Discussion in 'polls' started by cet, Feb 6, 2009.
I just dont "feel" safe. Hahahaha
Dont get me wrong.
Lastpass personally, do what i expect it to do
None! - I log into as few sites as possible.
Well, keepass is encrypted and you can only open my safe with my Yubikey. Some of my passwords are very strong. I wouldn't want to type them in on my keyboard. Copy & paste does it for me (no auto fill in).
I stopped using the browsers built in password manager. Now I copy and paste passwords from one of 6 "source files". The source files were created by encrypting large text files with various PGP keys. I keep tract of them using a location file that contains the source file used, the line and character number where the copy begins, and the line and character number of where it ends.
In this instance I used source file 4, started on line 62, character 16, and ended on line 62, character 45.
The copy/paste can start and end on different lines as well. The site names and source location are stored in a sortable file, but with a slight twist that makes it unusable to others. I mentally offset every character by a certain amount that isn't written down, such as subtract one or add two to each. 4-62-16-62-44 would get written down as 2-60-14-60-42 with everything shifted -2. The numbers could be stored in any order you choose as long as it's consistent. One could add additional numbers that have no meaning at all. One could use a different amount of shift on each number just by remembering a 5 digit number that would apply to all the entries. There's an almost unlimited number of ways you could vary it. My source files contain about 800 lines each, 64 characters in each line. Without knowing the exact way that you record the locations and the shift that you apply to the numbers, what's the odds that anyone could determine what your passwords are, even with all the files in front of them?
If we assume that password is 1-16 characters long then there are 819.080 possible passwords (with 51.200 char long file). The file could be used in dictionary attack and it probably wouldn't take too long to be cracked. I hope there is no password on that picture. Otherwise you should change it
EDIT: if you would use password with 1-255 length there would be 13.023.615 possible passwords. Still not that much.
EDIT2: the numbers are not exact as there definitely are duplicates. So there are even less combinations.
Nope, just an example. Your math accounts for one source file. I'm currently using 6. The user could also copy/paste more than one segment from more than one source to create a password. A dictionary attack using the source files would require the attacker to have those files, local access or a total hack, and that they know what files are being used for source material. If the user drops the source files into a directory with a few hundred files of encrypted gibberish, the job gets much more difficult.
Yes you're right, they have to get that files. They might use last access time stamp to determine which files were recently used, if you have that enabled.
The password length is a relative thing. Try a dictionary attack on Gmail and see what's happening. Even with a 5 characters long password you would need all your life to break into an account.
Yes, that's true. Unless you manage to pull MITM attack.
My primary reason for using copy/paste was to avoid using password software, whether it's separate or part of a browser. IMO, password software and the files/devices that store the passwords are natural targets. All software has flaws, which may be directly exploitable or bypassed by an exploited system. In a growing number of countries, the user can be compelled to open password managers and encrypted material. With no passwords stored by a browser and no password manager to be exploited or opened by coercion, there are no obvious passwords the user can be compelled to reveal. The user could explain the source files as experimenting with encryption, especially when the source files decrypt to normal text files that are nothing of interest. There's lots of plausible deniability. "It's an experiment that didn't work like I wanted."
you make a good point there.
i also liked the way you hide your password in a text file.
I use LastPass. Extremely convenient and very safe. I can have a peace of mind with it.
I write them down with intentional typos only I know, almost like runes, lol. So that even if someone found it it'd be gibberish to them. Then stick them in a random page of one book I have of many on a bookshelf that nobody would ever grab. So I need only remember that book and one page number. But really I pretty much just remember them. I just don't completely trust password managers.
Same here, for important things i dont store them in my PC.
I memorize them.
*.txt file in a Truecrypt container.
I use KeePass, however it´s a bit annoying that it´s not integrated with the browser, so I´m thinking about installing RoboForm for Opera v12. If I´m correct it´s freeware. I´ve also read that letting your browser manage passwords is not safe.
Keepass does have various plugins for integration you may want to look at if you haven't already.
RoboForm free is limited, I believe you can only store a very limited number of passwords. In any case I wouldn't use a program to store my passwords that is put out by a company that has proven to be untrustworthy.
Still with Sticky Pro for IE11, Mitro for Chrome.
KeePass is what I use.
I'd use a password manager even if I never entered the passwords. Even if I could memorize the passwords, could I remember:
All of the sites with which I have accounts, including which ones have multiple accounts?
The username and email address associated with each site?
All of the quirks for certain sites, like character limitations and notes about truncated characters?
The date each password was last changed? And could I reliably remind myself to change them periodically?
Security question "answers?" (I suppose these would just be like more passwords, but even then you have to remember the questions so you can match them up with the right "answers.")
It's not only all or nothing. A hybrid approach of using password managers only for the vast majority of non-important passwords works best IMO.
Just like i do.
Hahahahaha i also store other info like security questions, email i used etc.
I suggest you try LastPass. It's amazing. It's safe to let LastPass manage passwords.
Couldn't agree more.
Separate names with a comma.