
Do you use a password manager?


Unbreakable Disease

Jul 12, 2021, 5:53:31 AM
My 50-year old brain isn't capable of memorizing that many passwords
anymore, so I use KeePassXC. I keep basically everything here including
my financial passwords and credit card data, with the exception of
passwords that I would have to remember anyway (full-disk encryption,
login, primary e-mail passwords, etc.)

Overall, it's much easier to remember and much harder to forget 10
complicated passwords that you use everyday than 100+ simple passwords
you use every month or even less.

I can't speak about Windows version of KeePass, because with the
exception of playing games not available on Macintosh, I haven't used
one since Windows 95 days.
--
Tip me: bc1qtwmjzywve5v7z6jzk4dkg7v6masw2erpahsn9f

Wade Garrett

Jul 12, 2021, 7:37:38 AM
On 7/12/21 5:53 AM, Unbreakable Disease wrote:
> My 50-year old brain isn't capable of memorizing that many passwords
> anymore, so I use KeePassXC. I keep basically everything here including
> my financial passwords and credit card data, with the exception of
> passwords that I would have to remember anyway (full-disk encryption,
> login, primary e-mail passwords, etc.)
>
> Overall, it's much easier to remember and much harder to forget 10
> complicated passwords that you use everyday than 100+ simple passwords
> you use every month or even less.
>
> I can't speak about Windows version of KeePass, because with the
> exception of playing games not available on Macintosh, I haven't used
> one since Windows 95 days.

I'd like to use a password manager but I'm not comfortable with that
data being on some server somewhere- allegedly encrypted or not.

If there's one that keeps the data just on the local machine, I'd be
interested.

I keep a spreadsheet with my PWs on my FileVault-encrypted iMac hard
drive and copy/paste to logins that need to stay secure- financial,
vendors, healthcare, etc.

I always log out before leaving the house.

nospam

Jul 12, 2021, 7:41:20 AM
In article <sch9i1$k05$1...@dont-email.me>, Wade Garrett <wa...@cooler.net>
wrote:

> I'd like to use a password manager but I'm not comfortable with that
> data being on some server somewhere- allegedly encrypted or not.
>
> If there's one that keeps the data just on the local machine, I'd be
> interested.

most do, but that means syncing between devices will be limited or
non-existent.

Andy K.

Jul 12, 2021, 9:14:55 AM
I'm using KeepassX which is purely local, and am very happy with it.

AndyK

Scott Alfter

Jul 12, 2021, 11:17:44 AM
In article <sch9i1$k05$1...@dont-email.me>, Wade Garrett <wa...@cooler.net> wrote:
>On 7/12/21 5:53 AM, Unbreakable Disease wrote:
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here including
>> my financial passwords and credit card data, with the exception of
>> passwords that I would have to remember anyway (full-disk encryption,
>> login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple passwords
>> you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
>I'd like to use a password manager but I'm not comfortable with that
>data being on some server somewhere- allegedly encrypted or not.
>
>If there's one that keeps the data just on the local machine, I'd be
>interested.

KeePass stores its file wherever you tell it. It could be local storage,
storage on a server you control (as on a VPS or a dedicated server), or
whatever cloud storage is supported on the OS you're using. I use a WebDAV
share on a VPS. It's accessible to my phone and my computers, but not to
others. (I suppose Linode could grab the file, but without the password to
unlock it, it's useless to anybody else.)

_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?

Rich

Jul 12, 2021, 11:40:39 AM
In comp.misc Wade Garrett <wa...@cooler.net> wrote:
> On 7/12/21 5:53 AM, Unbreakable Disease wrote:
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here including
>> my financial passwords and credit card data, with the exception of
>> passwords that I would have to remember anyway (full-disk encryption,
>> login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple passwords
>> you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
> I'd like to use a password manager but I'm not comfortable with that
> data being on some server somewhere- allegedly encrypted or not.
>
> If there's one that keeps the data just on the local machine, I'd be
> interested.

This one stores everything locally:
https://github.com/zdia/gorilla

There are probably others that do so as well.

Keith Thompson

Jul 12, 2021, 2:52:40 PM
[I don't know why the OP cross-posted to alt.atheism. I've dropped it]
I use PasswordSafe https://pwsafe.org/ .

It's a Windows application with clones available for Android, iOS, and Mac.

There's a Linux version, available as "passwordsafe" in the Ubuntu repos
(and presumably others), but I haven't gotten it to work.

password-gorilla is a Linux application that uses the same file format
and should be available in the package repos for most distributions.

Keeping the database synchronized across devices is left as an exercise.

--
Keith Thompson (The_Other_Keith) Keith.S.T...@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */

Lewis

Jul 12, 2021, 3:58:44 PM
In message <874kcz5...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
> [I don't know why the OP cross-posted to alt.atheism. I've dropped it]

> Wade Garrett <wa...@cooler.net> writes:
>> On 7/12/21 5:53 AM, Unbreakable Disease wrote:
>>> My 50-year old brain isn't capable of memorizing that many passwords
>>> anymore, so I use KeePassXC. I keep basically everything here
>>> including my financial passwords and credit card data, with the
>>> exception of passwords that I would have to remember anyway
>>> (full-disk encryption, login, primary e-mail passwords, etc.)
>>> Overall, it's much easier to remember and much harder to forget 10
>>> complicated passwords that you use everyday than 100+ simple
>>> passwords you use every month or even less.
>>> I can't speak about Windows version of KeePass, because with the
>>> exception of playing games not available on Macintosh, I haven't
>>> used one since Windows 95 days.
>>
>> I'd like to use a password manager but I'm not comfortable with that
>> data being on some server somewhere- allegedly encrypted or not.

There is no "allegedly" about the encryption with LastPass, 1password,
or BitWarden. I know all three of these have been certified and tested
by third parties.

Having them on a server makes it simple to sync them to multiple
devices. At least 1Password can be synced manually, and I would not be
surprised if the others allowed this in some way as well.

>> I keep a spreadsheet with my PWs on my FileVault-encrypted iMac hard
>> drive and copy/paste to logins that need to stay secure- financial,
>> vendors, healthcare, etc.

That is a very inefficient system, but it is a lot better than what
some people do. It also encourages patterns of passwords. One of the
main advantages of a manager is truly random passwords.

> I use PasswordSafe https://pwsafe.org/ .

> It's a Windows application with clones available for Android, iOS, and Mac.

> There's a Linux version, available as "passwordsafe" in the Ubuntu repos
> (and presumably others), but I haven't gotten it to work.

> password-gorilla is a Linux application that uses the same file format
> and should be available in the package repos for most distributions.

> Keeping the database synchronized across devices is left as an exercise.

And that means you end up with not having the password you need unless
you limit your use of the Internet to a single machine.


--
Everything you say is so boring, I replace it with dubstep.

Keith Thompson

Jul 12, 2021, 4:15:36 PM
Lewis <g.k...@kreme.dont-email.me> writes:
> In message <874kcz5...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
[...]
>> I use PasswordSafe https://pwsafe.org/ .
>
>> It's a Windows application with clones available for Android, iOS, and Mac.
>
>> There's a Linux version, available as "passwordsafe" in the Ubuntu repos
>> (and presumably others), but I haven't gotten it to work.
>
>> password-gorilla is a Linux application that uses the same file format
>> and should be available in the package repos for most distributions.
>
>> Keeping the database synchronized across devices is left as an exercise.
>
> And that means you end up with not having the password you need unless
> you limit your use of the Internet to a single machine.

Not if I replicate the encrypted database across the machines I use.
I understand that that could open a potential security hole if
I'm not sufficiently careful. But if I *am* sufficiently careful,
my database doesn't exist on anyone else's server.

nospam

Jul 12, 2021, 4:27:06 PM
In article <87zgur4...@nosuchdomain.example.com>, Keith Thompson
<Keith.S.T...@gmail.com> wrote:

> >> Keeping the database synchronized across devices is left as an exercise.
> >
> > And that means you end up with not having the password you need unless
> > you limit your use of the Internet to a single machine.
>
> Not if I replicate the encrypted database across the machines I use.
> I understand that that could open a potential security hole if
> I'm not sufficiently careful. But if I *am* sufficiently careful,
> my database doesn't exist on anyone else's server.

and if you forget to sync it, murphy's law states that you won't have
the password you need.

computers are there to do work *for* you.

Keith Thompson

Jul 12, 2021, 4:48:19 PM
Of course. That happens now and then. The solution is to go back and
sync it.

> computers are there to do work *for* you.

I'm not going to go into too much detail about *how* I synchronize my
password database. I'm not confident that my method is sufficiently
secure. (Yes, I'm doing "security through obscurity", but only as a
layer on top of other methods.)

I'm comfortable with the amount of manual work my method requires.
Others won't be.

But what do you suggest?

nospam

Jul 12, 2021, 5:14:32 PM
In article <87v95f4...@nosuchdomain.example.com>, Keith Thompson
<Keith.S.T...@gmail.com> wrote:

> >> >> Keeping the database synchronized across devices is left as an exercise.
> >> >
> >> > And that means you end up with not having the password you need unless
> >> > you limit your use of the Internet to a single machine.
> >>
> >> Not if I replicate the encrypted database across the machines I use.
> >> I understand that that could open a potential security hole if
> >> I'm not sufficiently careful. But if I *am* sufficiently careful,
> >> my database doesn't exist on anyone else's server.
> >
> > and if you forget to sync it, murphy's law states that you won't have
> > the password you need.
>
> Of course. That happens now and then. The solution is to go back and
> sync it.

no, the solution is to have it automatically sync.

> > computers are there to do work *for* you.

^^this^^

> I'm not going to go into too much detail about *how* I synchronize my
> password database

you already said how: you manually sync it.

automatically syncing means a new or changed entry is available on
other devices within seconds, no additional effort required.

Keith Thompson

Jul 12, 2021, 5:43:30 PM
nospam <nos...@nospam.invalid> writes:
> In article <87v95f4...@nosuchdomain.example.com>, Keith Thompson
> <Keith.S.T...@gmail.com> wrote:
>> >> >> Keeping the database synchronized across devices is left as an exercise.
>> >> >
>> >> > And that means you end up with not having the password you need unless
>> >> > you limit your use of the Internet to a single machine.
>> >>
>> >> Not if I replicate the encrypted database across the machines I use.
>> >> I understand that that could open a potential security hole if
>> >> I'm not sufficiently careful. But if I *am* sufficiently careful,
>> >> my database doesn't exist on anyone else's server.
>> >
>> > and if you forget to sync it, murphy's law states that you won't have
>> > the password you need.
>>
>> Of course. That happens now and then. The solution is to go back and
>> sync it.
>
> no, the solution is to have it automatically sync.

The solution *I use* is to go back and sync it. It works.

>> > computers are there to do work *for* you.
>
> ^^this^^
>
>> I'm not going to go into too much detail about *how* I synchronize my
>> password database
>
> you already said how: you manually sync it.

There's more to it than that.

> automatically syncing means a new or changed entry is available on
> other devices within seconds, no additional effort required.

I know what "automatically syncing" means. You haven't said anything
about how to do that. (I use Ubuntu, Windows, and Android.)

For my situation, I've decided (so far) that automation would be more
effort than it's worth *for me*. I'm willing to change my mind if
presented with new information. If you have none to offer, that's fine.

Unbreakable Disease

Jul 12, 2021, 5:45:13 PM
I use KeePassXC which is a modernized version of KeepassX. Can be also
cloudified if you put the database on Dropbox (which I don't recommend)
or somewhere else.

Unbreakable Disease

Jul 12, 2021, 5:46:28 PM
On 12.07.2021 15:36, Lamey wrote:
> If it's out there then people can access it if they want.
> Hackers are looking out for easy targets, almost nobody is going to
chase Scott Alfter. Too much risk and unknown benefits.

Unbreakable Disease

Jul 12, 2021, 5:51:04 PM
On 12.07.2021 15:28, Jolly Roger wrote:
> On 2021-07-12, Unbreakable Disease <unbre...@secmail.pro> wrote:
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here
>> including my financial passwords and credit card data, with the
>> exception of passwords that I would have to remember anyway (full-disk
>> encryption, login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple passwords
>> you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
> I don't see anything wrong with using Apple's built-in Keychain password
> manager. The only drawback it has is that it's Apple-only, and that has
> never been a reason not to use it for me. Most of my family uses it and
> is happy with it.
>
> The iCloud Keychain service is optional and seamlessly synchronizes your
> password database between all of your Apple devices. It is also highly
> encrypted using end-to-end encryption so that it cannot be accessed by
> anyone but you.
>
> Others here will recommend cross-platform solutions, but if you have no
> need for synchronizing your password database to other platforms,
> Apple's built-in Keychain is quite a secure and capable solution, and
> it's integrated with all of Apple's operating systems by default.
>
I need to use my database on both Mac OS and Linux, so I use KeePassXC.
And what if you are left with the Keychain file and Apple goes south?
How will you migrate to KeePassXC? Your file is going to be nothing more
than useless junk, so at least call Apple or e-mail Tim Cook directly at
tim...@apple.com to allow to export Keychain data to other password
managers. I doubt that Apple will listen to us, but trying is better
than simply giving up.

nospam

Jul 12, 2021, 6:11:24 PM
In article <87r1g34...@nosuchdomain.example.com>, Keith Thompson
<Keith.S.T...@gmail.com> wrote:

> >> >> >> Keeping the database synchronized across devices is left as an
> >> >> >> exercise.
> >> >> >
> >> >> > And that means you end up with not having the password you need unless
> >> >> > you limit your use of the Internet to a single machine.
> >> >>
> >> >> Not if I replicate the encrypted database across the machines I use.
> >> >> I understand that that could open a potential security hole if
> >> >> I'm not sufficiently careful. But if I *am* sufficiently careful,
> >> >> my database doesn't exist on anyone else's server.
> >> >
> >> > and if you forget to sync it, murphy's law states that you won't have
> >> > the password you need.
> >>
> >> Of course. That happens now and then. The solution is to go back and
> >> sync it.
> >
> > no, the solution is to have it automatically sync.
>
> The solution *I use* is to go back and sync it. It works.

except when it doesn't, which you admit happens 'now and then'.

> >> > computers are there to do work *for* you.
> >
> > ^^this^^
> >
> >> I'm not going to go into too much detail about *how* I synchronize my
> >> password database
> >
> > you already said how: you manually sync it.
>
> There's more to it than that.

those details are irrelevant. the fact is that it's manual which means
it's a lot of extra work with the opportunity to screw it up.

i suspect whatever system you're using does not properly handle merges.

> > automatically syncing means a new or changed entry is available on
> > other devices within seconds, no additional effort required.
>
> I know what "automatically syncing" means.

then why not use it?

> You haven't said anything
> about how to do that. (I use Ubuntu, Windows, and Android.)

what's to know? choose a password manager that offers automatic sync.
done.

> For my situation, I've decided (so far) that automation would be more
> effort than it's worth *for me*. I'm willing to change my mind if
> presented with new information. If you have none to offer, that's fine.

what effort? download a new password manager app that offers syncing,
then export passwords from your existing password manager and import
them to the new one. it should take a minute or two.

Keith Thompson

Jul 12, 2021, 6:52:23 PM
It does not, and I did run into a problem with that not too long ago.
It took some manual work to resolve it.

>> > automatically syncing means a new or changed entry is available on
>> > other devices within seconds, no additional effort required.
>>
>> I know what "automatically syncing" means.
>
> then why not use it?
>
>> You haven't said anything
>> about how to do that. (I use Ubuntu, Windows, and Android.)
>
> what's to know? choose a password manager that offers automatic sync.
> done.

I've spent *some* time looking into alternatives, but perhaps not
enough. The password manager I use uses a local file. Others I've
looked at store data "in the cloud", i.e., on someone else's computer.
I've decided *for myself* that I don't want to store my passwords in the
cloud, and that I'm willing to pay the price of more difficult local
updates.

>> For my situation, I've decided (so far) that automation would be more
>> effort than it's worth *for me*. I'm willing to change my mind if
>> presented with new information. If you have none to offer, that's fine.
>
> what effort? download a new password manager app that offers syncing,
> then export passwords from your existing password manager and import
> them to the new one. it should take a minute or two.

And install it on all my devices, and learn how to use it -- plus
convincing myself that it's sufficiently secure. Much more than
"a minute or two".

Is there a password manager that supports automatic sync among Linux,
Android, and Windows *without* storing any of my information in the
cloud (i.e., on someone else's computer)? (It's possible that I hadn't
made it clear enough that I don't want to use cloud storage.)

nospam

Jul 12, 2021, 7:18:06 PM
In article <87mtqr4...@nosuchdomain.example.com>, Keith Thompson
some store it in the cloud, some store it on a local server. some do
either.

another option is set up a personal cloud hosted on your own hardware,
over which you have full control, which has many other benefits than
just password syncing.

in every case, it's encrypted, so even if someone did gain access to
the database, they won't get the actual passwords, at least not without
a shitload of effort trying to crack it (assuming you used a good
master passphrase).

keep in mind that if any of your hardware is lost or stolen, someone will
have easy access to that database, no hacking of cloud servers
required.

nothing is 100% safe.

> >> For my situation, I've decided (so far) that automation would be more
> >> effort than it's worth *for me*. I'm willing to change my mind if
> >> presented with new information. If you have none to offer, that's fine.
> >
> > what effort? download a new password manager app that offers syncing,
> > then export passwords from your existing password manager and import
> > them to the new one. it should take a minute or two.
>
> And install it on all my devices, and learn how to use it -- plus
> convincing myself that it's sufficiently secure. Much more than
> "a minute or two".

true, but that's the easy part. download a bunch, try them out, put in
some random passwords and see which ones fit your workflow.

> Is there a password manager that supports automatic sync among Linux,
> Android, and Windows *without* storing any of my information in the
> cloud (i.e., on someone else's computer)? (It's possible that I hadn't
> made it clear enough that I don't want to use cloud storage.)

there are several, each with different mixes of features, some with
better integration than others, and only you can decide which one fits
your needs.

Keith Thompson

Jul 12, 2021, 7:57:54 PM
nospam <nos...@nospam.invalid> writes:
> In article <87mtqr4...@nosuchdomain.example.com>, Keith Thompson
> <Keith.S.T...@gmail.com> wrote:
[...]
>> Is there a password manager that supports automatic sync among Linux,
>> Android, and Windows *without* storing any of my information in the
>> cloud (i.e., on someone else's computer)? (It's possible that I hadn't
>> made it clear enough that I don't want to use cloud storage.)
>
> there are several, each with different mixes of features, some with
> better integration than others, and only you can decide which one fits
> your needs.

Are you unwilling to give examples? Is there one that you use (or do
you use a cloud solution)?

I tried KeePass a while ago, and it doesn't do what I want. (One
feature of the Android version of PasswordSafe that I like is that it
implements a virtual keyboard, so passwords don't have to go through the
system clipboard.) Someone here mentioned KeePassXC, which I might try,
but I don't see an Android version.

I just found a reference to something called Syncthing, which I'll also
look into; it's a continuous file synchronization program, not
specifically related to passwords.

nospam

Jul 12, 2021, 8:25:43 PM
In article <87im1f3...@nosuchdomain.example.com>, Keith Thompson
<Keith.S.T...@gmail.com> wrote:

> >> Is there a password manager that supports automatic sync among Linux,
> >> Android, and Windows *without* storing any of my information in the
> >> cloud (i.e., on someone else's computer)? (It's possible that I hadn't
> >> made it clear enough that I don't want to use cloud storage.)
> >
> > there are several, each with different mixes of features, some with
> > better integration than others, and only you can decide which one fits
> > your needs.
>
> Are you unwilling to give examples? Is there one that you use (or do
> you use a cloud solution)?

i use 1password and keep everything on my devices, however, it does
sync via the cloud. there is (was) a way to sync locally but that had
some limitations and i'm not sure if that's even still an option.

they also offer a cloud version (their servers) but that's not required.

it does look like they now have linux support but i don't know how good
that is. that's relatively recent.

> I tried KeePass a while ago, and it doesn't do what I want. (One
> feature of the Android version of PasswordSafe that I like is that it
> implements a virtual keyboard, so passwords don't have to go through the
> system clipboard.) Someone here mentioned KeePassXC, which I might try,
> but I don't see an Android version.

1password has a background process which directly communicates with
browser extension, skipping the clipboard entirely.

some use the system clipboard which is then auto-erased moments later.

> I just found a reference to something called Syncthing, which I'll also
> look into; it's a continuous file synchronization program, not
> specifically related to passwords.

syncthing is good. also check out nextcloud, which can be installed on
a variety of hardware as well as in a docker container or even a
raspberry pi (although that's not exactly fast).

Rich

Jul 12, 2021, 9:08:27 PM
In comp.misc Keith Thompson <Keith.S.T...@gmail.com> wrote:
> nospam <nos...@nospam.invalid> writes:
>> In article <87mtqr4...@nosuchdomain.example.com>, Keith Thompson
>> <Keith.S.T...@gmail.com> wrote:
> [...]
>>> Is there a password manager that supports automatic sync among Linux,
>>> Android, and Windows *without* storing any of my information in the
>>> cloud (i.e., on someone else's computer)? (It's possible that I hadn't
>>> made it clear enough that I don't want to use cloud storage.)
>>
>> there are several, each with different mixes of features, some with
>> better integration than others, and only you can decide which one fits
>> your needs.
>
> Are you unwilling to give examples? Is there one that you use (or do
> you use a cloud solution)?
>
> I tried KeePass a while ago, and it doesn't do what I want. (One
> feature of the Android version of PasswordSafe that I like is that it
> implements a virtual keyboard, so passwords don't have to go through the
> system clipboard.) Someone here mentioned KeePassXC, which I might try,
> but I don't see an Android version.
>
> I just found a reference to something called Syncthing, which I'll also
> look into; it's a continuous file synchronization program, not
> specifically related to passwords.

You mentioned password-gorilla in an earlier message. It contains a
"merge" feature that somewhat reduces the burden in manually
maintaining sync across devices.

Keith Thompson

Jul 13, 2021, 12:42:06 AM
When I tried KeePass on Android, I didn't find a way to copy a password
or other text from KeePass to another arbitrary application. Possibly I
didn't spend enough time exploring it. Something that *only* uses a
browser extension would not be useful to me.

> some use the system clipboard which is then auto-erased moments later.
>
>> I just found a reference to something called Syncthing, which I'll also
>> look into; it's a continuous file synchronization program, not
>> specifically related to passwords.
>
> syncthing is good. also check out nextcloud, which can be installed on
> a variety of hardware as well as in a docker container or even a
> raspberry pi (although that's not exactly fast).

Yes, I have a NextCloud instance, but I'm not sure I want to store (even
encrypted) passwords on it.

Michael Trew

Jul 13, 2021, 1:56:05 AM
On 7/12/2021 5:53 AM, Unbreakable Disease wrote:
> My 50-year old brain isn't capable of memorizing that many passwords
> anymore, so I use KeePassXC. I keep basically everything here including
> my financial passwords and credit card data, with the exception of
> passwords that I would have to remember anyway (full-disk encryption,
> login, primary e-mail passwords, etc.)
>
> Overall, it's much easier to remember and much harder to forget 10
> complicated passwords that you use everyday than 100+ simple passwords
> you use every month or even less.
>
> I can't speak about Windows version of KeePass, because with the
> exception of playing games not available on Macintosh, I haven't used
> one since Windows 95 days.


I like the concept of it, but I refuse to trust some server to store my
passwords.

Scott Alfter

Jul 13, 2021, 10:43:39 AM
In article <87im1f3...@nosuchdomain.example.com>,
Keith Thompson <Keith.S.T...@gmail.com> wrote:
>I tried KeePass a while ago, and it doesn't do what I want. (One
>feature of the Android version of PasswordSafe that I like is that it
>implements a virtual keyboard, so passwords don't have to go through the
>system clipboard.)

Keepass2Android does that. It interoperates just fine with KeePass, which I
run on Windows and Linux (it's a .NET binary, so it runs fine on both).

Lewis

Jul 13, 2021, 11:48:14 AM
In message <87zgur4...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
> Lewis <g.k...@kreme.dont-email.me> writes:
>> In message <874kcz5...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
> [...]
>>> I use PasswordSafe https://pwsafe.org/ .
>>
>>> It's a Windows application with clones available for Android, iOS, and Mac.
>>
>>> There's a Linux version, available as "passwordsafe" in the Ubuntu repos
>>> (and presumably others), but I haven't gotten it to work.
>>
>>> password-gorilla is a Linux application that uses the same file format
>>> and should be available in the package repos for most distributions.
>>
>>> Keeping the database synchronized across devices is left as an exercise.
>>
>> And that means you end up with not having the password you need unless
>> you limit your use of the Internet to a single machine.

> Not if I replicate the encrypted database across the machines I use.

Yes, because you are perfect and will ALWAYS sync on EVERY change.

Not going to happen. You will forget and you will be caught out
without some recent change or update because you are NOT perfect. Sorry,
but those are just facts.

> I understand that that could open a potential security hole if
> I'm not sufficiently careful. But if I *am* sufficiently careful,
> my database doesn't exist on anyone else's server.

Whopdie doo. That doesn’t make it more secure, you know, just more
obscure, more fragile, more prone to failure, and more likely that you
do not have the information you need when you need it.


--
'Now what?' it said. IT'S UP TO YOU. IT'S ALWAYS UP TO YOU.
--Maskerade

Lewis

Jul 13, 2021, 11:59:01 AM
In message <87im1f3...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
> nospam <nos...@nospam.invalid> writes:
>> In article <87mtqr4...@nosuchdomain.example.com>, Keith Thompson
>> <Keith.S.T...@gmail.com> wrote:
> [...]
>>> Is there a password manager that supports automatic sync among Linux,
>>> Android, and Windows *without* storing any of my information in the
>>> cloud (i.e., on someone else's computer)? (It's possible that I hadn't
>>> made it clear enough that I don't want to use cloud storage.)
>>
>> there are several, each with different mixes of features, some with
>> better integration than others, and only you can decide which one fits
>> your needs.

> Are you unwilling to give examples? Is there one that you use (or do
> you use a cloud solution)?

Examples have been given. You seem to think that using a system that you
yourself admit is inferior and prone to failure is somehow a virtue, so
you are unlikely to care about other solutions and that holds up since
you have ignored the other solutions offered.

> I tried KeePass a while ago, and it doesn't do what I want.

Has anyone mentioned KeePass? I know I haven't since I have never used
it, and I don't recall anyone else mentioning it in this thread. I do
not recall that KeePass does syncing, you have to sync the database
yourself.

> but I don't see an Android version.

If you are trusting Android to store your password files you should have
no issue with FAR more secure and tested cloud storage.

> I just found a reference to something called Syncthing, which I'll also
> look into; it's a continuous file synchronization program, not
> specifically related to passwords.

If it cannot manage merges, it is useless for password management.

--
Hello Diane, I'm Bucky Goldstein

Keith Thompson

unread,
Jul 13, 2021, 4:55:22 PM7/13/21
to
Lewis <g.k...@kreme.dont-email.me> writes:
> In message <87im1f3...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
>> nospam <nos...@nospam.invalid> writes:
>>> In article <87mtqr4...@nosuchdomain.example.com>, Keith Thompson
>>> <Keith.S.T...@gmail.com> wrote:
>> [...]
>>>> Is there a password manager that supports automatic sync among Linux,
>>>> Android, and Windows *without* storing any of my information in the
>>>> cloud (i.e., on someone else's computer)? (It's possible that I hadn't
>>>> made it clear enough that I don't want to use cloud storage.)
>>>
>>> there are several, each with different mixes of features, some with
>>> better integration than others, and only you can decide which one fits
>>> your needs.
>
>> Are you unwilling to give examples? Is there one that you use (or do
>> you use a cloud solution)?
>
> Examples have been given. You seem to think that using a system that you
> yourself admit is inferior and prone to failure is somehow a virtue, so
> you are unlikely to care about other solutions and that holds up since
> you have ignored the other solutions offered.

I don't believe anything I've written here could reasonably be read to
imply that I think the system I use is "somehow a virtue". It works for
me. I'm more than willing to consider better ideas.

I've had occasional problems with the setup I use. Those problems have
not included a loss of information and are not likely to.

>> I tried KeePass a while ago, and it doesn't do what I want.
>
> Has anyone mentioned KeePass? I know I haven't since I have never used
> it, and I don't recall anyone else mentioning it in this thread. I do
> not recall that KeePass does syncing, you have to sync the database
> yourself.

Yes, I mentioned KeePass. Am I not allowed to mention something that
wasn't mentioned before?

>> but I don't see an Android version.
>
> If you are trusting Android to store your password files you should have
> no issue with FAR more secure and tested cloud storage.

Opinion noted.

"Cloud storage" is not a single thing that is "secure and tested". It's
likely that some of the cloud storage solutions are sufficiently secure,
but I haven't been using cloud storage and am hesitant to start, since,
as I've said several times, my current system works for me.

>> I just found a reference to something called Syncthing, which I'll also
>> look into; it's a continuous file synchronization program, not
>> specifically related to passwords.
>
> If it cannot manage merges, it is useless for password management.

I have not found that to be the case.

Perhaps you could offer advice rather than just shooting down ideas you
don't like.

Oregonian Haruspex

unread,
Jul 13, 2021, 9:29:32 PM7/13/21
to
I use an old electronic organizer to store my passwords, and I keep a
printed hard copy locked in my safe. I don’t trust anything more
technological than that combination.

%

unread,
Jul 13, 2021, 9:43:48 PM7/13/21
to
i don't use anything i have no passwords

Unbreakable Disease

unread,
Jul 14, 2021, 3:00:23 AM7/14/21
to
Because you instead use your DNA to log in to your accounts.

Unbreakable Disease

unread,
Jul 14, 2021, 3:04:48 AM7/14/21
to
Well, the biggest security hole is most of the time a user itself.
You'd be better off syncing your password manager file through the cloud.

Unbreakable Disease

unread,
Jul 14, 2021, 3:10:56 AM7/14/21
to
You can use Syncthing if you are paranoid. That would probably be the
best compromise between usability and security.

If you are even more paranoid, you can keep manually syncing, but keep
in mind that once you get malware or somebody takes physical control
over your device, you are pwned anyway no matter how many security
measures you take.

Otto J. Makela

unread,
Jul 16, 2021, 9:34:12 AM7/16/21
to
Wade Garrett <wa...@cooler.net> wrote:

> I'd like to use a password manager but I'm not comfortable with that
> data being on some server somewhere- allegedly encrypted or not.
>
> If there's one that keeps the data just on the local machine, I'd be
> interested.

I believe the classic "pass" (based on pgp) is available on various Unix
implementations, including MacOS.

https://www.passwordstore.org/
--
/* * * Otto J. Makela <o...@iki.fi> * * * * * * * * * */
/* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
/* Mail: Mechelininkatu 26 B 27, FI-00100 Helsinki */
/* * * Computers Rule 01001111 01001011 * * * * * * */

Bob Eager

unread,
Jul 16, 2021, 11:06:18 AM7/16/21
to
On Fri, 16 Jul 2021 16:34:09 +0300, Otto J. Makela wrote:

> Wade Garrett <wa...@cooler.net> wrote:
>
>> I'd like to use a password manager but I'm not comfortable with that
>> data being on some server somewhere- allegedly encrypted or not.
>>
>> If there's one that keeps the data just on the local machine, I'd be
>> interested.
>
> I believe the classic "pass" (based on pgp) is available on various Unix
> implementations, including MacOS.
>
> https://www.passwordstore.org/

Indeed. I use it all the time. And it would be easy to do automatic
replication to anything that supported a shell.

--
Using UNIX since v6 (1975)...

Use the BIG mirror service in the UK:
http://www.mirrorservice.org

Wade Garrett

unread,
Jul 16, 2021, 11:19:22 AM7/16/21
to
On 7/16/21 9:34 AM, Otto J. Makela wrote:
> Wade Garrett <wa...@cooler.net> wrote:
>
>> I'd like to use a password manager but I'm not comfortable with that
>> data being on some server somewhere- allegedly encrypted or not.
>>
>> If there's one that keeps the data just on the local machine, I'd be
>> interested.
>
> I believe the classic "pass" (based on pgp) is available on various Unix
> implementations, including MacOS.
>
> https://www.passwordstore.org/
>
Thanks- but use/setup looks a bit above my pay grade :-)

Lewis

unread,
Jul 16, 2021, 4:10:39 PM7/16/21
to
In message <ildlj9...@mid.individual.net> Bob Eager <news...@eager.cx> wrote:
> On Fri, 16 Jul 2021 16:34:09 +0300, Otto J. Makela wrote:

>> Wade Garrett <wa...@cooler.net> wrote:
>>
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> If there's one that keeps the data just on the local machine, I'd be
>>> interested.
>>
>> I believe the classic "pass" (based on pgp) is available on various Unix
>> implementations, including MacOS.
>>
>> https://www.passwordstore.org/

> Indeed. I use it all the time. And it would be easy to do automatic
> replication to anything that supported a shell.

I find this works well if I don't happen to have 1Password available
(like on a remote machine, for example)

uuidgen| sha256sum| cut -c -24

(or any number from 16 on up to 64, though I do not need a 64 hex digit
password, ever.)

But I add those passwords to my password manager immediately, of course.

--
Hey kids, shake it loose together the spotlight's hitting something
That's been known to change the weather we'll kill the fatted
calf tonight So stick around you're gonna hear electric music:
Solid walls of sound

Bob Eager

unread,
Jul 16, 2021, 5:51:55 PM7/16/21
to
On Fri, 16 Jul 2021 20:10:38 +0000, Lewis wrote:

> In message <ildlj9...@mid.individual.net> Bob Eager
> <news...@eager.cx> wrote:
>> On Fri, 16 Jul 2021 16:34:09 +0300, Otto J. Makela wrote:
>
>>> Wade Garrett <wa...@cooler.net> wrote:
>>>
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>>
>>>> If there's one that keeps the data just on the local machine, I'd be
>>>> interested.
>>>
>>> I believe the classic "pass" (based on pgp) is available on various
>>> Unix implementations, including MacOS.
>>>
>>> https://www.passwordstore.org/
>
>> Indeed. I use it all the time. And it would be easy to do automatic
>> replication to anything that supported a shell.
>
> I find this works well if I don't happen to have 1Password available
> (like on a remote machine, for example)
>
> uuidgen| sha256sum| cut -c -24
>
> (or any number from 16 on up to 64, though I do not need a 64 hex digit
> password, ever.)
>
> But I add those passwords to my password manager immediately, of course.

Mine, in that situation, is:

dd if=/dev/random count=1 bs=16 2>/dev/null | b64encode - | \
sed -e 's/=*$//' -e '/^begin/d' -e '/^$/d'

Lewis

unread,
Jul 16, 2021, 6:05:45 PM7/16/21
to
There's no "b64encode" on my macOS.


--
'They say that whoever pays the piper calls the tune.' 'But,
gentlemen,' said Mr Saveloy, 'whoever holds a knife to the
piper's throat writes the symphony.' --Interesting Times

Bob Eager

unread,
Jul 16, 2021, 6:19:15 PM7/16/21
to
Sorry - it's a FreeBSD command, equivalent to uuencode -m (which you may
or may not have). I like the general idea of using /dev/random, though.

Scott Dorsey

unread,
Jul 17, 2021, 11:18:33 AM7/17/21
to
Michael Trew <mt99...@ymail.com> wrote:
>
>I like the concept of it, but I refuse to trust some server to store my
>passwords.

Just write it on your office whiteboard like everyone else. Kevin Mitnick
says one out of every three whiteboards has a password on it somewhere.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Alan Browne

unread,
Jul 19, 2021, 10:40:10 AM7/19/21
to
On 2021-07-12 05:53, Unbreakable Disease wrote:
> My 50-year old brain isn't capable of memorizing that many passwords
> anymore, so I use KeePassXC. I keep basically everything here including
> my financial passwords and credit card data, with the exception of
> passwords that I would have to remember anyway (full-disk encryption,
> login, primary e-mail passwords, etc.)
>
> Overall, it's much easier to remember and much harder to forget 10
> complicated passwords that you use everyday than 100+ simple passwords
> you use every month or even less.
>
> I can't speak about Windows version of KeePass, because with the
> exception of playing games not available on Macintosh, I haven't used
> one since Windows 95 days.

I use 1Password. Be careful of the option you select. They are leaning
towards "rent" model which I despise.

You can keep the encrypted master file on iCloud or Dropbox so it's
available to all of your devices. Avoid the 'rent' model if possible.

--
"...there are many humorous things in this world; among them the white
man's notion that he is less savage than the other savages."
-Samuel Clemens

Alan Browne

unread,
Jul 19, 2021, 10:42:45 AM7/19/21
to
On 2021-07-12 07:37, Wade Garrett wrote:
> On 7/12/21 5:53 AM, Unbreakable Disease wrote:
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here
>> including my financial passwords and credit card data, with the
>> exception of passwords that I would have to remember anyway (full-disk
>> encryption, login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple passwords
>> you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
> I'd like to use a password manager but I'm not comfortable with that
> data being on some server somewhere- allegedly encrypted or not.

256 bit AES encryption not good enough for you?

>
> If there's one that keeps the data just on the local machine, I'd be
> interested.

1Password has that option as well as using a local server.

>
> I keep a spreadsheet with my PWs on my FileVault-encrypted iMac hard
> drive and copy/paste to logins that need to stay secure- financial,
> vendors, healthcare, etc.

Not very secure. Of course it's your house and that has some security.

But far better to use a manager - even if only on your machine.

>
> I always log out before leaving the house.

My computer does that for me ... well, might be a few minutes after I
leave...

Alan Browne

unread,
Jul 19, 2021, 10:43:42 AM7/19/21
to
On 2021-07-12 11:36, Lamey wrote:
> On Mon, 12 Jul 2021 15:17:43 GMT, Scott Alfter
> <sc...@alfter.diespammersdie.us> wrote:
>
>> In article <sch9i1$k05$1...@dont-email.me>, Wade Garrett <wa...@cooler.net> wrote:
>>> On 7/12/21 5:53 AM, Unbreakable Disease wrote:
>>>> My 50-year old brain isn't capable of memorizing that many passwords
>>>> anymore, so I use KeePassXC. I keep basically everything here including
>>>> my financial passwords and credit card data, with the exception of
>>>> passwords that I would have to remember anyway (full-disk encryption,
>>>> login, primary e-mail passwords, etc.)
>>>>
>>>> Overall, it's much easier to remember and much harder to forget 10
>>>> complicated passwords that you use everyday than 100+ simple passwords
>>>> you use every month or even less.
>>>>
>>>> I can't speak about Windows version of KeePass, because with the
>>>> exception of playing games not available on Macintosh, I haven't used
>>>> one since Windows 95 days.
>>>
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> If there's one that keeps the data just on the local machine, I'd be
>>> interested.
>>
>> KeePass stores its file wherever you tell it. It could be local storage,
>> storage on a server you control (as on a VPS or a dedicated server), or
>> whatever cloud storage is supported on the OS you're using. I use a WebDAV
>> share on a VPS. It's accessible to my phone and my computers, but not to
>> others. (I suppose Linode could grab the file, but without the password to
>> unlock it, it's useless to anybody else.)
>>
> If it's out there then people can access it if they want.

Access ≠ decryption.

Keith Thompson

unread,
Jul 19, 2021, 2:08:16 PM7/19/21
to
Alan Browne <bitb...@blackhole.com> writes:
> On 2021-07-12 07:37, Wade Garrett wrote:
[...]
>> I'd like to use a password manager but I'm not comfortable with that
>> data being on some server somewhere- allegedly encrypted or not.
>
> 256 bit AES encryption not good enough for you?

The weak link is not the encryption algorithm, but the key used to
decrypt the data.

[...]

nospam

unread,
Jul 19, 2021, 2:12:48 PM7/19/21
to
In article <87r1fu1...@nosuchdomain.example.com>, Keith Thompson
<Keith.S.T...@gmail.com> wrote:

> >> I'd like to use a password manager but I'm not comfortable with that
> >> data being on some server somewhere- allegedly encrypted or not.
> >
> > 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

that's up to you to choose something complex.

hint: don't use 'password123'

Lewis

unread,
Jul 19, 2021, 4:07:48 PM7/19/21
to
In message <87r1fu1...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
> Alan Browne <bitb...@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?

> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

Which the user chooses.

Have you done any actual research into this or have you just read
know-nothing clickbait shit?

--
And the three men I admire most, the father son and the holly ghost
they caught the last train for the coast...

Keith Thompson

unread,
Jul 19, 2021, 5:15:37 PM7/19/21
to
Lewis <g.k...@kreme.dont-email.me> writes:
> In message <87r1fu1...@nosuchdomain.example.com> Keith Thompson <Keith.S.T...@gmail.com> wrote:
>> Alan Browne <bitb...@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.
>
> Which the user chooses.

Yes, of course.

> Have you done any actual research into this or have you just read
> know-nothing clickbait shit?

Be less rude. If I'm wrong, say so and tell us what's right.

Richard Kettlewell

unread,
Jul 20, 2021, 4:15:46 AM7/20/21
to
Keith Thompson <Keith.S.T...@gmail.com> writes:
> Alan Browne <bitb...@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

There’s lots of possible weak links.

- The key may be stored insecurely.
- If the key is derived from a password then the user may choose a weak
password.
- It’s easy to make a bad choice of KDF.
- The choice of cipher mode matters.
- For some cipher modes, how you choose the parameters matters.
- Some ciphers (including AES) are prone to side channels.

How much each of these matters is situational, but “256 bit AES
encryption” is not a complete description and may indeed not be good
enough, depending on the missing details.

--
https://www.greenend.org.uk/rjk/

Lewis

unread,
Jul 20, 2021, 4:13:11 PM7/20/21
to
In message <8735s99...@LkoBDZeT.terraraq.uk> Richard Kettlewell <inv...@invalid.invalid> wrote:
> Keith Thompson <Keith.S.T...@gmail.com> writes:
>> Alan Browne <bitb...@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>>
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.

> There’s lots of possible weak links.

> - The key may be stored insecurely.

The key is not stored at all. The key is the password that the user
selects.

> - If the key is derived from a password then the user may choose a weak
> password.

Nothing anyone can do about that.

> - It’s easy to make a bad choice of KDF.
> - The choice of cipher mode matters.

Which is why these tools are audited by third parties and you should
only use tools that have been audited.

> - For some cipher modes, how you choose the parameters matters.

Ibid.

> - Some ciphers (including AES) are prone to side channels.

Ibid.

> How much each of these matters is situational, but “256 bit AES
> encryption” is not a complete description and may indeed not be good
> enough, depending on the missing details.

Ibid.


--
you cannot code around infinite implementations of OCD -John C Welch

Alan Browne

unread,
Jul 20, 2021, 4:39:39 PM7/20/21
to
On 2021-07-19 14:08, Keith Thompson wrote:
> Alan Browne <bitb...@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

First off there is a difference between a "key" and a "password".

If the password is "a", the key will still be extremely strong at 256
bits and would look completely different to the key for password "b".
Of course that is not a recommendation.

As to passwords, it's trivial to make strong and easy to remember
passwords with a few misspelled words, mixed case, some symbols and digits.

Keith Thompson

unread,
Jul 20, 2021, 6:52:47 PM7/20/21
to
Alan Browne <bitb...@blackhole.com> writes:
> On 2021-07-19 14:08, Keith Thompson wrote:
>> Alan Browne <bitb...@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.
>
> First off there is a difference between a "key" and a "password".

Sure (but sometimes they can be the same, right?).

> If the password is "a", the key will still be extremely strong at 256
> bits and would look completely different to the key for password "b".
> Of course that is not a recommendation.

Are you talking about a key being algorithmically derived from the
password? If the string "a" is all the information you need to unlock
an encrypted file, then an attacker is going to be able to unlock it,
whether it first has to be translated to a 256-bit key or not. (Or I'm
missing something.)

> As to passwords, it's trivial to make strong and easy to remember
> passwords with a few misspelled words, mixed case, some symbols and
> digits.

Sure. It's also easy for a password to leak in any of a number of ways.
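
The key-versus-password exchange above, as an added Python example that is not part of any poster's message. It assumes PBKDF2-HMAC-SHA256 as the KDF (the thread names none), a constructed salt and a deliberately low iteration count, and shows that the keys for "a" and "b" are unrelated 256-bit values while the cost of finding either is set by the password space, plus only log2(iterations) bits from the KDF.

```python
import hashlib
import hmac
import math
import string
from typing import Iterable, Optional, Tuple

# Constructed demo parameters (assumptions): a real vault stores its own random
# salt and uses a much higher cost setting.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 10_000


def derive_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length keys."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly at random from alphabet**length."""
    return length * math.log2(alphabet_size)


def work_bits(pw_bits: float, iterations: int = ITERATIONS) -> float:
    """Rough guessing cost in hash operations, as a power of two.

    The KDF multiplies the cost of each guess by its iteration count, which
    adds only log2(iterations) bits on top of the password's own entropy.
    """
    return pw_bits + math.log2(iterations)


def guesses_until_match(target_key: bytes, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Count KDF calls needed to hit target_key when walking a candidate list."""
    tries = 0
    for candidate in candidates:
        tries += 1
        # Constant-time comparison, as any key check should use.
        if hmac.compare_digest(derive_key(candidate), target_key):
            return candidate, tries
    return None, tries


if __name__ == "__main__":
    key_a, key_b = derive_key("a"), derive_key("b")
    print("key for 'a':", key_a.hex())
    print("key for 'b':", key_b.hex())
    print("bits that differ:", differing_bits(key_a, key_b), "of 256")
    print("guesses to match 'q':", guesses_until_match(derive_key("q"), string.ascii_lowercase))
    for label, bits in [
        ("1 lowercase letter", password_bits(26, 1)),
        ("8 random printable chars", password_bits(94, 8)),
        ("6 Diceware words", password_bits(7776, 6)),
    ]:
        print(f"{label}: {bits:.1f} bits, about 2^{work_bits(bits):.1f} hashes with the KDF")
```
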

Dreamer In Colore

unread,
Jul 21, 2021, 1:29:06 PM7/21/21
to
On Mon, 12 Jul 2021 09:53:00 +0000, Unbreakable Disease
<unbre...@secmail.pro> wrote:

>My 50-year old brain isn't capable of memorizing that many passwords
>anymore, so I use KeePassXC. I keep basically everything here including
>my financial passwords and credit card data, with the exception of
>passwords that I would have to remember anyway (full-disk encryption,
>login, primary e-mail passwords, etc.)
>
>Overall, it's much easier to remember and much harder to forget 10
>complicated passwords that you use everyday than 100+ simple passwords
>you use every month or even less.
>
>I can't speak about Windows version of KeePass, because with the
>exception of playing games not available on Macintosh, I haven't used
>one since Windows 95 days.

For what it's worth, I like LastPass. I'm not crazy about the fact
that I can't use it on multiple devices without having to pay for it,
but I can't begrudge the software developers over there the right to
earn a living.

The best strengths in current password technology are in passphrases:

https://useapassphrase.com

There's some great stats in there, such as the amount of time it takes
to crack common spatial word passwords such as "qwerty" or "aaaaaa"...
10 milliseconds.

Or how long it takes to crack a password that's a date like
"03261981"... 2.213 seconds.

However, if you use a sequence of four randomly chosen words like
"mergers decade labeled manager", it'll take 6 million centuries to
crack.

So.

I've converted all my passwords to sequences of four to six words; and
I have an email account at a provider that I've never used to send
email to anyone, or to use as the id for any website. There, I have a
draft of an email saved that holds the information.

I now only need to remember one password, and I can get to everything.
As for the remote chance that the email provider will cease to exist,
I made backup accounts with other major providers, because paranoia.

I don't use email apps to access my password storage account; and I
use Tor to get to it for the sake of anonymity. I'd be fairly
impressed if someone got through that level of security, and it's
probably overkill, but why take the risk?

While I'm at it... does everyone know about

https://haveibeenpwned.com

You can put your email address in there, and see if it's been involved
in any large-scale thefts. It's got records going back years, and I
was fairly shocked to see that my wife's account had been hacked years
ago.

--
Cheers,
Dreamer
AA 2306

"The fact that a believer is happier than a skeptic is no
more to the point than the fact that a drunken man is
happier than a sober one. The happiness of credulity is a
cheap and dangerous quality of happiness, and by no means
a necessity of life."

George Bernard Shaw
Androcles and the Lion

Keith Thompson

unread,
Jul 21, 2021, 3:31:18 PM7/21/21
to
I use a couple of programs I wrote to generate random passwords and
passphrases:

https://github.com/Keith-S-Thompson/random-passwords

It's two Perl scripts. gen-password generates random passwords with
specified criteria, and gen-passphrase generates xkcd-style random word
sequences using the system dictionary or a specified one.

Bob Eager

unread,
Jul 21, 2021, 5:00:33 PM7/21/21
to
On Wed, 21 Jul 2021 12:31:11 -0700, Keith Thompson wrote:

> I use a couple of programs I wrote to generate random passwords and
> passphrases:
>
> https://github.com/Keith-S-Thompson/random-passwords
>
> It's two Perl scripts. gen-password generates random passwords with
> specified criteria, and gen-passphrase generates xkcd-style random word
> sequences using the system dictionary or a specified one.

I use dicewords and a set of casino dice.

Ben Bacarisse

unread,
Jul 21, 2021, 8:23:55 PM7/21/21
to
Bob Eager <news...@eager.cx> writes:

> On Wed, 21 Jul 2021 12:31:11 -0700, Keith Thompson wrote:
>
>> I use a couple of programs I wrote to generate random passwords and
>> passphrases:
>>
>> https://github.com/Keith-S-Thompson/random-passwords
>>
>> It's two Perl scripts. gen-password generates random passwords with
>> specified criteria, and gen-passphrase generates xkcd-style random word
>> sequences using the system dictionary or a specified one.
>
> I use dicewords and a set of casino dice.

What do you do when the password is restricted as is so often the case?

--
Ben.

Bob Eager

unread,
Jul 22, 2021, 4:46:20 AM7/22/21
to
It provides a basis to which I add stuff.

Jitsi does similar when choosing a random 'room' name, although I haven't
looked at the code.
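
The random-word approach discussed in the posts above (four-word passphrases, gen-passphrase, dicewords, and adding characters for sites with password rules), as an added Python example that is not part of the thread and is not Keith Thompson's Perl scripts. The 32-word list, the symbol set and all function names are assumptions made for the demo.

```python
import math
import secrets
import string

# Constructed 32-word sample list so the block runs offline. Real use needs a
# large list (the Diceware list has 7776 words) or the system dictionary.
SAMPLE_WORDS = """
anchor basket candle desert engine falcon garden harbor island jacket
kettle ladder magnet napkin orange pencil quartz ribbon saddle tunnel
umpire velvet walnut yellow zipper bridge copper dragon forest guitar
hammer jungle
""".split()

SYMBOLS = "!@#$%^&*"  # assumed symbol set; sites differ in what they accept


def clean_wordlist(words):
    """Lower-case, drop non-alphabetic entries and duplicates, keep order.

    Duplicates matter: they make some words more likely than others, so the
    real entropy is lower than log2(len(list)) suggests.
    """
    seen, out = set(), []
    for word in words:
        word = word.strip().lower()
        if word.isalpha() and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def passphrase_bits(list_size, n_words):
    """Entropy of n_words drawn independently and uniformly from the list."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits with this list size."""
    return math.ceil(target_bits / math.log2(list_size))


def gen_passphrase(words, n_words=4, sep=" "):
    """Pick n_words with the OS CSPRNG; secrets.choice has no modulo bias."""
    words = clean_wordlist(words)
    if len(words) < 2:
        raise ValueError("word list too small to give any entropy")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def satisfy_policy(passphrase, need_upper=False, need_digit=False,
                   need_symbol=False, symbols=SYMBOLS):
    """Append one random character per class a site insists on.

    Returns (password, extra_bits). The suffix satisfies the rule but adds
    little entropy; the words still carry almost all of the strength.
    """
    alphabets = []
    if need_upper:
        alphabets.append(string.ascii_uppercase)
    if need_digit:
        alphabets.append(string.digits)
    if need_symbol:
        alphabets.append(symbols)
    suffix = "".join(secrets.choice(alphabet) for alphabet in alphabets)
    extra_bits = sum(math.log2(len(alphabet)) for alphabet in alphabets)
    return passphrase + suffix, extra_bits


if __name__ == "__main__":
    size = len(clean_wordlist(SAMPLE_WORDS))
    phrase = gen_passphrase(SAMPLE_WORDS, n_words=5, sep="-")
    password, extra = satisfy_policy(phrase, need_upper=True, need_digit=True)
    print("sample list:", size, "words,", f"{passphrase_bits(size, 5):.1f} bits for 5 words")
    print("passphrase:", phrase)
    print("with policy suffix:", password, f"(+{extra:.1f} bits)")
    print("4 words from a 7776-word list:", f"{passphrase_bits(7776, 4):.1f} bits")
    print("words needed for 80 bits from 7776 words:", words_needed(7776, 80))
```
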

Unbreakable Disease

unread,
Jul 22, 2021, 4:52:28 AM7/22/21
to
On 19.07.2021 14:40, Alan Browne wrote:
> On 2021-07-12 05:53, Unbreakable Disease wrote:
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here
>> including my financial passwords and credit card data, with the
>> exception of passwords that I would have to remember anyway (full-disk
>> encryption, login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple passwords
>> you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
> I use 1Password.  Be careful of the option you select.  They are leaning
> towards "rent" model which I despise.
>
> You can keep the encrypted master file on iCloud or Dropbox so it's
> available to all of your devices.  Avoid the 'rent' model if possible.
>
You can use any FOSS password manager. For me, anything that is not FOSS
is automatically suspicious (including 1Password). I don't trust
proprietary software and try to reduce its usage to minimum.

Alan Browne

unread,
Jul 22, 2021, 9:52:53 AM7/22/21
to
1Password has proven itself over time. I like companies that pay
employees to do things right when it's a critical component.

Free? You get what you pay for. So unless it's a wildly widespread and
popular package with many people maintaining it, it tends to crud.

The Gimp refers.

Unbreakable Disease

unread,
Jul 27, 2021, 7:27:33 AM7/27/21
to
On 22.07.2021 13:52, Alan Browne wrote:
> On 2021-07-22 04:52, Unbreakable Disease wrote:
>> On 19.07.2021 14:40, Alan Browne wrote:
>
>>> You can keep the encrypted master file on iCloud or Dropbox so it's
>>> available to all of your devices.  Avoid the 'rent' model if possible.
>>>
>> You can use any FOSS password manager. For me, anything that is not
>> FOSS is automatically suspicious (including 1Password). I don't trust
>> proprietary software and try to reduce its usage to minimum.
>
> 1Password has proven itself over time.  I like companies that pay
> employees to do things right when it's a critical component.
>
> Free?  You get what you pay for.  So unless it's a wildly widespread and
> popular package with many people maintaining it, it tends to crud.
>
> The Gimp refers.
>
>
Well, I like free software. It's not always of the same quality as
commercial software, but at least its security can be tested by many
experts in the industry easily as anyone has access to the source code.
Anyone can read and edit it... understanding and making it work not so much.

--
Tip me: bc1qtwmjzywve5v7z6jzk4dkg7v6masw2erpahsn9f
bitcoin:bc1qtwmjzywve5v7z6jzk4dkg7v6masw2erpahsn9f

Secmail.pro is down, please mail me at current address instead

Your Name

unread,
Jul 27, 2021, 4:30:18 PM7/27/21
to
On 2021-07-27 11:27:00 +0000, Unbreakable Disease said:
> On 22.07.2021 13:52, Alan Browne wrote:
>> On 2021-07-22 04:52, Unbreakable Disease wrote:
>>> On 19.07.2021 14:40, Alan Browne wrote:
>>>>
>>>> You can keep the encrypted master file on iCloud or Dropbox so it's
>>>> available to all of your devices.  Avoid the 'rent' model if possible.
>>>
>>> You can use any FOSS password manager. For me, anything that is not
>>> FOSS is automatically suspicious (including 1Password). I don't trust
>>> proprietary software and try to reduce its usage to minimum.
>>
>> 1Password has proven itself over time.  I like companies that pay
>> employees to do things right when it's a critical component.
>>
>> Free?  "You get what you pay for."  So unless it's a wildly widespread
>> and popular package with many people maintaining it, it tends to crud.
>>
>> The Gimp refers.
>
> Well, I like free software. It's not always of the same quality as
> commercial software, but at least its security can be tested by many
> experts in the industry easily as anyone has access to the source code.
> Anyone can read and edit it... understanding and making it work not so
> much.

With the source code available for free, it also means the hackers can
more easily work out how to steal your information. Using open source
or hacked pirated versions for anything even remotely to do with
security is simply incredibly silly.

nospam

unread,
Jul 27, 2021, 5:30:52 PM7/27/21
to
In article <sdpqco$1erg$1...@gioia.aioe.org>, Your Name
<Your...@YourISP.com> wrote:


> With the source code available for free, it also means the hackers can
> more easily work out how to steal your information. Using open source

nonsense.

open source means it's easy to audit so that nothing undesirable is
hidden.

> or hacked pirated versions for anything even remotely to do with
> security is simply incredibly silly.

that part is true. using pirated versions is dumb.

Bob Eager

unread,
Jul 27, 2021, 6:47:04 PM7/27/21
to
On Wed, 28 Jul 2021 08:30:16 +1200, Your Name wrote:

> With the source code available for free, it also means the hackers can
> more easily work out how to steal your information. Using open source or
> hacked pirated versions for anything even remotely to do with security
> is simply incredibly silly.

Ah, a proponent of security through obscurity.

I think not.

Your Name

unread,
Jul 27, 2021, 11:40:24 PM7/27/21
to
On 2021-07-27 22:47:01 +0000, Bob Eager said:
> On Wed, 28 Jul 2021 08:30:16 +1200, Your Name wrote:
>>
>> With the source code available for free, it also means the hackers can
>> more easily work out how to steal your information. Using open source or
>> hacked pirated versions for anything even remotely to do with security
>> is simply incredibly silly.
>
> Ah, a proponent of security through obscurity.
>
> I think not.

I guess that's why the banks leave their vault doors open all night. :-\

Otto J. Makela

unread,
Jul 28, 2021, 3:52:09 AM7/28/21
to
Your Name <Your...@YourISP.com> wrote:

> With the source code available for free, it also means the hackers can
> more easily work out how to steal your information. Using open source
> or hacked pirated versions for anything even remotely to do with
> security is simply incredibly silly.

"Hacked pirated" versions aside, security by obscurity never works in
the long run.

The security of cryptosystems should depend on things like your key
management, not that nobody has got their hands on the source code.
Widely used systems like openssl are open source and better for it,
as they have open audits of how they are built.

--
/* * * Otto J. Makela <o...@iki.fi> * * * * * * * * * */
/* Phone: +358 40 765 5772, ICBM: N 60 10' E 24 55' */
/* Mail: Mechelininkatu 26 B 27, FI-00100 Helsinki */
/* * * Computers Rule 01001111 01001011 * * * * * * */

Bob Eager

unread,
Jul 28, 2021, 4:41:50 AM7/28/21
to
Non sequitur.

Lewis

unread,
Jul 28, 2021, 8:35:35 AM7/28/21
to
You obviously have no idea what "security by obscurity" means. A vault
is not obscure. If you hide your money in a hollow book, that would be
security by obscurity.



--
Demons have existed on the Discworld for at least as long as the
gods, who in many ways they closely resemble. The difference is
basically the same as between terrorists and freedom fighters.

Scott Alfter

unread,
Jul 28, 2021, 1:45:26 PM7/28/21
to
In article <sdpqco$1erg$1...@gioia.aioe.org>,
Your Name <Your...@YourISP.com> wrote:
>With the source code available for free, it also means the hackers can
>more easily work out how to steal your information. Using open source
>or hacked pirated versions for anything even remotely to do with
>security is simply incredibly silly.

Security by obscurity? Please tell us you're joking...this has to be one of
the most ignorant comments I've seen on Usenet in a good long while.

If you have access to the source code, you can verify that (1) secure
algorithms are in use and (2) those algorithms have been properly translated
into secure code that works. Without source code, you're potentially buying
a pig in a poke.

_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?


Lewis

unread,
Jul 28, 2021, 6:30:14 PM7/28/21
to
Once again you demonstrate a complete lack of knowledge on a topic. The
VAST majority of encryption is done with open source tools, you nimrod.
Not only that, but when companies try to write their own (like Telegram)
it turns out they write shitty software with massive security holes.

Please stop trying to weigh in on things you know absolutely nothing
about, it's embarrassing.

--
"Are you pondering what I'm pondering?"
"Sure, Brain, but how are we going to find chaps our size?"

nospam

unread,
Jul 28, 2021, 6:56:04 PM7/28/21
to
In article <slrnsg3mjk....@m1mini.local>, Lewis
that would mean an end to his posts...

Lewis

unread,
Jul 29, 2021, 3:38:23 AM7/29/21
to
<fingers crossed>

--
'The trouble with my friend here is that he doesn't know the
difference between a postulate and a metaphor of human existence.
Or a hole in the ground.' --Pyramids

rtr

unread,
Nov 27, 2021, 5:51:48 PM11/27/21
to
On Mon, 12 Jul 2021 09:53:00 +0000
Unbreakable Disease <unbre...@secmail.pro> wrote:

> My 50-year old brain isn't capable of memorizing that many passwords
> anymore, so I use KeePassXC. I keep basically everything here
> including my financial passwords and credit card data, with the
> exception of passwords that I would have to remember anyway
> (full-disk encryption, login, primary e-mail passwords, etc.)
>
> Overall, it's much easier to remember and much harder to forget 10
> complicated passwords that you use everyday than 100+ simple
> passwords you use every month or even less.
>
> I can't speak about Windows version of KeePass, because with the
> exception of playing games not available on Macintosh, I haven't used
> one since Windows 95 days.

I use Pass, which is a command-line only password manager using git and
gpg. It's good and lightweight.

Bob Eager

unread,
Nov 27, 2021, 6:40:31 PM11/27/21
to
Yes, me too. It works well.

Otto J. Makela

unread,
Nov 28, 2021, 7:16:58 AM11/28/21
to
rtr <r...@nospam.invalid> wrote:

> I use Pass, which is a command-line only password manager using git
> and gpg. It's good and lightweight.

I also use it, though gpg is a bit clunky it helps me trust the cryptosystem.

rtr

unread,
Nov 28, 2021, 8:06:54 AM11/28/21
to
On Sun, 28 Nov 2021 14:16:49 +0200
o...@iki.fi (Otto J. Makela) wrote:

> rtr <r...@nospam.invalid> wrote:
>
> > I use Pass, which is a command-line only password manager using git
> > and gpg. It's good and lightweight.
>
> I also use it, though gpg is a bit clunky it helps me trust the
> cryptosystem.

GPG is indeed a bit clunky and non-user friendly. It's really secure
but the complexity required to set it up makes it unapproachable.

It's only recently that I've gotten around to maintaining a proper gpg key
setup, when I was sorting out my password situation, and looking at what
you can do with it, it's certainly a waste that not all people are aware
of this or can even use it with ease.

--
Give them an inch and they will take a mile.

Anssi Saari

unread,
Nov 29, 2021, 6:01:12 AM11/29/21
to
rtr <r...@nospam.invalid> writes:

> I use Pass, which is a command-line only password manager using git and
> gpg. It's good and lightweight.

I haven't used pass but now that I looked into it, it seems it could
work for me too. I currently use Keepass with sftp access to the
password database and it works, for my current platforms which are
Linux, Android and Windows. Looks like pass could also work for my use
case.

Lewis

unread,
Nov 29, 2021, 10:52:14 AM11/29/21
to
In message <sm0zgpn...@lakka.kapsi.fi> Anssi Saari <a...@sci.fi> wrote:
> my current platforms which are Linux, Android and Windows.

So why are you posting to comp.sys.mac.system and comp.sys.mac.misc and
alt.atheism?

> case.


--
Laugh it up, fuzzball!

The Real Bev

unread,
Nov 29, 2021, 1:31:06 PM11/29/21
to
On 11/28/2021 04:16 AM, Otto J. Makela wrote:
> rtr <r...@nospam.invalid> wrote:
>
>> I use Pass, which is a command-line only password manager using git
>> and gpg. It's good and lightweight.
>
> I also use it, though gpg is a bit clunky it helps me trust the cryptosystem.

No. I have a text file for when browsers and email forget.

I'm increasingly annoyed by the 'security' features required by various
financial businesses. I don't want texts sent to my phone EVER -- email
is just fine. I don't want to have to respond to a text message on my
phone BEFORE I can accomplish a transaction on my computer. This shit
takes time. MY time.

--
Cheers, Bev
Warning -- Driver carries less than $20 worth of ammunition

The Real Bev

unread,
Feb 5, 2022, 12:41:43 PM2/5/22
to
On 02/05/2022 04:43 AM, Matti Haveri wrote:
> In article <sch3ep$87h$1...@dont-email.me>,
> Unbreakable Disease <unbre...@secmail.pro> wrote:
>
>> KeePassXC
>
> I used KeePassX 0.4.4 works up to OS X 10.11 and then, after some
> testing, settled to KeePassXC.
>
> I use the same .kdbx file at work with a KeePass Windows standalone
> version and it works great.

Does it put a text file containing the passwords on your computer or are
you completely reliant on the thing ALWAYS working forever?

> I have advocated KeePass to the rest of the family and some use it and
> some don't preferring the iCloud keychain which also seems to work OK
> with less hassle.

--
Cheers, Bev
"Genius may have its limitations, but stupidity
is not thus handicapped."
-- Elbert Hubbard, American author

Dan Purgert

unread,
Feb 5, 2022, 2:03:08 PM2/5/22
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

["Followup-To:" header set to comp.misc.]
The Real Bev wrote:
> Does it put a text file containing the passwords on your computer or are
> you completely reliant on the thing ALWAYS working forever?

No. You're reliant on the software continuing to work -- the "database"
file is encrypted.

Equivalent of being reliant on say gpg continuing to work to decrypt a
text file or something.



--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|

Scientific (she/her) ⚧

unread,
Feb 5, 2022, 2:37:27 PM2/5/22
to
On 2/5/22 7:03 PM, Dan Purgert wrote:
> ["Followup-To:" header set to comp.misc.]
> The Real Bev wrote:
>> Does it put a text file containing the passwords on your computer or are
>> you completely reliant on the thing ALWAYS working forever?
>
> No. You're reliant on the software continuing to work -- the "database"
> file is encrypted.
>
> Equivalent of being reliant on say gpg continuing to work to decrypt a
> text file or something.
>
>
>

A PGP-signed message, nice. Do you think that there should be a
newsgroup reader for Android?

meff

unread,
Feb 5, 2022, 6:26:14 PM2/5/22
to
On 2022-02-05, Scientific ⚧ <sci...@danwin1210.de> wrote:
> A PGP-signed message, nice. Do you think that there should be a
> newsgroup reader for Android?

An Android newsreader would be fantastic IMO.

The Real Bev

unread,
Feb 5, 2022, 10:52:33 PM2/5/22
to
On 02/05/2022 11:03 AM, Dan Purgert wrote:

> ["Followup-To:" header set to comp.misc.]
> The Real Bev wrote:
>> Does it put a text file containing the passwords on your computer or are
>> you completely reliant on the thing ALWAYS working forever?
>
> No. You're reliant on the software continuing to work -- the "database"
> file is encrypted.

People really are a trusting lot, aren't they?

> Equivalent of being reliant on say gpg continuing to work to decrypt a
> text file or something.

For a while I put the text file on my phone encrypted with some android
encryption facility, but then I removed both. I don't want to depend on
an app for anything important. Much easier to regard my phone as
potential theft-fodder and not keep anything on it but photos, some
e-books, maps, email, various utilities (a LOT of utilities!) etc.
Stuff that I wouldn't actually regard as secret.

--
Cheers, Bev
If you are going to try cross-country skiing,
start with a small country.

gtr

unread,
Feb 6, 2022, 2:27:53 PM2/6/22
to
On Jul 12, 2021 at 1:53:00 AM PDT, "Unbreakable Disease"
<unbre...@secmail.pro> wrote:

> My 50-year old brain isn't capable of memorizing that many passwords
> anymore, so I use KeePassXC. I keep basically everything here including
> my financial passwords and credit card data, with the exception of
> passwords that I would have to remember anyway (full-disk encryption,
> login, primary e-mail passwords, etc.)
>
> Overall, it's much easier to remember and much harder to forget 10
> complicated passwords that you use everyday than 100+ simple passwords
> you use every month or even less.
>
> I can't speak about Windows version of KeePass, because with the
> exception of playing games not available on Macintosh, I haven't used
> one since Windows 95 days.

I have the older version (non-subscription) of 1Password, but also make use of
the keychain password manager and the manager built-in to Safari (I use Safari
on both the mac and the ipad/iphone).

Only lately, when I'm offered a complex "strong password" of gibberish, I take
it. That's working well too.

But I also use a variation on the same password: I selected two capitalized
words (for instance ArchBasket) with a few numbers, 245, then the first two
letters of the intended website, for instance AMazon. Then I use this same
password everywhere, with the exception of those last two letters.
ArchBasket245am, for Powell's books: ArchBasket245po.

It's easy to remember.

Dan Purgert

unread,
Feb 6, 2022, 7:54:51 PM2/6/22
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Scientific ⚧ wrote:
> A PGP-signed message, nice. Do you think that there should be a
> newsgroup reader for Android?

If people find it useful, I'm sure they'd write it. I am ambivalent on
the matter -- I'd just as soon ssh back to a system that has slrn on it.


Dan Purgert

unread,
Feb 6, 2022, 7:57:50 PM2/6/22
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Real Bev wrote:
> On 02/05/2022 11:03 AM, Dan Purgert wrote:
>
>> ["Followup-To:" header set to comp.misc.]
>> The Real Bev wrote:
>>> Does it put a text file containing the passwords on your computer or are
>>> you completely reliant on the thing ALWAYS working forever?
>>
>> No. You're reliant on the software continuing to work -- the "database"
>> file is encrypted.
>
> People really are a trusting lot, aren't they?

I mean, keepass has worked for a decade (or longer). Long as I don't do
something completely daft, I don't see anything wrong with it.

Granted it only "really" keeps website passwords. Worst case, I'll have
to click "Forgot Password" somewhere.

>
>> Equivalent of being reliant on say gpg continuing to work to decrypt a
>> text file or something.
>
> For a while I put the text file on my phone encrypted with some android
> encryption facility, but then I removed both. I don't want to depend on
> an app for anything important. Much easier to regard my phone as
> potential theft-fodder and not keep anything on it but photos, some
> e-books, maps, email, various utilities (a LOT of utilities!) etc.
> Stuff that I wouldn't actually regard as secret.

Sure, but that wasn't the point of the comment I was making.



Siri Cruise

unread,
Feb 6, 2022, 9:21:09 PM2/6/22
to
In article <stp7fn$tn4$1...@dont-email.me>, gtr <x...@yyy.zzz>
wrote:

> But I also use a variation on the same password: I selected two capitalized

merde d'oie.

--
:-<> Siri Seal of Disavowal #000-001. Disavowed. Denied. Deleted. @
'I desire mercy, not sacrifice.' /|\
Discordia: not just a religion but also a parody. This post / \
I am an Andrea Doria sockpuppet. insults Islam. Mohammed

El Kabong

unread,
Feb 7, 2022, 1:16:38 AM2/7/22
to
With the latter system, if someone ever found out your
Powell's password (say, a rogue Powell admin), they might
easily guess your amazon & other passwords from that.

Also, if you should occasionally change a password, what
are you going to change it to? Your system doesn't allow
a lot of variation.

(i keep passwords in an encrypted excel file. Excel
always works, and it's safe for cloud storage.)
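
Added example, not part of any post in this thread: a small audit, run against your own exported entries, that flags the pattern discussed above, where passwords share one base and differ only by a short per-site suffix. The thresholds, function names and every entry other than the two passwords quoted in the thread are assumptions constructed for illustration.

```python
"""Audit a password list for the 'shared base + site suffix' pattern."""

# Constructed sample vault. The first two values are the illustrative
# passwords quoted in the thread; the other entries are made up.
SAMPLE_VAULT = {
    "amazon.com": "ArchBasket245am",
    "powells.com": "ArchBasket245po",
    "example-bank.test": "ArchBasket245ex",
    "forum.example.test": "v7#Lq9!fTz2&Wm4x",
    "mail.example.test": "correct-horse-battery",
}

MIN_BASE = 8    # assumed threshold: a shared prefix this long counts as a base
MAX_SUFFIX = 4  # assumed threshold: the per-site part is at most this long


def common_prefix_len(a, b):
    """Length of the longest common prefix of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def suffix_from_site(site, suffix):
    """True if the per-site suffix is just the leading letters of the site name."""
    return bool(suffix) and site.lower().startswith(suffix.lower())


def find_derived_groups(vault):
    """Group entries whose passwords share a long base and differ by a short tail.

    Sorting by password puts entries with a common prefix next to each other,
    so one pass is enough. Exact reuse (empty tail) lands in a group as well.
    The report carries the base length only, never the base itself.
    """
    clusters = []
    for site, pw in sorted(vault.items(), key=lambda kv: kv[1]):
        if clusters:
            cur = clusters[-1]
            n = common_prefix_len(cur["base"], pw)
            longest = max(len(vault[s]) for s in cur["sites"] + [site])
            if n >= MIN_BASE and longest - n <= MAX_SUFFIX:
                cur["base"] = pw[:n]  # the base may shrink as members join
                cur["sites"].append(site)
                continue
        clusters.append({"base": pw, "sites": [site]})

    report = []
    for c in clusters:
        if len(c["sites"]) < 2:
            continue
        members = []
        for s in c["sites"]:
            suffix = vault[s][len(c["base"]):]
            members.append((s, suffix, suffix_from_site(s, suffix)))
        report.append({"base_len": len(c["base"]), "members": members})
    return report


if __name__ == "__main__":
    for group in find_derived_groups(SAMPLE_VAULT):
        print(f"{len(group['members'])} entries share a {group['base_len']}-char base:")
        for site, suffix, derived in group["members"]:
            note = "suffix taken from site name" if derived else "short suffix"
            print(f"  {site}: +{len(suffix)} chars ({note})")
```

Every entry in a flagged group should be replaced with an independent, randomly generated password, since learning one member of the group reveals most of the others.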

Bob Eager

unread,
Feb 7, 2022, 4:50:56 AM2/7/22
to
I don't keep passwords on my phone.

I use a shell script called 'pass', which is a wrapper round gnupg. I can
get passwords without the wrapper if need be, as long as I remember the
(long) passphrase (which is easy for me to remember, but not for anyone
else to guess).

The Real Bev

unread,
Feb 7, 2022, 5:55:31 PM2/7/22
to
On 02/06/2022 04:57 PM, Dan Purgert wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> The Real Bev wrote:
>> On 02/05/2022 11:03 AM, Dan Purgert wrote:
>>
>>> ["Followup-To:" header set to comp.misc.]
>>> The Real Bev wrote:
>>>> Does it put a text file containing the passwords on your computer or are
>>>> you completely reliant on the thing ALWAYS working forever?
>>>
>>> No. You're reliant on the software continuing to work -- the "database"
>>> file is encrypted.
>>
>> People really are a trusting lot, aren't they?
>
> I mean, keepass has worked for a decade (or longer). Long as I don't do
> something completely daft, I don't see anything wrong with it.

Microsoft has been around longer than that. I actually LIKED win95
almost as much as win3.x (which was really forgiving when you screwed
up). It's gone downhill since then and my last update was 7. I would
hate to be dependent on MS for anything important, which is why I
convert my tax files to pdfs on my linux machine as soon as I finish them.

LinusT doesn't annoy me with unwanted updates :-) Gates et al. can be
really annoying sometimes.

> Granted it only "really" keeps website passwords. Worst case, I'll have
> to click "Forgot Password" somewhere.
>>
>>> Equivalent of being reliant on say gpg continuing to work to decrypt a
>>> text file or something.
>>
>> For a while I put the text file on my phone encrypted with some android
>> encryption facility, but then I removed both. I don't want to depend on
>> an app for anything important. Much easier to regard my phone as
>> potential theft-fodder and not keep anything on it but photos, some
>> e-books, maps, email, various utilities (a LOT of utilities!) etc.
>> Stuff that I wouldn't actually regard as secret.
>
> Sure, but that wasn't the point of the comment I was making.

No, but threads drift. Chris Ilias used to have a serious problem with
that :-)


--
Cheers, Bev
"I'm sorry I ever invented the Electoral College."
Al Gore 11/08/00

The Real Bev

unread,
Feb 7, 2022, 5:57:37 PM2/7/22
to
On 02/06/2022 06:21 PM, Siri Cruise wrote:
> In article <stp7fn$tn4$1...@dont-email.me>, gtr <x...@yyy.zzz>
> wrote:
>
>> But I also use a variation on the same password: I selected two capitalized
>
> merde d'oie.

The American version would be merde de cheval or possibly merde de
poulet, depending on the nature of the merde.

Dan Purgert

unread,
Feb 7, 2022, 8:55:55 PM2/7/22
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Real Bev wrote:
> On 02/06/2022 04:57 PM, Dan Purgert wrote:
>> The Real Bev wrote:
>>> On 02/05/2022 11:03 AM, Dan Purgert wrote:
>>>> ["Followup-To:" header set to comp.misc.]
>>>> The Real Bev wrote:
>>>>> Does it put a text file containing the passwords on your computer or are
>>>>> you completely reliant on the thing ALWAYS working forever?
>>>>
>>>> No. You're reliant on the software continuing to work -- the "database"
>>>> file is encrypted.
>>>
>>> People really are a trusting lot, aren't they?
>>
>> I mean, keepass has worked for a decade (or longer). Long as I don't do
>> something completely daft, I don't see anything wrong with it.
>
> Microsoft has been around longer than that. [...]

I'm honestly not really sure what point you're trying to make here. One
company's longevity (or not) doesn't really directly correlate to
another's (or the length of time software will continue to run).



Siri Cruise

unread,
Feb 7, 2022, 10:21:58 PM2/7/22
to
In article <sts850$dbi$2...@dont-email.me>,
The Real Bev <bashl...@gmail.com> wrote:

> On 02/06/2022 06:21 PM, Siri Cruise wrote:
> > In article <stp7fn$tn4$1...@dont-email.me>, gtr <x...@yyy.zzz>
> > wrote:
> >
> >> But I also use a variation on the same password: I selected two capitalized
> >
> > merde d'oie.
>
> The American version would be merde de cheval or possibly merde de
> poulet, depending on the nature of the merde.

Or the Fountainhead. One of Toohey's disciples uses it in faux
brave nonconformist fashion pretending he is so brave saying
birdshit even though nobody understands him to be outraged. This
contrasts to Roark who would just say birdshit without needing
to outrage or shock.

The Real Bev

unread,
Feb 8, 2022, 12:57:12 AM2/8/22
to
On 02/07/2022 05:55 PM, Dan Purgert wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> The Real Bev wrote:
>> On 02/06/2022 04:57 PM, Dan Purgert wrote:
>>> The Real Bev wrote:
>>>> On 02/05/2022 11:03 AM, Dan Purgert wrote:
>>>>> ["Followup-To:" header set to comp.misc.]
>>>>> The Real Bev wrote:
>>>>>> Does it put a text file containing the passwords on your computer or are
>>>>>> you completely reliant on the thing ALWAYS working forever?
>>>>>
>>>>> No. You're reliant on the software continuing to work -- the "database"
>>>>> file is encrypted.
>>>>
>>>> People really are a trusting lot, aren't they?
>>>
>>> I mean, keepass has worked for a decade (or longer). Long as I don't do
>>> something completely daft, I don't see anything wrong with it.

You've heard of ransomware, right? If my bank gets hacked I know that
they'll eventually straighten everything out, that the FDIC will keep
me from losing a single penny, and that the companies whose bills I pay
on line will understand and forgive.

Not so with a password storage site, which might simply cease to exist.
What would happen then? Would you have to go to each
password-requiring entity and reset your password? I hate doing that
even ONCE, especially when they insist on sending a code to my cell in
addition. What about sites that demand your old password before
allowing you to change it? What if that's an online-only brokerage account?

>> Microsoft has been around longer than that. [...]
>
> I'm honestly not really sure what point you're trying to make here. One
> company's longevity (or not) doesn't really directly correlate to
> another's (or the length of time software will continue to run).

"Past performance does not guarantee future performance."

I have hundreds of passwords, some of which I may not use for years.
The idea of not being able to access them on my own machine without net
-- or specific website -- access seems ridiculous.

Not to mention the danger of hackage of the password-storage website.

--
Cheers, Bev
It doesn't matter who you vote for, the government always gets in.

meff

unread,
Feb 8, 2022, 2:00:45 AM2/8/22
to
On 2022-02-08, The Real Bev <bashl...@gmail.com> wrote:
> Not so with a password storage site, which might simply cease to exist.
> What would happen then? Would you have to go to each
> password-requiring entity and reset your password? I hate doing that
> even ONCE, especially when they insist on sending a code to my cell in
> addition. What about sites that demand your old password before
> allowing you to change it? What if that's an online-only brokerage account?

KeePass doesn't actually need a password storage site. I keep my
KeePass database backed up in my own backups, and the db files are
synced across my devices using Syncthing. My db doesn't ever hit a
"public" cloud and I don't have to trust any third party for access to
it.

Dan Purgert

unread,
Feb 8, 2022, 7:18:18 AM2/8/22
to
Where on earth have you gotten this idea of a "password storage website"
from? KeePass is an application running locally on your PC, no network
communication required.




Rich

unread,
Feb 8, 2022, 9:41:19 AM2/8/22
to
Dan Purgert <d...@djph.net> wrote:
> The Real Bev wrote:
>> Not to mention the danger of hackage of the password-storage
>> website.
>
> Where on earth have you gotten this idea of a "password storage
> website" from? KeePass is an application running locally on your PC,
> no network communication required.

Most likely Bev is mixing up those password managers that store your
passwords "in the cloud" with websites (granted, most of them do have
'websites' for advertising their system).

But there are some password managers where the client that runs locally
stores nothing locally, all storage of everything is in "the cloud"
(and, hopefully, encrypted, but if closed source one just has to take
their word for that if they claim encryption).

Dan Purgert

unread,
Feb 8, 2022, 10:13:12 AM2/8/22
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I looked back, and perhaps Bev misread my comment (I dunno, some
clarification would be nice).

In MID <stmcsl$vgs$1...@dont-email.me>; the question posed was:
| Does it put a text file containing the passwords on your computer
| or are you completely reliant on the thing ALWAYS working forever?

I responded in MID <slrnsvtig...@djph.net>:
| No. You're reliant on the software continuing to work -- the
| "database" file is encrypted.

To be perfectly clear - KeePass does password storage in an ENCRYPTED
file on your machine's local filesystem. There is no "plain text" copy
of your passwords (unless explicitly created by the user).


Eli the Bearded

unread,
Feb 8, 2022, 5:32:57 PM2/8/22
to
In comp.misc, Scientific (she/her) ⚧ <sci...@danwin1210.de> wrote:
> A PGP-signed message, nice. Do you think that there should be a
> newsgroup reader for Android?

Install termux, compile any Unix newsreader you like. I did it with trn,
but only as proof of concept, using it for just a couple of posts.

My preferred method is ssh to Unix host, run tmux, read news in there.
The tmux allows me to easily switch sessions between various devices.
The various devices then don't need a local newsrc.

Termux is my preferred ssh environment on Android, too.

https://f-droid.org/en/packages/com.termux/

Elijah
------
Play store Termux is deprecated

sc...@alfter.diespammersdie.us

unread,
Feb 9, 2022, 2:14:06 PM2/9/22
to
Bob Eager <news...@eager.cx> wrote:
> On Sat, 05 Feb 2022 23:26:13 +0000, meff wrote:
>
>> On 2022-02-05, Scientific ⚧ <sci...@danwin1210.de> wrote:
>>> A PGP-signed message, nice. Do you think that there should be a
>>> newsgroup reader for Android?
>>
>> An Android newsreader would be fantastic IMO.
>
> I don't keep passwords on my phone.

Since KeePass has already been brought up, Keepass2Android makes password
handling nearly as seamless as on the desktop.

--
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( https://alfter.us/ Top-posting!
\_^_/ >What's the most annoying thing on Usenet?