
Re: Password Manager opinions and recommendations



On 30 Mar 2018, rhkramer@gmail.com wrote:

hello,

As I sometimes (often?) do, just commenting on a few points:

On Friday, March 30, 2018 04:39:05 AM der.hans wrote:
On 26 Mar 2018, Richard Hector wrote:
On 26/03/18 04:52, rhkramer@gmail.com wrote:

We can add character set requirements and most sites now allow 30+
characters, so they at least look random.

Good point, I hadn't really thought that one through--I thought maybe I'd
generate an intentionally longer password and then just delete unallowable
characters.  (Or maybe the "right size" password and then substitute (random)
allowable characters for the unallowable characters.)

I'm not sure what that would do to the cryptographic security of the
passwords.

They should still be fine provided they're long. I sometimes change out
characters.

When I run into password limitations on a site I add notes to the KeePassX
entry, e.g. "max pw length=15" or "doesn't allow % and &". For the latter,
I would change % and & in the randomly generated passwords to some other
non-alnum. That's one of the few occasions that I see passwords for
anything other than system logins.

Also, KeePassX can generate random word groups, à la correct horse battery
staple.

https://xkcd.com/936/

The following article has more info about password generation with
KeePassXC.

https://www.darkreading.com/endpoint/heartbleed-a-password-manager-reality-check/d/d-id/1204549?

   * a means to automatically update passwords on the target websites (to
     facilitate regular / frequent password changes)--this is probably a
     stretch--I mean something that would work its way through the various
     screens and prompts to change a password with a minimum of manual
     intervention by me

Difficult. That would have to be scripted for each website etc, wouldn't
it?

Many of the KeePass* tools support auto-type which will send a sequence to
the browser. The sequence can use the default pattern or be customized.

I believe one of the commercial, proprietary tools offers to change all
your passwords for you and uses a JavaScript client to do so, so perhaps
there's already a model to replicate.

Hmm, if anybody can shed more light on that, I'd be interested--not sure I
could make use of it in any quick fashion, but, if it exists, I'd like to
learn more about it.

Lastpass has some auto-change functionality. Turns out it's only for
specific sites. I recall claims during the Heartbleed reaction that they
could change all the passwords. Probably me mis-remembering, but they make
other bogus claims (securely sharing passwords where the recipient can't
see that password), so I might be remembering correctly.

Lastpass did add a feature to automagically check a site for Heartbleed before
authenticating. That was awesome.

https://helpdesk.lastpass.com/generating-a-password/#h2

Still, we could build templates for different sites with URL and auto-type
script for password changes.

Captcha is still annoying and needs an "I am a cyborg" option.

ciao,

der.hans

I don't use auto-type, so haven't investigated beyond seeing that it's
there. I have had multiple people report that it works well for them.

--
#  https://www.LuftHans.com   https://www.PhxLinux.org
# "I came to open source for the tech, but I stay for the people."
# -- Richard Gaskin, 2016Jan25
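As an added example (not code from this thread, nor from KeePassX or LastPass), here is the generation approach the thread discusses in Python: draw each character from the site's allowed alphabet up front with a CSPRNG, honour a "max pw length" note and banned characters such as % and &, report the resulting entropy, and build random word groups in the xkcd style. The word list and the site limits are constructed sample values.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list; a real list would
# have thousands of entries, which is what gives a passphrase its entropy.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
                "marble", "lantern", "copper", "meadow", "signal", "pepper"]


def allowed_alphabet(disallowed=""):
    """Printable ASCII (no space) minus the characters a site rejects."""
    base = string.ascii_letters + string.digits + string.punctuation
    return "".join(c for c in base if c not in disallowed)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=30, max_length=None, disallowed=""):
    """Generate from the restricted alphabet directly.

    Picking uniformly from the allowed set gives exactly log2(len(alphabet))
    bits per character, so the strength is known rather than estimated after
    deleting or swapping out rejected characters. Returns (password, bits).
    """
    if max_length is not None:
        length = min(length, max_length)          # e.g. "max pw length=15"
    alphabet = allowed_alphabet(disallowed)
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(length, len(alphabet))


def generate_passphrase(words, count=4, sep=" "):
    """Random word groups, a la correct horse battery staple."""
    phrase = sep.join(secrets.choice(words) for _ in range(count))
    return phrase, entropy_bits(count, len(words))


def substitute_disallowed(password, disallowed):
    """The note-and-replace approach: swap each rejected character for a
    random allowed non-alphanumeric one. Fine for a long password, but the
    result is slightly non-uniform, which is why generating from the allowed
    alphabet in the first place is the cleaner option."""
    pool = "".join(c for c in string.punctuation if c not in disallowed)
    return "".join(secrets.choice(pool) if c in disallowed else c
                   for c in password)
```

A 15-character password over the 92-character alphabet that remains after dropping % and & still carries about 97 bits, which is why a length cap hurts far more than a couple of banned symbols.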
