Ok so your site needs money from Ads to survive, I get it, we all have to make compromises. But you are serving those ads via un-vetted, bloated 3rd party scripts which can harbor malware, cost me time and money & track my Ass between sites. Therefore, if you put up a page that asks me to accept your 3rd party Scripted Ads, I will send you a copy of my User Terms of Service for you to agree to, in which you will find clauses that require you to accept responsibility for all 1st, 2nd & 3rd party content and resources served by your site and all losses incurred should that adversely affect my systems, privacy etc.
Alternatively, if you wish to serve all Ads in a 1st party context without scripting then I'm powerless to stop you and would be much happier.
So in the end, to me it's not the Ads themselves that are the problem, but how they are delivered and what hidden factors are present that I consider a detriment to my using your site.
Does this also include an exemption for the ubiquitous NSA/DHS hoovering up of metadata, arguably the bigger problem here? If not, how does CA expect to enforce its rules over data that leaves or enters CA soil, which is substantial?
Sounds exactly like something from Mr Robot: the IP address of the CTO of an organisation found in logs related to hacking a server farm.
Like, we trust the logs after someone has Owned the system? Sure, let me know how that goes!
So firstly I loved both the Book and the Movie. The book for the hard science portrayal (excluding the dust storm, OK) and the Movie for bringing it all home by showing what living on 1/3 rations will do to a body.
But, in going from the Book to Screenplay and to the Movie there are a number of induced goofs that make the final work nonsense. As an example (more to follow later):
In the book and in the movie there are Potatoes, sourced from a box labelled "Do Not Touch Until Thanksgiving", which Mark relies upon for survival. From internal calculation for the book, and shown in the movie, it is known that the Mars landing in both cases occurs on Nov 8th 2035. BUT, while in the book the storm blows up on SOL 6 (>= Nov 14th), 1 week before Thanksgiving, in the movie it is stated to occur on SOL 18 (>= Nov 26th), which is at least 4 days after Thanksgiving 2035 (Nov 22nd).
So where did the potatoes come from 4 days after they were due to be eaten by the crew as part of a team-prepared Thanksgiving day meal?
It does not matter how much they spend on neutral research for general healthcare, they spent money on 'targeted research' (I won't call it science) to the benefit of their own business interests.
This is iMessage, not your iTunes account. The 'keys' are generated per-device and the private key remains there; if you lose your device or access to it you have to generate new ones. Also, if your device has the Apple 'secure enclave' TPM, good luck to anyone getting access to it without your unlock password.
I hate to add this but to be truthful Apple can comply if the iMessage is a group message using their cloud-based keychain. Since Apple controls which public keys are associated with which participant, there is no reason they could not insert an extra one for which they themselves have the corresponding private key.
That is assuming they could make the UI hide the extra iMessage recipient line.
See: https://www.grc.com/sn/sn-448.... for further info and some interesting other stuff about the iOS security model.
It's not even necessary to do that. If your camera app has filters and artistic image manipulation then you 'improve' the image with your software and now it is your copyrighted work.
This is a laudable suggestion with three small caveats, assuming you don't ban our iPhones and laptops altogether:-
1/ If we are required to carry these batteries in the cabin then a mass dispensation needs to be made to accommodate them and what they are powering if non-removable (I've had situations in the past where I needed to check my laptop power supply and batteries to get under the cabin Mass allocation).
2/ TSA etc cannot require that devices be activatable to be carried, as a dead battery would mean nowhere else to carry them. (To be honest I never understood this rule, as all previous instances of 'converted' electronic devices used on planes would have passed this test but not the chemical sniffers.)
3/ If they do catch fire in the cabin, what you gonna do in the short period of time before toxic fumes start killing passengers. My suggestion, get an empty food trolley and keep duct-tape on hand.
Find out what anti-spam laws exist in your jurisdiction and on your next conversation with the cable company inform them that, since neither you nor your wife have a financial association with them and neither of you have been asked to agree or opt-out of receiving communications from them, they need to stop or be reported and possibly fined up to $x,xxx,xxx.xx for this infraction. BTW: Their company letterhead and email signature counts as an advert.
Also tell them that if you do get further communication over this medium you will, as well as reporting them, assume they are in agreement to pay you $50 for use of your devices to receive their advert.
I had this problem a while back with a company not updating their online store finder info and thus giving prospective customers my cell number. After several calls, one email of the above resulted in removal of the information within 6 hours.
So I'm not raising the efficacy or economy of sticking with XP or not; if the navy wants to pay Microsoft for security patches instead of upgrading then that is fine.
No, my question is, are the security patches the navy will get federally paid-for, publishable items?
If they are then that means under current rules, once a piece of code is published to the navy, unless it is covered by a security mark then they and/or Microsoft are required to disclose it. Now this may not make financial sense to the big M, but how many times over are they willing to get paid for the same patch on an old OS?
I say, once the navy or any federal department who is paying for patches gets them then they should be released for public consumption, free of charge.
Because the connection WAS probably from a trusted IP, it would have been that machine that was infected and was used to exfiltrate data from the main system to it and onwards to the attackers, cloaked to look like normal internet-bound traffic.
There is so much wrong with this article it's not even funny. I don't blame the writer, he's just trying to tie a nice neat bow on a badly wrapped pig.
I had to laugh though when he twice gives the example of proximity unlock on cars as IoT security. These are the same devices that only guarantee proximity security by using signal strength and thus are easily defeated by a $17 signal booster available on eBay, which has been in the news as the cause of many thefts of the contents of vehicles.
But seriously, the core issue here is authentication and concentration of secrets, and no matter how many extra factors you have this will not change, because each new factor requires the service to store another secret to be stolen or live phished from you.
As I see it the only long-term solution is a better single factor, one that puts the handling of secrets as close to the user as possible and contained in something that is hardened or prevented from running malware. Then have that device use a site-specific asymmetric key pair to offer a zero-knowledge proof of authentication to the service. In that way the services hold no authentication secrets, and what they do hold cannot even be used by an attacker to infer linkage between services.
Unfortunately right now there is nothing in production and widely available that can do this; not even the much vaunted FIDO and U2F will accomplish this, as their choices have rendered those protocols only usable as a second factor. There is one single-factor protocol that is presently 18 months into its research and development that I think will satisfy all the requirements of what the article writer needs, that being SQRL from the Gibson Research Corporation, which also has additional features that even allow complete recovery from a loss of control over its core secret.
Oops, posted on wrong thread, please ignore.
So encryption would not have helped because the Attackers had a valid set of credentials with which to exfiltrate millions of records.
The bigger issue here is why were alarms not ringing in the appropriate places while millions of records were being exfiltrated? Why was there not effective monitoring of access use and network anomalies?
Funny thing is, if that sort of software was being used properly where another notable security-cleared contractor was working (whose data was also leaked by this breach) he would have had a much harder time copying out so many documents without leaving a trace of his activities.
I have to think on the most recent LastPass breach. In that case the LastPass people detected the anomalous network traffic, quickly tracked it down and discovered the exact nature of the possible breach. Because their systems only stored data encrypted by keys that the systems themselves did not hold, the only leak was of the master-password hashes, which, because they were individually salted and hashed, would only be useful in a targeted attack on individuals should they have weak passwords.
I have found myself in the same boat on many occasions, and not just on my own behalf but that of friends and relatives. Sometimes with patience a solution can be reached; threats often lead to dead ends while 'management advice' is sought. But if you have the knowledge and a sufficiently devious mind like me, often the quickest way is to use social engineering to achieve your aims.
Now I am not promoting fraud or trying to get something out of them you rightly do not deserve. But if you do lead them to understand, by judicious choice of words, that in assisting you either they themselves will gain something or they will not lose something substantial, then that is a good thing.
For those willing, a good source of old school research are the two autobiographical works of Kevin Mitnick.
If they succeed and are not put in the line-up for manned deliveries then, just for the sheer hell of it, SpaceX should send their own man up with a stack of Pizzas for delivery to the ISS, COD!
Is this really about back-doors or bugs exposing entrances?
In any case, are the representatives of governments really the ones you should be showing your source code to? Seems to me that some of these people have a vested interest in keeping any exploits they find secret for their own intelligence agencies, to be used later on targets (possibly their own citizens) to intrude and exploit.
I think I've said this before, if they really want to gain our confidence they need to let the users choose someone to inspect their source and demonstrate its validity against published binaries.
If the damages were limited to One copy ($10AU) and I were a stakeholder in the company that put the lawyers on this, I would be having a serious word with them on the merits of fiscal responsibility and launching a potential vote of no confidence in their management.
OOTO (Out Of The Ordinary) is what law enforcement officers are trained to spot and is often a good starting point for possible criminal activity. But to the general public a "noisy and very visible" drone, or even someone wandering around someone else's property, is not OOTO to them, as the main activity is not the indicator.
So the advice given is in effect worse than useless and will result in way too many false positives / negatives. Now if the police were to offer free courses in situational awareness and OOTO then that might be a start, though isn't that what we pay taxes for non-existent beat cops for?
In finishing, a nice piece of research from a few years ago talked to convicted burglars about what they look for in a target. One thing they found was that it was much preferred to case and burgle during the 1pm - 4pm period than any other time of the day or night, because people are at work, there is lower delivery traffic, it's easy to see and people don't see you as a burglar but as a workman. They also found that those criminals who end up committing crime at night much prefer properties with BIG Bright spot lights on than in complete darkness, because the bright lights leave dark shadows to stand in and mean you don't have to carry round a flash-light, which often attracts more trouble than it's worth.
This is more a limitation of the researcher than of the science. This type of short duration hyperbright nova is not unknown and elsewhere in the literature there are several theories as to their Natural origins. There have been a few detected over the last 50 years but because of their rarity a comprehensive analysis is still wanting.
So this is not a NEW HUBBLE DISCOVERY, more an OH NICE! you saw one too.
Yay, swatting just got an upgrade.
Since internet-based crime is already hard to track down to individuals or groups who are only making reasonable efforts to hide their identities, I envision a new form of cyber-attack, the DOFBA attack or Denial Of Funds By America attack. All that is needed is to commit a 'cyber' attack on the US or its citizens in a way that upon investigation tracks back to some group that you wish to punish. Though come to think of it, this may have already happened; see the timeline of the Sony Hack.
Before we get too far down the rabbit hole here, I would like to add a correction to the story above.
The Verizon 'SuperCookie' is not "placed on their phones"; it is an additional header line 'X-UIDH' inserted in outgoing internet requests by their network management system, see: http://en.wikipedia.org/wiki/V.... As such it is never present on the user's device, but it does uniquely identify a user to any server they communicate with if that server either has back-end paired access to Verizon's customer database or uses services that combine multiple trackers with this one to keep a lock on the user's sessions relative to the entire history, but not associated with a Verizon customer record.
One good thing (if anything about this can be called good) is that they cannot add this header to TLS/SSL traffic, as the headers are end-to-end encrypted, so provided you stay HTTPS on your connections or run a mobile VPN it does not matter if you opt out or not, as they cannot add this tracker to your traffic.
One final thought is that even without encryption, if there was a proxy server out on the internet that you set your mobile device to send all traffic through, and that server was to strip out this header from your requests before passing it on to its destination, then you would also be protected, which I will be setting up should this 'service' emerge from the slime in the future.
If you don't trust password managers and would like a way to generate unique, deterministic and hard to crack passwords, take your 8 word diceware password and use it as the entropy for:-
https://www.grc.com/otg/offthe...
This generates a 26x26 Latin square. Use that with the domain name of the site and a memorable algorithm to generate a password for each site.
Also, in the near future (from the same source) is:-
https://www.grc.com/sqrl/sqrl....
You will still need your ONE strong password (or biometric) to protect the master key from which all site-specific keys are generated (via the domain name), but when supported by a site it leaves nothing but a site-specific public key for them to store, which you use by proving that you can sign a random challenge with your site-specific associated private key. So even if their database leaks it has no useful authentication data for an attacker to make use of, because each site's keys are unrelated to any other. Which also means that for low-value sites who only need your key and nothing else to authenticate you, due to it being a two-party system, you are uncrackable.
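As an added illustration of the per-site key scheme described in this comment and in the SQRL comment above (example code written for this page, not the commenter's or GRC's own; the HMAC-SHA256 derivation of the per-site seed and the example.com/example.org domains are assumptions, and it uses Ed25519 from the Go standard library):

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// siteKeyPair derives one Ed25519 key pair per site from the master key and
// the site's domain. The derivation (HMAC-SHA256 of the domain under the
// master key) is an assumption for illustration, not SQRL's construction.
// Same master + same domain always yields the same pair; a different domain
// yields an unrelated one, so leaked public keys cannot be linked across sites.
func siteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// server models the relying party. It stores only public keys: no password
// hash, no shared secret, nothing a database leak would let an attacker reuse.
type server struct {
	domain string
	users  map[string]ed25519.PublicKey // hex(public key) -> public key
}

func newServer(domain string) *server {
	return &server{domain: domain, users: map[string]ed25519.PublicKey{}}
}

// register enrols a user by public key alone.
func (s *server) register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// challenge issues a fresh random nonce for a single login attempt, so a
// captured signature cannot be replayed against a later challenge.
func (s *server) challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// verify accepts the login only if the signature over this challenge checks
// out under a registered public key.
func (s *server) verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return false
	}
	return ed25519.Verify(stored, nonce, sig)
}

// login runs the client side of the exchange: derive the site key from the
// master key and domain, obtain a challenge, sign it, and present the result.
// The master key never leaves the client and the server never sees a secret.
func login(master []byte, s *server) (bool, error) {
	pub, priv := siteKeyPair(master, s.domain)
	nonce, err := s.challenge()
	if err != nil {
		return false, err
	}
	sig := ed25519.Sign(priv, nonce)
	return s.verify(pub, nonce, sig), nil
}

func main() {
	// Constructed master secret for the demo; in practice it would be unlocked
	// by the user's one strong password on a hardened device.
	master := sha256.Sum256([]byte("constructed master secret for demo"))

	srv := newServer("example.com")
	pub, _ := siteKeyPair(master[:], srv.domain)
	srv.register(pub)

	ok, err := login(master[:], srv)
	fmt.Println("login with correct master key:", ok, err)

	wrong := sha256.Sum256([]byte("some other master secret"))
	ok, _ = login(wrong[:], srv)
	fmt.Println("login with wrong master key:", ok)

	other, _ := siteKeyPair(master[:], "example.org")
	fmt.Println("example.com key reused on example.org:", pub.Equal(other))
}
```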