Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Best way of keeping track of passwords?

Best way of keeping track of passwords? - Page 8

Poll Results: Which Manager do you use?

This is a multiple choice poll
  • 4% of voters (1)
    I voted for more than one Password Manager
  • 41% of voters (10)
    I have more than 15 accounts that use Passwords
  • 0% of voters (0)
    I have less than 15 accounts that use Passwords
  • 41% of voters (10)
    I use LastPass
  • 16% of voters (4)
    I use KeePass
  • 0% of voters (0)
    I use RoboForm
  • 4% of voters (1)
    I use DashLane
  • 0% of voters (0)
    I use DirectPass
  • 4% of voters (1)
    I use both LastPass and KeePass
  • 4% of voters (1)
    I use a Physical and/or Digital documents that needs decryption using a Cipher.
  • 12% of voters (3)
    I use an Algorithm similar to what Plan9 and others have suggested ( Post #9 for Plan9 )
  • 12% of voters (3)
    I Remember each unique password mentally
  • 12% of voters (3)
    Other(s) please specify
24 Total Votes  
post #71 of 128
Quote:
Originally Posted by randomizer View Post

I don't know of any DBMS that allows storing strings of unlimited length,
A lot of SQL DBs these days do support infinitely long text fields (often called 'text'. varchar is obviously the fixed length).
I've not used any NoSQL aside from basic things I've built myself so cannot comment about them.
Quote:
Originally Posted by randomizer View Post

so presuming that a limit is in place a cleartext password that exceeds that limit will either be truncated or will cause the transaction to fail. Hashes are always a fixed length so there's no need to place arbitrary limits on password length if you're not storing the password.
This was the bit I was confused about what you meant, but I was having a complete mind blank and had forgotten that hashes are fixed length.
post #72 of 128
Quote:
Originally Posted by Plan9 View Post

A lot of SQL DBs these days do support infinitely long text fields (often called 'text'. varchar is obviously the fixed length).

Oh right, I completely forgot about those. I haven't used them for about 2 years. I always think in terms of varchar(n).
    
post #73 of 128
LastPass is what I use. They store your database encrypted and they can't decrypt it themselves, based on how they set up the tech. Good service, been using them since I heard it explained on the Security Now podcast.

I will say though that it seems master passwords are limited to non-Unicode characters, as I recently set an account up for a family member and realized that a text app had replaced some ellipsis in the master password that was decided upon with a single Unicode character. Couldn't log back in. Could actually have been some other mix-up, but they do have a way of viewing your database in such situations using an email+local key. Always check you can log back in first.
post #74 of 128
LastPass is a good service but the front end software is a bit second rate.
    
post #75 of 128
Quote:
Originally Posted by randomizer View Post

LastPass is a good service but the front end software is a bit second rate.

Liking v3. Huge improvement UI-wise from v2. Can't speak of the standalone clients, don't use them.
post #76 of 128
Quote:
Originally Posted by Coreda View Post

LastPass is what I use. They store your database encrypted and they can't decrypt it themselves, based on how they set up the tech. Good service, been using them since I heard it explained on the Security Now podcast.

I will say though that it seems master passwords are limited to non-Unicode characters, as I recently set an account up for a family member and realized that a text app had replaced some ellipsis in the master password that was decided upon with a single Unicode character. Couldn't log back in. Could actually have been some other mix-up, but they do have a way of viewing your database in such situations using an email+local key. Always check you can log back in first.

You seem to be contradicting yourself (or I've misunderstood you?)
post #77 of 128
Quote:
Originally Posted by Plan9 View Post

You seem to be contradicting yourself (or I've misunderstood you?)

LastPass stores a copy of the database locally, for each browser that has the addon installed. The database they keep is decrypted using your email+master password hashed, etc, while they only verify that the final hash matches. They do store your email address, obviously.

If you forget your password there's little that can be done, however they store a separate local key per-browser that can be used to view parts of your local-only database, after they send a special email link, and only in the browser the addon has been installed on. Guessing they did this so people didn't feel suicidal after forgetting their master password, but the feature can be disabled in the settings.

Re-reading it I see it looks like I meant 'they' as in, 'they see it'. It's just a local feature.
Edited by Coreda - 4/24/14 at 3:16am
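An added illustration (not from the thread, and not LastPass's own code) of the kind of scheme described in the posts above: the vault key is derived on the client from email + master password, and the server only compares a further hash of it. It also shows how an ellipsis replaced by a single Unicode character, as in post #73, yields a different key. The iteration count, function names and sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import unicodedata

ITERATIONS = 100_000  # assumed work factor, chosen for this example


def derive(email, master_password, normalize=False):
    """Return (vault_key, login_verifier) computed entirely on the client."""
    if normalize:
        # NFKC folds compatibility characters: U+2026 (…) becomes "..."
        master_password = unicodedata.normalize("NFKC", master_password)
    pw = master_password.encode("utf-8")
    salt = email.strip().lower().encode("utf-8")  # email acts as the salt
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    # One further round gives the value the server stores and compares;
    # the vault key itself is never sent.
    verifier = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1).hex()
    return vault_key, verifier


def server_accepts(stored_verifier, presented_verifier):
    """Server side: a constant-time comparison of the final hash only."""
    return hmac.compare_digest(stored_verifier, presented_verifier)


# Constructed sample credentials.
EMAIL = "user@example.com"
AS_AGREED = "blue kettle... 42 lamps"      # three ASCII full stops
AS_PASTED = "blue kettle\u2026 42 lamps"   # one U+2026 from a text app


def lockout_demo():
    """Enrol with the pasted form, then log in by typing the agreed form."""
    _, stored_raw = derive(EMAIL, AS_PASTED)
    _, typed_raw = derive(EMAIL, AS_AGREED)
    _, stored_norm = derive(EMAIL, AS_PASTED, normalize=True)
    _, typed_norm = derive(EMAIL, AS_AGREED, normalize=True)
    return {
        "without_normalization": server_accepts(stored_raw, typed_raw),
        "with_nfkc_both_sides": server_accepts(stored_norm, typed_norm),
    }


if __name__ == "__main__":
    print(lockout_demo())
```

Normalization only helps when it is applied identically at enrolment and at login; NIST SP 800-63B recommends NFKC or NFKD before hashing for this reason.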
post #78 of 128
Quote:
Originally Posted by Coreda View Post

Liking v3. Huge improvement UI-wise from v2. Can't speak of the standalone clients, don't use them.

v3 looks prettier but it behaves much the same if you exclude the contextual popup that appears when clicking the LastPass logo on a login form field. I think that popup is clunky, especially since it adds a second password generation form that does exactly the same thing as the old one but with a more buggy UI.

The Android application is horrible. The browser is slow and for whatever reason it doesn't work properly with the swipe capabilities of the newer Google Keyboard versions. It tends to move the caret all over the place and you end up with words inside other words, words completely replaced and a whole lot of wasted time. Fortunately the mobile Firefox extension is simple enough that its limited feature set behaves adequately (although it wasn't working at all when I first tried it, hence why I was stuck with the awful LastPass application).
    
post #79 of 128
Quote:
Originally Posted by Plan9 View Post

That's not strictly true.

A pass phrase of 6 words still has more entropy than a 12 character randomly generated password from a 70 character pool (upper/lower case, numbers and 8 symbols)
Code:
$ calc "17000^6"
        24137569000000000000000000
$ calc "70^12"
        13841287201000000000000

That's using a relatively small dictionary of just 17000 words too (approx the amount of English words in common use). Once you start adding non-English, uncommon words and l33t spk, that dictionary will grow exponentially.

The problem with pass phrases is that you'd need a unique one for each web site, and then remembering all of them might require a password store anyway.

As for the dictionary attacks you mentioned earlier, those are generally used to crack shorter passwords (maybe only 2 or 3 words, usually less) rather than lengthy pass phrases. And those dictionaries contain common passwords. So like with randomly generated passwords, the key to a secure pass phrase is length.

As for sites cropping password strings, I've not heard of any that do this, but it wouldn't surprise me at all. It's retarded enough that a lot of sites have an upper character limit on passwords - silently cropping the string seems almost to be expected from those kinds of idiots.
Random passphrases will work but the majority of passphrases are most definitely not random. That's what I really meant.


Even worse than truncating.... The LM hash used by XP applied UPPER to the password.
ThIsIsmYPasSwoRd => THISISMYPASSWORD



Quote:
Originally Posted by Dctr View Post

I'm just wondering how secure a password like that would be? How hard it would be to crack?
It would be virtually impossible until quantum computers..... unless.... there are patterns, reduced character spaces, or a weak password storage process.

The trick is to figure out how to attack and just do pure brute-force.
Quote:
Originally Posted by randomizer View Post

The Android application is horrible. The browser is slow and for whatever reason it doesn't work properly with the swipe capabilities of the newer Google Keyboard versions. It tends to move the caret all over the place and you end up with words inside other words, words completely replaced and a whole lot of wasted time. Fortunately the mobile Firefox extension is simple enough that its limited feature set behaves adequately (although it wasn't working at all when I first tried it, hence why I was stuck with the awful LastPass application).

The new version of LastPass is actually awesome. You don't have to retrieve PWs from the app. It runs as a service and pops up when it detects you are on a site with a saved password. I believe it is browser independent now.
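An added worked example (not part of any post) that puts the numbers quoted in the post above into bits and shows what the LM upper-casing does to a random password. It goes slightly beyond the post by also modelling two other well-known LM properties: input is limited to 14 characters and is hashed as two independent 7-character halves. The function names and the sample password are assumptions, and the DES step of LM is left out.

```python
import math

POOL = 70             # the thread's pool: 26 lower + 26 upper + 10 digits + 8 symbols
POOL_UPPER = 70 - 26  # same pool once lower case is folded into upper case
WORDS = 17000         # the thread's dictionary size


def bits(choices, length):
    """Entropy in bits of `length` independent, uniformly random picks."""
    return length * math.log2(choices)


def lm_prepare(password):
    """Input preparation LM performs before hashing (the DES step is omitted)."""
    if len(password) > 14:
        raise ValueError("LM only covers passwords of up to 14 characters")
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]  # each half is hashed on its own


def lm_search_bits(length):
    """Work to cover every LM input of `length` chars; halves are independent."""
    first, second = min(length, 7), max(length - 7, 0)
    return math.log2(POOL_UPPER ** first + POOL_UPPER ** second)


def summary():
    """Search space in bits for each case, assuming truly random selection."""
    return {
        "passphrase_6_words": round(bits(WORDS, 6), 1),
        "random_12_chars": round(bits(POOL, 12), 1),
        "random_12_chars_under_lm": round(lm_search_bits(12), 1),
    }


if __name__ == "__main__":
    print(summary())
    # Constructed sample: two differently cased passwords collapse to one input.
    print(lm_prepare("PasSwoRd2014!") == lm_prepare("password2014!"))
```

The bit counts hold only when every word or character is picked uniformly at random, which is the caveat raised in the reply about non-random passphrases.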
post #80 of 128
Quote:
Originally Posted by DuckieHo View Post

Random passphrases will work but the majority of passphrases are most definitely not random. That's what I really meant.


Even worse than truncating.... The LM hash used by XP applied UPPER to the password.
ThIsIsmYPasSwoRd => THISISMYPASSWORD
It would be virtually impossible until quantum computers..... unless.... there are patterns, reduced character spaces, or weak password storage process.

The trick is to figure out how to attack and just do pure brute-force.
The new version of LastPass is actually awesome. You don't have to retrieve PWs from the app. It runs as a service and pops up when it detects you are on a site with a saved password. I believe it is browser independent now.
Yes it is, it is entirely based on an extension.