Author Topic: Cell Phone question  (Read 1754 times)


Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • Posts: 8261
  • I'd rather be paddling
Re: Cell Phone question
« Reply #15 on: April 08, 2019, 09:10:34 PM »
... you can and should have your data backed up so that if that happens you can always restore it.

That's the crux of it. It always baffles me when people lose data because of a crash or a hacker, and they have not backed up. I remember when backing up your computer was an hour-long process of inserting one 5 1/2 inch floppy after another and waiting for each to write. Now it's a couple of clicks or just set it to happen on a schedule. Or with a phone, it happens automatically unless you tell it not to or never bother to set it up in the first place.

But yet people don't back up their data.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline brilligtove

  • Too Much Spare Time
  • Posts: 7107
  • Ignorance can be cured. Stupidity, you deal with.
Re: Cell Phone question
« Reply #16 on: April 08, 2019, 11:48:59 PM »
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Sure, but forget your bank, credit card or health plan password and you can get a new one by means of verification. I would think that a service provider would be able to do the same.

It isn't obvious, but these are quite different situations. In the case of the bank or credit card you have a third party that controls your access to a resource that they own. In the case of the phone, you are the only one who has control over access to a resource you own. YOU are the bank in this scenario.

If you want a third party to be able to unlock your phone, you essentially give them access to everything you can access through that device. Who made your phone? Apple, or Samsung, or Huawei, or Google? If they can circumvent your password, they have access to everything that your phone has access to. Oh, and that minimum wage employee in India or Brazil who got around your password? She could too.

ETA: This is a little hyperbolic and inaccurate but not wrong - in the same way that the models of the atom that you learned first were wrong, but not *wrong* wrong.
evidence trumps experience | performance over perfection | responsibility – authority = scapegoat | emotions motivate; data doesn't

Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • Posts: 8261
  • I'd rather be paddling
Re: Cell Phone question
« Reply #17 on: April 09, 2019, 10:25:23 AM »
^ Good points.

I like The Latinist's idea: A phone with no recovery method, and back up your data. Of course then you have the issue of the security of your back-up.  ::)  Do you store it locally? What happens if you lose that password? Do you store it in the cloud and trust the cloud company? And what about that password?

I don't really have anything important on my phone. My phone book can be replaced. My apps can be replaced. Pictures on my phone are just copies so I can show people.

Daniel

Offline bimble

  • Seasoned Contributor
  • Posts: 659
Re: Cell Phone question
« Reply #18 on: April 09, 2019, 10:44:47 AM »
unless you're expecting these people to be breaking into your accounts from your home, just keep your passwords on a piece of paper near your computer...

Offline Belgarath

  • Forum Sugar Daddy
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • Posts: 11809
Re: Cell Phone question
« Reply #19 on: April 09, 2019, 11:36:13 AM »
The whole point of a passcode lock is to make access to the phone impossible without the passcode. Why on earth would there be a way to bypass it?

Sure, but forget your bank, credit card or health plan password and you can get a new one by means of verification. I would think that a service provider would be able to do the same.

I don't trust Apple or any of the droid companies to have my personal unlock code.  LastPass has a business model ready to handle this, I don't think they can see any of my codes/passwords other than the master. I could see a phone company doing the same but they haven't yet as far as I know.

Minor nit:

LastPass cannot derive your master password, nor do they know it at all.  They only know an algorithmic hash of it which cannot be reverse engineered in a reasonable amount of time.  Now, they DO allow for a method to recover your account, but that does weaken the protection provided by LastPass.  They apply a waiting period and do their best to ensure that it REALLY is you trying to gain access.  But the way they do this is that they essentially have a SECOND password to your account that allows them in if certain conditions are met.

https://support.logmeininc.com/lastpass/help/recover-your-lost-master-password-lp020010

BTW: I strongly strongly recommend that you DISABLE any sort of account recovery using SMS on ANY account you have.  SMS is totally insecure.  SMS messages are NOT encrypted end to end in transit and the encryption that IS used (from cell tower to your phone) is very weak.

You should never use SMS as a second factor except if you're forced to do so by the provider.  Having it as a second factor (but NOT an account recovery) is a bit more secure, but it's much better to use OTP apps.
#non-belief denialist

Offline The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Too Much Spare Time
  • Posts: 7390
Re: Cell Phone question
« Reply #20 on: April 09, 2019, 12:26:48 PM »
On my phone I use iCloud backup, a strong passphrase, and Touch ID. My phone is set to wipe its memory after 10 unsuccessful passphrase attempts.  I keep all of my passwords (randomly-generated and long) in a Lastpass vault with secondary authentication through an app on my phone.  There is no passcode recovery option on my Lastpass vault.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • Posts: 8261
  • I'd rather be paddling
Re: Cell Phone question
« Reply #21 on: April 09, 2019, 12:39:54 PM »
LastPass cannot derive your master password, nor do they know it at all.  They only know an algorithmic hash of it which cannot be reverse engineered in a reasonable amount of time.  Now, they DO allow for a method to recover your account, but that does weaken the protection provided by last pass.  They apply a waiting period and do their best to ensure that it REALLY is you trying to gain access.  But the way they do this is that they essentially have a SECOND password to your account that allows them in if certain conditions are met.

