password storage

Discussion in 'Networking & Security' started by goodrob, Apr 4, 2018.

  1. goodrob

    goodrob Limp Gawd

    Messages:
    242
    Joined:
    Apr 10, 2001
    Hi all, so I had a friend come to me and ask about something to store passwords. It has been a few years since I needed anything like that, so I was looking for a few suggestions and pros and cons, if known, for the products. I use sticky notes taped to my monitor, then post a picture of them to Facebook so I can always be able to view them lol.
     
  2. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,199
    Joined:
    Oct 4, 2007
    Depends on how tech savvy your friend is and how susceptible you think they would be to really messing this up and losing all their accounts permanently.

    I would err on the side of caution and use the tried and true LastPass. It's cloud based and also has an authenticator you can use on a mobile device for 3rd party MFA.
     
  3. Archaea

    Archaea [H]ardness Supreme

    Messages:
    7,809
    Joined:
    Oct 19, 2004
    AES 256 encryption is now built into MS Office 2013 and newer. You can turn it on to protect your document that way.

    It is uncrackable with a long simple password for the foreseeable future.

    For instance, a 15-character simple passphrase made up of only lowercase letters and numbers would take a 980Ti roughly 37 million years to exhaust the key space with brute force cracking AES 256 at 7000 passwords per second. I was just playing with Passware Pro today and saw that stat, and that’s ONLY 15-character attempts. That doesn’t include anything less or more than exactly 15-character passwords.
     
  4. Vengance_01

    Vengance_01 [H]ardness Supreme

    Messages:
    5,393
    Joined:
    Dec 23, 2001
    There are a lot of web-based password managers. At work we use the free version of Thycotic Secret Server. This is more of an enterprise solution... Other options like LastPass etc. might be a better fit.
     
  5. k1pp3r

    k1pp3r [H]ardness Supreme

    Messages:
    7,650
    Joined:
    Jun 16, 2004
    If it's just a friend, not a business, KeePass and LastPass are the best combination ever!
     
    MrGuvernment likes this.
  6. Haven

    Haven [H]ardness Supreme

    Messages:
    5,785
    Joined:
    Oct 11, 2002
    KeePASS is free, and pretty good. I used it at my last job and kept my password file on my Network Home Directory so I could share it between my desktop and laptop.

    I have moved to Lastpass, so I have my passwords on my work computer, home computer, phone, iPad, etc. In the past I had used SplashID as well.

    I like all three options.
     
  7. magnetik

    magnetik Moderator Staff Member

    Messages:
    6,269
    Joined:
    Jun 6, 2000
    LastPass w/ Yubikey
     
    entropism and Machupo like this.
  8. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,199
    Joined:
    Oct 4, 2007
    KeePass is great if you are good at keeping track and understanding how it works - which is why I was up front about the OP's friend's technical acumen. If he loses the master password or certificate, they're screwed.
     
  9. goodrob

    goodrob Limp Gawd

    Messages:
    242
    Joined:
    Apr 10, 2001
    Thank you all for the suggestions. I will do a little research into them and tell him about each. Again, thank you very much.
     
  10. HammerSandwich

    HammerSandwich [H]ard|Gawd

    Messages:
    1,043
    Joined:
    Nov 18, 2004
    How - & why - do you use both?
     
  11. k1pp3r

    k1pp3r [H]ardness Supreme

    Messages:
    7,650
    Joined:
    Jun 16, 2004
    I use KeePass for either non-website passwords (development systems, FTP accounts, etc.), and for things that LastPass doesn't work well for (RSA token secure sites).
     
  12. ChristianVirtual

    ChristianVirtual [H]ard DCOTM Mar 2016,Aug 2017

    Messages:
    2,051
    Joined:
    Feb 23, 2013
    I use 1Password on my iOS and macOS. In addition I trust the keychain-chain based auto-fill on Safari. In the few cases I use Windows I need to retype the passwords coming from the iOS device.
     
    Hakaba likes this.
  13. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,781
    Joined:
    Nov 16, 2009
    Keepass w/ Kee FF extension (allows writes to the DB). KP database stored on my Nextcloud server to sync to all my devices, and remote access from the internet if needed. Lots of setup involved, but keeps the DB completely under my control, while still getting close to the cloud services functionality. Password is like 40 characters long (Something I won't forget), so it's not getting cracked in my lifetime.

    With all the data breaches lately, I am not about to trust a cloud service to store my DB with every single one of my passwords.
     
  14. cheap50

    cheap50 n00bie

    Messages:
    40
    Joined:
    Feb 27, 2018
    Keepass. If you don't use an email service that spies on you, save a copy of your DB in your email. Use a long passphrase.
     
  15. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,199
    Joined:
    Oct 4, 2007
    Wouldn't it be prudent to not save your DB file in a repository that requires credentials to access? What about a flash drive in a safety deposit box?
     
  16. silk186

    silk186 [H]ard|Gawd

    Messages:
    1,448
    Joined:
    Feb 26, 2008
    I've been using LastPass for a year, it's really good. When I travel and use a different laptop I can install the browser extension, and it carries over to my phone as well.
     
    Cmustang87 likes this.
  17. cheap50

    cheap50 n00bie

    Messages:
    40
    Joined:
    Feb 27, 2018
    You can, there are few bad answers when we are talking about password managers. I don't trust flash drives for that though, I have had enough randomly stop working after long periods of not using them to make it a no-go in my book.

    It will also depend on your goal or purpose for making a duplicate of your DB. Are you making a duplicate for yourself? Then storing it in a trusted cloud repo is fine. Or a duplicate for your next of kin (in case of the worst...)? Then a safety deposit box with a trusted storage medium would be better.
     
  18. Wild1

    Wild1 n00bie

    Messages:
    24
    Joined:
    Mar 13, 2018
    Hard to keep passwords current if it's in a safety deposit box.

    I keep KeePass on an external drive with a password on it, simple yet effective.
     
  19. grasshoppa

    grasshoppa Limp Gawd

    Messages:
    385
    Joined:
    Jun 18, 2017
    Maybe I'm naive, but I compartmentalize the process. KeePass to keep the information secure (strongest encryption with key transformations which I've boosted to taking 5 seconds to open the database), Google Drive to keep it reliable/robust/backed up.

    I figure if anyone really wants my credentials, they aren't going to attack my keystore given how hard that would be, they're going to try to trick me into giving up my credentials through a more direct route (browser hack, social engineering, etc.)
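
The effect of the key-transformation setting described in the post above, as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256 from Python's standard library stands in for KeePass's own key derivation (an assumption), and the function names, probe size, speedup factor and sample passphrase are constructed for illustration.

```python
import hashlib
import os
import time


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password; PBKDF2 is a stand-in KDF (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def iterations_for(target_seconds: float, probe_iterations: int,
                   probe_elapsed: float) -> int:
    """Scale a timed probe run linearly to the count costing ~target_seconds."""
    return max(1, round(probe_iterations * target_seconds / probe_elapsed))


def calibrate(target_seconds: float, probe_iterations: int = 50_000) -> int:
    """Time one short derivation on this machine, then extrapolate."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"constructed sample passphrase", salt, probe_iterations)
    return iterations_for(target_seconds, probe_iterations,
                          time.perf_counter() - start)


def attacker_rate(unlock_seconds: float, speedup: float = 1.0) -> float:
    """Guesses per second when every guess costs one full KDF run.
    speedup models faster attacker hardware (a hypothetical factor)."""
    return speedup / unlock_seconds


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case years to try every password of exactly `length` chars."""
    return charset_size ** length / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("iterations for a 5 s unlock here:", calibrate(5.0))
    # Constructed comparison: 12 chars of [a-z0-9], attacker 1000x faster.
    for unlock in (0.001, 1.0, 5.0):
        rate = attacker_rate(unlock, speedup=1000.0)
        print(f"{unlock:>6} s/unlock -> {years_to_exhaust(36, 12, rate):.3g} years")
```

The search time grows in direct proportion to the per-unlock cost, so the setting multiplies the work of an offline guess against the database file but does nothing against the phishing or browser routes the post mentions.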
     
  20. Wild1

    Wild1 n00bie

    Messages:
    24
    Joined:
    Mar 13, 2018
    You can buy logins for $5 from data dumps, I wouldn't be too sure about that.

    https://haveibeenpwned.com

    I have lots of info lost in various attacks over the years.

    Have to constantly change passwords.
     
  21. grasshoppa

    grasshoppa Limp Gawd

    Messages:
    385
    Joined:
    Jun 18, 2017
    I have two-factor authentication enabled and I habitually monitor login attempts, so I'd be very surprised if my email account were compromised. Even if it were, however, they'd need to break the encryption on the KeePass database.

    Both accounts are secured by non-dictionary strings that I routinely change once or twice a year. There are softer targets than me, and softer attack vectors than brute forcing my DB or email.