
Toward Better Master Passwords - spacemanaki
http://blog.agilebits.com/2011/06/toward-better-master-passwords/
======
IgorPartola
I am realizing that passwords are a _bad thing_. I have no problem with 1-2
passwords in my life. I can easily change them, and I can choose secure
passwords. My biggest fear with a password is that I use the same password
twice, once on a secure system (e.g.: my workstation or a remote server I
administer) and once on a web application with holes the size of Mt. Gox.

I have been moving to LastPass, but the service, as nice as it is, just has
too many controls, and is a bit ugly. It also only supports Mobile Firefox if
you have the premium subscription (not a huge price to pay, just another
barrier for me). My biggest issue with it is that I will need to set up a
premium account for my wife as well, since there are some shared passwords
(e.g.: our banks, utilities, etc.) and some that are individual (work-
related).

Ideally, what I'd love to find is a cross-platform (mobile, UNIX, Windows)
system that syncs data over ssh to a server I specify.

Really ideally, I'd love if everyone adopted OpenID, so I can just maintain a
single access point that I secure to my satisfaction (client side
certificates, one-time passwords from hardware tokens, etc.)

~~~
sunchild
You should try 1Password. I really like it. It syncs via wifi or Dropbox.

------
tomjen3
I use a similar system, except that instead of remembering randomly chosen
words I use pwgen to generate a string of symbols and then construct a story
from them (human brains are pretty good at remembering stories).

Say I get IJC8M9yh. I would then make a sentence like "Ingrid, Joel and Carol
Ate Margrith's 9 year horse."

(The example given is more tricky than most, since I had to add an extra
word). The idea is to take each letter and convert it into a word, leaving
numbers and special characters as they are (or use them creatively, as in the
example above) and if the letter is a capital letter, use a proper noun in the
sentence.

------
shazow
Like many who got bitten by Gawker, Sony, Mt.Gox and whoever else, I
researched better alternatives. I found these options for password management
utilities:

    - 1Password
    - KeePass
    - LastPass
    - PasswordGorilla
    - pwgen
    - pwsafe
    - SuperGenPassword

Here's my summary and comparison between the alternatives:
[https://github.com/shazow/everything/blob/master/research/pa...](https://github.com/shazow/everything/blob/master/research/password-management-utilities.md)

~~~
abrowne
Nice summary. I wish I had seen it about a month ago when I spent an afternoon
hunting through comments here and elsewhere looking for alternatives to
1Password. (No Linux or WebOS is my main issue.)

I see that you're using SuperGenPass. I loved and used the SGP bookmarklet for
a while, but stopped when I read this article: "SuperGenPass is not that
secure"[1]. Read the article, try the demo, then STOP USING THE BOOKMARKLET!
Because of how the bookmarklet interacts with the page DOM, other scripts can
read your password!

Now this doesn't mean you have to stop using SGP. I still use it, mostly with
the excellent Chrome extension (SuperGenPass for Google Chrome™ by Denis[2])
or the SGP mobile page[3] (which can be saved for offline use). Both of these
compute the password without interacting with any other pages.

[1]: <http://akibjorklund.com/2009/supergenpass-is-not-that-secure>

[2]:
[https://chrome.google.com/webstore/detail/bmmmhbgdbpnbfefmac...](https://chrome.google.com/webstore/detail/bmmmhbgdbpnbfefmacdlbpfgegcibkjo)

[3]: <http://supergenpass.com/mobile/>

[edited: typo, link formatting]

~~~
shazow
Thanks!

I agree, there are a few issues with SGP I would fix: It fails badly on Change
Password forms, it uses ~10-iteration MD5 hashes which are easily-reversible
today, and the default character set for the generated passwords is not great.

I feel I'm still in the "research" stage where I want to see if I can survive
with using something like SGP. I'll definitely switch over to the extension
from now, though.

Side note: It's probably not a terrible idea to still maintain multiple master
passwords for really-important vs throw-away accounts.
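
The weakness shazow describes above (a per-site password derived from the master password with only a handful of fast hash rounds) is worth seeing concretely. The following is an added example, not code from the thread or from SuperGenPass itself: `derive_weak` is a simplified stand-in for a "hash master:domain a few times" scheme, `derive_strong` is the same shape with a slow key derivation, and `recover_master` is the offline attack that becomes possible once one site leaks its derived password. The candidate list and the master password are constructed for the example.

```python
import base64
import hashlib
from typing import Iterable, Optional

# Constructed stand-in for a "hash the master password with the domain a few
# times" per-site generator. This is NOT SuperGenPass's actual code; it only
# mirrors the property under discussion: a small, fixed number of MD5 rounds.
WEAK_ROUNDS = 10


def derive_weak(master: str, domain: str, length: int = 10) -> str:
    """Per-site password from WEAK_ROUNDS rounds of MD5 over 'master:domain'."""
    digest = f"{master}:{domain}".encode()
    for _ in range(WEAK_ROUNDS):
        digest = hashlib.md5(digest).digest()
    return base64.b64encode(digest).decode()[:length]


def derive_strong(master: str, domain: str, length: int = 16,
                  iterations: int = 200_000) -> str:
    """Same shape, but PBKDF2-HMAC-SHA256 with a high work factor.
    The domain acts as the salt, so each site costs the attacker a fresh
    PBKDF2 run per master-password guess."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(),
                              iterations, dklen=24)
    return base64.b64encode(key).decode()[:length]


def recover_master(leaked_site_pw: str, domain: str,
                   candidates: Iterable[str], derive=derive_weak) -> Optional[str]:
    """Offline attack: a breached site leaks one derived password, and the
    attacker runs master-password guesses through the public scheme until one
    matches. With the master known, every other site's password follows."""
    for guess in candidates:
        if derive(guess, domain) == leaked_site_pw:
            return guess
    return None


# Constructed guess list for the demonstration (a real attack would use a
# cracking wordlist with many millions of entries).
CANDIDATES = ["password1", "letmein", "Tr0ub4dor&3", "qwerty123"]

if __name__ == "__main__":
    master = "Tr0ub4dor&3"                      # constructed master password
    leaked = derive_weak(master, "example.com")  # what a breached site exposes
    print("leaked site password:", leaked)
    print("recovered master     :", recover_master(leaked, "example.com", CANDIDATES))
    print("other site now known :", derive_weak(master, "bank.example"))
    print("PBKDF2 variant       :", derive_strong(master, "example.com"))
```

The point is not that MD5 is "reversible" but that ten MD5 rounds cost an attacker almost nothing per guess, so a single leaked site password turns into an offline dictionary attack on the master password, and with it every other site. A slow, salted derivation such as PBKDF2 (or scrypt/bcrypt) with a high iteration count raises that per-guess cost by several orders of magnitude; the per-site password then only protects the sites whose derivation is that expensive.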

------
knutae
I use KeePass and synchronize the database file through Dropbox. I can
recommend this combination, it works well both on my computers and (Android)
phone.

The downside is that I sometimes have to enter the master password on my
phone's on-screen keyboard, so it is probably shorter than it should be.

~~~
newman314
Yeah, except for the whole Dropbox making passwords optional thing. I asked
AgileBits about this and they have stated that only syncing via Dropbox is
supported at this time.

I very much want to find an alternate sync solution. I think it is kind of
pointless to have a secure password solution if the underlying sync is
insecure or more accurately has a dismal approach to security.

~~~
knutae
I don't know... why should I worry about Dropbox security in this context? The
risk that someone could steal my Dropbox data is of course there, but that
they then would be able to decrypt the password database (or bother to spend
resources on trying) seems very unlikely.

The only thing I'm a bit worried about is accidentally deleting or corrupting
the password file, as Dropbox could then synchronize this change across all
devices. I guess I should back it up regularly to non-Dropbox folders to avoid
losing all my passwords.

~~~
pietro
Dropbox would keep the old versions.

------
mcherm
This article's advice is good, but is overkill for most purposes. That being
said, using something like dicewords, but replacing one of the words with
something NOT on the list sounds like a pretty good fit for maximizing the
ratio of entropy to ease-of-memorization.
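
To put numbers on the two schemes discussed in this thread (tomjen3's pwgen-style random string turned into a story, and mcherm's Diceware passphrase with one off-list word), here is an added example that is not part of the thread. `WORDS` is a constructed eight-entry stand-in for a real Diceware list (7776 entries); the 62-symbol alphabet is an assumption matching pwgen's default of letters and digits; the bits credited to the off-list word are an input to the function, not a measured value.

```python
import math
import secrets

# Constructed mini word list standing in for a real Diceware list; only the
# list SIZE matters for the entropy figures below.
WORDS = ["correct", "horse", "battery", "staple", "cloud", "anvil", "river", "quartz"]
DICEWARE_LIST_SIZE = 7776  # five dice: 6**5 entries in the real list

# Assumed pwgen-style alphabet: upper, lower, digits (62 symbols).
PWGEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def random_string(length: int = 8, alphabet: str = PWGEN_ALPHABET) -> str:
    """pwgen-style string: each position a uniform pick from the alphabet.
    Uses secrets (CSPRNG), never random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware(n_words: int = 5, words=WORDS) -> list:
    """Diceware-style passphrase: each word a uniform pick from the list."""
    return [secrets.choice(words) for _ in range(n_words)]


def entropy_bits(choices: int, symbols: int) -> float:
    """Entropy of `choices` independent uniform picks among `symbols` options."""
    return choices * math.log2(symbols)


def entropy_with_offlist_word(n_list_words: int, list_size: int,
                              offlist_bits: float) -> float:
    """mcherm's variant: n_list_words from the list plus one word NOT on it.
    Against an attacker who knows the scheme, the off-list word contributes
    only the bits they still have to guess for it (offlist_bits, an assumed
    input; see the usage note)."""
    return entropy_bits(n_list_words, list_size) + offlist_bits


def compare(pwgen_len: int = 8, n_words: int = 5) -> dict:
    """Entropy of an n-character pwgen string vs an n-word Diceware passphrase."""
    return {
        "pwgen_bits": round(entropy_bits(pwgen_len, len(PWGEN_ALPHABET)), 2),
        "diceware_bits": round(entropy_bits(n_words, DICEWARE_LIST_SIZE), 2),
    }


if __name__ == "__main__":
    print("pwgen-style:", random_string(8))
    print("diceware   :", " ".join(diceware(5)))
    print(compare())
    print("4 list words + one ~15-bit off-list word:",
          round(entropy_with_offlist_word(4, DICEWARE_LIST_SIZE, 15), 2))
```

An 8-character string from a 62-symbol alphabet carries about 47.6 bits; five Diceware words carry about 64.6 bits, and each additional word adds another 12.9. The off-list word helps most against an attacker who only enumerates Diceware combinations (that attack simply fails); against one who knows the modification and tries, say, a 100,000-word English dictionary for that slot, it adds roughly 17 bits, about the same as one more list word. Memorability is the real gain, as mcherm says, so the honest entropy estimate should credit the off-list word at dictionary size, not at the size of the whole language.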

------
pwg
Password Gorilla: <https://github.com/zdia/gorilla/wiki>

~~~
pasbesoin
I almost didn't look.

 _Password Gorilla is a Tcl/Tk application_

I can't speak to the efficacy or security of the program, but I found that bit
interesting.

I'm about ready to pick up Tk, again, because it looks good enough (for me)
and I'm tired of dicking around with UI crap.

------
jvc26
Doesn't look like the link works now - 'Error establishing a database
connection'

