April 11, 2014
On Fri, 11 Apr 2014 11:39:33 -0400, Dicebot <public@dicebot.lv> wrote:

> On Friday, 11 April 2014 at 12:18:38 UTC, Steven Schveighoffer wrote:
>> If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)
>
> Remembering 15-20 different passwords is less of a burden to me than regularly verifying the code of password tracker browser extensions and the infrastructure involved. And blindly using a 3rd-party tool for something that critical just does not make sense.

So you don't use browsers? Or did you write your own?

-Steve
April 11, 2014
On Friday, 11 April 2014 at 15:48:45 UTC, Adam D. Ruppe wrote:
> On Friday, 11 April 2014 at 15:39:35 UTC, Dicebot wrote:
>> And blindly using a 3rd-party tool for something that critical
>> just does not make sense.
>
> The most secure password tracker for the majority of people is a plain piece of paper put away in your desk. The odds that somebody will physically break into your home/office and grab your passwords off paper is a lot lower than the odds that some random browser bug will pwn you.
>
> The odds are a bit higher in the office so work passwords might be a different story, but still, making somebody go through the hassle of actually going there in real life is going to set the bar a LOT higher than a script kiddie with a MitM exploit or whatever collecting them en masse.
>
>
> BTW also use complete sentences for passwords. A lot easier to remember in your brain, easy to vary, and hard for others to guess. You can use a pattern to easily remember them all. For example, your reddit password might be "Reddit is a steaming pile of horse crap!", your twitter password might be "160 characters
> per message?! Yeah, right, what a spam haven." and your bank password would be "Capshort12" because they had the brilliant idea of truncating passwords at a certain number of characters.... blargh well it doesn't work everywhere.
>
> But I do something like this, and if I ever forget a password, I just use the site for a minute, something about it will piss me off, and then, boom the password comes right back to my mind!

I simply store two functions in my brain:
generatePassword(base, domain, importance)
adjustToIdioticRequirements(password, requirements)

The generation algorithm itself is not the most trivial, but it is really easy to remember if you do it every single day. No need to write down anything anywhere.
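As an added illustration of the two-function scheme described above (example code written for this page, not Dicebot's own algorithm): a stateless derivation in which `base` is the only secret, followed by a deterministic adjustment to a site's password policy. The salt, iteration count, alphabet, length rule and the `requirements` dict format are all assumptions of the example.

```python
import hashlib
import hmac
import string
from collections import Counter

# 64 characters, so a 6-bit mask maps bytes to characters without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%-_",
}


def generate_password(base: str, domain: str, importance: int) -> str:
    """Stateless derivation: the only secret is `base`; domain and importance
    are public context, so the same inputs always yield the same password."""
    length = 16 + 4 * importance  # importance 0..4 -> 16..32 characters
    # Stretch the secret once (salt and iteration count are constructed for
    # this example) so a password leaked by one site is costly to invert.
    key = hashlib.pbkdf2_hmac("sha256", base.encode(), b"mental-scheme-v1", 100_000)
    seed = hmac.new(key, f"{domain}|{importance}".encode(), hashlib.sha256).digest()
    raw = hashlib.shake_256(seed).digest(length)  # expand to the needed length
    return "".join(ALPHABET[b & 63] for b in raw)


def _class_of(c: str):
    return next((name for name, chars in CLASSES.items() if c in chars), None)


def adjust_to_idiotic_requirements(password: str, requirements: dict) -> str:
    """Deterministically bend a derived password to a site's policy:
    an optional maximum length and a list of required character classes."""
    max_len = requirements.get("max_length")
    if max_len is not None:
        password = password[:max_len]
    chars = list(password)
    for cls in requirements.get("require", []):
        if any(c in CLASSES[cls] for c in chars):
            continue
        counts = Counter(_class_of(c) for c in chars)
        # Overwrite a character whose class occurs more than once, so the
        # substitution cannot remove the only member of another required class.
        idx = next((i for i, c in enumerate(chars) if counts[_class_of(c)] > 1), None)
        if idx is None:
            raise ValueError("password too short to satisfy all requirements")
        chars[idx] = CLASSES[cls][0]
    return "".join(chars)
```

Because the derivation is stateless, rotating one site's password after a breach means changing its `importance` (or another public input) and remembering that; that is the trade-off against a stored vault.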
April 11, 2014
On Friday, 11 April 2014 at 15:50:47 UTC, Steven Schveighoffer wrote:
> On Fri, 11 Apr 2014 11:39:33 -0400, Dicebot <public@dicebot.lv> wrote:
>
>> On Friday, 11 April 2014 at 12:18:38 UTC, Steven Schveighoffer wrote:
>>> If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)
>>
>> Remembering 15-20 different passwords is less of a burden to me than regularly verifying the code of password tracker browser extensions and the infrastructure involved. And blindly using a 3rd-party tool for something that critical just does not make sense.
>
> So you don't use browsers? Or did you write your own?
>
> -Steve

Don't use browser password managers, for sure, and don't use closed-source browsers :) Trusting that it does not bluntly dump my text from all HTML inputs is the necessary-evil borderline I need to not cross, that is true. If the source is worked on by many different people continuously, it at least takes some skill to inject a security hole, compared to a random 3rd-party tool no one even looks inside.
April 11, 2014
On Fri, 11 Apr 2014 11:57:27 -0400, Dicebot <public@dicebot.lv> wrote:

> On Friday, 11 April 2014 at 15:50:47 UTC, Steven Schveighoffer wrote:
>> On Fri, 11 Apr 2014 11:39:33 -0400, Dicebot <public@dicebot.lv> wrote:
>>
>>> On Friday, 11 April 2014 at 12:18:38 UTC, Steven Schveighoffer wrote:
>>>> If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)
>>>
>>> Remembering 15-20 different passwords is less of a burden to me than regularly verifying the code of password tracker browser extensions and the infrastructure involved. And blindly using a 3rd-party tool for something that critical just does not make sense.
>>
>> So you don't use browsers? Or did you write your own?
>>
>> -Steve
>
> Don't use browser password managers, for sure, and don't use closed-source browsers :) Trusting that it does not bluntly dump my text from all HTML inputs is the necessary-evil borderline I need to not cross, that is true. If the source is worked on by many different people continuously, it at least takes some skill to inject a security hole, compared to a random 3rd-party tool no one even looks inside.

Do you put a foil hat on your computer too? ;)

I understand what you are saying, but I don't think it's even remotely likely something like that would happen, due to the possible reputation lost. You're more likely to be attacked via the server accepting the password than the browser. The truth probably is that nobody will likely have access to either of our accounts. There are enough people out there who use "12345" and "password" as their main passwords, that there isn't much reason to go after paranoid people like you and me. We can't be 100% sure of all code we use, so it's really just a matter of personal choice what level of trust to have.

-Steve
April 11, 2014
On Fri, 11 Apr 2014 15:53:31 +0000,
"Dicebot" <public@dicebot.lv> wrote:

> I simply store two functions in my brain:
> generatePassword(base, domain, importance)
> adjustToIdioticRequirements(password, requirements)
> 
> The generation algorithm itself is not the most trivial, but it is really easy to remember if you do it every single day. No need to write down anything anywhere.

So it is a variation of the URL! ;)

-- 
Marco

April 11, 2014
On Friday, 11 April 2014 at 12:18:38 UTC, Steven Schveighoffer wrote:
> I use lastpass premium, $1/month. I started using it when a web site that I created a user for, to comment *once* on an article, ended up having its passwords stolen (in encrypted form), and I realized I had used the same password as my bank, credit card, email, etc.
>
> A good article on password managers:
>
> http://www.pcmag.com/article2/0,2817,2407168,00.asp
>
> As a bonus, I keep all kinds of info in my LastPass vault that I would normally have to write down (like safe combinations, or key codes for doors). It's really cool to have an infinite memory for infrequently used, but very important things, that only I can access :)
>
> They just updated their "challenge" tool to scour your passwords, tell you which ones are for sites that were affected by the heartbleed bug, whether those sites are now safe or not (including whether the certificate is new or not), and whether your password predates them making their site safe (so you should go change the password).
>
> -Steve

I second the endorsement for LastPass. I have over 200 passwords, all unique to each site and all random characters, symbols, and numbers between 12 and 64 characters in length (64 unless the site restricts password length). There is a lot of peace of mind in knowing any site hacks that occur are isolated to one site and not all the sites I used the password for.
April 11, 2014
On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
> If, after the last year of hacking, and the heartbleed bug, people are not using
> password tracker/generators, you haven't learned anything :)

But those pw managers are a single point of failure. One mistake and you've compromised or lost everything. If the machine it is installed on is stolen, you've lost all your passwords. Etc.

April 11, 2014
On Fri, 11 Apr 2014 12:42:31 -0400, Walter Bright <newshound2@digitalmars.com> wrote:

> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>> If, after the last year of hacking, and the heartbleed bug, people are not using
>> password tracker/generators, you haven't learned anything :)
>
> But those pw managers are a single point of failure. One mistake and you've compromised or lost everything.

What mistake?

> If the machine it is installed on is stolen, you've lost all your passwords. Etc.

Read about LastPass. Your LastPass vault is encrypted and stored in the cloud.

-Steve
April 11, 2014
On Friday, 11 April 2014 at 16:42:30 UTC, Walter Bright wrote:
> On 4/11/2014 5:18 AM, Steven Schveighoffer wrote:
>> If, after the last year of hacking, and the heartbleed bug, people are not using
>> password tracker/generators, you haven't learned anything :)
>
> But those pw managers are a single point of failure. One mistake and you've compromised or lost everything. If the machine it is installed on is stolen, you've lost all your passwords. Etc.

The only thing you have to worry about with LastPass is having the password to your vault stolen. It's extremely important to keep your LastPass password safe, which is much easier because you only have one password to remember, so you can keep it solely in your head.
April 11, 2014
On Friday, 11 April 2014 at 15:06:33 UTC, Meta wrote:
> I swear by LastPass as well. It's a great tool.

Physical ties to the United States --> security expectations null and void. Cough http://lavabit.com cough.