Ask HN: Does anyone use an alternative to a password manager?
As time goes on I find myself, both in my professional and my personal life, adding more and more usernames and passwords I need to remember. I have over a 100 accounts I need to keep track of and access typically access at a whim.
Since it's insecure to both use the same password over and over or to modify a single password per service (e.g. appending "fb" or "tw" etc to a password when using a different service) I have found that a password manager is literally the only thing working for me.
However, as break-ins become more and more frequent, I am concerned that my single point of failure, my password manager, could become compromised. I mean it seems almost inevitable, right? An attacker wouldn't even need to compromise the service or app you're using but your phone instead to gather the same data.
So I'm curious to those of you who use something other than a typically password manager: what do you use and has it been successful or a pain?
249 comments
[ 3.6 ms ] story [ 286 ms ] threadIt works very well from my experience.
http://ssl.masterpasswordapp.com/
In theory it's solid but in practice, websites with arbitrary (and foolish) password requirements means your generated pass is likely to not be accepted. You can add fields for tuning the presence of non-alpha and capitalised characters but then that needs syncing and at that point - the benefits aren't really there.
If you use git to store your passwords you can use that to see the age of entries neatly too:
https://blog.steve.fi/rotating_passwords.html
I used to have a little notebook with everything, tucked 'securely' out of the way. I mean, even in a robbery somebody isn't going to rifle through some junk on a shelf right? I came to think though, that in that situation of course a list of passwords is not the target but if the robber has a small amount of technical knowledge (getting more likely, these days) then the risk is that they recognize the value of something like a book of passwords and just take it along. All of a sudden, their technology aware friend has access to my bank account!
So, I use Keepass now with a long passphrase, and syncthing keeps copies of the database distributed across several devices in several locations for me and I have access from all the various operating systems that I use. I am thinking about giving the passphrase to a friend also, as I have known him for 30+ years but I do not work with him or live near him and see him only yearly or less.
It would be great if someone added this feature into Keepass so that you didn't have to use an additional tool. Each instance of a database would have its own key and set of linked databases. When you open the database it would sync with every one of its linked databases that is also open. This would (hopefully?) get around the problem of adding new passwords to different databases before syncing. I expect one issue might be that people tend to only log into one instance of their database at a time.
Anyway I want to change to a paperless variant due to the increasing amount of "important" services.
If you're concerned, you could use separate files for different levels of security, which would give you the theoretical ability to compartmentalize the loss. But again, if you're compromised to that extent it's game over, there is nothing you can do that will allow you to operate securely on untrusted hardware/OS, you simply can't let that happen.
It's not like that's an unreasonable goal, the combination of Ublock Origin, Windows Defender, and common sense have kept my systems clean for 10 years now.
But with a password manager - they get 100% of usernames + passwords to every site you've ever used, even if you dont visit it after the compromise...
I recently got one for my parents (as they use and keep loosing post-it’s) and it has fields for username, password, secret question and notes.
1: https://chriszarate.github.io/supergenpass/
https://play.google.com/store/apps/details?id=info.staticfre...
I use SGP for the bulk of my throwaway accounts.
I have a file of the first word that comes to mind for every letter in the alphabet. Then my password is created based on some features of the site.
I.e. eBay has 4 letters so I could choose: 'Elephant_4_Yankee'
The delimiter is up to you and you could just as easily choose every second letter or whatever.
Yes, it does mean my Netflix password is a bitch to put in but I know it off by heart.
sha256("password"+domain)
The problem is, the login form doesn't remind that a) a special character was required and b) what characters that particular site thinks are "special".
(Data: I have 72 logins currently cached in Firefox. Every single one of those sites accepts 10-character mixed case alphanumeric passwords with no extra special character requirements. About once a year I come across a site that needs one.)
Still, I'd say it's inconvenient to have "special cases" to remember about. Even if they're something important, like banking.
---
Someone had mistaken downvote with "I disagree" rather than "unhelpful". Upvoted you, as I think your comment was helpful and contributed to the discussion.
