|
OSI bean dip posted:Free: How about Syncthing instead of Dropbox/OneDrive/Google Drive? I can't remember any vulnerability and their protocol seems pretty good from reading their documentation.
|
#
?
Mar 21, 2017 19:42
|
|
|
|
| # ? May 18, 2024 16:20 |
|
|
Furism posted:How about Syncthing instead of Dropbox/OneDrive/Google Drive? I can't remember any vulnerability and their protocol seems pretty good from reading their documentation. I presume you meant this? https://github.com/syncthing/syncthing I don't have an opinion. I only suggest Dropbox because it's the least complicated for what I am suggesting. If there is something else that fits the bill then go for it.
|
|
#
?
Mar 21, 2017 19:44
|
|
|
Yes this is the project. I like it because it's open source, cross-plat, you own the private keys and if you have an always-on server it effectively works like Dropbox (as far as synchronization is concerned).
|
|
#
?
Mar 21, 2017 19:50
|
|
|
Powered Descent posted:Encryption works really well with Dropbox or other cloud storage, for exactly that reason. ecryptfs and encfs are pretty much made for this: set the Dropbox folder as the encrypted root, and mount the plaintext view wherever convenient. Then just work with your files normally via that plaintext view, and the encrypted backend gets updated transparently. Dropbox never sees anything that isn't scrambled to hell and back.
|
|
#
?
Mar 21, 2017 20:54
|
|
|
OSI bean dip posted:It doesn't really matter in the end what your cloud storage option is provided you're securing the password database with a decent keyphrase and are using key files not stored in the cloud. Real question, because I find this one tricky: how does one best secure key files? Master password is clear, but keyfiles seem to always bring their very own headache, since you ideally want to back them up etc. Any recommendation(s)?
|
|
#
?
Mar 21, 2017 21:00
|
|
|
Hollow Talk posted:Real question, because I find this one tricky: how does one best secure key files? Master password is clear, but keyfiles seem to always bring their very own headache, since you ideally want to back them up etc. Any recommendation(s)?
|
|
#
?
Mar 21, 2017 21:07
|
|
|
Furism posted:How about Syncthing instead of Dropbox/OneDrive/Google Drive? I can't remember any vulnerability and their protocol seems pretty good from reading their documentation. Syncthing is good and I use it for this purpose myself
|
|
#
?
Mar 21, 2017 21:17
|
|
|
https://mobile.twitter.com/taviso/status/844312124541186048 Posted about 15 minutes ago. 
|
|
#
?
Mar 21, 2017 23:32
|
|
|
Have LogMeIn done nothing in terms of auditing code since the acquisition? It doesn't seem to be taking Tavis a ton of effort to highlight the clownlike qualities on display.
|
|
#
?
Mar 21, 2017 23:39
|
|
|
Also, restrict r/w on the keyfile to only Administrator and run KeePass elevated by setting the exe to run as administrator. Obviously, disable KeePass plugins and ensure UAC setting is maxed out. This prevents the keyfile from being grabbed by malware, and prevents the small possibility of process injection.
|
|
#
?
Mar 22, 2017 00:18
|
|
|
1password makes it hilariously difficult to import from lastpass. https://support.1password.com/import-lastpass/
|
|
#
?
Mar 22, 2017 01:29
|
|
|
PBS posted:1password makes it hilariously difficult to import from lastpass. Welcome to the hell that is getting your data from a cloud-based service.
|
|
#
?
Mar 22, 2017 01:48
|
|
|
PBS posted:1password makes it hilariously difficult to import from lastpass. quote:Mac  The PC instructions do look a tad more complex.
|
|
#
?
Mar 22, 2017 01:51
|
|
|
OSI bean dip posted:Welcome to the hell that is getting your data from a cloud-based service. LastPass wins on the import for sure.  Looking though the import to 1password now as well, total poo poo tier import. Might as well have done it by hand, going to have to anyway. 1/12 Stars PBS fucked around with this message at 01:59 on Mar 22, 2017 |
|
#
?
Mar 22, 2017 01:53
|
|
|
PBS posted:LastPass wins on the import for sure. This is basically a Chinese finger trap.
|
|
#
?
Mar 22, 2017 01:58
|
|
|
PBS posted:LastPass wins on the import for sure. LastPass -> Tools -> Import From -> LastPass yes I know
|
|
#
?
