Jeff on mayonnaise
-
If that were actually true, it would be trivial to generate SHA256 collisions on demand. It isn't. Therefore, that's not actually true.
Noted for future reference.
-
It took a little while to convince me that they are a good thing
The world has changed. Today, making all your passwords unique and hard and writing them on post-it notes is a far better option than trying to implement a password scheme that can be remembered.
-
Except, of course, the idiotic services that force you to use a short password from a restricted character set
I wonder if any of the services that don't restrict character set or length would have problems with '\xFF' being in a password...
-
If the post-it with the password for your account on your computer is attached to the monitor of your computer, you might want to rethink your system.
-
I wonder if any of the services that don't restrict character set or length would have problems with '\xFF' being in a password...
Don't do that; you'll probably run into encoding problems. Stick to strict ASCII.
\x00 is in strict ASCII… ;)
-
If the post-it with the password for your account on your computer is attached to the monitor of your computer, you might want to rethink your system.
My "family computer" has the password taped to the monitor. If you are in my house, you are welcome to use the computer. The password is only there to help prevent remote attacks.
-
If the post-it with the password for your account on your computer is attached to the monitor of your computer, you might want to rethink your system.
Hawkins: I've got it! I've got it! The post-it with my password is attached to my computer; the wargame on the mainframe needs the two that are new! Right?
Griselda: Right. But there's been a change: they scrapped the mainframe with the wargame!
Hawkins: They scrapped the mainframe with the wargame?
Griselda: And replaced it with an iPad.
Hawkins: An iPad...?
Griselda: And a little Bluetooth doodad.
Hawkins: iPad and a doodad.
Griselda: Right.
Hawkins: But did you put the passwords for the wargame on a post-it on my puter?
Griselda: No! The password for the wargame's in the doodad for the iPad! The post-it on your puter has the new ones for you!
Hawkins: The password for the wargame's in the doodad for the iPad; the post-it on my puter has the two that are new.
Griselda: Just remember that.
-
If the post-it with the password for your account on your computer is attached to the monitor of your computer, you might want to rethink your system.
What if it's attached to the monitor of someone else's computer?
-
The Court Jester (8/9) Movie CLIP - The Flagon with the Dragon (1956) HD
Best scene in any musical comedy ever.
-
My "family computer" has the password taped to the monitor. If you are in my house, you are welcome to use the computer. The password is only there to help prevent remote attacks.
Why not just enable the guest account?
-
My "family computer" has the password taped to the monitor.
A lot of people do exactly that for wifi. (Except the postit is on the wifi device, of course; hardly anyone has a monitor attached to their wifi box…)
-
We should all be singing from the "use a password manager" hymn sheet with voices raised high.
I'd love to be -- but I simply have not found a reliable enough storage medium for the password database to satisfy me; besides, removable media restrictions are commonplace enough that it'd be useless in some of the places where I'd want it most, and cloud-based storage risks exposing the database itself to an offline attack.
-
I use a Discourse private message as my password manager. The really nice thing is it censors my passwords for other users, so if an admin is snooping in they won't get anything!
TDWTF: ■■■■■■■
Email: ■■■■■■■■■■■■■■
Bank: ■■■■■■■■■■■
-
besides, removable media restrictions are commonplace enough that it'd be useless in some of the places where I'd want it most
I never use the browser integration features. I just have my password manager on my phone and I look up passwords and type them by hand. If they are all unique, there's no need to make them so complicated that you can't type them.
-
I simply have not found a reliable enough storage medium for the password database to satisfy me; besides, removable media restrictions are commonplace enough that it'd be useless in some of the places where I'd want it most, and cloud-based storage risks exposing the database itself to an offline attack.
I keep my definitive copy in Dropbox, which means it gets automatically backed up on every device where I've installed the Dropbox client (currently three computers and my phone). I've also got a copy on one of these attached to my keyring, which I update every now and then (as long as it's got my current Dropbox password on it, I'm good).
I am not even slightly concerned about the possibility of offline attack against the password database itself. There has been some work done on DOSing KeePass databases by fooling with the unencrypted portions of their headers, but I remain unaware of any reported attacks that let you see inside them without the master key; and my master key is 18 characters long and came from random.org many years ago.
I'm also not really fussed about being unable to use my personal passwords on other people's air-gapped equipment.
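An added example (mine, not code from the thread or from the KeePass project): a simplified model of a password-database file whose KDF parameters and IV sit in an unencrypted TLV header, the layout KDBX 3 also used; the field ids, sizes and values are constructed. It shows a swapped header field passing unnoticed when nothing authenticates the header, being rejected once a keyed HMAC covers it (the route KDBX 4 took), and an absurd round count being refused by a plausibility cap instead of run, which is the practical answer to the header-tampering denial of service the post mentions.

```python
import hashlib, hmac, struct

F_ROUNDS, F_SALT, F_IV, MAX_ROUNDS = 1, 2, 3, 10_000_000  # constructed ids; cap refuses a rounds bomb
def build_header(fields):
    """Serialize fields as (id:u8, length:u16, data) records plus an end marker."""
    body = b"".join(struct.pack("<BH", fid, len(v)) + v for fid, v in fields.items())
    return body + struct.pack("<BH", 0, 0)
def parse_header(blob):
    """Return ({id: data}, header_length) for a blob that starts with a header."""
    fields, pos = {}, 0
    while True:
        fid, ln = struct.unpack_from("<BH", blob, pos)
        if fid == 0:
            return fields, pos + 3
        fields[fid], pos = blob[pos + 3:pos + 3 + ln], pos + 3 + ln
def derive_key(master, fields):
    """KDF parameters come from the unencrypted header, so bound them before use."""
    rounds = struct.unpack("<I", fields[F_ROUNDS])[0]
    if not 1 <= rounds <= MAX_ROUNDS:
        raise ValueError(f"implausible KDF round count {rounds}")
    return hashlib.pbkdf2_hmac("sha256", master, fields[F_SALT], rounds)
def write_db(master, fields, ciphertext):
    header = build_header(fields)
    tag = hmac.new(derive_key(master, fields), header, "sha256").digest()  # keyed MAC over header
    return header + tag + ciphertext
def open_db(master, blob, authenticate=True):
    """Return (key, ciphertext); with authenticate=True a modified header is rejected."""
    fields, n = parse_header(blob)
    key = derive_key(master, fields)
    if authenticate and not hmac.compare_digest(
            hmac.new(key, blob[:n], "sha256").digest(), blob[n:n + 32]):
        raise ValueError("header has been modified")
    return key, blob[n + 32:]
def demo():
    # Constructed scenario: attacker can rewrite the file but does not know the master key.
    master, ct = b"correct horse battery staple", b"<constructed ciphertext>"
    fields = {F_ROUNDS: struct.pack("<I", 60000), F_SALT: b"\x01" * 16, F_IV: b"\x02" * 16}
    db = write_db(master, fields, ct)
    n = parse_header(db)[1]
    swapped_iv = build_header({**fields, F_IV: b"\x03" * 16}) + db[n:]  # old tag, new IV
    bomb = build_header({**fields, F_ROUNDS: struct.pack("<I", 2**32 - 1)}) + db[n:]
    out = {"swap_unnoticed_without_mac": open_db(master, swapped_iv, False)[1] == ct}
    for name, blob in ("swap_detected_with_mac", swapped_iv), ("bomb_refused", bomb):
        try:
            open_db(master, blob)
            out[name] = False
        except ValueError:
            out[name] = True
    return out
```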
-
I never use the browser integration features. I just have my password manager on my phone and I look up passwords and type them by hand. If they are all unique, there's no need to make them so complicated that you can't type them.
I also don't trust my phone as a storage medium for such things -- even less than I'd trust a removable Flash drive or SD/... card
I've also got a copy on one of these attached to my keyring, which I update every now and then (as long as it's got my current Dropbox password on it, I'm good).
I'm still not convinced that Flash is long-term reliable enough for credential storage, but maybe that's just my terrible experiences with USB Flash drives failing...
I'm also not really fussed about being unable to use my personal passwords on other people's air-gapped equipment.
Not even air-gapped -- just restrictive enough that approaches like yours are out of the question.
-
I use a Discourse private message as my password manager. The really nice thing is it censors my passwords for other users, so if an admin is snooping in they won't get anything!
Until some enterprising admin downloads a DB backup and starts querying it … :P
-
Hmm, perhaps I should PGP the post then.
Paging @Onyx for a userscript request: PGP and de-PGP buttons!
-
I'm still not convinced that Flash is long-term reliable enough for credential storage
Neither am I, which is why my definitive copy doesn't live on it.
That said, my little Elago μSD reader has worked really well for me for about five years now. Nicest thing about it is that it's small enough to get out of the way of all the other things in my pocket that want to beat it up; and even if it does eventually get physically damaged, there's a really good chance that the μSD card inside it will survive. I've dropped my keys, I've run over them with my car, I've accidentally gone swimming with them, and the little card reader just keeps on working.
restrictive enough that approaches like yours are out of the question
It's the card in the wallet caper for you then.
-
I'm still not convinced that Flash is long-term reliable enough for credential storage, but maybe that's just my terrible experiences with USB Flash drives failing...
You could always try an M-DISC. You just won't be able to easily update your DB.
-
Until some enterprising admin downloads a DB backup and starts querying it
Or impersonates him.
Filed Under: Ruining jokes for fun and profit since...
-
Guess I could add pgp to @PleegBot. Anyone know a good node library?
-
Never used PGP, but there's this:
npm
package too.…nope; no idea re: the avatar…
-
I'll look into it later.
Also @PleegBot is back up - someone stealth-added a dependency.
-
.ycnedneped a dedda-htlaets enoemos - pu kcab si toBgeelP@ oslA
.retal ti otni kool ll'I
Filed under: random:reverse
-
someone stealth-added a dependency
And that is why I have a script that pulls the repo and runs npm install ;)
-
I do too. It's called a vagrantfile :)
-
It's actually my own fault - I pulled, I restarted using upstart, and I neglected to check the log file whether the bot started correctly.
-
Oh, beautiful oneboxing there…
-
you will take my ability to paste into a password field from my cold dead etc.
KeePass can fill in form fields automatically, without a manual round trip through the clipboard. The Android KeePass app even has a keyboard, so the usernames and passwords don't pass through the clipboard there either.
Generating a new password does require pasting AFAIK.
-
Generating a new password does require pasting AFAIK.
Not sure if KeePassHTTP uses the clipboard but that's what I use for generating passwords.
However, I remember stuff from KeePass being blocked from pasting in Chrome before I had that addon. I had to paste to a text editor, then copy again and paste into Chrome from there
-
LastPass is the same; the Android app even autofills in apps as well as browsers
-
However, I remember stuff from KeePass being blocked from pasting in Chrome before I had that addon. I had to paste to a text editor, then copy again and paste into Chrome from there
I've always suspected that's a Mono issue. Primary selection doesn't work either, IIRC.
-
I've always suspected that's a Mono issue.
Why would it paste to gedit then? That's the bit that confuses me. Chrome is GTK as well, is it not? Or is it wxWidgets or something?
-
Why would it paste to gedit then?
I don't know, but I have issues with chrome and clipboards. Especially when I also have vmware running. When I want to paste from / to a VM from browsers I usually paste into Kate first and recopy. I suspect that chrome does some of its own custom clipboard stuff that isn't really down with native standards.
I hate it when programs don't respect Primary Selection, however. They're the worst of the worst.
-
Not sure if KeePassHTTP uses the clipboard but that's what I use for generating passwords.
Oh yeah, I forgot about that. I use the KeeFox extension in both Firefox and Thunderbird, which doesn't use KeePassHTTP.
ChromeIPass does use KeePassHTTP and I think is able to fill in a newly generated password in a form field through the context menu, so skipping the clipboard and manual paste.
However, I remember stuff from KeePass being blocked from pasting in Chrome before I had that addon. I had to paste to a text editor, then copy again and paste into Chrome from there
KeePass and the X clipboard fuckery don't like each other that well. There has been effort in the KeePass camp to just make it work. IIRC you have to install xsel, and KeePass uses that for clipboard management, which works.
-
Why would it paste to gedit then? That's the bit that confuses me. Chrome is GTK as well, is it not? Or is it wxWidgets or something?
Blame the 3 clipboards X provides (PRIMARY selection, SECONDARY selection, CLIPBOARD selection).
Edit: fixed misattribution of boomzilla's quote. @discoursebot...
-
@OffByOne - Days Since Last Discourse Bug: -1
-
ChromeIPass does use KeePassHTTP and I think is able to fill in a newly generated password in a form field through the context menu, so skipping the clipboard and manual paste.
You can just click on the key icon.
-
You can just click on the key icon.
Indeed, but I don't see a "Just fill in the password field plz" button, only copy to clipboard and optionally fill in the field.
Unless that button got cropped out of your screenshot.
-
Oh, yeah, now that you say it... No idea why, it will save it to KeePass without me pasting it. It asks after you submit the form, IIRC.
-
Sure, I get that. It transfers the username, password, URL, ... to KeePass through KeePassHTTP.
I was wondering if it's possible to generate a new password and have it filled in the password field on the HTML form, without the password ever getting sent to the clipboard.
KeeFox doesn't seem to do that: "generate new password" puts the generated password on the clipboard. I'd expect browser plugins to be able to do some DOM magic to fill in the generated password.
If I want to log in to a site for which KeePass already has a username/password combination stored, it will fill those in automatically, so it can do that.
-
Blame the 3 clipboards X provides (PRIMARY selection, SECONDARY selection, CLIPBOARD selection).
Fun fact: X supports as many different selections as you have X IDs, and there's actually more than three standard ones. This is nuts. Fortunately, hardly anything uses any selections other than PRIMARY, CLIPBOARD and XdndSelection (used for drag-and-drop support). Particularly fortunately, nobody uses cut buffers any more, and I only know one program that supports SECONDARY (in a sort of “because I can” way too).
-
I've always suspected that's a Mono issue.
I prefer KeePass 1.x on Windows, and I use the more-or-less compatible KeePassX on Linux, precisely because neither of these has to crank up some massive slow-starting runtime just to do its job.
It's not a lot of time wasted waiting for Mono or .Net to get its arse in gear, but it just seems to be particularly irritating when what I want to do is enter a password so I can get on with something else.
-
It's not a lot of time wasted waiting for Mono or .Net to get its arse in gear, but it just seems to be particularly irritating when what I want to do is enter a password so I can get on with something else.
That bit has never bothered me. I just launched it and it came up in under a second. Though I had it open earlier, so probably the requisite files were already cached in RAM.
-
Yeah, the CLRs are only slow on first launch. But I've been using KeePass and KeePassX since before 2.x was a thing, and I don't need any of the fancy features supported by the 2.x database format, and I really do appreciate first launch of both KeePass 1.x and KeePassX being noticeably faster than Nth launch of 2.x.
I'm also impressed both by the willingness of the KeePass dev to keep both major KeePass branches actively maintained and by his having said explicitly on the KeePass versions page that he would do this. If I thought the 1.x database format was going to disappear down a legacy memory hole I'd switch, but it remains very well supported.
For what it's worth, I've never seen KeePassX display anomalous cut/paste behavior.