Don't Panic
Posts: 756 Joined: 28-Dec-2014 Last visit: 01-Oct-2022 Location: Everywhen
|
What's the best way of storing many passwords? I use LastPass, but i feel really insecure with it, which may be completely unjustified. Are there better alternatives? "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
|
|
|
|
|
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
|
Well I'm going to say the obvious and honestly best way - offline, written down and kept somewhere quickly accessible, having none of it stored on your actual computer. This is hands down the best method.
With that said:
There's always using oneway cryptographic hash functions, storing the compiled hash values in a txt file, then if needing to remember your now-hashed passwords later - there's relatively small few-line scripts that can do the comparison, but for the comparison script to work you'd need to have wrote in/supplied the table of hashed passwords and their given plaintext equivalent within the script for it to even do the comparison against your pswd file w/ the given hashes and to retrieve the plain-text values.
(*Only reason I mentioned this is because I know you've talked about the fact you code, so yeah)
^^^ Using this comparison script is only for if you would need to retrieve the given plaintext - in say you forget a given password and can't remember - then you could run the comparison script against your txt file of pre-compiled pswd hashes.
Though this could be seen as overwork/overkill just to see your plaintext passwords if you'd happen to forget one of them - you'd have to create your own comparison script.
A really sound way imo/ime is using a AES encrypted usb drive stick. The best program out there for this ime is veracrypt [a fork from truecrypt].
You can use veracrypt to instantiate a usb flashdrive container - allowing an encrypted volume to be created so that whenever you decide to plug in & mount the usb drive - you can select an open slot in veracrypt, then select the path of your usb drive to mount, enter your passphrase, then decrypt the container/volume, then there's your plaintext pswds.
Btw when you have veracrypt open and the usb drive mounted - add w/e plaintext passwords you have - then once within the given volume/container they'll be automatically encrypted, then dismount, unplug usb, done. Then to retrieve - you just do what I said above. And obviously you want to keep the usb stick somewhere readily accessible && [hopefully] secure.
##!
If you really want to enhance vc to it's full potential - you can instantiate an encrypted volume within an encrypted volume - with the underlying volume hidden (i.e. the one that would contain your sensitive data). The outer volume you can throw in w/e BS files you'd like, anything to throw the person off if they happened to get the outer volume's key/passphrase - though when they'd access this outer volume all they'd see is your mach-files, with the inner volume completely hidden from view.
The only way said person would get to access your inner volume is if they knew the passphrase for that inner volume. But the whole point of having a volume within a volume is to fake the said person into believing they'd accessed 'your actual passwords/sensitive data' - when in reality you'd have given them only the outer volume passphrase - which is just essentially a honeypot of sorts, a dummy setup.
I know you said you use linux, so vc is worth looking into. I think it's out for windows too, but not entirely sure.
I use a usb stick with vc w/ the hidden volume.
|
|
|
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
|
The pswd manager itself uses the companies server for much of the extensions functionality, though the extension itself has several fallbacks to server provided pages for a few of it's provided features. For example - one of these fallbacks on the extension is the 'account settings' which redirects you to a web-interface page hosted by last passes server, bypassing the extension itself.
There's been past flaws in the several APIs
** getdata & keyplug2web
It was found that the response to these API calls contained your local encryption key - which could potentially be used to decrypt all pswds server-side. Random websites used to be able to access these APIs, not sure how buttoned-down this is now, but I think now only the lastpass domains can trigger these calls. Lastpass blocks the calls now from any domains outside of the former.
Though the subdirecs/pages within lastpass domain seemed to also be vulnerable under certain circumstances - there apparently used to be a breach notifier [i think there still might be] that lastpass server would send to the client if such a thing came up with the server, containing a short message with a link for the client - in which case if the client clicks the supplied link then the API keyplug2web would become unlocked - giving access to all the given passwords.
There's been numerous reports of lastpass's autofill functionality being exploitable.
One instance was a section of the code that parsed the URL to figure out the specific domain the browser was currently at, then it would fill in the given credentials due to a flaw in the URL encoding - which could be displayed on the subsequent get/post requests on the following page/s. (& with minor tweaking of the URL itself).
The master password could also potentially be bruteforced. I think lastpass uses pbkdf2 algorithm for derivation of the key from the master password. This algorithm has one major property of being fairly slow, so ppl trying to pswd guess locally can be slowed down a bit.
This 'time required' is proportional to the # of iterations for the algorithm, meaning an icnreased number of iterations would consequently lead to a significantly tougher time to guess the password. Lastpass's # of iterations used to be around 4000 or so, though as of last year they apparently up'd the # of iterations to 12000, which is s nice jump, and helps adding additional security.
There's a few other troublesome areas with lastpass in terms of the local encryption scheme. There's a number of occasions where the extension will expose your local encryption key to lastpass's servers:
opening account settings security challenge history bookmarklets linking a personal account adding an identity printing all sites
|
|
|
Don't Panic
Posts: 756 Joined: 28-Dec-2014 Last visit: 01-Oct-2022 Location: Everywhen
|
Thanks for the info, some really informative stuff. I'm not tech savvy enough to use all that stuff, but i did find this: https://masterpassword.app/Quote:Master Password is the answer to the problem that websites have forced on us.
Master Password is not a password manager. It is not a secure vault or a digital notebook. It is something else entirely, and yet something so simple.
