__SKYe wrote:
6t8k wrote:
Of course there is something that can be done -- for starters, users should use strong passwords and programmers/sysadmins should use best practices for password storage and security in general. This is their job.
No disagreement here. My comment was only in regard to what the user can control -- their password -- and with the assumption that it would have no involvement on what led to the breach.
It may lead a bit off-topic now, but for completeness' sake: even as a user you can do a lot. It's unfortunately not a matter of course that training + management are always going to sustain a standard you'd be happy with in that regard (two emblematic examples: [1] [2]).
As a user you have to demand security too, instead of putting up with everything. You have leverage this way, because users/customers being about to leave is naturally one of the things companies listen to the most.
Generally speaking, if society didn't demand it, that would basically amount to a carte blanche to wreak havoc.
One also shouldn't dismiss that there are many consumer protection / civil rights organizations / NGOs whose potential is not to be underestimated, and there's the option of supporting them. Sometimes these can celebrate large successes, but even if they don't, they help in an indirect way simply by being there, applying pressure and acting as a corrective.
There are enough questionable developments, like companies simply pricing in the expected cost of data breaches (fines they have to pay to authorities + expenses for internal clean-up, partially even including loss of public image) instead of actually addressing the causes, which is only possible due to corresponding societal/political incentives, or states hoarding vulnerabilities because they want to use them to surveil individuals or to "hack back" other states. But as I don't want to go completely off-topic, let me just point to one example that's not only relevant to the topic but also current:
For example, in Germany, there was just a proposal by the ministry of justice for a law amendment to obligate online service providers to hand over users' passwords as part of a request for information for the purpose of criminal prosecution. As per that amendment, no court order shall be necessary and the affected user shall not be informed by the service provider. This is quite bold for the reason alone that storing passwords in plaintext would be illegal under existing law, and it counters many recent achievements that went in the opposite direction in Europe, for example the due diligence established by the GDPR, among other things. It was even said explicitly that online password managers would be included.
__SKYe wrote:
All I've written before, about using chained words as passwords (I'll henceforth simply refer to them as longword passwords [ed.: passphrase is the established term]) hinges on the idea that if someone is going to do it then they will do it right. Just because most people botch the process of choosing them (ie. using common words/phrases/lyrics/names/places, using leet speak substitutions, etc.) doesn't mean it can't be done right. [...] I have always had the informed user in mind and if I've left anyone with the idea that I meant otherwise, I apologise.
It's always nice seeing individual people manage to do their homework and find solutions that work for them. In all seriousness though, I'd question the value of an approach if it's that hard to get right.
In light of that, I can't unconditionally recommend your passage about constructing/transforming a passphrase out of public info surrounding the site the password is for, even when not using a password manager.
__SKYe wrote:
Let it be noted that I believe that good longword passwords are not vulnerable to even offline cracking; not anytime soon anyway.
A tautology: they wouldn't be good if they didn't resist offline attacks.

Bassa-Bassa wrote:
The problem with something like KeePass is that you can't log in if you're not on your PC where the app is, can you? You're tied to it for everything once you start using it. Cloud storage will never be an alternative for many people.
KeePass is on smartphones/tablets with multiple variants for Android and iOS; there's a non-exhaustive list here. I wouldn't say you're locked in, you can migrate to virtually any other manager by exporting CSV/XML from KeePass.
KeePass(XC) stores everything locally, so you have to take care of synchronization yourself if you need it. You could simply copy the file to all your devices after changing passwords, but depending on how many devices you need them on and how often you change passwords, that may not be a viable option. There are other managers that come with cloud storage and can do the synchronization for you automatically.
Having backups is important; HDDs/SSDs can fail prematurely. When you have your password database file on multiple devices you may be fine, but you could also go the cloud storage route, which is fine since the file is encrypted (although they'll probably learn your activity profile this way from when you log in), and it may simplify synchronization at the same time.
If you're a little more enterprising you can replace the mentions of cloud storage above with self-hosted storage.
ulti wrote:
I did the whole "forgotten password" email thing and something stood out to me. Instead of giving you a link to enter a new password yourself, the email gives you a link to activate a password that it gives to you.
Passwords being sent through email is already really not a good idea, but the fact that it's possible in this case means there's a possibility that the passwords for this forum are stored in plain text. Are any admins able to confirm this not being the case? I would be happy to be proven wrong.
I very much doubt it. I don't know exactly which version of phpBB is running here, but 3.1 and 3.2 hash the password using bcrypt/blowfish by default, which is not the best, but serviceable. 3.3 can use Argon2 if the PHP it's running on supports it, which is really nice.
If it's 3.0 though, then it's not outright stored in plaintext, yet it's still pretty catastrophic. I sincerely hope we're not running 3.0; that version has not received updates since Nov 2015.
As for the password being sent to you, that's no witchcraft at all and doesn't require it being stored in plain text! The new password is generated, then the email is sent, then the password is hashed, and then the hash is written over the old one whose corresponding password you forgot.
@ZellSF: I think we agree here

Though when using a password manager, I can imagine people who aren't familiar with the concept just typing in and saving a self-invented password instead of clicking the generate button.
So it's still important that they indeed use long and random passwords, otherwise they waste a main benefit.
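To make the "generate, email, hash, overwrite" reset flow from the post above concrete, here is an added example that is not code from the thread or from phpBB. It is a toy forum backend: an in-memory user table and a simulated outbox stand in for the database and the mail server, and the standard library's scrypt stands in for the bcrypt/Argon2 that phpBB uses (an assumption made so it runs without extra packages; the structure of the flow is the same). It also shows the generate-a-random-password step the last paragraph recommends for password-manager users, using the `secrets` module.

```python
import hashlib
import os
import secrets
import string

# Constructed in-memory stand-ins (not real phpBB structures):
# USERS maps username -> {"salt": bytes, "hash": bytes}; OUTBOX records
# every "email" the reset handler would send, as (recipient, body).
USERS = {}
OUTBOX = []

PASSWORD_ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LENGTH = 16


def hash_password(password, salt=None):
    """Salted, memory-hard hash. scrypt (stdlib) is used here as a stand-in
    for bcrypt/Argon2; the point is that only salt + digest get stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    # Recompute with the stored salt; constant-time compare of the digests.
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def register(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def generate_password(length=TEMP_PASSWORD_LENGTH):
    """Random password from a CSPRNG, the equivalent of a manager's 'generate'."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def reset_password(username):
    """The forgotten-password flow discussed in the thread, in order:
    1. generate a fresh password, 2. send it by email, 3. hash it,
    4. overwrite the old hash. The plaintext exists only in memory here
    and in the outgoing mail; the stored record never contains it."""
    if username not in USERS:
        return None
    new_password = generate_password()                       # 1
    OUTBOX.append((username, "Your new password is: " + new_password))  # 2
    salt, digest = hash_password(new_password)               # 3
    USERS[username] = {"salt": salt, "hash": digest}         # 4
    return new_password


def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash a dummy value anyway so unknown users cost the same time as
        # known ones (avoids a trivial username-enumeration timing oracle).
        hash_password(password, b"\x00" * 16)
        return False
    return verify_password(password, record["salt"], record["hash"])


def plaintext_is_stored(password):
    """Check a practitioner would want: does the plaintext appear anywhere
    in the stored record? For a hashed store the answer must be False."""
    needle = password.encode("utf-8")
    return any(needle in rec["salt"] or needle in rec["hash"]
               for rec in USERS.values())


if __name__ == "__main__":
    register("ulti", "old-and-forgotten")
    temp = reset_password("ulti")
    print("mail sent:", OUTBOX[-1])
    print("old password still works:", login("ulti", "old-and-forgotten"))
    print("emailed password works:", login("ulti", temp))
    print("plaintext in the store:", plaintext_is_stored(temp))
```

Sending the password in clear over email is still the weak link the questioner pointed at; the example only shows that doing so does not imply plaintext storage, since the hash is derived after the mail is composed and the old hash is simply replaced.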