
Jesus Christ, Use a Password Manager Already - pzxc
http://pzxc.com/use-a-password-manager-already
======
glhaynes
As a person who spent a long time today changing passwords (in part due to the
Gawker thing, but I had been meaning to for a while), I have some _very_ nasty
things to say about how many sites have stupid restrictions on passwords - why
do you care if I want a password that's longer than 8 characters? Why do you
care if I want to include a non-alphanum in my password? wtf, really, why?
It's easier to _not_ have those restrictions on a field so why why why are you
going to extra trouble to add them? Oh I'm getting mad just thinking about it.

~~~
brown9-2
I was amazed to find one of my banks (Chase) limited the password to something
like 12 characters when going through this same exercise yesterday.

~~~
harshpotatoes
I know, right? And even more insane, they only allow alphanumerics, no
symbols allowed. And for probably the only password which matters...

~~~
glhaynes
Yes, exactly. I was surprised how little correlation there was between how
important the security of the site was and what quality of password was
allowed by the site.

~~~
count
Some of that is archaic database tables (or using NIS/YP as the user manager
in the backend). You didn't used to be able to start a password on AMEX's
sites with a digit...

~~~
drinian
No bank should be storing passwords as plaintext, therefore the content of
your password should not be their concern.

~~~
bmastenbrook
I don't think it's just about hashing. When I see restrictions on passwords or
other fields, I always assume the worst. If < is not allowed, that's because
your password will show up unencoded in HTML somewhere. If $ is not allowed,
that's because somebody is afraid that it will actually be treated as a
variable reference somewhere. Likewise & or % in URL-encoded data, ' or " in
JavaScript, etc.

The most universal and silent restriction seems to be on NUL bytes.

------
Jach
Here's why not to, at least for me:

1. I don't want a single point of failure, though I suppose an email account
fulfills that role no matter what you're using. My email account password is
30-34 characters long.

2. I use multiple computers, multiple OSes, sometimes not owned by me, and
sometimes multiple browsers.

3. Many accounts I couldn't care less if they got compromised; they get the
same password as each other, which is still complex.

> hashing your master password with SHA-256, encrypting the result a default
> of 6000 times with AES, and then hashing it again

Any crypto-geeks around to say whether this makes it more secure or less? I've
heard it said many times that multiple encryptions and hashings can actually
make the encryption weaker.

~~~
Sephr
Using KeePass + Dropbox + local copies of the passwords db makes it so that
even if Dropbox goes out of business, you'll still have your database. Dropbox
and KeePass (well at least variants thereof) all run on Linux, OSX, Windows,
and Android. On the issue of computers not owned by you, you shouldn't be
entering your passwords on untrusted computers to begin with, but if you must,
KeePass works right off a USB drive.

> Many accounts I couldn't care less if they got compromised; they get the
> same password as each other, which is still complex.

Sign up on mywebsite.example. I now have the password to (depending on what
accounts you couldn't care less about) your Facebook, Twitter, Hacker News,
etc. accounts and can ruin your reputation by spreading false information.

------
bmastenbrook
Using a password manager is a great idea in theory. In practice, I have the
same problems with the concept as many other people do. It's great if you
have, say, a MacBook, a Windows system, and an iPad that you want to keep
synced. When you have one of everything, your options are narrowed
drastically. Many of these solutions also either punt on synchronization and
rely on me to find an option I like to handle that problem, or they use some
kind of cloud service not under my control. I don't need or want that cloud
service. I don't care how well the file itself is protected; you can't attack
what you don't have.

What I do have access to from most of those systems is SSH to a machine I
control. I'd be willing to run a password manager on that system, but I
haven't yet found one I'm willing to install. I'm not going to put Qt and X11
on the system just to run KeePassX. I'm tempted to write my own at this point.
It'd at least solve the password management problem in a way that I'm
comfortable with (i.e. any problems in the solution are my own fault and if I
get owned, I'm the only one to blame) and without having to send a copy of the
encrypted database out to the cloud (except in tarsnap backups, but I'm
already trusting cperciva with the keys to the kingdom there!).

------
auxbuss
What can I say? I use keepassx. I keep the db on dropbox -- so that it's
always available to me -- and protect it with a key file and a password.

Good luck getting into all my accounts. First you need to crack my dropbox
account. Then you need to guess which file out there on the interwebs I use to
protect it. Finally, you can try to crack the password I use. I'll even give
you a clue: the password is less than 40 characters.

So yes, use a password manager. It's trivially simple and stress free.

~~~
trjordan
Except that it's _not_ trivially simple. I don't want to:

- Set up dropbox on every computer I use.

- Figure out how to get keepassx to work on Android.

- Open up a password manager when I want to log into something. Oh, I can
leave it open? Wait, is that secure?

- Figure out if there are any limitations of the password manager you've
suggested, which you may have missed.

- Deal with a "password migration" if I decide to switch browsers, which will
include an absolutely non-trivial search for some software that replaces an
app that is now a crucial part of my daily routine.

I could go on, but password managers are most definitely not a trivial task --
they add a layer of friction that I simply can't bring myself to care about
when it comes to the security of my Gawker account. Computers exist to make my
life easier, not as a creator of problems that require working around.

~~~
brown9-2
KeePass doesn't interface with the browser directly - instead (at least in
Windows) it registers a global hotkey with the OS which will use the active
window title to find an entry in your password database and then automatically
fill in the form with your username and password.

 _KeePass features an "Auto-Type" functionality. This feature allows you to
define a sequence of keypresses, which KeePass can automatically perform for
you. The simulated keypresses can be sent to any other currently open window
of your choice (browser windows, login dialogs, ...).

By default, the sent keystroke sequence is {USERNAME}{TAB}{PASSWORD}{ENTER},
i.e. it first types the user name of the selected entry, then presses the Tab
key, then types the password of the entry and finally presses the Enter key._

For sites or apps with weird forms you can customize the sequence.

<http://keepass.info/help/base/autotype.html>

------
rwhitman
Ok, so I've definitely lost about 3 dozen client passwords when my password
manager was eaten by a drive failure. And then when I went to restore the
backup discovered that the creator of the password manager was no longer
supporting the software.

So my faith in password managers has been shaken. I greatly enjoyed having to
ask all my clients for their passwords again.

I have a new system, but if someone ever got ahold of my drives who knew what
they were looking for, that would be hellish.

~~~
sjs
1password backs up to Dropbox which is a nice touch.

~~~
rwhitman
I'm looking at their docs now...

I worry about Dropbox + security. The fact that I'm sharing folders publicly
with other people in the same directory that I have private data, worries me.
Lots of room for human error.

Why does 1Password need dropbox? It would make much more sense if they had
their own cloud solution

Edit: Don't get me wrong, I love dropbox and I'm sure 1password is great. But
I don't feel secure with dropbox (ever lost a file that was in your dropbox
because you or a colleague made a mistake on a synced computer?) and I hate
the idea that a person could have a copy of a single file with every one of my
clients' critical passwords, encrypted or not.

~~~
berberich
Have you taken a look at LastPass? It's great - centralized web storage with
clients/plug-ins on every major browser/OS/smartphone.

There was a Security Now episode about it this summer
[<http://www.grc.com/sn/sn-256.htm>], and it got the Steve Gibson seal of
approval.

~~~
rwhitman
Yeah, this is closer to what I'm talking about, thanks.

------
riobard
I use the default OS X password manager Keychain access.app and symlink the
keychain file to Dropbox. It manages all my web, app, WiFi, mail account
passwords. It has a nice feature to generate different styles (memorable,
letters&numbers, numbers only, random, FIPS-181) of password at various
lengths up to 31 chars.

The interface is less polished than 1Password, but since it comes by default
on every OS X install I just use it. Meanwhile 1Password seems really annoying
from time to time: it always asks to save passwords but seldom autofills for
me. Maybe I just use it wrong…

------
grok2
No one mentioned LastPass (<http://lastpass.com>) -- desktop benefits and
portable. Other than the fact that your passwords are out there on the
Internet (in encrypted form) for someone to hack into, is there any other
downside to using something like lastpass?

~~~
quadhome
I use LastPass; but the fact its file format is a per-record encrypted
sqlite3 database makes me nervous.

------
anthonycerra
At what point does "good practice" become justified OCD? Not every account is
equally important. Have unique passwords for email and financial accounts -
absolutely, but does it really matter if someone compromises your HN password?
As long as you keep that completely separate from anything that can really hurt
you, why obsess over it?

Despite popular belief, writing down your password and storing it in a lock
box is leagues better than storing it online. The number of people who have
access to your physical belongings is many orders of magnitude less than the
number of people who can attempt to compromise an encrypted database.

"Don't write your password down" might have been good advice in the 90s when
most people only used a computer at work and the internet wasn't as ubiquitous
as it is today.

------
bcl
text file + gpg + long passphrase

You can also setup vim to read/write it easily

    
    
      augroup GPG
        au!
        " decrypt before reading
        au BufReadPre *.gpg       set bin viminfo= noswapfile
        " decrypted; prepare for editing
        au BufReadPost *.gpg      %!gpg
        au BufReadPost *.gpg      set nobin
    
        " encrypt
        au BufWritePre *.gpg      set bin
        au BufWritePre *.gpg      %!gpg -ear email@wherever
        " encrypted; prepare for continuing to edit the file
        au BufWritePost *.gpg     silent undo | set nobin
      augroup END

~~~
wonderzombie
This sounds pretty great. I have much respect for DIY solutions.

Is there any chance you or anyone else could point me to a howto or something
similar?

~~~
bcl
This is so simple you don't need a howto.

1) Add the text block above to your ~/.vimrc file, change the email address to
be one of your gpg keys.

2) Edit the file: vim somefile.gpg

3) Save the file

------
spindritf
The author looks down on browsers' password managers but to me they seem like
the perfect solution -- relatively safe, with reliable auto-fill and, most
importantly, already installed and configured. Syncing is just a matter of
moving your profile to another computer.

Am I missing something? Is there some inherent flaw in these managers? Firefox
will even encrypt the passwords by default and allows the user to set a master
password. Exporting passwords is a little annoying, but how often is there a
need for that?

~~~
theBobMcCormick
It certainly seems a lot more secure than re-using the same password all over
the place.

------
adammichaelc
I've always found it odd how people say Jesus Christ as if it were a curse
word. I wonder where this practice originated. Is it common in other parts of
the world for other religions? Do people in China have an equivalent saying?
Oh Buddha! etc.

-Genuinely curious

~~~
Dove
Yeah, there are a whole slew of religious curse phrases -- "oh my God",
"mother of God", "for God's sake", "for heaven's sake". Or even exotic
variants like, "sweet mother of mercy".

I find it interesting that they are generally used to express awe, surprise,
or to invoke a sense of gravity or urgency -- opposed to other swear words
which generally seek to disgust, communicate an offensive attitude, or invoke
taboo to draw attention through shock. The religious oaths seem to me more
like the oaths of fantasy ("By Turin's beard!", "I swear upon the sword of my
father", "In Vela's name") than the language of shock and offense ("scurvy
maggots", "Why don't you go stick your foo in a bar and then baz it?")

I'd speculate that they're referencing the strong emotions religious people
actually feel -- the awe and gravity of the sacred, a cry for help in a moment
of fear, not the offensive force of blasphemy. The amplification is always
toward the sacred ("sweet Mary, Jesus, and all the saints") or the silly
("Jesus H. Christ on a pogo stick"), never toward the offensive. "Jesus"
amplifies to "Jesus Christ" or "holy Jesus", never to something like "Jesus'
stinkin' piss".

~~~
waterlesscloud
And Zounds! (God's Wounds!) and Gadzooks! (God's Hooks, aka nails that held
Christ to the cross).

------
joevandyk
1password + Dropbox is pure awesomeness. Great browser integration. Works on
iPhone as well.

------
cxy7z
Maybe this is a case of premature optimization, but what if you ever need to
log into a site from a public computer where you can't install your password
manager?

I realized that without a password manager you're forced to choose between 1)
having one super-secure password and 2) having multiple easy-to-remember
passwords.

My compromise is this: have a password template. This is a string that changes
in a predictable way based on the site. This could be something as silly as
"password_${site_name}", making my gmail.com password "password_gmail" and my
twitter password "password_twitter".

Obviously, the formula won't be terribly complex, so if I tell you my gmail
pass you can probably figure out my twitter pass given enough time. But that
doesn't bother me, since I'm mostly concerned about gawker-type incidents
where my password is among thousands of others, in which case the bad guys
will exploit the 90% of the passwords that do work instead of trying to
reverse-engineer those 10% which don't.

~~~
berberich
LastPass gives you the ability to generate one time passwords
[<https://lastpass.com/otp.php>] ahead of time that you can print out and keep
in your wallet for use on public machines.

There are also several options for multi-factor authentication for an
additional level of security.

------
hedaru
Password? Use your brain to memorize it all! Really, I've been memorizing
hundreds of passwords with just a simple key, hint, and reminder, rather than
using a password manager, which is actually a computer-programmed system. You'll
only forget your password if you lose your brain!

Okay, for a serious situation, I'm using basic text storage and then encrypting
it with a trusted modern encryption system at a high bit level. And some cloud
computing storage web apps are already moving on to a new way to store and
encrypt your password. That's it? Nope, it's useless.

But for real, there are lots of other ways to store your password than using
a password manager or a computer. Sometimes we can do it manually. For your
life, use your idea. Peace.

------
drags
I use SuperGenPass with a strong master password. It's not perfect (a
malicious website could use Ajax to fish for my master password on a sign-up
form), but it gives me a single password to remember, different passwords for
every site, and I can keep the HTML page that runs the hash function on my
thumb drive and use it anywhere.

<http://supergenpass.com/>

~~~
bmastenbrook
In order to solve this problem for myself I looked into SuperGenPass as well,
and reimplemented it in Racket so I could understand what it's doing. Here are
a few notes on that:

• It's based on MD5.

• It repeats the hash 10 times. Typical key strengthening functions will do at
least 1000 iterations, and at least 10000 seems to be becoming more common.

• Each time it repeats the hash, the output is encoded with a variant of
Base64.

• The implementation of Base64 is deliberately nonstandard. + and / are
replaced with 9 and 8 in the output (respectively). It pads with A, not =. The
point is presumably to avoid generating special characters that could be
disallowed by some password systems. This actually seems like an unintentional
benefit to me: while it theoretically increases the probability of a
collision, it does make it slightly more difficult to recover the original
passphrase from the hash, or so it seems to me. (Any cryptographers want to
comment on this one?)

• Hashing is repeated until it generates a password that starts with a
lowercase letter and contains at least one uppercase letter and at least one
number. The first restriction must come from some actual site, but it hardly
seems common enough to enforce.

The biggest risk is in a site fishing your master password, though their
"mobile" version allows you to run it in a different window. All in all, I
think the concept has promise, but the implementation could be significantly
improved.
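Added worked example (editor's addition; not bmastenbrook's Racket reimplementation and not SuperGenPass's own JavaScript): the scheme exactly as the comment above describes it, in Python. Two details the comment does not state are assumed here: that the hash seed is the master password and the domain joined with a colon, and that the generated password is the first 10 characters of the final round's output.

```python
import base64
import hashlib
import string
from typing import Tuple

# Editor's added example: SuperGenPass as bmastenbrook describes it above
# (MD5, nonstandard Base64, at least 10 rounds, retry until the output passes
# a character-class check). Not SuperGenPass's own code.
# Assumptions not stated in the comment: the seed is "master:domain" and the
# password is the first `length` characters of the final round's output.


def sgp_b64_md5(data: str) -> str:
    """MD5 the input, then Base64 it the SuperGenPass way: '+' becomes '9',
    '/' becomes '8' and the '=' padding becomes 'A', so every round yields
    24 characters drawn only from [A-Za-z0-9]."""
    digest = hashlib.md5(data.encode("utf-8")).digest()
    standard = base64.b64encode(digest).decode("ascii")
    return standard.replace("+", "9").replace("/", "8").replace("=", "A")


def sgp_acceptable(candidate: str) -> bool:
    """The acceptance check from the comment: starts with a lowercase letter
    and contains at least one uppercase letter and at least one digit."""
    return (
        bool(candidate)
        and candidate[0] in string.ascii_lowercase
        and any(c in string.ascii_uppercase for c in candidate)
        and any(c in string.digits for c in candidate)
    )


def sgp_generate(master: str, domain: str, length: int = 10,
                 min_rounds: int = 10) -> Tuple[str, int]:
    """Return (site password, number of MD5 rounds actually performed).

    The loop always runs `min_rounds` times, then keeps going until the
    truncated output satisfies sgp_acceptable(); that second phase is why
    the round count is data-dependent rather than fixed."""
    state = f"{master}:{domain}"  # assumed seed layout
    rounds = 0
    while rounds < min_rounds or not sgp_acceptable(state[:length]):
        state = sgp_b64_md5(state)
        rounds += 1
    return state[:length], rounds


def guess_cost_in_md5_calls(master_guess: str, domain: str) -> int:
    """What an attacker holding one leaked site password pays per guess at
    the master password: only the MD5 calls above, no salt, no slow KDF."""
    return sgp_generate(master_guess, domain)[1]


if __name__ == "__main__":
    pw, rounds = sgp_generate("correct horse battery staple", "example.com")
    print(f"example.com -> {pw} after {rounds} MD5 rounds")
    print("cost per master-password guess:",
          guess_cost_in_md5_calls("wrong guess", "example.com"), "MD5 calls")
```

Two things fall out of running it. First, each guess at the master password costs an attacker who has one leaked site password only `rounds` unsalted MD5 calls, typically ten to a few dozen, which is the gap the comment is pointing at when it compares this to key-strengthening functions doing thousands of iterations. Second, the acceptance check shrinks the output space (the first character is drawn from 26 symbols instead of 64, and outputs with no digit or no uppercase letter are thrown away) with no corresponding cost to the attacker, who simply applies the same filter.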

------
pielud
I like clipperz.com. Completely web based. Encryption is done client side in
javascript, so not even clipperz can access my account.

~~~
ivank
They can just change their JavaScript to capture your master password, or
change it to send all of your passwords to them after decryption.

Even if that problem didn't exist, I'm not sure I'd want all of my passwords
anywhere in browser memory.

------
MatthewRayfield
Wasn't Mozilla at some point working on a browser based global identity
system?

I can't seem to find information about it anymore.

------
da5e
username: yeshua password: wwjd

But seriously, I visit so many sites and use so many different computers that
I have my passwords indexed in a little black book encoded with my own
personal code. They would have to pry it from my cold dead hands to get them.

------
rinkjustice
The name Jesus Christ is a sacred name. He is my Saviour. Please don't defile
it.

~~~
lutorm
The article is lamenting the fact that He did not use a password manager. Why
does that constitute defiling?

~~~
Mithrandir
Although that could have been the author's intention, I doubt it as Jesus is
never mentioned in the article.

See also <http://news.ycombinator.com/item?id=2006779>

------
sigzero
Vim:

set cm=blowfish

:X filename <--- encrypts with blowfish

I have Vim everywhere I work. Blowfish is "good enough" for me. :-)

~~~
quadhome
I didn't realize Vim 2.3 came with this!

This is me, happily switching from my hacked together aesfilter solution.

------
scrod
Notational Velocity was designed from the ground up as a desktop password
manager and follows all of these rules, using PBKDF2-based key derivation with
a default of 8000 iterations, adjustable in units of measured CPU time.
Security features are described in greater detail here:

    
    
<https://github.com/scrod/nv/wiki/Database-Security>
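Added example (editor's addition; not Notational Velocity's code and not a description of its database format): how a password store can choose its PBKDF2 iteration count from measured CPU time, as scrod describes nv doing with an 8000-iteration floor, and, picking up drinian's and bmastenbrook's point further up the thread, why a system that only ever hashes the password has no reason to restrict which characters it contains. The 0.1 s CPU budget, the 16-byte salt, the SHA-256 PRF and the record layout are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
import unicodedata

# Editor's added example, not Notational Velocity's code. It shows two points
# from the thread: (1) pick a PBKDF2 iteration count by measuring CPU time
# instead of hard-coding it, with 8000 (the default scrod quotes) as a floor;
# (2) once a password is only ever hashed, its content is irrelevant to the
# server: '<', '$', quotes and even NUL bytes go through unchanged.


def derive_key(password: str, salt: bytes, iterations: int,
               hash_name: str = "sha256", dklen: int = 32) -> bytes:
    """PBKDF2 over the raw UTF-8 bytes of the password, whatever they are."""
    # NFC-normalise so the same visible string gives the same bytes on every
    # platform; no character is rejected or stripped.
    pw_bytes = unicodedata.normalize("NFC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac(hash_name, pw_bytes, salt, iterations, dklen)


def cpu_seconds_for(iterations: int) -> float:
    """CPU time (not wall clock) consumed by one PBKDF2 run."""
    start = time.process_time()
    hashlib.pbkdf2_hmac("sha256", b"benchmark", b"\x00" * 16, iterations)
    return time.process_time() - start


def calibrate_iterations(target_cpu_seconds: float = 0.1,
                         probe_iterations: int = 20_000,
                         floor: int = 8_000) -> int:
    """Scale a measured probe run up to the CPU budget, never below `floor`.
    The 0.1 s budget is an assumption for this example."""
    elapsed = cpu_seconds_for(probe_iterations)
    if elapsed <= 0.0:  # timer too coarse to measure: fall back to the floor
        return floor
    estimate = int(probe_iterations * target_cpu_seconds / elapsed)
    return max(floor, estimate)


def new_verifier(password: str, target_cpu_seconds: float = 0.1) -> dict:
    """What a database header needs to keep: salt, iteration count and the
    derived key. The password itself is never stored."""
    salt = os.urandom(16)
    iterations = calibrate_iterations(target_cpu_seconds)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": derive_key(password, salt, iterations),
    }


def check_password(password: str, record: dict) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    # Constructed sample: every character a restrictive form would reject.
    awkward = "p<a$s'\"w&%\x00ord"
    record = new_verifier(awkward)
    print("iterations chosen:", record["iterations"])
    print("correct password accepted:", check_password(awkward, record))
    print("truncated-at-NUL guess accepted:",
          check_password(awkward.split("\x00")[0], record))
```

Storing the iteration count next to the salt is what lets a later version of the store raise the count as machines get faster and re-derive existing entries on next unlock. The NUL case is worth the explicit check: PBKDF2 hashes the bytes it is given, so "p<a$s'\"w&%" and the same string with a NUL and more text after it are different passwords, whereas C-string based implementations such as classic bcrypt stop reading at the first NUL and would accept the truncated guess.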

