Keeping Track of Multiple Passwords


vjosullivan

Dec 17, 2012, 2:39:04 AM
to java...@googlegroups.com
Has anyone found a reasonably accessible (yet secure) way of keeping track of multiple passwords across different systems, retrievable from various locations (e.g. at home, work or on the road)?

Matthew Farwell

Dec 17, 2012, 3:13:03 AM
to java...@googlegroups.com
Personally, I use a combination of Password Safe and Dropbox. I store the password file in the dropbox folder and it gets synced automatically.
I only use the windows version of password safe, I'm not sure about the linux version of it.

Matthew Farwell.

Jan Goyvaerts

Dec 17, 2012, 3:48:35 AM
to java...@googlegroups.com
I'm using Lastpass - it logs in for you, generates impossible passwords, has a plugin for many browsers, seems to have integration with Linux systems too. It has an ios app, but never used that.

I don't even know the passwords of the sites any more. I just know it's all different 20+ characters random crap. I only know the master password. :-)

--
You received this message because you are subscribed to the Google Groups "Java Posse" group.
To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/qyrKu_kOKVMJ.

To post to this group, send email to java...@googlegroups.com.
To unsubscribe from this group, send email to javaposse+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.

Fabrizio Giudici

Dec 17, 2012, 5:55:35 AM
to java...@googlegroups.com, Jan Goyvaerts
On Mon, 17 Dec 2012 09:48:35 +0100, Jan Goyvaerts <java.a...@gmail.com> wrote:

> I'm using Lastpass <https://lastpass.com/> - it logs in for you, generates
> impossible passwords, has a plugin for many browsers, seems to have
> integration with Linux systems too. It has an ios app, but never used that.
>
> I don't even know the passwords of the sites any more. I just know it's all
> different 20+ characters random crap. I only know the master password. :-)

It's what I'd like to do - but who guarantees that Lastpass is secure?
That it stores passwords correctly encrypted? That it doesn't leak them in
memory? That it doesn't send them to a server?

Until somebody convinces me of the safety of these tools (*) I keep the
non-critical passwords (e.g. forums) stored in my browser, and the
critical ones (e.g. money-related, etc...) in a plain text file stored in
a USB key encrypted with Truecrypt, that I only mount when needed. This
involves that I don't do anything critical with my Android phone.


(*) Honestly, I think it's very hard to do. It would involve at least:
that the tool is open source, that it has been reviewed by some experts
and that I can install the application from a build I do by myself.

--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio...@tidalwave.it

Jan Goyvaerts

Dec 17, 2012, 6:06:31 AM
to Fabrizio Giudici, java...@googlegroups.com
On Mon, Dec 17, 2012 at 11:55 AM, Fabrizio Giudici <Fabrizio...@tidalwave.it> wrote:
> On Mon, 17 Dec 2012 09:48:35 +0100, Jan Goyvaerts <java.a...@gmail.com> wrote:
>
>> I'm using Lastpass <https://lastpass.com/> - it logs in for you, generates
>> impossible passwords, has a plugin for many browsers, seems to have
>> integration with Linux systems too. It has an ios app, but never used that.
>>
>> I don't even know the passwords of the sites any more. I just know it's all
>> different 20+ characters random crap. I only know the master password. :-)
>
> It's what I'd like to do - but who guarantees that Lastpass is secure? That it stores passwords correctly encrypted? That it doesn't leak them in memory? That it doesn't send them to a server?

You have to take the word of the owners of Lastpass of course... And when THEY get hacked you're in deep .... As with everything in security it's all about who trusts whom. Personally, I'd think LastPass is safe.

What I'd appreciate is that they would also know how to handle password changes. That I can reset all my passwords in batch. :-)
 

> Until somebody convinces me of the safety of these tools (*) I keep the non-critical passwords (e.g. forums) stored in my browser, and the critical ones (e.g. money-related, etc...) in a plain text file stored in a USB key encrypted with Truecrypt, that I only mount when needed. This involves that I don't do anything critical with my Android phone.

What backup plan do you have in case you lose the usb stick, erase it by accident, ... ? :-)

Kevin Wright

Dec 17, 2012, 6:17:24 AM
to java...@googlegroups.com, Jan Goyvaerts
At this point, you're probably being over-paranoid in the wrong direction!

So far as I'm aware, you're at higher risk of having your card cloned from a cardholder-not-present transaction over the phone, or from day-0 exploit that logs your keyboard/clipboard, or from a remote website being hacked, or from a cashpoint that's been exploited.

Can you convince me that it's safer to type in your password each time, or to copy/paste than it is to allow a dedicated application to autofill web forms for you?

Fabrizio Giudici

Dec 17, 2012, 6:23:21 AM
to Jan Goyvaerts, java...@googlegroups.com

> What backup plan do you have in case you lose the usb stick, erase it by
> accident, ... ? :-)

The stick is cloned onto another truecrypt disk (this time, it's stored in
a file) on my NAS.

Casper Bang

Dec 17, 2012, 6:29:07 AM
to java...@googlegroups.com
I use Pocket (formerly SecureWallet, by Tim Clark) for Android, which uses Dropbox as backing store:

There likely are similar and better alternatives, but Wallet works as a mini-wiki too, and is the only one I've reverse-engineered to verify security aspects of (should other people be interested in seeing how Wallet works, I threw up some code on GitHub under a BSD license: https://github.com/casperbang/open-pocket)

Interesting topic for sure.
/Casper

Paulo "JCranky" Siqueira

Dec 17, 2012, 6:32:48 AM
to java...@googlegroups.com

+1 for lastpass

[]s,

Paulo "JCranky" Siqueira
http://jcranky.com
http://lojinha.paulosiqueira.com.br


Fabrizio Giudici

Dec 17, 2012, 6:37:11 AM
to java...@googlegroups.com, Kevin Wright, Jan Goyvaerts
On Mon, 17 Dec 2012 12:17:24 +0100, Kevin Wright
<kev.lee...@gmail.com> wrote:

> At this point, you're probably being over-paranoid in the wrong direction!
>
> So far as I'm aware, you're at higher risk of having your card cloned from
> a cardholder-not-present transaction over the phone, or from day-0 exploit
> that logs your keyboard/clipboard, or from a remote website being hacked,
> or from a cashpoint that's been exploited.

Each risk breach has got its cost. If my card is cloned (it's difficult
nowadays, since they are all microchipped) I'd get in any case immediate
notification of transactions by means of SMS messaging and I'd block the
card. Usually the card company doesn't have problems in refunding the
transaction. For the most precious asset, my banking accounts, I have
three (since the past years, also to minimize financial risks of banks),
and I distribute money among them. If somebody steals one of the
passwords, it could drain one of my accounts. If all my passwords are at
LastPass and it's breached, the bad guy could access immediately all my
accounts (well, only two of them: the third also requires one-time
passwords generated by a dongle; this makes LastPass useless for this
account).

>
> Can you convince me that it's safer to type in your password each time,
> or
> to copy/paste than it is to allow a dedicated application to autofill web
> forms for you?

Having a keyboard sniffer on my Mac sounds pretty much like the same risk as
having LastPass breached. This means that LastPass doesn't add any further
security, still it's one more system to take care of...


So far, the most interesting solution was the one advised by Casper quite
a few time ago (the topic was already debated), since I think he made some
analysis on the code... but I'm not convinced yet even of it.

Dominic Mitchell

Dec 17, 2012, 10:24:46 AM
to javaposse
I use 1password and dropbox.  It costs money, but it's been absolutely worthwhile for me.  1Password is available for Android, iOS, Mac and Windows, and once you've put your password storage in dropbox, it's shared automatically.

-Dom


On Mon, Dec 17, 2012 at 7:39 AM, vjosullivan <vjosu...@hotmail.com> wrote:
> Has anyone found a reasonably accessible (yet secure) way of keeping track of multiple passwords across different systems, retrievable from various locations (e.g. at home, work or on the road)?


Robert Casto

Dec 17, 2012, 10:38:12 AM
to javaposse
I use KeePass which has triple password protection. And then I store the file in Dropbox so I can get at it on my phone or other devices. Kind of a pain to use 3 passwords but it gets the job done. Every tool professes to be very good at security. I like that I can have the file where I need it and that it would take more than just a password to get at the 440+ entries in there.

Marc

Dec 17, 2012, 11:31:12 AM
to java...@googlegroups.com, Jan Goyvaerts


On Monday, December 17, 2012 5:55:35 AM UTC-5, fabrizio.giudici wrote:
> On Mon, 17 Dec 2012 09:48:35 +0100, Jan Goyvaerts <java.a...@gmail.com> wrote:
>
>> I'm using Lastpass <https://lastpass.com/> - it logs in for you, generates
>> impossible passwords, has a plugin for many browsers, seems to have
>> integration with Linux systems too. It has an ios app, but never used that.
>>
>> I don't even know the passwords of the sites any more. I just know it's all
>> different 20+ characters random crap. I only know the master password. :-)
>
> It's what I'd like to do - but who guarantees that Lastpass is secure?
> That it stores passwords correctly encrypted? That it doesn't leak them in
> memory? That it doesn't send them to a server?

Another +1 for LastPass. You can read more about it at https://lastpass.com/enterprise_technology.php but LastPass doesn't know anything about your password/passwords. It just stores your encrypted password vault.  For example, if you forget your LastPass master password, then you are out of luck, they can't possibly recover it for you.  All decryption happens locally.

I now have distinct passwords on most of my online accounts because LastPass makes it so much easier. This severely limits my exposure should a website get hacked that I have an account on.  To me that's the main security benefit of LastPass.
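The architecture Marc describes (keys derived locally, the provider holding only an encrypted vault it cannot open) can be shown in a few dozen lines. The following is an added example written for this page, not LastPass's code or anything from its documentation. It assumes PBKDF2-HMAC-SHA256 for key derivation, a HMAC-SHA256 counter-mode keystream plus HMAC tag in place of AES-GCM so that it runs with the Python standard library alone, and constructed account names and vault entries.

```python
"""Client-side ("zero-knowledge") password vault, standard library only.

Added example, not LastPass's code. Every key is derived on the client from
the master password; the server stores a login verifier and ciphertext only,
so a server breach yields no plaintext and the provider cannot recover a
forgotten master password. PBKDF2-HMAC-SHA256, the HMAC counter-mode
keystream (a stand-in for AES-GCM) and all sample data are assumptions.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # illustrative; raise until derivation takes ~100 ms on the client


def derive_keys(master_password: str, username: str) -> Tuple[bytes, bytes]:
    """Return (vault encryption key, server-side login verifier).

    The username salts the derivation, so one master password reused on two
    accounts gives two unrelated keys. The verifier is one further PBKDF2
    step over the encryption key: the server can check it at login without
    ever holding the key that decrypts the vault.
    """
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  username.encode(), PBKDF2_ROUNDS)
    verifier = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, verifier


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter), truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(enc_key: bytes, entries: Dict[str, str]) -> Dict[str, str]:
    """Encrypt-then-MAC the JSON-serialised vault under a fresh random nonce."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(enc_key: bytes, blob: Dict[str, str]) -> Dict[str, str]:
    """Check the tag in constant time before decrypting; raise on tampering."""
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(enc_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault integrity check failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class VaultServer:
    """What the provider holds: a verifier and ciphertext per user, no keys."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict[str, object]] = {}

    def register(self, username: str, verifier: bytes, vault: Dict[str, str]) -> None:
        self.accounts[username] = {"verifier": verifier, "vault": vault}

    def login(self, username: str, verifier: bytes) -> Optional[Dict[str, str]]:
        stored = self.accounts.get(username)
        if stored is not None and hmac.compare_digest(stored["verifier"], verifier):
            return stored["vault"]
        return None


def demo() -> Tuple[Dict[str, str], bool, bool]:
    """Round-trip a vault and show that a wrong master password and a modified
    ciphertext are both rejected. Returns (recovered, wrong_rejected, tamper_detected)."""
    server = VaultServer()
    user = "alice@example.com"                    # constructed
    entries = {"bank.example": "Xk9!vR2#pLq7",    # constructed sample vault
               "forum.example": "m4Ws*8zTbNe1"}
    enc_key, verifier = derive_keys("correct horse battery staple", user)
    server.register(user, verifier, encrypt_vault(enc_key, entries))

    blob = server.login(user, verifier)
    recovered = decrypt_vault(enc_key, blob)

    _, wrong_verifier = derive_keys("wrong password", user)
    wrong_rejected = server.login(user, wrong_verifier) is None

    tampered = dict(blob)
    first = int(blob["ciphertext"][:2], 16) ^ 0xFF  # flip every bit of byte 0
    tampered["ciphertext"] = format(first, "02x") + blob["ciphertext"][2:]
    try:
        decrypt_vault(enc_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return recovered, wrong_rejected, tamper_detected
```

The point Fabrizio keeps raising still applies: nothing in this design stops a future client build from uploading `enc_key`, which is why the server-side half is easy to audit and the client is what needs source review. What the design does guarantee is that a dump of `VaultServer.accounts` gives an attacker only PBKDF2-rate guessing against the master password.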

Fabrizio Giudici

Dec 18, 2012, 4:49:30 AM
to java...@googlegroups.com, Marc, Jan Goyvaerts
On Mon, 17 Dec 2012 17:31:12 +0100, Marc <marc.c...@gmail.com> wrote:

> Another +1 for LastPass. You can read more about it at
> https://lastpass.com/enterprise_technology.php but LastPass doesn't know
> anything about your password/passwords. It just stores your encrypted
> password vault. For example, if you forget your LastPass master password,
> then you are out of luck, they can't possibly recover it for you. All
> decryption happens locally.

Marc, the problem is that this is what LastPass declares to do. Did you
see the code? What guarantees you that in a couple of years LastPass will
silently change the approach? What about bugs, that is the involuntary
leak of information? What about details: is LastPass careful in wiping
temporarily unencrypted passwords in memory as soon as they are no more
needed? Yesterday I read of an Android bug in Samsung implementation that
would allow to some crafted apps to bypass the memory sandbox and access
the memory of other apps.

Bruce Schneier said more than ten years ago that in his view open source
was not just a business model, but the only way to properly engineer a
security system.

Vince O'Sullivan

Dec 18, 2012, 5:05:25 AM
to java...@googlegroups.com
Thanks for all the responses.  Notwithstanding the hypothetical issues raised, I've decided to give LastPass a go.  The first immediate benefit was being able to open up our company intranet without having to log in to it first (previously only possible if using IE), which was nice.

Jan Goyvaerts

Dec 18, 2012, 5:22:06 AM
to java...@googlegroups.com
On Tue, Dec 18, 2012 at 11:05 AM, Vince O'Sullivan <vjosu...@gmail.com> wrote:
> Thanks for all the responses.  Notwithstanding the hypothetical issues raised, I've decided to give LastPass a go.  The first immediate benefit was being able to open up our company intranet without having to log in to it first (previously only possible if using IE), which was nice.

It appears LastPass works offline also; when their servers are down. The locally stored account data still is available. Never tried that though...

The account data can be exported & imported. So even the angle of LastPass disappearing is covered. :-)

I particularly appreciate it perceives you registering for a web site - and proposes to generate a password for you. 
 


On Monday, 17 December 2012 07:39:04 UTC, vjosullivan wrote:
> Has anyone found a reasonably accessible (yet secure) way of keeping track of multiple passwords across different systems, retrievable from various locations (e.g. at home, work or on the road)?


Casper Bang

Dec 18, 2012, 5:27:20 AM
to java...@googlegroups.com, Marc, Jan Goyvaerts

> Bruce Schneier said more than ten years ago that in his view open source
> was not just a business model, but the only way to properly engineer a
> security system.

That probably because Bruce has seen his share of security by obscurity. You are right of course, a properly designed system, would not need to hide behind closed code.

However, taking the tin-foil hat off for a moment, it's probably safe enough for most people to go with the big players like LastPass etc. As with many things, there's some comfort and safety in hiding in a crowd which has been under scrutiny from actual experts, and where an actual business would be in jeopardy.

Fabrizio Giudici

Dec 18, 2012, 7:42:48 AM
to java...@googlegroups.com, Casper Bang, Marc, Jan Goyvaerts
On Tue, 18 Dec 2012 11:27:20 +0100, Casper Bang <caspe...@gmail.com>
wrote:


> However, taking the tin-foil hat off for a moment, it's probably safe
> enough for most people to go with the big players like LastPass etc.

I don't want to scare people, of course. But "it's probably safe enough"
is what I often think, when I'm particularly annoyed by my manual
procedure. Then I say: what does "enough" mean? It depends on what you're
protecting. For many things, it's probably enough: you risk some major
annoyance in some public forums if some joker spreads some spam, or you
risk your websites being defaced. If you have the proper counter-measures
(e.g. a backup to quickly restore a defaced site, etc...), it's ok.
Perhaps I could actually use one of the proposed open source solutions for
my passwords with a low criticality (but I don't see any advantage in just
having them managed by Opera).

For my banking accounts, not. Once the money has gone, has gone.

rakesh mailgroups

Dec 18, 2012, 9:33:29 AM
to java...@googlegroups.com
Hi Fabrizio,

I think you are being unrealistic.

I'm all for doing due diligence when choosing important software like this (I use 1Password + dropbox btw) but you need to realise there are NO 100% guarantees.

Look what happened to Sony, hackers get hold of government data and post it.

What I think you should be asking yourself is, will I be able to get any money back if I should be hacked? The answer is invariably yes as you are already part of the minority who understands technology and isn't stupid enough to use guessable passwords or the same one across multiple sites.

As someone pointed out, you have to trust someone somewhere in order to do anything. LastPass, KeePass, 1Password all have a lot to lose if their software is not good enough. Personally, that's good enough for me. They should have the smart people staying on top of this situation for me.

Life's too short, move on.

Rakesh



Cédric Beust ♔

Dec 18, 2012, 9:46:07 AM
to java...@googlegroups.com
Agreed.

Personally, I worry a lot more about someone being able to use social engineering to have one of my passwords reset than someone breaking one of my passwords.

-- 
Cedric



Kevin Wright

Dec 18, 2012, 9:53:51 AM
to java...@googlegroups.com
+1
--
Kevin Wright
mail: kevin....@scalatechnology.com
gtalk / msn : kev.lee...@gmail.com
vibe / skype: kev.lee.wright
steam: kev_lee_wright

"My point today is that, if we wish to count lines of code, we should not regard them as "lines produced" but as "lines spent": the current conventional wisdom is so foolish as to book that count on the wrong side of the ledger" ~ Dijkstra

Fabrizio Giudici

Dec 18, 2012, 10:06:40 AM
to java...@googlegroups.com, rakesh mailgroups
On Tue, 18 Dec 2012 15:33:29 +0100, rakesh mailgroups
<rakesh.m...@gmail.com> wrote:

> Hi Fabrizio,
>
> I think you are being unrealistic.
>
> I'm all for doing due diligence when choosing important software like this
> (I use 1Password + dropbox btw) but you need to realise there are NO 100%
> guarantees.
>
> Look what happened to Sony, hackers get hold of government data and post it.
>
> What I think you should be asking yourself is, will I be able to get any
> money back if I should be hacked? The answer is invariably yes as you are
> already part of the minority who understands technology and isn't stupid
> enough to use guessable passwords or the same one across multiple sites.

That's precisely my problem, and I think I wouldn't get the money back -
in the most optimistic case, I'd have to fight with lawyers spending lots
of time (thus money). Please note that we're not talking of a problem of
the bank, but of a problem of me, the customer. I bet the bank would say:
blame your password manager provider. I think we all learned in those
years how banks are able to blame others for *their own* errors, so figure
out when the error is not theirs. And then I suppose that in the fine
print 1Password, KeePass etc deny all relevant liability. Not counting
that they refer to courts abroad from my point of view, which would only
increase the troubles. And in any case it would require time, and in the
meantime? How do you live without money?

> LastPass, KeePass, 1Password all have a lot to lose if their software is
> not good enough.

True. Even Tepco had a lot to lose if their estimate about the maximum
height of tsunami waves was wrong. In fact they lost a lot.

> As someone pointed out, you have to trust someone somewhere in order to
> do
> anything.

... and for my banking account I trust on me, myself and I :-) Should
something tragic happen without any possibility of recovery, at least I'd
blame myself. If I can't recover, I prefer to have troubles caused by me
than a third party who escapes its responsibility. This helps in keeping
my blood pressure low.

> Lifes too short, move on.

Yep. If it's short and moneyless is even worse. :-)

Fabrizio Giudici

Dec 18, 2012, 10:08:40 AM
to java...@googlegroups.com, Cédric Beust ♔
On Tue, 18 Dec 2012 15:46:07 +0100, Cédric Beust ♔ <ced...@beust.com>
wrote:

> Agreed.
>
> Personally, I worry a lot more about someone being able to use social
> engineering to have one of my passwords reset than someone breaking one of
> my passwords.

This is an additional risk that is not alternative to the other. Thus, we
have to deal with both.

Cédric Beust ♔

Dec 18, 2012, 10:13:43 AM
to java...@googlegroups.com
On Tue, Dec 18, 2012 at 7:08 AM, Fabrizio Giudici <Fabrizio...@tidalwave.it> wrote:
> This is an additional risk that is not alternative to the other. Thus, we have to deal with both.

Right, but I think the pendulum has swung far enough on the "secure password storage" side while it has barely moved on the "social engineering break in" aspect. If you're worried about the safety of your private information, I think your time will be better spent making sure that the companies you entrust have safe "reset" procedures than asking to see the source code of their encryption back end.

Wired published a very enlightening article on this very topic last month, I highly recommend it.

-- 
Cedric

Fabrizio Giudici

Dec 18, 2012, 10:23:55 AM
to java...@googlegroups.com, Cédric Beust ♔
On Tue, 18 Dec 2012 16:13:43 +0100, Cédric Beust ♔ <ced...@beust.com>
wrote:


> Wired published a very enlightening article on this very topic
> <http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/>
> last month, I highly recommend it.

Absolutely correct and I do agree. I do know the case of the guy quoted by
Wired, as I discussed in another community months ago.
Indeed, unfortunately, correctly dealing with security is a hard task.

Casper Bang

Dec 18, 2012, 10:27:39 AM
to java...@googlegroups.com, ced...@beust.com
> Right, but I think the pendulum has swung far enough on the "secure password storage" side while it has barely moved on the "social engineering break in" aspect. If you're worried about the safety of your private information,

Exactly. To invoke the insurance metaphor as a simple cost/benefit analysis; a determined thief WILL succeed in breaking into your house, regardless of how many locks and security cameras you have - so the best strategy is to limit the damage. There might be a cultural/social issue buried here though, as my bank is obliged to cover (non-social-engineered) fraud and in case of bankruptcy my government guarantees whatever money I have in the bank.

Casper Bang

Dec 18, 2012, 10:44:18 AM
to java...@googlegroups.com, ced...@beust.com

> Exactly. To invoke the insurance metaphor as a simple cost/benefit analysis; a determined thief WILL succeed in breaking into your house, regardless of how many locks and security cameras you have - so the best strategy is to limit the damage. There might be a cultural/social issue buried here though, as my bank is obliged to cover (non-social-engineered) fraud and in case of bankruptcy my government guarantees whatever money I have in the bank.

I should specify; "limiting the damage" means, among other things, not to allow one compromised account to escalate by i.e. using unique passwords (or password layers), unique email addresses (or aliases), two-factor auth etc. It's the escalation aspect that frightens me the most with the SSO login aggregation solutions discussed in this thread.

Which reminds me, does any of these support security layers or rings? That is, one layer for non-important stuff (i.e. google groups), one for medium important stuff (say amazon) and one for very important stuff (email, banking) in order to minimize exposure?

jon.ki...@gmail.com

Dec 18, 2012, 10:54:08 AM
to Fabrizio Giudici, java...@googlegroups.com, rakesh mailgroups
I have a day to day account, which I use for bills and expenses. That account never has more than a month's expenses in it, unless there's a major purchase to be made.
I have a separate staging account at an unrelated bank, where I keep an accessible reserve. That account has never been used for any electronic transaction, and in fact there is not even a bank card issued on it.
It's possible that someone could do me some nuisance, but in order to do that they'd have to forge a check (there are good procedures for dealing with physical forgery, you can generally recover losses) or else they'd have to convince my bank to grant them electronic access, which would put the bank rather on the hook.

So I'm not too worried about my bank passwords, personally. I take reasonable care, but I'm tolerably well insulated against long-term harm.

Sent from my mobile.
(Typos courtesy of swype)

Cédric Beust ♔

Dec 18, 2012, 11:40:24 AM
to java...@googlegroups.com
On Tue, Dec 18, 2012 at 7:44 AM, Casper Bang <caspe...@gmail.com> wrote:
> I should specify; "limiting the damage" means, among other things, not to allow one compromised account to escalate by i.e. using unique passwords (or password layers), unique email addresses (or aliases), two-factor auth etc.

This is another aspect of security that very few people realize: using different passwords on different sites doesn't make you as safe as you think.

Your single point of failure is your email account, period. Once a hacker gets access to your email, they can reset pretty much every single other account that you own, regardless of how many different passwords you use for those.

-- 
Cédric

Fabrizio Giudici

Dec 18, 2012, 12:01:19 PM
to java...@googlegroups.com, Casper Bang, ced...@beust.com
On Tue, 18 Dec 2012 16:44:18 +0100, Casper Bang <caspe...@gmail.com>
wrote:

Government guarantees. LOL. We all have it in Europe. This is specifically
one of the things that makes me cautious. In fact, the problem is that in
my country no such case has happened in recent times. You know, "not
tested? it doesn't work!". I think it applies not only to software. The
theory is that a state agency will refund you (under a reasonable threshold
that is about 100k€) in 45 days max (or such). Now, last summer it happened
for an Italian bank. Indeed, several months passed before the authorities
approved the procedure, and the 45 days count started from there. In the
end, people were stuck with their accounts locked for at least six months,
more or less. This episode made me think a lot: I don't feel guaranteed
until I see a test case that was handled positively.

As a side note: the government guarantee won't work in many countries if
multiple banks fail at the same time as a domino effect, because there
won't be money for everybody.
But this is OT with respect to computer security.

Back to the topic, the escalation worries me too. That's why I have
multiple bank accounts, as I said. But having all the passwords managed by
the same device would jeopardize this strategy.
And yes, one of the banks relies on a dongle for one-time passwords. I'm
still unsure if I had to move away from the other bank, that doesn't use
it. Probably it's ok as is now. In this way I can adopt the policy of
always keeping the dongle at home (more secure, even though losing it
would be just an annoyance of getting another, in fact the bank requires
the one-time password AND a fixed password plus the account name) even
though this prevents me from operating when I'm not at home. But in case
of urgent need, I have the other bank account.

Fabrizio Giudici

Dec 18, 2012, 12:12:16 PM
to java...@googlegroups.com, Cédric Beust ♔
On Tue, 18 Dec 2012 17:40:24 +0100, Cédric Beust ♔ <ced...@beust.com>
wrote:

> This is another aspect of security that very few people realize: using
> different passwords on different sites doesn't make you as safe as you
> think.
>
> Your single point of failure is your email account, period. Once a hacker
> gets access to your email, they can reset pretty much every single other
> account that you own, regardless of how many different passwords you use
> for those.

True. But e.g. the procedure for resetting the password to my banks aren't
as easy - they also require some other proof, such as other "secret
information" that has been previously shared, and they involve some phone
call. Still, this can be hacked. The thing that people should do (and I've
only partially done, but I'll fill the gap ASAP) is to have a short
security assessment of the accounts and their recovery procedures. Then
you can try to compare it with e.g. the breach reported by Wired. BTW, if
I remember well, Apple was doing something very stupid in the reset
procedure, and that's why no major corporate will ever have my primary
credit card numbers (for them I use a PayPal card with a very tight credit
cap).

It isn't particularly hard, I think that you need just to classify two
levels: one for the bank accounts and all the thing that can cause serious
damage, and the other for all the rest. Then use separate emails. I'm
considering to use, for the first class, the "certified email" that has
become obligatory by law in many countries. Not only the provider
guarantees signing, timestamping and archival (which means it would be
easy to reconstruct an incident, and even prove it), but it's used very
seldom, just for some periodic communications with state agencies and such
(at least in my case). For instance, this means that I don't have
configured my smartphone to connect with it.

I was going to add that some well designed reset procedures make use of
SMS notifications (e.g. banks), but in this case the smartphone can be
again a single point of failure and some malicious app could hack them.

Casper Bang

Dec 18, 2012, 12:24:37 PM
to java...@googlegroups.com, ced...@beust.com

> This is another aspect of security that very few people realize: using different passwords on different sites doesn't make you as safe as you think.
>
> Your single point of failure is your email account, period. Once a hacker gets access to your email, they can reset pretty much every single other account that you own, regardless of how many different passwords you use for those.

 
Sure, which is why your email account would qualify as belonging to the maximum security tier - similar to root level. A good practice is to have an automatic forwarding rule, which sends everything you receive to a special "shadow slave account", so that you may always retrieve reset emails to your compromised master account. Google also offers nonce codes as a recovery mechanism.

All I am trying to say is that there is no silver bullet, but there are pragmatic damage control and recovery strategies.

Dominic Mitchell

Dec 18, 2012, 12:40:41 PM
to javaposse
If you're using gmail, you should enable two-factor auth, in order to help prevent this.


It's a significant step towards securing your account.

-Dom

Kirk Pepperdine

Dec 18, 2012, 1:53:25 PM
to java...@googlegroups.com

>
> Your single point of failure is your email account, period. Once a hacker gets access to your email, they can reset pretty much every single other account that you own, regardless of how many different passwords you use for those.

A link that I've broken for important accounts. It's still not 100% but if the email address you need to get to doesn't exist anymore....

-- Kirk

clay

Dec 18, 2012, 5:30:30 PM
to java...@googlegroups.com
Every recommendation is a system based on some secure server storing passwords.

How about hash systems? I use http://passwordmaker.org/

It normalizes the site URL, concatenates it with your email and a master password, hashes (MD5) that full string, converts the binary hash to text, and there is your password.

You only need to remember one password, the hash system generates new passwords for every new site, and there is no server-storage involved. Nothing to hack, protect, or lose access to.

Fabrizio Giudici

unread,
Dec 18, 2012, 6:22:35 PM12/18/12
to java...@googlegroups.com, clay
On Tue, 18 Dec 2012 23:30:30 +0100, clay <clayt...@gmail.com> wrote:

> Every recommendation is a system based on some secure server storing
> passwords.
>
> How about hash systems? I use http://passwordmaker.org/
>
> You only need to remember one password, the hash system generates new
> passwords for every new site, and there is no server-storage involved.
> Nothing to hack, protect, or lose access to.

I didn't know passwordmaker and I'll have a deeper look at it in the next
days. In the past I've thought of a similar approach, but with some doubts:

1. In case one password is compromised (e.g. by eavesdropping) you have to
change the password and give up with this approach, at least for the
compromised site.
2. Sometimes the URL might change. For instance, one of my banks
introduced a redesigned website. The original URL was www.bank.it, for
some time it redirected to new.bank.it (transitory period in which the
original website was still available). This would have caused at least
some annoyance (forced to change the password) at least temporarily.

Still, it is of some interest.

Ryan Schipper

unread,
Dec 18, 2012, 10:16:43 PM12/18/12
to java...@googlegroups.com
Password Maker supports both of those scenarios. Check out their FAQ.

That said, I would advise against using Password Maker.

I've just had a quick browse of the source and the software uses your master password as direct key material for their HMAC algorithms. This is a direct violation of HMAC's security assumptions (specifically, that the key derivation function is a pseudo-random function). These sorts of errors make me nervous regarding the general security posture of the application.

If you're still thinking about PasswordMaker (or already using it), the default settings are quite weak (http://passwordmaker.sourceforge.net/help/account-settings.xhtml).

I would advise altering these settings to the following:
  - use the SHA256 algorithm
  - increase the default generated password length to at least 12, if not 16
  - update the default character set to include symbols

This will decrease the chance that a vulnerable service (e.g. Facebook) is retaining a stored hash which can be trivially brute forced using oclHashcat and 8 GPUs.

-- Ryan Schipper


clay

unread,
Dec 19, 2012, 11:52:26 AM12/19/12
to java...@googlegroups.com
It sounds like you are in favor of the general strategy of automatically hash-generating individual passwords based on a single master password.

IMO, this general strategy seems superior to the store-on-a-server strategy. Sure, you can change/tweak the hash algorithm and settings and even write your own implementation of these things.

If the URL changes: change your password, or manually remember the old URL.

If an individual password is compromised: no big deal. You have to use a modifier text string, such as an incremental number which is concatenated to the string that generates the final hash -> password. You have to do this for sites that require you to routinely change your password as well.

If your master password is compromised: you're screwed. Every system has to have an ultimate weak point.
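As an added example (my own Go code, not PasswordMaker's source and not anything posted in this thread), here is the scheme clay describes side by side with a hardened variant that addresses the points raised above: the URL normalization that Fabrizio's bank example trips over, Ryan's objection to feeding the raw master password in as HMAC key material, and the per-site counter clay proposes for rotating a single compromised password. The 64-character charset, the salt label "site-pw-demo:", the 100000 PBKDF2 iterations and the demo credentials are all my assumptions, not settings taken from the tool.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// Constructed demo inputs (not real credentials).
const (
	demoMaster = "correct horse battery staple"
	demoEmail  = "alice@example.invalid"
	// 64 characters so that (byte & 63) picks a character without modulo bias.
	passwordCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#"
)

// normalizeSite reduces a URL to its lower-case host with a leading "www."
// removed, so http://www.Bank.it/login and https://bank.it/ yield the same
// password. A move to new.bank.it still changes the result, which is the
// URL-change problem raised in the thread; there the counter or a manual
// override is the only way out.
func normalizeSite(raw string) (string, error) {
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("cannot extract a host from %q", raw)
	}
	return strings.TrimPrefix(strings.ToLower(u.Hostname()), "www."), nil
}

// weakPassword is the baseline scheme as described in the thread: a single
// fast MD5 over site+email+master, rendered as hex. One leaked site password
// gives an attacker a cheap offline guessing target for the master.
func weakPassword(site, email, master string) string {
	sum := md5.Sum([]byte(site + email + master))
	return hex.EncodeToString(sum[:])
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here so the
// example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hardenedPassword keeps the "nothing stored on a server" property but fixes
// the two weaknesses discussed: the master password is stretched through a
// slow, salted KDF before it becomes HMAC key material, and a per-site counter
// lets one site's password be rotated after a compromise without touching the
// master. Output length is capped at the 32 bytes of the tag.
func hardenedPassword(site, email, master string, counter, length int) string {
	if length > sha256.Size {
		length = sha256.Size
	}
	key := pbkdf2SHA256([]byte(master), []byte("site-pw-demo:"+email), 100000, 32)
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s\x00%d", site, counter)
	tag := mac.Sum(nil)
	out := make([]byte, length)
	for i := range out {
		out[i] = passwordCharset[tag[i]&63]
	}
	return string(out)
}

func main() {
	site, _ := normalizeSite("http://www.Bank.it/login")
	fmt.Println("site:     ", site)
	fmt.Println("weak:     ", weakPassword(site, demoEmail, demoMaster))
	fmt.Println("hardened: ", hardenedPassword(site, demoEmail, demoMaster, 0, 16))
	fmt.Println("rotated:  ", hardenedPassword(site, demoEmail, demoMaster, 1, 16))
}
```

The counter is the piece that has to live somewhere: either you remember which sites are on counter 1, or you keep a small (non-secret) list, which is the one bit of state this approach cannot avoid. The master-password single point of failure clay accepts remains exactly as stated.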

pwagland

unread,
Dec 21, 2012, 10:28:58 AM12/21/12
to java...@googlegroups.com

On Wednesday, December 19, 2012 4:16:43 AM UTC+1, Ryan Schipper wrote:

> That said, I would advise against using Password Maker.
>
> I've just had a quick browse of the source and the software uses your master password as direct key material for their HMAC algorithms. This is a direct violation of HMAC's security assumptions (specifically, that the key derivation function is a pseudo-random function). These sorts of errors make me nervous regarding the general security posture of the application.

Security software is rife with issues. Read this paper for more scary stuff: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

That is why I don't disagree with Fabrizio for being unduly cautious, despite the fact that I do store my passwords using 1Password.

As with all things, it is a tradeoff between security and convenience, and I think that 1Password gives me much better security than "one password", and most of the convenience of that.

Cheers,
Paul

jwd

unread,
Jan 4, 2013, 8:22:07 PM1/4/13
to java...@googlegroups.com
Since it has not been mentioned in this Java Posse thread, I will add a reference to my password keeper tool of choice, JCards.

I've been maintaining my password records in a JCards file (in my personal Git repository now) for years. Source code is available for the paranoid; it uses Bouncy Castle libraries for encryption, last time I checked.

Casper Bang

unread,
Jan 5, 2013, 9:35:19 AM1/5/13
to java...@googlegroups.com
On Saturday, January 5, 2013 2:22:07 AM UTC+1, jwd wrote:

> Since it has not been mentioned in this Java Posse thread, I will add a reference to my password keeper tool of choice, JCards.
>
> I've been maintaining my password records in a JCards file (in my personal Git repository now) for years. Source code is available for the paranoid; it uses Bouncy Castle libraries for encryption, last time I checked.

Unfortunately Bouncy Castle is needed on the JRE, as Sun/Oracle is an American company with silly export limitations when it comes to strong crypto (funny enough, this is not needed on Android, where you can readily get away with > AES-128). I am no security expert, but JCards seems to use Blowfish (typically considered an inferior algorithm to AES) with only a 64-bit block size and an iteration count of only 16. It also doesn't look as if JCards seeds with new random data between successive encryptions.
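To make the last of Casper's points concrete, here is an added Go example (my own code, not JCards or Bouncy Castle code, and not a claim about what JCards actually does) showing what a reviewer of any password store would check: does the cipher get fresh random data on every encryption, and is the file authenticated? The demo key and record are constructed. AES is used throughout; its 128-bit block also avoids the 64-bit-block issue Casper raises, which for Blowfish becomes a birthday-bound problem once on the order of 2^32 blocks have been encrypted under one key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo key: a real store would derive it from the master password
// with a salted, iterated KDF rather than a single hash.
var demoKey = sha256.Sum256([]byte("demo-master-passphrase-not-real"))

// A constructed record of the kind a password file holds.
var demoRecord = []byte("site=bank.it user=alice password=hunter2-not-real")

// pkcs7Pad pads to a whole number of blocks, as CBC requires.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC encrypts with AES-CBC under a caller-supplied IV. The IV is the
// "random data between successive encryptions": reuse it and equal records
// produce equal ciphertexts, so anyone holding two versions of the file can
// tell which entries did not change.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// cbcLeaksEquality is the reviewer's check: encrypt the same record twice with
// the same IV and report whether the ciphertexts come out identical.
func cbcLeaksEquality(iv []byte) bool {
	a, err1 := encryptCBC(demoKey[:], iv, demoRecord)
	b, err2 := encryptCBC(demoKey[:], iv, demoRecord)
	return err1 == nil && err2 == nil && bytes.Equal(a, b)
}

// sealGCM is the pattern to prefer: AES-GCM with a fresh random nonce per
// call, the nonce prepended to the output, and an authentication tag so a
// modified file is rejected instead of decrypting to garbage.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM splits off the nonce and verifies the tag before returning plaintext.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func main() {
	fixedIV := make([]byte, aes.BlockSize) // all-zero IV, constructed to show the flaw
	fmt.Println("CBC with a fixed IV leaks equal records:", cbcLeaksEquality(fixedIV))
	s1, _ := sealGCM(demoKey[:], demoRecord)
	s2, _ := sealGCM(demoKey[:], demoRecord)
	fmt.Println("GCM ciphertexts for the same record differ:", !bytes.Equal(s1, s2))
}
```

The same check applies to a file kept in Git or Dropbox, as earlier posts in this thread suggest: every synced revision is a ciphertext the sync service retains, so a store that reuses its IV hands that service a diff of which entries changed between versions.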