Securely store passwords

gpw928

Aspiring Daemon

Reaction score: 218
Messages: 527

43 characters!! You are paranoid !!
That would depend on what you are trying to protect.
For login to local physical computers (not via the Internet) where you have to type the password, or unlock ssh keys, it's convenient and sensible to use a good password of "sufficient" length, and memorise it.
In the era of post-quantum cryptography I want to protect my bank accounts, and other Internet "commerce".
Re-using a password for multiple sites is a really bad idea, as cracking it readily leads to a domino effect. That means every account must have a different high quality password.
I currently have about 60 of them. That's far too many to remember. So, they are always randomly generated, rarely less than 64 characters, and kept in a password safe. Simples.
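The two points above (generate every password randomly, never reuse one across sites) as an added example; this is not code from the thread. It draws from the OS CSPRNG via `secrets`, reports how much entropy a given length carries, and scans a small vault for the reuse that causes the domino effect. The 94-symbol alphabet, the `SAMPLE_VAULT` and its deliberate duplicate are constructed for the example.

```python
"""Added example: random password generation and a reuse check for a small vault.

Not code from the forum thread; a stand-alone illustration of generating
passwords randomly and checking that none is shared between two sites."""
import math
import secrets
import string
from collections import defaultdict

# 94 printable ASCII characters: letters, digits and punctuation (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 64, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG via secrets; random.choice is not acceptable here."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and an alphabet of at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest length whose entropy reaches target_bits (128 bits is beyond any brute force)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def find_reused(vault: dict) -> list:
    """Return sorted groups of sites that share an identical password.

    Every group with more than one member is a domino waiting to fall: one
    breached site hands the attacker the others."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed sample vault with one deliberate reuse (bank and shop share a password).
SAMPLE_VAULT = {
    "bank.example": "Tr0ub4dor&3",
    "shop.example": "Tr0ub4dor&3",
    "mail.example": generate_password(64),
    "forum.example": generate_password(64),
}

if __name__ == "__main__":
    print("43 chars from a 94-symbol alphabet:", round(entropy_bits(43), 1), "bits")
    print("length needed for 128 bits:", min_length_for_bits(128))
    print("reused across:", find_reused(SAMPLE_VAULT))
```

A 43-character password from this alphabet carries about 282 bits; 20 characters already exceed 128 bits, so the extra length buys nothing against guessing and only matters where a site truncates or caps password length.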
 

jmos

Well-Known Member

Reaction score: 186
Messages: 254

43 characters!! You are paranoid !!
A little bit off topic, but related to "strong passwords":

We're always looking at passwords, but when it comes to login attempts the password is just one half. The other one is the username. When I'm looking through thousands of login attempts on servers I see usernames like "admin", "a1b2c3", "tom", "michael" etc., but never ever something like "hsadyylhTfHbTnP.gdtTZbdlaperKtzHZs". Okay, you don't want to type that in manually, but you can use e.g. an alias for that. I'm using "strong usernames" ;)
 

sko

Aspiring Daemon

Reaction score: 381
Messages: 685

A little bit off topic, but related to "strong passwords":

We're always looking at passwords, but when it comes to login attempts the password is just one half. The other one is the username. When I'm looking through thousands of login attempts on servers I see usernames like "admin", "a1b2c3", "tom", "michael" etc., but never ever something like "hsadyylhTfHbTnP.gdtTZbdlaperKtzHZs". Okay, you don't want to type that in manually, but you can use e.g. an alias for that. I'm using "strong usernames" ;)

Well, usually you stick with one or two handles that you use as a "username", but you can make the email address you use for login unique with extensions. I've been using address extensions for almost as long as postfix and dovecot support it and even sometimes give humans an extended address instead of the "short variant". This has various advantages:
- That email address _only_ works for that single site/service and is worthless for anything else
- Filtering gets really easy (just create a folder named after the extension...)
- I can tell who had a data leak when I suddenly receive spam on that address and can change my credentials there (or cancel my account with them, depending on how they handle a data breach..)
- I can add a disclosed address to my spamtrap list, so spammers using those addresses get immediately blacklisted

And of course: Use 2FA wherever possible! A lot of sites make it really easy nowadays and even support multiple variants (more and more often you can activate multiple factors, e.g. multiple authenticator apps or password managers with OTP support). Sadly even some big sites still get this completely wrong and either don't support it at all or only support the worst, most insecure and most annoying variants like SMS codes...
 

fbsd_

Active Member

Reaction score: 19
Messages: 103

Hi,

I would like to hear what kind of solutions users of this forums are using to store passwords.

Since today it is almost impossible to remember all usernames and passwords, the best way is probably to store them in some database which is secured.

- folivora
The best way to secure important data is encryption. There are already some applications for this, namely password managers. You can also secure a file on Unix-like systems by changing the owner of the file.
For example:
touch password.data
echo "example123" >> password.data
chown root password.data (this and the next command require root permission)
chmod -r password.data

This example makes the file unreadable without root access. Only the root user can make it readable again, so it will be secure until an exploit comes along and gains root permission.

The other way is encryption:
Encrypt:
openssl enc -aes-256-cbc -a -salt -pbkdf2 -in password.data -out password.data.enc
Decrypt:
openssl enc -aes-256-cbc -d -a -pbkdf2 -in password.data.enc -out password.data

If you're going to use something like that, it requires openssl to be installed on your system. If not, you can write a program that does it, or you can just install it with your package manager etc. I'm not sure whether FreeBSD comes with openssl preinstalled.

Solution 3:
Use a password manager:
pkg install security/keepassxc (Requires root permission)


And that's it.

The best solution is using a password manager, and this is what I'm using for my many jobs too. A password manager does all the work for you.
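The file-protection and `openssl` steps above, as an added example that is not code from the thread. It wraps the same `openssl enc` command with three changes a practitioner would insist on: the file is created with mode 0600 from the start (`O_EXCL`, no window between `touch` and `chmod`), key derivation uses PBKDF2 with a high iteration count instead of the legacy default, and the passphrase reaches openssl over an inherited pipe (`-pass fd:N`) so it never shows up in `ps` output or on disk. It assumes the `openssl` CLI (1.1.1 or newer, for `-pbkdf2`) is on PATH; the sample entry and passphrase are constructed.

```python
"""Added example: keep a password file unreadable by others and encrypted at rest.

Not code from the thread. Wraps `openssl enc` (assumed on PATH) with a 0600
file, PBKDF2 key derivation and a passphrase delivered over a pipe."""
import os
import stat
import subprocess
import tempfile

OPENSSL = "openssl"                                   # assumption: binary name on PATH
# The "Salted__" header is on by default; -pbkdf2/-iter replace the weak legacy KDF.
CIPHER_ARGS = ["-aes-256-cbc", "-pbkdf2", "-iter", "600000"]


def write_private_file(path: str, data: bytes) -> None:
    """Create the file with mode 0600 at creation; O_EXCL refuses an existing file or symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def others_can_read(path: str) -> bool:
    """True if any group or world permission bit is set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 != 0


def _openssl_enc(extra: list, passphrase: bytes, data: bytes) -> bytes:
    """Run `openssl enc`, handing over the passphrase on an inherited pipe fd, not argv."""
    rfd, wfd = os.pipe()
    os.write(wfd, passphrase + b"\n")                 # openssl reads the first line from fd:N
    os.close(wfd)
    try:
        proc = subprocess.run(
            [OPENSSL, "enc", *CIPHER_ARGS, *extra, "-pass", f"fd:{rfd}"],
            input=data, capture_output=True, pass_fds=(rfd,), check=False)
    finally:
        os.close(rfd)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.decode(errors="replace").strip() or "openssl failed")
    return proc.stdout


def encrypt(plaintext: bytes, passphrase: bytes) -> bytes:
    return _openssl_enc([], passphrase, plaintext)


def decrypt(ciphertext: bytes, passphrase: bytes) -> bytes:
    return _openssl_enc(["-d"], passphrase, ciphertext)


def demo() -> dict:
    """Encrypt a constructed password file, drop the plaintext, decrypt it back, report checks."""
    entry = b"site=shop.example user=alice pass=example123\n"   # constructed sample entry
    passphrase = b"correct horse battery staple"                # constructed sample passphrase
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "password.data")
        enc = os.path.join(d, "password.data.enc")
        write_private_file(plain, entry)
        write_private_file(enc, encrypt(entry, passphrase))
        os.remove(plain)                                  # only the ciphertext stays on disk
        with open(enc, "rb") as fh:
            blob = fh.read()
        try:
            wrong_rejected = decrypt(blob, b"not the passphrase") != entry
        except RuntimeError:                              # usual outcome: "bad decrypt" (padding)
            wrong_rejected = True
        return {
            "roundtrip": decrypt(blob, passphrase) == entry,
            "private": not others_can_read(enc),
            "wrong_rejected": wrong_rejected,
            "plaintext_gone": not os.path.exists(plain),
        }


if __name__ == "__main__":
    print(demo())
```

Note that `openssl enc` with CBC provides confidentiality only: a modified ciphertext is not reliably detected, and a wrong passphrase is caught only by the padding check. That lack of integrity protection is one more reason the password-manager route (KeePassXC above) is the better choice for anything beyond a quick experiment.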
 

Jose

Daemon

Reaction score: 903
Messages: 1,107

Well, usually you stick with one or two handles that you use as a "username"...
I would strongly advise you to not reuse usernames either, for the reasons Jmos lists. Sometimes this is unavoidable because the username is also your avatar's name, but take the option to have an opaque login name if it is given.
, but you can make the email address you use for login unique with extensions. I've been using address extensions for almost as long as postfix and dovecot support it and even sometimes give humans an extended address instead of the "short variant". This has various advantages:
- That email address _only_ works for that single site/service and is worthless for anything else
- Filtering gets really easy (just create a folder named after the extension...)
- I can tell who had a data leak when I suddenly receive spam on that address and can change my credentials there (or cancel my account with them, depending on how they handle a data breach..)
- I can add a disclosed address to my spamtrap list, so spammers using those addresses get immediately blacklisted
I'm not sure if you're talking about email subaddressing or email aliases. Subaddressing is nice in that most major services support it, but there is no way to make a subaddress stop working. Email aliases require that you have some control over email sending. I use Postfix and aliases(5) but I can do that because I host my own email. Nice thing about aliases is that you can delete them, causing all email sent to them to bounce.

You can add either subaddresses or aliases to spamtrap files. I'm not sure how you enforce that aliases or subaddresses can only work from one sender. I'm pretty sure once the alias or subaddress exists, anyone can send mail to it. This is also how you discover who's been shopping your email address around.
And of course: Use 2FA wherever possible! A lot of sites make it really easy nowadays and even support multiple variants (more and more often you can activate multiple factors, e.g. multiple authenticator apps or password managers with OTP support). Sadly even some big sites still get this completely wrong and either don't support it or the worst, most insecure and most annoying variants like SMS codes...
I'm not a big fan of 2FA. It only makes sense if you have a phone, and it often requires a specific app to work. I wonder how much spyware the 2FA phone app includes.
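The subaddress bookkeeping discussed in this and the previous post, as an added example that is not code from the thread or from Postfix. It splits `user+tag@domain` recipients the way Postfix does with `recipient_delimiter = +`, looks each tag up in a table of which site was handed which tag, blacklists senders that hit a tag already known to be leaked, and reports issued tags being mailed from somewhere other than the site they were given to (the "who's been shopping your address around" check). The `ISSUED_TAGS`, `LEAKED_TAGS` and the log lines are constructed for the example.

```python
"""Added example: per-site subaddresses as leak detectors and spamtrap triggers.

Not code from the thread; the delimiter handling mirrors Postfix's
recipient_delimiter=+ behaviour (everything after the first '+' is the tag)."""
from dataclasses import dataclass
from typing import Optional

DELIMITER = "+"


@dataclass(frozen=True)
class Recipient:
    user: str
    tag: Optional[str]
    domain: str

    @property
    def mailbox(self) -> str:
        """The delivery mailbox once the subaddress is stripped."""
        return f"{self.user}@{self.domain}"


def split_subaddress(address: str, delimiter: str = DELIMITER) -> Recipient:
    """Split local+tag@domain; the tag is None when no delimiter is present."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    user, _, tag = local.partition(delimiter)
    return Recipient(user.lower(), tag.lower() or None, domain.lower())


# Which site was handed which tag (constructed).
ISSUED_TAGS = {"shop2019": "shop.example", "bank": "bank.example", "newsletter": "news.example"}
# Tags that already turned up in spam, i.e. that site leaked them (constructed).
LEAKED_TAGS = {"shop2019"}

# Constructed delivery log, one "<client-ip> <envelope-sender> <recipient>" per line.
SAMPLE_LOG = """\
203.0.113.7 deals@bulk.invalid jose+shop2019@example.org
198.51.100.4 noreply@bank.example jose+bank@example.org
203.0.113.9 promo@other.invalid jose+bank@example.org
192.0.2.20 friend@home.example jose@example.org
203.0.113.7 deals@bulk.invalid jose+nosuchtag@example.org
"""


def spamtrap_hits(log: str) -> dict:
    """Classify deliveries to tagged addresses.

    blacklist:    client IPs that mailed a tag already known to be leaked
    suspect:      issued tags mailed from a domain other than the issuing site
    unknown_tags: tags nobody was ever given (typo-squatting or guessing)"""
    blacklist, suspect, unknown = set(), {}, set()
    for line in log.splitlines():
        if not line.strip():
            continue
        ip, sender, rcpt_addr = line.split()
        rcpt = split_subaddress(rcpt_addr)
        if rcpt.tag is None:
            continue                                   # plain mailbox, nothing to attribute
        site = ISSUED_TAGS.get(rcpt.tag)
        if site is None:
            unknown.add(rcpt.tag)
            continue
        if rcpt.tag in LEAKED_TAGS:
            blacklist.add(ip)                          # known-bad tag: trap the sender
            continue
        if sender.rpartition("@")[2].lower() != site:
            suspect.setdefault(rcpt.tag, []).append(sender)   # the site's tag, someone else's mail
    return {"blacklist": sorted(blacklist), "suspect": suspect, "unknown_tags": sorted(unknown)}


if __name__ == "__main__":
    print(spamtrap_hits(SAMPLE_LOG))
```

As the post says, nothing stops a third party from mailing a subaddress once it exists; what the tag gives you is attribution, and with a table like `ISSUED_TAGS` the attribution becomes mechanical.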
 

Trihexagonal

Son of Beastie

Reaction score: 2,317
Messages: 2,888

I would strongly advise you to not reuse usernames either...

I always used a different username for each site I joined and a different password for each site.

The people at PC-BSD knew me as Weixiong and Trihexagonal came here. oko said he had been one of the earlier usernames registered in the PC-BSD forums and that he didn't remember me. I remember scottro from back then and used his Tutorial to learn pf.

I told oko who I was and Less Moore soon saw it afterward. But in your face as it was in every screenshot I posted nobody realized I was jitte, and that's somebody the Moore Bros. knew from that time, too...

Files encrypted with security/bcrypt can be encrypted over and over using different passwords, the file extension removed, the filename changed and the file moved to another directory deep in a rabbit hole. As long as you put the filename back to the original you can decrypt it back to the original text file with no loss or scrambling of data.
 

ralphbsz

Son of Beastie

Reaction score: 2,301
Messages: 3,211

I'm not a big fan of 2FA. It only makes sense if you have a phone, and it often requires a specific app to work. I wonder how much spyware the 2FA phone app includes.

I'm a reasonably big fan of 2FA. Having disagreed with you, I will now agree with you: I'm not a big fan of 2FA if it is implemented by needing a phone app.

I think the best implementation of 2FA is using a FIDO security token, in the style of a Yubikey (I think they're one of the largest vendors). If implemented carefully, that version is pretty safe. It means that to "log in" (whatever that means), you need to both know your password, and have physical possession of a thing, the security key.

Second best are fingerprint readers (again used in conjunction with a password). Their biggest problem is that they are not ubiquitous. I think the problems with fingerprints being spoofed have been mostly overcome. Another issue is that fingerprint readers are physically integrated with an expensive device. If I find a vulnerability with a security token, I throw it in the trash (after hitting it with a hammer), and get a new one, at a cost of an extra $10. If I find a vulnerability with the fingerprint reader on my laptop, I'm not about to throw a $2500 laptop in the trash, making the fingerprint reader useless.

And even 2FA that is implemented by sending an e-mail or an SMS to a well-known e-mail address or cell phone number is a reasonable way to enhance security: it proves that the person both knows the password and has access to the communication device; if they protected those separately, this does enhance security, but it is less fool-proof than hardware (such as tokens or fingertips).
 

Trihexagonal

Son of Beastie

Reaction score: 2,317
Messages: 2,888

And even 2FA that is implemented by sending an e-mail or an SMS to a well-known e-mail address or cell phone number is a reasonable way to enhance security: it proves that the person both knows the password and has access to the communication device; if they protected those separately, this does enhance security, but it is less fool-proof than hardware (such as tokens or fingertips).
Here are two free online SMS services I recently found:



Here are two temporary email throwaway services for registration when you don't want it associated with your accounts:


 

sko

Aspiring Daemon

Reaction score: 381
Messages: 685

I'm not sure if you're talking about email subaddressing or email aliases. Subaddressing is nice in that most major services support it, but there is no way to make a subaddress stop working. Email aliases require that you have some control over email sending. I use Postfix and aliases(5) but I can do that because I host my own email. Nice thing about aliases is that you can delete them, causing all email sent to them to bounce.

You can add either subaddresses or aliases to spamtrap files. I'm not sure how you enforce that aliases or subaddresses can only work from one sender. I'm pretty sure once the alias or subaddress exists, anyone can send mail to it. This is also how you discover who's been shopping your email address around.
I'm also using aliases, but for different reasons, and also subaddresses (+) for logins. I don't want to make a subaddress 'stop working' if it has been leaked to spam lists, as it is much more effective to use those as spamtrap addresses with spamd. So if any server tries sending to that 'compromised' address, it gets immediately blacklisted and always gets trapped in spamd.


I'm not a big fan of 2FA. It only makes sense if you have a phone, and it often requires a specific app to work. I wonder how much spyware the 2FA phone app includes.
You can freely decide which phone app you're using/trusting, or ignore those altogether and just use a password manager that supports generation of 2FA TOTP tokens (pass can do this with an otp plugin). TOTP is called "google authenticator" because google first defined the standard, but the libraries are freely available and have been re-implemented in various languages and can be used in a multitude of ways ('server' and 'client' side). There's even a PAM module for 2FA with TOTP...
But yes, there are still some moronic 'web designers' who think they have to be special and use some home-brewed, proprietary app for 2FA - I completely ignore those and if I have to use their service, I usually bug their support every few weeks to finally implement a proper 2FA solution...
 