Password Managers

Josh Bytes · August 2008

I've been thinking about switching out from using FireFox password manager to using something more secure. Could you all recommend what password manager to use? Or I should I even bother? I use 5 passwords and I assign each one to a certain type of security. One password I use for just forum accounts. And I use one specifically for my online bank. It works out alright but I can't help feeling I should be using a better way of securing my accounts.

Apreche · August 2008

How timely! I just switched up all my password management! I use two things, and by combining both of their powers, I can manage all of my passwords for web sites.

SuperGenPass
Verisign PIP for sites that use OpenID

Josh Bytes · August 2008

This is great. The OpenID site list several sites you can sign for an OpenID service. Was there any particular reason why you chose Verisign PIP to use as your OpenID service? Are you using the one click option to store all your passwords on it? Or do you just use the site for the OpenID account?

Apreche · August 2008

This is great. The OpenID site list several sites you can sign for an OpenID service. Was there any particular reason why you chose Verisign PIP to use as your OpenID service? Are you using the one click option to store all your passwords on it? Or are you just use the site for the OpenID account?

I only use Verisign for OpenID sites, and I used supergenpass for all the others. I chose Verisign because even though they charge too much money for some of their products, their products are high quality and trustworthy. Since the PIP is free, why not pick the super awesome commercial provider? Also, I'm using the provided seatbelt Firefox extention in combination with the PIP.

There are a few problems with my new solution. The first problem is that I can't use either of these tools to manage the passwords I use to login to machines. That's ok, because I have SSH keys and agents all setup perfectly, and I just memorize the passwords for the three computers I log into physically.

The other problem is when I need to login to some website on my iPhone. For example, supergenpass handles my Twitter password. If I want to type my Twitter password into an iPhone app, I need to load up supergenpass, get the password, then type it in. Slightly annoying.

Tron · August 2008

I put portable apps in a Truecrypt'd partition on my thumb drive, and run portable keypass on that. Works great, easy to use, highly recommended.

Dkong · August 2008

I hear that Keypass is a good manager. I just use Firefox, though.

Tron · September 2008

Firefox doesn't help with software keys, or anything else that isn't on the web, though.

getHorns() · September 2008

Password Safe on a memory stick works for me.

CHOIS CHOIS CHOIS · September 2008

onepassword is pretty good I hear.

Starfox · August 2016

Is KeePass the right one to use still?

JettisonJoe · August 2016

I use LastPass.

Pegu · August 2016

KeePass seems to be for tinfoil hat neckbeards and LastPass is for everyone else.

Apreche · August 2016

Don't use any of those.

Naoza · August 2016

I use password safe for all the passwords I don't just remember, because I don't use them often enough to keep them in my head. I use password safe because it was originally written by Schneier, and is currently maintained by someone he vouches for. If I can't trust his crypto I'm not sure who I can trust.

Rym · August 2016

My passwords are based on an algorithm only I know, and are unique for every single site.

A local crypto vault is fine, if you use it to remember passwords you've forgotten or store secure data in general.

A web site password-autofiller or any of that? GLHF.

http://www.lifehacker.com.au/2016/06/keepass-vulnerability-lets-attackers-steal-passwords-but-dont-expect-it-to-be-patched/
http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
https://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

Churba · August 2016

Rym said:
A web site password-autofiller or any of that? GLHF.

Literally the first thing I turned off with lastpass. I had no idea at the time if(though obviously, I do now) or how(still don't, sorry) having a plugin supply my password to whoever asks right could be exploited - but I do know that I don't know enough to correctly assess that risk, and the time-and-effort cost for having it turned off is negligible, so I took the safer route.

JettisonJoe · August 2016

Rym said:
My passwords are based on an algorithm only I know, and are unique for every single site.

A local crypto vault is fine, if you use it to remember passwords you've forgotten or store secure data in general.

A web site password-autofiller or any of that? GLHF.

http://www.lifehacker.com.au/2016/06/keepass-vulnerability-lets-attackers-steal-passwords-but-dont-expect-it-to-be-patched/
http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/
https://www.engadget.com/2016/06/04/keepass-wont-fix-security-hole-due-to-ads/

I did the in-your-head-algorithm thing for many years and it was fine. But LastPass is way better; the convenience and speed of not having to work out and type passwords is worth it, especially when I upgrade phones and have to sign back into everything all over again. Being able to share the occasional password with my S.O. with a couple of clicks is nice too.

Re: GLHF -- Passwords aren't secure anyway! If you're paranoid enough not to trust LastPass, you shouldn't trust any site that has a password recovery link or any form of real human interaction based user support, period.
https://www.wired.com/2012/11/ff-mat-honan-password-hacker/

Starfox · August 2016

Rym said:
My passwords are based on an algorithm only I know, and are unique for every single site.

Great, but now dudebro-my-passwords-are-fucked-up.com got hacked and you have to change that one. Does the algorithm permit that?

