From: Keith Thompson
Newsgroups: alt.atheism,comp.sys.mac.system,comp.sys.mac.misc,comp.unix.misc,comp.misc
Subject: Re: Do you use a password manager?
Date: Wed, 21 Jul 2021 12:31:11 -0700
Organization: None to speak of
Message-ID: <875yx31n28.fsf@nosuchdomain.example.com>

Dreamer In Colore writes:
> On Mon, 12 Jul 2021 09:53:00 +0000, Unbreakable Disease
> wrote:
>>My 50-year-old brain isn't capable of memorizing that many passwords
>>anymore, so I use KeePassXC. I keep basically everything here including
>>my financial passwords and credit card data, with the exception of
>>passwords that I would have to remember anyway (full-disk encryption,
>>login, primary e-mail passwords, etc.)
>>
>>Overall, it's much easier to remember and much harder to forget 10
>>complicated passwords that you use every day than 100+ simple passwords
>>you use every month or even less.
>>
>>I can't speak about Windows version of KeePass, because with the
>>exception of playing games not available on Macintosh, I haven't used
>>one since Windows 95 days.
>
> For what it's worth, I like LastPass. I'm not crazy about the fact
> that I can't use it on multiple devices without having to pay for it,
> but I can't begrudge the software developers over there the right to
> earn a living.
>
> The best strengths in current password technology are in passphrases:
>
> https://useapassphrase.com
>
> There's some great stats in there, such as the amount of time it takes
> to crack common spatial word passwords such as "qwerty" or "aaaaaa"...
> 10 milliseconds.
>
> Or how long it takes to crack a password that's a date like
> "03261981"... 2.213 seconds.
>
> However, if you use a sequence of four randomly chosen words like
> "mergers decade labeled manager", it'll take 6 million centuries to
> crack.
>
> So.
>
> I've converted all my passwords to sequences of four to six words; and
> I have an email account at a provider that I've never used to send
> email to anyone, or to use as the id for any website. There, I have a
> draft of an email saved that holds the information.
>
> I now only need to remember one password, and I can get to everything.
> As for the remote chance that the email provider will cease to exist,
> I made backup accounts with other major providers, because paranoia.
>
> I don't use email apps to access my password storage account; and I
> use Tor to get to it for the sake of anonymity. I'd be fairly
> impressed if someone got through that level of security, and it's
> probably overkill, but why take the risk?
>
> While I'm at it... does everyone know about
>
> https://haveibeenpwned.com
>
> You can put your email address in there, and see if it's been involved
> in any large-scale thefts. It's got records going back years, and I
> was fairly shocked to see that my wife's account had been hacked years
> ago.

I use a couple of programs I wrote to generate random passwords and
passphrases:

https://github.com/Keith-S-Thompson/random-passwords

It's two Perl scripts. gen-password generates random passwords with
specified criteria, and gen-passphrase generates xkcd-style random word
sequences using the system dictionary or a specified one.

-- 
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */
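
The approach discussed in this thread (a passphrase made of words drawn at random from a dictionary), as an added Python example. It is not the code of the linked Perl scripts; the function names, the length limits and the embedded word list are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample input so the example runs offline. In practice, load a
# large list such as the system dictionary (often /usr/share/dict/words).
SAMPLE_WORDS = """mergers decade labeled manager Decade it's a
orbit candle thrift window marble harbor pencil garden""".split()


def clean_wordlist(words, min_len=4, max_len=8):
    """Keep lowercase ASCII-alphabetic words in a length range, deduplicated.

    Case variants and duplicates must be removed: they skew the selection
    and make the entropy estimate below too optimistic.
    """
    seen = set()
    for w in words:
        w = w.strip().lower()
        if w.isascii() and w.isalpha() and min_len <= len(w) <= max_len:
            seen.add(w)
    return sorted(seen)


def gen_passphrase(wordlist, count=4, sep=" "):
    """Pick `count` words independently and uniformly with the OS CSPRNG."""
    if len(wordlist) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options.

    This holds only for machine-made random picks; a phrase or date that a
    person makes up has far less entropy than the formula suggests.
    """
    return count * math.log2(choices)


if __name__ == "__main__":
    words = clean_wordlist(SAMPLE_WORDS)
    print(gen_passphrase(words), f"({entropy_bits(len(words), 4):.1f} bits, tiny demo list)")
    # Same formula with a realistic list size (50000 is an assumed figure).
    print(f"4 words from 50000: {entropy_bits(50000, 4):.1f} bits")
    # Upper bound for an 8-digit string; real dates cover far fewer values.
    print(f"8 random digits:    {entropy_bits(10, 8):.1f} bits")
```

The strength comes from the size of the cleaned list and the number of words, not from the words being obscure, so it is worth checking how many entries survive filtering before relying on the result.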