
Warning: change your password please!

somebodyelse

Major Contributor
Joined
Dec 5, 2018
Messages
3,680
Likes
2,958
I recently engaged a white hat security consultant to pen test our network at work. He hacked into our security manager's laptop, replaced his KeePass executable with a hacked version, and gained access to the admin passwords for nearly everything on our network. He left his report on the desktop of my laptop instead of emailing it to me. Needless to say, we no longer allow KeePass. He recommends BitWarden.
I don't understand the logic here. Why couldn't the next security consultant replace the BitWarden executable with a hacked one, with the same result?
 

_thelaughingman

Major Contributor
Forum Donor
Joined
Jan 1, 2020
Messages
1,324
Likes
1,943
Changed password, enabled 2FA.

I moved to 1password since last year.
I used LastPass since the beginning of password managers.

My default recommendation is either 1password or bitwarden...which corresponds to the advice from 'Security Now' podcast episode 904.

I recommend Bitwarden over most of the other password managers due to it being self-hostable, open source and secure.
 

Digby

Major Contributor
Joined
Mar 12, 2021
Messages
1,632
Likes
1,555
I tried a couple of password managers but found them too cumbersome. Now I just use a plain old Word document on my Windows system. The file system is NTFS, so I can encrypt the file. If you don't use NTFS I believe you can still use BitLocker, but I'm not sure.
I suppose the problem then is that you have to ALWAYS be able to remember the encryption pass. Back to a piece of paper in a drawer again? :p
 

Ahmonge

Active Member
Forum Donor
Joined
Sep 30, 2022
Messages
210
Likes
209
Location
Valencia, Spain
I suppose the problem then is that you have to ALWAYS be able to remember the encryption pass. Back to a piece of paper in a drawer again? :p
Better to remember only one password than dozens of them.
 

Digby

Major Contributor
Joined
Mar 12, 2021
Messages
1,632
Likes
1,555
Better to remember only one password than dozens of them.
True, but if you forget it and are locked out, then you are locked out of 5-50+ passwords/accounts, rather than just one.
 

Trouble Maker

Addicted to Fun and Learning
Joined
Jan 6, 2020
Messages
676
Likes
709
Location
Columbus, Ohio, US
I'm going to hide a series of secure USB drives that all have the key to the next one and a clue where it's hidden that I won't be able to figure out and the last one has the backup key to my password manager. Maybe I'll even bury one somewhere in the yard and make a kind of treasure hunt for myself.
 

Piere

Active Member
Joined
Feb 24, 2022
Messages
195
Likes
190
I'm going to hide a series of secure USB drives that all have the key to the next one and a clue where it's hidden that I won't be able to figure out and the last one has the backup key to my password manager. Maybe I'll even bury one somewhere in the yard and make a kind of treasure hunt for myself.

Stone age block-chaining! No one would expect that :)
 

Steve Dallas

Major Contributor
Joined
May 28, 2020
Messages
1,201
Likes
2,784
Location
A Whole Other Country
I don't understand the logic here. Why couldn't the next security consultant replace the BitWarden executable with a hacked one, with the same result?

It is open source, so more eyeballs are on the code looking for vulnerabilities. And, there is currently no hacked version of it available on the dark web, unlike KeePass.
 
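The attack described in the opening post, a password manager's executable silently swapped on disk, is what a pinned-hash integrity check catches regardless of which manager is installed. The example below is added here and is not code from the forum thread or from KeePass or Bitwarden: it records SHA-256 digests of installed files into a manifest and re-verifies them later, reporting each file as unchanged, modified or missing. The file names, the directory layout and the file contents are constructed for the demonstration.

```python
"""Pinned-hash integrity check for installed executables (added example)."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(base_dir, relative_paths):
    """Map each relative path to its digest as measured on a known-good install."""
    return {rel: sha256_file(os.path.join(base_dir, rel)) for rel in relative_paths}


def verify_manifest(base_dir, manifest):
    """Return {relative_path: status} with status in {"ok", "modified", "missing"}."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
            continue
        actual = sha256_file(full)
        # compare_digest keeps the comparison constant-time; the hex strings are ASCII.
        results[rel] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    return results


def demo():
    """Constructed scenario: pin two fake install files, then swap one and delete the other."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "KeePass"))
        exe = os.path.join(base, "KeePass", "KeePass.exe")
        cfg = os.path.join(base, "KeePass", "KeePass.exe.config")
        with open(exe, "wb") as fh:
            fh.write(b"MZ original vendor build (constructed sample bytes)\n")
        with open(cfg, "wb") as fh:
            fh.write(b"<configuration/>\n")
        tracked = ["KeePass/KeePass.exe", "KeePass/KeePass.exe.config"]
        manifest = build_manifest(base, tracked)
        before = verify_manifest(base, manifest)
        # Simulate the swap: same path, different bytes, plus a removed file.
        with open(exe, "wb") as fh:
            fh.write(b"MZ replaced build, not the vendor's (constructed sample bytes)\n")
        os.remove(cfg)
        after = verify_manifest(base, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as the place it is kept: an attacker with write access to the program directory can usually also rewrite a manifest stored next to it, so store it off the workstation (or verify the vendor's code signature instead) and run the check from an account the local user cannot impersonate.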

Ahmonge

Active Member
Forum Donor
Joined
Sep 30, 2022
Messages
210
Likes
209
Location
Valencia, Spain
True, but if you forget it and are locked out, then you are locked out of 5-50+ passwords/accounts, rather than just one.
Yes, you’re right, but this is the worst case scenario.
 

symphara

Addicted to Fun and Learning
Joined
Jan 24, 2021
Messages
632
Likes
592
Standard, works with all e-mail.
No, it's not. It's a custom scheme for creating disposable addresses first implemented by Gmail, to the best of my knowledge. Microsoft (hotmail, outlook, Exchange) and other services also added this feature at some point.

Other email providers have different implementations for disposable addresses and do NOT support this scheme. Yahoo uses a special prefix, Duck generates random strings etc.

Otherwise "+" is a perfectly valid character to use in an email address per RFC2822 and if you run sendmail on your server you can have that kind of recipients without any disposable address scheme.
 
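Because "+" sub-addressing is provider-specific, code that de-duplicates or rate-limits by e-mail address has to know which domains treat `user+tag` as the same mailbox. The following is an added example, not code from the thread: it splits an address into its base mailbox and tag, and canonicalises it for comparison. The provider lists are assumptions written into the code (plus-tagging on gmail.com, googlemail.com, outlook.com and hotmail.com; dot-insensitive local parts on Gmail); any other domain is left untouched, since providers such as Yahoo use a different scheme or none at all. Lower-casing the local part is a practical assumption too; RFC 5322 leaves its case to the receiving host.

```python
"""Parse and canonicalise '+' sub-addresses (added example)."""

# Assumed for this example: domains whose mail service treats "local+tag" as local.
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com"}
# Assumed for this example: domains that also ignore dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(address):
    """Return (local_part, domain_lowercased); raise ValueError if malformed.

    A quoted local part ("a@b"@example.com) may legally contain '@', so split on
    the last '@' rather than the first.
    """
    addr = address.strip()
    local, at, domain = addr.rpartition("@")
    quoted = local.startswith('"') and local.endswith('"') and len(local) >= 2
    if not at or not local or not domain or " " in domain:
        raise ValueError(f"not an address: {address!r}")
    if "@" in local and not quoted:
        raise ValueError(f"not an address: {address!r}")
    return local, domain.lower()


def is_address(address):
    """Boolean wrapper around split_address for callers that do not want exceptions."""
    try:
        split_address(address)
        return True
    except ValueError:
        return False


def extract_tag(address):
    """Return (base_address, tag); tag is None when the provider does not use
    '+' sub-addressing or when no '+' is present. Quoted local parts are left alone."""
    local, domain = split_address(address)
    if domain not in PLUS_TAG_DOMAINS or local.startswith('"'):
        return f"{local}@{domain}", None
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


def canonicalise(address):
    """Collapse the aliases of one mailbox into a single comparable form."""
    base, _tag = extract_tag(address)
    local, domain = split_address(base)
    local = local.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


if __name__ == "__main__":
    for sample in ("alice+shop@gmail.com", "A.Lice+news@GMAIL.com", "alice+shop@yahoo.com"):
        print(sample, "->", extract_tag(sample), canonicalise(sample))
```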

DavidEdwinAston

Addicted to Fun and Learning
Forum Donor
Joined
Nov 18, 2021
Messages
753
Likes
566
I have four flash drives with copies of my passwords for perhaps fifty or sixty sites. To be fair, one is always plugged into the desktop. I access it as required.
Any probs with this, do you guys think?
 

tomtoo

Major Contributor
Joined
Nov 20, 2019
Messages
3,607
Likes
4,514
Location
Germany
A relatively easy way to make a password that's easy to remember and changes from site to site.

Birthday of dog, son, mother, whatever.
1307
Add your favorite car, beer, animal. Or most hated.
Eichbaum
Add the birth year of your brother, wife, dog, rat, cat.
1950

So we would have 1307eichbaum1950.

That's very hard to guess. And long enough, even with having the database to brute force.
Now add the site name at your preferred place. Let's say asr.

1307eichbaum1950asr

Easy to remember. Easy to change from site to site. Hard to guess and hard to brute force.

OK, it needs some typing, but not that much. Salt it with lower and upper case letters. Or use a special character to replace a number or a letter. Say 0 with an @ and an a with a $.

13@7eichB$um195@$sr.

That's very bulletproof and still easy to remember.

Get your own system to do this. Then you don't forget it so fast, and your password can change from site to site and still be nearly the same.

To be honest mine is not so secure here on ASR but it follows a similar algorithm.

If you create something like 4r@ta4! it's less secure and forgotten in a millisecond.
 

Nango

Major Contributor
Joined
Aug 6, 2018
Messages
1,463
Likes
985
Location
D:\EU\GER\Rheinhessen
Mine is a phantasy word with the birthday of my wife between the letters, salted with upper and lower case, and it ends with some special characters:

P2h2a1n2t1a9s6y5w.o.r.D

Can't forget it, can type it everywhere, easy!! First I type the word, then the numbers, then the special characters. Downside is: once divorced, I still have to remember her birthdate.
 
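The two posts above (tomtoo's "1307eichbaum1950" plus site name, and Nango's word with a birthday interleaved) both describe a personal algorithm that turns one memorised secret into a per-site password. The example below is added here and is neither poster's scheme: it keeps the idea of one memorised master secret and a per-site label, but derives each password with PBKDF2-stretched HMAC-SHA256 instead of visibly appending the site name, so a password captured from one site shows no pattern that predicts the others, and a per-site counter allows rotation without changing the master. The master phrase, the user identifier used as salt, the site labels and the character set are all constructed for the example.

```python
"""Deterministic per-site passwords from one master secret (added example)."""
import hashlib
import hmac
import string

# Constructed alphabet: 75 symbols, chosen to satisfy typical site rules.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def stretch_master(master_secret, user_id, iterations=200_000):
    """Slow the master secret down with PBKDF2 so a password recovered from one
    site cannot cheaply be turned into offline guesses at the master phrase.
    user_id (e.g. an e-mail address) acts as the salt and must stay stable."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode("utf-8"), user_id.encode("utf-8"), iterations
    )


def _keystream(key, label):
    """Yield an unbounded byte sequence: HMAC(key, label || 4-byte block index)."""
    block = 0
    while True:
        yield from hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def derive_site_password(key, site, counter=0, length=20):
    """Turn the stretched key and a site label into a fixed-length password.

    `counter` lets one site's password be rotated without touching the master.
    Bytes are rejection-sampled (only values below the largest multiple of the
    alphabet size are used) so every character is equally likely.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    label = f"{site.lower()}\x00{counter}".encode("utf-8")
    limit = 256 - (256 % len(ALPHABET))  # 225 for a 75-symbol alphabet
    out = []
    for b in _keystream(key, label):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


def demo():
    """Constructed inputs: a throwaway master phrase and user id, three site labels."""
    key = stretch_master("example master phrase, never reuse this", "user@example.com")
    return {
        "asr": derive_site_password(key, "audiosciencereview.com"),
        "asr_rotated": derive_site_password(key, "audiosciencereview.com", counter=1),
        "bank": derive_site_password(key, "bank.example"),
    }


if __name__ == "__main__":
    for name, pw in demo().items():
        print(f"{name}: {pw}")
```

The trade-off a practitioner should weigh: the scheme is stateless, so nothing needs backing up except the master phrase and the counters you have bumped, but it also means the master phrase is the only secret, and a site that forbids some of the characters in ALPHABET needs a per-site alphabet, which is exactly the kind of state a password manager stores for you.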

tomtoo

Major Contributor
Joined
Nov 20, 2019
Messages
3,607
Likes
4,514
Location
Germany
Mine is a phantasy word with the birthday of my wife between the letters and it ends with some special characters:

P2h2a1n2t1a9s6y5w.o.r.D

Can't forget it, can type it everywhere, easy!! First I type the word, then the numbers, then the special characters. Downside is: never divorce.

That's what I mean, you have your personal algorithm to create it. So you don't forget it and it's still very strong.
 

tomtoo

Major Contributor
Joined
Nov 20, 2019
Messages
3,607
Likes
4,514
Location
Germany
Mine is a phantasy word with the birthday of my wife between the letters and it ends with some special characters:

P2h2a1n2t1a9s6y5w.o.r.D

Can't forget it, can type it everywhere, easy!! First I type the word, then the numbers, then the special characters. Downside is: never divorce.

Divorce is not such a big problem you learn the birthday of your new wife faster. ;)
 

Piere

Active Member
Joined
Feb 24, 2022
Messages
195
Likes
190
Ok, but what is the algorithm to keep corresponding PW and sites/logins together?

Here we have a few encrypted PW lists daily backed up on the home server (NAS) for the family members. All with the same PW which is an easy to remember modified fairytale fantasy name for all of them. So the brains of the members are a nice PW back-up for each other in case of emergency.
 