DMT-Nexus
Password management Options
 
Psilosopher?
#1 Posted : 7/25/2019 6:39:41 AM

DMT-Nexus member


Posts: 732
Joined: 28-Dec-2014
Last visit: 21-Aug-2019
Location: Everywhen
What's the best way of storing many passwords? I use LastPass, but I feel really insecure with it, which may be completely unjustified. Are there better alternatives?
"Better than a thousand hollow words, is one word that brings peace." - Buddha
 

 
tatt
#2 Posted : 7/25/2019 4:40:23 PM

DMT-Nexus member

ModeratorSenior Member

Posts: 4290
Joined: 17-Jan-2009
Last visit: 22-Aug-2019
Well I'm going to say the obvious and honestly best way - offline, written down and kept somewhere quickly accessible, having none of it stored on your actual computer. This is hands down the best method.

With that said:


There's always using one-way cryptographic hash functions, storing the compiled hash values in a txt file; then if you need to remember your now-hashed passwords later, there are relatively small few-line scripts that can do the comparison, but for the comparison script to work you'd need to have written in/supplied the table of hashed passwords and their plaintext equivalents within the script for it to even do the comparison against your pswd file with the given hashes and retrieve the plaintext values.

(*Only reason I mentioned this is because I know you've talked about the fact you code, so yeah)

^^^ Using this comparison script is only for if you would need to retrieve the given plaintext - in say you forget a given password and can't remember - then you could run the comparison script against your txt file of pre-compiled pswd hashes.

Though this could be seen as overwork/overkill just to see your plaintext passwords if you'd happen to forget one of them - you'd have to create your own comparison script.



A really sound way imo/ime is using an AES-encrypted usb drive stick. The best program out there for this ime is VeraCrypt [a fork of TrueCrypt].

You can use veracrypt to instantiate a usb flashdrive container - allowing an encrypted volume to be created so that whenever you decide to plug in & mount the usb drive - you can select an open slot in veracrypt, then select the path of your usb drive to mount, enter your passphrase, then decrypt the container/volume, then there's your plaintext pswds.

Btw when you have veracrypt open and the usb drive mounted - add w/e plaintext passwords you have - then once within the given volume/container they'll be automatically encrypted, then dismount, unplug usb, done. Then to retrieve - you just do what I said above. And obviously you want to keep the usb stick somewhere readily accessible && [hopefully] secure.

##!

If you really want to enhance vc to its full potential - you can instantiate an encrypted volume within an encrypted volume - with the underlying volume hidden (i.e. the one that would contain your sensitive data). The outer volume you can throw in w/e BS files you'd like, anything to throw the person off if they happened to get the outer volume's key/passphrase - though when they'd access this outer volume all they'd see is your mach-files, with the inner volume completely hidden from view.

The only way said person would get to access your inner volume is if they knew the passphrase for that inner volume. But the whole point of having a volume within a volume is to fake the said person into believing they'd accessed 'your actual passwords/sensitive data' - when in reality you'd have given them only the outer volume passphrase - which is just essentially a honeypot of sorts, a dummy setup.



I know you said you use linux, so vc is worth looking into. I think it's out for windows too, but not entirely sure.



I use a usb stick with vc w/ the hidden volume.

Flight by wire

-9 SIGKILL

 
tatt
#3 Posted : 7/25/2019 6:41:40 PM

DMT-Nexus member

ModeratorSenior Member

Posts: 4290
Joined: 17-Jan-2009
Last visit: 22-Aug-2019
The pswd manager itself uses the company's server for much of the extension's functionality, though the extension itself has several fallbacks to server-provided pages for a few of its provided features. For example - one of these fallbacks on the extension is the 'account settings' which redirects you to a web-interface page hosted by LastPass's server, bypassing the extension itself.

There have been past flaws in several APIs

** getdata & keyplug2web

It was found that the response to these API calls contained your local encryption key - which could potentially be used to decrypt all pswds server-side. Random websites used to be able to access these APIs, not sure how buttoned-down this is now, but I think now only the lastpass domains can trigger these calls. Lastpass blocks the calls now from any domains outside of the former.

Though the subdirecs/pages within the lastpass domain seemed to also be vulnerable under certain circumstances - there apparently used to be a breach notifier [I think there still might be] that the lastpass server would send to the client if such a thing came up with the server, containing a short message with a link for the client - in which case if the client clicks the supplied link then the API keyplug2web would become unlocked - giving access to all the given passwords.



There's been numerous reports of lastpass's autofill functionality being exploitable.

One instance was a section of the code that parsed the URL to figure out the specific domain the browser was currently at, then it would fill in the given credentials due to a flaw in the URL encoding - which could be displayed on the subsequent get/post requests on the following page/s. (& with minor tweaking of the URL itself).



The master password could also potentially be brute-forced. I think lastpass uses the PBKDF2 algorithm for derivation of the key from the master password. This algorithm has one major property of being fairly slow, so ppl trying to pswd guess locally can be slowed down a bit.

This 'time required' is proportional to the # of iterations for the algorithm, meaning an increased number of iterations would consequently lead to a significantly tougher time to guess the password. Lastpass's # of iterations used to be around 4000 or so, though as of last year they apparently upped the # of iterations to 12000, which is a nice jump, and helps add additional security.



There's a few other troublesome areas with lastpass in terms of the local encryption scheme. There's a number of occasions where the extension will expose your local encryption key to lastpass's servers:

opening account settings
security challenge
history
bookmarklets
linking a personal account
adding an identity
printing all sites
Flight by wire

-9 SIGKILL
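The hash-file idea in post #2 and the PBKDF2 iteration point in post #3 come down to the same mechanism, so here is one added example (not code from the thread, from LastPass, or from VeraCrypt) showing the only version of a "hash your passwords" file that actually gains anything: a verify-only store. Each line keeps a label, the PBKDF2 iteration count, a random salt and the digest, so you can check a password you half-remember without the plaintext being anywhere on disk, and you can raise the iteration count on an entry later the way the thread describes LastPass doing. The labels, sample passwords, fixed salts and the 12,000/100,000 iteration figures are this example's own constructed values.

```python
# Added example: verify-only password hash file with upgradable PBKDF2 cost.
# Not code from the thread or from any password manager.
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_NAME = "sha256"
DIGEST_LEN = 32
DEFAULT_ITERATIONS = 12_000   # the LastPass figure quoted in the thread; arbitrary here


def make_entry(label: str, password: str, iterations: int = DEFAULT_ITERATIONS,
               salt: Optional[bytes] = None) -> str:
    """Return one line 'label$iterations$salt$digest'. A fresh random salt per
    entry means two identical passwords never produce the same digest."""
    if "$" in label:
        raise ValueError("label must not contain '$' (it is the field separator)")
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations, DIGEST_LEN)
    return "$".join([label, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def parse_entry(line: str) -> Tuple[str, int, bytes, bytes]:
    label, iterations, salt, digest = line.strip().split("$")
    return label, int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def verify_entry(line: str, candidate: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    _, iterations, salt, digest = parse_entry(line)
    probe = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode(), salt, iterations, len(digest))
    return hmac.compare_digest(probe, digest)


def upgrade_entry(line: str, candidate: str, new_iterations: int) -> Optional[str]:
    """Re-hash at a higher iteration count. This is only possible when the
    plaintext is presented, because a digest cannot be 'stretched' further
    after the fact; that is why managers upgrade cost at login time."""
    label, iterations, _, _ = parse_entry(line)
    if new_iterations <= iterations or not verify_entry(line, candidate):
        return None
    return make_entry(label, candidate, new_iterations)


def check(lines: List[str], label: str, candidate: str) -> bool:
    """Look up a label in the hash file and verify the remembered password."""
    for line in lines:
        if parse_entry(line)[0] == label:
            return verify_entry(line, candidate)
    return False


# Constructed sample hash file; fixed salts only so the example is reproducible.
SAMPLE_FILE = [
    make_entry("forum-login", "correct horse battery staple", salt=b"\x00" * 16),
    make_entry("mail", "hunter2", salt=b"\x01" * 16),
]

if __name__ == "__main__":
    print("mail/hunter2 ok:", check(SAMPLE_FILE, "mail", "hunter2"))
    upgraded = upgrade_entry(SAMPLE_FILE[1], "hunter2", 100_000)
    print("upgraded entry:", upgraded)
```

Note what this does and does not give you: the file lets you confirm a guess at your own password, and an attacker who copies it must run the same PBKDF2 cost per guess, but nothing in the file can hand back a forgotten password. The moment a "comparison script" embeds the plaintext table, as post #2 describes, the hashing is decorative and the script itself is the secret that needs the encrypted container.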

 
Psilosopher?
#4 Posted : 7/26/2019 2:27:02 AM

DMT-Nexus member


Posts: 732
Joined: 28-Dec-2014
Last visit: 21-Aug-2019
Location: Everywhen
Thanks for the info, some really informative stuff.


I'm not tech savvy enough to use all that stuff, but I did find this:

https://masterpassword.app/


Quote:
Master Password is the answer to the problem that websites have forced on us.

Master Password is not a password manager. It is not a secure vault or a digital notebook. It is something else entirely, and yet something so simple.

Think of it as a store-bought calculator. If your name was 1337, your master password was 5317 and you'd like to log into the site 707, take any calculator in the world and type in 1337 + 5317 + 707 to get the password to use for this site, = 7361.
Can somebody steal your password? Just hit .
What are you going to do if you forget your site's password? Just redo the math.
What if you lose or break your device? Borrow a buddy's or get a new one, math is universal.
Does a calculator need to sync with the cloud before you can use it? No, just remember your own name and master password.

This is the freedom Master Password gives you.
Master Password performs a similar but cryptographically secure operation, hardened by interweaving primitives against both known and unknown attack vectors, ensuring that targeting your identity remains absolutely insurmountable.

With Master Password you leave no passwords laying around. You no longer store passwords in commercial, proprietary apps and no longer send them off to the cloud. You are no longer tied to your laptop or the internet if you need to look one up. Even if a personal or natural catastrophe causes you loss, you can never lose your account passwords — all you ever need is your one and only secret master password and anyone's Master Password calculator app.




It does have limited functionality compared to LastPass, like autofilling, but seems way more secure.
"Better than a thousand hollow words, is one word that brings peace." - Buddha
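The quoted "calculator" description is a deterministic derivation: every site password is a pure function of your name, your master password and the site, with nothing stored. Below is an added, simplified illustration of that idea in working code; it is not the Master Password project's algorithm or code, and the scope string, iteration count, character classes and template are this example's own choices. The one extra input, a per-site counter, is there to show how such a scheme rotates a single site's password without changing the master password.

```python
# Added example: a simplified deterministic "password calculator".
# Not the Master Password project's algorithm; constants are constructed here.
import hashlib
import hmac

KDF_ITERATIONS = 100_000                 # cost of the master-key step, arbitrary here
SCOPE = b"example.password.calculator"   # domain-separation prefix, constructed

# Character classes; ambiguous glyphs (I, O, l, 0, 1) are left out deliberately.
CLASSES = {
    "U": "ABCDEFGHJKLMNPQRSTUVWXYZ",
    "l": "abcdefghijkmnopqrstuvwxyz",
    "d": "23456789",
    "s": "!@#$%^&*()-_=+",
}
TEMPLATE = "Ulds"   # repeated; guarantees every class appears in the first 4 chars


def _len_prefixed(s: str) -> bytes:
    """Length-prefix a string so 'ab'+'c' and 'a'+'bc' cannot collide."""
    b = s.encode()
    return len(b).to_bytes(4, "big") + b


def master_key(name: str, master_password: str) -> bytes:
    """Slow step: a deliberately expensive KDF, so guessing the master
    password offline costs the attacker KDF_ITERATIONS per guess."""
    salt = SCOPE + _len_prefixed(name)
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, 64)


def site_seed(mkey: bytes, site: str, counter: int) -> bytes:
    """Fast step: HMAC of the site name and a rotation counter under the master key."""
    msg = SCOPE + _len_prefixed(site) + counter.to_bytes(4, "big")
    return hmac.new(mkey, msg, hashlib.sha256).digest()


def render(seed: bytes, length: int) -> str:
    """Map the 256-bit seed onto the template by repeated division, so each
    position draws from the whole seed rather than a single (biased) byte."""
    n = int.from_bytes(seed, "big")
    out = []
    for i in range(length):
        alphabet = CLASSES[TEMPLATE[i % len(TEMPLATE)]]
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def site_password(name: str, master_password: str, site: str,
                  counter: int = 1, length: int = 16) -> str:
    """The whole 'calculator': same inputs always give the same password."""
    if not 4 <= length <= 40:   # 40 chars stays comfortably within the 256-bit seed
        raise ValueError("length must be between 4 and 40")
    return render(site_seed(master_key(name, master_password), site, counter), length)


if __name__ == "__main__":
    # Constructed inputs; the printed password is whatever the functions derive.
    print(site_password("alice", "correct horse battery staple", "example.com"))
    print(site_password("alice", "correct horse battery staple", "example.com", counter=2))
```

Two properties fall straight out of the design and are worth knowing before adopting any scheme of this kind. First, there is one secret and no vault: lose or change the master password and every derived site password changes with it, and a site that forces a reset can only be accommodated by bumping its counter, which you then have to remember. Second, because the per-site step is fast, a single leaked site password gives an offline attacker a direct oracle for master-password guessing whose only brake is the master-key KDF cost, which is why that step has to be expensive.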
 
tatt
#5 Posted : 7/26/2019 2:38:20 PM

DMT-Nexus member

ModeratorSenior Member

Posts: 4290
Joined: 17-Jan-2009
Last visit: 22-Aug-2019
Psilosopher? wrote:

I'm not tech savvy enough to use all that stuff, but i did find this:


It does have limited functionality compared to LastPass, like autofilling, but seems way more secure.


If you're interested there's fairly straightforward articles on doing the encrypted volume/s and/or usb approach, but it's understandable if you'd rather not mess with it.

&&

Limited functionality is a good thing in a lot of cases haha, at least in terms of things surrounding passwords. Small surface area as far as offensive attacks go, though the premise of 'small surface area' only stands really if this supposed limited surface area design is true to its underlying tenets/framework.

Appears this is just a cryptographic hash calculator with some added inherent functionality.

Seems like an interesting app


Flight by wire

-9 SIGKILL

 
 