Password Managers

>>58066218
For any normie; LastPass.

For any NEET who is scared of the someone-else-manages-and-generates-your-passwords-where-you-have-little-control botnet: KeePass (or any other offline password manager).

I just use firefox with master password

>>58066752
To be fair, it's not unreasonable to be paranoid of using a cloud based service.

You can only be so secure on the internet

>>58066218
Dashlane desu
Super easy to cheat their refer a friend and get 6 months of premium

>>58066857
This is why I use KeePass.

>letting botnet have your passwords
Smh senpai

Just make your password yourpassword+website/device initials+123@Abc

>>58066991
but when you use a set algorithm, you password isn't as secure in a pattern like that

>>58066991
>not having 3 different arithmetic operations and applying one for sites which start with a letter from A to S other for T to Z and other one for number starting sites. Using the site's name in hexadecimal and applying the arithmetic operation.

keepassx or fuck off

>>58066218
pass + yubikey

>>58066991
I do something similar, but I also add a number to indicate the importance of the password. Email addresses have a higher number than throw away accounts.

>>58066218
>It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.
How is it not following the UNIX philosophy?

>>58066752
If you don't mind your passwords being stolen:
>LastPass

If you don't mind your password database being brute forcable:
>KeePass

If you care about your passwords being secure:
>pass

I used a pass generator to come up with a long list of 16 digit random upper/lowercase letters and numbers.

I changed all my passwords to passwords on that list and I just keep a copy of the list
Only problem is, I can't for the life of me remember a single one of those passwords so I need to consult my list sometimes while other people are present

>>58066991
The strength of a password derives solely from its unpredictability. I mean, a “password” itself can't really have a strength to begin with. The thing you're measuring is the strength of a password generation /scheme/.

In your proposed scheme, most of it is noise that contributes absolutely zero security (0 bits), because it's either static information (shared prefix), public information (website name) or easily guessable information (device initials). The actual kernel of your password is dogshit.

The thing you have to realize is that in practice, you can assume an attacker has access to _some_ of your passwords and is trying to break into your other accounts based on the ones that they know of.

If your password generating scheme fails this requirement, then it's shit.

>>58067335
>If you don't mind your password database being brute forcable:
Mind clarifying?

>>58067361
I use a method similar to >>58067204
That way I know what all of my passwords are and even if someone gets access to a few of them, they can't guess any other passwords.

>>58067361
do you encrypt that file?

I'm using pass with custom scripts. I like how customizable it is.

My password pasting script checks the window name and tries to parse the password from that. If there isn't any unambigious title matching the passwords, a rofi prompt is displayed with the possible passwords, or all of the passwords. Pretty often it shows just all the password paths, but that's not so bad since I can type just a few letters to the rofi promp to get the right password entry.

super + p jus types the password.

super + shift + p types the username matching the password.

super + ctrl + p types the username, types tab and then types the password (very useful for most websites).

super + ctrl + shift + p types the password, types enter and then types the password. Useful for example for git password prompt.

This is nice because I have a fast global password entry system - it works for every single program. It's secure and also handy. Qutebrowser has also a script which fetches the right password entry and types it to the login form if one is found.

>>58067402
>Mind clarifying?
https://news.ycombinator.com/item?id=9727297
Weak, arbitrary and homegrown crypto. Very unlikely to withstand a cryptanalysis of any sophistication. You should operate under the assumption that anybody with a copy of your database is able to crack it.

>>58067568
this

I use rofi-pass: https://github.com/carnager/rofi-pass

>>58067568
wait, are you literally me? >>58067600

I use qutebrowser too

>>58067568
Nice

>>58067560
No, but the only digital copy is on a burner pc at my house that doesn't even connect to the internet unless I want it to.

I use a printed hard copy I carry in my wallet.

dashlane normie

>>58067645
consider using mnemonic passwords (e.g. diceware) instead of purely randomly generated passwords

>>58067699
thanks for the tip anon, I think this might help

The random upper and lowercase was driving me nucking futs. it makes it so much harder to mentally group letters and numbers when some of them are capitalized

>>58067699
any reason?

