Stackoverflow has the password to my mail-account
-
Well, I actually trust Stackoverflow to forget my mail-password when I send it to them accidentally. But it happens frequently enough.
When I want to log-in to Stackoverflow, they ask me for my mail-address, and then for my password. And they do not allow logging-in with my username. Now any robot would know to use the Stackoverflow password when logging into Stackoverflow. I'm no robot. I will just enter my address, the password to my mail-account, then press enter, then swear.
I have the same problem when booting. When I boot one of my systems, I have to enter the passphrase to decrypt the drive. Now because this is good practice, I used different passphrases on all the five systems I use. Guess what happens frequently? The passphrase prompt looks the same after all. I'm thinking of prefixing the passphrases with their respective hostnames, so that I will type the hostname first which hopefully jogs my memory to use the right passphrase.
TLDR Gleemonk can't keep passphrases apart
-
Personally, I have one password for physical devices that can't be logged into remotely, one password for my password manager, and then all my other passwords are randomly generated gibberish.
-
@gleemonk This problem is mostly solved by google and facebook logins.
It should be openid, but everyone tried to have its own thing, so obviously the biggest critters on the market won.
-
@gleemonk Said it before and I'll say it again. People who don't use password management software are .
Download KeePass, like now, and start learning to love it.
-
@flabdablet It doesn't seem cool to be locked out of everything when on a different computer, or trust all my passwords to something in the cloud. I'm passing on this one.
-
@fbmac I just keep my KeePass database in my DropBox directory, along with a portable version of KeePass. That way every time I save changes on any of my devices it's automatically synched, and I just need to know two passwords: for DropBox, and for my KeePass database.
-
@flabdablet how does KeePass work if you're, say on a public computer that you can't just download the client for, or need to get onto your email but only have someone else's phone available?
-
@fbmac I've got mixed feelings about this. Obviously I would only use a solution where the master password is only used locally and never transmitted. Still it feels like handing out my SSH private key to the Internet going "Yeah there is a good passphrase on each of them, have a crack at it."
On the other hand, because I keep making mistakes like this, I'm starting to wonder what the failure modes are. Handing over my mail-password to some random sites on a regular basis is much worse than having all the noncritical logins in a password manager. Then there is the comfort of not having to type these logins against the comfort of being able to login from any system when I remember the password.
-
@Onyx said in Stackoverflow has the password to my mail-account:
@fbmac I just keep my KeePass database in my DropBox directory, along with a portable version of KeePass. That way every time I save changes on any of my devices it's automatically synched, and I just need to know two passwords: for DropBox, and for my KeePass database.
Are they the same?
-
@DogsB what do you think I am, a moron?
KeePass one has an additional 1 at the end since it's newer.
-
@fbmac, @Jaloopa You put it on your phone, too. Then you can look it up and type it in. This assumes there's a local copy of the db on your phone, which KeePass will do, at least on android.
I use Keepass2android offline, which doesn't use any cloud. I sync all copies with a thumb drive. The phone I sync by copying off to a computer, opening with desktop KeePass and syncing, then copying back.
-
@Onyx said in Stackoverflow has the password to my mail-account:
@fbmac I just keep my KeePass database in my DropBox directory, along with a portable version of KeePass. That way every time I save changes on any of my devices it's automatically synched, and I just need to know two passwords: for DropBox, and for my KeePass database.
I hope your Keepass makes backups because I had a colleague whose Google-synced database got corrupted.
Also make sure to copy it offline (and outside of synced folders) every once in a while (though that's just more common sense backup advice).
-
@JBert I have a script on my home machine that watches it (along with some other files) and makes a backup every time the file changes. inotify is a beautiful thing ;)
-
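An added example, not the poster's own inotify script: a Python stand-in for a backup-on-change job on a KeePass database (the filename `Passwords.kdbx` and the backup directory are assumptions). It carries two checks such a script wants: it skips the copy when a backup with the same content hash already exists, so a sync client merely re-touching the file does not pile up identical copies, and it hashes the copy before renaming it into place, so a database caught mid-write never becomes the "latest" backup. The watch loop polls mtime because inotify is Linux-only and not in the standard library; on Linux, `inotifywait -m -e close_write` gives the same trigger without polling.

```python
import hashlib
import os
import shutil
import sys
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_if_changed(src, backup_dir, keep=20):
    """Copy src into backup_dir unless a backup with identical content exists.

    Backup names are <name>.<UTC timestamp><ns>.<first 16 hex of sha256>, so they
    sort chronologically by name and carry the content hash for de-duplication.
    Returns the new backup path, or None if nothing was written.
    """
    src, backup_dir = Path(src), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(src)
    tag = digest[:16]
    existing = sorted(p for p in backup_dir.iterdir()
                      if p.name.startswith(src.name + ".") and not p.name.endswith(".part"))
    if any(p.name.endswith("." + tag) for p in existing):
        return None  # content already saved (e.g. the sync client re-touched the file)

    ns = time.time_ns()
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime(ns // 10**9)) + f"{ns % 10**9:09d}"
    dest = backup_dir / f"{src.name}.{stamp}.{tag}"
    part = backup_dir / (dest.name + ".part")
    shutil.copy2(src, part)
    if sha256_file(part) != digest:  # file changed under us: we copied a half-written DB
        part.unlink()
        return None
    os.replace(part, dest)  # atomic rename: no partial file ever carries a final name

    # Keep only the newest `keep` backups (names sort chronologically).
    for old in existing[: max(0, len(existing) + 1 - keep)]:
        old.unlink()
    return dest


def watch(src, backup_dir, interval=2.0, keep=20):
    """Polling stand-in for an inotify loop: back up whenever mtime moves."""
    last = None
    while True:
        try:
            mtime = os.stat(src).st_mtime_ns
        except FileNotFoundError:
            mtime = None  # sync clients replace files by rename; wait for it to reappear
        if mtime is not None and mtime != last:
            last = mtime
            try:
                made = backup_if_changed(src, backup_dir, keep)
            except FileNotFoundError:
                continue
            if made:
                print("backed up", made)
        time.sleep(interval)


def demo():
    """Exercise de-duplication, change detection and pruning on a throwaway file."""
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "Passwords.kdbx"  # constructed stand-in, not a real KeePass file
        bak = Path(d) / "backups"
        db.write_bytes(b"version 1")
        first = backup_if_changed(db, bak, keep=2)
        again = backup_if_changed(db, bak, keep=2)  # same content -> skipped
        db.write_bytes(b"version 2")
        second = backup_if_changed(db, bak, keep=2)
        db.write_bytes(b"version 3")
        third = backup_if_changed(db, bak, keep=2)  # prunes the version-1 copy
        kept = sorted(p.name for p in bak.iterdir())
        return {
            "first_written": first is not None,
            "duplicate_skipped": again is None,
            "second_written": second is not None,
            "kept": len(kept),
            "oldest_pruned": first.name not in kept,
            "newest_kept": third.name in kept,
        }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        watch(sys.argv[1], sys.argv[2])
    else:
        print(demo())
```

Run it as `python backup.py ~/Dropbox/Passwords.kdbx ~/kdbx-backups` to watch; with no arguments it runs the self-check. The pruned copies are the only thing standing between you and a corrupted synced database, so point `backup_dir` outside the synced folder, as suggested above.
-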
@fbmac said in Stackoverflow has the password to my mail-account:
@flabdablet It doesn't seem cool to be locked out of everything when on a different computer, or trust all my passwords to something in the cloud. I'm passing on this one.
PasswordSafe on smartphone 4 EVA!
Though admittedly I haven't tried it, and you still need to type stuff into a potentially keyloggered PC.
-
@fbmac said in Stackoverflow has the password to my mail-account:
@flabdablet It doesn't seem cool to be locked out of everything when on a different computer, or trust all my passwords to something in the cloud. I'm passing on this one.
Right with you on relying on a cloud service that might go tits-up at any minute to remember my bookmarks and passwords and credit card details and everything else I've stuffed into my KeePass database. That's why I use KeePass, which relies on a local database file, instead of something fully cloud like LastPass or 1Password.
I keep the authoritative version of my KeePass database in my Dropbox folder, and I also carry a copy attached to my car keys in one of these:
I update the car keys version every now and then, when I remember, but it's not all that critical; the only entry in it that absolutely needs to be up to date is the one for my Dropbox account (I have absolutely no clue what my Dropbox password is).
@Jaloopa said in Stackoverflow has the password to my mail-account:
@flabdablet how does KeePass work if you're, say on a public computer that you can't just download the client for, or need to get onto your email but only have someone else's phone available?
I keep the portable KeePass executable for Windows in the same folders where I keep my password database, which deals with 99% of the public-computer use cases. I've only ever needed to use a foreign phone once, and I just persuaded the owner that KeePassDroid and Dropbox were both well worth having installed on it; then I used the password database from the μSD card on my car keys.
-
@flabdablet when they say "any" USB port, I assume they still mean A type? Or is there a microUSB somewhere and you can plug it into phones as well?
-
@gleemonk said in Stackoverflow has the password to my mail-account:
Handing over my mail-password to some random sites on a regular basis is much worse than having all the noncritical logins in a password manager. Then there is the comfort of not having to type these logins against the comfort of being able to login from any system when I remember the password.
KeePass is not going to be of any use for HD decryption passwords - well, not until some clever Kickstarter releases a version embedded in a USB HID at any rate. OTOH, typing the wrong password when trying to decrypt a hard disk is not any kind of security risk.
For me, the main benefit I've had from taking the trouble to get comfortable with KeePass is feeling secure that all my passwords are permanently remembered in there. I can log into obscure services I haven't used for the last five years just as easily as I log into my email, and every service I use has a long, machine-generated, unique password.
As for logging in on any system: the combination of Dropbox and a miniature μSD card reader that's always within walking distance has yet to fail me.
-
@Onyx said in Stackoverflow has the password to my mail-account:
@flabdablet when they say "any" USB port, I assume they still mean A type? Or is there a microUSB somewhere and you can plug it into phones as well?
The Elago Nano is a very neat little design: the μSD card plugs into a cavity where a standard USB A plug has a solid chunk of useless plastic. It doesn't have an inbuilt micro USB connector, but it works fine with an OTG adapter; personally I just pull the μSD card and plug that straight into the phone.
On my own personal phone I have KeePassDroid and Dropbox installed, and KeePassDroid is set to use the Dropbox copy of my KeePass database as the default one. Works seamlessly. I bootstrapped it from my car keys DB.
The other nice thing about the Elago Nano is that because it's tiny, it's robust. I've had mine for four years now, and it's completely undamaged even after having been beaten up for all that time by all the shit I keep in my car keys pocket.
-
@flabdablet said in Stackoverflow has the password to my mail-account:
personally I just pull the μSD card and plug that straight into the phone.
Exactly the reason I asked: you can't do that on some phones. And yes, I am talking Android phones. Those are usually also the more expensive ones, too.
Fuck your non-expandable storage and non-removable battery!
-
@Onyx said in Stackoverflow has the password to my mail-account:
you can't do that on some phones
I would never even contemplate buying such a phone.
@Onyx said in Stackoverflow has the password to my mail-account:
Fuck your non-expandable storage and non-removable battery!
Correct.
-
@JBert said in Stackoverflow has the password to my mail-account:
you still need to type stuff into a potentially keyloggered PC
This is no less safe than just typing passwords into that same PC.
KeePass is excellent software, but it can't magically secure an insecure PC.
-
@Onyx said in Stackoverflow has the password to my mail-account:
@fbmac I just keep my KeePass database in my DropBox directory, along with a portable version of KeePass. That way every time I save changes on any of my devices it's automatically synched, and I just need to know two passwords: for DropBox, and for my KeePass database.
This is literally, exactly, what I do as well. ;)
-
22 posts and no hunter2? Disappoint.
-
@flabdablet said in Stackoverflow has the password to my mail-account:
KeePass is not going to be of any use for HD decryption passwords - w
I also need a solution that lets me type passwords into an Xbox or my Windows Phone, and KeePass is useless for that, PLUS the passwords it generates are plain painful.
Also you people saying you only have two passwords-- uh, you have your desktop and laptop set to not ask for a password on login? Because that seems like the opposite of what a person who cares enough to use a password manager program would do. I just use Human Memory 1.0 and I'd never turn off passwords on my laptop.
-
@blakeyrat said in Stackoverflow has the password to my mail-account:
you have your desktop and laptop set to not ask for a password on login?
I use a fingerprint scanner :) Solves that problem!
-
@Yamikuronue said in Stackoverflow has the password to my mail-account:
@blakeyrat said in Stackoverflow has the password to my mail-account:
you have your desktop and laptop set to not ask for a password on login?
I use a fingerprint scanner :) Solves that problem!
http://memecrunch.com/meme/3DRC/not-sure-if-trolling/image.png
-
@Yamikuronue said in Stackoverflow has the password to my mail-account:
I use a fingerprint scanner Solves that problem!
What about a PIN on your phone, or do you have one of those Apple phones with a fingerprint scanner, too?
My problem is I don't buy laptops with fingerprint scanners because they invariably only go on the ugliest most box-like models possible. Show me a nice sleek ultrabook with one and I might change my mind.
Also I've never seen a desktop with a fingerprint scanner, although I guess you use a USB one?
-
@gleemonk said in Stackoverflow has the password to my mail-account:
I'm no robot. I will just enter my address, the password to my mail-account, then press enter, then swear.
The problem there is that you know your email password. The only passwords I actually know are the master password to my password store, and the TrueCrypt password for my full-disk encrypted VM (which isn't in my password store at all, and is long and strong enough that I legitimately run the risk of forgetting it if I don't type it once in a while; the VM's not important enough to worry about losing it, so if that ever happens I'll just wipe the image and reinstall over it).
-
@anotherusername Yet another person who claims he has no password on his PC...
-
@blakeyrat said in Stackoverflow has the password to my mail-account:
the passwords it generates are plain painful
I wouldn't know. I never look at them.
-
@blakeyrat said in Stackoverflow has the password to my mail-account:
Yet another person who claims he has no password on his PC...
Sorry, what?
-
@anotherusername said in Stackoverflow has the password to my mail-account:
The only passwords I actually know are the master password to my password store, and the TrueCrypt password for my full-disk encrypted VM
So you don't know the password to your computer login. If I read this literally.
Nor do you have a PIN for your phone or tablet, but that's kind of a different thing so I'm ok with that.
-
@SirTwist KeePass2Android is actually amazing. It has a really nice UI. I need to get around to buying that guy a few beers.
-
@blakeyrat said in Stackoverflow has the password to my mail-account:
@anotherusername said in Stackoverflow has the password to my mail-account:
The only passwords I actually know are the master password to my password store, and the TrueCrypt password for my full-disk encrypted VM
So you don't know the password to your computer login. If I read this literally.
Oh, you mean the account password to log in to the OS? Yeah, those are mostly pointless; too easy to crack on Windows to be useful, and anyone who stole the laptop would either just pop the hard drive into an enclosure and read all of my files that way (except the ones on the full-disk encrypted VM, natch) or they'd just want to wipe it and reinstall pirated Windows anyway. And I'd go through my password store and change all the passwords ASAP if that happened, just in case they happened to try to get saved passwords from my browser.
I actually do have a Windows account password (and I know what it is), but I don't consider it secure enough to be worth mentioning.
Nor do you have a PIN for your phone or tablet, but that's kind of a different thing so I'm ok with that.
Those devices (well, phone... I don't have a tablet) never really leave my direct control, so yeah. Different thing.
-
@Onyx USB On the go is a thing.
-
@blakeyrat said in Stackoverflow has the password to my mail-account:
I also need a solution that lets me type passwords into a Xbox or my Windows Phone, and KeePass is useless for that
- Windows Phone 7Pass (for Windows Phone 7 / 8.1)
- Windows Phone WinPass (for Windows Phone 7 / 8.1)
- Windows Phone WinKee (for Windows Phone 8.1)
And if you want to enter it on your Xbox, you just use SmartGlass like any other time you want to do a significant amount of typing.
That being said, I don't use it for everything of course.
-
@Jaloopa said in Stackoverflow has the password to my mail-account:
public computer
If you're using public computers at all, you're already using a potentially compromised system you don't control, so you might as well set all your passwords to "hunter2".
Seriously, in times when everyone has either a smartphone or a tablet, why take the risk of using a public device?
-
@blakeyrat said in Stackoverflow has the password to my mail-account:
PLUS the passwords it generates are plain painful
You can select the constraints when generating the password.
-
While we're on this topic, anyone else here use FIDO U2F keys?
-
@flabdablet said in Stackoverflow has the password to my mail-account:
OTOH, typing the wrong password when trying to decrypt a hard disk is not any kind of security risk.
These are not attack scenarios I fear personally but I can see two:
- hardware keylogger or keylogger embedded into boot system
- observing or recording me typing
in both cases when I accidentally type another passphrase I have spilled more secrets than what's on that system.
@flabdablet said in Stackoverflow has the password to my mail-account:
@JBert said in Stackoverflow has the password to my mail-account:
you still need to type stuff into a potentially keyloggered PC
This is no less safe than just typing passwords into that same PC.
KeePass is excellent software, but it can't magically secure an insecure PC.
Here I disagree. Just typing my Stackoverflow login into a random system is nothing risky. But downloading all my passwords and providing the key? That's like the difference between being showered with saliva from random drunk people that want to talk to you at a loud party and actually taking them home. Entirely different risk profile and much harder to correct if it goes wrong.
@JBert said in Stackoverflow has the password to my mail-account:
@fbmac said in Stackoverflow has the password to my mail-account:
@flabdablet It doesn't seem cool to be locked out of everything when on a different computer, or trust all my passwords to something in the cloud. I'm passing on this one.
PasswordSafe on smartphone 4 EVA!
Though admittedly I haven't tried it, and you still need to type stuff into a potentially keyloggered PC.
Sounds like a good approach. I'll consider that.
-
@flabdablet said in Stackoverflow has the password to my mail-account:
@JBert said in Stackoverflow has the password to my mail-account:
you still need to type stuff into a potentially keyloggered PC
This is no less safe than just typing passwords into that same PC.
KeePass is excellent software, but it can't magically secure an insecure PC.
Yes, yes, you're right. Though a PC could still be rigged to take off with your master password and your KeePass file, whereas just entering a few account passwords should only take a password reset when you're home. And it's not as if you need to do extra effort to remember it, it was a random string before and it'll be a random string after.
-
I wish KeePass had a way to start up without having to select the password file/enter the password.
-
@coldandtired In that case I recommend Notepad. *
Filed under: Though then I'd like to have a copy of your password database for testing the strength of the encryption
-
@JBert If it auto-filled logins I would use it.
-
@coldandtired You can use Windows encryption instead, but then you lose the db when you lose your Windows password or installation, unless you've backed up the keys. Also, then it only works on Windows.
-
@anotherusername said in Stackoverflow has the password to my mail-account:
Yeah, those are mostly pointless; too easy to crack on Windows to be useful
NTLM? Not... really - a quite solid rig takes almost 6 hours just to get up to 8 characters. It's not super secret government-proof stuff, being basically unsalted MD4, but with a long enough password that kid with a graphics card won't be watching your porn anytime soon. And that's assuming you actually have "misplaced" your SAM database.
Unless you've enabled legacy LanMan, but then well, you only have yourself to blame.
-
@Maciejasjmj said in Stackoverflow has the password to my mail-account:
a quite solid rig takes almost 6 hours just to get up to 8 characters
That's brute-force. Real world attackers will probably start with rainbow tables. Or, if they don't care what your password was, but just want access to the files, in most cases it'll be trivially easy for a bad guy to just overwrite the hash of your password with a hash of a password he already knows. And of course, they can always just pop your drive into an enclosure and read all of your files without even booting into the OS.
-
So what you're saying is, encrypt the drive?
-
@anotherusername said in Stackoverflow has the password to my mail-account:
@Maciejasjmj said in Stackoverflow has the password to my mail-account:
a quite solid rig takes almost 6 hours just to get up to 8 characters
That's brute-force. Real world attackers will probably start with rainbow tables. Or, if they don't care what you password was, but just want access to the files, in most cases it'll be trivially easy for a bad guy to just overwrite the hash of your password with a hash of a password he already knows. And of course, they can always just pop your drive into an enclosure and read all of your files without even booting into the OS.
You don't even need any skill to do that, either; the tools are free and very user friendly. I use NT Offline Password Recovery (https://pogostick.net/~pnh/ntpasswd/) when I need to break into a computer here at work. Just a couple of minutes with a USB stick to clear the account password.
-
@Cursorkeys indeed.