Password management - Security & Cryptography
I recently decided to upgrade my password policy to be more secure. My actual workflow is the following:
I use a set of "patterns" to build my passwords, depending on what the password is for, so that I can have different passwords everywhere that I can recover quite easily. But it's flawed in the sense that those passwords are "predictable". So I'm moving toward randomly generated passwords, managed via a keyring. This solution, while being more secure, requires more effort to deal with. Here are a few problems that need to be solved:
I did not find a solution to all these problems. So far, I imagined the following:
What do you think about this system, would you use it yourself? If not, what would you do differently, or what would you improve?

The main drawbacks for me are portability and stupidity-proofing.
It's extremely annoying, with the current solutions, to carry the db of passwords with you and to have to install the appropriate program to read it. Just imagine yourself wanting to login to your account on another machine.
> Huh, wait let me plug my USB
> Ah, I need to install the 32 bit version of the program to read the DB
> Oh, I don't remember the password to open the briefcase
In those cases you just don't login at all and wait until you get home. At the moment I stick with the passwords that are in my head and if I can't remember it there's always the "forgot your password" button.
EDIT: The only good password management tool I use is the one that comes with Firefox sync.

NB I'm not a sysadmin, but my thoughts are :-
A pendrive around your neck, but as pointed out above, that needs access to a USB port, which may not be available, so the only obvious alternative is a small pocketable notebook (attached to your belt at all times, whilst at work).

(28-04-2015, 08:54 AM)bsdkeith Wrote: NB I'm not a sysadmin, but my thoughts are :-
> Wait a sec, let me check my password.

:) You could carry a whole system in that! ;)

Thinking about it again, the penkey/drive isn't really a solution for corporate companies.
When you take security courses you learn to not let anyone use any USB port on any machine you have. Just leaving a USB port open can lead to physical escalation. However, it's still a solution for personal use.

Quote:
> Wait a sec, let me check my password.
Would totally pay for that!

(28-04-2015, 10:20 AM)z3bra Wrote: "Hello mister z3bra. Your password for http://nixers.net is: 'Iluvp0niez'. Thanks for trusting banana bags security systems. Have a good day."
Since when is saying your password out loud secure?
PS: I'm sure someone tried to login as z3bra using Iluvp0niez.

That was for the ironic part ;)

Am I the only one who does not need a password manager? I really don't see them as useful, I know that some people have multiple accounts/passwords, but I am the same and can still manage them. They are pretty lengthy too.

Memory can diminish over time; just ask an older person. :)
I can memorise quite a few, but some days, I might forget, so having them backed up is useful, to save frustration.

I can't count the number of passwords I forgot. I realised that the day I stumbled upon my myspace account. I tried logging in, but couldn't recall the password (it was like 5 years old). So I pressed "forgot my password", and the link to reset it was sent to an old account that I had let die slowly. Couldn't remember the password either, so I pressed "forgot my password", which led me to my first email address created. Needless to say I was locked out too. In the end, I managed to recreate the hotmail.com account, which was deleted after a few months, and have myspace give me another password. But I was lucky there!
As of today, I still can't remember what my password was back in the days, and I think it will be the same for the passwords I use now (which are even more complicated, and numerous). Hence the need for a password manager.

The thing I don't like about password managers is that they become just another thing to crack, at which point all the passwords are out. You can sacrifice security for convenience, but rarely can you have both.
Randomly generated passwords are no harder for a computer to guess and far harder for the human to memorize. I use the same long base string for all my passwords, then modify it somehow for each account. I record these modifications in a notebook but not the base, so it's useless to anyone who finds it. For example:
Base password: icantrememberthepasswordto
Nixers password: ic4ntr3m3mb3rthep4ssw0rdt0nix3rs
Nixers notebook entry: l33t nix3rs
Facebook password: icantrememberthepassword4facebook!!ohshit
Facebook notebook entry: -2+4fb!!ohshit
So on and so forth. I have a good memory so after I use the password a few times I don't really need the notebook. Except for things I rarely log into.

I've gone through several approaches to my passwords. From super portable but dumb as shit, to very secure but not very portable.
Initially when I was like 9 or whatever I had a text file in my USB. Not encrypted or anything, I just put my usernames and passwords there. Then I moved on to using LastPass[1]. An approach I had for like 3 years and it worked great, not once was my account hacked. Then I moved on to using `pass`[2]. Which was great but a bit tedious. That was until I figured out I could use dmenu+pass, and then I had quick and easy secure access to my passwords. Though not portable because GPG. Then I thought of using z3bra's `pass` but it got tedious to import all the passwords and stuff. Now I'm back to some sort of hybrid. I use GPG to encrypt my file with all my passwords, and use LastPass to login quickly to my most common websites. I'm considering trying out getvault[3] seriously. It's as portable as it gets, pretty damn secure, and as long as you've a unique passphrase and pattern for service names, it's pretty unhackable.
[1]: https://lastpass.com/
[2]: http://www.passwordstore.org/
[3]: https://getvau.lt/
---
@ThePlantMan that's a nice method. Though now that you've shared it with us we could figure it out. ;)
P.S.: Writing as if this was a text email cause I'm too lazy to bbcode.

I use KeePass X Alpha on Mac/Linux and KeePass 2 on Windows. They all support the same password database and it's worked well for me so far.
~Seraphim R.P.
the artistnixer formerly known as vypr formerly known as sticky

^ same

@ThePlantMan - I do a similar thing, though not as complicated - my passwords are variations of the same words mixed around - but I can represent them with a letter or number etc.
example password: asdfqwer4523
in notebook: aq#
The number is usually the same, and I have ~4 common variations/phrases I use. I'm slowly moving things to use password-store as well, though. Combined with dmenu it is a pleasant enough experience (and if you use different usernames/emails for different sites, it's handy as fuck), and there's an android app you can use with it as well for convenience: https://github.com/zeapo/Android-Password-Store

I manage my passwords a bit like ThePlantMan, but I use 3 types of passwords in general.
Type 1. a not too complicated password for things like unlocking my laptop screensaver which I can tell someone and not have to worry about it.
Type 2. a "base string" modified with a website specific string, for my email accounts.
Type 3. a really long password for things like truecrypt and full disk encryption.

I have a mix of passwords that is now getting beyond a joke trying to remember them all. I have thought of using the base string method with a modifier per service or website. I've also been thinking about getting a couple of yubikeys to use with lastpass.

(23-08-2015, 06:43 PM)swathe Wrote: I have a mix of passwords that is now getting beyond a joke trying to remember them all. I have thought of using the base string method with a modifier per service or website. I've also been thinking about getting a couple of yubikeys to use with lastpass.
I've heard about yubikeys, they've interested me. Will probably get one later on and mess with it.

It's been more than a year since I started this thread, and I must say I only made poor improvements on this topic...
I'm now using a "pass(1)" like application (pgp encrypted file tree) more and more, that I backup online. I generate random passwords that I know I can't remember anymore. I'm not yet satisfied with it, as I can't use it on different hosts without moving my GPG private key along, which makes it totally pointless. For now, when I need a password, I ssh into my main computer, print a password to stdout, and copy it by hand when I use it on another terminal. If you've ever typed a sha256 hash by hand, you probably know that feel... Any idea on how I can improve it?

(27-05-2016, 11:57 AM)z3bra Wrote: Any idea on how I can improve it?
I'm curious to hear what others suggest. I'd simply ditch the online backup to reduce the attack surface. Maybe you then feel comfortable enough to use a simple password-based encryption, so you don't need to keep the private key around. Finally, use peer-to-peer rsync or git or whatever to sync the files among your machines.
---
What I don't like about the whole situation is that I have to enter passwords all day long. Essentially, my password database is always unlocked. This pretty much sucks.

(24-08-2015, 07:15 PM)October Wrote: I've heard about yubikeys, they've interested me. Will probably get one later on and mess with it.
Was interested by a yubikey as well. I won one a few weeks ago during a CTF, and it has been in my laptop case since then... I have been using keepass for years and I don't really have the motivation to change it. It fits my needs so far. Two factor authentication is a plus, but only big services support it, and except Github, I don't like them. I want to be able to connect to my Github account on my (not so smart)phone, therefore I don't use two factor auth here. I don't want to use it for ssh auth for servers I can't physically access (basically my main server hosted on OVH where the highest level of security is applied), because it is too easy to screw up and lock the server forever. Experienced it on my laptop and fixing it has been a pita. Don't know if you guys are using a yubikey on a daily basis, but I would be interested to know some useful applications for this device. Should take some time to investigate. I like this little thing and it is a good enhancement in security, just needs a bit of configuration (lazy guy here). I use the same thing at work and it is very useful, to unlock the keepass database or decrypt the computer for instance. It also contains a certificate to encrypt mails. However, if you forget it, you're screwed.

(15-06-2016, 02:05 PM)sagittarius Wrote: Don't know if you guys are using a yubikey on a daily basis, but I would be interested to know some useful applications for this device. Should take some time to investigate. I like this little thing and it is a good enhancement in security, just needs a bit of configuration (lazy guy here). I use the same thing at work and it is very useful, to unlock the keepass database or decrypt the computer for instance. It also contains a certificate to encrypt mails. However, if you forget it, you're screwed.
Here's an article by someone who used to frequent nixers.net: http://cmacr.ae/blog/2013/12/25/yubikey-openssh/
I have also been wondering about yubikey but as you've mentioned, 2FA is a pain. I'd rather use either the yubikey or a password, not both at the same time.

I just use spm and keep them locally, but this isn't really a problem because I actually remember my passwords.
The password manager is just for being sure I don't forget them :D

@pranomostro, What is spm?

https://notabug.org/kl3/spm.git
Really simple script, uses gpg2 for encrypting/decrypting. The only thing that bothers me is that updates sometimes break the configuration. But otherwise, it's good. It fits my needs.

I like the idea of a physical key attached among my other keys for my passwords. So I bought one of these pill boxes (or even a bigger one) to attach to my keys. I can write down the passwords on a piece of paper (no, wait, may be a bad idea), or have these on a USB key in it.
But for now I remember these. With one for all the worthless websites that want you to have an account.

How do you use the pass(1) database from your phone?

I'm currently using pass as well. Since I set it up I started just dumping randomly generated passwords into it. I just start up 'pwgen -A 20' and pick a new one whenever I need to set up something. I have no idea which passwords I currently use for most of the newer things I set up, but I guess that's alright: half of the time it is a service where I can use email recovery or sth similar and the other half of the time it is a Linux machine/vm/container where I have physical access anyways..
Using pass with dmenu or rofi is kinda neat, however there have been some issues with it: when I'm using dmenu to autotype within i3 for example I end up typing my passwords into the wrong windows sometimes.. guess I have to take a look at my script, when I have time for it. Other than that pass is really nice to use. It also has some git functionality built in so there's your version control..
As an addition to pass you could buy yourself a yubikey [2].. it's basically a small little device where you can dump your gpg keys for example and every time you need to access pass you can unlock the password store by touching the device instead of entering a password. You cannot read from the device, but I believe you can delete its contents. A friend of mine has a yubikey set up with pass. Looks really nice!
I wouldn't use any web based solutions however, since there seem to be security issues with most of them on a fairly regular basis, e.g. [0,1]. Most of them probably work similarly. Software which embeds some JS snippet into random browser windows and then starts serving my credentials.. kinda creeps me out.
[0] : https://bugs.chromium.org/p/project-zero...ail?id=917
[1] : http://thehackernews.com/2016/07/lastpas...nager.html
[2] : https://www.yubico.com/

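The `pwgen -A 20` habit in the post above, and the earlier back-and-forth about whether random passwords beat a memorised base string, can be put in numbers. What follows is an added example, not code from any poster, from pwgen or from pass: it draws a uniformly random password with Python's `secrets` module, reports the entropy that password has against an attacker who knows exactly how it was generated, optionally rejects candidates that lack a character class, and refuses to emit a password below a chosen bit threshold. The character sets, the default of 20 characters with capitals off (an approximation of `pwgen -A 20` that does not reproduce pwgen's pronounceable-password logic), and the 1e10 guesses/second rate used in `years_to_exhaust` are assumptions chosen for illustration.

```python
"""Random password generation with an entropy check (added example, not from the thread)."""
import math
import secrets
import string

# Character classes. SYMBOLS is a constructed, conservative set; trim it for
# services that reject some punctuation.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{}~"


def build_alphabet(capitals=True, digits=True, symbols=False):
    """Assemble the alphabet; capitals=False approximates the intent of `pwgen -A`."""
    alphabet = LOWER
    if capitals:
        alphabet += UPPER
    if digits:
        alphabet += DIGITS
    if symbols:
        alphabet += SYMBOLS
    return alphabet


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet size).

    This is the strength against an attacker who knows exactly how the
    password was generated; no secrecy of the method is assumed.
    """
    return length * math.log2(alphabet_size)


def has_every_class(password, capitals=True, digits=True, symbols=False):
    """True if every enabled character class occurs at least once."""
    classes = [LOWER]
    if capitals:
        classes.append(UPPER)
    if digits:
        classes.append(DIGITS)
    if symbols:
        classes.append(SYMBOLS)
    return all(any(ch in cls for ch in password) for cls in classes)


def generate(length=20, capitals=False, digits=True, symbols=False,
             min_bits=None, require_every_class=False):
    """Return a uniformly random password, or raise if it would be too weak.

    require_every_class rejects candidates missing an enabled class (pwgen's
    -n/-y behaviour). Rejection sampling costs a negligible amount of entropy
    at these lengths: a 20-char lower+digit password lacks a digit with
    probability (26/36)**20, about 0.15%.
    """
    alphabet = build_alphabet(capitals, digits, symbols)
    bits = entropy_bits(len(alphabet), length)
    if min_bits is not None and bits < min_bits:
        raise ValueError(f"{length} chars over {len(alphabet)} symbols give "
                         f"{bits:.1f} bits, below the required {min_bits}")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_every_class or has_every_class(candidate, capitals, digits, symbols):
            return candidate


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case years to try the whole keyspace at a given offline rate.

    1e10 guesses/s is a constructed figure for illustration, not a measurement
    of any real cracking rig; only the ratio between schemes is meaningful.
    """
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    alphabet = build_alphabet(capitals=False)
    pw = generate(20, capitals=False, require_every_class=True, min_bits=80)
    bits = entropy_bits(len(alphabet), 20)
    print(f"{pw}  {bits:.1f} bits  {years_to_exhaust(bits):.3g} years to exhaust")
    # For comparison, an 8-char lowercase-only password at the same rate:
    print(f"8 lowercase chars: {years_to_exhaust(entropy_bits(26, 8)):.3g} years")
```

The entropy figure is the whole point of the random approach: 20 characters over 36 symbols is about 103 bits however the attacker models you, whereas a base string with per-site tweaks is only as strong as the tweak once one site's password leaks. The `min_bits` guard is there so a script that feeds a store like pass never silently accepts a short or narrow-alphabet password because someone changed a flag.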