How to create strong passwords (without driving yourself mad)

http://www.welivesecurity.com/2013/...trong-passwords-without-driving-yourself-mad/

 

For 25 characters, letters and numbers:

< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-25};echo;

 

Ever since I discovered LastPass, my internet life has never been the same. I now have the strongest passwords possible for every site on the web and I don't have to remember any of them.

 

Definitely see the links here.

 

id recommend you dish lastpass immediately if your passphrases security is of any importance to you

 

Bad grammar, no evidence, and questionable claims. Everyone will surely follow that.

Honestly, Lastpass is one of the most convenient ways for password management, with reasonable security like salted hashes, two-factor authentication, security checks, password generation, one-time passwords, and on-screen keyboard.

I've yet to see anything, but wild speculation on the privacy of your information there. Then again, I wouldn't store anything truly private online, so keep those kinds of passwords to yourself.

 

I just tried KeeFox. Pretty cool, although it took some tweaking to work with an already installed KP Portable in a TC container. Probably won't stick with it, but good to know.

PD

 

seriously thats all you got , lols , im not impressed , anyhow its up to you , i was just putting out the options , and keepass is the logical choice from my point of view, that would be storing all your passphrases !offline! not online not one not two , none , dont matter how "irrelevant" they may be so use a local client not online , btw never expected to see a grammar nazy here but whatever floats your boat i guess , oh before i forget , all the above mentioned can be done with keepass as well without any possible backdoors you can download and check the source code itself , and yes lastpass stores an encrypted copy of its database locally but still , i just dont trust it period, sorry



heres a little something that might interest you since i havent posted any evidence -.-'
http://lifehacker.com/5944969/which-password-manager-is-the-most-secure

and this might interest you wich you couldve found by doing a simple search

http://keepass.info/help/base/security.html

 

Grammar Nazis nitpick little details, I see something fundamentally wrong with your writing (like no periods or capitals). Seriously, that makes it harder to read.

It's your choice what to choose (pretty much fine with second post), but I do see a problem with vague, baseless bashing (first post).

That article is good, but doesn't support the "LastPass being insecure just because it's online" argument.

 

well thats the internetz for you kind sir , no periods no capitals , thats life , live with it , be happy that i havent brought out the big guns the legendary walls of text i do every so often depending on mood , lols, and as i said dont got nothing against people using lastpass but i for one wouldnt touch it with a ten foot pole , no offense and read the keepass security link ive linked too as well , now go and compare all that with lastpass and the picture should become pretty darn clear , if not , well atleast i tried, i cant startpage everything for ya , cheers

another one with audio and visuals


https://www.youtube.com/watch?v=JB1ePElPDjk&hd=1&list=UL

 

As I understand it LP encrypts/decrypts all locally within the browser, nothing plain text ever goes near the internet, throw in 2 factor authentication and its pretty much nailed on.
Is this doubt over LP a trust issue involving LP and how they treat our data/say they treat our data, or is it the fact that encrypted data is stored in the cloud and the crypto itself is vulnerable ? Has AES in fact been broke ?
Is there an implementation SNAFU ?
What could LP give away if compelled say with a national security letter (NSL) ?

 

for starters this older bit of news was enough for me to stay far away from it

http://blog.sucuri.net/2011/05/lastpass-hacked-forcing-users-to-change-their-master-passwords.html

and heres someone that got the same point of view as me

http://www.infosecstudent.com/2013/...s-why-lastpass-just-isnt-working-out-anymore/



a national security letter , hmmm...lemme think , how bout all and everything theyve ever stored about you on theyre servers that includes possible backdoores to your local "encrypted" database per browser addon, as said its up to whoever manages to put trust in them , i sure as hell dont , those should be enough infolinks to make up your mind id say, and no AES hasnt been cracked , lols, thats what the NSA is trying to do with that huge DATACENTER theyre building , perhaps planning on quantum computing buildings as well , tbh , it wont help much thou if the passphrases used are max entropy pseudo random passphrases with 20-64 characters

 

I kinda see your logic here but as far as I see it the folks at LP would pretty much have to be in bed with the enemy ( read NSA/elites/hackers/but probably the NSA )
The crypto and implementation just work. They are well known and documented and people a lot smarter than me have hammered on them.
I only ever install the add on on Firefox as you can't write a closed-source Firefox addon, since an addon contains Javascript files (.js), XUL files (.xul) and CSS files (.css), and some images. Javascript is an interpreted language, meaning that every javascript program must be open source, but you can obfuscate the code. XUL files are simple XML files, which control the GUI.
However and after all is said and done I have to concede that an element of faith in LP is required here.

