
Ask Slashdot: Should You Use Password Managers?

New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do?

  1. Should You Use Password Managers? by Anonymous Coward · · Score: 5, Insightful

    Yes.

    1. Re:Should You Use Password Managers? by 93+Escort+Wagon · · Score: 5, Funny

      Ian Betteridge's head just exploded.

      --
      #DeleteChrome
    2. Re:Should You Use Password Managers? by belthize · · Score: 5, Funny

      Some day I hope to see a submission with the headline: "Is Ian Betteridge's Law of Headlines Real?". Sure, it might break the universe, but it's a risk we should be willing to take in the pursuit of truth.

    3. Re:Should You Use Password Managers? by Anonymous Coward · · Score: 5, Informative

      I agree. I use KeePass *without* the browser integration extension. I let my browser store passwords for unimportant things like forums but I always manually copy passwords from my KeePass database for things like email, shopping and banking sites.

    4. Re:Should You Use Password Managers? by Aighearach · · Score: 5, Insightful

      While I share the distrust of the browser storage, I also don't trust the OS or GUI system to protect the clipboard.

    5. Re:Should You Use Password Managers? by vtcodger · · Score: 2

      Probably you shouldn't trust the OS or the window manager to protect anything. Not that they won't try. But if we have learned anything, it is that the population of vulnerabilities in virtually all software and hardware is very large. Fixing the known problems will take years. Fixing all the problems much longer. Moreover, "they" probably don't need to know our passwords. Any website viewed, or email opened, or application acquired and run can potentially download a nasty that will escalate its privileges and take over the computer. They don't need no steenking passwords to get at our treasures. Moreover, in the case of financial stuff, the bank or whatever itself can be hacked.

      Really, there's literally no place to hide. We're all likely going to be hacked sooner or later. If we haven't been already.

      Perhaps it's time to stop pretending that passwords, ACLs, user privileging, etc. can keep us all safe. They really can't. Instead, perhaps we should focus on balancing usability against opening our affairs to all and sundry, and on keeping stuff we don't want hacked (ballots, for example) on paper or other non-digital media.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  2. keepass by Anonymous Coward · · Score: 5, Informative

    http://keepass.info/

    1. Re:keepass by sexconker · · Score: 5, Informative

      I also vote for KeePass. It's very nice and very extensible.

    2. Re:keepass by war4peace · · Score: 5, Funny

      KeepAss keeps your ass secure.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    3. Re:KeePass by PsychoSlashDot · · Score: 3, Informative

      "i dont trust the cloud, but use the cloud"

      k

      You're either being deliberately ignorant, or the point hasn't been made clear to you. I'll try to help.

      With cloud-based password managers, your data is at risk. If they are hacked - and because they are online, they are vulnerable to attacks - your data is compromised unless it is always encrypted. In essence, you're trusting that they will never be hacked, and that if they are, they followed best practices to protect your data.

      With Keepass, even if the cloud-storage you use is hacked, you know the data isn't accessible because it's strongly encrypted. Because you did it.

      So yeah, the original comment makes perfect sense.

      --
      "Oh no... he found the .sig setting."
    4. Re:keepass by Jesus_666 · · Score: 2

      The KeePass database format is documented and a de-facto standard. There are independent implementations for non-Windows platforms such as KeePassX. The KeePass download page links to a whole bunch of them.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  3. Re:1Password by Anonymous Coward · · Score: 5, Funny

    > Yes, but I'm sure a photogenic memory is super uncommon.

    But my god are they beautiful to look at.

  4. KeePass for me by Snotnose · · Score: 4, Informative

    Not web nor cloud based. You make a master password, it stores a file on your hard drive containing your encrypted stuff. You can move that file anywhere and, if KeePass is installed, get your passwords on that platform.

  5. KeePass by Anonymous Coward · · Score: 2, Insightful

    I don't trust cloud-based password managers. Use KeePass and encrypt your keyfile with a really strong password. If you want to access your keyfile from multiple devices, sync it to the cloud with box/dropbox/gdrive/etc. Even if the keyfile is stolen, it'd be very difficult to compromise if you use a strong password.

  6. There's several options. by tlambert · · Score: 4, Funny

    There's several options.

    (1) Don't use a lot of password protected services; that way: less to remember.

    (2) Live with being occasionally hacked.

    (3) The Bratva solution: someone hacks you, send someone to shoot them in the head.

    I don't know about you, but I'm kind of partial to #1, with #3 being a close second. I don't particularly like #2.

    1. Re:There's several options. by war4peace · · Score: 4, Insightful

      With every fucking site on the Internet now requiring you to have an account to even take a look at stuff (MassDrop, looking at ya), #1 is a no-go.
      #2 is actually a valid option if you split your accounts into 3 main types:

      - accounts essential to my well-being (mail, bank, etc) which mandate complex, unique, memorized passwords + 2-step authentication;
      - accounts which are important but not essential (e.g. Steam), which mandate unique passwords with 2-factor auth but can be kept in a password manager;
      - finally, crap that nobody gives a fuck if hacked (e.g. Slashdot, niah niah). But seriously, "that odd forum which I had to make an account on to ask a once-in-a-decade question and never visited again" fits the bill. Those can have relatively simple, non-unique passwords kept in Chrome's password list. So what if they get hacked?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    2. Re:There's several options. by aaarrrgggh · · Score: 3, Insightful

      In terms of execution, I break your three categories into:
      -Memorized passwords with hard-copy password in a book someplace
      -OSX Keychain
      -Passwords saved in browser.

      The OSX keychain is the weakest link unfortunately, although it pretty much requires local access to defeat. I used a Yubikey for a while, but it was just too much of a pain for day-to-day use.

      Ultimately, the weak link is my wife... who does not know how to secure all her passwords properly. When two different people need access to the same information security becomes an order of magnitude more difficult to achieve. I wish bank and brokerage accounts allowed one user "read only" access and the other the right to modify stuff.

  7. Use a password manager, don't store online by slazzy · · Score: 4, Insightful

    Use a password manager = yes. Storing passwords online = no. If you must store in the cloud, use different providers for the encryption than for the storage.

    --
    Website Just Down For Me? Find out
  8. Use a Local Not a Remote Password Manager by DERoss · · Score: 5, Insightful

    Some password managers rely on remote servers or the cloud to store your password. That is risky for two reasons. (1) A service holding passwords for many users is a more likely target for hackers than your own individual computer. (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.

    You should choose a password manager application that is installed within your computer and does not rely on you having an Internet connection. The application should use a master password -- actually a master pass-phrase -- to encrypt the individual passwords. That master pass-phrase itself is not stored anywhere. Instead, if it is entered incorrectly, it fails to decrypt any passwords. By "pass-phrase", I mean a longer expression containing blanks, punctuation, etc.

    Note that Mozilla-based applications have internal password managers that reflect my second paragraph above.

    1. Re:Use a Local Not a Remote Password Manager by nasch · · Score: 3, Informative

      > (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.

      I think LastPass will still work if the server goes down, you just can't sync your vault; perhaps others work that way too. At the least, a service could be designed that way even if LP isn't.

  9. Re:Dont use lastpass by Anonymous Coward · · Score: 3, Interesting

    Why is lastpass a piece of crap, exactly?

  10. Re:Dont use lastpass by mattyj · · Score: 2

    +1 for 1Password.

    I don't have strong enough words to endorse their Watchtower service, which tracks recent breaches, affected sites, and warns you about it so you can change your passwords on affected sites. It also reports about duplicate passwords used multiple places, last time they were changed, etc. That functionality of 1Password alone is worth the cost, especially if you have hundreds or thousands of passwords.

    You can store your key database in multiple different places, you just have to choose the one you think is most secure. :)

  11. Use firefox master password with mozilla sync by Vairon · · Score: 3, Interesting

    Yes. I recommend Firefox's password manager which can encrypt passwords stored in your browser with a master password. Then add to that Mozilla's sync feature to store an encrypted copy of your passwords on Mozilla's server. They are stored encrypted and cannot be recovered without the sync password and e-mail access. If you don't trust Mozilla's server, despite the passwords being encrypted, they provide the open source software so you can run your own server to sync your encrypted passwords to.

    If someone (you or hacker) does not know the sync password and resets the password with access to your e-mail account, it will not give them access to the passwords that were sync'd previously. This is good because it keeps a hacker from being able to just hack your e-mail account then use that to get access to all your passwords.

    1. Re:Use firefox master password with mozilla sync by l20502 · · Score: 2

      Still inferior to the previous sync version, which also required a separate encryption key

  12. Re:Dont use lastpass by Anonymous Coward · · Score: 2

    > Lastpass is a piece of crap.

    And that's the end of the rant? Aww.

    I continue to recommend Lastpass. 1Password (for 70$), not at all.

  13. LastPass by Mike+Van+Pelt · · Score: 4, Informative

    I've been using LastPass for years. I tried pwsafe (nice, but at the time, didn't support Mac well) and KeePass (which I didn't like for reasons that I don't quite recall now; ended up moving back to pwsafe) before I switched to LastPass.

    The deciding factors were (1) LastPass Premium works on Android. (And, now, you don't need Premium; the free version also works on Android.) (2) Syncs password changes across all devices, and (3) Professional Paranoid Steve Gibson gave it his seal of approval.

    Some of the others also have a way to sync across all devices now, but I haven't come across any compelling reason to switch. Though LetMeIn may be working on that one.

    1. Re:LastPass by Chewbacon · · Score: 3, Informative

      It's worth adding that LastPass information is decrypted on the device you're using it on and not on the server. Just pick a good password for the account.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    2. Re:LastPass by AmiMoJo · · Score: 2

      The problem with LastPass is that it runs in the browser. You don't really want to be trusting the browser with your passwords. Better to have them in another application and only paste them into the browser when needed. At least that way, if the browser is compromised, at worst they will only get the sites you log into after infection, not access to the whole database. Stuff like bank accounts and other non-web-related information in particular will not be compromised that way.

      KeePass is better in every regard. Multiple client apps so you can pick the one that suits you. The official client is pretty good. Multiple free versions for Android and iOS. Cloud sync for free. Open source, well tested and examined for flaws.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. Better off with paper in wallet. by RobRyland · · Score: 2

    Just keep a tiny address book in your wallet.
    Any important passwords you keep there.
    The unimportant stuff can use a common password.

    1. Re:Better off with paper in wallet. by Required+Snark · · Score: 2

      I have a notebook next to my machine. It does not have a big label on the front saying PASSWORDS. It's one of the anonymous things piled on my desk. I should keep a copy somewhere else like my safe deposit box, but I don't. If someone with bad intent can get into my house there's not much I can do about it, so that's where I draw the line.

      I know it's a low tech solution, but no amount of computer hacking on any machine will get all my passwords. Since I usually remember the passwords I use all the time it is reasonably convenient. I use long easy to remember passwords with lots of non-alphanumeric characters, so that gives reasonably uncrackable passwords. An example would be !non-alpha.Numeric!. That's nineteen characters and relatively easy to remember.

      --
      Why is Snark Required?
  15. Re: Encrypted File, Encrypted USB by Anonymous Coward · · Score: 2, Interesting

    You had better use something in addition to that USB drive. One good static discharge and you're toast.

    Use cloud storage like Google Drive or Dropbox and Keepass. It's encrypted, located locally and backed up to the cloud. Been working that way for years without any problems.

  16. Save hints by Lije+Baley · · Score: 2, Interesting

    For any normal person (not rich, famous, or powerful), just storing hints in a document is good enough. Something like:
    EBay kxxxxbxxxx3xxx
    Where the mask character x is not precisely replacing characters.
    It's enough to remind me, but not enough to aid a casual attacker.

    --
    Strange things are afoot at the Circle-K.
  17. SuperGenPass by kwerle · · Score: 2

    https://chriszarate.github.io/...
    SuperGenPass is a different kind of password solution. Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.

    SuperGenPass is a bookmarklet and runs right in your Web browser. It never stores or transmits your passwords, so it’s ideal for use on multiple and public computers. It’s also completely free and open-sourced on GitHub.
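
The comment above describes a stateless, hash-based manager: nothing is stored, and each site's password is recomputed from the master password plus the site name. The following Python is an added illustration of that idea written for this page; it is not SuperGenPass's own code, and the PBKDF2 iteration count, the base64 encoding, the character-class rule and the `generation` counter are this example's assumptions, not SuperGenPass's parameters.

```python
import base64
import hashlib

# Constructed parameter for this example; SuperGenPass uses its own scheme.
ITERATIONS = 100_000


def _meets_policy(candidate: str) -> bool:
    """Rule applied so the result passes typical site requirements:
    at least one lowercase letter, one uppercase letter and one digit."""
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate))


def site_password(master: str, site: str, length: int = 16, generation: int = 1) -> str:
    """Derive a per-site password from the master password alone.

    The normalised site label, a generation counter and an attempt counter
    form the salt, so the same master yields a different password for every
    site, and bumping `generation` is the only way to "change" a site's
    password, because nothing is stored anywhere.
    """
    site = site.strip().lower()
    for attempt in range(64):
        salt = f"{site}|{generation}|{attempt}".encode("utf-8")
        raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                  ITERATIONS, dklen=32)
        # URL-safe base64 yields letters, digits, '-' and '_'; trim to length.
        candidate = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]
        if _meets_policy(candidate):
            return candidate
    raise ValueError("could not satisfy the character policy at this length")


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed demo value
    for site in ("example.com", "example.org"):
        print(site, site_password(master, site))
    print("example.com after rotation:", site_password(master, "example.com", generation=2))
```

The trade-off a defender should weigh is visible in the function signature: there is no database to steal, but every site password is a function of the master, so a password leaked by one site becomes an offline guessing target for the master, and a site that rejects the derived characters or length has no override short of changing the scheme.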

  18. Re:Dont use lastpass by SensitiveMale · · Score: 3, Insightful

    +1 for 1Password.

    I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.

    I'm switching to LastPass.

  19. Yes and no... by bobbied · · Score: 2

    I use a password manager that has Windows, Linux, Android and iOS clients. They all use the same encrypted data file that I keep on my Dropbox. I keep my day to day non-user-critical account passwords in there so I can access them easily and quickly no matter where I find myself. But I don't put the important passwords (financial accounts and the like) in there, I just remember them.

    But the PRIMARY thing you can do to keep yourself safe is to "DON'T use the same password on multiple sites!" Never, EVER use the same password in your "fun" accounts and your financial logins... This is because a breach at one of these "we don't care about your security" sites is a lot bigger risk than at your bank, but if you have the same password, you just gave the crooks a very important piece of information.

    Secondary to that, is keeping passwords hard to guess. If you have a manager that generates passwords for you, use it for the throw away accounts.

    So, in summary. Sure, use a password manager for the trivial junk accounts, use complex passwords and keep them different. But NO, don't put your important passwords in an online storage... Develop a way to remember them and Keep those in your head.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  20. password safe by djk1024 · · Score: 2

    I've been using Password Safe for over 10 years. It works well for me, is free, was created by Bruce Schneier and keeps your passwords in a local encrypted file.

  21. Use a manager, use 2fa by WinstonWolfIT · · Score: 3, Insightful

    I use LastPass just fine, because every site where getting my login details would hurt, I use 2fa: Microsoft, my bank, PayPal, LastPass, Google, etc. Sure I'm picking up my phone once in a while but it's a good balance between secure and convenient. Far less secure are card details; mine got compromised recently but was detected and reversed almost immediately. Which is why I use PayPal whenever possible.

  22. I do not.. come up with a good story scheme... by gosand · · Score: 3, Interesting

    it's what I've used for years. I have a not so memorable story, take an event from that, and turn it into your password scheme.

    [completely fabricated example]
    In 7th grade a girl I liked (Sarah) gave a presentation on Abraham Lincoln. She was wearing a blue dress.
    Four score and blue dress. FoScBlDr (8 characters, safe)
    Add in a number and a symbol, because some sites require it. FoScBlDr81? [I think it was in 1981]

    So, there is my starting password. Password hint = Sarah Lincoln 81, maybe SL81 for short.
    6 months later, you have to change your password. Hint becomes SL82 (FoScBlDr82?)
    You could cycle through to 89, then back to 81. Over time, you can morph it in other ways. Maybe put a $ in there instead of a ? for financial sites, or come up with a separate story for those.

    The thing is, YOU make up the story and the cycling rules.
    You can even write down your password hints, nobody would ever think "Crush 88" was actually "FoScBlDr88?"

    I have used one scheme/password since 1999, and it has morphed so much that even if I told someone my original password, they couldn't guess what it is now... it's just gibberish.

    --
    My beliefs do not require that you agree with them.

  23. What's wrong with this? by reboot246 · · Score: 3, Funny

    I just write the passwords on Post-It notes and stick them to the monitor. :)

  24. Re:Pick a pattern for your passwords by Aero77 · · Score: 2

    I used that technique until someone used my password from SiteA to guess my password for SiteB. Sorry, this isn't a clever solution

  25. Re:Encrypted File, Encrypted USB by skids · · Score: 2

    Pick even just a short password, and a consistent non-obvious way to append other data about the account. Then cat | some hashing command, type your stuff and cut/paste. Save the relevant data about the account in a text file, but not in the same format you use to append to the password and with some extra cruft. Be sure to include a rough date so you know how stale a password is.

    This avoids one compromised cleartext password giving clues about others, as long as you are not so p0wned as to have someone be able to see how you generate the hash or hijack your clipboard.

  26. Re:Encrypted File, Encrypted USB by mysidia · · Score: 2

    > why more people don't do this. It's easy to come up with a suitably long and random base password that you can then add minor variations to based on some algorithm to make it unique per website or service.

    People DO do this. Research has shown that when implementing password expiration, 80% of the time users created a new password which could be guessed by using a dictionary attack on the previous password and applying minor variations.

  27. Re: Standalone hardware by jep77 · · Score: 4, Funny

    This exactly. Taped to the bottom of my keyboard.

  28. Re:No Need by networkzombie · · Score: 2

    Yeah, that's great. I'm in IT and my KeePass shows over one thousand entries. I use the mnemonic device method for most passwords, like (examples only) rfhpwtycg (really fucking hard password that you can't guess), or MvEmJsUn (mercury, venus, earth, etc...), oTtFfSsEnT (one, two, three, four, etc...). Using mnemonic devices helps me remember what the password is, but not where it was used. I have at least 10 gmail accounts, 20 other email accounts, and multiple accounts with Cisco, SonicWALL, Office 365, Barracuda, Hostgator, CloudFlare, AT&T, Verizon, 8x8, Register.com, etc, etc, etc... I would never even think about trying to memorize any password except the one that opens KeePass.

  29. Re:Encrypted File, Encrypted USB by Jason+Levine · · Score: 2

    Which is one reason why expiring users' passwords too often leads to insecure passwords. If your password is going to last for a year, you might use a 20-character string including various special characters and caps/lower case mixing. If your password needs to be changed every month, you'll get the PASSWORD1, PASSWORD2, PASSWORD3, etc. variations.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  30. PasswordSafe by twitnutttt · · Score: 5, Informative

    I am surprised no one has endorsed PasswordSafe yet! Written originally by Bruce Schneier, open source, and ported to Android which lets me sync my pwd database files between devices via Dropbox. I've been using it for years and plan to continue.

    Since starting to use it on my mobile, I've segregated my database a bit to prevent a total breach in case my phone were compromised. I have my "lower security" internet website passwords that I need on the go in one file. And I have my financial passwords (which also stores account and credit card numbers that I might need in an emergency) in another file. And then on my PC there is a master file that has all these plus a ton of other accounts I've collected over the years but don't see the need to take on the road in my phone. Each database has a different unlock password, and those are all I have to remember.

    1. Re:PasswordSafe by twitnutttt · · Score: 3, Informative

      Also DICEWARE!
      Any passwords you are remembering or entering manually, use passphrase generators instead of making up some wonky hard to type and remember system for yourself that is orders of magnitude less secure than easy to quickly enter and very secure strings of dictionary words.

    2. Re:PasswordSafe by twitnutttt · · Score: 5, Informative

      Having just read through these comments, my forehead hurts from banging it against the wall and I'd better flesh this explanation out a bit more...

      First of all, I'm amazed NO ONE mentioned the classic xkcd comic on memorized random password security: https://xkcd.com/936/

      Second, forget about it all you people with your **genius** schemes for generating unique 8-11 character passwords. Congratulations, you've just been hacked. Look up rainbow tables, people!

      You are all reinventing square and pentagonal wheels here. It's not working against the threat profile you face, and it's a pain in the ass for you compared to the painless solution that is already out there and explained if you just knew about it...

      OK, so here is the true situation you face if you actually want to be secure:
      1) You have hundreds of passwords to store.
      2) Each one better be 25+ characters of RANDOM data. Otherwise, you face a very realistic threat from brute force / rainbow tables cracking you in trivial amounts of time now or in the near future.
      3) You better not be reusing any of them anywhere, cause, you know, hacking.
            3a) If you use a standard root and "permute" it, you are relatively safer until one of your sites storing it in cleartext gets revealed, and then guess what, literally *everyone* uses the first character or two of the site name, or one or two letters more than the first characters to permute. So if you are ever an actual individual target as opposed to a mass script kiddie attack, you're toast. I know, and you thought you were so clever!

      AND, even if you managed to memorize all this, it's a goddam PAIN IN THE ASS to type these passwords in, especially on phones.

      Here is a solution that is 1) easier to remember, 2) faster to access your websites and login, and 3) order of orders of magnitude more secure:

      Steps:
      1) Generate a SINGLE 6-7 word diceware PASSPHRASE. https://theintercept.com/2015/...
      2) Memorize it. This should take you all of two minutes.
      3) Download passwordsafe or keepass or another trusted OFFLINE password manager. I'm not going to press my personal preferences here. But it should have an automatic password generator feature.
      4) Lock the password manager with your diceware passphrase and start generating 30+ character random, unique passwords for each site you use.

      If you have a good tool (I use passwordsafe), you can store the URL, username, and password and with a combination of 3 hotkeys open any website, and login in under 2 seconds for any of the hundreds of TRULY SECURE passwords you store.

      You can sync the encrypted pwd manager file to your mobile and other devices and access from there with equal security.

      And a passphrase with all lower case letters to unlock your pwd manager is even faster to type on a computer or phone than a single one of these insecure, short, alpha-symbol-numeric jokes people are advocating the genius of here.

      OK. Now you know. So spread the word and forget all this elaborate security theater nonsense.

    3. Re:PasswordSafe by paulatz · · Score: 5, Insightful

      Except that many websites do not accept very long passwords, and most will require it to contain an upper case letter and/or a number, and may even bitch if you put the upper case at the beginning and the number at the end, at which point you put them somewhere else and you forget the password the moment you press "ok".

      --
      this post contain no useful information, no need to mod it down
    4. Re:PasswordSafe by TheRaven64 · · Score: 4, Insightful

      > Second, forget about it all you people with your **genius** schemes for generating unique 8-11 character passwords. Congratulations, you've just been hacked. Look up rainbow tables, people!

      If you have upper- and lower-case letters, numbers, and symbols then each character is one from a set of 80, so a random 8-character password from this set contains 50 bits of entropy (2^50 possible combinations). To store all such passwords in a rainbow table would require 2^54 bytes (8 petabytes) of storage. I doubt that most hackers have that much space.

      A case insensitive 8-character password, in contrast, has just under 38 bits of entropy, so it is quite feasible to compute a rainbow table. Mixing cases alone takes this up to 45 bits, which means that you'll need around half a petabyte for the rainbow table.

      If you're using a salted hash to store the password, then the rainbow table needs to be computed for each salt (and if you're sensible, you'll use a different salt for each password, so you need a different rainbow table per password, not per password db). You're better off brute forcing it than storing the rainbow table. A modern GPU can manage about 20,000,000,000 hashes per second, so can search a 34-bit key space per second. 45 bits of entropy gives you a search space that takes about half an hour of GPU time. 50 bits gives you 18 hours. An 11-character password will give you 69 bits of entropy (and a rainbow table that most filesystems can't store, though ZFS can if you can afford enough disks), and will take about 1,000 years to brute force with a single GPU (though with 10,000 GPUs you can do it in a reasonable amount of time). A 10-character password gives you 63 bits, which takes about 17 GPU years to crack and is still probably beyond the capabilities of anyone other than a nation-state adversary.

      --
      I am TheRaven on Soylent News
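
The arithmetic in the comment above (bits of entropy from alphabet size and length, rainbow-table storage, brute-force time at a given hash rate) is worth having as a reusable calculation. The Python below is an added worked example for this page, not code from the commenter or from any tool discussed; it assumes the comment's 80-symbol alphabet and rounds the quoted 20 billion hashes per second to 2^34 per second, which is the rounding the comment itself uses, so its output reproduces the comment's figures.

```python
import math

# Alphabet sizes as the comment counts them.
ALPHABETS = {
    "lowercase only": 26,
    "mixed case": 52,
    "upper+lower+digits+symbols": 80,
}
# The comment rounds "about 20,000,000,000 hashes per second" to 2^34 per second;
# using the power of two reproduces its figures exactly.
GPU_HASHES_PER_SECOND = 2 ** 34
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def rainbow_table_bytes(bits: int, bytes_per_entry: int = 16) -> int:
    """Storage for a table holding every password in the space.
    16 bytes per entry matches the comment's 2^54 bytes for 2^50 passwords."""
    return 2 ** bits * bytes_per_entry


def brute_force_seconds(bits: int, gpus: int = 1,
                        rate: int = GPU_HASHES_PER_SECOND) -> float:
    """Time to enumerate the whole space; the expected time to a hit is half this."""
    return 2 ** bits / (rate * gpus)


def crack_time(alphabet_size: int, length: int, gpus: int = 1):
    """(bits, seconds): bits are rounded down, the way the comment quotes them."""
    bits = math.floor(entropy_bits(alphabet_size, length))
    return bits, brute_force_seconds(bits, gpus)


def human(seconds: float) -> str:
    """Readable duration for the demo output."""
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 30 * 86400:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    for label, size in ALPHABETS.items():
        for n in (8, 10, 11):
            bits, secs = crack_time(size, n)
            print(f"{label:28} {n:2} chars: {bits:2} bits, one GPU "
                  f"{human(secs):>12}, 10,000 GPUs {human(secs / 10_000)}")
```

Two points the numbers make for a defender: the figures assume a fast, unsalted hash, so a slow salted KDF on the server side divides the attacker's rate by orders of magnitude; and the `gpus` parameter shows why "years on one GPU" is not a safety margin against anyone who can rent a few thousand of them.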
    5. Re:PasswordSafe by AmiMoJo · · Score: 2

      So much bad advice, it's hard to know where to begin. Let's start with what NOT to do:

      > First of all, I'm amazed NO ONE mentioned the classic xkcd comic on memorized random password security: https://xkcd.com/936/ ...

      > 1) Generate a SINGLE 6-7 word diceware PASSPHRASE.

      Such passphrases are EXTREMELY weak. The words are easily predictable (just use a few different language dictionaries, and the usual uppercase/lowercase/substitution combos) and concatenating several of them doesn't increase the amount of entropy enough to resist brute force attacks on a cheap GPU.

      > Look up rainbow tables, people!

      Salting negates that threat. If the site doesn't salt or limits you to 11 character passwords, it has bigger problems and a good password won't protect your account.

      > AND, even if you managed to memorize all this, it's a goddam PAIN IN THE ASS to type these passwords in, especially on phones.

      Any halfway good password manager will copy them for you. Keepass on Windows and Android does, for example, and it's implemented in a secure way. You don't even have to display the password on screen, so no danger of shoulder surfing.

      The best option is to use something like Keepass with both a password and a keyfile. Store the database in the cloud for easy access, but keep the keyfile local only. Then you only have to copy it to each device once, while the database can be synced whenever changes are made. Use a good, random password (you just have to memorize it, there is no getting around it).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:PasswordSafe by Big_Breaker · · Score: 2

      What about non-standard characters? Is the whole ASCII set generally available? Some websites are explicit about which characters are valid but many say nothing.

      Most attackers using a rainbow table or brute force would probably not include (Alt-"214") in any of their attack attempts.

    7. Re:PasswordSafe by twitnutttt · · Score: 2

      Thanks for filling in a few details I left out, guys. :)

      Yes, individual sites with poor password support are a problem (short max length, or not allowing special characters). In response, PasswordSafe (or similar quality tools) allow you to override the password generator policy for a particular site to have a particular length and require or exclude certain character classes.

      I totally forgot to mention the notes field! Yes, you should use it to store the secret questions and answers required for some sites. AND, use the password generator feature to generate random answers to these questions. These should be thought of as just additional passwords. DON'T USE REAL ANSWERS TO REAL QUESTIONS! And the length policy should be extra long because these answers are usually not case sensitive.
      For example: "What was my first pet?" Answer: klihyrseet4rslchvlajyt2565zfx trdrzoij nxvk52juzhf ygvzhxdjvw 34ncolsd2k jlgcda52sufiogxciuyfu
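
The four-step procedure given earlier in this thread (generate a Diceware passphrase, memorize it, lock an offline manager with it, have the manager generate long random passwords per site) and the per-site policy override described in the reply just above both come down to two generators. The Python below is an added example for this page, not code from Password Safe, KeePass or any commenter; the 32-word list is a constructed stand-in for the real 7776-word Diceware list (the entropy function uses the real list size), and the `PasswordPolicy` field names are this example's own.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Constructed stand-in for the Diceware list; the real list has 6^5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5
SAMPLE_WORDS = ("acid", "bacon", "cedar", "delta", "ember", "flint", "gavel", "hinge",
                "ionic", "jumbo", "kayak", "lemon", "mango", "noble", "orbit", "piano",
                "quilt", "radar", "salsa", "tulip", "ultra", "vivid", "waltz", "xenon",
                "yacht", "zebra", "amber", "bison", "cobra", "dingo", "eagle", "ferry")


def diceware_passphrase(words: int = 6, wordlist=SAMPLE_WORDS) -> str:
    """Pick each word independently with the OS CSPRNG, as dice rolls would."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each word adds log2(list_size) bits; six real Diceware words give about 77.5."""
    return words * math.log2(list_size)


@dataclass
class PasswordPolicy:
    """Per-site override: length, required classes, and characters the site rejects."""
    length: int = 30
    upper: bool = True
    lower: bool = True
    digits: bool = True
    symbols: bool = True
    excluded: str = ""

    def classes(self):
        pools = []
        if self.lower:
            pools.append(string.ascii_lowercase)
        if self.upper:
            pools.append(string.ascii_uppercase)
        if self.digits:
            pools.append(string.digits)
        if self.symbols:
            pools.append(string.punctuation)
        pools = ["".join(c for c in p if c not in self.excluded) for p in pools]
        if not pools:
            raise ValueError("policy requires no character classes")
        if any(not p for p in pools):
            raise ValueError("exclusions emptied a required character class")
        if self.length < len(pools):
            raise ValueError("length too short to hold one of each required class")
        return pools


def generate_password(policy: PasswordPolicy = None) -> str:
    """One character from every required class, the rest from the union,
    then a CSPRNG Fisher-Yates shuffle so the required ones sit anywhere."""
    if policy is None:
        policy = PasswordPolicy()
    pools = policy.classes()
    union = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(union) for _ in range(policy.length - len(pools))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies(password: str, policy: PasswordPolicy) -> bool:
    """Check a password against the policy (length, every class present, no rejects)."""
    pools = policy.classes()
    union = "".join(pools)
    return (len(password) == policy.length
            and all(any(c in pool for c in password) for pool in pools)
            and all(c in union for c in password))


if __name__ == "__main__":
    print("master passphrase:", diceware_passphrase(6),
          f"({passphrase_entropy_bits(6):.1f} bits with the real list)")
    print("default site password:", generate_password())
    legacy = PasswordPolicy(length=12, symbols=False, excluded="lI1O0")
    print("legacy-site password:", generate_password(legacy))
```

Both generators draw only from `secrets`; a manager that used `random` here would produce passwords an attacker could reproduce from the generator state, so this is the property to check when evaluating a tool's generator.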

  31. KeePassX by TheOuterLinux · · Score: 2

    I like it because you can use it for more than just passwords. You can store bookmarks and files in it too. I don't trust bookmark sync. I'd never use browser extensions for sensitive information because that info is only as secure as the weakest link, be it the extension or web browser. I also never use a cloud service to store the database files. Surely if something is important, you can remember a single password and where you keep a flash drive. KeePassX also allows the use of key files as a password. You can have it as both so if the password is compromised, they still need the file. This way, you can use a cloud service but it will only open on your computer. You could also keep them on separate services. What I do is create a dummy KeePassX database and key file and edit it with more random string stuff and then create the real KeePassX database and use the edited key file from before. It's only 44 characters long if you don't. 4096 that sucker! You could maybe also use Steganography to hide the key file within the icon of the database file if separate cloud storage is too much.
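
The password-plus-keyfile arrangement described in the comment above and in the earlier reply recommending "a password and a keyfile" rests on one construction: both factors are combined into a single composite key, so a copy of the database from cloud storage is useless without the locally kept file. The Python below is an added toy illustration for this page; it is not the KeePass or KeePassX code and not the KDBX format (KeePass 2 hashes the factors in a broadly similar way, but this example's KDF parameters and vault layout are its own), and it uses an HMAC-SHA256 keystream instead of a real cipher so that it runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example only (not KDBX values).
KDF_ITERATIONS = 100_000


def new_keyfile(size: int = 64) -> bytes:
    """A keyfile is just random bytes; it is hashed before use, so 64 random
    bytes already carry more than the 256 bits the hash can absorb."""
    return secrets.token_bytes(size)


def composite_key(password: str, keyfile: bytes = None) -> bytes:
    """Hash each factor separately, then hash the concatenation, so a missing,
    wrong or swapped factor yields an unrelated key."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def _subkeys(composite: bytes, salt: bytes):
    """Stretch the composite key, then split it into encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", composite, salt, KDF_ITERATIONS)
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode HMAC keystream (toy stand-in for a block cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(entries: bytes, password: str, keyfile: bytes = None) -> dict:
    """Encrypt-then-MAC the entries under the composite key; returns the 'vault'."""
    salt = secrets.token_bytes(16)
    enc, mac = _subkeys(composite_key(password, keyfile), salt)
    ciphertext = bytes(a ^ b for a, b in zip(entries, _keystream(enc, len(entries))))
    tag = hmac.new(mac, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unlock(vault: dict, password: str, keyfile: bytes = None) -> bytes:
    """Verify the tag in constant time before decrypting; any wrong factor fails."""
    enc, mac = _subkeys(composite_key(password, keyfile), vault["salt"])
    expected = hmac.new(mac, vault["salt"] + vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        raise ValueError("wrong password or keyfile")
    stream = _keystream(enc, len(vault["ciphertext"]))
    return bytes(a ^ b for a, b in zip(vault["ciphertext"], stream))


if __name__ == "__main__":
    keyfile = new_keyfile()                     # stays on the local machine
    vault = seal(b"bank: user=alice", "correct horse", keyfile)  # constructed entry
    print(unlock(vault, "correct horse", keyfile))
    try:
        unlock(vault, "correct horse", None)    # stolen vault, right password, no keyfile
    except ValueError as err:
        print("without keyfile:", err)
```

The detail to keep in mind operationally is the one the commenters touch on: once the keyfile is lost the vault is unrecoverable even with the password, so the file needs an offline backup that is not stored alongside the synced database.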

  32. Re:Pick a pattern for your passwords by twitnutttt · · Score: 2

    See above comment.
    You have a totally solid ILLUSION of security going here. ;-)

  33. Re:Dont use lastpass by BLKMGK · · Score: 2

    I too use 1Password with DropBox integration vs their pay to play cloud service. I pay nothing and it updates DropBox which is accessible to all of my clients quickly. It can be used for secure notes and other things so all of those security questions that you do NOT put in truthful answers for can be remembered :) My passwords are generated by a different app and I use different passwords for nearly every site now. Get hacked once and you learn the hard way - took me an entire day to track down most of my accounts and fix them!

    Someone below mentioned it leaking metadata through a .js file - that file doesn't exist on my DropBox, the .JS files that do don't contain anything cleartext.

    --
    Build it, Drive it, Improve it! Hybridz.org