How to make secure logins with a password manager

Discussion in 'privacy problems' started by garry35, Dec 9, 2013.

Thread Status:
Not open for further replies.
  1. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    329
    I have read here and in many other places that long passwords are more secure, but for most people long or complex passwords are hard to remember, and the situation becomes worse the more you have to remember. So what's the most secure solution? I have ruled out a few for obvious reasons, as follows:

    Written down - the security problems are obvious but include losing the paper or whatever, the paper or other medium getting wet or damaged, and the paper falling into the wrong hands. There are no doubt many others.

    Using an online service - I don't trust my passwords to be sent online, and there are times when an internet connection isn't available.

    Using another program to keep master passwords - this brings another layer of complexity, presents another possible attack point for an attacker, and presents extra problems if the legitimate owner can't remember the master password.

    So what's left?
     
  2. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    137
    Location:
    Earth
    Hi,

    I use Keepass 2 with a Yubikey. You can create very strong passwords using different character sets. There are a lot of possibilities that you can choose from. In order to keep your encrypted database secure you have to use a master key and/or a key file. I use a Yubikey, which is perfectly suited for securing your database. You can configure your Yubikey to protect your database with One-Time Passwords. Here’s a detailed guide.
    http://www.yubico.com/applications/password-management/consumer/keepass/
    The big advantage is, you don't have to memorize a strong password and you usually carry your Yubikey around on your key chain. So if your computer is stolen no one can access the database without the Yubikey. It's perfect for phones as well. Two-factor authentication is the best way to secure accounts (in my opinion).
    http://keepass.info
    There are two slots to each Yubikey. I have 2. I also use it when logging in to Win7.

    Edit:
    There's also a portable version of Keepass. You could carry it around on a USB stick (which could be encrypted with truecrypt - there's also a portable version...and maybe the key to the file is in slot 2 or another Yubikey). That's just an idea. (But don't use the USB stick on the same key chain in case you lose it.) It may sound difficult but it is very easy because once set up, you don't have to remember anything except which slot or which Yubikey to use. If you only want to use one slot you have to configure it once and that's all. ;-)
     
    Last edited: Dec 9, 2013
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Even a long/strong password can become memorized and easily recalled through repetitively entering it. Particularly if there is some kind of pattern to it. A creative pattern, that is obscure/unique and only makes sense to you of course. Arbitrary example: a "memory walk" through your childhood home, where certain characters or combinations of said represent the things you encounter along your walk.

    Another approach would be to utilize a password that *is* written down or otherwise stored as plaintext, but a) make sure there are multiple copies of it including off-site, and b) make sure its "passwordness" is not obvious. Arbitrary example: an entry in an address book, along with some short-hand notes that work in unusual characters in a way that doesn't draw attention, which you convert to actual password form by entering things in a special order. Perhaps even two entries that get combined somehow.

    Just remember, no matter what approach you settle on to manage passwords including master passwords, you must consider the possibility that something could happen to you. If you were incapacitated, is there something you would want a family member and/or other person to be able to access? If you were killed, is there something you would want your executor and/or other survivors to be able to access? Such scenarios have to be thought through and, if/where necessary, plans put in place so that the appropriate people will have what they need to access things. Here, too, some people might choose to be a bit creative in order to protect against unauthorized use. Arbitrary example: break master password info into pieces and disperse those pieces in a way that would make it difficult for one person to pull them together... except in special situations where they would gain legal access to something, where multiple parties holding a piece would agree to bring them together, etc.
     
  4. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    329
    Thanks for the replies. The memorizing approach might sound easy, but after a few weeks or months you might forget. The plain text approach seems a little risky if somehow it fell into the wrong hands. All this is assuming that the master password can somehow be linked to the password(s) being protected.

     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I advocate using some type of password manager software.

    I mainly use LastPass which combines online and offline storage. My online setup uses 2 factor authentication. The offline relies on my 20 character password only.

    I still have a handful of things I keep in KeePass. It can be used in an online type mode but it is essentially an offline storage method. I use a 20 character password with it too.

    Both approaches use strong encryption as long as the master password is good. Forgetting the password is not an issue as I only remember 1 for LastPass and 1 for KeePass. I have found it easy to remember only 2 passwords. More than that would probably be a problem for an old geezer like me... ;)
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I wouldn't expect someone to forget a master password they are presumably entering on a regular basis to unlock the password database for use. However, given other usage scenarios and just the potential for someone to have an accident that affects their memory, I would agree that it would be good to have a "I've forgotten everything" plan.

    I'm not sure what you mean. If done well, you could literally hand someone the written/clear text from which your password is extracted/derived and they wouldn't have a clue it was used to remember a password. Let alone know how to arrive at the password from it. The possibilities are endless, but sticking with the address book entry for no particular reason...

    Claud Kilmarnok
    1785 W Laramie Plaza
    Waianae, HI 96792
    123-456-7890 (home)
    555-867-5309 (cell)
    098-765-4321 (work)

    What's my password? Here is the method I've chosen:

    1) First name characters in reverse order, alternated with home phone characters in reverse order: d0u9a8l7C-
    2) Work phone number without the area code with alternating shift key: 7^5$3@1
    3) Last cell phone digit, in spanish: nueve
    4) First and last characters from last name, in caps, separated by a comma: K,K

    All together that's: "d0u9a8l7C-7^5$3@1nueveK,K". Hopefully that at least demonstrates the concept of how you can take cleartext... even something no one would think twice about you having laying around or pulling up... and manipulate it in some way (any way you can dream up, really) to arrive at a strong password. Of course, there is still the "what if I forget how I did it" issue though.
     
    Last edited: Dec 9, 2013
  7. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    What exactly do you mean by a "2 factor authentication" in LastPass - and where/how do you set that up?
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  9. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
  10. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    This may be secure enough for your purpose but many others would say that is a risky password formula. If the CIA/FBI/NSA/KGB (maybe even local police) were motivated to crack your password, I am sure they have this sort of thing baked into their brute force program. Since you now have documented it on the internet, you should not use it without some substantial modifications.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    You weren't supposed to pick at the specific formula I chose for an example ;) FWIW though, I agree with you; one could very easily do better even if they applied their formula to the same type of (address book) text. Unless of course you object to the basic concept of applying a secret formula to non-secret text (1).

    (1) Non-secret in the sense that someone might find it, but that doesn't mean they will know that is used for such purposes.
     
  12. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    What is the confidence level that LastPass truly cannot decrypt our data? Regardless of their claims, it seems pretty simple to me that all they would need is to have a piece of code that intercepts the master password when entered by the user and writes that off elsewhere for future use (i.e. under an NSA request, they tag my account, next time I auth it intercepts my password and stores it in plaintext for their later use.)

    Granted, using 2-factor can somewhat defeat this, although at this point I have to suspect that 2-factor offerings like Google Auth could possibly be circumvented by intel agencies, by the provider compromising the code to generate the OTPs.

    I honestly haven't done a lot of research on it, but it has always been a lingering concern for me.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Tip for master password: write down (physical paper and/or computer file) a password hint. For example, your password hint could be "Nickname of my first love, followed by first 2 digits of my social security number, followed by name of my first dog, followed by last 2 digits of my social security number, followed by my college GPA (without decimal point) (all letters in lowercase)." A corresponding master password might be butternut31ralphie65312.
     
  14. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    In general, I am VERY much against this, however, if you ARE going to do this, I recommend something much more meaningless to someone else. I happen to use the word dakota in a lot of passwords, so I would use something more like:

    north wedding bang to be dakota10142008! Except I almost always add some punctuation substitution in words like d@kota, in which case I wouldn't add that to my hint. I am rarely in favor of hints except on systems where the security isn't critical.

    I believe there is a much stronger value in memorizing one strong password, and building on it. You can use something like your first license plate, which is pretty easy to remember since they are generally 3 letters 3 numbers or similar. Then you can build on it by doing something like lmp871dakot@10142008! and use a hint like north plate wedding bang. It won't secure you from a 3 letter, but it will from someone that might be able to gather other info like an SSN or whatnot.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    How about this idea for a password hint for a master password?

    What you'll need to construct your master password:
    1. A non-short sequence of random characters. You can use http://strongpasswordgenerator.com/ to generate this sequence. For this example, I'll use "fx69<Dq6" (without quotes).
    2. Two questions with short answers that you'll always remember the answer to, but yet that others are not likely to know the answer to both simultaneously.

    Here's an example password hint that gives you the construction of your master password:
    "First three letters of the last name of the first person that I dated (all lowercase letters), followed by the 6th and 7th digits of my social security number, followed by the remainder of the letters of the last name of the first person that I dated (all lowercase letters), followed by "fx69<Dq6" (without quotes), followed by the first three letters of my childhood nickname, followed by the 8th and 9th digits of my social security number, followed by the remainder of the letters of my childhood nickname."

    The corresponding constructed master password might be fer41rarofx69<Dq6wee77bers.

    You can keep the non-short sequence of random characters in a clipboard manager such as Ditto for quick access.

    I think such a password would hold up well against Hashcat (see Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”), unless the person using Hashcat is specifically targeting you and is in possession of the password hint. This password may or may not hold up well against someone who knows you personally and is in possession of the password hint.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    LastPass never gets your password. They get a hashed version of your password, which is used for authentication, and then that triggers the payload sent to your system where the password is used to decrypt it.
     
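    The split the post above describes, as an added example that is not LastPass's code and does not claim to match their implementation: the client derives a vault key from the master password with PBKDF2, derives a separate authentication hash from that key, and the server stores only the auth hash and an opaque encrypted blob. The iteration count, the toy HMAC-counter cipher and the sample vault are constructed for the example; the property only holds if the client code that does the deriving is itself trustworthy, which is the concern raised earlier in the thread.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # constructed value; a real client uses its own tuned count

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Email acts as a per-user salt, so two users with the same password get different keys.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    # One further PBKDF2 round, salted with the password, yields the login credential.
    # PBKDF2 is one-way, so the server's copy of this value does not reveal vault_key.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

class Server:
    """What the service stores: only the auth hash and the encrypted blob it cannot open."""
    def __init__(self):
        self.users = {}

    def register(self, email: str, auth_hash: bytes, encrypted_blob: bytes) -> None:
        self.users[email] = (auth_hash, encrypted_blob)

    def login(self, email: str, auth_hash: bytes):
        record = self.users.get(email)
        if record is None or not hmac.compare_digest(record[0], auth_hash):
            return None          # constant-time compare; no hint about which byte differed
        return record[1]         # the "payload": ciphertext the client decrypts locally

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) so the example runs on the standard
    # library alone; a real client would use an authenticated cipher such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def round_trip(master_password: str, email: str, vault_plaintext: bytes, login_password: str):
    # Client side at enrolment: derive keys, encrypt the vault, hand over hash + blob.
    key = derive_vault_key(master_password, email)
    server = Server()
    server.register(email, derive_auth_hash(key, master_password), keystream_xor(key, vault_plaintext))
    # Later, a fresh client re-derives both values from whatever password the user types.
    key2 = derive_vault_key(login_password, email)
    blob = server.login(email, derive_auth_hash(key2, login_password))
    return None if blob is None else keystream_xor(key2, blob)
```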
  17. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    A very similar question could be asked about any program/website/computer that we use that has secure information involved. In the end, we all make choices on who and what we trust.

    I did a fair amount of study on LastPass before giving them my trust. So far, I feel very confident they have kept their part of the bargain.

    If you'd like to learn more, and have some time, here's a transcript from Security Now where Steve Gibson devoted most of an episode to LastPass (which to my knowledge, he still uses today.) https://www.grc.com/sn/sn-256.htm
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I found a nice solution for making a memorable yet strong master password: Diceware.
     
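    To put the two suggestions in this thread side by side (the random sequence such as "fx69<Dq6" in the earlier hint post, and Diceware here), an added example, not from either poster or from the Diceware project: it computes the entropy each approach contributes, converts a five-dice roll into a Diceware list index, and rolls with the OS CSPRNG. The 94-symbol character set and the word counts are assumptions for the comparison; only the random part of a hint-built password is counted, since personal details like names and SSN digits add an unknowable amount.

```python
import math
import secrets

DICEWARE_WORDS = 6 ** 5   # the standard list has 7776 entries, one per five-dice roll
PRINTABLE_ASCII = 94      # assumed character set for a generator producing strings like "fx69<Dq6"

def charset_entropy_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    # Entropy of a uniformly random string of `length` symbols from `charset_size` choices.
    return length * math.log2(charset_size)

def diceware_entropy_bits(num_words: int) -> float:
    # Each word is an independent uniform pick from the list.
    return num_words * math.log2(DICEWARE_WORDS)

def words_needed(target_bits: float) -> int:
    # Smallest passphrase length that reaches the target strength.
    return math.ceil(target_bits / math.log2(DICEWARE_WORDS))

def roll_to_index(roll: str) -> int:
    # Diceware lists are keyed by five digits 1-6, e.g. "31525"; map that to 0..7775
    # by reading the digits as a base-6 number.
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("a Diceware key is exactly five digits from 1 to 6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index

def roll_dice() -> str:
    # secrets, not random: the CSPRNG stands in for physical dice when none are at hand.
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def compare(random_chars: int, num_words: int) -> dict:
    # Summarise both approaches for the lengths under discussion.
    return {
        "random_chars_bits": round(charset_entropy_bits(random_chars), 1),
        "diceware_bits": round(diceware_entropy_bits(num_words), 1),
        "words_matching_random_chars": words_needed(charset_entropy_bits(random_chars)),
    }
```

    An eight-character random string from 94 symbols comes to about 52 bits, which five Diceware words already exceed; the memorable passphrase costs only a few extra characters typed.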