CHATPRIVACYDONATELOGINREGISTER
DMT-Nexus
FAQWIKIHEALTH & SAFETYARTATTITUDEACTIVE TOPICS
Password management Options
 
Psilosopher?
#1 Posted : 7/25/2019 6:39:41 AM

Don't Panic

Senior Member

Posts: 756
Joined: 28-Dec-2014
Last visit: 01-Oct-2022
Location: Everywhen
What's the best way of storing many passwords? I use LastPass, but i feel really insecure with it, which may be completely unjustified. Are there better alternatives?
"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
 

Live plants. Sustainable, ethically sourced, native American owned.
 
#2 Posted : 7/25/2019 4:40:23 PM
DMT-Nexus member

ModeratorSenior Member

Posts: 4612
Joined: 17-Jan-2009
Last visit: 07-Mar-2024
Well I'm going to say the obvious and honestly best way - offline, written down and kept somewhere quickly accessible, having none of it stored on your actual computer. This is hands down the best method.

With that said:


There's always using oneway cryptographic hash functions, storing the compiled hash values in a txt file, then if needing to remember your now-hashed passwords later - there's relatively small few-line scripts that can do the comparison, but for the comparison script to work you'd need to have wrote in/supplied the table of hashed passwords and their given plaintext equivalent within the script for it to even do the comparison against your pswd file w/ the given hashes and to retrieve the plain-text values.

(*Only reason I mentioned this is because I know you've talked about the fact you code, so yeah)

^^^ Using this comparison script is only for if you would need to retrieve the given plaintext - in say you forget a given password and can't remember - then you could run the comparison script against your txt file of pre-compiled pswd hashes.

Though this could be seen as overwork/overkill just to see your plaintext passwords if you'd happen to forget one of them - you'd have to create your own comparison script.



A really sound way imo/ime is using a AES encrypted usb drive stick. The best program out there for this ime is veracrypt [a fork from truecrypt].

You can use veracrypt to instantiate a usb flashdrive container - allowing an encrypted volume to be created so that whenever you decide to plug in & mount the usb drive - you can select an open slot in veracrypt, then select the path of your usb drive to mount, enter your passphrase, then decrypt the container/volume, then there's your plaintext pswds.

Btw when you have veracrypt open and the usb drive mounted - add w/e plaintext passwords you have - then once within the given volume/container they'll be automatically encrypted, then dismount, unplug usb, done. Then to retrieve - you just do what I said above. And obviously you want to keep the usb stick somewhere readily accessible && [hopefully] secure.

##!

If you really want to enhance vc to it's full potential - you can instantiate an encrypted volume within an encrypted volume - with the underlying volume hidden (i.e. the one that would contain your sensitive data). The outer volume you can throw in w/e BS files you'd like, anything to throw the person off if they happened to get the outer volume's key/passphrase - though when they'd access this outer volume all they'd see is your mach-files, with the inner volume completely hidden from view.

The only way said person would get to access your inner volume is if they knew the passphrase for that inner volume. But the whole point of having a volume within a volume is to fake the said person into believing they'd accessed 'your actual passwords/sensitive data' - when in reality you'd have given them only the outer volume passphrase - which is just essentially a honeypot of sorts, a dummy setup.



I know you said you use linux, so vc is worth looking into. I think it's out for windows too, but not entirely sure.



I use a usb stick with vc w/ the hidden volume.

 
#3 Posted : 7/25/2019 6:41:40 PM
DMT-Nexus member

ModeratorSenior Member

Posts: 4612
Joined: 17-Jan-2009
Last visit: 07-Mar-2024
The pswd manager itself uses the companies server for much of the extensions functionality, though the extension itself has several fallbacks to server provided pages for a few of it's provided features. For example - one of these fallbacks on the extension is the 'account settings' which redirects you to a web-interface page hosted by last passes server, bypassing the extension itself.

There's been past flaws in the several APIs

** getdata & keyplug2web

It was found that the response to these API calls contained your local encryption key - which could potentially be used to decrypt all pswds server-side. Random websites used to be able to access these APIs, not sure how buttoned-down this is now, but I think now only the lastpass domains can trigger these calls. Lastpass blocks the calls now from any domains outside of the former.

