Sexploitation Email
Comments
-
The one I use (1Password) checks your passwords against breaches and warns you against duplicates and not using two-factor auth.
Now all my passwords are things like BbmgoPF=jdzqaMuZ@vx7xU instead of Fido1970.
So what happens if your 1Password installation gets corrupted by a hard drive error, and you re-install the software?
-
So what happens if your 1Password installation gets corrupted by a hard drive error, and you re-install the software?
Your files are all stored in 1Password's cloud* so nothing happens. You can get 1Password through the browser, on your phone or as a desktop app. Data syncs locally but even if you only use it on one device hard drive failure is not something you need to worry about.
*Your files are stored encrypted and even 1Password cannot access your data so you're stuck if you forget your credentials — but that's part of the security. The files are downloaded and decrypted locally so nothing sensitive ever leaves your device or computer.
The security is like iCloud keychain but developed in such a way that it's much more usable.
-
If anyone would like to know more about how password managers work feel free to ask! As I said before I regard it as an essential now. Much better than keeping everything in a password-protected Word doc.
Well seeing as you asked :D
I must have 50 or 60 various logons. Would I have to initially change the password to every single one whilst setting it up?
I also have numerous usernames for various logons, does 1password remember them as well?
What about online banking etc where you also get asked your memorable name, your 1st pet or your Grannie's favorite drink - Does it cope with that?
-
I must have 50 or 60 various logons. Would I have to initially change the password to every single one whilst setting it up?
No, your passwords can be anything. It will warn you if the strength is too low or if you use them elsewhere though. I added everything and then slowly went through and updated them all, starting with the ones I was most protective about first.
I also have numerous usernames for various logons, does 1password remember them as well?
Yes. You can really store anything in there but there are preset storage types to make things easier.
https://imgur.com/a/gMw0xC2
You can get a browser plugin for Safari and Chrome. When you have a login you also store a web address. If you were, for example, a social media guru and had 100 client Twitter accounts, when you're on twitter.com and you click the 1Password button it will show you all the logins and you pick one and it fills it out for you. An easier way is to open up 1Password, search for the login you want and click a button and it will open the site up for you and fill out the details.
The browser extensions also listen out for new and changed logins and prompt to save and update where appropriate. The browser plugins really are excellent and a massive time saver.
What about online banking etc where you also get asked your memorable name, your 1st pet or your Grannie's favorite drink - Does it cope with that?
Good question. I have banking details stored in there but I have never tried it with one of those logins where it asked you to enter certain characters from a phrase. I've always done these manually since you need to generate a code from your device and 1Password can't do this. So, sorry, I can't really answer that one other than you can store the banking details but I don't know about auto-fill.
You can store any additional fields per entry you like so with banking you can store all the security questions and login codes you like.
-
Personally I don't think you really need to use password managers. All my most important accounts have some kind of two factor authentication on them which is far more secure than using a complex password from a password manager.
Even with a password manager a third party could still log into that site if they got your password, with 2FA they can't log in even with your password.
I still use a unique password for each site but I use a sort of code which means I can have a unique password for each site but remember what it is.
-
TLDR: 2FA is secure but a password manager still offers benefits.
Personally I don't think you really need to use password managers.
Not all sites support 2FA although, yes, most “important” ones do.
Even with a password manager a third party could still log into that site if they got your password, with 2FA they can't log in even with your password.
That misses the whole point of it though. You put all your eggs in the basket of the password manager, which has been designed by security experts to be safe.
The passwords generated by 1Password are cryptographically secure — as close to random as you can get (there really is no such thing as a random number). In spite of how good you think your system is humans are terrible at creating random data. In practical terms a cryptographically secure password, so long as it's entropic (unpredictable) enough, can be considered unbreakable for practical purposes.
So, you rightly identify the weakest point in the system as “if they got your password”. Password managers are set up so that no one can get your passwords — unless you're really negligent. If your system can be remembered by you then it is by definition insecure. What you're doing is probably a lot better than most people but a cryptographer could mathematically and objectively demonstrate why a unique cryptographically secure password per-site is more secure than you trying to create your own memory-based system.
It's not a dig at you because that you have thought of a system and are using unique passwords puts you well ahead of most people, who add their date-of-birth to their pet's name and use it for everything across the board. What I'm saying is that your system replaces the need of a password manager is not true.
Is your system secure enough? Maybe. Most people aren't targeted and hackers tend to go for low-hanging fruit per my pet name-DOB example so unless you're an Edward Snowden type it's unlikely you'll ever have any problems. You are missing out on the convenience aspect though.
All my most important accounts have some kind of two factor authentication on them which is far more secure than using a complex password from a password manager. Even with a password manager a third party could still log into that site if they got your password, with 2FA they can't log in even with your password.
But why not do both? Password managers are about security and convenience. You never need forget anything again and you know that you are using a very, very high level of security. Once you use a password manager there is no gain to using a memorable password. And not all sites use 2FA and in the event of a hack if the site in question uses dubious password hashing techniques then you are still likely to be safe if you used a cryptographically secure password. A 128-bit AES key (similar to a good cryptographically secure password) would take 2,158,000,000,000 years to brute force (the age of the universe by comparison is 13,799,000,000).
-
Hardly a problem - you simply apply the algorithm repeatedly until the time taken on most systems is still short enough to not inconvenience a genuine user but long enough to make life difficult to an attacker performing brute force attacks.
a hashing algorithm designed to be fast — a bad thing in password hashing and encryption
-
I didn't think MD5 had actually been cracked as such, but being a fast hashing algorithm and also one that is readily available, rainbow tables with billions of entries are basically now in existence.
https://project-rainbowcrack.com/table.htm
-
But why not do both? Password managers are about security and convenience. You never need forget anything again and you know that you are using a very, very high level of security. Once you use a password manager there is no gain to using a memorable password. And not all sites use 2FA and in the event of a hack if the site in question uses dubious password hashing techniques then you are still likely to be safe if you used a cryptographically secure password. A 128-bit AES key (similar to a good cryptographically secure password) would take 2,158,000,000,000 years to brute force (the age of the universe by comparison is 13,799,000,000).
But even the most basic websites these days will have a Captcha system that prevents brute force attacks to guess my password. So in reality how long it takes to brute force is only relevant if the website has already been compromised. If they then go onto brute force and get my password they will only have it for that website which they will have already had access to the data during the hack.
So the risk is quite low unless you're an individual that is likely to be targeted.
If I didn't access some of my accounts from devices that I can't install a password manager on then I might consider it. But at the moment it would inconvenience me for very few benefits.
-
Hardly a problem - you simply apply the algorithm repeatedly until the time taken on most systems is still short enough to not inconvenience a genuine user but long enough to make life difficult to an attacker performing brute force attacks.
No, no, no, no! It's that kind of misinformation that leaks data in the first place. Never use MD5 or SHA* for password hashing. Even with millions of rounds it's still no good since you can use GPUs to brute-force.
Use bcrypt since it forces you to use a salt and it is designed such that GPUs don't really help you.
MD5 is built for speed and better used for checksums. Never use it for security.
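The contrast argued over in the last few posts (fast unsalted MD5 and precomputed tables versus a salted, deliberately slow hash), as an added Python example that is not part of any post in the thread. It uses scrypt from Python's standard library as a stand-in for the bcrypt recommended above; the common-password list, the cost settings and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample: a tiny stand-in for a precomputed table of common passwords.
COMMON = ["password", "123456", "qwerty", "Fido1970"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

# scrypt cost settings (assumed values for illustration; tune to your hardware).
N, R, P = 2**14, 8, 1


def md5_store(password):
    """Weak scheme from the thread: fast and unsalted, same input -> same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def table_lookup(md5_hex):
    """Recover a password from an unsalted hash if it is in the table, else None."""
    return MD5_TABLE.get(md5_hex)


def kdf_store(password):
    """Salted, memory-hard hash: a fresh random salt makes every record unique."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return salt, digest


def kdf_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return hmac.compare_digest(candidate, digest)


def generate_password(length=22):
    """Password-manager style random password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "=@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(table_lookup(md5_store("Fido1970")))           # weak password, unsalted MD5
    print(table_lookup(md5_store(generate_password())))  # random password, unsalted MD5
    salt, digest = kdf_store("Fido1970")
    print(kdf_verify("Fido1970", salt, digest))
```

Two stored records for the same password differ under `kdf_store` because each gets its own salt, so a table built once cannot be reused across accounts.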