DrakeFox: I made a small JavaScript webapp which would generate a printable table of a-z columns and a bunch of rows with random characters in the cells, based on a master key.
The idea was you could print the table, or just open the thing and generate the table from the master key. This could work as a sort of password generator for you. So for gog.com you could just note down or remember the password OldGames, so you'd read O1, L2, D3, G4, A5, M6, E7, S8 and have a really random-looking password. If you rotate passwords you'd just start from 2 instead of 1 and have a completely different passcode with the same keyword.

The JavaScript would print your password if you entered the keyword and start number, but you'd have to first generate the table from your master pass. And if you printed it... it just got tedious to read. So I ended up going with KeePass instead.
Lin545: This is an interesting idea, thank you!
I think the only weak point is the limited number of "start numbers" and the common shared secret.
So if a password for "gog.com" leaks, then an attacker could reverse the algorithm if he/she gets access to the whole printed table.

Also, it seems one needs to remember a "secret" for each password to decode it into the full key. This can be optimized, I think.

It's nice to know that there are also people out there who came to the idea that remembering (each of) the passwords themselves is a very unreliable and insecure thing.

As for software, I think it was a mistaken move. But YMMV.
Yes, remembering a keyword for each site was one of the annoying things. I was considering using the oft-included "Hint" field for the keyword. And still, if someone got the gog.com password (OLDGAMES) they would indeed be able to figure out all the first characters if the hint started with O, or the 2nd character for all sites having L as the second keyword character... and so on and so forth. The table should've been generated well enough that you couldn't reverse-engineer the entire thing without several compromised passwords... or maybe my lacking ability with cryptography makes it possible to reverse-engineer it either way.

It was an attempt to come up with an analog solution to a digital problem. I did go around with a printed card in my wallet for a while. But it did get really cumbersome so I switched to KeePass.
almabrds: I'm looking for a good password manager.
KingofGnG: Write all your passwords in a .txt file and print it out. Seriously.
I wrote by hand and keep my password with this
I keep my password tattooed on my penis.

Needless to say it took a while getting the complete works of Shakespeare on there.

You can imagine what a bitch it is logging on.
almabrds: I'm looking for a good password manager.
KingofGnG: Write all your passwords in a .txt file and print it out. Seriously.
This is what I do, except I wrote it backwards and changed the extension to .sys.
DrakeFox: [quoted above]
Well, basically, if one has the master password and the software, he can regenerate the list.
Or he just copies/photographs your list.

I don't think this is a big problem, because all of this is automated. As such it can be copied from RAM or from media using leftovers.

The secrecy is what I don't like in your approach:
1. there is no "salt", and
2. there is a redundant keyphrase for each password, which nevertheless can be reverse-engineered from the final key-password.

What if you would use the number of letters (plus magic, a multiple of magic or more "magic") of the target website?
Let me give you an example:

GOG.COM -> 3 letters before the dot.
Semi-constant magic says "two times minus 1/3, rounded" = 3 * 2 - 0.33 = 4.
The offset is 4; it's the "salt". You constantly add it to each number row.

First letter G, iteration 1 + salt 1 = 2. Col G, Row 2.
Second letter O, iteration 1 + salt 2 = 3. Col O, Row 3.
Third letter G, iteration 1 + salt 3 = 4. Col G, Row 4.
Fourth letter C, iteration 1 + salt 4 = 5. Col C, Row 5.
Sixth letter O, iteration 1 + salt 1 = 2. Col O, Row 2.
Seventh letter M, iteration 1 + salt 2 = 3. Col M, Row 3.

I think you get the idea. If you look up my 1st post in the thread, you will see that the magic is not a static key but "an algorithm" which transforms the source hash list into the target key. My method is about equal, but I don't have a generator like in your version.

Your generator is pretty interesting =]
Post edited December 25, 2015 by Lin545
I use KeePass also, but since we're talking about password generators, I liked very much the idea presented on PwCard (not actually something new, or very bulletproof).

https://www.pwcard.net/
OlivawR: [quoted above]
That's interesting, but I see some problems.
- no per-case regeneration possible. Some websites may ask you to change the password. Changing the password would require changing the master password, which would require resetting all the passwords.

