lastpass or keepass?

You are currently reading a thread in /g/ - Technology

Thread replies: 66
Thread images: 11
File: 1377550982530.jpg (32 KB, 193x219)
lastpass or keepass?
>>
File: Smug_Pepe.png (28 KB, 200x200)
pen and paper
>>
Unix passwordstore
>>
Lastpass
>>
store-password.sh: echo "$2" | openssl enc -aes-256-cbc -out "$HOME/.passwords/$1"
get-password.sh: openssl enc -d -aes-256-cbc -in "$HOME/.passwords/$1"
copy-password.sh: get-password.sh "$1" | tr -d '\n' | xclip -selection clipboard
>>
>>52280900
>AES
Why? It has an NSA backdoor.
>>
>LastPass is a proprietary password management service which stores encrypted passwords in the cloud
>KeePass Password Safe is a free, open source, and light-weight password management utility. By default, the KeePass database is stored on local file system (as opposed to cloud storage).

is there even any competition?
>>
Your own memory
>>
>>52280587
Whichever is more convenient for you. With the number of devices I own, and the fact I only need it for web accounts, I prefer LastPass.

If you only need it on one device and want to control if your password database gets synced - if at all - go with KeePass.

Either one is a good choice. Frankly, as long as you're using a password manager, you're still way better off than any retarded faggot who isn't using one.
>>
>>52280587
keepass
>>
Where is maki?
>>
>>52280929
Prove it
>>
File: memo-pad-12379233.jpg (55 KB, 957x1300)
>>52280587
>lastbotnet or keebotnet?
>>
>>52280587
>not using Windows credentials manager
>not using any notepad equivalent
>>
>>52282715
Go meme somewhere else, faggot
>>
File: There-is-no-Cloud-Baby-Vest.jpg (16 KB, 235x235)
>>52282952
>muh cloud services

Ignoring reality won't make your password manager more safe:
https://blog.lastpass.com/it/2015/06/lastpass-security-notice.html/

Enjoy giving all your passwords to some third party service.
>>
>>52280587
Just use keepass and sync the database in whichever way you move files between devices already.
>>
>>52283031
>keepass
>cloud
k
>>
>>52283031
So explain what's wrong with that event and why my passwords weren't safe.
>>
File: password_strength.png (91 KB, 740x601)
>>52280587
Neither. You just need to learn how to rank the websites you go to and how secure they need to be if at all.
>>
>>52283350
The LastPass database was hacked, that's what's wrong. If you had any passwords stored in cloud before June 2015, then right now some chink is probably bruteforcing your hashed passwords.
>>
>>52280929
... No... No, it doesn't.

You might be confusing it with RSA, in which it is sorta true. The NSA attempted to weaken/backdoor the RSA standard.
>>
>>52283368
That's the dumbest thing I think I've ever heard.
And you post that xkcd comic like you know what you're talking about.

Bitch please, I bet you can't even calculate the Shannon Entropy value of a few of your passwords.
>>
>>52280587
Just use a piece of paper dipshit.
>>
>>52284303
It's okay to admit you're retarded.

Enjoy thinking every shitty website needs a 20+ character password

Enjoy not understanding how people commonly 'crack' hashes and passwords.
>>
File: 1400204495295.jpg (36 KB, 520x416)
>>52280587
just use your goddamn brain for once in your pathetic life and remember your bullshit passwords yourself, you fucking retard nigger faggot
>>
>>52284349
Mixing between a password manager and a few bad passwords is a horrible idea.
>>
>>52284381
You don't need a password manager you dumb ass nigger.

And using shitty passwords for shitty sites with no risk to you is a non-issue.
>>
File: 1.jpg (272 KB, 953x1200)
Your brain.
>>
>>52283368
Wasn't this proven a poor solution? I thought a dictionary attack could brute force this with some time.

Also, for those saying writing down passwords is really the safest, what about burglars? Fires? Water damage?
>>
>>52284559
>I thought a dictionary attack could brute force this with some time.
Yes, it could. Relatively 'easily' too, considering the dude thinks Tr0ub4dor&3 would be easy.
>>
>>52284559
>Wasn't this proven a poor solution? I thought a dictionary attack could brute force this with some time.

The complexity of dictionary attacks on multiple words is pretty high, but you could also equally make a password that's a code snippet. Easy to memorize, extremely hard to brute.


The problem is a lot of sites have shitty limits, etc.


>what about burglars? Fires? Water damage?

don't live in a 3rd world shithole
>>
>>52284042
My password is 25 characters long. I highly doubt anything is going to come to fruition.

Combined with changing the passwords on the sites I go on after a while, the security issue is zero.
>>
>>52284605
>>52284602
>>52284559
You're missing the point of what the comic is trying to convey. It's all about the entropy of the password.

https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
>>
>>52284615
>the security issue is zero.
it's still less secure than an offline solution like keepass

having your passwords online, where an attacker can theoretically read the communication between you and the server for every transaction
>>
>>52284639
Except the comic implies that would be a "hard" password for a computer to guess. It wouldn't.
>>
>>52284652
Man in the middle attack for an SSL connection? You may as well say entering a password into PayPal.com from memory is just as insecure
>>
local, always m8.

self-hosted when possible as well. you do have a vps somewhere out there right fampai?
>>
>>52282715
Keepass isn't a botnet. It doesn't even use the internet.
>>
>>52284670
>Man in the middle attack for an SSL connection?
What is SSL Hijacking...?
>>
>>52284605
I never knew crime, fires, and water only exist in 3rd world countries
>>
>>52280929
Go read a bit about how symmetric cryptography works. The mathematics behind AES is sound.
>>
>>52284969
weaknesses have already been found for the 256-bit key version m8.

NIST just needs to stop being retards and increase the standard to be more rounds.
>>
My solution to password management has been using Nadim Kobeissi's (creator of CryptoCat) tool, npwd. You enter a master key and then the name of the account you're generating a password for.

The key is derived from the master password using scrypt, and then salted using whatever the name of the account is: e.g., using "buttsecks" as the master key and then typing "github" for the account name will always produce the same character string.

You're thus never storing passwords. All you need to keep track of is a good master key.

Here's a link to npwd: https://github.com/kaepora/npwd
>>
>>52284615
>My password is 25 characters long
You see, that's not the issue, it could be 96 chars for what they care, once they manage to crack the hashing algorithm it's all over.

Besides, using a proprietary solution in the first place is suicidal, do you honestly believe there're no backdoors in LastPass encryption, decryption and hashing systems? I don't use them so I don't give a shit but you should be concerned if you use this sort of thing.
>>
>>52284653
It all depends on how the bruteforcer is set up.

If you know, or suspect, the person is using a combination of dictionary words then you might start with that and then switch to rainbow tables and letter by letter bruteforcing.

Of course the dictionary attack will fall apart if one of the words isn't in your dictionary, and there is nothing stopping you from using words from another language in your password that you might find easy to remember.
>>
>>52283368
>what is a dictionary attack
>>
>>52285041
Wouldn't that mean that, say, on a site where the name of the account is visible you could bruteforce the program to effectively find the master key?
>>
>>52285207
>thinks dictionary attacks instantly solve the problem
>thinks dictionary attacks of an n words concatenated is quick
>thinks anyone is doing a dictionary attack over a rainbow table in this day and age
>>
>>52285179
There are more combinations of words than there are letters in the alphabet. Simply misspelling a few words in the password is enough to throw off a dictionary cracker indefinitely.
>>
>>52285209
The keyspace is incredibly large for two reasons, making bruteforcing rather infeasible: you choose both the master key and the account name, which acts as the salt. There's no guarantee that the user will use a specific salt. If the attacker wants to brute force my GitHub password, for example, she must do the following:

1. Guess the master key/password which I use for all of my accounts
2. Guess the salt (e.g., could be "github", "gh", "github.com", "github.com/myname", "myname", the email you use on github, etc)
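
An added example, not part of the thread and not npwd's own code: a Python sketch of the scheme described in the posts above (scrypt over a master key, salted with the account name) plus the cost of checking master-key guesses against one leaked site password. The scrypt parameters, output alphabet and function names are assumptions made for illustration.

```python
import hashlib
import math
import string
import time

# Assumed cost parameters and output alphabet; npwd's real values may differ.
N, R, P = 2**14, 8, 1
ALPHABET = string.ascii_lowercase + string.digits


def derive_password(master_key: str, account: str, length: int = 16) -> str:
    """scrypt(master_key, salt=account) mapped onto ALPHABET; nothing is stored."""
    raw = hashlib.scrypt(master_key.encode(), salt=account.encode(),
                         n=N, r=R, p=P, dklen=length)
    # Modulo mapping has a slight bias; acceptable for an illustration.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def seconds_per_guess(samples: int = 3) -> float:
    """Time one derivation: the price of testing one master-key guess."""
    start = time.perf_counter()
    for i in range(samples):
        derive_password(f"guess-{i}", "github")
    return (time.perf_counter() - start) / samples


def effective_bits(master_key_bits: float, salt_candidates: int) -> float:
    """Search space when the salt is one of a few plausible account names."""
    return master_key_bits + math.log2(salt_candidates)


def years_to_exhaust(bits: float, secs_per_guess: float) -> float:
    """Worst-case single-core time to try the whole search space."""
    return (2 ** bits) * secs_per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    # Master key and account names are the ones quoted in the thread.
    print(derive_password("buttsecks", "github"))
    print(derive_password("buttsecks", "gh"))  # different salt, different password
    cost = seconds_per_guess()
    for bits in (28, 44, 64):  # constructed master-key strengths
        total = effective_bits(bits, 6)  # six salt spellings listed above
        print(f"{bits} bits -> {years_to_exhaust(total, cost):.3g} years")
```

A handful of plausible salt spellings adds only log2 of their count to the search space, so in this sketch the master key's own entropy and the scrypt cost per guess carry almost all of the protection.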
>>
File: 1437732738221.jpg (14 KB, 200x200)
>trusting other people to keep your passwords safe
>>
~/.passwords
>>
File: 1434564905070.png (240 KB, 432x429)
>>52285340
This.

Some people believe that a password database being leaked is a minor concern and haxxorz will never manage to crack it because *whatever reason* but in reality with the large number of samples that they get from a database, it will be much more easy to crack whatever encryption the database might be using, implying that the database was even encrypted in the first place.

>b-but muh developer said passwords were kept very safe
Of course devs will never admit their system was faulty or that it contained intentional backdoors, because they don't want to face legal issues they choose the easy way out.

The LastPass devs probably didn't sleep properly since the leak, the people who copied the database might disclose whatever security breach they found in the process of cracking, like for example a backdoor.
>>
>last ass
>the greatest ass ever, all of your primitive desires will be forever gone
>your dick will be transcended

>keep ass
>a lifetime supply of mediocre ass
>>
i use keepassx
>>
>>52281444
not secure enough, anon. my memory has no encryption
>>
>>52282715
>everything is a botnet
>>
http://sprunge.us/aFbV

uhh.... my own I guess?
I mean gpg jus werk
plus I can version control this shit

literally wrote this in like 15 minutes desu
>>
File: readImage.jpg (17 KB, 400x300)
https://en.wikipedia.org/wiki/LastPass#2015_security_breach

>be k00l l337 h4x0r
>discover breach in lastpass service but do nothing yet
>register 10k accounts with slightly different names and password reminders
>exploit the breach to steal the lastpass database
>see day and hour of files creation to identify your 10k accounts
>start reverse bruting the encrypted files of your 10k accounts
>crack the lastpass database encryption in no time at all
>...
>profit.

k00l l337 h4x0rz: 1
password manager users: 0
>>
>>52285207
>talk like you know some shit
>don't actually know some shit
>>
>>52280587
Memorize your passwords you dumb fuck.
>>
File: 1444082200523.png (178 KB, 1190x906)
>>52284369
>I DON'T UNDERSTAND ANYTHING ABOUT SECURITY OR PASSWORD GENERATION

I bet you repeat passwords across services, too.
>>
>>52286664
>$currentyear
>not memorizing a 64 random chars string and use it to generate passwords swapping parts around
>>
>>52285738
>be 1337 haxor
>not actually steal anything important


>LastPass encrypted user vault data were not taken in this incident
>>
>>52280929
Citation needed.
>>52282694
Argumentum ad ignorantiam.
>>52284269
Dual_EC_DRBG is weak, highly suspicious and must be avoided, but a back door hasn't been confirmed.

This is a 4chan archive - all of the content originated from them. If you need IP information for a Poster - you need to contact them. This website shows only archived content.