On Tue, May 12, 2020 at 01:13:26PM -0400, Daniel Barrett wrote:
> On May 11, 2020, Derek Martin wrote:
> >> Dan Barrett wrote:
> >>> 1. Store username/password pairs in a tab-delimited text file, one
> >>> entry per line, with 3 columns: username, password, and freeform text.
> >
> >I do the same b
On Tue, 12 May 2020 13:13:26 -0400
Daniel Barrett wrote:
> Here's a scenario. I maintain a dozen MediaWiki sites, and each one
> includes 1-2 mySQL passwords and several wiki user passwords. How
> would you handle this situation with multiple, separately encrypted
> password files? With a single
On May 11, 2020, Derek Martin wrote:
>> Dan Barrett wrote:
>>> 1. Store username/password pairs in a tab-delimited text file, one
>>> entry per line, with 3 columns: username, password, and freeform text.
>
>I do the same basic idea but I use one file per password and
>individually encrypt them.
H
On Fri, May 08, 2020 at 03:08:52PM -0400, Steve Litt wrote:
> On Fri, 8 May 2020 13:42:36 -0400
> Daniel Barrett wrote:
> > Here is my password manager that seems to meet most of your
> > requirements.
> >
> > 1. Store username/password pairs in a tab-delimited text file, one
> > entry per line,
Oops, I missed a couple of your questions, Steve!
On May 8, 2020, Steve Litt wrote:
>I'm going to arrange for a piece of punctuation to be inserted when
>creating the password. Most accounts require a punctuation in the
>password, but they all differ as to *which* punctuation they allow.
FWIW,
Steve Litt writes:
>Daniel Barrett wrote:
>> 3. Retrieve passwords using a simple script that calls gpg to decrypt,
>> grep to find the line you want, and cut to isolate the username &
>> password. Optionally, call xclip to copy username & password into the
>> window manager's clipboard for easy p
On Fri, 8 May 2020 13:42:36 -0400
Daniel Barrett wrote:
> On May 7, 2020, Tom Metro wrote:
> >Here are the characteristics I consider minimum acceptable for a
> >password manager: open source implementation; [...] code that only
> >changes when I explicitly download and install a new version; [..
On May 7, 2020, Tom Metro wrote:
>Here are the characteristics I consider minimum acceptable for a
>password manager: open source implementation; [...] code that only
>changes when I explicitly download and install a new version; [...]
>good random password generator [...] no browser integration; n
> I use lastpass. It works on all platforms. Individual passwords are
> encrypted as is the master password.
Before giving advice on password managers its good to consider the type
of user and the level of security required. Someone mentioned using a
paper solution, and indeed that can be an accep
On Wed, 6 May 2020 20:37:13 -0400
Kent Borg wrote:
> Choose and deploy password in such a way that you can survive many
> bugs.
I'll counter with: you should stop making assumptions.
First of all, this:
> Which is near where we started. By having passwords so cumbersome
> that they require con
On Wed, May 6, 2020 at 6:59 PM Kent Borg wrote:
> On 5/6/20 1:45 PM, Jack Bennett wrote:
> > One of the benefits of a password manager is that it automates this
> process
> > so you can easily use passwords that would be impossible to remember
> and/or
> > type in (and lock them behind a suitable
On 5/6/20 9:44 PM, Doug wrote:
> And even
> then be really worried that, though your password software and how you
> use it might be really, really excellent, if someone has spyware on your
> machine that targets your password software, you are *so* screwed.
>
> This stuff is terrifying.
Less so
On 5/6/20 7:32 PM, Kent Borg wrote:
16-random characters? Which? Let's assume just lower case ASCII
alphabetics.
26^16 is 43608742899428874059776L
That is a big number. (Add uppercase and numbers and other printable
stuff...and 52**16 and 96**16 are both crazy bigger.)
If your attacker st
> And even
> then be really worried that, though your password software and how you
> use it might be really, really excellent, if someone has spyware on your
> machine that targets your password software, you are *so* screwed.
>
> This stuff is terrifying.
Less so if one uses two-step verificatio
On 5/6/20 8:37 PM, Kent Borg wrote:
Choose and deploy password in such a way that you can survive many bugs.
...password software in such a way...
-kb
___
Discuss mailing list
Discuss@lists.blu.org
http://lists.blu.org/mailman/listinfo/discuss
On 5/6/20 8:26 PM, Kent Borg wrote:
Which is near where we started. By having passwords so cumbersome that
they require convenience-driven password management you are betting
that your password manager software is, for some magical reason,
bug-free.
