Domain: keepass.info
Stories and comments across the archive that link to keepass.info.
Comments · 143
-
Re:This is also the case on Firefox
I wouldn't call this a crutch...
-
Re:The hashes are salted
Why would you have to remember them? Just use something like Password Safe or KeePass to remember your passwords for you. Not only do you not have to remember your passwords, but because you don't have to remember them, you can have much longer and more complex passwords.
-
Re:Brilliant idea
I use a password manager to solve this problem. It stores all (or a large set of) my passwords in an encrypted database.
I see. And where, pray tell, is this database stored?
I ask, because I do (say) banking both at home and at my workplace. It would be useful if I could bring this database with me. I wouldn't want it network-connected; that would be insecure. But if I could store it on a device that I always carry with me, perhaps one that would fit in my pocket, that'd be fabulous.
-
Re:Brilliant idea
I use a password manager to solve this problem. It stores all (or a large set of) my passwords in an encrypted database. I have one very strong password that lets me access the database. The passwords it stores are all strong (sometimes hard to remember) passwords that I do not have to store in my head.
I still have all of my eggs in one basket, but that basket is sealed in a solid iron box.
-
Anything like KeePass for Linux?
KeePass requires .NET Framework 2.0. Or does it work in Mono? What password managers have Linux users found useful?
-
My typical 'security question' answer...
-
Non-authoritative authentication
Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.
Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).
Get KeePass and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?
-
Don't Do Anything Private On Your Work Computer!
If I ever get filthy rich, I'm doing a large scale PSA on this because people are dumb and just don't get it.
Anything done on company property, that includes their computers and networks, is not private and should be considered like one is broadcasting their private information loudly for everyone to hear. Just because it's personal and/or done on non-company time doesn't mean it's private when on company property.
Never have your web browser save any information, especially passwords and sensitive information! I know it makes life easier, but just don't. If one is having a hard time remembering that stuff, use KeePass and make sure to use a password, not a Windows account, and make a few backups.
If one absolutely must do private stuff while at work, use a smartphone, tablet, or a laptop. If that's not an option, there's plenty of ways to remote into one's computer at home. I personally use RDP over an SSH tunnel since it doesn't require installing any software, PuTTY is easily downloadable, and the RDP client is installed by Windows by default. I know I could just do RDP straight, but I like the added security SSH adds. I know there are some routers that will do the SSH tunneling natively (most SOHO on stock firmware can't) or you can just build your own with something like pfSense.
-
Re:In the meantime - LastPass!
That's about as useful as saying magic unicorns protect your security.
Unless it's open source, you're still depending on the good graces of a third party to not do something else with your password. A black box with AES stamped on the outside garners the same level of trust as a black box with ROT13 stamped on the outside. How do you know they're not AES encrypting the username, and keeping passwords in plaintext? (through incompetence, malice, or just simply a bug)
Go with KeePass instead, and keep everything on your computer. Upload the KeePass database to cloud storage, if you desire. The database itself is encrypted.
-
Re:Low expectations
This serves as yet another reminder of the value of using a password manager that can generate unique passwords for each and every site and then store them securely. That way, when the inevitable happens, as it did here, only that one password is compromised, and it comes at no hassle to you.
I've been using 1Password for years, but a number of folks here seem to like KeePass, and I'm sure a few kind folks will reply with more suggestions below.
-
Re:Keepass
Apparently the new version will even allow you to synchronize multiple users (just found it earlier in this thread): http://keepass.info/help/base/multiuser.html
With KeePass 2.x, a database can be stored on a shared network drive and used by multiple users. When attempting to save, KeePass first checks whether the file on disk has been modified since it was loaded. If yes, KeePass asks whether to synchronize or overwrite the file (see image on the right). By synchronizing, changes made by other users (file on disk) and changes made by the current user are merged. After the synchronization process has finished, the current user also sees the changes made by others (i.e. the data in the current KeePass instance is up-to-date). If there is a conflict (multiple users edited the same entry), KeePass uses the latest version of the entry based on the last modification time.
