Storing passwords
What's the recommended FSF method of storing passwords?
I don't know if it's FSF-recommended, but I use KeePass2. It's fully FLOSS and there's a PPA available on Launchpad that's compatible with Trisquel. It runs on Mono.
KeePass is best
KeePass2 should be avoided. It depends on Mono, which is a huge beast with a huge potential for security holes.
KeePass is a better choice as it needs Wine or Windows and no other dependencies.
The KeePass format has the advantage of having quite a lot of apps using it. You have apps for Android and J2ME too. For *nix native you have KeePassX which is quite slim. The downside: there is no documentation.
I hear a brain is quite secure these days (unless you get interrogated).
On Sat, 2014-04-12 at 14:39 +0200, name at domain wrote:
> KeePass2 should be avoided. It depends on Mono. Which is a huge beast with a
> huge potential for security holes.
> KeePass is a better choice as it needs Wine or Windows and no other
> dependencies.
>
> The KeePass format has the advantage of having quite a lot of apps using it.
> You have apps for Android and J2ME too. For *nix native you have KeePassX
> which is quite slim. The downside: there is no documentation.
>
lolz
Yes - your head is best, and this will probably help, because you only need to keep one secret in your head while having strong passwords for each thing you need, with no need to keep passwords saved away in a database:
You're right that the best place is your head.
However, IMO the method you describe will merely prevent the script-kiddie style bots which try common passwords. Other than those, all the method you give does is introduce another documented level of cryptographic hashing to what will mostly be a human-decided pair by some system. Therefore any cracker who profiles you as an individual and knows the definitely-not-random habits of human choosing will still be able to crack this. If you look around the web you'll find many security experts advise that for password security you need lots of _real_ entropy, not human pseudo-random 'imagination', and definitely not anything based on a system, or it's one cracked, all cracked.
I'd like to see you try. The script published does not reflect the same one I use and breaking the SHA2 hashing algorithm itself would not be trivial. Even if it were, SHA3 and other hashing algorithms are also available.
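To make the disagreement in the two posts above concrete, here is an added example (not the poster's script, which is not on this page): a hypothetical "one secret in your head" scheme that derives each site's password as SHA-256 over the master secret and the site name, followed by the offline guessing attack the reply describes. The scheme, the separator byte, the 62-symbol alphabet and the candidate-master list are all assumptions chosen for the demo; the point it shows is that the hash adds no entropy, so a derived string that looks like 95 bits falls in a handful of guesses when the master secret is human-chosen.

```python
"""Added example: a hypothetical master-secret derivation scheme and an
offline guessing attack against it. Not the poster's script."""
import hashlib
import hmac
import itertools
import math
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumption)


def derive_password(master: str, site: str, length: int = 16) -> str:
    """Hypothetical derivation: SHA-256(master || NUL || site), encoded into
    `length` symbols of ALPHABET. Deterministic: the same master always
    yields the same password for a given site."""
    digest = hashlib.sha256(f"{master}\x00{site}".encode("utf-8")).digest()
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def apparent_entropy_bits(password: str) -> float:
    """What the derived string *looks* like: length * log2(alphabet size)."""
    return len(password) * math.log2(len(ALPHABET))


def candidate_masters():
    """Constructed guess list modelling 'definitely not random habits':
    a pet name, a memorable year and an optional trailing character."""
    for name, year, suffix in itertools.product(
            ["Rex", "Tiger", "Bella", "Max"], ["1984", "1990", "2014"], ["", "!", "1"]):
        yield f"{name}{year}{suffix}"


def recover_master(site: str, leaked_password: str, candidates):
    """Offline attack: one derived password leaked (say, from a site that
    stored it in the clear). Each candidate master costs one SHA-256; the
    first one that reproduces the leak is the master secret, and with it
    every other site's password. Returns (master or None, guesses tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if hmac.compare_digest(derive_password(guess, site), leaked_password):
            return guess, tried
    return None, tried


def demo():
    master = "Tiger1990!"                       # constructed 'human' secret
    leaked = derive_password(master, "example.org")
    found, tried = recover_master("example.org", leaked, candidate_masters())
    # The hash adds no entropy: the attacker needs only as many guesses as
    # the master secret has plausible values, however random the derived
    # string appears.
    return leaked, apparent_entropy_bits(leaked), found, tried


if __name__ == "__main__":
    leaked, bits, found, tried = demo()
    print(f"leaked {leaked!r} (looks like {bits:.1f} bits)")
    print(f"recovered master {found!r} after {tried} guesses")
```

Note that "breaking SHA-2" never enters into it: the attacker runs the published derivation forwards over a list of likely master secrets, which is why the strength of the scheme is exactly the entropy of the one secret in your head.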
>I hear a brain is quite secure these days (unless you get interrogated).
I wonder how good an argument this is considering you still need to input the password using hardware and software, potentially vulnerable to keyloggers and network sniffers &c. And it certainly cuts down on the complexity (and in worst case the number) of the remembered passwords.
In related news I'm always shocked to see people logging in to various services using public computers, not aware of the risk or trusting the machine not to be compromised. Of course, using one-time pads would negate any such worries, but somehow I doubt too many people use such devices.
Try Revelation.
Can't I use something like GnuPG?
Whatever you use, make sure the license respects your freedom. KeepassX is nice.
I use no software. All passwords in my head and brain.
Use MATHEMATICS to generate and remember strong passwords, and remember only the logic.
Here's at least two options.
If you have to use your head you can try XKCD's famous Horse Staple Battery Method: http://xkcd.com/936/
Generator - http://correcthorsebatterystaple.net/
Alternatively there's KeepassX (same as KeePass but doesn't need Mono), plus it's in the native repo so you don't have to worry about sketchy PPAs:
http://packages.trisquel.info/search?keywords=keepassx&searchon=names&suite=toutatis&section=all
Why to be wary of PPAs:
http://www.techrepublic.com/blog/linux-and-open-source/hand-of-thief-malware-could-be-dangerous-if-you-install-it/
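An added example (not from the original post, from xkcd, or from the correcthorsebatterystaple.net generator) of what the "Horse Staple Battery" method amounts to in code: words drawn uniformly from a known list with the operating system's CSPRNG, plus the entropy arithmetic that makes it work. The embedded 16-word list is constructed for an offline demo; a real diceware-style list has 7776 words, and the 7776 figure below is the standard list size, not something this thread states. The character-password generator at the end is the same idea applied to an alphabet, which is what the KeePassX or apg generators mentioned in this thread do in principle.

```python
"""Added example: XKCD-936 style passphrase generation with the entropy
arithmetic behind it. Not the code of xkcd or of any generator site."""
import math
import secrets
import string

# Constructed mini wordlist for an offline demo. Strength comes from the
# list size and the uniform draw, not from the particular words.
WORDLIST = [
    "correct", "horse", "battery", "staple", "cloud", "lantern", "pebble",
    "orbit", "walnut", "violin", "glacier", "meadow", "copper", "falcon",
    "harbor", "thimble",
]
DICEWARE_LIST_SIZE = 7776   # 6^5, the size of a standard diceware list


def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from `list_size`
    choices. Assumes the attacker knows the list and the method; the only
    secret is which words came up."""
    return words * math.log2(list_size)


def words_for_target(target_bits: float, list_size: int) -> int:
    """Smallest number of words from `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Draw each word with secrets.choice (OS CSPRNG), never random.choice.
    Repeats are allowed so the draws stay independent and the math exact."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Same construction for a character password: uniform CSPRNG draws
    from an alphabet, so its entropy is length * log2(len(alphabet))."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{passphrase_bits(4, DICEWARE_LIST_SIZE):.1f} bits: 4 diceware words")
    print(f"{passphrase_bits(4, len(WORDLIST)):.1f} bits: 4 words from the demo list")
    print(f"{words_for_target(80, DICEWARE_LIST_SIZE)} diceware words for 80 bits")
    print(generate_password())
```

The numbers are the whole argument: four words from the demo list are only 16 bits, four from a 7776-word list are about 52 bits, and the strength does not depend on keeping the list secret. The same arithmetic says that a 16-character alphanumeric password from a real generator is about 95 bits, which is why a generated password in KeepassX beats any memorable system.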
What's more secure?
1. Use my normal internet connected computer to install and use keepassx and use the passwords from keepassx as and when needed while connected to the internet
2. Use a separate disconnected computer which has a fully encrypted hard drive, create a text file to store the passwords. This computer will never be connected to the internet ever and will only be switched on as and when a password has been forgotten from my own memory.
I don't mind the inconvenience of option 2 if it's more secure. I mainly want a super secure backup just in case I forget a password in my head.
see post # 6.
Best Regards
Hello everybody,
Yes, KeepassX is a good choice (and yes FSF recommends to avoid Mono-based apps).
To generate random passwords, you can use KeepassX or a CLI app like apg. I don't know if both apps use the same algorithm or not. Maybe it's a good thing to use passwords generated from different algorithms.
KeepassX has a good page of help once you launch the program.
Cheers