Password Management (attn: Woodruff, et. al.)

[Woodruff]

No system is foolproof. But Dashlane notes that it doesn’t ever see your passwords or your credit card information. They’re all stored on your own computer, encoded by the AES-256 encryption method, an open-source standard approved by the National Security Agency.

I have a problem with a program approved by the NSA. It just means the NSA can easily gain access your private info, just like they gained access to your phone records.

Yeah, that certainly won't happen unless the program is approved by the NSA. Definitely not. Ever.

[Woodruff]

Sure you pull up a Word doc. Put your passwords on it then encrypt and Password it (unsure of security from Word docs with such things). Choose a passphrase thats easy to remember hit save as and save it on your four flash drives and Voila.

That seems like the best idea yet. Would this work? Woodruff?

I have no idea what Word's security capabilities are, but my guess is that Word wouldn't be a particularly strong method of storing them. Would it work? If it has those capabilities...sure. Would it be strong security? I would suspect not, though I don't know.

[Woodruff]

I use Keepass and have the file on dropbox. I'm not sure if there are apps for android but i've seen one for iphone, tho i didn't buy it.

Im sure there are options that have apps in both android and iphone.

my Keepass and Dropbox password is all i have to remember, or even only the Keepass password if i make the file public on dropbox

Does this mean you have to download the file from Dropbox everytime you want to login? Could I use Keepass plus a USB? Also is there two factor authentication with Keepass? I've had complex passwords broken so many times I don't sneeze without two factor authentication these days.

I'd be concerned about letting it float over Dropbox. Seems like you're risking greater chances of having your files being intercepted---relative to simply keeping things on local USBs + word doc.

Agreed.

[Woodruff]

No, that would be too insecure. LastPass doesn't store your password anywhere. What happens is that your master password basically acts as a hashing function, and the only thing stored on their server is the hash. Your master password acts as a key that allows them to decrypt that into a real password, but basically the only way for anyone to get the real passwords is to use your computer when you're logged in.

Interesting idea with using the LastPass password as the hash itself.

[thegreekdog]

Given what Saxi uses his email for, I'm shocked anyone would care what his passwords were. I suppose there are some "Shipping Wars" fanatics out there who would like nothing more than to stick it to someone who is badgering their idols.

[BigBallinStalin]

Saxi thinks he's a spy or an enemy of the state, so in order to heighten that feeling, he needs to use many different passwords for many accounts.

[2dimes]

He's on a fixed income and doesn't want you stealing his credit card number to buy pr0n after he gets a new pair of swimming trunks off www.spedo.com

[waauw]

you could use a more complicated system of patterns
for example:

• first 2 letters= last two letters of email-address
• codenumbers for cathegory= 01 for job, 02 for family & friends, 03 for junk
• 3 constant letters= pgh
• 2 letters= 4th and 6th letter of email-address
• 1 number= 1st number in emailaddress

so if email were to be saxitonin58@blabla.com
password: in03pghio5

==> can sound annoying at first, but once you're used to it, it's real easy and it's not exactly making sense to anybody who doesn't understand the pattern
and you could ofcourse make it even more complicated if you say 3rd letter expressed NATO-letters(a ==>alpha), or 4th number is number of letters in email x number of numbers in email, etc.

[saxitoxin]

you could use a more complicated system of patterns
for example:

• first 2 letters= last two letters of email-address
• codenumbers for cathegory= 01 for job, 02 for family & friends, 03 for junk
• 3 constant letters= pgh
• 2 letters= 4th and 6th letter of email-address
• 1 number= 1st number in emailaddress

so if email were to be saxitonin58@blabla.com
password: in03pghio5

==> can sound annoying at first, but once you're used to it, it's real easy and it's not exactly making sense to anybody who doesn't understand the pattern
and you could ofcourse make it even more complicated if you say 3rd letter expressed NATO-letters(a ==>alpha), or 4th number is number of letters in email x number of numbers in email, etc.

I just checked this method through the Mandyion Labs brute force attack tester (http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm). The sample password you came up with only produces 8 trillion combinations so could be cracked in 10 seconds if 100,000 desktop computers were working on it and in less than one day if just 10 computers were working on it!

My current password produces 30 quintrillion combinations so (supposedly) would take 100,000 computers working 1 year to crack it, or 10,000 years if 10 computers were working on it (this is assuming Woodruff's AFR unit wasn't mobilized just to crack ol' Saxi's password due to complaints from Chris & Robbie). The problem is I can only remember one of those kind of passwords and it's to my email account so what if someone uses a key logger to get it or leans in and looks over my shoulder when I'm typing? Then they could reset all my passwords. Second issue is that the email program I use offers two methods of password reset ... text to phone or father's middle name. I put a fictitious middle name for my father's middle name so people couldn't try to reset my password using a public records search (like they did to Sarah Palin) but that still leaves me completely vulnerable if someone steals my phone.

[waauw]

you could use a more complicated system of patterns
for example:

• first 2 letters= last two letters of email-address
• codenumbers for cathegory= 01 for job, 02 for family & friends, 03 for junk
• 3 constant letters= pgh
• 2 letters= 4th and 6th letter of email-address
• 1 number= 1st number in emailaddress

so if email were to be saxitonin58@blabla.com
password: in03pghio5

==> can sound annoying at first, but once you're used to it, it's real easy and it's not exactly making sense to anybody who doesn't understand the pattern
and you could ofcourse make it even more complicated if you say 3rd letter expressed NATO-letters(a ==>alpha), or 4th number is number of letters in email x number of numbers in email, etc.

I just checked this method through the Mandyion Labs brute force attack tester (http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm). The sample password you came up with only produces 8 trillion combinations so could be cracked in 10 seconds if 100,000 desktop computers were working on it and in less than one day if just 10 computers were working on it!

