Password Managers

edited August 2008 in Technology
I've been thinking about switching out from using FireFox password manager to using something more secure. Could you all recommend what password manager to use? Or I should I even bother? I use 5 passwords and I assign each one to a certain type of security. One password I use for just forum accounts. And I use one specifically for my online bank. It works out alright but I can't help feeling I should be using a better way of securing my accounts.

Comments

  • How timely! I just switched up all my password management! I use two things, and by combining both of their powers, I can manage all of my passwords for web sites.

    SuperGenPass
    Verisign PIP for sites that use OpenID
  • edited August 2008
    This is great. The OpenID site lists several sites you can sign up for an OpenID service with. Was there any particular reason why you chose Verisign PIP to use as your OpenID service? Are you using the one click option to store all your passwords on it? Or do you just use the site for the OpenID account?
    Post edited by Josh Bytes on
  • edited August 2008
    This is great. The OpenID site lists several sites you can sign up for an OpenID service with. Was there any particular reason why you chose Verisign PIP to use as your OpenID service? Are you using the one click option to store all your passwords on it? Or do you just use the site for the OpenID account?
    I only use Verisign for OpenID sites, and I used supergenpass for all the others. I chose Verisign because even though they charge too much money for some of their products, their products are high quality and trustworthy. Since the PIP is free, why not pick the super awesome commercial provider? Also, I'm using the provided seatbelt Firefox extension in combination with the PIP.

    There are a few problems with my new solution. The first problem is that I can't use either of these tools to manage the passwords I use to login to machines. That's ok, because I have SSH keys and agents all set up perfectly, and I just memorize the passwords for the three computers I log into physically.

    The other problem is when I need to login to some website on my iPhone. For example, supergenpass handles my Twitter password. If I want to type my Twitter password into an iPhone app, I need to load up supergenpass, get the password, then type it in. Slightly annoying.
    Post edited by Apreche on
  • I put portable apps in a Truecrypt'd partition on my thumb drive, and run portable KeePass on that. Works great, easy to use, highly recommended.
  • I hear that KeePass is a good manager. I just use Firefox, though.
  • Firefox doesn't help with software keys, or anything else that isn't on the web, though.
  • edited September 2008
    Password Safe on a memory stick works for me.
    Post edited by getHorns() on
  • edited September 2008
    onepassword is pretty good I hear.
    Post edited by CHOIS CHOIS CHOIS on
  • Is KeePass the right one to use still?
  • I use LastPass.
  • KeePass seems to be for tinfoil hat neckbeards and LastPass is for everyone else.
  • Don't use any of those.
  • I use password safe for all the passwords I don't just remember, because I don't use them often enough to keep them in my head. I use password safe because it was originally written by Schneier, and is currently maintained by someone he vouches for. If I can't trust his crypto I'm not sure who I can trust.
  • My passwords are based on an algorithm only I know, and are unique for every single site.

    A local crypto vault is fine, if you use it to remember passwords you've forgotten or store secure data in general.

    A web site password-autofiller or any of that? GLHF.


    http://www.lifehacker.com.au/2016/06/keepass-vulnerability-lets-attackers-steal-passwords-but-dont-expect-it-to-be-patched/
    http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
    https://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/
  • edited August 2016
    Rym said:

    A web site password-autofiller or any of that? GLHF.

    Literally the first thing I turned off with lastpass. I had no idea at the time if (though obviously, I do now) or how (still don't, sorry) having a plugin supply my password to whoever asks right could be exploited - but I do know that I don't know enough to correctly assess that risk, and the time-and-effort cost for having it turned off is negligible, so I took the safer route.

    Post edited by Churba on
  • Rym said:

    My passwords are based on an algorithm only I know, and are unique for every single site.

    A local crypto vault is fine, if you use it to remember passwords you've forgotten or store secure data in general.

    A web site password-autofiller or any of that? GLHF.


    http://www.lifehacker.com.au/2016/06/keepass-vulnerability-lets-attackers-steal-passwords-but-dont-expect-it-to-be-patched/
    http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
    https://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

    I did the in-your-head-algorithm thing for many years and it was fine. But LastPass is way better; the convenience and speed of not having to work out and type passwords is worth it, especially when I upgrade phones and have to sign back into everything all over again. Being able to share the occasional password with my S.O. with a couple of clicks is nice too.

    Re: GLHF -- Passwords aren't secure anyway! If you're paranoid enough not to trust LastPass, you shouldn't trust any site that has a password recovery link or any form of real-human-interaction-based user support, period.
    https://www.wired.com/2012/11/ff-mat-honan-password-hacker/
  • Rym said:

    My passwords are based on an algorithm only I know, and are unique for every single site.

    Great, but now dudebro-my-passwords-are-fucked-up.com got hacked and you have to change that one. Does the algorithm permit that?
  • edited August 2016
    Starfox said:

    Rym said:

    My passwords are based on an algorithm only I know, and are unique for every single site.

    Great, but now dudebro-my-passwords-are-fucked-up.com got hacked and you have to change that one. Does the algorithm permit that?
    That's why you have a shitty password you use for sites where you're fairly confident that their security is awful. Use it on all shitty websites, who gives a fuck. If someone compromises that password they have access to a stupid website that no one cares about.
    Post edited by MATATAT on
  • KeePass fixed its security flaw in the last version update. Also the app never did auto-updates. It just sends a notification of the latest version. The user has to go to the website to install it.
  • Knowing my password on one site will not compromise the algo on other sites. I guess if someone got my password, clear, on several sites, yes, they could figure it out. But the odds of that are pretty low, and the algo is different for shitty sites.

    The point is that passwords are good if you know them in your head and nowhere else, and never rely on other things to type them for you.

    As for password reset, those almost invariably require email access, so set up your two-factor and you're fine.

    Also, fucking use two-factor on every single service that offers it.
  • Thing with 2-factor is, it's not offered on much. Like, I have it on my email, Steam, Blizzard and bank accounts, but I'm SOL on things like, well, say, the FRC forum, or my still totally active RIT account (by the way, they totally just realized I've graduated and decided to change my account into an alum account. But not before I secured myself copies of Windows 7, 8.1, 10, Server 2012, Access, and Visio w/ product keys, compliments of my Alma Mater), or Patreon,

    Does Amazon do 2-factor?
  • edited August 2016
    Naoza said:

    Does Amazon do 2-factor?

    Yes, but it doesn't prompt you for it very often.

    I have 2-factor for...

    Google
    Blizzard
    Amazon AWS
    Amazon
    Microsoft
    Github
    Gitlab (one for each)
    Bitbucket
    Slack (one for each)
    Bitbucket
    Linode
    Kickstarter
    500px
    Tumblr
    Facebook
    Twitter (kind of)
    WordPress (one for each)
    Post edited by Apreche on
  • Well hold on, so if someone gets my password they only have it until Amazon bugs them for it... basically randomly?
  • Naoza said:

    Well hold on, so if someone gets my password they only have it until Amazon bugs them for it... basically randomly?

    They use IP and cookies to identify the machine that's logging in -- two-factor is guaranteed to trigger when logging in from a new computer.
  • Rym said:

    Knowing my password on one site will not compromise the algo on other sites. I guess if someone got my password, clear, on several sites, yes, they could figure it out. But the odds of that are pretty low, and the algo is different for shitty sites.

    Sure, but I'm not talking about compromising every site. Suppose your algorithm gives you "hunter2_frcf" for this forum. Vanilla gets compromised, and you have to change this one. Does your algorithm elegantly handle this? "hunter2_frcf2"?

    Now you're on your way back up the same hill - have to remember unique things for every site.
    MATATAT said:

    That's why you have a shitty password you use for sites where you're fairly confident that their security is awful. Use it on all shitty websites, who gives a fuck. If someone compromises that password they have access to a stupid website that no one cares about.

    Good sites get hacked too. Adobe, Amazon, Google, Yahoo...
  • Yes, my algorithm handles this. You vastly underestimate the complexity of my passwords.
  • Also, before I had algorithms, I just memorized a unique password for every site. It only broke down when I had more than 10 or so.
  • Also, for anything that isn't capable of making purchases using my money, or doesn't allow access to that action in some form, I am more lax on the passwords. I can always get those accounts back if they're compromised. If it is capable of those actions then I have a unique password for it and 2-factor if available.
  • Rym said:

    Yes, my algorithm handles this. You vastly underestimate the complexity of my passwords.

    Would you be able to share a dumbed-down "toy" version of your algorithm (or something like it) to demonstrate how it "handles" this case? I'd be interested to see that.
  • Rym said:

    Yes, my algorithm handles this. You vastly underestimate the complexity of my passwords.

    Would you be able to share a dumbed-down "toy" version of your algorithm (or something like it) to demonstrate how it "handles" this case? I'd be interested to see that.
    I don't know anything about Rym's algorithm. I also personally don't use such a method. Regardless, I will come up with a reasonable algorithm on the spot. Let's see how it goes.

    An animal that starts with the same letter as the thing you are logging into, e.g. Facebook = Ferret
    A place that starts with the last letter - FerretKansas
    The number of letters in the name of the thing you are logging into - FerretKansas8
    Add 5 (cycling around the keyboard) and press shift on that number. Put it at the beginning - #FerretKansas8
    Write your name backwards, all lowercase, at the end - #FerretKansas8niburttocs

    That's strong enough.
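Apreche's toy scheme implemented step by step, as an added example rather than code from the post. The animal and place tables are constructed, a US keyboard number row is assumed, spaces in the name are dropped, the name "Scott Rubin" is inferred from the reversed string niburttocs in the post, and common_suffix shows the part of the output that is identical for every site, which is the "several passwords in the clear" case discussed earlier in the thread.

```python
# Constructed lookup tables: one animal and one place per starting letter.
ANIMALS = {"f": "Ferret", "t": "Tiger", "g": "Goat", "a": "Antelope", "k": "Koala"}
PLACES = {"k": "Kansas", "r": "Rome", "b": "Berlin", "n": "Nairobi", "l": "Lima"}

NUMBER_ROW = "1234567890"   # keys in order along the top row (US layout assumed)
SHIFTED_ROW = "!@#$%^&*()"  # the same keys with shift held


def shifted_digit(count: int) -> str:
    """Step 4: add 5 to the letter count, cycling around the number row, then
    take the shifted symbol on that key.  Facebook (8) -> key '3' -> '#'.
    Assumption: for counts of 10 or more only the last digit is cycled."""
    digit = str(count)[-1]
    idx = (NUMBER_ROW.index(digit) + 5) % len(NUMBER_ROW)
    return SHIFTED_ROW[idx]


def toy_password(site: str, full_name: str) -> str:
    """Apply the five steps to a site name and the user's real name."""
    letters = "".join(ch for ch in site if ch.isalpha()).lower()
    animal = ANIMALS[letters[0]]     # step 1: animal sharing the first letter
    place = PLACES[letters[-1]]      # step 2: place starting with the last letter
    count = len(letters)             # step 3: number of letters in the site name
    symbol = shifted_digit(count)    # step 4: shifted key, placed at the front
    # step 5: the user's name backwards, lowercase (spaces dropped: assumption)
    name_rev = "".join(ch for ch in full_name if ch.isalpha()).lower()[::-1]
    return f"{symbol}{animal}{place}{count}{name_rev}"


def common_suffix(a: str, b: str) -> str:
    """Longest shared tail of two generated passwords: the part that stays the
    same from site to site, and so is visible to anyone holding both in the clear."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


if __name__ == "__main__":
    fb = toy_password("Facebook", "Scott Rubin")
    tw = toy_password("Twitter", "Scott Rubin")
    print(fb)   # #FerretKansas8niburttocs, as in the post above
    print(tw)   # @TigerRome7niburttocs
    print("constant across sites:", common_suffix(fb, tw))
```

Every step is a fixed function of the site name plus the user's name, so once two outputs are seen side by side the invariant part stands out, and there is no step that changes after a breach of one site.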