Ask Slashdot: Should You Use Password Managers?
New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do?
Yes.
http://keepass.info/
I have been using 1Password for the past few years and since I keep everything local to either my Mac or iPhone (using WiFi to sync) the only way I'll get hacked is if the attacker is already in my local network, and if that's the case I'm already screwed. The data files have a master password that I have to remember, but it's much easier to remember 1 password and not hundreds, especially when different email accounts are also used. Is there a 100% secure system out there for passwords? Yes, but I'm sure a photographic memory is super uncommon. :)
"It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
I keep my passwords in an encrypted file on an encrypted USB drive (with different passwords for both). The file never leaves the drive except for backups, which are also encrypted and stored securely.
I don't trust another company to not (ever) steal, sell, or just plain lose my information.
I also (as many do) tend to reuse passwords with minor variations. Most of my passwords (even in the file) are "shorthand" passwords that wouldn't work as listed in the document.
Non-network-connected password manager with no RF connectivity of any kind. Job done.
Neither web nor cloud based. You make a master password, it stores a file on your hard drive containing your encrypted stuff. You can move that file anywhere and, if KeePass is installed, get your passwords on that platform.
I don't trust cloud-based password managers. Use KeePass and encrypt your keyfile with a really strong password. If you want to access your keyfile from multiple devices, sync it to the cloud with box/dropbox/gdrive/etc. Even if the keyfile is stolen, it'd be very difficult to compromise if you use a strong password.
There are several options.
(1) Don't use a lot of password protected services; that way: less to remember.
(2) Live with being occasionally hacked.
(3) The Bratva solution: someone hacks you, send someone to shoot them in the head.
I don't know about you, but I'm kind of partial to #1, with #3 being a close second. I don't particularly like #2.
Use a password manager = yes. Storing passwords online = no. If you must store in the cloud, use different providers for the encryption as the storage.
Website Just Down For Me? Find out
Some password managers rely on remote servers or the cloud to store your password. That is risky for two reasons. (1) A service holding passwords for many users is a more likely target for hackers than your own individual computer. (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.
You should choose a password manager application that is installed within your computer and does not rely on you having an Internet connection. The application should use a master password -- actually a master pass-phrase -- to encrypt the individual passwords. That master pass-phrase itself is not stored anywhere. Instead, if it is entered incorrectly, it fails to decrypt any passwords. By "pass-phrase", I mean a longer expression containing blanks, punctuation, etc.
Note that Mozilla-based applications have internal password managers that reflect my second paragraph above.
I like one called Pass (https://www.passwordstore.org/). It's dead simple; each password lives inside a GPG encrypted file and it's a command line tool, so it's great for dealing with remote machines, ssh, etc. It may not be as convenient as the ones that offer online/"cloud" options/browser extensions/etc but the inconvenience is balanced by the added security. Not for everyone, but I think many Slashdot readers would find it handy.
Say, like the site's name, and select the letters and add in numbers. I use a couple of different patterns depending on the type of site. That way I can remember tens of passwords. 99% of the time it ends up nowhere near a dictionary word and they are all 8+ characters long.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Why is lastpass a piece of crap, exactly?
You should have very few passwords, don't sign up for accounts for anything completely necessary.
You should be able to remember several complex passwords for the few accounts you create.
Never-ever trust those password services.
+1 for 1Password.
I don't have strong enough words to endorse their Watchtower service, which tracks recent breaches, affected sites, and warns you about it so you can change your passwords on affected sites. It also reports about duplicate passwords used multiple places, last time they were changed, etc. That functionality of 1Password alone is worth the cost, especially if you have hundreds or thousands of passwords.
You can store your key database in multiple different places, you just have to choose the one you think is most secure. :)
That is what I do. Whenever I create an account I enter the password as the user name and my username as the password. I am so clever.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Hey, that's my Password (1Password); it satisfies all the usual criteria: upper/lowercase letters, including a # and length >= 8 chars.
(j/k of course)
How much is your data worth? Back it up now.
If you think that makes a good password, you're doing it wrong.
While I use a password manager, password safe, it's offline and it's primarily only a vault and backup as I remember nearly all of the 100s of unique passwords I have to use. I don't share a single password with any platform, site, service, etc.
Why the hate for cloud storage? Lastpass encrypts your passwords with your own key, that you select, and this has been proven as they released the source of their client.
Yes. I recommend Firefox's password manager which can encrypt passwords stored in your browser with a master password. Then add to that Mozilla's sync feature to store an encrypted copy of your passwords on Mozilla's server. They are stored encrypted and cannot be recovered without the sync password and e-mail access. If you don't trust Mozilla's server, despite the passwords being encrypted, they provide the open source software so you can run your own server to sync your encrypted passwords to.
If someone (you or hacker) does not know the sync password and resets the password with access to your e-mail account, it will not give them access to the passwords that were sync'd previously. This is good because it keeps a hacker from being able to just hack your e-mail account then use that to get access to all your passwords.
The issue with KeePass generally is synchronization of your password database. You can put it on a USB stick and it gets out of sync, or you can put it up in the cloud, but then it's sort of out of your control.
I use KeePass for my password database and then Syncthing to sync it on all my devices. It's light enough to work on a Raspberry Pi, so it's easy to set up a Syncthing cluster. Resilio (previously known as BitTorrent Sync) works too, but I've never tried it personally.
The result is an Open Source password manager, with a database that's synchronized between all my devices and in my control.
Works great and I don't have to care about some site out of my control getting hacked. I can get to it from phone or PC under a URL only I know on a server I own and I use a yubikey as part of a password to unlock it. Which is good enough for me.
That was the solution I went to after, around 10 years ago, I had some old registrar account I was no longer using hacked and around 1000 dollars in charges made on an expired card they had saved. That was a fairly minor inconvenience but was still enough of a pita that I'd never want to go through that or worse. Now every account has a randomly generated password with the maximum length they allow if it's under 32-64 characters. I'm experimenting with 2FA a bit, but right now it's more hassle than I want to accept in the case I lose my second factor.
> Lastpass is a piece of crap.
And that's the end of the rant? Aww.
I continue to recommend LastPass. 1Password (for $70), not at all.
I'm in IT and have something like 30+ account passwords memorized. It's easier than you think. Use passphrases rather than passwords.
Example: Instead of something hideous like: !@#!Hncdj*lkkj
Use a passphrase made up of the first letter from a phrase, such as: MGai4meO... is "My Gmail account is for my eyes only" (the periods are simply extra fluff which add to the complexity).
You could substitute the G for Y for Yahoo or anything else. If you have 2 Gmail accounts, use G2 to signify second account.
I've been using LastPass for years. I tried pwsafe (nice, but at the time, didn't support Mac well) and KeePass (which I didn't like for reasons that I don't quite recall now; ended up moving back to pwsafe) before I switched to LastPass.
The deciding factors were (1) LastPass Premium works on Android. (And, now, you don't need Premium; the free version also works on Android.) (2) Syncs password changes across all devices, and (3) Professional Paranoid Steve Gibson gave it his seal of approval.
Some of the others also have a way to sync across all devices now, but I haven't come across any compelling reason to switch. Though LetMeIn may be working on that one.
Yep, Keepass is my choice.
Another option is to write your passwords down. The chances of someone breaking into your home/office looking for your passwords are pretty low. Just don't do anything stupid like stick them up on the wall behind where you sit at your computer.
Use a program like Keepass and place the database file on a thumb drive that you keep offline. We were offered Keepass to use at work but they didn't require the offline database file - I did that myself to add an extra layer of security.
If you REALLY want security, commit all passwords to memory and of course use a different password for each login, changing them all on a monthly basis. I think if I did that I would spend all my time working on memorizing passwords and not get anything else done.
Just keep a tiny address book in your wallet.
Any important passwords you keep there.
The unimportant stuff can use a common password.
I like this solution, probably a little too un-'user friendly' for most though.
https://www.passwordstore.org/
Good use for an old PDA from pre-wifi. Of course if it craps out you're in deep. So make that two old PDAs from pre-wifi. You can sync it with irda or serial, which has the advantage of only working when you want it to (if that).
Liberty - Security - Laziness - Pick any two.
Humans are also lousy at typing them.
Why do people still think passwords should be random?
If I can type a pass phrase that is 2-3X as long as a random password in half the time, which do you think is more secure? Which one doesn't get mistyped? Which is smarter? Which saves money in the long run?
1. I*g4fD@0Jqq7
or
2. Fuck y0ur stupid random passwords!
I can remember one of these and type it really quickly and accurately. Now if you are thinking that the 2nd will be cracked by a dictionary attack.. yeah, the only way that happens is if an account using it gets compromised and the phrase gets added to a dictionary... or if it gets mined out of this post and added to a dictionary.
As it is, the financial impact of random passwords is a huge invisible loss to the world economy as time is wasted remembering and typing them, outages are extended, and brand damage occurs due to the first two issues.
For any normal person (not rich, famous, or powerful), just storing hints in a document is good enough. Something like:
EBay kxxxxbxxxx3xxx
Where the mask character x is not precisely replacing characters.
It's enough to remind me, but not enough to aid a casual attacker.
Strange things are afoot at the Circle-K.
In as tech, Linux, and retro community as Slashdot, I give a particular shout to "pass" (passwordstore.org). Takes a little time to realize how simply powerful it is. And, it's literally nothing but GPG, Git, and a long but easy-to-read Bash script. Also, works really, really well for a team that needs a secrets vault. Back when we did that with KeePass, we'd always get out of sync. Now? It's a git-merge, just like the code.
Want more advanced security than that? My teams' GPG keys (and SSH keys for Git) are on a smartcards (Yubikeys to be specific) which means the actual private keys are never on our (day to day) computers.
In the broader sense of the question, yes, you should use a password manager. I have 300+ passwords (and password-like little bits of info). All different, all randomly generated. I never forget one. Not sure how you do that without a pw manager.
https://chriszarate.github.io/...
SuperGenPass is a different kind of password solution. Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.
SuperGenPass is a bookmarklet and runs right in your Web browser. It never stores or transmits your passwords, so it’s ideal for use on multiple and public computers. It’s also completely free and open-sourced on GitHub.
+1 for 1Password.
I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.
I'm switching to LastPass.
Update 2017-03-01: All reported vulnerabilities are fixed by the vendors: https://team-sik.org/trent_portfolio/password-manager-apps/
I use a password manager that has Windows, Linux, Android and iOS clients. They all use the same encrypted data file that I keep on my Dropbox. I keep my day-to-day non-user-critical account passwords in there so I can access them easily and quickly no matter where I find myself. But I don't put the important passwords (financial accounts and the like) in there; I just remember them.
But the PRIMARY thing you can do to keep yourself safe is to "DON'T use the same password on multiple sites!" Never, EVER use the same password in your "fun" accounts and your financial logins... This is because a breach at one of these "we don't care about your security" sites is a lot bigger risk than at your bank, but if you have the same password, you just gave the crooks a very important piece of information.
Secondary to that, is keeping passwords hard to guess. If you have a manager that generates passwords for you, use it for the throw away accounts.
So, in summary: sure, use a password manager for the trivial junk accounts, use complex passwords and keep them different. But NO, don't put your important passwords in online storage... Develop a way to remember them and keep those in your head.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Just use a short word/number, like dog or d0g. Then add this before or after the name of the site.
For example, slashdotd0g or d0gslashdot.
This gives a unique password for every single site. You never have to write it down anywhere. You never have to think of a new password. Make an account on eBay? Your password is ebayd0g.
And no, if they get your password for one site, they won't have your password for every site. They don't work like that. You'd have to see several examples from different sites to work out the key was d0g.
Haha, no. For the same reason you don't keep all your valuables in one safe.
I mean, you can probably live without for a while...
I always joke that you should write your passwords on a $100 bill. Then protect it like a $100 bill. It sounds like a joke but as you think about the expected value of a lost or disclosed password it is a really good fit.
If you lose it, it will be spent like a $100 bill and no one will care about the numbers written on it.
I've been using Password Safe for over 10 years. It works well for me, is free, was created by Bruce Schneier and keeps your passwords in a local encrypted file.
I use LastPass just fine, because every site where getting my login details would hurt, I use 2fa: Microsoft, my bank, PayPal, LastPass, Google, etc. Sure I'm picking up my phone once in a while but it's a good balance between secure and convenient. Far less secure are card details; mine got compromised recently but was detected and reversed almost immediately. Which is why I use PayPal whenever possible.
it's what I've used for years. I have a not so memorable story, take an event from that, and turn it into your password scheme.
[completely fabricated example]
In 7th grade a girl I liked (Sarah) gave a presentation on Abraham Lincoln. She was wearing a blue dress.
Four score and blue dress. FoScBlDr (8 characters, safe)
Add in a number and a symbol, because some sites require it. FoScBlDr81? [I think it was in 1981]
So, there is my starting password. Password hint = Sarah Lincoln 81, maybe SL81 for short.
6 months later, you have to change your password. Hint becomes SL82 (FoScBlDr82?)
You could cycle through to 89, then back to 81. Over time, you can morph it in other ways. Maybe put a $ in there instead of a ? for financial sites, or come up with a separate story for those.
The thing is, YOU make up the story and the cycling rules.
You can even write down your password hints, nobody would ever think "Crush 88" was actually "FoScBlDr88?"
I have used one scheme/password since 1999, and it has morphed so much that even if I told someone my original password, they couldn't guess what it is now... it's just gibberish.
My beliefs do not require that you agree with them.
Write everything down, lock in a safe. Unhackable.
I use the Post-It on Monitor, keyboard, desk, filing cabinet method here.
I just write the passwords on Post-It notes and stick them to the monitor. :)
I use keychain and Safari's automatic password generator. It's extremely convenient and I'm surprised no one's mentioned it here. Serious question: are there any reasons why this isn't a good idea?
Yes; just don't use the SaaS based ones. Use keepass, pass, gpg, or openssl.
SaaS providers store your passwords centrally; you don't know if it's encrypted; and chances are it's not if they autopopulate password fields.
Not to mention if they get subpoenaed they have to hand them over. They could have backdoors if they do encrypt.
Also, 1Password is complete garbage: https://myers.io/2015/10/22/1password-leaks-your-data/
1Password is garbage https://myers.io/2015/10/22/1password-leaks-your-data/
..my brain? Then yes.
As with all things security related, the first thing you have to do is decide what kind of threats you're really worried about. If you're doing anything that might make you the target of either state backed or other deep pocketed groups that are also technically sophisticated, that's very different than if you're just some person trying to keep their banking and credit card details private. A shorter way to think of that is: is there any reason anyone rich and smart might want to spear phish you? If yes, good luck and I probably can't help you. If no, keep it simple.
Personally, I have an encrypted text file on my encrypted local PCs that I back up to an encrypted HDD. When I need to create a new password for something, I open it up, enter my one main password that I don't write down and have never told to anyone, and then enter the new site, user, and PW info. I don't use the same passwords for any site, but I do let browsers remember passwords for non-critical things (Amazon, forums and tech support stuff, etc.). Depending on the number of different devices you use and the number of different sites you consider "critical" (i.e. you don't trust a browser to remember the PW), you should only need to really remember 10 passwords. That's easily do-able, especially if they're things you use at least a couple times a month.
Assuming you've got strong and secret passwords that are unique to each critical site (banking, credit cards, social media), that's all you really need. No need to hook into any cloud based service that itself might be compromised, no need to spend any money, no need to trust the keys to your life to anyone but yourself.
I'm not against password managers. I know smart people who use them. But smart paranoia is better than general paranoia, and for most use cases they've always struck me as creating more security holes than they plug.
YMMV.
Password managers, especially "cloud"-based password management, are absolute garbage.
The thing you should be doing is designing your own password algorithm
eg:
slashdotcanbiteme911
^^^^^^^^ Padding
--------^^^^^^^^^ phrase you can remember
-----------------^^^ number you can increment
You use the padding word or phrase to fill out the minimum password length, typically something unique to the site that is obvious. Your phrase is something you use with all sites, and then you increment the number when you reset the password.
If you have sites that require a symbol or something, you hold the SHIFT key for one of those numbers, etc.
If you can't remember this kind of algorithm, then you should be resetting your password every time you login to a site you don't quite care about, and save your memory capacity for your bank accounts.
No, No, No, and even more No.
You Yes people are absolutely naive as fuck.
So, you can't remember all the unique passwords? Do what smart people do and remember a password formula related to the site. Not perfect but the best compromise out there.
I personally only use password managers for decent passwords on relatively unimportant sites. And if the password manager gets lost, then I'll just have to reset some passwords.
For anything important (bank sites, root etc) I have memorized about 14 random 12-16 character passwords.
Custom electronics and digital signage for your business: www.evcircuits.com
Keepass+password file on dropbox+encryption file not on dropbox+password
Dashlane?
use pass, a gpgv2-protected password store. available packaged for most distros or direct from https://www.passwordstore.org/
graphical frontends also available for those who prefer them.
Dashlane uploads a screenshot of every page you use it on. That's supposed to be for your records. But if you turn the feature off, it still takes a screenshot anyway! That's when I gave up and went back to using a simple spreadsheet. It gives me peace of mind.
I used KeePass for a long time on Linux, but having to use Mono sucked, and I felt like there was minimal work going on with the plugin, and the software in general for that matter.
I feel like the weakest link to all password managers is the browser plugin. With that conclusion, I decided to go with LastPass, because I always see their name listed as paying well for bug bounties. I figure that significantly reduces the chances of there being a major 0 day vulnerability in their plugin over the other guys who in general have pretty lackluster dev cycles, and don't seem to have much of a bug bounty presence.
I also do things like: require multi factor, don't auto load passwords on any sites, etc to mitigate my risk using lastpass.
It's a risk - lastpass is a big target, but it seems like they do a good job of taking security seriously, so I decided I was better off with my passwords stored in a world that is actively attacked, but also actively defended instead of a world that is mostly ignored.
-- "I feel a strong disturbance in the for.."\*Segmentation Fault*\ (core dumped)
So I have used Roboform for god knows how long; it syncs across all my devices. Up until the most recent version, you could stick a copy on a USB stick and it would allow you to load up an instance on a computer that didn't have Roboform installed. And when you took the USB out, the app disappears. I have something like 500 different passwords managed with it.
But - I also provide every site a separate e-mail.
slashdot@nuttybee.com
yahoo@nuttybee.com
If slashdot@nuttybee.com starts getting Viagra spam, there's a good chance that they got my address from Slashdot. And when that happens, I TKO the address; it goes directly to trash.
If you're lucky enough to figure out my login - slashdot@nuttybee.com and my password '3l13t3haxor', it is usable at absolutely zero other sites.
I am surprised no one has endorsed PasswordSafe yet! Written originally by Bruce Schneier, open source, and ported to Android which lets me sync my pwd database files between devices via Dropbox. I've been using it for years and plan to continue.
Since starting to use it on my mobile, I've segregated my database a bit to prevent a total breach in case my phone were compromised. I have my "lower security" internet website passwords that I need on the go in one file. And I have my financial passwords (which also stores account and credit card numbers that I might need in an emergency) in another file. And then on my PC there is a master file that has all these plus a ton of other accounts I've collected over the years but don't see the need to take on the road in my phone. Each database has a different unlock password, and those are all I have to remember.
That is what "password managers" are. You may as well just write all you passwords down and post them in plain text on a publicly accessible website.
PasswordMaker, on the other hand, makes a unique password for each site/system and you do not have to remember anything, and the passwords are not stored anywhere so they cannot be compromised.
I'm sad that Passopolis/Mitro hasn't gotten more love after the Mitro team open sourced it, and We Are Wizards took it over. Mitro was great before Twitter acquired the team behind it. Sadly, Passopolis has never bothered to get the Android client working again. I looked at building it myself, but the toolchain is ancient by Android standards.
https://passopolis.com/
https://en.wikipedia.org/wiki/...
Mitro uses Google's Keyczar on the server and Keyczar JS implementation on the browser.
Master key is a 128-bit AES key derived using PBKDF2 (SHA-1; 50000 iterations; 16 salt bytes)
RSA with 2048-bit keys using OAEP-SHA1 (separate signing and encryption keys)
AES with 128-bit keys in CBC mode with PKCS5 padding
All encrypted data includes a MAC (HMAC-SHA1)
It's really easy for someone to port your number to their SIM. Happened to that YouTuber Linus Sebastian.
I like it because you can use it for more than just passwords. You can store bookmarks and files in it too. I don't trust bookmark sync. I'd never use browser extensions for sensitive information because that info is only as secure as the weakest link, be it the extension or the web browser. I also never use a cloud service to store the database files. Surely if something is important, you can remember a single password and where you keep a flash drive. KeePassX also allows the use of key files as a password. You can have it as both, so if the password is compromised, they still need the file. This way, you can use a cloud service but it will only open on your computer. You could also keep them on separate services. What I do is create a dummy KeePassX database and key file and edit it with more random string stuff and then create the real KeePassX database and use the edited key file from before. It's only 44 characters long if you don't. 4096 that sucker! You could maybe also use steganography to hide the key file within the icon of the database file if separate cloud storage is too much.
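The composite-key idea in the post above (password plus key file, where a leaked password alone is useless), and the "every encrypted blob carries a MAC" design listed for Mitro a few posts earlier, as an added example that is not KeePassX, KeePass or Mitro code. It is a simplified model: the factor mixing is SHA-256 over the separately hashed factors, the key stretching is PBKDF2 (KDF_ITERATIONS is an assumption for this example), and "opening" the vault is modelled as verifying an HMAC over a constructed header rather than any real file format. The key file, salt and header values are constructed samples.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: a KeePass-style composite key, simplified. Real KeePass
# mixes the factors and stretches the key differently; the header check is a
# stand-in for opening a database, not KeePass's actual file format.

KDF_ITERATIONS = 100_000  # assumption for this example, not a KeePass default


def make_key_file() -> bytes:
    """32 random bytes encoded as base64: the 44-character key file the post
    mentions. The strength is the 32 random bytes, not the 44 characters."""
    return base64.b64encode(secrets.token_bytes(32))


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Hash each factor on its own, then hash the concatenation, so a leaked
    password never yields the composite without the key file bytes."""
    parts = hashlib.sha256(password.encode()).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def seal_header(composite: bytes, salt: bytes, header: bytes) -> bytes:
    """Stretch the composite into the database key, then authenticate the
    header with it (the Mitro-style MAC over encrypted data)."""
    db_key = hashlib.pbkdf2_hmac("sha256", composite, salt, KDF_ITERATIONS, dklen=32)
    return hmac.new(db_key, header, hashlib.sha256).digest()


def can_open(password: str, key_file: Optional[bytes], salt: bytes,
             header: bytes, tag: bytes) -> bool:
    """True only if both factors reproduce the stored tag; constant-time compare."""
    candidate = seal_header(composite_key(password, key_file), salt, header)
    return hmac.compare_digest(candidate, tag)


# Constructed sample vault. Salt and header are what a file would keep in the
# clear; the tag is what the correct composite must reproduce.
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_HEADER = b"example-vault-v1"
SAMPLE_KEYFILE = b"VGhpcyBpcyBhIGNvbnN0cnVjdGVkIGtleSBmaWxlIGZvciB0aGUgZXhhbXBsZQ=="
SAMPLE_PASSWORD = "correct horse battery staple"  # constructed, not a real secret
SAMPLE_TAG = seal_header(composite_key(SAMPLE_PASSWORD, SAMPLE_KEYFILE),
                         SAMPLE_SALT, SAMPLE_HEADER)


def demo() -> dict:
    """Which factor combinations open the sample vault."""
    args = (SAMPLE_SALT, SAMPLE_HEADER, SAMPLE_TAG)
    return {
        "both factors": can_open(SAMPLE_PASSWORD, SAMPLE_KEYFILE, *args),
        "password only": can_open(SAMPLE_PASSWORD, None, *args),
        "key file only": can_open("", SAMPLE_KEYFILE, *args),
        "wrong key file": can_open(SAMPLE_PASSWORD, make_key_file(), *args),
    }


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:15} -> {'opens' if opened else 'refused'}")
```

The practical consequence for the sync setup the post describes: the database can live in cloud storage while the key file stays only on the machines that should open it, and a password leak on its own does not open the vault. The key file then needs its own backup, because losing it is as final as forgetting the password.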
Not in a million years.
The answer is yes. Absolutely you should. My keepass file is teh precioussss.
Load the app on the same usb as you keep your DB. Execute from the USB. Loading a keylogger which opens Keepass is not too complex. *think NSA and CIA snooping*
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Not all data are worthy of serious protection. For information I have that is worth it, I simply write a short verse about something I'll be sure to remember and use that as the password. If I felt the need to record it (usually I don't), I'd make it part of something else which might not be protected at all.
For example, if I wanted to make sure a list of American clients and their information stayed safe, the first thing I'd do would be to encrypt the files, then the drive I was keeping them on. Then I might write something like, "Trumpty Dumpty building a wall/Trumpty Dumpty lacking in balls/All of the contards who voted him in/Are treasonous hillbillies boning their kin."
That would be the password to the drive. I'd store it with other verses, multimedia files and essays, and put a link to the whole folder on my desktop. I doubt very much even the best hacker could crack that. But if I was really worried, I'd have something related but obvious only to me as the password to the folder or file containing the actual information.
Nothing is completely secure, but I think that's not too far off. I'd be interested to hear from a real expert how they'd go about cracking it, short of torturing the password out of me.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
At FOSDEM 2017 I attended a session about the Mooltipass hardware password manager. The speaker talked about his successful Kickstarter campaign for the Mooltipass and how he verified the integrity of every step of the process. The device is open source hardware that is assembled and tested with a tamper-evident case. It attaches via USB and uses a chip-and-PIN smartcard to store encrypted passwords. You can check it out here: https://www.themooltipass.com/
"Tempt not a desperate man" - Willy S.
Use KeePass and sync it with your favorite web storage. Protect it with two-factor authentication and/or add a salt to all the passwords so if the database is compromised, they won't get the whole password. Yubikey works great to secure the DB.
From microprocessors to supertankers, drawing distinct lines to contain the incoming perils has always been a major risk containment engineering trick!
In the case of passwords, the following split works well for me:
* Business passwords are a class of their own: 2FA fully used, plus a business-dedicated password vault (KeePass)
* Private web-generic class passwords can be stored within lastpass.com with minimal hassle; yes, you need to trust it; yes, you need to balance your risks there
* Private Google/Gmail 2FA-enabled domain is a distinct class of its own across devices; it serves as "password-reset lender of last resort" when the above line fails
By the way, banks and such should normally give you their own 2FA, so a security collapse of the above should be irrelevant.
In short, there is no silver bullet; yet, an onion-approach design and a distinct pool for your business/bank related stuff can get you going for quite a while.
Password managers, especially cloud-based, provide a huge honey pot for hackers. Regardless of the encryption algorithm used, there is ALWAYS a weak link in the chain somewhere. Remember Heartbleed, or the LastPass hack of 2016?
If you must use a password manager, use a lesser-known one, because these will be a less-attractive target for hackers. Or try storing password hints, so the actual password isn't stored anywhere.
I am mind-boggled that even banks do not allow complex passwords. The use of long phrases can help. For example "Phil and Bill went up the hill to fetch a bucket of blood1938." should be really hard to crack. The ASCII symbols are also a great way to build a really complex password. I can understand why small companies do not have software that is long- or complex-password tolerant, but major businesses should all be so equipped. Long phrase passwords should require so much effort to crack that almost nobody would even try, and they can be really easy to remember as well.
A password hasher takes a password that you can remember, the domain you need the password for and cryptographically hashes them together to generate a secure, site specific, password.
There are browser plugins that can intercept your weak-used-a-lot password on webforms and replace them on the fly with the strong, per site, password.
Nothing is ever stored, all you do is remember a few easy to recall passwords.
No. (Ian may now sleep in peace)
Slashdot, fix the reply notifications... You won't get away with it...
I too use 1Password with DropBox integration vs their pay to play cloud service. I pay nothing and it updates DropBox which is accessible to all of my clients quickly. It can be used for secure notes and other things so all of those security questions that you do NOT put in truthful answers for can be remembered :) My passwords are generated by a different app and I use different passwords for nearly every site now. Get hacked once and you learn the hard way - took me an entire day to track down most of my accounts and fix them!
Someone below mentioned it leaking metadata through a .js file - that file doesn't exist on my DropBox, the .JS files that do don't contain anything cleartext.
Build it, Drive it, Improve it! Hybridz.org
Lastpass has concerns because it actively stores your passwords in its own cloud. You don't know the encryption used, provably, and because Lastpass is a central storage point for passwords, it is an active target. This is in contrast to 1Password's storage on Dropbox or mSecure, where an attacker would have to attack a lot of cloud based users, as opposed to one basket with all the eggs in it.
Plus, with other utilities, one can use a very long, secure password for the cloud syncing (min 32 characters), and a short one on devices which have encryption and a mechanism for erasing. This way, one has easy access to their passwords, but an attacker who compromises a cloud account has to brute force a lot longer password. Lastpass is all about "just trust us". I prefer packing my own parachute and having separate cloud providers and endpoint encryption.
My personal choice:
1. Use password manager (I use KeePass, but other ones are no worse).
2. NEVER-NEVER-NEVER let your encrypted passwords database leak to a server you don't own, like Dropbox, Google Drive and so on. Only direct rsync/scp from one machine you own to another one.
3. If you need to access some account from a machine you don't trust completely (such as your girlfriend's computer - you may ultimately trust her good intentions but be not so sure about her sysadmin skills), don't plug the USB drive with your password database in. Open the password manager on your phone or tablet, look up the password you need and type it into the untrusted computer by hand.
1Password also does something unique. It is able to store your Google Authenticator 2FA keys. That, and allow export in a text format, so you can input them into another authentication app if needed. There are other apps which can back up the 2FA keys like Authy, but the backups are only accessible to the app itself.
Yes, 1Password has had flaws, which were corrected, but it works well, and allows one to store the PW data on a cloud provider of choice.
This type of question "Should You Use Password Managers?" is so dumb, because the sentence assumes that it speaks with authority. Typical bs.
I use lastpass and it works really well. With two factor authentication and both mobile and browser extensions it has balanced security with convenience. I could find something a lot more secure maybe but then it becomes far less convenient.
I assume you trust your IP TV too...
Everything I write is lies, read between the lines.
I have a new revolutionary service that beats all competition; we store all your passwords and all your money and belongings. Give me a call ASAP please.
Dale's article is from October 22, 2015.
Changing to opvaults appears to have addressed the issue, which was with metadata and not actual password data.
Just sayin'.
+1 for 1Password
Another technique for strengthening a password is simply to pad it generously. Probably one of the most secure passwords you can ever have is just 30-40 full stop characters. Because it's the least likely to get bruteforced. So if you have decided on some arbitrary password AsDeFeGeLe9, you can pad it to increase the length by 14 and multiply the security 1000-fold, as so: AsDeFeGeLe9.............. or AsDeFeGeLe9-0-0-0-0-0-0-0
Enter a very long string of characters.
When you want to access again, just reset the password :)
You only need password managers if you cannot remember your passwords. And you probably cannot remember your passwords because of ridiculous password requirements made up by people that don't read xkcd. Just avoid those systems and use long but easy to remember passwords. Problem solved.
0x or or snor perron?!
Just because something has been hacked doesn't mean you shouldn't use it. Consider your threat model (the EFF has a great page on this) for passwords. Which is more secure - writing your password on a sticky note and placing that on your computer or using a password safe that requires computing power no one is likely to expend to get into your match.com account?
I use and strongly recommend https://www.passbolt.com/
I use an address book, which has letters along the edge of the pages, and write them down in there. Very easy. All my important passwords (i.e. for things where I use my real name, address, etc. not for forums where I use a junk e-mail address and a made up name) are at least 12 characters long, many are 20 characters long. There is no way I can remember them all, which is how it should be.
Why people can't just use a physical address book is beyond me. The only possible way somebody could ever get my passwords is if they burgled my house AND decided to spend their time in there, opening an address book, that clearly looks like an address book. Burglars are not going to do that, they are looking for money, jewellery, and valuable electric items they can carry away and sell easily. Burglars don't spend their time going through all the books on a shelf, etc.
Use a physical address book and then you can't 'forget' your passwords, just keep the book by your computer all the time. How difficult is that?
Unfortunately it's apparently too difficult for most people. I have so many friends who actually ask ME what their password is for Ebay, or whatever, as if I must somehow know, because I'm a computer 'whizz', and they aren't. This is after I've told them numerous times to buy an address book, or ANY notebook, and write down their passwords, and keep it by their PC. Or told them to write their passwords on a sticker and stick it UNDER their computer table. How could they possibly lose that? But none of them ever do it. Too much effort, I presume.
1. They leave some data unencrypted.
2. They lie about it.
Never store important passwords electronically.
By all means use the password manager built into your browser for very low security systems if you like the convenience.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Makes it easier for the CIA to get all your passwords at once
It's 2017, this shouldn't even be a question. Neither was it in 2016.
Of course you must use a password manager, a local one for better security. Share the password db with your devices using any file syncing service, provided that the password db is encrypted (it should always be) and you make modifications only on one device, usually your laptop.
you should not use passwords anyway.
hashed storage doesn't limit char lengths.
Another good reason for using a password manager has to do with death. The executor of my estate has my master pass phrase to the LastPass account with all my financial and social account details. Should I die (when I die), it will be a simple matter for him to clean up my estate. I also have the master password for my Dad's online password manager, as I'm his executor. These passwords are stored offline and not easily recognized as a pass phrase.
Apple iCloud Keychain for me. I don't trust LastPass etc etc because they are smaller 3rd party solutions funded on a budget, one day they'll be hacked. Apple have infinite $ so I trust they are throwing tons of resources at keeping iCloud Keychain secure. Non Apple OS's are excluded of course, but that isn't an issue for me.
Or 3. You lie. Source?
Hacks can happen. Services get compromised. Details linked.
If you store your full password some where, some how, it can be found and be compromised.
Even if it is only in your head (hello torture). Not much we can do about that one...
All of these solutions posted above, Keepass, passwordsafe, are still potentially vulnerable precisely because they have everything an attacker needs to know.
You need to have strong passwords, preferably long, complex strings. Oh but remembering them is so hard (cue As Seen on TV sound effect). Or even better, oh but some websites are archaic and force me to use only 12 characters and have all manner of string characters boohooohooo.
I don't store full passwords anywhere except my head. I have similar categories of passwords as mentioned above: A few variations of cheap throw away (forum) account passwords, a few complex alphanumerics to deal with dumb websites, and special/unique long complex multi word strings for high value websites.
I have a cloud based location with a file that I use to store password hints/reminders/triggers. No hacker is going to figure out even a short character password from clues that do not include any details on the # of characters or what they are... but, of course I can look at a cryptic clue (of my own creation) and say right I need to use the 1qa password here.
The only vulnerability I can't fix with this is brute force, but that's why you have multiple levels of passwords on their own.
These guys just published a paper on all the badly-implemented password managers on Android. It's worth a read, if only to give you some clues about what to look for in your own solution, whether on Android or not.
+1 for 1Password.
I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.
I'm switching to LastPass.
Actually, the subscription thing was introduced a year ago. You can still opt for the standalone one-time license though. Response on a support ticket on their site:
Password standalone licences are still available for sale; our subscription accounts offer many advantages compared to a standalone licence, and so for almost everyone a subscription account is the best way to go.
. and of course there is a dark side to it.. Answer for me is yes though.. Pass (https://www.passwordstore.org/) does it nicely with great GIT integration.
with browser and android integration. I'm only frustrated that the browser plugin is not available for firefox on android.
>/dev/null 2>&1
I use Stanford PwdHash and I keep a file listing sites, user IDs and password hints.
The only issue I've ever had is sometimes the generated password doesn't meet a site's requirements (e.g. too long, missing special characters) so I either retry with a different site password or note changes in my file.
There are two cases, physically secure, and not:
If you're physically secure, you can use a simple notebook. This is unhackable from the network, and allows you to keep distinct passwords for everything. You can also use a separate desktop with no network communications and a password manager in this case, but of course that's much more expensive and generally requires more desk space. Backups become an issue as well. Whereas a notebook... other than physical disaster like fire or flood, quite robust. A phone is network connected whether you want it to be or not, whether the phone number is active or not, whether it's in airplane mode or not. State actors (and highly sophisticated private ones) can get into any even slightly recent phone that still has antennas and a live battery. So don't use a phone. Of course, if your computer is hacked, then any password you type in after the hack should be considered immediately compromised, because it probably is.
If you're not physically secure, but are concerned about real security and on a low or zero budget, then optimally, you won't be surfing all over the place, and will limit the number of passwords you need to the places you actually need to go. Then you can probably hold them in your own memory.
If you can't do that, then you may want to consider a robust safe, or a desk with professional level security, which basically means, it has a safe in it that can't be gotten out of it without making a noticeable disturbance. An alarm system backing this up is a good idea.
If you can't arrange for a safe, then we're down to password managers. The problem with a password manager is that typically everything depends upon a single access sequence; so in this case, you'd better be sure that your access to the manager is quite difficult. Which is annoying. But still best practice. You also need to hope there isn't some kind of back door that whoever you are concerned about has access to. Personally, I don't put much stock in such a hope. Admittedly, I'm a cynic.
It's worth talking about what "physically secure" means here. In the case of most law-abiding individuals, no one cares enough to ever come to your place and physically access your passwords. You are secure by default from external threats. Although you should consider family and friends. If there is any actual reason to worry about external threats, then you're part of this next case regarding physical security:
In the case of a person or organization with access to serious computing resources or valuable data, physical security means robust physical locks at the very least, escalating through guards, alarm systems, timed access, and so forth. You should consult professionals if you want this to really be effective. Protip: If you think you know how to get this handled, that's more likely a sign that you really should consult professionals than it is that you don't need them.
Network security for valuable data is also a very good idea if it can be implemented. This means that the network that the data is on, isn't linked to any network that connects to the WAN, and of course is not physically accessible to anyone not authorized to use it.
Large data sets with very low access rates can be airgapped by humans; request comes in for data, properly vetted human authorizes it, physically fetches the data from an off-WAN system, and moves it physically to the on-WAN system. This is expensive and slow, but serves very well to prevent wholesale loss of the large data set.
If your data is only used in-house, then neither the data source or the clients should be WAN connected, and users should be vetted and physically access-limited to whatever degree is required.
Most of this stuff is not really too hard, and you can of course take a swing at it yourself, but if it's other people's data you're dealing with rather than only putting yourself at risk... I still say consult professionals. And be prepared to spend money like it's water.
From the other end: the very le
I've fallen off your lawn, and I can't get up.
https://www.passwordstore.org/
Stores passwords as gnupg encrypted in a git repo, that you _can_ push to a publicly reachable repo, _if_ you want to synchronize. Works well with dmenu, has a firefox extension, a chrome plugin, can run on Android (with OpenKeychain and Forker) and iOS, and many other options.
I don't need a password manager. I have a little book in my home where I write down user names and passwords for all important websites I use. Try and hack that. Fat chance anyone would ever break into my home and take it, so it's worth the risk to me.
- Ben Franklin. Either he really said that, or he wrote it in his Poor Richard's Almanac. Or the internet lies.
But the idea is sound. If you want your password to remain secure, don't tell ANYONE. Not your wife/husband, not your dog, not your brother/sister, not your boss. Don't tell strangers you meet on the way to work. Don't tell the taxi driver.
And -- Don't tell strange companies whose financial success is dubious and who will eventually be forced to consider ways they can make money with the assets they control - i.e., your passwords. They might end up selling them off, for all you know. Yes /tinfoil-hat and all, but if you don't give them the password, then there's a 100% chance it won't happen.
For sites that allow long passwords (looking at you PayPal...), I use a SHA-1 hash composed of a common passphrase and a token unique to the service.
For example, if my passphrase was, "ILoveDogs", I'd combine that with something like the name of the site or service, like "/." Take a hash of the combined string, and use that for your password:
$ echo -n ILoveDogs/. | shasum
e157052633a0f658c9c0dd3f8a55e5ae8f49f2b7 -
For twitter, I might use:
$ echo -n ILoveDogstwitter | shasum
18dd3dd587f906b94d38154a525458dab8adb67e -
Note that these will remain in your bash history, so you should enable having history not remember commands if you preface them with a space, and then preface your password generating command with a space.
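The password-hasher idea described earlier in the thread (memorable passphrase + site name, hashed into a per-site password) and the shasum recipe above both boil down to a deterministic derivation. The block below is an added example written for this page, not code from any poster or from PwdHash: it reproduces the post's plain SHA-1 concatenation and puts a hardened variant next to it. The hardened variant is this example's own construction and assumes nothing about any real product: PBKDF2-HMAC-SHA256 to slow offline guessing of the shared passphrase if one site password leaks, the site name as a labelled salt so inputs cannot be re-split, and a mapping into a character set that satisfies the "mixed case, digit, symbol" rules some sites impose. The passphrase and site tokens are the post's constructed samples, not real credentials.

```python
import hashlib
import string

# Constructed sample inputs for the demonstration; they are not anyone's real
# credentials. The passphrase and site tokens mirror the ones in the post.
SAMPLE_PASSPHRASE = "ILoveDogs"
SAMPLE_SITES = ["/.", "twitter"]

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_=+"
ALL = LOWER + UPPER + DIGITS + SYMBOLS


def naive_site_password(passphrase: str, site: str) -> str:
    """The scheme from the post: SHA-1 over the bare concatenation.

    Two weaknesses are visible in the usage below: without a delimiter the
    split between passphrase and site is ambiguous, and a single unsalted,
    fast hash lets anyone holding one leaked site password brute-force the
    shared passphrase offline and then derive every other site's password.
    """
    return hashlib.sha1((passphrase + site).encode()).hexdigest()


def derived_site_password(passphrase: str, site: str, length: int = 20,
                          iterations: int = 100_000) -> str:
    """Hardened variant (this example's own construction, not PwdHash's algorithm).

    PBKDF2-HMAC-SHA256 slows offline guessing; the site name goes in as the
    salt under a fixed label so inputs cannot be re-split; the output is then
    mapped into a character set that satisfies common 'mixed case, digit and
    symbol' site rules.
    """
    salt = b"site-password-v1\x00" + site.encode()
    # Twice the length: first half picks characters, second half shuffles them.
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              iterations, dklen=2 * length)
    # Guarantee one character of each class in the first four slots, then
    # fill the rest from the full alphabet. Modulo reduction is very slightly
    # biased (256 is not a multiple of the alphabet sizes); acceptable for a
    # demonstration, but a production KDF-to-text step should use rejection
    # sampling.
    classes = [LOWER, UPPER, DIGITS, SYMBOLS]
    chars = []
    for i in range(length):
        alphabet = classes[i] if i < len(classes) else ALL
        chars.append(alphabet[raw[i] % len(alphabet)])
    # Deterministic Fisher-Yates shuffle so the class positions are not fixed.
    for i in range(length - 1, 0, -1):
        j = raw[length + i] % (i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def passes_policy(password: str) -> bool:
    """True when the password contains at least one of each character class."""
    return all(any(c in cls for c in password)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


if __name__ == "__main__":
    for site in SAMPLE_SITES:
        print(site, naive_site_password(SAMPLE_PASSPHRASE, site))
        print(site, derived_site_password(SAMPLE_PASSPHRASE, site))
    # Same bytes, different split: the naive scheme cannot tell them apart,
    # the salted derivation can.
    print(naive_site_password("ILoveDogs", "/.") == naive_site_password("ILoveDog", "s/."))
    print(derived_site_password("ILoveDogs", "/.") == derived_site_password("ILoveDog", "s/."))
```

Neither variant removes the structural risk the thread keeps coming back to: every per-site password still depends on one memorised secret, so the derivation only raises the cost of recovering that secret from a leak, it does not make the leak harmless.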
the NSA can see them on the reflections on your eyes :)
The NSA analysts are more concerned about their jilted ex-lovers to worry about you...
Use memorized unique passwords for the few important websites and 1 generic password for all non important accounts (forums, etc...). Let's be honest, the majority are accounts nobody would care about in case these are compromised or locked out. We just register a new account and cry 5 minutes for having lost our e-penis post count kudos
Maybe we just get rid of passwords altogether and use applications that use an alternative authentication method like SQRL.
I interact with customers that have moderately high security requirements, and for my own liability protection I strive to ensure I implement stronger security policy on my own self and systems than they require of me. You can ramp up password security quite a bit without creating too much of a nuisance in day to day use.
You have to use a password database. Here's why:
- Human generated passwords are notoriously insecure. Good passwords have to be truly random. Google "correct horse battery staple" for the excellent xkcd post on the subject.
- You want separate passwords for each site. A successful attack on one compromises all your other accounts that use that password, or variations of it.
- Human memory is limited. I have over 1500 entries in my password database right now.
To use a password database effectively:
- Use a good password database manager that uses quality encryption. I use pass (password-store.org) which uses GnuPG for cryptography operations. pass doesn't encrypt the password entry names -- if you care, place the password database directory on an encrypted disk, volume, or directory (encfs is nice).
- Always generate a new, unique, long and random password for each new site/account to store in the password database.
- Use two-factor authentication to access the password database. I use a Yubico key in smart card mode; my GnuPG private key material (2K or 4K RSA keys) is only available on the token, and there is no known way to extract the private keys short of an X-ray microscope.
- Use a very good passphrase for the hardware token. I find 8 word Diceware passphrases are easy enough to memorize without writing them down, and they provide over 100 bits of entropy (which is quite good). I prefer the EFF dictionary. Be sure to use a truly random set of words; don't self select!
- Never store your password database on a server or service directly connected to the public internet. I don't think the convenience is worth the risk. This means no Dropbox, no LastPass, no VPS, etc.
- Never store your password database on a smartphone. Google "Carrier IQ" for one of several issues that should lead you to the conclusion that you can't trust your phone OS with secure information.
- Don't ever use your hardware token on a computer that you don't trust. Since the passphrase is entered on the computer keyboard and passes over USB to the token, there are several ways a malicious actor with access to that computer could steal your passphrase.
Pro tips:
- Use gpg-agent to reduce the number of times you have to manually input the token's passphrase. gpg-agent has been vetted pretty well. This reduces the hassle factor without presumably decreasing security.
- Use the GnuPG SSH agent to use the keys on your hardware token to secure shell to servers you work with. GnuPG can encrypt additional SSH keys stored on disk if you prefer to have a separate set of SSH keys for public services like Github or VPSes.
- Use passmenu and xdotool with pass to provide a powerful and fast search capability that types the selected password directly into whatever has keyboard focus. This avoids using the insecure system clipboard for temporary password storage.
- Pass uses Git to store an audit log of changes to the password database. Make a backup of your pass database by simply pushing to a remote (using SSH, with key not password) that is under your physical control. Don't allow a Git viewer to access your remote to avoid alternative download methods.
- For very high security information, such as in my case customer system access, use a separate 8 word Diceware passphrase and don't store it in the password database. I find that I can remember a number of Diceware passphrases simultaneously as long as I use them semi-regularly.
https://www.xkcd.com/936/
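Two passphrase-strength claims appear in this thread: that padding an arbitrary password with a run of full stops multiplies its security, and that 8 Diceware words give over 100 bits of entropy. The block below is an added example for this page, not code from any poster or from the Diceware or EFF projects; it works the numbers out under the usual uniform-choice model and shows how a Diceware lookup key is rolled with the OS random source so the words are not self-selected. The wordlist size 7776 (6^5) is the standard Diceware list length; the 94-character printable ASCII alphabet and the padding model (the attacker must guess the filler pattern and its length) are this example's assumptions.

```python
import math
import secrets

# Size of a standard Diceware list (6^5 five-dice rolls), which is also the
# length of the EFF large wordlist referred to in the post.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

# Printable ASCII, the alphabet a "random 14-character" generator typically
# draws from (an assumption of this example).
PRINTABLE_ASCII = 94


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def padded_password_entropy_bits(base_bits: float, filler_patterns: int,
                                 pad_lengths: int) -> float:
    """Padding a fixed secret with a repeated filler adds only the entropy of
    the choices an attacker still has to guess: which filler pattern and how
    many repeats. Once the pattern is known, the filler characters themselves
    add nothing, however many of them there are."""
    return base_bits + math.log2(filler_patterns * pad_lengths)


def words_needed(target_bits: float, wordlist_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def roll_diceware_indices(words: int):
    """Produce `words` five-digit Diceware lookup keys (digits 1-6) from the
    OS CSPRNG, the electronic equivalent of rolling five dice per word. Each
    key is then looked up in the printed wordlist, so no word is self-selected."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(words)]


if __name__ == "__main__":
    print(f"8 Diceware words: {passphrase_entropy_bits(8):.1f} bits")
    print(f"14 random printable characters: {random_password_entropy_bits(14):.1f} bits")
    # A short secret padded with one of, say, 8 filler patterns at one of
    # 32 possible lengths gains only log2(256) = 8 bits, not 1000-fold.
    print(f"padded secret: {padded_password_entropy_bits(40, 8, 32):.1f} bits")
    print(f"Diceware words needed for 128 bits: {words_needed(128)}")
    print("lookup keys:", roll_diceware_indices(8))
```

The uniform-choice model is the whole point of the "don't self select" advice: the entropy figures only hold when every word is drawn from the list by dice or a CSPRNG, never picked because it looked memorable.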
Wouldn't a password manager be a good single point to attach for someone trying to get your information? Sites, usernames and passwords, all in one neat file.
Use Cryptomator on your cloud of choice (Google Drive, Dropbox, whatever). Cryptomator sets up an encrypted volume on cloud drives, much like TrueCrypt and VeraCrypt. Now store your KeePass .db file in that encrypted volume container instead of nakedly on the cloud drive. Bonus: cloud drives, Cryptomator, and KeePass are all available on Windows, Mac, iOS, and Android
From a workflow perspective, you enter your Cryptomator password to open the encrypted folder and then you will enter your KeePass master password to open KeePass. If you are lazy, you can save the Cryptomator pass so it opens every time and just enter the KeePass password. This is particularly helpful for phones.
Sidenote: I am not affiliated with any of the above. Just a happy user that it all works so nice together -- and across my many devices.
Single point of failure, not controlled by the user. Now a looseleaf binder in the bottom of a drawer, that's fully controllable. Unless there's a fire, which would also destroy a password manager on the hard drive.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Instead of storing your KeePass file directly on the cloud drive, have you considered using Cryptomator? (or another similar tool). It creates an encrypted container on your cloud drive where you can store your KeePass .db file.
I am sure KeePass crypto is strong but I don't like the idea of storing naked KeePass db files in the cloud. Bad actors are just one password away from the keys to the kingdom. With Cryptomator (or similar), they would have to also decrypt the container file before they could even get to the KeePass db.
It seems obvious to me that there's no one 'best' solution, since there's many contexts in which passwords are needed. My physical location is highly (but not perfectly) secure. The risk of storing my PWs on my machine or in the cloud and having them compromised is far higher, I believe, than having them physically stolen. People on wired home LANs (are there any of those anymore?) have a different risk profile than people who do only cloud computing & storage. The optimum solution depends on your circumstances, including what you have to lose and how secure your devices are.
And why #2?
If you don't believe in the security of strong encryption then you can't have faith in SSL, PGP, AES, etc.
A simple alternative to using simple dictionary passwords (appropriately, e.g. to unlock a more secure password manager) is to get out a map of the world, pick some region you are willing to become familiar with, and choose the name of a town or other small, obscure feature.
You will always be able to re-read that passphrase if forgotten, by searching the same regional map, and it almost certainly won't be in a language dictionary (assuming you choose wisely) as cities and town are normally not included in dictionaries save for large, well known ones.
So, instead of Zagreb (Capital city of Croatia), perhaps choose a small town near there that isn't a Croatian dictionary word, and use that. Say, "Sesvete"
Check that it isn't a dictionary word (with a Croatian dictionary) ... you don't want a town whose English translation is "Brother", for example. It will be in the dictionary.
It might take a half hour of playing around to get a decent example, but after that you have a non-dictionary word you can remember, that few, if any, others will guess, and of moderate complexity. You could also use it as a component of a more complex password that has the usual features (uppercase + lowercase + numerals + symbols).
If you want to implement such a beast, feel free to do so. Count it as "Open Source IP". :p
I personally use longish passwords that might be difficult for most people to remember, and wish most places that accept passwords would allow for more flexibility. Someone already mentioned that a lot of sites hamper the password's max size and require a mix of different type of characters. And there is no consistent rule between sites on this, either.
Probably the best approach would be to rely on multi-factor authentication. And if it's good enough for a gaming site like Steam, it should be good enough for everyone.
If you are posting in this thread and you have a password plan already.. you are years ahead of most users. If you like a complex password algorithm where you create unique passwords for everything and remember the pattern, that probably works. If you like a password manager, whether it stores locally or in the cloud, again that probably works and you are doing better than at least 90% of users.
If you don't have a password plan, your password is probably already compromised.
I'm posting as AC so obviously yes I'm slightly autistic, but I mean I'm not rain man or anything.
What exactly do people do with these things? Are there people who are really not able to remember passwords?
I use random password generators, and usually go with 14 characters unless the service doesn't allow something that long, and I have less than 20 of them to keep track of, so I just remember them.
What would a password manager do for me, everyone says they should be used, I just don't know for what.
Yeah you should use a password manager. And 2 (or multi) factor authentication. Surprised it wasn't mentioned, but I didn't read all comments.
Seems my solution is unique among Slashdotters. I use the same password for every site (with slight variations for stupid password rules). I vary the user name and email address.
Actually, the subscription thing was introduced a year ago. You can still opt for the standalone one-time license though.
1Password is moving to an all subscription pricing model. If someone has purchased 6 they'll receive all updates to 6, but that's it.
From Dave Teare directly "So no, I will not promise that 1Password 7 or 8 will allow licenses to be used instead of memberships. These releases are too far in the future to make any promises about."
Yes, 1Password 6 and later are subscription based, but 1Password 4 isn't going out of support, according to John M in support:
When we debuted our subscription service in late 2015, we didn't have a Windows app that was capable of talking to our service. Windows had also undergone a lot of technological improvements since development of 1Password 4 had started, so we decided to start fresh with a new codebase. We also took the opportunity to jump a version number or two, and name the new app "1Password 6" to match our other platforms; we figured the tradeoff of a little confusion for existing customers was worth reducing confusion for all future customers. 1Password 6 for Windows is still in active development along-side 1Password 4 for Windows - one supported app for subscription customers, one supported app for licence customers.
I thought Wine, a mostly binary compatible free reimplementation of Win32, was available for macOS. If you need to share between a key file, and KeePass for macOS cannot import databases from KeePass for Windows, try running KeePass for Windows in Wine for macOS.
Online password managers are a no no, except installed locally for a company on secure server, only accessible on the internal company lan, and using strict least access to ration passwords to employees as needed, and to rotate them.
Do not use public password managers.
Keepass, Keepass2, and related family of password managers are recommended. I also recommend saving the keepass file on an otherwise encrypted disk like a tcrypt partition, or whole disk encryption.
Ok, so you have FUD. FUD is fine as long as it's accurate, but do we have some sort of proof to point to here?
I don't have strong enough words to endorse their Watchtower service
I'd hope it doesn't have quite as much confused theology as that other Watchtower service.
KeePass. The only one I trust: open source, without subscription and NOT stored in the cloud. (Multi-platform too; I run it on Windows and Linux.)
Lol enjoy your early vulnerability panic :-D
*yearly lol
cite?
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
I use Dashlane. On three desktops, ipad, iphone and android. It syncs seamlessly across all my devices and gives me fine grain control over how secure I want individual passwords to be both when generating and when using them.