PC Ekspert Forum
Stranica 4 od 5 123 4 5
Show 40 post(s) from this thread on one page

PC Ekspert Forum (https://forum.pcekspert.com/index.php)
-   Aplikacije (https://forum.pcekspert.com/forumdisplay.php?f=37)
-   -   Password Manager (https://forum.pcekspert.com/showthread.php?t=216268)

xlr 25.01.2023. 17:30
Ako su iste kao onda - svakako bih promjenio.

The Exiled 28.02.2023. 11:10
Friški nastavak LastPass sage ...
Citiraj:
Citiraj:
The company has now disclosed how the threat actors performed this attack, stating that they used information stolen in an August breach, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer. As only four LastPass DevOps engineers had access to these decryption keys, the threat actor targeted one of the engineers. Ultimately, the hackers successfully installed a keylogger on the employee's device by exploiting a remote code execution vulnerability in a third-party media software package. As part of today's disclosure, LastPass has released more detailed information on what customer information was stolen in the attack. Depending on the particular customer, this data is wide and varied, ranging from Multifactor Authentication (MFA) seeds, MFA API integration secrets, and to Split knowledge component (“K2”) Key for Federated business customers.
Ukratko, pokradeno im je sve moguće.:hitthewal::stoopid:

Dottore 28.02.2023. 11:25
Ja sam otišao od 10mj i još nisam imao problema.

Neo-ST 17.05.2023. 14:11
Keepass vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2023-32784

The Exiled 17.05.2023. 19:24
Citiraj:
  • For the PoC tool to work, you need the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or a RAM dump of the entire system.

  • It has been fixed in the test versions of KeePass v2.54 – the official release is expected by July 2023.

  • KeepassXC – a fork of KeePassX, which is a cross-platform port of KeePass – is not affected.
:chears::frend:

Neo-ST 23.05.2023. 13:14
Opet Keepass? https://twitter.com/ghidraninja/stat...60231111598080

The Exiled 23.05.2023. 13:37
Nema veze s KeePassom, ovo je neki/nečiji iOS KeePass, dok je ovdje popis pravih službenih iOS aplikacija.

Night 24.05.2023. 09:31
Citiraj:
Autor Neo-ST (Post 3676562)

Najnezgodniji dio je ovo što navodno može ostaviti plaintext password u pagefile.sys, još jedna preporuka za koristiti full-disk encryption.
Probao sam runati PoC kod na jednom pagefile.sys dumpu sa kompa koji ima KeePass ali nije mi ništa izbacio, memory dump još nisam testirao.
Autoru kao da se baš ne žuri sa ispravkom ovog dosta ozbiljnog propusta.

The Exiled 03.06.2023. 20:27
KeePass 2.54 released:frend:
Citiraj:
New Features:
  • Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.
  • Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file.
  • Export confirmation dialog banners now have a yellow-orange background.
  • In export confirmation dialogs, the text of the 'OK' button is now changed to 'Confirm Export'.
  • In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar.
  • The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated.
  • The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered.
  • Single line edit dialogs now support hiding the value using asterisks.
  • On Unix-like systems, commands that require elevation now have a shield icon (like on Windows).
  • TrlUtil: added 'Move Selected Unused Text to Dialog Control' command.
Citiraj:
Improvements:
  • Improved process memory protection of secure edit controls.
  • The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default.
  • The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog).
  • When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used).
  • Improved UI update performance in the password generator dialog.
  • Improved and renamed dialog banner styles.
  • The separator line of light dialog banners is gray now.
  • Improved serialization/deserialization of custom configuration settings (used by plugins).
  • Improved reporting of unknown database header fields.
  • On Unix-like systems, the clipboard workarounds are now disabled by default (they are not needed anymore on most systems).
  • Improved clipboard clearing on Unix-like systems.
  • Improved starting of an elevated process on Unix-like systems.
  • TrlUtil: improved keyboard shortcut assignment and toolbar construction.
  • Installer: the desktop shortcut is now created for all users (if the option 'Create a desktop shortcut' is activated).
  • Installer: removed the Quick Launch shortcut option.
  • Upgraded installer.
  • Various UI text improvements.
  • Various code optimizations.
  • Minor other improvements.

kreso75 04.06.2023. 09:50
Citiraj:
Autor The Exiled (Post 3679733)

Jesu ispravili sigurnosni propust da se može doći do master passworda na Windowsima?
Iz opisa na "New features" i "Imporvements" mi se ne čini da su to naveli...