Choose and deploy password in such a way th
On 5/6/20 7:58 PM, Rich Pieri wrote:
Proof against dictionary and rainbow table attacks against compromised
account databases,
Why do you care about rainbow attacks? Once a site is so badly
compromised that an attacker the account database...what difference does
it make if your plaintext pass
On 5/6/20 7:32 PM, Rich Pieri wrote:
I have over 250 site passwords in my vaults. I can't remember and track
them all. Therefore I have programs do it for me. Since I don't have to
remember them all myself there is no need to constrain my passwords to
memorable patterns.
I'm not opposed to usin
On Wed, 6 May 2020 19:32:49 -0400
Kent Borg wrote:
> What is the point?
Proof against dictionary and rainbow table attacks against compromised
account databases, and making brute force attacks against my accounts
take longer than the low hanging fruit.
> Conversely, what is the cost? The cost is
On 5/6/20 1:58 PM, Doug wrote:
I am not a security expert. I certainly would not notice the 2FA versus 2SV
although now I see it is a real thing. What really impressed me and got me
to take out the credit card after I read the article was that Google
required all employees to use a Yubikey to do
On 5/6/20 1:58 PM, Rich Pieri wrote:
You tell me why you think 16 random characters is inappropriate for
this purpose.
The reason for making passwords long is to make them unguessable.
The key feature of a password is that, though I can make up guesses as
fast as I choose to spend the money,
On Wed, 6 May 2020 18:57:09 -0400
Kent Borg wrote:
> I'm not opposed to software automatically generating passwords. But
> why make them impossible to remember?
I have over 250 site passwords in my vaults. I can't remember and track
them all. Therefore I have programs do it for me. Since I don't
On 5/6/20 1:45 PM, Jack Bennett wrote:
One of the benefits of a password manager is that it automates this process
so you can easily use passwords that would be impossible to remember and/or
type in (and lock them behind a suitable and memorable passphrase).
I'm not opposed to software automati
On Wed, 6 May 2020 15:30:03 -0400
Daniel Barrett wrote:
> True, it's a black box, but it's a black box that world-class security
> professionals have trusted:
Around 4 years ago Yubi went closed source proprietary. Some of those
professionals have since withdrawn their endorsements.
--
Rich Pi
On May 6, 2020, Kent Borg wrote:
>Yubikey feels more "Isn't this cool!?" to me than it feels secure.
>Why should I trust it will only let me in? Why should I trust it
>*will* let me in?
True, it's a black box, but it's a black box that world-class security
professionals have trusted:
https://ww
I'm surprised I haven't seen anyone mention Teampass yet.
It's functionally similar to Lastpass but it's self-hosted.
--
Rich Pieri
I am not a security expert. I certainly would not notice the 2FA versus 2SV
although now I see it is a real thing. What really impressed me and got me
to take out the credit card after I read the article was that Google
required all employees to use a Yubikey to do their day-to-day jobs. For
that r
On Wed, 6 May 2020 13:42:08 -0400
Kent Borg wrote:
> What are you trying to accomplish with these 16-random-characters?
> That's only about 75-bits of entropy, so not a very good encryption
> key, so you must mean password. So what are you trying to do? Stop a
> brute force guessing foe? Give me
I use KeePass as a password generator and safe. It has Mac, Linux,
Android, iOS ports that I have used. Specifically I use the KeePassXC
port on my Linux laptops and Mac desktop, MiniKeePass on my iPad and
KeePassDroid on my Android Phone. KeePass itself is Windows only. I've
not actually run
One of the benefits of a password manager is that it automates this process
so you can easily use passwords that would be impossible to remember and/or
type in (and lock them behind a suitable and memorable passphrase).
Of course, this still requires trusting the creators of the manager
applicatio
On 5/6/20 1:32 PM, Rich Pieri wrote:
On Wed, 6 May 2020 13:05:58 -0400
Kent Borg wrote:
Except 16+ is overkill for a password. (*Password*, not encryption
passphrase--the two are extremely different uses.)
Except... they're not. 16 random (I'm assuming) characters is what
Google use for appli
On Wed, 6 May 2020 13:05:58 -0400
Kent Borg wrote:
> Except 16+ is overkill for a password. (*Password*, not encryption
> passphrase--the two are extremely different uses.)
Except... they're not. 16 random (I'm assuming) characters is what
Google use for application passwords. Which are in fact
On 5/6/20 12:03 PM, Doug wrote:
Am I wrong to presume everyone here uses 2-factor authentication? Yubikey
is that, plus it has software that does try to figure out if the servers
being contacted are the right ones, and not ones that just look right to a
casual observer.
You are wrong in the cas
On May 5, 2020, Doug wrote:
>What if someone gets your Gmail account password? ...
>This is why I spent $100 to get a pair of Yubikeys.
