RealHJ

Exactly! This by the very nature of it is a major risk factor for password managers: they do not log you into a site directly, they have to decrypt your password first and then enter it plain text. The moment there is a mechanism for decryption, as I was explaining earlier, there is a heavier risk of a backdoor, or your password to unlock the password manager being exposed. All it takes is for a keylogger to log your password into the password manager and they have access to ALL your passwords, not just the one site you were logging into (unless the password manager also requires a physical hardware key or such...potentially 2FA. but only if configured and set securely, as too often it's not). As I said, it is for lazy people who like to feel good, while all to often needlessly endangering their security and doing quite of the opposite of what they imagine their are doing in their infinite wisdom.

That being said, there are, of course, different grades of password managers. All have some major core risks, but some have a lot more risk factors than others.

The best password manager? Still your mind.

defrosted

Agreed, if you do it correctly. Although I would argue most people have less net risk using a password manager versus typical weak passwords.

pvn

You're almost certainly massively overestimating the security of xkcd-style passphrases.

Since I'm using a password manager and not trying to remember them, I don't need to use "weak" random character passwords (there's no limit on how long I can make them since I don't have to remember them and there's zero chance I'll reuse them).

xkcd-style passwords are certainly better than "password" and maybe even better than eight random characters.

I have a pretty decent memory but there's no way I can remember 200 different four-word phrases, especially considering a high percentage of those are sites I might only visit once a year (but have a very high cost if they're compromised).

pvn

It's certainly possible that the password manager is compromised but the likelihood my particular info is breached is small (I use keePassX which is offline and open source). For someone to get my passwords they'd have to both get access to my physical devices and be able to decrypt the database.

That's EXTREMELY unlikely unless I'm targeted by state-level organizations, which is definitely not the threat model I'm worried about (if it comes to that, I've already got a lot more things to worry about).

pvn

If you get hit by a key logger then your passwords in your head that you actually use are compromised too. And if you're using an offline manager then the attacker still doesn't have access to your database.

I mean it's not like these keyloggers only work once and then self-destruct.

If you're using a password manager, you're also immune to physical keyloggers.

RealHJ

You're right, yes, that an off-line password manager, esp. with 2FA and individual encryption of each password (with unique keys), is a pretty solid way to go.

Many, however, use online password managers with dubious security measures.

MinnTee

I am so sorry this happened to you (along with the other issues I read about further on). I am sorry that I cannot help in any way, but I wanted to thank you for posting, because it made me go in and change my password on Delta.com (I have almost 2 million miles accumulated). I had not changed it since 2014 and it was a common one I used back in the day and probably still have active on other websites. While that doesn't help you, once again, thank you for posting.

TheHorta

spamkiller

No, you are wrong. If a key logger is being used, it will log the login to the key logger. A key logger does not intercept web traffic, but it hooks into the keyboard input. Probably using SetWindowsHookEx(WH_KEYBOARD_LL,...); The would do this in a small program that does gets called as a startup or set it up as a service. Actually, I'd set up a second service that will handle sending the data, and a 3rd to make sure that the other programs and services were not messed with. This is mostly off the top of my head since I never had to write a full keylogger, just something to monitor the Windows and Alt keys for a terminal server client which uses a high speed proprietary protocol.

But as an added layer of security, I use unique e-mail addresses for everything.

slidergirl

I am the only one with access to my MacBook and iPhone. Advantage of living alone. I have a malware program that runs frequently on a schedule, once a week. Yet, I was one of quite a few who had miles drained that day. And, as I've had a little more time to look for crumbs (I used to be a network software engineer that tested software), I've kind of been led to some things that I will investigate further for the non-Delta issues. No one gets out cleanly...

pvn

I guess you should re-read my post, since my claim of a password manager giving immunity against keyloggers was specifically qualified to physical keyloggers.

slidergirl

An update: This is getting silly. Yes, it's not millions of miles, but there are MY miles and I want them back and access to my account.

Since I had received ZERO responses from Delta, I decided to call again. Once again, the phone program did not recognize my FF#, so shot me to an random agent. I went through the whole thing again and said that I had not received any responses yet. The agent looked at my account and said "well it is locked for a security issue." I said "yes I reported this 3 weeks ago." She can't see any documentation that anything was being investigated. She then said "you need to send us a copy of your Drivers License for us to proceed." Why the Hell did someone tell me this earlier??? So, she points me to the "contact us" page to send another email. It won't let me enter my FF# because it is "unknown". She can't understand why, since she can see it and the account. So she says to send it without the number, put the number as the first line of the comment, and attach a photo of my DL. I do that. THEN, she says it will take 3-4 weeks to get this resolved. I said it's already been 3 weeks - she says the clock starts again and it will be 3-4 weeks before I know IF I GET MY ACCOUNT BACK.

I've got flights out on Nov.1 - I'm just waiting to get "dinged" at the gate and taken away for being a fraud.... Maybe if I were a Diamond MMer, this would have been fixed quickly. But, this is really poor service for a lowly SM member...

TheHorta

pulpfiction78

On your upcoming flight do you perhaps have access to a lounge? Here's what I would try. Write out everything that's happened with dates in short bullet points. Whomever you talk to, be it an agent on the phone or in person, be very precise and polite- forget your frustration for a moment. If you have access to a lounge, pay the fee to enter and see a customer service rep in person. Maybe by speaking to someone in person they can offer you better assistance.

By the sound of it your account seems to be in a lockdown status from access due to the compromise and drainage of miles. They seem to be taking caution to make sure that when they reactivate it they do so to the rightful owner.

pulpfiction78

A quick edit to say that I regret trying to stoke the fire on the security discussion. I will leave my original quote, below, but also say that let's try to focus on the original issue. None of us here know how the account got compromised so it's hard to offer advice in that sense. In hindsight, a plausible cause of Delta compromises could just be a successful phishing attack. They are very sophisticated these days. Happy weekend, everyone!


By the way, there is a lot of silly advice on password security here (I'm looking at you, who claims remembering 30 different passwords is a laughably easy feat). Most compromises happen from a shared password. Focus more on using unique passwords for each service and when available use 2 factor authentication. In terms of how you store your passwords use a password manager, or even allow Google to do it (if you do, make certain you use 2 factor authentication on Google itself). If you somehow get compromised with doing that there's probably not a lot you could have done to prevent it in the first place.