-
Keepass
We use Keepass on a CIFS share. It locks the password file when multiple people have it open so you don't have write problems.
You can also put the file up on a LAMP style website with Web-Keepass.
-
Keepass for the win!
-
Re:Yes, but other than that, how did you like it?
KeePass and one strong password is all you need. It's portable, cross platform and easily backed up.
-
Re:One word, One link...
Or amongst a choice of others, my personal favourite, KeePass. It's free, open source and has ports for pretty much any desktop / mobile OS out there.
-
Re:KeePass?
KeePass is also available for PocketPC, Windows Phone 7, iPhone/iPad (multiple versions), Android, J2ME, BlackBerry, PalmOS, Linux, Mac OS X, Windows 98 through 7 + Wine + Mono, and there are libs that tie into several programming languages.
I read through the article, the linked PDF, and the PDF linked from the PDF to find out they didn't even test KeePass, which, AFAIK, is one of the most popular and widely available password managers out there.
I really hate it when someone claims to do a thorough test on something and states something like either "Of all the X we tested, none of them passed" or "Of all the X we tested, only one came close to passing". The former makes me think they should get off their high horse and write it themselves if it's so obvious. The latter that they're just trolling to push one product... especially when there are glaring holes in the tests.
-
KeePass?
This isn't one of the ones they tested, but does anyone know how safe KeePass is?
I use this on my desktop and Droid, which is pretty convenient since I can share the database file between them.
-
Re:Whatever happened to passphrases?
I use KeePass for the same thing. There's implementations for Windows, Linux, and Android. I keep the encrypted password file synched via Dropbox.
-
KeePass + KeePassDroid + Rsync Backup
KeePass for your PC (runs fine with Mono under Fedora/RedHat-ish distros) + KeePassDroid for your Android device(s) + Rsync 4 Android to sync it (or just manually pop the memory card in to transfer it).
I have a different KeePass Database file for Personal (high-security items) and Work. I wouldn't trust Dropbox to move the file around as some propose. If you absolutely insist on using an insecure transport like Dropbox, at least add the Key File method when you generate your databases and transport the Key File OOB (not via Dropbox).
I hear from a co-worker that KeeFox is a nice Firefox + KeePass integration. I may move all my low-security sites' passwords to another KeePass database if this works well so that I could also have all of them available on my phone.
For now, I use SyncPlaces (stored to a local file) + Dropbox to keep my low-security sites' passwords and bookmarks synced (as they change and are added to very often).
-
Re:Unencrypted passwords
Try this:
http://keepass.info/
Works in Linux, Windows, and I believe OSX
I believe it also is available as part of portableapps
http://portableapps.com/
You can save encrypted databases of passwords. You need the master PW to access the database, from which you can then save/load a list of URLs, userids, passwords, etc.
-
Reminder to Manage Your Passwords
-
Re:I am all for it.
If we can get the Adult Industry to sell their .COMs and go to .XXX it would make an easier to manage Internet. Especially if you are searching for name of an old XWindows software you were looking for.
Not just old software, I have this problem constantly:
-
Re:TL; DR
Use a password manager and you can get away with remembering one, this is the case for me these days.
Local files with syncing:
http://keepass.info/ http://passwordsafe.sourceforge.net/
Hosted
http://clipperz.com/ (can host it yourself if you rather want that) http://sourceforge.net/projects/webkeepass/
Furthermore, if you are developing apps, an easy way to (currently) protect against bruteforce is to use something like PBKDF2 with 10 000 or more loops (provided there is a sane password policy behind).
The SHA2 functions are made for speed, a GTX-400 series card with oclHashcat can easily reach 300 million SHA2-256 / sec.
-
Re:TrueCrypt
I really hope it's not called "keepass".