The Exiled 04.06.2023. 12:20
Da, popravljeno (1 - 2) je i to nekih dva mjeseca prije od planiranog.:)
Citiraj:
The vulnerability was assigned CVE-2023-32784 and fixed in KeePass 2.54. Thanks again to Dominik Reichl for his fast response and creative fix!
Citiraj:
EDIT:
Citiraj:
Users of KeePass 1.x, Strongbox, or KeePassXC are not impacted by CVE-2023-32784 and, thus, do not need to migrate to a newer release. To fix the vulnerability, KeePass is now using a Windows API to set or retrieve data from text boxes, preventing the creation of managed strings that can potentially be dumped from memory. Reichl also introduced "dummy strings" with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password. KeePass 2.54 also introduces other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which provides additional security from attacks that modify the KeePass configuration file.
Izvor: BleepingComputer

The Exiled 24.06.2023. 20:25
LastPass users furious after being locked out due to MFA resets:kafa:
Citiraj:
LastPass password manager users have been experiencing significant login issues starting early May after being prompted to reset their authenticator apps. The company first announced that users might need to log back into their LastPass account and reset their multifactor authentication preference due to planned security upgrades on May 9. However, since then, numerous users have been locked out of their accounts and unable to access their LastPass vault, even after successfully resetting their MFA applications (e.g., LastPass Authenticator, Microsoft Authenticator, Google Authenticator). Compounding the problem, affected customers cannot seek assistance from support since reaching out to LastPass support requires logging into their accounts which they can't do because they're locked in an infinite loop of being prompted to reset their MFA authenticator. LastPass says the MFA resets were announced via in-app messages for "several weeks" before the initial announcement.​
Izvor: BleepingComputer

Night 26.06.2023. 11:31
Nakon što su im procurili master kodovi sa developerovog Plexa jer je valjda normalna stvar koristiti istu mašinu za pornjavu i za master keyeve ... onaj tko je ostao na LastPassu je teška klasa Optimist :)

The Exiled 07.09.2023. 17:09
Citiraj:
Experts fear crooks are cracking keys stolen in LastPass breach:kafa:
Citiraj:
Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people, Collectively, these individuals have been robbed of more than $35 million worth of crypto. Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments. Armed with your secret seed phrase, anyone can instantly access all of the cryptocurrency holdings tied to that cryptographic key, and move the funds to anywhere they like.

LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach. LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it. But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.
Izvor: Krebs on Security

The Exiled 24.10.2023. 14:20
Citiraj:
1Password discloses security incident linked to Okta breach:kafa:
Citiraj:
1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant. On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials. In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee. According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools. This HAR file contains the same Okta authentication session used to gain unauthorized access to the Okta administrative portal. However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs do not show that the IT employee's HAR file was accessed until after 1Password’s security incident. 1Password states that they have since rotated all of the IT employee's credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.
Izvor: BleepingComputer

tintin 13.02.2024. 10:54
Ima koji lokalni password manager da je ok i da se može instalirati kao docker container?
Maknuo bi se konačno od LastPassa...

RainZG 13.02.2024. 11:01
keeweb
pwm
passbolt

to je ono za kaj ja znam
da li su OK ili ne ovisi o tome sto ti treba.
Ja sam vec godinama na Dashlaneu, placam godisnju pretplatu za njega i zadovoljan sam

The Exiled 13.02.2024. 11:25
Citiraj:
Autor tintin (Post 3728294)
Ima koji lokalni password manager da je ok i da se
Bitwarden.:)

xlr 13.02.2024. 11:36
Citiraj:
Autor The Exiled (Post 3728297)
Bitwarden.:)
Preporucio bih Vaultwarden, jer Bitwarden je malo tlaka setupirati na svom hardveru. Trosi vise resursa i odrzavanje je kompliciranije. Ovaj spomenuti koristim godinama i nema greske. Ako uz to rijesis i backup (enkriptirani, da ne bi bilo), onda bi trebao biti miran godinama:

https://github.com/dani-garcia/vaultwarden
https://github.com/Bruceforce/vaultwarden-backup

Za selfhosted Bitwarden ti treba domena sa validnim certifikatom. Mozda se moze sloziti domena samo lokalno, kroz kucni dns resolver (npr. pihole), bez izlaganja Bitwardena prema netu, ali svakako treba pravi certifikat, ne self-signed/staging certifikat.

kvaju 13.02.2024. 15:28
Citiraj:
Autor tintin (Post 3728294)
Ima koji lokalni password manager da je ok i da se može instalirati kao docker container?
Maknuo bi se konačno od LastPassa...

Radi to već danas, i pobriši sve s lastpassa ako već nisi, čitam po tw da dosta korisnika ima problema da su im leak passwordi sa njega.

Ja šta bi uradio, prvo promjenio masterpassword na lastpass, i onda ga izbrisao i sve s njega.