Though the subdirecs/pages within lastpass domain seemed to also be vulnerable under certain circumstances - there apparently used to be a breach notifier [i think there still might be] that lastpass server would send to the client if such a thing came up with the server, containing a short message with a link for the client - in which case if the client clicks the supplied link then the API keyplug2web would become unlocked - giving access to all the given passwords.



There's been numerous reports of lastpass's autofill functionality being exploitable.

One instance was a section of the code that parsed the URL to figure out the specific domain the browser was currently at, then it would fill in the given credentials due to a flaw in the URL encoding - which could be displayed on the subsequent get/post requests on the following page/s. (& with minor tweaking of the URL itself).



The master password could also potentially be bruteforced. I think lastpass uses pbkdf2 algorithm for derivation of the key from the master password. This algorithm has one major property of being fairly slow, so ppl trying to pswd guess locally can be slowed down a bit.

This 'time required' is proportional to the # of iterations for the algorithm, meaning an icnreased number of iterations would consequently lead to a significantly tougher time to guess the password. Lastpass's # of iterations used to be around 4000 or so, though as of last year they apparently up'd the # of iterations to 12000, which is s nice jump, and helps adding additional security.



There's a few other troublesome areas with lastpass in terms of the local encryption scheme. There's a number of occasions where the extension will expose your local encryption key to lastpass's servers:

opening account settings
security challenge
history
bookmarklets
linking a personal account
adding an identity
printing all sites
 
Psilosopher?
#4 Posted : 7/26/2019 2:27:02 AM

Don't Panic

Senior Member

Posts: 756
Joined: 28-Dec-2014
Last visit: 01-Oct-2022
Location: Everywhen
Thanks for the info, some really informative stuff.


I'm not tech savvy enough to use all that stuff, but i did find this:

https://masterpassword.app/


Quote:
Master Password is the answer to the problem that websites have forced on us.

Master Password is not a password manager. It is not a secure vault or a digital notebook. It is something else entirely, and yet something so simple.

Think of it as, a store-bought calculator. If your name was 1337, your master password was 5317 and you'd like to log into the site 707, take any calculator in the world and type in 1337 + 5317 + 707 to get the password to use for this site, = 7361.
Can somebody steal your password? Just hit

.
What are you going to do if you forget your site's password? Just redo the math.
What if you lose or break your device? Borrow a buddy's or get a new one, math is universal.
Does a calculator need to sync with the cloud before you can use it? No, just remember your own name and master password.

This is the freedom Master Password gives you.
Master Password performs a similar but cryptographically secure operation, hardened by interweaving primitives against both known and unknown attack vectors, ensuring that targeting your identity remains absolutely insurmountable.

With Master Password you leave no passwords laying around. You no longer store passwords in commercial, proprietary apps and no longer send them off to the cloud. You are no longer tied to your laptop or the internet if you need to look one up. Even if a personal or natural catastrophe causes you loss, you can never lose your account passwords — all you ever need is your one and only secret master password and anyone's Master Password calculator app.




It does have limited functionality compared to LastPass, like autofilling, but seems way more secure.
"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
 
#5 Posted : 7/26/2019 2:38:20 PM
DMT-Nexus member

ModeratorSenior Member

Posts: 4612
Joined: 17-Jan-2009
Last visit: 07-Mar-2024
Psilosopher? wrote:

I'm not tech savvy enough to use all that stuff, but i did find this:


It does have limited functionality compared to LastPass, like autofilling, but seems way more secure.


If you're interested there's fairly straightforward articles on doing the encrypted volume/s and/or usb approach, but it's understandable if you'd rather not mess with it.

&&

Limited functionality is a good thing in alot of cases haha, at least in terms of things surrounding passwords. Small surface area as far as offensive attacks go, though the premise of 'small surface area' only stands really if this supposed limited surface area design is true to it's underlying tenets/framework.

Appears this is just a cryptographic hash calculator with some added inherent functionality.

