|
I really wish Myki was still around. It facilitated syncing between your devices via p2p so you got all the benefits of a cloud sync without having to store your pws on someone else's server
|
# ? Jan 8, 2023 05:38 |
|
|
Slimy Hog posted:I really wish Myki was still around.

A: is still around, and B: is loving terrible.
|
# ? Jan 8, 2023 05:52 |
|
I guess I'm the nerd this time, but what parts of keepass do people find hard to use?
|
# ? Jan 8, 2023 07:11 |
|
tuyop posted:You can host your own vault with Bitwarden so you can keep your encrypted vault off the cloud if you need to! You see what I mean!
|
# ? Jan 8, 2023 07:18 |
|
Is it really called Keep rear end
|
# ? Jan 8, 2023 07:41 |
|
no its called keep rear end xc

Tesseraction posted:As someone who swears by Keepass, I do have issues with the Google Drive plugin which decided to completely gently caress up my work database after I'd driven an hour to the site I was to work at.

i have no idea what plugin you are using or why on earth you would need it

i just put the encrypted mypasswords.kdbx file into a google drive folder that syncs to my desktop, laptop and phone then i use the normal app without any special plugins to open that file and it Just Works(tm)

RPATDO_LAMD fucked around with this message at 08:50 on Jan 8, 2023 |
# ? Jan 8, 2023 08:44 |
|
That method works well but there can be issues with missing/conflicting entries if you're generating passwords on a device that is offline which syncs later on. I never considered this being an edge case that could happen but it hit me several times when I was traveling internationally. Multiple devices and periods without internet combined with some unlucky timing. In those cases it needs some form of.. version management or reconciliation, I guess? A .kdbx on a cloud account isn't enough.
Fruits of the sea fucked around with this message at 12:39 on Jan 8, 2023 |
# ? Jan 8, 2023 12:34 |
|
Fruits of the sea posted:That method works well but there can be issues with missing/conflicting entries if you're generating passwords on a device that is offline which syncs later on. I never considered this being an edge case that could happen but it hit me several times when I was traveling internationally. Multiple devices and periods without internet combined with some unlucky timing. In those cases it needs some form of.. version management or reconciliation, I guess? A .kdbx on a cloud account isn't enough.

Even though I wasn't traveling, maybe losing internet is what did the KeePass + Google Drive method in for me too. I had to make sure not to generate or change passwords on my phone because they would often not sync, and then that new password would be lost when the phone did sync. Bitwarden is so much less hassle.
|
# ? Jan 8, 2023 13:04 |
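The lost-entry problem described in the two posts above, as an added example that is not part of the thread and is not KeePass, Bitwarden or Google Drive code. It models a vault as a dictionary with constructed entry names and timestamps, and compares file-level replacement with per-entry reconciliation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    password: str
    modified: int  # last-modified time of this entry (constructed timestamps)

def whole_file_sync(local, local_saved, cloud, cloud_saved):
    """File-level sync: the copy with the newer save time replaces the other."""
    return dict(local) if local_saved > cloud_saved else dict(cloud)

def entry_merge(local, cloud):
    """Entry-level reconciliation: keep the union, newest edit wins per title.
    Returns (merged, overwritten); overwritten lists titles whose two copies
    differed, so the losing version can be kept as history instead of dropped."""
    merged, overwritten = dict(cloud), []
    for title, mine in local.items():
        theirs = cloud.get(title)
        if theirs is None or mine.modified > theirs.modified:
            merged[title] = mine
        if theirs is not None and theirs != mine:
            overwritten.append(title)
    return merged, sorted(overwritten)

def scenario():
    """Constructed timeline: phone offline while the laptop keeps syncing."""
    base = {"email": Entry("old-email-pw", 100), "bank": Entry("bank-pw", 100)}
    # Phone is offline: a new account is created and saved locally at t=200.
    phone = {**base, "airline": Entry("generated-on-phone", 200)}
    # Laptop is online: the email password is rotated and uploaded at t=300.
    cloud = {**base, "email": Entry("new-email-pw", 300)}
    return phone, 200, cloud, 300

if __name__ == "__main__":
    phone, phone_saved, cloud, cloud_saved = scenario()
    replaced = whole_file_sync(phone, phone_saved, cloud, cloud_saved)
    merged, overwritten = entry_merge(phone, cloud)
    print("file-level sync keeps:", sorted(replaced))   # airline is gone
    print("entry-level merge keeps:", sorted(merged))   # airline survives
    print("entries with an older losing copy:", overwritten)
```

The merge shown does not handle deletions; a deleted entry would reappear from the other copy unless deletions are recorded as well.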
|
I just remember my passwords.
|
# ? Jan 8, 2023 13:35 |
|
hooah posted:Even though I wasn't traveling, maybe losing internet is what did the KeePass + Google Drive method in for me too. I had to make sure not to generate or change passwords on my phone because they would often not sync, and then that new password would be lost when the phone did sync. Bitwarden is so much less hassle.

Sounds exactly like my experience. There are plug-ins for Keepass that can handle this as well but I don't have any reason to promote it above another manager unless they have been compromised at some point.

Tiggum posted:I just remember my passwords.

lmao I wish my memory was worth a drat
|
# ? Jan 8, 2023 13:38 |
|
Tiggum posted:I just remember my passwords.

i could probably remember 5 or 10 passwords without reusing any but i actually have at least 10x that many

there's way too much poo poo that wants you to register an account nowadays
|
# ? Jan 8, 2023 13:50 |
|
You create a pattern that you can remember but isn't immediately obvious, then you don't have to worry about hackers finding out your password, and unless you're particularly important they're not going to spend the time to figure out your specific pattern.
|
# ? Jan 8, 2023 13:52 |
Tiggum posted:I just remember my passwords.

Lol I have* over 30 gmail accounts alone with their own unique 5-word passwords or 32-character strings, get out of here with that poo poo.

*access to, most of them are organizational accounts
|
|
# ? Jan 8, 2023 13:53 |
|
An example would be to assign letters of the alphabet into groups with code words, so like ROYBIV assigned to letters. A-F could be red, G-J could be orange, K-O yellow, P-T indigo, U-Z violet

then you just need your cipher memorized, and you know all your passwords but they'd be unique, so using that and the first three letters of a website, like SA would be IndigoIndigoYellow and then some number. Your Gmail would be OrangeYellowRed and then some number etc. etc.
|
# ? Jan 8, 2023 13:59 |
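How much guessing resistance the letter-group scheme in the post above provides once the rule is known, as an added example that is not part of the thread. The site names are constructed, the "some number" suffix is assumed to be two digits, and the random-password comparison assumes a 62-character alphabet.

```python
import math

# Letter groups exactly as listed in the post (five groups).
GROUPS = [("AF", "Red"), ("GJ", "Orange"), ("KO", "Yellow"),
          ("PT", "Indigo"), ("UZ", "Violet")]

def code_word(letter):
    """Map one letter to its group's code word."""
    c = letter.upper()
    for (lo, hi), word in GROUPS:
        if lo <= c <= hi:
            return word
    raise ValueError(f"no group for {letter!r}")

def derive(site, suffix=""):
    """Password from the first three letters of the site name plus a suffix."""
    return "".join(code_word(ch) for ch in site[:3]) + suffix

def collisions(sites):
    """Sites that end up sharing one password under the scheme."""
    seen = {}
    for site in sites:
        seen.setdefault(derive(site), []).append(site)
    return {pw: names for pw, names in seen.items() if len(names) > 1}

def scheme_bits(suffix_choices):
    """Upper bound in bits when the rule is known: 5 words per position,
    3 positions, times the number of possible suffixes."""
    return math.log2(len(GROUPS) ** 3 * suffix_choices)

def random_bits(length, alphabet_size):
    """Bits in a uniformly random password, as a manager would generate."""
    return length * math.log2(alphabet_size)

# Constructed site list for illustration.
SITES = ["gmail", "imdb", "github", "hotmail", "paypal", "reddit"]

if __name__ == "__main__":
    for site in SITES:
        print(f"{site:8} -> {derive(site)}")
    print("shared passwords:", collisions(SITES))
    print(f"scheme, 2-digit suffix: {scheme_bits(100):.1f} bits")
    print(f"random 32 chars:        {random_bits(32, 62):.1f} bits")
```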
|
Boba Pearl posted:An example would be to assign letters of the alphabet into groups with code words, so like ROYBIV assigned to letters. A-F could be red, G-J could be orange, K-O yellow, P-T indigo, U-Z violet

Get a password manager.
|
# ? Jan 8, 2023 14:01 |
|
Boba Pearl posted:You create a pattern that you can remember but isn't immediately obvious, then you don't have to worry about hackers finding out your password, and unless you're particularly important they're not going to spend the time to figure out your specific pattern.

Dr. Stab posted:Get a password manager.
|
# ? Jan 8, 2023 14:14 |
|
but what do you do if you have to change a password every 3 months due to some stupid security policy, or if your password is in one of those big public leaks and you've gotta change it, or if a kind/roommate/crazy stalker/etc finds one of your passwords and figures out the pattern?
|
# ? Jan 8, 2023 14:17 |
|
I do actually have a similar system for the most commonly used passwords (although it doesn't use sequences that can be found in a dictionary for obvious reasons) but I'm unable to consistently remember them because of brain problems. Great for people who can do it but there are all sorts of reasons why folks can't, plus dictionary attacks are pretty advanced these days. Even if most breaches are now thanks to e-mail falsification and sim hacking.
|
# ? Jan 8, 2023 14:20 |
|
If your password is in a public leak, they would have to use your password instead of all the other insanely easy ones, your algorithm should account for the date, and if the only place your password exists is in your mind, how would they find your password?
|
# ? Jan 8, 2023 14:21 |
|
If your password is in a public leak it'll be a bot trying all the passwords, there (probably) isn't anyone individually targeting you. Either way, you have to at a minimum change the password for the account that got leaked. My point is that, you can't have a simple algorithm that only works on the website name, since you need to be able to update it at some point. You can include the date in your cipher yeah but then you've gotta remember the specific date you 'chose' every password, since there are no hints in the website name alone. That's a huge PITA (i'd never be able to do it). Your mind is never the only place your password exists, the companies/websites you're logging in to often have terrible computer security practices and can leak it, and as mentioned kids or roommates can just incidentally peek over your shoulder while you're typing. There's a huge list of breaches here on HaveIBeenPwned. Many are just personal information like email, name, real life address but some of those breaches contain hundreds or thousands or millions of passwords.
|
# ? Jan 8, 2023 14:39 |
|
RPATDO_LAMD posted:but what do you do if you have to change a password every 3 months due to some stupid security policy

RPATDO_LAMD posted:if your password is in one of those big public leaks and you've gotta change it

RPATDO_LAMD posted:if a kind/roommate/crazy stalker/etc finds one of your passwords and figures out the pattern?
|
# ? Jan 8, 2023 14:48 |
|
Changing all the passwords at once is a huge undertaking, especially since the whole point of the mnemonic system in the first place is that it's supposed to let you figure out your passwords on the fly without remembering every website you have a password on. So then you stumble across a website that you vaguely remember registering for to log into once, months ago, and you have to figure out whether you used the v1 or v2 or v3 password pattern. That kinda stuff is why I gave up on the password pattern thing and just started using a PW manager.
|
# ? Jan 8, 2023 15:00 |
|
RPATDO_LAMD posted:So then you stumble across a website that you vaguely remember registering for to log into once, months ago, and you have to figure out whether you used the v1 or v2 or v3 password pattern.
|
# ? Jan 8, 2023 15:18 |
|
That sounds like a lot more work than just remembering a single secure password.
|
# ? Jan 8, 2023 15:33 |
|
I just keep my database on a USB stick and plug it into whatever computer I'm using, because that amounts to a whole two devices, personal computer and work computer 🤷♂️
|
# ? Jan 8, 2023 15:36 |
|
this is no small question, but certainly related—how close are we technologically to moving on from passwords? obviously we have faceid and touch stuff, but those only work locally afaik. and hell, are those even more secure?
|
# ? Jan 8, 2023 15:42 |
|
RPATDO_LAMD posted:no its called keep rear end xc

I used the one on the plugins page https://keepass.info/plugins.html

The specific problem is more that our ceo is super paranoid and sets our work emails to logout all the loving time, and it just so happened one of the logouts was just as I was opening the database, so it tried to reauth my gdrive access and this logout cancelled it, causing an unrecoverable corruption of my local database somehow that when I had logged back in to Google then propagated the corrupted database to the drive.

Personally I blamed the ceo's dumb constantly-forced-relogin policy.
|
# ? Jan 8, 2023 15:45 |
|
abelwingnut posted:this is no small question, but certainly related—how close are we technologically to moving on from passwords? obviously we have faceid and touch stuff, but those only work locally afaik. and hell, are those even more secure?

I'm real tinfoil hatted about that poo poo and I assume Google would sell my fingerprints to every police dept on the planet if I gave it to them
|
# ? Jan 8, 2023 15:46 |
|
abelwingnut posted:this is no small question, but certainly related—how close are we technologically to moving on from passwords? obviously we have faceid and touch stuff, but those only work locally afaik. and hell, are those even more secure?

The best explanation I've heard for touch ID is if your fingerprint gets stolen (and that is possible to do) then the average person will only be able to change their fingerprint 9 more times.
|
# ? Jan 8, 2023 15:46 |
|
Generally the use of a password and nothing else is what will be deprecated, moving on to two- or even three-factor authentication: something you know (a password), something you have (a fingerprint, a retinal scan) and something you own (a phone, a digital key). So it becomes less of an issue if someone steals your password because without your phone to use the rotating key mechanism used by things like Discord, Slack and Patreon, they can't do anything.
|
# ? Jan 8, 2023 15:58 |
|
Dr. Stab posted:That sounds like a lot more work than just remembering a single secure password.

No password is secure if you're relying on the other side to not expose it in a data breach.

abelwingnut posted:this is no small question, but certainly related—how close are we technologically to moving on from passwords? obviously we have faceid and touch stuff, but those only work locally afaik. and hell, are those even more secure?

They aren't really more secure. It's possible to make printed biological analogs to fingerprints out of gelatin that are good enough to fool a print reader, so if someone's able to get your print data and your device, they can log in. I'm pretty sure you could fool FaceID with a photograph. Both of these also have a secondary issue that if you're interacting with American law enforcement, they can compel you to log into your device for them. They can't force you to divulge your password though.

Security is greatly improved if you have to provide multiple proofs of identity, a.k.a. two-factor authentication. This generally boils down to requiring two out of "something you know" (password), "something you have" (token, badge, etc), and "something you are" (biometrics). It's a lot more work to break through two checks than just one.

A lot of two-factor auths out there use your phone as the "thing you have", and send you an SMS key through the phone so that you can combine that with a password. SMS isn't that secure though -- a better option is to use an authenticator program, e.g. Google Authenticator. But those have a setup process to go through, which some users may find confusing. Using email as the "thing you have" is even worse since if your website password got cracked, odds are good your email password did too (because most people use one password for everything).

The general problem with authentication is that security is a pain in the rear end. It always has been, and I expect it always will be. So there's a conflict between people who want as smooth of an experience as possible, and people who want to make sure their privacy is respected. There's enough of the former that most companies aren't willing to make their security systems properly rigorous, because it'd drive users away. So we end up with the half-assed SMS/email-based two-factor auth everywhere.
|
# ? Jan 8, 2023 16:07 |
|
Banking, online transactions, government & educational portals in my country have already moved to digital 2-factor auth. Remember one universal password and use it together with a one-time code you receive via an app contracted by the government. (ok 2 passwords, the app has its own). I'm not sure if there are plans to implement biometrics. I think it might be a tall order for pensioners, but I can see it happening in the future. Or perhaps just a physical dongle. Either way, it would be part of a 2fa solution.

Adoption is near universal since, well... otherwise we wouldn't be able to pay taxes or get a doctor's appointment or a million other things.

The system is relatively new though - some poo poo got messed up or delayed so a lot of portals still rely on the old solution, cards with a bunch of one-time codes that are mailed to residents, used in conjunction with a password. Which is just another flavour of 2FA. The cards are being deprecated partly because scammers figured out that they could con gullible people into giving the password and sending a picture of the one-time codes. The consequences could be pretty devastating because that meant they could breach security dozens of times instead of just once.

Fruits of the sea fucked around with this message at 16:18 on Jan 8, 2023 |
# ? Jan 8, 2023 16:08 |
|
Killingyouguy! posted:I just keep my database on a USB stick and plug it into whatever computer I'm using, because that amounts to a whole two devices, personal computer and work computer 🤷♂️ How do you log into things on mobile?
|
# ? Jan 8, 2023 16:16 |
|
Slimy Hog posted:How do you log into things on mobile?

And any employer with a sane security policy will disallow USB drives.
|
# ? Jan 8, 2023 16:22 |
|
Slimy Hog posted:How do you log into things on mobile?

View the password on my computer and type it into my phone using my eyes

How often do other people need to type passwords into their phones anyway? The Twitter and SA apps boot me out about once a year and I think those are the only apps I have that require a login

Not trying to be a shithead genuinely asking idk how other people use their phones

Killingyouguy! fucked around with this message at 16:45 on Jan 8, 2023 |
# ? Jan 8, 2023 16:34 |
|
Killingyouguy! posted:View the password on my computer and type it into my phone using my eyes

code:

Killingyouguy! posted:How often do other people need to type passwords into their phones anyway? The Twitter and SA apps boot me out about once a year and I think those are the only apps I have that require a login

I have TONS of things that require logins on mobile, I'm honestly surprised you only have two...
|
# ? Jan 8, 2023 16:47 |
|
TooMuchAbstraction posted:No password is secure if you're relying on the other side to not expose it in a data breach.

Sure, but, it's less work and less exposure to use a manager versus mirroring your semi-secure password scheme across all sites, and coming up with different schemes every time there's a breach. With random passwords on each site, a breach just means you change the password on that site to a different randomly generated password and move on.

For most people, the google account is already a single point of failure as access to your email gives you recovery access to all of your accounts. Putting your database on your google drive would require access to your email and also a way to break the encryption on the database.
|
# ? Jan 8, 2023 16:48 |
|
Slimy Hog posted:My passwords are all auto-generated and usually quite long; typing this garbage

I mean same but given having to do that is like a twice yearly thing I guess I just put up with it
|
# ? Jan 8, 2023 16:50 |
TooMuchAbstraction posted:I'm pretty sure you could fool FaceID with a photograph.

No you can’t lol
|
|
# ? Jan 8, 2023 16:54 |
|
|
Killingyouguy! posted:View the password on my computer and type it into my phone using my eyes

This is a pretty weird question to ask. A lot of people don't really use computers for anything that doesn't specifically require using a big keyboard. Everything is done on phones, and pretty much every workplace, school etc will have at least one mobile platform you need to log on to.

And because of two-step verification I need to log into things on my phone to log into things on my computers
|
# ? Jan 8, 2023 16:55 |