Password management
category: offtopic [glöplog]
skip useless sites. and:
Write them all down? And have a big sheet of carefully written passwords, along with the site it's for + the username so I know what goes where? If that goes missing, it's serious panic time. Plus I have to carry this sheet of paper everywhere so I can log in to stuff from my mobile. Which means it gets ruined fast, and I have to re-write it once a week, or print it (which means I have it on disk anyway!)
Besides, who wants to type out long random strings regularly?
Skrebbel: there's a difference between a file on dropbox and a lastpass account. If lastpass gets hacked, the hackers know exactly what the files are, can possibly get all of them, and can get to work on stealing your keys (they'd likely have some of your details at this point, like an email address).
Nobody is going to hack dropbox and steal ALL of the files. They'd need a datacentre :D If they hack your account, they'll get some stuff and an encrypted file, with no real idea of what it is. The only remaining risk is that they somehow know you're using keepass, and get access to your password + file (this risk exists for lastpass too, and it's pretty low I think).
Best solution would be lastpass with the encrypted file stored on dropbox or wherever.
i see your point.
nevertheless, i think it's somewhat far-fetched - unless your lastpass master password is "password", of course.
that said, i'd never want to face the complications of having my passwords stored in a place that i can only access with a password (my dropbox password) that is listed inside that password file. the whole dropbox option basically doesn't work unless you're on your own device.
okkie has the leading!
Quote:
Use the "forgot my password" at every website on every log-in!
okkie just gets lonely and likes getting lots of emails.
most importantly just try and remember them passwords. use memorable nontrivial passwords and not some mambojambo. then use anagrams and substitute letters with 1337 speak stuff, you're a scener goddammit.
altho this way i lost the pw to my router, that has no email password functionality. i knew what it consists of, but not the right order >_<'
vectory: yeah, that's what I have been doing. But it's like one of those old style arcade games, where each time you nail it, it goes and repeats the last level but with 5 more enemies. You can hold 'em off for a while, but in the end they take you down.
Plus, there's the problem of remembering all the passwords but not which sites they're for. Especially when some of them force you to use a username of their choosing, or worse still the banks where you're asked for characters 7, 9 and 14 of your secret word and characters 5 and 6 of your secret passcode.
I had a tesco bank account before that had an 8 digit number as the username, plus a 10 character password and a 6 digit numeric password. How the fuck do they expect me to remember that? (I closed that fucker down :) And that was the replacement "customer friendly" login, before that it used 1 number + 1 password + a stupid card & card reader that you're supposed to keep with you if you want to do some banking while you're out!
psonice: the only financial site I have password to, sends me an sms with a code which is only alive for a few minutes upon login, so only I can log into it even if some1 else has the password. He has to steal my phone too. Also it sends me an sms for each transaction not only for the login.
my sms token security banking system is 6 digits long and lasts for 60 seconds only.
you can imagine how fun it is to try to use it while abroad with dodgy roaming conditions :)
I use this myself, . There's a video of me demonstrating it here: vimeo
I've come up with a bit of a solution for this. It's not ideal, doesn't cover mobile devices, and only works on macs, but hey.
1. Let the browser store all of the passwords. It's critical that this gets stored in Keychain, not the browser. Safari and chrome should be OK.
2. Turn on the keychain status menu item, in Keychain Access' prefs.
3. When you finish using the computer, click on that new menu (with the padlock), and lock the keychain. Now the browser can't access your passwords until you unlock it again with your password :)
4. Synch keychain between computers using mobile me (it's automated once you authorise a computer, but the downside is MobileMe is 1. paid and 2. no longer available :( Hopefully iCloud will have this feature once it's available.)
Keychain also includes a tool to generate randomised, secure, memorable (so far as these things can be) passwords.
Anyway, that kind of does what lastpass does, with the same single password as the weak point, but it's now entirely under your control rather than some foreign company's. Hopefully I can figure out a way to sync this to my iPhone + iPad too.