>>58067756
When considering a password scheme the thing you want to be optimizing for is entropy per effort - i.e. how many bits of entropy you gain versus how difficult it is to memorize that entropy.

If you assume that the amount of memorization work you can put into a password before you begin forgetting parts of it again is constant, then to gain the most amount of useful strength (entropy) you basically just have to find the scheme with the best efficiency (entropy / effort).

In practice, this means using mnemonic techniques: word associations, mental images, audio jingles, whatever your preferred method of memorization is.

Using a pure randomly generated password might seem the most secure on paper but when you consider how hard they are to memorize, you're getting a few bits of useful entropy at best; whereas an equivalently strong word password would be much easier to memorize.

This is what that widely-misunderstood xkcd comig was basically trying to convey: That password strength in practice is a function of entropy vs effort, not just effort

>>58067841
Well, the basic reasoning is that the human brain is significantly better at memorizing word patterns/associations than it is at memorizing random digits. These are techniques used by memory champions worldwide, and known as far back as ancient greece if not earlier. (e.g. the method of loci / memory palace)

If it's good enough for international memory champions, it's good enough for your passwords; which means you could stop having to constantly look them up from your paper copy of the password list and start just memorizing them instead.

>>58067864
>>58067891
Of course, you can also just use these mnemonic techniques to directly memorize the random strings, rather than making the menmonic technique itself your password.

(Although that being said, using the mnemonic technique directly as the password has the upside of making it more resilient against a pure brute force attack)

At any rate, you want to be using mnemonic techniques to memorize your password in the end.

>>58066218
I'm using 1password. Im liking it so far as long as it doesn't pull some jew shit and start charging me money.

File: 5wdmBP2.png (7KB, 631x137px) Image search: [Google]

7KB, 631x137px

just gonna leave this here /g/uise

>>58066869
botnet

>>58067212
Why over Keepass2?

>>58068455
Seems complicated when you could just use a random string

>>58067579
Reading that thread people are claiming all of the original issues brought up were addressed, some even before that discussion took place.

File: 1471450160645.jpg (103KB, 600x600px) Image search: [Google]

103KB, 600x600px

>>58067579
>homegrown crypto

Just use LastPass with 2-factor auth, works pretty well and someone would need my phone to crack into it.

Yes, it's riskier than an offline manager, but honestly I think the convenience is worth it.

Statistically speaking LastPass would advise of a compromise long before any hacker could login to my stuff, and changing the password again is easy.

Just use a txt document

>>58069618

The only stuff I'm *truly* worried about is my banking and Google details.

Google has a seperate 2-factor auth making it impossible to access without my phone.

My bank needs a password and a pin number to login, LastPass doesn't remember both.

So even if LastPass is compromised, the damage is pretty limited unless they take ages to notify users of the breach.

>>58069656
Use secure notes.

>>58066218
KeePassX is all you'll really need.

>>58066218
>he needs a digital database that requires a master password to access to retrieve his passwords for all of his accounts

only autists like /g/ can make this more complicated than needs be. just sit down, take 10 minutes to come up with a sufficiently long and cryptic key pattern but still easy to remember for you, write that down in somewhere, and refer back to it as needed. after a while, you should be able to memorize it and not need it written down anymore.

>>58066218
Use keepass, don't like it because it's a shitty GUI app. for a while I used a luks encrypted disk image and mounted it as needed, but the more i think about it the more a gpg encrypted message to myself makes sense.

But keepass works on my phone.

>>58066218
I use https://www.passwordcard.org/en I just have to remember a colour, visual marker or pattern for each website and then I add a word and special character to the end IMO the most secure way to do it since it has almost limitless possibilities and the only key is stored in my head

>>58069800
you shouldn't use the same password for everything

>>58066218
>It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.
What?