-
Keepass' answer to brute force attacks
Parroting the KeePass website:
"You can't really prevent these [brute force] attacks: nothing prevents an attacker to just try all possible keys and look if the database decrypts. But what we can do (and KeePass does) is to make it harder: by adding a constant work factor to the key initialization, we can make them as hard as we want."
To protect its database (of passwords), the program actually performs N rounds of AES encryption, with N being a large number of your choice, chosen so that these rounds take "a lot of time", say 1 second. This way, the attacker will only test 1 password per second.
Does this make sense?
-
Re:KeePass
Maybe I'm paranoid, but I really don't like copying passwords to the clipboard. I'd much prefer some kind of automatic key pressing function.
From http://keepass.info/help/v2/autotype_obfuscation.html:
"The Auto-Type feature of KeePass is very powerful: it sends simulated keypresses to other applications. This works with all Windows applications and for the target applications it's not possible to distinguish between real keypresses and the ones simulated by Auto-Type. This at the same time is the main disadvantage of Auto-Type, because keyloggers can eavesdrop the simulated keys. That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.
TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl-V presses, but do not log the actual contents pasted from the clipboard.
Clipboard spies don't work either, because only parts of the sensitive information is transferred on this way.
Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes on logging obfuscated auto-type."
-
Re:KeePass
Ahem.
Hint: try scrolling down. It's probably already in the repository for your distro if you use Linux.
-
KeePass
KeePass is really the best tool for handling passwords. Open source, crypted database, easy to use (CTRL+B for username to clipboard, CTRL+C for password), contains grouping and generates safe different passwords for every site. It's actually a great example of a well done open source project.
Using an online service for something like your passwords is just incredibly stupid. It's a really well known place to hack for someone who wants lots of passwords. Back up your encrypted password container to your own place, but never something like this.
-
Sheeple parents
What kind of a genius must one be to divulge something just because someone asks nicely? It's like social engineering without the 'engineering' part. I routinely give randomly generated answers to various privacy invading "security" questions on bank sites: it's none of their damn business what is the name of my first girlfriend. On pretty much every non-governmental, non-credit-related form, I always use a made up number when asked for the SSN. They are too lazy to figure out what artificial keys are? I give them one.
Stupid parents give out their kids' SSN numbers without thinking. What's new? Google isn't really to blame, I don't think.
-
Re:WRONG
If only there was some government sponsored secure key system for passwords, enabling the average user to have a secure key with one strong password to access all their others
Yeah, because I want the government to be in control of my keys to ...OR AM I HIDING SOMETHING DAMN PEDOPHILE TERRORIST?!
-
KeePass
http://keepass.info/ - free, open source and solves most of these password problems well. Version 1 has Linux, Mac, Windows, Android and iPhone clients. Works great in conjunction with Dropbox.
-
Re:pwdhash FTW
As long as you aren't wrapping your own OS (and apps, and web sites...), you've already accepted you have to trust some people. Adding one more in a third-party password manager is just another, albeit potentially dangerous, step forward. Set the criteria that are important for you, and go from there. It's better than having a number of weak passwords you memorize and don't change, or a number of moderate passwords you probably can't change.
KeePass met my criteria.
-
Re:Same password
I'd use the same password for everything if they all had the same basic requirements.
Keepass. You're welcome.
You can generate and store passwords to your heart's content and only ever have to type one when you open the database. It will also auto-type most forms.
-
Re:Simple
Doesn't access to your workstation == access to your password == logging on as you? Consider how trivial it would be for one of those contractors to slip in an unobtrusive hardware keylogger onto your computer and then harvest everything you type from the next room?
NB: this is one reason why I now do most of my passwords using KeePass - it effectively makes 1 factor authentication into 2 factor which at least stops incidental / opportunistic keylogging attacks.
-
Solve the problem
Use KeePass
-
Re:Prettier Tool, Old Exploit
-
Re:Translation
http://keepass.info/ and it's a great sw package.
