Comments
Yeah, if you want a quasi real-time update to your store of passwords every time that you add a password, then my old-fashioned method wouldn't be a serious contender.
If I get a new account somewhere, I first write the new password on my printed copy, and then every two or three months, I update the file based on the printed copy. But I may not be a typical user, because I don't add new accounts so often.
Do you never need passwords on-the-go? Or do you take the printed copy everywhere with you?
@angstrom, do you color-code your passwords with crayons?
No master password! Restore using a single password!
https://discussion.enpass.io/index.php?/topic/404-security-audit/&
No security audit, could have bad crypto implementation.
Do you successfully type your 32 character password in one try?
This week on LET: Nekki asks everyone for their favorite password managers for easier l33t hax0ring.
I used 1Password many moons ago, but found the iOS integration extremely clunky. I also had intermittent problems getting passwords to sync between devices. Both of these might be fixed by now, but I'll never know, because I bought it on Mac, then when I transitioned to Windows, found out that you have to buy it again. Contacted their support asking them if they can license me for Windows, they offered me a discount on buying it again for Windows. Apparently their licensing is stuck in 1997. Oh also forgot: They'll hammer you with their newsletter. You can click the unsubscribe link millions of times and you'll still receive the newsletter. Fortunately the CEO signs it with his name, and they have a dial-by-name directory on their support, so you can likely figure out how I managed to get off their newsletter list.
I switched to LastPass and used them until they were engulfed by the "LogMeIn" mess.
I switched to BitWarden and still use it. It's slightly clunkier than LastPass, but I like that it's open source and subject to peer review, and I can self-host if I desire. Password updates sync to my devices nearly immediately; I can recall only a handful of times that I had to force it to sync, and that's probably just because I was impatient. I recently started paying for their family plan even though I don't use any of the paid features, just because I like it that much. On Android, I like that their notification pops whenever there's a password field, instead of a continuous un-removable notification like LastPass.
https://security.stackexchange.com/questions/44368/are-the-ss64-com-password-generators-a-good-approach
My own implementation does not suffer any of the weaknesses described in the stackexchange answers, but someone less experienced than me may implement things wrong.
There need to be 3 layers of security. First, you need to have a "master salt" which is prepended to all passwords, in addition to site-specific salts. That brings the entropy up even before hashing starts. Second, you need to have a custom scrambler function, not standard hashes. That's security through obscurity, which isn't a very good thing, but it prevents pre-imaged rainbow tables at least. Then you need a good time constraint. Simply hashing the same password 30,000 times is better than just once, but you need a good "memory-heavy" key expansion algorithm which can't be easily replicated by GPU hash crackers.
Almost every time. Just swiping my keyboard from left to right.
P.S. You will never guess which row!
I definitely agree that the scrambler function is what makes your implementation a lot more resilient and a step towards a secure implementation. Of course, it would mean that your implementation of the scrambler would have to be a closely guarded secret in order to maintain the difference from other password generators. Possibly XORing the resulting hash, or something similar given the limits of ASCII, may provide the last step to obscure reverse engineering of your scrambler from multiple password breaches.
Well, if I have my laptop or smartphone with me, I have a copy of the file, and I'll update the file beforehand if I think that I'll need the recently added accounts that I've added by hand to the printed copy.
If I don't have my laptop or smartphone with me, then I probably don't need the internet to begin with, so no need for the passwords.
But, yes, if I think that I'll need the passwords but don't have my laptop or phone with me, I sometimes take the printed copy with me, in which case I hide it as much as possible. (Please don't tell anyone this!)
On the printed copy, crayons have sometimes been used. :-) But in the text file, it's all just plain text.
The scrambler is, again, just "security through obscurity", which is the weakest link of the chain. If I release the code or start a service, everyone will need to have the exact scrambler.
The main function of the scrambler is preventing general-purpose rainbow tables from being used to try to crack the system. An attacker will need to have custom rainbow tables, but if they create one, they can use it for attacking any user.
It's not supposed to be a closely guarded secret. It's supposed to be custom, so existing tables are useless. It may be as simple as hashing twice with a simple set of salts.
The other two points, a long master key and memory-heavy key derivation are more important.
I may take a look at https://www.passwordstore.org/ , mentioned earlier in this thread by @mfs.
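The scheme sketched in the two posts above (a long master key, a master salt mixed into per-site salts, and a memory-hard key expansion instead of a plain iterated hash) is easy to get wrong in the details, so here is an added, self-contained example of it. This is not SallaPass, FraudRecord or any poster's code; it is a constructed illustration. It assumes scrypt from Python's standard library as the memory-heavy KDF, a 16-character minimum for the master key (the post only says "long"), and a second secret string as the "master salt". The custom scrambler is deliberately left out: as the post itself says, it only buys obscurity, and the master key plus the KDF do the real work.

```python
import hashlib
import hmac
import string

# Constructed example, not SallaPass or any real product. Assumptions:
# - the "master key" is a long passphrase the user memorises;
# - the "master salt" is a second secret string, kept with the passphrase,
#   and mixed (via HMAC) into every site-specific salt;
# - scrypt from the Python standard library stands in for the
#   "memory-heavy key expansion" the post calls for.
SCRYPT_N = 2 ** 14          # 16 MiB of memory with r = 8: costly to parallelise on GPUs
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
MIN_MASTER_LEN = 16         # assumed minimum; the post only says "long"
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 symbols


def site_salt(master_salt: str, site: str, counter: int) -> bytes:
    """Unique salt per site (and per password rotation), bound to the master salt.
    HMAC keeps the master salt itself out of the derived value, so one site's
    salt does not reveal it."""
    return hmac.new(master_salt.encode(), f"{site}\x00{counter}".encode(),
                    hashlib.sha256).digest()


def _bytes_to_password(key: bytes, length: int) -> str:
    """Map a key to printable characters with rejection sampling, so each
    character is drawn uniformly from ALPHABET instead of with modulo bias."""
    limit = 256 - (256 % len(ALPHABET))    # 225: bytes >= 225 are discarded
    out = []
    block = 0
    while len(out) < length:
        # Expand the scrypt output into as many bytes as needed (HKDF-style),
        # so scrypt itself runs only once per password.
        stream = hmac.new(key, b"password-stream" + block.to_bytes(4, "big"),
                          hashlib.sha256).digest()
        for b in stream:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


def derive_password(master_key: str, master_salt: str, site: str,
                    counter: int = 0, length: int = 20) -> str:
    """Deterministic per-site password: scrypt(master_key, site_salt) mapped to ALPHABET.
    The counter lets a user rotate one site's password without changing the master key."""
    if len(master_key) < MIN_MASTER_LEN:
        raise ValueError("master key too short for this scheme")
    salt = site_salt(master_salt, site, counter)
    key = hashlib.scrypt(master_key.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return _bytes_to_password(key, length)


if __name__ == "__main__":
    # Constructed sample inputs for a local run.
    MASTER = "correct horse battery staple, but longer"
    MSALT = "my-master-salt-2019"
    for site in ("example.com", "example.net"):
        print(site, derive_password(MASTER, MSALT, site))
```

Two design points worth noting: the scrypt cost parameters are what make bulk guessing expensive, and a leaked password for one site reveals nothing about the master key or the master salt because both sit on the input side of the KDF. Rotating a single site's password is done with the counter, not by changing the master key for every site.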
So no love for Avast Password Manager?
Edit: Sorry, forgot it had to be shared between multiple users.
I guess not...?
https://1password.com/sign-up/
I can't find any place on their site to buy 1Password except under the new subscription model.
Right, and spending $600 over the next 10 years is ridiculous.
1Password on a traditional buy-and-upgrade-when-you-want model is fantastic.
1Password on a forced subscription model is evil and awful.
I remembered that I'd emailed Agile Bits. Dave Teare, the founder, replied "I know not everyone wants to use subscriptions and that's why we are NOT forcing it upon you."
So I've opened a ticket asking where I can buy the Mac/Win bundle.
Shouting at my crotch is not exactly emailing, but please, don't stop.
I spend around $700 a year on coffee, so it’s the equivalent of skipping my early morning mocha once a week. It’s a fair trade for not having to unfuck things and reclaiming a small amount of my free time back for myself.
That's a lot of wasted CPU cycles in exchange for frou-frou caffeine. Just chew the damn beans.
I personally recommend LastPass for this need, because it works with everything, everywhere, and last I checked had both free, and $12/yr services.
I don’t see that $12/year plan - $24/year for single user and $48/year for a family plan.
By the way, if anyone needing a password manager is a student, you can get some deals:
Roboform Everywhere (free): https://www.roboform.com/promotions/college
Dashlane Premium (1 year free): https://www.dashlane.com/students
LastPass Premium (6 months free): https://lastpass.com/edupromo.php
Huh. It's gone up since I kicked them to the curb a year ago (and change), then..
If anyone has Dashlane premium, I think you can kick me a referral link, I get 6 months free premium and you get $20.
Both people get $20 in Dashlane credits which is 6 months free
Yes, no Master Password. The restore process uses the offline 24-word seed that shows when you first set up the device. So this Recover Password is only stored offline on paper and never, ever goes into the computer.
In the simple way, the Recover Password is the same 24 word seed that you use to store the Crypto Wallet.
It really seems to be very safe!
Leave this to the security experts in cryptography. Keep doing Web Design, before anybody suffers from that thing you call SallaPass ...
Here we go again...
I have 17 years of professional expertise in cryptography. I studied it in college, and I created encryption algorithms reviewed and tested by professors and their teams 16 years ago.
I was playing with S-boxes before half of LET members were playing with diapers.
I've studied the intricate details of SHA-3 algorithm and Argon2 before you "tech guys" ever heard of those.
I've spent more time on cryptanalysis for fun than 90% of server admins here spent on securing their servers.
I've written 200,000+ lines of pure C code that does crypto stuff in the first 5 years of my studies before I switched over to other tools.
For FraudRecord, I've written my own C++ library that does the iterated hashing 30% faster than PHP does it, compiled it into a PHP extension and deployed it to my server. All by myself as a web designer!
Just because I'm designing websites for a quick buck doesn't mean you know how experienced I am with anything else.
Please shut up when you don't know anything about someone.
Just 17 years? Ditto.
FraudRecord still has a long way to go; so far it's pretty terrible. Do you even validate providers? Has it become a legally regulated entity, or?
Nothing wrong with doing Websites. I think you know that pretty well. Good work!