Author
|
Topic: Useless Conversation (Read 4176257 times)
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Speaking of password keepers.
Any free ones that are more streamlined than that? That seems to have a lot of features for a more advanced user. Looking for something straightforward, simple, and not feature bloated (No need for Import/export features and such).
|
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
It's pretty much as streamlined as you get. The thing is less than 2 megs and has no registry footprint so you can copy the directory around if you need to.
Absolute basic usage is to open the thing up, create a new database with a long master passphrase, then for each website/program right click, add entry. It autogens a password for you, just type in a description and your username. Hit OK, or hit tools and select the open window if you want to set up autotype. Hit CTRL-C to copy the pass, paste it in the password box.
It's also got plugins for all the popular browsers to emulate/replace their internal password storage.
|
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Can your grandmother use it? ( Obviously assuming your grandmother does not work in IT :) )
|
|
|
|
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
|
You might be looking for something besides a password manager.
|
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
You might be looking for something besides a password manager.
Like what? I just want something I can keep all usernames and passwords in, and unlock with a single password to copy and paste when needed.
|
|
|
|
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
|
Sure, but if you want Grandma to be able to use it, I'll suggest a spiral-bound notepad hidden under a bowl of lemon drops.
|
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
A coworker uses lastpass, how's that look?
|
The past cannot be changed. The future is yet within your power.
|
|
|
HaemishM
Staff Emeritus
Posts: 42666
the Confederate flag underneath the stone in my class ring
|
Wow, ok, I am usually a little better at geography than that.
Yea, to be honest Alabama is one of those states I sort of forget exists and just kind of mentally merge with its neighbours. In general, that's way easier than remembering all of them.
Alabama is right "next-door" to my state of Mississippi, and I try to forget it exists as much as possible.
|
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
LastPass is pretty much KeePass + Dropbox. It was created by an old coworker of mine (Joe) and so I of course highly recommend it. It doesn't have as many plugins like the putty thing I was talking about last page, but it has a few cool features like the online password vault. Really, pick ANY password manager, just as long as you pick one and use it. Just do it.
|
|
|
|
cmlancas
Terracotta Army
Posts: 2511
|
Can someone extol the virtues of a password manager for those who have never considered using one? I didn't even know these existed before this thread.
|
f13 Street Cred of the week: I can't promise anything other than trauma and tragedy. -- schild
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
Can someone extol the virtues of a password manager for those who have never considered using one? I didn't even know these existed before this thread.
It prevents password reuse and you having to remember a million passwords, so that if one of your random accounts gets hacked, they don't have access to your entire life. It also makes it easy to have auto expiring passwords / passwords that you change every 90 days for work / insane password requirements / other random weirdness. It prevents the perpetual "Password reset" emails you have to go through when you log into something once a year and forgot what password you use. I have literally a hundred entries at this point and I have only been using it for a year. I really don't know how I went without it for so long. Basically, you only have to remember one master passphrase and it uses that to gain access to any number of other passwords that are strung off of it that you either enter manually or have randomly generated for you. The downside is that you (obviously) need access to this master file and the program to decrypt it, but the workaround for that is variable - everything from storing the file on your google drive to having it on your smartphone, or a company like lastpass which does all that for you and has a nice web browser login thing, so that if you can hit the internet, you have access to your passwords.
|
|
|
|
IainC
Developers
Posts: 6538
Wargaming.net
|
Can someone extol the virtues of a password manager for those who have never considered using one? I didn't even know these existed before this thread.
So the normal problem with being connected is that you have a lot of passwords to remember. You have some which are pretty important and some which aren't. If you're most people you are probably using the same password or at least a very small number of passwords everywhere because otherwise you'd never remember the random 16 digit alphanumeric string that you're using for only one particular service. The chances are that a password you can easily remember is also not very secure. Basically security and convenience are not reconcilable if you have to remember your passwords for every system that you use. A password manager has the advantage that you don't have to remember any passwords. In fact, in most cases you won't even know what your password for a particular service is, but, if you need to get it for some reason (logging in from a new device, need to change some settings that require you to input the old one first, etc) then you can easily retrieve it. Plus when the Russian goatporn sites that you visit get hacked and the email address and password tables get turned over, they won't immediately be able to log in as you to Amazon, Steam, battle.net, Paypal, your email and your bank.
|
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Sure, but if you want Grandma to be able to use it, I'll suggest a spiral-bound notepad hidden under a bowl of lemon drops.
lol, point. But I was using "Can grandma use it" as to ask if the program has a drop of usability in its design. KeePass does not seem to fit that bill. It's "Programmer" level of "Good usability" from what I can see.
|
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
lol, point. But I was using "Can grandma use it" as to ask if the program has a drop of usability in its design. KeePass does not seem to fit that bill. It's "Programmer" level of "Good usability" from what I can see.
This is particularly funny coming from a (ex?) Wurm developer and lover of weird (read: horrible) indie games. Yes, you have to learn a new program. No, it's not overly obtuse and millions of people use it every day. No, obstinate or belligerently anti-tech people aren't going to learn how to use it. It's similar to using an unfamiliar word processor or email program, not opening photoshop for the first time.
|
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
lol, point. But I was using "Can grandma use it" as to ask if the program has a drop of usability in its design. KeePass does not seem to fit that bill. It's "Programmer" level of "Good usability" from what I can see.
This is particularly funny coming from a (ex?) Wurm developer and lover of weird (read: horrible) indie games.
I actively tried to change the UI's usability during my time there! Complete with attempting to use a real markup, and not one they created, that's all sent from the server (Yes, all of it). So, wrong guy there on that. I used the same phrase internally during discussions :) I need something that does not look like an FTP client. Anyway, thanks for the suggestions. I think.
|
|
« Last Edit: August 10, 2012, 10:39:37 AM by Mrbloodworth »
|
|
|
|
|
cmlancas
Terracotta Army
Posts: 2511
|
Can someone extol the virtues of a password manager for those who have never considered using one? I didn't even know these existed before this thread.
So the normal problem with being connected is that you have a lot of passwords to remember. You have some which are pretty important and some which aren't. If you're most people you are probably using the same password or at least a very small number of passwords everywhere because otherwise you'd never remember the random 16 digit alphanumeric string that you're using for only one particular service. The chances are that a password you can easily remember is also not very secure. Basically security and convenience are not reconcilable if you have to remember your passwords for every system that you use. A password manager has the advantage that you don't have to remember any passwords. In fact, in most cases you won't even know what your password for a particular service is, but, if you need to get it for some reason (logging in from a new device, need to change some settings that require you to input the old one first, etc) then you can easily retrieve it. Plus when the Russian goatporn sites that you visit get hacked and the email address and password tables get turned over, they won't immediately be able to log in as you to Amazon, Steam, battle.net, Paypal, your email and your bank.
So tl;dr: no more goatporn? K. But @bhodi and @IainC, thanks. :)
|
f13 Street Cred of the week: I can't promise anything other than trauma and tragedy. -- schild
|
|
|
Hammond
Terracotta Army
Posts: 637
|
LastPass is pretty much KeePass + Dropbox. It was created by an old coworker of mine (Joe) and so I of course highly recommend it. It doesn't have as many plugins like the putty thing I was talking about last page, but it has a few cool features like the online password vault. Really, pick ANY password manager, just as long as you pick one and use it. Just do it.
LastPass weirds me out. You are relying upon a service where you can store your passwords in the cloud. While conceptually it sounds like a great idea you are introducing yet another layer of potential failure out there. Who is to say the provider does not get hacked in some manner and then start capturing your passwords? I have seen far too many websites hacked in the last few years to even consider storing my personal information in the cloud like that. Personally I am not a big fan of all my eggs in one basket. Not that remembering the 40 odd passwords I have to deal with on a regular basis is very easy.... Just look what happened with the wired.com guy last week connecting everything together. http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
|
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
Lots of that was failure in the systems of those providers and an over-reliance on iTunes because he had so many Apple devices.
If anything I see his case as an indictment of Apple and Amazon's horrible password change system more than anything.
I do share your reluctance to store anything in the cloud, however. Power outages, hacks, an additional service payment in the budget. I see no upside to using it as an individual.
|
The past cannot be changed. The future is yet within your power.
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
LastPass weirds me out. You are relying upon a service where you can store your passwords in the cloud. While conceptually it sounds like a great idea you are introducing yet another layer of potential failure out there. Who is to say the provider does not get hacked in some manner and then start capturing your passwords? I have seen far too many websites hacked in the last few years to even consider storing my personal information in the cloud like that. Personally I am not a big fan of all my eggs in one basket. Not that remembering the 40 odd passwords I have to deal with on a regular basis is very easy.... Just look what happened with the wired.com guy last week connecting everything together. http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
If you read that article closely, you'll discover that the hacker got into his gmail account and then used password reset to get to everything else. Nothing is going to prevent this except making sure that your gmail password is different than every other password. And that's still not going to stop a keylogger on your host from snarfing it. There is really only so much you can do. As for lastpass specifically, like keepass, the passwords are encrypted into a file before being uploaded, in encrypted format. Neither dropbox (in my case) or lastpass can do anything with the hunk of encrypted bits. If they get hacked, my data / passwords are as safe as it can be - they'd still need to beat me with a lead pipe or use some NSA supercomputer to brute force their way into it. At the end of the day, the biggest potential security risk isn't the company servers, it's your local desktop at home. The point isn't to make it completely secure, because that can't be done. It's to simply NOT be the low hanging fruit when hackers suck 150,000 passwords from the playstation network or battle.net or LinkedIn and then try logging into gmail, windows live, or what have you with that same password.
That is what a password manager does, and it adds auto-complete and random secure passwords as conveniences on top.
|
|
« Last Edit: August 10, 2012, 11:20:38 AM by bhodi »
|
|
|
|
|
Trippy
Administrator
Posts: 23657
|
lol, point. But I was using "Can grandma use it" as to ask if the program has a drop of usability in its design. KeePass does not seem to fit that bill. It's "Programmer" level of "Good usability" from what I can see.
This is particularly funny coming from a (ex?) Wurm developer and lover of weird (read: horrible) indie games.
I actively tried to change the UI's usability during my time there! Complete with attempting to use a real markup, and not one they created, that's all sent from the server (Yes, all of it). So, wrong guy there on that. I used the same phrase internally during discussions :) I need something that does not look like an FTP client. Anyway, thanks for the suggestions. I think.
Get her 1password. It has its own issues and it's commercial but it's more user-friendly than KeePass.
|
|
|
|
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
|
Alabama is right "next-door" to my state of Mississippi, and I try to forget it exists as much as possible.
Same to you, buddy!
|
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
|
Hahahaha! I'm really good at this!
|
|
|
Mrbloodworth
Terracotta Army
Posts: 15148
|
Get her 1password. It has its own issues and it's commercial but it's more user-friendly than KeePass.
Thanks!
|
|
|
|
schild
Administrator
Posts: 60350
|
Looks like that Estate Sale thing fell apart. Turns out people in Gainesville don't follow the first-come-first-served rule of selling stuff privately.
I hope they die of exposure.
|
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
You'll find most of the South deals with Yankees that way.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Hammond
Terracotta Army
Posts: 637
|
LastPass weirds me out. You are relying upon a service where you can store your passwords in the cloud. While conceptually it sounds like a great idea you are introducing yet another layer of potential failure out there. Who is to say the provider does not get hacked in some manner and then start capturing your passwords? I have seen far too many websites hacked in the last few years to even consider storing my personal information in the cloud like that. Personally I am not a big fan of all my eggs in one basket. Not that remembering the 40 odd passwords I have to deal with on a regular basis is very easy.... Just look what happened with the wired.com guy last week connecting everything together. http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
If you read that article closely, you'll discover that the hacker got into his gmail account and then used password reset to get to everything else. Nothing is going to prevent this except making sure that your gmail password is different than every other password. And that's still not going to stop a keylogger on your host from snarfing it. There is really only so much you can do. As for lastpass specifically, like keepass, the passwords are encrypted into a file before being uploaded, in encrypted format. Neither dropbox (in my case) or lastpass can do anything with the hunk of encrypted bits. If they get hacked, my data / passwords are as safe as it can be - they'd still need to beat me with a lead pipe or use some NSA supercomputer to brute force their way into it. At the end of the day, the biggest potential security risk isn't the company servers, it's your local desktop at home. The point isn't to make it completely secure, because that can't be done. It's to simply NOT be the low hanging fruit when hackers suck 150,000 passwords from the playstation network or battle.net or LinkedIn and then try logging into gmail, windows live, or what have you with that same password.
That is what a password manager does, and it adds auto-complete and random secure passwords as conveniences on top.
I just included that link as a warning on how unintended things are linked together. The hacker did not compromise his gmail account. He compromised the guy's Apple account by calling apple with the last 4 digits off of the guy's credit card which he got from amazon. I do understand your argument though but I personally think password managers are a temporary fix for a much more serious issue. Things are only getting worse as far as hacking goes and a rethink of security in general needs to happen. Also I should emphasize that I am not against password managers in a general sense. If you have one running on your local machine it is more for convenience. With lastpass you just put your information out in the cloud into a nice central location with thousands of other people to create a target for hackers. Let's be honest nothing on the internet is secure. We can see that from the debacle of those RSA security dongles. Everyone thought they were completely secure but look what happened there?
|
|
|
|
schild
Administrator
Posts: 60350
|
You'll find most of the South deals with Yankees that way.
Sure. But I live in Texas and am from Virginia?
|
|
|
|
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
|
Jews are auto-Yankees.
|
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
|
|
|
Draegan
Terracotta Army
Posts: 10043
|
lol
|
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
Anyone without a drawl or a twang is a Yankee.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Yegolev
Moderator
Posts: 24440
2/10 WOULD NOT INGEST
|
You'll find most of the South deals with Yankees that way.
Sure. But I live in Texas and am from Virginia?
Yankees are found from mid-Tennessee and north. When you live less than 100 miles from the Gulf, you view people from Atlanta (aka San Francisco of The South) with grand suspicion. Gainesville, though... probably just someone showed up with a truck and $100.
|
Why am I homeless? Why do all you motherfuckers need homes is the real question. They called it The Prayer, its answer was law Mommy come back 'cause the water's all gone
|
|
|
Salamok
Terracotta Army
Posts: 2803
|
Jews are auto-Yankees.
You beat me to it.
|
|
|
|
bhodi
Moderator
Posts: 6817
No lie.
|
With lastpass you just put your information out in the cloud into a nice central location with thousands of other people to create a target for hackers. Let's be honest nothing on the internet is secure. We can see that from the debacle of those RSA security dongles. Everyone thought they were completely secure but look what happened there?
I could deconstruct this, however it would take an essay and I really don't think anyone cares enough, but basically what you're talking about was a highly customized government-level-funded targeted attack. Password safes aren't intended to protect you from that, as I said a few posts ago they're to prevent your accounts from being scraped up as low-hanging fruit by cross-site brute force account hacking. Which they protect against very well. You're basically suggesting it's pointless to lock your car or house because a swat team successfully broke into the guy next door's locked house and car.
|
|
« Last Edit: August 10, 2012, 02:33:06 PM by bhodi »
|
|
|
|
|
Hammond
Terracotta Army
Posts: 637
|
With lastpass you just put your information out in the cloud into a nice central location with thousands of other people to create a target for hackers. Let's be honest nothing on the internet is secure. We can see that from the debacle of those RSA security dongles. Everyone thought they were completely secure but look what happened there?
I could deconstruct this, however it would take an essay and I really don't think anyone cares enough, but basically what you're talking about was a highly customized government-level-funded targeted attack. Password safes aren't intended to protect you from that, as I said a few posts ago they're to prevent your accounts from being scraped up as low-hanging fruit by cross-site brute force account hacking. Which they protect against very well. You're basically suggesting it's pointless to lock your car or house because a swat team successfully broke into the guy next door's locked house and car.
At this rate we are going to have to go to politics. Not to be snarky but did you read the first sentence? "Also I should emphasize that I am not against password managers in a general sense." What I am saying is if you put something on the internet it can get hacked. In the case of the RSA hack the hackers used a phishing attack to compromise machines within the corporate firewall. From there they branched out and compromised machines containing the code behind the dongles. Which they then transmitted across the internet to a remote location. IE if those machines containing the super secret code were not connected to the internet it would have never gotten out. I am simplifying things somewhat but you get the general idea. Using your car example it is more like driving your car out into the ghetto locking the door and expecting it to still be there and intact in the morning.
|
|
|
|
Samwise
Moderator
Posts: 19324
sentient yeast infection
|
Seems like the ideal cloud solution is to use something like Keepass with something like Dropbox or Google Drive. Someone could get your Keepass files by hacking Dropbox or whatever, but since it's all encrypted using your master passphrase (unless I completely misunderstand how Keepass works), those files are useless to them. Since the software that does the decryption lives client-side, they can't get at it unless they compromise your own personal machine as well, at which point you'd be fucked no matter what.
I can see how a completely server-side solution (which sounds like Lastpass) would be a little more troubling since in theory somebody could hack Lastpass and replace their server software with something that steals your master password when you enter it. That's a pretty big stretch from any security breach we've seen so far, though (it's one thing to get a copy of a database, entirely another to actually replace the live page that clients use without anyone noticing). While it's possible for something like that to happen, I can't imagine that it'd go for very long before someone pulled the plug, and you as a user would only be compromised if you had the bad luck to access the site and give it your master password during that window. Since, again, assuming they at all know what they're doing, the database is all encrypted.
|
|
|
|
|
 |
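Added example, not part of any post in this thread and not KeePass's or LastPass's own code or file format: a small Python sketch of the model the posts above describe, where the vault is encrypted on the client with a key stretched from the master passphrase, so the copy synced to Dropbox or a vendor is an opaque blob. It assumes PBKDF2 for key stretching and an HMAC-SHA256 keystream as a standard-library stand-in for the vetted cipher a real manager uses; all function names and the sample entry are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import string

ITERATIONS = 200_000  # assumed work factor for this sketch


def new_password(length: int = 20) -> str:
    """Random per-site password, so one breached site exposes nothing else."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    # Slow key stretching: every guess at the master passphrase costs
    # ITERATIONS rounds, which is what makes offline brute force expensive.
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=64
    )
    return material[:32], material[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustration-only stream: HMAC-SHA256 over nonce || counter.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(entries: dict, passphrase: str) -> bytes:
    """Encrypt locally; the returned blob is the only thing that gets synced."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    body = salt + nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_vault(blob: bytes, passphrase: str) -> dict:
    """Decrypt locally; fails on a wrong passphrase or a modified blob."""
    if len(blob) < 64:
        raise ValueError("vault blob is too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed sample entry, not real credentials.
    vault = {"example.com": {"user": "alice", "password": new_password()}}
    blob = seal_vault(vault, "correct horse battery staple")
    print(len(blob), "bytes are all a sync provider would ever hold")
    print(open_vault(blob, "correct horse battery staple") == vault)
```

The passphrase never leaves the machine that runs `seal_vault` and `open_vault`, which is why both sides of the thread end up pointing at the local desktop as the part that has to stay clean.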