Preporuka za Bitwarden.


Sent from my iPhone using Tapatalk Pro

kvaju 13.02.2024. 17:45
Citiraj:
Autor kvaju (Post 3728348)
Radi to već danas, i pobriši sve s lastpassa ako već nisi, čitam po tw da dosta korisnika ima problema da su im leak passwordi sa njega.

https://x.com/neerajka/status/1753160121687888168?s=46


Ja šta bi uradio, prvo promjenio masterpassword na lastpass, i onda ga izbrisao i sve s njega.

Preporuka za Bitwarden.


Sent from my iPhone using Tapatalk Pro

Sent from my iPhone using Tapatalk Pro

medo 13.02.2024. 19:12
KeePass

domy_os 13.02.2024. 20:02
Bitwarden ima očajno loš UX pa tako:

- autofill često ne radi
- često se sam odjavi
- svako malo baca na vrh liste dok se nešto editira
- history praktički ne postoji, ni u organizaciji
- izvedba foldera koma
- prebacivanje unosa u/iz organizacije ne postoji
- loš exclusion u kojem treba tipkati full app name
- autoupdate sam jedva "ubio" na PC-u
- šećer na kraju, 2FA trebaš platiti 10 eura godišnje

Nakon više od godinu dana korištenja Bitwardena i dalje poželim KeePassov UI i funkcionalnost. Zbog posla sam prešao na cloud, što je, tu je.

xlr 13.02.2024. 21:49
Da ne bi bilo zabune, 2FA login u Bitwarden account je free. Podrska za 2FA (TOTP) za sve one accounte cije passworde cuvate u Bitwardenu - se placa.

Za 2FA mi ne Aegis jos uvijek bog i batina.

Autofill je musicav na Androidu, ali ne znam je li to kriv BW, Android ili aplikacija. Na kompu koristim browser ekstenziju i tu nema greske.

Web UI uopce ne palim. Jednom sam poslagao foldere, par puta godisnje updejtam to i uredim liste, so far so good. Koristimo ga samo zena i ja (selfhosted s dva profila).

d0X 13.02.2024. 22:58
Citiraj:
Autor xlr (Post 3728418)
Autofill je musicav na Androidu, ali ne znam je li to kriv BW, Android ili aplikacija. Na kompu koristim browser ekstenziju i tu nema greske.
Možeš probati "Use accessibility" i "Use draw-over" pod "Auto-fill" u BW-u. Meni generalno radi ok, nisam imao problema.

domy_os 13.02.2024. 23:04
Na mobitelu je autofill još i OK osim što mi fali jednostavan exclude za neke app, problem je na desktopu. Znam lupati CTRL+SHIFT+L bezbroj puta i ne radi, i na svim browserima tako. Neko vrijeme radi dobro pa se zblesira.

1v@n 14.02.2024. 00:01
I dalje imam mjesta na Dashlaneu kad vam dosade ova polurješenja koja cure na sve strane :D

xlr 14.02.2024. 00:35
Citiraj:
Autor d0X (Post 3728432)
Možeš probati "Use accessibility" i "Use draw-over" pod "Auto-fill" u BW-u. Meni generalno radi ok, nisam imao problema.
To je sve popaljeno, ali pamtim da mi svako malo neki app/web ne ponudi autofill pop-up. Nije tako cesto, dovoljno da zapamtim :)

Nisam na kompu koristio global shortcut, budem bas probao kako se ponasa.

Night 15.02.2024. 10:15
Trebao bi mi neki 2FA (TOTP) autentikator da radi na Windowsima, ali da se editiranje i gledanje seeda može zaključati nekim admin passwordom.
Znači ideja je da ja kao admin unesem seed, korisnik može dobiti šestoznamenkasti broj kad hoće, ali ne može vidjeti koji je seed i kopirati ga u neki svoj autentikator.
Authy nije opcija.

tintin 15.02.2024. 10:56
Nikako da mi proradi vaultwarden u kombinaciji sa caddy-em.
Mislim da je problem što su mi portovi 80 i 443 na severu zauzeti, a ne uspijevam to upoginiti preko drugih portova.
Radio sam po ovim uputama.

Night 15.02.2024. 11:15
Citiraj:
Autor tintin (Post 3728682)
Nikako da mi proradi vaultwarden u kombinaciji sa caddy-em.
Mislim da je problem što su mi portovi 80 i 443 na severu zauzeti, a ne uspijevam to upoginiti preko drugih portova.
Radio sam po ovim uputama.

