Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses
If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 541908
Keepass2
by WereCatf on Sun 11th Nov 2012 00:25 UTC
WereCatf Member since:
2006-02-15

I personally just use Keepass2 to keep my passwords safe. The password database is very strongly encrypted so if you have a strong password for the database there is no way anyone is going to get to the actual contents of the database. Once in, Keepass2 allows you to create passwords automatically, allowing you to specify things like which character set to use, how many characters, should there be special characters and so on and so forth. Also, once you copy a password or username from the database to the clipboard, Keepass2 will empty the clipboard after 10 or 15 seconds, making sure you won't even accidentally reveal your passwords.

I have a strong password set up for the database, I always store any new login stuff in there, and I keep a copy of the database on my desktop, mobile phone, server and in the cloud so that even if one -- or even multiple -- devices were to break I'd still always have a copy somewhere. Also, the Android app is handy on-the-go.

Reply Score: 2

RE: Keepass2
by Soulbender on Sun 11th Nov 2012 01:44 in reply to "Keepass2"
Soulbender Member since:
2005-08-18

Didn't you read the article? You can't trust password managers because, uh, if someone steals your computer all your passwords are lost. Too bad it's completely impossible to have them backed up somewhere and encrypted. Yeah....

It's kind of interesting that Mr Kocher makes the oldest mistake of all: keeping the passwords on a note in his wallet. Obviously much safer than a password manager with an encrypted database. Apparently it's also impossible to have your wallet stolen. Wtf?

Security expert my ass.

Reply Parent Score: 3

RE: Keepass2
by UltraZelda64 on Sun 11th Nov 2012 05:37 in reply to "Keepass2"
UltraZelda64 Member since:
2006-12-05

I have a strong password set up for the database, I always store any new login stuff in there, and I keep a copy of the database on my desktop, mobile phone, server and in the cloud so that even if one -- or even multiple -- devices were to break I'd still always have a copy somewhere. Also, the Android app is handy on-the-go.

Yikes. I wouldn't want to store my passwords on my phone or laptop or any other computer I take with me even occasionally or on any USB thumb drive... but there's no way in hell you'd ever see me put all my passwords in a file up in the "cloud." Even if they were first encrypted in a database file. Just not gonna happen. I just don't have that kind of trust.

Edited 2012-11-11 05:54 UTC

Reply Parent Score: 2

RE[2]: Keepass2
by WereCatf on Sun 11th Nov 2012 08:56 in reply to "RE: Keepass2"
WereCatf Member since:
2006-02-15

Yikes. I wouldn't want to store my passwords on my phone or laptop or any other computer I take with me even occasionally or on any USB thumb drive... but there's no way in hell you'd ever see me put all my passwords in a file up in the "cloud." Even if they were first encrypted in a database file. Just not gonna happen. I just don't have that kind of trust.


The Keepass2 password database is encrypted with 256-bit Twofish. You'd need a quantum computer to be able to crack that in any sort of a feasible time. No, using something like that Amazon cloud computing service would still need way more time for cracking that open than I have years left in me. Since there are no fully-functioning quantum computers yet, and I'm not a high-profile target anyways...

EDIT: Few links:
http://keepass.info/help/base/security.html
http://en.wikipedia.org/wiki/Twofish

Edited 2012-11-11 09:02 UTC

Reply Parent Score: 2

RE[2]: Keepass2
by Soulbender on Sun 11th Nov 2012 09:20 in reply to "RE: Keepass2"
Soulbender Member since:
2005-08-18

Just not gonna happen. I just don't have that kind of trust.


That's the thing about encryption, you don't need trust.
The chances that your cloud provider will take so much interest in you that they will use all their computing power to break into your (hopefully Twofish or AES) encrypted password database is minuscule.
Even if they do, you'll probably have changed all the passwords by the time they actually manage to brute-force it.

Reply Parent Score: 2
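
The brute-force estimates discussed in this thread, worked through as an added example (not code from KeePass or from any poster): it generates a password from chosen character sets and estimates exhaustive-search time against the smaller of the password space and a 256-bit key space. The guess rate of 10^12 per second and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed offline guess rate (a constructed figure, not a measurement).
ASSUMED_GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}

def build_alphabet(classes):
    """Concatenate the selected character classes into one alphabet."""
    return "".join(CHARSETS[c] for c in classes)

def generate_password(length, classes):
    """Draw each character uniformly from the alphabet using the OS CSPRNG."""
    alphabet = build_alphabet(classes)
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, classes):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(build_alphabet(classes)))

def effective_bits(length, classes, key_bits=256):
    """A search covers whichever space is smaller: passwords or cipher keys."""
    return min(entropy_bits(length, classes), key_bits)

def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every candidate in a 2**bits search space."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    everything = ["lower", "upper", "digits", "special"]
    samples = [(8, ["lower"]), (12, ["lower", "upper", "digits"]), (20, everything)]
    for length, classes in samples:
        bits = effective_bits(length, classes)
        print(f"{length:>2} chars {'+'.join(classes):<28} {bits:6.1f} bits "
              f"{years_to_exhaust(bits):.3g} years")
    print(f"256-bit key space: {years_to_exhaust(256):.3g} years")
    print("sample generated password:", generate_password(20, everything))
```

The figures only hold for passwords chosen uniformly at random, as a generator does; a human-chosen master password usually has far less entropy than its length suggests.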