Password management

Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Password management

Post by Gendarme »

This is something that has troubled me for quite some time now, and I have yet not been able to find a satisfying solution. For the people not well-versed on the subject, here's an introduction to password security (everyone else can jump to the discussion):

Introduction:


Protecting your accounts from illicit access is more than simply having one good password. First and foremost, if you have the same password on several accounts that can be linked together (e.g. by having the same username/email across the accounts), all of those accounts are as secure as the weakest one in that group. This means that if one of those passwords gets leaked (either due to negligence or malicious intent of the entity storing it—neither of which should be dismissed), all of those accounts are compromised. This is why it is of the utmost importance to use unique passwords on accounts that you care about. However, unique is not enough. If one password can be guessed with the help of the other, it is more or less just the same password (e.g. "ThisIsHowIEnterESOC" and "ThisIsHowIEnterGmail"). What is needed are strong, unique, and unpredictable passwords. Passwords of this kind are unfortunately hard to remember, which is the very problem I am trying to solve.

There are things called password managers, which are programs where you store all of your passwords so you don't have to remember them. These passwords are all encrypted and can be decrypted with a password, letting you store all your passwords in one place and only have to remember one password (the one to decrypt the rest). Using password managers is the generally recommended way to protect your accounts, but I am not satisfied with simply having one password manager and am searching for a better solution.

Discussion:


The reason I do not like just having a password manager (let's just say encrypted textfile because that's probably what I'd use rather than an actual manager) is that it is a single point of failure. If I store it on my HDD, my HDD may blow up and my whole life is rekt. If I store it on a cloud like Dropbox, it's also a risk since potentially anything could happen to it and rek my life. This is avoidable through redundancy (i.e. storing it in several places), which is one of the solutions I've come up with, but then updating it would be difficult. But I wonder: is there really a need to update it? Is it not possible to generate passwords in advance and somehow allocate them to new accounts as you go without ever forgetting which of the passwords belongs to the account? Is it perhaps viable through categorizing the passwords?

The other thing I have thought of is to have a kind of hashing algorithm that can be done mentally on the fly each time I wish to enter a password. I am no mathematician and do not know if this is even possible, but if it is it would be ideal as I could just have "esoc" as my password to this website and "gmail" as my Gmail-password and all I have to do is to remember the algorithm (and perhaps a salt).
Pay more attention to detail.
No Flag deleted_user0
Ninja
Posts: 13004
Joined: Apr 28, 2020

Re: Password management

Post by deleted_user0 »

I think the best is to have it hard copy, not digital, and have several copies. Probably need 3. Keep one in a locked safe or a similar place. Keep 1 with your notary / will, in case you have an accident. Keep one in a safe but otherwise relatively easily accessible place. Don't write the actual passwords on this last copy, instead write a hint that only you can decipher. On the other two copies you write the hints + the passwords. In the end, accept that theft will always remain a possibility, unless you're Fort Knox or something.

I don't currently do this, because most of my passwords don't really protect anything that valuable at the moment. But when I'm a crypto billionaire in about 2 months, I will start doing this.
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

Why is theft an issue if it's encrypted? I've actually been thinking about storing the encrypted text files on cheap USB-drives and scatter them all around the world (give some to ma, some to pa, hide some in my neighbor's stable, etc.) so there's no way of ever losing them. But the issue is, as stated in the OP, that I can't update the text file with new passwords, which is the main issue here.
Pay more attention to detail.
No Flag deleted_user0
Ninja
Posts: 13004
Joined: Apr 28, 2020

Re: Password management

Post by deleted_user0 »

Gendarme wrote: Why is theft an issue if it's encrypted? I've actually been thinking about storing the encrypted text files on cheap USB-drives and scatter them all around the world (give some to ma, some to pa, hide some in my neighbor's stable, etc.) so there's no way of ever losing them. But the issue is, as stated in the OP, that I can't update the text file with new passwords, which is the main issue here.


In that case it isn't an issue, but I'd rather have something more functional I guess. You can update your locked password notebook once a year. Honestly, there are only a handful of passwords that really matter to me. For everything else I use the same, easy to remember password. I don't really care if my account on esoc gets hacked.

The only places that matter are social security, financial assets and medical records. In that case, just make sure you have something like 2 factor authentication or something like thumb recognition so that even if they have your password, it's not enough to actually breach the security.
Spain Snuden
Jaeger
Posts: 4276
Joined: Dec 28, 2016
ESO: Snuden
Location: Costa del Baphomet

Re: Password management

Post by Snuden »

I use 2FA on all my jazz...
[Sith] - Baphomet
United States of America Hidddy_
Retired Contributor
Posts: 379
Joined: Jan 9, 2017
ESO: Hidalgito
Location: Miami, Florida, USA

Re: Password management

Post by Hidddy_ »

I write them down on a piece of paper and hide the paper. The only way someone can find it is if they know the exact location (very very unlikely) before rummaging through my room. No hacking to worry about there.
De Funk
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

Yeah hacking is not what I'm worried about. If it's encrypted then it's encrypted, amirite? Whether it's a piece of paper or a USB stick is insignificant. The issue is that I don't want to have just one copy of all my passwords. What if I lose that piece of paper? RIP!
Pay more attention to detail.
United States of America Hidddy_
Retired Contributor
Posts: 379
Joined: Jan 9, 2017
ESO: Hidalgito
Location: Miami, Florida, USA

Re: Password management

Post by Hidddy_ »

Call me paranoid but I don't even trust encryption, seeing as how the field of programming is progressing so fast right now. Hmm well having more copies means you will inevitably have to keep track of more things, either way your personal memory will be a factor in preserving the secrecy of your passwords. My paper works for me bc it is hidden in something that won't be thrown away and is not in an obvious location.
De Funk
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

Encryption is just simple mathematics. If it's proven then it's, well, proven. If encryption one day gets cracked somehow I'd say we're all in for a world of hurt much more than what losing our passwords would cause. Anyway, I digress.

I suppose 2FA as much as possible is the way to go. Hopefully 2FA will become more commonplace than it is today, but assuming that every service provider is malicious, it doesn't really help you. Does it? It protects you from hackers, but does not allow you to use the same password for every 2FA across the internet, I think.
Pay more attention to detail.
Nauru Dolan
Ninja
Posts: 13069
Joined: Sep 17, 2015

Re: Password management

Post by Dolan »

I just remember those encrypted passwords.. Like d8N2_00l!~a*Lp3

And I wrote a script which generates "random" passwords which I use every time I need a new one.
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

My IQ is too low for that, unfortunately. RIP
Pay more attention to detail.
Netherlands Goodspeed
Retired Contributor
Posts: 13006
Joined: Feb 27, 2015

Re: Password management

Post by Goodspeed »

Snuden wrote: I use 2FA on all my jazz...
Pretty much this. If the account is important, it will support 2FA.
Nauru Dolan
Ninja
Posts: 13069
Joined: Sep 17, 2015

Re: Password management

Post by Dolan »

No log-in method is 100% sure on the internet. Now with design flaws in every type of CPU architecture, even more so. Most consumer-facing encryption can be easily cracked with the right amount of computing power.

So, at this point, if your stuff is really worth cracking, it will happen, no matter which security method you're using. Your only real protection right now is not being worth cracking, basically.

You could use some methods to mitigate against the most basic attacks though:

- Using different passwords for different accounts (which you mentioned)
- Using passwords which are difficult to crack with trivial computing resources
- Having multiple ways to check your account
- Having hard backups of your data on external drives that aren't connected to the internet
- Redundancy can always help (ie, multiple backups of the same data)
- Don't store your most critical data in places that could get exposed by security flaws (so, don't post your compromising orgy pics in the cloud, like those brainlets who saved their iPhone pics on iCloud, then got hacked by people using basic social engineering techniques)

And so on and so forth.

I wouldn't trust a password manager, though, since putting all your eggs in one basket wouldn't be the smart thing to do.
Canada Jam
Jaeger
Posts: 3107
Joined: May 16, 2015
ESO: Hyperactive Jam

Re: Password management

Post by Jam »

I'll take care of your passwords for you.
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

@Dolan How do you crack an encryption with computing power if you don't know what you're looking for? You'd need a human (or insane AI) to check the text-file to see if it makes any sense. Do you not?
Pay more attention to detail.
Nauru Dolan
Ninja
Posts: 13069
Joined: Sep 17, 2015

Re: Password management

Post by Dolan »

In the case of passwords, there are clear, public constraints on what kind of string you can enter in a password field. For PINs it's even easier.

SHA-1 encryption has already been cracked (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html). Many web-facing applications and sites probably still use SHA-1, though it's been on a deprecation trend.

More recently an attack on AES encryption has also been reported (https://www.theinquirer.net/inquirer/news/2102435/aes-encryption-cracked).

So I wouldn't be surprised if some well-funded agencies like the NSA already had the tools to break the most secure encryption algorithms.
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

It just hit me, can we not just use hashes of weak but easily remembered phrases as passwords? How often do you need to enter a password but don't have access to a hashing algorithm anyway? As long as you have internet access it's a done deal.

Example:

Gmail phrase: "ThisIsHowIEnterGmail"
Actual password: "ede24d9669bd47ae3d993a2900a812e8f9857436eb805a174383a48cfde83979" (shoutout to @edeholland)

ESOC password: "ThisIsHowIEnterESOC"
Actual password: "2c32c4b8a3ab2b4e9790d6e1b9a74efaf9228306ee9cc5f57f675ffd901571b5"

You can of course slice it to the desired length.
Pay more attention to detail.
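
An added example, not part of the original posts: the hash-of-a-phrase idea from the post above, next to a variant that derives each site's password from a secret master passphrase and a salt through a slow KDF (PBKDF2 is the editor's choice here), so a guessable phrase or site name alone does not yield the password. The function names, salt, master passphrase and iteration count are assumptions made for illustration.

```python
import base64
import hashlib

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as far as you can tolerate


def phrase_hash_password(phrase: str, length: int = 64) -> str:
    """Scheme as posted: hex SHA-256 of a memorable phrase, sliced to length.

    Anyone who guesses the phrase pattern can recompute the password,
    and a single fast hash makes each guess cheap.
    """
    return hashlib.sha256(phrase.encode("utf-8")).hexdigest()[:length]


def derived_password(master: str, site: str, salt: bytes, length: int = 20) -> str:
    """Variant: per-site password from a secret master passphrase.

    The site name only selects which password comes out; the secrecy rests
    on `master`, and PBKDF2 slows down every guess at it.
    """
    if not master or not site:
        raise ValueError("master passphrase and site name are required")
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43")
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        salt + b"|" + site.strip().lower().encode("utf-8"),
        PBKDF2_ROUNDS,
        dklen=32,
    )
    # URL-safe base64 gives upper/lower/digits plus '-' and '_'.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    salt = b"constructed-example-salt"           # constructed value
    master = "correct horse battery staple 42"   # constructed value
    for site in ("gmail", "esoc"):
        print(site, derived_password(master, site, salt))
    print("posted scheme:", phrase_hash_password("ThisIsHowIEnterGmail")[:20])
```

Nothing is stored in either scheme, so rotating one site's password means changing its label (for example `gmail#2`), and in the variant the master passphrase is the single secret everything depends on.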
Netherlands edeholland
ESOC Community Team
Donator 01
Posts: 5033
Joined: Feb 11, 2015
ESO: edeholland
GameRanger ID: 4053888
Clan: ESOC

Re: Password management

Post by edeholland »

I got a shoutout here, so I guess it's my time to leave a reply.

Gendarme wrote: Using password managers is the generally recommended way to protect your accounts, but I am not satisfied with simply having one password manager and am searching for a better solution.

Why exactly are you not satisfied? Because of the single point of failure?

I am currently using Enpass and I'm quite satisfied. It stores your passwords offline (but you can sync it to mobile using a cloud service like Google Drive) and encrypts the data with AES-256. The desktop version is 100% free, you only pay 10 bucks if you want the full version on mobile (in-app purchase, you can use the free mobile version forever if you want).

For the most important stuff I also have 2FA, but Enpass is nice for those countless accounts I have on various websites.
No Flag deleted_user
Ninja
Posts: 14364
Joined: Mar 26, 2015

Re: Password management

Post by deleted_user »

I store all my passwords in the ultimate deep learning encrypted warehouse -- my own mind.

Because I am a very stable genius I am yet able to utilize a very diverse password portfolio.
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

The encryption and everything is trivial to be honest. You can do that yourself, so you don't really need a password manager if you don't want to use its other services (such as syncing), do you? I don't like storing on a cloud because I don't see that as permanently secure storage. I want to store it offline, but obviously still not just have a single point of failure, and this is where the issue arises.
Pay more attention to detail.
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

Is this how you remembered to send 600c in that British mirror? I would never have remembered that insane BO.
Pay more attention to detail.
No Flag deleted_user
Ninja
Posts: 14364
Joined: Mar 26, 2015

Re: Password management

Post by deleted_user »

I don't send 600c in British mirrors -- I win before then.
Czech Republic EAGLEMUT
ESOC Dev Team
Donator 05
Posts: 4515
Joined: Mar 31, 2015
ESO: EAGLEMUT
Clan: WPact

Re: Password management

Post by EAGLEMUT »

I think it's about time we move on to MD6.
momuuu wrote: theres no way eaglemut is truly a top player
Sweden Gendarme
Gendarme
Donator 03
Posts: 5132
Joined: Sep 11, 2016
ESO: Gendarme

Re: Password management

Post by Gendarme »

deleted_user wrote: I don't send 600c in british mirrors -- I win before then.
Oh you silly liar
Pay more attention to detail.