Možeš li koristiti druge portove s obzirom da su 80 i 443 zauzeti, npr. ako hoćeš da ti bude na 8080 i 8443 staviš u yml fajl ovo :

ports:
- 8080:80
- 8443:443

xlr 15.02.2024. 11:22
Brzinskim pregledom vidim da je compose fajl za caddy malo pogresan, ali to si vjerojatno i sam skuzio kod kreiranja kontejnera. Za caddy je naveden "networks: bitwarden_network" umjesto prethodno kreirani "vaultwarden_network".

Za reverse proxy (Caddy) i za dobivanje certifikata bi trebao imati forwardane portove 80 i 443 prema caddyju (odnosno prema docker hostu). Ako ti server to vec koristi, napravi macvlan subnet u dockeru i na njega nakaci vaultwarden i caddy. Caddy i vaultwarden ce dobiti svoj vlastiti IP, potpuno nevezan za server. Macvlan je odlican za takve stvari kada server ima zauzete portove, a ne mozes koristiti alternativne.

E sad, nadam se da nece biti problema s otvaranjem portova 80/443 prema dvije lokacije na mrezi, to nisam probao. Ako ti server samo koristi te portove, ali ih nisi otvarao na ruteru prema netu, onda ce ti ovo sto sam naveo raditi sigurno bez problema (imao sam takav setup dugo vremena).

Prouci macvlan i kako se kreira (moras ici kroz terminal, bit ce jedna komanda, nemoj ga raditi kroz portainer GUI). Kada slozis macvlan mrezu, onda na slican nacin povezes kontejner s tom mrezom.

U nastavku cu ti dodati svoj compose, samo da ga sredim pa cu editirati post.

EDIT:
Night je u pravu, sad vidim u tvom linku da se koristi 80:80. Možeš to riješiti kako je rekao. Onda na ruteru kada budeš forwardao portove 80/443, moraš ih usmjeriti interno na portove koje si definirao za Caddy (npr. 8080/8443).


Ako jako zapneš javi, jer sad ne uspijevam naći što sam htio. Postoji mogućnost da sam prebrisao taj macvlan setup jer sam ga prestao koristiti, ali mogao bi izvući makar neke linkove. Ako baš jako zapneš :)

tintin 15.02.2024. 12:03
Stavio sam portove kako je napisano i u routeru napravio port forward, ali ne uspijeva se spojiti i pokupiti certifikat.
Nešto radim krivo :hitthewal:

xlr 15.02.2024. 12:15
Na kakvom hardveru vrtis docker, NAS ili nesto drugo? Synology? Koja mu je IP adresa u LAN-u?

Znaci pratis upute s linka, uz izmjenu portova u compose fajlu kako je Night napisao?

Mozes poslati screenshot kako si forwardao portove u ruteru?

tintin 15.02.2024. 12:19
DIY NAS sa Openmediavaltom

Na ruter je portforward tcp 8080 na 8080 i tcp/udp 8443 na 8443 prema NASu
Ako stavim npr 8080 na 80 onda me baca na Openmediavault gui

xlr 15.02.2024. 12:26
Port forward ti radi ispravno, to je dobro.

Trebas staviti 80 na 8080 i 443 na 8443. Ruter mora slusati ispravne portove.

tintin 15.02.2024. 12:31
Napravio sam tako i sad je pokupio certifikat, ali se i dalje ne mogu spojiti.
I ovo je veliki pomak na bolje.

xlr 15.02.2024. 12:52
Ok, caddy ocito funkcionira obostrano prema netu. Meni je caddy setup skroz nepoznat pa nemam pojma ni odakle bi krenuo s debagiranjem. Mozda uleti netko iskusniji.

Koristis portainer? Znas iscitati docker logove od caddyja kada recimo pokusavas pristupiti vaultu preko domene? Mislim da bi tamo trebalo nesto pisati, neka greska, bilo sto...

tintin 15.02.2024. 13:35
Bacim oko malo na to

tintin 16.02.2024. 11:07
Nisam uspio ne znam iz kojeg razloga na ovom serveru pa sam pokušao na drugom (jača mašina sa više rama) i sve proradilo, ali sam fw portova na routeru morao postaviti kako sam naveo u par postova prije:
tcp 8080 na 8080 i tcp/udp 8443 na 8443 prema NASu, a docker container radi fw porta prema portovima 443 i 80 (8080:80, 8443:443)

Kad pristupam vaultwardenu moram upisati i port... my.dns.address:8443


Sva vremena su GMT +2. Sada je 22:24.
Stranica 4 od 5 123 4 5
Show 40 post(s) from this thread on one page

Powered by vBulletin®
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
© 1999-2024 PC Ekspert - Sva prava pridržana ISSN 1334-2940
Ad Management by RedTyger