- the initial start code is static; some services are limited by password length

- step 2 requires encoding the master password in each password using the card, which can be picked off.
If an attacker steals or gets your card and has at least one password, he can reverse the master password using the card.

- if an attacker manages to capture several raw passwords (and nothing else), he can crack the whole card, because it consists of a big static part and a part which depends on openly available data (the URL).
Post edited December 25, 2015 by Lin545
tinyE: [quoted above]
Just wondering how many times the police have been called when you need to log in in a public place?
My password manager is a small notebook. Nobody can hack paper. :P
DrakeFox: [quoted above]
Lin545: [quoted above]
The salt algorithms would make it a lot more of a hassle to read if you need to read it, since you're using it instead of a password manager. But yes, I see where you're coming from; at that point, unless you want to spend a lot of time looking up your password every time you log in, a password manager such as KeePass is a better solution: from compromised passwords nothing can be reverse-engineered.
DrakeFox: [quoted above]
Here

KeePass is a piece of software. It's vulnerable, known, predictable, prone to hardware corruption, dependent, relying upon and sharing space (hard drive, RAM, network ports) with other software. To escape the majority of these problems, people tend to introduce even more attack vectors. It's more secure to store your passwords in a text file with a random name than in a dedicated, known piece of software. But that's my point of view.
DrakeFox: [quoted above]
Lin545: [quoted above]
Where is the evidence for that? I have used KeePass for ages, both on my main computer and as a portable app. Never had any issue with it. That post you link to mainly seems to deal with Dropbox. And my recommendation is, always, don't use online services. They are always the weak link in anything you do and require the vendor to continue to provide access. Under no circumstances would I use online storage for anything, even synchronising favourites; do it yourself, organise it, and above all keep it away from the internet.
nightcraw1er.488: [quoted above]
No, it's just the password DB file getting corrupted and discarded as a whole. Usual stuff.

It's just that KeePass and similar are software, unlike a data file or a piece of paper. They function like, within and depend upon a software stack, require it to function, and are exploitable via hardware.

The idea is, the shorter the possible breakage chain, the more efficient it is. Of course, there are also probabilities, chances. But a static data file is less likely to be corrupted than a running code file. What confuses me most, though, is that you use pretty specific software which is known. Like storing passwords in Firefox, with malware targeting specifically this part. Of course, the KeePass file is probably very secure, at least much better than Firefox's plain-text password file in a known location. Still, it's a file in a known location.
But if you store all your passwords in one text file somewhere, the offender would need to parse the whole filesystem to find the keys. It's like storing stuff in a pretty big, complicated safe inside the house, versus putting it inside a cheap fake book in your library.
I think the safe is much better protected against direct assault. But if the attacker knows you have the safe in the attack phase, then: bad chances. YMMV, but I choose portability, by which I mean the ability to read the password list from any system where a drive can be hooked up. Only a running KeePass can read a KeePass file. Any text editor can read a text file.
OlivawR: [quoted above]
There are a lot of things you can do to get seemingly random passwords for a ton of sites. For example, you can take the site's domain name + a personal password + the date and run that through a hash and wind up with something that appears to be rather random. Each time you need to update the passwords on all your sites you choose a new password and keep that memorized.

Realistically, it's rather unlikely that an attacker is going to figure out the password from just the domain name and the date the password was created. And in any case you'll be storing that information either way.

An attacker is unlikely to see more than a couple of your passwords at any given time, so trying to figure out how the password was generated is largely impossible. They'd be left with trying to either brute-force the password or, more likely, abuse the password reset feature to get into the account. Or, I suppose, try to trick you into giving the password away.

People tend to think that harder passwords are better, and to an extent that's true, but realistically trying to brute-force a password is a lot of work for not a lot of profit in most cases.
I started using Encryptr because it is simple, free and is available on Windows, Mac and iOS.

https://spideroak.com/solutions/encryptr