Little blue book
Nothing beats writing them down and keeping them in a filing cabinet at home.
Password management applications, recommended by many security experts as the only viable way to deal with large sets of passwords that are unique and sufficiently complex, introduce their own set of problems – namely the general fallibility of software. A group of security researchers called TeamSIK from the Fraunhofer …
"Nothing beats writing them down and keeping them in a filing cabinet at home."
Completely agree, the issue was accessing online. So I did similar using a sheet of paper with them all written down then pointed a cheap Asian webcam at them which I can access remotely. Whenever I need a password I fire up the webcam from a browser and type it in. Simples!
Mine is in a little blue book too!
I always feel if anyone has the guts to break into my home for them, then job well done.
Been waiting for the great password manager break in to happen for a while now. All these tech journos telling everyone to pop their passwords into these applications with zero comment on who actually is behind these pieces of software or how actually secure they are.
It will all end in tears I suspect. Lambs to the slaughter...
All these tech journos telling everyone to pop their passwords into these applications with zero comment on who actually is behind these pieces of software or how actually secure they are.
Bruce Schneier is behind the software I use. Something about due diligence...
BAH! No matter that vulnerabilities show up occasionally, because the way people used to use passwords was WAY MORE vulnerable than the occasional unpatched problem that shows up once in a while. If I gave up using managers, I'd be in much more serious condition than if I didn't use one. The little blue book is okay, if you are sure you do not have a keylogger in your phone - same for password manager - At least with the manager, if you change the master password, the attacker loses all advantage until the next breach.
I don't know about Android, but Windows has so many apps that keep keystrokes in memory or on the hard disk that an attacker doesn't even need a keystroke logger to find all your passwords EVER used. The little blue book isn't too bad, but the more difficulty you put into password management the less likely the user will adopt the tactic. You are probably better off with a vulnerable password manager most of the time than using practices that are even worse.
I noticed that too. The factor that might have put them off is that Keepass itself isn't an Android app or even arguably a Linux one being that it needs mono to work. There are Android apps that can connect to a Keepass database such as Keepass2Android (the offline version of which I use) but I suppose they could be said not to be popular enough to feature compared to the online vaults that seem to get more mentions when password managers are covered in news reports.
But the research only looked at Android:
In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count.
and if we wander over to the Keepass download page we see various "Contributed/unofficial" ports for Android. Dunno which of those are present on the Google Play Store (don't have an Android device here).
Hey, Will here from AgileBits - makers of 1Password
We and our customers benefit greatly from the work that Team-SIK did in their excellent analysis of 1Password 6.3.3 for Android. The particular vulnerabilities that they reported to us at the beginning of September 2016 were addressed in our Beta versions (1Password 6.4.1-BETA-1 on September 13 and 6.4.1-BETA-2 on September 21) and in full release of 1Password for Android 6.4.1 on September 27.
Although the Team-SIK report is highly critical of the security offered by password managers on Android in general, we hope that readers of their overview will take the time to recognize that their general statements do not apply universally, and that the issues that were specific to 1Password on Android were promptly addressed.
If you have more questions about this, please do get in touch.
I for one am astounded at the security flaws listed specifically for 1P. I am a long-time user.
FWIW: AgileBits has informed users about the website icon shenanigans when the feature was first released, but that doesn't mean many/most users understood the implications or that a better, more secure way was possible. I sure did. Still not sure I trust AB over that "lapse", even though it's claimed to have been fixed.
Deflection will get you nowhere.
Are you suggesting the issues reported for 1P were unintentional, e.g. not motivated by making it easier for the customer or to reduce the number of customer support interactions?
The URL icon issue sure looked/looks intentional. I don't see how AgileBits can deny that.
As for the others, if not intentional, they look like tremendous lapses in thought by experts in the field.
I could do with some crypto advice ...
I tend to generate my passwords from a concatenation of my username, the site in question, and my secret passphrase: "anonymouscoward elreg MyVerySecretPassword" which I then hash, convert to base64, make some substitutions to meet "you must use a special character" rules ...
~$ read text; echo -n "$text" | sha256sum | cut -c 1-64 | xxd -r -p | base64 | cut -c 1-24 | tr 'a-m' '!--'
I think that gives me a 24 char 144 bit password that is specific to any given account and is reasonably safe but that allows me to recreate it any time I have access to a shell (BTW, I use read text to avoid getting the password in the .bash_history or similar) or a programming environment where I can do SHA256, base64 etc.
I clear the terminal display and the clipboard after use. Accounts that require me to change passwords regularly just get yyyy-mm in there as well. Is this a terrible idea?
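The derivation from the post above, reimplemented in Python as an added example (not the commenter's own code, and not from the article), with two checks a reviewer would want: a character-class profile showing the skew the tr substitution leaves in every output, and an accounting of effective strength when the username and site are known. The 12.9 bits per word in the usage line assumes a 7,776-word passphrase list.

```python
import base64
import hashlib
import string
from collections import Counter

# The commenter's final step, tr 'a-m' '!--', maps the 13 letters a..m onto the 13
# punctuation characters from '!' (0x21) to '-' (0x2D), in order.
PUNCT = "".join(chr(c) for c in range(ord("!"), ord("-") + 1))  # !"#$%&'()*+,-
SUBST = str.maketrans(string.ascii_lowercase[:13], PUNCT)


def derive_password(username: str, site: str, passphrase: str, period: str = "") -> str:
    """Reproduce the pipeline: SHA-256 of "user site passphrase", raw digest
    base64-encoded, first 24 characters, then the a-m -> !..- substitution.
    `period` is the optional yyyy-mm tag the post uses for accounts that force rotation."""
    parts = [username, site, passphrase]
    if period:
        parts.append(period)
    digest = hashlib.sha256(" ".join(parts).encode("utf-8")).digest()  # 32 raw bytes
    encoded = base64.b64encode(digest).decode("ascii")                # 44 chars, '=' at the end
    return encoded[:24].translate(SUBST)                              # 24 chars, 144 bits nominal


def character_profile(password: str) -> dict:
    """Count character classes. For passwords made this way the 'a-m' bucket is always
    empty while n-z still occur, and '!'..'-' turn up more often than in a random
    password: that skew is what an analyst would notice in a leaked password dump."""
    profile = Counter()
    for ch in password:
        if ch in PUNCT:
            profile["punct"] += 1
        elif "a" <= ch <= "m":
            profile["a-m"] += 1
        elif "n" <= ch <= "z":
            profile["n-z"] += 1
        elif ch.isupper():
            profile["upper"] += 1
        elif ch.isdigit():
            profile["digit"] += 1
        else:
            profile["other"] += 1  # only '/' can land here (base64's '+' is inside PUNCT)
    return dict(profile)


def effective_strength_bits(passphrase_bits: float, nominal_chars: int = 24) -> float:
    """What an attacker who already knows the username and site actually faces:
    the output carries 6 bits per base64 character (144 for 24), but it can never
    be stronger than the secret passphrase that feeds the hash."""
    return min(6.0 * nominal_chars, passphrase_bits)


if __name__ == "__main__":
    # Constructed sample inputs, taken from the post's own illustration.
    pw = derive_password("anonymouscoward", "elreg", "MyVerySecretPassword")
    print(pw, character_profile(pw))
    # A four-word passphrase from a 7,776-word list is about 52 bits, not 144.
    print(effective_strength_bits(4 * 12.9))
```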
Well, it boils down to two things: how easily an attacker could guess the inputs, and the security of the hashing algorithm. Everything else is second order beans, e.g. it would not take long to notice that you had a low frequency of a-m and a high one of !-- and reverse that.
The hash is pretty good, but only as good as its inputs: if an attacker can guess those, then the strength of the hash is moot.
So now we are down to: can an attacker guess your username, sites you might visit, and your passphrase? In many cases (perhaps not you personally) I would wager that the first two are easy to guess. How many John Smiths have a username of jsmith, johnsmith etc? (It's worse if your name is unusual, as you're more likely to grab the easy user names and not have to resort to some number after your ID. There's probably only one JanetOoberLuba in the bank's system, but John Smith is probably johnsmith03456). Sites are easy to watch too. Work in IT? British? Chances are you read El Reg. Right-wing, American? Look at Fox News, and maybe you bank with a bank in a red state. It's amazing what you can work out.
So then, at the end, we are down to this: is your passphrase any good?
Hashing with each web site address does in principle breach the rule of "don't re-use one password on multiple sites", even with variations.
I generate random letter-number passwords and, when I have to, write them down. If a web site visit calls for another new password, I pause to decide if I really want to take the trouble.
The thing is, only after analysis of his passwords would the pattern be identified.
So, he is 100% safe from automated mass attacks, he is only in relative danger from targeted attacks.
And targeted attacks would, almost for sure, not go for his passwords in this way.. the normal route is targeted zero-day on banners in linkedin, etc, plus mails. Easier, and cheaper.
So while technically not safe, I would say it is completely safe.
This is a variation of what I do, except it's simpler and done in my head.
To get my (for example) bank password they need to:
A) get my bank hash and guesstimate an apparently random 11+ digit password.
B)
1. get at least two other sets of hashes (they prob have my old Yahoo and LinkedIn)
2. guesstimate two different apparently random 11+ digit passwords,
3. take those two passwords and try and work out what my "internal algorithm" is
4. find my banking username and generate my bank password.
5. do this before my rolling password resets complete (about 2 years)
Remember: related but not the same is, as far as hashing is concerned, completely different.
The way I see it I trust NO-ONE with my hashes now and assume them all vulnerable to guesstimating.
So if A) is "secure enough" for me then the B step 2 x B step 2 difficulty is secure enough for me.
Remember you can't outrun the (fancy) bear, you just need to outrun the other internet users.
(eg your password just needs to be hard enough to take too long to guesstimate, and as your banking password only needs to be twice as hard to crack just make it ONE digit longer)
"Remember you can't outrun the (fancy) bear, you just need to outrun the other internet users."
Except the bear will still be hungry and will keep going. Ultimately, he'll reach you. Meanwhile, there's the discerning tiger who might recognize you as a tastier meal and single you out.
Hashing with each web site address does in principle breach the rule of "don't re-use one password on multiple sites", even with variations.
Not really ... the advice not to use the same password on multiple sites is there to prevent someone who discovers your password from trying it on all/any other sites for which you have an account. Clearly, if someone discovers (say) that your password on El Reg is elreg!mysecret they're likely to try linkedin!mysecret to break into your LinkedIn account, and so on ... but only because this is a manual attack and the attacker can see at a glance what your method is.
If the passwords you use are actually hashes, you're not reusing the same password or any part of it for multiple sites in any obvious or discernible way -- just reusing some of the input data for a hash -- so the situation is quite different.
If someone discovers the hash you use as a password for El Reg, they are not going to be able to work out what that hash is a hash of (that's kind-of the point of using a hash) so they won't be able to substitute other service names in the same way. If the attacker is able to discover by some means what process you go through to compute the hash then all bets are off ... but given the ways most passwords become compromised that's not very likely, and the hashing method is pretty safe.
So, what you're saying is, you'll keep re-using the same password for multiple different sites, then? Since no-one can possibly remember several hundred or thousand different strong passwords, many of which you will only use quite infrequently. Of course, sharing passwords across sites is one of the single worst problems with password security in general. But no, by all means, go on doing it.
Wow!! You must be really amazing to be able to remember over 400 different passwords for a variety of different websites, apps, programs and such. What a hero! :-D
Personally I am older, much less of a superhero and need my crutch to be able to function, so I use a cloud based system that caches locally as well and for less important items I reuse the same passwords. Human I am, fallible I am, learned to work around my weaknesses I have. Yoda I seem to have become. <LOL>
Just use a core password with an extension that is unique to the site/service you're using at the time; the site/service itself reminds you of the extension - 'my Register forums password', for instance, is easily remembered by noting that you're logging into El Reg in order to comment on the forums. So it's almost a no-brainer once you've got the core password memorised.
Obligatory xkcd: https://www.xkcd.com/538
Which is why I chose a password for my phone that I can blurt out safe in the knowledge that you'll never realise that's what I'm doing - you can seduce me, drug me, blackmail me, rubber hose me until you're in agony, never mind me, I can't give you a different one because I've been telling you the real one all along.
it isn't "F*ck you and the horse you rode in on!" but you get the idea.
A notebook on a desk isn't much bloody use when I'm not *at* my desk. And no-one enjoys typing in truly strong passwords, so if you don't use software which fills them in for you, you have a strong incentive to make your passwords not really very strong (but more convenient to type).
"when I'm not *at* my desk. And no-one enjoys strong passwords"
@AdamWill
Q1: What did you do before crutches like Password Managers? This is a tech website. Presumably as an IT pro you've been forced to systemically design complex passwords over the course of your career to secure many diverse systems...???
Q2: What happens next time Amazon-S3 is down, (the Cloud system your password manager website uses etc), and there's an outage at your workplace that requires urgent login to all the diverse systems you manage?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There isn't any need for notebooks and they're a vulnerability. Instead use a little imagination and come up with a system, your own unique take on 'Too Many Secrets'. Form a strong password by designing a password structure into 3 / 4 / 5 / 6 segments etc.
Crude example: 1. Information related to your reason for using a website or the purpose of such a system, 2. The approx date you signed up, 3. Personal info uniquely related solely to you but never ever made public, 4. Your job status in your own cynical pov, 5. A private life goal on a bucket list somewhere, 6. An index number that can have a simple math operation defined on it, but something not easily reverse engineered except by you.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Break a strong password up into sections. Have a few different templates for each layout. Then have a system for evolving or changing it periodically as necessary, but within limits / bounds so you don't pick anything too random to forget.
This isn't for everyone, but we're tech pros. We shouldn't trust password websites to nanny us. What have Snowden / Russian hackers taught us? All data is leaky / hackable / slurpable!
@AC - Not sure if you've noticed but the number of sites with personalisation and login systems has grown phenomenally over the last decade or so. Before password managers, massive breaches were uncommon, and people didn't have 300 sites to access. (I think I've hit 700 sites stored in my PM at the moment).
A lot of people, before PMs used a single password for various sites. That's why the big breaches were such a problem - it allowed the attackers access to a bunch of other sites too.
I use a password manager, but not a password website. Specifically, KeePass. So passwords are stored locally on my PC. I use DropBox to back them up and replicate them to other devices. I can get at them from my phone without needing internet access.
- Honestly, how many of the 400 websites get used outside of your home / how many do you really use everyday?
- To learn a musical instrument or a foreign language a person develops tricks & techniques. But we're not taught to think about passwords that way. We're taught to entrust security to someone else, from a web service to a local device... But past history has shown: users always get burned!
- Online / Local PM's will always be a magnet for hackers / cybercrims. System designers must protect against every possible intrusion, but hackers only need to get lucky once!
"Honestly, how many of the 400 websites get used outside of your home / how many do you really use everyday?"
IMHO how often and where you use the website and username/password is not the point. The point is how long the password is and whether the password is unique for each site.
The Sony hack showed that a significant proportion of users had the same password across multiple high-profile websites which were then immediately hacked as well.
It is generally accepted that any password less than 11 characters can be brute force attacked in a day. Anything with 12 or more characters will take significantly longer as long as the system allows non alpha-numeric characters.
I've got about 10 key websites for banking, email, shopping, appstore etc. that I use regularly. I'm not sure I could remember 10 completely different passwords for these that had no relation to each other and also included random non alpha-numeric characters.
At the end of the day everyone has to make their own judgement on ease of use vs. security. Personally I use a PM because I believe relative ease of use increases security. I remember one long >20 character passphrase and then all the sites I use have unique random passwords.
- I get the counter views. Many are happy to trust PM's. For me not enough risk analysis has been done yet in storing passwords in the cloud, or locally on the same device used to log-in.
- With Hackers / cybercrims seemingly winning the data wars, we can agree there are risks...
- I sleep better knowing my passwords aren't in the cloud and aren't on any internet connected device. But you guys feel the trade off is worth it. But, only time will tell...
What does the regularity or location matter for the sites? The irregularly used ones are more important to keep in a PM - there's no chance I'd remember such a password. Take into account the idea of keeping control of your identity online also, ie. registering a username so that others don't, and that gives you more to keep hold of.
Everything is a target for criminals. That's why we constantly hear about hacks of Sony, Yahoo, etc... It's very rare to hear of any real danger to a PM provider though.
There's always a trade off between security and usability, or to put it another way, you can have a completely secure system by keeping it turned off.
Password managers sit at a particular point on the line between security and usability: they're more secure than using the same password for every site, or using the password manager most browsers come with. However, they're not as secure as keeping your passwords written down in a book, or memorising them. Again though, a password manager is much more usable than trying to memorise many unique passwords, or keeping them in a book.
Just because a password manager is not the most secure method, does not mean they don't have a place, it's about balancing risk with ease of use.
Hmmm, nice to know. I don't use password managers on my phone or tablet, since, PM manager or no PM manager, I figure anything really non-trivial (besides my web mail) best stay off mobiles. I do use them on my laptop, cloud-disconnected.
How about the same audits for the some of the desktop apps?
And, though no vendor's exactly covered themselves with glory here, let's stay realistic about risk/benefit trade-offs - reliably memorizing distinct, complex, non-guessable, occasionally changed passwords for more than 2-3 high security accounts is not doable for most people (at least not me). PMs are, IMHO, necessary.
Always argued that all a password manager does is shift the risk of a single account being breached into the risk of *all* of your accounts being breached.
The root and branch password methodology is still the best option for memorising longer passwords, and failing that, write them down on a piece of paper that's not kept near your PC and doesn't reference the services the passwords link to.
I use one, but with exceptions. My domain, email and master password for the PW manager itself are never stored there. Heck none of them are stored - they are the only ones I remember and change myself.
This means should my passwords all be leaked, the method of recovering access to those accounts (generally via e-mail) is secure.
"The root and branch password methodology is still the best option for memorising longer passwords, and failing that, write them down on a piece of paper that's not kept near your PC and doesn't reference the services the passwords link to."
And if neither's an option because your memory's that bad and the xkcd method doesn't work for you (because you start with "correcthorsebatterystaple" and end up with "donkeyenginepaperclipwrong")?
Why not just set the Master Password in your browser's password store?
What makes you think that the Master Password in the browser is any more secure than any of the purpose-written password managers being torn apart here?
In any case, most people use more than one browser on more than one system, and locking a password away on one browser doesn't help when trying to use it on another.
IME allowing the browser to remember passwords is the best way to ensure that you don't remember them when you need to, and don't have a backup copy when your PC dies. I always recommend turning that facility OFF.
My mobile (being a few years old) doesn't have the latest 'droid and as such doesn't have revocable permissions. Thus, as apps have been developed (in most cases, seemingly just shark-jumping) they have invariably asked for more and more permissions for the next update.
As each permission is an increased risk, but not updating is also an increased risk, what's a commentard to do?
"you can't afford a new one (and the cheapos don't work on your network)?"
My HTC Desire was a cheapie; less than $AU200 new. Likewise the Galaxy Note 3 I just purchased is "new" (never used) and was less than $AU300. What kind of a network isn't compatible with my phones?
"Hate to break it to you, but for the vast majority of the world's population $AU200 is far from 'cheap'."
Hate to break it to you, but I assumed Charles 9 was not one of those living on a dollar a day. FWIW, The Gitling regularly spends more than $AU1,000 on a new phone. Heck, the tenants who rent from me have 52 inch TV sets and I'm informed that they are poor. Mine's a mere 42 inch since The Gitling gave us his to replace our 32 inch.
While it would be ideal not to have any security holes in security software, some of these are definitely worse than others. In particular, "Keepsafe Plaintext Password Storage" and "Hardcoded Master Key in LastPass Password Manager" are not bugs, they're deliberate design choices to produce something with effectively zero security from the start.
@Whitter
"As each permission is an increased risk, but not updating is also an increased risk, what's a commentard to do?"
Delete them. If an app asks for information or permission you're not comfortable giving it, and you can't safely use it without doing so, then get rid of it. Different people will draw the line of where security beats convenience in different places, but wherever it is you hit that line the only solution is to remove the problem at the source. Fortunately, I have yet to meet an app I couldn't live without.
"Delete them. If an app asks for information or permission you're not comfortable giving it, and you can't safely use it without doing so, then get rid of it. Different people will draw the line of where security beats convenience in different places, but wherever it is you hit that line the only solution is to remove the problem at the source. Fortunately, I have yet to meet an app I couldn't live without."
That's you. What about others where they find themselves in a dilemma: FORCED (such as by work) to use an app they cannot trust?
"That's you. What about others where they find themselves in a dilemma: FORCED (such as by work) to use an app they cannot trust?"
Then you make sure to only use such an app on your work phone, and if it gets compromised as a result it's entirely their fault. If they try to force you to use your personal belongings for work instead of providing you with the tools required, tell them to fuck off.
Have you looked at some of these? This one from Keeper requires you to have physical access to the phone and email. This is not some hack-the-webcam type of issue. Below is just the first half of the actual report for one of the Keeper issues. And I am sure there are others beyond these, but you will never get 100 percent bug free, you just want to make your app harder to break than the attacker wants to spend.
If the user is logged out, the master password has to be entered to access the passwords in the app. An adversary with local access to the device can now attempt to reset the master password. For this attack scenario it is also assumed that, by having local access to the device the adversary has also access to the mail account which is connected to the keeper account.
By entering the password incorrectly once the adversary can select “Forgot Password” after which a verification code has to be entered.
In this state the Keeper app with minSdkVersion=15, the adversary can launch the activity com.callpod.android_apps.keeper.DeepLinkActivity by using the shell based Activitymanager am
First, the defects were from last year and were quickly resolved.
Second, the main benefit of a password manager is to have unique and random passwords for each site, so that in the event that a site is compromised, the ID/PWD are limited to that site.
Third, the password manager is used to store site specific and nonsense responses to personal questions like "Who was your 3rd grade teacher?" Answer "Chalup97 Multii-purpose." Cuts down on social engineering based upon multiple site compromises.
Fourth, the passphrase to open the app is so long and random as to be infeasible to crack, save installing a key logger or other double-secret probation device.
Fifth, I'm getting older. My adult kids have an envelope with the passcode to my phone and laptop, and the passphrase to 1Password app. 1Password has all my financial and personal information in case of unexpected journey to Adios City. (Vault backups are on Dropbox and iCloud with the links in the kids' possession in the event the phone and laptop travel with me!)
Older, but perhaps not wiser. If somebody DID want to get at you, they'd find all your security policy laid down here on a public website.
Yes, such high risk. So high that by the end of the night I'll have his details!
Well, that's assuming that first, I can figure out what his name is from his El Reg user name (maybe his posting history will help), then from there I have to figure out actually which of WMW_REALNAME he is - he might have a very rare name which could narrow him down in minutes, or he might have a common name, one of millions. Then I have to figure out who his adult children are and where they live. Farcebook may help here if WMW has an account under WMW_REALNAME, but it may be under something else. Then finding the kids - if all married daughters then that could be an issue as on FB friends lists they'll probably be one-among-many unless WMW's friend's lists is rather short or the daughters kept their real name, then..
Fuck it. Too much effort even thinking about how I could get WMW's security info from what has been posted on El Reg, I'll target someone I know locally who has a spare credit card in the top drawer of his computer desk, spare key on top of his back door frame (outside the house), and of course the same envelope that has his CC also has any other necessary info with it, handily noted down where it is nice and safe.
FTR, I use a similar approach to WMW - I have a sealed envelope with family details tucked away and family has the same for me. Your average burglar isn't going to find it as they're only after what they can quickly grab, and a more targeted attack will have a high probability of failing to find it in a reasonable time frame. If the details are obfuscated enough it's a perfectly safe way to handle such things.
Well that's a major security risk right there.
Don't give anyone potential access to your financial accounts. Banks, unsurprisingly, deal with people dying all the time, and will NEVER expect those still on this earth to have access to the passwords. Indeed, people have been dragged through the courts for accessing accounts of dead relatives thinking they're doing something completely innocent, whereas actually it is unauthorised access of a computer system and the associated terrorism acts that deal with these incidents. And you cannot explain that it's all a grave misunderstanding and that it was you, breaking the Ts and Cs and leaving said relatives the passwords, cause ye've kicked the bucket already, so the banks are duty-bound to investigate and prosecute for fraud.
By all means leave them a list of accounts you have. But not the passwords, you'll cause them far more hassle.
"Well that's a major security risk right there. Don't give anyone potential access to your financial accounts. Banks, unsurprisingly, deal with people dying all the time, and will NEVER expect those still on this earth to have access to the passwords."
There can be other things that happen as well, situations where you're still alive but not able to access your accounts. While your bank drags its heels and demands this and that from your loved ones, fees, automatic payments etc all quickly drain your account. Only when it's below $0 will your bank let your family get in and stop them, only instead of having money there to be used in a certain manner in an emergency there's now a debt with the bank.
And while some will, at least some Kiwi banks won't let you add your partner's name to your account under any circumstances, you have to jump through all sorts of hoops, set up new (joint) accounts and so on.
You should be able to trust your family, and by the time your kids are old enough for such things you should know if they're able to be responsible or not. If it's a "not" then you should have someone else you can find who you can trust.
Indeed, people have been dragged through the courts for accessing accounts of dead relatives thinking they're doing something completely innocent, whereas actually it is unauthorised access of a computer system and the associated terrorism acts that deal with these incidents.
Terrorism?
A will and/or other documentation giving them access to shut down trumps court action, and few banks would waste time and money on lawyers for a case they know they'll lose - they know they'll not only have to pay their costs but pay yours as well, and after a few tries will be up before the beak for making false complaints.
Putting all your eggs in one basket and placing it on a shaky shelf does not sound like a nice idea.
It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account.