OT: Password Managers?

Cute... I actually find it quite useful, but admittedly it has limitations. Still, I haven't found anything else that would work any better for me.
Anthony Watson www.watsondiy.com www.mountainsoftware.com
On 6/11/2016 10:15 AM, HerHusband wrote:

[snip]

Go back to Roboform, Anthony, and RTFM<g>
<http://www.roboform.com/manual#loginmultistep>
Roboform may not be perfect, but it's way ahead (IMHO) of whatever is in second place.
On 6/11/16 5:14 PM, Unquestionably Confused wrote:

I'd love to use a password manager as I've got over 150 I store in a hidden, encrypted partition on my computer. I copy/paste when I need to use one. Really tedious.
But I'm fearful of putting all that info onto some company's "cloud server" where it will eventually suffer the thrice-weekly "data breaches" that have become as common as mosquitoes in south Georgia.
--
With all this “gun control” talk, I haven’t heard one politician say how
they plan to take guns away from criminals and terrorists— just from law
On 6/12/2016 8:05 AM, Wade Garrett wrote:

Agree in part with "fear of the cloud" (especially Google's for some reason<g>).
OTOH, Roboform has been around and copped top honor in the various reviews for a long time. You have to trust somebody and they tell you right off the bat to be damn careful with your master password which, obviously, gives you access to all your other passwords and saved bookmarks, etc. If you lose it you are screwed since they have no way of retrieving it for you.
The nice thing about Roboform is that you don't HAVE to use the cloud but you limit the convenience of having all your data available to you anywhere in the world, even on public computers when you don't happen to have a thumb drive with you or your own computer.
On 6/12/16 9:34 AM, Unquestionably Confused wrote:

It's not so much fear of "the cloud" as fear of the security of my data the password manager company has. For example, in the last 18 months I've been notified by:
1. the Feds that my (and six million other) contractor security clearance application data including SSN, DOB, all previous residences, work and education history, personal reference letters, physician's names, etc., was stolen,
2. two of my credit cards and two major retailers where I shop reported data breaches stealing credit card numbers and purchase history
3. the online sales department of major computer manufacturer that their credit card data for a 6 week period during which I made a purchase was stolen
I can see one of the password manager companies easily reporting the same thing. Bye bye banks, brokerage, credit cards, Amazon, Ebay, Newegg, B&H Camera, medical center, PayPal, etc., etc.
--
With all this “gun control” talk, I haven’t heard one politician say how
they plan to take guns away from criminals and terrorists— just from law
On 6/12/2016 3:19 PM, Wade Garrett wrote:

[SNIP]

The difference is that in your examples either the data in the cloud was unencrypted or, alternatively, the password used to encrypt the data was compromised.
My Roboform Everywhere data is stored in the cloud but it is encrypted. Roboform does not have the password, only I do. It's easy for me to remember but very difficult (according to password evaluators it will take somebody a rather long time to decrypt it.)
For example: A password such as "I hate William Shatner" would require a computer program and 3 septillion years to break.
On 06/12/2016 05:05 PM, Unquestionably Confused wrote:
[snip]

I like that kind of password. Memorable AND secure. I get tired of sites recommending something like "SX33F5KcjKgBzEz4fLWxfvz0vvL4e00AMyRnjSfbxWej4a6SoC3Ct8NlGbbrszp" without ever considering that you could never remember that (as well as a few dozen more, for other sites).
--
Mark Lloyd
http://notstupid.us/

Not necessarily. Since most users pick common words for their passwords, hackers will often use a dictionary approach to check combinations of common words first. In your example, that's only four words. It would be a lot quicker to try every possible combination of four words, than it would be to try every possible combination of 16 individual characters.
Anthony Watson www.watsondiy.com www.mountainsoftware.com
On 06/12/2016 10:38 PM, HerHusband wrote:

Why did you tell the cracker you used 4 words?

On 6/13/2016 2:19 PM, notX wrote:

It's a password analyzer, not a cracker. There are numerous ones out there and they all return pretty much the same report. I have no idea what algorithms they utilize to evaluate them.
https://howsecureismypassword.net/
On 6/13/2016 2:09 PM, Unquestionably Confused wrote:

Essentially, they are trying to determine how much entropy (randomness) exists in the chosen password.
Try "11111111" Then, "froglegs" Then, "&F5$gH[-"
Once it has an assessment of how much randomness is present, it can determine how many possible combinations are competing with the one you've chosen. Then, it makes some assumption as to how many guesses can be attempted in a unit of time (seconds, hours, etc.) and bases its estimate on the number of possible combinations *at* that guessing rate, divide by two (because, "on average", you only need to try half of the possible combinations before you get it!)
[I.e., sometimes, you will guess it on the first attempt! Other times, you will guess it on the last *possible* attempt. As you are dealing with only the randomness aspects in your guessing, each possible guess is equally likely to succeed]
Note the time required for "I hate William Shatner" as compared to that for "1111111111111111111111" or even "8g%,:tE-&fWtm4_[k!mF#@"
I advocate to people that they use word groupings (not necessarily "sentences") in lieu of "totally random" passwords (because most people can remember a 20 character string of words a lot easier than a *10* character "random" password).
But, the longer word string suffers from much lower entropy and is essentially equivalent to the shorter, more random password.
Hi Anthony,
On 6/12/2016 8:38 PM, HerHusband wrote:

Or, will snoop your social media accounts for likely choices (names of pets, friends, schools, sports teams, etc.) And, that snooping can be done by malware that you picked up in a driveby attack -- running *in* your computer but not actually STORED on the disk, anywhere.
Likewise, the malware can intercept your keystrokes when it notices that "Roboform.exe" has been started and pass them along to Roboform after making a note of them; then waiting to see any side-effects of Roboform's actions -- like a new window being opened or something being copied to the paste-buffer: "Ah! the sorts of actions that happen when Roboform receives a valid password that we've noticed by observing the copy of Roboform that WE purchased have just happened! That suggests the last few characters intercepted are likely the password to Roboform!"
Having this, the malware can send *it* and the contents of whatever file/place Roboform caches your encrypted password off to the remote attacker: "Here's the password for his copy of Roboform and here's the file with the encrypted passwords. You know what to do..."
[This is why, IMO, you don't want a product KNOWN to control your passwords to be running on a machine that can potentially be accessed remotely]

Exactly. The "amount of randomness" in your password is what determines its strength.
The effort required to try every combination of four words -- assuming you *knew* 1,000,000 different words to choose from -- is roughly the same as picking a 14 character "random" password.
Furthermore, if you assume the password is a legitimate English sentence (i.e., follows the rules of grammar), then the number of combinations is much less than 1,000,000^4 (because, for example, any combination of "noun1 noun2 noun3 noun4" wouldn't be a "valid" sentence!).
The problem with cryptography is that attacks always get *better*. You can always use the best attack strategy that you've discovered to date. And, if a better one comes out tomorrow (building on some characteristic uncovered in yesterday's attack strategy), you immediately benefit from that "improved" attack! There's nothing to "undo".
And, the amount of processing (and storage) power available just keeps increasing as folks find ways of repurposing devices to exploit their potential attack capabilities.
E.g., the hashes used to store XP passwords *seemed* secure. Until folks theorized ways to attack them with rainbow tables. Attacks that were supposed to take YEARS suddenly were possible in *minutes*! (using the resources of the actual computer that you are trying to break into!)
Ooops!
The other, more practical, problem is that there are often flaws in the implementation of these algorithms. And, those flaws often dramatically reduce the strength of the code!
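As an added illustration, not part of any post in this thread: the estimate the posts above describe (count the combinations, assume a guess rate, halve it), computed under a per-character model and a per-word model. The character pools, the 1e10 guesses/second rate and all function names are assumptions made for this sketch; it does not reproduce any particular analyzer site.

```python
import math
import string

# Assumed character pools a simple analyzer credits for each class present.
POOLS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
]
OTHER_POOL = 33  # printable ASCII punctuation plus space (95 - 62)

def charset_size(password):
    """Size of the alphabet implied by the character classes present."""
    size = sum(n for chars, n in POOLS if any(c in chars for c in password))
    known = string.ascii_letters + string.digits
    if any(c not in known for c in password):
        size += OTHER_POOL
    return size

def char_model_bits(password):
    """Bits if every character were drawn at random from the implied alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def word_model_bits(n_words, dictionary_size):
    """Bits if the guesser tries whole words from a dictionary of known size."""
    return n_words * math.log2(dictionary_size)

def average_years(bits, guesses_per_second):
    """Expected time to the right guess: half the search space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

def equivalent_random_length(bits, alphabet_size):
    """Length of a random string over alphabet_size symbols with the same bits."""
    return bits / math.log2(alphabet_size)

if __name__ == "__main__":
    RATE = 1e10  # constructed guess rate, guesses per second
    for pw in ["11111111", "froglegs", "&F5$gH[-", "I hate William Shatner"]:
        bits = char_model_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, {average_years(bits, RATE):.3g} years")
    phrase_bits = word_model_bits(4, 1_000_000)
    print(f"4 words from 1,000,000: {phrase_bits:.1f} bits, "
          f"{average_years(phrase_bits, RATE):.3g} years")
    for alphabet in (26, 52, 95):
        length = equivalent_random_length(phrase_bits, alphabet)
        print(f"same bits as {length:.1f} random chars over {alphabet} symbols")
```

Under these assumptions the four-word phrase scores far higher when counted per character than when counted per word, which is the gap the posters are arguing about.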
On 6/12/16 6:05 PM, Unquestionably Confused wrote:

Hell, it would take Leonard Nimoy 20 minutes, tops ;-)
--
There are no dangerous weapons. There are only dangerous men.
- Robert A. Heinlein
Sun, 12 Jun 2016 22:05:17 GMT in alt.home.repair, wrote:

Decrypt it using the password you've selected, yes. That doesn't mean that someone would have to go that route to crack the cypher though. It depends on the cypher and how it was implemented.

Yes, if one were to rely on brute forcing methods only. With that said however, as I wrote above, if there's a weakness in the cyphering algorithm, the time required to gain unauthorized access to your encrypted data may be far less.
OTW, You cannot rely on the example you provided to ensure security; as it doesn't on its own.
--
MID: <nb7u27$crn$ snipped-for-privacy@boaterdave.dont-email.me>
Hmmm. I most certainly don't understand how I can access a copy of a
On Sat, 11 Jun 2016 15:15:22 -0000 (UTC), HerHusband

I use C-Organizer Pro, but it does more than manage passwords.
On 6/11/2016 11:15 AM, HerHusband wrote:

I've never used a password manager, nor do I ever expect to. Too easy for the program writer to put in a backdoor master pass, and then get into all my web pages, bank account, etc.
I keep a notebook, with the printed out log-on page. I write the first letter of the PW with a hyphen and the numbers to the right of hyphen.
For example, if my PW was Mormon90210, I'd write M-90210. That way a casual reader won't know what the PW is.
--
.
Christopher A. Young
learn more about Jesus

That's one of the reasons I'm not interested in an online password manager.
With a local program someone would need to gain access to my computer in order to get into my password manager.

What happens to your notebook if you have a fire or flood? How will you recover your passwords?
One of the advantages of computer data is that you can have multiple backups.
Anthony Watson www.watsondiy.com www.mountainsoftware.com
Per HerHusband:

I use and like mSecure:
- It runs on Windows, Android, and (I think....) IOS.
- It has a built-in facility for synchronizing its database between the Windows version and Android versions.
- Nothing in the cloud.
--
Pete Cresswell

Per (PeteCresswell):

Reading more of this thread, I come away thinking maybe mSecure is not the sort of thing you are looking for......It's more of a password database than a "Manager".
About the best it can do is copy a PW to the clipboard from which you can paste it.... but there's nothing automagic about it recognizing web pages or anything like that. ..... I rely on Chrome to do that... mSecure is more like my backup database of IDs/PWs.
--
Pete Cresswell


Yep, that's the method I'm basically using now. It's secure enough, but there's no integration with my web browser or anything. It's simply a copy/paste process.
Anthony Watson www.watsondiy.com www.mountainsoftware.com