Old 21-02-2021, 13:14   #161
Tempest
Trusted User
 
Tempest's Avatar
 
Join Date: Jun 2000
Location: Horley (Gatwick)
Posts: 27,931
Thanks: 1,344
Thanked 1,009 Times in 607 Posts
Looks like Apple are/have got on top of warning about other apps looking at what you copy/paste via your clipboard on an iPhone:

https://www.schneier.com/blog/archiv..._apps_ste.html


So many apps are watching your clipboard, hence so many warnings:


I hope Google is going to do the same and let Android users know what other apps are looking at without you being aware they are.

I will admit I was naïve and always had this thought that copy/paste was always just a local and private thing that nothing was able to see.
Shows how wrong I was
Old 21-02-2021, 14:26   #162
Tempest
Perhaps I'm being dumb here, something copied over from LastPass in a funny way, or I just need to edit a setting, or it just does this sometimes!

I'm finding my Natwest card is being shown as a possible selection when I'm not understanding why.

An example screenshot. I'm on my Amazon main front page, and as you can see, it's obviously detecting this and offering me the choice of 2 Amazon accounts I have recorded, which is great.

However as you can see it's also offering my Natwest card as something I may wish to enter also, and I don't see why.

Any thoughts why it may be showing the Natwest option also?

Old 21-02-2021, 14:47   #163
shteve
[o]EvilTwinkle
 
shteve's Avatar
 
Join Date: Sep 2002
Location: Cov
Posts: 6,581
Thanks: 597
Thanked 892 Times in 633 Posts
Quote:
Originally Posted by zantarous View Post
But your original post said none of this nor did it have a link.

The link says the hackers need a photograph of your finger print plus access to your phone, a very edge case. So the actual headline is quite hyperbolic.
My post didn't mention anything about your fingerprint being stored on the device, but you ran with that anyway. I was just pointing out that using biometrics is all well and good, but if that gets compromised you can't change it. The link was just the first Google hit I found which showed it was possible. I can't argue it would be a targeted attack rather than a drive by download of an accidentally exposed hashed password DB. And yes they needed access to the phone, but then that's what they were getting in to. If your finger print scanner was what locked your front door, they'd need access to your front door. If it was your banking app that allowed access via your finger print, they'd not need your phone, just the app installed.
__________________
I've got a signature and an avatar :p
Old 21-02-2021, 14:48   #164
shteve
Quote:
Originally Posted by Tempest View Post
Perhaps I'm being dumb here, something copied over from LastPass in a funny way, or I just need to edit a setting, or it just does this sometimes!

I'm finding my Natwest card is being shown as a possible selection when I'm not understanding why.

An example screenshot. I'm on my Amazon main front page, and as you can see, it's obviously detecting this and offering me the choice of 2 Amazon accounts I have recorded, which is great.

However as you can see it's also offering my Natwest card as something I may wish to enter also, and I don't see why.

Any thoughts why it may be showing the Natwest option also?
Maybe as a payment option for when you buy something?
Old 21-02-2021, 14:53   #165
Tempest
Quote:
Originally Posted by shteve View Post
Maybe as a payment option for when you buy something?
Yeah, you may be right, though it's not the card I use on Amazon.
I do only have this one single card in Bitwarden under the CARDS section, so I'll add more in there and see if they are all listed.

As you suggest, perhaps it just thinks it's being helpful?

I've been into the card details and there is nothing in there which looks odd or set/recorded wrong.

###SIDE NOTE###

This discussion on this topic has been really great so far, and I wish to thank everyone for adding to this topic and of course all those who have answered anything specifically posted by me.

But can I PLEASE make a tiny and hopeful request that we all do our best to hold off from any little point scoring, or petty arguments of who said this, and picking apart what someone else said.
Be nice if we can remain friendly at all times if possible

Last edited by Tempest; 21-02-2021 at 14:56.
Old 21-02-2021, 14:59   #166
zantarous
Xbox Live tag: wargame
 
zantarous's Avatar
 
Join Date: Oct 2002
Location: London
Posts: 10,946
Thanks: 153
Thanked 305 Times in 221 Posts
Quote:
Originally Posted by shteve View Post
My post didn't mention anything about your fingerprint being stored on the device, but you ran with that anyway
Where else is your fingerprint being stored then? Honestly I don't understand what you are saying at this point, why would you need to change your finger print?

Edit: Ok I guess you are saying if someone creates a mould of your fingerprint?

Quote:
If your finger print scanner was what locked your front door, they'd need access to your front door. If it was your banking app that allowed access via your finger print, they'd not need your phone, just the app installed.
You mean like a locksmith could open my door without a key? Not saying a biometric is a good idea for a front door but a lock is just as hackable.

If they don't have your phone how do they get to the app? And they still need to create a mould of some sort of my fingerprint in the first place. Yes it is doable but unless you are some sort of CIA level target it is very unlikely.

Last edited by zantarous; 21-02-2021 at 15:09.
Old 21-02-2021, 15:08   #167
zantarous
Quote:
Originally Posted by Tempest View Post
Looks like Apple are/have got on top of warning about other apps looking at what you copy/paste via your clipboard on an iPhone:

https://www.schneier.com/blog/archiv..._apps_ste.html


So many apps are watching your clipboard, hence so many warnings:


I hope Google is going to do the same and let Android users know what other apps are looking at without you being aware they are.

I will admit I was naïve and always had this thought that copy/paste was always just a local and private thing that nothing was able to see.
Shows how wrong I was
I am trying to think about this logically and I am not sure this is an issue, as scary as it looks. Apps may be able to see it but they have no context to what it is unless the data is then being pulled to a server where they start collecting huge amounts of data on you to track your usage habits and build a profile of what usernames you copy or URLs.

I think this one looks and sounds more scary than it is, but I will admit I know very little about this area. I see on iOS the implementation of LastPass filling in log in details is far superior than Android. It never seems to fail to detect log in fields and I don't think I have ever copied a password on my work iPhone.

On Android they simply don't seem to be able to use the inbuilt system to do the same.
Old 21-02-2021, 15:35   #168
Tempest
Quote:
Originally Posted by shteve View Post
Maybe as a payment option for when you buy something?
Looks like you were right.
I added a second card into the CARDS section using the desktop app.
Looked to see if anything had changed when on an Amazon page and still there was just the NatWest card listed.

I was just about to delete the Natwest card and re-enter it, but I got side-tracked for a while.
Then went back to re-check and it seems there is some delay between data entered into the desktop app, and this working its way through the system into the webpage extension, as now both cards are showing up.

So, yeah, as you say, it seems like Bitwarden is simply showing any CARDS on such a shopping site to be helpful.

Good to know nothing is acting weird.
Old 21-02-2021, 15:36   #169
shteve
Quote:
Originally Posted by zantarous View Post
Where else is your fingerprint being stored then? Honestly I don't understand what you are saying at this point, why would you need to change your finger print?

Edit: Ok I guess you are saying if someone creates a mould of your fingerprint?



You mean like a locksmith could open my door without a key? Not saying a biometric is a good idea for a front door but a lock is just as hackable.

If they don't have your phone how do they get to the app? And they still need to create a mould of some sort of my fingerprint in the first place. Yes it is doable but unless you are some sort of CIA level target it is very unlikely.
Indeed, the front door was just an example. The fingerprint hacking link I found was about gaining access to a phone, so yes they'd need physical access to the phone. As to the banking app, I'm pretty sure banks don't tailor make each app for each customer so you could download the same app as your target from the phone's appstore. But yes, any hacker would need more info than just your fingerprint, and as I said it's a lot more work than cracking a database of lots of passwords. At the mo, we don't use fingerprint security for much, but if we start to, it might well become more targetable and I'll still want some form of MFA.
Old 21-02-2021, 15:37   #170
Tempest
Quote:
Originally Posted by zantarous View Post
I am trying to think about this logically and I am not sure this is an issue, as scary as it looks. Apps may be able to see it but they have no context to what it is unless the data is then being pulled to a server where they start collecting huge amounts of data on you to track your usage habits and build a profile of what usernames you copy or URLs.

I think this one looks and sounds more scary than it is, but I will admit I know very little about this area. I see on iOS the implementation of LastPass filling in log in details is far superior than Android. It never seems to fail to detect log in fields and I don't think I have ever copied a password on my work iPhone.

On Android they simply don't seem to be able to use the inbuilt system to do the same.
I hope you are right and it's a lot of worry over nothing.
I suppose I was just jumping to the conclusion that if they can view your clipboard, then they'd also probably be able to see the page you were on also, which would give them both parts they needed.
Old 21-02-2021, 16:22   #171
Tempest
I may be talking a lot of "poo poo" but I'm not sure I agree with these online password checkers, as I don't think they are being as clever as the code used to check/crack passwords.
Given that humans are really really sneaky apes
I'm sure such programmers have already thought of typical easy to remember and type passwords that people may be using and are checking for such things as opposed to basic letter by letter checks.

Easy to type patterns on a keyboard for example.

Are we to believe this password I made up is as strong as is suggested?



I tried the same password on another site:



Also here:


Last edited by Tempest; 21-02-2021 at 16:26.
Old 21-02-2021, 17:00   #172
Chris Locke
Making a 1% improvement
 
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,481
Thanks: 613
Thanked 1,811 Times in 630 Posts
Quote:
Originally Posted by Tempest
Are we to believe this password I made up is as strong as is suggested?
Why isn't it secure? It's 48 characters long. It's not 12345678910 which is eleven characters long. Or are you just looking at the difference in time to crack it?
Don't forget, a password hashed is simply 1CDF85EEA65E211DFF86 (etc). Why would a password guesser choose your phrase above 'its sunny outside on wednesdays' ?

Quote:
Originally Posted by Tempest
Perhaps I'm being dumb here, something copied over from lastPass in a funny way, or I just need to edit a setting, or it just does this sometimes!
BitWarden always shows cards, regardless of the site. Even here, it shows credit cards, and identities.
There is a delay between syncing, so if you add a password (or amend one) on the desktop, it'll take 'time' before you see that password/change on other devices. Updates are automatic and instant (obviously) but syncing isn't.

On the desktop, you can turn on/off the cards/identities. Unsure about the mobile app.


Last edited by Chris Locke; 21-02-2021 at 17:10.
Old 21-02-2021, 18:21   #173
Tempest
^ I'm thinking that programmers who write code intended to guess/crack passwords, like Dictionary attacks, will think of things humans will tend to write and try, and pre-program in routines? that try commonly used methods of an easy password as opposed to only mindless brute force.

For example, and apparently as I tried it

two thousand and one
two thousand and ten

Are both, on one of the checking sites, regarded as bad, easily hackable passwords.
Presumably as they are known by everyone as common names of movies.
Hence me saying people who write these systems will have this type of thing checked for.

Hence me thinking (and may well be wrong) "one two three four five" whilst many characters, it will be pre-known by any clever person this is the type of thing people might try and hence be checked for, before going to brute force.

Just a thought, but makes sense does it not?
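An added illustration of the question raised in posts #171 and #173 (not part of the thread, and not a description of how any of the checker sites mentioned actually work): a per-character strength estimate next to one that charges for list and pattern hits first. The phrase and word lists, their assumed sizes and all function names are constructed for this example.

```python
import math
import re

# Constructed sample lists; real guessing tools ship far larger ones.
COMMON_PHRASES = {"two thousand and one", "two thousand and ten",
                  "one two three four five"}
COMMON_WORDS = {"one", "two", "three", "four", "five", "ten", "thousand",
                "and", "password", "tempest", "chris"}
ASSUMED_PHRASE_LIST = 1_000_000   # assumption: size of a guesser's phrase list
ASSUMED_WORD_LIST = 10_000        # assumption: size of a guesser's word list
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
SYMBOLS = 33                      # printable ASCII that is not a letter or digit


def naive_bits(pw):
    """Per-character model: length * log2(size of the character classes used)."""
    pool = sum(size for pattern, size in (
        (r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
        (r"[^A-Za-z0-9]", SYMBOLS)) if re.search(pattern, pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def is_keyboard_walk(token):
    """Four or more keys along one keyboard row, in either direction."""
    t = token.lower()
    return len(t) >= 4 and any(t in r or t in r[::-1] for r in KEYBOARD_ROWS)


def pattern_aware_bits(pw):
    """Cost of each piece to a guesser that tries lists and patterns first."""
    if pw.lower() in COMMON_PHRASES:
        return math.log2(ASSUMED_PHRASE_LIST)
    bits, seen_separators = 0.0, set()
    for tok in re.findall(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]", pw):
        if tok.lower() in COMMON_WORDS:
            bits += math.log2(ASSUMED_WORD_LIST)
        elif is_keyboard_walk(tok):
            # choice of row, starting key (at most 10) and direction
            bits += math.log2(len(KEYBOARD_ROWS) * 10 * 2)
        elif not tok.isalnum():
            # a separator reused throughout only has to be guessed once
            if tok not in seen_separators:
                bits += math.log2(SYMBOLS)
                seen_separators.add(tok)
        else:
            # not on the sample lists: charged as random characters, which
            # overstates real words that a larger list would contain
            bits += naive_bits(tok)
    return min(bits, naive_bits(pw))


def compare(pw):
    """Return (naive, pattern-aware) estimates in whole bits."""
    return round(naive_bits(pw)), round(pattern_aware_bits(pw))


if __name__ == "__main__":
    for sample in ("one two three four five", "two thousand and one",
                   "qwertyuiop", "Chris One Two Three", "tempest-98",
                   "its sunny outside on wednesdays"):
        naive, aware = compare(sample)
        print(f"{sample!r:36} naive={naive:>4} bits  pattern-aware={aware:>4} bits")
```

The gap between the two columns is largest for listed phrases and keyboard rows, and smallest for a phrase whose words are not on the sample lists.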
Old 21-02-2021, 18:42   #174
Chris Locke
I can see where you're coming from, but combination-wise, there are too many permutations to be worthwhile. If my password was 'Chris One Two Three', a password cracker can't see the 'One Two Three' and starts filling in the blanks like WOPR on 'WarGames' ("She's got six characters ... only two more and we break into Chris's account on PornHub!!")
Old 21-02-2021, 20:57   #175
Tempest
Quote:
Originally Posted by Chris Locke View Post
I can see where you're coming from, but combination-wise, there are too many permutations to be worthwhile. If my password was 'Chris One Two Three', a password cracker can't see the 'One Two Three' and starts filling in the blanks like WOPR on 'WarGames' ("She's got six characters ... only two more and we break into Chris's account on PornHub!!")
Indeed. I certainly need to change my MasterPassword as whilst the guts of the password are things I know, I've added in many !^~# type symbols which makes it pretty damn hard to remember how to type.

I guess I was, and still do think that almost every password generator says the best passwords are basically random characters and throw in a lot of !"£$%^ type stuff also, and stay away from real words for dictionary attacks.

I need to work on it
Old 21-02-2021, 22:02   #176
Tempest
Found this, which is, so was said pretty much "THE" article on the subject of password creation.
If you fancy a bit of an in depth, but easy to read article on the subject:

Jeff Yan, Chinese University of Hong Kong
Alan Blackwell, Ross Anderson, and Alasdair Grant, Cambridge University


https://prof-jeffyan.github.io/jyan_ieee_pwd.pdf

A good read

Last edited by Tempest; 21-02-2021 at 22:06.
Old 21-02-2021, 22:30   #177
Chris Locke
Quote:
Originally Posted by Tempest View Post
I guess I was, and still do think that almost every password generator says the best passwords are basically random characters and throw in a lot of !"£$%^ type stuff also
As my earlier comment said - if they can rattle through billions of combinations per second, adding in more characters (or sets of) makes it longer for them to crack. all-lowercase is obviously the worst, and sQuIfFyCaSe is going to take longer than ALL-UPPERCASE - depending on which direction the process takes...
Even if you have a password of 'tempest-98', the dash adds in an extra layer, is easy to type, remember, etc.
Old 21-02-2021, 22:42   #178
Tempest
Quote:
Originally Posted by Chris Locke View Post
As my earlier comment said - if they can rattle through billions of combinations per second, adding in more characters (or sets of) makes it longer for them to crack. all-lowercase is obviously the worst, and sQuIfFyCaSe is going to take longer than ALL-UPPERCASE - depending on which direction the process takes...
Even if you have a password of 'tempest-98', the dash adds in an extra layer, is easy to type, remember, etc.
I still do wish we could, on our computers as with the phones.
When you fire up something like Bitwarden on your PC via the desktop app, the web app or the browser extension, you'd just click in the input box, tap your finger on your USB connected fingerprint reader and, poof, it's done.
How much easier would that be.......

Actually now I said this, I see there is an "Unlock with Biometrics" tickbox on the Browser Extension drop down box, so perhaps this is possible?
So next question............ Is there a cheap(ish) USB fingerprint reader I can buy to plug into my Windows 10 PC to do this?


This aside the instructions do seem a tad unclear:
https://bitwarden.com/help/article/b...ock-in-desktop

Seems to say you can get access via biometrics to the web extension.
Then goes onto say something about needing to have the desktop app loaded up and unlocked also.
But I may be reading it wrong, it's not super clear to me

Last edited by Tempest; 21-02-2021 at 23:13.
Old 22-02-2021, 05:45   #179
Chris Locke
"Actually now I said this, I see there is an "Unlock with Biometrics" tickbox on the Browser Extension"

I think that means to unlock the actual vault (ie, log in) - not log into a website. Certainly on my phone, a 'standard' app (eg, Asda) only lets me log in using BitWarden (add in the passwords), not use the fingerprint reader.

"So next question............ Is there a cheap(ish) USB fingerprint reader I can buy "

There is a monitor on Kickstarter you might be interested in - it's got loads of bells 'n whistles and includes a fingerprint reader (and phone charger, Wifi adapter, extender, blah blah blah)

Last edited by Chris Locke; 22-02-2021 at 05:48.
Old 23-02-2021, 20:08   #180
Tempest
Ok, well after looking at the damn things, and reading user questions and reviews for the last 3 days I've bitten the bullet and purchased a small USB Windows Hello fingerprint reader, and a USB extension lead which will hold this device facing up on my desk.

Supposed to be totally Windows 10 compatible and possibly Plug and Play as Windows will detect it and it will just work.
Or it won't do that at all and you need to mess looking for drivers.
One of those two things, depending on which review you read.
(some Dell users suspecting Dell may have done something to their machines to cause issues)....?

Anyhoo...... My ideal world is this will allow me to log into Windows 10 itself with a tap of the finger, and also to allow access to Bitwarden to at least fill in passwords, even if not to actually go in and edit stuff.

Be interesting to see how it goes