Author Topic: Password Manager  (Read 4635 times)

Offline mac

Re: Password Manager
« Reply #15 on: April 04, 2018, 08:36:35 pm »
 :P
Peppermint: Standing Out from the Cloud
Reg. Linux User #432835

Offline grafiksinc

Re: Password Manager
« Reply #16 on: April 05, 2018, 09:06:30 am »
Personally I use KeePassX, been using it for a few years now.
It has worked well, the only annoyance for me is you always need to make sure you sync your database across your computers, i.e. desktop vs laptop, in a manual way...

Offline perknh

Re: Password Manager
« Reply #17 on: April 05, 2018, 11:50:33 am »
Quote
> Personally I use KeePassX, been using it for a few years now.
> It has worked well, the only annoyance for me is you always need to make sure you sync your database across your computers, i.e. desktop vs laptop, in a manual way...

I've been using Encryptr from SpiderOak for quite a while now.  The only site Encryptr has had a problem loading is Outlook from Microsoft.  My Outlook page NEVER loads within Encryptr, so my Outlook account password is one of the few passwords I've had to memorize. :-[
We're all Peppermint users and that's what matters  ;).  -- AndyInMokum

Offline grafiksinc

Re: Password Manager
« Reply #18 on: April 05, 2018, 07:07:29 pm »
hmmm... I wonder though.... are those cloud based password managers safe you think? :-\
KeePassX it is not perfect but it is a local tool.... can make it harder to get to for unauthorized peeps.......

Offline christianvl

Re: Password Manager
« Reply #19 on: April 05, 2018, 10:12:03 pm »
Hum... you'll probably call me crazy... but I do use BitWarden to manage my passwords  :o

I do have 2FA activated for it and I have to type in my master password every single time I log in. I trust it more than native browser managers or LastPass (and it allows me to port my passwords to different browsers).

As a side note, it looks like Firefox master password had a security flaw going on for nine years!  >:(

https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/

 
There are neither beginnings nor endings to the turning of the Wheel of Time. But it was a beginning.

Online PCNetSpec

Re: Password Manager
« Reply #20 on: April 06, 2018, 10:27:08 am »
Before anyone panics, the Firefox master password weakness would require local access and some (possibly considerable) time to brute force the hash, so is more of a 'weakness' or 'area for improvement' rather than a 'flaw' .. given time and computing power even something stronger than SHA-1 would ultimately be crackable, so it's really just a matter of degree.

Personally if I had my computer stolen I'd consider ALL passwords compromised no matter what the encryption used.

ANY kind of encryption just makes things 'difficult', not 'impossible'.
« Last Edit: April 06, 2018, 10:31:04 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
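
The "matter of degree" point in the reply above can be put in numbers. This is an added example, not part of the original posts and not Firefox's code: one salted SHA-1 pass stands in for a fast hash and PBKDF2-HMAC-SHA256 for a deliberately slow one; the function names, the 200,000 iteration count and the sample password sizes are assumptions.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def fast_hash(password: bytes, salt: bytes) -> bytes:
    # Stand-in for an unstretched hash: one salted SHA-1 pass per guess.
    return hashlib.sha1(salt + password).digest()

def stretched_hash(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    # Key stretching: PBKDF2 repeats HMAC-SHA256 `iterations` times per guess.
    # 200,000 is an assumed value chosen for illustration.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def seconds_per_guess(fn, trials: int) -> float:
    # Average wall-clock cost of one verification on this machine.
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        fn(b"candidate-%d" % i, salt)
    return (time.perf_counter() - start) / trials

def keyspace(alphabet_size: int, length: int) -> int:
    # Number of possible passwords of exactly `length` symbols.
    return alphabet_size ** length

def years_to_exhaust(space: int, secs_per_guess: float, workers: int = 1) -> float:
    # Worst case (every candidate tried); the average case is half of this.
    return space * secs_per_guess / workers / SECONDS_PER_YEAR

def compare(alphabet_size: int = 26, lengths=(8, 12, 16)) -> dict:
    # Measure both hashes, then project the cost over several password lengths.
    fast = seconds_per_guess(fast_hash, 20_000)
    slow = seconds_per_guess(stretched_hash, 5)
    rows = {}
    for n in lengths:
        space = keyspace(alphabet_size, n)
        rows[n] = (years_to_exhaust(space, fast), years_to_exhaust(space, slow))
    return {"slowdown": slow / fast, "years": rows}

if __name__ == "__main__":
    result = compare()
    print(f"stretched hash costs {result['slowdown']:,.0f}x more per guess")
    for n, (fast_y, slow_y) in result["years"].items():
        print(f"{n} lowercase letters: {fast_y:.3g} y fast, {slow_y:.3g} y stretched")
```

The absolute figures are for one CPU core in Python and understate dedicated hardware; the ratio between the two hashes and the growth with password length are what carry over.
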

Offline christianvl

Re: Password Manager
« Reply #21 on: April 06, 2018, 10:47:48 am »
Quote
> Before anyone panics, the Firefox master password weakness would require local access and some (possibly considerable) time to brute force the hash, so is more of a 'weakness' or 'area for improvement' rather than a 'flaw' .. given time and computing power even something stronger than SHA-1 would ultimately be crackable, so it's really just a matter of degree.

Thank you very much for the explanation.

Quote
> Personally if I had my computer stolen I'd consider ALL passwords compromised no matter what the encryption used.
>
> ANY kind of encryption just makes things 'difficult', not 'impossible'.

Totally agree.

Online PCNetSpec

Re: Password Manager
« Reply #22 on: April 06, 2018, 11:04:14 am »
Yeah hopefully (should you have your computer stolen) any attempt to crack even SHA-1 would give you 'enough' time to change your passwords before they'd been decrypted.

And change them you should, as quickly as possible .. no matter the encryption ;)

I don't think Mozilla ever expected anyone to consider the master password hash fully secure, just that it should give you a little breathing space.
(that said there are stronger hashes, so it would be nice if you used them Mozilla .. if you're reading this)
« Last Edit: April 06, 2018, 11:09:50 am by PCNetSpec »

Offline christianvl

Re: Password Manager
« Reply #23 on: April 06, 2018, 11:31:46 am »
Quote
> And change them you should, as quickly as possible .. no matter the encryption ;)
>
> I don't think Mozilla ever expected anyone to consider the master password hash fully secure, just that it should give you a little breathing space.
> (that said there are stronger hashes, so it would be nice if you used them Mozilla .. if you're reading this)

I'm sure they will. It looks like they'll release a password manager too.

And yet, it's never too much to remember to have 2FA enabled when possible.

Offline tetricky

Re: Password Manager
« Reply #24 on: April 13, 2018, 04:45:03 pm »
Quote
> hmmm... I wonder though.... are those cloud based password managers safe you think? :-\
> KeePassX it is not perfect but it is a local tool.... can make it harder to get to for unauthorized peeps.......

I too use keepassX.

I store the database on Dropbox, and store the keyfile on Gmail. When connecting a new device, I connect to those two sources and supply the passphrase. Saving the database syncs to all the devices I have connected (because the Dropbox syncs).

I also save local copies of the database and keyfile for backup purposes.

I use long secure passwords, that I couldn't type in with my eyes, or more pertinently with a phone keyboard.

Online PCNetSpec

Re: Password Manager
« Reply #25 on: April 13, 2018, 05:12:24 pm »
Okay I'm intrigued .. how do you type in a password with your eyes  ???

And does it hurt (considering they're long) ? .. I gave it a go and I'm now half blind after just the first character ;)
« Last Edit: April 13, 2018, 05:16:27 pm by PCNetSpec »

Offline christianvl

Re: Password Manager
« Reply #26 on: April 13, 2018, 06:07:15 pm »
Quote
> Quote
> > hmmm... I wonder though.... are those cloud based password managers safe you think? :-\
> > KeePassX it is not perfect but it is a local tool.... can make it harder to get to for unauthorized peeps.......
>
> I too use keepassX.
>
> I store the database on Dropbox, and store the keyfile on Gmail. When connecting a new device, I connect to those two sources and supply the passphrase. Saving the database syncs to all the devices I have connected (because the Dropbox syncs).
>
> I also save local copies of the database and keyfile for backup purposes.
>
> I use long secure passwords, that I couldn't type in with my eyes, or more pertinently with a phone keyboard.

I was always curious about that… when you copy your passwords to your clipboard, isn't it more susceptible to some "hack"? Or the passwords are always encrypted, even when passing through the clipboard?

Offline tetricky

Re: Password Manager
« Reply #27 on: April 14, 2018, 06:25:51 am »
Quote
> I was always curious about that… when you copy your passwords to your clipboard, isn't it more susceptible to some "hack"? Or the passwords are always encrypted, even when passing through the clipboard?

I'm not a security expert, but I don't think that the (local device) clipboard is any less secure than the (local device) event devices...in fact we surely know that "key loggers" are a thing. At some point you have a local device, and entering a password. Unless you ssh with a public/private key. Which is a good idea...but the local device has your key. At some level you just have to have local device security...and we don't really.....I don't know a single person who has ever personally vetted every piece of code that runs on their machine. At some level there is trust, and society relies on building on the shoulders of other people's achievements. Take away trust and we are back to hunter gathering, and throwing spears at each other. Assuming we know how to make a spear. The local device is generally the weakest link in the chain. It generally has a password that can be cracked (it tends to be something that people can remember and type in, or there tends to be bits of paper around with it written on - try under the keyboard). With local access passwords can be reset. If you have granted access to someone, on various systems, it's best to withdraw their access credentials before that messy meeting where you both part company antagonistically (or indeed know your staff well enough to see disquiet coming - most damage is done by legitimately authenticated users).

So, physical security for local devices...and good practices....and the ability to trash and burn if the machine becomes compromised (or there's a suspicion of it). Generally a secure, encrypted password manager helps, rather than hinders in these situations (put things you need for a setup in the keepassX database, re-install, harden, install password manager, setup machine). One of the reasons that I am an open source advocate is that *someone* *might* have vetted the code. Anyone can.

Quote
> Okay I'm intrigued .. how do you type in a password with your eyes  ???
>
> And does it hurt (considering they're long) ? .. I gave it a go and I'm now half blind after just the first character ;)

You little minx.  Clearly I have expressed myself badly.

I have eyesight that is good (once corrected) into the distance. Unfortunately I can't easily focus within the range of my arms. This, coupled with phone keyboards' tendency to garble even correctly typed passwords (I need auto-correct generally, but it doesn't help with passwords), and hidden password characters, means that if a password is *secure enough* I can rarely type it in correctly - and I need it written somewhere, because those babies are not memorable. The deal I've done with the devil is a password manager. YMMV.

Online PCNetSpec

Re: Password Manager
« Reply #28 on: April 14, 2018, 07:04:05 am »
I'm not sure where the clipboard comes into this (unless maybe on multiseat systems, where it's set to save a plain text log).

Remotely I can't see how the clipboard comes into the equation .. unless I'm missing your point ? or you suspect it's somehow leaking onto the network ?

For someone with local access to a machine that was left running .. okay it may be possible for them to dump stuff from memory but...

And as I've said before .. if someone has local access, the machine isn't secure (even with full disk encryption which only makes it 'more difficult' to crack, not impossible).

ALL system security models and efforts are just about 'degree of difficulty' and will at some point ALWAYS be proven vulnerable where they were incorrectly considered 100% attack proof .. especially from someone with local access.

Quote
> You little minx.  Clearly I have expressed myself badly.

Sorry couldn't resist .. I'm weak and impulse led, I know :))
« Last Edit: April 14, 2018, 07:10:26 am by PCNetSpec »

Offline christianvl

Re: Password Manager
« Reply #29 on: April 14, 2018, 07:43:06 am »
Quote
> I'm not sure where the clipboard comes into this (unless maybe on multiseat systems, where it's set to save a plain text log).
>
> Remotely I can't see how the clipboard comes into the equation .. unless I'm missing your point ? or you suspect it's somehow leaking onto the network ?
>
> For someone with local access to a machine that was left running .. okay it may be possible for them to dump stuff from memory but...
>
> And as I've said before .. if someone has local access, the machine isn't secure (even with full disk encryption which only makes it 'more difficult' to crack, not impossible).
>
> ALL system security models and efforts are just about 'degree of difficulty' and will at some point ALWAYS be proven vulnerable where they were incorrectly considered 100% attack proof .. especially from someone with local access.
>
> Quote
> > You little minx.  Clearly I have expressed myself badly.
>
> Sorry couldn't resist .. I'm weak and impulse led, I know :))

I was thinking about someone using a local password manager and typing the passwords on a "ctrl + c; ctrl + v", especially with longer and harder to type passwords.

Isn't the password copied to the clipboard?  Is that stored in plain text?

I'll look more into this subject.