MATATAT · August 2016

Starfox said:

Rym said:
My passwords are based on an algorithm only I know, and are unique for every single site.
Great, but now dudebro-my-passwords-are-fucked-up.com got hacked and you have to change that one. Does the algorithm permit that?

That's why you have shitty password you use for sites where you're fairly confident that their security is awful. Use it on all shitty websites who gives a fuck. If someone compromises that password they have access to stupid website that no one cares about.

Josh Bytes · August 2016

Keepass fixed it's security flaw on the last version update. Also the app never did auto updates. It just sends a notification of the latest version. User has to go to website to install it.

Rym · August 2016

Knowing my password on one site will not compromise the algo on other sites. I guess if someone got my password, clear, on several sites, yes, they could figure it out. But the odds of that are pretty low, and the algo is different for shitty sites.

The point is that passwords are good if you know them in your head and nowhere else, and never rely on other things to type them for you.

As for password reset, those almost invariably require email access, so set up your two-factor and you're fine.

Also, fucking use two-factor on every single service that offers it.

Naoza · August 2016

Thing with 2 factor is, it's not offered on much. Like, I have it on my email, steam, blizzard and bank accounts, but. I'm SOL on things like well say, the FRC forum, or my still totally active RIT account (by the way, they totally just realized I've graduated and decided to change my account into an alum account. But not before I secured myself copies of Windows 7, 8.1, 10, Server 2012, Access and, Visio w/ product keys, compliments of my Alma Mater), or Patreon,

Does Amazon do 2-factor?

Apreche · August 2016

Naoza said:
Does Amazon do 2-factor?

Yes, but it doesn't prompt you for it very often.

I have 2factor for..

Google
Blizzard
Amazon AWS
Amazon
Microsoft
Github
Gitlab (one for each)
Bitbucket
Slack (one for each)
Bitbucket
Linode
Kickstarter
500px
Tumblr
Facebook
Twitter (kind of)
WordPress (one for each)

Naoza · August 2016

Well hold on, so if someone gets my password they only have it unitl amazon bugs them for it.. basically randomly?

Linkigi(Link-ee-jee) · August 2016

Naoza said:
Well hold on, so if someone gets my password they only have it unitl amazon bugs them for it.. basically randomly?

They use IP and cookies to identify the machine that's logging in -- two-factor is guaranteed to trigger when logging in from a new computer.

Starfox · August 2016

Rym said:
Knowing my password on one site will not compromise the algo on other sites. I guess if someone got my password, clear, on several sites, yes, they could figure it out. But the odds of that are pretty low, and the algo is different for shitty sites.

Sure, but I'm not talking about compromising every site. Suppose your algorithm gives you "hunter2_frcf" for this forum. Vanilla gets compromised, and you have to change this one. Does your algorithm elegantly handle this? "hunter2_frcf2"?

Now you're on your way back up the same hill - have to remember unique things for every site.

MATATAT said:
That's why you have shitty password you use for sites where you're fairly confident that their security is awful. Use it on all shitty websites who gives a fuck. If someone compromises that password they have access to stupid website that no one cares about.

Good sites get hacked too. Adobe, Amazon, Google, Yahoo...

Rym · August 2016

Yes, my algorithm handles this. You vastly underestimate the complexity of my passwords.

Rym · August 2016

Also, before I had algorithms, I just memorized a unique password for every site. It only broke down when I had more than 10 or so.

MATATAT · August 2016

Also anything that isn't capable of making purchases using my money or allows access to that action in some form then I am more lax on the passwords. I can always get those accounts back if they're compromised. If it is capable of those actions then I have a unique password for it and 2 factor if available.

JettisonJoe · August 2016

Rym said:
Yes, my algorithm handles this. You vastly underestimate the complexity of my passwords.

Would you be able to share a dumbed-down "toy" version of your algorithm (or something like it) to demonstrate how it "handles" this case? I'd be interested to see that.

Apreche · August 2016

JettisonJoe said:

Rym said:
Yes, my algorithm handles this. You vastly underestimate the complexity of my passwords.
Would you be able to share a dumbed-down "toy" version of your algorithm (or something like it) to demonstrate how it "handles" this case? I'd be interested to see that.

I don't know anything about Rym's algorithm. I also personally don't use such a method. Regardless, I will come up with a reasonable algorithm on the spot. Let's see how it goes.

An animal that starts with the same letter as the thing you are logging into: e.g: Facebook = Ferret
A place that starts with the last letter - FerretKansas
The number of letters in the name of the thing you are logging into - FerretKansas8
Add 5 (cycling around the keyboard) and press shift on that number. Put at the beginning - #FerretKansas8
Write your name backwards at the end all lowercase - #FerretKansas8niburttocs

That's strong enough.

Howdy, Stranger!

Categories

Password Managers

Comments