Think of it as, a store-bought calculator. If your name was 1337, your master password was 5317 and you'd like to log into the site 707, take any calculator in the world and type in 1337 + 5317 + 707 to get the password to use for this site, = 7361. Can somebody steal your password? Just hit
. What are you going to do if you forget your site's password? Just redo the math. What if you lose or break your device? Borrow a buddy's or get a new one, math is universal. Does a calculator need to sync with the cloud before you can use it? No, just remember your own name and master password.
This is the freedom Master Password gives you. Master Password performs a similar but cryptographically secure operation, hardened by interweaving primitives against both known and unknown attack vectors, ensuring that targeting your identity remains absolutely insurmountable.
With Master Password you leave no passwords laying around. You no longer store passwords in commercial, proprietary apps and no longer send them off to the cloud. You are no longer tied to your laptop or the internet if you need to look one up. Even if a personal or natural catastrophe causes you loss, you can never lose your account passwords β all you ever need is your one and only secret master password and anyone's Master Password calculator app. It does have limited functionality compared to LastPass, like autofilling, but seems way more secure. "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
|
|
|
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
|
Psilosopher? wrote: I'm not tech savvy enough to use all that stuff, but i did find this:
It does have limited functionality compared to LastPass, like autofilling, but seems way more secure.
If you're interested there's fairly straightforward articles on doing the encrypted volume/s and/or usb approach, but it's understandable if you'd rather not mess with it. && Limited functionality is a good thing in alot of cases haha, at least in terms of things surrounding passwords. Small surface area as far as offensive attacks go, though the premise of 'small surface area' only stands really if this supposed limited surface area design is true to it's underlying tenets/framework. Appears this is just a cryptographic hash calculator with some added inherent functionality. Seems like an interesting app
|
|
|
DMT-Nexus member
Posts: 122 Joined: 19-Jun-2019 Last visit: 12-Aug-2024 Location: 01
|
after using Several password managers at last i found keepass2 better than other even 1password . its open source (You can be sure there is no malicious code) and multi platform i'm using it for 2 years now with no problems. if you have confidential files i suggest to you use linux . i have one hard drive For these things. i setup linux and encrypt all the hard drive (linux has security option in installation) hope this helps βI understood myself only after I destroyed myself. And only in the process of fixing myself, did I know who I really was.β
|
|
|
DMT-Nexus member
Posts: 267 Joined: 14-Dec-2018 Last visit: 14-Apr-2024
|
Most password recommendations are created for ordinary Internet users who only need medium levels of security - enough to keep script kiddies away from your email.
My (unqualified, personal) opinion is that these recommendations may not be sufficient for Nexus users. When the stakes are high and the adversary is strong, higher levels of security are required.
Consider the unthinkable - memorizing a new, really long and strong password (say, 12 to 20 random uppercase and lowercase letters, numbers, special symbols) every year. Do not trust any tool or website - just roll the dice. No, it is not easy, and it takes some practice, but an average human can do it. To ensure there is an emergency backup in case your memory fails, split that password into parts and write them down somewhere (never together / in one place).
If you are in the US, do not rely on your fingerprints to unlock your encrypted phone. The Fifth Amendment protects your right not to disclose your password, to anyone, ever, unless you are granted immunity from prosecution. Your fingerprints are not protected at all.
|
|
|
DMT-Nexus member
Posts: 337 Joined: 01-Dec-2017 Last visit: 09-Apr-2024 Location: Virtually on earth, Really everywhere
|
Hey Personnaly i use an encrypted partition and a keepass (using keepassxc because it's open source) database stored on the computer. It's synced on a nextcloud instance (a personnal server, with encrypted drive). All password are auto generated by keepass at least 64bits caracters (128 / 256 if app accept it). I just know 2 nice passpjrase to have access to all my passwords. Something to consider is a regular backup to protect all your data. It's some habits to change. Otljer things to consider is to think to close / restart your computer to prevent potential memory leak from website (see spectre and other flaws ) Cheers
|
|
|
DMT-Nexus member
Posts: 117 Joined: 13-May-2018 Last visit: 01-Apr-2022 Location: The Nexus
|
B1ack_Ph03niX wrote:after using Several password managers at last i found keepass2 better than other even 1password . its open source (You can be sure there is no malicious code) and multi platform i'm using it for 2 years now with no problems. if you have confidential files i suggest to you use linux . i have one hard drive For these things. i setup linux and encrypt all the hard drive (linux has security option in installation)
hope this helps I highly suggest this. "In this secret room, from the past, I seek the future..."
|
|
|
DMT-Nexus member
Posts: 804 Joined: 27-Feb-2016 Last visit: 17-Aug-2024
|
On ss64.com there is a password generator. You remember a single password and it will generate complex passwords for you. Whatever the algorithm is it remains the same so as long as you remember your master password you can fetch all of your passes on any device connected to the internet. It's not a bad approach. The nearest we ever come to knowing truth is when we are witness to paradox.
|
|
|
DMT-Nexus member
Posts: 574 Joined: 24-Jan-2009 Last visit: 25-Aug-2023 Location: somewhere in the sands of time
|
+1 for https://www.ProtonMail.com/They also fought off the largest DDOS attack in Europe's history. Proton Mail's underground bunker: PsilocybeChild attached the following image(s): 8742746.image_-1024x681.jpg (117kb) downloaded 13 time(s).βΞ»lΟΞ΅rΞ·ΞΉΟΞ³β Kambo.me ForumβInternet Security Walk-Through [url=https://kambo.me/smf/index.php?topic=395.0]Tobacco DisinformationPM me about personal Herbalist consultations. Can do it over PMs as to not reveal personal information.
|