Of course goy...

>of course goy, instead of having to remember your passwords you put them all together with a single point of failure master password, safety first!

I unironically don't understand this meme.


It's not hard to understand. People are idiots.

don't forget
>and make sure to store all your passwords on our server goy! for your convenience of course!

KeePass is offline. Your DB is encrypted and useless without the password.

you're unironically retarded

THIS!!
Based Apple will save this retarded shit with face recognition.

Another thing regarding this is Google Chrome and its saved passwords thing, which is supposed to be secure, but you can see them in settings without any problem.

single point of failure doesn't matter when failure is impossible

It's a "single point of failure" that's auditable and therefore something you can trust. It's also kept offline and encrypted. Since your "single point of failure" password is the only thing you have to memorize, you can make it incredibly complex and practically unhackable without fear of losing it because it's one of dozens of passwords.
Truly random passwords are better than having a memorized password "system" because getting a password on one site compromised gives an attacker approximately fuck-all information about your passwords on other sites. The biggest attack vector against passwords is the simple fact that humans have to remember them or generate them using a set of memorized rules, which will always introduce systemic weaknesses, no matter how clever you think you're being. Of course, the only way you can use truly random passwords and avoid this is if you don't have to memorize them, which is where password managers come in.
Now, if it were LastPass, then I'd agree. I will never understand cloud-provided password services. Too much to trust blindly, and too much of a juicy target for attackers. KeePass, meanwhile, is an encrypted file fully within your own control. It's not some web endpoint that needs to be defended against hackers. The code is open-source and you can build it yourself without having to trust binaries someone else made. Seems perfectly sane to me.

/thread

>not using pass
It's like you want your shit to get fucked

and then you shave your beard or your face changes with age and you can't log into anything

you still have the single point of failure, it's just been moved, and it's more fragile and unreliable than a password

This

How do you use passwords on your phone? I don't get it desu

You use a Keepass client which then copy/pastes the PW for you based on which site you're using. Some have browser plugins.

Can you recommend what you use, senpai?

>put encrypted password db on phone
>use it on phone with whatever mobile application works best for you

I like using syncthing to synchronize my password db between my computers and phone. It's not perfect; I've had to manually resolve conflicts on a couple of occasions in the last year.

Keepass2Android seems fine, it's what a friend of mine uses. I use KeePassdroid

How are we inferior biological computers supposed to remember 20 passwords, each 32 characters long? Password managers are /comfy/ and as long as your PC doesn't get physically attacked or you run Windows, the list will be safe.

See:

I think I'd rather encrypt a file at that point.

Are the password databases stored in a universal file or integrated into the program?

I use it and I'm thinking of writing all the passwords down on paper and keeping it somewhere in my room. Nobody is going to break into my house to steal some passwords, and if they do they're dead.

>what is a strong password
>what is not writing your master password down anywhere
>what is only storing the password database locally
>what is encryption
OP needs to go back to

I just use LastPass and I don't give a fuck

If you don't give a fuck why introduce another time-wasting step to your facebook management instead of making every password qwerty123456? The level of security provided is comparable.

I bet you thought bragging about using LastPass was somehow impressive rather than incredibly dumb and naive.

JUST ONE QUESTION:
can anyone show me a website proving that a
strong-password protected keepass archive has ever been broken into?
Show me where it says keepass is hackable using some kind of password cracker

password reuse is literally a non problem granted the service provider does not fuck up and you picked a decent pw to start with

I use keepassx with an 8 word passphrase and a key file of pseudorandom characters which I change every month, and store literally everything on it. It helps because I produce 200-bit entropy passwords for everything.
Explain to me how I'm in danger

>of course goy, give us your number, 2fa is secure, we won't abuse our ... err, I mean your data

yours truly, Zuck

>Defending your entire digital life with a single password isn't that bad

Why do you give so many fucks?

explain to me how you were in danger before you started using some shitware

I have around 60 accounts on different things ranging from PTs to uni services
I can't keep track of all the passwords in my head AND have secure passwords AND not reuse the same password
If you need it for like 3 services then sure, all is well, no need to use it
But any more and it's necessary

ah, now we see this is a security services thread - who do you work for, buddy? Having difficulty with keepass? hahahahahaha try harder to persuade people not to use it hahahaha

Type it, don't trust your shitty phone

so what was the danger then?

granted no one can crack it, that is the absolute best way indeed. What do you think login with facebook does? What, you don't trust FB and Google security?

As I said, using the same password in everything GUARANTEES it is common knowledge
You can't do anything about it other than use different passwords
I can't remember 60 passwords of random strings

>casting pearls in front of swine
>this guy
you are on the wrong platform, nobody here (roughly 99%) cares.

I would think that was more like 99.9999%

Sorry I don't know what FB and Google is or does.

>meanwhile you can just encrypt a simple text file and store it on whatever system or cloud platform you wish

lay off the pearls buddy

Even if you type it, you can't trust your shitty phone.

If you insist on using a "smart"phone, you should probably just give up and put your passwords into a plain text file. You can't magically make something secure on an inherently insecure device.

I perfectly understand, it is very common to hold strong opinions on issues where you have no idea how they work

Been using keepass for a while now. Everything requires a password and I'm not about to remember 80 different unique and secure passwords. I got tired of logging in by resetting my password every time. Now I get to remember a single 28 character strong password.

If someone is going to steal your password, it's usually because they can guess it or because the site got hacked and the email/password you used was reused on another site. Keepass eliminates this most common vector of attack by allowing you to use unique strong passwords for every site. Almost nobody has their account stolen because someone cracked their strong unique password.

>Almost nobody has their account stolen because someone cracked their strong unique password

so what's the point of security placebo when suffering a csrf attack is much more likely while being logged in with a giga password

you're missing a part of your brain, aren't you?

Hi fbi

Are you honestly retarded or just new to crypto?
Every password you will ever think of is not random, it has something of you in it, so to speak
So even if you do have 80 different accounts with 80 different passwords, if at some point in the future Isukcokz.ru gets hacked by straight activists, it will leak literally 0 information about your main mail account as long as you use proper opsec and a password manager

Of course you'll never eliminate all attack vectors, but the point is that if someone gets access to one of your accounts, they don't also get access to others. Specifically for csrf, I never check "remember me" and always log off after using the site. No point in having a strong unique password if someone just has to type gmail.com on your computer and your inbox pops open.

I just use the sane modifications on about:config and don't even have to do that either

johndcook.com/blog/2014/09/25/mental-crypto/
Thoughts?

I am 12 and what is this?

What's a computer?

I just think its better to be realistic about the security of what you put on a smartphone rather than being delusional and having a false sense of security.

A claim that you can remember a key/pepper/seed and then essentially securely cryptographically hash that in your head using a website name as salt, giving secure passwords that can be "remembered" in ~10 seconds (with practice) provided you memorize the pepper
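The derivation that post describes, written out as a computer-side analogue rather than the in-your-head version (an added example, not from the linked blog or any poster): HMAC-SHA256 keyed with the memorized pepper over the site name, encoded and truncated. The function names, the demo pepper value and the `counter` parameter for rotating a single site are assumptions.

```python
import base64
import hashlib
import hmac
import math


def site_password(pepper: str, site: str, counter: int = 0, length: int = 16) -> str:
    """Derive a per-site password from one memorized secret.

    pepper  : the single secret you remember (constructed value in the demo below)
    site    : public salt, normalised so "Example.com" and "example.com" agree
    counter : bump it to rotate one site's password without changing the pepper
    """
    msg = f"{site.strip().lower()}:{counter}".encode()
    digest = hmac.new(pepper.encode(), msg, hashlib.sha256).digest()
    # base64 gives 6 bits per character; 16 chars ~ 96 bits, more than any site needs.
    return base64.b64encode(digest).decode()[:length]


def derived_bits(length: int) -> float:
    """Entropy of a truncated base64 output, assuming the pepper itself is strong."""
    return length * math.log2(64)


if __name__ == "__main__":
    pepper = "correct horse battery staple"  # constructed demo secret, not for real use
    for site in ("example.com", "mail.example.org"):
        print(f"{site:20} {site_password(pepper, site)}")
    # Rotating one site: same pepper, counter=1, every other site is unaffected.
    print("rotated:", site_password(pepper, "example.com", counter=1))
    # The flip side of 'no database': a new pepper changes every password at once,
    # which is the single point of failure the thread is arguing about.
    print("new pepper:", site_password(pepper + "2", "example.com"))
    print(f"{derived_bits(16):.0f} bits per derived password")
```

Without the counter the scheme cannot change one site's password after a breach, which is why such a scheme ends up needing per-site state, i.e. a password manager.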

>a single point of failure
How can you have more than one?

2 F A M E M E S

Which is fine, but all you've done there is create another password manager.

The value from this comes from:
1. Your master password doesn't suck.
2. All the passwords in the database are completely random.

>and then you shave your beard or your face changes with age and you can't log into anything

Know how I know you have no idea what you're talking about?

And you need to stop bumping obvious bait threads, but we can't all get what we want.

if someone punches you in the nose and it swells up, face recognition won't work and you'll never be able to log in again

selling a text file as a password manager is some next level marketing shit

btw that blows both local and hosted options out of the water

(YOU)

>not having your password on a paper in a box with a lock on

>2fa
>not secure

>not printing your passwords out

>run local password manager
>host db on owncloud
>host it p2p between your machines
>host it on fucking google drive who cares
ezpz

>which will always introduce systemic weaknesses, no matter how clever you think you're being
It is a fact of maths that there are way too many methods capable of generating strong passwords for ANY brute force + dictionary to ever attack.
Period.
Stop listening to dumb memes.

Even using fucking DiceWare is secure enough for the next century of expected computational growth if you use 5 words.
You add a non DiceWare word in there? You shit on every dictionary that uses it.
Add a non-word word in there? You break every dictionary.

Just as you said, if you have a generation method that is random, it reveals fuck-all about your passwords on other services.
You can easily do that with manually generated passwords if you aren't an idiot.
Since they don't have a clue what your password is like, they cannot use a dictionary with it.

You seriously over-estimate how good computers are at brute-forcing, even when they use dictionaries.
Dictionaries aren't some fucking magical pill. They are for simple password strings, quotes, popular memes and other shit like that.
They don't work on generic English sentences someone pulls out of their ass and mangles a single word of.

The only reasonably secure system is 2 or 3FA.

>have 5 physical dictionaries, 4 of which are less popular languages I'm moderately fluent in
>use polyhedral dice to roll numbers for a page, and then for a word on that page
>5 words from 5 different languages
>capitalisation of the first letter in each word determined by a coin toss
>01-99 number at the end
>have a piece of paper to put it on
>remember 3 or 4 most used passwords
sometimes I also
>roll 1d6 for number of special characters I put in
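The entropy accounting behind the DiceWare "5 words is enough for a century" claim above and the dice-and-dictionaries scheme in this post, as an added example (not from any poster): bits per scheme, and how long exhausting them takes at a given guess rate. The 20,000-entry dictionary size and the two guess rates are assumptions; 7776 is the standard Diceware list size (6^5).

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scheme_bits(list_size: int, n_words: int, coin_caps: bool = False,
                suffix_values: int = 1) -> float:
    """Entropy in bits of a passphrase whose parts are chosen uniformly at random.

    list_size     : words in the list each word is drawn from (7776 for Diceware)
    n_words       : number of words rolled
    coin_caps     : one coin toss per word for capitalising its first letter
    suffix_values : size of the numeric suffix range (99 for 01-99)
    Only uniform random choice counts; a word you picked yourself adds no bits here.
    """
    bits = n_words * math.log2(list_size)
    if coin_caps:
        bits += n_words  # one fair coin per word = 1 bit per word
    bits += math.log2(suffix_values)
    return bits


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every passphrase of the scheme at a fixed guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    schemes = {
        "Diceware, 5 words": scheme_bits(7776, 5),
        "Diceware, 8 words": scheme_bits(7776, 8),
        # Assumed 20,000-entry dictionaries for the dice-and-dictionaries post.
        "5 dict words + coin caps + 01-99": scheme_bits(20_000, 5, True, 99),
    }
    # Assumed rates: a slow KDF such as a password-manager database (1e4/s)
    # versus a fast unsalted hash on a GPU rig (1e12/s).
    for name, bits in schemes.items():
        slow = years_to_exhaust(bits, 1e4)
        fast = years_to_exhaust(bits, 1e12)
        print(f"{name:34} {bits:6.1f} bits  {slow:10.3g} y @1e4/s  {fast:10.3g} y @1e12/s")
```

The "century" claim holds or fails depending on the hashing rate the defender forces on the attacker, not on the word count alone.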

>hurr durr what is a dictionary attack
you don't know what you are talking about

>entire life contained in keepass database
>on a seagate external hdd several years old
>with no backups

I live on the edge, but literally.

I know it must be hard to be a retard, but understand that KeePass is open source and stored offline. I don't even keep mine on a computer, it's stored in a USB drive inside a fireproof safe.

Nigga, I know it's bait but I'm bored and suffering from insomnia.

>iamverysmart

I keep my DB on Google Drive to sync across my comps and phone.