Potent LastPass exploit underscores the dark side of password managers


ch33zw1z

Lifer
Nov 4, 2004
37,772
18,051
146
I guess that depends on a few things, such as your ISP, your gear at home, and what type of server you want to run.

Do you open ports to the WAN for your "cloud"?
 

WilliamM2

Platinum Member
Jun 14, 2012
2,391
489
136
I use KeePass, with the database stored on an external backup drive. That drive is off 99% of the time; no way to hack a drive that's turned off. I also keep another copy on a second backup drive off site.
 

Red Squirrel

No Lifer
May 24, 2003
67,436
12,158
126
www.anyf.ca
I run my own web based password manager off one of my servers. I could not trust cloud especially not to store passwords. I could not find a web based solution at the time I wanted to switch from PINs (a windows based manager) so I just wrote my own. It's very basic but gets the job done.

Essentially it just stores them in an encrypted DB and presents the password in a form where the letters are the same color as the background so I can copy and paste it into whatever I'm logging into. Given it's local, I didn't bother with SSL, though if I had more people using my network then that's something I would want to do.

I can access it from home and from work only. From work I can VPN in.

I want to set up some kind of secure way to temporarily open up the VPN port from anywhere, but it's not really a priority. I used to leave the VPN port open to all IPs so I could VPN in from anywhere using my phone, but after Heartbleed I realized that was perhaps a bad idea. As a precaution after Heartbleed I fully rebuilt that VM and added the firewall rule so only my work's IP can access it.
 

Ajay

Lifer
Jan 8, 2001
15,479
7,883
136
I'm checking out KeePass; looks like it can sync with most cloud providers (if not natively, then with a plug-in). I suppose I could use sftp or similar to sync when I want via my file server if I wanted more security. I haven't looked yet, but I'd imagine that there is an app for iOS. I also need to check out automated password update; it's a nice feature that commercial password managers support, not sure about KeePass, lots to read still.
 

lxskllr

No Lifer
Nov 30, 2004
57,442
7,634
126
Do you guys ever need to access passwords while you're not at home?
I use my phone and KeepassDroid. It uses the same database as the desktop clients. I always sigh a little inside when I have to use it though. My database password is... extensive, and it's tedious typing it on a touch screen.
 
Dec 10, 2005
24,106
6,910
136
Do you guys ever need to access passwords while you're not at home?
I use Keepass too. In the past, I used to keep a copy of the database on my USB drive on my keys along with a self-contained copy of Keepass. Lately, I haven't needed any passwords away from home beyond the important few I have memorized.
 

ch33zw1z

Lifer
Nov 4, 2004
37,772
18,051
146
I use my phone and KeepassDroid. It uses the same database as the desktop clients. I always sigh a little inside when I have to use it though. My database password is... extensive, and it's tedious typing it on a touch screen.
Yea, my password is also extensive. Safe in Cloud desktop makes you type it in all the way the first time you run it after boot, but it has a "quick" setting you can turn on to only enter the last or first 4 characters of the password after that.

Safe in Cloud on Android (Samsung S5 here) will accept a fingerprint to unlock... which I use quite often to open it.

My phone and SD card are both encrypted already, but Safe in Cloud encrypts the DB either way.
 

Muse

Lifer
Jul 11, 2001
37,540
8,122
136
Didn't click the link, but I've always felt that an online password manager is a target for hackers.

I have a complex base password I can remember with some parts where I dynamically substitute some characters. I only have to remember which characters I chose for that particular site/service. If I have to write it down, I don't need to write down the entire password. Just the chosen substitutions, which I can obfuscate.
I do something similar. I do record hints (that I understand), but not something someone else would know what to do with, in my local data.

I need to do something better, I think, and what I'm doing necessitates my having to look up my hints when I don't remember what hints apply to a specific site.

I bookmarked this article today:

New York Times -- Protecting Your Digital Life in 9 Easy Steps
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
The best way you can create a password is with music lyrics. Take your favorite song or any song and say, use the first part of the lyrics. Like the song Paint It Black by the Rolling Stones. So you have the first part of the song that goes like this:

I see a red door and I want it painted black
No colours anymore, I want them to turn black

So what you would do is take the first letter of each word to form a password and throw in some numbers and symbols.


ISARDAIWIPBNCAIWTTTB-1234!@#$

It doesn't have to be that long though.


This is the basis of my password generation, and my passwords are damn long and complicated. My computers, which are all encrypted, use this scheme, and the password is well over 20 characters long using upper case and lower case letters, numbers and symbols.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,234
136
The best way you can create a password is with music lyrics. Take your favorite song or any song and say, use the first part of the lyrics. Like the song Paint It Black by the Rolling Stones. So you have the first part of the song that goes like this:

I see a red door and I want it painted black
No colours anymore, I want them to turn black

So what you would do is take the first letter of each word to form a password and throw in some numbers and symbols.


ISARDAIWIPBNCAIWTTTB-1234!@#$

It doesn't have to be that long though.


This is the basis of my password generation, and my passwords are damn long and complicated. My computers, which are all encrypted, use this scheme, and the password is well over 20 characters long using upper case and lower case letters, numbers and symbols.
Great! Let's all start doing that until those passwords are statistically common and end up in every password dictionary.

Wait...
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
If you should know. Not only did I come up with that idea, but so did Bruce Schneier.

Bruce Schneier (/ˈʃnaɪər/; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist and writer. He is the author of several books on general security topics, computer security and cryptography.

Schneier is a fellow at the Berkman Center for Internet & Society at Harvard Law School and a program fellow at the New America Foundation's Open Technology Institute. He has been working for IBM since they acquired Resilient Systems, where Schneier was CTO. He is also a contributing writer for The Guardian news organization.

https://en.wikipedia.org/wiki/Bruce_Schneier