VOGONS


First post, by Jade Falcon

Rank: BANNED

http://www.zdnet.com/article/onelogin-hit-by- … -customer-data/

Is it that hard to remember passwords?

Reply 2 of 42, by DosFreak

Rank: l33t++

It is when they are at least 20+ (Use longer when I can) characters long, gibberish and different for each site. Keepass says I have 297 sites so...yeah

The company said that information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be decrypted.

Former IT Administrators

How To Ask Questions The Smart Way
Make your games work offline

Reply 4 of 42, by clueless1

Rank: l33t
Errius wrote:

What happened to post-it notes stuck to monitors

Supplanted by the much more secure post-it note taped to the bottom of the keyboard.

The more I learn, the more I realize how much I don't know.
OPL3 FM vs. Roland MT-32 vs. General MIDI DOS Game Comparison
Let's benchmark our systems with cache disabled
DOS PCI Graphics Card Benchmarks

Reply 6 of 42, by Jade Falcon

Rank: BANNED
clueless1 wrote:
Errius wrote:

What happened to post-it notes stuck to monitors

Supplanted by the much more secure post-it note taped to the bottom of the keyboard.

HAHA, it's true, I don't see sticky notes on monitors with passwords on them like I used to.

gdjacobs wrote:

Man, I completely forgot about that movie

Reply 8 of 42, by Kreshna Aryaguna Nurzaman

Rank: l33t
DosFreak wrote:

It is when they are at least 20+ (Use longer when I can) characters long, gibberish and different for each site. Keepass says I have 297 sites so...yeah

The company said that information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be decrypted.

Former IT Administrators

🤣 Can't agree more.

Never thought this thread would be that long, but now, for something different.....
Kreshna Aryaguna Nurzaman.

Reply 9 of 42, by kode54

Rank: Member

This says a lot:

https://mastodon.hasameli.com/users/munin/updates/6836

I bet you tell people to use formulaic passwords for everything. Better hope that formula never gets out due to one of hundreds of sites being hacked, or else someone could simply guess all of their other passwords.

Reply 10 of 42, by Jade Falcon

Rank: BANNED

A best practice is not to talk about how/what your password or others' passwords are made up of, or what you tell other people to use.

Reply 11 of 42, by kode54

Rank: Member

Ah, the old "figure it out for yourself" method. That always works so well for all the people who ask me for help with computers. Maybe I should stop giving people help and let them Google their own damn answers.

Reply 12 of 42, by Jade Falcon

Rank: BANNED
kode54 wrote:

Ah, the old "figure it out for yourself" method. That always works so well for all the people who ask me for help with computers. Maybe I should stop giving people help and let them Google their own damn answers.

Not really.
You just don't go around telling people what you tell others to use for a password.
If you tell people to use a password with 8 letters, 2 numbers and one uppercase, that's all right, but don't tell people that that's what you tell everyone to use.
It's the same with password requirements; they only tell people what people's passwords are made up of, allowing people to have a better chance of guessing passwords.
Say you require every password to have a number and an uppercase letter; that tells you that your password contains an uppercase letter and a number. And given how most people are, the uppercase letter is probably the first letter and the number the last.

Reply 13 of 42, by kode54

Rank: Member

I was going to suggest using a computer algorithm to generate the password randomly based on the requirements instead of relying on the person to come up with their own passwords, but that's probably just as prone to error, and not likely to be remembered. But I think people shouldn't be remembering their passwords anyway, as that tends to lead to using the same passwords or variations thereof at multiple places.

Maybe if places wouldn't utilize just passwords for authentication, people wouldn't place their trust in the security of a mere password, or in a password keeper, or in whatever mechanism they use to keep their passwords safe.

Now, it would be really lovely if there could be a great return of PGP, or some other asymmetrical encryption with key exchange system. You give the site your public key, they encrypt their public key and an identifying token and give them back to you, and you use their public key to encrypt the token and send it back, completing the circle. The result is that you have either the site's current public key, or a user-specific public key, and they have your current public key. Good luck brute forcing the matching private keys from those.

And a site like Keybase.io makes it easier for people to produce, collect, and track such asymmetrical encryption keys. As long as you have someone else's public key, you can encrypt information for their eyes only. The service also currently has a private (one or more user tagged folders) and public (https://Keybase.pub/user/ exposed) folders, as well as a secure chat system. Both of these systems are facilitated using symmetrical encryption, where the keys to the data are encrypted for the eyes of the owners only, excluding the public folders, which are signed by the owner, but freely accessible over an https address, as well as publicly listed on the user's Keybase profile. It also makes use of a permanent block chain to store the history of every profile change and added or revoked device, and designed all of the end user software to verify the proof for each piece of information on its own, rather than merely trusting the service.

