Allegro.cc - Online Community

Online password managers?
Chris Katko
Member #1,881
January 2002

Anyone ever use them?

I've used GoogleDocs before, but they still don't support per-document passwords. So since GoogleDocs is likely tied to an e-mail account, it would stand to reason that a very strong password should be protecting my e-mail/drive.

-----sig:
“Programs should be written for people to read, and only incidentally for machines to execute.” - Structure and Interpretation of Computer Programs
"Political Correctness is fascism disguised as manners" --George Carlin

SiegeLord
Member #7,827
October 2006

In this day and age, why would you keep something of such value on the Internet, especially hosted on US soil (as LastPass is)?

"For in much wisdom is much grief: and he that increases knowledge increases sorrow."-Ecclesiastes 1:18
[SiegeLord's Abode][Codes]:[DAllegro5]:[RustAllegro]

Chris Katko
Member #1,881
January 2002

SiegeLord said:

In this day and age, why would you keep something of such value on the Internet, especially hosted on US soil (as LastPass is)?

I'm not worried about the NSA. I'm worried about random Chinese/Russians/Script-Kiddies getting access to my password file. My wife's accounts have been compromised before, and once my debit card (which got picked up immediately, some kid buying... WoW stuff). But not everyone is as thorough as my bank/credit card in keeping my data safe. My random Linux box connected to the internet isn't going to have staff keeping an eye on it.

And it's not that passwords are hard. It's that every bloody website has their own idea of what constitutes a "valid" password and many of them do not overlap.

GoDaddy requires you to use an account number instead of a name, for frak's sake. I mean what is this, the stone age?

Let me clarify. GoogleDocs would be great if only it allowed an additional password for file access instead of giving gaping access to my e-mail, social media, and documents. Which of course, is why I have to use my strongest password on my e-mail. It's good too!


BAF
Member #2,981
December 2002

I use LastPass. If you're talking NSA, why do they need your passwords? They already have all the backdoors they need. Plus, unless they're lying, there's no way to get at your passwords without your master password anyway.

Google Docs, or any Google service for that matter, is one of the last places I'd store sensitive data like passwords. They have absolutely zero reason to make it secure enough (if they can't read it, then they can't use it to target ads at you).

Please, use the proper tool for this job... a proper password manager.

[edit]
But yes, to answer your question, I do use LastPass (premium) myself. I've not had any problems with it, and the Chrome plugin is great. There are only a handful of passwords I have committed to memory, the rest are unique, long, randomly generated strings of shit.

Matthew Leverton
Supreme Loser
January 1999

I use Lastpass. Works great.

SiegeLord
Member #7,827
October 2006

BAF said:

They already have all the backdoors they need.

I store passwords in my password manager for more things than just random websites. While each random website (especially if it is hosted on US soil) could be/is compromised, those items individually are not as likely to be.


torhu
Member #2,727
September 2002

You guys store your passwords online? Mind blown :o

Arthur Kalliokoski
Second in Command
February 2005

I store mine on sheets of paper; my roomies would be unable to decide what they're for or how they're used.

“Throughout history, poverty is the normal condition of man. Advances which permit this norm to be exceeded — here and there, now and then — are the work of an extremely small minority, frequently despised, often condemned, and almost always opposed by all right-thinking people. Whenever this tiny minority is kept from creating, or (as sometimes happens) is driven out of a society, the people then slip back into abject poverty. This is known as "bad luck.”

― Robert A. Heinlein

Matthew Leverton
Supreme Loser
January 1999

torhu said:

You guys store your passwords online?

Everybody does.

Your password here is stored as a bcrypt hash. If somebody gets access to the database and they wish to target you, they'll be able to crack your easy-to-remember password. And if it is the same as your other passwords, or similar enough, they may easily be able to get into your other sites.

The difference with using Lastpass is that those dozens of insecure sites you use all now have different, random, and very hard to crack passwords.

And what's the difference between storing your encrypted file of passwords on your workstation that is connected to the Internet, or a Lastpass server that is connected to the Internet? I bet it's easier to break into your computer.
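Matthew's point above (one random, hard-to-crack password per site, within whatever character rules each site imposes), as an added Python example that is not from the thread: the site policies are constructed stand-ins, and the generator draws from the OS CSPRNG and rejects candidates that miss a site's class rule.

```python
import math
import secrets
import string

# Constructed policies standing in for the conflicting rules different sites
# impose; they are not any real site's rules. Each lists allowed character
# classes, an exact length, and how many distinct classes must appear.
POLICIES = {
    "bank": {"length": 12, "required": 3,
             "classes": [string.ascii_lowercase, string.ascii_uppercase, string.digits]},
    "forum": {"length": 20, "required": 2,
              "classes": [string.ascii_lowercase, string.ascii_uppercase,
                          string.digits, "!#%+-=?@_"]},
}

def satisfies(password, policy):
    """True if the password has the required length, uses only allowed
    characters, and draws from at least `required` distinct classes."""
    alphabet = "".join(policy["classes"])
    if len(password) != policy["length"] or any(c not in alphabet for c in password):
        return False
    present = sum(1 for cls in policy["classes"] if any(c in cls for c in password))
    return present >= policy["required"]

def generate(policy, max_tries=1000):
    """Draw uniformly from the allowed alphabet with the OS CSPRNG and reject
    candidates that miss the class rule, so valid outputs stay uniform."""
    alphabet = "".join(policy["classes"])
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if satisfies(candidate, policy):
            return candidate
    raise RuntimeError("policy too restrictive for rejection sampling")

def entropy_bits(policy):
    """Upper bound on guessing work: length * log2(alphabet size). The class
    rule removes a few candidates, so the true figure is marginally lower."""
    return policy["length"] * math.log2(len("".join(policy["classes"])))

if __name__ == "__main__":
    for site, policy in POLICIES.items():
        print(site, generate(policy), f"{entropy_bits(policy):.1f} bits")
```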

Chris Katko
Member #1,881
January 2002

Matthew Leverton said:

I bet it's easier to break into your computer.

Impossible! I'm running OS/2 Warp!

I heard a funny story from a security admin at a conference about boxes he connected to the internet that he told the world "own my box." More or less every box would be "owned" sooner or later except one in Alaska... that he forgot about. It was running a FreeBSD distro so old that it had custom compiled binaries that didn't use modern binary formats (whenever that big switch happened), so all of the exploits people tried to run didn't work because they weren't binary compatible. [Vague-ish story; it's been a few years.] I'll see if I can find the source [Notacon 4 2007, Bruce Potter].


Thomas Fjellstrom
Member #476
June 2000

Is there any way to use LastPass with standalone android apps?

edit: never mind, there's an IME.

--
Thomas Fjellstrom - [website] - [email] - [Allegro Wiki] - [Allegro TODO]
"If you can't think of a better solution, don't try to make a better solution." -- weapon_S
"The less evidence we have for what we believe is certain, the more violently we defend beliefs against those who don't agree" -- https://twitter.com/neiltyson/status/592870205409353730

torhu
Member #2,727
September 2002

Matthew Leverton said:

And what's the difference between storing your encrypted file of passwords on your workstation that is connected to the Internet, or a Lastpass server that is connected to the Internet? I bet it's easier to break into your computer.

I don't know about that other stuff, but I'm pretty sure it would be a major pain in the ass for someone in Eastern Europe, Africa, or China to get hold of my local file of secret stuff ;D

Chris Katko
Member #1,881
January 2002

Actually, a great idea that would stump even government officials? NTFS Alternate Data streams. You can hide entire files inside files... that won't show up even in disk usage, and won't copy if the original file is moved out of the partition.


Thomas Fjellstrom
Member #476
June 2000

It'll still show up with data recovery tools, which they probably use.


bamccaig
Member #7,536
July 2006

Personally I think that having a "password file" is incredibly stupid. You underestimate the capacity of your brain if you think that you can't remember complex passwords. Granted, we don't like to learn new ones. I'd never record them anywhere. That goes for a file on my machine (which could easily be compromised without me knowing), and a third party service (which could also easily be compromised without me knowing).

I imagine I do what most [smart] people do: reuse passwords based on a "class" system of importance. Most sites I consider useless and I avoid storing any deeply personal information on. I really couldn't care less if my account on these sites is compromised. I only created the account because I had to for some trivial function (that probably could have been granted without an account, but the programmer is "special"). Those sites all get a simple password that would be trivial to crack, and I'm certain that I have inadvertently sent it to an IRC channel more than 3 times. The password that I choose for any given site is also based on how much I trust them to secure it.

Alarmingly I find that financial sites (bank, PayPal, etc.) are actually the worst for password limitations. I'd attempt to give them an extremely complex passphrase only to discover that I can't because all of the various character classes that I'm using aren't allowed and/or they have a physical size limit... OMFG, shake my head... I've even messaged my bank several times telling them they need to fix it. The response I get back is always, "We appreciate your feedback, but the limitations we have on our passwords protect you from dangerous characters!" Which is really just another way of saying that either the programmers employed by that bank are incompetent, and/or the managers are...

Thomas Fjellstrom
Member #476
June 2000

One of my credit cards has a site that requires digits in your username. Now isn't that super extra secure!


SiegeLord
Member #7,827
October 2006

bamccaig said:

I'd attempt to give them an extremely complex passphrase only to discover that I can't because all of the various character classes that I'm using aren't allowed and/or they have a physical size limit... OMFG, shake my head...

So basically your method doesn't work.


bamccaig
Member #7,536
July 2006

No method works with them. Their system is inherently insecure. And they're too incompetent to comprehend the weaknesses. They're convinced that they're making things more secure.

OnlineCop
Member #7,919
October 2006

I've got LastPass set up so my wife can have her passwords automated, and routinely dump the LastPass passwords into KeePass (every month or so; we usually don't update or add passwords more frequently than that).

KeePass + Dropbox, where the KeePass database requires both a password and a key file (which I don't store in Dropbox).

I use KeePass because LastPass doesn't work in Incognito mode, nor do I want LastPass "tied" to me when I'm on the TOR network.

Google: My main accounts have 2-step authentication, where some use an SMS message and the others use the Google Authenticator app. I've got Application Passwords enabled (or whatever the official name for those is) so my email and contacts can't be accessed with my normal login password.

I also visit YouTube on a browser running AdBlock with which I've never signed into my Google accounts. It gives me ad-free videos without linking all those into my Watched History.

And if I ever need to check something from work, I just ssh tunnel into my home computer and make it handle all my requests from there.

I made a VR game!

Elias
Member #358
May 2000

OnlineCop said:

I just ssh tunnel into my home computer

So anyone can just ssh into an open ssh port on your home computer? I'd never feel safe with that.

--
"Either help out or stop whining" - Evert

Arthur Kalliokoski
Second in Command
February 2005

Elias said:

So anyone can just ssh into an open ssh port on your home computer? I'd never feel safe with that.

Have you ever done it? Used ssh, I mean.


Elias
Member #358
May 2000

Yes, ssh-tunneling so I can use the internet from work. What I'm saying is I don't feel it's safe at all.


Chris Katko
Member #1,881
January 2002

Quote:

The keys that Amazon EC2 uses are 1024-bit SSH-2 RSA keys. You can have up to five thousand key pairs per region.

Not bad... not bad... if I need more, then I'm probably someone hiding something expensive enough to hire security professionals, or at the very least, the time and effort to increase the difficulty.

[edit] It appears that PR documentation is old and 2048-bit is standard. But don't quote me on that yet.

[edit 2]

Quote:

Supported lengths: 1024, 2048, and 4096.

Booya.

That's a lot of work to get access to my bloody resume.


SiegeLord
Member #7,827
October 2006

Elias said:

Yes, ssh-tunneling so I can use the internet from work. What I'm saying is I don't feel it's safe at all.

What precludes you from using a key instead of a password? I assume OnlineCop has only a single work computer, so generating a single key pair shouldn't be a problem.


Elias
Member #358
May 2000

SiegeLord said:

What precludes you from using a key instead of a password?

I am using a key, but anyone with access to my work computer's hard drive, as well as the NSA, has it as well :p

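The key-versus-password exchange above (an ssh port on a home box reachable from the internet), as an added Python example that is not from the thread: it resolves an sshd_config the way sshd does (first value for a keyword wins, anything after a Match block is conditional) and reports what would still let a password guess, rather than a key, open the door. Both configs are constructed.

```python
# Constructed sshd_config excerpts for a home box reachable from the internet
# (not taken from any poster's machine).
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# ignored: sshd keeps the first value it reads for a keyword
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
# What sshd assumes when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}

def effective_settings(text):
    """Resolve global values as sshd does: case-insensitive keywords, first
    occurrence wins, and lines after the first Match block are conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # handles the "Keyword value" form only
        key = parts[0].lower()
        if key == "match":
            break
        if key in settings and key not in seen and len(parts) == 2:
            settings[key] = parts[1].strip().lower()
            seen.add(key)
    return settings

def audit(text):
    """Settings that let a password guess, not a key, open the door."""
    s = effective_settings(text)
    findings = []
    if s["passwordauthentication"] in ("yes", "true"):
        findings.append("PasswordAuthentication is on")
    if s["kbdinteractiveauthentication"] in ("yes", "true"):
        findings.append("KbdInteractiveAuthentication is on (PAM password prompts)")
    if s["permitrootlogin"] in ("yes", "true"):
        findings.append("PermitRootLogin yes allows root login with a password")
    return findings
```

Note that turning off PasswordAuthentication alone leaves KbdInteractiveAuthentication at its default of yes, which the audit flags separately.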
