nixers
Password management - Printable Version


RE: Password management - tigoesnumb3rs - 31-08-2016

I'm currently using pass as well. Since I set it up I started just dumping randomly generated passwords into it. I just start up 'pwgen -A 20' and pick a new one whenever I need to set up something. I have no idea which passwords I currently use for most of the newer things I set up, but I guess that's alright: half of the time it is a service where I can use email recovery or sth similar and the other half of the time it is a Linux machine/vm/container where I have physical access anyways..

Using pass with dmenu or rofi is kinda neat, however there have been some issues with it: when I'm using dmenu to autotype within i3 for example I end up typing my passwords into the wrong windows sometimes.. guess I have to take a look at my script, when I have time for it. Other than that pass is really nice to use. It also has some git functionality built in so there's your version control..

As an addition to pass you could buy yourself a yubikey [2].. it's basically a small little device where you can dump your gpg keys for example and every time you need to access pass you can unlock the password store by touching the device instead of entering a password. You cannot read from the device, but I believe you can delete its contents. A friend of mine has a yubikey set up with pass. Looks really nice!

I wouldn't use any web based solutions however, since there seem to be security issues with most of them on a fairly regular basis, e.g. [0,1]. Most of them probably work similarly. Software which embeds some JS snippet into random browser windows and then starts serving my credentials.. kinda creeps me out.

[0] : https://bugs.chromium.org/p/project-zero/issues/detail?id=917
[1] : http://thehackernews.com/2016/07/lastpass-password-manager.html
[2] : https://www.yubico.com/


RE: Password management - neeasade - 31-08-2016

(31-08-2016, 12:36 PM)z3bra Wrote: How do you use the pass(1) database from your phone?

Not mpcsh, but I use this app: https://github.com/zeapo/Android-Password-Store


RE: Password management - jkl - 31-08-2016

While I do use KeePass (with KeeFox) to have my passwords where I need them, I can't see why I would want to use complex passwords for anything.


RE: Password management - z3bra - 31-08-2016

Not for anything. Just for services you care about and don't want for someone to "guess" it.
For example, your mail account is pretty critical, as you use it to recover passwords. For a reddit/hn/youporn account, you don't care much and can use "passw0rd".

I've heard some people say they just request a new password whenever they need to log in. It seems tedious, but I like the idea!


RE: Password management - jkl - 31-08-2016

If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.


RE: Password management - venam - 01-09-2016

(31-08-2016, 07:32 PM)z3bra Wrote: I've heard some people say they just request a new password whenever they need to log in. It seems tedious, but I like the idea!
I've been doing that for some websites but not by choice.
I keep forgetting my credentials on those websites.

On another note, I've started putting my passwords in a hnb notebook and gpg this notebook.
With a helper alias it's nifty.


RE: Password management - z3bra - 01-09-2016

(31-08-2016, 07:35 PM)jkl Wrote: If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.

As I see it, relying on other people to secure you online is flawed by design. Of course you need to trust people at some point, but if you can take steps by yourself to be more secure, it's a good habit.
If after that, the website stores the password in a plain text file, you're screwed.


RE: Password management - aah - 17-05-2017

I am just experimenting with a different way, I know it's not very secure!
I have my own start page that is located on my hard drive, from that home page it links to 3 other pages, one of them is encrypted with ccrypt. So if someone was to somehow manage to log into my computer (need a password) and open a browser the page does not load. If I open the browser via a script, the page gets unencrypted first and the browser started.
On the page is just a series of usernames next to passwords that I can copy and paste when needed.
I can post my pathetic little script if anyone wants that, I am not a scripter!
Of course if anyone was to search my computer and open the script they see the password in there, big weakness! lol
although it would probably take a scripter to spot it.


RE: Password management - Dworin - 31-05-2017

aah, if you password-protect your script, you basically have a password manager. Why not just one of the many available?

I've started using keepassc. I like that it also generates passwords and since it's without GUI, I could access it by logging in over ssh from my phone (passwordless login, to be sure). Never needed that yet though.


RE: Password management - kerunaru - 31-05-2017

mpcsh Wrote:I moved to it from `mpw(1)` (http://masterpasswordapp.com), which I quite liked, but became unwieldy when passwords needed to be changed.

Uhm... I use mpw too and, now that you mention it, I would try pass because of this. I didn't find myself in the situation to change those strong passwords yet but what actually happened to me is that there are some sites which don't allow some characters from passwords generated by mpw.
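
An added example (not part of the thread, and not the real Master Password algorithm): a simplified stateless password derivation illustrating the two pain points mentioned above. Rotating a password needs a per-site counter, and a site that rejects symbols needs a per-site alphabet; both are state that has to be remembered or stored. The function names, alphabets and the PBKDF2/HMAC construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Hypothetical character sets; the real mpw uses its own templates.
FULL = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
ALNUM = string.ascii_letters + string.digits


def master_key(user: str, master_password: str) -> bytes:
    """Stretch the master password once; the user name acts as the salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               user.encode(), 200_000)


def site_password(key: bytes, site: str, counter: int = 1,
                  alphabet: str = FULL, length: int = 20) -> str:
    """Derive a password from (key, site, counter); nothing is stored."""
    seed = hmac.new(key, f"{site}\x00{counter}".encode(),
                    hashlib.sha256).digest()
    # Rejection sampling: drop bytes that would bias the modulo.
    limit = 256 - 256 % len(alphabet)
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(seed, block.to_bytes(4, "big"),
                          hashlib.sha256).digest()
        for b in stream:
            if b < limit and len(out) < length:
                out.append(alphabet[b % len(alphabet)])
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    key = master_key("alice", "constructed master password")
    # Same inputs always give the same password: no database needed.
    print(site_password(key, "example.org"))
    # "Changing" the password means bumping a counter you must remember.
    print(site_password(key, "example.org", counter=2))
    # A site that rejects symbols needs its own alphabet, again per-site state.
    print(site_password(key, "example.org", alphabet=ALNUM))
```

A store such as pass avoids this because each entry is an independent random value that can be replaced or regenerated with different rules without touching anything else.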