-
Re:Translation
You should use an app that is encrypted and password protected to store all of your login info.
Suggestions?
KeePass Password Safe works like a charm, even on multiple platforms.
-
Re:Password aging isn't in touch with the real wor
Who the hell can remember a new eight-digit string of nonsense every month?
For many of us, it isn't one new password. It's dozens of passwords! In my case somewhere between 60 and 70, on servers running various operating systems and with varying sets of password rules.
If it wasn't for KeePass, I'd be lost. And yes, my KeePass password is a fairly strong one. :-)
-
Re:i need an example
-
Re:Different password
That is why they make wonderful little FOSS programs like KeePass my friend. The only thing the "bad admin" is gonna get is the single password for the single site he/she has access to, nothing more. Put it on a thumbstick and you are good to go, and even if someone gets it, thanks to AES good luck getting your passwords out of it.
-
http://keepass.info/
I've been using KeePass Password Safe for years. I keep it installed on a thumb drive and take it with me pretty much everywhere I go. The KeePass files also get backed up to my desktop every time I insert the thumb drive or modify the password file. If I lose it, no big deal, no one's going to guess the master password and I always have a backup. There are builds for just about any OS people are using these days, so you shouldn't have to worry about retrieving your passwords cross-platform.
http://keepass.info/download.html
-
Re:Xmarks, KeePass and Encrypted Zip combination
I use foxmarks (or Xmarks, as they call themselves now) for all the web passwords that I'm willing to let Firefox remember. AES encrypted, available everywhere Firefox is. Nice. Simple. Easy and Works.
The passwords that I put in there are variations of a few basic passwords. The passwords are simple plain English words, 3 to 8 characters long, and each letter maps to a random 2 letter assignment. This map is generated by going to GRC's password generator page and taking the first two letters in the ASCII printable list and assigning it to "a", the next two to "b" and so on. I then follow with the numbers. There is also a lower/alpha/number list which I do the same thing in case I run across a site that can't take special characters.
For example, when I went to the page for this post, I got the following string: "=f^9]pnLE70:uS6XYhev/ExPy%)Ax}" In this case a := "=f" b := "^9", etc. For the password base I would choose something like sea, which would then get translated into: DeE7=f I would then add a simple (ie: 2-3 char plain text easy to remember), prefix or postfix to the password for the site.
At work I keep the alphabet list printed out and taped to the bottom of the center drawer of my desk. This is secure because people would have to get past the armed guards and two locked doors to get to it. Even if this wasn't the case, they would have to know what the base password is.
For non web based passwords I use KeePassSafe. Even I don't really know what the password is for keepass, as I use both a keyfile, and a statically generated 32 character password (I use a Yubikey in static mode for this). I'm not concerned about losing the file, but if something happened to the key, I admit I'd be screwed. Mostly I use it for the geek factor. Before I got the Yubikey, I used the above method with an 8 character base (and the keyfile).
-
For What It's Worth
I use http://keepass.info/
Does everything I want it to do.
-
Try keepass
http://keepass.info/ We use it at the company I work. It offers some safety in keeping your passwords together and secure.
-
Keepass and KeepassX are nice for that
-
Re:Truecrypt
Personally, I use a KeePass database which is synced between multiple computers online through DropBox. As long as you're accessing from computers that you own (win/linux/OSX) or online, you should be fine.
There is also an iphone keepass viewer available for online files, including through Drop Box (for the old 1.x format).
-
Re:Keepass
http://keepass.info/download.html
KeePass 2 is the favored encrypted password vault application for my company and other security administrators like myself. It can also be scripted to autologon to any application or website... after entering in your master password.
-
Keepass
Keepass works well, and has been ported to almost every platform. Win, Lin, Mac, iphone, droid, winmo, even the old fashioned blackberry.
-
Another vote for KEEPASS
Keepass Password Safe should be the first tool you check out. It's superb. I *highly* recommend it. I see that plenty of other /.ers share my opinion.