Password Manager - Stranica 5

xlr · 25.01.2023., 17:30

Ako su iste kao onda - svakako bih promjenio.

The Exiled · 28.02.2023., 11:10

Friški nastavak LastPass sage ...

Citiraj:

The company has now disclosed how the threat actors performed this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer. As only four LastPass DevOps engineers had access to these decryption keys, the threat actor targeted one of the engineers. Ultimately, the hackers successfully installed a keylogger on the employee's device by exploiting a remote code execution vulnerability in a third-party media software package. As part of today's disclosure, LastPass has released more detailed information on what customer information was stolen in the attack. Depending on the particular customer, this data is wide and varied, ranging from Multifactor Authentication (MFA) seeds, MFA API integration secrets, and to Split knowledge component (“K2”) Key for Federated business customers.

Ukratko, pokradeno im je sve moguće.

Dottore · 28.02.2023., 11:25

Ja sam otišao od 10mj i još nisam imao problema.

Neo-ST · 17.05.2023., 14:11

Keepass vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2023-32784

The Exiled · 17.05.2023., 19:24

Citiraj:

For the PoC tool to work, you need the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or a RAM dump of the entire system.
It has been fixed in the test versions of KeePass v2.54 – the official release is expected by July 2023.
KeepassXC – a fork of KeePassX, which is a cross-platform port of KeePass – is not affected.

Neo-ST · 23.05.2023., 13:14

Opet Keepass? https://twitter.com/ghidraninja/stat...60231111598080

The Exiled · 23.05.2023., 13:37

Nema veze s KeePassom, ovo je neki/nečiji iOS KeePass, dok je ovdje popis pravih službenih iOS aplikacija.

Night · 24.05.2023., 09:31

Citiraj:

Autor Neo-ST

Keepass vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2023-32784

Najnezgodniji dio je ovo što navodno može ostaviti plaintext password u pagefile.sys, još jedna preporuka za koristiti full-disk encryption.
Probao sam runati PoC kod na jednom pagefile.sys dumpu sa kompa koji ima KeePass ali nije mi ništa izbacio, memory dump još nisam testirao.
Autoru kao da se baš ne žuri sa ispravkom ovog dosta ozbiljnog propusta.

The Exiled · 03.06.2023., 20:27

KeePass 2.54 released

Citiraj:

New Features:

Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.
Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file.
Export confirmation dialog banners now have a yellow-orange background.
In export confirmation dialogs, the text of the 'OK' button is now changed to 'Confirm Export'.
In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar.
The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated.
The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered.
Single line edit dialogs now support hiding the value using asterisks.
On Unix-like systems, commands that require elevation now have a shield icon (like on Windows).
TrlUtil: added 'Move Selected Unused Text to Dialog Control' command.

Citiraj:

Improvements:

Improved process memory protection of secure edit controls.
The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default.
The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog).
When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used).
Improved UI update performance in the password generator dialog.
Improved and renamed dialog banner styles.
The separator line of light dialog banners is gray now.
Improved serialization/deserialization of custom configuration settings (used by plugins).
Improved reporting of unknown database header fields.
On Unix-like systems, the clipboard workarounds are now disabled by default (they are not needed anymore on most systems).
Improved clipboard clearing on Unix-like systems.
Improved starting of an elevated process on Unix-like systems.
TrlUtil: improved keyboard shortcut assignment and toolbar construction.
Installer: the desktop shortcut is now created for all users (if the option 'Create a desktop shortcut' is activated).
Installer: removed the Quick Launch shortcut option.
Upgraded installer.
Various UI text improvements.
Various code optimizations.
Minor other improvements.

kreso75 · 04.06.2023., 09:50

Citiraj:

Autor The Exiled

KeePass 2.54 released

Jesu ispravili sigurnosni propust da se može doći do master passworda na Windowsima?
Iz opisa na "New features" i "Imporvements" mi se ne čini da su to naveli...

The Exiled · 04.06.2023., 12:20

Da, popravljeno (1 - 2) je i to nekih dva mjeseca prije od planiranog.

Citiraj:

The vulnerability was assigned CVE-2023-32784 and fixed in KeePass 2.54. Thanks again to Dominik Reichl for his fast response and creative fix!

Citiraj:

EDIT:

Citiraj:

Users of KeePass 1.x, Strongbox, or KeePassXC are not impacted by CVE-2023-32784 and, thus, do not need to migrate to a newer release. To fix the vulnerability, KeePass is now using a Windows API to set or retrieve data from text boxes, preventing the creation of managed strings that can potentially be dumped from memory. Reichl also introduced "dummy strings" with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password. KeePass 2.54 also introduces other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which provides additional security from attacks that modify the KeePass configuration file.