>>58070471
I think it misses a few things here and there, I don't think that passwords being labeled in plain-text with no way to fix is unixy (I might be wrong and there is a way to do that,) and also the tree view is the standard, but I think that can be changed as well

These are completely retarded nitpicks, and I don't even know why I wrote that. I guess I wasn't thinking earlier.

So just ignore it, it's unix.

>>58070570
>I don't like the way it displays shit
Then change it. It's a fucking bash script
https://git.zx2c4.com/password-store/tree/src/password-store.sh

>>58069656
You mean like the breach from 2013 that was just reported? That breach?

>>58066991
>not using 10+ digit passwords with a combonation of lowercase uppercase symbols and numbers as well as words from foreign languages

> store passwords in the """cloud"""

what the fuck

>>58070913
A really bad decision desu, it's just not safe

>>58070913
>have to fly up to the sky to grab my passwords

don't think i have that much money for hackers to buy a plane and grab my password and have it be worth it

>>58066752
I use KeePass because I'm not going to pay just to access my passwords on my phone. Also I'd much rather store my database in my own cloud than in a centralized server full of passwords.

File: 1481981685251.gif (885KB, 250x250px) Image search: [Google]

885KB, 250x250px

Why use keepassX over Keepass? Mono might turn people off, but it has more plugin support I believe

>>58071265
The X makes it cooler

>>58071286
thats pretty edgy

>>58067579
Not real. Keepass is safe.

>>58071265
The non cancerous logo and linux support.

>>58071605
Isn't the plug in support nearly non existent, though? Things like two factor authentication and cloud sync

File: _81738062_risitas.jpg (34KB, 1024x576px) Image search: [Google]

34KB, 1024x576px

> not using OSX's keychain in $currentYear

>>58067568
>>58067600
p cool

>>58071792
For what fucking purpose

>>58069656
I don't understand the 2Auth meme
my passwords are stored in plaintext as a .txt which also makes my accounts impossible to access without my laptop

>>58071643
yea. You can still use key files and manually pull from cloud so its just a minor inconvenience.

>>58071792
>trusting a company under PRISM
>_81738062_risitas.jpg

veracrypt+txt file

>almost 2017
>not using 'asdfasdf' as your password for everything since 1996

I'm more confused about what password manager to use than when I started this thread.

I just want a reasonably secure, not even super secure password manager that's cross platform.

>>58073749
Then use KeePassX. Works everywhere, as far as I know.

>>58066218
Norman the Normie here:

Why do you use these things?

Why don't you just write your shit in a little notebook that you always keep on your person, or in a drawer, or whatever so you can get it when you need it?

It just seems odd to have to use software to help you manage passwords.

Maybe because I only have a few.

>>58073832
Convenience

>>58073832
If you had a book in a safe or something, it would probably be safer, but you would also be limited. KeePass allows you to carry a copy of the passwords everywhere, and use 2 factor authentication (usually a picture and a password) in order to access the stuff. It's safer than carrying around a notebook with you, though less safe than keeping it in a safe at all times that you don't need it.

>>58073832
Because my passwords are 32-64 (or max length allotted) strings of random shit like
>bwbwu838;*;@))281;sjkan℅~~`|}{£[]¢iwiwbdgyJSJSN_8282+@AWKWNk0
And being able to press CTRL+ALT+A to have the password autotype is extremely convenient.

But I mostly started using one after I checked haveibeenpwned and got a bunch of hits for an account with a password I use everywhere. It's important to never use the same password twice on anything you wouldn't mind losing, and to never put any other personally identifying information on those disposable accounts.

>>58073832
The amount of passwords I have is getting obscene and the only way I can memorize them all is taking shortcuts that's killing security.

