LastPass customer vaults taken in last attack.

LastPass still makes me more money, sadly. Passwords are never updated as clients hope, so we spend more time fiddling with LastPass and then give up and reset it.

I'm still using Notepad lol
 
Excel's defenses are a joke.


We just took over a customer; the previous IT company left an Excel sheet on their domain controller that looked interesting. I cracked it using the above process and POOF, every admin password to every firewall, switch, and server, all mine.

Now, I had domain admin for the server, and could get to the file. So you do have some mitigating control if you can retain the access to the file itself. But if someone ever gets a copy of that sheet, the encryption is not helpful.
I am not one to be targeted for ransom. I am not on a domain controller or within a domain; I am a one person business. I would never allow my security information to be available to a service on the internet, as all security is able to be bypassed. As I said, there would be no reason as to why a hacker or whatever one wishes to define them as, would target a one person business unless I opened the door for them. There is no real potential for $$$. I keep the sheet on my system because I have so many passwords; these are not for businesses I manage. For businesses I manage I create documentation in a folio with all other relevant information regarding their IT infrastructure and they keep the documentation.
 
I said there would be no reason as to why a hacker or whatever one wishes to define them as, would target a one person business unless I opened the door for them. There is no real potential for $$$.

That's what it boils down to. The proverbial juice has to be worth the squeeze.

Script kiddie hackers aren't the threats I concern myself with because the defenses I use have proven, over the course of decades, to either be beyond what they can break through or, more likely, they're just not interested. This class of hacker does "smash and grab" stuff only, and if they can't easily smash, they can't easily grab.

Operators who are looking for big money aren't interested in me, at all. They spend months to years very carefully planning and plotting their strategies and picking their targets. Social engineering is almost always involved as well.

I do use a password manager, Password Safe, and my encrypted vault is stored on Google Drive so that I have access to it on all of my laptops and my smartphone. It has served me well for heading into 20 years. Unless someone were to somehow guess my vault's master password, which at 13 characters is very unlikely, having that file is not of any use whatsoever.
 