Do you use a password manager?

  • Do you use a password manager?

    If not, you should.

    The simple reason is that if you, like myself, have accounts at 100+ sites, or even 20+, it's pretty much impossible to keep unique, secure passwords for each site all in your head. If you don't, and use the same password on two sites, you create what is called a trust relationship between the respective accounts, meaning they depend on each other to keep their data secure. If one site leaks your password, the security of the other is put in jeopardy. You would be surprised how many sites don't secure their users' passwords properly; some idiots even keep them in plain text "in case the user forgets them" *epic facepalm*.

    I'm not gonna tell you which password manager to use; there are a bunch of them and most of them do the job. Just google the term for more information on which one is right for your needs. Myself, I use LastPass and I'm perfectly happy with it. It's convenient, everything is encrypted locally and synced to the cloud, and it offers a wide range of multi-factor authentication options. The LastPass Security Challenge is also a neat feature.

    If you use a password manager, which one and why?
    Poll results (29 votes):
    Yes                              21  (72.41%)
    No, don't want/need to            6  (20.69%)
    Not yet, but I will get one now   1  (3.45%)
    I don't care                      1  (3.45%)

  • #2
    I use the plain A4 Paper password manager.
    It's simple but it gets the job done.



    • #3
      Unless you lock that paper inside a safe it's not very secure :P



      • #4
        Security is an illusion.
        So thinking you are safe by implementing one measure makes you delusional.
        Nevertheless, storing something physical is always a better idea than digital.



        • #5
          Originally posted by ak_74
          Security is an illusion. So thinking you are safe by implementing one measure makes you delusional. Nevertheless, storing something physical is always a better idea than digital.
          I strongly disagree. It's much easier to steal a physical paper than decrypt something that is properly encrypted with a good passphrase. Security is not an illusion, it's a compromise. There are no perfect solutions. However, properly implemented security measures can be very effective, and one security measure is better than none.



          • #6
            Let's talk about probabilities.
            I have lived in my current house for 25 years. In this time frame I have never been stolen from. Neither has anyone that I know of.
            And if someone breaks into your house, do you think he will be looking for your paper with passwords? I doubt it.

            Imagine now your computer: how often do you use cracked software? Do you use Flash? Do you use Java? Do you use Windows? How often do you see critical updates for your OS?...
            You see, there's a 99% chance that you already have 2-3 individuals spying on you (no matter what internet security you use).
            And if someone breaks into your computer, do you think that stored passwords won't be one of the first things that he will be looking for? Be assured it is.
            And don't tell me about the difficulty of breaking the encrypted passwords, there is no such thing.



            • #7
              I agree with the above statement: security is an illusion. That doesn't mean you shouldn't take steps to protect your stuff, whether digital or physical. I use a variant of the plain A4 paper password manager, the little black book. I agree with @ak_74, burglars most likely look to steal your hardware, which they later might look through for usable information. Depending where your computer ends up, you might be in trouble. I also want to add that burglars often look for documents to be used for identity theft, so keep that stuff hidden. When I'm not at home I have an alarm system and two German shepherds to keep my passwords safe - I like those odds...

              I actually have an account at a password manager, SecureSafe, and I like it fine, but only use it for nonessential passwords. It's something with putting all your eggs in one basket that doesn't agree with me... I don't remember why I chose SecureSafe, probably because of favorable reviews and recommendations. Like I said, I do like it, it's more the concept I have a problem with.



              • #8
                Moved this to Off Topic > Computers since this is not a tutorial.




                • #9
                  I use LastPass; having many accounts on many systems and not being able to use the same one on each means there is not much alternative unless I write them down. Maybe using 2-factor authentication would be better but it is such a pain....



                  • #10
                    Originally posted by ak_74
                    Let's talk about probabilities.
                    I have lived in my current house for 25 years. In this time frame I have never been stolen from. Neither has anyone that I know of.
                    And if someone breaks into your house, do you think he will be looking for your paper with passwords? I doubt it.

                    Imagine now your computer: how often do you use cracked software? Do you use Flash? Do you use Java? Do you use Windows? How often do you see critical updates for your OS?...
                    You see, there's a 99% chance that you already have 2-3 individuals spying on you (no matter what internet security you use).
                    And if someone breaks into your computer, do you think that stored passwords won't be one of the first things that he will be looking for? Be assured it is.
                    And don't tell me about the difficulty of breaking the encrypted passwords, there is no such thing.
                    Do you have a source on that, or are you just making stuff up? Let's say I have a password encrypted with AES-256 and a key derived with 5000 rounds of bcrypt from the original 60-bit (entropy, not length) pass-phrase. How do you plan on cracking that?

                    Originally posted by MKUTW
                    I agree with the above statement: security is an illusion. That doesn't mean you shouldn't take steps to protect your stuff, whether digital or physical. I use a variant of the plain A4 paper password manager, the little black book. I agree with @ak_74, burglars most likely look to steal your hardware, which they later might look through for usable information. Depending where your computer ends up, you might be in trouble. I also want to add that burglars often look for documents to be used for identity theft, so keep that stuff hidden. When I'm not at home I have an alarm system and two German shepherds to keep my passwords safe - I like those odds...

                    I actually have an account at a password manager, SecureSafe, and I like it fine, but only use it for nonessential passwords. It's something with putting all your eggs in one basket that doesn't agree with me... I don't remember why I chose SecureSafe, probably because of favorable reviews and recommendations. Like I said, I do like it, it's more the concept I have a problem with.
                    What do you mean by illusion? If what you mean is that security is something you think you have but actually don't, that might be true for some people but it certainly isn't true in general. Security is about minimizing risk with minimal disruption to business, about balancing risk and convenience. It's about knowing what to do when the measures you put in place fail, before they do. Let's take a look at risk vs convenience for some of the options:

                    Password managers (e.g. LastPass), on-line and off-line, closed and open source
                    + Very convenient if on-line, if off-line not so much since you need to bring the encrypted blob with you physically
                    + Your passwords are strongly encrypted everywhere except locally on your machine when logged in (even with a weak master password properly implemented encryption is secure enough to deter the common attacker. With a strong one, it's practically unbreakable even for the NSA)
                    + Multi-factor authentication schemes can minimize risk further

                    - Risk of locally running trojans, keyloggers stealing your passwords. Mitigation: Use up-to-date OS/software and anti-virus.
                    - If closed source, risk of company placing back-doors to retrieve confidential information and leak to government agencies (this risk is much greater if company is US-based, which LastPass is)
                    - If it fails, all your eggs are crushed.


                    Plain A4 method
                    + Almost* immune to viruses/trojans etc
                    - Critical risk of unauthorized physical access. Mitigation: Use a safe or obfuscate the password with an algorithm only known by you.
                    - Not convenient to copy pass-phrase by hand (remember: pass-phrases need to have high entropy to be useful, i.e. either very long or very complex)
                    - If the passwords are obfuscated with any algorithm worth using it drops from not convenient to not feasible since it would take ages to decipher the pass-phrase (unless you're extremely smart, which most users are not)

                    * A compromised web-cam can be used to snap a picture of it if not careful

                    I for one find the balance of risk and convenience to be best with an on-line password manager. And I do not marginalize the risk of someone reading your "black book". It doesn't have to be a burglar you know. What if you're hosting a party with some of your friends and your friends' friends? Do you really trust all those people you barely know 100%? Do I trust my computer 100%, or the companies who built the software in it? No I don't, but it's a risk I'm willing to take.



                    • #11
                      The weak link is always the humans.
                      And with the password managers there is a lot of involvement.

                      And you asked how that encryption scheme can be cracked (if it is actually implemented): imagine you have access to a super computer (or equally a botnet) with one million cores/computers. Now the problem seems easier, doesn't it?
                      Last edited by ak_74; April 21, 2015, 04:39 AM.



                      • #12
                        Originally posted by ak_74
                        The weak link is always the humans.
                        And with the password managers there is a lot of involvement.

                        And you asked how that encryption scheme can be cracked (if it is actually implemented): imagine you have access to a super computer (or equally a botnet) with one million cores/computers. Now the problem seems easier, doesn't it?
                        It is implemented, in all places with a decent IT-administrator. 60-bit entropy -> 2^60 possible passphrases. To derive the key from the password takes, let's say, 1 second on a standard, modern CPU in single-threaded mode (it depends on how many rounds you use). So going through all possible pass-phrases takes (2^60 / (60 * 60 * 24 * 365.25)) years to test all pass-phrases on a single core, which is about 36 559 million years. With a million cores, it takes 36 559 years. After half that time (18 279 years) there's a 50/50 shot that the correct pass-phrase has been found, so we will use that as our number.

                        So unless the attacker has 1 billion cores at his disposal, I'm not worried.



                        • #13
                          What do you mean by illusion? If what you mean is that security is something you think you have but actually don't, that might be true for some people but it certainly isn't true in general. Security is about minimizing risk with minimal disruption to business, about balancing risk and convenience. It's about knowing what to do when the measures you put in place fail, before they do. Let's take a look at risk vs convenience for some of the options:

                          Password managers (e.g. LastPass), on-line and off-line, closed and open source
                          + Very convenient if on-line, if off-line not so much since you need to bring the encrypted blob with you physically
                          + Your passwords are strongly encrypted everywhere except locally on your machine when logged in (even with a weak master password properly implemented encryption is secure enough to deter the common attacker. With a strong one, it's practically unbreakable even for the NSA)
                          + Multi-factor authentication schemes can minimize risk further

                          - Risk of locally running trojans, keyloggers stealing your passwords. Mitigation: Use up-to-date OS/software and anti-virus.
                          - If closed source, risk of company placing back-doors to retrieve confidential information and leak to government agencies (this risk is much greater if company is US-based, which LastPass is)
                          - If it fails, all your eggs are crushed.


                          Plain A4 method
                          + Almost* immune to viruses/trojans etc
                          - Critical risk of unauthorized physical access. Mitigation: Use a safe or obfuscate the password with an algorithm only known by you.
                          - Not convenient to copy pass-phrase by hand (remember: pass-phrases need to have high entropy to be useful, i.e. either very long or very complex)
                          - If the passwords are obfuscated with any algorithm worth using it drops from not convenient to not feasible since it would take ages to decipher the pass-phrase (unless you're extremely smart, which most users are not)

                          * A compromised web-cam can be used to snap a picture of it if not careful

                          I for one find the balance of risk and convenience to be best with an on-line password manager. And I do not marginalize the risk of someone reading your "black book". It doesn't have to be a burglar you know. What if you're hosting a party with some of your friends and your friends' friends? Do you really trust all those people you barely know 100%? Do I trust my computer 100%, or the companies who built the software in it? No I don't, but it's a risk I'm willing to take.
                          Hi @epicdavid,

                          I'm referring to the more philosophical concept of security as being or, often more important, feeling secure, as opposed to security as a noun. And I do consider it a general truth. Let's say you equate security with having a security camera. In objective terms you have more security (the camera itself is not an illusion) than you did before, but it still doesn't make you secure in the absolute sense of the world. Security is measured on a scale from less to more; to achieve absolute security is impossible - it's an abstract concept and therefore an illusion. Of course I'm not arguing against adding security to be and feel more secure, but the day you think you have achieved absolute security, you're fooling yourself.

                          From my perspective you actually seem to be of the same opinion. You talk about minimizing and managing risk, not eliminating it. You have a pros and cons list of the password managers discussed earlier, which means that there are benefits and disadvantages to either system. You say you can't trust your computer or the companies that built the software 100%, but you choose to accept that risk because you consider it the most secure option. And you weigh in convenience in your decision-making process, which really shouldn't be a factor if you're going for the maximum amount of security. Neither you nor I can claim to have the ultimate password management solution. We each choose based on multiple factors, some more rational, like objective security and convenience, and some more irrational, like perceived security. We each achieved our goal, to be and feel more secure, but neither of us (I hope!) thinks we are absolutely secure.



                          • #14
                            Originally posted by epicdavid
                            It is implemented, in all places with a decent IT-administrator. 60-bit entropy -> 2^60 possible passphrases. To derive the key from the password takes, let's say, 1 second on a standard, modern CPU in single-threaded mode (it depends on how many rounds you use). So going through all possible pass-phrases takes (2^60 / (60 * 60 * 24 * 365.25)) years to test all pass-phrases on a single core, which is about 36 559 million years. With a million cores, it takes 36 559 years. After half that time (18 279 years) there's a 50/50 shot that the correct pass-phrase has been found, so we will use that as our number.

                            So unless the attacker has 1 billion cores at his disposal, I'm not worried.
                            And you assumed single core and the core's power is generating one hash per sec.
                            I would say to multiply that with 10^4. (gpus, accelerators, or even normal cpu)
                            And then the dream becomes possible.

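A worked version of the brute-force estimate argued over in posts #12 and #14, added here as an example and not something any poster wrote. It takes the assumptions the posters name (60 bits of pass-phrase entropy, one key derivation per second per core, a million cores, and #14's 10^4 hardware multiplier) and, from the defender's side, also turns the question around: how many bits of entropy does a pass-phrase need so that an attacker with an assumed guess rate still needs a chosen number of years on average. The 365.25-day year follows the formula in #12; the 100-year target and the 10^10 guesses/s rate in the last scenario are illustrative values chosen for this example, not figures from the thread.

```python
import math

# Seconds per year, using the 365.25-day year written in post #12's formula.
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def crack_time_years(entropy_bits, seconds_per_guess=1.0, cores=1, fraction=1.0):
    """Wall-clock years to test `fraction` of a 2**entropy_bits key space when
    each core needs `seconds_per_guess` per candidate (the KDF cost) and
    `cores` cores run in parallel."""
    keyspace = 2 ** entropy_bits
    guesses_per_second = cores / seconds_per_guess
    return keyspace * fraction / guesses_per_second / SECONDS_PER_YEAR


def expected_crack_time_years(entropy_bits, seconds_per_guess=1.0, cores=1):
    """The 50/50 point from post #12: on average half the key space is searched
    before the right pass-phrase turns up."""
    return crack_time_years(entropy_bits, seconds_per_guess, cores, fraction=0.5)


def entropy_bits_needed(target_years, guesses_per_second):
    """Smallest whole number of entropy bits such that an attacker making
    `guesses_per_second` guesses needs at least `target_years` on average
    (expected time = half the key space / rate)."""
    guesses_needed = 2 * target_years * SECONDS_PER_YEAR * guesses_per_second
    return math.ceil(math.log2(guesses_needed))


def main():
    # Post #12: 60 bits, 1 s per derivation, one core, then a million cores.
    print(f"60 bits, 1 core, full search:      {crack_time_years(60):.3e} years")
    print(f"60 bits, 1e6 cores, full search:   {crack_time_years(60, cores=10**6):,.0f} years")
    print(f"60 bits, 1e6 cores, expected:      "
          f"{expected_crack_time_years(60, cores=10**6):,.0f} years")

    # Post #14: the same million machines but 10^4 times faster per core
    # (GPUs/accelerators), i.e. 10^10 guesses per second overall.
    fast = expected_crack_time_years(60, seconds_per_guess=1e-4, cores=10**6)
    print(f"60 bits, 1e10 guesses/s, expected: {fast:.2f} years")

    # Defender's sizing: entropy needed to hold out 100 years (illustrative
    # target) against that 1e10 guesses/s attacker (illustrative rate).
    bits = entropy_bits_needed(100, 1e10)
    print(f"Entropy needed for 100 years at 1e10 guesses/s: {bits} bits")


if __name__ == "__main__":
    main()
```

Two things fall out of running it. First, #14's multiplier collapses #12's 18 000-odd years to under two, so the honest answer to "how do you plan on cracking that?" depends entirely on the guess rate you grant the attacker. Second, every extra bit of entropy doubles the cost again, which is why the practical defence is a slow KDF combined with a pass-phrase sized for the attacker you actually expect rather than arguing about whether 60 bits is "enough".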


                            • #15
                              I use KeePass as I have different passwords for everything, the master is on a piece of paper somewhere at home and the database is on a usb stick which is removed and put somewhere else when I am not logging on. Sometimes it may get a bit tedious but overall I am happy.

                              And I agree no one is ever 100% safe in life from anything, but you can take steps towards minimising something bad from happening...

