programs: DDF
Workflowy. You won't know what you're missing until you try it.

Offline belighted

  • Dansdeals Gold Elite
  • ***
  • Join Date: Mar 2014
  • Posts: 192
  • Total likes: 0
  • DansDeals.com Hat Tips 0
  • Gender: Male
    • View Profile
  • Location: Monsey NY
Re: One password for everything
« Reply #57 on: January 13, 2015, 01:33:44 PM »
I've been using kepass for the last little while and I'm really happy with it ➕ I have it synced with my phone through drop box

Offline etech0

  • Dansdeals Lifetime 10K Presidential Platinum Elite
  • *******
  • Join Date: Dec 2013
  • Posts: 12863
  • Total likes: 3321
  • DansDeals.com Hat Tips 1
    • View Profile
  • Location: not lakewood
  • Programs: DDF
Re: One password for everything
« Reply #58 on: January 13, 2015, 01:34:31 PM »
I've been using kepass for the last little while and I'm really happy with it ➕ I have it synced with my phone through drop box
A maila of keypass is that AFAIK nothing is stored on their servers - only on your computer (or usb drive or whatever you sync it to, manually). That makes it a good choice for people who are afraid of the internet.
Workflowy. You won't know what you're missing until you try it.

Offline eAge

  • Dansdeals Platinum Elite
  • ****
  • Join Date: Dec 2014
  • Posts: 276
  • Total likes: 0
  • DansDeals.com Hat Tips 0
    • View Profile
  • Location: Brooklyn
Re: One password for everything
« Reply #59 on: January 13, 2015, 07:45:49 PM »

I don't know for sure, but I assume that the passwords are stored online in an encrypted form. They probably don't even have the decryption key; it can only be unlocked by your master password.
+1