
I know none of my passwords - colbyaley
http://aley.me/passwords
======
sneak
If your Yubikey dies, your 1Password vault is toast. This is a bad idea and
doesn't really add much to your level of security.

Just use a long and random 1Password, and store it in the OSX Keychain
(1Password supports this). Then back up your user keychain with the rest of
your files and don't forget your login password. Alternately, Mavericks (which
comes out in a week) will sync your Keychain items to iCloud for you.

This is all moot though because 1Password is a pain in the dick to use on iOS,
and Apple's using their lack of plugin support for MobileSafari to hinder
competition. In Mavericks' Safari, you can now save passwords for forms that
specifically attempt to disable password storage, and sync those encrypted
passwords to iCloud. This wouldn't matter much... but that sync now works with
iOS7's MobileSafari, where 1Password can't load a browser extension to
compete.

TL;DR: Cool story, but 1Password unfortunately becomes OS-bundled obsolete in
a week.

~~~
joebeetee
I live "exclusively in Apple's ecosystem", but still find 1Password incredibly
useful. You can store credit card/passport details (so useful when
filling in forms and not having to dig around for them), store software
licences, create secure notes, store bank account details and a bunch more
things.

So it's more than just a secure password storage/generation program, it's a
centralised system for all your important, easy to lose/forget details.

I don't know how much work Apple are going to put into Keychain, but it would
have to be a lot for me to switch.

~~~
sneak
Yes, I've been a 1Password user for years, but you have to admit that using
the database on iOS is hacky - you either have to log into 1Password and copy
the username out, switch to Safari, paste it, switch back, copy the password,
switch back, paste - or use the built in webview in 1Password to do your
browsing, which is clunky but will autofill the forms.

On iOS7, it uses the iCloud keychain (written to by Safari from 10.9
Mavericks) to autocomplete forms. Also, all the iOS tabs are available on the
desktop and vice versa.

Yes, I use 1Password to store other data, but its primary function is
credentials for websites, and anything that does that inside of MobileSafari
automatically blows 1Password out of the water.

~~~
vonseel
I wonder how this will affect Chrome / Firefox share among Mac users. Reading
the Mavericks details on Apple's website, they make some claims about Safari's
performance that were surprising to me ... But believable if the nitro
enhancements are vast.

~~~
sneak
I switched back to Safari from Chrome this week since installing Mavericks.
It's substantially faster in my experience.

------
MichaelJW
I haven't used 1Password before, but I know LastPass offers multifactor
authentication via your mobile app of choice[0], which comes to essentially
the same thing.

Once you've set it up, you require two passwords to log in: one you memorise;
the other you read off your mobile app, and is regenerated every 30 seconds.

[0]: [https://helpdesk.lastpass.com/security-options/#Multifactor+...](https://helpdesk.lastpass.com/security-options/#Multifactor+Authentication+Options)

------
WestCoastJustin
You can also use other password safes (sometimes called vaults) that are
multi-platform. A password safe is an encrypted database that allows you, and
your team, to securely store and share passwords. Basically, it is a free
piece of software that is cross platform (win, mac, linux), a common workflow
would be to store it on a shared drive, and give your team access, they use a
common password to access the safe, which holds the other passwords. Create
multiple safes if you need segregation i.e. dev safe, sysadmin safe, network
safe, etc. I have created a screencast about this @
[http://sysadmincasts.com/episodes/7-why-you-should-use-a-pas...](http://sysadmincasts.com/episodes/7-why-you-should-use-a-password-safe)

Personally, I would not recommend any of the cloud based solutions, for the
simple fact, that any slip up in their security and you are hosed. These are
your crown jewels, do not outsource this!

UPDATED: sentence structure.

~~~
dchest
"Also"? 1Password _is_ a "password safe".

EDIT: with your edit everything now makes sense :)

~~~
doppel
Yes, but 1Password is not supported on Linux, though there is a work-around so
you can at least access the passwords but not save new ones. I think that's what
he is referring to.

~~~
zachlatta
As far as I know, 1Password has Linux support. It's a browser plugin, not a
native application. I'm using it right now on Arch.

~~~
chmars
1Password does not support Linux. 1PasswordAnywhere (1Password 3), however,
can be used with Linux of course:

[http://help.agile.ws/1Password3/1passwordanywhere.html](http://help.agile.ws/1Password3/1passwordanywhere.html)

~~~
zachlatta
Ah, my mistake. I was confusing LastPass with 1Password.

------
Random_Person
Hm, I've been using KeePass/Dropbox for quite a while now. Not sure what
advantages this method has over mine? Yes, I have to remember my KeePass
master password... but then you'd have to be logged into one of my machines to
get access to it anyway... or on my mobile, which everyone seems to be using
for 2 factor anyways, so it's moot if my mobile is compromised.

Not sure what the advantage is.

~~~
mey
This is the solution I currently use. I have found KeePass problematic on OSX
but since that isn't one of my primary computing environments it works well.

I am putting a lot of faith in the security of KeePass, as I don't put a lot
of faith in DropBox to keep the file secret. If DropBox's sync system wasn't
so simple/unobtrusive I'd use something else.

Then as a last step measure, there are backups of the KeePass file in case a
machine or Dropbox have issues.

~~~
patrickk
> If DropBox's sync system wasn't so simple/unobtrusive I'd use something
> else.

Perhaps consider using Bittorrent Sync[1] for synchronisation.

For practical purposes, it's similar to using DropBox, the key difference
being that instead of syncing with DropBox in the cloud, you are syncing
folders across hardware you control. The hardware could be different
computers, phones, tablets etc.

[1]
[http://labs.bittorrent.com/experiments/sync.html](http://labs.bittorrent.com/experiments/sync.html)

------
jerf
This essentially turns "something you know" into "something you have", with no
requirements that any of the remote websites change what they are doing.

It seems like this is an interesting counter to the recent budding trend of
arguing that "something you know" (passwords) is broken and we should all
throw it out and switch to "something you have". This shows that a user can
unilaterally convert "something you know" into "something you have", _and_
unlike the inevitable clusterfuck of trying to standardize on "something you
know" with the inevitable gold rush of competing, fragmented standards,
resulting in users having to have an unbounded number of "things" in their
possession [1], authentication consumers can continue to work with standardized
password approaches.

It seems to me that rather than rewriting the Internet to not use passwords,
we'd be better off making this approach even easier (although it's not all
that hard right now, really).

[1]: Yes, I'm aware of things like RFC 4226. History's pretty clear though; if
there was more value to capture in this space it would break into proprietary
fragments in a heartbeat. All the proprietary fragments would probably be
beaten down by RFC 4226 in the end, but there would be an unhappy few years in
the middle.

~~~
mapgrep
>This essentially turns "something you know" into "something you have"

It really doesn't. The essence of "something you have" is that you really,
truly must _have it_ for authentication to work -- every time. In this case,
if you capture the data on the Yubikey once you never need to have the Yubikey
again (since he's using the static slot). Or to flip it around, if you just
once leave your Yubikey in your pocket in coat check, or in a checked airline
bag, or in your USB slot when you go to a meeting, etc., it is potentially
100% compromised without your ever knowing.

This is why true "something you have" systems like Google Authenticator, or
the actual Yubikey system as it was designed, use constantly changing keys.

------
ekns
I've been using PasswordMaker
([http://www.passwordmaker.org/](http://www.passwordmaker.org/)) for years to
generate most of my site-specific passwords when needed. PasswordMaker uses a
master password together with a site's domain name to hash a site-specific
password. It has Chrome and Firefox extensions for filling in the password
fields with one button.

Unfortunately, by default it uses MD5 and 8-character passwords. I always set
this to SHA256 and at least 12 characters when first installing the extension
on some device/browser.

Most sites play well with this, but there are exceptions: having to change a
password is a bit ugly when the passwords are generated from a given master
password and the site's domain name. A more common problem is when a site
refuses to accept certain characters in the hashed password or when a site
requires some number of digits and uppercase letters, for instance. I
currently just store these exceptions with Keepass.

I see 1Password being mentioned a lot but I started using PasswordMaker and
Keepass well before I'd first heard of 1Password so I don't know how it might
compare.

~~~
dchest
Comparison of password generators and password managers:
[http://crypto.stackexchange.com/a/5691](http://crypto.stackexchange.com/a/5691)

------
JimWestergren
Sounds like a bad idea to depend on your Yubikey.

I only know my master password for Lastpass which is a kind of random 14-16
char long and complex. I type it once each morning and it goes fast to type.
With that I access my other 334 randomly generated passwords. But I do know my
password for email just in case.

------
peterwwillis
At the very least you should have a way to recall your e-mail password. Almost
every account that you have is linked to an e-mail for resetting. You need to
have reliable e-mail access in order to reset your digital life.

My e-mail password was created randomly based on 12 uppercase/lowercase
letters, numbers, and symbols. I memorized it via muscle memory. My master-
password-database password is the same, but 18 characters. I know more
passwords, but these are the only two I need to retain.

You can also be pragmatic about your accounts. Do I care if my
PontiacSunfireCarClub.com account is hacked? Or my NewYorkDailyNewsTime.com
account? No, I don't. So the password is irrelevant.

~~~
nazgulnarsil
Insert obligatory XKCD

~~~
peterwwillis
Downvote unnecessary comment

~~~
autodidakto
^This

------
jmartens
"Stronger passwords are typically hard to remember. Since you will need to
enter your 1Password master multiple times a day, this can be a problem."

This doesn't make too much sense. While stronger passwords are harder to
remember, if you use them multiple times per day, you'll have stronger memory
of that password. It's hard to forget a password you have to use a few times
per day...no matter how long or short it is.

Additionally, stronger passwords are not always harder to remember. There are
some great password and memory techniques that make long complicated
passwords easy to remember.

~~~
junto
Personally I like using long easy to remember lines out of films.

E.g. LifeislikeaboxOfChocolates,youneverquiteknowwhatyou'regonnaget!

~~~
e28eta
This article suggests that's a bad idea:

[http://arstechnica.com/security/2013/10/how-the-bible-and-yo...](http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/)

------
tommis
Here's how I work with free KeePass:

1) set up your password store with a strong password and a key file

2) keep your keyfile on your local machine and a backup on usb etc, not cloud

3) now you can backup your db into cloud eg. spideroak, dropbox

4) on your other machine (work laptop, mobile, ..) copy in the key file, sync
the db from the cloud

Now, you have a password manager that works on all of your devices - syncing
automatically, safely.

This works for me. I know where the db is at (which cloud provider) and can be
sure it's inaccessible without the key file + password. Any thoughts?

------
rubyalex
how do you recover from it if your yubikey got lost or stolen?

~~~
lparry
I'm pretty certain you're completely screwed if that happens. I don't think
it's worth that level of risk to not know the password for your 1Password
vault

~~~
JonnieCache
If it were me I'd have the long yubikey password written out on paper in a
safe in my house somewhere, or in a bank vault or something. If an adversary
is motivated enough to gain access to that, your days are probably numbered
anyway.

~~~
MAGZine
if your house burns down with the paper and the key in it?

~~~
groby_b
If you have any data actually worth preserving, it might probably be worth it
to

a) Get a fire-resistant lockbox, and b) have a safe deposit box at a bank.

------
nsxwolf
Remember:

1. Use a different password for every account

2. Always use a gigantic, mixed case alphanumeric password with special
characters for maximum entropy

3. Never, ever write any of these passwords down! ;)

~~~
nawitus
I've recently switched to this. While my passwords are now secure, I've found
a number of situations where I can't login somewhere because the password list
is only found on my home computer.

~~~
fletchowns
Most of the time this is a good thing though, you don't want to be logging
into something from a machine you can't guarantee the security of.

------
Timothee
I think this is an interesting setup just because it makes it possible to have
a very complicated 1Password master password without being too inconvenient.
For my use of 1Password, it wouldn't work though since I use it on my phone
frequently.

However as others have said, you need to have a way to get to the full
password somehow, likely in the form of it written down and stored in a safe,
at home or in a bank. Or in somebody else's password vault.

Actually, that's something I haven't seen much and that I have done myself
manually only: the ability to secure this information by spreading the
database with multiple trusted parties. Similar to what Snowden has done I
understand: no-one can access the information by themselves, but _you_ can
piece together whatever information you need from multiple people. I know some
stuff exists like this, I just haven't seen for password vaults specifically.

------
VLM
Is the yubikey static secondary password sniffable via a keylogger type
exploit? That could be a problem.

~~~
matthewbadeau
It is sniffable with a key logger. It's still very useful though. If you're
only using the Yubikey for two-factor auth (slot one), then it will only get
your one time password.

------
DanBC
This thread shows that there's still some confusion around best practice with
Yubikey.

{EDIT: Was the submission edited after being posted here? Because a bunch of
people are saying that the password dies if the Yubikey dies, even though the
submission says that the password is backed up independently of the Yubikey}

Yubikey is nearly brilliant. Not having a battery and a clock makes it a bit
sub-optimal. But it's still a cool bit of tech. They don't help by having a
terrible website. They need to split it into "info for developers", "why you
want Yubikey" and "how to use Yubikey now you have one".

And it's kind of scary to see how many different password safes there are and
how few of them have had any kind of auditing.

------
colbyaley
I have appended the post to include the fact that I have a copy of my password
physically printed and hidden in a secure location.

As for mobile, I have not tried the workflow on iOS but I hear you can use the
USB camera connection kit to connect your Yubikey.

------
BIair
I use Lastpass with Google Authenticator two-factor authentication. Like most
Lastpass users the only password I know is my master password, and of course
it's the weakest.

Lastpass has worked well, but going forward there are two major concerns. Lack
of a mobile browser plugin makes it difficult to use on mobile (Android).
Second, is that all major browsers appear to be dropping plugin support out of
security and performance concerns.

What's best for password management without using browser plugins? Chrome
clear text password storage is troublesome. Bitlocker and mobile encryption
may help. Are more OS implementations on the way?

~~~
fps
If you pay for lastpass premium, you can use the android app with an android
keyboard plugin. The keyboard is secured with your lastpass password and/or
mobile PIN, and will fill forms on websites or login boxes on apps. It's
pretty bad at detecting the site or app you're using, so I end up browsing for
passwords more often than not, but it's pretty usable. It's better than
copy/paste because the interaction happens entirely inside the keyboard pane.

~~~
tekalon
This is my only problem with lastpass. I use both iOS and Android and for some
of my apps I have to manually type in the information. I know lastpass has a
browser, but I'd rather use the basic Safari/Chrome/Firefox (depending on the
need).

~~~
uses
You can copy/paste the passwords out of the LastPass app.

~~~
tekalon
True, but it still requires jumping back and forth.

------
techscruggs
A lot of people are concerned about the Yubikey dying, but that is only one of
3 passwords you should have memorized.

You also need to know your app store password. If your computer crashes, you
will want to be able to reinstall 1password.

Additionally, you probably want to use dropbox to sync your passwords and act
as a pseudo remote backup. If that is the case, then you also want to know
your dropbox password.

All in all, I think you should have 3 passwords memorized: 1) 1password master
password 2) app store 3) dropbox

If you have this knowledge, you can gain access to all your credentials from a
freshly installed OS.

~~~
junto
You can get around this by having more than one device. Hence, if I have a
fresh install, I can look up my DropBox account on an existing install, then
install 1Password and it auto syncs when it detects the password vault in
DropBox. Hence, I only really need to remember 1Password.

------
kbar13
but then you're out of luck if you're on mobile and need something from
1password.

~~~
JimmaDaRustla
I use yubikey, but I don't need it on my mobile because it's a trusted device.

~~~
sensecall
How do you mean?

~~~
JimmaDaRustla
I have username/password/yubikey combination to log into LastPass. On my
Android phone though, I only need my username/password to access LastPass.

The trust lies with LastPass being able to uniquely identify my device as
mine, and not someone spoofing me.

Yubikey is solely used from PC where I can plug in the yubikey. I could also
have trusted computers, but I prefer to keep trusted devices to a minimum.

------
crusso
Steve Gibson (of "Security Now!" fame) recently proposed a novel way to manage
account access called SQRL. Basically, you use a SQRL app on your smart phone
to read login QR codes. Some behind-the-scenes magic happens and then you're
logged in.

It has a large number of benefits over the traditional account/password
paradigm.

[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

------
callesgg
I have a thing called paper which I hide. On it I write stuff about events in
my life that have to do with the password in question. That way I can easily
memorise a shitload of passwords and if I forget one I just look at my paper
and easily figure out what the password was.

If the password is for a really dumb service that I don't care about I just
write it in a text file located on my server /home/user/shitty_passwords.txt

------
triplesec
If you lose your Yubikey, is it all backed up online somewhere, or will you
lose access to all your online services its password is used for?

~~~
scott_karana
It emulates a USB keyboard (IIRC), so you could conceivably just print off the
password and store it (whether analog or digital is up to you).

------
cpeterso
I use SuperGenPass, a JavaScript bookmarklet that hashes a master password
with the website's domain name to generate a unique password for every site.
The only problem is websites that have unusual password requirements that
don't like SuperGenPass' passwords.

[http://supergenpass.com/](http://supergenpass.com/)
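Both SuperGenPass above and PasswordMaker in ekns's comment earlier derive each site's password from a master password and the site's domain. The block below is an added example of that idea, written here rather than taken from either tool (it is not their exact algorithm): it uses PBKDF2-HMAC-SHA256 instead of a single MD5 round, and handles the two problems ekns raises, sites that insist on a digit or uppercase letter and sites that must have their password changed, via a guaranteed character-class fix-up and a rotation counter. The function name, parameter names and iteration count are assumptions.

```python
# Added example: deterministic per-site passwords from a master password.
import hashlib
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!@#$%^&*"


def derive_password(master: str, domain: str, length: int = 16, counter: int = 0,
                    classes=(UPPER, LOWER, DIGITS, SYMBOLS),
                    iterations: int = 200_000) -> str:
    """Hypothetical scheme. The master password is stretched with PBKDF2 so that
    one leaked site password does not give a cheap offline guess at the master;
    the salt is the normalised domain plus a rotation counter, so bumping
    `counter` yields a fresh password when a site demands a change.
    `classes` is the set of character classes the site allows; one character
    from every listed class is guaranteed, so a site that requires a digit or
    an uppercase letter is satisfied, and a site that rejects symbols is handled
    by passing classes without SYMBOLS."""
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(classes)
    salt = f"{domain.strip().lower()}:{counter}".encode()
    # 2 bytes per body character, plus 2 per class for the position/character fix-ups.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=2 * (length + 2 * len(classes)))
    words = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    body = [alphabet[w % len(alphabet)] for w in words[:length]]  # tiny modulo bias
    # Deterministically place one character of each class at a distinct position.
    positions = list(range(length))
    for k, cls in enumerate(classes):
        pos_word, chr_word = words[length + 2 * k], words[length + 2 * k + 1]
        pos = positions.pop(pos_word % len(positions))
        body[pos] = cls[chr_word % len(cls)]
    return "".join(body)


def meets_policy(password: str, classes) -> bool:
    """True when at least one character from every class appears."""
    return all(any(ch in cls for ch in password) for cls in classes)
```

Because the site password is a pure function of the master and the domain, the master must be strong on its own: the scheme moves all of the security onto it.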

------
dbot
I've used Dashlane for over a year and like it quite a bit. I think it started
off as an automated checkout app but the password part has overtaken that
feature (though payment and form filling still works great).

Dashlane does encrypted cloud storage with local decryption - but I'm just
wondering if there are good reasons to switch to 1Password or LastPass.

------
sivanmz
He misstates the 1Password premise. It is actually that even if you have a
complicated single password, repeating it throughout the day makes it easy to
remember.

The rest of his argument is based on convenience alone and rather weak. A
YubiKey, nice as it is, doesn't help with mobile devices, where transactions
are increasingly taking place.

------
grahamburger
Instead of memorizing all of my passwords, I memorized an algorithm that I use
to generate passwords. So all of my passwords are unique with fairly good
entropy, and I can recover any of them, but I don't necessarily have them
memorized. The ones that I use often are saved in muscle memory.

~~~
jmcphers
I have wanted to take this approach, but it's hard to reconcile with the
password requirements for service providers. Sometimes these go so far as to
be mutually exclusive--for instance, some providers will not accept a password
unless it has at least one non-alphanumeric character; others will not accept
a password that has one. I found that it was difficult to remember what
mutations I'd done to my password to make it acceptable to the service
provider.

How do you account for this in your algorithm?

~~~
grahamburger
That was a problem when I first started a few years ago, so I used a very
simple algorithm that didn't have non-alphanumeric letters. About 3 years ago
I came up with a better algorithm, and now I use both. The simpler one on
throwaway sites, which tend to be the same sites with insecure password
requirements, and the more complex one for everything else.

The only problem I still occasionally run into is when a site requires a
password change for whatever reason. I have a couple of minor permutations on
the algorithm that I use in those cases, but sometimes that does trip me up.

------
dfischer
I love www.passpack.com

[http://blog.danielfischer.com/2011/05/12/its-time-to-start-u...](http://blog.danielfischer.com/2011/05/12/its-time-to-start-using-a-password-manager/)

------
igorgue
I use book quotes for passwords (include spaces and sometimes change letters
for numbers (if the stupid website requires it)), I don't forget those since
they're meaningful.

~~~
VaucGiaps
I would not be surprised if huge numbers of sentences from popular books are
hashed already (and put in rainbow tables)...

------
qwerta
Is it made in US? Does it have automatic NSA export feature?

------
davidcollantes
So, if you lose or break your Yubikey, you are left locked out.