So a crooked employee or someone who hacks Lastpass could get that second password and get into your accounts?

The whole concept seems to involve trade-offs: It lets you have unique, long, very secure passwords for your log-ins to all your web sites, but it means that anybody who hacks your Lastpass account gets access to everything. It puts all your eggs in one basket.

And of course if you are using fingerprint ID, a bad guy could just force your finger onto the sensor. Face ID even easier. Not to mention the Hollywood super-villain solution of cutting off your finger.
Daniel

Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • Posts: 8261
  • I'd rather be paddling
Re: Cell Phone question
« Reply #22 on: April 09, 2019, 12:51:38 PM »
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

I figure no lock is perfect. The lock just makes it more difficult to open the front door than to smash the window. A password to your accounts just has to make it more difficult to access the account via the password than to convince the account administrator that the thief is you. You probably don't need a 50-character random string to achieve that. But with a password manager, a thief only has to obtain one password to get access to all your accounts.
Daniel

Offline The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Too Much Spare Time
  • Posts: 7390
Re: Cell Phone question
« Reply #23 on: April 09, 2019, 03:20:50 PM »
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

My password vault is encrypted on my computer/phone using 256-bit AES encryption with a key that never leaves my computer.  LastPass never sees the unencrypted vault and does not have access to my key.  They store only the encrypted vault, which they allow me to download if I enter my password.

They also never see my password.  On their server, they store only a cryptographic hash of my password (the result of a one-way function performed on my password on my computer).  And that hash is again hashed on their servers before storage.

At worst someone at LastPass or a hacker could gain access to my encrypted password vault or the hashed version of my password (which, even if they could find a hash collision, would only give them the ability to download my encrypted password vault, not the ability to decrypt that vault).  Without my encryption key, the last estimates I saw were on the order of 10e38 years to brute force.

Offline brilligtove

  • Too Much Spare Time
  • Posts: 7107
  • Ignorance can be cured. Stupidity, you deal with.
Re: Cell Phone question
« Reply #24 on: April 09, 2019, 04:27:51 PM »
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

I figure no lock is perfect. The lock just makes it more difficult to open the front door than to smash the window. A password to your accounts just has to make it more difficult to access the account via the password than to convince the account administrator that the thief is you. You probably don't need a 50-character random string to achieve that. But with a password manager, a thief only has to obtain one password to get access to all your accounts.

There are a few problems with this assessment.

"I figure no lock is perfect."
Digital locks are effectively perfect. They make it impossible to open the door in the lifetime of the universe. There is no window to break when the door doesn't open. There is no wall to cut through. If you have a strong master password, you could publish your entire password vault on the internet for everyone to see with complete confidence that it will never ever be decrypted by anyone. The information is utterly and completely protected unless you have the secret key that turns it from noise to signal.

The services that LastPass provides are, in order of priority:
1. Locally installed programs that store passwords in a local secure file.
2. A service that synchronizes local secure files across devices.
3. A web interface providing secure access to an online copy of the secure file.

"A password to your accounts just has to make it more difficult to access the account via the password than to convince the account administrator that the thief is you."
The thousands of companies that have had customer data stolen are able to unlock your account because they have essentially unfettered access to your data. Your data is not protected: your password is protecting access to your data. A criminal can use social engineering to circumvent the password on your account because the employees have their own access to your data.

A system like LastPass is utterly invulnerable to this sort of social hacking because the lock is perfect and they do not have the key.

"But with a password manager, a thief only has to obtain one password to get access to all your accounts."
This is true, as far as it goes. It just ignores the sad reality of human capacity to use passwords. Specifically, we can't remember unique passwords for every site, and we can't remember passwords that have enough entropy to be useful protection. In practice, we use passwords that are easy to remember - which means they are easy to hack. And because we can't manage hundreds of unique passwords, chances are very good that learning one of a person's passwords means learning many of them - maybe all of them.

So sure, it's true that a hacker who gets a hold of my LastPass master password has access to everything - but that hacker has to have physical access to me to do that, and at that point passwords are not going to protect anything. In the real world a password manager is vastly superior protection.

Offline seamas

  • Frequent Poster
  • Posts: 2369
Re: Cell Phone question
« Reply #25 on: April 09, 2019, 05:24:53 PM »
OK thanks all.

Just to clarify, this is not my phone, it is my 12 year old daughter's phone. Just about all the data was just photos, so I'll just have to do a factory reset. She's only had it since October or so.

The strange thing is, she is 100% certain that she is keying in the right swipe code and that she hasn't changed it.