Seems like an interesting app Smile


 
B1ack_Ph03niX
#6 Posted : 11/28/2019 9:37:53 PM

DMT-Nexus member


Posts: 122
Joined: 19-Jun-2019
Last visit: 12-Aug-2024
Location: 01
after using Several password managers at last i found keepass2 better than other even 1password . its open source (You can be sure there is no malicious code) and multi platform i'm using it for 2 years now with no problems.
if you have confidential files i suggest to you use linux .
i have one hard drive For these things. i setup linux and encrypt all the hard drive (linux has security option in installation)

hope this helps
“I understood myself only after I destroyed myself. And only in the process of fixing myself, did I know who I really was.”

 
Hailstorm
#7 Posted : 6/4/2020 9:14:21 AM

DMT-Nexus member

Chemical expert

Posts: 267
Joined: 14-Dec-2018
Last visit: 14-Apr-2024
Most password recommendations are created for ordinary Internet users who only need medium levels of security - enough to keep script kiddies away from your email.

My (unqualified, personal) opinion is that these recommendations may not be sufficient for Nexus users. When the stakes are high and the adversary is strong, higher levels of security are required.

Consider the unthinkable - memorizing a new, really long and strong password (say, 12 to 20 random uppercase and lowercase letters, numbers, special symbols) every year. Do not trust any tool or website - just roll the dice. No, it is not easy, and it takes some practice, but an average human can do it. To ensure there is an emergency backup in case your memory fails, split that password into parts and write them down somewhere (never together / in one place).

If you are in the US, do not rely on your fingerprints to unlock your encrypted phone. The Fifth Amendment protects your right not to disclose your password, to anyone, ever, unless you are granted immunity from prosecution. Your fingerprints are not protected at all.
 
pastanostra
#8 Posted : 6/4/2020 11:16:38 PM

DMT-Nexus member


Posts: 337
Joined: 01-Dec-2017
Last visit: 09-Apr-2024
Location: Virtually on earth, Really everywhere
Hey
Personnaly i use an encrypted partition and a keepass (using keepassxc because it's open source) database stored on the computer. It's synced on a nextcloud instance (a personnal server, with encrypted drive).
All password are auto generated by keepass at least 64bits caracters (128 / 256 if app accept it).
I just know 2 nice passpjrase to have access to all my passwords.
Something to consider is a regular backup to protect all your data.
It's some habits to change.
Otljer things to consider is to think to close / restart your computer to prevent potential memory leak from website (see spectre and other flaws )
Cheers
 
MachienDome
#9 Posted : 10/1/2020 12:19:35 AM

DMT-Nexus member


Posts: 117
Joined: 13-May-2018
Last visit: 01-Apr-2022
Location: The Nexus
B1ack_Ph03niX wrote:
after using Several password managers at last i found keepass2 better than other even 1password . its open source (You can be sure there is no malicious code) and multi platform i'm using it for 2 years now with no problems.
if you have confidential files i suggest to you use linux .
i have one hard drive For these things. i setup linux and encrypt all the hard drive (linux has security option in installation)

hope this helps


I highly suggest this.
"In this secret room, from the past, I seek the future..."
 
Northerner
#10 Posted : 11/5/2020 8:32:13 AM

DMT-Nexus member


Posts: 804
Joined: 27-Feb-2016
Last visit: 17-Aug-2024
On ss64.com there is a password generator. You remember a single password and it will generate complex passwords for you. Whatever the algorithm is it remains the same so as long as you remember your master password you can fetch all of your passes on any device connected to the internet.

It's not a bad approach.
The nearest we ever come to knowing truth is when we are witness to paradox.
 
PsilocybeChild
#11 Posted : 12/14/2020 7:00:21 AM

DMT-Nexus member


Posts: 574
Joined: 24-Jan-2009
Last visit: 25-Aug-2023
Location: somewhere in the sands of time
+1 for https://www.ProtonMail.com/
They also fought off the largest DDOS attack in Europe's history.
Proton Mail's underground bunker:
PsilocybeChild attached the following image(s):
8742746.image_-1024x681.jpg (117kb) downloaded 13 time(s).
―λlτεrηιτγ→
Kambo.me Forum
​Internet Security Walk-Through
[url=https://kambo.me/smf/index.php?topic=395.0]Tobacco Disinformation

PM me about personal Herbalist consultations.
Can do it over PMs as to not reveal personal information.
 
 
Users browsing this forum
Guest

DMT-Nexus theme created by The Traveler
This page was generated in 0.045 seconds.