This.... from a bank.... I'm.... WTF?!



  • @Ben L. said:

    People should only ever know one password - the current password for their password manager.
    Sing that, sister.



  • @flabdablet said:

    @Ben L. said:
    People should only ever know one password - the current password for their password manager.
    Sing that, sister.

    Apart from I need to log in to my home pc/work pc to be able to log in to my password manager. So that's 3 passwords already.



  • @Mole said:

    @flabdablet said:
    @Ben L. said:
    People should only ever know one password - the current password for their password manager.
    Sing that, sister.

    Apart from I need to log in to my home pc/work pc to be able to log in to my password manager. So that's 3 passwords already.

    Yeah, local logon passwords are a bit of a nuisance. Fortunately they usually only need to be strong enough to resist manual attacks from family and co-workers, and usually the people with physical access to your work computer and those with access to your home computer are disjoint groups, so it usually does no harm to keep your home password in line with your work one. So that's back to two, one of which doesn't really need to be excellent.

    None of which changes the fact that people should ever only need to know the password that gets them into their password manager. One of these days I'll get around to writing an OS logon plugin for KeePass that allows that to happen cleanly. Until then, if you care, you can use an unsecured user account to launch KeePass and have it restart Windows Explorer using runas, which is near enough to a proper logon for most purposes.



  • @flabdablet said:

    you can use an unsecured user account to launch KeePass and have it restart Windows Explorer using runas, which is near enough to a proper logon for most purposes.
    Oh my... Does that really work? On Win7/8? That feels so soo soooo dirty.




  • @LoremIpsumDolorSitAmet said:

    Oh my... Does that really work? On Win7/8?

    Why wouldn't it?



  • @blakeyrat said:

    @LoremIpsumDolorSitAmet said:
    Oh my... Does that really work? On Win7/8?

    Why wouldn't it?

    AFAIK, Explorer is literally just a shell and should (I hope) have nothing to do with the underlying user session. I know things were different back in the days of Win98 which had no real notion of users at all, but seriously now...

    This reminds me of a big WTF at a secondary school I used to go to in order to study some of my subjects. Their IT system comprised many Win98 machines, and they had some custom login system built on top of it that, when used, would revert to the DOS screen and do a whole bunch of server stuff, and if your login wasn't valid, or you were locked out for some reason the overzealous IT manager (who was a WTF in himself, and presumably designed this thing) saw fit, it would delete explorer.exe and effectively make the machine unusable until rebooted. I guess it was restored on startup with some similarly WTF process that certainly didn't involve disk imaging. I know that much because if people installed nasty malware or custom screensavers on those workstations, they would persist.

    Now, flabdablet did say 'for most purposes'. I guess if you quit explorer and relaunched it as another user, you could do quite a few casual things, but I imagine other things would fail badly.



  • @LoremIpsumDolorSitAmet said:

    @flabdablet said:

    you can use an unsecured user account to launch KeePass and have it restart Windows Explorer using runas, which is near enough to a proper logon for most purposes.
    Oh my... Does that really work? On Win7/8? That feels so soo soooo dirty.


    It was a good trick under XP, but I've just tried it under 7 and there are some issues.

    After logging onto Windows as Guest, opening a cmd window, killing the explorer.exe process with Task Manager and doing runas /user:me explorer.exe, I get to see my own desktop icons, task bar and Start menu contents as expected (though Guest's wallpaper remains in place). Programs launched from the Start menu behave as I'd expect them to: for example I can open Notepad and use its Open dialog to browse files inside my own home folder. Windows Explorer itself, though, is weird: when I try to open a folder window I see a second explorer.exe process appear in the Task Manager with username Guest, and Explorer gives me access denied errors instead of showing me any folder contents.

    I've run regedit and verified that HKCU does indeed map to the expected sub-branch of HKU, so this isn't a registry mismatch issue or anything as ugly as that: I think I'm just triggering a bit of Windows Explorer security theatre. This is interesting enough to be worth digging into further when I have more time.



  • @flabdablet said:

    After logging onto Windows as Guest, opening a cmd window, killing the explorer.exe process with Task Manager and doing runas /user:me explorer.exe, I get to see my own desktop icons, task bar and Start menu contents as expected (though Guest's wallpaper remains in place). Programs launched from the Start menu behave as I'd expect them to: for example I can open Notepad and use its Open dialog to browse files inside my own home folder. Windows Explorer itself, though, is weird: when I try to open a folder window I see a second explorer.exe process appear in the Task Manager with username Guest, and Explorer gives me access denied errors instead of showing me any folder contents.

    I've run regedit and verified that HKCU does indeed map to the expected sub-branch of HKU, so this isn't a registry mismatch issue or anything as ugly as that: I think I'm just triggering a bit of Windows Explorer security theatre. This is interesting enough to be worth digging into further when I have more time.

    See if the "Open each folder in the same window" option has any effect on that. I seem to remember that it changed whether Explorer windows are opened in the same process or a new Explorer process is started for each window (which was handy if one of your Explorer windows hung, so killing that process wouldn't also terminate your desktop and taskbar). They might have changed it in Windows 7, though.



  • @anotherusername said:

    See if the "Open each folder in the same window" option has any effect on that. I seem to remember that it changed whether Explorer windows are opened in the same process or a new Explorer process is started for each window (which was handy if one of your Explorer windows hung, so killing that process wouldn't also terminate your desktop and taskbar).
    I think you've conflated that option with the one under the "View" tab for "Open Explorer windows in a separate process", which has been there since NT as far as I know and is still there in 7. And no, altering that one makes no difference.



  • @Mole said:

    @flabdablet said:
    @Ben L. said:
    People should only ever know one password - the current password for their password manager.
    Sing that, sister.

    Apart from I need to log in to my home pc/work pc to be able to log in to my password manager. So that's 3 passwords already.

    I use a pattern for generating passwords. They often don't have much to do with each other, but if I forget the password it's not too hard for me to guess it within a few tries.

    Except for those nasty financial sites with ridiculous rules like "no consecutive numbers" or "must contain 3 special characters" or "cannot have any letter from your username". I always forget those passwords and by the time I get it figured out, I'm locked out of my account and have to do account recovery. I actually have two or three sites where I have to do an account recovery every single time because I cannot figure out my password. Fortunately no one has tried abusing account recovery; it's not too hard to find out what I drive or where I was born and that's all you need to reset the password.

    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.



  • @mott555 said:

    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    What I do for those kinds of questions is translate them into a similar question that I can answer, like younger instead of older sibling or father rather than grandfather (but only on sites where I figure I'll be doing recovery). Plus while someone could get the answer to the question as posed with a little digging, they would need to know your translations off of the stupid questions to grab the right answer.


  • Trolleybus Mechanic

    @mott555 said:

    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    1) Generate a GUID*

    2) Store it somewhere "safe" and easily accessible, like in your gmail or something.

    3) Anytime you need to set a Security Question, copy and paste that GUID

    4) Done.

    * some sites limit the length or character content of Security Answers. Generate a random password 12 characters long that is just a mix of upper and lower case characters. That is your fallback.

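The GUID scheme above, as an added worked example that is not code from the thread or from any poster: it produces the answer to paste, falls back to the footnote's 12 mixed-case letters when a site caps length or rejects punctuation (the brackets-and-dashes problem raised later in the thread), and reports how many bits of guessing entropy each form carries. The site rules passed in are constructed inputs, and the function names are mine.

```python
import math
import secrets
import string
import uuid
from typing import Optional

LETTERS = string.ascii_letters                 # the footnote's fallback alphabet
ALNUM = string.ascii_letters + string.digits   # a constructed "letters and digits only" site rule


def guid_answer() -> str:
    """Step 1: a random version-4 GUID, 36 characters including four dashes."""
    return str(uuid.uuid4())


def fallback_answer(length: int = 12) -> str:
    """The footnote's fallback: `length` random mixed-case letters from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(LETTERS) for _ in range(length))


def entropy_bits(form: str, length: int) -> float:
    """Guessing entropy of each answer form.

    A v4 GUID carries 122 random bits whether it is written with dashes (36 chars)
    or as bare hex (32 chars); the fixed version and variant bits add nothing.
    The letter fallback carries log2(52) bits per character, so 12 letters give
    about 68 bits: weaker than a GUID, but far beyond any real "first pet" answer.
    """
    if form in ("guid", "guid-hex"):
        return 122.0
    if form == "letters":
        return length * math.log2(len(LETTERS))
    raise ValueError(f"unknown form {form!r}")


def fits(answer: str, allowed: str, max_len: Optional[int]) -> bool:
    """True if `answer` satisfies a site's character whitelist and length cap."""
    return all(c in allowed for c in answer) and (max_len is None or len(answer) <= max_len)


def make_security_answer(allowed: str, max_len: Optional[int] = None) -> dict:
    """Step 3: the answer to paste, in the strongest form the site accepts.

    Preference order: the full GUID; the GUID with dashes stripped (same entropy,
    no punctuation for a site to reject); then the letter fallback, trimmed to the
    site's cap. Whatever is returned must go into the password vault (step 2).
    """
    if not all(c in allowed for c in LETTERS):
        raise ValueError("site must at least accept mixed-case letters")
    g = guid_answer()
    if fits(g, allowed, max_len):
        return {"answer": g, "form": "guid", "bits": entropy_bits("guid", len(g))}
    h = g.replace("-", "")
    if fits(h, allowed, max_len):
        return {"answer": h, "form": "guid-hex", "bits": entropy_bits("guid-hex", len(h))}
    n = 12 if max_len is None else min(12, max_len)
    return {"answer": fallback_answer(n), "form": "letters", "bits": entropy_bits("letters", n)}


if __name__ == "__main__":
    # Three constructed site policies: permissive, alphanumeric only, ten letters max.
    for rules in ((ALNUM + "-", None), (ALNUM, None), (LETTERS, 10)):
        r = make_security_answer(*rules)
        print(f'{r["form"]:9s} {r["bits"]:6.1f} bits  {r["answer"]}')
```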


  • @locallunatic said:

    @mott555 said:
    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.
    What I do for those kinds of questions is translate them into a similar question that I can answer, like younger instead of older sibling or father rather than grandfather (but only on sites where I figure I'll be doing recovery). Plus while someone could get the answer to the question as posed with a little digging, they would need to know your translations off of the stupid questions to grab the right answer.


    Honestly, the best security question would be something like "If you had all the money in the world, what is the first thing you would buy?" A personal question that's hard to guess but pretty easy to remember.



  • @locallunatic said:

    @mott555 said:
    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    What I do for those kinds of questions is translate them into a similar question that I can answer, like younger instead of older sibling or father rather than grandfather (but only on sites where I figure I'll be doing recovery). Plus while someone could get the answer to the question as posed with a little digging, they would need to know your translations off of the stupid questions to grab the right answer.

    I read the question as "Please give a random string of gibberish, which we'll call 'Older brother's middle name' to confuse anyone else who might try to break into your account. Paste it here, and also store it in your password vault:". I've never had a problem remembering one yet, as long as it does get put into that password vault.



  • @Lorne Kates said:

    @mott555 said:

    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    1) Generate a GUID*

    2) Store it somewhere "safe" and easily accessible, like in your gmail or something.

    3) Anytime you need to set a Security Question, copy and paste that GUID

    4) Done.

    * some sites limit the length or character content of Security Answers. Generate a random password 12 characters long that is just a mix of upper and lower case characters. That is your fallback.

    I've done something similar, except for sites where I couldn't put the GUID in, I'd put the SHA-1 of the GUID.



  • @drurowin said:

    @Lorne Kates said:

    @mott555 said:

    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    1) Generate a GUID*

    2) Store it somewhere "safe" and easily accessible, like in your gmail or something.

    3) Anytime you need to set a Security Question, copy and paste that GUID

    4) Done.

    * some sites limit the length or character content of Security Answers. Generate a random password 12 characters long that is just a mix of upper and lower case characters. That is your fallback.

    I've done something similar, except for sites where I couldn't put the GUID in, I'd put the SHA-1 of the GUID.

    GUID is 16 bytes. SHA-1 is 20 bytes. What?



  • @Ben L. said:

    @drurowin said:
    @Lorne Kates said:

    @mott555 said:

    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    1) Generate a GUID*

    2) Store it somewhere "safe" and easily accessible, like in your gmail or something.

    3) Anytime you need to set a Security Question, copy and paste that GUID

    4) Done.

    * some sites limit the length or character content of Security Answers. Generate a random password 12 characters long that is just a mix of upper and lower case characters. That is your fallback.

    I've done something similar, except for sites where I couldn't put the GUID in, I'd put the SHA-1 of the GUID.

    GUID is 16 bytes. SHA-1 is 20 bytes. What?
    It didn't like brackets and dashes.



  • @Snooder said:

    Honestly, the best security question would be something like "If you had all the money in the world, what is the first thing you would buy?" A personal question that's hard to guess but pretty easy to remember.
    Sorry, I think that's a terrible question. That is exactly the kind of question I guarantee I will not remember when I need to. My answer to that kind of question may vary widely, depending on my mood at any given moment. The probability of my remembering how I answered that a year ago is just about zero; might as well try a brute-force dictionary attack.

    Almost as bad is "favorite hobby," which also has a large range of possible answers; the main difference is the time scale on which the answers change. That one locked me out of online banking for a while.


  • Considered Harmful

    @Snooder said:

    @locallunatic said:

    @mott555 said:
    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    What I do for those kinds of questions is translate them into a similar question that I can answer, like younger instead of older sibling or father rather than grandfather (but only on sites where I figure I'll be doing recovery). Plus while someone could get the answer to the question as posed with a little digging, they would need to know your translations off of the stupid questions to grab the right answer.


    Honestly, the best security question would be something like "If you had all the money in the world, what is the first thing you would buy?" A personal question that's hard to guess but pretty easy to remember.


    A red convertible? What the fuck was I thinking?



  • @Lorne Kates said:

    @mott555 said:

    I also hate those sites that have very few options for "security" questions. I've honestly had batches where I couldn't truthfully choose any of the questions. I don't have an older sibling, never been on a honeymoon, don't know my grandfather's middle name, etc. So I end up typing in random gibberish and hoping I never have to use it.

    1) Generate a GUID*

    2) Store it somewhere "safe" and easily accessible, like in your gmail or something.

    3) Anytime you need to set a Security Question, copy and paste that GUID

    4) Done.

    * some sites limit the length or character content of Security Answers. Generate a random password 12 characters long that is just a mix of upper and lower case characters. That is your fallback.

    The number of creative ways that people have invented to avoid using password management software, which is easier to use and more secure than any of them, never ceases to astound me. I mean, I understand that Not Invented Here is a thing, but every time I encounter a scheme like this I can't help hearing Baldrick say "I have a cunning plan..."

    Seriously, people, stop fartarsing about. Just use KeePass. It will take anybody who reads this forum five minutes to work out how to use it, tops. Keep your passwords database file, along with the portable version of the Windows executable, in your Dropbox folder so you get synchronized backups on every networked device you use. Keep an offline backup on a micro SD card in a tiny card reader attached to your car keys. Keep randomly generated answers to security questions right in your passwords database alongside your randomly generated passwords. That's all you need to do. GUID schmuid!



  • @joe.edwards said:

    Filed under: I avoid security questions that are subject to my shifting personal preferences.
    Exactly the point I made just above your post, but you made it more succinctly. Thank you.



  • Just happened to me again. I'm actually getting KeePass set up thanks to this thread, and I'm logging into rarely-used email accounts (mostly set up just to preserve my email address at all the common free webmail domains). I logged in correctly but it said I needed to verify my account due to lack of use. The security question? "What is your youngest child's nickname?" I have no kids (yet) and have no idea what I could have entered.



  • My guess: "Nick".


  • Considered Harmful

    @mott555 said:

    Just happened to me again. I'm actually getting KeePass set up thanks to this thread, and I'm logging into rarely-used email accounts (mostly set up just to preserve my email address at all the common free webmail domains). I logged in correctly but it said I needed to verify my account due to lack of use. The security question? "What is your youngest child's nickname?" I have no kids (yet) and have no idea what I could have entered.

    I like that they ask for your youngest child and not the eldest. (Your youngest is always the most recent child you've had, the eldest will always be your eldest.)



  • @flabdablet said:

    Keep randomly generated answers to security questions right in your passwords database alongside your randomly generated passwords. That's all you need to do. GUID schmuid!

    Anyone remember my rant against passwords? Anyone? Seriously, this "every site needs a password" is getting out of hand. Just remember what ISP I signed up from, and what email address I gave you when I did. That's all you need. If I connect from a different network, email me a thing with a one-time code, then all I need to keep up with is the password to my email account.

    The real fix would be Internet-wide government-hosted SSO using real identities. You plug your identity card into a smartcard reader, and you're authenticated to every site you use, with guaranteed real identity information.



  • Is this you?

    As for SSO, government hosted or otherwise: Do! Not! Want! Privacy is not dead. Get over it.


  • Considered Harmful

    @drurowin said:

    @flabdablet said:
    Keep randomly generated answers to security questions right in your passwords database alongside your randomly generated passwords. That's all you need to do. GUID schmuid!

    Anyone remember my rant against passwords? Anyone? Seriously, this "every site needs a password" is getting out of hand. Just remember what ISP I signed up from, and what email address I gave you when I did. That's all you need. If I connect from a different network, email me a thing with a one-time code, then all I need to keep up with is the password to my email account.

    The real fix would be Internet-wide government-hosted SSO using real identities. You plug your identity card into a smartcard reader, and you're authenticated to every site you use, with guaranteed real identity information.


    Getting better at this trolling thing, I see.



  • More fun stuff. I got the majority of my passwords entered into KeePass, and I set the master password to something memorable. I shut down KeePass and relaunched it to make sure it works, and guess what, my master password doesn't work! I'm 100% sure I remember it.

    EDIT: Figured it out, and yes I am TRWTF. I remembered one digit incorrectly.


  • Discourse touched me in a no-no place

    @drurowin said:

    what ISP I signed up from
    Anyone got an IP address to ISP mapping DB? My usual tools for that sort of thing are frustratingly incomplete…



    I don't trust the security of keepass, so I have a smallish (10 character) password for the password database, and then store the database inside a TrueCrypt container that's hidden inside an image file with a 26-character password on it. This image is then RAR'd with a lengthy password before being placed in my Dropbox folder to be backed up.

    The only problem is that if I forget any of those 3 passwords, I'm screwed.



  • @Mole said:

    I don't trust the security of keepass

    Why not? It's been around for over a decade, the source code is auditable, the crypto is solid, and I've never heard of it being cracked except via master password guessing.

    I can think of nothing that makes KeePass less trustworthy than TrueCrypt, and keeping the bare KeePass database file in a Dropbox folder is much, much more convenient than having to mount a TrueCrypt volume from in there. Also, because the TrueCrypt volume is exposed to the client OS as a block device, file corruption can happen quite easily on the online version if the network connection to the client is interrupted. That corruption will then happily propagate to all your other local Dropbox folders as they sync.



  • @dkf said:

    @drurowin said:
    what ISP I signed up from
    Anyone got an IP address to ISP mapping DB? My usual tools for that sort of thing are frustratingly incomplete…
    ARIN has most of the US netblock assignments. Check your regional NIC for other areas.



  • @drurowin said:

    What?!? Bread-loaf-snout is gone! However, your new avatar is even sillier, and should be a good target for ridicule for a while.



  • @HardwareGeek said:

    @drurowin said:
    What?!? Bread-loaf-snout is gone! However, your new avatar is even sillier, and should be a good target for ridicule for a while.
    I figured it'd be good for a laugh. Note those are flies circling it.



  • @drurowin said:

    @HardwareGeek said:
    @drurowin said:
    What?!? Bread-loaf-snout is gone! However, your new avatar is even sillier, and should be a good target for ridicule for a while.
    I figured it'd be good for a laugh. Note those are flies circling it.
    Oh. Given the recent discussions on fur suits, I really, really do not want to know what is attracting the flies.



  • @HardwareGeek said:

    @drurowin said:
    What?!? Bread-loaf-snout is gone! However, your new avatar is even sillier, and should be a good target for ridicule for a while.
    Sometimes avatar ridicule is all that keeps me going around here.



  • @Mole said:

    I don't trust the security of keepass, so I have a smallish (10 character) password for the password database, and then store the database inside a TrueCrypt container that's hidden inside an image file with a 26-character password on it. This image is then RAR'd with a lengthy password before being placed in my Dropbox folder to be backed up.

    The only problem is that if I forget any of those 3 passwords, I'm screwed.

    Jesus Christ, dude, what the hell are you protecting?



  • @flabdablet said:

    It's been around for over a decade, the source code is auditable, the crypto is solid, and I've never heard of it being cracked except via master password guessing.

    I agree, OpenSSL is unimpeachable.

    Oh, we were talking about KeePass?



  • @flabdablet said:

    Yeah, local logon passwords are a bit of a nuisance. Fortunately they usually only need to be strong enough to resist manual attacks from family and co-workers, and usually the people with physical access to your work computer and those with access to your home computer are disjoint groups, so it usually does no harm to keep your home password in line with your work one. So that's back to two, one of which doesn't really need to be excellent.

    None of which changes the fact that people should ever only need to know the password that gets them into their password manager. One of these days I'll get around to writing an OS logon plugin for KeePass that allows that to happen cleanly. Until then, if you care, you can use an unsecured user account to launch KeePass and have it restart Windows Explorer using runas, which is near enough to a proper logon for most purposes.

    I only have one computer. The entire root volume is encrypted and you can't boot it without the password. I don't bother with a root password because nobody is getting in anyway. The screen lock--which happens automatically if I walk away from the computer, or can be triggered manually--dumps the disk cache, "forgets" the encryption key and locks the GUI. The only way to unlock is to type the disk encryption password. Ten failed logins causes the OS to shut down, to prevent further tampering. Once it's shut down, no one outside the NSA is getting in.

    I keep all of my passwords in a MySQL database (accessed using a tool I wrote) which sits on the encrypted volume. I also have some files (still on the encrypted volume) which contain encrypted filesystems that can be mounted as loop devices. I use those for storing things I want to keep even more secure, but rarely need access to.



  • @drurowin said:

    The real fix would be Internet-wide government-hosted SSO using real identities.

    cough cough



    Of course, it's not government-hosted, but lots of governments have backdoors, so there's that. It also keeps track of the physical locations you visit, which is a nice feature most SSO offerings lack.



  • @morbiuswilters said:

    I only have one computer. The entire root volume is encrypted and you can't boot it without the password. I don't bother with a root password because nobody is getting in anyway. The screen lock--which happens automatically if I walk away from the computer, or can be triggered manually--dumps the disk cache, "forgets" the encryption key and locks the GUI. The only way to unlock is to type the disk encryption password. Ten failed logins causes the OS to shut down, to prevent further tampering. Once it's shut down, no one outside the NSA is getting in.

    I keep all of my passwords in a MySQL database (accessed using a tool I wrote) which sits on the encrypted volume. I also have some files (still on the encrypted volume) which contain encrypted filesystems that can be mounted as loop devices. I use those for storing things I want to keep even more secure, but rarely need access to.

    Dude, the NSA saw you download it, no point in encrypting all of it. Besides, they're PROBABLY adults inside the soiled Sonic costumes.



  • @drurowin said:

    @morbiuswilters said:
    I only have one computer. The entire root volume is encrypted and you can't boot it without the password. I don't bother with a root password because nobody is getting in anyway. The screen lock--which happens automatically if I walk away from the computer, or can be triggered manually--dumps the disk cache, "forgets" the encryption key and locks the GUI. The only way to unlock is to type the disk encryption password. Ten failed logins causes the OS to shut down, to prevent further tampering. Once it's shut down, no one outside the NSA is getting in.

    I keep all of my passwords in a MySQL database (accessed using a tool I wrote) which sits on the encrypted volume. I also have some files (still on the encrypted volume) which contain encrypted filesystems that can be mounted as loop devices. I use those for storing things I want to keep even more secure, but rarely need access to.

    Dude, the NSA saw you download it, no point in encrypting all of it. Besides, they're PROBABLY adults inside the soiled Sonic costumes.

    Two words: plausible deniability.



  • @morbiuswilters said:

    @drurowin said:
    The real fix would be Internet-wide government-hosted SSO using real identities.

    cough cough



    Of course, it's not government-hosted, but lots of governments have backdoors, so there's that. It also keeps track of the physical locations you visit, which is a nice feature most SSO offerings lack.

    Now if it was MANDATED that sites use Facebook Connect for logins, I'd be all for it.



  • @drurowin said:

    @morbiuswilters said:
    @drurowin said:
    The real fix would be Internet-wide government-hosted SSO using real identities.

    cough cough



    Of course, it's not government-hosted, but lots of governments have backdoors, so there's that. It also keeps track of the physical locations you visit, which is a nice feature most SSO offerings lack.

    Now if it was MANDATED that sites use Facebook Connect for logins, I'd be all for it.

    Jesus, don't give Dianne Feinstein any ideas.



  • @drurowin said:

    Now if it was MANDATED that sites use Facebook Connect for logins, I'd be all for it.
    Some websites require a Facebook account to verify registration. Even if you don't log in via Facebook.



  • @alegr said:

    @drurowin said:
    Now if it was MANDATED that sites use Facebook Connect for logins, I'd be all for it.
    Some websites require a Facebook account to verify registration. Even if you don't log in via Facebook.
    Can I get a shortlist so I know who's doing it right?!



  • @morbiuswilters said:

    @Mole said:
    I don't trust the security of keepass, so I have a smallish (10 character) password for the password database, and then store the database inside a TrueCrypt container that's hidden inside an image file with a 26-character password on it. This image is then RAR'd with a lengthy password before being placed in my Dropbox folder to be backed up.

    The only problem is that if I forget any of those 3 passwords, I'm screwed.

    Jesus Christ, dude, what the hell are you protecting?

    That reminds me - I want to protect a file containing the password to another encrypted file containing a 1×1px transparent png in about 100 more layers of encryption, just so I can "leak" it somewhere and watch "hackers" on the internet go crazy trying to brute force it open (by the way, the encryption keys will all be generated with various PRNGs using the same seed, something like 0xDEADBEEF or 0xAAAAAAAB) only to find that they wasted their parents' electricity on the most expensive way to generate a useless file.



  • @morbiuswilters said:

    @flabdablet said:
    It's been around for over a decade, the source code is auditable, the crypto is solid, and I've never heard of it being cracked except via master password guessing.

    I agree, OpenSSL is unimpeachable.

    Oh, we were talking about KeePass?

    CVE listings for OpenSSL: 154

    For KeePass: two. Which is actually a single issue discovered in both editions (1.x and 2.x), relies on the user being tricked into double-clicking a password database file in the same folder as a hypothetical trojan DLL, and was fixed in 2010.

    It is completely unreasonable to imply that no piece of open source security software is trustworthy merely because OpenSSL is a steaming pile.



  • @flabdablet said:

    @morbiuswilters said:
    @flabdablet said:
    It's been around for over a decade, the source code is auditable, the crypto is solid, and I've never heard of it being cracked except via master password guessing.

    I agree, OpenSSL is unimpeachable.

    Oh, we were talking about KeePass?

    CVE listings for OpenSSL: 154

    For KeePass: two. Which is actually a single issue discovered in both editions (1.x and 2.x), relies on the user being tricked into double-clicking a password database file in the same folder as a hypothetical trojan DLL, and was fixed in 2010.

    It is completely unreasonable to imply that no piece of open source security software is trustworthy merely because OpenSSL is a steaming pile.

    To be fair, OpenSSL has probably had far more eyes on it than KeePass. But, anyway, I was mostly being facetious.



  • There's one thing that TrueCrypt does that I don't believe KeePass does (but correct me if I'm wrong) - hidden volumes. I can enter one password and get a list of passwords or enter a different password and get a completely different list of passwords. As of yet, I don't know anyone who has managed to prove that there is more than a single password to a TrueCrypt volume.

