Password Managers

Sup Sup Forums, let's talk password managers.

I've been wanting to make a transition to one, and I'm curious as to what you use and why. I'm between using Keepass and Pass. (For those who aren't familiar with it, passwordstore.org/ is the link. It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.)

I'm personally torn between the two, since keepass seems to be easier to use cross platform, but I do like the idea of Pass.

So, what password manager do you use? Why? Do you like it?

For any normie; LastPass.

For any NEET who is scared of the someone-else-manages-and-generates-your-passwords-where-you-have-little-control botnet: KeePass (or any other offline password manager).

I just use firefox with master password

To be fair, it's not unreasonable to be paranoid of using a cloud based service.

You can only be so secure on the internet

Dashlane desu
Super easy to cheat their refer-a-friend and get 6 months of premium

This is why I use KeePass.

>letting botnet have your passwords
Smh senpai

Just make your password yourpassword+website/device initials+123@Abc

but when you use a set algorithm, your password isn't as secure with a pattern like that

>not having 3 different arithmetic operations and applying one for sites which start with a letter from A to S other for T to Z and other one for number starting sites. Using the site's name in hexadecimal and applying the arithmetic operation.

keepassx or fuck off

pass + yubikey

I do something similar, but I also add a number to indicate the importance of the password. Email addresses have a higher number than throw away accounts.

>It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.
How is it not following the UNIX philosophy?

If you don't mind your passwords being stolen:
>LastPass

If you don't mind your password database being brute-forceable:
>KeePass

If you care about your passwords being secure:
>pass

I used a pass generator to come up with a long list of 16 digit random upper/lowercase letters and numbers.

I changed all my passwords to passwords on that list and I just keep a copy of the list
Only problem is, I can't for the life of me remember a single one of those passwords, so I need to consult my list sometimes while other people are present

The strength of a password derives solely from its unpredictability. I mean, a “password” itself can't really have a strength to begin with. The thing you're measuring is the strength of a password generation /scheme/.

In your proposed scheme, most of it is noise that contributes absolutely zero security (0 bits), because it's either static information (shared prefix), public information (website name) or easily guessable information (device initials). The actual kernel of your password is dogshit.

The thing you have to realize is that in practice, you can assume an attacker has access to _some_ of your passwords and is trying to break into your other accounts based on the ones that they know of.

If your password generating scheme fails this requirement, then it's shit.

>If you don't mind your password database being brute-forceable:
Mind clarifying?

I use a method similar to That way I know what all of my passwords are and even if someone gets access to a few of them, they can't guess any other passwords.

do you encrypt that file?

I'm using pass with custom scripts. I like how customizable it is.

My password pasting script checks the window name and tries to parse the password from that. If there isn't any unambiguous title matching the passwords, a rofi prompt is displayed with the possible passwords, or all of the passwords. Pretty often it shows just all the password paths, but that's not so bad since I can type just a few letters to the rofi prompt to get the right password entry.

super + p just types the password.

super + shift + p types the username matching the password.

super + ctrl + p types the username, types tab and then types the password (very useful for most websites).

super + ctrl + shift + p types the password, types enter and then types the password. Useful for example for git password prompt.

This is nice because I have a fast global password entry system - it works for every single program. It's secure and also handy. Qutebrowser also has a script which fetches the right password entry and types it to the login form if one is found.
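The selection logic that post describes (an unambiguous title match gets typed straight away, several matches go to a chooser, no match shows every entry) written out as a pure function. This is an added example, not the poster's script or anything from rofi-pass; it runs without X, rofi or gpg, and the entry names and window titles are constructed sample data laid out the way pass stores them.

```python
"""Choose a password-store entry from the focused window's title.

Added example; not the poster's script. It reproduces the selection logic
described above as a pure function: an unambiguous match on the title is
typed directly, several matches go to a chooser, no match shows every
entry. Entry names and window titles are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: names of the *.gpg files under ~/.password-store,
# minus the prefix and the .gpg suffix, as pass(1) lays them out.
ENTRIES = [
    "web/github.com/alice",
    "web/github.com/alice-work",
    "web/news.ycombinator.com/alice",
    "web/example.org/alice",
    "mail/imap.example.org",
]

@dataclass
class Selection:
    chosen: Optional[str]   # entry to type when the title was unambiguous
    candidates: list        # what the chooser (rofi in the post) would show otherwise

_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]+")

def hostname_tokens(title: str) -> list:
    """Dotted tokens from a window title, e.g. 'news.ycombinator.com' from a browser tab."""
    return [t.strip(".").lower() for t in _TOKEN.findall(title) if "." in t.strip(".")]

def select_entry(title: str, entries=ENTRIES) -> Selection:
    matched = []
    for tok in hostname_tokens(title):
        labels = tok.split(".")
        # Try the full host, then drop leading labels (www.example.org -> example.org);
        # stop before a single label so a bare "com" or "org" never matches anything.
        for i in range(len(labels) - 1):
            needle = ".".join(labels[i:])
            hits = [e for e in entries if needle in e.split("/")]
            if hits:
                matched.extend(h for h in hits if h not in matched)
                break
    if len(matched) == 1:
        return Selection(matched[0], matched)
    if matched:
        return Selection(None, matched)        # ambiguous: let the user pick among these
    return Selection(None, list(entries))      # nothing recognisable: show everything

if __name__ == "__main__":
    for title in ["news.ycombinator.com - qutebrowser",
                  "Sign in · https://github.com/login",
                  "https://www.example.org/account",
                  "alice@build-host: ~"]:
        print(f"{title!r:45} -> {select_entry(title)}")
```

Matching only on dotted, host-like tokens against whole path components is what keeps a title such as "alice@build-host" from matching every entry that ends in /alice; the fallback to the full list is the "pretty often it shows just all the password paths" case from the post.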

>Mind clarifying?
news.ycombinator.com/item?id=9727297
Weak, arbitrary and homegrown crypto. Very unlikely to withstand a cryptanalysis of any sophistication. You should operate under the assumption that anybody with a copy of your database is able to crack it.

this

I use rofi-pass: github.com/carnager/rofi-pass

wait, are you literally me? I use qutebrowser too

Nice

No, but the only digital copy is on a burner pc at my house that doesn't even connect to the internet unless I want it to.

I use a printed hard copy I carry in my wallet.

dashlane normie

consider using mnemonic passwords (e.g. diceware) instead of purely randomly generated passwords

thanks for the tip user, I think this might help

The random upper and lowercase was driving me nucking futs. It makes it so much harder to mentally group letters and numbers when some of them are capitalized

any reason?

When considering a password scheme the thing you want to be optimizing for is entropy per effort - i.e. how many bits of entropy you gain versus how difficult it is to memorize that entropy.

If you assume that the amount of memorization work you can put into a password before you begin forgetting parts of it again is constant, then to gain the most amount of useful strength (entropy) you basically just have to find the scheme with the best efficiency (entropy / effort).

In practice, this means using mnemonic techniques: word associations, mental images, audio jingles, whatever your preferred method of memorization is.

Using a pure randomly generated password might seem the most secure on paper but when you consider how hard they are to memorize, you're getting a few bits of useful entropy at best; whereas an equivalently strong word password would be much easier to memorize.

This is what that widely-misunderstood xkcd comic was basically trying to convey: that password strength in practice is a function of entropy vs effort, not just effort.

Well, the basic reasoning is that the human brain is significantly better at memorizing word patterns/associations than it is at memorizing random digits. These are techniques used by memory champions worldwide, and known as far back as ancient Greece if not earlier. (e.g. the method of loci / memory palace)

If it's good enough for international memory champions, it's good enough for your passwords; which means you could stop having to constantly look them up from your paper copy of the password list and start just memorizing them instead.

Of course, you can also just use these mnemonic techniques to directly memorize the random strings, rather than making the mnemonic technique itself your password.

(Although that being said, using the mnemonic technique directly as the password has the upside of making it more resilient against a pure brute force attack)

At any rate, you want to be using mnemonic techniques to memorize your password in the end.
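To put numbers on the two arguments above (the earlier one that a scheme's strength lies only in what its generator chose at random, and this one about entropy per memorisation effort), here is an added example, not from any poster in the thread. A component scores the bits the generator picked uniformly at random, so static prefixes and site names score zero, and anything shared across sites scores zero once one password has leaked. The effort model (items to memorise) and the 100,000-word vocabulary assumed for the derived scheme are illustrative assumptions.

```python
"""Entropy budget of a password generation scheme.

Added example, not from the thread. A component only contributes the bits
the generator chose uniformly at random; static, public or shared parts
contribute nothing. "Effort" is modelled as the number of independent items
a person must memorise, an assumption for illustration.
"""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    choices: int = 1       # equiprobable options the generator picked from (1 = fixed or public)
    units: int = 1         # how many independent picks of this kind
    shared: bool = False   # identical across sites, so one leaked password reveals it
    effort: int = 0        # items a person must memorise (assumption)

    @property
    def bits(self) -> float:
        return self.units * math.log2(self.choices) if self.choices > 1 else 0.0

def scheme_bits(components, attacker_has_one: bool = False) -> float:
    """Bits an attacker still has to guess for a fresh password from this scheme."""
    return sum(0.0 if attacker_has_one and c.shared else c.bits for c in components)

def scheme_effort(components) -> int:
    return sum(c.effort for c in components)

def bits_per_effort(components, attacker_has_one: bool = False) -> float:
    e = scheme_effort(components)
    return scheme_bits(components, attacker_has_one) / e if e else 0.0

def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password at a given guess rate (half the keyspace)."""
    return 2 ** bits / 2 / guesses_per_second

# The "yourpassword + site initials + 123@Abc" proposal from earlier in the thread.
DERIVED = (
    Component("base word", choices=100_000, shared=True, effort=1),  # assumption: ~100k-word vocabulary
    Component("site initials"),                    # public information: 0 bits
    Component("123@Abc suffix", shared=True),      # static information: 0 bits
)
# 16 random characters from [A-Za-z0-9], like the list one poster generated.
RANDOM_16 = (Component("alphanumeric char", choices=62, units=16, effort=16),)
# Six words drawn from the 7776-word Diceware list.
DICEWARE_6 = (Component("diceware word", choices=7776, units=6, effort=6),)

if __name__ == "__main__":
    for label, scheme in [("derived", DERIVED), ("random16", RANDOM_16), ("diceware6", DICEWARE_6)]:
        fresh = scheme_bits(scheme)
        leaked = scheme_bits(scheme, attacker_has_one=True)
        print(f"{label:10s} {fresh:6.1f} bits, {leaked:6.1f} bits after one leak, "
              f"{bits_per_effort(scheme):5.1f} bits per memorised item")
```

Run it and the derived scheme drops to zero bits as soon as the attacker holds one of your passwords, while six Diceware words give fewer raw bits than 16 random characters but roughly twice the bits per memorised item, which is the trade-off the post is describing.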

I'm using 1password. I'm liking it so far as long as it doesn't pull some jew shit and start charging me money.

just gonna leave this here Sup Forumsuise

botnet

Why over Keepass2?

Seems complicated when you could just use a random string

Reading that thread, people are claiming all of the original issues brought up were addressed, some even before that discussion took place.

>homegrown crypto

Just use LastPass with 2-factor auth, works pretty well and someone would need my phone to crack into it.

Yes, it's riskier than an offline manager, but honestly I think the convenience is worth it.

Statistically speaking LastPass would advise of a compromise long before any hacker could login to my stuff, and changing the password again is easy.

Just use a txt document

The only stuff I'm *truly* worried about is my banking and Google details.

Google has a separate 2-factor auth making it impossible to access without my phone.

My bank needs a password and a pin number to login, LastPass doesn't remember both.

So even if LastPass is compromised, the damage is pretty limited unless they take ages to notify users of the breach.

Use secure notes.

KeePassX is all you'll really need.

>he needs a digital database that requires a master password to access to retrieve his passwords for all of his accounts

only autists like Sup Forums can make this more complicated than it needs to be. just sit down, take 10 minutes to come up with a sufficiently long and cryptic key pattern that is still easy for you to remember, write that down somewhere, and refer back to it as needed. after a while, you should be able to memorize it and not need it written down anymore.

Use keepass, don't like it because it's a shitty GUI app. For a while I used a luks encrypted disk image and mounted it as needed, but the more I think about it the more a gpg encrypted message to myself makes sense.

But keepass works on my phone.

I use passwordcard.org/en. I just have to remember a colour, visual marker or pattern for each website and then I add a word and special character to the end. IMO the most secure way to do it, since it has almost limitless possibilities and the only key is stored in my head.

you shouldn't use the same password for everything

>It touts itself as a password manager that obeys unix philosophy, although it's not quite that if you look into it.
What?

I think it misses a few things here and there. I don't think that passwords being labeled in plain text with no way to fix it is unixy (I might be wrong and there is a way to do that), and also the tree view is the standard, but I think that can be changed as well.

These are completely retarded nitpicks, and I don't even know why I wrote that. I guess I wasn't thinking earlier.

So just ignore it, it's unix.

>I don't like the way it displays shit
Then change it. It's a fucking bash script
git.zx2c4.com/password-store/tree/src/password-store.sh

You mean like the breach from 2013 that was just reported? That breach?

>not using 10+ digit passwords with a combination of lowercase, uppercase, symbols and numbers as well as words from foreign languages

> store passwords in the """cloud"""

what the fuck

A really bad decision desu, it's just not safe

>have to fly up to the sky to grab my passwords

don't think I have that much money for hackers to buy a plane and grab my password and have it be worth it

I use KeePass because I'm not going to pay just to access my passwords on my phone. Also I'd much rather store my database in my own cloud than in a centralized server full of passwords.

Why use keepassX over Keepass? Mono might turn people off, but it has more plugin support I believe

The X makes it cooler

that's pretty edgy

Not real. Keepass is safe.

The non cancerous logo and linux support.

Isn't the plugin support nearly nonexistent, though? Things like two factor authentication and cloud sync

> not using OSX's keychain in $currentYear

p cool

For what fucking purpose

I don't understand the 2Auth meme
my passwords are stored in plaintext as a .txt which also makes my accounts impossible to access without my laptop

yea. You can still use key files and manually pull from cloud so it's just a minor inconvenience.

>trusting a company under PRISM

veracrypt+txt file

>almost 2017
>not using 'asdfasdf' as your password for everything since 1996

I'm more confused about what password manager to use than when I started this thread.

I just want a reasonably secure, not even super secure password manager that's cross platform.

Then use KeePassX. Works everywhere, as far as I know.

Norman the Normie here:

Why do you use these things?

Why don't you just write your shit in a little notebook that you always keep on your person, or in a drawer, or whatever so you can get it when you need it?

It just seems odd to have to use software to help you manage passwords.

Maybe because I only have a few.

Convenience

If you had a book in a safe or something, it would probably be safer, but you would also be limited. KeePass allows you to carry a copy of the passwords everywhere, and use 2 factor authentication (usually a picture and a password) in order to access the stuff. It's safer than carrying around a notebook with you, though less safe than keeping it in a safe at all times that you don't need it.

Because my passwords are 32-64 (or max length allotted) strings of random shit like
>bwbwu838;*;@))281;sjkan℅~~`|}{£[]¢iwiwbdgyJSJSN_8282+@AWKWNk0
And being able to press CTRL+ALT+A to have the password autotype is extremely convenient.

But I mostly started using one after I checked haveibeenpwned and got a bunch of hits for an account with a password I use everywhere. It's important to never use the same password twice on anything you wouldn't mind losing, and to never put any other personally identifying information on those disposable accounts.

The amount of passwords I have is getting obscene and the only way I can memorize them all is taking shortcuts that kill security.

It's also just that they take a long time to type in.

t. IT consultant

Try remembering 30, all having their own convoluted scheme like

My passwords are in a notebook in my book shelf

>I need to consult my list sometimes while other people are present
If it was digital...

grep '<site>' passwords.txt | xclip -selection clipboard

You can always use ssh and X-forwarding to do that from elsewhere.

I use my brain.

Thank you. I understand now. My pedestrian needs don't really warrant this sort of thing.

However, how can you trust that your shit isn't compromised?

I mean, I'm wary of normal autocorrect, but having a central something know all my passwords and have the ability to auto every single one?

What if you lose your access to this database? Do you need a password manager for a password manager?

If this thing were ever compromised then you'd be up shit creek without a paddle.

If you forget the one single password that's actually important, then your default scheme of memorizing every password in your head isn't going to fare much better.

>The only stuff I'm *truly* worried about is my banking and Google details.

Then you write those 2 things on multiple pieces of paper which you store in your home behind lock and key.

Keepass worked really shitty on my ubuntu machine - I couldn't copy/paste stored passwords into shell and I had to resort to first pasting them into a text editor and then copying from it and only then pasting into shell.

Also, KeepassX doesn't look shit.

>ctrl+f
>no pwd.sh

You disappoint me, Sup Forums.

>Keepass worked really shitty on my ubuntu machine - I couldn't copy/paste stored passwords into shell and I had to resort to first pasting them into a text editor and then copying from it and only then pasting into shell.
X is retarded and has multiple clipboards, that's probably what tripped you up

Also if you're on Linux why use that garbage when you can just use the superior ‘pass’

this

that is why you don't use keepass, you use superior keepassX

see above, the database is far superior and is free of .NET

>that is why you don't use keepass, you use superior keepassX
Why would I use keepassX when I can use a real password manager like pass instead?

Keepass you dumb faggot

>want to use a password manager
>decide on keepass
>bloated as fuck because mono
>continue looking
>find keepassX
>project is dead we keepassx2 now
>we don't have any plugins
>you have to try and get some firefox addon that was designed for keepass to work for keepassx2
>no yubikey support
I just want to be able to have security + somewhat ease of use. Is this not allowed?

The one thing that bothers me with pass is that it leaves the folder structure/account names unencrypted.
If anyone has a .bashrc script or a systemd job config that takes care of decrypting and untarring the .password-store folder on startup and then tarring and encrypting it on shutdown, pls post.

why not just use ecryptfs

I suppose that is the way to go.

>The one thing that bothers me with pass is that it leaves the folder structure/account names unencrypted.

Why the fuck does Sup Forums recommend this then?

So I skimmed through the thread and I'm still sceptical. I just don't trust any third party service storing/generating passwords for me, but again, I realize how important it is to regularly update passwords, add 2fa where possible and so on.

So is there a password manager, which is really secure and free? Maybe a password manager which stores passwords locally or something?

Muh UNIX philosophy. I don't know of any other password manager that doesn't require a GUI.
And the unencrypted directory structure has the benefit of enabling tab completion for account names.

Also enables you to add passwords to the store without entering the password of the private key.

Yes, it's called keepass.

Because it follows the UNIX philosophy and reuses tried and true existing technologies instead of reinventing the wheel poorly

`pass` is just a shell script that wraps together existing tools like `tree`, $EDITOR, GnuPG, xclip and git. It does basically nothing on its own, and that's why it's

1. secure (GPG is well-known, widely audited and NSA-proof as per Snowden)
2. forwards compatible (since it uses plain files and GPG, you can both easily migrate your database to future versions and easily read/recover it 20 years down the line, can't say the same for some shitty homegrown database format that's reliant on a single tool continuing to exist)
3. portable
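Both sides of that design show up in the same few lines: because a pass store is just a tree of GPG files, you can read it back with nothing but GnuPG and a directory walk (point 2 above), and for exactly the same reason the entry names are readable by anyone who gets a copy of the directory, which is the complaint raised earlier in the thread. This is an added example, not code from pass or from any poster; it assumes the stock layout (PASSWORD_STORE_DIR, default ~/.password-store, one <entry>.gpg per entry, password on the first line), and the sample store it builds is constructed with empty placeholder files.

```python
"""Read a pass(1) store with nothing but Python and GnuPG.

Added example, not code from pass or from this thread. Assumes the stock
layout: PASSWORD_STORE_DIR (default ~/.password-store) holding one
GPG-encrypted file per entry, named <entry>.gpg, password on the first line.
"""
import os
import subprocess
import tempfile

def default_store() -> str:
    return os.environ.get("PASSWORD_STORE_DIR", os.path.expanduser("~/.password-store"))

def store_entries(store: str) -> list:
    """Entry names: what `pass ls` shows, and what a copy of the directory leaks without the key."""
    names = []
    for root, dirs, files in os.walk(store):
        dirs[:] = [d for d in dirs if d != ".git"]   # pass keeps history in git; skip it
        for f in files:
            if f.endswith(".gpg"):                     # .gpg-id at the top level is not an entry
                rel = os.path.relpath(os.path.join(root, f[:-4]), store)
                names.append(rel.replace(os.sep, "/"))
    return sorted(names)

def complete(store: str, prefix: str) -> list:
    """Prefix completion over entry names, the tab-completion benefit mentioned above."""
    return [n for n in store_entries(store) if n.startswith(prefix)]

def show(store: str, name: str) -> str:
    """Decrypt one entry with GnuPG directly (no pass needed) and return its first line."""
    path = os.path.join(store, name + ".gpg")
    out = subprocess.run(["gpg", "--quiet", "--decrypt", path],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()[0] if out else ""

def make_sample_store() -> str:
    """Constructed sample store: three empty placeholder .gpg files plus a fake .git dir."""
    store = tempfile.mkdtemp(prefix="pass-example-")
    for name in ["web/example.org/alice", "web/github.com/alice", "ssh/build-host"]:
        path = os.path.join(store, name + ".gpg")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    os.makedirs(os.path.join(store, ".git"), exist_ok=True)
    return store

if __name__ == "__main__":
    s = make_sample_store()
    print("entries visible without the key:", store_entries(s))
    print("completion for 'web/':", complete(s, "web/"))
    # show(default_store(), "web/example.org/alice") would prompt gpg for your key on a real store
```

If the names themselves are sensitive, the usual answers are the ones given in the thread (keep the store on an encrypted filesystem such as ecryptfs, or archive and encrypt it when it is not in use); the file format itself does not hide them.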