Domain: agilebits.com
Stories and comments across the archive that link to agilebits.com.
Comments · 10
-
Re:Lovely
It's fine that you don't, but those of us who are aren't really worried. Client side encryption means not trusting the transport layer - even https.
No 1Password data is put at any risk through the bug reported about CloudFlare. 1Password does not depend on the secrecy of SSL/TLS for your security. The security of your 1Password data remains safe and solid.
https://blog.agilebits.com/201...
(I use LastPass myself)
The security I get from having unique 14+ char completely random passwords for _every_ site by far outweighs the slight possibility that access to both my encrypted binary as well as my master password slips out. The by far easiest attack vector for that would be hacking my systems, and if that happens any system I log on to can be snooped then and there as well.
-
Re:Wah wah...
KeePass is free and open source, and easy to use. Its interface is fairly basic, but it gets the job done. It can generate strong passwords, it has a password strength checker, some fairly decent management and organization options, etc. It's aimed primarily at Windows but it can function in Linux and BSD (including OS X) under Mono, and fully supports this. We use this at my workplace and it serves its purpose.
However, I personally am a fan (and long-time user) of 1Password, which is my vault of choice. It's got a highly polished and very easy to use interface, very active development, it's cross-platform Windows, OS X, iOS, and Android. It has plug-ins for all the major web browsers. It supports a range of features KeePass lacks, and also some third party support (like DropBox, for keeping your vault synced over all devices). It's also got a good community--I've found a few bugs myself, and the developers were very accessible and responsive to my posts in their 1P forum they have available for such things. The only downside with 1P, of course, is that it is not free nor is it open source (though the schema and design of their vault file format is fully open and documented, and has been audited in the past). However, I think it is worth its price, and I'm happily a paid user. -
Re:Not a good solution
Many password managers have a means to synchronize their databases between multiple instances of the application. Many of these do in fact use cloud services.
For instance 1Password supports synchronizing through DropBox (one of many approaches) and seemingly iCloud. I currently use DropBox (and yes it is on my short-list to re-evaluate the decision). The database itself is encrypted using your master password so the contents are presumably inaccessible even if someone were to gain access to your DropBox account. Additionally the database itself can be decrypted in a standard web browser by browsing the files locally using a web-page they package into your database. AgileBits has a detailed security analysis on their site and blog if you are interested.
This means that you can retrieving a passwords when logging in from a device you don't own by logging into DropBox, and viewing/decrypting the password database in your browser. You need to remember your dropbox and 1password passwords to do so enabling you to not know 99% of the credentials for your other accounts.
But even that is too inconvenient. If I am compelled to use a device I don't own (a rare occurrence), I just look up what I need from my phone which is also synchronized and type in the relevant credentials.
-
Re:1Password
-
Re:Forcing strong passwords in the first place.
1Password by agilebits supports all of those except linux, and syncs between them all using a couple different methods including an AES encrypted files on dropbox. If you need it on linux, they have a way that you can do it, but it's not as nice.
-
Re:You need more than 16 char
I would hope that large systems are taking measures against theoretical systems that could theoretically guess 100 billion passwords a second, such as by using PBKDF2:
Now I await someone much more knowledgeable in this area to come in and tell me why I'm wrong. (I welcome it, too; I don't want to be wrong any longer than I have to be.)
-
Re:Weak security questions
Dropbox, yes, yes, no. I personally use 1Password, but there are plenty of other strong-crypto password vaults to choose from.
-
Re:Low expectations
This serves as yet another reminder of the value of using a password manager that can generate unique passwords for each and every site and then store them securely. That way, when the inevitable happens, as it did here, only that one password is compromised, and it comes at no hassle to you.
I've been using 1Password for years, but a number of folks here seem to like KeePass, and I'm sure a few kind folks will reply with more suggestions below.
-
Re:My account was among those compromised.
I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.
DO NOT DO THIS. I don't mean this disrespectfully, but you don't know what you're doing. That's OK! People not named "Bruce" generally suck at secure algorithms. Crypto is hard and has unexpected implications until you're much more knowledgeable on the subject than you (or I) currently are. For example, suppose that hypothetical site helpfully truncates your password to 8 chars. By storing only 8 hex digits, you've reduced your password's keyspace to just 32 bits. If you used an algorithm with base64 encoding instead, you'd get the same complexity in only 5.3 chars.
Despite what you claim, you're really much better off using a secure storage app that generates truly random passwords for you and stores them in a securely encrypted file. In another post here I mention that I use 1Password, but really any reputable app will get you the same protections. Your algorithm is a "security by obscurity" system; if someone knows your algorithm, gaining your master password gives them full access to every account you have. Contrast with a password locker where you can change your master password before the attacker gets access to the secret store, and in the worst case scenario provides you with a list of accounts you need to change.
I haven't used PasswordMaker but I'd apply the same criticisms to them. If an attacker knows that you use PasswordMaker, they can narrow down the search space based on the very few things you can vary:
- URL (the attacker will have this)
- character set (dropdown gives you 6 choices)
- which of nine hash algorithms was used (actually 13 - the FAQ is outdated)
- modifier (algorithmically, part of your password)
- username (attacker will have this or can likely guess it easily)
- password length (let's say, likely to be between 8 and 20 chars, so 13 options)
- password prefix (stupid idea that reduces your password's complexity)
- password suffix (stupid idea that reduces your password's complexity)
- which of nine l33t-speak levels was used
- when l33t-speak was applied (total of 28 options: 9 levels each at three different "Use l33t" times, plus "not at all")
My comments about the modifier being part of your password? Basically you're concatenating those strings together to create a longer password in some manner. There's not really a difference, and that's assuming you actually use the modifier.
So, back to our attack scenario where a hacker has your master password, username, and a URL they want to visit: disregarding the prefix and suffix options, they have 6 * 13 * 13 * 28 = 28,392 possible output passwords to test. That should keep them busy for at least a minute or two. Oh, and when you've found out that your password is compromised? Hope you remember every website you've ever used PasswordMaker on!
Seriously, please don't do this stuff. I'd much rather see you using pwgen to create truly random passwords and then using something like GnuPG to store them all in a strongly-encrypted file.
-
Re:How hard are the passwords to crack?
Use a passphrase unless there's some stupid limit on password length.
I use 1Password to generate and store unique passwords for every site and service I use (but any other secure generator would do as well). Assuming a site uses hashes correctly, good luck cracking passwords like "rdLRslj67aqJ".