Agreed! Protecting an account with a strong password and a Yubikey for
the second factor is the best combo I've heard of.
On 5/6/20 11:16 AM, Rich Pieri wrote:
On Wed, 6 May 2020 10:09:30 -0400
Kent Borg wrote:
And for one that is reused...doesn't matter so much. All your uses
are as weak as the weakest site to which you have given that password.
Which is why 16+ random characters never reused.
Except 16+ is o
On Wed, 6 May 2020 12:03:41 -0400
Doug wrote:
> Am I wrong to presume everyone here uses 2-factor authentication?
Probably.
To be nit-picky, common 2FA is actually 2SV (two-step verification).
2FA colloquially is something you know plus something you have like an
ATM PIN and the matching card. A
On Tue, May 5, 2020 at 5:58 PM Jerry Feldman wrote:
> I use lastpass. It works on all platforms.
>
LastPass is endorsed by Steve Gibson of Security Now! as being "Trust No
One"; works with all major browsers and phones.
They already had their minor security breach so have gotten past the
obviou
Am I wrong to presume everyone here uses 2-factor authentication? Yubikey
is that, plus it has software that does try to figure out if the servers
being contacted are the right ones, and not ones that just look right to a
casual observer.
On Wed, May 6, 2020 at 11:19 AM Rich Pieri wrote:
> On We
On Wed, 6 May 2020 10:09:30 -0400
Kent Borg wrote:
> And for one that is reused...doesn't matter so much. All your uses
> are as weak as the weakest site to which you have given that password.
Which is why 16+ random characters never reused.
Also, site operators cannot be trusted to report brea
On 5/6/20 9:57 AM, Kent Borg wrote:
A password (if not reused between sites) does not have to be
particularly strong.
And for one that is reused...doesn't matter so much. All your uses are
as weak as the weakest site to which you have given that password.
-kb
__
On 5/5/20 10:41 PM, Rich Pieri wrote:
* Run: "pwgen -nsB ##" (where ## is typically 16 or more)
Remember that there is a *big* difference between a password that is a
password and one that is used for encryption. A password (if not reused
between sites) does not have to be particularly strong.
On Tue, 5 May 2020 20:27:03 -0400
Doug wrote:
> One nice perk of lastpass: it will give you an overall security score
> for every password you have. It took quite a bit of dull work over a
> few weeks, but my security score is at 95%. The reason it is not
> higher: shared passwords with the misse
One nice perk of lastpass: it will give you an overall security score for
every password you have. It took quite a bit of dull work over a few weeks,
but my security score is at 95%. The reason it is not higher: shared
passwords with the misses.
Lastpass or 1Password are still not good enough.
Wh
On Tue, 5 May 2020 17:47:43 -0400
Jerry Natowitz wrote:
> I've decided it is time to start using strong unique passwords on all
> sites. What products will work on Linux/gnu, Linux/Android, and
> Windows 10? Is the integration to the O/S, the window manager, or
> the web browser? Looking for
On 5/5/20 6:54 PM, Kent Borg wrote:
The result is the passwords I use most frequently I remember, so I
just type them. The ones I use infrequently are infrequent, so I don't
mind looking them up.
Remember: All software has bugs, password managers are not somehow
immune.
How about this analo
FYI last pass will offer a long random secure password to you as an option
Sent from my iPhone
> On May 5, 2020, at 6:56 PM, Kent Borg wrote:
>
> On 5/5/20 5:47 PM, Jerry Natowitz wrote:
>> I've decided it is time to start using strong unique passwords on all sites.
>
> Smart.
>
>> What pro
On 5/5/20 5:47 PM, Jerry Natowitz wrote:
I've decided it is time to start using strong unique passwords on all
sites.
Smart.
What products will work on Linux/gnu, Linux/Android, and Windows 10?
Is the integration to the O/S, the window manager, or the web
browser? Looking for something tha
I'm happy with 1Password
It works seamlessly on everything I've tried it on: macOS, Ubuntu and Red
Hat Linux, Windows 10. I'd be surprised if there weren't an Android app but
you probably want to check that out to make sure.
On Tue, May 5, 2020 at 5:50 PM Jerry Natowitz wrote:
> I've decided it
I use lastpass. It works on all platforms. Individual passwords are
encrypted as is the master password. The only problem I had was when I
forgot the exact spelling of my master pass phrase. Since my desktop system
was logged in I was able to set another pass phrase.
--
Jerry Feldman
Boston Linux
I've decided it is time to start using strong unique passwords on all
sites. What products will work on Linux/gnu, Linux/Android, and Windows
10? Is the integration to the O/S, the window manager, or the web
browser? Looking for something that will work transparently across all
the mentioned