Password Manager OneLogin Breached

rgMekanic
Password management service OneLogin stated, "Today we detected unauthorized access to OneLogin data in our US region." Those affected have been advised to visit a registration-only support page outlining the steps they need to take. The list of steps is quite long.

A quick look around their website says that they serve over 2,000 enterprise customers in many different fields, including Pinterest, Yelp, and Stanford University. This could be a very wide-reaching security breach. "Customer data was compromised, including the ability to decrypt encrypted data," according to a message OneLogin sent to customers.

While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.
 
It's only a matter of time, as they say. I never thought it was a great idea to digitally store all passwords in one place, and this is a good reinforcement of that mindset.
 
Cloud based password managers are stupid.

I have zero problem storing all my passwords in a OnePassword vault and having that vault on a cloud drive that all my devices can access... because I'm the only one that has, and will ever have, the master password for that vault. And it's a master password that is long enough and picked in a truly random way not to be an issue. It's the only thing I have to remember, so the fact that it is five words isn't a big deal.

For a cloud based password manager to work they have to know your secret too. And then stuff like this story can happen.

Convenience or security - choose wisely!
 

Do they? I think (could be wrong) LastPass stores only encrypted data; when you authenticate using the master key (your email + your password combined), it transfers the encrypted data to the client to be decrypted. The master key is never sent to LP, only a hash of it is, and since they claim not to store that, I assume it's used to check "does this hash solve this crypt" against a test file (if readable, send encrypted data to client for decryption) or something.

It's the same type of thing Mega does. If you've used Mega to store files, you know it takes longer to log on versus Dropbox because of the extra crypt steps.

At least that's what they claim.
 
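The design the two posts above describe (a vault encrypted with a key only the client ever holds, and a server that sees nothing but an authentication hash and an opaque blob) sketched as added example code. This is not LastPass, 1Password or OneLogin's implementation. Assumptions made here: PBKDF2-HMAC-SHA256 as the KDF with 100,000 iterations, two purpose-separated keys derived from it, and an HMAC-SHA256 counter-mode keystream plus HMAC tag standing in for AES-GCM so the example runs on the Python standard library alone.

```python
# Added illustration of a "zero-knowledge" vault: the server never sees the
# master password or the vault key. Example code, not any vendor's product.
# Assumed parameters: PBKDF2-HMAC-SHA256, 100k iterations, HMAC-CTR + HMAC
# tag in place of AES-GCM (stdlib only).
import hashlib
import hmac
import secrets

KDF_ITERS = 100_000           # assumed; real products tune this per device
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(email, master_password):
    """Client side only. Returns (vault_key, auth_key).

    vault_key never leaves the device. auth_key is what the client sends as
    its login credential. Both are one-way derivations of the same PBKDF2
    output, so holding auth_key does not reveal vault_key."""
    base = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERS)
    vault_key = hmac.new(base, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(base, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


def _keystream(key, nonce, length):
    """Counter-mode PRF stream (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(vault_key):
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt_vault(vault_key, plaintext):
    """Encrypt-then-MAC on the client. Output: nonce || ciphertext || tag."""
    enc, mac = _subkeys(vault_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key, blob):
    """Verify the tag before decrypting; a wrong master password fails here."""
    enc, mac = _subkeys(vault_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class VaultServer:
    """What the service stores per user: a salted, stretched hash of auth_key
    and the opaque blob. This is everything a breach of the server yields."""

    def __init__(self):
        self.users = {}

    def register(self, email, auth_key, blob):
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_key, salt, KDF_ITERS)
        self.users[email] = {"salt": salt, "auth_hash": stored, "blob": blob}

    def login(self, email, auth_key):
        rec = self.users[email]
        check = hashlib.pbkdf2_hmac("sha256", auth_key, rec["salt"], KDF_ITERS)
        if not hmac.compare_digest(check, rec["auth_hash"]):
            raise PermissionError("bad credentials")
        return rec["blob"]

    def breach_dump(self, email):
        """Simulates the attacker's haul: no master password, no vault key."""
        return dict(self.users[email])


def offline_guess(email, dump, candidate_passwords):
    """The one thing a breach dump enables: offline guessing of the master
    password, paying two KDF runs per guess. Returns the first candidate
    whose auth hash matches, else None. A long random master password makes
    this infeasible; a weak one does not, and a hit also yields vault_key."""
    for guess in candidate_passwords:
        _, auth_key = derive_keys(email, guess)
        if hmac.compare_digest(
                hashlib.pbkdf2_hmac("sha256", auth_key, dump["salt"], KDF_ITERS),
                dump["auth_hash"]):
            return guess
    return None
```

Walk through it with `derive_keys`, `encrypt_vault`, `VaultServer.register` and `VaultServer.login`: the bytes that cross the wire are `auth_key` and the blob, and `breach_dump` shows that a server compromise hands the attacker nothing but a salted hash and ciphertext. `offline_guess` is the attack that remains, which is why the master password's length and randomness, not the cloud, decides the outcome.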
Wait, so, people actually use an online password management service?!?!?!

With the risk of compromise in the online world, this baffles me.
 
Hey, I have a great idea: let's set up this website that gets people to enter their passwords for all their information. Nothing will ever go wrong with it! We promise. You can trust us just like you can trust the police....
 
I will not use a Cloud based password manager. I just started using Keepass on Windows and Android, and that is as far as I would go in terms of password managers.
 
*reads the story*
*looks at the piece of paper under his desk with a metric crap ton of logins and passwords*
*sighs* good ol' PENCIL (movie reference)

Seriously, the steps are to change all your passwords; yeah, that's not up there with trying to recall which cards you had in your wallet that got "lost" that you need to cancel.
 

Well, you do have a list of logins and locations in your password manager, so you don't really have to rely on memory.


Also, KEEPASS KEEPASS KEEPASS.
Open source. Not depending on some third party to take proper care of your data.
 

Or you just do what I do and memorize every single password.
 
I used to get laughed at when I said "Hey... what if..."

Glad I didnt take all those articles stating "One Major Way To Improve Your Online Safety" seriously.
 
Hey, I have a great idea: let's set up this website that gets people to enter their passwords for all their information. Nothing will ever go wrong with it! We promise. You can trust us just like you can trust the police....

You know there are countries where you actually CAN trust the police.
 
Yeah... no.
That is a very easy way to have bad passwords to begin with: too short, not random, and not unique.
A different approach is to use a small pool of passwords, which is what I did before I dedicated myself to using KeePass.
A low-care password used for any sites and places that won't handle my money or information; low risk if breached.
A high-security password used for things that can access my money.
A totally separate main email password for my actual email account, the one that gets all the forwards and is not used as login info anywhere else.
A totally separate password for directly interacting with a bank.

Not terribly difficult to create and remember long random passwords when you only need a handful. The only pain was actually remembering my account names, as I made sure each account name was unique whenever possible for the high-security sites; an easier way to avoid a username and password stolen from one site or phishing attempt bleeding over into security breaches on the other sites. More often than not that required me to maintain emails for only one site, which is why I ended up forwarding all my emails to a totally separate main email account. Although eventually I got around trying to remember usernames by just using form autofill; did that for years without any issue.

I would never trust a password cloud service to manage my passwords. Although I do have my .kdbx file on a cloud service, that's only because I know they don't have any info for opening it themselves, so the file getting stolen is no big deal as it's properly encrypted to hell.
 

Using a small pool of passwords still has issues with reusability and short passwords compared to what you can use a manager for.
But I agree: if people decide to use only a few passwords so they can remember them, they need to separate bank/email/stuff. It will help a good amount.
 
What I've found to be a problem since I changed to using a password manager is maximum password lengths and character restrictions, capping even good random passwords at 8, 12, 14 or 16 (16 is fine in my mind) max, stuff I could memorize on my own. Some sites promote weak passwords; if they aren't hashed and salted properly they could easily be breached through the brute-force methods available today. That, and plenty of sites don't use HTTPS during log-ins, at which point the password is more like a courtesy, and I don't have much hope for anything saved there being that secure.

It's like people only use 4 numbers for their PIN on their debit/credit cards. I always try to use the max. It's actually amazing how few people know you can use more than 4 numbers for a lot of banks/companies.
 
I use passwords of around 20-25 characters just made up of random verbs and nouns.

Oh and I keep them in a book...on paper.

Bastards at least have to break into my home to get them and find them.
 
I always thought password managers defeated the purpose of having different passwords anyway.
 
I keep all passwords in Lastpass except password for my main email address at google. At least if Lastpass is compromised they cannot access my email
 

I CAN USE MORE THAN 4 NUMBERS FOR MY PIN? GDI, I didn't know that. I need to address that shit soon.
And what is up with credit card access being based on zip code... so 5 numbers that are easier to get than a 4-digit PIN... seriously..

And yes, way too many sites restrict passwords to something as low as 16 characters, which I can't fathom any reason for; such crappy limitations.


Anyway, in regards to bad logins, that is exactly the reason why you want a password manager, so you have unique passwords. Uniqueness is not a protection against breaking the login, but against one broken login exposing all the other logins you have.
 
Or you just do what I do and memorize every single password.

Yeah... no.
That is a very easy way to have bad passwords to begin with: too short, not random, and not unique.

You assume a bit quick, huh? I have several passwords made up of lots of different phrases that I usually said at one point or another, mixed with the typical extra symbol characters to comply with most websites. Take a hint from XKCD on this one: https://www.xkcd.com/936/

At worst I will write down one word on paper attached to the site name. This will allow me to figure out the rest. At best it's just memorized completely. Haven't had issues yet and some of my accounts have been part of database breaches in the past.
 

If by assuming you mean believing that a computer is better at remembering long complex strings of characters, then yes, I assume.
Funny enough, exactly what xkcd is saying is that it's hard for humans to have complex passwords; not that they are bad, just that short is not good. You are really proving the opposite of what you are trying to argue.
Besides, dictionary attacks and the like.
The purpose of xkcd is not that remembering stuff is good; it's that you need long passwords.
And he also refutes a lot of people's misconceptions about it, just like yours.

You have your method; that's fine. But trying to pass your passwords off as even getting close to the security of a proper password manager's ability is just not valid.
 
I have no misconceptions about what that comic is about. You, my friend, are what I would classify as paranoid. I worked in the security field for a few years, so I do understand this stuff pretty well. You've come to the illogical conclusion that only randomized passwords saved by a computer are the key to safety. My point was to show you that you're going overboard in your thinking. Dictionary attacks are worthless against passwords that have, for instance, a symbol inside the word, such as "RedBu+nnygrE-enBuNny". Meaning that long phrases with symbols and numbers inserted inside words are perfectly acceptable and strong against attacks. Another weakness is unknown/made-up words, or spellings that look like a word: "Ball" -> "Baal", "Happy" -> "Haapi". Furthermore, password strings as a whole are weak. Everyone's passwords, including your randomized passwords, will fall to quantum computers and the algorithms that can figure out hash collisions in the, probably near, future. So if your choice is to be overly paranoid by randomizing your passwords, that's your choice, but it doesn't actually make you any more secure than what I do.

Edit: I should mention, the other major weakness of dictionary attacks is non-english words. I write some words in another language that I know (non-latin based) making it even more ridiculous to try to reverse it with a dictionary attack.
Edit: And I should mention that, yes, it is actually quite easy to remember phrases and have these alterations to them that makes it hard for attacks against them. So...yup...gonna keep on memorizing.
 
Oh no, the dreaded "let me not quote who I'm talking to anymore so they can't get an alert and come back to answer, because I soo much want the last word" technique :rolleyes:.
Also, now going on to name-calling... nice and mature :whistle:.

Please enlighten me how my 64-character random password is not at least the same as or better than your less random and much shorter password.
I sincerely hope we can agree that on a full-blown brute-force attack, a 64-character random password would be safer than your "RedBu+nnygrE-enBuNny", where almost 50% of the characters are from the top used characters in most languages.
If you worked in security you would know how certain characters are less secure, due to the same way we break substitution ciphers, and your password consists of nearly 50% of those, leaving you way more insecure against a weighted brute-force attack.
So your password is weaker against certain attacks and upholds no benefits.
Also, you still didn't fix your limitation of password reuse, but kinda nicely avoided going into that issue.

Also, dictionary attacks are only in English now?

Again, you can do whatever you want; I'm not your boss nor your mom.
Your logic is just flawed.

-- edit --
Correction: your password consists of more than 50% of the top used characters in most languages, drastically reducing the keyspace you have to go through with a weighted brute-force attack.

Just remember "Guns and Roses: Estranged"; those are the 9 most used characters in most languages.
And also your example is EXACTLY what the XKCD comic you used as an argument is against... so you must have totally missed the point.
 
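The last several posts argue about whether a long human-memorable phrase, a manager-generated random string, or a mangled-word phrase is stronger. Here is an added estimator (not any poster's code) that puts order-of-magnitude numbers on the three attack models named: uniform brute force against a random string, frequency-weighted brute force against human-typed text, and a dictionary-plus-rules attack against a phrase of mangled words. It assumes the attacker knows which scheme was used; the English letter-frequency table is approximate and the wordlist size and rule count are constructed parameters, not measurements.

```python
# Added example: guessing-cost estimates for the password styles argued over
# above. Not from any poster. Attacker is assumed to know the scheme.
import math
import string

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 printable, no space

# Approximate English letter frequencies in percent (constructed from the
# commonly cited table; precision is irrelevant for an order-of-magnitude model).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def uniform_bits(length, alphabet_size=len(SYMBOLS)):
    """Manager-generated password: every position uniform over the alphabet."""
    return length * math.log2(alphabet_size)


def build_weighted_model(letter_share=0.85, lowercase_share=0.9):
    """Per-character probabilities a 'weighted brute force' attacker assigns to
    human-typed text: letters take letter_share of the mass split by English
    frequency (lowercase favoured lowercase_share : 1-lowercase_share); digits
    and punctuation share the rest equally. All three parameters are assumptions."""
    total = sum(ENGLISH_FREQ.values())
    model = {}
    for ch, pct in ENGLISH_FREQ.items():
        model[ch] = letter_share * (pct / total) * lowercase_share
        model[ch.upper()] = letter_share * (pct / total) * (1 - lowercase_share)
    others = [c for c in SYMBOLS if not c.isalpha()]
    for c in others:
        model[c] = (1 - letter_share) / len(others)
    return model


def weighted_bits(password, model):
    """Surprisal of the password under the model: an attacker ordering guesses
    by this model needs on the order of 2**bits tries to reach it. Characters
    outside the model (e.g. space) get the model's smallest probability."""
    floor = min(model.values())
    return -sum(math.log2(model.get(c, floor)) for c in password)


def dictionary_bits(n_words, wordlist_size, rules_per_word=1):
    """Passphrase attack: each word is one of wordlist_size choices, optionally
    mangled by one of rules_per_word transformations (case flip, inserted
    symbol, leetspeak). XKCD 936's figure is dictionary_bits(4, 2048) == 44."""
    return n_words * (math.log2(wordlist_size) + math.log2(rules_per_word))


def years_at(bits, guesses_per_second):
    """Time to exhaust the space at a given offline guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def cheapest_attack(password, model, n_words, wordlist_size, rules_per_word):
    """The attacker uses whichever model reaches the password fastest, so a
    password's effective strength is the minimum over the models that fit it.
    Returns (model_name, bits)."""
    return min(
        ("uniform", uniform_bits(len(password))),
        ("weighted", weighted_bits(password, model)),
        ("dictionary", dictionary_bits(n_words, wordlist_size, rules_per_word)),
        key=lambda item: item[1],
    )
```

Calling `cheapest_attack("RedBu+nnygrE-enBuNny", build_weighted_model(), 4, 10_000, 8)` models that string as four dictionary words with eight mangling rules each (both numbers assumed) and lands in the dictionary branch at well under 70 bits; `uniform_bits(64)` for a 64-character random string is about 419 bits. The frequency-weighted model by itself already prices the mangled phrase below the uniform figure for the same 20 characters, which is the "weighted brute force" point made above; the dictionary model is what makes the gap large.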