It's also just a matter of they take a long time to type in.

t. IT consultant

>>58073832
Try remembering 30, all having their own convoluted scheme like >>58068455

My password are in a notebook in my book shelf

>>58067361
>I need to consult my list sometimes while other people are present
If it was digital...

grep <SITENAME> passwords.txt | xclip

You can always use ssh and X-forwarding to do that from elsewhere.

I use my brain.

>>58073906
>>58073897
>>58073893
>>58073878
>>58073906

Thank you. I understand now. My pedestrian needs don't really warrant this sort of thing.

However, how can you trust that your shit isn't compromised?

I mean, I'm wary of normal autocorrect, but having a central something know all my passwords and have the ability to auto every single one?

What if you lose your access to this database? Do you need a password manager for a password manager?

If this thing were ever compromised then you'd be up shit creek without a paddle.

>>58074731
If you forget the one single password that's actually important, then your default scheme of memorizing every password in your head isn't going to fair much better.

>>58071265
Keepass worked really shitty on my ubuntu machine - I couldn't copy/paste stored passwords into shell and I had to resort to first pasting them into a text editor and then copying from it and only then pasting into shell.

Also, KeepassX doesn't look shit.

>ctrl+f
>no pwd.sh

You disappoint me, /g/.

>>58075270
>Keepass worked really shitty on my ubuntu machine - I couldn't copy/paste stored passwords into shell and I had to resort to first pasting them into a text editor and then copying from it and only then pasting into shell.
X is retarded and has multiple clipboards, that's probably what tripped you up

Also if you're on Linux why use that garbage when you can just use the superior ‘pass’

>>58067212
>>58069794
this

>>58067335
>>58067579
that is why you don't use keepass, you use superior keepassX

>>58068511
>>58071265
see above, the database is far superior and is free of .NET

>>58075524
>that is why you don't use keepass, you use superior keepassX
Why would I use keepassX when I can use a real password manager like pass instead?

>want to use a password manager
>decide on keepass
>bloated as fuck because mono
>continue looking
>find keepassX
>project is dead we keepassx2 now
>we don't have any plugins
>you have to try and get some firefox addon that was designed for keepass to work for keepassx2
>no yubikey support
I just want to be able to have security + somewhat ease of use. Is this not allowed?

>>58066218
The one thing that bothers me with pass is that it leaves the folder structure/account names unencrypted.
If anyone has a .bashrc script or a systemd job config that takes care of unencrypting and untaring the .passwordstore folder on startup and then taring and encrypting it on shutdown, pls post.

>>58076359
why not just use ecryptfs

>>58076415
I suppose that is the way to go.

So I skimmed through the thread and i'm still sceptical. I just don't trust any third party service storing/generating passwords for me, but again, I realize how important it is to regularly update passwords, add 2fa where possible and so on.

So is there a password manager, which is really secure and free? Maybe a password manager which stores passwords locally or something?

>>58076518
Muh UNIX philosophy. I don't know of any other password manager that doesn't require a GUI.
And the unencrypted directory structure has the benefit of enabling tab completion for account names.

Also enables you to add passwords to the store without entering the password of the private key.

>>58076537
Yes, it's called keepass.

>>58076518
Becuase it follows the UNIX philosophy and reuses tried and true existing technologies instead of reinventing the wheel poorly

`pass` is just a shell script that wraps together existing tools like `tree`, $EDITOR, GnuPG, xclip and git. It does basically nothing on its own, and that's why it's

1. secure (GPG is well-known, widely audited and NSA-proof as per snowden)
2. forwards compatible (since it uses plain files and GPG, you can both easily migrate your database to future versions and easily read/recover it 20 years down the line, can't say the same for some shitty homegrown database format that's reliant on a single tool continuing to exist)
3. portable

>>58076518
>>58076610
Nobody is requiring you to have the account name in the folder structure. `pass` mandates no folder structure, it's entirely your choice.

The scheme proposed by rofi-pass, for example, is to have both the account name and the password inside the encrypted contents, as separate lines (using a “Key: Value” format)

Then make the file name the domain/URL/whatever, and rofi-pass / qutebrowser will be able to automatically fill in the login prompt for matching domains.

