Someone tried or has been able to guess my password?

Why are we talking about remembering / writing passwords instead of using password managers? Am I missing something here, or are you all actually willingly sacrificing your security for convenience?
 
Why are we talking about remembering / writing passwords instead of using password managers? Am I missing something here, or are you all actually willingly sacrificing your security for convenience?
Why are we talking about using password managers instead of just memorizing them? Am I missing something here, or are you all actually willingly sacrificing your security for convenience?
 
+Password managers. You need to remember at least one "key" in order to decrypt all the keys.
Is that really different from you typing credentials into a text doc and then using GPG to encrypt the file?
Both mean "I need to remember only one" (Highlander reference); one simply needs to pick one's poison.

Heck, writing credentials on paper and sticking the paper in a fireproof safe that you have the only key to is the analog equivalent of a password manager.
Obtain the key to any of them (password manager, GPG encrypted file, fireproof safe) and you have the data.

"...willingly sacrificing your security for convenience ?"
That is the eternal tradeoff; going back to securing one's cave. Everyone has a different tolerance for the tradeoff.
What I am comfortable with may be overkill to you or may be underkill to you.
Present the information and the tradeoffs; the consequences fall solely on the individual.
 
Why are we talking about using password managers instead of just memorizing them? Am I missing something here, or are you all actually willingly sacrificing your security for convenience?
Most people can remember 7 (plus or minus a couple) different passwords by heart. Any more than that, and an app becomes a necessary tool. I have over 100 different passwords to manage, and they were accumulated from 30+ years of living on the Internet like the rest of us here on the Forums.

I mean, you gotta put at least a couple passwords on your wifi router, one for your laptop, have a root password for your FreeBSD setup, a password for your regular user on those FreeBSD setups... that's 5 different passwords right there. Not to mention a password for Teams (oh, and the same credentials will work for Xbox), personal email, work email, Amazon... that's 4 more, for a total of 9.

Google does offer authentication services to simplify things from there on, so do Apple and Microsoft and Facebook - but instead of using those services, I'd rather have an app to manage 100 different passwords.
 
Most people can remember 7 (plus or minus a couple) different passwords by heart. Any more than that, and an app becomes a necessary tool. I have over 100 different passwords to manage, and they were accumulated from 30+ years of living on the Internet like the rest of us here on the Forums.
This is true. But in the "only landline days", before smartphones and contact lists, it was amazing how many phone numbers one had memorized. Mom at work, dad at work, home, Aunt Suzie, grandma, best friends 1-20, etc. Think about entering a PIN on a keypad (ATM, building entry, etc.): if you are standing in front of it, your mind knows the pattern of movement. If you are standing in front of the ATM and someone asks about the "PIN to get into the lab at work", you freeze, but if you imagine you are standing in front of the lab door, your fingers know.
What does that mean? Context matters.

(Sorry, I hope I'm not using as many words as Maturin. That's a joke, for the record.)
 
+Password managers. You need to remember at least one "key" in order to decrypt all the keys.
Is that really different from you typing credentials into a text doc and then using GPG to encrypt the file?
Both mean "I need to remember only one" (Highlander reference); one simply needs to pick one's poison.

Heck, writing credentials on paper and sticking the paper in a fireproof safe that you have the only key to is the analog equivalent of a password manager.
Obtain the key to any of them (password manager, GPG encrypted file, fireproof safe) and you have the data.

"...willingly sacrificing your security for convenience ?"
That is the eternal tradeoff; going back to securing one's cave. Everyone has a different tolerance for the tradeoff.
What I am comfortable with may be overkill to you or may be underkill to you.
Present the information and the tradeoffs; the consequences fall solely on the individual.
That's what the hardware USB keys are for. C'mon people.
 
(Sorry, I hope I'm not using as many words as Maturin. That's a joke, for the record.)
Point taken.
Many of my words come from bean-counter prevention, while I always realize: no matter how watertight you're trying to make your point, there is always at least one wisenheimer who thinks it makes him look clever by pointing out he counted the beans 1/10 more precisely than you.

Back to topic:
password managers
Personally I don't trust pw managers.
And even if they are 100% trustworthy, they don't provide more security at all. All they do is spare you from remembering all passwords. But for that you have to protect your pw manager with a really strong one; as I said above: if that one's gone, all are gone. If I were a hacker, my primary target would be password managers' passwords.

Anyway, before I start to explain why I don't see a real risk in writing passwords down, I'd like to flag up the difference between a machine in a private home with only one user's access and a machine in a more public place, like an office at work.

For my private machine at home all my logins do have really strong passwords. I wrote them down. And they are not really that hard to find. An attacker doesn't need a password at all, since I did not protect my machine from physical access. It would be simple enough to boot my machine in single-user mode, or from a live system. But for that he or she has to break into my house first. Neither do I have any stuff on my machines that would be even remotely interesting to break into my house for, nor do I have an amount of money worth that trouble.
So, noting my login passwords is just for me to remember; I see no real security issue with that.

Additionally, how you write down your passwords can also be kind of interesting.
You may use a kind of bank crossword puzzle:
(image: crossword puzzle)

(bad example quickly picked on the net, but you get the idea)

Only you know: your password is "line, column, direction"

Another way would be to use a sentence written in a book:
"Er," squeaked the demon.
Only you know it's line 19 on page 65 in your edition of Terry Pratchett's "Eric".

As I also said above:
Really secure is only what you have memorized only in your head.
 
Not everybody uses them, even among the big guys. I'd know, at one of my $JOBs they were actually prohibited.
Yep been there. Government/classified systems typically disable USB stuff.
YubiKeys: good stuff, but again, you need to have chain of custody. If someone manages to abscond with your YubiKey that is tied to everything else, does that give them 100% access?
Your phone is set to fingerprint/face lock: someone steals your phone, drugs you, then can cut off your fingers or use your face to unlock the phone and then reset it to their face/finger. That starts to give them access to everything on your phone, like banking apps.
 
Not everybody uses them, even among the big guys. I'd know, at one of my $JOBs they were actually prohibited.
I use it.
Personally I don't trust pw managers.
Can you tell me why you would not trust 100% open source software that works offline and is available in the FreeBSD repo?
And even if they are 100% trustworthy, they don't provide more security at all.
So you are telling me that if I lock my database with a 48-character strong password paired with a YubiKey, that's less secure than memorizing 20 different passwords which are variations of the same password combined with finger muscle memory.
All they do is spare you from remembering all passwords.
You are completely out of touch.
But for that you have to protect your pw manager with a really strong one; as I said above: if that one's gone, all are gone. If I were a hacker, my primary target would be password managers' passwords.
Again, you do not know what you are talking about. You can literally set the most retarded and easy-to-remember password as your master password, and pair that with the encryption key, or in my case, a hardware YubiKey. With this key combo, I can send you my encrypted passwords database, including my master password, and neither you nor anyone else will be able to do anything with it. This is very simple stuff to understand, but to me it seems that you guys are either trolling, or just completely out of touch when it comes to security. I'm not sure which is worse.
Anyway, before I start to explain why I don't see a real risk in writing passwords down, I'd like to flag up the difference between a machine in a private home with only one user's access and a machine in a more public place, like an office at work.
Let me apply mer's logic here. Someone can break into your home, blow your safe with a bundle of dynamite and steal your book where you have your password written. Am I doing this right?
Yep been there. Government/classified systems typically disable USB stuff.
YubiKeys: good stuff, but again, you need to have chain of custody. If someone manages to abscond with your YubiKey that is tied to everything else, does that give them 100% access?
Your phone is set to fingerprint/face lock: someone steals your phone, drugs you, then can cut off your fingers or use your face to unlock the phone and then reset it to their face/finger. That starts to give them access to everything on your phone, like banking apps.
Well... aliens can attack tomorrow, and all is lost anyway. I mean, seriously man. Can we get back to reality now? I'm not talking about government-issued equipment with locked-down USB ports; no one is going to drug me or cut my fingers. I'm talking about a simple open source password manager that works offline and can be secured with a password, software, or hardware keys. Don't have a YubiKey? No problem. Generate a software key, store it on a USB drive, and use that. Or simply store it on your drive somewhere, obfuscate the file name, and voila. This is all simple stuff, why are you making this so complicated with all these what-if scenarios?
 
Well... aliens can attack tomorrow, and all is lost anyway. I mean, seriously man. Can we get back to reality now? I'm not talking about government-issued equipment with locked-down USB ports; no one is going to drug me or cut my fingers.
Remember how people used to 'steal' ballpoint pens and pencils? Today somebody can mindlessly pick up a USB stick off your desk (instead of a ballpoint pen) and walk away with it. You'd pretty much have to have that stick on a lanyard on you at all times, like your work ID card that you use to unlock the door to your workplace. If you lose that, you're in trouble. I've seen people forget their ID at home, and then realize they can't get into the office to report to work.

Being mindless is kind of the real problem. Mindlessly losing track of your favorite ballpoint pen is one thing. Mindlessly losing track of the Yubikey the same way... that is a disaster, esp. if someone else finds it. Because regaining access to the database that you locked with that 48-character password that is paired with the specific Yubikey. Yubikeys still have a chain of custody. Even if the Yubikey is replaced, someone will still need to override the specific Yubikey ID so that you regain access to that database.

You know how some XBox accounts were tied to the console's serial number? If the console with the correct serial number is irrecoverably lost, that XBox account is good as gone. Yubikey works the same way.
 
Remember how people used to 'steal' ballpoint pens and pencils? Today somebody can mindlessly pick up a USB stick off your desk (instead of a ballpoint pen) and walk away with it. You'd pretty much have to have that stick on a lanyard on you at all times, like your work ID card that you use to unlock the door to your workplace. If you lose that, you're in trouble. I've seen people forget their ID at home, and then realize they can't get into the office to report to work.
What the hell are you talking about?

Let me clarify, because you seem lost too. I'm talking about personal home use.
Being mindless is kind of the real problem. Mindlessly losing track of your favorite ballpoint pen is one thing. Mindlessly losing track of the Yubikey the same way... that is a disaster, esp. if someone else finds it. Because regaining access to the database that you locked with that 48-character password that is paired with the specific Yubikey. Yubikeys still have a chain of custody. Even if the Yubikey is replaced, someone will still need to override the specific Yubikey ID so that you regain access to that database.

You know how some XBox accounts were tied to the console's serial number? If the console with the correct serial number is irrecoverably lost, that XBox account is good as gone. Yubikey works the same way.
You don't need a YubiKey. Just generate a key file. Or don't. Just use a master password.

Am I the only sane person here?
 
MrBSD, I can't argue about IT security with you since I'm just a hobbyist user, but it looks like you never hung out with actual hard-core criminals, just based on your assessment of what's possible/probable. You have no idea how (and what about) those fellas think.
 
Well... aliens can attack tomorrow, and all is lost anyway. I mean, seriously man. Can we get back to reality now? I'm not talking about government-issued equipment with locked-down USB ports; no one is going to drug me or cut my fingers. I'm talking about a simple open source password manager that works offline and can be secured with p
Yes I realize my examples are a bit over the top but they are realistic. The basic premise is someone has thought a step ahead of you.
Faces and fingers? I think there are actual examples of that. Your spouse thinks you're cheating, then while asleep uses your finger/face to unlock your phone to find all your deleted texts to the mistress.

Now extend that to how you may be protecting a cache of passwords/passkeys for your banking......
 
No, the only sane person here is not you, but me. Hopefully sarcasm comes across.

But frankly, sometimes you just have to see the forest for the trees. Trees alone don't make up a forest.
This is exactly what the person with no arguments would say. Please spare me.
MrBSD, I can't argue about IT security with you since I'm just a hobbyist user, but it looks like you never hung out with actual hard-core criminals, just based on your assessment of what's possible/probable. You have no idea how (and what about) those fellas think.
Oh. Ok. That makes sense. Because I don't hang out with hard-core criminals that chop people's fingers, that makes everything I said completely invalid. I get it now.

Please tell me you guys are trolling me. Because, if you don't... my god...

Yes I realize my examples are a bit over the top but they are realistic. The basic premise is someone has thought a step ahead of you.
Faces and fingers? I think there are actual examples of that. Your spouse thinks you're cheating, then while asleep uses your finger/face to unlock your phone to find all your deleted texts to the mistress.

Now extend that to how you may be protecting a cache of passwords/passkeys for your banking......
Can we please stop. Please.
 
Oh. Ok. That makes sense. Because I don't hang out with hard-core criminals that chop people's fingers, that makes everything I said completely invalid. I get it now.
Please tell me you guys are trolling me. Because, if you don't... my god...
Unfortunately, I'm not trolling. I met people who will not drop a drop of sweat to do (to you unimaginable) things just for a score 🤷‍♂️
Can we please stop. Please.
We can. They will not.
 
As someone who was maintaining >1k servers for one company and a bitcoin exchange for another, I've been using GPG-encrypted files containing passwords for about 15 years, but was required to use a password manager later on (for better 'teamwork') and I've stuck with that ever since. I'm afraid that keeping more than a few passwords in memory would be simply impossible for me. I still remember a few very old phone numbers from the '90s (when they were 7 digits long), but nowadays there's no chance.

A few gotchas regarding password managers:
- make sure the pm times out and locks after a few seconds of inactivity. The clipboard should be single use.
- do NOT integrate the pm into the browser. (The newest clickjacking exploit was covered last month.)
- have some kind of separation between the browser and your real home directory; make sure that in case the former gets owned it cannot access the pm's database. I run the browser as a dedicated low-priv user that has special firewall rules, while the pm is executed by my main user account.
 
I said above: if that one's gone, all are gone. If I were a hacker, my primary target would be password managers' passwords.
Eh, I trust math :p

I'm not sure if the password DB file itself could be exploited beyond brute force, so I assume anyone that gets a copy of a DB has to defeat 256 bits of something trusted probably everywhere currently.

The password manager itself I guess would require a local exploit or malware on the OS to go through the manager and access data (if that's possible). Any physical access assumes the database is locked (in which case they'd have to exploit the file).

Anything like a cold boot attack with keys in RAM implies physical access, and while CPU memory encryption/scrambling, ASLR, etc. might help, you're probably a very interesting person and https://xkcd.com/538/ might apply :p
 
Here is a CRUDE shell implementation of checking password similarity with an older one, without storing the previous one in plain text or in a reversibly encrypted format
sh:
#!/bin/sh
# pa.sh
# This script saves salted MD5 hashes of the trigrams (3-character windows)
# of the password in /tmp/pwdb.txt, so the old password itself is never
# stored in plain text or in a reversible form.

# Build a glob pattern of (length - 3) '?' characters; stripping that many
# trailing characters from a string leaves its first three.
mk_pat() {
    str="$1"
    n=$((${#str} - 3))
    pat=""
    while [ "$n" -gt 0 ]; do
        pat="${pat}?"
        n=$((n - 1))
    done
    echo "$pat"
}

rm -f /tmp/pwdb.txt
echo "Enter a password that will act as previous password"
read -r opass
# Pad with markers so the first and last characters also get a trigram.
opass="__${opass}__"
SALT="ab22xy"
while [ ${#opass} -gt 2 ]; do
    pat=$(mk_pat "$opass")
    frag=${opass%$pat}          # first three characters ($pat must stay unquoted to act as a glob)
    echo "$SALT$frag" | md5 >> /tmp/pwdb.txt
    opass=${opass#?}            # drop the first character to slide the window by one
done
echo "password hashes stored in /tmp/pwdb.txt"
cat /tmp/pwdb.txt
# end of pa.sh

#!/bin/sh
# ra.sh
# This script generates the same salted MD5 hashes for a candidate password
# and counts how many of them match the saved ones.
mk_pat() {
    str="$1"
    n=$((${#str} - 3))
    pat=""
    while [ "$n" -gt 0 ]; do
        pat="${pat}?"
        n=$((n - 1))
    done
    echo "$pat"
}

while true; do
    egr="bollocks"              # dummy first alternative so each hash can be appended with '|'
    echo "Enter a password to check if similar to the older one"
    read -r npass
    npass="__${npass}__"
    SALT="ab22xy"
    while [ ${#npass} -gt 2 ]; do
        pat=$(mk_pat "$npass")
        frag=${npass%$pat}
        md5=$(echo "$SALT$frag" | md5)
        egr="${egr}|$md5"
        npass=${npass#?}
    done
    # count the stored trigram hashes that also occur in the candidate
    cnt=$(grep -E -c "$egr" /tmp/pwdb.txt)
    [ "$cnt" -ge 4 ] && echo "too similar" || echo "not similar"
done
# end of ra.sh

[09:38:52] [ns!covacat]~ $sh pa.sh
Enter a password that will act as previous password
bigfatcat
password hashes stored in /tmp/pwdb.txt
14d29e33f92fc415ad59fa306929e5c0
9fbe4900d36df2128cac72146ae198e2
a63cfcba82db39006c435b46ebff2509
1a4e23c143dc77071e321798902b7341
7a26fd75bdb510834b51406915a59f11
4b7279722fe889ed931b0654c27c9f0f
fb7af98b1085862610a0cbac97fcf844
56a7717fe3ba37e7f0264bdb7641d4b8
b26e1913cc4b08dd80b084360fce7ab2
af8a7665d9221f0520fa967f1889b22a
52d69086f573b93e75447e6230a9e952
[09:39:03] [ns!covacat]~ $sh ra.sh
Enter a password to check if similar to the older one
bigfatdog
too similar
Enter a password to check if similar to the older one
secret99
not similar
Enter a password to check if similar to the older one
fatbigcow
not similar
Enter a password to check if similar to the older one
bigcatfat22
too similar
Enter a password to check if similar to the older one
catbigfat
too similar
Enter a password to check if similar to the older one
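One caveat the posted scripts do not spell out, shown here as an added example that is not part of covacat's code: because consecutive trigrams overlap by two characters and pa.sh appends the hashes in position order, anyone who obtains /tmp/pwdb.txt and reads the hard-coded salt out of the script can recover the old password one character at a time. Line 1 hashes "__" plus the first character, and line k hashes the last two recovered characters plus one unknown one, so each position costs at most one hash per alphabet symbol (37 candidates below, an assumed alphabet; the full printable set is about 95), not 95^3 guesses per trigram. The salt and the "__" padding are taken from pa.sh; build_db rewrites a database in the same format so the example runs stand-alone, and md5sum is used as a fallback where md5(1) is missing.

```shell
#!/bin/sh
# recover.sh -- added example, not part of covacat's scripts: recover the
# old password from the trigram hash file that pa.sh writes.
# Same salt and "__" padding as pa.sh; the candidate alphabet is an assumption.
SALT="ab22xy"
ALPHABET="abcdefghijklmnopqrstuvwxyz0123456789_"

# Salted MD5 of one trigram, 32 hex chars. FreeBSD has md5(1); fall back to
# md5sum(1) on Linux so the example runs on either.
hash_of() {
    if command -v md5 >/dev/null 2>&1; then
        printf '%s\n' "$1" | md5
    else
        printf '%s\n' "$1" | md5sum | cut -c1-32
    fi
}

# Write a database in pa.sh's format: one hash per 3-character window of
# "__<password>__", appended in position order.   build_db <password> <file>
build_db() {
    p="__${1}__"
    : > "$2"
    while [ ${#p} -gt 2 ]; do
        after3=${p#???}               # everything after the first three chars
        frag=${p%"$after3"}           # hence the first three chars
        hash_of "$SALT$frag" >> "$2"
        p=${p#?}                      # slide the window by one
    done
}

# Walk the chain. Line 1 hashes "__" + first character; line k hashes the
# last two recovered characters + one unknown character, so each position
# costs at most ${#ALPHABET} hashes instead of ${#ALPHABET}^3.   recover <file>
recover() {
    db="$1"
    n=$(wc -l < "$db" | tr -d ' ')
    known="__"                        # the leading padding pa.sh prepends
    k=1
    while [ "$k" -le "$n" ]; do
        target=$(sed -n "${k}p" "$db")
        prev2=${known#"${known%??}"}  # last two recovered characters
        found=""
        rest="$ALPHABET"
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}     # first character of $rest
            rest=${rest#?}
            if [ "$(hash_of "$SALT$prev2$c")" = "$target" ]; then
                found="$c"
                break
            fi
        done
        if [ -z "$found" ]; then
            echo "position $k: no candidate in ALPHABET matched" >&2
            return 1
        fi
        known="$known$found"
        k=$((k + 1))
    done
    known=${known#__}                 # strip leading padding
    printf '%s\n' "${known%__}"       # strip trailing padding
}

# Demo when run directly, e.g.:   sh recover.sh bigfatcat
if [ "$#" -ge 1 ]; then
    tmpdb=$(mktemp)
    build_db "$1" "$tmpdb"
    printf '%s trigram hashes stored; recovered: ' "$(wc -l < "$tmpdb" | tr -d ' ')"
    recover "$tmpdb"
    rm -f "$tmpdb"
fi
```

The point is not that a trigram check is useless for flagging near-duplicate passwords, but that the file it leaves behind is worth about as much to an attacker as the plaintext: it must be protected like the password itself rather than left in /tmp, and a salt that lives in the script next to it adds nothing against anyone who can read both.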
 
So you are telling me that if I lock my database with a 48-character strong password paired with a YubiKey, that's less secure than memorizing 20 different passwords which are variations of the same password combined with finger muscle memory.
No. I'm saying protecting your passwords with a password does not increase the strength of those passwords.
Using a pw manager means you neither have to remember nor type them yourself, so you can use ludicrously long, hence very strong, passwords. That is what brings more security, yes.
But only if
a) your pwmanager can be 100% trusted, and
b) your pwmanager's pw ain't cracked.

Can you tell me why you would not trust 100% open source software that works offline and is available in the FreeBSD repo?
No.
I was talking about password managers in general. When you drag my general statement into the specific context of one very particular picked point, of course my statement becomes wrong, so you feel right.
But to me that's no way to talk to each other. At least not if the talk is not about who is right or wins an argument (political, power), but about sharing information, experiences, and solutions (scientific).

I'm saying a pw manager isn't trustworthy just because it's a pw manager.
I'm pretty sure there are trustworthy pw managers, but I also believe there are others that are not.
And there is another point I hoped I don't need to elaborate (again):

When you reach a certain age you become wary, even distrustful, because you have so many experiences, so many disappointments, which sometimes even got you into real trouble because you too quickly, too blindly, too naively trusted people (things are made by people) of the kind:
"It's awesome! You must use this! Forget everything else! This has advantages only, and no disadvantages at all! And it's completely for free! They are not doing it for profit, but out of pure altruism, only to make the world a better place! All are doing it! So why do you, old-timer, have to be such a blockhead and insist on staying in the stone age forever?!"
Well, because sooner or later all, all, turned out not to be the final wisdom.
Because there is no such thing that provides only advantages. Everything always comes as a package deal, as a compromise between advantages, disadvantages, and a price you have to pay.
Sometimes new or other things really are a good or even better thing, yes. But knowing the nature of the compromises all things bring, you know evaluation and validation are needed, to make distinctions when to use it, how, and for what, and when and for what the conventional 'old' things are better. Asking if it's worth all the effort? In almost all cases anything useful and new is an addition to the existing arsenal, a new option, but extremely seldom really a full replacement, which always has to be handled very carefully.
Sometimes new things turn out to be not useful, or even a larger burden. They save you something (time, effort, work, money) at one edge for the price that they cost you the same or even more at another.
Sometimes they turn out after a while to be not for free anymore, but you are being charged for them - especially when it comes to software. (As I said above: I'm talking generally. Don't pick a single point otherwise! I do know that myself.)
And sometimes things even come really as a fraud.

When you have the experience, there are no things - no matter what "youngsters" believe or tell you; I once also was a quick believer, especially in new technical innovations, when I was in my early twenties - there are no things, and never will be, that do not somehow fit into that grid, so you don't decide for anything anymore before you have given it a really close look.
And as long as the things you have do all the jobs you need, you only give few things a closer look, because you don't spend any effort on something you don't need.
And "it's better, you moron!" is no convincing proof.

So, since the methods I have work for me: I was never hacked in the forty years of my computer life. I caught one virus or another in the '80s and the early '90s, but neither one of my machines nor any of my accounts has been hacked (so far [at least I didn't notice]).
I don't see a reason to change a winning team, unless I really have to.

To give a silly example:
Cars are a pretty neat thing. No question. And in the 1950s...~1980s everybody agreed everybody had to have one. But if you live in Manhattan without a parking spot, and your job is just in the neighbouring block, a car makes no sense to you at all whatsoever. It would be just a useless burden ("The Odd Couple" S4 E6 "The New Car", USA 1973, pictures exactly that.)

Bottom line - again:
I never said "don't use password managers! They are useless crap!" No! That would be stupid, of course.
I only say a password manager does not increase security just because you have one, neither does it solve all your password issues for you just because you have one.
And I say as long as you can handle your passwords yourself (I said above to make a distinction between a single-user private machine at home and professional/public machines), check if there really is a need for one. Since at first - as all other software you additionally install per se - it is additional effort, and it increases the attack surface. And if handled wrong - or like you said
YOU are the problem.
those can become a security gap instead.
(☝️ Which does not mean I imply you handle your pwmanager wrong.)

All I'm saying is:
Always check what alternatives there are, which is best for what, and find your own compromise suiting your individual situation - evaluate, validate. But beware of ultimate single solutions, and above all don't convince people to also fall for those, and especially don't question their sanity if they don't. They may have their reasons. Maybe in some cases they have even evaluated and validated a topic more than you. And it's not their intention to make you look bad, but simply to point out other options and alternatives.
Since there is no such thing as the one and only ultimate solution.
🧐🥸😎:beer:

Am I the only sane person here?
I am neither capable, nor willing to answer that question.
 
Eh, I trust math
There are people using a password manager with a password like "1234". You don't need brute-force software or a RAM exploit or such to get it. You only need to know that the person uses trivial passwords ("social hacking" if you want to name it that way) and try a few.
Because they think, if they use a pw manager they are safe, because they use a pw manager. And they don't want to disturb the convenience of using a pw manager by using an inconveniently long pw for it.
This way a pw manager does not bring more security, but is actually a security gap. Because once somebody guesses "1234" right, she gets all the passwords, no matter how strong they are.

Or to put it otherwise briefly:
Don't tell people to use password managers until you have convinced them and made them always use strong passwords for everything - including the password manager - first.
You know that. I know that. But as you can read regularly, "1234" is still the most popular password in use.
 