Talk to me about password managers
-
@flabdablet said in Talk to me about password managers:
There is a preference for forcing single instance, but it's off by default. Probably worth checking whether 2.x has a similar preference that's on by default.
That would be Options -> Advanced -> Limit to single instance
It was on by default when I installed 2.x, which could be interpreted as "forcing you to use tabs" if you look at it funny.
-
@DCRoss If you're using its global hot keys, forcing a single instance might result in the least surprise.
I don't do that; Alt-Tab Ctrl-V is quite quick enough for me, and always works.
-
@DCRoss You don't need more than one instance of an application to open more than one window. WTF kind of thinking is that.
-
So I'm finally getting around to actually doing this.
Keepass it is.
Haven't really decided on a sync mechanism. I think I'm going to try Google Drive, since I need to keep the Google password headspaced because I use it on quite a few devices that aren't going to get a keepass install.
-
@Weng Hilariously, my WtfCorp domain login keeps intercepting attempts to sync from my personal computer. Apparently it's picking up a stale Google accounts cookie somewhere from when I logged into my corpo email.
So I guess Dropbox.
-
@Weng said in Talk to me about password managers:
I think I'm going to try Google Drive
World of pain in the desktop client. Dropbox's is much more reliable.
As an alternative, if you end up using KeePass 2.x you might care to try out the Google Drive plugin for it. I have not used it so I can't speak to its quality.
-
@Weng I used OneDrive, but all these file sharing sites are blocked from my work so it's moot. I have it synced on my phone so if I need to get into something I can always type it in manually, but I mostly don't sign in to things from work anyway.
I also have a database on my work machine for network logins and the like
-
I keep my keepass db synced via S3
-
@Weng said in Talk to me about password managers:
So I guess Dropbox.
That's what I do. And the Android client (Keepass2Android) "just works" with it.
-
@dcon It knows how to merge properly, assuming there's no actual conflict. So that's great. I haven't seen what its conflict resolution looks like though.
-
@LB_ said in Talk to me about password managers:
The one thing that would suddenly get me to start using a password manager no-questions-asked would be support for 2FA as part of the decryption process, but I don't really see how that can happen. I guess you could use a U2F like a YubiKey, but you are supposed to have two so that one acts as a backup if you lose your primary and that wouldn't really work for encryption+decryption.
Does a password and a keyfile count? If yes, you can suddenly start using KeePass 2.
-
@OffByOne Generally the "thing you have" is a physical thing; that way, nobody else can have it without your knowledge. The "thing you know" is to cover when they steal the physical thing from you; it's useless to them without your brain.
If the only copy of your keyfile is on a physical media, like a USB or phone storage, then it can count. But then you don't have backups.
-
@Yamikuronue said in Talk to me about password managers:
@OffByOne Generally the "thing you have" is a physical thing; that way, nobody else can have it without your knowledge. The "thing you know" is to cover when they steal the physical thing from you; it's useless to them without your brain.
If the only copy of your keyfile is on a physical media, like a USB or phone storage, then it can count. But then you don't have backups.
I know what 2FA is, thanks :)
As stated above, thing-you-have ultimately can be reduced to a thing-you-know: where to get a replacement if you lose yours.
If your keyfile is a 64KB dump of a true entropy source, that's arguably a thing-you-have.
If on the other hand your keyfile just contains the number 4 (the result of a roll with a fair die, so it's guaranteed Random™!), well, that's more a thing-you-know.
-
@OffByOne said in Talk to me about password managers:
If your keyfile is a 64KB dump of a true entropy source, that's arguably a thing-you-have.
But you missed my point entirely in your flippancy: you don't know if someone else has made a copy of your 64KB file. You know you still have yours, but that doesn't mean nobody else does. You can be sure nobody's made a copy if the only copy is on your USB stick so long as you've never left it out of your sight, so it can arguably count, but even then, you have to sleep sometime.
-
@Yamikuronue said in Talk to me about password managers:
@OffByOne said in Talk to me about password managers:
If your keyfile is a 64KB dump of a true entropy source, that's arguably a thing-you-have.
But you missed my point entirely in your flippancy: you don't know if someone else has made a copy of your 64KB file. You know you still have yours, but that doesn't mean nobody else does. You can be sure nobody's made a copy if the only copy is on your USB stick so long as you've never left it out of your sight, so it can arguably count, but even then, you have to sleep sometime.
We're in violent agreement :)
Assumptions I made but didn't state:
- you created your keyfile yourself
- on a safe system (no internet connection, booted from a LiveCD with a trusted OS)
- that is powered down after creating the keyfile and saving it to your USB stick
You could even encrypt the keyfile or the filesystem it's saved to, so you'd need to know an extra thing to get to the keyfile.
You might even use a smartcard to do the encryption, making it real 2FA.
Anyway, I just use long passphrases to encrypt my KeePass databases. It's good enough security for my needs.
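The exchange above (a 64KB dump of a true entropy source versus a keyfile that just contains "4", and a password plus keyfile combined into one key) can be made concrete in a few lines. The following is an added example and is not code from the thread or from KeePass; the composite-key construction is modelled on the scheme KeePass publishes (SHA-256 each component, concatenate, SHA-256 again) but is an illustration, not a byte-compatible reimplementation, and the function names, the `os.urandom` keyfile and the sample inputs are all constructed here.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Optional


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Estimate the entropy of a byte string in bits per byte.

    A plain Shannon estimate over byte frequencies. It flags obviously weak
    keyfiles (one character, repeated text, a short prose note) but cannot
    tell a seeded PRNG or a published file from real randomness, so treat it
    as a sanity check on what you are about to trust, not as proof.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keyfile_effective_bits(data: bytes) -> float:
    """Rough upper bound on the secret bits a keyfile adds to the composite key.

    Entropy per byte times length, capped at 256: the file is reduced to a
    32-byte SHA-256 digest before it is combined, so a 64KB dump cannot
    contribute more than 256 bits no matter how random it is.
    """
    return min(256.0, shannon_entropy_bits_per_byte(data) * len(data))


def make_keyfile(size: int = 64 * 1024) -> bytes:
    """Constructed keyfile content drawn from the OS CSPRNG (os.urandom)."""
    return os.urandom(size)


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Combine a password and an optional keyfile into one 32-byte key.

    Illustrative only (assumption: modelled on the documented KeePass
    composite-key idea, hash each component, concatenate, hash again).
    Real KeePass accepts several keyfile formats and applies key
    transformation on top; none of that is reproduced here.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


if __name__ == "__main__":
    strong = make_keyfile()      # the 64KB entropy dump from the thread
    weak = b"4"                  # the fair-die roll from the thread
    for label, kf in (("64KB urandom", strong), ("just '4'", weak)):
        print(f"{label:>12}: {shannon_entropy_bits_per_byte(kf):.3f} bits/byte,"
              f" ~{keyfile_effective_bits(kf):.0f} usable bits")
    # Same passphrase, different keyfiles: completely different composite keys.
    print(composite_key("correct horse battery staple", strong).hex())
    print(composite_key("correct horse battery staple", weak).hex())
```

The "just '4'" keyfile scores zero usable bits, which is the thread's point: the file adds nothing a guesser does not already know. The urandom file scores the 256-bit cap, which is also the ceiling; past 32 bytes of real randomness a bigger keyfile buys nothing except a slower hash. The entropy estimate is deliberately described as a sanity check, because it says nothing about whether another copy of the file exists, which is the "thing you have" concern raised a few posts up.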
-
@OffByOne said in Talk to me about password managers:
Does a password and a keyfile count? If yes, you can suddenly start using KeePass 2.
Seems to me that any argument in support of a keyfile being a second factor applies equally well to your KeePass database file itself.
-
@OffByOne said in Talk to me about password managers:
Anyway, I just use long passphrases to encrypt my KeePass databases. It's good enough security for my needs.
Same here, although I think I should change my passphrase to something slightly less obnoxiously long.
-
@Jaloopa said in Talk to me about password managers:
I think I should change my passphrase to something slightly less obnoxiously long
Using the complete text of War and Peace as a password is a bit much.
Unless you're testing of course. Paging @accalia.
-
@OffByOne said in Talk to me about password managers:
Using the complete text of War and Peace as a password is a bit much.
that was a fun test.
bit impractical for day to day use.