>>58076720
does keepassX use GnuPG too?

>>58076735
>Nobody is requiring you to have the account name in the folder structure
I know, but someone who's laid his hands on the device can still see I have an account at bad-dragon.com, see entries for multiple ssh and VPN keys he wouldn't have known to look for, etc.

>>58076808
In that case you could use ecryptfs as suggested

>>58076836
>he'd rather have one monolothic blob of poorly implemented software than combining 10 pieces of purpose-built, well-engineered subsystems that are each designed by experts for their particular use case

>>58076836
>>58076957
windows user detected

enjoy your unsecure bloatware

>>58068455
>we keep cleartext password in our public-facing mysql server last updated in 2007
Sounds like your average bank.

>>58071265
the x stands for xtreme

>>58072340
I mean he has a point, keychain works pretty well. Don't have to use iCloud Keychain.
Also remembers wifi passwords.
I use 1Password tho

>>58076359
Are you saying that you're not using FDE?

File: wtf_am_i_reading.jpg (61KB, 600x600px) Image search: [Google]

61KB, 600x600px

>>58076720
>GnuPG
>NSA-proof

>>58077360
NSA has been unable to crack OTR and GPG

>>58077379
How do you know?

>>58077392
Snowden documents

>>58077399
Did you cross-check those documents from another source?

>>58077360
sauce

Pen & Paper

>>58076348
You're "allowed" to use Lastpass

>>58076348
Why does everyone get so upset over mono? Is it a freedoms thing?

>>58079244
the installed size of keepass for me would be 163.80 MiB (because mono) versus 2.05 MiB for keepassx2
it's bloat

>>58079576
Do you have so little storage?

>>58079576
I guess that is fair. Depends on the features you want i suppose

>>58079681
It's because of people like you that Visual Studio now requires 60+GB free space

>>58066218
KeePass, because you can use frankly ludicrous encoding, you can generate random passwords fitting all kinds of restrictions, and it has no networking components. If you want it to be available over the Internet you can put the relevant files in Dropbox or something more secure.

>>58080841
Obvious NSA shill is obvious

>>58080964
single source to back that up

File: 1465796768233.jpg (40KB, 750x566px) Image search: [Google]

40KB, 750x566px

>>58066218
how the fuck do I install KeeOTP? It says the plugin is loaded, but I have no option for this anywhere

>>58081459
Keepass is okay, if any of the things it is on get compromised it is game over. Same shit as having your browser remember your passwords...

If you have access to the program you can simply turn off the encryption and the next time the user uses keepass you get everything dumped to a .csv file.

For the skiddies, I'm pretty sure it'll take under 30 seconds to find a program to do that on github.

>>58081459
just google keepass hack...

>>58083260
Actually doing the googling- very bruteforceable if you only have the database

File: 1452830003036.png (53KB, 1000x1000px) Image search: [Google]

53KB, 1000x1000px

>>58083298
On the topic of brute forcing, how easy is it to brute-force compared to the GPG-encrypted files of pass? Anybody have a clue?

Bump actually been interested in this too. Is pass more secure than KeePass or the forks?

lastpass because im not paranoid lmao

>>58076348
Project is not dead you dumbass.

Stop talking shit.

>>58085278
enjoy getting your data hacked, nerd

>>58067579

Couldn't you make your own (use a known algorithm, but don't use the program/keep the source code them to reverse the process). If the crypto guys trying to crack it don't know the algorithm/salting (or other additives to the hash) how can they crack it. Shouldn't it be hashed then encrypted in some manner, making it take some decades to figure out?

If I use a local password encryption service I now have a weak point in that if someone knows or steals the storage device with the program, they can gain access to everything, it's only slowing them down a little bit. Because if they're remote viewing and recording before they do the attack then they should have that master password available to them, making the entire thing only as secure as a text document (or in a physical note pad). The same goes for loss of a USB with the program, wouldn't you be paranoid about carrying that around?

