Password Managers

You are currently reading a thread in /g/ - Technology

Thread replies: 106
Thread images: 6
File: pass.jpg (40 KB, 337x238)
How do you keep track of all your passwords?

Pic related, I use pass.
>>
keepassx
>>
>>53343362
keepass2 here
>>
My brain.
>>
>>53343380
When you work at an organisation sometimes you have to share passwords securely.
>>
What do people use to sync pass databases?
>>
>>53343495
I use syncthing
>>
keepass2

>>53343495
>syncing your entire password database across multiple devices
>wanting to increase the attack surface by x10

the only login I'd ever need on a device that isn't my main desktop, is my email.
>>
>>53343758
Same encrypted file could be on everyone's computer in the world-- they still have to figure out the master key.
>>
>>53343357
Pic related, but I also use EasyPG in Emacs if I want to add some extra information. Shit is convenient as fuck, completely transparent.
>>
>>53343380
this, i remember every pass for my accounts everywhere
>>
>>53343799
>they still have to figure out the master key.

No they don't.
If you used a public computer to access it, then they could just retrieve it from the memory.

Or set up a keylogger. Or a thousand other methods.
>>
>>53343357
I use pass

>keepass
>keepassX
hope you fuckos have nothing to hide
>>
>>53343885
I mostly just wanted to sync a pass database between my laptop and my desktop, they still need my gpg private key and password for the private key, so I am not too worried.

How insecure would it actually be to post a GPG encrypted password database on the internet publically anyway?

Obviously not a good idea, but you wouldn't get instahacked right?
>>
>>53343905
>How insecure would it actually be to post a GPG encrypted password database on the internet publically anyway?
Depends on the strength of your passphrase and key derivation function.

I would be confident posting mine in principle, but not in practice (because bugs mean the practice is never the same as the theory).
>>
>>53343923
Oh, sorry. I misunderstood you. I thought you were asking how secure it would be to publicly post your actual private key on the internet.

If you're just posting the GPG-encrypted password database: Well, that's exactly what GPG is for.

GPG is designed to let you publicly transmit encrypted messages. So it would be as safe as GPG is, as a whole.

And remember kids, even the NSA can't crack GPG. (Source: Snowden leaks)
>>
>>53343935
The main issue with posting a pass 'database' is it would reveal which websites you have accounts on, which i guess could make it easier? Though I guess that shouldn't matter.
>>
>>53343975
Well it's certainly a private consideration.
>>
>>53343975
> reveal which websites you have accounts on, which i guess could make it easier

Of course it makes it easier.

If you were FBI's most wanted criminal, would you want them having an entire list of every website you have accounts on? They could subpoena the site into giving up your credentials.

Or some bored Russian hacker could simply exploit 1 of the many sites you have an account for, then hope that you used the same user/pass on other sites. (Of course, if you use keepass, then you should have different user/pass for every single site you visit).

obviously the chances of any of this happening are low, but still something to think about.
>>
>>53343357
Hash function I do in my head. Yes, I'm autistic.
>>
>>53343885
even with a keylogger you can protect the database with a key file and/or a hardware one-time pad
and keepass at least encrypts your passwords in-memory
>>
>>53344091
do keyloggers log clipboard contents?
>>
>>53344131
some probably can, but keepass's auto-type feature uses both simulated keypresses and the clipboard simultaneously to write bits of the password in a form or something
>>
>>53344131
if you have a keylogger on your computer you're already fucked
>>
[prefix I use for everything]+[first letter of the service it's for]
anyone else do this? It's probably retarded but at least a little bit better than just the exact same pw.
>>
>>53344201
I run linux so it's unlikely (though it's trivial to write a keylogger in bash... but I occasionally inspect my processes so it's very unlikely)

Was mostly curious for general knowledge.
>>
>>53344240
KeePass specifically has something they call Two-Channel Auto-Type Obfuscation (TCATO)

http://keepass.info/help/v2/autotype_obfuscation.html

It basically turns what a keylogger would typically see:

[email protected]
{TAB}
MyTopSecretPassword
{TAB}
' ' (space)
{TAB}
{ENTER}


into this:

^v{LEFT 8}m{RIGHT}ma{RIGHT}{RIGHT}@{RIGHT}ypr{RIGHT}vi{RIGHT}er{RIGHT}{RIGHT}om


It's obviously not perfect, but it makes it a pain in the ass to figure out what's going on
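To make the mechanism above concrete, here is a small simulation of the two-channel idea. This is an added example written for this thread, not KeePass's own code: it splits a secret between a clipboard chunk and typed characters with arrow-key moves (the shape of the `^v{LEFT 8}m{RIGHT}...` transcript in the post), shows what a keystroke-only logger would record, and then replays the transcript into a text buffer the way the target window would. The replay is deterministic, which is exactly the point made later in the thread: TCATO is obfuscation, not protection, against a logger that sees both channels.

```python
"""Simulation of Two-Channel Auto-Type Obfuscation (TCATO).

Added illustration, not KeePass code. It follows the scheme described at
http://keepass.info/help/v2/autotype_obfuscation.html: part of the secret
travels through the clipboard (^v), the rest is typed character by
character between arrow-key moves, so a keystroke-only log never holds
the secret as one contiguous string.
"""
import random


def obfuscate(secret, rng):
    """Split `secret` across the two channels.

    Returns (clipboard_text, transcript). The transcript lists key events
    in order: "^v" (paste), "{LEFT n}", "{RIGHT}", or a single typed char.
    `rng` is a random.Random so the split is reproducible in tests.
    """
    # Each character goes either into the clipboard chunk or to the keyboard.
    via_clipboard = [rng.random() < 0.5 for _ in secret]
    clipboard = "".join(c for c, v in zip(secret, via_clipboard) if v)

    # Paste the whole clipboard chunk, then walk back to its start ...
    transcript = ["^v", "{LEFT %d}" % len(clipboard)]
    # ... and sweep left to right: type the missing chars, step over pasted ones.
    for c, v in zip(secret, via_clipboard):
        transcript.append("{RIGHT}" if v else c)
    return clipboard, transcript


def keystrokes_only(transcript):
    """What a logger that hooks the keyboard but not the clipboard records."""
    return "".join(transcript)


def replay(clipboard, transcript):
    """Apply the transcript to an empty text field, as the target window would.

    A logger that captures both channels can run exactly this function:
    the process is deterministic, so the secret comes back unchanged.
    """
    buf, cur = [], 0
    for tok in transcript:
        if tok == "^v":
            buf[cur:cur] = list(clipboard)
            cur += len(clipboard)
        elif tok.startswith("{LEFT "):
            cur = max(0, cur - int(tok[6:-1]))
        elif tok == "{RIGHT}":
            cur = min(len(buf), cur + 1)
        else:
            buf.insert(cur, tok)
            cur += 1
    return "".join(buf)


def demo(secret="MyTopSecretPassword", seed=2016):
    """Constructed sample run with a fixed seed (secret mirrors the post)."""
    return obfuscate(secret, random.Random(seed))


if __name__ == "__main__":
    clip, log = demo()
    print("clipboard channel :", clip)
    print("keystroke channel :", keystrokes_only(log))
    print("replayed          :", replay(clip, log))
```

Run it and compare the three lines: neither channel alone contains the secret, and the replay line does. A defender's takeaway is that TCATO raises the bar from "grep the keylog" to "model the edit buffer", which is cheap for anyone who bothers, so it belongs in the defence-in-depth column and not in the "mitigates keyloggers" column.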
>>
>>53344289
That's really neat!
>>
lastpass
>>
>>53343362
Same.
>>
>>53344289
>>53344307
It's also completely useless against keyloggers
>>
>>53344379
Is it because it can just playback the actions and due to being deterministic it gives you the same password back?
>>
>>53344392
>Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes on logging obfuscated auto-type.
>>
>>53344392
Yes

>>53344379
I didn't say it was secure. However, if little Johnny Blackhat is running a botnet with 250,000 machines, he's probably got some automated script that's mining the passwords from the key logs. With KeePass, he will have to manually go back and "re-play" the keystrokes to get the password. Regardless, I point you back to my earlier post >>53344201
>>
>>53344392
1. If you have a keylogger on your system, you're already fucked.

2. As you said it can just trivially play back the actions to get your password.
>>
>>53344289
So it pastes a chunk and then fills in the gaps? Not too impressed though I suppose it might deter some chinks.
>>
>>53344462
Yes, it pastes a chunk and then uses the left and right arrows to fill in the spaces.
>>
>>53344429
>None of the currently available keyloggers or clipboard spies can eavesdrop an obfuscated auto-type process
Do the keepass developers seriously believe this bullshit?

I mean, I know they're incompetent morons who don't understand crypto at all and rely on security-through-obscurity, but this is just beyond ridiculous.
>>
>>53344487
Also, it takes me EXACTLY ZERO SECONDS to find a keylogger that will record arrow keys.

Because I already have one on my system.
>>
>>53344505
Calm your tits you turbo-nerd. It's not intended to be end-all be-all secure, it's just another layer in a defense-in-depth strategy designed to filter out the shittiest skiddie keyloggers. You're complaining about the taste of the cake because it's got red sprinkles instead of green ones
>>
>>53344505
xinput test <ID>
>>
>>53343357
Gnome keyring.
>>
>>53344324
This
>>
>>53343357
Apple keychain
>>
>>53344548
I just find it disturbing that people in /g/ buy into this marketing nonsense.

Also,
https://news.ycombinator.com/item?id=9727297
>>
>>53343357
LastPass has served me pretty well for some time now.

I really ought to go and improve my passwords on a bunch of places though, they're all very basic stuff.

That being said - what's the recommended standards nowadays for passwords?
>>
>>53344609
Yes, people should not believe marketing-speak snake oil, but the attack from the HN article (if I understand it) is describing a CCA, which for KeePass would almost certainly require having something installed on your system anyways. At that point, you have bigger things to worry about
>>
>>53344678
imo you can't go wrong with a gpg encrypted file with passwords in it like pass

https://passwordstore.com/

It's easy to move to and from too, unlike basically everything else
>>
>>53344324
>lastpass
aye
>>
>>53344744
>>53344678
>>53344324
Has LogMeIn fucked it yet and what's the betting pool until it gets hacked?
>>
>>53343864
Then your passwords should be shit
>>
>>53343357
I just use one simple four character password for everything, but it is super secure.
>>
>>53344781
Seems to be fine so far, though they made the UI worse with an update a while back. I don't see them causing a security breach though.
>>
File: Caillou_Logo.jpg (297 KB, 900x791)
>>53343357
I memorize them.
>>
>>53343495
owncloud
>>
>>53344943
Hope you don't feel superiority for that
>>
>>53343357
Avast password manager
>>
>>53344943
Here is my email password - memorize this:

37hn03aVWudEgfwyp8lvg28SyMmmZKdTYK45Nvq9rbcmuNt8gJ
>>
File: 1457200713743.png (319 KB, 704x528)
Since we're on the topic of passwords and security and all that. I just found out about this little site and thought I'd share it here.

You can check if your email has ever been compromised in any data breaches, and if so, which ones and when.

https://haveibeenpwned.com/

Apparently they got mine in the Patreon, NexusMods and Adobe ones.
>>
>>53345053
lol nice try troy hunt
>>
>>53345053
I was on this but I always got emails MONTHS AND MONTHS like sometimes more than two years after the breach... I have been on the list for more than two years...
>>
>>53345078
what's wrong with Hunt?
>>
>>53344324
more like lostpass lmao
>>
File: 1457113103153.jpg (121 KB, 2032x820)
Okay. Fuck.

Just hit me with the truth

How weak is "XXXXXXXXXXXXXXXX####" for a Master Password, where the X's are letters with some uppercase but mostly lowercase, and the # are numbers?

I'm ready for the bad news, I can take it
>>
Is there any feasible way someone could compromise your phone to access your Two-Step Verifications?

Maybe intercept the data before it reaches your phone even?
>>
More important ones: >>53343380
Less important ones: a piece of paper
>>
File: Screenshot_20160306-124930.png (205 KB, 1440x2560)
I just use an average password plus OTP; pretty nice imo.
>>
>>53343357
pass because its the best ^^
>>
>>53345248
Assuming the letters were generated completely randomly, something on the order of 100±10 bits.

Did you generate the letters completely randomly?
>>
>>53346245
Nope. It's a somewhat obscure book title and four random numbers
>>
KeePass or LastPass? Which is better in your eye?
>>
>>53345150
if you're using smartphone, tablet, laptop and pc and want to be able to log in everywhere on all those devices, it's your only choice. i see no reason to say that keepass is more secure when you have to keep your database stored on all devices. two step verification and strong master password is secure enough for me.
>>
>>53346289
That makes it MUCH, MUCH less secure than 100 bits.
>>
>>53345948
Is there any way to integrate pass with Chromium? I'm currently using KeePassX but I'd like to try something new
>>
>>53346792
What would you advice for a master password, without it being random characters? After all, it's the only one I use so I have to memorize it somehow.

Maybe the XKCD method of nonsensical phrases?
>>
>>53346289
>>53346792
Specifically if it's a dictionary name?

Opposed to a made up name like Ficciones
>>
>>53346811
afaik there is a chrome plugin but you don't really need it when you can use passmenu (dmenu and pass integration) to just copy any password to your clipboard with ease, then you just paste it in.
>>
>>53346821
>>53346792
Yeah, I do have to add, it's an entirely fictional name. Not something you'd find in an English dictionary, or any other dictionary for that matter.
>>
>>53346817
curl -s https://0x0.st/8Ix.bin | shuf | head -n 8
>>
>>53346821
>>53346896
It's still a book title. You'd find it in a dictionary of book titles.

There are like, what, 20,000,000 million registered ISBNs?

It would take your computer maybe a few seconds to go through all of those.
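The exchange above (the "100±10 bits" estimate for 16 random letters plus 4 digits, the book-title objection, and the XKCD-style passphrase question) comes down to counting the size of the space an attacker has to enumerate. The following is an added worked calculation, not from any poster, that puts numbers on each model and includes a generator for the passphrase approach. The 20,000,000-title figure and the 10^9 guesses/second rate are taken as the thread's and an assumed attacker rate respectively; the word list is a constructed toy, and the 7776-word size used for the entropy estimate is the standard diceware list size, not the toy list.

```python
"""Master-password entropy under the generation models argued over above.

Added example, not from the thread. Each function returns bits of entropy
for a stated way of generating the password; the attacker is assumed to
know the method and only has to enumerate the choices within it.
"""
import math
import secrets


def bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def random_letters_plus_digits(n_letters=16, n_digits=4):
    """The poster's XXXXXXXXXXXXXXXX#### pattern, letters truly random."""
    return bits(52, n_letters) + bits(10, n_digits)  # 52 = upper + lower case


def book_title_plus_digits(n_titles=20_000_000, n_digits=4):
    """Same shape, but the letters are one pick from a catalogue of titles."""
    return math.log2(n_titles) + bits(10, n_digits)


def passphrase_bits(n_words, wordlist_size=7776):
    """XKCD / diceware style: each word is a uniform pick from the list (6^5 = 7776)."""
    return bits(wordlist_size, n_words)


def seconds_to_exhaust(entropy_bits, guesses_per_second=1e9):
    """Worst-case time to enumerate the whole space at an assumed guess rate."""
    return 2 ** entropy_bits / guesses_per_second


# Constructed toy list so the generator runs offline. A real list has
# thousands of words; that size is what makes each word worth ~12.9 bits.
TOY_WORDLIST = [
    "anvil", "basket", "cobalt", "dune", "ember", "fjord", "gravel", "hollow",
    "iris", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def generate_passphrase(n_words, wordlist=TOY_WORDLIST):
    """secrets.choice draws from the OS CSPRNG; random.choice would not."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    models = [
        ("16 random letters + 4 digits", random_letters_plus_digits()),
        ("book title + 4 digits", book_title_plus_digits()),
        ("8-word diceware passphrase", passphrase_bits(8)),
    ]
    for name, b in models:
        print(f"{name:30s} {b:6.1f} bits  ~{seconds_to_exhaust(b):.3g} s at 1e9 guesses/s")
    print("toy passphrase:", generate_passphrase(8))
```

The gap between the first two rows is the whole argument: about 104 bits when the letters are random, about 37 bits when they are a title anyone can look up, and the second number is a few minutes of work at a billion guesses a second. An eight-word passphrase from a real diceware-sized list lands back above 100 bits while staying memorable, which is the reason the XKCD method gets recommended for a master password.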
>>
>>53343357
`pass` is cool, but I don't like that it stores website names in cleartext. I suppose it doesn't really matter that much, but it bugs me.

Is there another password manager for Linux with an equivalent to `pass -c`? (`pass -c foo/bar` prompts for your master password, then copies the password for `foo/bar` to the clipboard for 30 seconds.)
>>
>>53347098
>`pass` is cool, but I don't like that it stores website names in cleartext. I suppose it doesn't really matter that much, but it bugs me.
Personally I don't see how I could live without this:

1. It's required for tab completion, unless you want to input a master key every time you want to tab complete. (Which would still be doable, but meh)

2. Your password names will show up in the history file either way.
>>
>>53347032
this is true. I guess I'll go and change my password then
>>
What incentive do I have to use a password manager instead of a password protected excel sheet?
>>
>>53347355
>excel sheet
>not vulnerable as fuck to being broken into without a password

The right malware on your computer and all your passwords are gone, mate
>>
>>53347398
How about the libre office alternative? I think it's called spreadsheet. Why should I use a password manager over that?
>>
>>53347419
I would assume it's also not too difficult to break into it. It's a spreadsheet file with a password stored locally in your computer, for goodness' sake.
>>
>>53347280
No matter what you change it to, we're going to tell you how bad it is.
>>
>>53347432
So password managers are open source, secure, and offline, correct?
>>
>>53347453
NOT IF IT'S A LONG RANDOM STRING OF ALPHANUMERIC CHARACTERS AND SYMBOLS, YOU'RE NOT

>>53347454
A few are. Others are online and are run by encryption companies. I tend to err on the side of storing it on their stuff than ever having passwords stored locally in mine.

And even then the offline alternatives ought to be more heavily encrypted than a spreadsheet
>>
>>53347280
>>53346955
>>
>>53347498
>Others are online and are ran by encryption companies.
>encryption companies
There's no such thing.

All the competent cryptographers either work for the NSA or are independent academic researchers.

All competent cryptographic software is open source.

There are no exceptions to this rule.
>>
>>53343495
> What do people use to sync pass
> databases?
Store the database in Google Drive, OneDrive, etc
>>
>>53349157
...which defeats the purpose of even having a secure database

The security order goes

>Secure offline database
>Some online service like lastpass
>Secure offline database stored in a filesharing service
>>
>>53345044
Hey man, you seem pretty cool :^). I was hoping you could give me your email address so we could chat in private, as I have a business opportunity that you'd be perfect for!
>>
>>53349229
How does that defeat the purpose? You realize my database is password protected, right?
>>
>>53349229
>...which defeats the purpose of even having a secure database
What the fuck? The entire purpose of having a secure database is so that you CAN put it online.

As opposed to a plaintext / non-secure database, in which case that would be a bad idea.

The real security order goes:

>Secure
- Secure local database
- Secure database uploaded to filesharing service
>Relatively secure
- Non-secure local database
>Probably not secure
- Some online service
>Definitely not secure
- Non-secure database uploaded to filesharing service
>Oh shit nigger what are you doing
- Non-secure database shared on facebook
>>
>>53343357
Shut than
>>
KeePassX 2
>>
>>53344431
Literally johnny can't break a 256-bit key file also needed along with the password; which is easily done when creating a database.
>>
File: 1449622376303.jpg (64 KB, 720x380)
how do you guys manage to sleep soundly knowing your database is stored locally?

aren't you afraid of some malware that could technically be lurking in your system that could compromise it?

I mean if you use Linux this is a moot point, but pretend you're using Windows for a second. Would you feel confident enough to do it anyway?
>>
>>53350446
also interested in knowing this. I've been using LastPass but I'm not sure if that's considered relatively safe around here. I've thought about going local but I'm paranoid about this
>>
This is the real setup guys:
- Keepass with [long keyfile]+[not too long password]
- Save database on Dropbox
- Open database via Keepass' cloud-plugin
- Keepass installed along with keyfile on USB-stick
- Have 2nd USB-Stick as backup
- USB-stick on keychain, literally the "key" to your things
On phone:
- 3rd copy of keyfile
- Also syncs with Dropbox

If you lose any of the devices that holds your keyfile it will be as bad as losing your wallet/keychain/phone even without access to all your accounts. You easily have enough time to change everything since the password is still required for an attacker to access the database.

Find a flaw.
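Both the "256-bit key file also needed along with the password" remark earlier and the key-file-on-a-USB-stick setup just above rest on one principle: the database key is derived from two factors, so an attacker who copies the synced database and even phishes the password still lacks the key file. The code below is an added illustration of that principle and is not KeePass's actual key transformation (KeePass has its own composite-key and key-stretching scheme); it hashes each factor, concatenates the hashes, and stretches the result with salted PBKDF2. The key-file bytes and salt are constructed sample values.

```python
"""Password + key file as two factors for a database key.

Added illustration, not KeePass code: each factor is hashed, the hashes
are concatenated, and the result is stretched with salted PBKDF2-HMAC so
that neither factor alone reproduces the database key.
"""
import hashlib
import secrets


def new_keyfile():
    """256 bits from the OS CSPRNG; this is what lives on the USB stick/phone."""
    return secrets.token_bytes(32)


def derive_database_key(password, keyfile=None, salt=b"", iterations=200_000):
    """Return a 32-byte key from the password and (optionally) key-file bytes.

    `salt` and `iterations` would be stored in the database header in a real
    format; stretching makes each guess at the password cost `iterations`
    HMAC evaluations, and the key file adds 256 bits that cannot be guessed.
    """
    composite = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        composite += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations)


# Constructed sample values so the demonstration is reproducible offline.
SAMPLE_KEYFILE = bytes(range(32))
SAMPLE_SALT = b"constructed-salt"


def factor_report(password, keyfile, salt=SAMPLE_SALT):
    """Show which combinations of factors reproduce the real key."""
    real = derive_database_key(password, keyfile, salt)
    return {
        "password+keyfile": derive_database_key(password, keyfile, salt) == real,
        "password only": derive_database_key(password, None, salt) == real,
        "keyfile+wrong password": derive_database_key(password + "x", keyfile, salt) == real,
        "password+wrong keyfile": derive_database_key(password, bytes(32), salt) == real,
    }


if __name__ == "__main__":
    for combo, ok in factor_report("hunter2", SAMPLE_KEYFILE).items():
        print(f"{combo:24s} -> {'unlocks' if ok else 'fails'}")
```

The report is the "find a flaw" check for the setup above: losing the USB stick exposes only the key file, so the attacker is still facing the stretched password, while a leaked Dropbox copy of the database plus a guessed password is still short 256 bits. The weak spot is the one the poster already names: the machine you unlock it on, where both factors and the derived key are in memory together.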
>>
>>53350446
No, I use a tomb (LUKS-DM encrypted) and within, a pgp-locked passwords.txt file (the pgp key is on my yubikey and never leaves my keyring along with my house and car keys).

The tomb key is also on a keyring within the usb.

So I can rest that I can upload that tomb <1Gb to any cloud provider I wish
>>
>>53343902
how is pass more secure than keepass?
>>
>>53350607
`pass` is using GnuPG, which is free software developed and peer reviewed by cryptographic experts and has been industry-tested for over a decade. GnuPG (and OTR) are one of the few shining examples of NSA-proof cryptographic programs.

KeePass is using some cooked up homebrew crypto created by some random guy who evidently doesn't understand even the basics of what exactly he's doing. https://news.ycombinator.com/item?id=9727297