Offline wastrel

  • Great poster... or greatest poster?
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • Posts: 13409
  • Science: A cold-hearted bitch with a 14" strap-on
Re: Cell Phone question
« Reply #26 on: April 09, 2019, 06:36:11 PM »
"But with a password manager, a thief only has to obtain one password to get access to all your accounts."
This is true, as far as it goes. It just ignores the sad reality of human capacity to use passwords. Specifically, we can't remember unique passwords for every site, and we can't remember passwords that have enough entropy to be useful protection. In practice, we use passwords that are easy to remember - which means they are easy to hack. And because we can't manage hundreds of unique passwords, chances are very good that learning one of a person's passwords means learning many of them - maybe all of them.

So sure, it's true that a hacker who gets a hold of my LastPass master password has access to everything - but that hacker has to have physical access to me to do that, and at that point passwords are not going to protect anything. In the real world a password manager is vastly superior protection.

That's why I use "password" as my master password, so I'll never forget it.

Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • Posts: 8261
  • I'd rather be paddling
Re: Cell Phone question
« Reply #27 on: April 09, 2019, 07:43:46 PM »
... There is no passcode recovery option on my Lastpass vault.

Does this mean they have not created a secondary password, or merely that there's no way for you to recover it? I.e., is it in there where a hacker or crooked employee could get it?

My password vault is encrypted on my computer/phone using 256-bit AES encryption with a key that never leaves my computer.  LastPass never sees the unencrypted vault and does not have access to my key.  They store only the encrypted vault, which they allow me to download if I enter my password.

They also never see my password.  On their server, they store only a cryptographic hash of my password (the result of a one-way function performed on my password on my computer).  And that hash is again hashed on their servers before storage.

At worst someone at LastPass or a hacker could gain access to my encrypted password vault or the hashed version of my password (which, even if they could find a hash collision, would only give them the ability to download my encrypted password vault, not the ability to decrypt that vault).  Without my encryption key, the last estimates I saw were on the order of 10e38 years to brute force.

Someone upthread mentioned that if you choose to implement it, Lastpass has a backup password. My question was whether they create this password for all accounts and just hide it if you don't implement that avenue of recovery, or whether they don't even create it unless you implement that recovery avenue.

The only thing Lastpass does is encrypt data on your phone and, optionally, store the encrypted file. But the whole point of strong passwords is to protect access to accounts elsewhere, such as your bank. There are many avenues a thief might use to try to get access to your bank account. One is to guess or otherwise obtain your password. Let's assume that Lastpass makes it impossible for them to do this. They still have other avenues of attack: Pretend to be you, hack the bank, hack e.g. Target who has (or had) your credit card information on insecure servers. Another way is to kidnap you and hurt you until you give up the information.

If your password is strong enough that any of these other routes are easier for a thief, then your password is as good as a perfect, uncrackable password. No lock is perfect because they can always torture you until you give them the key. An uncrackable password is no better than a password that's good enough that the thief would rather use physical force against you, or use other, subtler methods of impersonating you. And it's been demonstrated that impersonating people is not all that hard, in most cases. If a really strong password was all you need, there would be no market for bulletproof cars.

Just as fingerprint ID makes your phone less secure by creating an additional way in (you can use the fingerprint OR the passcode) so it seems to me that password programs are providing one more route into your accounts.

Of course, for most people it's moot because they use such bad passwords. I had a friend whose password was her dog's name. And she was in other respects an extremely intelligent person. (I know her password because she told me, so that I could get some work-related information she wanted me to have access to.) As far as I know, she didn't change her password after the work was done. Though I never tried it after that.

Daniel

Offline daniel1948

  • Isn’t a
  • Reef Tank Owner
  • Posts: 8261
  • I'd rather be paddling
Re: Cell Phone question
« Reply #28 on: April 09, 2019, 07:52:41 PM »
... because we can't manage hundreds of unique passwords, chances are very good that learning one of a person's passwords means learning many of them - maybe all of them.

So sure, it's true that a hacker who gets a hold of my LastPass master password has access to everything - but that hacker has to have physical access to me to do that, and at that point passwords are not going to protect anything. In the real world a password manager is vastly superior protection.

First, I only have 2 or 3 sites that any hacker would have any motive to attack, and I can easily remember three very difficult-to-guess passwords. Other sites don't need difficult passwords because there's nothing of any value on them. And he would not need physical access to you: He'd just need to know your Lastpass log-in name and password. I can certainly see that Lastpass has real utility for someone who needs to protect a lot of accounts. I just think there are trade-offs, and that no system is perfect.

But I note that you complain that re-use of passwords is a problem because a person who gets one of your passwords will have access to many or all of your accounts. But that's precisely my complaint about password managers: If a thief gets that one master password, he has access to ALL your accounts.
Daniel

Offline arthwollipot

  • Reef Tank Owner
  • Posts: 8628
  • Observer of Phenomena
Re: Cell Phone question
« Reply #29 on: April 09, 2019, 08:59:36 PM »
First, I only have 2 or 3 sites that any hacker would have any motive to attack...

Any site is worth hacking, if your intent is to set up a zombie cloud to run DDoS attacks. The only prerequisite for that is that it be on the internet.
Self-described nerd. Pronouns: He/Him.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiarii?
