
#1 2015-06-07 01:02:26

Median
Member
Registered: 2011-06-03
Posts: 60

Is it recommended to use a password manager?

Hi,

I've recently installed a password manager (PasswordSafe) after having mixed thoughts about using a password manager. The thing I'm scared of is that it creates a single point of failure, where if someone figures out the password to my database, they will have access to all my passwords. Are these unfounded fears? Where else should I keep the passwords if not here? I'm paranoid by nature and value privacy highly.

Last edited by Median (2015-06-07 01:02:38)


#2 2015-06-07 01:19:35

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Is it recommended to use a password manager?

A single point of failure, as you describe it, is justifiable if a) it is a very complex passphrase that cannot be brute forced, and b) it provides a trade-off in terms of usability and convenience if you are managing a reasonable number of complex passwords and phrases.

I use pass and sync the database with Syncthing. It works extremely well for me.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2015-06-07 01:21:02

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Is it recommended to use a password manager?

I like the hashing approach.

$ echo Some super duper secret pass phrase. My archlinux.org password is: | md5sum
28f44d68b216280592b2a7c07b7ec428
$ echo Some super duper secret pass phrase. My facebook.com password is: | md5sum
ac5f985a22df30dfebc2d4d471f35628

As implemented in browser plugins "Password Hasher", "pwdhash", "masterpasswordapp"...

The only thing apparently missing from all the above... an expensive hash function. Like LUKS, instead of producing a fast hash it should iterate long enough to make brute forcing the secret passphrase infeasible.

Currently, if a site admin (or hacker) was truly determined, they could brute force my passphrase from my cleartext password and thus produce all my other passwords.


#4 2015-06-07 01:23:59

Stebalien
Member
Registered: 2010-04-27
Posts: 1,237

Re: Is it recommended to use a password manager?

frostschutz wrote:

I like the hashing approach.

$ echo Some super duper secret pass phrase. My archlinux.org password is: | md5sum
28f44d68b216280592b2a7c07b7ec428
$ echo Some super duper secret pass phrase. My facebook.com password is: | md5sum
ac5f985a22df30dfebc2d4d471f35628

As implemented in browser plugins "Password Hasher", "pwdhash", "masterpasswordapp"...

The only thing apparently missing from all the above... an expensive hash function. Like LUKS, instead of producing a fast hash it should iterate long enough to make brute forcing the secret passphrase infeasible.

Currently, if a site admin (or hacker) was truly determined, they could brute force my passphrase from my cleartext password and thus produce all my other passwords.

You're looking for a key derivation function (e.g. bcrypt). Unfortunately, this scheme doesn't allow you to easily change a single website's password (e.g. if the website is compromised and forces you to reset your password).


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com


#5 2015-06-07 01:30:47

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Is it recommended to use a password manager?

Stebalien wrote:

You're looking for a key derivation function (e.g. bcrypt).

Yup. I guess those addons are from an age where JavaScript was still orders of magnitude slower than it is today.

Stebalien wrote:

Unfortunately, this scheme doesn't allow you to easily change a single website's password (e.g. if the website is compromised and forces you to reset your password).

"Password Hasher" lets you bump passwords, so you get archlinux.org, archlinux.org:1, archlinux.org:2 and each produces a completely different password. If you want to change passwords once a year in general you could use archlinux.org:2015 etc. I'm sure the other solutions offer something similar.

You can do anything as long as you're able to remember what input you gave the hash function.

Last edited by frostschutz (2015-06-07 01:31:14)

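The derivation scheme discussed in posts #3 to #5 (master phrase plus a site label, hashed into a per-site password, with a bump counter for rotation), worked through as an added example that is not code from the thread or from any of the add-ons named in it. The MD5 function reproduces the `echo ... | md5sum` one-liner above; the second function replaces MD5 with PBKDF2-HMAC-SHA256, which is my assumed stand-in for the "expensive hash function" frostschutz asks for, and a timing helper shows why that matters when one site password leaks. The master phrase is the thread's own sample wording, used here as constructed input.

```python
import base64
import hashlib
import time

# Constructed sample master phrase: the same wording frostschutz used in the md5sum example.
MASTER = b"Some super duper secret pass phrase."


def md5_site_password(master: bytes, site: str) -> str:
    """The scheme exactly as posted: `echo <phrase> My <site> password is: | md5sum`.

    echo appends a newline, so it is part of the hashed input. MD5 is a fast
    hash: a site admin who sees this value can guess the master phrase offline
    at full hardware speed and then derive every other site's password.
    """
    return hashlib.md5(master + b" My " + site.encode() + b" password is:\n").hexdigest()


def kdf_site_password(master: bytes, label: str, iterations: int = 200_000, length: int = 20) -> str:
    """Same idea through a deliberately slow key derivation function.

    `label` is whatever the user remembers: "archlinux.org", "archlinux.org:1",
    "archlinux.org:2015". Bumping it yields an unrelated password, which is the
    only way to rotate a single site's password in this scheme (Stebalien's
    caveat). PBKDF2-HMAC-SHA256 is an assumption made for this example, not the
    algorithm of Password Hasher, pwdhash or masterpasswordapp.
    """
    key = hashlib.pbkdf2_hmac("sha256", master, label.encode(), iterations, dklen=32)
    # base64 output mixes upper, lower, digits and '+' '/', which satisfies most site policies.
    return base64.b64encode(key).decode("ascii")[:length]


def seconds_per_guess(fn, *args, rounds: int = 3) -> float:
    """Average wall-clock cost of one derivation: what an offline attacker pays per guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for label in ("archlinux.org", "archlinux.org:1", "archlinux.org:2015"):
        print(f"{label:20} {kdf_site_password(MASTER, label)}")
    print("md5 cost per guess   : %.2e s" % seconds_per_guess(md5_site_password, MASTER, "archlinux.org"))
    print("pbkdf2 cost per guess: %.2e s" % seconds_per_guess(kdf_site_password, MASTER, "archlinux.org"))
```

The iteration count is the whole defence: each guess at the master phrase costs the attacker the same PBKDF2 work the user pays at login, so raise it until derivation takes a noticeable fraction of a second on your own machine. The scheme still has the property both posters note: the master phrase itself can never change without re-deriving and resetting every site password, so the master phrase must be strong on its own, not merely "hard to brute force because the hash is slow".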

#6 2015-06-07 01:40:22

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: Is it recommended to use a password manager?

I like pwsafe


CPU-optimized Linux-ck packages @ Repo-ck  •  AUR packages  •  Zsh and other configs


#7 2015-06-07 01:42:00

Aerial Boundaries
Member
Registered: 2015-05-15
Posts: 26

Re: Is it recommended to use a password manager?

Silly question here but have you heard of diceware? Why not just use a bunch of those if you are worried (as I am) about a single point of failure.

They are easy to remember and secure.


#8 2015-06-07 18:32:16

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: Is it recommended to use a password manager?

Aerial Boundaries wrote:

Silly question here but have you heard of diceware?

Sounds like an awfully complicated way to do 'shuf wordlist.txt'

Not every site allows such passwords though, they have silly requirements like lower, upper, digit, special character. No longer than 8 chars in total. Etc.

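Posts #7 and #8 contrast a diceware passphrase (`shuf wordlist.txt`) with the "lower, upper, digit, special character, no longer than 8" rules many sites impose. The following is an added example, not code from the thread or from any tool it names: a CSPRNG-backed generator for both styles, a checker for that kind of site policy, and the entropy arithmetic that shows what each policy buys or costs. The eight-word list is a constructed toy; the 7776 figure is the size of a standard diceware list and is passed in explicitly.

```python
import math
import secrets
import string

# Constructed toy wordlist for illustration only. A real diceware list has 7776
# words (five dice rolls index one word); `shuf wordlist.txt` draws from that file.
WORDLIST = ["correct", "horse", "battery", "staple", "arch", "pacman", "kernel", "shell"]

# Assumed symbol set; real sites differ in which of these they accept.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def diceware_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick words uniformly with the secrets CSPRNG; equivalent in spirit to shuf on a wordlist."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(list_size)


def required_classes(symbols: bool = True):
    """Character classes a 'lower, upper, digit, special' policy demands."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(SYMBOLS)
    return classes


def meets_policy(pw: str, length: int, symbols: bool = True) -> bool:
    """Exact length, only allowed characters, and at least one of every required class."""
    classes = required_classes(symbols)
    alphabet = "".join(classes)
    return (len(pw) == length
            and all(c in alphabet for c in pw)
            and all(any(c in cls for c in pw) for cls in classes))


def site_password(length: int = 20, symbols: bool = True) -> str:
    """Random password satisfying meets_policy.

    Rejection sampling (draw uniformly, discard non-compliant strings) keeps the
    result uniform over all compliant strings, unlike "pick one char per class
    then shuffle", which biases the distribution.
    """
    classes = required_classes(symbols)
    if length < len(classes):
        raise ValueError("too short to contain every required class")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, length, symbols):
            return pw


def password_entropy_bits(length: int, symbols: bool = True) -> float:
    """Upper bound: rejection removes a few strings, so true entropy is marginally lower."""
    return length * math.log2(len("".join(required_classes(symbols))))


if __name__ == "__main__":
    print("passphrase :", diceware_passphrase(6))
    print("5 words from 7776: %.1f bits" % passphrase_entropy_bits(5, 7776))
    print("20 chars, symbols :", site_password(20), "%.1f bits" % password_entropy_bits(20))
    print("8 chars, symbols  :", site_password(8), "%.1f bits" % password_entropy_bits(8))
    print("30 chars, no sym  :", site_password(30, symbols=False), "%.1f bits" % password_entropy_bits(30, False))
```

The numbers make the thread's complaint concrete: a five-word diceware phrase carries about 64.6 bits, while an 8-character password drawn from 87 symbols tops out near 51.5 bits even with every character class required, so a "maximum 8 characters" rule, not the symbol rule, is what caps the strength. The policy checker is also the right place to catch a site's restrictions before storing the password, whichever manager holds it.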

#9 2015-06-07 19:42:32

mpan
Member
Registered: 2012-08-01
Posts: 1,188

Re: Is it recommended to use a password manager?

Median:
Password managers are introducing the single point of failure — that's true! But the risk is not only overestimated, but also greatly outweighed by the profits.

First of all, if your password manager database is stolen AND the passphrase to it is known, this implies your computer has been compromised. If it is so, then most probably passphrases are leaked anyway. There is a difference in the size of the leak if the time window in which the attacker was able to log your passphrases was short. But it should be emphasized that that's the only difference. It's not about "100% vs 0%", but more like between "100% vs much".

And the profits are considerable:

  1. With a password manager you actually can have a unique passphrase for every service you're using, and change it as often as you want.

  2. You're no longer bound to memorable passphrases. You can just output as much as you need from /dev/urandom and use it.

Note that I assume that you're already using the passphrases only on trusted machines. Otherwise the question and the answer make no sense. If you're — for example — leaking your bank account passphrase on your college workstation — then the security holes are on a much more basic layer than the question of using or not using a password manager. In such a case a password manager may not be a good solution, as you will indeed leak everything pretty fast.

Aerial Boundaries:
Correct horse battery staple is even simpler than diceware, provides better security and is easier to memorize. However, the OP asked not about how to generate passphrases, but about their storage. Whether you're using diceware, Randall's c.h.b.s. or any other generator, human memory is capable of holding only a few to a dozen good passphrases on average, and only for the often used resources (home pc, pc at work, favourite fora, facebook or other marketing networks, banking, …). But nowadays we're having much, much more accounts everywhere. This is way beyond the capabilities of our brains. An external storage is needed. Otherwise you'll start to re-use passphrases, which is bad from a security pov. Re-use both spatially — between resources — and temporally — between passphrase changes on a single resource. Password managers are the answer.


Sometimes I seem a bit harsh — don’t get offended too easily!


#10 2015-06-07 19:43:31

Steef435
Member
Registered: 2013-08-29
Posts: 577

Re: Is it recommended to use a password manager?

It's safer to use different passwords for all services and store them behind one master password than to use the same password on all services, if that's the direction you're thinking in.

EDIT: That's maybe a weird statement, but I find it highly likely in most cases.

Last edited by Steef435 (2015-06-07 19:44:25)


#11 2015-06-07 20:13:36

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Is it recommended to use a password manager?

I have grown to depend on LastPass. I find it to be an excellent password manager that integrates well with the browsers I use. And, it supports multi-factor authentication. Even if my pass phrase were compromised, they still need my phone running an app that generates continually changing keys that are only valid for about a minute.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#12 2015-06-08 18:34:37

Median
Member
Registered: 2011-06-03
Posts: 60

Re: Is it recommended to use a password manager?

Thanks for all the answers! I guess I'm kinda convinced that password managers are the way to go, especially after mpan pointed out that I would have been screwed either way, even if I didn't use a password manager, if my computer was compromised.
As others have pointed out, I could have been running diceware or whatever to generate more memorable passwords, but due to a lot of sites having the requirements of lower- and uppercase letters, symbols, numbers or whatever, it's not feasible in the end.

I will still try to make an effort to try and manually remember the most important passwords.


#13 2015-06-09 06:12:49

nyn
Member
Registered: 2015-05-27
Posts: 11

Re: Is it recommended to use a password manager?

Pro password manager here.
There's a limit to how many really good passwords you'll be able to remember, so without a password manager you're bound to either use weaker passwords that you can remember or use the good ones more than once. Both are bad.

I second the poster who mentioned pass (http://www.passwordstore.org/).
Simple program, no bloat, does everything you want.


#14 2015-06-10 12:49:17

chaonaut
Member
From: Kyiv, Ukraine
Registered: 2014-02-05
Posts: 382

Re: Is it recommended to use a password manager?

using a password manager encourages storing passwords somewhere instead of remembering them.
i never use such kind of software for my own passwords, but sometimes i have to do it at my job for passwords invented by / generated with someone/something else. i store these in encrypted plain text files.


— love is the law, love under wheel, — said aleister crowley and typed in his terminal:
usermod -a -G wheel love


#15 2015-06-11 03:08:18

Aerial Boundaries
Member
Registered: 2015-05-15
Posts: 26

Re: Is it recommended to use a password manager?

I'm using pass now with the dmenu script linked on their site. It is wonderful.

Finally, high entropy, unique, 20 character passwords for everything.

Thanks to the people who suggested it. It is certainly in the unix spirit.


#16 2015-06-13 07:45:29

Median
Member
Registered: 2011-06-03
Posts: 60

Re: Is it recommended to use a password manager?

I tried switching to pass, and I can only say - wow. It's amazing - and so much better than pwsafe.
I'm stuck!

Last edited by Median (2015-06-13 07:45:40)


#17 2015-06-15 20:45:55

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Is it recommended to use a password manager?




#18 2015-06-16 03:11:48

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Is it recommended to use a password manager?

jasonwryan, Thanks for the heads up.  I've been busy, so that is the first I have heard of that.

I will state that I am not worried. I believe I understand how their protection works and attacks are to be expected. That is why protection must be layered. Based upon that reading, I am not worried that my master password has been compromised yet. There could well be a brute force attack occurring at this very moment, so the master password will be changing. And yes, I do use multifactor authentication. That would make it difficult for a bad guy to exploit the password unless they could intercept my email. I do regard it as a weakness that control of an email account plus a master password can override multifactor authentication. But then there is that convenience factor. And, of course, my password hints have zero correlation to the password or to any other real world information (like what high school did I attend, first pet's name, and other flotsam).

I will be changing the master password after I know they have updated their per user salt and not looking back.

On the other hand, I did install pass this weekend and really like how it works.

Last edited by ewaller (2015-06-16 03:12:46)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#19 2016-05-27 15:25:27

Fabs
Member
Registered: 2015-09-08
Posts: 34

Re: Is it recommended to use a password manager?

I wouldn't trust browser addons to store your passwords, I think KeePass might be a great choice of a password manager solution.


#20 2016-05-27 15:33:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Is it recommended to use a password manager?

This thread is a bit old, but it is a discussion thread so the age is okay.
Since this thread went dormant, I gave up on LastPass. I now use pass everywhere. It even has a nice Android client. And I know that my passwords are encrypted under my passphrase-protected GPG key.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#21 2016-05-27 15:47:40

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: Is it recommended to use a password manager?

+1 for pass (coming from pwsafe which wasn't updated for quite some time).


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs


#22 2016-05-27 17:36:35

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Is it recommended to use a password manager?

I've always used Lastpass, since it was the most complete and integrated solution I could find. But ever since the ownership change, I've felt kind of nervous about it.

How does pass compare to Lastpass? I just looked it up, and it seems to have a Firefox plugin (which is good) that only does read access to your keystore (which is inconvenient).
To generate passwords it uses `pwgen` which doesn't appear to do letters+numbers+special characters. I would prefer a password generation solution that included special characters...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#23 2016-05-27 17:44:01

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Is it recommended to use a password manager?

https://wiki.archlinux.org/index.php/Pass

Passwords are stored as encrypted files in a local directory tree. It will generate complex passwords. The Firefox plugin is a backend.

ewaller@turing/home/ewaller % pass generate foo 20
The generated password for foo is:
zKnn'?w_KgB}&!zvAd+9
ewaller@turing/home/ewaller % pass generate --no-symbols foo 30
An entry already exists for foo. Overwrite it? [y/N] y
The generated password for foo is:
OiB7XB3xK1VJ6N8nyy3ISmYyPc6GXF
ewaller@turing/home/ewaller % pass foo
OiB7XB3xK1VJ6N8nyy3ISmYyPc6GXF
ewaller@turing/home/ewaller % 

Edit: And, you share passwords between devices using a git repository like github.

Last edited by ewaller (2016-05-27 17:51:16)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#24 2016-05-27 18:04:37

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Is it recommended to use a password manager?

Ah, so pwgen does do special characters. My bad.

I did see that the passwords are stored in a directory tree -- my primary question was really how smooth the plugin integration is. And ideally I could do everything directly from Firefox.
As you have used both, do you feel pass has everything you ever needed in Lastpass?


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#25 2016-05-27 18:15:51

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Is it recommended to use a password manager?

Eschwartz wrote:

...do you feel pass has everything you ever needed in Lastpass?

Pretty much. Lastpass did have knowledge of common sites that have experienced compromises and suggested when passwords you may have for those sites should be changed. Pass has nothing like that.
Stated without proof, I think pass is more secure. With LastPass, I worry about things I cannot see like session cookies, RAM scrapers, rogue JavaScript and the lot -- especially when a company I will not trust controls them. OTOH, pass does make use of the clipboard, which has its own set of vulnerabilities.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