Izvor: BleepingComputer

The Exiled · 24.06.2023., 20:25

LastPass users furious after being locked out due to MFA resets

Citiraj:

LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps. The company first announced that users might need to log back into their LastPass account and reset their multifactor authentication preference due to planned security upgrades on May 9. However, since then, numerous users have been locked out of their accounts and unable to access their LastPass vault, even after successfully resetting their MFA applications (e.g., LastPass Authenticator, Microsoft Authenticator, Google Authenticator). Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator. LastPass says the MFA resets were announced via in-app messages for "several weeks" before the initial announcement.

Izvor: BleepingComputer

Night · 26.06.2023., 11:31

Nakon što su im procurili master kodovi sa developerovog Plexa jer je valjda normalna stvar koristiti istu mašinu za pornjavu i za master keyeve ... onaj tko je ostao na LastPassu je teška klasa Optimist

The Exiled · 07.09.2023., 17:09

Citiraj:

Experts fear crooks are cracking keys stolen in LastPass breach

Citiraj:

Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people, Collectively, these individuals have been robbed of more than $35 million worth of crypto. Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments. Armed with your secret seed phrase, anyone can instantly access all of the cryptocurrency holdings tied to that cryptographic key, and move the funds to anywhere they like.

LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach. LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it. But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.

Izvor: Krebs on Security

The Exiled · 24.10.2023., 14:20

Citiraj:

1Password discloses security incident linked to Okta breach

Citiraj:

1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant. On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials. In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee. According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools. This HAR file contains the same Okta authentication session used to gain unauthorized access to the Okta administrative portal. However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs do not show that the IT employee's HAR file was accessed until after 1Password’s security incident. 1Password states that they have since rotated all of the IT employee's credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.

Izvor: BleepingComputer

tintin · 13.02.2024., 10:54

Ima koji lokalni password manager da je ok i da se može instalirati kao docker container?
Maknuo bi se konačno od LastPassa...

RainZG · 13.02.2024., 11:01

keeweb
pwm
passbolt

to je ono za kaj ja znam
da li su OK ili ne ovisi o tome sto ti treba.
Ja sam vec godinama na Dashlaneu, placam godisnju pretplatu za njega i zadovoljan sam

The Exiled · 13.02.2024., 11:25

Citiraj:

Autor tintin

25.01.2023., 17:30	#121
xlr 49%winner Moj komp Datum registracije: Sep 2007 Lokacija: PU Postovi: 8,789	Ako su iste kao onda - svakako bih promjenio. __________________ ♕ Keep calm and fastboot oem unlock. ♕

28.02.2023., 11:25	#123
Dottore Extrema Thule Moj komp Datum registracije: Feb 2005 Lokacija: 「 ✖ ✖ ✖ 」 Postovi: 7,316	Ja sam otišao od 10mj i još nisam imao problema. __________________

23.05.2023., 13:37	#127
The Exiled McG Moj komp Datum registracije: Feb 2014 Lokacija: Varaždin Postovi: 6,772	Nema veze s KeePassom, ovo je neki/nečiji iOS KeePass, dok je ovdje popis pravih službenih iOS aplikacija. __________________ AMD Ryzen 7 Pro 4750G + Vega iGPU \| be quiet! Pure Rock 2 Black \| MSI B450 Tomahawk Max II \| 32GB G.Skill DDR4-2666 Value \| 256GB AData SX8200 Pro NVMe \| 2x4TB WD Red Plus \| Fractal Define 7 Compact \| Corsair CX450M

13.02.2024., 11:01	#137
RainZG Premium Moj komp Datum registracije: Jan 2008 Lokacija: Zagreb Postovi: 526	keeweb pwm passbolt to je ono za kaj ja znam da li su OK ili ne ovisi o tome sto ti treba. Ja sam vec godinama na Dashlaneu, placam godisnju pretplatu za njega i zadovoljan sam Zadnje izmijenjeno od: RainZG. 13.02.2024. u 11:18.

17.05.2023., 14:11	#124
Neo-ST Buying Bitcoin Moj komp Datum registracije: Feb 2007 Lokacija: Croatia Postovi: 7,976	Keepass vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-32784

23.05.2023., 13:14	#126
Neo-ST Buying Bitcoin Moj komp Datum registracije: Feb 2007 Lokacija: Croatia Postovi: 7,976	Opet Keepass? https://twitter.com/ghidraninja/stat...60231111598080

26.06.2023., 11:31	#133
Night Premium Datum registracije: Oct 2008 Lokacija: Dbk Postovi: 989	Nakon što su im procurili master kodovi sa developerovog Plexa jer je valjda normalna stvar koristiti istu mašinu za pornjavu i za master keyeve ... onaj tko je ostao na LastPassu je teška klasa Optimist

13.02.2024., 10:54	#136
tintin Premium Moj komp Datum registracije: Aug 2007 Lokacija: negdje Postovi: 1,693	Ima koji lokalni password manager da je ok i da se može instalirati kao docker container? Maknuo bi se konačno od LastPassa...