doctorfrog posted:Is Diceware still a decent way to get a good master password? It's the best, if the dice are not loaded. Pick an 80+ bit entropy and you're done for life (or until you accidentally leak it).
Sep 17, 2019 18:41
Mr.Radar posted:Firefox is moving to a 4-week release cycle (from the current 6-8 week cycle) starting with Firefox 71. Firefox: now breaking your poo poo, monthly.
Sep 17, 2019 18:47
iospace posted:Which plugin of the 9001 of them do you use? https://addons.mozilla.org/en-US/firefox/addon/keefox/ It also has a Chrome addon: https://chrome.google.com/webstore/detail/kee-password-manager/mmhlniccooihdimnnjhamobppdhaolme You need to follow these instructions to install it as it requires you to install an addon to KeePass to facilitate secure communication with the browser: https://forum.kee.pm/t/installing-kee-with-keepassrpc-for-keepass-password-safe-instructions/23 After that, make sure you have the URL field filled out for your websites inside KeePass. Nalin fucked around with this message at 19:04 on Sep 17, 2019
Sep 17, 2019 19:01
Megillah Gorilla posted:Firefox: now breaking your poo poo, monthly. Thank gently caress I got the hardware to do a proper build server, because building firefox + rust + spidermonkey takes loving ages even on 16 threads and 96GB memory - even with (hw.ncpu*2)-1 threads plus build objects and everything else in memory (thanks to poudriere and tmpfs on FreeBSD which can easily handle double the number of threads for multithreaded building). BlankSystemDaemon fucked around with this message at 19:59 on Sep 17, 2019
Sep 17, 2019 19:55
Nalin posted:https://addons.mozilla.org/en-US/firefox/addon/keefox/ didn't someone say mozilla will be introducing a password manager in the next update? might be worth waiting until then?
Sep 17, 2019 21:54
I really wish XKCD guy would delete that loving comic off his website, especially now that he had his forums pwned and the password hashes of all his users stolen, some or all of which were using MD5. It's wrong in two ways: hash cracking *is* what average people should be worried about (and this was true even when the comic was made years ago). And it gives the impression that this type of password is what you should be using for all your accounts and websites (not a password manager). Which implies password re-use.

To be clear, 4 uncommon words like that is a fine thing as a master password of a password manager. Or a somewhat longer grammatical phrase using small words. Or an abbreviation based on something longer that you will always remember that's 12+ letters, like zpgjgwwagatsfm or igot99pbabao (though maybe pick slightly more obscure songs). Or some other scheme of your own creation. It's fine if people do different things, as long as the result is a complex enough password. In some ways it's better if we don't all do the same thing. It makes building the dictionaries harder.

FRINGE posted:For the people doing their own passwords: Total character length matters more than "how human-unreadable it is". Writing a small unique sentence is pretty acceptable. A short "m%tqo.,32" is still a bad password.

However, here is the downside to long passwords & the reason why password managers still generate 16-20 characters of gibberish rather than a long phrase: inputs have to be truncated somewhere. Websites have been known to chop input rather severely, such that a long passphrase becomes a medium one. But the password manager itself isn't gonna do that, you could use a whole paragraph of text for the master password.

(10 characters of alphanum+special is actually not terrible, at ~66 bits of entropy it has more randomness than a 4 word phrase. But very short random strings can get punished by random dictionary matches. For example, "m%tqo.,32" is ok but "mtqo%.,32" is very bad -- "mtgo" is gonna be in dictionary match. That makes your password into 1 word + 5 symbols which is an easy crack.)

abelwingnut posted:didn't someone say mozilla will be introducing a password manager in the next update? might be worth waiting until then?

(2 major qualms: it's new so it's probably gonna be buggy which is a security concern. And mozilla might be looking to monetize it.)
Sep 17, 2019 23:35
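The entropy figures the posts above trade (80+ bits for a Diceware master password, ~66 bits for 10 random printable characters, a 4-word phrase, and the "1 word + 5 symbols" collapse) can be checked with a few lines of arithmetic. This is an added example, not code from the thread or from any password manager; it assumes the standard 7776-word Diceware list, a 94-character printable ASCII alphabet, a one-million-word cracking dictionary, and a hypothetical rig doing 1e11 guesses per second against a fast unsalted hash.

```python
import math
import string

# Added example, not from the thread. Assumed parameters: a Diceware list of
# 7776 words (6^5, the standard list size), a 94-symbol printable ASCII
# alphabet for random strings, and an assumed 1e11 guesses/s against a fast
# unsalted hash such as MD5. The dictionary size used for the "word + tail"
# pattern is also an assumption.
DICEWARE_LIST_SIZE = 7776
PRINTABLE_SIZE = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def random_string_bits(length, alphabet_size=PRINTABLE_SIZE):
    """Entropy of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of `words` independent picks from a word list (Diceware)."""
    return words * math.log2(list_size)


def words_for_bits(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of Diceware words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def word_plus_tail_bits(dictionary_size, tail_length, alphabet_size=PRINTABLE_SIZE):
    """Keyspace an attacker searches for '[dictionary word] + N random chars'."""
    return math.log2(dictionary_size) + tail_length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e11):
    """Time to try every candidate in a keyspace of `bits` bits."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def summarize():
    """Compare the strategies the thread argues about; returns rounded bits."""
    return {
        "10 random printable chars": round(random_string_bits(10)),
        "9 random printable chars": round(random_string_bits(9)),
        "4 diceware words": round(passphrase_bits(4)),
        "7 diceware words": round(passphrase_bits(7)),
        # 'mtgo' + 5 chars: the leading word collapses to one dictionary lookup
        "1M-word dictionary + 5 chars": round(word_plus_tail_bits(10**6, 5)),
    }


if __name__ == "__main__":
    for label, bits in summarize().items():
        print(f"{label:30s} {bits:3d} bits  ~{years_to_exhaust(bits):.4f} years at 1e11/s")
    print("words needed for 80+ bits:", words_for_bits(80))
```

Two things fall out of running it: six Diceware words land just under 80 bits, so the "80+ bits" target in the first post means seven words, and a 9-character random string whose first four characters happen to spell a dictionary word drops from about 59 bits to about 53, which at the assumed guess rate is the difference between months and hours.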
abelwingnut posted:didn't someone say mozilla will be introducing a password manager in the next update? might be worth waiting until then? If you are only looking at using a password manager to store website passwords, I guess that's fine. I, on the other hand, store lots of other passwords in my vault, like video game logins, remote server login credentials, and other application login credentials.
Sep 17, 2019 23:51
Klyith posted:I really wish XKCD guy would delete that loving comic off his website Klyith posted:To be clear, 4 uncommon words like that is a fine thing as a master password of a password manager. Strong agree on the 1 Diceware master password for password manager and distinct conventional, high-entropy, short passwords for each site.
Sep 17, 2019 23:59
Klyith posted:For example, "m%tqo.,32" is ok but "mtqo%.,32" is very bad -- "mtgo" is gonna be in dictionary match. That makes your password into 1 word + 5 symbols which is an easy crack.) This is one of the things I really don't have straight in my brain.
Sep 18, 2019 03:57
The master passphrase should be for the generated keyfile which unlocks the password database, not the passphrase for the database itself. An OTP USB dongle to read passwords out of the database on top of that would be even better. That way, you type your master password to unlock and whenever you need a login for a website you just insert your dongle.
Sep 18, 2019 08:53
i just use full on sentences of like 50 characters with spaces and punctuation included for my master password/FDE key. also, you can set keepass to ask you if that's what you really want to do every time something tries to retrieve a key/password from it, it's good poo poo. also, on topic of firefox, i'm moving to ESR lol
Sep 18, 2019 09:38
Klyith posted:10 characters of alphanum+special is actually not terrible, at ~66 bits of entropy it has more randomness than a 4 word phrase. But very short random strings can get punished by random dictionary matches. For example, "m%tqo.,32" is ok but "mtqo%.,32" is very bad -- "mtgo" is gonna be in dictionary match. That makes your password into 1 word + 5 symbols which is an easy crack. Could you maybe elaborate a bit on this? How does an attacker know which digits are letters, numbers or special characters to be able to figure "the first four digits will probably be in a dictionary, so it'll be 1 word +5 symbols"? And if it's so easy to figure out how long words in the password are, then why would a phrase of x words (totaling, say, 30 characters) be any better than a string of x random characters, outside of humans being able to remember it? Also, how does a dictionary then go from "mtgo" to the "mtqo" in your example? Are the dictionaries augmented with similar-looking character substitutions?
Sep 18, 2019 10:04
Dictionary attacks will absolutely use common substitutions like e->3 i->! etc, since it's a fairly common practice people use to remember passwords and still get around "this password requires numbers/special characters/no repeats/etc"
Sep 18, 2019 10:16
Geemer posted:Are the dictionaries augmented with similar-looking character substitutions? The video on password cracking I posted above elaborates on this.
Sep 18, 2019 10:20
Ola posted:The video on password cracking I posted above elaborates on this. Thanks, I missed those before.
Sep 18, 2019 14:22
How do I get Firefox to open links that lead off-site in a new tab? Like when clicking search results?
Sep 18, 2019 16:50
Middle-click?
Sep 18, 2019 16:52
Sab669 posted:Middle-click? Yeah, but I want it by default, with left-click.
Sep 18, 2019 17:14
What about just doing the old ctrl + left click?
Sep 18, 2019 17:20
FRINGE posted:This is one of the things I really don't have straight in my brain.

Geemer posted:Could you maybe elaborate a bit on this?

Arstechnica did some good articles a while back on password hash cracking, this is the best one. That series is what convinced me to get a password manager.

The short of it is that you think of a pattern, you can set up the cracking program to run through every possible variation of that pattern at billions of guesses per second. The only barrier is time. So if you are a cracker you have a dictionary, which will have both real words and a whole bunch of fragments of things people like to put in passwords like "xyz". And you can take that plus the pattern-generating to crack a whole lot of passwords. If you set it to chew through every combination of [dictionary word] + 5 characters you find "mtgo%.,32", "naruto73):>", and anything else matching that set in 1-2 days with a serious multi-GPU rig.

On the other hand, there are serious diminishing returns to this process on the cracker side. Actual black hats looking for criminal gain don't care about cracking 100% of passwords. They just want to find the guy who used "naturo73):>" for both the anime forum that got hacked and his email, allowing them to steal his playstation account or whatever.

Note that article is from 2013 and there's been 2 major changes since then. On the down side, GPUs are even faster. On the good side, more websites have started to use bcrypt or other hash algorithms that GPUs can't crack quickly. (Note that most password managers use even more strict methods that require yet more computational work -- Keepass for example lets you click a button for "whatever takes 1 full second of CPU time on my computer". Which is why the master password for your vault can often be paradoxically less random than the passwords it contains.)

Geemer posted:Also, how does a dictionary then go from "mtgo" to the "mtqo" in your example? Are the dictionaries augmented with similar-looking character substitutions?

Because the red underline of the spellcheck made me see a q as a g. Also note that I somehow counted 10 characters when the example has only 9. So I'm an idiot, mtqo isn't going to be in a dictionary and I'm doubtful that g->q is a common substitution that would be checked with a pattern set. But hopefully I've now explained what I was on about. 9 characters of alphanum+symbols would ordinarily take a couple months to crack, but being unlucky is a severe reduction.
Sep 18, 2019 17:33
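The rule-based attack Klyith describes (a dictionary, the leet substitutions Geemer asked about, a pattern of trailing characters, run against unsalted MD5) and the reason a vault KDF changes the economics can both be shown in miniature. This is an added example, not code from the thread or from the Ars articles it cites, and not how hashcat or any real cracker is implemented: the word list, substitution table, suffixes and "leaked" hashes are constructed here, and PBKDF2-HMAC-SHA256 from the standard library stands in for a vault KDF in place of bcrypt or KeePass's own key derivation.

```python
import hashlib
import itertools
import time

# Added example, not from the thread or the Ars articles it cites. The
# word list, substitution table, suffixes and target hashes are all
# constructed here; the hashes are unsalted MD5 of made-up passwords.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
WORDLIST = ["naruto", "password", "mtgo", "dragon"]
SUFFIXES = ["1", "123", "!", "2019"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed "leaked" hashes: three follow a word+rule pattern, one is random.
SAMPLE_HASHES = [
    md5_hex("n4ruto123"),
    md5_hex("Password!"),
    md5_hex("mtgo2019"),
    md5_hex("m%tqo.,32"),  # short but not built from a dictionary word
]


def leet_variants(word):
    """Yield the word with every combination of common substitutions applied."""
    choices = [(ch,) + tuple(LEET.get(ch, "")) for ch in word.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist, suffixes):
    """Rule set: leet variants and capitalized form, each alone and with a suffix."""
    for word in wordlist:
        bases = set(leet_variants(word)) | {word.capitalize()}
        for base in sorted(bases):
            yield base
            for suffix in suffixes:
                yield base + suffix


def crack(hashes, wordlist, suffixes):
    """Return {hash: plaintext} for every target hit by the rule set."""
    targets = set(hashes)
    found = {}
    for guess in candidates(wordlist, suffixes):
        digest = md5_hex(guess)
        if digest in targets and digest not in found:
            found[digest] = guess
            if len(found) == len(targets):
                break
    return found


def guesses_per_kdf_check(iterations=100_000, samples=1000):
    """How many MD5 guesses fit in the time of one PBKDF2-HMAC-SHA256 unlock.

    Stand-in for a vault KDF: KeePass's "1 second" button raises the work
    factor the same way, by increasing the iteration/round count.
    """
    secret, salt = b"correct horse battery staple", b"constructed-salt"
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(secret).digest()
    md5_seconds = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    kdf_seconds = time.perf_counter() - start
    return kdf_seconds / md5_seconds


if __name__ == "__main__":
    for digest, plaintext in crack(SAMPLE_HASHES, WORDLIST, SUFFIXES).items():
        print(digest, "->", plaintext)
    print("MD5 guesses per PBKDF2 check:", int(guesses_per_kdf_check()))
```

The three pattern-built passwords fall in a few hundred guesses; the random one is never produced by the rule set, which is the whole argument for generated site passwords. The last line is the vault side of the thread: one unlock of a KDF tuned to tens or hundreds of thousands of iterations costs as much as tens of thousands of MD5 guesses, so the same attacker gets correspondingly fewer tries per second against a master password.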
PirateBob posted:Yeah, but I want it by default, with left-click. This might work: https://addons.mozilla.org/en-US/firefox/addon/open-link-with-new-tab/
Sep 18, 2019 17:57
Thanks a lot. This is all stuff I kinda already know, but having it laid out like this is really making me think hard about my password practices and strongly consider changing my mind about password managers turning my several points of failure into a single one.
Sep 18, 2019 18:03
On the other hand you can crack like 3/4 of all passwords just by trying the 100 most common passwords verbatim
Sep 18, 2019 18:47
Mozilla can get hosed pushing their own built-in password manager after they locked everyone else out of the APIs to tie into the browser password store. That's the reason password managers are so janky now, they're all trying increasingly desperate workarounds as the browsers keep locking down more and more of the extensions API. It's the direct cause of lastpass getting owned repeatedly, for example.
Sep 18, 2019 20:17
I have exactly zero entries in the browser password store. You don't need it at all to use a password manager, which has its own store. The cookies remember your logins and when they expire you can just go get the password from wherever it is that you store it. The manager addon fills in the fields without touching the browser password store, automatically if you so desire, but I prefer click-to-fill. Btw, said store is not secure unless you have a master password set in your browser. There has been malware that steals the files necessary to get at your logins. Without a master password set, your passwords are encrypted with a key stored in plaintext, i.e. like stealing candy from a baby who happens to be sleeping in a different room.
Sep 18, 2019 21:02
if i downloaded a non-firefox password manager and added it, would it be able to import the passwords i already have stored in firefox?
Sep 18, 2019 21:51
abelwingnut posted:if i downloaded a non-firefox password manager and added it, would it be able to import the passwords i already have stored in firefox? I think so yeah. Seems like there's a bit of a song and dance to do it, depending on which one you go for. Google "manager-name import firefox"
Sep 18, 2019 21:57
Harik posted:It's the direct cause of lastpass getting owned repeatedly, for example. The direct cause of the Lastpass extension being owned repeatedly was that their developers seemingly did not keep security in mind when designing and writing it. Not to mention they were bad at regex, which to a certain extent is normally understandable but not for something that 100% needs to be secure.
Sep 18, 2019 21:59
abelwingnut posted:if i downloaded a non-firefox password manager and added it, would it be able to import the passwords i already have stored in firefox? 1Password and Bitwarden have built-in importing from all browsers. Keepass doesn't have it built-in, but there is a plugin for keepass that adds the ability.
Sep 18, 2019 22:19
Harik posted:Mozilla can get hosed pushing their own built-in password manager after they locked everyone else out of the APIs to tie into the browser password store. That's the reason password managers are so janky now, they're all trying increasingly desperate workarounds as the browsers keep locking down more and more of the extensions API. They're even letting developers program add-ons in WebAssembly for maximum fasts per hour. BlankSystemDaemon fucked around with this message at 22:30 on Sep 18, 2019
Sep 18, 2019 22:27
Nalin posted:This might work: Thank you, this seems to do the trick. Also, is there an addon that keeps the tab bar scrolled to the end of the list? So you don't have to keep pressing the right arrow to see the end of your tabs?
Sep 18, 2019 22:45
PirateBob posted:Thank you, this seems to do the trick. Just in case you didn't know, your scroll wheel works on the tab bar as well.
Sep 18, 2019 23:10
Geemer posted:Just in case you didn't know, your scroll wheel works on the tab bar as well. Oh, cool, I didn't know that. I still wish they gave you a choice about which end of the list to prioritize showing though.
Sep 18, 2019 23:41
D. Ebdrup posted:I think you might be mixing up a few things here: XUL got deprecated which took a lot of extensions with it in favour of the WebExtensions API - but there has since been at least one add-on made for KeePassXC for example, and Mozilla are in the process of extending WebExtensions to provide the same functionality as XUL did while still retaining the sandboxing, astral posted:The direct cause of the Lastpass extension being owned repeatedly was that their developers seemingly did not keep security in mind when designing and writing it. See also this 18-year-old bug closed "WONTFIX because gently caress apple". https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/
Sep 19, 2019 20:03
Harik posted:... which is because they had to do dumb API tricks and try to interpret HTML+JS logins instead of having a sane integration path. Neither of those have a thing to do with my criticisms. For example, this was one of my favorite lastpass browser extension vulnerability situations: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/ The tl;dr is that for the bit that detects what website you were on, they were using some badly-written regex instead of modern javascript features to begin with. A user actually took a look at it and noticed the flaw in the regex that allowed an attacker with malicious code on a website to trivially fool the extension into disclosing passwords. They 'fixed it quickly' but didn't really handle it well: https://palant.de/2016/09/16/more-last-pass-security-vulnerabilities/ Rather than changing it to use modern browser features or even properly fixing the regex, they made the bizarre decision to run the URL through their bad regex multiple times. Luckily, after Palant's report they changed it to use the browser-provided URL object, but they still ended up comparing it to their hack-job regex for some reason. astral fucked around with this message at 21:14 on Sep 19, 2019
Sep 19, 2019 21:11
Not Invented Here
Sep 20, 2019 20:29
Does anyone have recommendations for making Firefox profiles portable? I tried the Firefox Portable app and that was garbage, but I figured out a way to do it with the regular installed app. You create a profile directory on the thumb drive (or copy one from the Firefox profiles directory in AppData) called profile2, then make a batch file called profile2.bat with this content:
Sep 24, 2019 19:06
Curious what makes Portable Firefox garbage. I’ve used it on and off for years.
Sep 24, 2019 20:03
Its Coke posted:Does anyone have recommendations for making Firefox profiles portable? I tried the Firefox Portable app and that was garbage, but I figured out a way to do it with the regular installed app. You create a profile directory on the thumb drive (or copy one from the Firefox profiles directory in AppData) called profile2, then make a batch file called profile2.bat with this content

You could replace the C:\Program Files (x86) bit with %ProgramFiles(x86)%, which would help if C: isn't the home drive. You could also go crazy with stuff like

```bat
REM Try the 32-bit install location first, then fall back to the 64-bit one.
REM %~dp0 is the drive and directory this .bat lives in, i.e. the thumb drive.
IF EXIST "%ProgramFiles(x86)%\Mozilla Firefox\firefox.exe" (
    start "" "%ProgramFiles(x86)%\Mozilla Firefox\firefox.exe" -Profile "%~dp0profile2"
) ELSE (
    start "" "%ProgramFiles%\Mozilla Firefox\firefox.exe" -Profile "%~dp0profile2"
)
```

for compatibility with both older and newer installs. But that'll still fail if it's not installed in either Program Files. I haven't exactly tested these, so use at your own risk. But at worst it should just throw some error box or something, I guess.
Sep 24, 2019 20:24
Mr.Radar posted:Firefox is moving to a 4-week release cycle (from the current 6-8 week cycle) starting with Firefox 71. I remember that they already did that long ago and then walked it back when it turned out that the devs were burning out and that security, QA and users were also suffering. If they are lucky, they can learn from their mistakes twice.
Sep 24, 2019 20:29