But this is going off-topic (and discussing votes is something we should refrain from)
For the special chars, I chose the Safari way of encoding, i.e. I only extract alpha-numberics from base64, and add a "-" every 3 chars. This also improves readability. I assume that if Apple chose this way of doing, either they studied it and/or sites will conform to that.
[1] https://hackernoon.com/mempa-a-modern-deterministic-password...
Regarding the user interface don't get me started on keepass. It was recently forked into keepassxc but the chromeipass/ foxipass integration does not work all the time. Also love it if a website just shows your username already and you have to fill out the password and can't use hotkeys. (I am looking at you google) Lastpass can do it successfully, but keepass...
The Android interface was last tested a few years ago by me and it only had a notification area you had to always show. I don't know if it is much better at the moment.
Regarding your password security: Lastpass itself encrypts your passwords and hashes them thousand times. You can also manually adjust the hashrate to even more. So even if lastpass would get cracked. You would have to try out every possible hashing number with every possible password combination. So thats a plus. Well compromising your pc and installing root would be your least concern. It would be easier to steal your phone, get your fingerprint and unlock your database this way.
You can never be 100% secure. But have to choose your best way of doing it.
Also i am open to suggestion regarding a great password manager for android. Will have to try out keepass and dashlane again.
[0] https://bitwarden.com/
LastPass Firefox Toolbar Version: 4.2.3 Built: Mon Dec 04 2017 13:51:36 GMT-0500 (EST)
Binary Component: true (Native Messaging version 4.1.44, built Nov 16 2017 23:33:27)
Is it broken upstream in the nightly build, but not in the stable build?
I don't know about mobile (especially Android), but at least on Google's authentication page, even though it only visually presents the username field, the password field is already there and is filled out by 1Password.
dl the file from dropbox and decrypt it via termux /s
At work, and with shared family accounts, I use 1Password; it works nicely and has a Web interface so I can use it from FreeBSD.
My personal workflow though is heavily Emacs-centric; I use Emacs for editing, programming, IRC, email, file management, PIM (orgmode), and (soon) Slack.
If you're not expecting to be specifically targeted, then "modify a single password per service" can be surprisingly secure. Don't just add "tw" "fb", but memorize a more complicated algorithm that's not obvious from inspecting two or three leaked passwords. e.g. Basic Caesar Cipher on the odd characters of the passwords using some part of the service name (fb, tw) as a key. Memorize a single algorithm that you can do mentally. Use something completely different for primary accounts (probably bank + main email that allows you to reset other accounts' passwords).
Some people will disagree and say "just use a secure password manager", but there is a valid argument that managers are not necessarily the best solution, depending on your use case.
[0] https://xkcd.com/538/
What is that argument?
However, I agree that for some people existing password managers seem either too complicated (KeePass) or expensive (1Password). In that case, I recommend:
1. Generate a password randomly using a 'diceware' type methodology
2. Use a standard prefix in front of all your passwords.
3. Write the password without the prefix in a notebook that you carry everywhere.
It's still not as good as 1Password because the passwords are not encrypted. But it's better than using a predictable algorithm that you have to remember. And of course, it's better than the system this often replaces - using the same 8 character password everywhere.
But I still strongly recommend paying for 1Password. How much do you pay for a padlock for your bike, or a burglar alarm for your house?
Yes, it has its own attack vectors, but they don't include things like ads stealing your info from your password manager [0] and apps stealing your passwords from your clipboard [1], both of which are legitimate reasons why you might want an alternative to a password manager.
"home-grown solution" has very negative connotations in infosec and rightfully so. I don't like seeing it in these kind of contexts as it blurs an important distinction between "Don't write your own random number generator if you're creating an app like Signal" (don't do it) vs "Find a solution to deal something as shitty as passwords in a way that works for you" (do it).
Your recommended method might also suit some people better (e.g. people who already carry a notebook around everywhere and guard it carefully).
There are no silver bullets out there. Work out what your needs are and then find a reasonable solution. It might be a password manager. It might not be.
