Thoughts on yubikey?

Want to get one to act in conjunction with LastPass. Mostly it will live in my laptop, but being able to use it on my phone would be really nice too. But I'd have to choose between being small and acceptable on my laptop or being able to use it with my phone via NFC.

>lastpass

don't store your passwords in the cloud, regardless of how supposedly secure it is.

this

>firefox still does not officially support u2f

suggestions for best password manager?

A fucking paper sheet and a pencil.

Write it in unitologist for extra safety.

keepass, which also supports yubikey and has plugins for auto-login and all that shit. just be smart about where you backup your password database file.

KeepAss

This. Get a 99c notebook from walgreens or something and keep it in the back of your drawer.

pgp encrypted text file

That's not really a manager, it's a backup. I'm willing to trade some security for some convenience. Typing 40-character strings of nonsense from a piece of paper is hella inconvenient.

Besides, it's not like the paper is perfectly secure either.

Use KeePass and store copies of your encrypted database on as many storage devices as possible so that you never lose it.

Proprietary bullshit.

For those concerned: the latest Yubikeys now use closed-source, proprietary software and are not recommended. The Yubikey Neo is still okay, however. You should look at something like www.nitrokey.com

What is this yubikon, nitrokey or similar? In a nutshell.

I read lots of buzzword-filled text on the official sites and videos, and the Wikipedia article is just a two-paragraph description, and I'm no closer to understanding.


Is it a device that stores a keypair and you just feed it a text and get the encrypted text (or filestream, whatever) to send, even if you're using a hostile computer? Is that it?

I see it can also output One-Time Passwords (OTP), but what's stopping a cybercafe station from spoofing the datetime to make yubygay vomit a future time-based OTP so the attacker can just wait for you to leave and access your account 2 hours from now?

BTW, I see that if you purchase 50+ they let you use some reprogramming software; that way at least only you would have the OTP list and not the USA manufacturers (and ofc the NSA)... but then the reprogramming tool uses the same USB interface, so... again:

What's stopping a hostile computer from running the reprogramming protocols in the background with a manufacturer-hardcoded master key to have youbegay vomit all of your home-generated OTP list?


SERIOUSLY?!?!?!!?!?!?!?!?!

pass or keepass

*That is assuming, of course, that you even took the care to run the reprogramming tool on an offline computer and then wiped the operating system, so that the software couldn't generate a secret copy of your custom OTP list, because they know a regular paranoid techie would just firewall-block the software and not care for whatever files it generates. They don't even need to be sent anywhere; just having it on your system is a big no. Win10 Cortana could upload it in chunks for all I know; it's not like it's out of reach for the Federal Idioct Act or similar 'protective' laws.
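On the time-spoofing question raised above: the OTPs a YubiKey button press emits (Yubico OTP) are counter-based, not time-based, so the host clock never enters the computation, and the server rejects any counter at or below the last one it accepted. The following is an added walk-through, not code from the thread or from Yubico; it uses the standard HOTP algorithm (RFC 4226) as a stand-in for the counter-based scheme, with a constructed secret and hypothetical `CounterToken`/`Verifier` classes.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    Note the inputs: a secret and a counter. There is no time parameter to spoof."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class CounterToken:
    """Stand-in for the hardware token (hypothetical): the counter lives inside the device
    and only ever moves forward; the host just receives the finished code."""
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def press(self) -> str:
        self._counter += 1
        return hotp(self._secret, self._counter)


class Verifier:
    """Server side (hypothetical): remembers the highest counter accepted for this token and
    refuses any code at or below it, so a captured code cannot be replayed later."""
    def __init__(self, secret: bytes, lookahead: int = 10):
        self._secret, self._last, self._lookahead = secret, 0, lookahead

    def verify(self, code: str) -> bool:
        # Allow a small look-ahead for presses that never reached the server.
        for c in range(self._last + 1, self._last + 1 + self._lookahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._last = c
                return True
        return False


def demo() -> tuple:
    """Constructed walk-through; returns (first_accepted, replay_accepted, skipped_accepted)."""
    secret = b"constructed-demo-secret-not-a-real-key"  # constructed, not a real token secret
    token, server = CounterToken(secret), Verifier(secret)
    first = server.verify(token.press())      # counter 1: accepted
    replay = server.verify(hotp(secret, 1))   # same code seen again: rejected, counter is spent
    token.press()                             # a press whose code never reached the server
    skipped = server.verify(token.press())    # counter 3: within look-ahead, accepted
    return first, replay, skipped


if __name__ == "__main__":
    print(demo())
```

Without the secret, a hostile host cannot compute the next code at all, and any code it captured from an earlier press is refused once the server has moved past that counter.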

Use a tpm so I can laugh at you when it fails

Does this affect me if I don't care about free software?

It's a black box. Black boxes are always bad for security.

I had a 2 hour lecture on this shit in itsec 101 and still didn't understand half of it.

It's a nifty solution but I'm wary whether the sheer complexity doesn't make it more vulnerable in the future. It's not like there would be no easier, similar solutions which you can actually understand.

Your brain, you dipshit.

Dedicated hardware containing secure (decap resistant) keypair storage and a crypto engine is a fundamentally good idea. These USB keys are basically the same concept as enterprise smartcards. I haven't yet evaluated each of the offerings, though. Not sure which one to get.

I wonder if it would be better to get a smartcard reader/writer and some smartcards... that tech is tried/tested/trusted.

Pen and accounting paper, or if you want to go high tech get a laptop and physically disable the network hardware.

There are some of us that have at least 50 accounts, all with different combinations of multiple usernames, email addresses, and passwords that are nearly impossible to remember and are prone to forgetting for one reason or another.

Assuming you're not a neckbeard tinfoil hatter, how many accounts do you have scattered across the web? A fair amount I'm sure.

Best practice is to use strong passwords with high entropy that are resistant to dictionary and other table attacks.

Best practice is to always use unique passwords, if not usernames, for every different account.

Best practice for sensitive accounts is change passwords regularly.

This very quickly can become a giant fucking mess if you're only using your head.

Too frequently compromised by drugs and alcohol

I got a couple during that free promotion. They're awesome, but cross-platform support is lacking, so I never use it despite it being on my (physical) keychain.