I've been wanting to make a transition to one, and I'm curious as to what you use and why. I'm between using Keepass and Pass. (For those who aren't familiar with it, passwordstore.org/ is the link. It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.)
I'm personally torn between the two, since keepass seems to be easier to use cross platform, but I do like the idea of Pass.
So, what password manager do you use? Why? Do you like it?
For any NEET who is scared of the someone-else-manages-and-generates-your-passwords-where-you-have-little-control botnet: KeePass (or any other offline password manager).
Angel Diaz
I just use firefox with master password
Samuel Mitchell
To be fair, it's not unreasonable to be paranoid of using a cloud based service.
You can only be so secure on the internet
Jordan Taylor
Dashlane desu. Super easy to cheat their refer-a-friend and get 6 months of premium.
Zachary Garcia
This is why I use KeePass.
Levi Perez
>letting botnet have your passwords
Smh senpai
Just make your password yourpassword+website/device initials+123@Abc
Josiah Allen
but when you use a set algorithm, your password isn't as secure in a pattern like that
Isaac Clark
>not having 3 different arithmetic operations and applying one for sites which start with a letter from A to S, another for T to Z and another one for sites starting with a number. Using the site's name in hexadecimal and applying the arithmetic operation.
Landon Jones
keepassx or fuck off
Leo Smith
pass + yubikey
Liam Stewart
I do something similar, but I also add a number to indicate the importance of the password. Email addresses have a higher number than throw away accounts.
Jonathan Williams
>It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.
How is it not following the UNIX philosophy?
Parker Wilson
If you don't mind your passwords being stolen: >LastPass
If you don't mind your password database being brute-forceable: >KeePass
If you care about your passwords being secure: >pass
Bentley Rivera
I used a pass generator to come up with a long list of 16 digit random upper/lowercase letters and numbers.
I changed all my passwords to passwords on that list and I just keep a copy of the list. Only problem is, I can't for the life of me remember a single one of those passwords, so I need to consult my list sometimes while other people are present.
Michael Gomez
The strength of a password derives solely from its unpredictability. I mean, a “password” itself can't really have a strength to begin with. The thing you're measuring is the strength of a password generation /scheme/.
In your proposed scheme, most of it is noise that contributes absolutely zero security (0 bits), because it's either static information (shared prefix), public information (website name) or easily guessable information (device initials). The actual kernel of your password is dogshit.
The thing you have to realize is that in practice, you can assume an attacker has access to _some_ of your passwords and is trying to break into your other accounts based on the ones that they know of.
If your password generating scheme fails this requirement, then it's shit.
Aaron Jenkins
>If you don't mind your password database being brute-forceable:
Mind clarifying?
I use a method similar to That way I know what all of my passwords are and even if someone gets access to a few of them, they can't guess any other passwords.
Asher Hughes
do you encrypt that file?
Landon Fisher
I'm using pass with custom scripts. I like how customizable it is.
My password pasting script checks the window name and tries to parse the password from that. If there isn't any unambiguous title matching the passwords, a rofi prompt is displayed with the possible passwords, or all of the passwords. Pretty often it shows just all the password paths, but that's not so bad since I can type just a few letters into the rofi prompt to get the right password entry.
super + p just types the password.
super + shift + p types the username matching the password.
super + ctrl + p types the username, types tab and then types the password (very useful for most websites).
super + ctrl + shift + p types the password, types enter and then types the password. Useful for example for git password prompt.
This is nice because I have a fast global password entry system - it works for every single program. It's secure and also handy. Qutebrowser also has a script which fetches the right password entry and types it into the login form if one is found.
Nathan Garcia
>Mind clarifying?
news.ycombinator.com/item?id=9727297 Weak, arbitrary and homegrown crypto. Very unlikely to withstand a cryptanalysis of any sophistication. You should operate under the assumption that anybody with a copy of your database is able to crack it.
No, but the only digital copy is on a burner pc at my house that doesn't even connect to the internet unless I want it to.
I use a printed hard copy I carry in my wallet.
Colton Hernandez
dashlane normie
Brandon Edwards
consider using mnemonic passwords (e.g. diceware) instead of purely randomly generated passwords
Jackson Cooper
thanks for the tip user, I think this might help
The random upper and lowercase was driving me nucking futs. It makes it so much harder to mentally group letters and numbers when some of them are capitalized.
Jace Edwards
any reason?
Adam Roberts
When considering a password scheme the thing you want to be optimizing for is entropy per effort - i.e. how many bits of entropy you gain versus how difficult it is to memorize that entropy.
If you assume that the amount of memorization work you can put into a password before you begin forgetting parts of it again is constant, then to gain the most amount of useful strength (entropy) you basically just have to find the scheme with the best efficiency (entropy / effort).
In practice, this means using mnemonic techniques: word associations, mental images, audio jingles, whatever your preferred method of memorization is.
Using a pure randomly generated password might seem the most secure on paper but when you consider how hard they are to memorize, you're getting a few bits of useful entropy at best; whereas an equivalently strong word password would be much easier to memorize.
This is what that widely-misunderstood xkcd comic was basically trying to convey: that password strength in practice is a function of entropy vs effort, not just effort.
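As an added illustration of Michael Gomez's critique of the fixed-pattern scheme (static prefix, site name and fixed suffix carry 0 bits) and of Adam Roberts's entropy-per-effort argument, not code from anyone in the thread: a small entropy calculator. The effort model (one memorization unit per random character or per random word), the 8-character secret kernel and the 62-symbol alphabet are assumptions made here for illustration.

```python
"""Added example: bits of entropy per memorization unit for the schemes
discussed in the thread.  The effort model is an assumption made here."""
import math

ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
DICEWARE_LIST_SIZE = 7776   # size of a standard Diceware word list


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `choices` symbols."""
    return picks * math.log2(choices)


def scheme_entropy(parts) -> float:
    """Sum entropy over the parts of a scheme.  A part is (choices, picks).
    Anything the attacker already knows (shared prefix, site name, a leaked
    password) has exactly one possibility and therefore contributes 0 bits."""
    return sum(entropy_bits(choices, picks) for choices, picks in parts)


def pattern_scheme(kernel_known: bool) -> float:
    """'yourpassword + site initials + 123@Abc' from the thread.
    Only the secret kernel carries entropy (assumed 8 random characters).
    Once a single password has leaked the kernel is public too, and every
    other account built from the same pattern is 0 bits away."""
    kernel = (1, 1) if kernel_known else (len(ALNUM), 8)
    site_name, fixed_suffix = (1, 1), (1, 1)     # public / static: 0 bits
    return scheme_entropy([kernel, site_name, fixed_suffix])


def random_scheme(length: int) -> float:
    """Uniformly random alphanumeric password, one unit of effort per char."""
    return entropy_bits(len(ALNUM), length)


def diceware_scheme(words: int) -> float:
    """Diceware passphrase, one unit of effort per word (a word is recalled
    as one chunk, which is the whole point of the mnemonic approach)."""
    return entropy_bits(DICEWARE_LIST_SIZE, words)


def bits_per_unit(bits: float, units: int) -> float:
    """Entropy gained per memorization unit (assumed effort model)."""
    return bits / units


def summary() -> dict:
    """Entropy and entropy-per-unit for the three schemes side by side."""
    return {
        "pattern, kernel secret": (pattern_scheme(False), bits_per_unit(pattern_scheme(False), 8)),
        "pattern, one leak":      (pattern_scheme(True), 0.0),
        "random 16 chars":        (random_scheme(16), bits_per_unit(random_scheme(16), 16)),
        "diceware 6 words":       (diceware_scheme(6), bits_per_unit(diceware_scheme(6), 6)),
    }
```

Six Diceware words and sixteen random characters land in the same strength range, but the passphrase delivers roughly twice the bits per memorized unit, which is the comic's point.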
Brandon Davis
Well, the basic reasoning is that the human brain is significantly better at memorizing word patterns/associations than it is at memorizing random digits. These are techniques used by memory champions worldwide, and known as far back as ancient Greece if not earlier. (e.g. the method of loci / memory palace)
If it's good enough for international memory champions, it's good enough for your passwords; which means you could stop having to constantly look them up from your paper copy of the password list and start just memorizing them instead.
Nathaniel Turner
Of course, you can also just use these mnemonic techniques to directly memorize the random strings, rather than making the mnemonic technique itself your password.
(Although that being said, using the mnemonic technique directly as the password has the upside of making it more resilient against a pure brute force attack)
At any rate, you want to be using mnemonic techniques to memorize your password in the end.
Adrian Walker
I'm using 1password. I'm liking it so far as long as it doesn't pull some jew shit and start charging me money.
John Diaz
just gonna leave this here Sup Forumsuise
Nathaniel Ward
botnet
Jose Wood
Why over Keepass2?
Liam Thomas
Seems complicated when you could just use a random string
Angel Sanders
Reading that thread people are claiming all of the original issues brought up were addressed, some even before that discussion took place.
Daniel Scott
>homegrown crypto
Matthew Cooper
Just use LastPass with 2-factor auth, works pretty well and someone would need my phone to crack into it.
Yes, it's riskier than an offline manager, but honestly I think the convenience is worth it.
Statistically speaking LastPass would advise of a compromise long before any hacker could login to my stuff, and changing the password again is easy.
Isaiah Lee
Just use a txt document
Eli Adams
The only stuff I'm *truly* worried about is my banking and Google details.
Google has a separate 2-factor auth making it impossible to access without my phone.
My bank needs a password and a pin number to login, LastPass doesn't remember both.
So even if LastPass is compromised, the damage is pretty limited unless they take ages to notify users of the breach.
Julian Garcia
Use secure notes.
Camden James
KeePassX is all you'll really need.
Samuel Moore
>he needs a digital database that requires a master password to access to retrieve his passwords for all of his accounts
only autists like Sup Forums can make this more complicated than it needs to be. just sit down, take 10 minutes to come up with a sufficiently long and cryptic key pattern that is still easy for you to remember, write that down somewhere, and refer back to it as needed. after a while, you should be able to memorize it and not need it written down anymore.
Isaiah James
Use keepass, don't like it because it's a shitty GUI app. for a while I used a luks encrypted disk image and mounted it as needed, but the more I think about it the more a gpg encrypted message to myself makes sense.
But keepass works on my phone.
Camden Martin
I use passwordcard.org/en. I just have to remember a colour, visual marker or pattern for each website and then I add a word and special character to the end. IMO the most secure way to do it since it has almost limitless possibilities and the only key is stored in my head.
Luis Garcia
you shouldn't use the same password for everything
Liam Scott
>It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.
What?
Ian Diaz
I think it misses a few things here and there, I don't think that passwords being labeled in plain-text with no way to fix is unixy (I might be wrong and there is a way to do that,) and also the tree view is the standard, but I think that can be changed as well
These are completely retarded nitpicks, and I don't even know why I wrote that. I guess I wasn't thinking earlier.
You mean like the breach from 2013 that was just reported? That breach?
Jayden Turner
>not using 10+ digit passwords with a combination of lowercase, uppercase, symbols and numbers as well as words from foreign languages
Leo Cruz
> store passwords in the """cloud"""
what the fuck
Aiden Myers
A really bad decision desu, it's just not safe
Xavier Baker
>have to fly up to the sky to grab my passwords
don't think i have that much money for hackers to buy a plane and grab my password and have it be worth it
Colton Perez
I use KeePass because I'm not going to pay just to access my passwords on my phone. Also I'd much rather store my database in my own cloud than in a centralized server full of passwords.
Jason Barnes
Why use keepassX over Keepass? Mono might turn people off, but it has more plugin support I believe
Carter Brown
The X makes it cooler
Hunter Johnson
that's pretty edgy
Sebastian Harris
Not real. Keepass is safe.
Logan Allen
The non cancerous logo and linux support.
Brayden Gomez
Isn't the plug in support nearly non existent, though? Things like two factor authentication and cloud sync
Thomas Green
> not using OSX's keychain in $currentYear
Nathaniel Nguyen
p cool
Angel Stewart
For what fucking purpose
Brayden Perry
I don't understand the 2Auth meme. My passwords are stored in plaintext as a .txt, which also makes my accounts impossible to access without my laptop.
Noah Collins
Yeah. You can still use key files and manually pull from cloud so it's just a minor inconvenience.
Brayden Brooks
>trusting a company under PRISM
>_81738062_risitas.jpg
Alexander Ortiz
veracrypt+txt file
Sebastian Wilson
>almost 2017
>not using 'asdfasdf' as your password for everything since 1996
Joseph Barnes
I'm more confused about what password manager to use than when I started this thread.
I just want a reasonably secure, not even super secure password manager that's cross platform.
Jose Cook
Then use KeePassX. Works everywhere, as far as I know.
Ethan Carter
Norman the Normie here:
Why do you use these things?
Why don't you just write your shit in a little notebook that you always keep on your person, or in a drawer, or whatever so you can get it when you need it?
It just seems odd to have to use software to help you manage passwords.
Maybe because I only have a few.
Carter Wright
Convenience
Brody Wood
If you had a book in a safe or something, it would probably be safer, but you would also be limited. KeePass allows you to carry a copy of the passwords everywhere, and use 2 factor authentication (usually a picture and a password) in order to access the stuff. It's safer than carrying around a notebook with you, though less safe than keeping it in a safe at all times that you don't need it.
Aiden Gonzalez
Because my passwords are 32-64 (or max length allotted) strings of random shit like >bwbwu838;*;@))281;sjkan℅~~`|}{£[]¢iwiwbdgyJSJSN_8282+@AWKWNk0 And being able to press CTRL+ALT+A to have the password autotype is extremely convenient.
But I mostly started using one after I checked haveibeenpwned and got a bunch of hits for an account with a password I use everywhere. It's important to never use the same password twice on anything you wouldn't mind losing, and to never put any other personally identifying information on those disposable accounts.
Joshua Torres
The amount of passwords I have is getting obscene and the only way I can memorize them all is taking shortcuts that are killing security.
It's also just a matter of they take a long time to type in.
t. IT consultant
Robert Martinez
Try remembering 30, all having their own convoluted scheme like
Jeremiah Peterson
My passwords are in a notebook on my book shelf
Wyatt Flores
>I need to consult my list sometimes while other people are present
If it was digital...
grep sitename passwords.txt | xclip
You can always use ssh and X-forwarding to do that from elsewhere.
Aiden Russell
I use my brain.
Hudson Foster
Thank you. I understand now. My pedestrian needs don't really warrant this sort of thing.
However, how can you trust that your shit isn't compromised?
I mean, I'm wary of normal autocorrect, but having a central something know all my passwords and have the ability to auto every single one?
What if you lose your access to this database? Do you need a password manager for a password manager?
If this thing were ever compromised then you'd be up shit creek without a paddle.
Wyatt Rivera
If you forget the one single password that's actually important, then your default scheme of memorizing every password in your head isn't going to fare much better.
Josiah Lewis
>The only stuff I'm *truly* worried about is my banking and Google details.
Then you write those 2 things on multiple pieces of paper which you store in your home behind lock and key.
Connor Bell
Keepass worked really shitty on my ubuntu machine - I couldn't copy/paste stored passwords into shell and I had to resort to first pasting them into a text editor and then copying from it and only then pasting into shell.
Also, KeepassX doesn't look shit.
Jackson Price
>ctrl+f
>no pwd.sh
You disappoint me, Sup Forums.
Levi Allen
>Keepass worked really shitty on my ubuntu machine - I couldn't copy/paste stored passwords into shell and I had to resort to first pasting them into a text editor and then copying from it and only then pasting into shell.
X is retarded and has multiple clipboards, that's probably what tripped you up
Also if you're on Linux why use that garbage when you can just use the superior ‘pass’
Lucas Russell
this
that is why you don't use keepass, you use superior keepassX
see above, the database is far superior and is free of .NET
Jose Sanchez
>that is why you don't use keepass, you use superior keepassX
Why would I use keepassX when I can use a real password manager like pass instead?
Hunter Ross
Keepass you dumb faggot
Hunter Morris
>want to use a password manager
>decide on keepass
>bloated as fuck because mono
>continue looking
>find keepassX
>project is dead we keepassx2 now
>we don't have any plugins
>you have to try and get some firefox addon that was designed for keepass to work for keepassx2
>no yubikey support
I just want to be able to have security + somewhat ease of use. Is this not allowed?
Logan Robinson
The one thing that bothers me with pass is that it leaves the folder structure/account names unencrypted. If anyone has a .bashrc script or a systemd job config that takes care of unencrypting and untaring the .passwordstore folder on startup and then taring and encrypting it on shutdown, pls post.
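Added example for the request above, written here and not taken from the thread or from pass itself: two POSIX sh functions that tar and GPG-encrypt the whole store at logout and restore it at login, so the directory tree (the account names) is not readable at rest. It assumes pass's own layout, where a .gpg-id file at the store root names the recipient key, and that gpg-agent handles the passphrase prompt; STORE and SEALED are overridable paths.

```shell
#!/bin/sh
# Added example (not part of pass): seal ~/.password-store into a single
# GPG blob while logged out, and unpack it again at login.
# Assumes pass's layout: the store root holds .gpg-id naming the recipient key.
STORE="${STORE:-$HOME/.password-store}"
SEALED="${SEALED:-$HOME/.password-store.tar.gpg}"

# Encrypt stdin to stdout for the recipient key id given as $1.
encrypt_blob() {
    gpg --batch --quiet --encrypt --recipient "$1"
}

# Decrypt stdin to stdout (gpg-agent prompts for the private key passphrase).
decrypt_blob() {
    gpg --batch --quiet --decrypt
}

# Logout/shutdown hook: archive the store, encrypt it, then drop the plaintext tree.
seal_store() {
    [ -d "$STORE" ] || { echo "seal_store: no store at $STORE" >&2; return 1; }
    recipient=$(cat "$STORE/.gpg-id") || return 1
    tmp="$SEALED.tmp"
    # Archive from the parent directory so the tarball holds a relative path.
    tar -C "$(dirname "$STORE")" -cf - "$(basename "$STORE")" \
        | encrypt_blob "$recipient" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$SEALED"
    # Only after the sealed copy is in place.  Note that rm does not wipe
    # the freed blocks; an encrypted home or ecryptfs covers that gap.
    rm -rf "$STORE"
}

# Login hook: decrypt and unpack; never clobber an existing plaintext store.
open_store() {
    [ -f "$SEALED" ] || { echo "open_store: no sealed store at $SEALED" >&2; return 1; }
    [ -d "$STORE" ] && { echo "open_store: $STORE already exists" >&2; return 1; }
    decrypt_blob < "$SEALED" | tar -C "$(dirname "$STORE")" -xf - || return 1
    rm -f "$SEALED"
}
```

Wire seal_store into a logout hook (or a systemd user service's ExecStop) and open_store into the login side; both refuse to run when their precondition is not met, so a half-finished cycle leaves the data in exactly one of the two states.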
Elijah Wright
why not just use ecryptfs
Adrian Martin
I suppose that is the way to go.
Jaxson Kelly
>The one thing that bothers me with pass is that it leaves the folder structure/account names unencrypted.
Why the fuck does Sup Forums recommend this then?
Jose Gomez
So I skimmed through the thread and I'm still sceptical. I just don't trust any third party service storing/generating passwords for me, but again, I realize how important it is to regularly update passwords, add 2fa where possible and so on.
So is there a password manager, which is really secure and free? Maybe a password manager which stores passwords locally or something?
Josiah Taylor
Muh UNIX philosophy. I don't know of any other password manager that doesn't require a GUI. And the unencrypted directory structure has the benefit of enabling tab completion for account names.
Michael King
Also enables you to add passwords to the store without entering the password of the private key.
Caleb Anderson
Yes, it's called keepass.
Brody Sanchez
Because it follows the UNIX philosophy and reuses tried and true existing technologies instead of reinventing the wheel poorly.
`pass` is just a shell script that wraps together existing tools like `tree`, $EDITOR, GnuPG, xclip and git. It does basically nothing on its own, and that's why it's
1. secure (GPG is well-known, widely audited and NSA-proof as per Snowden)
2. forwards compatible (since it uses plain files and GPG, you can both easily migrate your database to future versions and easily read/recover it 20 years down the line; can't say the same for some shitty homegrown database format that's reliant on a single tool continuing to exist)
3. portable