--- lyndon@orthanc.ca wrote: From: Lyndon Nerenberg <lyndon@orthanc.ca> On 2012-06-08, at 12:48 PM, Michael Thomas wrote:
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
https://agilebits.com/onepassword (1Password) is one solution to managing web site passwords.
Only if you have an OS you have to pay for: apple or ms.
scot
On Fri, Jun 8, 2012 at 1:02 PM, Scott Weeks <surfer@mauigateway.com> wrote:
https://agilebits.com/onepassword (1Password) is one solution to managing web site passwords.
Only if you have an OS you have to pay for: apple or ms.
So use LastPass, then. -j
On 2012-06-08, at 1:02 PM, Scott Weeks wrote:
Only if you have an OS you have to pay for: apple or ms.
I don't pay for them. $WORK pays for them. If your complaint is about 1Password not running on your particular operating system, then pick a solution that *does* run on your OS. There are several open source alternatives you can use.
On 06/08/2012 10:02 AM, Scott Weeks wrote:
Only if you have an OS you have to pay for: apple or ms.
scot
Use lastpass, or maybe Password Gorilla (uses an encrypted local file but you could stick that on a dropbox space or SpiderOak space).
https://agilebits.com/onepassword (1Password) is one solution to managing web site passwords.
Only if you have an OS you have to pay for: apple or ms.
The 1password password store has a perfectly usable local-only HTML app that lives in its data folder. http://help.agile.ws/1Password3/1passwordanywhere.html It works perfectly well from Linux and other OSes. I keep hoping for a free full-fledged Linux desktop port a la the android one ;-) [Or for seahorse integration, or whatever - I'm as big an open source advocate as nearly anyone, but having 1P on windows, osx, my droid, my ipad, and usable from my linux and solaris desktops... well, it's just too good not to give them a little money and a lot of respect for a good application.] best, --e
My biggest problem still is the multiple computer issue. I am on at least 3-5 physical computers and 1-20 virtual machines, and 2 cellphones a day. I honestly do not want to store a database of passwords, encrypted or not, on an open service. As I have never had a virus or malware on any of my computers in the last 20 something years I trust my local machine/network more. The problem is it creates a distribution problem that is painful and tedious to deal with. So I stick with 10-15 long reasonably secure passwords that get used for stuff that just doesn't matter because there is an assumed no security (facebook, linkedin, whatever, and honestly who cares if this stupid stuff is hacked, it's really just to avoid the hassle it would cause) and 1 unique password per critical site (bank, benefits, financials). I store them on a local 3x3 levels of encrypted virtual drives with (2) 32-48 remembered passwords to access them just in case I forget any. Then I lock the 2 passwords up in a safe in a sealed envelope just in case something happens to me. If you are cautious on what and where you use them you honestly only need to change the criticals once a year or if there is a security event; heck, outside of the bank account, I almost never login to any of the other accounts except to change the password. And for all other internet stuff, who cares, the assumption is it will be hacked; don't put stuff on the open internet that you don't want the entire world to know.
On Sat, Jun 9, 2012 at 10:52 AM, <joseph.snyder@gmail.com> wrote:
My biggest problem still is the multiple computer issue. I am on at least 3-5 physical computers and 1-20 virtual machines, and 2 cellphones a day. I honestly do not want to store a database of passwords encrypted or not on an open service.
Security is all about trade-offs. In this case it's the trade-off between storing an encrypted password database on a 3rd party server vs. re-using passwords and having (potentially) weaker passwords as a result of not doing so. Personally I use KeePass, with the database stored on a cloud-synced directory. To decrypt the KeePass database requires both a Password AND a Key file, which is NOT synced to the cloud. IMHO this gives the best of both worlds - easy syncing between multiple computers and the ability to use unique, very strong passwords with all websites. But also very strong security in the case that the KeePass database is somehow compromised from the cloud service, as both the password and keyfile would be required to decrypt.
Scott
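The password-plus-key-file arrangement described above, modelled as an added example (not Scott's code and not KeePass's real format): a stdlib-only Python sketch in which the blob that lands in the cloud-synced directory opens only when both factors are present. The composite-key derivation is a simplified analogue of the KeePass idea and the HMAC-based cipher is a stand-in for the AES/ChaCha a real vault uses; both are assumptions, as is the iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 200_000  # PBKDF2 iterations; an assumed value, tune for your hardware


def composite_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Derive one vault key from BOTH factors.

    Modelled on the KeePass idea (hash each factor, hash the concatenation,
    then stretch); a simplified scheme, not KeePass's on-disk format.
    Omitting or changing either factor yields an unrelated key.
    """
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(keyfile).digest()
    composite = hashlib.sha256(pw_hash + kf_hash).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for
    # the AES/ChaCha a real vault would use.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def seal(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. This blob is what gets synced."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_vault(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # constant-time compare; reveals nothing about which factor failed
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    salt = os.urandom(16)      # stored beside the vault; not secret
    keyfile = os.urandom(32)   # stays on the device; never synced
    key = composite_key("correct horse", keyfile, salt)
    vault = seal(b"bank: hunter2\nmail: s3cr3t", key)
    assert open_vault(vault, key) is not None
    # Someone holding the synced blob plus the password still lacks the key file:
    assert open_vault(vault, composite_key("correct horse", b"", salt)) is None
    print("vault opens only with password AND key file")
```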
On 6/9/12, Scott Howard <scott@doc.net.au> wrote: [snip]
Security is all about trade-offs. In this case it's the trade-off between storing an encrypted password database on a 3rd party server vs. re-using passwords and having (potentially) weaker passwords as a result of not [snip]
Yes. Using an encrypted online password vault is a trade-off.
Risks that are unaffected:
- A randomly generated password might be more guessable than a human-created password, if generated by an insecure PRNG, for example, if the possible generation outcomes for given input parameters can be predicted through analysis.
- A password can easily be stolen by malware on a computer the password is typed on that logs keystrokes and mouse clicks (even a vault's master password).
- A password can easily be stolen if transmitted to a remote site unencrypted, by a computer on the local or remote LAN with malware infection (even a switched LAN).
- If either endpoint's SSL certificate (or a CA) is compromised, a MITM attack can be used to learn the contents of encrypted communications.
- A password can be stolen by malware if stored temporarily at rest or temporarily in RAM in an unencrypted format.
- A password can be stolen if stored at rest in unencrypted format.
- A password can be stolen, even if encrypted, if the symmetric encryption key can also be stolen.
New risks increased in magnitude:
- If malware running on a computer is aware of the password vault application, it may be able to maliciously modify the executable code of the password vault application in memory, resulting in data compromise.
- Your password data is vulnerable to local compromise if your master pw is guessed or stolen. (Use a vault with multi-factor authentication to mitigate.)
- If password vault data is stolen, the thief has a convenient list of accounts. Risk can be reduced by using multiple vaults of different types for different security levels/use frequency.
- If the password vault software fails, the DB is corrupted, or the online password vault service goes offline, you can lose access to your accounts, because you don't remember the passwords.
- The pass vault is an additional piece of software; if the software developers' systems are compromised, it might be possible for malicious code to be inserted in the password vault application.
- If the password vault software has a bug, the encryption doesn't work properly, or fails to maintain good security hygiene, all your passwords may be vulnerable. For example, if you keep a GPG encrypted list of passwords, and you create a "temporary plain text file" when re-encrypting to create a new encrypted list, passwords are vulnerable to theft during this process, and afterwards via latent disk analysis techniques.
Examples of risks mitigated by online encrypted password vault VS shared or similar passwords that are memorized:
- Reduced risk of loss of access to account, resulting from forgetting which password was selected for a particular account, or adverse password changes enforced by "password setting" or "mandatory password change" policies.
- No need to use short/guessable passwords (less than 16 characters); high-entropy passwords can be chosen which can only be attacked by brute force, and which will take massive amounts of money or time to successfully attack.
- If the login password to one site is compromised, guessed, or accidentally disclosed by any means, many of your accounts are at increased risk.
Risks eliminated by pw vault VS passwords written down on a slip of paper:
- No risk of losing the paper, resulting in account compromise and loss of access.
- No risk of a piece of paper being stolen.
- No need to use short passwords (less than 32 characters) that can easily be written down.
--
-JH
participants (8)
- elijah wright
- Jimmy Hess
- John Adams
- joseph.snyder@gmail.com
- Lyndon Nerenberg
- Paul Graydon
- Scott Howard
- Scott Weeks