Protect yourself against password breaches with Chrome’s hidden password manager

vbimport

#1

We’ve just posted the following news: Protect yourself against password breaches with Chrome’s hidden password manager

Recently there have been numerous password breaches, which underlines how important it is to use a different and safe password for every site. There are many third-party solutions for this, but not many know that the Google Chrome browser has a simple built-in password manager that should prevent you from being the victim of a password breach.

Read the full article here: [http://www.myce.com/news/protect-password-breaches-chromes-hidden-password-manager-79606/](http://www.myce.com/news/protect-password-breaches-chromes-hidden-password-manager-79606/)


#2

First of all, I will have to warn people not to use this feature in Chrome, or password managers in browsers in general, as it poses a possible security breach in itself; preferably also do not save passwords for automatic login.
Keep your password manager external to the browser and, if security is of concern, I would advise using a portable alternative not connected to the computer when not in use and, if possible, one not too widespread, as they are more likely to be targeted should your machine become infected.

Chrome has generally been considered an insecure browser for the last few years with both known and unknown vulnerabilities being exploited. It is true that Google now is putting down tremendous work to correct the flaws, but it is way early to recommend using any features turned off by default.


#3

If you want true password protection, use KeePass portable, where you can set a master password, and only if you input the password can you access the KeePass password listing. I can believe one would say a Browser is more secure compared to a USB portable that once protected unless they break the password as opposed to insecurity in Browser makes them more targeted by hackers.

Take a look…

http://keepass.info/

I have it, and it stores all my passwords/logins on my computer and on a USB that I can sync, and I don't worry whether updating one also updated the USB version. So to anyone thinking a browser password manager is secure: I've got valuable land in Putin Land I can sell you.


#4

[QUOTE=coolcolors;2775685]If you want true password protection, use KeePass portable, where you can set a master password, and only if you input the password can you access the KeePass password listing. I can believe one would say a Browser is more secure compared to a USB portable that once protected unless they break the password as opposed to insecurity in Browser makes them more targeted by hackers.

Take a look…

http://keepass.info/

I have it, and it stores all my passwords/logins on my computer and on a USB that I can sync, and I don't worry whether updating one also updated the USB version. So to anyone thinking a browser password manager is secure: I've got valuable land in Putin Land I can sell you.[/QUOTE]

Wasn’t KeePass found vulnerable, something about the database being encrypted with AES in CBC/PKCS7 mode without proper authentication?


#5

Look at it this way, if you use KeePass on a well-hidden flash drive, that alone will help keep you protected. After all, a password stealer would need physical access to the building you keep your flash drive in (assuming you don’t simply bury it in the ground) in order to crack KeePass. Of course, when you put it in your computer, any malware on your computer could conceivably start cracking it. Even then, however, you probably won’t be leaving the drive in your machine for too long, so said malware will only have a limited amount of time (unless you prefer to properly dismount your flash drive before removing it, in which case, I wish you the best of luck).


#6

I’ve used Access Manager 2 for quite some time now. I also have LastPass installed.

http://www.accessmanager.co.uk/

:slight_smile:


#7

OT:
It was not my intention to spread FUD, and TSJnachos117 is correct: as long as it is portable on-demand on a USB stick not connected to your computer at all times, even a simple crackable Blowfish encryption will do, given a reasonable master password. When installed or part of your browser, the security aspect suddenly becomes way more complicated.

It was more a question to coolcolors if he had checked into it and not meant to confuse other readers, KeePass is more than a decent password keeper :flower:


#8

[QUOTE=Xercus;2775731]Wasn’t KeePass found vulnerable, something about the database being encrypted with AES in CBC/PKCS7 mode without proper authentication?[/QUOTE]
That was LastPass, an online password keeper, that was hacked. This one maintains no online presence.


#9

No, they never got the LastPass database, only a hashed copy of the user’s email, not the passwords.
It was related to KeePass and so I checked into it myself just now… Some of the security concerns seem to have been addressed with the latest 2.34 release. :flower:


#10

[QUOTE=Xercus;2776087]No, they never got the LastPass database, only a hashed copy of the user’s email, not the passwords.
It was related to KeePass and so I checked into it myself just now… Some of the security concerns seem to have been addressed with the latest 2.34 release. :flower:[/QUOTE]
LastPass was the master password that was stolen.

And it has to assume the other person is given access to another user's computer. So without this access that program can’t do much. And the person has to run it and assuming the user will let you use their computer let alone install something onto their computer. And it loads from memory so if they reboot and not running KeePass that program can’t do anything as well. So this program requires total free access without the user being there for this to work and for KeePass loaded and closed to work so without these two conditions met the program also is dead in the water.


#11

[QUOTE=coolcolors;2776109]LastPass was the master password that was stolen.

And it has to assume the other person is given access to another user's computer. So without this access that program can’t do much. And the person has to run it and assuming the user will let you use their computer let alone install something onto their computer. And it loads from memory so if they reboot and not running KeePass that program can’t do anything as well. So this program requires total free access without the user being there for this to work and for KeePass loaded and closed to work so without these two conditions met the program also is dead in the water.[/QUOTE]

The LifeHacker story was written June 15, 2015, but if you follow the link from the article to their blog (same as my link above), you will find an update from June 16, 2015:

[B]Was my master password exposed?[/B]
No, LastPass never has access to your master password. We use encryption and hashing algorithms of the highest standard to protect user data. We hash both the username and master password on the user’s computer with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm. That creates a key, on which we perform another round of hashing, to generate the master password authentication hash. That is sent to the LastPass server so that we can perform an authentication check as the user is logging in. We then take that value, and use a salt (a random string per user) and do another 100,000 rounds of hashing, and compare that to what is in our database. In layman’s terms: Cracking our algorithms is extremely difficult, even for the strongest of computers.


[B]Were passwords or other data stored in my vault exposed?[/B]
No, your data is safe. Encrypted user vaults were not compromised, so no data stored in your vault is at risk (including form fill profiles, secure notes, site usernames and passwords). However if you used your master password for any other website, we do advise changing it – on LastPass as well as on the other websites. Note that you should never reuse passwords – especially your LastPass master password!
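
Added example, not part of the thread and not LastPass's own code: a sketch of the two-stage scheme the quoted blog text describes, showing that the server stores only a salted, re-hashed verifier and never the vault key. The round counts come from the quote; using the username as the client-side salt, treating the extra client round as a single PBKDF2 iteration, using PBKDF2-SHA256 for the server's 100,000 rounds, and all function names are assumptions.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000     # figure from the quoted blog text
SERVER_ROUNDS = 100_000   # figure from the quoted blog text


def client_derive(username: str, master_password: str) -> tuple[bytes, bytes]:
    """Return (vault_key, auth_hash); only auth_hash is sent to the server."""
    # Assumption: the username serves as the PBKDF2 salt on the client.
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.encode(), CLIENT_ROUNDS)
    # Assumption: "another round of hashing" is one PBKDF2 iteration over the key.
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_enroll(auth_hash: bytes) -> tuple[bytes, bytes]:
    """Return (salt, verifier): the only values the server database keeps."""
    salt = os.urandom(16)  # random per-user salt, as the quote describes
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute the verifier from a login attempt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample credentials, for illustration only.
    user, pw = "alice@example.com", "correct horse battery staple"
    vault_key, auth_hash = client_derive(user, pw)
    salt, stored = server_enroll(auth_hash)
    _, wrong_hash = client_derive(user, "wrong guess")
    return {
        "login_ok": server_verify(auth_hash, salt, stored),
        "wrong_rejected": not server_verify(wrong_hash, salt, stored),
        "key_differs_from_auth": vault_key != auth_hash,
        "db_lacks_key": vault_key not in (salt, stored),
    }


if __name__ == "__main__":
    print(demo())
```

An attacker holding the server-side `salt` and `verifier` still has to run the full chain of rounds per password guess, which is why the advice in the quote focuses on master-password strength and reuse.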