In general is it a good idea to encrypt the password encryption program/folder using the basic win7 encryption? It's more about making it harder to just copy paste the program/folder and brute force it.

>So, what password manager do you use?
Firefox

>Why?
Because I'm not mentally retarded.

>>58086059
Enjoy your down syndrome, retard.

Has anyone tried enpass?

File: 1469248780110.png (19KB, 931x969px) Image search: [Google]

19KB, 931x969px

I see everybody talking about how "if somebody gets a hold of your database, then you're totally fucked" but for the record, I'm sure a lot of people here use Firefox autofill. Getting a hold of those databases wouldn't be hard, and arguably it's harder to police because of how not secure Firefox is.

I think the prime reason people use a password manager is to keep their passwords diverse, so that way losing one password isn't the death of you. If you aren't worried about the former getting jacked, then being worried about the latter can be pretty silly unless you let your stuff get regularly go over the cloud.

It's also easy to keep track of what you have an account on, and letting one password get lost on a shitty website doesn't result in multiples.

So, benefits and tradeoffs I guess.

>2016
>Not using BioSSL or hardware solutions for password management.

Use keepass2 it is better than keepassx but over mono framework on linux

>>58086959
this

yeah i'm probably fucked if DropBox gets hacked and they fail to warn users in time, and Keepass database is as trivial to brute force as this thread seems to think. But just using it to have completely different passwords on EVERY site helps a lot

>>58086448
>If the crypto guys trying to crack it don't know the algorithm/salting (or other additives to the hash) how can they crack it.
This is called “security by obscurity” and it only works if you're uninteresting.

>>58077317
I am actually.
It's just that FDE protects you when the device is off. There are plenty of times I need to step away from my running laptop either at work or at home.

>>58088803
Put it in a truecrypt container that is unmounted every time you lock the screen then

>>58086632
>Because if they're remote viewing and recording before they do the attack
You're pretty fucked regardless then aren't you?

How come people trust these small companies to keep everything safe? If amazon can get hacked, why not onepassword?

>>58088803
Somebody with physical access to your machine can pwn you in a billion different ways

FDE ain't gonna change that, kid

>>58090331
Because they have password in their name???

>>58090331
its down to convenience
It's enough for most people to say "oh it's a reputable company, so I'll trust them to not get hacked".
You can't really blame them either, when the alternative is either Keepass (which has 2 different versions as well as a different product with a very similar name KeepassX) or maintaining 16 different scripts with Pass

>>58090331
>How come people trust these small companies to keep everything safe?
Because they're fucking retards?

>>58090631
>or maintaining 16 different scripts with Pass

emerge pass

wow, such maintenance; so difficult, omg

2hard4me

>>58090666
>implying normies will do this

>>58090688
> Sup /g/, let's talk password managers.
> normies

>>58090724
are you dense?
the question was why do people trust these small companies like Lastpass etc.
The answer is coz they are normies

>>58066218
I put everything insubstantial in LastPass and memorize the important ones

So I have to remember my bank, cell service, Google account, and LastPass

>>58090777
That seems like a pretty good method

>>58091113
It prevents anything from really falling out of my control, everything I store in LastPass requires verification through my email address to change credentials.

Never store your email address passwords in a password manager and never reuse your email address password, the rest isn't that important

>>58083489
Bump, I'd still like to know which uses better encryption

>>58066218
Write your own command line password manager.

>>58086816
Yes. Enpass is the best. Would recommend 100%.

>>58093348
How is enpass?

I've never heard of it until now, but the lack of open sourceness does bother me

I just use keepassX, it just werks

>>58093201
Another bump because I don't want to make an ew thread for this

My password manager is a cyanide pill under my third molar. B-)

>>58095780
+1 for Keepass

>>58096375
But how do you get the cops to swallow it?
The onvious answer does you no glory, anon.