Ask Slashdot: Should You Use Password Managers? (2017-03-08)
New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do?
Yes.
Ian Betteridge's head just exploded.
Some day I hope to see a submission with the headline: "Is Ian Betteridge's Law of Headlines Real?". Sure, it might break the universe, but it's a risk we should be willing to take in the pursuit of truth.
I agree. I use KeePass *without* the browser integration extension. I let my browser store passwords for unimportant things like forums but I always manually copy passwords from my KeePass database for things like email, shopping and banking sites.
PasswordSafe (Score:4, Informative)
I am surprised no one has endorsed PasswordSafe yet! Written originally by Bruce Schneier, open source, and ported to Android which lets me sync my pwd database files between devices via Dropbox. I've been using it for years and plan to continue.
Since starting to use it on my mobile, I've segregated my database a bit to prevent a total breach in case my phone were compromised. I have my "lower security" internet website passwords that I need on the go in one file. And I have my financial passwords (which also stores account and credit card numbers that I might need in an emergency) in another file. And then on my PC there is a master file that has all these plus a ton of other accounts I've collected over the years but don't see the need to take on the road in my phone. Each database has a different unlock password, and those are all I have to remember.
Also DICEWARE!
Any passwords you are remembering or entering manually, use passphrase generators instead of making up some wonky hard to type and remember system for yourself that is orders of magnitude less secure than easy to quickly enter and very secure strings of dictionary words.
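The passphrase advice above, as an added example that is not code from any commenter: a Diceware-style generator that draws words with the OS CSPRNG, maps five physical dice rolls to a list index the way the paper method does, and puts numbers on the comparison between an 8-character mixed-case pattern password and a six-word passphrase. The tiny WORDS list is constructed for the demo; the real list has 7776 entries.

```python
"""Diceware-style passphrase generator with entropy accounting.

Added example illustrating the passphrase advice above; it is not code from
any commenter. The WORDS list below is constructed for the demo only: the
real Diceware list has 6**5 = 7776 entries, indexed by five dice rolls.
"""
import math
import secrets
from typing import Sequence

# Constructed sample list, far too small for real use (only 3 bits per word).
WORDS = ["apple", "boat", "cat", "delta", "eagle", "frost", "gold", "hill"]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in the standard list


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` symbols drawn uniformly from `alphabet_size` choices.

    Works for both passphrases (symbol = word) and passwords (symbol = character).
    """
    return symbols * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words whose combined entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def dice_to_index(rolls: str) -> int:
    """Map five physical dice rolls ('1'..'6' each) to a 0-based list index.

    This is how the paper Diceware method selects a word without a computer.
    """
    if len(rolls) != 5 or any(r not in "123456" for r in rolls):
        raise ValueError("expected five dice rolls, each 1-6")
    index = 0
    for r in rolls:
        index = index * 6 + (int(r) - 1)
    return index


def generate_passphrase(word_count: int, word_list: Sequence[str] = WORDS,
                        sep: str = " ") -> str:
    """Pick `word_count` words with the OS CSPRNG (secrets, never random)."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(word_list) for _ in range(word_count))


if __name__ == "__main__":
    # Compare the 8-character mixed-case pattern passwords discussed in this
    # thread with a six-word Diceware passphrase.
    print("8 chars, upper+lower:", round(entropy_bits(8, 52), 1), "bits")
    print("6 Diceware words:    ", round(entropy_bits(6, DICEWARE_LIST_SIZE), 1), "bits")
    print("words for 80 bits:   ", words_needed(80))
    print("sample (demo list):  ", generate_passphrase(6))
```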
keepass (Score:5, Informative)
http://keepass.info/
Re:keepass (Score:5, Informative)
I also vote for KeePass. It's very nice and very extensible.
KeepAss keeps your ass secure.
That was my thought exactly!
Static compile (Score:2)
Load the app on the same usb as you keep your DB. Execute from the USB. Loading a keylogger which opens Keepass is not too complex. *think NSA and CIA snooping*
I use Keepass on my desktop(s) and Keepass Touch on my iPhone, since I can securely upload the desktop databases to the phone.
Have they finally made KeePass databases portable from Windows to macOS? Last time I tried, I couldn't import to macOS.
I know the program can be used on macOS, but can a password database created on a Windows PC be used on macOS?
1Password (Score:1)
I have been using 1Password for the past few years and since I keep everything local to either my Mac or iPhone (using WiFi to sync) the only way I'll get hacked is if the attacker is already in my local network and if that's the case I'm already screwed. The data files have a master password that I have to remember, but it's much easier to remember 1 password and not hundreds, especially when different email accounts are also used. Is there a 100% secure system out there for passwords? Yes, but I'm sure a
> Yes, but I'm sure a photogenic memory is super uncommon.
But my god are they beautiful to look at.
Standalone hardware (Score:1)
Non-network-connected password manager with no RF connectivity of any kind. Job done.
This exactly. Taped to the bottom of my keyboard.
KeePass for me (Score:4, Informative)
KeePass (Score:1)
I don't trust cloud-based password managers. Use KeePass and encrypt your keyfile with a really strong password. If you want to access your keyfile from multiple devices, sync it to the cloud with box/dropbox/gdrive/etc. Even if the keyfile is stolen, it'd be very difficult to compromise if you use a strong password.
"i dont trust the cloud, but use the cloud"
k
You're either being deliberately ignorant, or the point hasn't been made clear to you. I'll try to help.
With cloud-based password managers, your data is at risk. If they are hacked - and because they are online, they are vulnerable to attacks - your data is compromised unless it is always encrypted. In essence, you're trusting that they will never be hacked, and that if they are, they did best-practices to protect your data.
With Keepass, even if the cloud-storage you use is hacked, you know the data
Right, you don't know what's going on behind a UI and even if you analyse the program to find out, cloud services can change that behavior between updates.
There's several options. (Score:2)
There's several options.
(1) Don't use a lot of password protected services; that way: less to remember.
(2) Live with being occasionally hacked.
(3) The Bratva solution: someone hacks you, send someone to shoot them in the head.
I don't know about you, but I'm kind of partial to #1, with #3 being a close second. I don't particularly like #2.
With every fucking site on the Internet now requiring you to have an account to even take a look at stuff (MassDrop, looking at ya), #1 is a no-go.
#2 is actually a valid option if you split your accounts into 3 main types:
- accounts essential to my well-being (mail, bank, etc) which mandate complex, unique, memorized passwords + 2-step authentication;
- accounts which are important but not essential (e.g. Steam), which mandate unique passwords with 2-factor auth but can be kept in a password manager;
- finally, crap that nobody gives a fuck if hacked (e.g. Slashdot, niah niah). But seriously, "that odd forum which I had to make an account to ask a once-in-a-decade question and never visited again" fits the bill. Those can have relatively simple, non-unique passwords kept in Chrome's password list. So what if they get hacked?
-Memorized passwords with hard-copy password in a book someplace
-OSX Keychain
-Passwords saved in browser.
The OSX keychain is the weakest link unfortunately, although it pretty much requires local access to defeat. I used a Yubikey for a while, but it was just too much of a pain for day-to-day use.
Ultimately, the weak link is my wife... who does not know how to secure all her passwords properly. When two different people need access to the same information, it becomes more difficult to secure.
4: Use password recovery.
Most sites allow you to reset passwords through a link sent through e-mail. Note: This is also why you should never register at a site using an e-mail provider you can't trust. Else whoever controls your e-mail can also reset all your passwords.
5: Remember them.
Buy and read a book on mnemonics. It's not wizardry to remember a few dozen different long passwords.
I have a crap memory so I simply use an internal algorithm to generate a three word passphrase based upon the website I want to access. So say I wanted to access the Whitehouse website and they wanted user names and passwords, the one I would go with is bullshitnumber1 https://www.whitehouse.gov/(sh... [whitehouse.gov] that Trump is more honest than Obama but at least Trump doesn't pretend to be something he isn't), maybe perhaps a little more complicated than that but you get the idea. Sometimes more slack, sometimes more
Use a password manager, don't store online (Score:4, Insightful)
+1. Second advice: don't use password managers with custom formats or custom encryption. My recommendation is Pass [passwordstore.org], with simple GPG encrypted files. Add the GUI of your choice over it.
Use a Local Not a Remote Password Manager (Score:5, Insightful)
Some password managers rely on remote servers or the cloud to store your password. That is risky for two reasons. (1) A service holding passwords for many users is a more likely target for hackers than your own individual computer. (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.
You should choose a password manager application that is installed within your computer and does not rely on you having an Internet connection. The application should use a master password -- actually a master pass-phrase -- to encrypt the individual passwords. That master pass-phrase itself is not stored anywhere. Instead, if it is entered incorrectly, it fails to decrypt any passwords. By "pass-phrase", I mean a longer expression containing blanks, punctuation, etc.
Note that Mozilla-based applications have internal password managers that reflect my second paragraph above.
(2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.
I think LastPass will still work if the server goes down, you just can't sync your vault; perhaps others work that way too. At the least, a service could be designed that way even if LP isn't.
Pick a pattern for your passwords (Score:3)
Say, like the site's name, and select the letters and add in numbers. I use a couple of different patterns depending on the type of site. That way I can remember tens of passwords. 99% of the time it ends up nowhere near a dictionary word and they are all 8+ characters long.
I too use a password algorithm. You don't want to use letters in the site itself. You want to transform them so it's difficult to figure out the algorithm by looking at the passwords. Ideally someone would need to steal a bunch (like 8 or more) of your passwords and then spend a lot of time trying to reverse engineer them.
You can still use a password manager, just don't store the password. Store the algorithm ("First Algorithm"
.. "2015 Version" "Blue Algorithm" ... just make sure the name does NOT relate t
99% of the time it ends up nowhere near a dictionary word and they are all 8+ characters long.
And they're all a fucking joke to crack in 3 seconds!
Seriously, the comments of people here who have these complex schemes but don't understand their "genius" password is going to be cracked by a rainbow table, not brute force.
You need to just use a combination of diceware passphrases (truly long enough to avoid guessing, we're talking 30+ characters here) to unlock a trusted, non-service-based password manager app that generates unique and ridiculously long and impossible to even want to try to remember pa
Yep, this is it. I have 12-14 character passwords that are all highly secure with numbers, capitals and shift characters, different for every site, that I can just type off the top of my head.
Just need a pattern or algorithm. I use pattern, date shift, keyboard slide(i.e. w=q, q=p), shift.
I've used this for the past 17 years and never needed a password manager.
The only time I have issues is with a very few sites that do not allow shift characters(!@#$%^&*()).
See above comment.
;-)
You have a totally solid ILLUSION of security going here.
Hide it in plain sight. (Score:2)
So your password is 140Mandak262Jamuna
... now i just need to find your username!!
Use firefox master password with mozilla sync (Score:2)
Yes. I recommend Firefox's password manager which can encrypt passwords stored in your browser with a master password. Then add to that Mozilla's sync feature to store an encrypted copy of your passwords on Mozilla's server. They are stored encrypted and cannot be recovered without the sync password and e-mail access. If you don't trust Mozilla's server, despite the passwords being encrypted, they provide the open source software so you can run your own server to sync your encrypted passwords to.
If someone
KeePass + Syncthing here (Score:2)
The issues with KeePass generally is synchronization of your password database. You can put it into a USB stick and it gets out of sync, or you can put it up in the cloud, but then it's sort of our of your control..
I use KeePass for my password database and then Syncthing to sync it on all my devices. It's light enough to work on a Raspberry Pi, so it's easy to setup a Syncthing cluster. Resilio (previously known as Bittorent Sync) works too, but I've never tried it personally.
The result is an Open Source password manager, with a database that's synchronized between all my devices and in my control.
I sync my KeePass to the cloud. But, I've also set it up with two-factor authentication. You need both the key file and the password. I place the key file on my portable devices using offline methods. So, even though the database is in the cloud, it's much more secure, in my opinion, than online key managers.
LastPass (Score:5, Informative)
I've been using LastPass for years. I tried pwsafe (nice, but at the time, didn't support Mac well) and KeePass (which I didn't like for reasons that I don't quite recall now; ended up moving back to pwsafe) before I switched to LastPass.
The deciding factors were (1) LastPass Premium works on Android. (And, now, you don't need Premium; the free version also works on Android.) (2) Syncs password changes across all devices, and (3) Professional Paranoid Steve Gibson gave it his seal of approval.
Some of the others also have a way to sync across all devices now, but I haven't come across any compelling reason to switch. Though LetMeIn may be working on that one.
It's worth adding that LastPass information is decrypted on the device you're using it on and not on the server. Just pick a good password for the account.
Better off with paper in wallet. (Score:2)
Just keep a tiny address book in your wallet.
Any important passwords you keep there.
The unimportant stuff can use a common password.
I know it's a low tech solution, but no amount of computer hacking on any machine will get all my passwords. Since I usually remember the passwords I use all the time it
Pass (Score:2)
I like this solution, probably a little too un-'user friendly' for most though.
https://www.passwordstore.org/ [passwordstore.org]
Good use for an old PDA (Score:2)
Save hints (Score:2)
For any normal person (not rich, famous, or powerful), just storing hints in a document is good enough. Something like:
EBay kxxxxbxxxx3xxx
Where the mask character x is not precisely replacing characters.
It's enough to remind me, but not enough to aid a casual attacker.
"pass" (aka passwordstore.org) (Score:2)
In as tech, Linux, and retro a community as Slashdot, I give a particular shout to "pass" (passwordstore.org). Takes a little time to realize how simply powerful it is. And, it's literally nothing but GPG, Git, and a long but easy-to-read Bash script. Also, works really, really well for a team that needs a secrets vault. Back when we did that with KeePass, we'd always get out of sync. Now? It's a git-merge, just like the code.
Want more advanced security than that? My teams' GPG keys (and SSH keys for G
SuperGenPass (Score:2)
https://chriszarate.github.io/... [github.io]
SuperGenPass is a different kind of password solution. Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.
SuperGenPass is a bookmarklet and runs right in your Web browser. It never stores or transmits your passwords, so it's ideal for use on multiple and public computers.
Yes and no... (Score:3)
I use a password manager that has Windows, Linux, Android and iOS clients. They all use the same encrypted data file that I keep on my Dropbox. I keep my day-to-day non-user-critical account passwords in there so I can access them easily and quickly no matter where I find myself. But I don't put the important passwords (financial accounts and the like) in there, I just remember them.
But the PRIMARY thing you can do to keep yourself safe is to "DON'T use the same password on multiple sites!" Never, EVER use the same password in your "fun" accounts and your financial logins... This is because a breach at one of these "we don't care about your security" sites is a lot bigger risk than at your bank, but if you have the same password, you just gave the crooks a very important piece of information.
Secondary to that, is keeping passwords hard to guess. If you have a manager that generates passwords for you, use it for the throw away accounts.
So, in summary. Sure, use a password manager for the trivial junk accounts, use complex passwords and keep them different. But NO, don't put your important passwords in an online storage... Develop a way to remember them and Keep those in your head.
Haha, no (Score:2)
Haha, no. For the same reason you don't keep all your valuables in one safe.
Should you drink water to stay alive? (Score:2)
I mean, you can probably live without for a while...
password safe (Score:3)
Thank god, reading the comments and not a single mention of pwsafe.
Re: (Score:2)
That's what I use too. There's even an Android version that I use with a copy of my PasswordSafe file stored in the cloud so I can get to my passwords on the go.
Re: (Score:2)
And both the Android and PC versions support YubiKey.
Use a manager, use 2fa (Score:3)
I use LastPass just fine, because every site where getting my login details would hurt, I use 2fa: Microsoft, my bank, PayPal, LastPass, Google, etc. Sure I'm picking up my phone once in a while but it's a good balance between secure and convenient. Far less secure are card details; mine got compromised recently but was detected and reversed almost immediately. Which is why I use PayPal whenever possible.
I do not.. come up with a good story scheme... (Score:4, Interesting)
it's what I've used for years. I have a not so memorable story, take an event from that, and turn it into your password scheme.
[completely fabricated example]
In 7th grade a girl I liked (Sarah) gave a presentation on Abraham Lincoln. She was wearing a blue dress.
Four score and blue dress. FoScBlDr (8 characters, safe)
Add in a number and a symbol, because some sites require it. FoScBlDr81? [I think it was in 1981]
So, there is my starting password. Password hint = Sarah Lincoln 81, maybe SL81 for short.
6 months later, you have to change your password. Hint becomes SL82 (FoScBlDr82?)
You could cycle through to 89, then back to 81. Over time, you can morph it in other ways. Maybe put a $ in there instead of a ? for financial sites, or come up with a separate story for those.
The thing is, YOU make up the story and the cycling rules.
You can even write down your password hints, nobody would ever think "Crush 88" was actually "FoScBlDr88?"
I have used one scheme/password since 1999, and it has morphed so much even if I told someone my original password, they couldn't guess what it is now... it's just gibberish.
What's wrong with this? (Score:2)
Keychain (Score:1)
The main drawback is it's in a place everyone who might want your password knows to look, and generic malware to sniff out your keychain password is more likely to be manufactured given how many passwords are at stake globally. Whether that's concerning to you depends on your personal security needs.
Step 1) Threat Evaluation, Step 2) Pick Something (Score:1)
As with all things security related, the first thing you have to do is decide what kind of threats you're really worried about. If you're doing anything that might make you the target of either state backed or other deep pocketed groups that are also technically sophisticated, that's very different than if you're just some person trying to keep their banking and credit card details private. A shorter way to think of that is: is there any reason anyone rich and smart might want to spear phish you? If yes, go
No, bad idea (Score:1)
Password Managers, especially "cloud" based password management is absolute garbage.
The thing you should be doing is designing your own password algorithm
eg:
slashdotcanbiteme911
^^^^^^^^ Padding
--------^^^^^^^^^ phrase you can remember
-----------------^^^ number you can increment
You use the padding word or phrase to fill out the minimum password length, typically something unique to the site that is obvious. Your phrase is something you use with all sites, and then you increment the number when you reset the password.
Sometimes (Score:2)
I personally only use password managers for decent passwords on relatively unimportant sites. And if the password manager gets lost, then I'll just have to reset some passwords.
For anything important (bank sites, root etc) I have memorized about 14 random 12-16 character passwords.
yes. use pass. (Score:2)
use pass, a gpgv2-protected password store. available packaged for most distros or direct from https://www.passwordstore.org/ [passwordstore.org]
graphical frontends also available for those who prefer them.
I abandoned KeePass for LastPass (Score:1)
I used KeePass for a long time on Linux, but having to use Mono sucked, and I felt like there was minimal work going on with the plugin, and the software in general for that matter.
I feel like the weakest link to all password managers is the browser plugin. With that conclusion, I decided to go with LastPass, because I always see their name listed as paying well for bug bounties. I figure that significantly reduces the chances of there being a major 0 day vulnerability in their plugin over the other guys who don't pay as well.
RoboForm & Separate e-mails for EVERYONE (Score:2)
So I have used RoboForm for god knows how long; it syncs across all my devices. Up until recently the last version, you could stick a version on a USB stick and it would allow you to load up an instance on a computer that didn't have RoboForm installed. And when you took the USB out, the app disappears. I have something like 500 different passwords managed with it.
But - I also provide every site a separate e-mail.
slashdot@nuttybee.com
yahoo@nuttybee.com
If slashdot@nuttybee.com starts getting Viagra spam, the
Passopolis (formerly Mitro) (Score:2)
I'm sad that Passopolis/Mitro hasn't gotten more love after the Mitro team open sourced it, and We Are Wizards took it over. Mitro was great before Twitter acquired the team behind it. Sadly, Passopolis has never bothered to get the Android client working again. I looked at building it myself, but the toolchain is ancient by Android standards.
https://passopolis.com/ [passopolis.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]
Mitro uses Google's Keyczar on the server and Keyczar JS implementation on the browser.
Master key is a 128-bit
KeePassX (Score:1)
Nope (Score:2)
Not in a million years.
Why not just use an app???
Yeah, your system seems equally as secure, but harder to use. You have to enter two different passwords and then navigate what, a text file, to copy and paste the info?
With PasswordSafe (open source by Bruce Schneier) I unlock once with my master password and then type the first few letters of the entry I want, and in a series of key combinations that I've done so many times they take me literally less than 2 seconds I can open the associated URL in my browser and copy/paste the username and password.
Re: Encrypted File, Encrypted USB (Score:2, Interesting)
You had better use something in addition to that USB drive. One good static discharge and you're toast.
Use cloud storage like Google Drive or Dropbox and Keepass. It's encrypted, located locally and backed up to the cloud. Been working that way for years without any problems.
I also (as many do) tend to reuse passwords with minor variations. Most of my passwords (even in the file) are "shorthand" passwords that wouldn't work as listed in the document.
I don't understand why more people don't do this. It's easy to come up with a suitably long and random base password that you can then add minor variations to based on some algorithm to make it unique per website or service. e.g. if P@ssword1 is your base password, your slashdot login might be sP@sslword1a (sticking the first three letters of the site into the beginning, middle, and end of the password). Assuming you use an actually random base password and do something a little more sophisticated to mask
Pick even just a short password, and a consistent non-obvious way to append other data about the account. Then cat | some hashing command, type your stuff and cut/paste. Save the relevant data about the account in a text file, but not in the same format you use to append to the password and with some extra cruft. Be sure to include a rough date so you know how stale a password is.
This avoids one compromised cleartext password giving clues about others, as long as you are not so p0wned as to have someone
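The stateless derivation idea runs through two posts here: SuperGenPass (a hash of master password plus domain) and the "cat | some hashing command" scheme just above. The following is an added example of that technique, not SuperGenPass's code or the commenter's; it assumes the site is reduced to its hostname minus a leading "www.", swaps the plain hash for PBKDF2-HMAC-SHA256 so a leaked derived password is expensive to use for offline guessing of the master, and adds a per-site generation counter so a single site can be rotated after a breach without changing the master. The character-class policy and all names are the example's own.

```python
"""Stateless per-site password derivation (SuperGenPass-style) with a slow KDF.

Added example, not code from SuperGenPass or from the commenter describing the
'pipe it through a hashing command' scheme. Assumptions: the site is reduced to
its hostname minus a leading 'www.', PBKDF2-HMAC-SHA256 replaces a plain hash,
and a per-site generation counter allows rotating one site's password.
"""
import base64
import hashlib
from urllib.parse import urlsplit

KDF_ITERATIONS = 100_000  # cost factor; raise as hardware gets faster
DEFAULT_LENGTH = 20
MAX_POLICY_RETRIES = 64


def normalize_domain(site: str) -> str:
    """'https://www.Example.com/login' -> 'example.com' (assumption: drop 'www.')."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def meets_policy(password: str) -> bool:
    """Require at least one lowercase letter, one uppercase letter and one digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def derive_password(master: str, site: str, generation: int = 1,
                    length: int = DEFAULT_LENGTH) -> str:
    """Derive a per-site password; the same inputs always give the same output."""
    domain = normalize_domain(site)
    if not domain:
        raise ValueError("could not extract a hostname from site")
    # Domain and generation form the salt, so each site (and each rotation)
    # gets an unrelated output even though the master never changes.
    salt = f"{domain}:{generation}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS,
                              dklen=32)
    # Re-hash cheaply until the character-class policy holds, the same trick
    # SuperGenPass uses with its own rule set (this policy is the example's own).
    for _ in range(MAX_POLICY_RETRIES):
        candidate = base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]
        if meets_policy(candidate):
            return candidate
        raw = hashlib.sha256(raw).digest()
    raise RuntimeError("could not satisfy policy")  # astronomically unlikely


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo value
    print(derive_password(master, "https://www.example.com/login"))
    print(derive_password(master, "example.com", generation=2))  # after a breach
```

The only state worth writing down is (site, generation, date), which is exactly the "text file with a rough date" the post above describes; the passwords themselves are never stored.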
why more people don't do this. It's easy to come up with a suitably long and random base password that you can then add minor variations to based on some algorithm to make it unique per website or service.
People DO do this. Research has shown that when implementing password expiration, 80% of the time users created a new password which could be guessed by using a dictionary attack on the previous password and applying minor variations.
Re: (Score:2)
Which is one reason why expiring users passwords too often leads to insecure passwords. If your password is going to last for a year, you might use a 20 character string including various special characters and caps/lower case mixing. If your password needs to be changed every month, you'll get the PASSWORD1, PASSWORD2, PASSWORD3, etc. variations.
I don't understand why more people don't do this
Because it's unnecessary. I have a KeePass database that's stored in a TrueCrypt volume on my PC. I randomly generate passwords that are 12+ characters using random numbers, letters, cases, etc. I also use KeePass on my iPhone using a 6 digit PIN + TouchID with MDM that allows remote wipe in the event it's lost/stolen.
Wow! 12 characters. That sounds super secure against hacks... if it were still 1993!
OK sorry for the snark, but seriously rainbow tables have you powned out to 16 characters easily nowadays.
From what I have read, 21-25 characters minimum is what you need to be doing now for security against brute force / dictionary attacks now that hackers are using cloud resources to attack them.
One drawback is if a website has its database compromised or for some other reason you need or want to change your password. Do you use a different base password for that one site, or different rules for altering it? How do you remember which sites are still using the old way and which ones are on the new way? What if you have to change password X a second time, and now you have sites using three different algorithms or base passwords. It could pretty easily become a mess.
Why is lastpass a piece of crap, exactly?
Re: (Score:3)
+1 for 1Password.
I don't have strong enough words to endorse their Watchtower service, which tracks recent breaches, affected sites, and warns you about it so you can change your passwords on affected sites. It also reports about duplicate passwords used multiple places, last time they were changed, etc. That functionality of 1Password alone is worth the cost, especially if you have hundreds or thousands of passwords.
You can store your key database in multiple different places, you just have to choose the o
+1 for 1Password.
I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.
I'm switching to LastPass.
Re: Dont use lastpass (Score:1)
1Password is garbage https://myers.io/2015/10/22/1password-leaks-your-data/
Hey, that's my password (1Password); it satisfies all the usual criteria: upper/lowercase letters, including a # and length >= 8 chars.
(j/k of course)
> Lastpass is a piece of crap.
And that's the end of the rant? Aww.
I continue to recommend Lastpass. 1Password (for 70$), not at all.
Dashlane?
Re: (Score:2)
they released the source of their client.
...until they change the source.
yes AC we believe you!...
While most sites will store crypts instead of cleartext passwords, you have no way of knowing which ones don't and those ones are likely more likely to be compromised. Cleartext can also be exposed easily by accident -- e.g. typing the password at a username prompt by accident, depending on how logging is configured on the service, or not caring to pay attention and do due diligence when ssh tells you a server key changed (really wish SSH would add a challenge response protocol, but it sadly puts 100% trus
Re: (Score:2)
Use a passphrase made up of the first letter from a phrase, such as: MGai4meO... is "My Gmail account is for my eyes only" (the periods are simply extra fluff which add to the complexity
And congratulations, your high "complexity" 11 character password has just been solved by a rainbow table in less than 3 seconds.
Actually using the phrase instead you would have been literally a million times safer.
I also use password safe. And I use it with a Yubikey for 2FA. Works both with my phone and my PC.
Finally! Other people doing security right!
I have 1,200+ passwords in PasswordSafe. Each one is generally 25 (for the oldest) or more characters randomly generated by password safe itself. URL is stored for each one so that with three hotkeys, I have opened the website and pasted the username and password in under 2 seconds.
The passwordsafe itself is secured with a 6-7 word diceware passphrase.
Can be synced to my android device which has a password safe port, including a keyboard integration that keeps the