So what's the best password manager currently?
I think password managers are more trusted than just randomizing passwords and saving them in Firefox or Chrome.
KeePassX
>letting any 3rd party know any of your passwords
Keepass, use some NSA cloud service to sync it
Pass
>doesn't know how these things work
It's just an encrypted container that only you have the password to. It syncs with their service online so you can access it with multiple devices. It's just a much more secure version of how browsers save their passwords.
unixpass.
Lastpass used properly is a pretty good balance of security and convenience.
what about for mobile devices? It's not free.
Pay for it then, commie.
your brain
seriously
I'm happy with KeePass.
>not memorizing all of your passwords
Just use a goddamn paper to note all your passwords if you live alone.
>not randomly generating 100 character passwords that automatically change every week
That was 11 months ago. You know how much changes in 11 months?
More recent audits of LastPass have shown it to be incredibly secure.
LastPass is pretty good if you add a second factor. Whatever you use, just make sure you thoroughly understand the login process. For instance, LastPass will let you print out some one time passwords to use in case you need to bypass the login. But before it lets you use one of these it sends you a confirmation email. Good luck if you were using LastPass to log into that email and you didn't write down the password or set up SMS recovery on that email.
Also if you use Google Authenticator as a second factor, I suggest having it give you the seed and writing that down instead of scanning the barcode. That way you can always set up a new phone without any hassle.
A notebook. At least when you die your family can delete your accounts. Those online grave accounts are creepy as fuck.
>google authenticator
lastpass has their own but it's still lacking in features
the best one to use is Authy, lets you back shit up to the cloud too and use it on a computer as well
Not convenient if you have a lot of passwords.
A fucking notebook
>Central point of failure
Nope.avi.gif.svg.mp4
Then just get a notebook, enough paper to last you a life.
Yeah, I just prefer to keep it simple.
One thing that annoys me about LastPass is that you can't select which second factor you want to use if you have more than one set up. Any methods besides the preferred one are just fallbacks that require email confirmation to use. So if you want to have just one account that you share with your partner, you can't have one person login with a YubiKey and the other person use Google Authenticator. Obviously LastPass wants you to use two accounts with Premium in that scenario, but for some people that's overkill.
When you need a fucking password for your fucking passwords.....
feels good to be secure
wish lastpass security challenge still listed average password length, last I checked it was ~66
I don't have any password longer than 16 chars and yet I have a better 'Security Score'
a notepad under your bed
keepassx
...
I'm still using LastPass but ever since they were bought by LogMeIn I've been keeping an eye on it and will be ready to switch to KeePass if they do anything screwy. Currently though LastPass's convenience will keep me using it.
>password manager
>a. k. a. Single point of failure
If someone can get access to and read your key file, you're already screwed.
If it bothers you to open the same file for everything, create several keyfiles for passwords of varying importance. I personally separate passwords for important stuff like my personal email and online banking from less important things like passwords for forums and things like that.
My head
it's due to a few passwords on mine being "the same" when they're really the same account, just it didn't like them being different domains so I added them multiple times
mine is 93% it doesn't really take into account sites that have to have the same password like origin/EA/bioware/battlelog or mine would be higher
Also I don't really change passwords so a lot of my passwords are at least 3 years old
Audits on closed source? Or is that their network? I think if they opened their client side stuff, they'd do better.
Both keepassx and lastpass require protection of the key file. With lastpass the key file is secured by professionals. With keepassx you are in charge of securing the key file. If someone is targeting you specifically then lastpass is a better solution. If your attacker can break into lastpass db just to get to you then you can be your ass that it could even more easily compromise your system to get the keepassx key file.
>The lastpass downside is that their key file db is a desired target by any/all hackers while if you are a target to no one your keepassx key file should be relatively secure on your system.
>be
*bet
I use lastpass, not for security but for convenience, autologin is nice
True. But you're also trusting them not to be compromised by an NDA warrant. Local only syncthing of a keepass db works too. Only updates at home, but that shouldn't matter unless you're a business.
>having shit passwords which you are able to remember
Memory is the best, using a set of numbers and then randomizing the last word for each page.
For example, Google:
111211331GlE
and Facebook:
111211331FbK
>no symbols
>not using challenge-response authentication hardware token
it's like you want to have you passwords stolen
Anybody here use Enpass? It has the security of a locally stored AES256 encrypted key file, but has the convenient features like browser extensions and device sync.
Downsides are not OSS, developed by poo in the loos, and 10$ for the mobile app.
How is a password manager more secure than a browser's password saving?
Browser passwords are easier to steal through vulnerabilities
How so? If an exploit breaks through the protection to access the browser's stored passwords, why wouldn't it be able to do so just as easily to the manager plugin?
>developed by poo in the loos
I've got $50 that says it's using AES-256-CBC without MAC.
The manager plugins are only used to access their databases which are encrypted. Viruses won't do shit since all your passwords are secured and they need your password manager password (no pun).
1Password
It's more fleshed out than KeePass, can sync with any service you want unlike LastPass, and you only have to pay for it once. A bit expensive IMO, but easily the best I've used
I use my brain because I'm not a brainlet and can remember multiple complex passwords easily
tfw high IQ
*tips fedora*
...
This
>Password1
>Using 1234567a as your password for everything
Oook, I'm going to go through and dissect everything wrong with that reasoning.
>The manager plugins are only used to access their databases which are encrypted
1. Clearly, the database is not encrypted when in use, since that's impossible without some sort of homomorphic encryption (which obviously is not being used, these things aren't written by cryptographers). Presumably it would be decrypted in memory and not storage, but that doesn't help at all, since the plugin is run with the browser's credentials or a subset thereof, so any vulnerability in the browser would immediately translate to access to the decrypted database.
2. When you enable password protection on your browser's password manager, it is also encrypted at rest.
>Viruses won't do shit since all your passwords are secured
This doesn't mean anything. They're "secured"? I mean, yeah, when you're not using them. But there's no point in using a password manager if you're not going to actually use the passwords.
>and they need your password manager password
If you have a virus on your system, all bets are off, and the game is over. Unless the virus is somehow isolated from the means of entering in the master password (I guess something like Qubes would work here, but then it's Qubes that's doing the protecting, not the pw manager), the virus will have access to all keystrokes and can just use that.
So again, what's the security advantage over just using the one built into your browser? I see a potential usability advantage, in that you can use different browsers and manage passwords for non-web contexts, but no *security* advantage.
>password manager
Get out, you fucking casual.
Lmao dude, where do you think you are, this isn't technology board
>If you have a virus on your system, all bets are off, and the game is over. Unless the virus is somehow isolated from the means of entering in the master password
ding ding ding
password managers WILL work in "typed-in, static master password" mode, but if that's your solution, you really shouldn't be using a password manager at all. That's just protecting strong passwords (true random/etc) behind a weak password.
Taking shit seriously you'd use either pic related (in challenge-response or OTP mode), or a mobile authenticator for OTPs. This is in addition to a long, hand-typed master password and probably a keyfile.
KeePassX or 2 or whatever it's called.
>Closed source password manager
Lmao
Too much of a pain to do all that.
We need retinal scanner USB devices desu.
>We need a device that scans something uniquely identifiable to a person that would be NSL'd into uploading your iris to the NSA.
No thanks. Same deal with fingerprint readers. You're just handing over uniquely identifiable data to the NSA.
The human brain.
That's not how this works
No. Biometrics are awful as a sole means of security. The main issue is commonly described in the field as
>You can change your password. You can't change your fingerprints.
Ultimately, it's 1s and 0s that are being sent to the device, and if you can record the appropriate sequence, you can replay it whenever you want. So all it takes is for your retinal scan, or fingerprints, or whatever biometric marker to be stolen once, and suddenly, it's permanently compromised.
The other issue that is sometimes brought up: suppose you're securing something that someone would be willing to coerce for. With a password, they only need you to say it. With biometrics, they only need your body parts. One of these two things is much less costly to sacrifice.
I don't give a shit about the NSA. They already have my fingerprints so it's whatever.
I doubt retinal scans would become mandatory. Fingerprints haven't unless you want to do certain things. Would sure as shit beat trying to come up with and remember an insecure by nature master password and then a few more for your encrypted telephone for TFA, carrying around a USB key, and then the password for decrypting your computer drives as well. Would be much easier to just use retinal scans.
>But what if someone holds a gun to your head and forces you to scan your eye?!
Well you'll probably die if you don't tell them the passwords anyway.
Why in the world would you create an incentive for someone to remove one of your body parts?
>But muh MITM
Stupid. It affects normal passwords just as much but it's not much of an issue because of a little meme called end-to-end encryption.
As far as I know your retinal patterns aren't identical in each eye. If this is not the case then I'd be happy to read the source for it.
As much as I hate this argument: unless you're doing something extremely important or criminal then no one is going to want your password so bad that they'll gouge out your eye.
Not every site allows those, so you'd have to have exceptions to that password rule, which complicates it beyond convenience.
>MITM
... I wasn't talking about a MITM. I was talking about the fact that there is no agility to their security properties. This isn't hard to understand.
>Password database gets compromised
Better change my password. Good thing I already use a different one for every service.
>Retinal scan database gets compromised
...
>Local retinal scan database gets compromised
Mind explaining how this happens without resorting to
>Muh birus
? Because I don't see how it's possible without a MITM.
Assume the person uses a VPN for public networks, as well.
Are you implying that passwords never get compromised? Or that retinal scans somehow behave differently than passwords?
I want to hear how often passwords get compromised without resorting to virus boogeyman and using a VPN so we can properly judge if a retinal scan would be a bad and insecure option for a common user who isn't storing top secret documents or logs or millions in drug trafficking.
>Or that retinal scans somehow behave differently than passwords?
password stolen (or expired): change password. 0/10 difficulty
retinal data stolen: change....retinas....??? +inf/10 difficulty
I use a notepad .txt file saved on my desktop
Nice. This is honestly what everyone should use. You all need to stop being so paranoid.
Jesus fscking christ would you shut up about the damn VPNs and MITM bullshit? Ignoring the fact that malware is immeasurably more common than detected MITM network attacks, VPNs don't even actually *do* anything to protect against network attacks other than relocate what we define as "local" to being the VPN provider. TLS, SSH, etc. are what you were looking for. I was going to let it go, but you're embarrassing yourself.
As to how often passwords get compromised, well on servers hosting many of them, all the time obviously (see: the latest news on the LinkedIn hack). If you're talking about local stores, then I wouldn't have any exact numbers, but it's irrelevant, since they aren't any *less* secure than a strong password, but again, carry INSANELY more risk. There is absolutely no advantage from a security perspective. Like many things, you could potentially make a usability case, but at what cost?
If you want a more concrete example, recently there was a database of fingerprints that was compromised and released, from something like a background check service, can't remember what in detail. Well, now if any of those people have an iPhone that allows access via fingerprint, then the thief can just access that fingerprint from the leaked database. These occurrences are only going to become more frequent. And what were those people supposed to do? Not get a background check? No, they're supposed to use a damn password so that it doesn't matter that their fingerprint was leaked. I myself had a retinal scan once after being arrested for a crime I didn't commit (charges eventually dropped, but the record stays). As morons like you keep pushing for this kind of tech, you think that it's going to be any different than fingerprints? Or passwords before it? Again, the *only* thing that changes is the fact that you get to choose your password and change it.
Yes, that is exactly the point I'm making. Biometrics as authentication are a bad idea.
no automatic sync across devices
Agree with all of this post
You are able to combine the domains together in settings
The thief with the database still has to be able to bypass the scanner and directly send the data. Unlikely unless he's government or police.
What country do you live in where you get retinal scans after crimes? Certainly not the US.
VPNs encrypt traffic and prevent MITM attacks is what I was getting at. If you're not a retard you won't get a virus so basically your argument against retinal scans is only valid if two things happen:
>Get a virus
>Said virus is able to access the raw data from the retinal scan
The second one can be stopped if the data is encrypted after being read.
>The thief with the database still has to be able to bypass the scanner and directly send it the data. Unlikely unless he's government or police.
Even if this was correct, which it's not, wouldn't you want to keep government and police OUT of your device anyway? Because in that non-zero chance that you are a target of investigation, a password is still a better choice over biometrics; one of those things is far easier for them to get a hold of.
I know just too lazy to do it for a bunch of sites
You can't just input raw data into the fingerprint reader fucktard. You still have to bypass it.
Show me the law that says the government and police are entitled to your biometric data without your consent.
>The thief with the database still has to be able to bypass the scanner and directly send it the data.
What the fuck are you even talking about? The database is a series of images of retinal data. Ideally it would be stored in some hashed format, but we know from experience, organizations *do not do this*, especially if they're not the one using it as an authentication mechanism (again, background checks come to mind). Everyone who had their fingerprints stolen in the recent attack can no longer use them as authentication mechanisms, bar none. Why is this so hard for you to understand?
>What country do you live in where you get retinal scans after crimes? Certainly not the US.
It was indeed the US.
>VPNs encrypt traffic and prevent MITM attacks is what I was getting at.
And I'm telling you they *don't*. They move the location of where the attack can occur. It's a risk mitigation strategy for if you're e.g. using a public wifi hotspot, where you trust the VPN provider more than fellow hotspot users, or if you suspect your ISP as being malicious. But they don't actually provide any additional security, they just move where the trust is located, because VPNs are NOT end-to-end encryption, they just encrypt to the provider.
>If you're not a retard you won't get a virus
Spoken like a fucking securitybro. Malware starts exploiting reverse engineered browser and flash patches in ~4 days now on ad networks, and that number is only going to go down. Yes, there are plenty of mechanisms to hinder malware, but I literally study this stuff for a living and *I* still reinstall xubuntu on a regular basis because I don't trust that my behavior was perfect. Anyone who believes they can't get hit is fooling themselves.
>The second one can be stopped if the data is encrypted after being read.
Encrypted, or hashed? Because... Whatever, it doesn't matter. The point is, how is it different than a password? At all? Again, other than creating a horrible, unnecessary risk?
>You can't just input raw data into the fingerprint reader fucktard.
What is a photograph?
I'll take security homeopathy for $1000, Alex!
>Photograph detailed enough to work on a fingerprint reader
The point is that it's much easier to scan your eyeball for 2 seconds than to use TFA, a physical key, a password, and whatever else every time you want to open your password manager because you cannot possibly remember 64 digit 256bit keys for everything.
The chances of you getting your eyeball print stolen is very small, and I don't believe that you got your eyeball scanned after being accused of a crime. Pics or it didn't happen.
>trusts them to follow letter of the law
>ignores that fingerprints are taken without suspect's knowledge all the time (water cups in interrogation, etc)
ok
>>Photograph detailed enough to work on a fingerprint reader
I've seen videos where people used a black and white copier, or a silicone casting, and both worked almost every time, including on high-profile door locks
>The chances of you getting your eyeball print stolen is very small
use any untrusted eyeball scanner, or walk in front of any untrusted high-resolution camera, and your eyeball print is stolen.
contrast a hardware key where the only data transmitted is OTP or challenge-response. Without access to the actual hardware where the master key is stored (never transmitted), you cannot use a compromised reader/scanner to steal credentials.
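The hardware-key property described above (a challenge-response token whose master secret never leaves the device, so a compromised reader records nothing reusable) as an added Python model; this is not code from any poster. The Token and Verifier classes and the fingerprint template bytes are constructed for illustration:

```python
import hashlib
import hmac
import secrets


class Token:
    """Hardware token model: holds the master secret, only ever emits responses."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # never leaves the device

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Service side: same secret on the account record, one-shot challenges."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: set[bytes] = set()  # issued but not yet answered

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh per login attempt
        self._pending.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is answered at most once, so a recorded pair cannot
        # be replayed; an unknown or already-used challenge fails outright.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def static_credential_accepts(presented: bytes, stored: bytes) -> bool:
    """Biometric template or typed password: compared as-is, so a copy is
    indistinguishable from the original and can be replayed indefinitely."""
    return hmac.compare_digest(presented, stored)


def simulate() -> dict:
    """Run one honest login, then replay what a compromised reader recorded."""
    secret = secrets.token_bytes(32)  # provisioned into token and verifier
    token, verifier = Token(secret), Verifier(secret)

    # Honest login: only these two values cross the reader and the wire.
    c1 = verifier.issue_challenge()
    r1 = token.respond(c1)
    captured = (c1, r1)  # everything a compromised reader could record
    login_ok = verifier.check(c1, r1)

    # Replaying the captured pair: that challenge was already consumed.
    replay_same = verifier.check(*captured)

    # Next login: a fresh challenge, for which the old response is wrong.
    c2 = verifier.issue_challenge()
    replay_new = verifier.check(c2, captured[1])

    # Contrast: a captured static credential (constructed template) replays.
    template = b"constructed-fingerprint-template-bytes"
    static_replay = static_credential_accepts(template, template)

    return {"login_ok": login_ok, "replay_same_challenge": replay_same,
            "replay_new_challenge": replay_new,
            "static_credential_replay": static_replay}
```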
>brain.EXE
>pen and paper
>my own program
At least I know the password is safe enough...
>Using other retinal scanners
>Implying there are cameras with enough definition to capture your fucking eyeprint
0/10
>Photograph detailed enough to work on a fingerprint reader
... uh, yeah? It just needs to be the resolution of the scanner, and protip: they're not as high a resolution as your fucking flip phone's camera was. This isn't theory, people do it.
srlabs.de
>The point is that it's much easier to scan your eyeball for 2 seconds than to use TFA, a physical key, a password, and whatever else every time you want to open your password manager because you cannot possibly remember 64 digit 256bit keys for everything.
Oh my god... you seriously believe these scanners give 256 bits of entropy? I'm fucking dying here, this is hilarious.
protip2: Some people in my lab work on this sort of problem. You're getting, like, 60 good bits of entropy on a scan, at MOST (top of the line hardware). You don't want to use this shit for an AES key without some kind of stretching (which, oh hey whaddaya know, you can do with passwords too). And the question, again, was what the *security* benefit is.
>The chances of you getting your eyeball print stolen is very small, and I don't believe that you got your eyeball scanned after being accused of a crime. Pics or it didn't happen.
If you had bothered to google, you would have known that it's been standard practice in NY since 2010, and has since spread to other jurisdictions.
nytimes.com
I can't give you pics, because they don't fucking give you a souvenir photo of you being scanned. They shove your chin into a plastic thing with what is basically a camera aimed at your eye, they press a button, you get blinded in that eye for a split second, and they move you on to the rest of processing.
Any camera will do you fucking idiot. How do you think this shit works? You think it fucking gets a 3D rendering or some shit? No, it's a photo. It's called a retinal scan for the same reason a normal scanner is called a scanner: it's basically a camera you can't move around. There's no extra-special technology involved, despite what you saw in the movies.
>>Using other retinal scanners
guess this logic makes sense when you never leave your parents' basement.
some people use more than one computer, user. Including some computers that are *gasp* stored in different places, and owned by different people.
>KeKPass manager
>in "20" + "1" + "6"
Brain 2016.
1Password. Works on my Windows PC and OSX laptop and I can pull up and key-in passwords with my thumbprint on my iPhone. Syncs between all of my shit with Dropbox. Literally can't imagine not using it now.