How to create strong passwords (without driving yourself mad)

Discussion in 'privacy technology' started by SweX, Jul 17, 2013.

Thread Status:
Not open for further replies.
  1. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    http://www.welivesecurity.com/2013/...trong-passwords-without-driving-yourself-mad/
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    For 25 characters, letters and numbers:

    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-25};echo;
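The same idea in Python, as an added example that is not part of mirimir's post: draw each symbol uniformly from the 64-character class the tr one-liner uses (underscore, A-Z, hyphen, a-z, 0-9), either via the `secrets` module or by filtering raw `os.urandom` bytes the way `tr -dc` does, and compute the resulting entropy. `generate_password`, `filtered_urandom_password`, `entropy_bits` and `expected_guesses_years` are names chosen here; the brute-force rate passed to the last one is whatever figure you want to assume.

```python
import math
import os
import secrets
import string

# Same 64-symbol class as the tr one-liner: underscore, A-Z, hyphen, a-z, 0-9.
ALPHABET = "_" + string.ascii_uppercase + "-" + string.ascii_lowercase + string.digits


def generate_password(length=25, alphabet=ALPHABET):
    """Draw `length` symbols uniformly from `alphabet` using the OS CSPRNG."""
    if length < 1 or len(set(alphabet)) != len(alphabet):
        raise ValueError("length must be positive and alphabet must have no repeats")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def filtered_urandom_password(length=25, alphabet=ALPHABET):
    """Mirror `tr -dc`: read raw bytes and keep only those inside the alphabet.

    Discarding out-of-class bytes is rejection sampling, so every kept symbol
    is equally likely; there is no modulo bias as there would be with
    `byte % len(alphabet)`.
    """
    allowed = set(alphabet.encode())
    out = bytearray()
    while len(out) < length:
        out.extend(b for b in os.urandom(64) if b in allowed)
    return out[:length].decode()


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_guesses_years(bits, guesses_per_second):
    """Average brute-force time (half the space) in years at an assumed rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    print(filtered_urandom_password())
    # Assumed rate of 1e12 guesses/s, purely for scale.
    print(f"{expected_guesses_years(150, 1e12):.1e} years at 1e12 guesses/s")
```

With 64 symbols each character carries exactly 6 bits, so the 25-character default gives 150 bits; whether that is needed depends on how the password is stored and hashed on the other side, but it is far beyond what any online or offline guessing rate can reach.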
     
  3. Grassman20

    Grassman20 Registered Member

    Joined:
    Jul 14, 2013
    Posts:
    26
    Location:
    USA
    Ever since I discovered LastPass, my internet life has never been the same. I now have the strongest passwords possible for every site on the web and I don't have to remember any of them.
     
  4. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Definitely see the links here.
     
  5. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    id recommend you ditch lastpass immediately if your passphrases' security is of any importance to you
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Bad grammar, no evidence, and questionable claims. Everyone will surely follow that.

    Honestly, Lastpass is one of the most convenient ways for password management, with reasonable security like salted hashes, two-factor authentication, security checks, password generation, one-time passwords, and on-screen keyboard.

    I've yet to see anything, but wild speculation on the privacy of your information there. Then again, I wouldn't store anything truly private online, so keep those kinds of passwords to yourself.
     
  7. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I just tried KeeFox. Pretty cool, although it took some tweaking to work with an already installed KP Portable in a TC container. Probably won't stick with it, but good to know.

    PD
     
  8. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802

    seriously thats all you got , lols , im not impressed , anyhow its up to you , i was just putting out the options , and keepass is the logical choice from my point of view, that would be storing all your passphrases !offline! not online not one not two , none , dont matter how "irrelevant" they may be so use a local client not online , btw never expected to see a grammar nazi here but whatever floats your boat i guess :rolleyes: , oh before i forget , all the above mentioned can be done with keepass as well without any possible backdoors you can download and check the source code itself , and yes lastpass stores an encrypted copy of its database locally but still , i just dont trust it period, sorry :cautious:



    heres a little something that might interest you since i havent posted any evidence -.-'
    http://lifehacker.com/5944969/which-password-manager-is-the-most-secure

    and this might interest you which you couldve found by doing a simple search

    http://keepass.info/help/base/security.html
     
    Last edited: Aug 18, 2013
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Grammar Nazis nitpick little details; I see something fundamentally wrong with your writing (like no periods or capitals). Seriously, that makes it harder to read.

    It's your choice what to choose (pretty much fine with second post), but I do see a problem with vague, baseless bashing (first post).

    That article is good, but doesn't support the "LastPass being insecure just because it's online" argument.
     
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    well thats the internetz for you kind sir , no periods no capitals , thats life , live with it , be happy that i havent brought out the big guns the legendary walls of text i do every so often depending on mood , lols, and as i said dont got nothing against people using lastpass but i for one wouldnt touch it with a ten foot pole , no offense and read the keepass security link ive linked to as well , now go and compare all that with lastpass and the picture should become pretty darn clear , if not , well at least i tried, i cant startpage everything for ya ;) , cheers

    another one with audio and visuals ;)


    https://www.youtube.com/watch?v=JB1ePElPDjk&hd=1&list=UL
     
    Last edited: Aug 18, 2013
  11. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    As I understand it LP encrypts/decrypts all locally within the browser, nothing plain text ever goes near the internet, throw in 2 factor authentication and it's pretty much nailed on.
    Is this doubt over LP a trust issue involving LP and how they treat our data/say they treat our data, or is it the fact that encrypted data is stored in the cloud and the crypto itself is vulnerable? Has AES in fact been broken?
    Is there an implementation SNAFU?
    What could LP give away if compelled say with a national security letter (NSL)?
     
  12. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    for starters this older bit of news was enough for me to stay far away from it

    http://blog.sucuri.net/2011/05/lastpass-hacked-forcing-users-to-change-their-master-passwords.html

    and heres someone that got the same point of view as me

    http://www.infosecstudent.com/2013/...s-why-lastpass-just-isnt-working-out-anymore/



    a national security letter , hmmm...lemme think , how bout all and everything theyve ever stored about you on their servers that includes possible backdoors to your local "encrypted" database per browser addon, as said its up to whoever manages to put trust in them , i sure as hell dont , those should be enough infolinks to make up your mind id say, and no AES hasnt been cracked , lols, thats what the NSA is trying to do with that huge DATACENTER theyre building , perhaps planning on quantum computing buildings as well , tbh , it wont help much though if the passphrases used are max entropy pseudo random passphrases with 20-64 characters
     
    Last edited: Aug 18, 2013
  13. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    I kinda see your logic here but as far as I see it the folks at LP would pretty much have to be in bed with the enemy ( read NSA/elites/hackers/but probably the NSA :p )
    The crypto and implementation just work. They are well known and documented and people a lot smarter than me have hammered on them.
    I only ever install the add on on Firefox as you can't write a closed-source Firefox addon, since an addon contains Javascript files (.js), XUL files (.xul) and CSS files (.css), and some images. Javascript is an interpreted language, meaning that every javascript program must be open source, but you can obfuscate the code. XUL files are simple XML files, which control the GUI.
    However and after all is said and done I have to concede that an element of faith in LP is required here.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There is a simpler way to create strong passwords, and store them right in plain sight. Start with about 10 random text files, between 50 and 100K in size. Encrypt them using PGP and any available public keys. When you need a password, copy and paste from one of these encrypted text files, using an editor that displays line numbers. All you have to keep track of is which file you used, where you started the copy, and where you stopped. You can keep that in its own file, obscured in whatever fashion you like.
    Example:
    [image: example.gif]
    The password selected is
    XF8g/d9QqSLy4lbRb/ocCimhzL+p/TScl9

    Unobscured, the selected password location is
    02-125-53-126-22
    2nd source file,
    start at line 125, character 53
    stop at line 126, character 22

    Unless the attacker knows exactly what you're doing, it would be next to impossible for them to know what you selected. Without knowing the length of the password and what files were used as sources, brute force would be quite a project.
    Using 10 source files of about 1000 lines each, 64 characters per line, and with the password length unknown, how many possibilities are there?

    Some ways the key could be obscured:
    Add any number to all stored numbers. Reverse source file numbers. Add extra characters that only you know are meaningless. Use more than one copy and paste.
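To put numbers on the counting question in the post above, here is an added example (not noone_particular's code) that enumerates the (file, start, stop) selections an attacker who already holds the source files would have to try, treating each file as one character stream so a selection may cross a line boundary as the example password does. It also computes, for comparison, the entropy the same number of characters would carry if they were simply random draws from the 64-symbol base64 alphabet of ASCII-armoured PGP output. The parameters default to the figures in the post (10 files, 1000 lines, 64 characters per line); the cap of 64 on the password length is an assumption made here.

```python
import math


def substring_count(chars_per_file, max_len):
    """Number of contiguous substrings of length 1..max_len in a file of
    `chars_per_file` characters: a length-L substring can start at
    chars_per_file - L + 1 positions. max_len is clipped to the file size."""
    max_len = min(max_len, chars_per_file)
    return sum(chars_per_file - L + 1 for L in range(1, max_len + 1))


def location_search_space(files=10, lines=1000, chars_per_line=64, max_len=64):
    """Candidate (file, start, stop) selections when the password length is
    unknown but at most max_len characters. Figures default to the post's
    10 files x 1000 lines x 64 characters; the 64-character cap is assumed."""
    return files * substring_count(lines * chars_per_line, max_len)


def bits(n):
    """Work factor of a search space of n equally likely candidates."""
    return math.log2(n)


def random_password_bits(length, alphabet_size=64):
    """Entropy of `length` characters drawn uniformly from an alphabet of
    `alphabet_size` symbols (64 for base64-armoured PGP output)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    n = location_search_space()
    print(f"{n:,} selections: about {bits(n):.1f} bits if the attacker has the files")
    print(f"34 random base64 characters: {random_password_bits(34):.0f} bits if they do not")
```

Two very different numbers fall out of this. If the source files are secret, the 34-character example password is as strong as any other 34 random base64 characters, roughly 204 bits. If the files are not secret, the question reduces to guessing the location, and the whole selection space is only about 25 bits, so the scheme's strength rests entirely on the files never reaching an attacker, not on how the location record is obscured.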
     
  15. Tipsy

    Tipsy Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    207
    I have been using Last Pass for years, but I never trust it for any critical passwords. I just keep all those memorized.

    There are a few things about Last Pass that I worry about. Maybe it is because I just do not understand the technology well.

    First, you can log into your account from any browser, as long as you enter your Last Pass id and master password. Does that not mean that any hacker who could find your id and master password then has complete access to ALL your other passwords? That seems too many eggs in one basket.

    Second, these companies like Last Pass are big targets for hackers. Every now and again they get hacked. The users probably never hear about most of the cases when the companies find it early. Even Last Pass, even though they specialize in security, announced in 2011 that they might have been hacked and they recommended changing passwords.

    Third, does Last Pass compile profiles based on tracking your internet activity? Even if your ids and passwords are not hacked, does your browsing profile, if it exists, pose a risk to your anonymity?
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    First, two-factor authentication. That's if they somehow found your password in the first place. Very difficult except on infected machines, use one-time password for public computers.

    Second, they only recommended it just in case. Hackers basically got access to your salted (encrypted) databases, meaning they have to crack 256-bit AES. Your browser extension stores the encryption key and decryption occurs on the local computer. More.

    Third, highly unlikely since they should only see encrypted data. You can be sure eyes are on them. A level of trust is required though, due to not truly open-source.
     
  17. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    I share your concern for critical accounts. I maintain the same rule (only non-criticals in LastPass), but I use a local password manager instead of just memorization.

    See here.


    Well, depending on your security hygiene, some "hacker" gaining access to your ID and password should be quite low...but yes, if someone did gain access to that information, that's exactly what that means.

    It sounds like your facts are a bit lacking. I'd be interested to see evidence for "every now and again". True, LastPass did experience a possible breach, but the odds anyone's info was compromised are slim to none. The only reason you would have anything to worry about with a LastPass hack would be if they were incompetent in their encryption (which, I doubt they are, since they're pretty solid and reputable, plus it's basically all they do)...or if you maintained a weak master password.

    See here.

    The LastPass applet is simply a local javascript that encrypts & sends, and receives & decrypts data that you feed into it. There's really nothing else it can do.

    If you're suspicious about this, you could always just use the non-binary version of the extension, which is 100% JavaScript, which anyone could view to confirm it's not collecting any data. And then you could also use network sniffing with a proxy to verify that the sensitive data is encrypted before being sent anyway.
     
  18. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    LastPass never gets unencrypted data. All they have is an encrypted file on their server. All decryption happens locally. They don't know your master password, and they never see what you have in your vault.

    A hacker could get your KeePass credentials as well. A local compromise means your machine is no longer yours - all bets are off.

    LastPass was fully open about what they saw in their logs...as a matter of fact, I've never seen a security company be more open.

    I use it, so I'm a fanboy, but you can use KeePass and KeeFox if it makes you feel better.

    P.S. Oh yeah 2 Factor can help with LP, as mentioned above.

    PD
     