
Need A FREE Password Manager - Secure and Simple


Anonymous

May 9, 2019, 7:29:42 PM
I'm trying to find a *simple* password manager my wife can use on her
phone. She is not at ease with the idea that she cannot use only two
simple passwords for everything, so what I choose HAS to be SIMPLE or
she won't use it. Her using the same password for her bank, Facebook and
Amazon accounts could turn into a BAD nightmare. I need some free
manager that is simple and easy. It doesn't need all kinds of extra
bells and whistles. All it has to do is basically store passwords.
Again, SIMPLE is the keyword.

Hopefully -

Mike Easter

May 9, 2019, 9:33:39 PM
Anonymous wrote:
> I'm trying to find a *simple* password manager my wife can use on her
One of the things about pw managers is that they like to create hefty
pw/s which no one would remember.

A great many people don't like those kinds of pw/s because you are
putting all of your faith in the pw manager. You can't remember the
pw/s so there is a sense of 'discomfort'.

The reason that people like to use the same pw 'all over the place' is
because they can remember; but we know that is a *terrible* idea. So,
some say there needs to be some kind of 'compromise' between how a
person likes to do it; ie be able to remember their pw/s but without
using the same one everywhere and how a pw manager likes to do it w/
bizarre unrememberable pw/s.

Then, the other advantage of the pw manager is that it will populate the
field w/ its remembered pw/s, whereas the person has to do it manually.
Automating pw entry has advantages over manually keyboarding.

So, I would think that for purposes of harmony between you and your wife
and the question or issue of pw manager vs 'whatever' is how many
behaviors and 'ideals' or comfort levels she is willing to give up for
the concept of security, which you and she may see differently, in a sense.

--
Mike Easter

Carlos E. R.

May 9, 2019, 10:32:02 PM
On 10/05/2019 03.33, Mike Easter wrote:
> Anonymous wrote:
>> I'm trying to find a *simple* password manager my wife can use on her
>> phone. She is not at ease with the idea that she cannot use only two
>> simple passwords for everything, so what I choose HAS to be SIMPLE or
>> she won't use it. Her using the same password for her bank, Facebook and
>> Amazon accounts could turn into a BAD nightmare. I need some free
>> manager that is simple and easy. It doesn't need all kinds of extra
>> bells and whistles. All it has to do is basically store passwords.
>> Again, SIMPLE is the keyword.
>
> One of the things about pw managers is that they like to create hefty
> pw/s which no one would remember.

Only if you tell them to create a password. Just enter the one you want
to use.

I use KeePassXC in Linux. There is a variant for Android which I have
not tried yet.

--
Cheers,
Carlos E.R.

Libor Striz

May 9, 2019, 11:15:43 PM
"Carlos E. R." <robin_...@es.invalid> Wrote in message:
> I use KeePassXC in Linux. There is a variant for Android which I have not tried yet.

It is probably KeePass2Android. I use it together with KeepassXC on Linux and Keepass2 on Windows.


--
Poutnik ( the Wanderer )



----Android NewsGroup Reader----
http://usenet.sinaapp.com/

Arlen G. Holder

May 9, 2019, 11:54:31 PM
On Fri, 10 May 2019 05:15:40 +0200 (GMT+02:00), Libor Striz wrote:

> It is probably KeePass2Android. I use it together with KeepassXC
> on Linux and Keepass2 on Windows.

We have a thread on this topic, which I point interested users to here:
o Cross platform free password managers for Linux/Windows/Mac/iOS/Android
<https://groups.google.com/forum/#!topic/comp.mobile.android/iIjcGCYnm-E>

Notice the goal was a general purpose solution, which we found, that
o works on all platforms
o reads/writes the password file on all platforms
o is free
o works without putting your passwords on the Internet
etc.

123456789

May 10, 2019, 12:09:37 AM
Mike Easter wrote:

> there needs to be some kind of 'compromise' between how
> a person likes to do it; ie be able to remember their
> pw/s but without using the same one everywhere

I use a password formula similar to this:

First 2 letters capitalized + old employee number + last
letter lower case + $13

Chase bank would be CH1357e$13
American Express would be AM1357s$13
State Farm would be ST1357m$13

Just use a formula that is easy for you to remember. Works
for me. YMMV...

Anonymous

May 10, 2019, 12:15:38 AM
In article <gjk2nh...@mid.individual.net>
Mike Easter <Mi...@ster.invalid> wrote:
>
>Anonymous wrote:
>> I'm trying to find a *simple* password manager my wife can use on her
>> phone. She is not at ease with the idea that she cannot use only two
>> simple passwords for everything, so what I choose HAS to be SIMPLE or
>> she won't use it. Her using the same password for her bank, Facebook and
>> Amazon accounts could turn into a BAD nightmare. I need some free
>> manager that is simple and easy. It doesn't need all kinds of extra
>> bells and whistles. All it has to do is basically store passwords.
>> Again, SIMPLE is the keyword.
>
>One of the things about pw managers is that they like to create hefty
>pw/s which no one would remember.

Those also are the safest.

Personally, when I have the choice, I use passphrases. But the sites
allowing passphrases are few and far between.

>A great many people don't like those kinds of pw/s because you are
>putting all of your faith in the pw manager. You can't remember the
>pw/s so there is a sense of 'discomfort'.

I will have all her passwords backed up on my desktop, plus on a few
of my external hard drives - all PGP encrypted.

I don't like password managers. Years back I had them fail on me more
than once. That is why I turned to keeping my passwords in a simple
text file encrypted with PGP. I decrypt the file after starting the
computer, so my passwords are available at all times for copy paste.

I also have the encrypted file write-protected. If I forget to end it
before turning off the computer, or accidentally prematurely end it,
it will revert back to the encrypted format. I also have ClipClear
installed in the system tray running at all times. It clears the
clipboard if the computer isn't used within 5 - 20 seconds. The amount
of time is adjustable.

However, my wife is *not* about to learn PGP. Besides, I don't think
they have a PGP app for android.

>The reason that people like to use the same pw 'all over the place' is
>because they can remember; but we know that is a *terrible* idea. So,
>some say there needs to be some kind of 'compromise' between how a
>person likes to do it; ie be able to remember their pw/s but without
>using the same one everywhere and how a pw manager likes to do it w/
>bizarre unrememberable pw/s.
>
>Then, the other advantage of the pw manager is that it will populate the
>field w/ its remembered pw/s, whereas the person has to do it manually.
>Automating pw entry has advantages over manually keyboarding.

The apps I have read about can insert a password into a Web site with
one click from the OP. No need to copy/paste or type it.

>So, I would think that for purposes of harmony between you and your wife
>and the question or issue of pw manager vs 'whatever' is how many
>behaviors and 'ideals' or comfort levels she is willing to give up for
>the concept of security, which you and she may see differently, in a sense.

>--
>Mike Easter

My search is for a manager that is simple as heck to use, no multi,
multi methods of doing all kinds of unnecessary things. I have had
some really great software ruined with updates which tried turning a
simple utility into a proggie which tried being all things to all
people.

As far as I'm concerned, the KISS principle, KEEP IT SIMPLE, STUPID,
still should reign supreme.

I'm thinking of one manager I found, it's called RoboForm. It seems
simple and it's free. I do buy programs at times, but I don't think I
want to spend $$$ on a passwd manager.

I'm also at a big disadvantage here figuring this out because I have
never owned a "smart" phone. I'm totally ignorant of them. I'm still
with the old flip style. I don't text message. I don't conversate on
social media. I still TALK to people.

I guess I'll have her download RoboForm onto her phone. If it doesn't
work, it's no big deal. I've spent a night or two sleeping in the
garage before.

Thanks for answering.

Carlos E. R.

May 10, 2019, 6:56:05 AM
On 10/05/2019 06.15, Anonymous wrote:
> However, my wife is *not* about to learn PGP. Besides, I don't think
> they have a PGP app for android.

Yes, there is. But what you would need would be a secure editor that
handles PGP encrypted files, or at least, an app that displays them.

It doesn't fit the definition of "very easy to use".

--
Cheers,
Carlos E.R.

Daniel James

May 10, 2019, 10:34:44 AM
In article <qb2ti0$du4$1...@dont-email.me>, 123456789 wrote:
> First 2 letters capitalized + old employee number + last
> letter lower case + $13
>
> Chase bank would be CH1357e$13
> American Express would be AM1357s$13

The trouble with that sort of scheme is that if your password for one
site is compromised (== becomes well known by bad guys) it's pretty
trivial to guess what your password will be on another system.

Using first and last in different case makes your scheme a little less
transparent than most -- it's better than just appending "cat" to the
name of the site, for example -- but it's not exactly impenetrable.

If two sites in which you had used this format of password were
compromised and an attacker could compare the passwords then your
scheme is blown wide open.

Of course, a well-protected site shouldn't store your password in a
recoverable form, so an attacker shouldn't simply be able to download a
file of credentials and extract passwords ... but some sites that have
been compromised have clearly done just that, so you can't rely on
their good behaviour.

.. and even so, if a site is compromised badly enough an attacker
could install software that intercepted passwords as they arrived and
were being checked, and could leak them that way.

It is really important that your passwords for different sites don't
follow an obvious simple pattern.

--
Cheers,
Daniel.
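
The comparison described in the post above, as an added example that is not part of any post in this thread: it rebuilds the quoted formula, lines up the resulting passwords the way someone holding two breach dumps could, and sets that beside a randomly generated password. Function names and the 94-symbol alphabet are assumptions of this example; the number and suffix are the values quoted in the thread.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def formula_password(site, number="1357", suffix="$13"):
    """The formula quoted above: first 2 letters upper-cased + fixed number
    + last letter lower-cased + fixed suffix (values are the thread's examples)."""
    name = site.replace(" ", "")
    return name[:2].upper() + number + name[-1].lower() + suffix


def audit(passwords_by_site):
    """Compare one user's passwords across sites and report what is reused
    on every site and what varies per site."""
    items = list(passwords_by_site.items())
    first = items[0][1]
    if any(len(pw) != len(first) for _, pw in items):
        raise ValueError("this audit assumes equal-length passwords")
    # Positions where any password differs from the first one.
    varying = sorted({i for _, pw in items[1:]
                      for i, (a, b) in enumerate(zip(first, pw)) if a != b})
    # Constant characters stay visible, per-site characters become "?".
    template = "".join("?" if i in varying else c for i, c in enumerate(first))
    # Are the per-site characters simply letters taken from the site's name?
    derived = all(pw[i].lower() in site.lower()
                  for site, pw in items for i in varying)
    return {"template": template, "per_site_chars": len(varying),
            "derived_from_name": derived}


def random_password(length=20):
    """What a password manager's generator does: every character is drawn
    independently from a CSPRNG, so nothing carries over between sites."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    sites = ["Chase", "American Express", "State Farm"]  # sites named in the thread
    print(audit({s: formula_password(s) for s in sites}))
    print("random 20 chars:", random_password(), f"~{bits(20):.0f} bits")
```

For the formula, 7 of the 10 characters are identical on every site and the other 3 are letters of the site's name, so a single leaked password leaves nothing secret for the next site; the randomly generated passwords share nothing.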


sms

May 10, 2019, 10:54:13 AM
On 5/9/2019 6:33 PM, Mike Easter wrote:

<snip>

> So, I would think that for purposes of harmony between you and your wife
> and the question or issue of pw manager vs 'whatever' is how many
> behaviors and 'ideals' or comfort levels she is willing to give up for
> the concept of security, which you and she may see differently, in a sense.

I created a method of designing passwords that I can remember and that
can be changed in a specific way that enables remembering them. When a
site indicates how secure or insecure a password is, my method always
gets the highest rating.

Combine numbers, symbols, dates, and words in a consistent way, along
with differences based on the web site you are visiting.

I would not trust a password manager. I want nothing that has all my
usernames and passwords stored.

Piet

May 10, 2019, 11:09:38 AM
Mike Easter wrote:
> Anonymous wrote:
>> I'm trying to find a *simple* password manager my wife can use on her
>> phone. She is not at ease with the idea that she cannot use only two
>> simple passwords for everything, so what I choose HAS to be SIMPLE or
>> she won't use it. Her using the same password for her bank, Facebook
>> and Amazon accounts could turn into a BAD nightmare.

Being on Faecesbook IS already a nightmare.

> One of the things about pw managers is that they like to create hefty
> pw/s which no one would remember.

A pw manager creates passwords that aren't meant to be remembered,
but to be handled by the pw manager.

> A great many people don't like those kinds of pw/s because you are
> putting all of your faith in the pw manager.

Why is that a bad idea? It's mainly a problem for people who still
don't make backups, in this case of the pw manager's database.

> You can't remember the pw/s

See above.

> so there is a sense of 'discomfort'.

Then put all your passwords in a plain text file and encrypt that,
e.g. with AESCrypt, put it on a USB stick and stash it away in a
safe place. Then you have a fallback for your pw manager, but it
might be a little nightmare if you frequently change/add/delete
passwords, since you have to keep the two storages in sync.

> The reason that people like to use the same pw 'all over the place' is
> because they can remember

and because for false reasons like "discomfort" they don't use
methods which *are* a lot safer and still easy to use. Switching
to a pw manager might even save an anonymous marriage. :-)

-p

Davidm

May 10, 2019, 11:28:15 AM
On Fri, 10 May 2019 05:15:40 +0200 (GMT+02:00), Libor Striz
<poutnik4R...@gmailCAPITALS.com.INVALID> wrote:

>"Carlos E. R." <robin_...@es.invalid> Wrote in message:
>> I use KeePassXC in Linux. There is a variant for Android which I have not tried yet.
>
>It is probably KeePass2Android. I use it together with KeepassXC on Linux and Keepass2 on Windows.
Have used KeePass for years on Windows, now also on Android:
KeePass2Android (there's online and offline versions if you want to
sync them, I use the offline version and sync manually).
You can let it suggest a password for each entry, or type your own.
https://keepass.info/

123456789

May 10, 2019, 12:41:35 PM
Daniel James wrote:
> 123456789 wrote:

>> First 2 letters capitalized + old employee number +
>> last letter lower case + $13
>>
>> Chase bank would be CH1357e$13 American Express would
>> be AM1357s$13

> The trouble with that sort of scheme is that if your
> password for one site is compromised (== becomes well
> known by bad guys) it's pretty trivial to guess what
> your password will be on another system.

That assumes the bad guys even know I'm using a formula
password. I doubt it would even cross your mind looking at
my gibberish 13 character passwords unless I told you how I
did it. Oh wait, I did...

That also assumes the bad guys know of all my apps and sites
that require passwords. If somebody is stalking me enough to
know all that I've got much bigger troubles...

And since I use 2 factor authentication even the bad guys
knowing my password won't get them into my sensitive apps
and sites.

Also I have a pin registered with my phone company so my
number (and thus my 2FA) is unlikely to be hijacked.

But that was just a password generating example. My formula
method can be made as complicated (or as simple) as the user
desires. The OP wanted something better than using the same
password everywhere. This is one easy way...

Chris

May 10, 2019, 1:18:40 PM
I used to do this also, but not all websites have the same allowable
character rules. So, then I started having multiple rules and it got
complicated. Now I use a pw manager and only have to remember one pw. Plus,
all my passwords are at least 20 characters where possible.

Chris

May 10, 2019, 1:34:22 PM
Anonymous <nob...@cloaked.pw> wrote:
> I'm trying to find a *simple* password manager my wife can use on her
> phone.

I think it's going to be a struggle. All password managers have a learning
curve. You need to change your normal behaviour to work with it.

I've used keepassX in the past which is free, but now use enpass which
isn't.

The key thing is to not only keep the password database on the phone. If
the phone's then so are all your passwords. For that you will also need a
syncing method to another device/computer. You could try online managers
like lastpass or 1password, but you're entrusting it to a third party.

I'd recommend you try it yourself and then you're in a better place to help
her.
https://keepassxc.org/
https://www.enpass.io/ (free on mobile for first 20 passwords).


123456789

May 10, 2019, 2:39:47 PM
Chris wrote:
> 123456789 wrote:

>> Just use a [password] formula that is easy for you to
>> remember.

> I used to do this also, but not all websites have the
> same allowable character rules. So, then I started having
> multiple rules and it got complicated.

My sites' password rules vary also. SO FAR my sites' rules
sometimes don't allow less variety of characters but always
allow more. So my formula always includes at least one of
all types of characters. But I agree YMMV...

> Now I use a pw manager and only have to remember one pw.

I do the same in letting Google remember my NON-SENSITIVE
sites. And that's even easier since once signed in to Google
on a device no further password action is required.

> Plus, all my passwords are at least 20 characters where
> possible.

20 character passwords are certainly secure. I just don't
like giving up control of my sensitive stuff to someone
(something?) else. And of course what could go wrong? Can
you imagine a software glitch losing or botching the
passwords (and your control) to all your sites? Horrors.... 8-O

xJumper

May 10, 2019, 3:50:09 PM
I use keepass2 on Linux and Keepassandroid on my phone. Fully self
hosted non-cloud/third party seamless password managing isn't that hard.

There's a plugin for keepass2 to sync to online databases, I first setup
my own ftp server for that but realized that was a pain in the ass to
administer. So now I just put the password db on my router. Routers have
a public WAN IP and a small amount of internal memory and if it's a
semi-decent router it can withstand the rigors of being
accessible/exposed to the internet.

I set my router to DDNS to my domain name, I SCP the .kdbx file to the
router's home directory, created a limited user on the router and have
keepass2 sync over SCP with that limited user's credentials.

So I have a fully homemade self hosted secure password db that
seamlessly syncs across all my devices.


On 5/10/19 12:09 AM, 123456789 wrote:
> I use a password formula similar to this:
>
> First 2 letters capitalized + old employee number + last
> letter lower case + $13
>
> Chase bank would be CH1357e$13
> American Express would be AM1357s$13
> State Farm would be ST1357m$13
>
> Just use a formula that is easy for you to remember. Works
> for me. YMMV...


This would get you owned so fast in an offline attack. So e.g. said
company/service you use gets hacked and they download the encrypted files
with everyone's data. Crackers using off the shelf high end gamer PC
setups with quad GPU can brute force billions of combinations. Last I
read they can brute force EVERY SINGLE COMBINATION in the 8 character
space in something like 20 minutes, and that's if the password is
theoretically totally random. Your combo gives you a very non random 10
character password. Likely brute forced in seconds if they use a
password dictionary while brute forcing it maybe minutes if you're lucky.


On 5/10/19 12:41 PM, 123456789 wrote:
> That assumes the bad guys even know I'm using a formula
> password. I doubt it would even cross your mind looking at
> my gibberish 13 character passwords unless I told you how I
> did it. Oh wait, I did...

People think they're clever, that nobody ever thought of whatever trick
they have. At billions of guesses a computer brute forcing has a pretty
decent margin for error, combined with hundreds of password
dictionary/compilations of every other breached sites' passwords/users
and all the other "clever" tricks somebody else in the world likely
thought of as well before you that will be attempted. That one liner
from that obscure Led Zeppelin song plus your DOB, it's been thought of,
somebody has done it and it's in a password dictionary db somewhere.


On 5/10/19 12:41 PM, 123456789 wrote:
> And since I use 2 factor authentication even the bad guys
> knowing my password won't get them into my sensitive apps
> and sites.
>
> Also I have a pin registered with my phone company so my
> number (and thus my 2FA) is unlikely to be hijacked.
>
> But that was just a password generating example. My formula
> method can be made as complicated (or as simple) as the user
> desires. The OP wanted something better than using the same
> password everywhere. This is one easy way...


2FA *might* help you against mass attacks, but a specific targeted
attack will take you out, and that doesn't necessarily mean somebody
stalking you, it just means somebody willing to go the extra mile once
they've purchased your "fullz" on the darknet markets.

You know/pay the right people on the .onion sites you can get an inside
man at all the big telcos to sim swap/sim boost whoever you want. It's
not hard to do and it's big business right now.









Arlen G. Holder

May 10, 2019, 10:06:33 PM
On Fri, 10 May 2019 15:50:08 -0400, xJumper wrote:

> I use keepass2 on Linux and Keepassandroid on my phone. Fully self
> hosted non-cloud/third party seamless password managing isn't that hard.

Hi xJumper,
Me too on the fully-self-hosted non-cloud password management:
o The password file passes back & forth among all platforms over my LAN

The Windows, Linux, Android, & iOS keepass-compatible apps I use are
o I use KeePass Password Safe version 2.42.1 on Windows 10
<https://keepass.info/news/n190501_2.42.html>
o Keepass2Android version 1.06f on Android 7
<https://play.google.com/store/apps/details?id=keepass2android.keepass2android>
o KeePass2 on Ubuntu 18.10
(sudo apt-get install keepass2)
o Where iOS is always problematic, so I haven't chosen yet:
<https://i.postimg.cc/fLQZVgnK/encrypt01.jpg>
But where I may end up choosing minikeepass:
<http://minikeepass.github.io>

> There's a plugin for keepass2 to sync to online databases, I first setup
> my own ftp server for that but realized that was a pain in the ass to
> administer. So now I just put the password db on my router. Routers have
> a public WAN IP and a small amount of internal memory and if it's a
> semi-decent router it can withstand the rigors of being
> accessible/exposed to the internet.

This is good for those who want to access their passwd dbx over the net!

Me?
o My router is an "n" router that is too old (it's SMB version 1.0 I
think); where the caveat is, as you noted, that you need the later versions
of SMB to be secure (which any "ac" router should have, I would think).

> I set my router to DDNS to my domain name, I SCP the .kdbx file to the
> router's home directory, created a limited user on the router and have
> keepass2 sync over SCP with that limited user's credentials.
>
> So I have a fully homemade self hosted secure password db that
> seamlessly syncs across all my devices.

I like this "seamless sync", as my sync is manual, but I don't often change
the passwd file so that manual sync isn't of great import.

However, the _same_ process can be used to sync a common calendar file
without having to put your calendar on the net (where I note that Google
Calendar just surpassed the billion downloads mark, which pretty much means
there are a billion people's calendars on the net for hackers to hack their
privacy).
<https://www.androidpolice.com/2019/05/10/friday-may-10-google-calendar-reaches-1-billion-installs-on-the-play-store/>

Me?
o I pass calendar ics files back & forth over my private LAN

Those ics files could use your "DDNS" solution, if we understood it.

Unfortunately, it's a lot harder to find a freeware calendar solution that
can both export & import the industry-standard ics file format, where
setting up a Linux CalDAV server makes the most sense from the standpoint
of easy setup.

However that pre-supposes a Linux server running 24/7, where I note that a
calendar is updated far more often, in general, than a password dbx file,
so it's more important to have the automatic update for ics files.

For my cross-platform manual sync solution over the private LAN, I
currently use the following calendar apps which import/export ics files.

*Linux* privacy-based local LAN calendar solution:
o <https://www.rainlendar.net/cms/index.php?option=com_rny_download>

*Windows* privacy-based local LAN calendar solution:
o <https://www.rainlendar.net/cms/index.php?option=com_rny_download>

*MacOS* privacy-based local LAN calendar solution:
o <https://www.rainlendar.net/cms/index.php?option=com_rny_download>

*Android* privacy-based local LAN calendar solution:
o <https://play.google.com/store/apps/details?id=com.simplemobiletools.calendar.pro>

*iOS* privacy-based local LAN calendar solution:
o iOS appears to completely lack this basic privacy-based functionality

In addition to dbx & ics files, contacts and encrypted containers would
also benefit from being synced across the private lan with your DDNS
mechanism.
o What are some key common databases you often SHARE between your desktop & mobile devices?
<https://groups.google.com/d/msg/comp.mobile.android/fbtSgT0AiP0/Bwb_tsmeBwAJ>

Can you give us a pointer for how to set up this automatic sync with
"DDNS"?

Here's what a quick googling found...where it's apparently a way to handle
those with dynamic IP addresses, whereas mine is static:
<https://blog.dbrgn.ch/2016/7/23/afraid_org_dyndns_mikrotik/>

xJumper ... is there a good basic description of how the average home owner
can set up an automatic sync, assuming a static IP address, of the common
private databases (ics, vcard, kdbx, tc, etc.)?

123456789

May 10, 2019, 11:57:09 PM
xJumper wrote:

> 123456789 wrote:

>> I use a password formula similar to this: First 2
>> letters capitalized + old employee number + last letter
>> lower case + $13

>> My personal formula makes 13 character passwords that
>> look like gibberish.

> This would get you owned so fast in an offline attack.

I would be owned no faster than any other 13 character
gibberish password.

> a company/service you use gets hacked and they download
> the encrypted files with everyone's data.

Cracking ONE of my company's servers and gaining ONE of my
passwords to that ONE site doesn't endanger my many other
sites since the hackers don't know what they are.

> Crackers using off the shelf high end gamer PC setups
> with quad GPU can brute force billions of combinations>
> they can brute force EVERY SINGLE COMBINATION in the 8
> character space in something like 20 minutes, and that's
> if the password is theoretically totally random.

That would apply to all passwords, not just my formula
generated ones.

> Your combo gives you a very non random 10 character
> password.

My formula generated passwords are 13 characters long. And
my passwords are more random than many since other people
often use their kids names, regular words and phrases,
birthdays, etc. as passwords.

> Likely brute forced in seconds if they use a password
> dictionary while brute forcing it maybe minutes if
> you're lucky.

Brute force wouldn't work on most of my sensitive sites.
They lock you out after a small predetermined number of
failed password tries.

> 2FA *might* help you against mass attacks, but a
> specific targeted attack will take you out

As I said before, if I'm being personally targeted then I have
much bigger problems than just a password compromise...

xJumper

May 11, 2019, 3:55:26 AM
>
> Cracking ONE of my company's servers and gaining ONE of my
> passwords to that ONE site doesn't endanger my many other
> sites since the hackers don't know what they are.

Many many ways to track people's identity online if you know where to
look. Most people even those using different passwords for everything
will still use the same username or variation of as well as the same
sign up email. Looking through the right database leaks/compilations of
those you can query the right info and find a surprising web of the
persons life online, everything they use, all the services, forums, etc.
Compromising ONE service is often all it takes to cascade and then
compromise many others.


On 5/10/19 11:57 PM, 123456789 wrote:
> That would apply to all passwords, not just my formula
> generated ones.
>
>
>> My formula generated passwords are 13 characters long. And
>> my passwords are more random than many since other people
>> often use their kids names, regular words and phrases,
>> birthdays, etc. as passwords.

Not all, as you noted most people's passwords which are completely shit
will be brute forced in half a second. No really, anything resembling
what the average person uses gets brute forced in seconds. I'd bet that
50% of passwords get brute forced that quick. The harder ones well they
just leave their machine running for a few weeks to brute force the rest
and they'll pretty much have everyone except the 1%'ers who use
completely random passwords from password managers.

>
> Brute force wouldn't work on most of my sensitive sites.
> They lock you out after a small predetermined number of
> failed password tries.

That's not how most compromises work. If you read my post you'll notice
I specifically said offline attacks. They don't sit there and attempt
logins through the same web portal genuine customers use. They straight
up hack the company, steal all the encrypted personal files/account
info/user credentials, etc and then run offline attacks where they have
unlimited tries. Your info then gets compiled into large chunks sold to
other people for money or it gets curated into "fullz" which really go
for money and allow people to take over your life. These breaches happen
every day against major companies and you don't hear about it on the news.

>
>> 2FA *might* help you against mass attacks, but a
>> specific targeted attack will take you out
>
> As I said before, if I'm being personally targeted then I have
> much bigger problems than just a password compromise...


You don't understand how that works either. They don't need to
specifically target you, they just need to employ another tool that's
rather easy to use. You're overlooking the tools used by crackers to
give yourself a false sense of security thinking that if they're going
that far they must really be out to get you to the point of them
following you around in real life.

Say I crack your Amazon account password, it says it needs a 2FA code
from your mobile, well, a lot of times I don't even need to look for
your mobile number because it says it in some prompt that it will send a
code to your number and then lists the number. To get around that all I
need to do is pay/message the right guys on .onion sites that do sim
swapping to have your number ported over to whatever sim I have control
of and receive your 2FA code. There's other methods as well but that's
the well known every level one for new guys in the sim boosting game.

You don't need to be the target of some shadowy organization for 2FA to
fail. 2FA through SMS straight up sucks as a security measure, SMS was
never meant to be secure and mobile numbers were never supposed to be
some kind of global identifier security system.

If anything, compared to a guy that just uses password managers vs the
average normal dude with "normal" passwords and 2FA, it makes it easier
to steal your identity.

Your security model is at best the dreaded "security through obscurity".
You might be spared only because hackers employing the tools I suggested
pwn 80% of the breached database and from that they make enough money
that they call it a day and decide not to brute force the remaining
slightly harder passwords in the last 20%.









Chris

May 11, 2019, 6:37:33 AM
123456789 <12...@12345.com> wrote:
> Chris wrote:
>> 123456789 wrote:
>
>>> Just use a [password] formula that is easy for you to
>>> remember.
>
>> I used to do this also, but not all websites have the
>> same allowable character rules. So, then I started having
>> multiple rules and it got complicated.
>
> My sites password rules vary also. SO FAR my sites rules
> sometimes don't allow less variety of characters but always
> allow more. So my formula always includes at least one of
> all types of characters. But I agree YMMV...

Yep. Many places don't allow special characters or uppercase letters or
numbers or have quite short maximum lengths - i kid you not.

>> Now i use a pw manager and only have to remember one pw.
>
> I do the same in letting Google remember my NON-SENSITIVE
> sites. And that's even easier since once signed in to Google
> on a device no further password action is required.
>
>> Plus, all my passwords are at least 20 characters where
>> possible.
>
> 20 character passwords are certainly secure. I just don't
> like giving up control of my sensitive stuff to someone
> (something?) else.

That's the thing. You don't lose control. My passwords file is under my
control on all my devices.

> And of course what could go wrong? Can
> you imagine a software glitch losing or botching the
> passwords (and your control) to all your sites? Horrors.... 8-O

That software glitch would have to take out all local copies of my
passwords database file at the same time, plus all backups. The risk is
minuscule.

The daily savings in effort are also huge. For every website i need to
login all it takes is a double-click on the entry in my manager. No more
typing of passwords :)

Carlos E. R.

unread,
May 11, 2019, 6:44:40 AM5/11/19
to
On 11/05/2019 12.37, Chris wrote:
> Yep. Many places don't allow special characters or uppercase letters or
> numbers or have quite short maximum lengths - i kid you not.

Bank. 4 digits.

--
Cheers,
Carlos E.R.

Daniel James

unread,
May 11, 2019, 8:42:09 AM5/11/19
to
In article <gjnncn...@mid.individual.net>, Carlos E. R. wrote:
> Bank. 4 digits.

There is some mitigation in the case of bank PIN codes -- you have a
fixed (and small) number (usually 3) of attempts before the PIN is
locked and you can't log in at all.

The PIN length limit of 4 is unfortunate, but there are so many ATMs
and PoS devices in the world (mostly in the USA) with that PIN length
hard-coded that it will be a LONG time before any bank feels able to
relax the limit.

--
Cheers,
Daniel.


Daniel James

unread,
May 11, 2019, 8:42:09 AM5/11/19
to
In article <qb49ju$qkp$1...@dont-email.me>, 123456789 wrote:
> That assumes the bad guys even know I'm using a formula
> password.

Don't underestimate the power of Big Data! If BadGuys-R-Us get hold of
a big database of compromised EMail addresses and passwords for
different services they are likely to get a number of cases where the
same EMail address has been used for different services.

If they then run some sort of simple pattern-matcher between the
passwords used by that user they would very likely spot the 1357 and
the $13 parts of passwords formed using the scheme you outlined. A bit
more pattern-matching against the service names could reveal the method
-- or the software might just flag the user name as being worth looking
at by a real human, who might spot it at once.

Computers make this sort of analysis really easy and cheap to do.
Enough people do use formulaic password generation schemes that it's
worth checking for them. Remember: BadGuys-R-Us only have to get lucky
once in a while to be able to make money.

> That also assumes the bad guys know of all my apps and sites
> that require passwords. If somebody is stalking me enough to
> know all that I've got much bigger troubles...

Point about stalking taken and well made ... but once BadGuys have
learnt that m...@example.com uses a formula they can try to use that
formula to log in to any service they like. Most of the time it won't
work, but once in a while they may get lucky. Bad guesses cost them
almost nothing, correct ones open up the opportunity for profit.

> And since I use 2 factor authentication even the bad guys
> knowing my password won't get them into my sensitive apps
> and sites.

You didn't mention 2FA before :-) Good for you, but it should have been
part of your original advice.

--
Cheers,
Daniel.
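The pattern matching described in the post above can be turned around as a self-audit of one's own password list. This is an added example, not part of the original thread; the account names and passwords are constructed and only reuse the "1357" and "$13" fragments quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample data: one e-mail address, three services, passwords built
# from a made-up formula (service letters + fixed "1357" + fixed "$13").
FORMULA_ACCOUNTS = {
    "amazon": "Ama1357zon$13",
    "facebook": "Fac1357ook$13",
    "mybank": "Myb1357ank$13",
}
# Constructed control set: unrelated random strings, as a manager would store.
RANDOM_ACCOUNTS = {
    "amazon": "q7#Lm2vX!p9Rt",
    "facebook": "Zk4&wB8eYu1$G",
    "mybank": "hT6^nC3sJf0@V",
}


def shared_fragments(passwords, min_len=3):
    """Maximal substrings of at least min_len characters found in every password."""
    base = min(passwords, key=len)
    hits = {
        base[i:j]
        for i in range(len(base))
        for j in range(i + min_len, len(base) + 1)
        if all(base[i:j] in p for p in passwords)
    }
    # Keep only fragments that are not contained in a longer shared fragment.
    maximal = [h for h in hits if not any(h != o and h in o for o in hits)]
    return sorted(maximal, key=base.index)


def leftover_pieces(password, fragments):
    """What remains of a password once the fixed fragments are cut out."""
    pattern = "|".join(re.escape(f) for f in sorted(fragments, key=len, reverse=True))
    return [piece for piece in re.split(pattern, password) if piece]


def audit(accounts, min_len=3):
    """accounts maps service name -> password; reports signs of a formula."""
    if len(accounts) < 2:
        raise ValueError("need at least two passwords to compare")
    fragments = shared_fragments(list(accounts.values()), min_len)
    if not fragments:
        return {"fragments": [], "fixed_fraction": 0.0,
                "service_derived": [], "formulaic": False}
    shortest = min(len(pw) for pw in accounts.values())
    fixed_fraction = round(sum(len(f) for f in fragments) / shortest, 2)
    # A service counts as "derived" when every variable piece of its password
    # is a slice of the service name itself.
    derived = []
    for service, password in accounts.items():
        pieces = leftover_pieces(password, fragments)
        if pieces and all(p.lower() in service.lower() for p in pieces):
            derived.append(service)
    return {
        "fragments": fragments,
        "fixed_fraction": fixed_fraction,
        "service_derived": derived,
        "formulaic": fixed_fraction >= 0.25,
    }


if __name__ == "__main__":
    print(audit(FORMULA_ACCOUNTS))
    print(audit(RANDOM_ACCOUNTS))
```

A high fixed fraction together with service-derived leftovers means that a single leaked password exposes most of every other one.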




nospam

unread,
May 11, 2019, 9:59:12 AM5/11/19
to
In article <gjnncn...@mid.individual.net>, Carlos E. R.
<robin_...@es.invalid> wrote:

> On 11/05/2019 12.37, Chris wrote:
> > Yep. Many places don't allow special characters or uppercase letters or
> > numbers or have quite short maximum lengths - i kid you not.
>
> Bank. 4 digits.

that's a pin code, not a password.

123456789

unread,
May 11, 2019, 11:07:05 AM5/11/19
to
Chris wrote:
> 123456789 wrote:

> Many places don't allow special characters or uppercase
> letters or numbers or have quite short maximum lengths -
> i kid you not.

I doubt many sensitive sites don't allow complex passwords.
And if I run into a non-sensitive site that won't accept my
complex character formula password I'll just make one up
that fits and let Google remember it.

> My passwords file is under my control on all my devices.

Impossible to be hacked? Impossible is a strong word...

>> Can you imagine a software glitch losing or botching
>> the passwords

> That software glitch would have to take out all local
> copies of my passwords database file at the same time,
> plus all backups. The risk is minuscule.

Yes, and I suppose a wetware glitch (stroke) might do the
same to mine... :-/

> The daily savings in effort are also huge. For every
> website i need to login all it takes is a double-click on
> the entry in my manager.

What happens if you are at a friend's house and want to log
into one of your sites on his computer?

> No more typing of passwords :)

I look at it as good exercise for my brain (memory) which
goodness knows needs all the exercise it can get these days...

123456789

unread,
May 11, 2019, 11:38:09 AM5/11/19
to
xJumper wrote:
> 123456789 wrote:

> Many many ways to track people's identity online if you
> know where to look.

Doing that would make the tracked person targeted. Already
previously answered.

>>> My formula generated passwords are 13 characters
>>> long. And my passwords are more random than many
>>> since other people often use their kids names,
>>> regular words and phrases, birthdays, etc. as
>>> passwords.

> most people's passwords which are completely shit will be
> brute forced in half a second.

Then mine would take a full second.

> They straight up hack the company, steal all the
> encrypted personal files/account

Password complexity gives no protection over that.

> To get around that [2FA] all I need to do is pay/message
> the right guys on .onion sites

Mafia stuff huh?

> SMS straight up sucks as a [2FA] security measure, SMS
> was never meant to be secure

Better than the alternative which is no 2FA.

> compared to a guy that just uses password managers vs
> the average normal dude with "normal" passwords and 2FA,
> it makes it easier to steal your identity.

Agreed. Assuming you completely trust the software. Seems
like every day I read of some piece of software being outed
for having a security problem.

> Your security model is at best the dreaded "security
> through obscurity".

That and a 13 character formula generated gibberish
password... ;)

123456789

unread,
May 11, 2019, 11:57:35 AM5/11/19
to
Daniel James wrote:

> If BadGuys-R-Us get hold of a big database of compromised
> EMail addresses and passwords for different services

If companies are hacked even a super complex password won't
help.

> they are likely to get a number of cases where the same
> EMail address has been used for different services.

Many sites only allow an email address for the user name.
That's why I keep several email accounts (doesn't everyone?).

> If they then run some sort of simple pattern-matcher
> between the passwords used by that user they would very
> likely spot the 1357 and the $13 parts of passwords
> formed using the scheme you outlined.

I think I have a better chance of getting whacked on the
freeway today than that scenario actually happening.






nospam

unread,
May 11, 2019, 12:48:08 PM5/11/19
to
In article <qb6q91$i9h$1...@dont-email.me>, 123456789 <12...@12345.com>
wrote:

>
> > They straight up hack the company, steal all the
> > encrypted personal files/account
>
> Password complexity gives no protection over that.

yes it does.

> > To get around that [2FA] all I need to do is pay/message
> > the right guys on .onion sites
>
> Mafia stuff huh?

nope, and not necessarily darkweb. convince someone in a carrier store
and game over, and that likely will be free.

> > SMS straight up sucks as a [2FA] security measure, SMS
> > was never meant to be secure
>
> Better than the alternative which is no 2FA.

nope. it actually makes it easier.

without sms in the loop, the bad guys would need to actually crack your
hopefully hard to guess password.

with sms, all the bad guys need to do is hijack your phone (easy) and
reset the password, making whatever complex password you chose
completely irrelevant. the password reset confirmation sms goes to the
hijacked phone, which is now in *their* control, not yours, and then
they get to pick a new password that *you* don't know...

Libor Striz

unread,
May 11, 2019, 12:49:17 PM5/11/19
to
nospam <nos...@nospam.invalid> Wrote in message:
> In article <gjnncn...@mid.individual.net>, Carlos E. R.
> <robin_...@es.invalid> wrote:
>
> > On 11/05/2019 12.37, Chris wrote:
> > > Yep. Many places don't allow special characters or uppercase letters or
> > > numbers or have quite short maximum lengths - i kid you not
> >
> > Bank. 4 digits.
>
> that's a pin code, not a password.

The PIN code is a password in the format of 4 digit characters.


--
Poutnik ( the Wanderer )




nospam

unread,
May 11, 2019, 1:01:55 PM5/11/19
to
In article <qb6uec$ajn$1...@dont-email.me>, Libor Striz
<poutnik4R...@gmailCAPITALS.com.INVALID> wrote:

> > Yep. Many places don't allow special characters or uppercase letters or
> > numbers or have quite short maximum lengths - i kid you not
>
> > > Bank. 4 digits.
>
> > that's a pin code, not a password.
>
> The PIN code is a password in the format of 4 digit characters.

nope. it's a numeric code for an atm/debit/credit card.

the password is what is used to log into the bank's web site (or
another company), along with the user id (usually an email but
sometimes a user-selected name), comprised of letters, numbers and/or
symbols, usually a minimum of 6-8 characters and ideally *much* longer
than that.

xJumper

unread,
May 11, 2019, 3:39:55 PM5/11/19
to
On 5/11/19 11:38 AM, 123456789 wrote:

> Password complexity gives no protection over that.

It does, saying otherwise means you do not understand cryptography in
regards to how it is applied today in computer security environments and
how password/credential databases are stored by corporations.

Unless the business is completely incompetent and stores your creds in
plaintext (e.g. something Facebook did until like 2013) your credentials
are encrypted/hashed. When your creds get stolen in big corporate
hacks/breaches the attackers have millions of people's creds in
encrypted/hashed values. They use brute force attacks offline combined
with password dictionaries and rainbow tables to reverse the
hashed/encrypted values.

A strong password like one created from a password manager makes that
impossible to do with current computing power. A weak password will
likely be found fairly easily.

Either way this notion that you have that password complexity gives no
protection over large corporate database hacks is incorrect as is your
understanding of how attacks/compromises happen.

> Mafia stuff huh?

Not Mafia stuff at all, SIM boosting is a big thing right now in the
criminal world. It's easy, accessible and stupid simple to do. If I
didn't have a job and the only alternative was being a stickup man or
dealing eight balls I would totally do that. It's easy, there's large
amounts of money to be made, the risk of getting caught is almost nil
provided you use the right equipment/opsec procedures and the penalties
if caught would be relatively small compared to anything else that could
net you similar amounts of money.

> Agreed. Assuming you completely trust the software. Seems
> like every day I read of some piece of software being outed
> for having a security problem.

There are many completely open source pieces of software that have been
audited in the password manager realm. Either way unless you want to
write them down manually (which is a perfectly fine and top notch high
security solution I might add) the next best thing is using password
managers.

> That and a 13 character formula generated gibberish
> password... ;)

The security through obscurity model is considered by almost everyone in
the computer security world to be just about the worst thing you can
possibly do in any facet of which it could be employed.


Anyway I've said my piece, you can choose to laugh or educate yourself on
the modern attack vectors used to better harden your security in the
digital world.
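The storage scheme described in the post above (salted, hashed credentials that can only be recovered by guessing) can be sketched from the defender's side. This is an added example, not part of the original thread; the users, passwords, deny-list, iteration count and guess rate are all constructed assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumption: kept low so the example runs quickly; real deployments use a
# far higher work factor or a memory-hard function.
ITERATIONS = 20_000
# Assumption: an offline guess rate against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e9
# Constructed deny-list of commonly used passwords.
DENY_LIST = ["123456", "password1", "qwerty", "Summer2019", "letmein"]


def make_record(password, salt=None):
    """What the site stores instead of the password: (salt, PBKDF2 digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def weak_accounts(records, deny_list):
    """Audit: which stored records match a password on the deny-list.

    This is the only way anyone holding the records can learn a password:
    guess, hash with the record's salt, compare.
    """
    return sorted(user for user, rec in records.items()
                  if any(verify(word, rec) for word in deny_list))


def keyspace_bits(alphabet_size, length):
    """Size of the search space for a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every candidate at the given offline guess rate."""
    return alphabet_size ** length / guesses_per_second


def build_sample():
    """Constructed credential table: two common passwords, one generated."""
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    generated = "".join(secrets.choice(alphabet) for _ in range(20))
    return {
        "alice": make_record("password1"),
        "bob": make_record("Summer2019"),
        "carol": make_record(generated),
    }


if __name__ == "__main__":
    table = build_sample()
    print("on deny-list:", weak_accounts(table, DENY_LIST))
    for label, size, length in [("4-digit PIN", 10, 4), ("8-digit PIN", 10, 8),
                                ("20 random printable chars", 94, 20)]:
        secs = seconds_to_exhaust(size, length, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label}: {keyspace_bits(size, length):.1f} bits, {secs:.3g} s to exhaust")
```

The time estimates apply to offline guessing against a stolen table only; an online attempt limit such as three tries before lockout does not enter into them.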



Carlos E. R.

unread,
May 11, 2019, 4:39:16 PM5/11/19
to
That has to be used on the web page to gain access - call it as you wish.

--
Cheers,
Carlos E.R.

Carlos E. R.

unread,
May 11, 2019, 4:41:31 PM5/11/19
to
Then it is indeed a password of 4 digits to the bank web page. As I
said. I said nothing of cards.

Another bank I know improves things by allowing the user to set up to 8

Carlos E. R.

unread,
May 11, 2019, 4:42:27 PM5/11/19
to
On 11/05/2019 17.07, 123456789 wrote:
> What happens if you are at a friend's house and want to log
> into one of your sites on his computer?

If I do that, I change the password when I get back home.

--
Cheers,
Carlos E.R.

nospam

unread,
May 11, 2019, 6:35:19 PM5/11/19
to
In article <gjoqbq...@mid.individual.net>, Carlos E. R.
<robin_...@es.invalid> wrote:

> >>> Yep. Many places don't allow special characters or uppercase letters or
> >>> numbers or have quite short maximum lengths - i kid you not
> >>
> >>>> Bank. 4 digits.
> >>
> >>> that's a pin code, not a password.
> >>
> >> The PIN code is a password in the format of 4 digit characters.
> >
> > nope. it's a numeric code for an atm/debit/credit card.
> >
> > the password is what is used to log into the bank's web site (or
> > another company), along with the user id (usually an email but
> > sometimes a user-selected name), comprised of letters, numbers and/or
> > symbols, usually a minimum of 6-8 characters and ideally *much* longer
> > than that.
>
> Then it is indeed a password of 4 digits to the bank web page. As I
> said. I said nothing of cards.

then that bank is insecure, close the account *now*.

> Another bank I know improves things by allowing the user to set up to 8
> digits.

that's better, but only slightly. it's still under 1 second to brute
force all combinations.

nospam

unread,
May 11, 2019, 6:35:19 PM5/11/19
to
In article <gjoq7j...@mid.individual.net>, Carlos E. R.
<robin_...@es.invalid> wrote:

> >>> Yep. Many places don't allow special characters or uppercase letters or
> >>> numbers or have quite short maximum lengths - i kid you not.
> >>
> >> Bank. 4 digits.
> >
> > that's a pin code, not a password.
>
> That has to be used on the web page to gain access - call it as you wish.

nope. to log into a web site (not just banks), a username (usually
email, but not always) and a password is required, which is not a 4
digit number. most web sites require a password with at least 6
characters, using a combination of letters, numbers and (hopefully)
symbols.

pin codes are used *with* the physical card to make a purchase or
withdraw money from an atm, not to log into a web site, which is why
they're called chip & pin cards.

in some cases, a mobile app will offer an *optional* 4 digit pin code
(sometimes 6 digits) as a convenience because typing a long password
every time on small display is a pain, but only *after* properly
authenticating with the actual password. the better apps offer
fingerprint authentication.

any bank that requires only 4 digits to log into their website is
horribly insecure. close your accounts *now* before it's hacked.

123456789

unread,
May 11, 2019, 8:04:58 PM5/11/19
to
xJumper wrote:

> this notion that you have that password complexity gives no
> protection over large corporate database hacks is incorrect as is your
> understanding of how attacks/compromises happen.

After the bad guys already have ALL my information from that
ONE corporation why would I then worry that they might also
break my ONE password to access that very same corporation?


123456789

unread,
May 11, 2019, 8:06:09 PM5/11/19
to
nospam wrote:
> 123456789 wrote

>> Password complexity gives no protection over that.
>> [company hack]

> yes it does.

No it doesn't

> convince someone in a carrier store and game over [sim
> hijack]

With a sim hijack the bad guys would have my phone number
but not know which sites I use so SMS 2FA would do them
little good before I quickly rectified things.

Carlos E. R.

unread,
May 11, 2019, 8:17:41 PM5/11/19
to
On 12/05/2019 00.35, nospam wrote:
> In article <gjoqbq...@mid.individual.net>, Carlos E. R.
> <robin_...@es.invalid> wrote:
>
>>>>> Yep. Many places don't allow special characters or uppercase letters or
>>>>> numbers or have quite short maximum lengths - i kid you not
>>>>
>>>>>> Bank. 4 digits.
>>>>
>>>>> that's a pin code, not a password.
>>>>
>>>> The PIN code is a password in the format of 4 digit characters.
>>>
>>> nope. it's a numeric code for an atm/debit/credit card.
>>>
>>> the password is what is used to log into the bank's web site (or
>>> another company), along with the user id (usually an email but
>>> sometimes a user-selected name), comprised of letters, numbers and/or
>>> symbols, usually a minimum of 6-8 characters and ideally *much* longer
>>> than that.
>>
>> Then it is indeed a password of 4 digits to the bank web page. As I
>> said. I said nothing of cards.
>
> then that bank is insecure, close the account *now*.

LOL


>> Another bank I know improves things by allowing the user to set up to 8
>> digits.
>
> that's better, but only slightly. it's still under 1 second to brute
> force all combinations.

Try. At the third failed try, you are out, and you have to phone to get
another attempt.

--
Cheers,
Carlos E.R.

Carlos E. R.

unread,
May 11, 2019, 8:18:42 PM5/11/19
to
On 12/05/2019 00.35, nospam wrote:
> In article <gjoq7j...@mid.individual.net>, Carlos E. R.
> <robin_...@es.invalid> wrote:
>
>>>>> Yep. Many places don't allow special characters or uppercase letters or
>>>>> numbers or have quite short maximum lengths - i kid you not.
>>>>
>>>> Bank. 4 digits.
>>>
>>> that's a pin code, not a password.
>>
>> That has to be used on the web page to gain access - call it as you wish.
>
> nope. to log into a web site (not just banks), a username (usually
> email, but not always) and a password is required, which is not a 4
> digit number. most web sites require a password with at least 6
> characters, using a combination of letters, numbers and (hopefully)
> symbols.

Not here.


> pin codes are used *with* the physical card to make a purchase or
> withdraw money from an atm, not to log into a web site, which is why
> they're called chip & pin cards.
>
> in some cases, a mobile app will offer an *optional* 4 digit pin code
> (sometimes 6 digits) as a convenience because typing a long password
> every time on small display is a pain, but only *after* properly
> authenticating with the actual password. the better apps offer
> fingerprint authentication.
>
> any bank that requires only 4 digits to log into their website is
> horribly insecure. close your accounts *now* before it's hacked.

LOL


--
Cheers,
Carlos E.R.

nospam

unread,
May 11, 2019, 9:43:38 PM5/11/19
to
In article <gjp713...@mid.individual.net>, Carlos E. R.
irrelevant when the bank's database has been breached.

nospam

unread,
May 11, 2019, 9:43:39 PM5/11/19
to
In article <qb7o1g$i5d$2...@dont-email.me>, 123456789 <12...@12345.com>
wrote:

> >> Password complexity gives no protection over that.
> >> [company hack]
>
> > yes it does.
>
> No it doesn't

yes it most certainly does.

> > convince someone in a carrier store and game over [sim
> > hijack]
>
> With a sim hijack the bad guys would have my phone number
> but not know which sites I use so SMS 2FA would do them
> little good before I quickly rectified things.

they already know that, and by the time you notice, it's too late.

xJumper

unread,
May 12, 2019, 1:54:11 AM5/12/19
to
On 5/11/19 8:04 PM, 123456789 wrote:
>
> After the bad guys already have ALL my information from that ONE
> corporation why would I then worry that they might also break my ONE
> password to access that very same corporation?
>

I almost think you're trolling, but I'll give you one last benefit of
the doubt.

This is the really dumbed down version...

They don't have any of your info as your info is "sealed" in "encrypted
envelopes" that were stolen once those companies got hacked. Companies
"seal" all your info in "encrypted envelopes" to protect it while in
their storage so it's not just one large plain text readable database.

The only way to access that "encrypted envelopes" contents is to brute
force the encryption/hashing via the method/process I previously described.

So they don't have anything until they break those envelopes open, but
if you use a shitty password like the one you say you use, you make that
job relatively easy.


Like I said you need to do some serious reading on this topic, you're
way out to lunch on some of this stuff and your understanding of how
attacks work.













Arlen G. Holder

unread,
May 12, 2019, 2:00:37 AM5/12/19
to
On Sun, 12 May 2019 01:54:10 -0400, xJumper wrote:

> I almost think you're trolling, but I'll give you one last benefit of
> the doubt.

Hi xJumper,
You have to know a bit about 1thru9, where you draw your own conclusions
o I've long ago drawn mine...

Which are, he sometimes makes sense (and yet, rarely adds any value)...
o Where, most of the time, it's just his emotional meaningless drivel.

Just watch.
o Decide for yourself.

Meanwhile, I did ask a reasonable question that you might not have seen
which is how to automatically sync Android with the PC.
<https://groups.google.com/d/msg/comp.mobile.android/5HFVXB5yTk4/0vD_ZKkfAQAJ>

I even opened a separate thread on that, which will help everyone far
better than arguing about passwords when logic should prevail.
o Do you have an existing working automatic sync setup for all your devices on your home LAN?
<https://groups.google.com/forum/#!topic/alt.comp.freeware/KI9m-50mOkg>

So far nobody seems to know how to automate rsync between Android & PC.

123456789

unread,
May 12, 2019, 3:30:03 AM5/12/19
to
nospam wrote:
> 123456789 wrote:

>>> convince someone in a carrier store and game over
>>> [SIM hijack]

>> With a SIM hijack the bad guys would have my phone
>> number but not know which sites I use

> they already know that,

How would they know all my sites unless I'm targeted? And
what are the chances of me being targeted out of hundreds of
millions of phone accounts?

123456789

unread,
May 12, 2019, 3:30:08 AM5/12/19
to
xJumper wrote:

> They [hackers] don't have any of your info as your info
> is "sealed" in "encrypted envelopes"

My password alone is guarding a company's encrypted
envelopes? I'm impressed.

> So they don't have anything until they break those
> envelopes open, but if you use a shitty password like the
> one you say you use,

My 13 character formula generated gibberish passwords are
less shitty than most passwords I see the general population
using.

> you make that job relatively easy.

I'll report back when I get hacked. So far it's been zip
(knocks on wood)...

123456789

unread,
May 12, 2019, 3:30:19 AM5/12/19
to
Arlen G. Holder wrote:

> Hi xJumper, You have to know a bit about 1thru9, where
> you draw your own conclusions I've long ago drawn mine...
> Which are, he sometimes makes sense (and yet, rarely adds
> any value)... Where, most of the time, it's just his
> emotional meaningless drivel. Just watch. Decide for
> yourself.

Gosh Arlen are you OT chit-chatting again? Thought you didn't
do such things... 8-O

xJumper

unread,
May 12, 2019, 4:22:35 AM5/12/19
to
On 5/12/19 3:30 AM, 123456789 wrote:
>
> My password alone is guarding a company's encrypted
> envelopes? I'm impressed.

Yep confirmed, trolling or you straight up don't understand...

Carlos E. R.

unread,
May 12, 2019, 6:18:21 AM5/12/19
to
Nobody has done it yet.

--
Cheers,
Carlos E.R.

Carlos E. R.

unread,
May 12, 2019, 9:02:27 AM5/12/19
to
On 12/05/2019 09.30, 123456789 wrote:
> xJumper wrote:
>
>> They [hackers] don't have any of your info as your info
>> is "sealed" in "encrypted envelopes"
>
> My password alone is guarding a company's encrypted
> envelopes? I'm impressed.

Gosh. You are either trolling or you understood nothing.


--
Cheers,
Carlos E.R.

nospam

unread,
May 12, 2019, 10:42:05 AM5/12/19
to
In article <gjqa7c...@mid.individual.net>, Carlos E. R.
<robin_...@es.invalid> wrote:

> >>>> Another bank I know improves things by allowing the user to set up to 8
> >>>> digits.
> >>>
> >>> that's better, but only slightly. it's still under 1 second to brute
> >>> force all combinations.
> >>
> >> Try. At the third failed try, you are out, and you have to phone to get
> >> another attempt.
> >
> > irrelevant when the bank's database has been breached.
>
> Nobody has done it yet.

there's no way to be sure about that, but when (not if) it's breached,
you're screwed.

123456789

unread,
May 12, 2019, 11:33:15 AM5/12/19
to
Perhaps just my point that maximum paranoia/security/hassle
is not for everyone. I also don't drive a large truck on the
freeway to avoid injury in the minuscule possibility that I
might get into an accident...

123456789

unread,
May 12, 2019, 11:42:35 AM5/12/19
to
Carlos E. R. wrote:
> 123456789 wrote:

>> My password alone is guarding a company's encrypted
>> envelopes? I'm impressed.

> Gosh. You are either trolling or you understood nothing

Thanks Carlos. I guess my tongue in cheek was lost on you.
Perhaps the language difference? Or maybe I just needed to
use an emoticon for the sartorially impaired... ;)



Carlos E. R.

unread,
May 12, 2019, 1:09:10 PM5/12/19
to
LOL X'-)

--
Cheers,
Carlos E.R.

xJumper

unread,
May 12, 2019, 3:35:11 PM5/12/19
to
On 5/10/19 10:06 PM, Arlen G. Holder wrote:
> xJumper ... is there a good basic description of how the average home owner
> can set up an automatic sync, assuming a static IP address, of the common
> private databases (ics, vcard, kdbx, tc, etc.)?
> automatic update for ics files.


To run any kind of home server/self-hosted thing you probably want to
start out with getting a domain name. Even if you use web mail getting
it associated/linked to a domain name you own is a good idea since it
means emails associated with your persona go to that domain and the
webmail provider is just that, an email provider only. This allows you
to switch freely between providers and never have your email address
held hostage.

Getting a domain name with a registrar that supports DDNS (Dynamic DNS)
is the next step in setting up home brew solutions. With this you don't
need a static IP and/or the expensive business internet connections
typically associated with it.

Dynamic DNS is simply a program you run on your machine/server/router or
what have you that will monitor your WAN IP and update the IP record of
your domain name on the registrar when it changes. This allows you to run
home brew servers/self-hosted solutions with a real domain instead of
trying to figure out and remember your constantly changing dynamic IP
and connecting to your home brew solution by numerical address.

Once you do that, the sky's the limit. You can set up a NAS with files and
port forward from your router to make it accessible from the internet,
have whatever files you want on it (including .kdbx files). You can use
some of the on-rails solutions like Nextcloud, or a quick and dirty
solution like I suggested, simply placing the .kdbx file in your router's
home directory and accessing it via the SCP protocol, which can be done in
Keepass2 using the auto-syncing SCP plugin.




xJumper

unread,
May 12, 2019, 3:39:24 PM5/12/19
to
On 5/12/19 11:42 AM, 123456789 wrote:
>
> Thanks Carlos. I guess my tongue in cheek was lost on you.
> Perhaps the language difference? Or maybe I just needed to
> use an emoticon for the sartorially impaired...  ;)

So instead of just using facts and logic to properly argue a point, e.g.
"what you say is true but I don't require that level of protection and
am comfortable with my setup".... You just go on and on pretending you
don't understand to waste everyone's time when people are giving real
advice on how cryptographic/modern cracking works.

Lol you're fucked.


123456789

unread,
May 12, 2019, 8:13:14 PM5/12/19
to
xJumper wrote:
> 123456789 wrote:

>> Thanks Carlos. I guess my tongue in cheek was lost on
>> you. Perhaps the language difference? Or maybe I just
>> needed to use an emoticon for the sartorially
>> impaired... ;)

> So instead of just using facts and logic to properly
> argue a point, e.g. "what you say is true but I don't
> require that level of protection and am comfortable with
> my setup"....

This (sub-thread?) started when someone said his wife
was using the same password on everything. He wondered if
there was something between doing that and using a password
manager. That's when I mentioned the password formula system
that I've been using for almost 30 years now. It seemed to
fit what he might want. It was just a suggestion.

And when others wanted to discuss the system I was happy to
do so. Things seemed pretty cordial until you went cerebral.

> You just go on and on pretending you don't understand to
> waste everyone's time when people are giving real advice
> on how cryptographic/modern cracking works.

I never asked for and frankly don't give a damn about
your modern password cracking lectures. I suppose it would
have been more humane of me to have just ignored them.
I'll endeavor to do that in the future.

> Lol you're fucked.

BTW for some odd reason both my tablets (Fire HD8 and
Samsung S4) using the Android Groundhog newsreader refuse to
open your posts giving me an error message. No problems with
anyone else. Curious. Perhaps I should use Groundhog more
often... ;)

Have we worn this out yet?

Chris

unread,
May 13, 2019, 3:11:44 AM5/13/19
to
Carlos E. R. <robin_...@es.invalid> wrote:
> On 12/05/2019 00.35, nospam wrote:
>> In article <gjoq7j...@mid.individual.net>, Carlos E. R.
>> <robin_...@es.invalid> wrote:
>>
>>>>>> Yep. Many places don't allow special characters or uppercase letters or
>>>>>> numbers or have quite short maximum lengths - i kid you not.
>>>>>
>>>>> Bank. 4 digits.
>>>>
>>>> that's a pin code, not a password.
>>>
>>> That has to be used on the web page to gain access - call it as you wish.
>>
>> nope. to log into a web site (not just banks), a username (usually
>> email, but not always) and a password is required, which is not a 4
>> digit number. most web sites require a password with at least 6
>> characters, using a combination of letters, numbers and (hopefully)
>> symbols.
>
> Not here.

As per usual nospam claims his experience is universal. Yes, most websites
have sensible practises, but many don't. We're specifically talking about
them.

For example until about last year the Air France site only required a 6
digit PIN and your email address.

Chris

unread,
May 13, 2019, 3:22:44 AM5/13/19
to
nospam <nos...@nospam.invalid> wrote:
> In article <qb6uec$ajn$1...@dont-email.me>, Libor Striz
> <poutnik4R...@gmailCAPITALS.com.INVALID> wrote:
>
>>> Yep. Many places don't allow special characters or uppercase letters or
>>> numbers or have quite short maximum lengths - i kid you not
>>
>>>> Bank. 4 digits.
>>
>>> that's a pin code, not a password.
>>
>> The PIN code is a password in the format of 4 digit characters.
>
> nope. it's a numeric code for an atm/debit/credit card.
>
> the password is what is used to log into the bank's web site (or
> another company), along with the user id (usually an email but
> sometimes a user-selected name), comprised of letters, numbers and/or
> symbols, usually a minimum of 6-8 characters and ideally *much* longer
> than that.

Banks in UK are going over the top now. You need three codes: a user id, a
PIN and a password of which they ask for three random characters from. Then
you need a physical device to actually do anything. The physical device is
sometimes a credit sized card with a number grid. All this is a pain in the
arse as if you're away from home you're severely limited in what you can
do, plus you need a different device for each bank <sigh>.

Chris

unread,
May 13, 2019, 3:30:59 AM5/13/19
to
123456789 <12...@12345.com> wrote:
> Chris wrote:
>> 123456789 wrote:
>
>> Many places don't allow special characters or uppercase
>> letters or numbers or have quite short maximum lengths -
>> i kid you not.
>
> I doubt many sensitive sites don't allow complex passwords.
> And if I run into a non-sensitive site that won't accept my
> complex character formula password I'll just make one up
> that fits and let Google remember it.
>
>> My passwords file is under my control on all my devices.
>
> Impossible to be hacked? Impossible is a strong word...

It is. Which is why I didn't use it ;)

>>> Can you imagine a software glitch losing or botching
>>> the passwords
>
>> That software glitch would have to take out all local
>> copies of my passwords database file at the same time,
>> plus all backups. The risk is minuscule.
>
> Yes, and I suppose a wetware glitch (stroke) might do the
> same to mine... :-/

True. A friend has his password manager's password written in his will!

>> The daily savings in effort are also huge. For every
>> website i need to login all it takes is a double-click on
>> the entry in my manager.
>
> What happens if you are at a friend's house and want to log
> into one of your sites on his computer?

Why would you want to? I have my phone for mobile access to sites.

>> No more typing of passwords :)
>
> I look at it as good exercise for my brain (memory) which
> goodness knows needs all the exercise it can get these days...

I have plenty other things to exercise my mind.


Chris

unread,
May 13, 2019, 3:42:57 AM5/13/19
to
xJumper <suga...@mailinator.com> wrote:
>
> Say I crack your Amazon account password, it says it needs a 2FA code
> from your mobile, well, a lot of times I don't even need to look for
> your mobile number because it says it in some prompt that it will send a
> code to your number and then lists the number.

That's why they only show the last few digits. Same as credit cards.


Carlos E. R.

unread,
May 13, 2019, 6:13:08 AM5/13/19
to
Yes, same thing here. And they may also send a confirmation code to the
smartphone, which can be an SMS or a push message to the bank application.

The pin code only allows read access, no operations.

In fact, there are companies that offer to do analysis of your bank
setup, your accounts, savings, etc, and tell you when you'd better do
something else. For this they need read access to your account, which
they get by having the login/pin code, but not the operation password.


--
Cheers,
Carlos E.R.

Carlos E. R.

unread,
May 13, 2019, 6:17:22 AM5/13/19
to
On 13/05/2019 09.11, Chris wrote:
> Carlos E. R. <robin_...@es.invalid> wrote:
>> On 12/05/2019 00.35, nospam wrote:
>>> In article <gjoq7j...@mid.individual.net>, Carlos E. R.
>>> <robin_...@es.invalid> wrote:
>>>
>>>>>>> Yep. Many places don't allow special characters or uppercase letters or
>>>>>>> numbers or have quite short maximum lengths - i kid you not.
>>>>>>
>>>>>> Bank. 4 digits.
>>>>>
>>>>> that's a pin code, not a password.
>>>>
>>>> That has to be used on the web page to gain access - call it as you wish.
>>>
>>> nope. to log into a web site (not just banks), a username (usually
>>> email, but not always) and a password is required, which is not a 4
>>> digit number. most web sites require a password with at least 6
>>> characters, using a combination of letters, numbers and (hopefully)
>>> symbols.
>>
>> Not here.
>
> As per usual nospam claims his experience is universal. Yes, most websites
> have sensible practices, but many don't. We're specifically talking about
> them.

Certainly.

Change bank ASAP! Well, for one reason they have not been hacked yet,
there is insurance, it would be their fault, and moving assets is done
at a loss. Besides other banks having similar web practices and being
smaller have less offices and other inconveniences.

> For example until about last year the Air France site only required a 6
> digit PIN and your email address.

Yep. There are many sites using absurd methods. So fly on a cheap
company with cramped seats instead? No, thanks.

--
Cheers,
Carlos E.R.

Carlos E. R.

unread,
May 13, 2019, 6:20:20 AM5/13/19
to
On 13/05/2019 09.30, Chris wrote:
> 123456789 <12...@12345.com> wrote:
>> Chris wrote:


>>>> Can you imagine a software glitch losing or botching
>>>> the passwords
>>
>>> That software glitch would have to take out all local
>>> copies of my passwords database file at the same time,
>>> plus all backups. The risk is minuscule.
>>
>> Yes, and I suppose a wetware glitch (stroke) might do the
>> same to mine... :-/
>
> True. A friend has his password manager's password written in his will!

Well, it is sensible. How can you tell your family when you are dead? A
sealed envelope would be nice.

>
>>> The daily savings in effort are also huge. For every
>>> website i need to login all it takes is a double-click on
>>> the entry in my manager.
>>
>> What happens if you are at a friend's house and want to log
>> into one of your sites on his computer?
>
> Why would you want to? I have my phone for mobile access to sites.

I travel with a small laptop. Using somebody else's computer is a risk.
And they would have Windows, argh! Too risky.

--
Cheers,
Carlos E.R.

Daniel James

unread,
May 13, 2019, 9:40:22 AM5/13/19
to
In article <qb6rde$p1c$1...@dont-email.me>, 123456789 wrote:
>> If BadGuys-R-Us get hold of a big database of compromised
>> EMail addresses and passwords for different services
>
> If companies are hacked even a super complex password won't
> help.

Not for those companies, no ... but you can limit your exposure by not
using the same *or similar* passwords for other companies/services.
That's what we're discussing, here.

It helps if the companies in question store their verification data
properly, as salted password hashes rather than plain passwords, but
we're positing it might be possible for BadGuys to insinuate some code
that snatches the supplied password before it is hashed.

Always protect against the worst-case scenario!

--
Cheers,
Daniel.
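
Added example (not part of Daniel James's post or of any service's real code): a sketch of the storage difference the post describes, showing what a copied verification table reveals when passwords are stored as a fast unsalted hash versus a per-account salted hash. The account names, passwords and the PBKDF2 iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Illustrative work factor; an assumption for this example, not a recommendation
# taken from the thread.
PBKDF2_ITERATIONS = 100_000


def store_unsalted(password: str) -> str:
    """Weak storage: one fast, unsalted hash. Equal passwords give equal records."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> dict:
    """Salted storage: a fresh random salt per account, fed through a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def shared_password_groups(table: dict) -> list:
    """Group accounts whose stored verifier is byte-for-byte identical.

    This is what anyone holding a copy of the table can read off directly,
    without guessing a single password.
    """
    groups = defaultdict(list)
    for account, record in table.items():
        # Unsalted records are plain hex strings; salted records are dicts.
        key = record if isinstance(record, str) else record["hash"]
        groups[key].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts (not real credentials). The first two model one
# person reusing a password at two services.
SAMPLE_USERS = {
    "alice@shop.example": "correct horse battery",
    "alice@forum.example": "correct horse battery",
    "bob@shop.example": "Tr0ub4dor&3",
}


def build_tables():
    """Return (unsalted_table, salted_table) for the same sample accounts."""
    unsalted = {u: store_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: store_salted(p) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, identical verifiers:", shared_password_groups(unsalted))
    print("salted, identical verifiers:  ", shared_password_groups(salted))
    print("salted login still verifies:  ",
          verify_salted(salted["bob@shop.example"], "Tr0ub4dor&3"))
```

Salting protects the stored table only; it does nothing for a password captured before it is hashed, which is the case the post raises and the reason a distinct password per service still matters.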


nospam

unread,
May 13, 2019, 10:37:50 AM5/13/19
to
In article <qbb5be$a5q$1...@dont-email.me>, Chris <ithi...@gmail.com>
wrote:

> >>>>>> Yep. Many places don't allow special characters or uppercase letters or
> >>>>>> numbers or have quite short maximum lengths - i kid you not.
> >>>>>
> >>>>> Bank. 4 digits.
> >>>>
> >>>> that's a pin code, not a password.
> >>>
> >>> That has to be used on the web page to gain access - call it as you wish.
> >>
> >> nope. to log into a web site (not just banks), a username (usually
> >> email, but not always) and a password is required, which is not a 4
> >> digit number. most web sites require a password with at least 6
> >> characters, using a combination of letters, numbers and (hopefully)
> >> symbols.
> >
> > Not here.
>
> As per usual nospam claims his experience is universal. Yes, most websites
> have sensible practices, but many don't. We're specifically talking about
> them.

very few don't, and that doesn't make a pin code a password.

> For example until about last year the Air France site only required a 6
> digit PIN and your email address.

they finally realized that it was insecure.

nospam

unread,
May 13, 2019, 10:37:51 AM5/13/19
to
In article <gjsun2...@mid.individual.net>, Carlos E. R.
<robin_...@es.invalid> wrote:

> >>>> Can you imagine a software glitch losing or botching
> >>>> the passwords
> >>
> >>> That software glitch would have to take out all local
> >>> copies of my passwords database file at the same time,
> >>> plus all backups. The risk is minuscule.
> >>
> >> Yes, and I suppose a wetware glitch (stroke) might do the
> >> same to mine... :-/
> >
> > True. A friend has his password manager's password written in his will!
>
> Well, it is sensible.

it's not at all sensible. it's incredibly stupid.

> How can you tell your family when you are dead? A
> sealed envelope would be nice.

tell family members ahead of time, or use a password manager that
handles that scenario.

<https://blog.lastpass.com/2016/04/preparing-a-digital-will-for-your-passwords.html/>

<https://blog.lastpass.com/2016/07/how-to-get-started-with-lastpass-emergency-access.html/>

123456789

unread,
May 13, 2019, 10:52:02 AM5/13/19
to
Chris wrote:
> 123456789 wrote:

> A friend has his password manager's password written in
> his will!

Does he trust his lawyer? Does he trust his lawyer's staff?
Does he trust his lawyer's computers? If a paper will, has he
hidden it well? And how much does he trust his (dishonest
and greedy?) relatives. Where there's a WILL there's a way...

>> What happens if you are at a friend's house and want to
>> log into one of your sites on his computer?

> Why would you want to? I have my phone for mobile access
> to sites.

Good point. I can't ever remember doing it either. But I
could in an emergency. Very small advantage I admit.

>> I look at it [remembering passwords] as good exercise
>> for my brain

> I have plenty other things to exercise my mind.

We're both glad you're not me... ;)

123456789

unread,
May 13, 2019, 11:09:03 AM5/13/19
to
Chris wrote:

> Banks in UK are going over the top now. You need three
> codes: a user id, a PIN and a password of which they ask
> for three random characters from. Then you need a
> physical device to actually do anything. The physical
> device is sometimes a credit sized card with a number
> grid. All this is a pain in the arse as if you're away
> from home you're severely limited in what you can do,
> plus you need a different device for each bank <sigh>.

I do all my (US-AZ) banking on my phone. When I first
installed and opened the banking apps they required a ONE
TIME SMS 2FA to authorize the device. Since then all I need
do is enter my password. One app makes it even easier by
allowing a locally chosen 4 digit PIN after the first
password entry.

123456789

unread,
May 13, 2019, 11:41:23 AM5/13/19
to
Daniel James wrote:

> you can limit your exposure by not using the same *or
> similar* passwords for other companies/services. That's
> what we're discussing, here.

Even if the bad guys got ONE of my formula generated
passwords from ONE compromised company server, they wouldn't
know what my other companies were. And from that one
gibberish looking password they wouldn't know or even
suspect it was a formula generated password.

To hack my system they would have to break into several of
my company servers and compare several of my passwords. What
are the chances...

> Always protect against the worst-case scenario!

If I did that I would have an eight foot steel wall around
my house. I don't of course. I simply take reasonable
precautions. My password system is reasonably secure.

Some years back I lost a lot of ebooks because a company
went belly up. I never had full control over those books.
Perhaps that somewhat explains my reluctance to relinquish
control of my passwords to more software...




Carlos E. R.

unread,
May 13, 2019, 2:09:31 PM5/13/19
to
On 13/05/2019 17.41, 123456789 wrote:
> Daniel James wrote:


> Some years back I lost a lot of ebooks because a company
> went belly up. I never had full control over those books.
> Perhaps that somewhat explains my reluctance to relinquish
> control of my passwords to more software...

Didn't you make, er, "backups"?


--
Cheers,
Carlos E.R.

Arlen G. Holder

unread,
May 13, 2019, 2:31:34 PM5/13/19
to
On Sun, 12 May 2019 15:35:10 -0400, xJumper wrote:


> simply placing the .kbdx file on your router's
> home directory and accessing it via SCP protocol which can be done in
> Keepass2 using the auto-syncing SCP plugin.

Hi xJumper,
Thanks for that detailed set of instructions, summarized below:
1. Get a domain name from a DDNS-supporting registrar (allows dynamic IP)
2. Run Dynamic DNS on your server or router to update the registrar
3. Set up a NAS & port forward of desired files, via the router
4. And then setting up Keepass2 for auto-syncing via the SCP protocol

The other thread also came up with ideas which I will explore:
o Do you have an existing working automatic sync setup for all your devices on your home LAN?
<https://groups.google.com/forum/#!topic/alt.comp.freeware/KI9m-50mOkg>

I summarized my upcoming tests in this post as I explored solutions:
<https://groups.google.com/d/msg/alt.comp.freeware/KI9m-50mOkg/lptIDbljAwAJ>

Where the quick summary is that the following freeware may work:
o *GoodSync Free*
<https://www.goodsync.com/download/GoodSync-v10-Setup.exe>
<https://www.goodsync.com/download/GoodSync-v10-2Go-Setup.exe>
o *SyncBack Free*
<https://www.2brightsparks.com/assets/software/SyncBack_Setup.exe>
o *Microsoft SyncToy 2.1*
<https://download.microsoft.com/download/6/c/4/6c406239-a648-4e01-833e-2c452deed3b6/SyncToySetupPackage_v21_x64.exe>
<https://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe>
o Resilio Sync (free?)
<https://download-cdn.resilio.com/stable/windows64/Resilio-Sync_x64.exe>

If/when I get an autosync solution set up, I will edify the team.

I much appreciate that you, xJumper, appear to be an expert in Android,
where every post of yours contains useful value for the rest of us, where I
applaud that you bring value to the table of this Usenet potluck picnic.

Thanks from me, and from everyone who cares to learn more from you!

123456789

unread,
May 13, 2019, 2:59:02 PM5/13/19
to
Carlos E. R. wrote:
> 123456789 wrote:

>> Some years back I lost a lot of ebooks because a
>> company went belly up. I never had full control over
>> those books. Perhaps that somewhat explains my
>> reluctance to relinquish control of my passwords to
>> more software...

> Didn't you make, er, "backups"?

My ebooks were encrypted and could only be read with the
defunct seller's no longer functioning software. So though
they were stored on my hard drive they were rendered unusable.

Many authors and sellers still encrypt their ebooks to
battle piracy. Can't say I blame them. I once was an ardent
downloader of the Usenet ebook groups. However I got
religion when a son-in-law became a struggling author. I now
have over 500 ebooks in my Amazon account. Ebooks are cheap
entertainment so why steal from the authors and sellers?

And yes many Amazon ebooks are also encrypted. However that
encryption is relatively easy to break and I keep text file
copies for a backup (but not for sharing) though I doubt
Amazon will go broke anytime soon...


Carlos E. R.

unread,
May 13, 2019, 10:39:30 PM5/13/19
to
On 13/05/2019 20.58, 123456789 wrote:
> Carlos E. R. wrote:
>> 123456789 wrote:
>
>>> Some years back I lost a lot of ebooks because a
>>> company went belly up. I never had full control over
>>> those books. Perhaps that somewhat explains my
>>> reluctance to relinquish control of my passwords to
>>> more software...
>
>> Didn't you make, er, "backups"?
>
> My ebooks were encrypted and could only be read with the
> defunct seller's no longer functioning software. So though
> they were stored on my hard drive they were rendered unusable.

If they

Damn it. Wikipedia doesn't load, I can't verify what I was going to write.

If you can open those books in Adobe Digital Editions, it is possible to
break the encryption and do a private backup with protection removed.
Problem is, ADE only runs in Windows.


> Many authors and sellers still encrypt their ebooks to
> battle piracy. Can't say I blame them. I once was an ardent
> downloader of the Usenet ebook groups. However I got
> religion when a son-in-law became a struggling author. I now
> have over 500 ebooks in my Amazon account. Ebooks are cheap
> entertainment so why steal from the authors and sellers?
>
> And yes many Amazon ebooks are also encrypted. However that
> encryption is relatively easy to break and I keep text file
> copies for a backup (but not for sharing) though I doubt
> Amazon will go broke anytime soon...

Same here, but not from Amazon. All paid for, not shared, and with a
proper backup. Almost as safe as paper, they can not remove them from me
without my permission, and I can pass them on to my inheritors.

--
Cheers,
Carlos E.R.

123456789

unread,
May 13, 2019, 10:57:49 PM5/13/19
to
Carlos E. R. wrote:
> 123456789 wrote:

>> My ebooks were encrypted and could only be read with
>> the defunct seller's no longer functioning software.

> If you can open those books in Adobe Digital Editions,
> it is possible to break the encryption and do a private
> backup with protection removed.

Thanks but the books are long gone. It happened well over 20
years ago.

Carlos E. R.

unread,
May 14, 2019, 5:48:08 AM5/14/19
to
20? You were an early adopter of ebooks then.

--
Cheers,
Carlos E.R.

123456789

unread,
May 14, 2019, 11:13:20 AM5/14/19
to
Carlos E. R. wrote:
> 123456789 wrote:
>> Carlos E. R. wrote:
>>> 123456789 wrote:

>>>> My ebooks were encrypted and could only be read
>>>> with the defunct seller's no longer functioning
>>>> software.

>>> If you can open those books in Adobe Digital
>>> Editions, it is possible to break the encryption and
>>> do a private backup with protection removed.

>> Thanks but the books are long gone. It happened well
>> over 20 years ago.

> 20? You were an early adopter of ebooks then.

I started reading ebooks in the early 90's. I like ebooks
for 2 reasons, storage and portability. But for that I would
actually prefer real books.

Storage: Can you imagine having to locally store the 500+
books in my Amazon account? In the old days I just gave
most of my read books to charity. Now when I can't find
something new I often reread a stored ebook from the past. I
am sometimes amazed that it reads like a new book since I
have forgotten most of it. Perhaps it has something to do
with age... :-/

Portability: I've always liked to read on the go. In the old
days I'd rip a chapter out of a paperback for portability to
carry with me. Folks on the Usenet ebook groups used to be
horrified at the practice and accused me of sacrilege...

My first truly portable device was my Palm Pilot with its
Peanut Reader in the late 90's. That was a fun gadget on
many levels.

As I mentioned before, I also got ebooks from Usenet. No
encryption breaking in those days. Folks actually physically
scanned their paper books, page by page, to post them. That
was dedication...

Anyway that's more info than you wanted but there it is...


Carlos E.R.

unread,
May 14, 2019, 12:36:07 PM5/14/19
to
On 14/05/2019 17.13, 123456789 wrote:
> Carlos E. R. wrote:
>> 123456789 wrote:
>>> Carlos E. R. wrote:
>>>> 123456789 wrote:
>
>>>>> My ebooks were encrypted and could only be read
>>>>> with the defunct seller's no longer functioning
>>>>> software.
>
>>>> If you can open those books in Adobe Digital
>>>> Editions, it is possible to break the encryption and
>>>> do a private backup with protection removed.
>
>>> Thanks but the books are long gone. It happened well
>>> over 20 years ago.
>
>> 20? You were an early adopter of ebooks then.
>
> I started reading ebooks in the early 90's. I like ebooks
> for 2 reasons, storage and portability. But for that I would
> actually prefer real books.
>
> Storage: Can you imagine having to locally store the 500+
> books in my Amazon account?

I don't have to imagine it. I do :-D

> In the old days I just gave
> most of my read books to charity. Now when I can't find
> something new I often reread a stored ebook from the past. I
> am sometimes amazed that it reads like a new book since I
> have forgotten most of it. Perhaps it has something to do
> with age... :-/

I know that feeling. I keep a database of books not to buy some title a
second time. At first I may not notice, till at some point I say: "this
plot seems familiar...:-?" :-D


> Portability: I've always liked to read on the go. In the old
> days I'd rip a chapter out of a paperback for portability to
> carry with me. Folks on the Usenet ebook groups used to be
> horrified at the practice and accused me of sacrilege...

Argh! Rip a book! :-o


> My first truly portable device was my Palm Pilot with its
> Peanut Reader in the late 90's. That was a fun gadget on
> many levels.
>
> As I mentioned before, I also got ebooks from Usenet. No
> encryption breaking in those days. Folks actually physically
> scanned their paper books, page by page, to post them. That
> was dedication...

Oh, yes, I have read some that way. But I had to print them locally, I
had no reader.

>
> Anyway that's more info than you wanted but there it is...

I'll give you another reason: ease of purchase. I live in Spain, and
here, unless you live on one of the large cities, purchasing a
particular English book may be impossible. Once I bought a book from a
NY shop. Price was about one dollar, but post and packaging was about
8... For me the epub is a revolution, I can buy any book I want (in
English on my case) without delay.

But first I had to buy a reader. I got a Kobo touch on a trip to Canada,
and it was expensive. Could it have been 200 dollars? Now it is less
than 70 euros. Initially I thought about getting a kindle, but they
mentioned the Kobo which was sold locally there. I still use it,
although the battery needs replacement.


My surprise with you is not that you like ebooks, but that you had a
reader that early. I had to read on the computer, which I do not like, I
prefer the sofa, or print them.


--
Cheers, Carlos.

123456789

unread,
May 14, 2019, 1:47:20 PM5/14/19
to
Carlos E.R. wrote:

> I live in Spain, and here, unless you live on one of the
> large cities, purchasing a particular English book may
> be impossible.

I live in a large metro area with around 6M people. But
though there are lots of bookstores they are slowly closing.
Perhaps because of people like me. I browse my local Barnes
and Noble while the wife shops and if I find a good
book...you guessed it, I whip out my phone and buy it on
Amazon. But in my defense I often buy a soda at their snack
bar while I start reading my new ebook...

> I got a Kobo touch on a trip to Canada, and it was
> expensive. Could it have been 200 dollars?

My first Palm Pilot was around $400 US IIRC.

> Initially I thought about getting a kindle

I've had several Kindles over the years. I probably won't
buy another. Other than battery life, they have few
advantages over a tablet or phone IMO.

> My surprise with you is not that you like ebooks, but
> that you had a reader that early

I read my first pirated ebook on an Atari 400 fed into a small
CRT type TV set. It wasn't all that pleasant but I was
trying to save a buck...

> I had to read on the computer, which I do not like, I
> prefer the sofa, or print them.

I often read my ebooks on a 12" Chromebook (that I'm
currently posting with). Picture me sitting on my big plushy
comfortable recliner, legs up, pillow on my lap, Chromebook
on the pillow, black screen with white type for easy eyes,
and an occasional space bar hit to change pages.

BTW that's how I'm currently typing this post. Makes me
sleepy just describing itttttttt...snore........

Carlos E.R.

unread,
May 14, 2019, 3:36:06 PM5/14/19
to
On 14/05/2019 19.47, 123456789 wrote:
> Carlos E.R. wrote:
>
>> I live in Spain, and here, unless you live on one of the
>>  large cities, purchasing a particular English book may be impossible.
>
> I live in a large metro area with around 6M people. But
> though there are lots of bookstores they are slowly closing.
> Perhaps because of people like me. I browse my local Barnes
> and Noble while the wife shops and if I find a good
> book...you guessed it, I whip out my phone and buy it on
> Amazon. But in my defense I often buy a soda at their snack
> bar while I start reading my new ebook...

I do the same.

Last September I made a trip to Ottawa. I had a gift card on a big book
shop there, Chapters, the same place where I had bought my reader. I
perused their many shelves, and made a large list of books. Then I went
to the counter with the list and the gift card, and said I wanted them
in epub format. They said they didn't know how to do it, email the
management. I googled later, and found out that it is a common question.
Some people said to buy a Kobo/Rakuten gift card with the Chapters gift
card.

Absurd.

Back in Spain, I sometimes look at the shelves of the much smaller book
store of a local chain; I can make a list and later purchase at /their/
web shop in epub format.

If at the Chapters web page you select a book and click purchase as
epub, you are automatically redirected to the correct link for that book
at kobo store (Rakuten)


>> I got a Kobo touch on a trip to Canada, and it was expensive. Could it
>> have been 200 dollars?
>
> My first Palm Pilot was around $400 US IIRC.
>
>> Initially I thought about getting a kindle
>
> I've had several Kindles over the years. I probably won't
> buy another. Other than battery life, they have few
> advantages over a tablet or phone IMO.

I prefer an electronic paper display for reading, much more restful than
the shiny display of a tablet. Pity they haven't invented yet a colour one.


>> My surprise with you is not that you like ebooks, but that you had a
>> reader that early
>
> I read my first pirated ebook on an Atari 400 fed into a small
> CRT type TV set. It wasn't all that pleasant but I was
> trying to save a buck...

Yes, of course.

>
>> I had to read on the computer, which I do not like, I prefer the sofa,
>> or print them.
>
> I often read my ebooks on a 12" Chromebook (that I'm
> currently posting with). Picture me sitting on my big plushy
> comfortable recliner, legs up, pillow on my lap, Chromebook
> on the pillow, black screen with white type for easy eyes,
> and an occasional space bar hit to change pages.

:-D


> BTW that's how I'm currently typing this post. Makes me
> sleepy just describing itttttttt...snore........
>

:-D

--
Cheers, Carlos.

123456789

unread,
May 14, 2019, 7:41:12 PM5/14/19
to
Carlos E.R. wrote:

> I prefer an electronic paper display for reading, much
> more restful than the shiny display of a tablet.

Reading style preferences are a YMMV thing of course. In
recent years I've gotten used to reading white type on a
black background (on all my devices) which I also find very easy
on the eyes. Try it sometime. Takes a little getting used to
at first but now it seems very normal to me.

Carlos E.R.

unread,
May 14, 2019, 10:16:06 PM5/14/19
to
Oh, it was normal to us long ago ;-)

Then one day I noticed that on a CGA display black letters on clear
display were almost smooth, while white letters were like dots with thin
black breaks.

But yes, there is a tendency for dark themes now.

--
Cheers, Carlos.