Server Encryption

How do you access this site (or any other site) from places you do not have that program installed?

I haven't used LastPass. I believe there's a way to access your saved credentials just with your user name/master password - which is why you'd want to add some form of multi-factor authentication to your account.

I prefer KeyPass2 because absolutely everything is saved locally. Just need to store an encrypted version of the database and key file somewhere that you can always access, in case anything happens.

Now, to clarify, you wouldn't need something like this in place for literally everything that you log into. I set it up for coh2.org after discovering that they transmit everything in clear text, but I wouldn't really need it for like... Reddit and Twitch and YouTube and all those sorts of places where an attacker wouldn't gain a lot from compromising my account.

But for stuff like your email, bank account, PayPal, Amazon, eBay, etc. That's where you'd want to use it.

I use LastPass for the convenience. I have 3 laptops, 1 desktop, and 2 phones. If I were ultra paranoid I'd use KeyPass with a local vault and hack together some sort of makeshift way to synchronize all my devices. Knowing that I have all my passwords stored in one spot I've got a YubiKey for a 2nd factor of authentication.

If for whatever reason you don't have the LastPass plugin installed you could just go to your vault and copy the username/password out.

My Password is Password123 is that a pretty good password? what do you think? I'm thinking about switching over to Password123! haven't decided yet though.

I use LastPass for the convenience. I have 3 laptops, 1 desktop, and 2 phones. If I were ultra paranoid I'd use KeyPass with a local vault and hack together some sort of makeshift way to synchronize all my devices. Knowing that I have all my passwords stored in one spot I've got a YubiKey for a 2nd factor of authentication.

If for whatever reason you don't have the LastPass plugin installed you could just go to your vault and copy the username/password out.

Sounds like you're more than fine unless the NSA decides to come after you, and even then you'll be better off than most. I don't see any reason to switch to keepass given your setup.

by the way, what does that mean the usernames and passwords are out in the open, is there like a url that links to a txt file with all the stuff in plain sight?

They're not "out in the open", they're hashed and salted on the server, they're just posted in plaintext from the browser to the server. Which is not good practice, agreed, but it's nowhere near the level of vulnerability you claim it is. The main implication of this is if someone is sniffing packets from your machine (because they're on the same network as you or you're connecting over an insecure access point), they will be able to see the password you send to the server when you login.

Regardless, the appropriate people have been made aware of this. I haven't worked with the code in a long time, so I'm not in a position to fix it.

The OP doesn't really know what he's talking about, he's just parroting what someone else said and exaggerating. The current situation is not ideal, but also won't give anyone your password unless they're reading your network traffic.

by the way, what does that mean the usernames and passwords are out in the open, is there like a url that links to a txt file with all the stuff in plain sight?

The credentials are passing over cleartext channels when you are authenticating to coh2.org. Somebody could sniff these out IF they had a method of listening in on the communication channel.

Seeing as how I work with keeping CCTransactions (terminal and web) secure for thousands upon thousands of people the best advice has already been stated by Ciez. BTW if you really wanted security just get a password that's is a guid and very long and write it down on a piece of paper, then all you have to really worry about is either the NSA(or like agency) and someone stealing the paper

The credentials are passing over cleartext channels when you are authenticating to coh2.org. Somebody could sniff these out IF they had a method of listening in on the communication channel.

Listening is trivial.

Having access to listen can be more difficult, but still isn't even that hard depending on the type of wireless/network security being employed.

The worst-case scenario as I can see it would be some one getting to listen in on the incoming connections to coh2.org's server. I don't know anything about their server other than a few small things I've discovered on my own (IP address, some open ports, OS version, etc). I purposely did not poke around any more because I wasn't, and don't want, to attack coh2.org... so I don't know how easy/hard it would be for an outsider to get access to the server. (Would be a fun/interesting pen test if I had some sort of written/signed consent from Ami though! Otherwise I'm not touching it any more than I have.)

All in all, as Inverse said, it isn't a high risk vulnerability (in this case). In all likelihood some one would have to specifically target your home network in order to exploit it at all - and even that can be entirely mitigated by simply using a different password for coh2.org than you use anywhere else. Even if some one got access to your coh2.org account... what are they gonna do? Troll the forums I guess? And probably try your password on other sites - like your bank account/email/paypal/amazon/etc which is why you should use a different password.

As far as Das points out with the piece of paper. In terms of storing your password, yes that's technically the most safe since some one would have to break into your house to retrieve it. But with the way passwords are passed along the internet you still want a good password. Even if your password is written down, if I see: dc647eb65e6711e155375218212b3964 come up as an MD5 hash anywhere, I can crack it in a matter of seconds and find out that your password is: "Password"

As compared to something like this: 316d314d194256c3a5c7c591d51cf6e0 which probably won't get cracked ever. Well... I say that but it is an MD5 hash and MD5 kinda sucks in today's day and age. So yeah, it's still probably crackable, but a lot harder.

The site is now using https.

Not sure if you're talking about lastpass, or if you thought keepass2 was a web-based password management app buttttttttttt I'll try and ease your mind a little/enlighten you...

As long as the database in which your password(s) are stored on any given web server, even if that server is compromised, your passwords (in the environment of a properly managed database) will be secure. Part of this is your responsibility to make a strong password, no realistic amount of help is going to fix a weak password.

In simple terms this is what is going to happen: you give mywebsite.com your user name/password, they shouldn't need that information for anything other than authentication, therefore they will hash the password (preferably with some sort of salt), and store the hashed value of your password. When you authenticate in the future, they only compare the hash your browser sends them, to the hash they have stored - if they match, congrats you entered the same password and you're let in. Without going into the details of attacking something like this, suffice it to say that if your password is weak and the database is compromised, it will be trivial to crack your password. But if it strong, odds are your password is safe from anyone other than a state-backed actor.

Not to mention that it'll be exponentially more difficult to attack a properly hardened webserver than most people's local machines/home networks.

Now... I haven't done my research on lastpass because I don't use it but I'd be willing to bet that your passwords are safe there...

As for KeePass - all the passwords are only ever stored locally on your machine. You set up a master password and have the option of adding a key file and OS user account as additional layers of authentication to access your password database. You then get to set up your list of passwords, which KeePass will randomly generate for you if you'd like (yay copy/pasta) and never have to worry about remembering anything other than 1) your master password and 2) the location of your key file.

In order to compromise this an attacker would need full access to your local machine, they'd have to know where your key file is located, and they'd have to be logged in as you (well I guess that part is easy if your Windows/Linux/OS X password sucks). Anyways, the point being... the odds of this happening are incredibly low unless you derp up.

Edit: https://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html/

^ If lastpass is good enough for Steve Gibson, it's good enough for me. I'll stick with KeePass because I already have it set up, but there's some more reading material for those interested.

Agree with most you said apart from 'they only compare the hash your browser sends them' pretty sure your browser sends the password in normal format and the webserver hashes the submitted password and compares it to the store password.