Post #413,322
9/3/16 9:58:33 AM
|
That's extremely annoying to me. Leave my browser fields alone!!1

I don't do much of anything involving passwords with my phone, yet, except for some non-sensitive web logins. I figure I'll be doing more on my phone when I finally get something that can do LTE data, has a bit more processing power, has a fingerprint sensor, etc. - things my Nexus 4 lacks.

We have to use a bunch of sites at work that have draconian password policies. You know - 15 characters, mix of character types, have to be changed every 60 days, and can't be too close to the previous one. This is at a place that uses smart cards for many logins - you still have to have a different password. And of course, it's a bad policy to reuse passwords, so everyone has eleventy-seven passwords that they have to keep track of and somehow remember. It's maddening. Most people have them written down on slips of paper somewhere... :-/

I'm not yet using a non-browser-based password manager, but probably will before the end of the year. Dashlane and LastPass are a couple I've seen mentioned for Winders and Android, but of course the landscape is always changing. Here's a more recent list of 7 managers that I should review... The details always expand to consume any available time to consider the options, and more!

Cheers, Scott.
|
Post #413,331
9/3/16 9:59:04 PM
|
Caveat Emptor: It looks like some of them are kinda evil.

E.g. Dashlane for Android, review by Edgardo Gonzalez (one star):

"Dirty rats. Great free app, UNTIL! I got a new phone. All of my other applications allowed me to back up my data to Dropbox or e-mail the backup file. Then restore on my new phone. Ashland wants me to pay $39.99 so that it can sync my devices. NOT COOL. I'd rather enter all the data by hand first. Will look for a better password app."

Dashlane, August 10, 2016: "Hello Edgardo! Thanks for your feedback. Please note that you can get 6 months of free Premium for each person you invite to Dashlane using our referral program. https://www.dashlane.com/en/referral"

:-/ The non-response response isn't a good sign, either.

The idea of saving all my passwords on "the cloud" kinda gives me the creeps, but it shouldn't since it'll be encrypted separately from the secure cloud connection. And Google backs up most of my phone stuff already anyway, but do I want to trust some little ISV with critical information like passwords?? Having to pay for the privilege of moving the password DB to a new phone is something I hadn't considered before...

I'm leaning toward KeePass at the moment, but haven't used any of them yet...

Cheers, Scott.
|
Post #413,333
9/3/16 11:21:36 PM
|
I use KeePass at work. Seems very sensible.
always look out for number one and don't step in number two
|
Post #413,335
9/4/16 7:32:12 AM
|
No two-factor auth for KeePass. Dealbreaker.
There's no point setting up a thinger that makes all my passwords like this:
e@uGSNTK35D89TPdw&UPB5Q*B6EByY
if I can't lock it all the way down.
Even if my LastPass master password is compromised, the bad guys still can't get in.
|
Post #413,336
9/4/16 9:04:12 AM
|
Use Yubico with it?
|
Post #413,355
9/4/16 3:52:09 PM
|
Interesting.

Stuff like LastPass and Dashlane works out of the box with YubiKeys. KeePass... not so much. An 18-step process! With added "copy this key" and "copy these files here", for additional potential points of failure. (Password Safe and pwSafe aren't really much better.)
|
Post #413,339
9/4/16 11:30:36 AM
|
Encrypted, you say?
|
Post #413,340
9/4/16 11:38:55 AM
|
Yikes.

It seems like the sensible thing in cases like this is to use a GPL-based tool. There's no guarantee that there isn't a bug or hole in it somewhere, maybe even in the compiler/libraries, but at least there isn't an explicit conflict in the business model. "Hey, we have important information here - we have them by the g'nads so we can eventually get money out of them!"

(sigh)

I can see the benefit of keeping stuff in the cloud, but it still seems more risky than relying on local DBs.

Cheers, Scott.
|
Post #413,354
9/4/16 3:43:47 PM
9/4/16 4:06:44 PM
|
Risk/reward

I need to reliably secure my stuff across different locations and devices - my home PC, my home laptop, my phone, my work PC (where I can install a Chrome extension but not a Windows executable), etc. Doing that safely and reliably with a homebrew solution is going to end in tears - either I'll end up with a binary blob I can't decrypt, or I'm going to end up spamming my master password somewhere it shouldn't go, or something else similarly inconvenient/catastrophic (delete as applicable) that I haven't foreseen. Local solutions are local, and that's their strength and their dealbreaking (for me) weakness. (KeePass has had its problems.)

Yeah, LastPass got busted. I now still trust them (a bit :)) because they have had to respond to that. Do you trust a lock made by a locksmith who's had to learn from their mistakes, or a lock made by a locksmith whose handiwork is untested (whether by luck or judgement)?

Regarding the LastPass fuckup: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

1. It was a bad bug.
2. It was fixed in one day.
3. All (security) software has bugs. What matters is how the provider responds.

It is naïve to think that an open source solution will be any better. Security is a hard problem that, it seems, the open source approach doesn't help when it comes to real-world implementation. After all, OpenSSL was open source for a long, long time before anyone noticed that it was a complete bag of security bollocks. Stagefright is open source, and that was/is also a bag of security shit.

But all this aside - even a bad (and realistically, they're all at least passable) password manager is better than no password manager.

ETA: Holy crap, the KeePass website is fucking horrible to look at and use. It's like taking a trip back in time to 1998, and not in the good "hey man, let's surf the information superhighway!" way.
Edited by pwhysall
Sept. 4, 2016, 04:06:44 PM EDT
|
Post #413,343
9/4/16 12:16:59 PM
|
That's why logs need to be encrypted (wouldn't help since the admin password was stolen, though).
always look out for number one and don't step in number two
|