Just recently, I was steered to this site..
https://www.passwordstore.org/
And in there, I realized that a very simple self-managed password
"vault" can be created by just using gpg from the command line.
For example, if you wanted to store a password for Ebay..
gpg -o pw-for-ebay.gpg -e -r [myID] -
..and the system will open stdin for typing. When done, hit new-line, and
ctrl-C [probably ^D in Linux], and the file is created with the string stored
inside.
File 'pw-for-ebay.gpg' exists. Overwrite? (y/N) y
updated pw is ... blahblahblah111
^C
When you need to view the pw:
gpg: encrypted with 2048-bit RSA key, ID 583B29AD69D0999F, created 2020-01-02
"August Abolins <august@kolico.ca>"
updated pw is ... blahblahblah111
So.. it's relatively simple to have a safe directory with all the pw*.gpg files like that.
I've been a happy https://pwsafe.org/ user for many many years. Both on Linux and Windows.
> gpg -o pw-for-ebay.gpg -e -r [myID] -
> When you need to view the pw:
> H:\temp>> gpg -d pw-for-ebay.gpg
Interesting, and maybe for emergency use, when a real password manager isn't available, but otherwise I don't find it very practical...
> Interesting, and maybe for emergency use, when a real password
> manager isn't available, but otherwise I don't find it very
> practical...
Practical is exactly what it is! It doesn't rely on any other 3rd party software. And compatibility across OS changes is ensured.
And.. a terminal is available to anyone, cmd-line or GUI.
Just keep all the .gpg files in an easy-to-remember folder:
C:\PW
.. and list all of them with DIR (or ls) *.gpg
Simple.
Build it into a script for a faster list from any directory:
mypws, to produce the output of "dir c:\pw\*.gpg"
I dunno.. I think the use of gpg manually keeps us sharp. "User-friendly" as
an excuse to use GUI kinda makes us lazy and dumb.
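The gpg workflow from the first post (one encrypted file per site, written from stdin, read back with gpg -d) together with the "mypws" listing script from this one, as an added example. This is not code from the original posts or from passwordstore.org; it assumes gpg is installed, a keypair already exists, and the PW_DIR location and the pw_* function names are made up for illustration.

```shell
# Added example, not code from the original posts or from passwordstore.org.
# A minimal gpg-backed password "vault": one encrypted file per site under
# $PW_DIR, plus a list command for the "mypws" script idea.
# Assumptions: gpg is installed, a keypair exists, and the caller supplies
# the key id. PW_DIR defaults to ~/pw (an assumption; override it).
PW_DIR="${PW_DIR:-$HOME/pw}"

# pw_add <keyid> <name>: encrypt the secret read from stdin to <keyid>.
# Refuses to overwrite an existing entry. The "Overwrite? (y/N)" prompt shown
# in the post is easy to answer wrongly, so the check runs before gpg does.
pw_add() {
  key="$1"; name="$2"
  mkdir -p "$PW_DIR" && chmod 700 "$PW_DIR"
  if [ -e "$PW_DIR/$name.gpg" ]; then
    echo "pw_add: $name.gpg exists, refusing to overwrite" >&2
    return 1
  fi
  # "-" reads the plaintext from stdin; end it with ^D (EOF). ^C aborts gpg
  # before the output file is written.
  gpg --quiet --batch -o "$PW_DIR/$name.gpg" -e -r "$key" - || return 1
  chmod 600 "$PW_DIR/$name.gpg"
}

# pw_list: print entry names without the .gpg suffix (the "mypws" script,
# equivalent to "dir c:\pw\*.gpg" / "ls *.gpg" but usable from anywhere).
pw_list() {
  for f in "$PW_DIR"/*.gpg; do
    [ -e "$f" ] || { echo "pw_list: no entries in $PW_DIR" >&2; return 1; }
    f=${f##*/}
    printf '%s\n' "${f%.gpg}"
  done
}

# pw_show <name>: decrypt one entry to stdout (the post's "gpg -d").
pw_show() {
  gpg --quiet --batch -d "$PW_DIR/$1.gpg"
}

# pw_gen [len]: a random password from /dev/urandom (default 24 chars), so
# the vault can hold generated secrets instead of formula-derived ones.
pw_gen() {
  len="${1:-24}"
  LC_ALL=C tr -dc 'A-Za-z0-9!#%+,./:=@_' </dev/urandom | head -c "$len"
  echo
}

# Typical use (interactive; the key id placeholder follows the post):
#   pw_gen | pw_add [myID] pw-for-ebay
#   pw_list
#   pw_show pw-for-ebay
```

Piping from pw_gen (or typing at the prompt) keeps the secret out of shell history; avoid `echo 'secret' | pw_add ...`, which leaves the plaintext in the history file. The chmod calls matter on a shared machine: the files are encrypted, but the directory listing itself reveals which sites you hold accounts for.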
Are you going to use this yourself for every day use?
If so, let us know how you feel about it in a month or a year of
usage... ;-)
But most of my passwords are remembered by the browser I use. And even those follow a "recipe" that I use to reconstitute any pw I need for
any site - so, I don't really need to remember the password, just the
way to build it.
> But most of my passwords are remembered by the browser I use. And even
> those follow a "recipe" that I use to reconstitute any pw I need for
> any site - so, I don't really need to remember the password, just the
> way to build it.
That's not good practice! It makes them predictable...
I just have my password manager generate a long random password, consisting of all possible characters, most of the time.
Nothing about the formula is predictable. Only I know it. It's only
in my head. And.. depending on the circumstances for pw changes by
some sites, even the tweaking follows a pseudo "rule".
> I just have my password manager generate a long random password,
> consisting of all possible characters, most of the time.
That's fine, but even a set of "random" words or phrase is good enough.
So.. as an example, a random phrase that is only meaningful to you,
add some other uniqueness in some other way that only you know, and
you have a pw that no one could guess,
and it's something you can recover with only the technology of your
brain. ;)
> Nothing about the formula is predictable. Only I know it. It's only
> in my head. And.. depending on the circumstances for pw changes by
> some sites, even the tweaking follows a pseudo "rule".
How long are your passwords? Do they have pronounceable words/parts?
> So.. as an example, a random phrase that is only meaningful to you,
When it's meaningful it's not random! ;-)
> add some other uniqueness in some other way that only you know, and
> you have a pw that no one could guess,
"No one" isn't the problem. It's the automated password guessers that
are your adversaries. And they can try thousands or probably millions of passwords in a second, and do that in a smart way.
> and it's something you can recover with only the technology of your
> brain. ;)
Can you give an example for a fictitious website (without revealing your formula of course)?
Length can vary, depending on the formula output for each "part".
Pronounceable words are a choice. Pronounceable or not doesn't really
matter if the whole sum of parts makes no "sense".
Well it makes your password easier to guess. Password guessers use dictionaries.
[...] But sometimes databases
get stolen. Or hackers get direct access to the systems that store the (encoded) passwords.
Parts [A] [B] [C] [D] could be in any order you like.
As long as you always use the same order. Otherwise you can forget which order you used for a particular website. ;-)
The devil is in the details I suppose. Depending on a few variables in your scheme, it might be sufficiently random for password guessers
(which have become quite advanced, and will only become better in the future) to not break it.
But I think it's much easier and safer, to use long truly randomly generated passwords and store them in a password manager.
I don't know about you, but many of my site/system logins are NOT
email addresses.
> [...] But sometimes databases
> get stolen. Or hackers get direct access to the systems that store the
> (encoded) passwords.
I think unencrypted databases are the true target.
And length is not as critical as avoiding the outright guessable. I have
a friend who simply uses her first name and 1234 for her hotmail
account, and her name is in the email address itself!
Another fellow uses the layout of the keyboard to guide him to
"remember" his passwords. Eg. the leftmost keys on the kb =
qweasdzxc, or qazwsxed, and then some numbers. Personally, I would
not use that scheme as the sole pw. Instead, maybe the qweasdzxc or qazwsxedc strings could be one of the parts in [A] [B] [C] as a
minimum.
I do admit, that some of my sites don't follow exactly the same scheme between them. I do something different for financial/banking accounts too. And a few older sites have pws before I came up with the formula method.
For recovery, facebook can send a 6-digit code to an email address
that I had associated with facebook. That works. But when I enter
the 6-digits at the facebook prompt for those digits, it comes up with "you have to use another device that you used before". That
requirement is stupid!
I think this might be the perfect time to drop Facebook.