B-Nasty
May 25, 2005

Marinmo posted:

Agreed (also on the edit). Honest question: IF one autoupdates KeePass via its autoupdater, is the new installer verified somehow (MD5, GPG sigs or the like)? Otherwise, we're kinda back to square 1 there ...

It's not really a true auto-update; it just asks you to download the new installer .exe from (puke) SourceForge. The installer .exe and program .exe are both signed, though.

B-Nasty
May 25, 2005

Just blew away my LastPass account and told them the reason was "concerned about security." I never trusted it before, preferring to use KeePass, but I had non-critical passwords stored in there for junk sites. My issue is that I can't really trust their browser extension given how poorly it parses URLs. That's like a Jr. Programmer/Stack Overflow copy-paste level of incompetence.

I would just rather not have that code sniffing all my password forms regardless of what is stored in the vault.

B-Nasty
May 25, 2005

Since you reference it, why don't you use a similar mechanism to Hashpass (https://github.com/boyers/hashpass), but better, to form the password per site?

You are deriving password values from some master key + the site's URL; this is the perfect use for a HMAC-SHA function. I can trust that the resultant password from HMAC-SHA can't be used in reverse to find my secret master key. Your hard-to-follow, hand-spun hashing/derivation function doesn't give me the same assurance.

That is, if I obtained N different passwords (and the site URLs) generated from your bookmarklet, could I reverse them and get the list of primes (why bother with primes here anyway?). I'll bet for a large enough value of N, I could.
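
The HMAC-SHA construction suggested in the post above, as an added example (not code from the post, Hashpass, or the bookmarklet under discussion). The function names, the PBKDF2 stretching step, its round count and the 20-character output length are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PBKDF2_ROUNDS = 100_000  # assumed cost for stretching the memorised passphrase


def site_label(url: str) -> str:
    """Reduce a URL to its lowercase hostname so scheme, port, path and
    query string never change the derived password."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")


def master_key(passphrase: str, user_salt: bytes) -> bytes:
    """Stretch the passphrase once; the output is used only as an HMAC key,
    so a leaked site password cannot be checked against cheap guesses."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), user_salt, PBKDF2_ROUNDS)


def site_password(key: bytes, url: str, length: int = 20) -> str:
    """HMAC-SHA256(key, hostname) encoded as printable characters.
    Each hostname (subdomains included) gets an unrelated output."""
    tag = hmac.new(key, site_label(url).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()[:length]


if __name__ == "__main__":
    key = master_key("constructed passphrase", b"constructed-salt")
    for site in ("https://example.com/login", "https://example.org/"):
        print(site_label(site), site_password(key, site))
```

Because HMAC is a pseudorandom function under a secret key, collecting the outputs for many hostnames does not help recover the key, which is the property the hand-written derivation is being asked to show.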

B-Nasty
May 25, 2005

Xarn posted:

All employees at my work are probably going to get Yubikeys. Are they actually good?

Which Yubikey model, and what are you using them for? For basic U2F, they're nice little devices, but the Yubikey 4 recently moved most of their advanced crypto features to a closed source blob (was previously open source.) https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7vy

Whether or not that matters to you would depend on your uses for the device and your trust of closed source crypto.

B-Nasty
May 25, 2005

EssOEss posted:

LessPass is reinventing password managers! Leaking the password via displaying magic images is a cool innovation.

Another worthless hash-based p/w generator that forces you to remember hundreds of site-specific p/w rules and other configuration options to "save" you the effort of syncing a database file.

B-Nasty
May 25, 2005

Modest Mouse cover band posted:

How's this guide for password generation and storing?
https://crackstation.net/hashing-security.htm

My user table:


So I'm going for a slow hash, with a salt, and X number of iterations. Preferably using something like this: http://shawnmclean.com/simplecrypto-net-a-pbkdf2-hashing-wrapper-for-net-framework/

Is there a newer recommended C# library, or will PBKDF2 still hold up?

Don't roll your own. Microsoft Identity has a hasher built in: Microsoft.AspNet.Identity.Core/PasswordHasher.cs. It uses PBKDF2 (1000 iterations) to generate a 128 bit salt and 256 bit key. It automatically adds a version number, appends those items together, and returns a nice Base64 string that you can store in the DB. It also has a VerifyHashedPassword method that does a constant-time comparison and (smartly) returns an enumeration of whether it passed or not.

The 1000 iterations is a bit low, but it shouldn't matter much for stronger passwords. The versioning they built in allows for MS to add additional algorithms and easily upgrade, though they haven't done it yet.

edit: They actually have updated it. Version 3 will use: PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations.

B-Nasty fucked around with this message at 21:25 on Mar 9, 2017
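
The design described in the post above (version marker, random salt, PBKDF2 subkey, Base64 output, constant-time verification returning an enumeration), sketched as an added example. This is not Microsoft's code and not its exact byte layout: the one-byte version prefix, the names, and HMAC-SHA1 for the older version are assumptions; the iteration counts and sizes are the ones quoted in the post.

```python
import base64
import enum
import hashlib
import hmac
import os

# version byte -> (PRF, iterations); layout and SHA-1 for version 2 are assumed
FORMATS = {2: ("sha1", 1000), 3: ("sha256", 10000)}
CURRENT = 3
SALT_LEN, KEY_LEN = 16, 32  # 128-bit salt, 256-bit subkey


class Result(enum.Enum):
    FAILED = 0
    SUCCESS = 1
    SUCCESS_REHASH_NEEDED = 2  # password correct, stored under an old version


def hash_password(password: str, version: int = CURRENT) -> str:
    """Return base64(version || salt || subkey) for storage in one DB column."""
    prf, rounds = FORMATS[version]
    salt = os.urandom(SALT_LEN)
    subkey = hashlib.pbkdf2_hmac(prf, password.encode(), salt, rounds, KEY_LEN)
    return base64.b64encode(bytes([version]) + salt + subkey).decode()


def verify_password(stored: str, candidate: str) -> Result:
    """Recompute the subkey with the parameters named by the version byte."""
    try:
        blob = base64.b64decode(stored, validate=True)
    except ValueError:  # malformed or truncated column value
        return Result.FAILED
    if len(blob) != 1 + SALT_LEN + KEY_LEN or blob[0] not in FORMATS:
        return Result.FAILED
    prf, rounds = FORMATS[blob[0]]
    salt, expected = blob[1:1 + SALT_LEN], blob[1 + SALT_LEN:]
    actual = hashlib.pbkdf2_hmac(prf, candidate.encode(), salt, rounds, KEY_LEN)
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return Result.FAILED
    return Result.SUCCESS if blob[0] == CURRENT else Result.SUCCESS_REHASH_NEEDED
```

On `SUCCESS_REHASH_NEEDED` the caller still has the plaintext in hand from the login, so it can call `hash_password` again and overwrite the stored value, which is how a versioned format upgrades old rows over time.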

B-Nasty
May 25, 2005

OSI bean dip posted:

I do not recommend PBKDF2 for password hashing. The purpose of that hash is to key stretch a passphrase for the purposes of using it alongside another cryptographic algorithm.

Instead I'd look into using either Bcrypt or Blake2 which are intended for password storage. The two links are for C# implementations.

It's not the most ideal, but it is Microsoft's implementation that uses Windows' FIPS-compliant CSPs. It's also heavily tested by the millions of applications that use ASP.Net Identity.

I'm sure the libraries you linked are perfectly fine, but certain organizations might not want to use an external library over what Microsoft provides.

B-Nasty
May 25, 2005

Also, restrict r/w on the keyfile to only Administrator and run KeePass elevated by setting the exe to run as administrator. Obviously, disable KeePass plugins and ensure UAC setting is maxed out.

This prevents the keyfile from being grabbed by malware, and prevents the small possibility of process injection.

B-Nasty
May 25, 2005

Furism posted:

Is there any way to get a 2FA/FIDO plugin for KeePass? I couldn't find anything on their plugins page. I think I'm going to stick to KeePass (w/ SyncThing) but I'd like to have 2FA just in case.

KeePass for Windows supports the YubiKey in, I think, HOTP mode. It reencrypts the DB using the next code that you then enter the next time you open it.

edit: http://keepass.info/plugins.html#otpkeyprov

B-Nasty
May 25, 2005

Double Punctuation posted:

“Nice, succulent, slow-cooked cloud computing.”

LOL, I'm glad I decided not to pick one of these up. A sous vide cooker should be at about the same technological complexity as a Crock Pot. Set the desired temp, and walk away for a few hours. It doesn't even need to have auto-off or auto-on, since the cooking time doesn't matter that much. In fact, you're better off leaving whatever 'cooking' at 140F than to have the device shut off and let bacteria start to grow in your cooling meal.

Old-school Option: Google search "sous vide temperature steak", input temp, and set any handy timer for 2-3 hours.

IOT Option: Find phone, turn on bluetooth, pair to Anova, download app/update app, sign in/create account, click through ads, use lovely app to find the food I'm cooking, and worry that my device will be bricked when Anova goes out of business.

B-Nasty
May 25, 2005

Gotta love that Google allows email root access with a simple OAuth flow.

OAuth is a user experience garbage fire. Let's use an innocent looking auth popup, that users see daily on their phones when they install flappy birds, that you must read in its entirety and know what the fine-grained permissions mean to understand what's reasonable access and what's pwned access.

B-Nasty
May 25, 2005

Klyith posted:

anyone who has full access to your computer, whether remote or local, can potentially yoink all your passwords.

To be fair, it's a little better than just a text file. The master p/w in the batch file is encrypted using Windows' DPAPI, which is locked to a user account. The DPAPI key, though stored on disk, is encrypted with the login credentials, so an active user session would be necessary.

Basically to steal the passwords in the vault, you'd have to be able to run a process (decrypt the enc password in the batch file using DPAPI) under the logged in user's account. Access to the file system isn't going to cut it.

It's still not a particularly great idea, though.

B-Nasty
May 25, 2005

cheese-cube posted:

Just want to clarify something here, the key derivation mechanism you're describing is PBKDF2 however DPAPI can be utilised with a normal plain-text key so it's worth verifying the implementation.

I'm not following you.

I think the blog post mentioned that by using KeePass itself to insert (autotype) the 'password' in the batch file, it spits out a long, nonsense value, which is the password value encrypted (protected) with DPAPI. Last time I looked at the KP source, it used the standard, user-level DPAPI Protect/Unprotect functions for all its interactions with DPAPI. PBKDF2 is an implementation detail of DPAPI internals, but that's not relevant to what is being done here.

In reality, what this person is doing is effectively the same as just using the option in KeePass to encrypt the DB to a Windows user account. I guess the difference is that one could still use the master password to unlock the database, say on another machine.

https://keepass.info/help/base/placeholders.html#passwordenc

B-Nasty
May 25, 2005

Mystic Stylez posted:

Is it worth going through the hassle of setting up Two-Channel Auto-Type Obfuscation on KeePass and using it where you can or is it way too much for a regular person like me on my home desktop (i.e. no work or sensitive data) and copying/pasting through KeePass is enough?

That feature is mostly BS -- since keyloggers are typically way more sophisticated than just key/clipboard spies -- but it doesn't really hurt to turn it on for entries where you use auto-type already.

Auto-type is pretty handy, but be real careful with it. If your focus is on the wrong form element or something, it could result in your password being auto-typed into the wrong textbox. It's best for forms/dialogs that will never change their layout (i.e. nothing on the lovely web that has bored/stupid product-manager-directed redesigns of login forms)

B-Nasty
May 25, 2005

You know this question was answered by nerds when the first thing that comes to mind is a game ROM file instead of the hash of some famous text, like from a book.

Your program could strip all whitespace/linebreaks/punctuation and hash the lowercase ASCII encoding of a few hundred letters (set number, no matter how much text was entered.) You'd just have to remember: use part 3, chapter 4 of Crime and Punishment (or bible verses if you're so inclined.)

This would allow you to decrypt offline by manually typing in the characters from a paper copy. If you were monitored, this would be less obvious than your sudden interest in finding Bubble_Bobble.nes in the year 2043.
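
The canonicalisation step described in the post above, as an added example (not code from the thread). The function names, the Unicode folding step and SHA-256 as the hash are assumptions; the passages are constructed sample text, not taken from any book.

```python
import hashlib
import unicodedata


def canonical_letters(text: str, count: int) -> bytes:
    """Keep only a-z, lowercased, and return exactly `count` letters.
    NFKD folding turns accented letters and ligatures into plain ASCII
    letters, so typographic differences between editions drop out."""
    folded = unicodedata.normalize("NFKD", text).lower()
    letters = [c for c in folded if "a" <= c <= "z"]
    if len(letters) < count:
        raise ValueError(f"need {count} letters, got {len(letters)}")
    return "".join(letters[:count]).encode("ascii")


def passage_key(text: str, count: int = 300) -> bytes:
    """Hash a fixed number of letters, no matter how much text was typed."""
    return hashlib.sha256(canonical_letters(text, count)).digest()


if __name__ == "__main__":
    # Two constructed transcriptions of the same passage: different case,
    # punctuation and line breaks, and a different continuation.
    typed_a = "It was a grey morning, and the courier waited by the gate."
    typed_b = "IT WAS A GREY\nMORNING -- and the courier waited; by the river"
    print(passage_key(typed_a, 40) == passage_key(typed_b, 40))
```

The letter count has to be fixed in advance and remembered along with the passage, since typing one letter more or fewer than the agreed number produces an unrelated key.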

B-Nasty
May 25, 2005

My password is "I murdered a homeless person 5 years ago", but I can invoke my 5th Amendment rights not to self-incriminate by telling anyone that*

*except they already ruled that you can just enter it - they don't care what it is.

B-Nasty
May 25, 2005

Klyith posted:

if you are a criminal in the US, or a dissident in a nasty dictatorship, your best bet is security through obscurity. the only way They can't force you to decrypt your poo poo is if they can't even find the storage media in the first place. a 128gb microsd card is the size of your fingernail, buy one of those and hide it somewhere clever. i suggest up your rear end.

https://www.cultofmac.com/387108/electronics-sniffing-dogs-can-root-out-usb-drives/

B-Nasty
May 25, 2005

Jabor posted:

The answer to my security question is "it's just a whole bunch of numbers and letters"

That was literally what I said over the phone to a financial organization CSR, which was sufficient to pass the authentication. Proving 2 things: they store them plain-text, and static KBA is more security theater than the TSA's nut grabs.

B-Nasty
May 25, 2005

My late 90's Comp Sci dorm story:

Back in those days, we all had our own public IP addresses issued from the school's class B (/16). Right before leaving for Thanksgiving break, I was installing the FTP server on, I think it was NT4 or perhaps an early copy of Win2K, and I forgot to lock down anon access (which was on by default.)

When I came back from break, I found that my network access to the Internet (the local network was open) was blocked. I also found a ton of folders in the FTP root directory with names that Explorer wasn't able to list/delete. I had to write a program in C++ to recurse through the drive and delete all the folders/files. I didn't look at the files, but I hate to even think what kind of poo poo I was hosting for the world.

The school let me know that my bandwidth usage of 100s of gigabytes (big whoop today) was completely unacceptable, and that I would have to take a "responsible network course/quiz" before I could have my access back. Not that we have the IPv4 space to support it, but it would be a fun day if everyone connected to the web without NAT again.
