Ask Slashdot: Should You Use Password Managers?
New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do?
Yes.
http://keepass.info/
> Yes, but I'm sure a photogenic memory is super uncommon.
But my god are they beautiful to look at.
Non-network-connected password manager with no RF connectivity of any kind. Job done.
Not web nor cloud based. You make a master password, it stores a file on your hard drive containing your encrypted stuff. You can move that file anywhere and, if KeePass is installed, get your passwords on that platform.
I don't trust cloud-based password managers. Use KeePass and encrypt your keyfile with a really strong password. If you want to access your keyfile from multiple devices, sync it to the cloud with box/dropbox/gdrive/etc. Even if the keyfile is stolen, it'd be very difficult to compromise if you use a strong password.
There's several options.
(1) Don't use a lot of password protected services; that way: less to remember.
(2) Live with being occasionally hacked.
(3) The Bratva solution: someone hacks you, send someone to shoot them in the head.
I don't know about you, but I'm kind of partial to #1, with #3 being a close second. I don't particularly like #2.
Use a password manager = yes. Storing passwords online = no. If you must store in the cloud, use a different provider for the encryption than for the storage.
Website Just Down For Me? Find out
Some password managers rely on remote servers or the cloud to store your password. That is risky for two reasons. (1) A service holding passwords for many users is a more likely target for hackers than your own individual computer. (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.
You should choose a password manager application that is installed within your computer and does not rely on you having an Internet connection. The application should use a master password -- actually a master pass-phrase -- to encrypt the individual passwords. That master pass-phrase itself is not stored anywhere. Instead, if it is entered incorrectly, it fails to decrypt any passwords. By "pass-phrase", I mean a longer expression containing blanks, punctuation, etc.
Note that Mozilla-based applications have internal password managers that reflect my second paragraph above.
That's good advice. Even if there is a company you could trust, you never know when they'll be bought out, or hire someone really bad and mess things up.
say, like the site's name, and select the letters and add in numbers. I use a couple of different patterns depending on the type of site. That way I can remember tens of passwords. 99% of the time it ends up nowhere near a dictionary word and they are all 8+ characters long.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Why is lastpass a piece of crap, exactly?
+1 for 1Password.
I don't have strong enough words to endorse their Watchtower service, which tracks recent breaches, affected sites, and warns you about it so you can change your passwords on affected sites. It also reports about duplicate passwords used multiple places, last time they were changed, etc. That functionality of 1Password alone is worth the cost, especially if you have hundreds or thousands of passwords.
You can store your key database in multiple different places, you just have to choose the one you think is most secure. :)
That is what I do. Whenever I create an account I enter the password as the user name and my username as the password. I am so clever.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Hey, that's my Password (1Password)! It satisfies all the usual criteria: upper/lowercase letters, including a # and length >= 8 chars.
(j/k of course)
How much is your data worth? Back it up now.
Why the hate for cloud storage? Lastpass encrypts your passwords with your own key, that you select, and this has been proven as they released the source of their client.
Yes. I recommend Firefox's password manager which can encrypt passwords stored in your browser with a master password. Then add to that Mozilla's sync feature to store an encrypted copy of your passwords on Mozilla's server. They are stored encrypted and cannot be recovered without the sync password and e-mail access. If you don't trust Mozilla's server, despite the passwords being encrypted, they provide the open source software so you can run your own server to sync your encrypted passwords to.
If someone (you or hacker) does not know the sync password and resets the password with access to your e-mail account, it will not give them access to the passwords that were sync'd previously. This is good because it keeps a hacker from being able to just hack your e-mail account then use that to get access to all your passwords.
The issue with KeePass generally is synchronization of your password database. You can put it on a USB stick and it gets out of sync, or you can put it up in the cloud, but then it's sort of out of your control.
I use KeePass for my password database and then Syncthing to sync it on all my devices. It's light enough to work on a Raspberry Pi, so it's easy to set up a Syncthing cluster. Resilio (previously known as BitTorrent Sync) works too, but I've never tried it personally.
The result is an Open Source password manager, with a database that's synchronized between all my devices and in my control.
> Lastpass is a piece of crap.
And that's the end of the rant? Aww.
I continue to recommend LastPass. 1Password (for $70), not at all.
I've been using LastPass for years. I tried pwsafe (nice, but at the time, didn't support Mac well) and KeePass (which I didn't like for reasons that I don't quite recall now; ended up moving back to pwsafe) before I switched to LastPass.
The deciding factors were (1) LastPass Premium works on Android. (And, now, you don't need Premium; the free version also works on Android.) (2) Syncs password changes across all devices, and (3) Professional Paranoid Steve Gibson gave it his seal of approval.
Some of the others also have a way to sync across all devices now, but I haven't come across any compelling reason to switch. Though LetMeIn may be working on that one.
Just keep a tiny address book in your wallet.
Any important passwords you keep there.
The unimportant stuff can use a common password.
I like this solution, probably a little too un-'user friendly' for most though.
https://www.passwordstore.org/
Good use for an old PDA from pre-wifi. Of course if it craps out you're in deep. So make that two old PDAs from pre-wifi. You can sync it with irda or serial, which has the advantage of only working when you want it to (if that).
Liberty - Security - Laziness - Pick any two.
You had better use something in addition to that USB drive. One good static discharge and you're toast.
Use cloud storage like Google Drive or Dropbox and Keepass. It's encrypted, located locally and backed up to the cloud. Been working that way for years without any problems.
For any normal person (not rich, famous, or powerful), just storing hints in a document is good enough. Something like:
EBay kxxxxbxxxx3xxx
Where the mask character x is not precisely replacing characters.
It's enough to remind me, but not enough to aid a casual attacker.
Strange things are afoot at the Circle-K.
In as tech, Linux and retro a community as Slashdot, I give a particular shout to "pass" (passwordstore.org). It takes a little time to realize how simply powerful it is. And it's literally nothing but GPG, Git, and a long but easy-to-read Bash script. Also, it works really, really well for a team that needs a secrets vault. Back when we did that with KeePass, we'd always get out of sync. Now? It's a git merge, just like the code.
Want more advanced security than that? My team's GPG keys (and SSH keys for Git) are on smartcards (Yubikeys, to be specific), which means the actual private keys are never on our (day-to-day) computers.
In the broader sense of the question, yes, you should use a password manager. I have 300+ passwords (and password-like little bits of info). All different, all randomly generated. I never forget one. Not sure how you do that without a pw manager.
https://chriszarate.github.io/...
SuperGenPass is a different kind of password solution. Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.
SuperGenPass is a bookmarklet and runs right in your Web browser. It never stores or transmits your passwords, so it’s ideal for use on multiple and public computers. It’s also completely free and open-sourced on GitHub.
+1 for 1Password.
I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.
I'm switching to LastPass.
I use a password manager that has Windows, Linux, Android and iOS clients. They all use the same encrypted data file that I keep on my Dropbox. I keep my day-to-day, non-critical account passwords in there so I can access them easily and quickly no matter where I find myself. But I don't put the important passwords (financial accounts and the like) in there; I just remember them.
But the PRIMARY thing you can do to keep yourself safe is to "DON'T use the same password on multiple sites!" Never, EVER use the same password in your "fun" accounts and your financial logins... This is because a breach at one of these "we don't care about your security" sites is a lot bigger risk than at your bank, but if you have the same password, you just gave the crooks a very important piece of information.
Secondary to that, is keeping passwords hard to guess. If you have a manager that generates passwords for you, use it for the throw away accounts.
So, in summary. Sure, use a password manager for the trivial junk accounts, use complex passwords and keep them different. But NO, don't put your important passwords in an online storage... Develop a way to remember them and Keep those in your head.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Haha, no. For the same reason you don't keep all your valuables in one safe.
I mean, you can probably live without for a while...
I've been using password safe for over 10 years. It's works well for me, is free, was created by Bruce Schneier and keeps your passwords in a local encrypted file.
I use LastPass just fine, because every site where getting my login details would hurt, I use 2fa: Microsoft, my bank, PayPal, LastPass, Google, etc. Sure I'm picking up my phone once in a while but it's a good balance between secure and convenient. Far less secure are card details; mine got compromised recently but was detected and reversed almost immediately. Which is why I use PayPal whenever possible.
it's what I've used for years. I have a not so memorable story, take an event from that, and turn it into your password scheme.
[completely fabricated example]
In 7th grade a girl I liked (Sarah) gave a presentation on Abraham Lincoln. She was wearing a blue dress.
Four score and blue dress. FoScBlDr (8 characters, safe)
Add in a number and a symbol, because some sites require it. FoScBlDr81? [I think it was in 1981]
So, there is my starting password. Password hint = Sarah Lincoln 81, maybe SL81 for short.
6 months later, you have to change your password. Hint becomes SL82 (FoScBlDr82?)
You could cycle through to 89, then back to 81. Over time, you can morph it in other ways. Maybe put a $ in there instead of a ? for financial sites, or come up with a separate story for those.
The thing is, YOU make up the story and the cycling rules.
You can even write down your password hints, nobody would ever think "Crush 88" was actually "FoScBlDr88?"
I have used one scheme/password since 1999, and it has morphed so much that even if I told someone my original password, they couldn't guess what it is now... it's just gibberish.
My beliefs do not require that you agree with them.
The linked article informaticsDude refers to is sort of outdated for LastPass, as Anonymous Coward points out, the vulnerabilities in LastPass and others have been fixed as of 2017-03-01 as reported by Team[SIK] (https://team-sik.org/trent_portfolio/password-manager-apps/), so what's the problem now? I use LastPass.
I just write the passwords on Post-It notes and stick them to the monitor. :)
I also (as many do) tend to reuse passwords with minor variations. Most of my passwords (even in the file) are "shorthand" passwords that wouldn't work as listed in the document.
I don't understand why more people don't do this. It's easy to come up with a suitably long and random base password that you can then add minor variations to based on some algorithm to make it unique per website or service. e.g. if P@ssword1 is your base password, your slashdot login might be sP@sslword1a (sticking the first three letters of the site into the beginning, middle, and end of the password). Assuming you use an actually random base password and do something a little more sophisticated to mask where you're getting the variance from (e.g. rotate the site initials based on the value of the first one) no one is going to be able to figure out your other passwords based on seeing just one or two in the event a database with your plaintext credentials gets pwned.
Obviously that's not the be-all end-all of password security and you'd want to use truly unique passwords for important stuff (bank, email, etc.), but it works great for the 100s of unimportant/semi-important passwords that you use on a semi-regular basis without putting all your eggs in one basket like with a password manager.
I use keychain and Safari's automatic password generator. It's extremely convenient and I'm surprised no one's mentioned it here. Serious question: are there any reasons why this isn't a good idea?
1Password is garbage https://myers.io/2015/10/22/1password-leaks-your-data/
As with all things security related, the first thing you have to do is decide what kind of threats you're really worried about. If you're doing anything that might make you the target of either state backed or other deep pocketed groups that are also technically sophisticated, that's very different than if you're just some person trying to keep their banking and credit card details private. A shorter way to think of that is: is there any reason anyone rich and smart might want to spear phish you? If yes, good luck and I probably can't help you. If no, keep it simple.
Personally, I have an encrypted text file on my encrypted local PCs that I back up to an encrypted HDD. When I need to create a new password for something, I open it up, enter my one main password that I don't write down and have never told to anyone, and then enter the new site, user, and PW info. I don't use the same passwords for any site, but I do let browsers remember passwords for non-critical things (Amazon, forums and tech support stuff, etc.). Depending on the number of different devices you use and the number of different sites you consider "critical" (i.e. you don't trust a browser to remember the PW), you should only need to really remember 10 passwords. That's easily do-able, especially if they're things you use at least a couple times a month.
Assuming you've got strong and secret passwords that are unique to each critical site (banking, credit cards, social media), that's all you really need. No need to hook into any cloud based service that itself might be compromised, no need to spend any money, no need to trust the keys to your life to anyone but yourself.
I'm not against password managers. I know smart people who use them. But smart paranoia is better than general paranoia, and for most use cases they've always struck me as creating more security holes than they plug.
YMMV.
Pick even just a short password, and a consistent non-obvious way to append other data about the account. Then cat | some hashing command, type your stuff and cut/paste. Save the relevant data about the account in a text file, but not in the same format you use to append to the password and with some extra cruft. Be sure to include a rough date so you know how stale a password is.
This avoids one compromised cleartext password giving clues about others, as long as you are not so p0wned as to have someone be able to see how you generate the hash or hijack your clipboard.
Someone had to do it.
Password Managers, especially "cloud" based password management is absolute garbage.
The thing you should be doing is designing your own password algorithm
eg:
slashdotcanbiteme911
^^^^^^^^ Padding
--------^^^^^^^^ phrase you can remember
-----------------^^^ number you can increment
You use the padding word or phrase to fill out the minimum password length, typically something unique to the site that is obvious. Your phrase is something you use with all sites, and then you increment the number when you reset the password.
If you have sites that require a symbol or something, you hold the SHIFT key for one of those numbers, etc.
If you can't remember this kind of algorithm, then you should be resetting your password every time you login to a site you don't quite care about, and save your memory capacity for your bank accounts.
I personally only use password managers for decent passwords on relatively unimportant sites. And if the password manager gets lost, then I'll just have to reset some passwords.
For anything important (bank sites, root etc) I have memorized about 14 random 12-16 character passwords.
Custom electronics and digital signage for your business: www.evcircuits.com
Dashlane?
> why more people don't do this. It's easy to come up with a suitably long and random base password that you can then add minor variations to based on some algorithm to make it unique per website or service.
People DO do this. Research has shown that when implementing Password Expiration, in 80% of the time users created a new password which could be guessed by using a dictionary attack on the previous password and applying minor variations.
use pass, a gpgv2-protected password store. available packaged for most distros or direct from https://www.passwordstore.org/
graphical frontends also available for those who prefer them.
While most sites will store crypts instead of cleartext passwords, you have no way of knowing which ones don't, and those ones are more likely to be compromised. Cleartext can also be exposed easily by accident -- e.g. typing the password at a username prompt by accident, depending on how logging is configured on the service, or not caring to pay attention and do due diligence when ssh tells you a server key changed (really wish SSH would add a challenge-response protocol, but it sadly puts 100% trust in the tunnel integrity with no plan B when used with passwords.)
So discernible patterns in cleartext are something you should only use on low-priority sites.
Hashing those patterns locally before using them can add enough security for most uses, though.
Yeah, that's great. I'm in IT and my Keepass shows over one thousand entries. I use the mnemonic device method for most passwords, like (examples only) rfhpwtycg (really fucking hard password that you can't guess), or MvEmJsUn (mercury, venus, earth, etc...), oTtFfSsEnT (one, two, three, four, etc...). Using mnemonic devices helps me remember what the password is, but not where it was used. I have at least 10 gmail accounts, 20 other email accounts, and multiple accounts with Cisco, SonicWALL, Office 365, Barracuda, Hostgator, CloudFlare, AT&T, Verizon, 8x8, Register.com, etc, etc, etc... I would never even think about trying to memorize any password except the one that opens Keepass.
I used KeePass for a long time on linux, but having to use mono sucked, and I felt like there was minimal work going on with the plugin, and the software in general for that matter.
I feel like the weakest link to all password managers is the browser plugin. With that conclusion, I decided to go with LastPass, because I always see their name listed as paying well for bug bounties. I figure that significantly reduces the chances of there being a major 0 day vulnerability in their plugin over the other guys who in general have pretty lackluster dev cycles, and don't seem to have much of a bug bounty presence.
I also do things like: require multi factor, don't auto load passwords on any sites, etc to mitigate my risk using lastpass.
It's a risk - lastpass is a big target, but it seems like they do a good job of taking security seriously, so I decided I was better off with my passwords stored in a world that is actively attacked, but also actively defended instead of a world that is mostly ignored.
-- "I feel a strong disturbance in the for.."\*Segmentation Fault*\ (core dumped)
Which is one reason why expiring users passwords too often leads to insecure passwords. If your password is going to last for a year, you might use a 20 character string including various special characters and caps/lower case mixing. If your password needs to be changed every month, you'll get the PASSWORD1, PASSWORD2, PASSWORD3, etc. variations.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
So I have used Roboform for God knows how long; it syncs across all my devices. Up until recently (the last version), you could stick a copy on a USB stick and it would allow you to load up an instance on a computer that didn't have Roboform installed. And when you took the USB out, the app disappeared. I have something like 500 different passwords managed with it.
But - I also provide every site a separate e-mail.
slashdot@nuttybee.com
yahoo@nuttybee.com
If slashdot@nuttybee.com starts getting Viagra spam, there's a good chance that they got my address from Slashdot. And when that happens, I TKO the address; it goes directly to trash.
If you're lucky enough to figure out my login - slashdot@nuttybee.com and my password '3l13t3haxor', it is usable at absolutely zero other sites.
I also use password safe. And I use it with a Yubikey for 2FA. Works both with my phone and my PC.
I am surprised no one has endorsed PasswordSafe yet! Written originally by Bruce Schneier, open source, and ported to Android which lets me sync my pwd database files between devices via Dropbox. I've been using it for years and plan to continue.
Since starting to use it on my mobile, I've segregated my database a bit to prevent a total breach in case my phone were compromised. I have my "lower security" internet website passwords that I need on the go in one file. And I have my financial passwords (which also stores account and credit card numbers that I might need in an emergency) in another file. And then on my PC there is a master file that has all these plus a ton of other accounts I've collected over the years but don't see the need to take on the road in my phone. Each database has a different unlock password, and those are all I have to remember.
Why not just use an app???
Yeah, your system seems equally as secure, but harder to use. You have to enter two different passwords and then navigate what, a text file, to copy and paste the info?
With PasswordSafe (open source by Bruce Schneier) I unlock once with my master password and then type the first few letters of the entry I want, and in a series of key combinations that I've done so many times they take me literally less than 2 seconds I can open the associated URL in my browser and copy/paste the username and password. And no, none of this involves having the browser remember anything.
One drawback is if a website has its database compromised or for some other reason you need or want to change your password. Do you use a different base password for that one site, or different rules for altering it? How do you remember which sites are still using the old way and which ones are on the new way? What if you have to change password X a second time, and now you have sites using three different algorithms or base passwords. It could pretty easily become a mess.
Wow! 12 characters. That sounds super secure against hacks... if it were still 1993!
OK, sorry for the snark, but seriously, rainbow tables have you pwned out to 16 characters easily nowadays.
From what I have read, 21-25 characters minimum is what you need to be doing now for security against brute force / dictionary attacks now that hackers are using cloud resources to attack them.
I'm sad that Passopolis/Mitro hasn't gotten more love after the Mitro team open sourced it, and We Are Wizards took it over. Mitro was great before Twitter acquired the team behind it. Sadly, Passopolis has never bothered to get the Android client working again. I looked at building it myself, but the toolchain is ancient by Android standards.
https://passopolis.com/
https://en.wikipedia.org/wiki/...
Mitro uses Google's Keyczar on the server and Keyczar JS implementation on the browser.
Master key is a 128-bit AES key derived using PBKDF2 (SHA-1; 50000 iterations; 16 salt bytes)
RSA with 2048-bit keys using OAEP-SHA1 (separate signing and encryption keys)
AES with 128-bit keys in CBC mode with PKCS5 padding
All encrypted data includes a MAC (HMAC-SHA1)
I like it because you can use it for more than just passwords. You can store bookmarks and files in it too. I don't trust bookmark sync. I'd never use browser extensions for sensitive information because that info is only as secure as the weakest link, be it the extension or web browser. I also never use a cloud service to store the database files. Surely if something is important, you can remember a single password and where you keep a flash drive. KeePassX also allows the use of key files as a password. You can have it as both so if the password is compromised, they still need the file. This way, you can use a cloud service but it will only open on your computer. You could also keep them on separate services. What I do is create a dummy KeePassX database and key file and edit it with more random string stuff and then create the real KeePassX database and use the edited key file from before. It's only 44 characters long if you don't. 4096 that sucker! You could maybe also use Steganography to hide the key file within the icon of the database file if separate cloud storage is too much.
Not in a million years.
Finally! Other people doing security right!
I have 1,200+ passwords in PasswordSafe. Each one is generally 25 (for the oldest) or more characters randomly generated by password safe itself. URL is stored for each one so that with three hotkeys, I have opened the website and pasted the username and password in under 2 seconds.
The passwordsafe itself is secured with a 6-7 word diceware passphrase.
Can be synced to my android device which has a password safe port, including a keyboard integration that keeps the password off the clipboard memory.
I am shocked by the number of slashdot users who think an 8, 12, or 16 character random password or one they permuted off a common root structure is secure.
Bush league psyche-out shit, man. Hah! Laughable!
Load the app on the same usb as you keep your DB. Execute from the USB. Loading a keylogger which opens Keepass is not too complex. *think NSA and CIA snooping*
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Use a passphrase made up of the first letter from a phrase, such as: MGai4meO... is "My Gmail account is for my eyes only" (the periods are simply extra fluff which add to the complexity).
And congratulations, your high "complexity" 11 character password has just been solved by a rainbow table in less than 3 seconds.
Actually using the phrase instead you would have been literally a million times safer.
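The back-and-forth above (12 vs 16 vs 21-25 characters, a 6-7 word Diceware passphrase, and the acronym password "MGai4meO...") is easier to reason about with the numbers in front of you. The following calculator is an added example written for this page, not code from any poster or product: it computes the entropy of a secret chosen uniformly at random from an alphabet and the time an attacker would need to exhaust that space at an assumed offline guess rate. The guess rate of 1e10/s is my assumption for a fast, unsalted hash; a salted slow hash (bcrypt, scrypt, Argon2) lowers it by orders of magnitude, and salting is also what makes precomputed rainbow tables useless. Function names and the candidate table are mine.

```python
import math

# Assumed attacker throughput against a fast, unsalted hash (constructed figure).
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each drawn uniformly
    from an alphabet of `alphabet_size`. Only valid for random choice:
    a human-chosen acronym of a sentence is NOT 11 uniform draws from 94
    symbols, its real entropy is that of the sentence, which is far lower."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every secret in a space of 2**bits entries.
    The expected time to hit the right one is half of this."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(candidates: dict) -> dict:
    """candidates maps a label to (alphabet_size, length);
    returns label -> (bits, years_to_exhaust)."""
    result = {}
    for name, (alphabet, length) in candidates.items():
        bits = entropy_bits(alphabet, length)
        result[name] = (bits, years_to_exhaust(bits))
    return result


# Constructed comparison table: 94 = printable ASCII, 62 = alphanumerics,
# 7776 = the standard Diceware word list size.
CANDIDATES = {
    "8 random alphanumerics":     (62, 8),
    "12 random printable ASCII":  (94, 12),
    "16 random printable ASCII":  (94, 16),
    "6-word Diceware passphrase": (7776, 6),
    "7-word Diceware passphrase": (7776, 7),
}

if __name__ == "__main__":
    for name, (bits, years) in compare(CANDIDATES).items():
        print(f"{name:28} {bits:6.1f} bits   {years:12.3g} years to exhaust")
```

Two things the table makes visible: a 12-character random printable-ASCII password (about 78.7 bits) and a 6-word Diceware passphrase (about 77.5 bits) are roughly equivalent, so the real question is which of the two you can actually type and remember; and every figure assumes uniform random choice, so a pattern-derived password (acronyms, site-name variations, a root with an incrementing number) should be treated as much weaker than its length suggests.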
At FOSDEM 2017 I attended a session about the Mooltipass hardware password manager. The speaker talked about his successful Kickstarter campaign for the Mooltipass and how he verified the integrity of every step of the process. The device is open source hardware that is assembled and tested with a tamper-evident case. It attaches via USB and uses a chip-and-PIN smartcard to store encrypted passwords. You can check it out here: https://www.themooltipass.com/
"Tempt not a desperate man" - Willy S.
Modern electronics have sufficient ESD protection that I wouldn't really worry about that. I'd be much more concerned about losing it.
Also, OP mentioned backups.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
Password managers, especially cloud-based, provide a huge honey pot for hackers. Regardless of the encryption algorithm used, there is ALWAYS a weak link in the chain somewhere. Remember Heartbleed, or the LastPass hack of 2016?
If you must use a password manager, use a lesser-known one, because these will be a less-attractive target for hackers. Or try storing password hints, so the actual password isn't stored anywhere.
I am mind-boggled that even banks do not allow complex passwords. The use of long phrases can help. For example "Phil and Bill went up the hill to fetch a bucket of blood1938." should be really hard to crack. The ASCII symbols are also a great way to build a really complex password. I can understand why small companies do not have software that is long or complex password tolerant, but major businesses should all be so equipped. Long phrase passwords should require so much effort to crack that almost nobody would even try, and they can be really easy to remember as well.
A password hasher takes a password that you can remember, the domain you need the password for and cryptographically hashes them together to generate a secure, site specific, password.
There are browser plugins that can intercept your weak-used-a-lot password on webforms and replace them on the fly with the strong, per site, password.
Nothing is ever stored, all you do is remember a few easy to recall passwords.
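The password-hasher idea described here (and the "cat | some hashing command" and "hash those patterns locally" suggestions earlier in the thread) can be made concrete. What follows is an added example written for this page, not SuperGenPass's code or any project's: it derives a site-specific password from a master secret and the normalized site domain with PBKDF2-HMAC-SHA256, maps the output bytes onto a 64-symbol alphabet (so the modulo step adds no bias), deterministically re-derives until a simple character-class policy is met, and carries a `generation` counter so one site's password can be rotated after a breach without changing the master, which is the drawback another poster raised about pattern schemes. The function names, the salt label, the 100,000-round count and the alphabet are my assumptions.

```python
import hashlib
import string
from urllib.parse import urlparse

# 64 symbols: 256 % 64 == 0, so "byte % 64" introduces no modulo bias.
# Assumed alphabet; narrow it for sites that forbid "-" or "_".
CHARSET = string.ascii_letters + string.digits + "-_"


def normalize_domain(site: str) -> str:
    """Reduce a URL or bare host to a lower-case host without a leading www,
    so "https://www.Example.org/login" and "example.org" derive the same password."""
    host = urlparse(site if "://" in site else "//" + site).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def meets_policy(candidate: str) -> bool:
    """Minimal policy most sites accept: at least one lower, one upper, one digit."""
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def derive_site_password(master: str, site: str, length: int = 20,
                         generation: int = 1, rounds: int = 100_000) -> str:
    """Deterministic per-site password: nothing is stored, only the master
    secret (and the generation number, which is not secret) must be remembered.
    Bumping `generation` rotates that one site's password without touching others."""
    domain = normalize_domain(site)
    if not domain:
        raise ValueError("could not extract a host name from %r" % (site,))
    for attempt in range(64):
        # Domain, generation and attempt go into the salt; the master is the secret input.
        salt = f"pwhash-v1|{domain}|{generation}|{attempt}".encode("utf-8")
        key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, rounds,
                                  dklen=length)
        candidate = "".join(CHARSET[b % 64] for b in key)
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no policy-conforming candidate found")  # practically unreachable


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed example master secret
    for site in ("https://www.slashdot.org/story/1", "slashdot.org", "example.com"):
        print(f"{site:34} {derive_site_password(master, site)}")
    print("example.com after rotation:", derive_site_password(master, "example.com",
                                                              generation=2))
```

The defender's caveat that goes with any scheme like this: the master secret is a single point of failure, and an attacker who obtains one derived password (from a site that stored it in cleartext) can guess the master offline against it, so the master must be a long passphrase and the round count as high as you can tolerate per login. The `generation` counter is the part deterministic schemes usually lack; without it, a forced password change at one site forces you to change the master everywhere.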
Field input limitations make using phrases as passwords a limited option. Did you really crack "MGai4meO..." in less than 3 seconds? I suspect hyperbole. This is a frequently discussed topic. In my experience, when cracking, I must introduce character sets, depending upon language spoken / keyboard layout. "Horse battery yeah whatever" is already loaded as the ASCII character set (128 characters). Add in a few non-ASCII symbols from the full ISO 8859-1 character set (try Japanese) and the software requires a bit more time because the full character set is larger than the ASCII character set (63 characters more?). Even hashes and ampersands required a tick box in L0pht to add as a character set. Alas, now we are back to field input limitations. If we could use Japanese characters with a 64-bit field length, well, that would make for some interesting passwords, if they were stored correctly.
correction: 256 bit field lengths.
No. (Ian may now sleep in peace)
Slashdot, fix the reply notifications... You won't get away with it...
I too use 1Password with DropBox integration vs their pay to play cloud service. I pay nothing and it updates DropBox which is accessible to all of my clients quickly. It can be used for secure notes and other things so all of those security questions that you do NOT put in truthful answers for can be remembered :) My passwords are generated by a different app and I use different passwords for nearly every site now. Get hacked once and you learn the hard way - took me an entire day to track down most of my accounts and fix them!
Someone below mentioned it leaking metadata through a .js file - that file doesn't exist on my Dropbox, and the .js files that do exist don't contain anything in cleartext.
Build it, Drive it, Improve it! Hybridz.org
My personal choice:
1. Use password manager (I use KeePass, but other ones are no worse).
2. NEVER-NEVER-NEVER let your encrypted password database leak to a server you don't own, like Dropbox, Google Drive and so on. Only direct rsync/scp from one machine you own to another.
3. If you need to access some account from a machine you don't trust completely (such as your girlfriend's computer - you may ultimately trust her good intentions but not be so sure about her sysadmin skills), don't plug the USB drive with your password database in. Open the password manager on your phone or tablet, look up the password you need and type it into the untrusted computer by hand.
1Password also does something unique. It is able to store your Google Authenticator 2FA keys. That, and allow export in a text format, so you can input them into another authentication app if needed. There are other apps which can back up the 2FA keys like Authy, but the backups are only accessible to the app itself.
Yes, 1Password has had flaws, which were corrected, but it works well, and allows one to store the PW data on a cloud provider of choice.
I assume you trust your IP TV too...
Everything I write is lies, read between the lines.
I have a new revolutionary service that beats all competition; we store all your passwords and all your money and belongings. Give me a call ASAP please.
Dale's article is from October 22, 2015.
Changing to opvaults appears to have addressed the issue, which was with metadata and not actual password data.
Just sayin'.
+1 for 1Password
Another technique for strengthening a password is simply to pad it generously. Probably one of the most secure passwords you can ever have is just 30-40 full stop characters, because it's the least likely to get brute-forced. So if you have decided on some arbitrary password AsDeFeGeLe9, you can pad it to increase the length by 14 and multiply the security 1000-fold, like so: AsDeFeGeLe9.............. or AsDeFeGeLe9-0-0-0-0-0-0-0
Maybe he's Willy from the original V series. He also had a peculiar memory.
And on the Eighth Day, Man created God.
You only need password managers if you cannot remember your passwords. And you probably cannot remember your passwords because of ridiculous password requirements made up by people that don't read xkcd. Just avoid those systems and use long but easy to remember passwords. Problem solved.
0x or or snor perron?!
I use and strongly recommend https://www.passbolt.com/
Never store important passwords electronically.
By all means use the password manager built into your browser for very low security systems if you like the convenience.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
I used to use shorthand passwords that were reminders (first letter of one of a selection of base words, with a random five digit number at the end).
In the end it was the convenience of being able to copy and paste the full password that made me switch to storing the actual password. Especially on a phone, where typing a complex password is a pain.
Sigs are so 1990s. No way would I be seen dead with one.
Another good reason for using a password manager has to do with death. The executor of my estate has my master pass phrase to the LastPass account with all my financial and social account details. Should I die (when I die), it will be a simple matter for him to clean up my estate. I also have the master password for my Dad's online password manager, as I'm his executor. These passwords are stored offline and not easily recognized as a pass phrase.
Apple iCloud Keychain for me. I don't trust LastPass etc. because they are smaller 3rd party solutions funded on a budget; one day they'll be hacked. Apple have infinite $, so I trust they are throwing tons of resources at keeping iCloud Keychain secure. Non-Apple OSes are excluded of course, but that isn't an issue for me.
Or 3. You lie. Source?
+1 for 1Password.
I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.
I'm switching to LastPass.
Actually, the subscription thing was introduced a year ago. You can still opt for the standalone one-time license though. Response on a support ticket on their site:
Password standalone licences are still available for sale; our subscription accounts offer many advantages compared to a standalone licence, and so for almost everyone a subscription account is the best way to go.
And of course there is a dark side to it.. Answer for me is yes though.. Pass (https://www.passwordstore.org/) does it nicely with great Git integration.
With browser and Android integration. I'm only frustrated that the browser plugin is not available for Firefox on Android.
>/dev/null 2>&1
Not to mention that any website that is not locking your account out after multiple failed attempts (or at least notifying you) has a major security issue. I want my account locked and an email sent to me after 3 failed password attempts.
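The lockout-and-notify behaviour the comment asks for, as an added example that is not code from the post or from any real site: failures are counted per account inside a sliding window, the account is locked for a bounded period once the threshold is hit, and a notification event is emitted at that moment. The class and method names are hypothetical; the injected clock exists so the behaviour can be exercised without waiting.

```python
import time
from collections import deque


class FailedLoginTracker:
    """Per-account failed-login counter with time-limited lockout.

    threshold     failures inside `window` seconds that trigger a lock
    lock_duration seconds the account stays locked (bounded, so an attacker
                  spamming bad passwords cannot lock the owner out for good)
    now           clock function, injectable for tests
    """

    def __init__(self, threshold=3, window=900, lock_duration=900, now=time.time):
        self.threshold = threshold
        self.window = window
        self.lock_duration = lock_duration
        self._now = now
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> unlock time
        self.events = []         # (account, event, ts); a real site would e-mail the owner here

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() >= until:               # lock expired: clean up and allow
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        now = self._now()
        if self.is_locked(account):
            return True
        attempts = self._failures.setdefault(account, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:   # drop stale failures
            attempts.popleft()
        if len(attempts) >= self.threshold:
            self._locked_until[account] = now + self.lock_duration
            self.events.append((account, "locked", now))       # notification hook
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

    def attempt_login(self, account: str, password_ok: bool) -> str:
        """Combine the checks the way a login handler would. Returns
        'ok', 'denied' (bad password) or 'locked'. A correct password is
        still refused while the lock is active, so guessing cannot be
        confirmed during the lock."""
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self.record_success(account)
            return "ok"
        return "locked" if self.record_failure(account) else "denied"


if __name__ == "__main__":
    t = FailedLoginTracker()
    for _ in range(3):
        print(t.attempt_login("alice", False))
    print(t.events)
```

The lock is deliberately time-limited and the failure window slides: a permanent lock after three failures hands anyone who knows your username a trivial way to keep you out of your own account, while a short lock plus the notification still gives the owner the signal the comment is asking for.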
There are two cases, physically secure, and not:
If you're physically secure, you can use a simple notebook. This is unhackable from the network, and allows you to keep distinct passwords for everything. You can also use a separate desktop with no network communications and a password manager in this case, but of course that's much more expensive and generally requires more desk space. Backups become an issue as well. Whereas a notebook... other than physical disaster like fire or flood, quite robust. A phone is network connected whether you want it to be or not, whether the phone number is active or not, whether it's in airplane mode or not. State actors (and highly sophisticated private ones) can get into any even slightly recent phone that still has antennas and a live battery. So don't use a phone. Of course, if your computer is hacked, then any password you type in after the hack should be considered immediately compromised, because it probably is.
If you're not physically secure, but are concerned about real security and on a low or zero budget, then optimally, you won't be surfing all over the place, and will limit the number of passwords you need to the places you actually need to go. Then you can probably hold them in your own memory.
If you can't do that, then you may want to consider a robust safe, or a desk with professional level security, which basically means, it has a safe in it that can't be gotten out of it without making a noticeable disturbance. An alarm system backing this up is a good idea.
If you can't arrange for a safe, then we're down to password managers. The problem with a password manager is that typically everything depends upon a single access sequence; so in this case, you'd better be sure that your access to the manager is quite difficult. Which is annoying. But still best practice. You also need to hope there isn't some kind of back door that whoever you are concerned about has access to. Personally, I don't put much stock in such a hope. Admittedly, I'm a cynic.
It's worth talking about what "physically secure" means here. In the case of most law-abiding individuals, no one cares enough to ever come to your place and physically access your passwords. You are secure by default from external threats. Although you should consider family and friends. If there is any actual reason to worry about external threats, then you're part of this next case regarding physical security:
In the case of a person or organization with access to serious computing resources or valuable data, physical security means robust physical locks at the very least, escalating through guards, alarm systems, timed access, and so forth. You should consult professionals if you want this to really be effective. Protip: If you think you know how to get this handled, that's more likely a sign that you really should consult professionals than it is that you don't need them.
Network security for valuable data is also a very good idea if it can be implemented. This means that the network that the data is on, isn't linked to any network that connects to the WAN, and of course is not physically accessible to anyone not authorized to use it.
Large data sets with very low access rates can be airgapped by humans; request comes in for data, properly vetted human authorizes it, physically fetches the data from an off-WAN system, and moves it physically to the on-WAN system. This is expensive and slow, but serves very well to prevent wholesale loss of the large data set.
If your data is only used in-house, then neither the data source or the clients should be WAN connected, and users should be vetted and physically access-limited to whatever degree is required.
Most of this stuff is not really too hard, and you can of course take a swing at it yourself, but if it's other people's data you're dealing with rather than only putting yourself at risk... I still say consult professionals. And be prepared to spend money like it's water.
From the other end: the very le
I've fallen off your lawn, and I can't get up.
I don't need a password manager. I have a little book in my home where I write down user names and passwords for all important websites I use. Try and hack that. Fat chance anyone would ever break into my home and take it, so it's worth the risk to me.
I do sentences only for important passwords. Something like: When I went to bed I saw 7 little orange elephants! And I typically don't write those down, I just remember them (I just have 3 or 4 important passwords/phrases to remember; the rest is pretty much irrelevant). If I have to change the important passwords, I change the number in there. Or when I have 2 numbers in there, I change one up by 1 and the other down by one.
the NSA can see them on the reflections on your eyes :)
The NSA analysts are more concerned about their jilted ex-lovers to worry about you...
Maybe we just get rid of passwords altogether and use applications that use an alternative authentication method like SQRL.
Wouldn't a password manager be a good single point to attach for someone trying to get your information? Sites, usernames and passwords, all in one neat file.
Use Cryptomator on your cloud of choice (Google Drive, Dropbox, whatever). Cryptomator sets up an encrypted volume on cloud drives, much like TrueCrypt and VeraCrypt. Now store your KeePass .kdbx file in that encrypted volume container instead of nakedly on the cloud drive. Bonus: cloud drives, Cryptomator, and KeePass are all available on Windows, Mac, iOS, and Android.
From a workflow perspective, you enter your Cryptomator password to open the encrypted folder and then you enter your KeePass master password to open KeePass. If you are lazy, you can save the Cryptomator pass so it opens every time and just enter the KeePass password. This is particularly helpful for phones.
Sidenote: I am not affiliated with any of the above. Just a happy user that it all works so nice together -- and across my many devices.
Single point of failure, not controlled by the user. Now a loose-leaf binder in the bottom of a drawer, that's fully controllable. Unless there's a fire, which would also destroy a password manager on the hard drive.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Instead of storing your KeePass file directly on the cloud drive, have you considered using Cryptomator? (or another similar tool). It creates an encrypted container on your cloud drive where you can store your KeePass database file.
I am sure KeePass crypto is strong, but I don't like the idea of storing naked KeePass db files in the cloud. Bad actors are just one password away from the keys to the kingdom. With Cryptomator (or similar), they would have to also decrypt the container file before they could even get to the KeePass db.
This is interesting to me because of the addition of the hash process. Otherwise, since you must reasonably assume eventually some of your passwords will be compromised in plaintext, your homegrown password generation routine would be relatively trivial to solve for anyone targeting you individually.
Not random... permuted off a common root structure.
I should have been clearer, meaning these schemes "look" random at a glance.
A simple alternative to using simple dictionary passwords (appropriately, eg to unlock a more secure password manager) is to get out a map of the world, pick some region you are willing to become familiar with, and choose the name of a town or other small, obscure feature.
You will always be able to re-read that passphrase if forgotten, by searching the same regional map, and it almost certainly won't be in a language dictionary (assuming you choose wisely), as cities and towns are normally not included in dictionaries save for large, well known ones.
So, instead of Zagreb (Capital city of Croatia), perhaps choose a small town near there that isn't a Croatian dictionary word, and use that. Say, "Sesvete"
Check that it isn't a dictionary word (with a Croatian dictionary)... you don't want a town whose English translation is "Brother", for example. It will be in the dictionary.
It might take a half hour of playing around to get a decent example, but after that you have a non-dictionary word you can remember, that few, if any, others will guess, and of moderate complexity. You could also use it as a component of a more complex password that has the usual features (uppercase + lowercase + numerals + symbols).
If you want to implement such a beast, feel free to do so. Count it as "Open Source IP". :p
I personally use longish passwords that might be difficult for most people to remember, and wish most places that accept passwords would allow for more flexibility. Someone already mentioned that a lot of sites hamper the password's max size and require a mix of different type of characters. And there is no consistent rule between sites on this, either.
Probably the best approach would be to rely on multi-factor authentication. And if it's good enough for a gaming site like Steam, it should be good enough for everyone.
If you are posting in this thread and you have a password plan already.. you are years ahead of most users. If you like a complex password algorithm where you create unique passwords for everything and remember the pattern, that probably works. . If you like a password manager, whether it stores locally or in the cloud, again that probably works and you are doing better than at least 90% of users.
If you don't have a password plan, your password is probably already compromised.
Actually, the subscription thing was introduced a year ago. You can still opt for the standalone one-time license though.
1Password is moving to an all subscription pricing model. If someone has purchased 6 they'll receive all updates to 6, but that's it.
From Dave Teare directly "So no, I will not promise that 1Password 7 or 8 will allow licenses to be used instead of memberships. These releases are too far in the future to make any promises about."
Yes, 1Password 6 and later are subscription based, but 1Password 4 isn't going out of support, according to John M in support:
When we debuted our subscription service in late 2015, we didn't have a Windows app that was capable of talking to our service. Windows had also undergone a lot of technological improvements since development of 1Password 4 had started, so we decided to start fresh with a new codebase. We also took the opportunity to jump a version number or two, and name the new app "1Password 6" to match our other platforms; we figured the tradeoff of a little confusion for existing customers was worth reducing confusion for all future customers. 1Password 6 for Windows is still in active development alongside 1Password 4 for Windows - one supported app for subscription customers, one supported app for licence customers.
I thought Wine, a mostly binary compatible free reimplementation of Win32, was available for macOS. If you need to share a key file, and KeePass for macOS cannot import databases from KeePass for Windows, try running KeePass for Windows in Wine for macOS.
Ok, so you have FUD. FUD is fine as long as it's accurate, but do we have some sort of proof to point to here?
I don't have strong enough words to endorse their Watchtower service
I'd hope it doesn't have quite as much confused theology as that other Watchtower service.
cite?
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for
I use Dashlane. On three desktops, iPad, iPhone and Android. It syncs seamlessly across all my devices and gives me fine-grained control over how secure I want individual passwords to be, both when generating and when using them.