Mar 22, 2017 02:08
|
|
|
Cup Runneth Over posted:LastPass -> Tools -> Import From -> LastPass Trashed 1password, it butchered the import completely. Tested out the form fill and it doesn't even work on some popular sites I tried. (With new, non-butchered items) New subscription based model they're using is 3$ a month, 3x the cost of lastpass premium which isn't even necessary anymore. Yeah, security is important so lastpass needs to go, but I don't see 1password as a viable replacement for it.
|
|
#
?
Mar 22, 2017 02:20
|
|
|
PBS posted:Trashed 1password, it butchered the import completely. Tested out the form fill and it doesn't even work on some popular sites I tried. (With new, non-butchered items) Use LastPass Pocket if you need to export it. https://lastpass.com/misc_download2.php https://lastpass.com/support.php?cmd=showfaq&id=1206
|
|
#
?
Mar 22, 2017 02:30
|
|
|
OSI bean dip posted:Use LastPass Pocket if you need to export it. Export from the browser plugin is fine, it's even what 1password tells you to do. 1password seems to just be incapable of importing correctly.
|
|
#
?
Mar 22, 2017 02:38
|
|
|
PBS posted:Trashed 1password, it butchered the import completely. Tested out the form fill and it doesn't even work on some popular sites I tried. (With new, non-butchered items) Pretty much this. It was garbage usability-wise last year when I tried it out. I'd be ecstatic if there was a competent password manager that wasn't itself insecure which was also as reasonable to use as lastpass is.
|
|
#
?
Mar 22, 2017 03:22
|
|
|
Where's that dumpster fire image? http://www.securityfocus.com/archive/1/540310 quote:2017-03-21 reply from vendor:
|
|
#
?
Mar 22, 2017 05:05
|
|
|
Sheep posted:Where's that dumpster fire image? This industry rules
|
|
#
?
Mar 22, 2017 06:28
|
|
|
PBS posted:1password makes it hilariously difficult to import from lastpass.
|
|
#
?
Mar 22, 2017 08:01
|
|
|
Is there anyway to get a 2FA/FIDO plugin for Keypass? I couldn't find anything on their plugins page. I think I'm going to stick to Keepass (w/ SyncThing) but I'd like to have 2FA just in case.
|
|
#
?
Mar 22, 2017 09:20
|
|
|
Furism posted:Is there anyway to get a 2FA/FIDO plugin for Keypass? I couldn't find anything on their plugins page. I think I'm going to stick to Keepass (w/ SyncThing) but I'd like to have 2FA just in case. What is 2FA protecting you from?
|
|
#
?
Mar 22, 2017 09:22
|
|
|
Jabor posted:What is 2FA protecting you from? It's something "I have" and is an extra layer of security from something "I know." My password doesn't have such a huge entropy (120 bits or so) because I need to type it regularly so it needs to be somewhat memorable. If I'm losing a device with the keepass database on it, and somehow it's found unlocked (I could get mugged, the laptop could be stolen while I'm working on it, who knows ; I do travel a lot for work so the chances of this happening are higher than the average), I don't want anyone to be able to brute force it. I feel that 2FA helps with this.
|
|
#
?
Mar 22, 2017 09:52
|
|
|
How would a 2FA device protect you better than a keyfile if an adversary has your password database?
|
|
#
?
Mar 22, 2017 10:27
|
|
|
Furism posted:Is there anyway to get a 2FA/FIDO plugin for Keypass? I couldn't find anything on their plugins page. I think I'm going to stick to Keepass (w/ SyncThing) but I'd like to have 2FA just in case. KeePass for Windows supports the YubiKey in, I think, HOTP mode. It reencrypts the DB using the next code that you then enter the next time you open it. edit: http://keepass.info/plugins.html#otpkeyprov
|
|
#
?
Mar 22, 2017 12:15
|
|
|
Is there a recommended source of files to use for keyfiles? Like in case you misplace your only copy of butt.jpg and you have trouble getting a byte-for-byte identical copy again. Is there a good generator system, or reliable source of files that (probably) won't ever change?
|
|
#
?
Mar 22, 2017 12:59
|
|
|
baka kaba posted:Is there a recommended source of files to use for keyfiles? Like in case you misplace your only copy of butt.jpg and you have trouble getting a byte-for-byte identical copy again. Is there a good generator system, or reliable source of files that (probably) won't ever change?
|
|
#
?