My current password produces 30 quintrillion combinations so (supposedly) would take 100,000 computers working 1 year to crack it, or 10,000 years if 10 computers were working on it (this is assuming Woodruff's AFR unit wasn't mobilized just to crack ol' Saxi's password due to complaints from Chris & Robbie). The problem is I can only remember one of those kind of passwords and it's to my email account so what if someone uses a key logger to get it or leans in and looks over my shoulder when I'm typing? Then they could reset all my passwords.

well it was only an example, I'm sure you can make a lot more complex and a lot longer passwords using the same method.
Also to understand such a password you need to understand the patterns. For this you need to know at least 2 email accounts with passwords. But even with 2 it wouldn't be as obvious yet, a person would probably need a lot more to just notice that there are patterns(best leave out constants for this reason). So it's highly doubtful that someone would crack all your email-addresses without hacking.

[nietzsche]

I use Keepass and have the file on dropbox. I'm not sure if there are apps for android but i've seen one for iphone, tho i didn't buy it.

Im sure there are options that have apps in both android and iphone.

my Keepass and Dropbox password is all i have to remember, or even only the Keepass password if i make the file public on dropbox

Does this mean you have to download the file from Dropbox everytime you want to login? Could I use Keepass plus a USB? Also is there two factor authentication with Keepass? I've had complex passwords broken so many times I don't sneeze without two factor authentication these days.

I have it in Dropbox in case I lose my laptop or something, and because I need to log in from Windows some times so it's handy to know I have it available. Also, if I'm somewhere not close to my laptop and need to access something there, I can retrieve the master file easily.

It's simply a way of having the info available at any time, and always updated. Every time I make a change it's saves automatically in Dropbox as well.

But yeah, you can use an USB flash drive.

And I do hate those things filing your forms for you, and asking you if you want to save what you just typed. I rather do it manually in Keepass, although there's a extension for Keepass that you can download that does exactly that intrusive thing if you want.

It's impossible to remember my usernames and passwords anymore, with so many sites and things... I depend on my Keepass.

[notyou2]

LastPass

just gave that a try, can't stand the pop-up - feels ultra-chintzy ... every single website I go to - even the CC forums - it keeps asking me if it wants me to remember the password ... the whole user experience makes me feel as secure as a nietzsche in the donkey costume

Well, I kind of expected you'd value your comfort over your security, so no big deal.

How come he's banned from posting in this thread and still can and I can't?

[Metsfanmax]

I was not banned from the thread. Look more closely.

OK, I'm officially kicking the following people out of this thread:

Metsfanmax*
notyou2
Dukasaur

I need to getting fucking secure and lock my shit down. I don't have time for your shenanigans and shit-ass suggestions.

Thunderbird? For fucks sake. Maybe I should just use a FAX machine!



*may continue to post here.

[Woodruff]

you could use a more complicated system of patterns
for example:

• first 2 letters= last two letters of email-address
• codenumbers for cathegory= 01 for job, 02 for family & friends, 03 for junk
• 3 constant letters= pgh
• 2 letters= 4th and 6th letter of email-address
• 1 number= 1st number in emailaddress

so if email were to be saxitonin58@blabla.com
password: in03pghio5

==> can sound annoying at first, but once you're used to it, it's real easy and it's not exactly making sense to anybody who doesn't understand the pattern
and you could ofcourse make it even more complicated if you say 3rd letter expressed NATO-letters(a ==>alpha), or 4th number is number of letters in email x number of numbers in email, etc.

That's actually a very good system.

[Metsfanmax]

you could use a more complicated system of patterns
for example:

• first 2 letters= last two letters of email-address
• codenumbers for cathegory= 01 for job, 02 for family & friends, 03 for junk
• 3 constant letters= pgh
• 2 letters= 4th and 6th letter of email-address
• 1 number= 1st number in emailaddress

so if email were to be saxitonin58@blabla.com
password: in03pghio5

==> can sound annoying at first, but once you're used to it, it's real easy and it's not exactly making sense to anybody who doesn't understand the pattern
and you could ofcourse make it even more complicated if you say 3rd letter expressed NATO-letters(a ==>alpha), or 4th number is number of letters in email x number of numbers in email, etc.

That's actually a very good system.

Meh.

[saxitoxin]

I use Keepass and have the file on dropbox. I'm not sure if there are apps for android but i've seen one for iphone, tho i didn't buy it.

Im sure there are options that have apps in both android and iphone.

my Keepass and Dropbox password is all i have to remember, or even only the Keepass password if i make the file public on dropbox

Does this mean you have to download the file from Dropbox everytime you want to login? Could I use Keepass plus a USB? Also is there two factor authentication with Keepass? I've had complex passwords broken so many times I don't sneeze without two factor authentication these days.

I have it in Dropbox in case I lose my laptop or something, and because I need to log in from Windows some times so it's handy to know I have it available. Also, if I'm somewhere not close to my laptop and need to access something there, I can retrieve the master file easily.

It's simply a way of having the info available at any time, and always updated. Every time I make a change it's saves automatically in Dropbox as well.

But yeah, you can use an USB flash drive.

And I do hate those things filing your forms for you, and asking you if you want to save what you just typed. I rather do it manually in Keepass, although there's a extension for Keepass that you can download that does exactly that intrusive thing if you want.

It's impossible to remember my usernames and passwords anymore, with so many sites and things... I depend on my Keepass.

Nietzsche may have the best suggestion. I'm going to try this when I get home and if it works nietzsche will win 5 minutes with xeno.

[saxitoxin]

NIETZSCHE WINS! KEYPASS IS EVERYTHING I'D DREAM OF ... AND MORE!!!!!!

[nietzsche]