Coming up with a password that is very strong.

Re: Coming up with a password that is very strong.

Rich Freeman
On Mon, Feb 4, 2019 at 5:12 PM Dale <[hidden email]> wrote:

>
> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >
> >>> One reason I use LastPass, it is mobile.  I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> logoff and it is like I was never there.
> >> As much as I like Lastpass I would never do that.  It isn't magic - it
> >> is javascript.  If there is a compromise on your computer, then your
> >> password database will be compromised.  This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.

Correct, it just needs access to the user's data or browser process,
which could mean running as root, or that user.

>
> I might point out, LastPass encrypts the password before sticking it in
> a file.  It isn't visible or plain text.  Even getting the file would
> still require some tools and cracking to get the password itself.

That assumes you're attacking the password file directly.

If you're using lastpass on a compromised system then there are many
ways that can be used to bypass the encryptions.  They could sniff
your master password when you key it in, or read it directly from the
browser's memory.  These things are protected from sandboxed code in
your browser, but not from processes running outside the browser
(unless again you're using a non-conventional privilege system like
selinux/android/etc).

--
Rich


Re: Coming up with a password that is very strong.

Mick-10
In reply to this post by Dale-46
On Monday, 4 February 2019 22:12:16 GMT Dale wrote:

> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>> One reason I use LastPass, it is mobile.  I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> logoff and it is like I was never there.
> >>
> >> As much as I like Lastpass I would never do that.  It isn't magic - it
> >> is javascript.  If there is a compromise on your computer, then your
> >> password database will be compromised.  This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> >
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.
>
> I might point out, LastPass encrypts the password before sticking it in
> a file.  It isn't visible or plain text.  Even getting the file would
> still require some tools and cracking to get the password itself.
> Cracking the master password would likely be much easier and doesn't
> even require access to the box itself, Linux or windoze.  Also, LastPass
> only stores the encrypted password on its servers.  Even if LastPass is
> hacked, the passwords are still encrypted.  It's one reason LastPass
> shouldn't have to worry about getting court orders to turn over
> passwords.  It doesn't really have them.  I would suspect that cracking
> an encrypted password is as difficult as is just poking at a password
> until it is guessed.
>
> Even if a person is using a perfect tool, cracking a password is always
> going to be possible.  The tougher the password, the harder it will be
> and the longer it will take.  Still, it can be done.  Using these tools
> just makes it harder.  I'm not aware of a perfect password tool.  I
> doubt one exists or ever will either.  ;-)  It's still good to pick one,
> use it and try to be as secure as one can.
>
> Dale
>
> :-)  :-)
A solution like LastPass et al., using a browser's javascript to access it,
under a single master passwd, theoretically would have so many side-channel
attacks no one would be wasting time to brute force anything.

https://en.wikipedia.org/wiki/LastPass#Security_issues

You could use gpg/openssl to encrypt a number of files, which would contain
your different website/application passwds.  For paranoid use cases you can
use asymmetric keys and store your private key out-of-band.  Sure, it won't be
as convenient as LastPass, but I expect it would be more secure and unlikely
to be compromised by XSS vulnerabilities.

--
Regards,
Mick


Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by tanstaafl-2
Tanstaafl wrote:

> On 2/4/2019, 12:47:35 AM, Dale <[hidden email]> wrote:
>> Thing is, with today's computing power, it really isn't anymore.
>> While no one could just guess it, it could be cracked/hacked I'm
>> sure.  I need to come up with a new one that meets the requirements I
>> just mentioned.  Strong, easy to remember, easy to type but won't
>> forget.  I've read that using maiden names, years of birth or whole
>> dates of birth, actual names, pet's name, words in a dictionary and a
>> whole list of other things makes it easier, especially if you post a
>> lot on social media, for hackers to use against you.  I'm trying to
>> avoid that sort of thing obviously and have a couple ideas but am
> > curious as to what method others use, without exposing too much
>> detail since this is public.
> I've been using a little Firefox Addon called Passwordmaker for many,
> many years, and despite all of its warts, I've been loath to give it
> up, even though it will never be upgraded to work as a WebExtension.
>
> 2 things I loved about it -
>
>  a) it doesn't save the password locally, only info about the
>     site/account, and
>  b) you can use an unlimited number of Master Passwords
>
> I'm looking at migrating to KeePassXC, and even though I really hate the
> idea of saving the actual password - Passwordmaker simply generates the
> password on the fly each time based on certain specified criteria (ie,
> the site URL, username, password length, etc for each account - one
> technique I adopted shortly after assisting in updating the
> Passwordmaker website eases my mind about it...
>
> This is a simple technique I strongly recommend that everyone employ,
> especially if you use a Password manager (like LastPass or KeePass)...
>
> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
> to crack it and they are willing to kidnap/torture you to do so).
>
> You sit down and come up with a ... call it a 'password modification
> protocol' ... whereby, you always modify your generated/stored password
> in a specific way before pressing enter.
>
> For example, you delete characters 3, 5 and 7, then add 2 characters to
> the beginning and 2 to the end.
>
> It is very simple, and negates worrying about someone stealing your
> password vault.
>
>


I tried to find it just to see how it works but it isn't listed.  From
what you wrote, you may want to at least check into LastPass.  Link
below.  It may do what you currently use and some.  I only use the free
version and it does more than I need already.  I think if I get a smart
phone, I'd have to pay a small monthly fee.  Still, I'm sure there is a
tool that will suit your needs.  There are a lot of them out there.
Typing password in the add-on search box produces a LOT of results.
Just find a good one and let it work for you.

https://www.lastpass.com/

I'm not sure I understand what you mean by password modification protocol.
It sounds like you change your master password each time you use it.  If
I did that, I'd never know which one to use because that would confuse
me.  I don't write passwords down, period.  I went to the local nursing
home the other day, to drop off some puzzle books and a bunch of
bananas, and they have a coded entry thing on the door.  I entered the
code a couple times and it didn't work.  One of the nurses that was
coming on shift came up and entered the code.  When she told me the
code, I realized I was using the code they had before the current one. 
I shifted back in time a bit I guess.  I may not have a flux capacitor
but I did it anyway.  lol   I admit, some of the new things they use, I
have no idea how they work since I've never used most of them.  I've
read about a few of them but don't really get how they work.  If I used
them, I'd get it.

What I hate most, when my bank changes something about their login
process and a little research shows it accomplishes nothing.  My credit
card site has this picture and phrase thing.  I found where it was
researched and it does little to actually help because most people don't
pay it any attention.  My biggest cheat, I adblock stuff on the bank
website, like their great big logo thing.  If I do go to a website and
that logo shows up, it didn't match my adblock setting.  At that point,
that gets a little extra attention until I know for sure and for certain
I'm on the correct site.  Also, LastPass will pick up it's on the wrong
site too.  It won't fill in the password info if it doesn't match up.
They've had the same logo on the site for years.

It's amazing what we have to do with our computers to keep ourselves
safe because of . . . computers.  :/  I guess this is one reason I like
Linux.  It at least tries to be secure. 

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Roger J. H. Welsh
In reply to this post by Dale-46
Hi Dale,

On  Sun, Feb 03, 2019 at 11:47:35PM -0600 , Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?

I have a script for generating passwords the way I like (basically diceware on bash).

Something like:
FACTOR=$(( 2**32 / $(wc -l < "$WORDLIST") ))   # scale a 32-bit random value onto a line number
# +1 so a random value of 0 does not give "head -n 0" (no output); values past the end still pick the last line
head -n "$(( $(od -vAn -N4 -tu4 < /dev/random) / FACTOR + 1 ))" "$WORDLIST" | tail -n 1

I use this in conjunction with
https://github.com/dwyl/english-words/blob/master/words.txt

As far as I understand, if you have about 96 bits of entropy you are
golden. 256 bits is unbruteforceable (at least within the realms of
physics apparently).
5 words = 94 bits (which is good enough for me)
14 words = 256 bits (which seems like a lot of typing)

I also have a messy spreadsheet for checking passwords.
https://github.com/rjhwelsh/gpg-tutorial/blob/master/password_checker.ods

I provide no warranty for my working. ;)

--

Roger Welsh
fpr: 2FCB 9E31 EA77 CDEC A3AE  5DD7 D54C C777 553A 180D
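Roger's one-liner picks a word by dividing a 32-bit random value by a scale factor. The script below is an added example for this page, not code from any post in the thread: it does the same selection with Python's secrets module, whose choice() uses the OS random source with rejection sampling and so picks every line with exactly equal probability (the head/tail approach slightly over-selects the last line), and it works through the entropy arithmetic the post quotes. The list size of about 466,000 words for the linked words.txt is an assumption and is passed in as a parameter; at that size each word contributes about 18.8 bits, so five words give roughly 94 bits and fourteen give more than 256. It also computes the number Mick's earlier reply is about, a random string of the same character count drawn from the 94 printable ASCII characters. The embedded wordlist is a constructed stand-in for the real file.

```python
import math
import secrets

# Constructed stand-in for the real wordlist; in practice read one word per
# line from a file such as the dwyl words.txt linked in the post.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "drizzle", "ember", "fjord", "glacier",
    "harbor", "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "ripple", "saddle", "thistle", "umber",
    "velvet", "walnut", "yarrow", "zephyr",
]

PRINTABLE_ASCII = 94  # characters available to a "random symbols" password


def entropy_bits(n_items, pool_size):
    """Entropy of n_items independent, uniform picks from pool_size choices."""
    return n_items * math.log2(pool_size)


def words_needed(target_bits, pool_size):
    """Smallest number of words from a pool_size list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(n_words, wordlist=SAMPLE_WORDLIST, sep="-"):
    """Pick n_words uniformly at random, with replacement.

    secrets.choice draws from the OS CSPRNG and rejects out-of-range values,
    so no line of the list is favoured; mapping a 32-bit value onto a line
    number by integer division, as the shell one-liner does, gives the last
    line a little extra weight.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def load_wordlist(path):
    """Read one word per line, skipping blanks, for use with generate_passphrase."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


def compare(n_words, list_size, n_chars):
    """Bits for an n-word passphrase next to an n_chars random printable-ASCII password."""
    return {
        "passphrase_bits": round(entropy_bits(n_words, list_size), 1),
        "random_ascii_bits": round(entropy_bits(n_chars, PRINTABLE_ASCII), 1),
    }


if __name__ == "__main__":
    LIST_SIZE = 466_000  # assumed size of the linked words.txt
    for n in (5, 14):
        print(n, "words ->", round(entropy_bits(n, LIST_SIZE), 1), "bits")
    print("words for 96 bits:", words_needed(96, LIST_SIZE))
    print("words for 256 bits:", words_needed(256, LIST_SIZE))
    print(compare(5, LIST_SIZE, 14))
    print(generate_passphrase(5))
```

The comparison function makes the point both sides of the xkcd argument were circling: a five-word phrase from a 466,000-word list and a 14-character random printable-ASCII string land at roughly the same strength (about 94 versus 92 bits), so the question is only which of the two you can reliably remember and type.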


Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Neil Bothwick
Neil Bothwick wrote:

> On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:
>
>>> https://xkcd.com/936/ 
>> Not strictly true ... the crackers would probably use rainbow tables
>> attacks first.  Also, it isn't fair to compare an 11 character passwd
>> against a 25 character passwd.  For the *same* number of characters
>> used in any given passwd, a random lower/upper/numerical/symbol passwd
>> will provide an exponentially higher degree of difficulty in cracking
>> it with brute force, than one which uses only lower case dictionary
>> words.  Anyway, these days many attacks are focused on OS or hardware
>> vulnerabilities which have been baked in by design, rather than brute
>> force attacks.
> I'm not sure xkcd is meant to be taken that seriously...
>
>


Sort of picking a random message to reply to here.  Someone sent a reply
off list about checking passwords on my system with tools available.
They also mentioned not trusting strength meters which I can get since
they pass some obvious passwords.  I used three meters and some sort of
common sense as well.  I found cracklib-check after some digging.  I
used that to try to check my password and get this weird response. 

-su: me-supper-secret-password-here;): event not found

I'm going to try to emulate my password without actually posting it, for
obvious reasons.  You all are smart enough to understand why.  ROFL  It
has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
tell, I use some of those things on the tops of the number keys.  It
seems that confuses cracklib just a bit.  BTW, I was running that as
root just to be sure it wasn't a permissions issue.  I tried a few
different things but it seems the "!" is triggering that at least, maybe
others too.  The command works fine with just normal stuff.  That leads
me to this question.  Is there a tool I can use/install that will test a
password, try to crack it if you will, that will work regardless of the
characters used?  In other words, it doesn't mind the things on top of
the number keys. 

BTW, I've also whittled it down to something a little easier to type
too.  Feel sorry for any poor fool trying to just guess it.  lol  May
have better luck with P vs NP.  ;-)

Thanks.

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Rich Freeman
Rich Freeman wrote:

> On Mon, Feb 4, 2019 at 5:12 PM Dale <[hidden email]> wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>
>>>>> One reason I use LastPass, it is mobile.  I can go to someone else's
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>> logoff and it is like I was never there.
>>>> As much as I like Lastpass I would never do that.  It isn't magic - it
>>>> is javascript.  If there is a compromise on your computer, then your
>>>> password database will be compromised.  This is true of other
>>>> solutions like KeePassX and so on - if something roots your box then
>>>> it will be compromised.
>>> I don't see what root has to do with it. If someone gains access to your
>>> box, they can copy the database file and then take their time trying to
>>> crack the password, but you don't need to be root to do that.
> Correct, it just needs access to the user's data or browser process,
> which could mean running as root, or that user.
>
>> I might point out, LastPass encrypts the password before sticking it in
>> a file.  It isn't visible or plain text.  Even getting the file would
>> still require some tools and cracking to get the password itself.
> That assumes you're attacking the password file directly.
>
> If you're using lastpass on a compromised system then there are many
> ways that can be used to bypass the encryptions.  They could sniff
> your master password when you key it in, or read it directly from the
> browser's memory.  These things are protected from sandboxed code in
> your browser, but not from processes running outside the browser
> (unless again you're using a non-conventional privilege system like
> selinux/android/etc).
>


One could argue the same thing with any password tool out there though,
right?  After all, at some point, all password tools have to decrypt the
password even if it is only in memory.  At that point, it can be
'sniffed' out.  Thing is, if my system or any system I use is
compromised, I'll have the same issue no matter what I do or what tool I
use.  Even if I use the password tool included in Firefox or any other
browser, wouldn't I run into the same problem?  Wouldn't I run into some
other security problem if I used no password tool at all and just typed
in the same password for say 20 or 30 different sites?  The solution is,
be reasonably secure.  Nothing is 100% secure unless it is turned off
completely, maybe not even then.  I'm sure even selinux has its security
issues as well.  It is after all an OS that runs a lot of code and only
needs one flaw in it.

As I've pointed out before on different topics, if a person gets
physical access or control of a machine and is able to install things on
it, it doesn't really matter what one does unless they can detect it
somehow before ever using anything.  Given I only install things from
trusted sources, the odds of that happening are likely very small.  Even
my neighbors don't install much of anything because they mostly use it
to access financial sites and to check their email.  They are an older
pair so they don't use it like even someone my age does.  Still, if I
did have to use it in a situation, such as ordering computer parts to
rebuild, I'd likely change my more important passwords just to be sure
ASAP.  I already do that regularly anyway especially for my financial
sites.  That's another thing LastPass tracks, how long a password has
been in use for a site.  It reminds me of that sort of thing.

While I'm trying to come up with a good password, I don't expect it to
cover every possible case.  While I use LastPass, I don't expect it to
be a perfect solution.  I wouldn't expect it of any other tool either. 
Thing is, LastPass does what I need and is likely as secure as other
tools that can do the same things.  I get that one can be hacked as you
describe but once a person is able to do what you describe, it really
doesn't matter what tool I use.  Even a simple keylogger can do the job
if I use no password tool at all.  I'm just trying to be reasonably
secure.  If everyone or even most everyone would do the same, those
little script kiddies would have to work much harder.  That's one thing I
read about while googling for ways to come up with passwords.  Over half
the people using passwords use some really awful ones.  Some use the
same one for a lot of sites as well.  Something we both know is bad.  If
everyone would put in even a tenth of the effort I am, the internet
would be a much safer place. 

Dale

:-)  :-) 




Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Mick-10
Mick wrote:

> On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>> One reason I use LastPass, it is mobile.  I can go to someone else's
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>> logoff and it is like I was never there.
>>>> As much as I like Lastpass I would never do that.  It isn't magic - it
>>>> is javascript.  If there is a compromise on your computer, then your
>>>> password database will be compromised.  This is true of other
>>>> solutions like KeePassX and so on - if something roots your box then
>>>> it will be compromised.
>>> I don't see what root has to do with it. If someone gains access to your
>>> box, they can copy the database file and then take their time trying to
>>> crack the password, but you don't need to be root to do that.
>> I might point out, LastPass encrypts the password before sticking it in
>> a file.  It isn't visible or plain text.  Even getting the file would
>> still require some tools and cracking to get the password itself.
>> Cracking the master password would likely be much easier and doesn't
>> even require access to the box itself, Linux or windoze.  Also, LastPass
>> only stores the encrypted password on its servers.  Even if LastPass is
>> hacked, the passwords are still encrypted.  It's one reason LastPass
>> shouldn't have to worry about getting court orders to turn over
>> passwords.  It doesn't really have them.  I would suspect that cracking
>> an encrypted password is as difficult as is just poking at a password
>> until it is guessed.
>>
>> Even if a person is using a perfect tool, cracking a password is always
>> going to be possible.  The tougher the password, the harder it will be
>> and the longer it will take.  Still, it can be done.  Using these tools
>> just makes it harder.  I'm not aware of a perfect password tool.  I
>> doubt one exists or ever will either.  ;-)  It's still good to pick one,
>> use it and try to be as secure as one can.
>>
>> Dale
>>
>> :-)  :-)
> A solution like LastPass et al., using a browser's javascript to access it,
> under a single master passwd, theoretically would have so many side-channel
> attacks no one would be wasting time to brute force anything.
>
> https://en.wikipedia.org/wiki/LastPass#Security_issues
>
> You could use gpg/openssl to encrypt a number of files, which would contain
> your different website/application passwds.  For paranoid use cases you can
> use asymmetric keys and store your private key out-of-band.  Sure, it won't be
> as convenient as LastPass, but I expect it would be more secure and unlikely
> to be compromised by XSS vulnerabilities.
>


From what I read, no users had their passwords compromised in those.  As
I pointed out earlier, the passwords are already encrypted when they are
sent to LastPass.  If I called LastPass, could prove I am who I claim to
be and asked them for a password to a site, they couldn't give it to me
because it is encrypted when it leaves my machine. 

The only breach I recall is when they said that users email addresses
were taken.  There was once where they asked everyone to change their
master password as a precaution several years ago.  They had no info
that showed anything was hacked but they wanted users to change them
anyway.  Since I get emails as a user, I've never received an email that
said their service was hacked and that passwords were known to be taken
decrypted.  I do get emails when something needs to be changed or I
changed something. 

As I pointed out to Rich, I don't expect these tools to be 100%.  There
is no perfect password tool or a perfect way to manage them either.  No
matter what you do, someone can come along and poke a hole in it.  If
you use a tool, the tool is hackable.  If you use the same password that
is 40 characters long for several dozen sites, then the site can be
hacked and they have the password for those other sites as well.  The
list could go on for ages but it doesn't really change anything.  We do
the best we can and then hope it is enough.  Using tools is in my
opinion better than not using a tool at all.  At the least, they will
have a hard time breaking into a site directly without my password.  It
beats the alternative which is cutting off the computer and unplugging
it.  :-( 

Still can't get cracklib to work right.  < scratches head > 

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Neil Bothwick
In reply to this post by Mick-10
On Mon, 04 Feb 2019 23:26:52 +0000, Mick wrote:

> You could use gpg/openssl to encrypt a number of files, which would
> contain your different website/application passwds.

pass does exactly that

* app-admin/pass
     Available versions:  1.7.3 **9999 {X dmenu emacs fish-completion +git importers zsh-completion ELIBC="Darwin"}
     Homepage: https://www.passwordstore.org/
     Description: Stores, retrieves, generates, and synchronizes passwords securely


--
Neil Bothwick

"There are some ideas so idiotic that only an intellectual could believe
them" George Orwell


Re: Coming up with a password that is very strong.

Mick-10
On Tuesday, 5 February 2019 08:41:28 GMT Neil Bothwick wrote:

> On Mon, 04 Feb 2019 23:26:52 +0000, Mick wrote:
> > You could use gpg/openssl to encrypt a number of files, which would
> > contain your different website/application passwds.
>
> pass does exactly that
>
> * app-admin/pass
>      Available versions:  1.7.3 **9999 {X dmenu emacs fish-completion +git
> importers zsh-completion ELIBC="Darwin"} Homepage:
> https://www.passwordstore.org/
>      Description: Stores, retrieves, generates, and synchronizes passwords
> securely
What do you know?!  Someone else thought of it too.  :-)

Thanks Neil, this looks interesting and seems way more advanced than my simple
one-liner.

--
Regards,
Mick


Re: Coming up with a password that is very strong.

Mick-10
In reply to this post by Dale-46
On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:

> Sort of picking a random message to reply to here.  Someone sent a reply
> off list about checking passwords on my system with tools available.
> They also mentioned not trusting strength meters which I can get since
> they pass some obvious passwords.  I used three meters and some sort of
> common sense as well.  I found cracklib-check after some digging.  I
> used that to try to check my password and get this weird response.
>
> -su: me-supper-secret-password-here;): event not found
>
> I'm going to try to emulate my password without actually posting it, for
> obvious reasons.  You all are smart enough to understand why.  ROFL  It
> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
> tell, I use some of those things on the tops of the number keys.  It
> seems that confuses cracklib just a bit.  BTW, I was running that as
> root just to be sure it wasn't a permissions issue.  I tried a few
> different things but it seems the "!" is triggering that at least, maybe
> others too.  The command works fine with just normal stuff.
Hmm ... I don't get such a problem here, when I run cracklib as a plain user:

$ cracklib-check
password
password: it is based on a dictionary word
p4ssw0rd
p4ssw0rd: it is based on a dictionary word
p477w0rd
p477w0rd: OK
!sdER*ark4567#
!sdER*ark4567#: OK
helloworld
helloworld: OK
reallysecurepassword
reallysecurepassword: OK

LOL!

Could it be something to do with your terminal/shell?  I've run the above with
bash in a urxvt terminal.


> That leads
> me to this question.  Is there a tool I can use/install that will test a
> password, try to crack it if you will, that will work regardless of the
> characters used?  In other words, it doesn't mind the things on top of
> the number keys.
>
> BTW, I've also whittled it down to something a little easier to type
> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
> have better luck with P vs NP.  ;-)
>
> Thanks.
>
> Dale
>
> :-)  :-)
I've used app-crypt/johntheripper in the distant past, but you'll need a good
word list for it to be useful.  Some of the wordlists I had found at the time
were too big to download over dial-up!  :p

--
Regards,
Mick


Re: Coming up with a password that is very strong.

Michael Schwartzkopff
Am 05.02.19 um 10:55 schrieb Mick:

> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here.  Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords.  I used three meters and some sort of
>> common sense as well.  I found cracklib-check after some digging.  I
>> used that to try to check my password and get this weird response.
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>> tell, I use some of those things on the tops of the number keys.  It
>> seems that confuses cracklib just a bit.  BTW, I was running that as
>> root just to be sure it wasn't a permissions issue.  I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too.  The command works fine with just normal stuff.
> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell?  I've run the above with
> bash in a urxvt terminal.
>
>
>> That leads
>> me to this question.  Is there a tool I can use/install that will test a
>> password, try to crack it if you will, that will work regardless of the
>> characters used?  In other words, it doesn't mind the things on top of
>> the number keys.
>>
>> BTW, I've also whittled it down to something a little easier to type
>> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
>> have better luck with P vs NP.  ;-)
>>
>> Thanks.
>>
>> Dale
>>
>> :-)  :-)
> I've used app-crypt/johntheripper in the distant past, but you'll need a good
> word list for it to be useful.  Some of the wordlists I had found at the time
> were too big to download over dial-up!  :p
>
A good password also has to be memorizable. See:

https://xkcd.com/936/


Kind regards,

--

[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein




Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Mick-10
Mick wrote:

> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here.  Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords.  I used three meters and some sort of
>> common sense as well.  I found cracklib-check after some digging.  I
>> used that to try to check my password and get this weird response.
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>> tell, I use some of those things on the tops of the number keys.  It
>> seems that confuses cracklib just a bit.  BTW, I was running that as
>> root just to be sure it wasn't a permissions issue.  I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too.  The command works fine with just normal stuff.
> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell?  I've run the above with
> bash in a urxvt terminal.
>
>


He he he he.  It was the idiot in the chair.  The idiot in the chair
thought it was done this way, like I saw on a website that must be
outdated. 

root@fireball / # cracklib-check !sdER*ark4567#
-su: !sdER: event not found
root@fireball / #

After seeing your reply, I realize I just type the command and it
prompts me for a password.  I ctrl c to exit.  Well, ain't that
something?  You can stop laughing now.  ;-) 

It seems to think helloworld and reallysecurepassword are OK.  I have to
question just how good this tool is at this point.  Maybe I need to
install some more stuff here.  Pardon me while I go find some more of
this.  Something has to be missing.  :/

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Michael Schwartzkopff
Michael Schwartzkopff wrote:

> On 05.02.19 at 10:55, Mick wrote:
>> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>>
>>> Sort of picking a random message to reply to here.  Someone sent a reply
>>> off list about checking passwords on my system with tools available.
>>> They also mentioned not trusting strength meters which I can get since
>>> they pass some obvious passwords.  I used three meters and some sort of
>>> common sense as well.  I found cracklib-check after some digging.  I
>>> used that to try to check my password and get this weird response.
>>>
>>> -su: me-supper-secret-password-here;): event not found
>>>
>>> I'm going to try to emulate my password without actually posting it, for
>>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>>> tell, I use some of those things on the tops of the number keys.  It
>>> seems that confuses cracklib just a bit.  BTW, I was running that as
>>> root just to be sure it wasn't a permissions issue.  I tried a few
>>> different things but it seems the "!" is triggering that at least, maybe
>>> others too.  The command works fine with just normal stuff.
>> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>>
>> $ cracklib-check
>> password
>> password: it is based on a dictionary word
>> p4ssw0rd
>> p4ssw0rd: it is based on a dictionary word
>> p477w0rd
>> p477w0rd: OK
>> !sdER*ark4567#
>> !sdER*ark4567#: OK
>> helloworld
>> helloworld: OK
>> reallysecurepassword
>> reallysecurepassword: OK
>>
>> LOL!
>>
>> Could it be something to do with your terminal/shell?  I've run the above with
>> bash in a urxvt terminal.
>>
>>
>>> That leads
>>> me to this question.  Is there a tool I can use/install that will test a
>>> password, try to crack it if you will, that will work regardless of the
>>> characters used?  In other words, it doesn't mind the things on top of
>>> the number keys.
>>>
>>> BTW, I've also whittled it down to something a little easier to type
>>> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
>>> have better luck with P vs NP.  ;-)
>>>
>>> Thanks.
>>>
>>> Dale
>>>
>>> :-)  :-)
>> I've used app-crypt/johntheripper in the distant past, but you'll need a good
>> word list for it to be useful.  Some of the wordlists I had found at the time
>> were too big to download over dial-up!  :p
>>
> A good password also has to be memorizable. See:
>
> https://xkcd.com/936/
>
>
> Kind regards,
>


That's the problem.  I want one really good password that would be
virtually impossible even for someone who knows me to guess.  Doing that
and being able to remember it plus be relatively easy to remember
complicates things a lot.  While at it, I'd like it to be hard to crack
as well.  Even with these password test tools, that is proving to be
hard to know for sure.  I have one that I know would be hard to guess
and I think it would be hard to crack as well but I don't know that last
part for sure, yet anyway. 

Thanks.  It's a work in progress still. 

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Mick-10
In reply to this post by Dale-46
On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:

> After seeing your reply, I realize I just type the command and it
> prompts me for a password.  I ctrl c to exit.  Well, ain't that
> something?  You can stop laughing now.  ;-)
>
> It seems to think helloworld and reallysecurepassword are OK.  I have to
> question just how good this tool is at this point.  

Quite!

I think the cracklib acceptance parameters are not as strict as they could
have been for modern computing, but I don't know how to tweak them.  With
johntheripper you have many options to tweak the characters tested, length,
etc. when checking a password.

PS.  I wasn't laughing at you, I was laughing at the passwords cracklib
thought were OK.
--
Regards,
Mick


Re: Coming up with a password that is very strong.

Mick-10
In reply to this post by Dale-46
On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
> Mick wrote:

> > https://en.wikipedia.org/wiki/LastPass#Security_issues
> >

> From what I read, no users had their passwords compromised in those.

I read it differently.  LastPass didn't know if any passwds were compromised
(or wouldn't tell you).  As a precaution they asked users to change their
master passwd, while they changed their server's salt.  In addition, there
were XSS vulnerabilities later on, which is probably to be expected with
JavaScript and similar technologies.


> As
> I pointed out earlier, the passwords are already encrypted when they are
> sent to LastPass.  If I called LastPass, could prove I am who I claim to
> be and asked them for a password to a site, they couldn't give it to me
> because it is encrypted when it leaves my machine.

I don't know exactly how the LastPass architecture is configured, other than
it relies on device based encryption activated with JavaScript, but anomalies
they observed in incoming and outgoing traffic on the 2011 incident indicate
someone was interfering with their data streams.  Given Diffie-Hellman could
be compromised (e.g. as per Logjam) by precomputing some of the most commonly
used primes in factoring large integers, it may be someone was undertaking
comparative analysis to deduce ciphers and what not.  If the server salt was
obtained, then one layer of encryption was compromised.

All this is juxtaposition and my hypothesizing does not mean LastPass is not
useful, or not secure.  It just means its design is not as secure as locally
run simpler encryption mechanisms, which do not leave your PC and are not
stored somewhere else.

The greater surface area a security system exposes, the higher likelihood
someone will take a punt at cracking it.  A browser, sandboxed or not, has far
too many moving parts and exposed flanks to keep crackers and state actors
busy.  I expect with advances in AI this effort will accelerate
logarithmically.


> As I pointed out to Rich, I don't expect these tools to be 100%.  There
> is no perfect password tool or a perfect way to manage them either.  No
> matter what you do, someone can come along and poke a hole in it.  If
> you use a tool, the tool is hackable.  If you use the same password that
> is 40 characters long for several dozen sites, then the site can be
> hacked and they have the password for those other sites as well.  The
> list could go on for ages but it doesn't really change anything.  We do
> the best we can and then hope it is enough.  Using tools is in my
> opinion better than not using a tool at all.  At the least, they will
> have a hard time breaking into a site directly without my password.  It
> beats the alternative which is cutting off the computer and unplugging
> it.  :-(
Yes, well said.  A disconnected and switched off PC is probably quite secure,
but what use is this to anybody.  LOL!  The effectiveness of PC security is
challenged on a daily basis and you eventually have to arrive at a personal
trade-off between security and usability.

--
Regards,
Mick


Re: Coming up with a password that is very strong.

Nikos Chantziaras-2
In reply to this post by Dale-46
On 04/02/2019 22:49, Dale wrote:
> Also, if my computer were to
> die a sudden death, power supply goes bonkers and burns everything in it
> up including hard drives, my passwords are still safe but available.

Firefox stores my login passwords encrypted on a server provided by
Mozilla. It syncs them between my machines.



Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Mick-10
Mick wrote:

> On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:
>
>> After seeing your reply, I realize I just type the command and it
>> prompts me for a password.  I ctrl c to exit.  Well, ain't that
>> something?  You can stop laughing now.  ;-)
>>
>> It seems to think helloworld and reallysecurepassword are OK.  I have to
>> question just how good this tool is at this point.  
> Quite!
>
> I think the cracklib acceptance parameters are not as strict as they could
> have been for modern computing, but I don't know how to tweak them.  With
> johntheripper you have many options to tweak the characters tested, length,
> etc. when checking a password.
>
> PS.  I wasn't laughing at you, I was laughing at the passwords cracklib
> thought were OK.

I'm emerging john* or at least it's thinking on it. 

I was talking about you laughing at my comment about the idiot in the
chair who was using the command wrong.  I have to admit, I was laughing
at myself over here.  lol  I might add, I did try to get a man page or
-h to help but it didn't. 

I've got my password down to something I can remember and isn't too bad
to type.  The password strength meter thingys, while not perfect either,
do say it is a strong one.  My looking at it says it is strong too.  I
just can't imagine anyone guessing it.  It's so random and such that I
think it would be very difficult to crack.  Even if one could, it would
take a fairly long time even with some pretty fast puters.  It may not
be NSA proof either but I suspect it would take even them a while. 
Still, I'd like to test this thing really well if I can find a tool that
can really do it properly.  We already know the meter sites aren't
trustworthy.  It seems cracklib isn't quite there either.  Moving on. 

Thanks for the help.  By the time I get around to using this thing, it
may be easy to crack with some laser type puter or something. 

Dale

:-)  :-) 


Re: Coming up with a password that is very strong.

Dale-46
In reply to this post by Mick-10
Mick wrote:

> On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
>> Mick wrote:
>>> https://en.wikipedia.org/wiki/LastPass#Security_issues
>>>
>> From what I read, no users had their passwords compromised in those.
> I read it differently.  LastPass didn't know if any passwds were compromised
> (or wouldn't tell you).  As a precaution they asked users to change their
> master passwd, while they changed their server's salt.  In addition, there
> were XSS vulnerabilities later on, which is probably to be expected with
> JavaScript and similar technologies.
>

I recall the email vaguely.  It said there was nothing that showed the
passwords were compromised.  I did change passwords for things like my
bank etc but left the others alone.  Of course, I change those passwords
on a fairly regular basis anyway.  Thing is, when it comes to financial
stuff, I don't leave as much to chance.  I found the email notice.  Here
is a bit of it:


"No encrypted user vault data was taken, however other data, including
email addresses and password reminders, was compromised." 

So, the encrypted stuff such as passwords was not compromised.  They
only got email addys and such which isn't a big deal.


>> As
>> I pointed out earlier, the passwords are already encrypted when they are
>> sent to LastPass.  If I called LastPass, could prove I am who I claim to
>> be and asked them for a password to a site, they couldn't give it to me
>> because it is encrypted when it leaves my machine.
> I don't know exactly how the LastPass architecture is configured, other than
> it relies on device based encryption activated with JavaScript, but anomalies
> they observed in incoming and outgoing traffic on the 2011 incident indicate
> someone was interfering with their data streams.  Given Diffie-Hellman could
> be compromised (e.g. as per Logjam) by precomputing some of the most commonly
> used primes in factoring large integers, it may be someone was undertaking
> comparative analysis to deduce ciphers and what not.  If the server salt was
> obtained, then one layer of encryption was compromised.
>
> All this is juxtaposition and my hypothesizing does not mean LastPass is not
> useful, or not secure.  It just means its design is not as secure as locally
> run simpler encryption mechanisms, which do not leave your PC and are not
> stored somewhere else.
>
> The greater surface area a security system exposes, the higher likelihood
> someone will take a punt at cracking it.  A browser, sandboxed or not, has far
> too many moving parts and exposed flanks to keep crackers and state actors
> busy.  I expect with advances in AI this effort will accelerate
> logarithmically.

This is why I don't use the built in password manager in Firefox. 
Firefox most likely concentrates on the browser since its main job is
being a browser.  A password tool is a little lower on the list I would
think.  However, LastPass and other password tools, it is their main
function to be password tools that are secure but can still work with
the browser as well. 


>
>> As I pointed out to Rich, I don't expect these tools to be 100%.  There
>> is no perfect password tool or a perfect way to manage them either.  No
>> matter what you do, someone can come along and poke a hole in it.  If
>> you use a tool, the tool is hackable.  If you use the same password that
>> is 40 characters long for several dozen sites, then the site can be
>> hacked and they have the password for those other sites as well.  The
>> list could go on for ages but it doesn't really change anything.  We do
>> the best we can and then hope it is enough.  Using tools is in my
>> opinion better than not using a tool at all.  At the least, they will
>> have a hard time breaking into a site directly without my password.  It
>> beats the alternative which is cutting off the computer and unplugging
>> it.  :-(
> Yes, well said.  A disconnected and switched off PC is probably quite secure,
> but what use is this to anybody.  LOL!  The effectiveness of PC security is
> challenged on a daily basis and you eventually have to arrive at a personal
> trade-off between security and usability.
>

This is what I run into with this new password project.  I want one that
is easy for me to remember, easy to type and such but I also want it to
where some script kiddy can't crack it in like 10 seconds while laughing
his/her fool head off at me.  The decision to use a tool like LastPass,
or any other tool for that matter, also means a trade off.  Anything we
use will expose us to something.  That said, not using one exposes us to
something else, even if it is just bad ways to deal with passwords. 
Using one password on several sites is one thing that jumps to my mind. 
We just have to try to be reasonable about it.  One thing about this,
I'm putting more effort into one password than most do for every
password they have. 

Now to play with the strength meters some more. 

Dale

:-)  :-)


Re: Coming up with a password that is very strong.

Rich Freeman
In reply to this post by Dale-46
On Tue, Feb 5, 2019 at 2:34 AM Dale <[hidden email]> wrote:

>
> Rich Freeman wrote:
> > On Mon, Feb 4, 2019 at 5:12 PM Dale <[hidden email]> wrote:
> >> Neil Bothwick wrote:
> >>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>>
> >>>>> One reason I use LastPass, it is mobile.  I can go to someone else's
> >>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>>>> logoff and it is like I was never there.
> >>>> As much as I like Lastpass I would never do that.  It isn't magic - it
> >>>> is javascript.  If there is a compromise on your computer, then your
> >>>> password database will be compromised.  This is true of other
> >>>> solutions like KeePassX and so on - if something roots your box then
> >>>> it will be compromised.
> >
> >> I might point out, LastPass encrypts the password before sticking it in
> >> a file.  It isn't visible or plain text.  Even getting the file would
> >> still require some tools and cracking to get the password itself.
> > That assumes you're attacking the password file directly.
> >
> > If you're using lastpass on a compromised system then there are many
> > ways that can be used to bypass the encryptions.  They could sniff
> > your master password when you key it in, or read it directly from the
> > browser's memory.  These things are protected from sandboxed code in
> > your browser, but not from processes running outside the browser
> > (unless again you're using a non-conventional privilege system like
> > selinux/android/etc).
>
> One could argue the same thing with any password tool out there tho,
> right?

Of course.  This is by no means specific to Lastpass.  I wasn't
reacting to your use of Lastpass (I use it myself).  I was reacting to
your statement that you can go to someone else's computer and use
lastpass on that computer and then log off and it is as if you were
never there.

> Given I only install things from
> trusted sources, the odds of that happening are likely very small.

Not if you go typing your Lastpass master password into computers
owned by people who aren't as careful as you are...

If you do want the benefits of a password manager on an untrusted
computer then you might want to look into the hardware/USB-based
solutions, or alternatives like U2F and so on.

Now, you're still vulnerable to MITM attacks and so on against the
sites you're actually logging into, but your credentials for other
sites would not be at risk since they stay on the hardware device,
which is going to be hardened against USB attacks (well, at least you
hope it would be).  If you're using conventional passwords then of
course something could still sniff that password since it has to pass
through the untrusted computer.  If you're using OTPs or U2F/etc then
you may still be vulnerable to some cookie-based attacks and MITM and
so on, but if you log off at the end of your session that at least
limits their duration.

Personally I would like to switch to a hardware-based solution, but
they have their own set of downsides:

1.  Less convenience - you have to physically have the device on you
(I don't carry my keys around in the house/etc), and plug it in when
you want to use it.
2.  Recovery options aren't always great.  Often these devices don't
really have their own recovery solution, and you're stuck following
the recovery options on each individual site.  Many of these are
pretty lousy.
3.  Often no support for multiple hardware devices (and keeping them
in sync).  Again you're stuck with what individual sites allow, and
many sites don't let you have multiple hardware tokens registered.
4.  Lack of convenience features like auto-changing passwords.  Some
software-based solutions have this.  Though, to be honest, I rarely
trust these because if something goes wrong I could lose account
access and this can be difficult or impossible to recover from in many
situations.

A big advantage (and disadvantage) of the software-based solutions is
that they're just data files and you can back them up trivially.

Really though a lot of this boils down to the fact that PKI is a hard
problem without a trusted and convenient mediator, and this largely
doesn't exist in the world of free online services.

--
Rich


Re: Coming up with a password that is very strong.

Dale-46
Rich Freeman wrote:

> On Tue, Feb 5, 2019 at 2:34 AM Dale <[hidden email]> wrote:
>> Rich Freeman wrote:
>>> On Mon, Feb 4, 2019 at 5:12 PM Dale <[hidden email]> wrote:
>>>> Neil Bothwick wrote:
>>>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>>
>>>>>>> One reason I use LastPass, it is mobile.  I can go to someone else's
>>>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>>>> logoff and it is like I was never there.
>>>>>> As much as I like Lastpass I would never do that.  It isn't magic - it
>>>>>> is javascript.  If there is a compromise on your computer, then your
>>>>>> password database will be compromised.  This is true of other
>>>>>> solutions like KeePassX and so on - if something roots your box then
>>>>>> it will be compromised.
>>>> I might point out, LastPass encrypts the password before sticking it in
>>>> a file.  It isn't visible or plain text.  Even getting the file would
>>>> still require some tools and cracking to get the password itself.
>>> That assumes you're attacking the password file directly.
>>>
>>> If you're using lastpass on a compromised system then there are many
>>> ways that can be used to bypass the encryptions.  They could sniff
>>> your master password when you key it in, or read it directly from the
>>> browser's memory.  These things are protected from sandboxed code in
>>> your browser, but not from processes running outside the browser
>>> (unless again you're using a non-conventional privilege system like
>>> selinux/android/etc).
>> One could argue the same thing with any password tool out there tho,
>> right?
> Of course.  This is by no means specific to Lastpass.  I wasn't
> reacting to your use of Lastpass (I use it myself).  I was reacting to
> your statement that you can go to someone else's computer and use
> lastpass on that computer and then log off and it is as if you were
> never there.

What I meant was, they couldn't use it without knowing my password. 
Sure, I may leave something, like LastPass installed but disabled, on
their computer but no one can use it without it being logged in.  Once I
logout and close the browser, that pretty much ends the session.  Most
sites I visit are not set to remember me anyway and some don't allow
it.  I also logout before leaving a site especially when I'm on a
computer other than mine.  So, once I logout, they can't login as me
without my password.  We sort of went in different directions. 

If I really wanted to, I could use some bootable media like Knoppix.  I
think it comes with Firefox already installed. I could boot that,
install LastPass, do my thing, reboot into the OS and not have to worry
about anything they have installed at all.  I do keep copies of those
around and try to update every once in a while.  I certainly keep
sysrescue up to date.  I don't think it has a browser tho.  It may but
I'm not sure. 


>> Given I only install things from
>> trusted sources, the odds of that happening are likely very small.
> Not if you go typing your Lastpass master password into computers
> owned by people who aren't as careful as you are...
>
> If you do want the benefits of a password manager on an untrusted
> computer then you might want to look into the hardware/USB-based
> solutions, or alternatives like U2F and so on.
>
> Now, you're still vulnerable to MITM attacks and so on against the
> sites you're actually logging into, but your credentials for other
> sites would not be at risk since they stay on the hardware device,
> which is going to be hardened against USB attacks (well, at least you
> hope it would be).  If you're using conventional passwords then of
> course something could still sniff that password since it has to pass
> through the untrusted computer.  If you're using OTPs or U2F/etc then
> you may still be vulnerable to some cookie-based attacks and MITM and
> so on, but if you log off at the end of your session that at least
> limits their duration.
>
> Personally I would like to switch to a hardware-based solution, but
> they have their own set of downsides:
>
> 1.  Less convenience - you have to physically have the device on you
> (I don't carry my keys around in the house/etc), and plug it in when
> you want to use it.
> 2.  Recovery options aren't always great.  Often these devices don't
> really have their own recovery solution, and you're stuck following
> the recovery options on each individual site.  Many of these are
> pretty lousy.
> 3.  Often no support for multiple hardware devices (and keeping them
> in sync).  Again you're stuck with what individual sites allow, and
> many sites don't let you have multiple hardware tokens registered.
> 4.  Lack of convenience features like auto-changing passwords.  Some
> software-based solutions have this.  Though, to be honest, I rarely
> trust these because if something goes wrong I could lose account
> access and this can be difficult or impossible to recover from in many
> situations.
>
> A big advantage (and disadvantage) of the software-based solutions is
> that they're just data files and you can back them up trivially.
>
> Really though a lot of this boils down to the fact that PKI is a hard
> problem without a trusted and convenient mediator, and this largely
> doesn't exist in the world of free online services.
>

This is what was mentioned in another post.  No matter what we use, it
is a trade off.  While it may be rare that I need it, I like the idea of
my passwords being stored somewhere that can be available if I'm
somewhere else or my computer blows a gasket.  No matter what is used,
there is some risk involved unless we don't use a computer at all. 
Heck, even having a computer that is unplugged from the internet can
still have security issues.  At one point, that used to be an option but
then you have to bring media in for updates or other data to be added. 
If it is compromised, well, there you go. 

I saw a link on a link posted here that lists password tools on the wiki
thing.  LastPass and one other that is dead now was the only two that
seemed to fit what I like having.  Given that the other is no longer an
option, LastPass is the only one that works like I want it to.  Now
later on something better may come along but for the moment, LastPass is
the set of trade-offs that has to be dealt with.  Some of that is
because I just don't have time to try to figure out how to store things
encrypted on USB sticks and such as well.  I still haven't had time to
play with the kodi thing for my videos either. 

Of course, right now, I'm just trying to generate a good master
password.  I'd like to test the thing a bit but most tools just aren't
up to the task.  Since the NSA saves all our emails, maybe they will
offer some help.  Howdy you nosy things.  lol  You enjoying our password
talks?

Dale

:-)  :-) 
