I was rather surprised to find that I could read the passwords stored by Mozilla/Firefox (Preferences=>Security). I always assumed they were encrypted in some way. Pure ignorance, I guess.
On 02/14/2015 05:39 PM, Timothy Murphy wrote:
I was rather surprised to find that I could read the passwords stored by Mozilla/Firefox (Preferences=>Security). I always assumed they were encrypted in some way. Pure ignorance, I guess.
You actually trusted FF to secure your online web account passwords???
On 02/14/2015 07:45 PM, jd1008 wrote:
On 02/14/2015 05:39 PM, Timothy Murphy wrote:
I was rather surprised to find that I could read the passwords stored by Mozilla/Firefox (Preferences=>Security). I always assumed they were encrypted in some way. Pure ignorance, I guess.
You actually trusted FF to secure your online web account passwords???
LOL. this is true.
Timothy, on a serious side, moz does put out a decent try by storing passwords in the file "signons.sqlite", which is not an encrypted file.
what file are you seeing your passwords in?
see this link;
http://kb.mozillazine.org/Password_Manager
the diff of oos and linux versions is that access to the password manager is;
Edit > Preferences > Security > [Saved Passwords...]
to open window Saved Passwords where you can edit password file.
to aid editing, i use;
https://addons.mozilla.org/en-US/firefox/addon/saved-password-editor/ and https://addons.mozilla.org/en-US/firefox/addon/saved-passwords-button/
to export passwords, i use;
https://addons.mozilla.org/en-US/firefox/addon/password-exporter/
do you have above exporter and are seeing file it exports?
On 02/15/15 08:39, Timothy Murphy wrote:
I was rather surprised to find that I could read the passwords stored by Mozilla/Firefox (Preferences=>Security). I always assumed they were encrypted in some way. Pure ignorance, I guess.
Check the box, "use master password" for "maximum" security. You'll then need to enter that to display passwords.
Timothy Murphy writes:
I was rather surprised to find that I could read the passwords stored by Mozilla/Firefox (Preferences=>Security). I always assumed they were encrypted in some way. Pure ignorance, I guess.
Obviously Firefox needs to save and recover all your passwords, if it were to automatically provide them on your behalf.
So the passwords must be accessible to Firefox. Merely not displaying them is a false sense of security.
Allegedly, on or about 15 February 2015, Timothy Murphy sent:
I was rather surprised to find that I could read the passwords stored by Mozilla/Firefox (Preferences=>Security). I always assumed they were encrypted in some way. Pure ignorance, I guess.
If someone has unfettered access to your computer, the point is moot.
If they can read your files, locally or remotely, only very high grade encryption is going to help you, and the depth required is probably going to be restrictive to you in some annoying ways.
If they can walk up and use your computer, even that's not going to help you (your initial log-in process will have unlocked many things to "just work" as you use the GUI). You really need to lock the session, or log out.
I'm of the opposite vein. I really appreciate being able to view passwords stored on my computer. There are so many different things that require logon credentials that I cannot remember all of them all of the time. And I hate those blanked off password gadgets that obscure what you type in, so you can't see any typos. Even the type your new password in twice, into two separate gadgets, don't prevent you from making a typo that you find out about much later on, and then spend hours trying out all the possible typos you might have made to crack your own password.
On 02/14/2015 10:37 PM, Tim wrote:
I'm of the opposite vein. I really appreciate being able to view passwords stored on my computer. There are so many different things that require logon credentials that I cannot remember all of them all of the time. And I hate those blanked off password gadgets that obscure what you type in, so you can't see any typos. Even the type your new password in twice, into two separate gadgets, don't prevent you from making a typo that you find out about much later on, and then spend hours trying out all the possible typos you might have made to crack your own password.
this is true and my feelings.
it is also why i have a file of an ambiguous name that i use to enter site name, site url, site password.
then i do a 'drag and paste' or <ctrl+c> and <ctrl+v> to enter password, even tho firefox maintains passwords.
an interesting page on "needles";
https://www.grc.com/haystack.htm
generating "needles";
https://www.grc.com/passwords.htm
On Sun, 2015-02-15 at 01:04 -0600, g wrote:
an interesting page on "needles";
"supercalifragilisticexpialidocious" gave interesting numbers, but all you needed was three obscure, unrelated words (e.g. bluepigsskiing) to come up with some ridiculously difficult to crack passphrases (such as by dictionary attacks). They don't even have to be hard to type.
I just don't buy into this malarkey that they must contain numbers, symbols, and other awkward to type characters. Brute force cracking is going to be done by a machine, not a human, and they can easily throw them into the mix.
But I'm going to go out on a limb, and say that I'm sure that *most* people pick stupid ones. Ones that get tried by default (e.g. 1234, password, remember, etc.), and ones that are easily guessed by someone who knows just a little bit about you (family and pets' names, dates, etc).
On Sun, 2015-02-15 at 22:07 +1030, Tim wrote:
On Sun, 2015-02-15 at 01:04 -0600, g wrote:
an interesting page on "needles";
"supercalifragilisticexpialidocious" gave interesting numbers, but all you needed was three obscure, unrelated words (e.g. bluepigsskiing) to come up with some ridiculously difficult to crack passphrases (such as by dictionary attacks). They don't even have to be hard to type.
I just don't buy into this malarkey that they must contain numbers, symbols, and other awkward to type characters. Brute force cracking is going to be done by a machine, not a human, and they can easily throw them into the mix.
+1
Also, use words from more than one language.
Better is to use a password manager (Lastpass, Keepass, PasswordSafe ...) to avoid the temptation of choosing easy passwords and the difficulty of having to remember many different ones. Use one hard to guess password to access the rest.
poc
Hi,
Still, I believe keepass is better. your opinion please?
Krishna Prajapati
On Sun, Feb 15, 2015 at 5:46 PM, Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Sun, 2015-02-15 at 22:07 +1030, Tim wrote:
On Sun, 2015-02-15 at 01:04 -0600, g wrote:
an interesting page on "needles";
"supercalifragilisticexpialidocious" gave interesting numbers, but all you needed was three obscure, unrelated words (e.g. bluepigsskiing) to come up with some ridiculously difficult to crack passphrases (such as by dictionary attacks). They don't even have to be hard to type.
I just don't buy into this malarkey that they must contain numbers, symbols, and other awkward to type characters. Brute force cracking is going to be done by a machine, not a human, and they can easily throw them into the mix.
+1
Also, use words from more than one language.
Better is to use a password manager (Lastpass, Keepass, PasswordSafe ...) to avoid the temptation of choosing easy passwords and the difficulty of having to remember many different ones. Use one hard to guess password to access the rest.
poc
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On 02/15/2015 08:47 AM, Krishna Chandra Prajapati wrote:
Hi,
Still, I believe keepass is better. your opinion please?
Krishna Prajapati
On Sun, Feb 15, 2015 at 5:46 PM, Patrick O'Callaghan <pocallaghan@gmail.com> wrote:
On Sun, 2015-02-15 at 22:07 +1030, Tim wrote:
On Sun, 2015-02-15 at 01:04 -0600, g wrote:
an interesting page on "needles";
https://www.grc.com/haystack.htm
"supercalifragilisticexpialidocious" gave interesting numbers, but all you needed was three obscure, unrelated words (e.g. bluepigsskiing) to come up with some ridiculously difficult to crack passphrases (such as by dictionary attacks). They don't even have to be hard to type.
I just don't buy into this malarkey that they must contain numbers, symbols, and other awkward to type characters. Brute force cracking is going to be done by a machine, not a human, and they can easily throw them into the mix.
+1
Also, use words from more than one language.
Better is to use a password manager (Lastpass, Keepass, PasswordSafe ...) to avoid the temptation of choosing easy passwords and the difficulty of having to remember many different ones. Use one hard to guess password to access the rest.
poc
I have discovered a method of creating passwords that has helped me greatly throughout the years. I learned it from this girl who was always teased in school for being "weird" LoL! (Thank you Sharon......wherever you are!) So imagine you want to use the word "gasoline" as a password.......the simple trick is to "push" each letter over by one! That's it!....so instead of using the "g" from gasoline you'd use the next letter in line..(the "h")....and for the "a"...you'd use the "b"....and so on until you've replaced each letter. (For those who have the mental prowess and can manage it, there's also using the letter PREVIOUS to the one you have or the process of "skipping" letters as well...) but I've found that this method provides you with a password that appears to be gibberish to anyone else, but makes perfect sense to you!...
EGO II
On Sun, 2015-02-15 at 09:18 -0500, Eddie G. O'Connor Jr. wrote:
I have discovered a method of creating passwords that has helped me greatly throughout the years. I learned it from this girl who was always teased in school for being "weird" LoL! (Thank you Sharon......wherever you are!) So imagine you want to use the word "gasoline" as a password.......the simple trick is to "push" each letter over by one! That's it!....so instead of using the "g" from gasoline you'd use the next letter in line..(the "h")....and for the "a"...you'd use the "b"....and so on until you've replaced each letter. (For those who have the mental prowess and can manage it, there's also using the letter PREVIOUS to the one you have or the process of "skipping" letters as well...) but I've found that this method provides you with a password that appears to be gibberish to anyone else, but makes perfect sense to you!...
Wow. So clever! I mean who would think of having a password cracker shift all the words in its dictionary, especially as you've now publicized it?
Please try to understand that "looking like gibberish to a human" is not a reliable indicator of password strength.
poc
On 02/15/2015 09:22 AM, Patrick O'Callaghan wrote:
On Sun, 2015-02-15 at 09:18 -0500, Eddie G. O'Connor Jr. wrote:
I have discovered a method of creating passwords that has helped me greatly throughout the years. I learned it from this girl who was always teased in school for being "weird" LoL! (Thank you Sharon......wherever you are!) So imagine you want to use the word "gasoline" as a password.......the simple trick is to "push" each letter over by one! That's it!....so instead of using the "g" from gasoline you'd use the next letter in line..(the "h")....and for the "a"...you'd use the "b"....and so on until you've replaced each letter. (For those who have the mental prowess and can manage it, there's also using the letter PREVIOUS to the one you have or the process of "skipping" letters as well...) but I've found that this method provides you with a password that appears to be gibberish to anyone else, but makes perfect sense to you!...
Wow. So clever! I mean who would think of having a password cracker shift all the words in its dictionary, especially as you've now publicized it?
Please try to understand that "looking like gibberish to a human" is not a reliable indicator of password strength.
poc
I agree that a human might not be able to crack it but even a PC would have a hard time if you use phrases, foreign words, and the like. Also I'm assuming that even if someone were to try it there's no way they could decipher the passwords some people would use, (birthdate....death date....middle name of the kid who lived down the block five years ago.....the last name of the professor you had in college who got married twice...) I'm just sayin' is all....and I only offered it as a possibility. I would never divulge the true "process" by which I create passwords!
EGO II
On 15.02.2015, Eddie G. O'Connor Jr. wrote:
I agree that a human might not be able to crack it but even a PC would have a hard time if you use phrases, foreign words, and the like.
Please search the net on "dictionary attack" in combination with words like "feasibility", "speed" and the like. You will be blown away by reading what can be done.
I would never divulge the true "process" by which I create passwords!
There is password manager software implementing high-grade encryption, and there is pwgen...
Allegedly, on or about 15 February 2015, Heinz Diehl sent:
Please search the net on "dictionary attack" in combination with words like "feasibility", "speed" and the like. You will be blown away by reading what can be done.
Of course that kind of implies that you have something that will let you continuously try different passwords upon it, instead of denying you after a few failures. Which is an incredibly foolish way to run security.
It all depends on what they're trying to crack. Have they stolen your hard drive, and are free to do what they like using their own computers on your data? They can do that until they manage it, or your drive wears out from use. Or are they trying to hack into some service of yours over the internet, where they only have your remote-facing interface to deal with? If they only get three goes an hour, before locking them out for too many failures, they're never going to crack it if you had an even mildly good password.
This isn't like the movies, or picking your bicycle combination lock, where you can crack one digit at a time. There is nothing to say that they've got any part of it right, so that they can then concentrate on cracking the rest. They've got to guess the entire password in one go.
On 02/15/2015 09:29 PM, Tim wrote:
Allegedly, on or about 15 February 2015, Heinz Diehl sent:
Please search the net on "dictionary attack" in combination with words like "feasibility", "speed" and the like. You will be blown away by reading what can be done.
Of course that kind of implies that you have something that will let you continuously try different passwords upon it, instead of denying you after a few failures. Which is an incredibly foolish way to run security.
It all depends on what they're trying to crack. Have they stolen your hard drive, and are free to do what they like using their own computers on your data? They can do that until they manage it, or your drive wears out from use. Or are they trying to hack into some service of yours over the internet, where they only have your remote-facing interface to deal with? If they only get three goes an hour, before locking them out for too many failures, they're never going to crack it if you had an even mildly good password.
This isn't like the movies, or picking your bicycle combination lock, where you can crack one digit at a time. There is nothing to say that they've got any part of it right, so that they can then concentrate on cracking the rest. They've got to guess the entire password in one go.
I think this topic has been discussed at length on other lists and forums more thoroughly than we can manage here. No need to continue beating up this topic too much. I do not mean to say that you should not. Just that it does not shed much light on this very dark and secret world :) :)
On 16.02.2015, Tim wrote:
Please search the net on "dictionary attack" in combination with words like "feasibility", "speed" and the like. You will be blown away by reading what can be done.
Of course that kind of implies that you have something that will let you continuously try different passwords upon it, instead of denying you after a few failures.
As you point out, all is a matter of your threat model. That said, a software counter can easily be circumvented. You could just recompile the program with the counter disabled, you could take a backup of the original counter and many more...
On 15.02.2015, Eddie G. O'Connor Jr. wrote:
..the simple trick is to "push" each letter over by one! That's it!
ROT1 (or ROTX, where X is any number) is a common part of most of the dictionary attacks, very easy to implement and causes near zero CPU load. So your ROT'ed password has not a single bit more security than the word it originates from.
On 02/15/2015 09:27 AM, Heinz Diehl wrote:
On 15.02.2015, Eddie G. O'Connor Jr. wrote:
..the simple trick is to "push" each letter over by one! That's it!
ROT1 (or ROTX, where X is any number) is a common part of most of the dictionary attacks, very easy to implement and causes near zero CPU load. So your ROT'ed password has not a single bit more security than the word it originates from.
imagine if the "word" ISN'T a word that's found in the dictionary.....ANY dictionary.....would that qualify it as being a bit more secure?
EGO II
On 15.02.2015, Eddie G. O'Connor Jr. wrote:
imagine if the "word" ISN'T a word that's found in the dictionary.....ANY dictionary.....would that qualify it as being a bit more secure?
Here's the "math" behind it, so you can calculate for yourself:
The password strength (entropy) is calculated this way,
B = ((L * log P) / log 2)
where B is the entropy in bits, L is the length of the password, and P is the amount of possible different chars (the "pool"). So if you choose e.g. base64, P will always be 64, and if you choose a password which e.g. includes A-Za-z0-9 or random chars such as %!"/(] (and so on), P will be higher, thus resulting in a higher strength of the overall password. There are P^L different passwords.
In general, a password only containing letters or numbers must be *very* large to have a high security margin.
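As an added illustration (not code from any poster on this thread), here is a Python script that evaluates Heinz's formula B = L * log2(P), estimates P from the character classes a password actually uses, and, as a defender-side policy check, shows why the "push each letter over by one" word from earlier in the thread scores no better than its source: the check undoes all 26 possible shifts and looks the result up in a wordlist. The wordlist, the class pool sizes, and the word-count model for passphrases are assumptions of this example.

```python
import math
import string

# Heinz's formula: B = L * log2(P), bits of entropy for a password of
# length L whose symbols are drawn uniformly from a pool of P symbols.
def entropy_bits(length: int, pool: int) -> float:
    return length * math.log(pool) / math.log(2)

# Estimate the pool P from the character classes a password uses
# (the usual "how big is the alphabet" approximation; assumed sizes).
def pool_size(password: str) -> int:
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(size for chars, size in classes if any(c in chars for c in password))

def password_entropy(password: str) -> float:
    return entropy_bits(len(password), pool_size(password))

# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = {"gasoline", "password", "purple", "gliding", "cows",
            "blue", "pigs", "skiing"}

# Shift every letter by `shift` places in the alphabet (ROT-X), keeping case.
def rot(word: str, shift: int) -> str:
    out = []
    for c in word:
        if c.isalpha():
            base = ord("a") if c.islower() else ord("A")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)

# Policy check: reject a password if undoing any of the 26 shifts yields a
# dictionary word. ROT-X is one of the cheap transforms a cracker applies,
# so the shifted word carries no more entropy than the word itself.
# Returns (shift, source word) when found, else None.
def rotation_of_dictionary_word(password: str):
    for shift in range(26):
        candidate = rot(password, -shift).lower()  # undo a forward shift
        if candidate in WORDLIST:
            return shift, candidate
    return None

# Entropy of a passphrase of k words chosen uniformly from an n-word list:
# the attacker's pool is the wordlist, not the individual letters.
def passphrase_entropy(words: int, list_size: int) -> float:
    return entropy_bits(words, list_size)

if __name__ == "__main__":
    for pw in ("gasoline", rot("gasoline", 1), "Tr0ub4dor&3"):
        print(f"{pw:14s} pool={pool_size(pw):3d} bits={password_entropy(pw):5.1f}"
              f" rotated-word={rotation_of_dictionary_word(pw)}")
    # three words from a 7776-word list (assumed list size)
    print(f"3-word passphrase from 7776 words: {passphrase_entropy(3, 7776):.1f} bits")
```

The two lowercase strings get identical scores from the formula, and the rotation check flags the shifted one with shift 1 and source "gasoline"; the formula itself only measures the alphabet and length, which is why a dictionary-aware check is needed alongside it.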
On 02/15/2015 09:43 AM, Heinz Diehl wrote:
On 15.02.2015, Eddie G. O'Connor Jr. wrote:
imagine if the "word" ISN'T a word that's found in the dictionary.....ANY dictionary.....would that qualify it as being a bit more secure?
Here's the "math" behind it, so you can calculate for yourself:
The password strength (entropy) is calculated this way,
B = ((L * log P) / log 2)
where B is the entropy in bits, L is the length of the password, and P is the amount of possible different chars (the "pool"). So if you choose e.g. base64, P will always be 64, and if you choose a password which e.g. includes A-Za-z0-9 or random chars such as %!"/(] (and so on), P will be higher, thus resulting in a higher strength of the overall password. There are P^L different passwords.
In general, a password only containing letters or numbers must be *very* large to have a high security margin.
I see! Wow....I guess I now have to rethink my entire password process! Thanks for the document....it explained the MD5 / hash a little better.....well gotta get to work on all the security. Maybe I'll take a look at one of those Password Managers after all!
EGO II
Allegedly, on or about 15 February 2015, Eddie G. O'Connor Jr. sent:
I have discovered a method of creating passwords that has helped me greatly throughout the years. I learned it from this girl who was always teased in school for being "weird" LoL! (Thank you Sharon......wherever you are!) So imagine you want to use the word "gasoline" as a password.......the simple trick is to "push" each letter over by one!
Short passkeys, whether words or letters, are too easy to crack, one way or another. Lengthy ones are your best protection. If *you* have to type it in, you really want something that you can type easily, and without making mistakes. Adding difficult stuff to type in only hurts you, they're not any harder to the machines cracking your password than any other characters.
As far as I'm concerned, the easiest way to make lengthy passwords that you can remember and type in correctly is to combine three or more words into a passphrase. Don't use a quote, or logical sentence that someone may guess at. e.g. If people know your favourite film, it's stupid to use a famous quote from it.
Something like "purpleglidingcows" would be something you could type in easy enough, and picture it in your mind as a memory aid. It's odd ball enough that nobody could simply guess it, it's long enough that cracking it would take ages. And for a family situation, where you want to tell others the password to use for something, it's easy enough to tell them what to type.
While some will argue that real words make it easier to crack, I argue that the combination of several makes it damn near impossible. A cracker has to guess the right number of characters, or words, to try, as well as what characters they might be. The possibilities of what your password might be are astronomical.
It's a hell of a long time since I did probabilities in high school maths, but if you just use letters instead of numbers, each position could be any of 26 characters (instead of 10 options), and each position is not related to any other character (one does not determine the other), so my example means that it represents an unknown number of 26 to the power of 17 that you have to guess at.
Of course if you don't know how long my password is, you've got even more combinations to deal with (all of the shorter than 17 character possibilities, too). So, if we converted that word to numbers, tell me what number I'm thinking of right now, that might be anywhere between 0 and something with 24 numerals (to give you approx all the possible variations that my password might have).
If you really think that you could have guessed /that/ password in a useful time, please let us know the winning lottery numbers for next week, while you're at it.
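To put numbers on the combination counts and on the online-versus-offline point Tim makes in his two messages above, here is an added Python example (not from the thread). It computes the key space of a 17-letter lowercase password, the total including all shorter lengths, and how long exhausting half of that space takes at "three goes an hour" compared with an offline guessing rate. The offline rate of 10^10 guesses per second is a constructed figure for comparison, not a measurement of any tool.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Number of distinct passwords of exactly `length` symbols from a pool of
# `pool` symbols: each position is independent, so the count is pool^length
# (26 by 26 by 26 ... for lowercase letters).
def keyspace(pool: int, length: int) -> int:
    return pool ** length

# If the attacker does not know the length, every shorter length is also a
# candidate: the sum of pool^n for n = 1 .. max_len.
def keyspace_up_to(pool: int, max_len: int) -> int:
    return sum(pool ** n for n in range(1, max_len + 1))

# Entropy in bits of a uniformly chosen element of a space of the given size.
def bits(space: int) -> float:
    return math.log2(space)

# On average the correct guess turns up halfway through the space.
def expected_guesses(space: int) -> int:
    return space // 2

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return expected_guesses(space) / guesses_per_second / SECONDS_PER_YEAR

# Rate-limited online login, as in "three goes an hour, then lockout".
ONLINE_3_PER_HOUR = 3 / 3600
# Offline guessing against a stolen copy of the data: constructed figure.
OFFLINE_ASSUMED = 1e10

def summarize(pool: int, length: int) -> dict:
    space = keyspace(pool, length)
    return {
        "pool": pool,
        "length": length,
        "space": space,
        "space_all_lengths": keyspace_up_to(pool, length),
        "bits": bits(space),
        "years_online": years_to_exhaust(space, ONLINE_3_PER_HOUR),
        "years_offline": years_to_exhaust(space, OFFLINE_ASSUMED),
    }

if __name__ == "__main__":
    for pool, length in ((26, 8), (26, 17), (52, 17), (94, 12)):
        s = summarize(pool, length)
        print(f"pool={s['pool']:3d} len={s['length']:2d} "
              f"space={s['space']:.3e} (all lengths {s['space_all_lengths']:.3e}) "
              f"bits={s['bits']:5.1f} "
              f"online={s['years_online']:.2e} yr offline={s['years_offline']:.2e} yr")
```

Two things the table makes visible: adding the shorter lengths changes the total by only a factor of about pool/(pool-1), so the longest length dominates, and the gap between the rate-limited and offline columns is many orders of magnitude, which is why the same password can be safe behind a lockout and weak once the hash file is in the attacker's hands.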
On 02/15/2015 10:09 PM, Tim wrote:
It's a hell of a long time since I did probabilities in high school maths, but if you just use letters instead of numbers, each position could be any of 26 characters (instead of 10 options), and each position is not related to any other character (one does not determine the other), so my example means that it represents an unknown number of 26 to the power of 17 that you have to guess at.
or maybe they did not teach you correctly. ;-)
and, it is really not a probability calculation.
if one uses only the 27 characters, with password 27 characters long, the number of possible combinations is found by multiplying;
1x2x3x4x5x6x7x8x9x10x11x12x13x14x15x16x17x18x19x20x21x22x23x24x25x26x27=
4.9494861138265237094e+26
[do not ask how i am aware of factor as it relates to national security]
which would take an extensively long time for a grid of Cray-2 or Blue Gene computer systems to break. and to do such, 1 Cray-2 would need to first run a process to find all the possibilities, which would then be divided into sequential groups of sections of sequence.
with 3 strikes, wait an hour, it could take a long time, which can be calculated by factoring number of sequences assigned to each cray in above grid, especially if correct sequence was last in group. ((GBWG))
If you really think that you could have guessed /that/ password in a useful time, please let us know the winning lottery numbers for next week, while you're at it.
NFW. do you really think i would tell you the number if i knew it. :-P
Tim:
It's a hell of a long time since I did probabilities in high school maths, but if you just use letters instead of numbers, each position could be any of 26 characters (instead of 10 options)
g:
or maybe they did not teach you correctly. ;-)
and, it is really not a probability calculation.
Nah, it's my memory. And, of course, not "probability" (which is what something else might be, based on what happened before, and not applicable to this situation), but combinations (how many possible combinations could there be).
Which surely had to be 26 by 26 by 26, etc., for the number of characters used in the password. The first character could be anything from A to Z (26 choices), likewise with each subsequent character. It's a base-26 number, instead of base-10 decimal number.
Anyway, bloody huge.
On 02/16/2015 05:56 AM, Tim wrote:
Tim:
It's a hell of a long time since I did probabilities in high school maths, but if you just use letters instead of numbers, each position could be any of 26 characters (instead of 10 options)
g:
or maybe they did not teach you correctly. ;-)
and, it is really not a probability calculation.
Nah, it's my memory. And, of course, not "probability" (which is what something else might be, based on what happened before, and not applicable to this situation), but combinations (how many possible combinations could there be).
Which surely had to be 26 by 26 by 26, etc., for the number of characters used in the password. The first character could be anything from A to Z (26 choices), likewise with each subsequent character. It's a base-26 number, instead of base-10 decimal number.
Anyway, bloody huge.
also, just imagine how huge the 1x2x3x4... combinations would be if you use both upper and lower case letters. ;-)
all of which is why i do agree with what is on the 2 grc.com pages i posted.
if i ever have need to do the calculations again, i am going to write a script to do it. using a calculator is a lot of trouble. LOL.
On 02/15/2015 11:09 PM, Tim wrote:
Allegedly, on or about 15 February 2015, Eddie G. O'Connor Jr. sent:
I have discovered a method of creating passwords that has helped me greatly throughout the years. I learned it from this girl who was always teased in school for being "weird" LoL! (Thank you Sharon......wherever you are!) So imagine you want to use the word "gasoline" as a password.......the simple trick is to "push" each letter over by one!
Short passkeys, whether words or letters, are too easy to crack, one way or another. Lengthy ones are your best protection. If *you* have to type it in, you really want something that you can type easily, and without making mistakes. Adding difficult stuff to type in only hurts you, they're not any harder to the machines cracking your password than any other characters.
As far as I'm concerned, the easiest way to make lengthy passwords that you can remember and type in correctly is to combine three or more words into a passphrase. Don't use a quote, or logical sentence that someone may guess at. e.g. If people know your favourite film, it's stupid to use a famous quote from it.
Something like "purpleglidingcows" would be something you could type in easy enough, and picture it in your mind as a memory aid. It's odd ball enough that nobody could simply guess it, it's long enough that cracking it would take ages. And for a family situation, where you want to tell others the password to use for something, it's easy enough to tell them what to type.
While some will argue that real words make it easier to crack, I argue that the combination of several makes it damn near impossible. A cracker has to guess the right number of characters, or words, to try, as well as what characters they might be. The possibilities of what your password might be are astronomical.
It's a hell of a long time since I did probabilities in high school maths, but if you just use letters instead of numbers, each position could be any of 26 characters (instead of 10 options), and each position is not related to any other character (one does not determine the other), so my example means that it represents an unknown number of 26 to the power of 17 that you have to guess at.
Of course if you don't know how long my password is, you've got even more combinations to deal with (all of the shorter than 17 character possibilities, too). So, if we converted that word to numbers, tell me what number I'm thinking of right now, that might be anywhere between 0 and something with 24 numerals (to give you approx all the possible variations that my password might have).
If you really think that you could have guessed /that/ password in a useful time, please let us know the winning lottery numbers for next week, while you're at it.
It would seem I have been /ignorant/ of password management for all these years. I am grateful for all the advice and instruction from you guys (special Thank You to Heinz Diehl, for breaking things down and explaining things to me on my "sub-atomic" level of understanding!) I am now going to install a Password Manager on both my Fedora and CentOS boxes (and I guess I will see what exists for my Ubuntu and Arch Linux machines as well). I think that armed with a Password manager things might be a little more secure at home.
EGO II
On Sun, 2015-02-15 at 19:17 +0530, Krishna Chandra Prajapati wrote:
Still, I believe keepass is better. your opinion please?
[Please don't top-post. See the list Guidelines]
I don't want to get into which of these is "better" as we all have different ideas of what better means. Personally I use LastPass as it's supported on Linux (some of the others such as Dashlane are not) and I can get to my passwords on my phone and tablet as well as the desktop without having to manually synchronize databases.
My point is that having a password manager is almost always better than not having one.
poc
On Sun, 2015-02-15 at 15:30 +0100, Heinz Diehl wrote:
On 15.02.2015, Krishna Chandra Prajapati wrote:
Still, I believe keepass is better. your opinion please?
KeePassX has strong encryption, is easy to handle and has user-configurable hash iteration to delay brute force attacks. For me, it seems to be perfectly suited.
Agreed, except that it still requires you to synch databases manually if you want to use it in more than one place. Which you usually do.
poc
On Sun, 15 Feb 2015 17:32:05 +0000 "Patrick O'Callaghan" pocallaghan@gmail.com wrote:
On Sun, 2015-02-15 at 15:30 +0100, Heinz Diehl wrote:
On 15.02.2015, Krishna Chandra Prajapati wrote:
Still, I believe keepass is better. your opinion please?
KeePassX has strong encryption, is easy to handle and has user-configurable hash iteration to delay brute force attacks. For me, it seems to be perfectly suited.
Agreed, except that it still requires you to synch databases manually if you want to use it in more than one place. Which you usually do.
I use Figaro's Password Manager (fpm2, available in the Fedora repositories). I don't know how good it is (and would like to hear about that), but it does give me a lot of options in creating the password.
Best wishes, Ranjan
On 15.02.2015, Ranjan Maitra wrote:
I use Figaro's Password Manager. I don't know how good it is (and would like to hear about that)
Unfortunately, I'm not familiar with it, so I can't answer here.
.. but it does give me a lot of options in creating the password.
This plays a minor role, because pwgen exists. On the other hand, when you trust your password manager (which you should when using it), why not trust its password generator?
Personally, I use pwgen because it uses /dev/urandom and is written by Ted Ts'o, whom I trust.
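As an added illustration of the point above (not code from the thread, pwgen, or any of the managers discussed), here is a small generator that draws from the kernel CSPRNG through Python's `secrets` module, which is the same `/dev/urandom`/`getrandom()` source pwgen reads. The character classes are a loose model of pwgen's `-s`/`-y` behaviour; the exact symbol set and the class rules are assumptions, not copied from pwgen's source.

```python
import math
import secrets
import string

# Character classes, loosely modelled on pwgen's defaults: -s gives letters
# and digits, -y additionally mixes in punctuation. The exact symbol set and
# the "at least one of each class" rule are assumptions, not pwgen's code.
LETTERS_DIGITS = string.ascii_letters + string.digits            # 62 symbols
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"                     # 32 symbols


def generate_password(length: int, symbols: bool = True) -> str:
    """Return a uniformly random password from the OS CSPRNG.

    `secrets` reads the kernel random source (/dev/urandom or getrandom()).
    We insist on at least one upper-case letter, one digit and (with
    symbols=True) one punctuation character, and get that by rejection
    sampling rather than by forcing positions, so every acceptable password
    stays equally likely.
    """
    if length < 3:
        raise ValueError("need at least 3 characters to satisfy the class rules")
    alphabet = LETTERS_DIGITS + (SYMBOLS if symbols else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and (not symbols or any(c in SYMBOLS for c in candidate))):
            return candidate


def entropy_bits(length: int, symbols: bool = True) -> float:
    """Upper bound on entropy: log2(alphabet size) per character."""
    size = len(LETTERS_DIGITS) + (len(SYMBOLS) if symbols else 0)
    return length * math.log2(size)


if __name__ == "__main__":
    # Equivalent in spirit to `pwgen -sy 17 1`: one 17-character password.
    pw = generate_password(17)
    print(pw, f"(about {entropy_bits(17):.0f} bits)")
```

The rejection loop costs a handful of retries on average and keeps the distribution uniform over the accepted set; the reported entropy is the per-character upper bound, which the class rules reduce only marginally.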
On 02/15/2015 06:16 AM, Patrick O'Callaghan wrote: <>
On Sun, 2015-02-15 at 22:07 +1030, Tim wrote:
<>
a few years ago, i would have agreed with you both.
except for, a few years ago +1 day, when i needed to find password for a client running w98se, that had an employee leave. he actually was fired and when asked for his password, he supplied the wrong password.
granted, with w98se, such was not a great problem, except that he had also encrypted a lot of files.
on a hunch, to see if he used same password for encrypted files, i ran a web search to see what was available to recover his password, and i found: Austrumi 0.9.2 iso and burned it to a cd.
http://cyti.latgola.lv/ruuni/ ftp://austrumi.ru.lv/
https://en.wikipedia.org/wiki/Austrumi_Linux http://distrowatch.com/table.php?distribution=austrumi
on boot, it presents a list of options, among them is password recovery for oos, which i ran and recovered his password. after login, i found encryption program he used, ran it using his login password and obtained access to files.
the next day, i decided to install w98se on a spare drive and run some tests to see how well it worked. i did notice a little increase in time with larger passwords, but i did not use a stop watch to time them. "counting monkeys" was close enough. ;-)
i have not had need again and i do not know how Austrumi works on latest releases, or even if it does.
i do know that there are many programs for cracking encrypted files and phrases, and i have noted that some have comments regarding the make up.
i see no need to debate what does or does not make good passwords, ie, longer to break or unbreakable, because there are plenty of decrypt programs for linux that you can see for yourself that the more mixed, the harder/longer to decrypt. if you live long enough. ;-)
On 15.02.2015, g wrote:
granted, with w98se, such was not a great problem, except that he had also encrypted a lot of files.
It totally depends on how much entropy a password has, assuming the crypto used is strong and not flawed (e.g. proper implementation of AES, serpent, twofish and the like).
on a hunch, to see if he used same password for encrypted files, i ran a web search to see what was available to recover his password, and i found: Austrumi 0.9.2 iso and burned it to a cd.
[htd@keera ~]$ pwgen -sy 17 1
?AQqh/utFcIl+p$2;
Use KeePassX and encrypt its database with this password. Then, run Austrumi and report back how long it took and how much expenditure it was to pay the electricity bill. You are allowed to use the standard iter-count :-)
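To put numbers on both points made in this thread (Heinz's earlier remark that KeePassX's user-configurable hash iteration count delays brute force, and the challenge above of a 17-character `pwgen -sy` password), here is an added worked example, not code from the thread or from KeePassX. It uses PBKDF2-HMAC-SHA256 from the standard library purely as a stand-in for a password manager's key transformation (KeePassX uses an AES-based transform, so the absolute timings differ), measures the cost of one offline guess at a given round count, and projects the worst-case time to exhaust the keyspace. The 94-symbol alphabet for `pwgen -sy` output is an assumption.

```python
import hashlib
import math
import os
import time

# Stand-in for a password-manager KDF. KeePassX actually uses an AES-based
# key transformation; PBKDF2-HMAC-SHA256 is used here only because it is in
# the standard library and has the same tunable "rounds" knob.


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Turn a master password into a 256-bit database key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine, i.e. of one offline guess.

    An attacker with the database file must pay this per candidate password,
    which is exactly why a higher round count slows brute force.
    """
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        derive_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def seconds_to_exhaust(entropy_bits: float, seconds_per_guess: float,
                       parallel: int = 1) -> float:
    """Worst-case time to try every password of the given entropy."""
    return (2.0 ** entropy_bits) * seconds_per_guess / parallel


def human(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    return f"{seconds / year:.3g} years" if seconds >= year else f"{seconds:.3g} s"


if __name__ == "__main__":
    # pwgen -sy 17: assume all 94 printable ASCII characters are possible.
    strong = 17 * math.log2(94)
    # A weak choice for comparison: 8 lower-case letters.
    weak = 8 * math.log2(26)
    for rounds in (1, 10_000, 100_000):
        cost = measure_seconds_per_guess(rounds)
        print(f"{rounds:>7} rounds: {cost * 1e6:9.1f} us/guess")
        for label, bits in (("weak  ", weak), ("strong", strong)):
            one = human(seconds_to_exhaust(bits, cost))
            many = human(seconds_to_exhaust(bits, cost, parallel=10 ** 6))
            print(f"    {label} ({bits:5.1f} bits): {one} on 1 core, {many} on 10^6 cores")
```

Running it shows the two levers separately: rounds buy a linear slowdown (10,000 rounds make each guess roughly 10,000 times dearer), while each extra bit of password entropy doubles the work. A weak password with a high round count is still within reach of a million cores; the 111-bit password above is not, at any round count.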
On 02/15/2015 08:50 AM, Heinz Diehl wrote: <<>>
[htd@keera ~]$ pwgen -sy 17 1
?AQqh/utFcIl+p$2;
Use KeePassX and encrypt its database with this password. Then, run Austrumi and report back how long it took and how much expenditure it was to pay the electricity bill. You are allowed to use the standard iter-count :-)
i am not in disagreement as to the entropy factor. longer is better whether using a limited set of characters only or all printable keys on keyboard. all printable keys just makes decrypting longer.
if i were to run Austrumi, i would have to install oos. NFW. ;-)
Allegedly, on or about 15 February 2015, g sent:
a few years ago +1 day, when i needed to find password for a client running w98se, that had an employee leave. he actually was fired and when asked for his password, he supplied the wrong password.
granted, with w98se, such was not a great problem, except that he had also encrypted a lot of files.
on a hunch, to see if he used same password for encrypted files, i ran a web search to see what was available to recover his password, and i found: Austrumi 0.9.2 iso and burned it to a cd.
http://cyti.latgola.lv/ruuni/ ftp://austrumi.ru.lv/
https://en.wikipedia.org/wiki/Austrumi_Linux http://distrowatch.com/table.php?distribution=austrumi
on boot, it presents a list of options, among them is password recovery for oos, which i ran and recovered his password. after login, i found encryption program he used, ran it using his login password and obtained access to files.
Well if you use a crappy encryption technique, it doesn't matter how good your password is, if you have a technique to be able to reverse engineer it (which is entirely different from just throwing passwords at some remote service which only gives you a pass/fail result interface).
Windows was well known for poor security, especially back then. And that is just one reason why you don't use the same password in multiple places.
There are plenty of things with bad encryption, or the program that controls it can be subverted.
On 02/15/2015 10:16 PM, Tim wrote: <<>>
Well if you use a crappy encryption technique, it doesn't matter how good your password is, if you have a technique to be able to reverse engineer it (which is entirely different from just throwing passwords at some remote service which only gives you a pass/fail result interface).
in web search, i did get a lot of hits that offered to crack the password if the encryption was sent to them. but i did not see need when Austrumi was described as being able to crack password.
Windows was well known for poor security, especially back then. And that is just one reason why you don't use the same password in multiple places.
i never do.
There are plenty of things with bad encryption, or the program that controls it can be subverted.
without debate. ;-)
Tim:
Windows was well known for poor security, especially back then. And that is just one reason why you don't use the same password in multiple places.
g:
i never do.
The one saving grace of really annoying and different password requirements for different services was stopping people from using the same password everywhere.
i.e. Site A says your password must be 8 letters long, site B says your password must be between 10 and 15 letters long...
But I always hated things that enforced crappy passwords thanks to their dumb rules.
On 02/16/2015 05:59 AM, Tim wrote:
Tim:
Windows was well known for poor security, especially back then. And that is just one reason why you don't use the same password in multiple places.
g:
i never do.
The one saving grace of really annoying and different password requirements for different services was stopping people from using the same password everywhere.
this is true. crack one, cracked all.
i.e. Site A says your password must be 8 letters long, site B says your password must be between 10 and 15 letters long...
But I always hated things that enforced crappy passwords thanks to their dumb rules.
same here and why i always use 16 characters of u/l letters, numbers and special characters.
i am waiting for the day when i have a site tell me 16 is too long. for sure i will write web master and let him know he is a dumb ass. LOL.
On 15 February 2015 at 02:39, Timothy Murphy gayleard@eircom.net wrote:
I was rather surprised to find that I could read the passwords stored by Mozilla/Firefox (Preferences=>Security). I always assumed they were encrypted in some way. Pure ignorance, I guess.
In the past the username/password pairs were stored in signons*.txt then it was changed to use signons.sqlite and starting from Firefox 32.0 logins.json is used. AFAIU the usernames and passwords stored in those files are encrypted and the encryption key is key3.db, in the profile directory. You can see them in the password manager GUI because they were decrypted for you.
Anyone who has access to your machine and consequently access to logins.json and key3.db can copy those two files to another Firefox profile or a different machine and gain access to your passwords. To guard against that you'd have to set a Master password in Firefox, which locks access to that data altogether (but it adds the inconvenience of having to enter that password every time you start Firefox).
(Looks like a reasonable method to me).
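An added check, not code from the thread or from Mozilla, that follows the description above: it parses a `logins.json` and reports, per saved login, whether the password field is an NSS "Secret Decoder Ring" blob (the key for which sits in `key3.db` in the same profile) or a legacy base64-only entry that is effectively plaintext. Nothing here reads `key3.db` or decrypts anything. The sample file is constructed inline and its blobs are filler bytes, not real ciphertext; the field names and the `encType` convention (1 = SDR-wrapped, 0 = plain base64) are taken from Firefox's login store format as I know it, not from this thread.

```python
import base64
import json

# Constructed sample in the shape of a Firefox (>= 32) logins.json. The
# "encrypted" blobs are filler (a DER SEQUENCE header plus zero bytes), not
# real NSS output. Field names and encType values follow Firefox's login
# store as I know it: encType 1 = wrapped by NSS's Secret Decoder Ring (key in
# key3.db), encType 0 = legacy base64 with no encryption at all.


def _fake_sdr_blob() -> str:
    return base64.b64encode(b"\x30\x1e" + b"\x00" * 30).decode()


SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 3,
    "logins": [
        {
            "id": 1,
            "hostname": "https://example.com",
            "httpRealm": None,
            "formSubmitURL": "https://example.com",
            "usernameField": "user",
            "passwordField": "pass",
            "encryptedUsername": _fake_sdr_blob(),
            "encryptedPassword": _fake_sdr_blob(),
            "guid": "{00000000-0000-0000-0000-000000000001}",
            "encType": 1,
        },
        {
            "id": 2,
            "hostname": "http://legacy.example.net",
            "httpRealm": "intranet",
            "formSubmitURL": None,
            "usernameField": "",
            "passwordField": "",
            "encryptedUsername": base64.b64encode(b"bob").decode(),
            "encryptedPassword": base64.b64encode(b"hunter2").decode(),
            "guid": "{00000000-0000-0000-0000-000000000002}",
            "encType": 0,
        },
    ],
})


def audit_logins(text: str) -> list:
    """One finding per stored login. Nothing here reads key3.db or decrypts.

    sdr_wrapped is True only when the entry claims encType 1 and the blob
    decodes to DER (first byte 0x30, a SEQUENCE), which is what SDR emits.
    """
    findings = []
    for entry in json.loads(text).get("logins", []):
        enc_type = entry.get("encType", 0)
        blob = base64.b64decode(entry.get("encryptedPassword", ""), validate=True)
        wrapped = enc_type == 1 and blob[:1] == b"\x30"
        findings.append({
            "hostname": entry.get("hostname"),
            "sdr_wrapped": wrapped,
            "note": ("ciphertext; the key is key3.db in the same profile, so the pair "
                     "is only as safe as the profile directory unless a master "
                     "password is set")
                    if wrapped else
                    "not SDR-wrapped: treat as plaintext and rotate this credential",
        })
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOGINS_JSON):
        print(f"{f['hostname']:<28} sdr_wrapped={f['sdr_wrapped']}  {f['note']}")
```

Point it at a real profile's `logins.json` to confirm that every entry is SDR-wrapped; even then, as the message above says, the protection of the pair of files comes from the master password, not from the on-disk encryption alone.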