Bitcoin Forum
Author Topic: Remembering all of those passwords without sacrificing security  (Read 2613 times)
Bernard Lerring
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
June 23, 2014, 08:11:21 AM
 #21

I've been a LastPass user for nearly 3 years now. It costs me about $12/year but that's nothing to have peace of mind over my banking and shopping passwords.

I also use a YubiKey for multi factor authentication if I'm away from my own computer. That'll set you back another £25 but it's a neat little gadget.

I'm not saying don't use Keepass, or another free alternative. Just saying LastPass is really good too.

Bernard Lerring
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
June 23, 2014, 08:21:02 AM
 #22

LastPass also lets you back up all of your passwords into a CSV file on your computer, should anything happen to the Web server.

I make a backup about once a month and store the CSV in a password-protected RAR file, using a SHA-256 hash as the password, then shredding the original CSV file.

In the unlikely event that someone gets a copy of my RAR CSV backup, good luck to them trying to brute force a SHA-256 password.

Harley997
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
June 26, 2014, 03:25:20 AM
 #23

Brute force uses a dictionary of words. So use a password with no words. Example: {#.#--#.#}_GLLo--->>69 {Mixture of uppercase and lowercase and symbols and numbers}

But as a previous poster said, if you get keylogged, NO password is strong enough. Or if your webcam is not covered, and your keystrokes streamed via cam and logged, hmmm, well you f$%^.

So cover those cams guys and girls.  Grin

I'm curious about keylogging. What happens if you use a password manager? Like, does it just give hackers "CMD+V or CTRL+V"? Auto form filling?

My password generator is currently set for 23 characters. How long until somebody comes up with something to break that?

-W
In theory an attacker could see what is in your clipboard at that moment in time, and your previous clipboards would likely remain accessible for some amount of time (until the memory is overwritten).

If an attacker is able to install a keylogger then they would likely be able to get your encrypted file containing all of your passwords, so the attacker could simply keylog your password to decrypt your password, then use that to get all of your other passwords.

Bernard Lerring
Sr. Member
****
Offline Offline

Activity: 294
Merit: 250



View Profile
June 26, 2014, 08:18:29 AM
 #24

It's a good idea to get into the habit of refilling your clipboard with a random word from a Web page straight after you've pasted any secure info.

Just double click on "and" or "the" and copy it to overwrite whatever's in the clipboard.

I searched both Windows and Ubuntu clipboard functionality a while ago and as far as I know they only store the last entry you use, IIRC.

Squidoogeek
Member
**
Offline Offline

Activity: 112
Merit: 10


View Profile
June 26, 2014, 06:14:06 PM
 #25

This is why I like the idea of requiring a fingerprint for everything. Theoretically, it should be harder to steal somebody's thumb than to hack most people's passwords, simply because you might steal their money but they might give you a fight if you demand their thumb too. Even so, it might still be a good idea to use 2FA for everything, but at least if you use fingerprints, you won't have to worry about remembering a password.
VeroPossumus
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile
June 27, 2014, 03:24:58 AM
 #26

I use LastPass and have no complaints.
You can also try old-school style, just get a notebook  Tongue
Cicero2.0
Member
**
Offline Offline

Activity: 98
Merit: 10

★☆★Bitin.io★☆★


View Profile
June 27, 2014, 03:40:59 AM
 #27

I actually use a bitcoin address for the really important stuff. It is written down in a paper in my home office. It is kind of a pain to type it each time but I don't log into my banking and credit card stuff very often anyway.

Harley997
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
June 30, 2014, 01:45:43 AM
 #28

This is why I like the idea of requiring a fingerprint for everything. Theoretically, it should be harder to steal somebody's thumb than to hack most people's passwords, simply because you might steal their money but they might give you a fight if you demand their thumb too. Even so, it might still be a good idea to use 2FA for everything, but at least if you use fingerprints, you won't have to worry about remembering a password.
A fingerprint password is really nothing more than a picture of your finger.

Also, since most people touch a lot of things every day, it would not be difficult to simply lift someone's fingerprint after they touch it. If someone were to get a hold of your fingerprints like this then you would have no way of changing your password. When someone figures out your password you can simply change your password.

Nagato4
Hero Member
*****
Offline Offline

Activity: 625
Merit: 500



View Profile
June 30, 2014, 02:41:20 AM
 #29

+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. Smiley

If you lose your credentials to your keepass then you will lose your credentials to everything. If your keepass file somehow gets corrupted or otherwise inaccessible then you will lose access to everything.

You can always write all your passwords down on a piece of paper and place it somewhere which is secure.

That's why it's always good to back up the database from time to time on a cloud like MEGA

Exactly.
You should always back up all your important files (bitcoin wallet, password lists in keepass, etc) as your computer can fail at any second.

InwardContour
Sr. Member
****
Offline Offline

Activity: 644
Merit: 260


View Profile
June 30, 2014, 02:52:26 AM
 #30

+1 for keepass.
It is free, user-friendly, open source, and you can make random strong passwords with it. Smiley

If you lose your credentials to your keepass then you will lose your credentials to everything. If your keepass file somehow gets corrupted or otherwise inaccessible then you will lose access to everything.

You can always write all your passwords down on a piece of paper and place it somewhere which is secure.

That's why it's always good to back up the database from time to time on a cloud like MEGA

Exactly.
You should always back up all your important files (bitcoin wallet, password lists in keepass, etc) as your computer can fail at any second.
Many people look to cloud storage for this. IMO this is a horrible idea as your cloud storage account could get hacked at any time and/or the NSA/government could be snooping around in your private information.
Nagato4
Hero Member
*****
Offline Offline

Activity: 625
Merit: 500



View Profile
June 30, 2014, 03:02:28 AM
 #31

Many people look to cloud storage for this. IMO this is a horrible idea as your cloud storage account could get hacked at any time and/or the NSA/government could be snooping around in your private information.


You should really first encrypt the files (use 7zip for example) before putting them on cloud storage.

InwardContour
Sr. Member
****
Offline Offline

Activity: 644
Merit: 260


View Profile
June 30, 2014, 03:53:04 AM
 #32

Many people look to cloud storage for this. IMO this is a horrible idea as your cloud storage account could get hacked at any time and/or the NSA/government could be snooping around in your private information.


You should really first encrypt the files (use 7zip for example) before putting them on cloud storage.
You have a couple of issues with this.

1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.
Nagato4
Hero Member
*****
Offline Offline

Activity: 625
Merit: 500



View Profile
June 30, 2014, 04:36:29 AM
 #33

1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).
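
Added example, not part of any post in this thread: a Python sketch of the trade-off raised in posts #32 and #33, where a file protected only by a password is as strong as the password rather than the key, and where the key can be recomputed from password and salt instead of being stored on the computer. PBKDF2-HMAC-SHA256 with 600,000 iterations, the hash rate and all function names are assumptions made for the example; the thread does not say which key derivation the tools it mentions use.

```python
import hashlib
import math
import secrets
import string

KEY_BITS = 256        # size of the derived encryption key
ITERATIONS = 600_000  # PBKDF2 work factor assumed for this example

def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def effective_bits(pw_bits: float, iterations: int = ITERATIONS) -> float:
    """Work to open the file, in bits of hash operations: guess the password
    (each guess costs `iterations` hashes) or the key itself, whichever is cheaper."""
    return min(KEY_BITS, pw_bits + math.log2(iterations))

def years_to_search(bits: float, hashes_per_second: float) -> float:
    """Average time to cover half of the search space at a fixed hash rate."""
    return 2 ** (bits - 1) / hashes_per_second / (365.25 * 24 * 3600)

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Recompute the key from password + salt, so no key file has to survive a crash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=KEY_BITS // 8)

def random_password(length: int = 23) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    rate = 1e12  # constructed hash rate for dedicated hardware, not a measurement
    cases = {
        "8 random lowercase letters": password_bits(8, 26),
        "23 random printable characters": password_bits(23, 94),
    }
    for label, bits in cases.items():
        eff = effective_bits(bits)
        print(f"{label}: {bits:.1f} bits, {eff:.1f} with PBKDF2, "
              f"~{years_to_search(eff, rate):.3g} years")

    salt = secrets.token_bytes(16)  # stored next to the ciphertext; it is not secret
    pw = random_password()
    assert derive_key(pw, salt) == derive_key(pw, salt)  # same inputs, same key
```

The entropy figures hold only for passwords generated at random; a memorable phrase of the same length has less entropy than `password_bits` reports.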

Argwai96
Legendary
*
Offline Offline

Activity: 1036
Merit: 1000


Thug for life!


View Profile
June 30, 2014, 04:39:53 AM
 #34

Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. Smiley
validium
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250

Decentralized thinking


View Profile
June 30, 2014, 07:35:48 AM
 #35

Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. Smiley

That's why a service like MEGA is a good option for safe encrypted cloud storage but for extra security you can put your files in a truecrypt container before you upload them.

InwardContour
Sr. Member
****
Offline Offline

Activity: 644
Merit: 260


View Profile
July 01, 2014, 03:12:08 AM
 #36

1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).
If your passwords were valuable enough then an attacker could invent/buy an ASIC-type device that is designed for brute forcing passwords with your type of encryption.
Zebra
Hero Member
*****
Offline Offline

Activity: 612
Merit: 500



View Profile
July 01, 2014, 03:56:40 PM
 #37

1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).
If your passwords were valuable enough then an attacker could invent/buy an ASIC-type device that is designed for brute forcing passwords with your type of encryption.

You could use truecrypt and employ AES-Twofish-Serpent then.
Of course it is still possible to crack all the three algorithms or simply brute-force your long password, but it is highly unlikely IMO.

InwardContour
Sr. Member
****
Offline Offline

Activity: 644
Merit: 260


View Profile
July 03, 2014, 05:30:18 AM
 #38

1 -If the key to decrypt the file is held on your computer then in the event that your computer crashes (all data lost) then you would lose your file.

2 -If all you need is a password to decrypt the file (similar to a brain wallet) then all an attacker would need would be the password instead of the private key. The attacker could simply brute force the password instead of brute forcing the private key to decrypt the file.

True and true.
And so the password I use to encrypt is a very long password (20+ characters, with special characters) that only I know and I am pretty sure I won't forget it ever (as it has some special meaning to me but just random characters to others).
If your passwords were valuable enough then an attacker could invent/buy an ASIC-type device that is designed for brute forcing passwords with your type of encryption.

You could use truecrypt and employ AES-Twofish-Serpent then.
Of course it is still possible to crack all the three algorithms or simply brute-force your long password, but it is highly unlikely IMO.
I would say the trick would be to try to hide the type of encryption being used.
Harley997
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
July 04, 2014, 07:57:14 AM
 #39

Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. Smiley

That's why a service like MEGA is a good option for safe encrypted cloud storage but for extra security you can put your files in a truecrypt container before you upload them.
Using multiple encryption types, that is encrypting an encrypted file can sometimes lead to the inability to decrypt the originally encrypted file as encryption can sometimes make small changes to a file that would normally be unnoticeable but can be the difference between not being able to decrypt and being able to decrypt a file.   

BigMac
Legendary
*
Offline Offline

Activity: 896
Merit: 1000



View Profile
July 04, 2014, 08:41:56 AM
 #40

Cloud storage without encryption is asking for trouble. I prefer to keep my important documents/files closer to home, but if needed, encryption/decryption is as easy as using PGP. Smiley
That's why a service like MEGA is a good option for safe encrypted cloud storage but for extra security you can put your files in a truecrypt container before you upload them.
Using multiple encryption types, that is encrypting an encrypted file can sometimes lead to the inability to decrypt the originally encrypted file as encryption can sometimes make small changes to a file that would normally be unnoticeable but can be the difference between not being able to decrypt and being able to decrypt a file.   

Is that a real risk? I mean, I have read lots of people suggesting to use multiple encryption (like 7zip + truecrypt).
