redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

Smart Cards? Fingerprint readers? Biometric shits? Ideally I would like to stop having to remember and type passwords out. I really don't know how far the technology has come. Losing a password device you shove into a computer means you lose the password contained within, correct? Would it be possible to say, buy a new 'device' and have the new one spit out the same password as the old one using the same biometric input?

There has to be some new technology that makes this easy?


redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

Well google says this might be a decent idea: https://www.amazon.com/gp/product/B...pf_rd_i=desktop

Seems like you HAVE to use some kind of password manager. I am not a fan of those.

DeepBlue
Jul 7, 2004

SHMEH!!!


redeyes posted:

There has to be some new technology that makes this easy?

Maybe this?

https://hackaday.io/project/86-mool...password-keeper

Edit:

Get it from here.

https://www.tindie.com/products/lim...assword-keeper/

DeepBlue fucked around with this message at Dec 24, 2016 around 17:15

MrMoo
Sep 14, 2000



redeyes posted:

There has to be some new technology that makes this easy?

Apple Watch?

or, a U2F Key?

MrMoo fucked around with this message at Dec 26, 2016 around 15:22

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

The best thing I have been able to find that seems to do everything I want is this:
https://www.amazon.com/gp/product/B...=A2I3OHFUPGS2EH

Seems interesting. I may buy one just to see.

Heners_UK
Jun 1, 2002


Some services will support YubiKey: https://www.yubico.com/

But not necessarily without a password. LastPass can take the pain away from this for the most part.

Houstonista
Dec 30, 2000


Like Heners_UK said.

Ars recently had an article about it.

http://arstechnica.com/security/201...ount-takeovers/

peak debt
Mar 10, 2001
b& :(

That thingy won't replace passwords, it'll replace mobile phones for two-factor-authentication. It's also very much in a state of "maybe we'll use it in the future someday if Google doesn't become bored with it soon".

Currently your best bet is probably to have a strong Windows password, then enable a login PIN. Then choose strong Web passwords, and store them in the Chrome password safe that's protected by the Windows DPAPI.

Forgall
Oct 16, 2012

What're you lookin' at?


redeyes posted:

The best thing I have been able to find that seems to do everything I want is this:
https://www.amazon.com/gp/product/B...=A2I3OHFUPGS2EH

Seems interesting. I may buy one just to see.

It only remembers up to 24 passwords (12 without annoying pin-switching), and you have to memorize which key combination corresponds to each account. Not very convenient...

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

peak debt posted:

That thingy won't replace passwords, it'll replace mobile phones for two-factor-authentication. It's also very much in a state of "maybe we'll use it in the future someday if Google doesn't become bored with it soon".

Currently your best bet is probably to have a strong Windows password, then enable a login PIN. Then choose strong Web passwords, and store them in the Chrome password safe that's protected by the Windows DPAPI.

Well, this is to be able to log into other computers mostly. But what is this Chrome password safe which is protected by Windows DPAPI? Can you give me a little more explanation? Google smart lock remembers passwords I type into Chrome but I don't know how that is any different from other password-remembering utils?

Moreleth
Jun 11, 2001

lego my eggo

Just use 1password

redeyes
Sep 14, 2002
I LOVE THE WHITE STRIPES!

I'd rather not use online password managers.

Moreleth
Jun 11, 2001

lego my eggo

So I haven't tried the online version of 1password yet, I'm using the OS X local version with a locally stored password file. The password file is in my Dropbox, which is then shared to my phone, also running the "offline" version of 1password. Whenever I add new passwords on my laptop, Dropbox syncs them with my phone. On my computer I type in a very long master password once, then use it many times for various logins. On my phone, my fingerprint also unlocks the passwords - no super long master password required there.

Canine Blues Arooo
Jan 7, 2008

when you think about it...i'm the first girl you ever spent the night with


Grimey Drawer

I have issues with online password managers. Besides having a single point of failure for a ton of important data, I really don't like not having absolute control over my auth for services (in this case, not actually knowing the password [Yes, I know you can look this up, but while the length they employ makes them exceptionally secure, it also makes them exceptionally impossible to actually commit to memory]). A lot of people are OK with Magic Software™ managing their passwords. I am not.

The strategy I employ is to have a common string that is then modified based on the website I'm logging into. It's not perfectly secure, but it also means that any attempt to mass-attempt logins will fail.

So, for example, say my base string is '5mm3XXX7w!nt3r'. I'd then replace the XXX with an identifier for the website. So, for Something Awful, it might be '5mm3SA7w!nt3r'. Now, that is a monster to memorize, but in reality, you only need to memorize the base string once and then understand how you internalize your identifiers. Hell, you can even keep a spreadsheet with your site identifiers and it still would mean nothing to anyone. This system protects against the most common types of attacks and incidents of lax security on a service provider. Pairing your email and a password for a given site is totally useless unless someone actually takes the time to figure out how you generate your particular password, which is never going to happen. If someone gets a hold of your password ID spreadsheet, it's useless without the base string. Anecdotally, I've used this system for about 10 years now and while individual auth information has been compromised, no one has ever made a cross-site attack on my accounts. The only attack that can realistically compromise this kind of system is a keylogger, which is extremely unlikely with even intermediate Internet know-how.

I have an additional layer of security, where all my accounts are based from, and recovered from my gmail account. My gmail account has an entirely unique password as a final layer of security in case the worst would happen.

At the end of the day, I have to effectively memorize 2 passwords and I enjoy a level of security that is very nearly equivalent to the kind provided by a password manager. I do have a spreadsheet that contains the IDs for sites I don't use much and I don't care much about, but again, compromising that spreadsheet is both extremely unlikely and not useful unless you have the base string of the passwords as well.

I personally think this is the 'best' way to handle password management if you don't want to put all your trust in a software solution.
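
As an added illustration (not code from any poster in this thread), the sketch below implements the template scheme from the post above with its quoted base string, shows what a single plaintext leak of one site's password exposes, and contrasts it with a per-site keyed derivation. The PBKDF2-HMAC-SHA256 alternative, the function names and the `EX` site identifier are assumptions made for the example.

```python
import base64
import hashlib
from typing import Optional

BASE_TEMPLATE = "5mm3XXX7w!nt3r"  # base string quoted in the post above


def template_password(site_id: str, template: str = BASE_TEMPLATE) -> str:
    """The post's scheme: drop the site identifier into the XXX slot."""
    return template.replace("XXX", site_id)


def template_from_leak(leaked: str, site_id: str) -> Optional[str]:
    """What one plaintext leak exposes when the identifier is guessable
    from the site name: the shared template itself."""
    if site_id not in leaked:
        return None
    return leaked.replace(site_id, "XXX", 1)


def derived_password(secret: str, site_id: str, length: int = 20) -> str:
    """Swapped-in alternative (assumption, not from the thread): derive each
    site's password from the secret with PBKDF2-HMAC-SHA256, salted by the
    site identifier, so one site's output says nothing about another's."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), site_id.encode(), 200_000)
    return base64.urlsafe_b64encode(raw).decode()[:length]


def shared_chars(a: str, b: str) -> int:
    """Count positions where two passwords carry the same character."""
    return sum(x == y for x, y in zip(a, b))


if __name__ == "__main__":
    sa = template_password("SA")   # 5mm3SA7w!nt3r, as in the post
    ex = template_password("EX")   # "EX" is a constructed identifier
    print("template scheme:", sa, ex, "shared:", shared_chars(sa, ex))
    print("recovered from one leak:", template_from_leak(sa, "SA"))
    d_sa = derived_password(BASE_TEMPLATE, "SA")
    d_ex = derived_password(BASE_TEMPLATE, "EX")
    print("derived:", d_sa, d_ex, "shared:", shared_chars(d_sa, d_ex))
```

The derived form cannot be worked out in one's head, which is the trade-off against the memorised template.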

GobiasIndustries
Dec 14, 2007



Lipstick Apathy

I use 1Password and iCloud Keychain to manage/store all my passwords. Those services store passwords locally, right? Like, if 1Password and iCloud were to both go down simultaneously, I'd still have all my passwords on my devices?

MrDeSaussure
Jul 20, 2008


Yubikey is exactly what I've used, both in Enterprise and at home.

penus penus penus
Nov 8, 2014

by piss__donald


I really dig Yubikey with NFC and I'm about to get one I think. I use 2 factor for everything by default these days and I tend to image tons of computers and it gets kind of old going through the whole routine. The NFC feature is really icing on the cake when I'm using other people's tablets or phones, and it's usually always something in a pinch too and getting that little record screech right in the middle of something is annoying.

Doesn't solve the OP's question of course, however. But frankly I'd be surprised if something like that existed commercially. It's considered a big no no to have primary authentication for potentially important stuff on a physical thing that can fall out of your pocket during hershey squirts in a 7-11 bathroom.

Forgall
Oct 16, 2012

What're you lookin' at?


Canine Blues Arooo posted:

Anecdotally, I've used this system for about 10 years now and while individual auth information has been compromised, no one has ever made a cross-site attack on my accounts.

That only means you have been lucky so far.

Craptacular!
Jul 9, 2001

Fuck the DH


GobiasIndustries posted:

I use 1Password and iCloud Keychain to manage/store all my passwords. Those services store passwords locally, right? Like, if 1Password and iCloud were to both go down simultaneously, I'd still have all my passwords on my devices?

1Password stores files locally and, if you choose, will include an encrypted backup on some service. They support iCloud and Dropbox because they are "large, well-known, and carefully scrutinized by the many people that rely on them to keep their data safe", but also support offline syncing between smart devices and PCs.

Basically, their take is, "we feel these two cloud drives are secure, but even if they're compromised and someone gets your file, it's still strongly encrypted." This helps in the event that you and two million of your best friends find their Dropbox accounts hacked, that all your passwords aren't toast. I consider this to be acceptable for "everyone but the NSA" level security, and if you need "everyone including the NSA" security you're pretty much hosed anyways.

Canine Blues Arooo
Jan 7, 2008

when you think about it...i'm the first girl you ever spent the night with


Grimey Drawer

Forgall posted:

That only means you have been lucky so far.

How do you figure?

To compromise my passwords, you'd need two pieces of information in two different locations, and the attack would have to be a personal attack, not a widescale attack. That's not lucky, that's just a basic understanding of the nature of auth attacks: They are done en masse and without discrimination.

peak debt
Mar 10, 2001
b& :(

redeyes posted:

Well, this is to be able to log into other computers mostly. But what is this Chrome password safe which is protected by Windows DPAPI? Can you give me a little more explanation? Google smart lock remembers passwords I type into Chrome but I don't know how that is any different from other password-remembering utils?

DPAPI is basically Windows' integrated password safe. It's difficult to steal from even if you are running malware on the PC because the OS requires the user password to do an export, and newer Windows versions protect these login boxes from software based password stealers and keyloggers. If you use a PIN to log in daily, you are even reasonably protected against rootkit and hardware based password stealers.


b0lt
Apr 28, 2005


peak debt posted:

That thingy won't replace passwords, it'll replace mobile phones for two-factor-authentication. It's also very much in a state of "maybe we'll use it in the future someday if Google doesn't become bored with it soon".

Google isn't going to get bored with it, it's deployed throughout all of Google's corporate network. Things that Googlers rely on internally are basically never going to be deprecated, which is why Reader is gone, and Groups is still around.
