Online password managers? |
Chris Katko
Member #1,881
January 2002
|
Anyone ever use them? I've used GoogleDocs before, but they still don't support per-document passwords. So since GoogleDocs is likely tied to E-mail account, it would stand to reason that a very strong password should be protecting my e-mail/drive. |
SiegeLord
Member #7,827
October 2006
|
In this day and age, why would you keep something of such value on the Internet, especially hosted on US soil (as LastPass is)? "For in much wisdom is much grief: and he that increases knowledge increases sorrow."-Ecclesiastes 1:18 |
Chris Katko
Member #1,881
January 2002
|
SiegeLord said: In this day and age, why would you keep something of such value on the Internet, especially hosted on US soil (as LastPass is)?

I'm not worried about the NSA. I'm worried about random Chinese/Russians/Script-Kiddies getting access to my password file. My wife's accounts have been compromised before, and once my debit card (which got picked up immediately, some kid buying... WoW stuff). But not everyone is as thorough as my bank/credit card in keeping my data safe. My random Linux box connected to the internet isn't going to have staff keeping an eye on it. And it's not that passwords are hard. It's that every bloody website has their own idea of what constitutes a "valid" password and many of them do not overlap. GoDaddy requires you to use an account number instead of a name for frak sake. I mean what is this, the stone age?

Let me clarify. GoogleDocs would be great if only it allowed an additional password for file access instead of giving gaping access to my e-mail, social media, and documents. Which of course, is why I have to use my strongest password on my e-mail. It's good too! |
BAF
Member #2,981
December 2002
|
I use LastPass. If you're talking NSA, why do they need your passwords? They already have all the backdoors they need. Plus, unless they're lying, there's no way to get at your passwords without your master password anyway. Google Docs, or any Google service for that matter, is one of the last places I'd store sensitive data like passwords. They have absolutely zero reason to make it secure enough (if they can't read it, then they can't use it to target ads at you). Please, use the proper tool for this job... a proper password manager. [edit] |
Matthew Leverton
Supreme Loser
January 1999
|
I use Lastpass. Works great. |
SiegeLord
Member #7,827
October 2006
|
BAF said: They already have all the backdoors they need.

I store passwords in my password manager for more things than just random websites. While each random website (especially if it is hosted on US soil) could be/is compromised, those items individually are not as likely to be. |
torhu
Member #2,727
September 2002
|
You guys store your passwords online? Mind blown |
Arthur Kalliokoski
Second in Command
February 2005
|
I store mine on sheets of paper which my roomies would be unable to decide what they're for or how they're used. They all watch too much MSNBC... they get ideas. |
Matthew Leverton
Supreme Loser
January 1999
|
torhu said: You guys store your passwords online?

Everybody does. Your password here is stored as a bcrypt hash. If somebody gets access to the database and they wish to target you, they'll be able to crack your easy-to-remember password. And if it is the same as your other passwords, or similar enough, they may easily be able to get into your other sites. The difference with using Lastpass is that those dozens of insecure sites you use all now have different, random, and very hard to crack passwords. And what's the difference between storing your encrypted file of passwords on your workstation that is connected to the Internet, or a Lastpass server that is connected to the Internet? I bet it's easier to break into your computer. |
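Added example (not part of the thread and not Allegro.cc's code): a sketch of the argument in the post above, that a salted slow hash does not protect a guessable, reused password, while per-site random passwords confine a breach to the one site that leaked. PBKDF2 stands in for bcrypt, and the site names, wordlist and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

ROUNDS = 20_000  # kept low so the example runs quickly; real deployments use far more


def slow_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def audit_leaked_hash(stored: bytes, salt: bytes, wordlist: list) -> Optional[str]:
    """Return the wordlist entry that matches a leaked hash, or None."""
    for guess in wordlist:
        if hmac.compare_digest(slow_hash(guess, salt), stored):
            return guess
    return None


def generate_password(length: int = 20) -> str:
    """Random per-site password, as a password manager would generate."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def exposed_sites(accounts: dict, breached: str, wordlist: list) -> set:
    """Sites that fall once `breached` leaks its salted hash for this user."""
    salt = secrets.token_bytes(16)
    leaked = slow_hash(accounts[breached], salt)  # what the database row holds
    recovered = audit_leaked_hash(leaked, salt, wordlist)
    if recovered is None:
        return set()
    # Every account sharing the recovered password falls with the breached one.
    return {site for site, pw in accounts.items() if pw == recovered}


# Constructed sample data: a tiny guess list and two users of the same three sites.
WORDLIST = ["123456", "password", "letmein", "Summer2014", "qwerty"]
SITES = ["forum.example", "shop.example", "mail.example"]
reuser = {site: "Summer2014" for site in SITES}
managed = {site: generate_password() for site in SITES}

if __name__ == "__main__":
    print("reused:", sorted(exposed_sites(reuser, "forum.example", WORDLIST)))
    print("managed:", sorted(exposed_sites(managed, "forum.example", WORDLIST)))
```

The salt and the slow hash only raise the cost per guess; they do nothing for a password that sits near the top of a guess list.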
Chris Katko
Member #1,881
January 2002
|
Matthew Leverton said: I bet it's easier to break into your computer.

Impossible! I'm running OS/2 Warp!

I heard a funny story from a security admin at a conference about boxes he connected to the internet that he told the world "own my box." More or less every box would be "owned" sooner or later except one in Alaska... that he forgot about. It was running a FreeBSD distro so old that it had custom compiled binaries that didn't use modern binary formats (whenever that big switch happened) so all of the exploits people tried to run didn't work because they weren't binary compatible. [Vagueish story it's been a few years.] I'll see if I can find the source [Notacon 4 2007, Bruce Potter] |
Thomas Fjellstrom
Member #476
June 2000
|
Is there any way to use LastPass with standalone Android apps? edit: never mind, there's an IME. |
torhu
Member #2,727
September 2002
|
Matthew Leverton said: And what's the difference between storing your encrypted file of passwords on your workstation that is connected to the Internet, or a Lastpass server that is connected to the Internet? I bet it's easier to break into your computer.

I don't know about that other stuff, but I'm pretty sure it would be a major pain in the ass for someone in Eastern Europe, Africa, or China to get hold of my local file of secret stuff |
Chris Katko
Member #1,881
January 2002
|
Actually, a great idea that would stump even government officials? NTFS Alternate Data streams. You can hide entire files inside files... that won't show up even in disk usage, and won't copy if the original file is moved out of the partition. |
Thomas Fjellstrom
Member #476
June 2000
|
It'll still show up with data recovery tools, which they probably use. |
bamccaig
Member #7,536
July 2006
|
Personally I think that having a "password file" is incredibly stupid. You underestimate the capacity of your brain if you think that you can't remember complex passwords. Granted, we don't like to learn new ones. I'd never record them anywhere. That goes for a file on my machine (which could easily be compromised without me knowing), and a third party service (which could also easily be compromised without me knowing). I imagine I do what most [smart] people do: reuse passwords based on a "class" system of importance. Most sites I consider useless and I avoid storing any deeply personal information on. I really couldn't care less if my account on these sites is compromised. I only created the account because I had to for some trivial function (that probably could have been granted without an account, but the programmer is "special"). Those sites all get a simple password that would be trivial to crack, and I'm certain that I have inadvertently sent it to an IRC channel more than 3 times. The password that I choose for any given site is also based on how much I trust them to secure it. Alarmingly I find that financial sites (bank, PayPal, etc.) are actually the worst for password limitations. I'd attempt to give them an extremely complex passphrase only to discover that I can't because all of the various character classes that I'm using aren't allowed and/or they have a physical size limit... OMFG, shake my head... I've even messaged my bank several times telling them they need to fix it. The response I get back is always, "We appreciate your feedback, but the limitations we have on our passwords protect you from dangerous characters!" Which is really just another way of saying that either the programmers employed by that bank are incompetent, and/or the managers are... 
|
Thomas Fjellstrom
Member #476
June 2000
|
One of my credit cards has a site that requires digits in your username. Now isn't that super extra secure! |
SiegeLord
Member #7,827
October 2006
|
bamccaig said: I'd attempt to give them an extremely complex passphrase only to discover that I can't because all of the various character classes that I'm using aren't allowed and/or they have a physical size limit... OMFG, shake my head...

So basically your method doesn't work. |
bamccaig
Member #7,536
July 2006
|
No method works with them. Their system is inherently insecure. And they're too incompetent to comprehend the weaknesses. They're convinced that they're making things more secure. |
OnlineCop
Member #7,919
October 2006
|
I've got LastPass set up so my wife can have her passwords automated, and routinely dump the LastPass passwords into KeePass (every month or so; we usually don't update or add passwords more frequently than that). KeePass + Dropbox, where the KeePass database requires both a password and a key file (which I don't store in Dropbox). I use KeePass because LastPass doesn't work in Incognito mode, nor do I want LastPass "tied" to me when I'm on the TOR network.

Google: My main accounts have 2-step authentication, where some use an SMS message and the others use the Google Authenticator app. I've got Application Passwords enabled (or whatever the official name of those are called) so my email and contacts can't be accessed with my normal login password.

I also visit YouTube on a browser running AdBlock with which I've never signed into my Google accounts. It gives me ad-free videos without linking all those into my Watched History.

And if I ever need to check something from work, I just ssh tunnel into my home computer and make it handle all my requests from there.
|
Elias
Member #358
May 2000
|
OnlineCop said: , I just ssh tunnel into my home computer

So anyone can just ssh into an open ssh port on your home computer? I'd never feel safe with that. |
Arthur Kalliokoski
Second in Command
February 2005
|
Elias said: So anyone can just ssh into an open ssh port on your home computer? I'd never feel safe with that.

Have you ever done it? Used ssh, I mean. |
Elias
Member #358
May 2000
|
Yes, ssh-tunneling so I can use the internet from work. What I'm saying is I don't feel it's safe at all. |
Chris Katko
Member #1,881
January 2002
|
Quote: The keys that Amazon EC2 uses are 1024-bit SSH-2 RSA keys. You can have up to five thousand key pairs per region.

Not bad... not bad... if I need more, then I'm probably someone hiding something expensive enough to hire security professionals, or at the very least, the time and effort to increase the difficulty.

[edit] It appears that PR documentation is old and 2048-bit is standard. But don't quote me on that yet.

[edit 2] Quote: Supported lengths: 1024, 2048, and 4096.

Booya. That's a lot of work to get access to my bloody resume. |
SiegeLord
Member #7,827
October 2006
|
Elias said: Yes, ssh-tunneling so I can use the internet from work. What I'm saying is I don't feel it's safe at all.

What precludes you from using a key instead of a password? I assume OnlineCop has only a single work computer so generating a single key pair shouldn't be a problem. |
Elias
Member #358
May 2000
|
SiegeLord said: What precludes you from using a key instead of a password?

I am using a key, but anyone with access to my work computer's hard drive as well as the NSA have it as well :p |