 

There is a simpler way to create strong passwords, and store them right in plain sight. Start with about 10 random text files, between 50 and 100K in size. Encrypt them using PGP and any available public keys. When you need a password, copy and paste from one of these encrypted text files, using an editor that displays line numbers. All you have to keep tract of is which file you used, where you started the copy, and where you stopped. You can keep that in its own file, obscured in whatever fashion you like.
Example:

The password selected is
XF8g/d9QqSLy4lbRb/ocCimhzL+p/TScl9

Unobscured, the selected password location is
02-125-53-126-22
2nd source file,
start at line 125, 53 character
stop at line 126, 22 character

Unless the attacker knows exactly what you're doing, it would be next to impossible for them to know what you selected. Without knowing the length of the password and what files were used as sources, brute force would be quite a project.
Using 10 source files, about 1000 lines each, 64 characters per line. With the password length unknown, how many possibilities are there?

Some ways the key could be obscured.
add any number to all stored numbers. Reverse source file numbers. add extra characters that only you know are meaningless. Use more than one copy and paste.

 

I have been using Last Pass for years, but I never trust it for any critical passwords. I just keep all those memorize.

There are some few things about Last Pass that I worry about. Maybe it is because I just do not understand the technology well.

First, you can log into your account from any browser, as long as you enter your Last Pass id and master password. Does that not mean that any hacker who could find your id and master password then has complete access to ALL your other passwords? That seems too many eggs in one basket.

Second, these companies like Last Pass are big targets for hackers. Every now and again they get hacked. The users probably never hear about most of the cases when the companies find it early. Even Last Pass, even though they specialize in security, announced in 2011 that they might have been hacked and they recommended changing passwords.

Third, does Last Pass compile profiles based on tracking your internet activity? Even if your ids and passwords are not hacked, does your browsing profile if it exists make a risk to your anonymity?

 

First, two-factor authentication. That's if they somehow found your password in the first place. Very difficult except on infected machines, use one-time password for public computers.

Second, they only recommended it just in case. Hackers basically got access to your salted (encrypted) databases, meaning they have to crack 256-bit AES. Your browser extension stores the encryption key and decryption occurs on the local computer. More.

Third, highly unlikely since they should only see encrypted data. You can be sure eyes are on them. A level of trust is required though, due to not truly open-source.

 

I share your concern for critical accounts. I maintain the same rule (only non-criticals in LastPass), but I use a local password manager instead of just memorization.

See here.

Well, depending on your security hygiene, some "hacker" gaining access to your ID and password should be quite low...but yes, if someone did gain access to that information, that's exactly what that means.

It sounds like your facts are a bit lacking. I'd be interested to see evidence for "every now and again". True, LastPass did experience a possible breach, but the odds anyone's info was compromised are slim to none. The only reason you would have anything to worry about with a LastPass hack would be if they were incompetent in their encryption (which, I doubt they are, since they're pretty solid and reputable, plus it's basically all they do)...or if you maintained a weak master password.

See here.

The LastPass applet is simply a local javascript that encrypts & sends, and receives & decrypts data that you feed into it. There's really nothing else it can do.

If you're suspicious about this, you could always just use the non-binary version of the extension, which is 100% JavaScript, which anyone could view to confirm it's not collecting any data. And then you could also use network sniffing with a proxy to verify that the sensitive data is encrypted before being sent anyway.

 

LastPass never gets unencrypted data. All they have is an encrypted file on their server. All decryption happens locally. They don't know your master password, and they never see what you have in your vault.

A hacker could get your KeePass credentials as well. A local compromise means your machine is no longer yours - all bets are off.

LastPass was fully open about what they saw in their logs...as a matter of fact, I've never seen a security company be more open.

I use it, so I'm a fanboy, but you can use KeePass and KeeFox if it makes you feel better.

P.S. Oh yeah 2 Factor can help with LP, as mentioned above.

PD