Password rememberall / Computer Science / Forums

Forums

4hv.org :: Forums :: Computer Science

« Previous topic | Next topic »

Password rememberall

previous 1 2 3 next

Move Thread

LAN_403

dexter

Thu Jan 08 2015, 11:11PM

Registered Member #42796 Joined: Mon Jan 13 2014, 06:34PM
Location:
Posts: 195

simple fix change the password to incorrect so that when you forget it the computer will tell you "Your password is incorrect" :)

BigBad

Fri Jan 09 2015, 01:50AM

Registered Member #2529 Joined: Thu Dec 10 2009, 02:43AM
Location:
Posts: 600

Have you tried LastPass?

That's what LastPass does.

Fysac

Sun Jan 11 2015, 08:50PM

Registered Member #44377 Joined: Tue Apr 08 2014, 09:27PM
Location:
Posts: 6

LastPass and KeePass are both very good options for the criteria you listed. Strong crypto, browser autofill, and portable enough.

LastPass encrypts your passwords locally, uploads the hashes to its database, and syncs them over all your browsers. You use a single master password to decrypt them.

KeePass is just a local encrypted database file that you can save anywhere, like on a flash drive or cloud storage. Same master password situation. It's a little more work than with LastPass, but I tend to trust it more due to its FOSS nature.

Either one you choose, these are your best bet for convenience and security.

Dr. Slack

Mon Jan 12 2015, 10:30AM

Registered Member #72 Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659

I still haven't been convinced how any of those is better than what I have, or had anybody point out any significant flaw in mine. It does not need a data base, anywhere, so there's nothing to sync. It will run on any browser, so can deliver a password at any time you might want one. There is nothing special in the algorithm, save for SHA-1, so no physical space for a backdoor to exist, and it's FOSS so you can see it doesn't. You can always replace SHA-1 with one of the SHA-2s if you don't like its age, available from the same Chris Veness moveable type guy (first hit on google for 'sha-2 javascript'). Perhaps I'll put it github or codereview to see if that flushes out any criticism.

Avalanche

Mon Jan 12 2015, 12:30PM

Registered Member #103 Joined: Thu Feb 09 2006, 08:16PM
Location: Derby, UK
Posts: 845

Use the same password for everything, and remember it (never write it down)

AND

for every service that you sign up to, add some random characters to the end of your 'remembered' password. You can write these characters down, or even put them on post-it notes.

Then you only have to remember one password, and you can write the extra characters down because they will be useless to anyone without the rest of the password

BigBad

Mon Jan 12 2015, 07:18PM

Registered Member #2529 Joined: Thu Dec 10 2009, 02:43AM
Location:
Posts: 600

First let me say, perfect security doesn't exist.

Bruce Schneier who is an expert on passwords says you should basically always write down your passwords.

The main purpose of passwords is to avoid joe random on the internet from cracking your account- they don't have access to your written down passwords.

But still, security is a personal thing, if you need protection from people near to you, and you're worried about people breaking in and finding the passwords, then you should take additional steps.

The idea that Avalanche suggests, of using the same password for everything is about the worst advice conceivable. Many sites have atrocious security and crackers breaking into sites will often find a list of passwords that they can then go around the internet with. If you have reused your password, then they can log in, everywhere and create mayhem, particularly sites like Amazon are very problematic.

It's sometimes reasonable to divide sites into 'low security' and 'high security'. High security is sites like email, online stores etc. Low security is forums. Using the same password on low security sites is probably reasonable, but all high security sites must have long, very difficult to guess and completely unique passwords.

That's where tools like LastPass come in; that permits you to manage multiple high security sites with (reasonable, but never perfect) security.

Fysac

Mon Jan 12 2015, 07:21PM

Registered Member #44377 Joined: Tue Apr 08 2014, 09:27PM
Location:
Posts: 6

Dr. Slack wrote ...

Perhaps I'll put it github or codereview to see if that flushes out any criticism.

Please do that. I'd like to see it - not necessarily for criticism, I'm just interested is all.

Avalanche

Mon Jan 12 2015, 07:26PM

Registered Member #103 Joined: Thu Feb 09 2006, 08:16PM
Location: Derby, UK
Posts: 845

BigBad wrote ...

The idea that Avalanche suggests, of using the same password for everything is about the worst advice conceivable.

I don't think you actually read my post

Fysac

Mon Jan 12 2015, 07:29PM

Registered Member #44377 Joined: Tue Apr 08 2014, 09:27PM
Location:
Posts: 6

Even using the same base password for everything is a bad idea. If that base is discovered, it's trivial for an attacker to bruteforce the remaining few characters and compromise any of your other accounts. The best kind of password is a long, completely unique, and unpredictable sequence of characters.

Dr. Slack

Tue Jan 13 2015, 06:42AM

Registered Member #72 Joined: Thu Feb 09 2006, 08:29AM
Location: UK St. Albans
Posts: 1659

Fysac wrote ...

Dr. Slack wrote ...

Perhaps I'll put it github or codereview to see if that flushes out any criticism.

Please do that. I'd like to see it - not necessarily for criticism, I'm just interested is all.

It's already posted as an attachment above. It has an extra .txt extension to pass the board's attachment filter.

To save you scrolling up, it's

here

previous 1 2 3 next

Moderator(s): Chris Russell, Noelle, Alex, Tesladownunder, Dave Marshall, Dave Billington, Bjørn, Steve Conner, Wolfram, Kizmo, Mads Barnkob