That doesn't fix the problem now, but sounds like a neat way to deal with it in the future. A technology invented well in the past, making a resurgence due to new found ease of use and shallower learning curve, hopefully. This is the sort of thing that could make web services way more secure for their users.

Sure, there's also S/MIME identification, but most secure servers would have to generate those for the user, and the user has not yet proven who they are with a key of their own.

Blah, now I'm not blathering on.

Reply 14 of 42, by ZellSF

Rank: l33t

That's just an argument against cloud password managers, not password managers (or just plain writing down your password in general).

And a poor argument at that, if you've seen the sort of passwords most people use without password managers (and the frequency at which they reuse them) then you know the only difference between them and OneLogin users is that OneLogin users know they've been compromised.

You just don't go around telling people what you tell others to use for a password.
If you tell people to use a password with 8 letters, 2 numbers and one uppercase, that's all right, but don't tell people that that's what you tell everyone to use.

With how many password databases have been leaked, not telling anyone your pattern is futile. Chances are good the hackers know it, as well as the most common password patterns people use.

Jade Falcon wrote:

A best practice is not to talk about how/what your password or others passwords are made up of. Or what you tell other people to use.

My passwords are (up to) the longest randomly generated strings the service I use allows for. Isn't it weird that I can entirely ignore your "best practice" with zero concern as to the safety of my accounts?

Not telling people your password pattern is not and never was best practice. Not having a password pattern is best practice. That requires a password manager. Use an offline one if you don't trust the cloud.

Reply 15 of 42, by dr_st

Rank: l33t
ZellSF wrote:

Not telling people your password pattern is not and never was best practice. Not having a password pattern is best practice. That requires a password manager. Use an offline one if you don't trust the cloud.

Where do you store it?
How do you protect it from storage crash causing data loss?
How do you synchronize it between multiple computers and devices?
What do you do if you need to do a one-time login from a device you have not used before?

These questions require some thought.

https://cloakedthargoid.wordpress.com/ - Random content on hardware, software, games and toys

Reply 16 of 42, by Dominus

Rank: DOSBox Moderator
dr_st wrote:
ZellSF wrote:

Not telling people your password pattern is not and never was best practice. Not having a password pattern is best practice. That requires a password manager. Use an offline one if you don't trust the cloud.

Where do you store it?
How do you protect it from storage crash causing data loss?
How do you synchronize it between multiple computers and devices?
What do you do if you need to do a one-time login from a device you have not used before?

These questions require some thought.

Where? Multiple storage options that should be used because of
How to protect from storage crash.
Synchronize? Manual of course, since there is no other option when you don't trust the cloud.

What do you do if you need to do a one-time login from a device you have not used before?

You may have to have the password database and manager with you. Perhaps you store it on a USB stick? Perhaps on your mobile device? Again, answer 1 applies: multiple devices.

Windows 3.1x guide for DOSBox
60 seconds guide to DOSBox
DOSBox SVN snapshot for macOS (10.4-11.x ppc/intel 32/64bit) notarized for gatekeeper

Reply 17 of 42, by dr_st

Rank: l33t

The way I see it, you either have one place where you store it (and then it always has to be with you, and there is a risk of data loss / theft), or you have multiple storage spots, where you have to constantly synchronize between them.

A nice option would be some safe central location (like a home server) with automatic backup. Then from any place you just have to be able to connect to your personal server, and have access to all your passwords. It is not offline, but still it's not "the cloud", since the server is completely under your control.

https://cloakedthargoid.wordpress.com/ - Random content on hardware, software, games and toys

Reply 18 of 42, by vladstamate

Rank: Oldbie

I use 1Password and I am really happy with it. It works well on all my devices (my iPhone, my windows machine and my various iMacs (at work and home)). The password file is on the cloud sure but it is encrypted pretty well to my knowledge: https://support.1password.com/1password-security/

YouTube channel: https://www.youtube.com/channel/UC7HbC_nq8t1S9l7qGYL0mTA
Collection: http://www.digiloguemuseum.com/index.html
Emulator: https://sites.google.com/site/capex86/
Raytracer: https://sites.google.com/site/opaqueraytracer/

Reply 19 of 42, by Jade Falcon

Rank: BANNED
dr_st wrote:
ZellSF wrote:

Not telling people your password pattern is not and never was best practice. Not having a password pattern is best practice. That requires a password manager. Use an offline one if you don't trust the cloud.

That's not much different than using the same password everywhere. I only need to make a worm with a key logger and snatch up your password manager password. If you remember your passwords you'd likely find the worm before you give it everything.

Having passwords stored anywhere is a bad idea; I deal with the fallout of cracked password managers a lot in my line of work.
A well made manager is great in many ways but fundamentally bad in just as many. The only thing you're protected from is someone at a computer trying to guess your password to Facebook or something. If they get any local access you're screwed.