[Novalug] Looking for opinions on password managers and remote access

Jeremy Hoel jthoel@gmail.com
Sat Mar 9 22:16:29 EST 2013


Interesting articles about the KeePass master password here:

http://www.excivity.com/ComputeCycle/cracking-keepass-passwords/

http://security.stackexchange.com/questions/8476/how-difficult-to-crack-keepass-master-password

http://keepass.info/help/base/security.html#secdictprotect


And yes, I use and trust KeePass too.

On Sat, Mar 9, 2013 at 8:05 PM, Tom Gutnick <tag@sunny-banana.com> wrote:
> Having worked in information security for over three decades, I tend to be
> paranoid also.
>
> FWIW, I use KeePass on my Windows desktop and netbook computers, and native
> KeePass apps on my Android phone and iPad mini.  The copy on my desktop is
> what I consider to be the "master" version, and use Dropbox to share it with
> the other devices.  So yes, I'm trusting KeePass's encryption, so I don't
> have to trust Dropbox.  So far, so good...
>
> Tom Gutnick
> Sunny Banana IT Consulting -- your personal technology assistant
> 3107 North Trinidad Street, Suite 200
> Arlington, Virginia  22213
> 571.449.6775
> tag@sunny-banana.com
>
>
>
>> Message: 2
>> Date: Sat, 09 Mar 2013 15:50:19 -0500
>> From: Gopher <gopher@3wa.org>
>> Subject: [Novalug] Looking for opinions on password managers and remote access
>> To: NOVALUG <novalug@calypso.tux.org>
>> Message-ID: <513BA08B.8060702@3wa.org>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> I am asking for some opinions on password managers and their use.  I find
>> myself painted into a corner of paranoia and doubt. I would like to get
>> feedback and opinions from others who use such tools.
>>
>> I have acquired too many passwords to keep track of in my head so I need
>> to find a password manager tool.  However, it would be really handy to
>> make this data available remotely on the *very* rare occasions that I need
>> to access it remotely.  I have a sub-par solution right now which involves
>> flat files and SSH access and it really doesn't work when I don't have
>> access to a SSH client. Thankfully, I only need remote access a few times
>> a year for such data. I am NOT a mobile user, I don't like working on
>> tablets, I prefer to have a laptop to work on.
>>
>> The simple solution would be to use something like Lastpass, but I have
>> trouble with the concept of handing my data to a third-party, encrypted or
>> otherwise. (I come from a world where it's assumed if you have the
>> encrypted data, you'll have the un-encrypted data eventually. It just
>> terrifies me that people see these 'cloud' solutions as secure without
>> acknowledging the inherent flaws in the overall system.)
>>
>> Lastpass just scares the hell out of me.  I trust Firefox, but when you
>> start talking about having a PLUGIN doing encryption and decryption
>> through JAVASCRIPT, I break out in hives.  Not to mention, see previous
>> paranoia about storing data with third-party.  Also I'm just not sure how
>> much trust I should put in something that inserts passwords and personal
>> data into webforms for me. At the moment, I'm very comfortable with using
>> the cut-n-paste buffer for transporting my passwords from KeePass to the
>> browser.  At least with KeePass the buffer is cleared after a short period
>> of time.
>>
>> As far as an actual password manager, my laptop is running OSX.  I'm
>> familiar with KeePass from using it at work, however to run it at home on
>> OSX, it would require me to install Mono, which I'm not happy with at all.
>> I trust KeePass on XP, but to run it on top of Mono worries me a bit,
>> isn't Mono more of a reverse engineered hack of .NET? This just feels
>> like it opens me up to exploits via bugs in Mono. 1Password seems OK, but
>> the UI doesn't quite work for me and it seems very expensive compared to
>> the other options out there.
>>
>> I've tried the default keyring/password manager that comes with OSX and I
>> simply hate it.  It doesn't make any sense to me; I just don't think they
>> ever intended it to be used by humans.
>>
>> I could use 1password or KeePass and keep my data file local to my
>> machine but then I couldn't access it remotely.  This brings in the
>> requirement for some 'cloud' solution (unfortunately SSH/SCP/SFTP just
>> doesn't seem to be a viable option for accessing/syncing data these days
>> when I'm not at a command prompt, and when I'm remote, I don't have that
>> option).  However, now we go back to my hangup about handing data to a
>> third party (encrypted or otherwise).
>>
>> I guess in a perfect world, I would end up with something that stores my
>> password data locally on my machine in such a way I could get at it
>> remotely the two or three times a year I really need to get at it that
>> doesn't require a client like SSH or FTP.
>>
>> For possible remote access tools, I'm currently testing SpiderOak for a
>> 'secure cloud solution' (I can't take that phrase seriously, I just
>> can't!), and there's no way in hell I'm ever touching Dropbox.  I can see
>> possibly taking an encrypted password manager database and then storing
>> it on SpiderOak as it's now twice-encrypted.  That should give me plenty
>> of time to change all my passwords once SpiderOak *IS* eventually
>> compromised.
>>
>> So anyway, I'm interested in people's feedback and opinion on this topic.
>> Hopefully somebody will offer me something I've overlooked which lets me
>> make progress on this quest of mine.
>>
>> thx
>> Gopher.
>> --
>> gopher@3wa.org
>> "Evil is, as humans do" - The Misfits
>>
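The KeePass dictionary-attack protection page linked above addresses exactly the worry raised in the thread: whoever holds the encrypted database file can guess the master password offline at whatever speed their hardware allows. The following is an added illustration, not code from KeePass or from anyone on this list. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for KeePass's own AES-based key transformation (an assumption made so the demo runs without extra packages); the cost model is the same: each extra round multiplies the price of every offline guess while costing the owner that delay once per unlock.

```python
"""Added illustration (not KeePass code): how key-transformation rounds scale
the cost of offline guessing against a stolen database file. PBKDF2-HMAC-SHA256
from the standard library stands in for KeePass's AES-based transformation."""
import hashlib
import hmac
import time

# Constructed sample salt; a real database stores its own random seed.
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def stretch_master_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Derive a 256-bit key from the master password with `rounds` iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def verify_master_key(password: str, salt: bytes, rounds: int, expected: bytes) -> bool:
    """Constant-time check of a candidate password against a derived key."""
    return hmac.compare_digest(stretch_master_key(password, salt, rounds), expected)

def seconds_per_guess(rounds: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation on this machine."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        stretch_master_key("benchmark", SAMPLE_SALT, rounds)
        best = min(best, time.perf_counter() - t0)
    return best

def rounds_for_delay(target_seconds: float, calibration_rounds: int = 20000) -> int:
    """Round count that makes one unlock take about `target_seconds` here,
    the same idea as KeePass's '1 second delay' calibration button."""
    per_round = seconds_per_guess(calibration_rounds) / calibration_rounds
    return max(1, int(target_seconds / per_round))

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over the charset."""
    return charset_size ** length

def expected_years(keyspace_size: int, secs_per_guess: float, parallelism: int = 1) -> float:
    """Expected search time for a uniformly random password: half the space,
    spread over `parallelism` independent guessing cores."""
    return (keyspace_size / 2) * secs_per_guess / parallelism / (365 * 24 * 3600)


if __name__ == "__main__":
    for rounds in (6000, 600000):  # 6000 was KeePass's default for years
        cost = seconds_per_guess(rounds)
        print(f"{rounds:>7} rounds: {cost:.4f}s/guess, 8 lower-case chars "
              f"-> {expected_years(keyspace(26, 8), cost, 1000):.1f} years on 1000 cores")
    print("rounds for ~1s unlock here:", rounds_for_delay(1.0))
```

The printed estimates are for this machine's CPU only; a dedicated cracking rig is faster per guess, which is why the round count, not the hardware assumption, is the knob the database owner controls.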
