Passwords and remembering them...

Postby Hallvor » 2020-05-25 06:31

I have a hard time remembering all my website passwords, and would like a good compromise between convenience and security.

My best idea so far:

* Generate and use very strong passwords with a password generator
* Write down the passwords, GPG-encrypt the file with a very strong password and save the file in cloud storage with two factor authentication.

Are there any problems with this that I am not aware of, and are there better ways of solving this?
Lenovo ThinkPad T440S, Intel Core i7-4600U CPU @ 2.10GHz, 8 GB RAM, 256 GB SSD, Debian Buster (KDE)
Lenovo ThinkPad X240, Intel Core i5-4300U CPU @ 2.90GHz, 8 GB RAM, 120 GB SSD, Debian Buster (KDE)

Re: Passwords and remembering them...

Postby dilberts_left_nut » 2020-05-25 07:42

AdrianTM wrote:There's no hacker in my grandma...

Re: Passwords and remembering them...

Postby Head_on_a_Stick » 2020-05-25 09:16

Black Lives Matter

Debian buster-backports ISO image: for new hardware support

Re: Passwords and remembering them...

Postby Hallvor » 2020-05-25 14:55

I read a bit and tested a random password of the same entropy and length as I created with pwgen

https://howsecureismypassword.net/
It would take a computer about 233 duodecillion years to crack your password

:lol:

Re: Passwords and remembering them...

Postby arzgi » 2020-05-25 15:07

I've been using password-gorilla, which fills your requirements. It also creates passwords if you want and, what I like, lets you add groups of passwords.

EDIT: Well, not fully, should have read more carefully :roll:

Hallvor wrote: save the file in cloud storage with two factor authentication.

Re: Passwords and remembering them...

Postby sunrat » 2020-05-25 23:52

Image
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

Re: Passwords and remembering them...

Postby LE_746F6D617A7A69 » 2020-05-26 00:15

Only 20 years? I would say 30+, and those "efforts" are still continued ... :lol:

Most of the "Password Strength Checkers" used today are still based on that Caps/Numbers/SpecialCharacter rule - i.e. they are useless.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

Re: Passwords and remembering them...

Postby RU55EL » 2020-05-26 01:46

correcthorsebatterystable

Tested at: How secure is my password.: 188 quadrillion years as opposed to 550 years in the cartoon (at 1000 guesses per second).

My (just changed) forums.debian.net password tested at the same place: 233 duodecillion years

KeePassX:
Cross Platform Password Manager

KeePassX is a free/open-source password manager or safe which helps you
to manage your passwords in a secure way. You can put all your
passwords in one database, which is locked with one master key or a
key-disk. So you only have to remember one single master password or
insert the key-disk to unlock the whole database. The databases are
encrypted using the algorithms AES or Twofish.


KeePassX is handy if you want to keep a copy of the database in the cloud and use it on different platforms: Phone, computer, tablet, etc.

Of course, encrypting a text file of passwords with one good password works too. I just don't think it is as handy across platforms.

[edit]

ySAE9WypXgqhQuA5rUN4XSu6GjrxhjqwkmezHVPrJDTQpwB6H8BX3k2KaaHUxmUc tested at how secure is my password:

4 untrigintillion years

So, 233 duodecillion years isn't the maximum. (I noticed that the test Hallvor did also came up with 233 duodecillion years.)

2,499,280,183,817,064 nonagintillion years is as high as I got before it said forever.

[/edit]

Re: Passwords and remembering them...

Postby LE_746F6D617A7A69 » 2020-05-26 02:06

RU55EL wrote:correcthorsebatterystable

Tested at: How secure is my password.: 188 quadrillion years

Not Really:
passwords-under-assault

That 188 quadrillion years was probably calculated using the assumption that the attack will be performed using a dumb brute-force method. In reality, you don't have to find the exact password - you need to find a string of characters which causes a full or partial hash collision - and this can be done relatively fast using e.g. "rainbow tables".
This also explains why passwords constructed as a "strange" combination of characters are actually useless - it's the length of the password that matters.

Of course such attacks are possible only in "offline mode" - that is, against a stolen password database.
Normally every OS or Web service will block the attacker after, let's say, 3 unsuccessful tries.
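An added example, not part of any post in this thread and not the howsecureismypassword code: it shows how far a per-character estimate and a word-list estimate diverge for the passphrase posted above, and how much the assumed guess rate matters. The 2048-word list and the 10^10 guesses per second offline rate are assumptions; the 1000 guesses per second rate is the one quoted in the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password):
    """Per-character model: pool of every character class that appears."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size

def bits_per_character_model(password):
    """Entropy if every character were drawn at random from the pool."""
    return len(password) * math.log2(charset_size(password))

def bits_wordlist_model(n_words, list_size):
    """Entropy if the attacker knows it is n_words drawn from a known list."""
    return n_words * math.log2(list_size)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole search space."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

PASSPHRASE = "correcthorsebatterystable"   # as posted in the thread
WORDLIST_SIZE = 2048                       # assumption: 11 bits per word
ONLINE_RATE = 1_000                        # guesses/s, figure quoted in the thread
OFFLINE_RATE = 10_000_000_000              # assumption: fast hash, stolen database

def compare():
    """Return {model: (bits, years online, years offline)} for the passphrase."""
    models = {
        "per-character": bits_per_character_model(PASSPHRASE),
        "word-list": bits_wordlist_model(4, WORDLIST_SIZE),
    }
    return {name: (bits,
                   years_to_exhaust(bits, ONLINE_RATE),
                   years_to_exhaust(bits, OFFLINE_RATE))
            for name, bits in models.items()}

if __name__ == "__main__":
    for name, (bits, online, offline) in compare().items():
        print(f"{name:14s} {bits:6.1f} bits  "
              f"online {online:.3g} y  offline {offline:.3g} y")
```

Under the word-list model the result is 44 bits, roughly the 550 years at 1000 guesses per second that RU55EL quotes from the cartoon, while at the assumed offline rate the same 44 bits are exhausted in under an hour.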

Re: Passwords and remembering them...

Postby RU55EL » 2020-05-26 03:13

I agree that How secure is my password is some kind of estimate. Heck, at the bottom of the web page:
This site is for educational use. Due to limitations of the technology involved, the results cannot always be accurate. Your password will not be sent over the internet.


I haven't looked at the source code, if you are interested they list a link: https://github.com/howsecureismypassword/hsimp

P.S. I don't use such websites to seriously evaluate my password. Although it is kind of fun to play with them...

Re: Passwords and remembering them...

Postby Hallvor » 2020-05-26 07:24

Yes, the result of such websites should be taken with a small spade of salt. However, there is no denying that very long passwords are the hardest to crack. I have made passwords of 30-50 characters in length, sometimes using the longest password allowed by the website.

As for passphrases, I have tried them out, but I just can't memorize them all. I counted all the websites I am registered at, and the number was about 60. :shock:

Bulkley's suggestion may work for many.

KeePassX looks very nice, and the ease with which you can use it across devices is a big plus in my book.

Re: Passwords and remembering them...

Postby oswaldkelso » 2020-05-26 11:23

passwords can be long and easy to remember

InthebeginningGodcreatedtheheavenandtheearthandgnu/linux

522 sesvigintillion years

I use a very long password for my gpg key

Reasonably long ones for root, freedombox, servers and banking

Easy to recall ones on places like this that I consider a trusted site but not the end of the world if I got owned (could be quite funny though) :mrgreen:

crappy, easy to remember passwords on places where I don't really care. I have an email account especially for linking to these sites.
Ash init durbatulûk, ash init gimbatul,
Ash init thrakatulûk agh burzum-ishi krimpatul.

Re: Passwords and remembering them...

Postby NFT5 » 2020-05-26 16:06

oswaldkelso wrote:InthebeginningGodcreatedtheheavenandtheearthandgnu/linux

522 sesvigintillion years


That's pretty cool but fails on many websites because it doesn't contain any numbers or "special characters".

Then you have the ones that set low maximums. For example one bank has a 6 character limit with at least one numerical digit but doesn't allow special characters or punctuation. For their phone app it's 4 digits only. Hardly secure by the long passphrase standards.

The other issue that I see (coming) is that an appropriately trained AI could probably crack an obvious phrase like that.

Most importantly I really don't want to spend 15 of the next 25 years typing passwords. After that I really don't give a rat's - I'll be too busy pushing daisies.

What I want is ease of use - autofill when I open a page and reasonable security against an attack not logged in as my user. To a large extent most browsers have this functionality built in.

However, the biggest risk is not how complex a password I have, but the poor security that many websites have. That's by far the most likely reason why you'll get pwned. To improve my chances, and stem the resultant flow of spam, I like services like Blur which will allocate a random email and password for each site that I'm registered at and forward any email to my own address. Then, when the spam comes because they've sold my information I can just shut down that random email address.

Re: Passwords and remembering them...

Postby KitchM » 2020-05-26 17:37

I have used KeePassXC for a long time now, and am extremely pleased with it. The ability to have a password generator is a blessing, as is the simple ability to edit a given password should some weird site not allow all special characters.

You are free to create as long and as complex a password as you wish, with the relative strength clearly indicated. It is easy to get a password that all the computers in the world could not crack in a thousand years.

The program resides in the system tray area and pops up with one click. Point at the entry you wish and right click, selecting the password. The program then can be set to just close back to the tray area. Paste into web page blank and you're good to go.

Using one long pass-phrase to get into it should give you all the protection you wish. The encrypted database can be saved to flash drive as a backup and/or a portable password safe. Just install the program on each computer and open the database from the same flash drive. It even includes a sync feature that can be used between databases in either direction to keep them the same if you have more than one database.

Until we have Pico https://www.cl.cam.ac.uk/~fms27/papers/2011-Stajano-pico.pdf, this will work just fine.