Mar 22, 2017 13:14
|
|
|
I've never used a keyfile for anything, but aren't they literally files? And the point is to have a bunch of unpredictable data in it?
|
|
#
?
Mar 22, 2017 13:20
|
|
|
Furism posted:It's something "I have" and is an extra layer of security from something "I know." My password doesn't have such a huge entropy (120 bits or so) because I need to type it regularly so it needs to be somewhat memorable. If I'm losing a device with the keepass database on it, and somehow it's found unlocked (I could get mugged, the laptop could be stolen while I'm working on it, who knows ; I do travel a lot for work so the chances of this happening are higher than the average), I don't want anyone to be able to brute force it. I feel that 2FA helps with this. If someone mugged you and stole your laptop, why wouldn't they take whatever hardware your 2nd factor is too? Will you be carrying it clenched tight between your paranoid cheeks? Who exactly is your adversary that's going to brute force your db password instead of immediately wiping and or flipping the laptop? In particular, who is doing so faster than you getting a backup copy and changing all of your passwords?
|
|
#
?
Mar 22, 2017 13:25
|
|
|
baka kaba posted:I've never used a keyfile for anything, but aren't they literally files? And the point is to have a bunch of unpredictable data in it?
|
|
#
?
Mar 22, 2017 13:40
|
|
|
Wiggly Wayne DDS posted:you generate a keyfile using a csprng, not via grabbing random files to feed it and keeping copies of those files to regenerate the keyfile later. the security is that a byte-for-byte copy should be nigh impossible to generate, and you're to keep backup copies of the generated keyfile in the event of disaster lol if you don't use calm.jpg as your universal keyfile base. This still refers back to my question earlier, to which somebody wittily replied "Paper?", but I loathe sharing keyfiles. This is one of these problems I always have with a "use keyfiles" approach; I hate having my private GPG private key on my phone, for example, but I need it there if I want to use GPG. Similarly, if I change expiration date etc. I have to resync, and it kind of just sits there on the phone. It also means you need different ways to sync your password container on one hand and your key files on the other, because if you just throw them into the same folder and share that via some cloud thingie, you might as well not bother with a keyfile to begin with. Hollow Talk fucked around with this message at 19:38 on Mar 22, 2017 |
|
#
?
Mar 22, 2017 13:46
|
|
|
Well the reason I'm asking is I was looking at KeePass, and their keyfile bit saysquote:A key file can be any file you choose; although you should choose one with lots of random data. And obviously having it generate a random file is more secure, so it seems like the only reason to allow people to use a normal file is because it's more convenient somehow - harder to 'lose', like a super-long master password you're not going to accidentally forget. I thought that was probably the idea anyway, just wondered if there was an accepted best practice for using these user-supplied files
|
|
#
?
Mar 22, 2017 13:52
|
|
|
I'm not sure that I would classify a Word doc as having lots of random data, hmm.
|
|
#
?
Mar 22, 2017 13:54
|
|
|
Subjunctive posted:I'm not sure that I would classify a Word doc as having lots of random data, hmm.
|
|
#
?
Mar 22, 2017 14:20
|
|
|
I disagree with keyfiles being a sensible trade-off for the general use case. Any access protections you apply to the keyfile could and should have been applied to the kdbx file instead with the same net result. A reasonable number of pbkdf2 rounds with a decent password (100+ bits) gives equivalent brute force protection as 128 bits is a practical upper bound on your entropy anyway given the use of AES128 all over the place. Integration with hardware ala yubikey is a completely different and valuable beast but the ecosystem is still too fragmented to handle consumer use cases.
|
|
#
?
Mar 22, 2017 15:19
|
|
|
I just switched from Lastpass to 1password and It Just Worked. Exported the CSV from lastpass, imported to 1password, done and dusted.
|
|
#
?
Mar 22, 2017 15:28
|
|
|
|
| # ? May 18, 2024 16:20 |
|
|
keseph posted:Any access protections you apply to the keyfile could and should have been applied to the kdbx file instead with the same net result. The general motivation is that the database needs to be continuously synced with other machines, while sharing the keyfile is a one-time thing. So there is a meaningful difference if you're concerned about, say, your password database being leaked by your cloud storage provider.
|
|
#
?
Mar 22, 2017 15:58
|
|