How many people here use Masterpassword or similar sites like it

How many people here use Masterpassword or similar sites like it.


>uploading your passwords to the web

It's bootleg lastpass. They even stole the logo.

Masterpassword isn't stored anywhere though.
An algorithm generates your password each time

That's known as decryption, which can be broken.

That isn't decryption at all. It's hashing.

Generating your passwords is pretty flawed from a usability and security point of view. Since the seed of whatever hash function they use is your username/domain/master password, changing passwords for individual sites isn't possible. Also, if one of your passwords gets leaked, and it's known that you use this service, your master password can be brute forced, and you're totally fucked since all of your passwords were generated with it.

Just use KeePassX

Okay, I'll consider it. But what are the chances that someone that was able to get my password through a leak will also know I use this service?

>Using any password management / generation site

How secure can a password be if someone had to remember or read off the password each time

Why KeePassX and not KeePass?

>if someone had to remember
You....are an idiot. The most secure password is one never spoken and never written. Just make it memorable and you will never have a problem.

Pretty slim, unless these services get very popular and it's assumed a certain fraction of a leak would be using it. It's still a flaw, and since you can't easily change passwords I see no reason to use it over a local password manager.

No reason, I mentioned it because I thought it was popular. Personally, I use this passwordstore.org/

Keeping a unique password in your head is the most secure way to do it, but it's not the best. It's difficult to create unique and rememberable passwords for each site you use. I used to use a combination of random words or phrases and numbers, but the more accounts I started to have, the more these words or phrases fell into a theme, and that's no good.

Using a password manager is a good idea, but it should be an OFFLINE application. That way you don't have to worry about some remote server containing your passwords getting hacked.
Both KeePass and its derivative, KeePassX, are excellent choices.

>Not just using a simple iteration on one password
Again, if you never reveal your password, you will not have a problem unless there is a hack, in which case you should change your shit anyway. Just pick a simple phrase like "Iamadumbass" and just change it up like "Iamamassivedumbass1" for another site for sites that require numbers.

>using password manager

damn brainlets

Not him.
You're not wrong, but at this point, why not choose a long, but easy-to-remember password?
Having a long password makes it much harder to brute force, even if it doesn't contain strange characters.

>not using a password manager

>"Iamamassivedumbass1"
>Not long
Yeah, that was half of my point. You can just use an easy-to-remember phrase, which, by necessity of words being about three letters each, will be pushing the typical 16 character limit all the time.

Password length limits are downright retarded, I never understood why so many sites set them.

To prevent arbitrarily long passwords designed to overtake all storage. If people could attack a server by storing 10000000000000000000000000000 character passwords, you can be sure someone would do it.

what?

1. There is a 'counter' field that lets you increment the number and generate a new password.
2. You can't brute force it easily, it uses Scrypt (a lot more resource-heavy than regular hashing algorithms), and, well, you should be using a long password for your master password that makes this take billions of years.
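An added illustration of the scheme this thread is arguing about (not Master Password's real algorithm, and not code from any poster): a deterministic generator where nothing is stored, the site password is derived from name, master password, site and a counter, and scrypt makes each guess of the master password expensive. The salt label and the alphabet are assumptions.

```python
import hashlib
import hmac
import string

# Constructed, simplified scheme: NOT the actual Master Password algorithm.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols, assumed

def master_key(name: str, master_password: str) -> bytes:
    """Derive a 64-byte key with scrypt (memory-hard, so offline guessing is slow).
    Same name + master password always gives the same key; nothing is stored."""
    return hashlib.scrypt(master_password.encode(),
                          salt=b"example-app:" + name.encode(),  # assumed salt label
                          n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=64)

def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Per-site password from the key. Bumping `counter` yields a fresh password
    for the same site without touching the master password."""
    seed = hmac.new(key, f"{site}\x00{counter}".encode(), hashlib.sha256).digest()
    out = []
    block = 0
    limit = 256 - (256 % len(ALPHABET))  # rejection sampling avoids modulo bias
    while len(out) < length:
        chunk = hmac.new(key, seed + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(ALPHABET[b % len(ALPHABET)] for b in chunk if b < limit)
        block += 1
    return "".join(out[:length])

if __name__ == "__main__":
    # Constructed sample inputs.
    k = master_key("Alice Example", "correct horse battery staple")
    print(site_password(k, "example.com", 1))   # same every run, never stored
    print(site_password(k, "example.com", 2))   # "rotated" password via the counter
```

Note the trade-off the thread describes: one leaked site password plus knowledge of the scheme lets an attacker test master-password guesses offline, and the scrypt cost is the only thing slowing that down.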

Are just unique phrases good enough to be secure?

Nobody brute forces passwords.
That's just a phrase normies use who think it sounds cool.

Dictionary attacks are by far the most common.

No, use Dashlane.

No, use Yourbrain.idiot

Used to use Lastpass
Moved to Keepass some months ago. It's cash.
Keepass database is on some cloud service to sync between devices

This strip is bullshit; the entropy assumes the entropy per character. Using Zipf's law, it reduces the actual entropy of "memorable" passwords rather short, from the point of view of the fact that words can be ascribed to a fixed hierarchy of statistical likelihood of being chosen casually.

If "the" is the most common word, ascribe it index 0; if "and" is the second, ascribe it index 1, etc. Then use a dictionary of, let's say, the 1000 most commonly used words ranked by the 80/20 rule (Pareto distribution, called Zipf's law in the context of linguistics) and the actual entropy is utter shit.

I wrote a CS thesis on this specifically for my undergrad using modified hashing techniques (PRINCE hash cracking) and other forms of statistical distribution hash cracking using such laws as Zipf's.

>if one of your passwords gets leaked, and it's known that you use this service, your master password can be brute forced

Correct me if I'm wrong.

But multiple master passwords can lead to the same single use passwords, correct?

So if the master password is longer than the single use passwords, say 40 character master to generate 20 character passwords, then you would have to try a shitload of master passwords to crack the second site.

I don't know who to believe anymore

Believe no one. Trust no one.

Remember kids!

The best way to secure your passwords and data is to upload them through your cracked router across a compromised link to an unknown website that knows your passwords and keys because it created them.

Stay safe!
Agent Fud

So are password managers good or bad? So many security boards and forums recommend using one that I feel some people here are just memeing or misinformed

If you use a password manager like keepassx, keep everything local and store it on an encrypted usbstick that you keep in your pocket, not connected to a computer.

I just keep mine in a plain text file on a LUKS-encrypted usbstick. No sense trusting yet one more thing (a password manager).

Make a Portable Encrypted File Safe:
linux.com/learn/weekend-project-make-portable-encrypted-file-safe

>Keep easily lost USB when you could keep the passwords in the impossible to lose head on your shoulders.
Found the idiot.

t. fucktard who knows zip about security

Oh, please do tell me how keeping a password in your head is less secure than a USB. Go on. Do it. I will wait.

Dear pretentious dumbass,

A password that you keep in your head is inherently less secure because you can be coerced to divulge it.

An unmemorized password kept on a usbstick can easily be destroyed if the knock comes on the door. Then no power on Earth can recover it.

This is security 101, and you don't know your ass from a hole in the ground.

This sounds interesting as hell. Where can I learn more? Any good books or lectures?

t. CIA boogiemen gonna take it
Fuck off, shithead.

The way I see it:

5% of people use decent or good passwords.
85% of people use poor passwords like "iAmAf4ggot!@"
10% of people use utter useless passwords like "password1234"

When passwords get cracked it's usually the bottom 10% and maybe a couple of the middle 85% that get compromised.
You don't need an unbreakable lock you just need a lock that's better than your neighbors.

Using an online service is far worse than using a GOOD password you never share.
But an online service is still better than what the people who would normally get compromised use.

KeePassXC compiled from source master race reporting

To open Keepass I need both a key file on an USB stick and a password I memorized.

Isn't the saying "something you own, something you know and something you are"?
That would mean adding biometrics would make it even better but I'm not that paranoid nor do I know if Keepass even lets me use a fingerprint/iris scanner

>"iAmAf4ggot!@"
Explain how that is a bad one.
>inb4 It is not a random string of characters
Words are fine as long as they are not common words and the length of the password is sufficient to make a brute force impossible (a 16 character sentence will take billions of years+ to brute force). Random characters are pointless and promote people writing them down as they are annoying to remember. When people are given a hard task, they will always drift toward the easiest method.

How long did it take you to audit the source?

>sites
Use a password manager program. Why the fuck would you upload your passwords to someone's website? If you need to access your passwords anywhere, upload your encrypted password database somewhere.

>Explain how that is a bad one.

- Using "leetspeak" is so common in passwords that cracking programs often try supplementing letters for 1337 equivalents.

- Adding extra "difficult" characters like "!" and "@" to the end is also extremely common.

- And yes, "i am a faggot" is a fairly common phrase.

And by the aggressive way you respond I deduct you currently use quite a similar looking password yourself.

>One good password
>keepass is mentioned
>throw a million accounts into the db and never fucking care
>if you suspect your database was obtained and currently being """tried""" change all the important shit long before they get in
>fuck memeonic shit

>upload your encrypted password database somewhere.

You are overestimating normies.
And remember 80% of people on Sup Forums are Apple users.

Still on that intro to cryptography course, will keep you posted

Billions of years for one computer, days for a farm, friend.

The graphic calls for "random" words.
Your method is only effective against "casually chosen" words. It doesn't apply to the graphic.

>And by the aggressive way you respond
If you think that is aggressive, you might do better on tumblr. They have safe spaces there.

>you currently use quite a similar looking password yourself
Nope not even remotely. I tend to use foreign characters on any sites that allow it and mix case throughout the words rather than at the beginning.

>2/10 nice b8

>I tend to use foreign characters on any sites that allow it and mix case throughout the words rather than at the beginning.
And you tell people what patterns to use to crack your passwords, in public.

>implying anyone here cares about my passwords
>implying anyone here knows what sites I use
>implying knowing a pattern means you instantly know everything
You are a fucking moron. Not only are you asserting that by knowing one pattern, you know the entire thing, you are saying that is enough info to crack a password. That is like saying by knowing a guy that makes keys, you know the passcode to get into CIA headquarters. Fuck off and come back when you even know what the definition of a password is.

Are you fucking serious?

>Nope not even remotely. I tend to use foreign characters on any sites that allow it and mix case throughout the words rather than at the beginning.

But the basic idea is the same, just a slight variation.
I'll put you in the top 15% OK? - when only the bottom 20% has anything to worry about you are perfectly safe is what I was saying.

I will tell you my exact scheme:

All my passwords only consist of lower case letters and numbers. (makes them easy to type).
And I avoid characters that can be confused by others like "l" or "0". (makes them easy to read).
Then it's completely random and at least 10 characters long, for example "dm7wip38ds9m"
Good luck cracking all my passwords!

Masterpassword has an online option.
Again, nothing is stored, nothing is being uploaded. Everything is generated each time

That's literally the lastpass logo.

I wouldn't trust that with syncing my fucking notes.

Not him but I prefer KeePassX because it doesn't depend on .NET, it's good ol' C++.

Thanks guys, decided to go into KeePassX

If I use keepassx on desktop could I use keepass or keepass2 on android?

True. However most mnemonic guides tend to mistake that simply choosing from one's own memory or method of artifice would be enough simply by the fact of length.

But your point is still moot. The permutation of 4 words out of, let's say, 5,000 words is lower than one of 14 characters with multiple charsets. By spades. Do the math

Entropy =/= computational complexity. Although they do correlate roughly.

And given the comic example. The first pass of the list used would only have to sift through 500 dictionary words
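The numbers behind this argument and the Zipf's-law post above, worked as an added example (not any poster's code). Assumed inputs: the thread's 4 words from 5,000, 14 characters from the 95 printable ASCII symbols, and a 1,000-word list whose popularity follows Zipf's law (probability proportional to 1/rank).

```python
import math

def uniform_bits(choices: int, picks: int) -> float:
    """Entropy in bits when each of `picks` symbols is chosen uniformly from `choices`."""
    return picks * math.log2(choices)

def zipf_probs(n_words: int, s: float = 1.0) -> list:
    """Probability of each rank 1..n_words under Zipf's law with exponent s."""
    weights = [1.0 / k ** s for k in range(1, n_words + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def zipf_bits_per_word(n_words: int, s: float = 1.0) -> float:
    """Shannon entropy (bits) of one word picked with Zipf-distributed popularity,
    i.e. what a 'casually chosen' word is worth instead of log2(n_words)."""
    return -sum(p * math.log2(p) for p in zipf_probs(n_words, s))

def words_covering(mass: float, n_words: int, s: float = 1.0) -> int:
    """Number of top-ranked words that together carry `mass` of the probability:
    the size of the short list that covers most casual choices."""
    cum = 0.0
    for rank, p in enumerate(zipf_probs(n_words, s), start=1):
        cum += p
        if cum >= mass:
            return rank
    return n_words

def summary() -> dict:
    # Assumed parameters from the thread: 4 of 5000 words, 14 of 95 chars, 1000-word Zipf list.
    return {
        "4 random words of 5000 (bits)": uniform_bits(5000, 4),
        "14 chars of 95 (bits)": uniform_bits(95, 14),
        "uniform word of 1000 (bits)": math.log2(1000),
        "Zipf word of 1000 (bits)": zipf_bits_per_word(1000),
        "4 Zipf words of 1000 (bits)": 4 * zipf_bits_per_word(1000),
        "top words covering 80%": words_covering(0.8, 1000),
    }

if __name__ == "__main__":
    for label, value in summary().items():
        print(f"{label}: {value:.1f}" if isinstance(value, float) else f"{label}: {value}")
```

The comparison only holds for truly random picks: four uniformly random words from 5,000 give about 49 bits against about 92 bits for 14 random printable characters, and under Zipf weighting a casually chosen word from a 1,000-word list is worth roughly 7.5 bits rather than 10, with a few hundred top-ranked words covering 80% of the choices.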

A dictionary attack IS a bruteforce attack.

Technically the best way IS to separate a master password with an encrypted database. It causes LEA to use search and seizure laws (and can be defended to a point) and having the key in your head can't be coerced over your fifth amendment right (in most cases)

The insecurity lies in the fact that human meatsacks can be 'bruteforced' into revealing the master key.

>not even bothering to find out what masterpassword is before shitposting

How many online accounts do you have, five?

Master Password for the Master Race!

Honestly, nothing can compare. You can lose everything, but as long as you know your master password (and name) you can always retrieve your passwords.

Offline, redundant, can generate SEVERAL passwords for one site using a simple increment, and is consequently a million times safer than most other stupid password managers.

It's objectively the best.

I used to think the same, but recently thought differently. If your master password gets out (someone saying on you for example), they have everything. At least in keepass they need your master password and database.

If they can get your master password, they already have your database.

Not him, but how is this possible? I thought you could separate where your passwords are stored. So if you get your masterpassword it's just empty.

>i just learned what these things mean
brute forcing a password is guessing a password using predefined criteria, it doesn't mean you're restricted to using single bytes or bits. you can use ascii, or a whole dictionary of english words loaded into RAM with a ruleset.

My point is more subtle than that.

>not programming your own password manager