Thursday 22 October 2015

LastPass has had a security breach, they say. Is 1Password OK?

It looks like LastPass was hacked and users' accounts & passwords have leaked all over the place. Change your master password right away and enable two-factor authentication. Or rather, wouldn't it be better to switch to 1Password and manage the keychain yourself? Entrusting your important passwords to the cloud is such a scary thing that I simply couldn't do it.

Password Manager LastPass Warns of Breach

Hack of cloud-based LastPass exposes hashed master passwords

LastPass Security Notice - LastPass Blog


By the way, just yesterday there was this sensational article about 1Password's security that caused quite a stir, but if you actually read it carefully, the conclusion is that there is no problem at all, isn't it?

1Password Leaks Your Data

When a Leak Isn’t a Leak

So, here is a sneak peek at what I do to use 1Password more safely. I wrote it for posting to my company's Slack, so it's all in English. If you're bad at English, do your best. Also, everything below is for Mac users. Windows folks, go buy a Mac and come back.

Here are some tips on what I have done to make my 1Password setup more robust:
  • Use the OPVault format for your keychain file: for more info → https://support.1password.com/switch-to-opvault/
  • Hide your keychain file by changing its location, file name & extension: i.e., if you rename the keychain file from 1Password.opvault to test.app, it's more difficult for hackers to notice that it's a 1Password keychain. I also put my keychain file inside a hidden folder (just add a dot at the start of the folder name).
  • Update your master password periodically: i.e., if you include some numbers based on the calendar, such as 'somepassword2015-10!', you can update your password monthly without forgetting the new one!
  • Apply two-factor authentication on Dropbox if you'd like to put your keychain file on Dropbox to share it across multiple devices. Also don't forget to hide the keychain file (as mentioned above) in your Dropbox.
  • Turn on the Firewall and FileVault on your Mac: System Preferences > Security & Privacy > Firewall > Turn On Firewall
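As an added example (not part of the original post), here is a small POSIX shell audit of the Mac-side settings in the list above: FileVault on, application firewall on, vault kept inside a dot-folder, and vault name not revealing its format. The parsing functions take command output as strings so they can be exercised offline; the vault path in `live_audit` is a placeholder to edit, and the command output strings it expects are those of `fdesetup status` and `socketfilterfw --getglobalstate` on macOS.

```shell
#!/bin/sh
# Added example: audit the settings recommended above.
# Parsing functions accept command output as a string so the logic runs
# anywhere; live_audit invokes the real macOS tools when they exist.

# $1: output of `fdesetup status` -> returns 0 when FileVault is on
filevault_on() {
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# $1: output of `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`
firewall_on() {
  case "$1" in *"is enabled"*) return 0 ;; *) return 1 ;; esac
}

# $1: vault path -> returns 0 when some path component starts with a dot
vault_hidden() {
  case "/$1" in */.[!/]*) return 0 ;; *) return 1 ;; esac
}

# $1: vault path -> returns 0 when the name still reveals a 1Password vault
vault_default_name() {
  case "$(basename "$1")" in
    *.opvault|*.agilekeychain|1Password*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: FileVault output, $2: firewall output, $3: vault path.
# Prints one line per gap; the exit status is the number of gaps found.
audit_settings() {
  n=0
  filevault_on "$1" || { echo "FileVault is off"; n=$((n+1)); }
  firewall_on "$2"  || { echo "Application firewall is off"; n=$((n+1)); }
  vault_hidden "$3" || { echo "vault is not inside a dot-folder: $3"; n=$((n+1)); }
  if vault_default_name "$3"; then
    echo "vault name reveals its format: $3"; n=$((n+1))
  fi
  return $n
}

# Live run on a Mac. The default path is a placeholder; pass your own.
live_audit() {
  vault_path="${1:-$HOME/Dropbox/.docs/test.app}"
  audit_settings "$(fdesetup status)" \
    "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)" \
    "$vault_path"
}

if command -v fdesetup >/dev/null 2>&1; then live_audit "$@"; fi
```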

Furthermore, in my case…
  • I completely block all network traffic (both incoming & outgoing) of 1Password.app using Little Snitch, as I don't even trust 1Password.app (engineers at AgileBits could potentially implement some malicious code in their app to leak your passwords).


Do you think this is too much? Maybe it sounds like paranoia…?
However, I’m pretty sure that no cyber security measure is perfect; any encryption or passwords will be compromised sooner or later, and we cannot be too careful.

So, take care!
