Password managers - opinions?



Water_and_Wind
2012-02-17, 08:57 AM
I just started trying out Lastpass. It's extremely convenient so I use it for noncritical stuff like GitP. However, it's not open source so there is no way for a third party to assess their security. Still, there are a bunch of good features like 2-factor authentication and the ability to access a local copy of your data when offline.

An alternative that I am trying concurrently is Keepass, which is open source, but browser integration certainly isn't its intended purpose (for Firefox, you have KeeFox plugin and that's about it). Any other Lastpass/Keepass/1Password/etc users out there?

The_Ditto
2012-02-17, 09:36 AM
I just started trying out Lastpass. It's extremely convenient so I use it for noncritical stuff like GitP. However, it's not open source so there is no way for a third party to assess their security. Still, there are a bunch of good features like 2-factor authentication and the ability to access a local copy of your data when offline.

An alternative that I am trying concurrently is Keepass, which is open source, but browser integration certainly isn't its intended purpose (for Firefox, you have KeeFox plugin and that's about it). Any other Lastpass/Keepass/1Password/etc users out there?

Simple Fact: Nothing on the internet is 100% secure - as long as you remember that, you'll be fine. Not saying be paranoid - far from it.

My opinion on on-line password storage: bad idea. Think about it:

In general, if some hacker manages to crack one of your accounts - or manages to get into the admin of a site, they get access to everyone's info on that site. If they happen to gain access via your password (i.e. guessed, whatever), they can then use that to access your other accounts. Fine.
However, if they access via admin, or some other way in, they generally don't know your password, but they could easily see your info (like all your stored passwords). See the problem :smallwink:

Nah, I keep local copies. I also don't write down the full password, just short forms, hints, etc, that help me remember.

I remain very skeptical of online password storage. But that's just me. :smallbiggrin:

Water_and_Wind
2012-02-17, 10:22 AM
Simple Fact: Nothing on the internet is 100% secure - as long as you remember that, you'll be fine. Not saying be paranoid - far from it.

I hear you, that's why I don't put my really important stuff on the cloud. That said, not all password managers are cloud services. Keepass and 1password are local storage only, although syncing with Dropbox seems to be quite common (but I don't understand, if someone is too paranoid to use Lastpass with its syncing over the cloud, then why trust Dropbox?).



My opinion on on-line password storage: bad idea. Think about it:

In general, if some hacker manages to crack one of your accounts - or manages to get into the admin of a site, they get access to everyone's info on that site. If they happen to gain access via your password (i.e. guessed, whatever), they can then use that to access your other accounts. Fine.
However, if they access via admin, or some other way in, they generally don't know your password, but they could easily see your info (like all your stored passwords). See the problem :smallwink:

Nah, I keep local copies. I also don't write down the full password, just short forms, hints, etc, that help me remember.

I remain very skeptical of online password storage. But that's just me. :smallbiggrin:

It's not quite as bad as that. Lastpass claims to store your passwords using AES-256 encryption, shorthand for very secure, and no plaintext data is sent to them, so hacking into their database should be fruitless. The former is hard to verify, but the latter can at least be verified using a packet sniffer.

If your master password is easily guessable, or you're entering it on public computers full of keyloggers and malware, well then you're screwed. But there is no cure for stupidity.

GeekGirl
2012-02-17, 10:32 AM
I was looking into this a few months ago, Lastpass was the best I could find. If you want, I can try and find some others I tried?

factotum
2012-02-17, 11:49 AM
We use Keepass at work, and it frankly seems to do the job well enough--certainly it's good enough we've not bothered looking for anything better.

valadil
2012-02-17, 11:50 AM
I trust LastPass more than Firefox's local password storage. LastPass lets me use individual passwords for throwaway accounts, which is a bit cooler than me keeping a single insecure password. It wouldn't be the end of the world if my account here got stolen because I used the same password on a torrent site, but I like not having to worry about that anymore.

Long story short, anything that I would have stored in my browser can go to LastPass instead. Anything that I'm more paranoid about than that will get typed in.

The_Ditto
2012-02-17, 03:22 PM
If your master password is easily guessable, or you're entering it on public computers full of keyloggers and malware, well then you're screwed. But there is no cure for stupidity.

Amen.
I think I'm starting to show my age, and going "old school" :smallbiggrin:
"Why, back in my days, we didn't have passwords, we had rusty iron locks, and you slept with the only key!"
:smalltongue:

Rawhide
2012-02-17, 07:34 PM
I've never used a cloud based keychain, however, I have used and strongly recommend local keychains.

You use a strong, single, master key that you can remember to unlock your huge list of stored keys. The keys are stored with strong encryption, so even if someone manages to steal the data, it will take them longer than the universe's lifetime to decrypt them with current technology (it's faster to guess the password than to try to decrypt it through attacking the algorithm).

That is a much more secure method than storing your password locally (not in keychain encryption) or any form of password "hints".

In theory, cloud based storage of the keychain should be just as good in all regards except for a slight increased chance of exposure. The keychain could be stolen from a cloud database, but they will still have the algorithm/master password to contend with.

thubby
2012-02-18, 06:15 AM
is writing them down so terrible?
I mean, if you lack physical security, I think you have bigger problems.

Rawhide
2012-02-18, 06:23 AM
is writing them down so terrible?

Yes, it is.

STsinderman
2012-02-18, 09:37 AM
is writing them down so terrible?
I mean, if you lack physical security, I think you have bigger problems.

Though it is silly to just write them down and leave them by your machine, I found that writing them with replacement characters and hiding them inside a book in your bookcase (I use standard galactic alphabet in a copy of phb 6 bible). It might sound silly but it works.

thubby
2012-02-18, 09:47 AM
Though it is silly to just write them down and leave them by your machine, I found that writing them with replacement characters and hiding them inside a book in your bookcase (I use standard galactic alphabet in a copy of phb 6 bible). It might sound silly but it works.

Unless you are forced to live around people you don't trust (the only thing I'm coming up with is college roommates), why couldn't you leave it by your machine?

STsinderman
2012-02-18, 10:00 AM
Unless you are forced to live around people you don't trust (the only thing I'm coming up with is college roommates), why couldn't you leave it by your machine?

I take it you didn't grow up with siblings? Or nosy parents, girlfriend, roommate? Not to mention that should anyone break in and steal your tower, you have also just handed them access to the machine, your data and all of your accounts that could have sensitive info stored.

Water_and_Wind
2012-02-18, 10:05 AM
Writing them down on paper also means they may get misplaced, and then you have no idea if anyone else picked them up or not. And definitely not at work, unless you want to give the cleaning lady godly admin powers.

Oh, another reason to use password managers - on the Internet, you have to assume that your login passwords will be stored in plaintext. There's just no way for you to know, like for example with the Sony fiasco last year, I believe the passwords were stored in the clear. Unless you can keep track of completely separate passwords for every important site you go to, you're probably better off with a password manager.

The problem of a single master password providing access to your other passwords can be mitigated through multi-factor authentication. This means that in addition to your master password, you need some other object, like your phone to access the password database. So theoretically, a remote attacker cannot do jack even with your master password.

Personally, I decided to go with managers plus password hints for the master passwords. These are no ordinary password hints however. Inside the password database, I store the passwords for unimportant stuff, and more password hints for the important accounts, which will hopefully buy me some time to change them should the master password be compromised.

thubby
2012-02-18, 10:30 AM
I take it you didn't grow up with siblings? Or nosy parents, girlfriend, roommate? Not to mention that should anyone break in and steal your tower, you have also just handed them access to the machine, your data and all of your accounts that could have sensitive info stored.

Had the first 3. No roommates yet, but I did say that was a good reason not to.

Water_and_Wind
2012-02-19, 02:24 AM
I just found another good method that others have devised to create unique passwords for every site: password generators.

Simply, you have a master password that you memorize, and the password generator uses that and an identifier that is unique to the site you're signing into (such as the domain name) to generate a secure password for that particular site. As long as the master password and the identifier don't change, the same password is generated every time. If the hashing method meets certain requirements, even if an attacker learns one of the generated passwords, it will not provide any information about the other passwords or the master.

Advantage: Passwords are algorithmically generated, so they are not stored anywhere, either locally or online. This is a step up from traditional password managers.

Disadvantage: In its most basic form, the master password is still a weak point: an attacker who has the master pwd and knows what generator you're using can generate your passwords.

For more reading, go to http://supergenpass.com/ or http://mettadore.com/ruby/secure-password-generator-as-manager-without-single-point-failure/

I cannot recommend SuperGenPass, as nifty as it is though, because of http://akibjorklund.com/2009/supergenpass-is-not-that-secure
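An added example of the generator idea from the post above (not SuperGenPass's algorithm or any project's code): the site password is derived on demand from the master password and the domain with a deliberately slow key derivation, so nothing is stored and a single leaked site password is expensive to turn back into the master. Function names, the alphabet and the iteration count are this example's own choices.

```python
import hashlib
import math
import string

# 64-character alphabet so that taking each derived byte modulo 64 is unbiased (256 = 4 * 64).
ALPHABET = string.ascii_letters + string.digits + "-_"

# Deliberately slow KDF: if one generated password leaks (a site stored it in the clear),
# every guess at the master password costs this much work. A fast, short hash would not
# give this protection, which is the "certain requirements" the post refers to.
ITERATIONS = 200_000


def normalize_site(site: str) -> str:
    """Canonicalize the site identifier so 'Example.com' and 'example.com' derive the same password."""
    return site.strip().lower()


def derive_site_password(master: str, site: str, length: int = 20) -> str:
    """Deterministically derive one site's password from the master password and the site name."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        normalize_site(site).encode("utf-8"),  # the site identifier acts as the salt
        ITERATIONS,
        dklen=length,
    )
    # Map each derived byte onto the alphabet; '& 63' keeps the choice uniform over 64 symbols.
    return "".join(ALPHABET[b & 63] for b in derived)


def entropy_bits(length: int) -> float:
    """Entropy of a generated password of this length over the uniform 64-symbol alphabet."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed master password for the demo
    for site in ("example.com", "forum.example.org"):
        print(site, derive_site_password(master, site))
    print("entropy bits per 20-char password:", entropy_bits(20))
```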

Eloel
2012-02-19, 05:30 AM
Write everything in a txt file.

Get a program or write it, it's easy enough if you know just a little bit of programming, and then you'd not have problems at all with trust issues (I use "xor everything character by character with the master key repeating and add 128 to each character", so the encryption and decryption can be done by the same program, and even with the master key, the program, and the encrypted txt file, it has a chance of not working on a foreign machine (ASCII after 128 is blurry)) to encrypt it with a master key.

Do NOT forget the master key.
Problem solved!

Water_and_Wind
2012-02-19, 06:20 AM
You've basically described Keepass without the use of a key file, or TrueCrypt. As such it's subject to the same vulnerability to loggers as them. That said, for a local database that's probably not a big problem as long as you have A/V and a good firewall.

And personally, I would not put anything important inside something I wrote myself, no matter how good the theory is. Plus that encryption scheme doesn't look very secure.
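An added illustration (not Eloel's program) of the scheme described two posts up, repeating-key XOR followed by adding 128 to every byte, showing both the portability problem the post itself mentions and why the reply calls the scheme not very secure: one known fragment of the file gives away the master key. The key and file contents are constructed.

```python
def xor128_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each byte with the master key repeated across the file, then add 128."""
    return bytes(((p ^ key[i % len(key)]) + 128) % 256 for i, p in enumerate(plaintext))


def xor128_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse: subtract 128, then XOR with the same repeating key."""
    return bytes(((c - 128) % 256) ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def is_ascii_safe(data: bytes) -> bool:
    """With ASCII plaintext and key, every output byte is >= 128, so the file is not ASCII at
    all; a machine that opens or saves it as text under another encoding silently corrupts it."""
    return all(b < 128 for b in data)


def recover_key_from_known_text(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Why repeating-key XOR fails: for any position whose plaintext byte p is known,
    key[i % key_len] = (c - 128) ^ p. A known fragment at least key_len bytes long
    (a fixed header, a site name every entry starts with) yields the whole master key."""
    key = bytearray(key_len)
    for j, p in enumerate(known[:key_len]):
        i = offset + j
        key[i % key_len] = ((ciphertext[i] - 128) % 256) ^ p
    return bytes(key)


# Constructed sample: a short master key and a text file of the kind the post describes.
MASTER_KEY = b"hunter2"
PASSWORD_FILE = (
    b"# passwords\n"
    b"forum.example.org: Tr0ub4dor&3\n"
    b"mail.example.com: xK9!wq-Lp2\n"
)

if __name__ == "__main__":
    ct = xor128_encrypt(PASSWORD_FILE, MASTER_KEY)
    print("round trip ok:", xor128_decrypt(ct, MASTER_KEY) == PASSWORD_FILE)
    print("ciphertext is plain ASCII:", is_ascii_safe(ct))
    # The file's first line is a fixed header, so its first 7 bytes reveal the 7-byte key.
    print("key from header:", recover_key_from_known_text(ct, b"# passwords\n", 0, len(MASTER_KEY)))
```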

Rawhide
2012-02-19, 06:55 AM
Why generate the password every time? As long as you generate the password once and store it with a strong master key, there is no difference (in fact, using the password generator each time could actually introduce vulnerabilities).

1) Generate a very strong password that no human could remember.
2) Store it in a keychain with strong encryption and a strong master key (preferably multi-factor).
3) Pull it out only when needed.

Water_and_Wind
2012-02-19, 10:22 AM
The main advantage of generators is that no passwords are stored anywhere. As a consequence, you do not need to worry about your password database being lost or corrupted. Even if your encrypted database is perfectly secure, an attacker could simply delete it and make your life hell if you don't make regular backups.

Also, it could allow for ultimate portability without the need to trust your passwords to the cloud or any other third party. SuperGenPass is nothing but a bookmarklet, any browser can run it and the hashing is done locally of course.

Multi-factor wouldn't work very well though as you would need to use the extra factors every single time you need a password.

Rawhide
2012-02-19, 03:54 PM
The main advantage of generators is that no passwords are stored anywhere. As a consequence, you do not need to worry about your password database being lost or corrupted. Even if your encrypted database is perfectly secure, an attacker could simply delete it and make your life hell if you don't make regular backups.

Also, it could allow for ultimate portability without the need to trust your passwords to the cloud or any other third party. SuperGenPass is nothing but a bookmarklet, any browser can run it and the hashing is done locally of course.

Multi-factor wouldn't work very well though as you would need to use the extra factors every single time you need a password.

There's no advantage, you still need to store the seed and the generator. All you are doing is making it more complicated and adding additional vectors for attack and failure.

Karen Lynn
2012-02-20, 06:25 AM
I'm of the simple belief:

Important stuff? Unique ID, Unique pwd. Make it a seemingly random string of characters that follow a simple, easy to remember algorithm.

Non important stuff? One of twelve unique passwords[not factoring the rape of L337 and 'txt spk'*shudders* for more variance].

Seriously, the more programs and sites and other objects you use, the more likely you are to lose your password to someone else. Hell, if I wanted to hack someone[many people], I would run one of these for several years before performing the hack, then claim I was hacked. :P

Seriously, store your passwords in your brain. No wet-wire jacks yet, and I doubt there are people out there looking to take pliers to your finger nails for your GiTP PM inbox.

Heck, you want a password that will stand up to most password hacks?

I'll tell you how a lot of people do it:

Take three facts about yourself, unrelated to each other. Write them down. Random examples?

I like Lady GaGa. I am actually a Frenchman. My great grand-pappy was killed by a flaming turkey from space.

Now, pick a pattern... Let's say first and last of each. Now toss in capitalization, then punctuation. Let's drop spaces and the letter... 'A'.

IleLyG.ImyFn.Mygtgdpywskdbyfgtyfmse.

If you take three facts and use that pattern, and not openly share this pattern+facts with others, the probability of ever getting directly hacked is close enough to 0 that you might not even exist on the site to them. Your info is more likely to be gleaned from a full root hack (which is out of your control anyway).

Take three short phrases. Hometown, birthdate, whatever is close and not too easy to glean, follow that pattern, and voila. Nigh unhackable password.

Want to never get hacked? Don't get a computer or sign up for websites. :P

Rawhide
2012-02-20, 06:47 AM
I'm of the simple belief:

Important stuff? Unique ID, Unique pwd. Make it a seemingly random string of characters that follow a simple, easy to remember algorithm.

Non important stuff? One of twelve unique passwords[not factoring the rape of L337 and 'txt spk'*shudders* for more variance].

Seriously, the more programs and sites and other objects you use, the more likely you are to lose your password to someone else. Hell, if I wanted to hack someone[many people], I would run one of these for several years before performing the hack, then claim I was hacked. :P

Seriously, store your passwords in your brain. No wet-wire jacks yet, and I doubt there are people out there looking to take pliers to your finger nails for your GiTP PM inbox.

Heck, you want a password that will stand up to most password hacks?

I'll tell you how a lot of people do it:

Take three facts about yourself, unrelated to each other. Write them down. Random examples?

I like Lady GaGa. I am actually a Frenchman. My great grand-pappy was killed by a flaming turkey from space.

Now, pick a pattern... Let's say first and last of each. Now toss in capitalization, then punctuation. Let's drop spaces and the letter... 'A'.

IleLyG.ImyFn.Mygtgdpywskdbyfgtyfmse.

If you take three facts and use that pattern, and not openly share this pattern+facts with others, the probability of ever getting directly hacked is close enough to 0 that you might not even exist on the site to them. Your info is more likely to be gleaned from a full root hack (which is out of your control anyway).

Take three short phrases. Hometown, birthdate, whatever is close and not too easy to glean, follow that pattern, and voila. Nigh unhackable password.

Want to never get hacked? Don't get a computer or sign up for websites. :P

Meh, no need to go to that complexity, if you're not using a keychain with master password, just make a passphrase.