Why use a password manager?
Ars just did a story about how anything but very high quality passwords may not be good enough. I'd been fighting the whole password managers thing because I've already got a system for difficult passwords, but they're definitely not as good as this article is recommending (along the lines of "WVGw.ZUT2bfLHR")
I always thought OpenID would take off to help fix this, so that, if you're going to remember a really hard password, you only have to remember one. Unfortunately, more services are using Facebook/Google sign-ins, which I avoid.
Edit: Note that this might fall into a category where you can never really gain actual security, but that's part of why I wanted to bring it up here; I'm trying to find out if anyone actually uses password managers + super hard passwords, or if that's a rarity.
-
- Posts: 1212
- Joined: Wed Jul 18, 2007 5:45 pm
Re: Why use a password manager?
I came across that same article as well, webfork.
I've also skipped on using password managers, but that article gives a good reason why you should use one. Also the concept of passphrases is new to me and I'm definitely going to use the Diceware method.
Last edited by freakazoid on Sat Jun 08, 2013 8:49 pm, edited 1 time in total.
is it stealth?
Re: Why use a password manager?
I'm using a password manager. It contains not so hard to remember passwords, but many different ones, so I really need it. Its database (master) password is simple, though, so I can easily remember it. I should note that I'm not hiding anything from NSA, CIA etc. They don't scare me. But if my wife would find access to some of my accounts...oh, boy!
Re: Why use a password manager?
There is a passphrase generator available for Keepass2 listed in the plugins section of the keepass website. It's called Readable Passphrase Generator and is downloadable from the Readable Passphrase Generator website.
Edited to add url.
Re: Why use a password manager?
I use Password Safe, and all my passwords are randomly generated.
My YouTube channel | Release date of my 13th playlist: August 24, 2020
- Andrew Lee
- Posts: 3076
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Why use a password manager?
This is a really big problem and is getting messier by the day.
I too use a password manager, but it is far from ideal. The password manager runs from my PC, and it is really inconvenient when I need a password on my mobile or laptop.
Not sure how readable passphrases help, since you are supposed to use different passwords on different sites, and I am subscribed one way or another to hundreds of them! (forums, ecommerce, social networking etc.). And some sites force you to change the password for one reason or another, so it won't be possible to remember them, and we are back to password managers again.
The prominent solution for cross-platform password manager now is LastPass, but even that is non-ideal (not after the demise of Google Reader!).
The world really screams for a solution on this issue, but there's no light at the end of this tunnel yet...
Re: Why use a password manager?
All you can do is be proactive, use every character a site offers, change it periodically, check regularly for breaches. If it's 26 max characters, generate a 26 character password. eYEaaMso0kule is not very creative seeing the sophistication (and horsepower) used to crack em - pretty amazing.
I have to use a password manager for the drag&drop otherwise I could never remember them.
We are part of the problem, I don't think we want to be too put-out, but we like to complain when we get hit. I wouldn't mind a multi-step process if it was worth the effort.
This is our modern world, cracking passwords is one issue. There are those staunch political types who like to intimidate those on the political opposite side of a matter - same-sex marriage, pot, immigration ..., they find names, addresses, of the opposition and post the info online for the crazies who show up in your front yard, or at your place of business - threaten, intimidate, trouble make.
There will always be victimizers and victims. I guess you have to ask yourself, what lengths are you willing to go to protect yourself, or someone you love...?
Re: Why use a password manager?
webfork wrote: I'm trying to find out if anyone actually uses password managers + super hard passwords, or if that's a rarity.
I use a password manager: it's Keepass, because it's multi-platform and has a single file database that I can easily synchronize via Dropbox or any such webservice; no super hard passwords, though -- too much hassle and not easily replicable by hand. OTOH, I use a keyfile as master password, so no dice without possession of that file... now which of the 1 432 765 files on my rig is the right one?
I had the same high hopes about OpenID and am truly saddened by its failure...
Re: Why use a password manager?
Maybe it will take off?!
-
- Posts: 48
- Joined: Thu Nov 15, 2012 11:38 pm
Re: Why use a password manager?
I loved that article from Ars Technica
But I also use a standalone PC based Password manager like KeePass. But I'm beginning to think that an online solution like Last Pass might be the best option. I heard Last Pass is one of the best methods of dealing with storing passwords plus it works on multiple computers and there's even a free version of it! I really feel that LastPass is the way of the future although I'm not going to them just yet.
One more thing: we really need to start getting serious about creating and using strong passwords.
Did you notice that the hackers even kept the correcthorsebatterystaple in their dictionary! That means people who thought that they could just use that will get pwned big time! Plus adding cool combinations like dogmonkeygirl is just as vulnerable because they can use a combination attack to get the password, as a well known security researcher has said it's the death of clever! You now need to create long and randomized passwords to be truly secure and let's not forget 2 factor authentication!
Re: Why use a password manager?
The Image above should be credited to the brilliant XKCD site
http://xkcd.com/936/
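An added illustration of the Diceware and random-password points raised in the posts above (not code from any poster or from the tools they mention): it compares the entropy of random characters with randomly rolled Diceware words and generates both with a CSPRNG. The function names are hypothetical and the word list is a constructed placeholder standing in for a real 7776-entry Diceware list.

```python
import itertools
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LIST_SIZE = 6 ** 5  # a Diceware list has 7776 entries, one per five-dice roll

def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy in `picks` independent, uniformly random selections."""
    return picks * math.log2(choices)

def picks_needed(choices: int, target_bits: float) -> int:
    """Smallest number of uniform picks that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))

def roll_keys(n_words: int) -> list[str]:
    """Five CSPRNG 'dice' per word; each key such as '41325' names one list entry."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(n_words)]

def passphrase(wordlist: dict[str, str], n_words: int) -> str:
    """Join the words found under freshly rolled keys."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("need all 7776 entries, or the entropy estimate is wrong")
    return " ".join(wordlist[key] for key in roll_keys(n_words))

def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password, e.g. as long as the site allows."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def placeholder_wordlist() -> dict[str, str]:
    """Constructed stand-in ('w11111'..'w66666'); load a real list in practice."""
    return {"".join(k): "w" + "".join(k)
            for k in itertools.product("123456", repeat=5)}

if __name__ == "__main__":
    # These figures hold only for random picks. A phrase a person chose,
    # however long, can sit in a cracking dictionary and has no such floor.
    target = entropy_bits(len(PRINTABLE), 14)  # 14 random printable characters
    print(f"14 random chars  : {target:.1f} bits")
    print(f"one Diceware word: {entropy_bits(LIST_SIZE, 1):.1f} bits")
    print(f"words to match   : {picks_needed(LIST_SIZE, target)}")
    print(f"26 random chars  : {entropy_bits(len(PRINTABLE), 26):.1f} bits")
    print(passphrase(placeholder_wordlist(), 6))
    print(random_password(26))
```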
Re: Why use a password manager?
Midas wrote: OTOH, I use a keyfile as master password, so no dice without possession of that file... now which of the 1 432 765 files on my rig is the right one?
I thought the path to the keyfile was listed in KeePass.config.xml - is that not actually the case on your installation? It is with my v2.22 installation - KeePass also shows the keyfile in the keyfield field drop-down when you run KeePass itself. The config file is an XML file, so open it with a text editor and search for the name of your keyfile to check it (just make sure you open the right config file, if you run Vista onwards with UAC enabled, you may find 2 config files on your system, the first one being a small file with one single line which simply points to the location of the real config file).
Of interest as well, the below is from the keyfile section of the KeePass documentation, stating why keeping the keyfile location a secret is not really too important:
(http://keepass.info/help/base/keys.html)
Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn't increase security at all, because it's very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.
Re: Why use a password manager?
romulous wrote: I thought the path to the keyfile was listed in KeePass.config.xml - is that not actually the case on your installation? It is with my v2.22 installation - KeePass also shows the keyfile in the keyfield field drop-down when you run KeePass itself.
My KeePass is a portable v1.23 (no DotNET dependency), which keeps settings in a 'keepass.ini' alongside the main executable, and the only path mention in there is the "KeeLastDir=" key -- defaulting to Keepass own folder. In any case, better keep that keyfile out of there...
http://keepass.info/help/base/keys.html author wrote: Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn't increase security at all, because it's very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.
Quite right, I'm afraid. But then, password managers and such are only weak countermeasures for a determined foe; given enough resources, he won't even have to bruteforce your system (or yourself, for that matter); all he needs is access to TEMPEST type monitoring...
(see also http://en.wikipedia.org/wiki/Computer_s ... a_distance)
BTW, I earnestly recommend people watch the late Tony Scott's "Enemy of the State" for an entertaining primer on digital surveillance -- nearly everything that movie shows related to the field is real...
Re: Why use a password manager?
Midas wrote: My KeePass is a portable v1.23 (no DotNET dependency), which keeps settings in a 'keepass.ini' alongside the main executable, and the only path mention in there is the "KeeLastDir=" key -- defaulting to Keepass own folder. In any case, better keep that keyfile out of there...
Oops, yes - I am using the non-portable version, and of v2.x. I completely forgot about the portable version of 1.x - it should have been obvious I suppose, considering the forums I was posting in!