Password management - Security & Cryptography
neeasade
(31-08-2016, 12:36 PM)z3bra Wrote: How do you use the pass(1) database from your phone?

Not mpcsh, but I use this app: https://github.com/zeapo/Android-Password-Store
jkl
While I do use KeePass (with KeeFox) to have my passwords where I need them, I can't see why I would want to use complex passwords for anything.
z3bra
Not for anything. Just for services you care about and don't want for someone to "guess" it.
For example, your mail account is pretty critical, as you use it to recover passwords. For a reddit/hn/youporn account, you don't care much and can use "passw0rd".

I've heard some people say they just request a new password whenever they need to log in. It seems tedious, but I like the idea!
jkl
If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.
venam
(31-08-2016, 07:32 PM)z3bra Wrote: I've heard some people say they just request a new password whenever they need to log in. It seems tedious, but I like the idea!
I've been doing that for some websites but not by choice.
I keep forgetting my credentials on those websites.

On another note, I've started putting my passwords in a hnb notebook and gpg this notebook.
With a helper alias it's nifty.
z3bra
(31-08-2016, 07:35 PM)jkl Wrote: If {whatever service I use} has sane hash+salt password storage algorithms, the complexity of the initial password does not matter at all. If they don't, I'm pretty much screwed anyway.

As I see it, relying on other people to secure you online is flawed by design. Of course you need to trust people at some point, but if you can take steps by yourself to be more secure, it's a good habit.
If after that, the website stores the password in a plain text file, you're screwed.
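As an added illustration of jkl's point and z3bra's reply (example code written for this thread, not posted by anyone in it): a salted PBKDF2 store in Python, plus a check showing that the per-user salt stops precomputed tables but a weak password like "passw0rd" is still recovered from a handful of guesses, so password choice still matters even when the site hashes properly. The record layout, iteration count and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed example: how a "sane hash+salt" scheme stores a password
# (PBKDF2-HMAC-SHA256 with a random per-user salt), and why that alone
# does not rescue a weak password such as "passw0rd" from the thread.

ITERATIONS = 100_000  # work factor; a real deployment tunes this upward


def make_record(password: str) -> Dict[str, object]:
    """Store a new password: fresh random salt + PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iter": ITERATIONS, "hash": digest.hex()}


def verify(record: Dict[str, object], candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def guessable(record: Dict[str, object], wordlist: List[str]) -> Optional[str]:
    """Return the wordlist entry that matches the record, if any.
    The salt only defeats precomputed tables: each guess still costs one
    KDF run, so a short, common password falls within a few tries."""
    for word in wordlist:
        if verify(record, word):
            return word
    return None


# Constructed wordlist for the demo, not a real cracking list.
COMMON = ["123456", "password", "passw0rd", "letmein", "qwerty"]

if __name__ == "__main__":
    weak = make_record("passw0rd")
    strong = make_record("correct horse battery staple")  # stand-in for a generated one
    print("same password, two records, different hashes:",
          make_record("passw0rd")["hash"] != weak["hash"])
    print("weak   ->", guessable(weak, COMMON))
    print("strong ->", guessable(strong, COMMON))
```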
aah
I am just experimenting with a different way, I know it's not very secure!
I have my own start page that is located on my hard drive; from that home page it links to 3 other pages, one of them encrypted with ccrypt. So if someone was to somehow manage to log into my computer (needs a password) and open a browser, the page does not load. If I open the browser via a script, the page gets decrypted first and the browser started.
On the page is just a series of usernames next to passwords that I can copy and paste when needed.
I can post my pathetic little script if anyone wants that, I am not a scripter!
Of course if anyone was to search my computer and open the script they'd see the password in there, big weakness! lol
Although it would probably take a scripter to spot it.
Dworin
aah, if you password-protect your script, you basically have a password manager. Why not just one of the many available?

I've started using keepassc. I like that it also generates passwords and since it's without GUI, I could access it by logging in over ssh from my phone (passwordless login, to be sure). Never needed that yet though.
kerunaru
mpcsh Wrote: I moved to it from `mpw(1)` (http://masterpasswordapp.com), which I quite liked, but became unwieldy when passwords needed to be changed.

Uhm... I use mpw too and, now that you mention it, I would try pass because of this. I haven't found myself in the situation of changing those strong passwords yet, but what actually happened to me is that there are some sites which don't allow some characters from passwords generated by mpw.
yossarian
I use kbsecret [1], which I started developing a few months ago. It's written in Ruby and runs on top of KBFS and Keybase, which has a few advantages:
  • Encryption is transparent via KBFS - I don't have to worry about managing my PGP keys, my keychain, etc.
  • At its core, it's just JSON files and a directory structure on a FUSE mount.
  • I can create "sessions" between as many Keybase users as I want, meaning that I can share API keys and secrets across teams.

Using JSON for secrets has a few other advantages, like being able to create custom record types for logins, code snippets, environment variables, To Do notes, and so forth.

There are some downsides: you need to have a Keybase account and KBFS installed (it's all open source, but this is still potentially a hassle), and it's mostly command-line for the time being: no mobile app or browser integration.

I don't want to shill for myself too much, but I'd appreciate any thoughts!

[1]: https://github.com/woodruffw/kbsecret