
Welcome to IWETHEY!

Integration seems to be an arms race. - (static)
Sites that try to stop passwords being "pasted" in tend to break password managers.

Wade.
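As an added example (not code from the thread or from any site it mentions), a small Node script that scans form markup for password fields carrying the attributes that typically defeat password managers: clipboard event handlers such as `onpaste="return false"`, `autocomplete="off"`, and `readonly`. The markup it inspects is constructed for the example; the regex parsing is deliberately minimal and assumes ordinary, well-formed `<input>` tags.

```javascript
// Added example, not from the thread: audit markup for password inputs that
// block paste/autofill and so break password managers. SAMPLE_HTML is
// constructed for this example.
const SAMPLE_HTML = `
<form id="login">
  <input type="password" name="pw" onpaste="return false;" autocomplete="off">
  <input type="password" name="pw2" autocomplete="new-password">
  <input type="text" name="user">
</form>
<form id="other"><input type="password" name="pin" oncopy="return false" readonly></form>
`;

// Parse the attributes of one <input ...> tag into an object (lower-cased names).
// Handles double-quoted, single-quoted, unquoted and bare (valueless) attributes.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per password field that fights the user's clipboard or
// autofill; fields with no problems are not reported.
function auditPasswordFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || 'text').toLowerCase() !== 'password') continue;
    const problems = [];
    for (const ev of ['onpaste', 'oncopy', 'oncut', 'ondrop', 'oncontextmenu']) {
      if (ev in attrs) problems.push(`${ev} handler blocks clipboard interaction`);
    }
    if ((attrs.autocomplete || '').toLowerCase() === 'off') {
      problems.push('autocomplete="off" hinders autofill');
    }
    if ('readonly' in attrs) problems.push('readonly field cannot be filled');
    if (problems.length) findings.push({ name: attrs.name || '(unnamed)', problems });
  }
  return findings;
}

for (const f of auditPasswordFields(SAMPLE_HTML)) {
  console.log(`field "${f.name}":`);
  for (const p of f.problems) console.log(`  - ${p}`);
}
```

Run against a page's saved HTML, this flags the fields a password manager will struggle with; the fix on the site side is simply to drop those handlers and let the browser fill the field.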
That's extremely annoying to me. Leave my browser fields alone!!1 - (Another Scott)
I don't do much of anything involving passwords with my phone, yet, except for some non-sensitive web logins. I figure I'll be doing more on my phone when I finally get something that can do LTE data, has a bit more processing power, has a fingerprint sensor, etc. - things my Nexus 4 lacks.

We have to use a bunch of sites at work that have draconian password policies. You know - 15 characters, mix of character types, have to be changed every 60 days, and can't be too close to the previous one. This is at a place that uses smart cards for many logins - you still have to have a different password. And of course, it's a bad policy to reuse passwords, so everyone has eleventy-seven passwords that they have to keep track of and somehow remember. It's maddening.

Most people have them written down on slips of paper somewhere... :-/

I'm not yet using a non-browser-based password manager, but probably will before the end of the year.

Dashlane and LastPass are a couple I've seen mentioned for Winders and Android, but of course the landscape is always changing. Here's a more recent list of 7 managers that I should review...

The details always expand to consume any available time to consider the options, and more!

Cheers,
Scott.
Caveat Emptor: It looks like some of them are kinda evil. - (Another Scott)
E.g. Dashlane for Android:

Edgardo Gonzalez (one star)

Dirty rats Great free app, UNTIL! I got a new phone. All of my other applications allowed me to backup my data to Dropbox or e-mail the backup file. Then restore on my new phone. Ashland wants me to pay $39.99 so that it can sync my devices. NOT COOL. I'd rather enter all the data by hand first. Will look for a better password app.


Dashlane August 10, 2016
Hello Egardo! Thanks for your feedback. Please note that you can get 6 months of free Premium for each person you invite to Dashlane using our referral program. https://www.dashlane.com/en/referral


:-/ The non-response response isn't a good sign, either.

The idea of saving all my passwords on "the cloud" kinda gives me the creeps, but it shouldn't since it'll be encrypted separately from the secure cloud connection. And Google backs up most of my phone stuff already anyway, but do I want to trust some little ISV with critical information like passwords??

Having to pay for the privilege of moving the password DB to a new phone is something I hadn't considered before...

I'm leaning toward KeePass at the moment, but haven't used any of them yet...

Cheers,
Scott.
I use keepass at work. Seems very sensible - (boxley)
always look out for number one and don't step in number two
No two-factor auth for KeePass. Dealbreaker. - (pwhysall)
There's no point setting up a thinger that makes all my passwords like this:

e@uGSNTK35D89TPdw&UPB5Q*B6EByY

if I can't lock it all the way down.

Even if my LastPass master password is compromised, the bad guys still can't get in.
Use Yubico with it? - (Another Scott)
https://www.yubico.com/why-yubico/for-individuals/password-managers/

It's a USB thingy (maybe kinda like a CAC?) that works with password managers. $40 at Amazon.

That might be the type of solution that makes me feel most comfortable (but it seemingly won't help much with phones). I'll look at it a bit more when the time comes...

Cheers,
Scott.
Interesting. - (pwhysall)
Stuff like LastPass and Dashlane works out of the box with YubiKeys.

KeePass... not so much. An 18-step process! With added "copy this key" and "copy these files here", for additional potential points-of-failure.

(Password Safe and pwSafe aren't really much better)
Encrypted, you say? - (scoenye)
What's that?
http://www.theregister.co.uk/2016/08/31/onelogin_breached_hacker_finds_cleartext_credential_notepads/
The online credential manager says its Secure Notes facility was breached, allowing the intruder to read in cleartext notes edited between 2 June and 25 August this year.

Some 12 million customers use OneLogin.

It could be a dangerous breach for those affected. OneLogin suggests Secure Notes can be used to hold "information such as license keys and firewall passwords" making the stolen data a gift for network exploitation and lateral movement, should IT folks heed the advice and store sensitive credentials in the service.

And for LastPass:
http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
This hole was discovered by a Google researcher. It is unknown if it was exploited before it was patched.

For any cloud based stuff, IMO, the more vulture capitalists are involved, the more untrustworthy the product as extracting money becomes the dominant concern.
Yikes. - (Another Scott)
It seems like the sensible thing in cases like this is to use a GPL-based tool. There's no guarantee that there isn't a bug or hole in it somewhere, maybe even in the compiler/libraries, but at least there isn't an explicit conflict in the business model. "Hey, we have important information here - we have them by the g'nads so we can eventually get money out of them!"

(sigh)

I can see the benefit of keeping stuff in the cloud, but it still seems more risky than relying on local DBs.

Cheers,
Scott.
Risk/reward - (pwhysall)
I need to reliably secure my stuff across different locations and devices - my home PC, my home laptop, my phone, my work PC (where I can install a Chrome extension but not a Windows executable), etc.

Doing that safely and reliably with a homebrew solution is going to end in tears - either I'll end up with a binary blob I can't decrypt, or I'm going to end up spamming my master password somewhere it shouldn't go, or something else similarly inconvenient/catastrophic (delete as applicable) that I haven't foreseen.

Local solutions are local, and that's their strength and their dealbreaking (for me) weakness.

(KeePass has had its problems.)

Yeah, LastPass got busted. I now still trust them (a bit :)) because they have had to respond to that. Do you trust a lock made by a locksmith who's had to learn from their mistakes, or a lock made by a locksmith whose handiwork is untested (whether by luck or judgement)?

Regarding the LastPass fuckup:

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

1. It was a bad bug.
2. It was fixed in one day.
3. All (security) software has bugs. What matters is how the provider responds.

It is naïve to think that an open source solution will be any better. Security is a hard problem that, it seems, the open source approach doesn't help when it comes to real-world implementation. After all, OpenSSL was open source for a long, long time before anyone noticed that it was a complete bag of security bollocks. Stagefright is open source, and that was/is also a bag of security shit.

But all this aside - even a bad (and realistically, they're all at least passable) password manager is better than no password manager.

ETA: Holy crap, the KeePass website is fucking horrible to look at and use. It's like taking a trip back in time to 1998, and not in the good "hey man, let's surf the information superhighway!" way.
Edited by pwhysall Sept. 4, 2016, 04:06:44 PM EDT
That's why logs need to be encrypted (wouldn't help since the admin password was stolen, though) - (boxley)
always look out for number one and don't step in number two