[0] https://www.theverge.com/2017/12/30/16829804/browser-passwor...
[1] https://arstechnica.com/information-technology/2014/11/using...
Not a panacea, but significantly minimizes the length of a theoretical breach.
I’m not sure what you mean by “as well as your master”, though. If your master password is programmatically changed, how would you be able to access any of your stored passwords?
Wish I had more time to spend on it.
A real problem I ran into is that a full browser is required for many operations, now. Instagram.com, for example, is completely opaque to non-DOM+JS browsers. Right down to the shamefully empty `<noscript>` block.
0. https://github.com/SirCmpwn/pass-rotate
Please don't get me wrong, it would be great to have a service to centralize all your passwords including rotation, but this already exists. It's Google/Facebook if you choose to use oauth to sign in into other sites.
If this kind of api/js would exist and work, an attacker could exploit it to automatically change user's password.
Note that changing password is often used also as a simple mechanism to log out all the sessions (simple = easy to understand for the end user).
In summary, I really hope all website would do all they can do to protect their change password endpoints from automatic tools.
For me, passwords need to exist and need to be remembered, because if this is not the case, then many other security assumptions fail. With this I don't want to say that the current state of affairs is good, I definitely think that we need to invest in more mechanisms to help users remember their passwords, or reuse them in secure ways.
I let Keychain (MacOS) remember the passwords, so I never really think about them.
An example line in the text file looks like this:
Anyone thinking of trying to crack that, well good luck. I removed and twiddled a few characters from it, as if it wasn't hard enough already. Oh but here's how to decrypt if you really want to try: That's not a script, it's just an excerpt. You'll have to guess the password. You should probably do something else with your time.Since the text file is encrypted, I store it on Dropbox. Then I can access this from any computer where I log into Dropbox, provided I know my main password for decryption.
Later I can type 'get facebook pass' on the command line and the get script will retrieve the best matching entry, decrypt the value, and put it in my copy paste buffer ready to paste.
The biggest problem with this system is sometimes when two or more entries are a close match to whatever keywords I input, it may pick the wrong match. I need to improve it to show a list to pick from in those cases, or work on better ways to remember the right keywords for each item. Also my matching heuristics could be improved.
I use this in conjunction with a command line script for generating strong passwords. Most accounts have different passwords at this point and they are all strong. One problem with the script is I sometimes have to tweak the resulting password by hand to match whatever (generally dumb) rules are in place at a new site... when I say dumb, I mean for example, '!' not allowed, etc.
For sharing web passwords with my phone, I just allow Safari to remember them and then trust iCloud, for better or worse.
Overall this is not a pain, and pretty successful. But if someone got terminal access in my account on my computer, it would be game over... so I try not to allow that.
No. Entropy does not change by adding redundant bits.
You really are confused about this stuff.
You also seem completely unaware that many sites have password rules that require special characters that don't exist in your scheme... lol!
If I need to see the password for some reason you can find it from browser settings.
I'd rather propse to use a self-hosted password manager on a VPS or in a cloud service.
As long as that password manager is hosted securely, VPS for example, and uses your login password to help decrypt the stored passwords.
Perhaps some HMAC required too.
Anyone know if this exists in the open source world?
[0]: https://www.vaultproject.io/
[1]: https://thycotic.com/products/secret-server/
You can find a web version here: https://milliways.cryptomilk.org/passhash.html You can save the page locally (it's only a piece of javascript), or extract the functionality to build your own command line tool with nodejs from it, like I did.
(not my code, and I shamelessly grabbed the pieces from the js code for my own fork of it)
This way I have a new password for every use case but only need to remember one master password, which should be pretty hard to reverse engineer. I hope.
Has actually worked really well for me, though the annoying part comes when you need to login to something on your phone and the cypher program is on your desktop PC.
Though this likely wouldn't be an issue if I had an android phone and could easily make a small application for it.
It has problems on sites that have shitty password rules. But for those sites, i just mash the keyboard then rely on the forgotten password link.
Note: as TC has been discontinued, using VeraCrypt would be a good idea.