|
Smart Cards? Fingerprint readers? Biometric shits? Ideally I would like to stop having to remember and type passwords out. I really don't know how far the technology has come. Losing a password device you shove into a computer means you lose the password contained within correct? Would it be possible to say, buy a new 'device' and have the new one spit out the same password as the old one using the same biometric input? There has to be some new technology that makes this easy?
|
#
?
Dec 23, 2016 16:31
|
|
|
|
| # ? Apr 23, 2024 11:23 |
|
|
Well google says this might be a decent idea: https://www.amazon.com/gp/product/B...pf_rd_i=desktop Seems like you HAVE to use some kind of password manager. I am not a fan of those.
|
|
#
?
Dec 24, 2016 17:10
|
|
|
redeyes posted:There has to be some new technology that makes this easy? Maybe this? https://hackaday.io/project/86-mooltipass-offline-password-keeper Edit: Get it from here. https://www.tindie.com/products/limpkin/mooltipass-offline-password-keeper/ DeepBlue fucked around with this message at 18:15 on Dec 24, 2016 |
|
#
?
Dec 24, 2016 18:12
|
|
|
redeyes posted:There has to be some new technology that makes this easy? Apple Watch? or, a U2F Key? MrMoo fucked around with this message at 16:22 on Dec 26, 2016 |
|
#
?
Dec 26, 2016 16:18
|
|
|
The best thing I have been able to find that seems to do everything I want is this: https://www.amazon.com/gp/product/B01KUJ2ASA/ref=crt_ewc_title_srh_1?ie=UTF8&psc=1&smid=A2I3OHFUPGS2EH Seems interesting. I may buy one just to see.
|
|
#
?
Dec 26, 2016 19:43
|
|
|
Some services will support YubiKey: https://www.yubico.com/ But not necessarily without a password. LastPass can take the pain away from this for the most part.
|
|
#
?
Dec 27, 2016 03:35
|
|
|
Like Heners_UK said. Ars recently had an article about it. http://arstechnica.com/security/2016/12/this-low-cost-device-may-be-the-worlds-best-hope-against-account-takeovers/
|
|
#
?
Dec 27, 2016 05:14
|
|
|
That thingy won't replace passwords, it'll replace mobile phones for two-factor-authentication. It's also very much in a state of "maybe we'll use it in the future someday if Google doesn't become bored with it soon". Currently your best bet is probably to have a strong Windows password, then enable a login PIN. Then choose strong Web passwords, and store them in the Chrome password safe that's protected by the Windows DPAPI.
|
|
#
?
Dec 27, 2016 10:58
|
|
|
redeyes posted:The best thing I have been able to find that seems to do everything I want is this:
|
|
#
?
Dec 27, 2016 13:19
|
|
|
peak debt posted:That thingy won't replace passwords, it'll replace mobile phones for two-factor-authentication. It's also very much in a state of "maybe we'll use it in the future someday if Google doesn't become bored with it soon". Well, this is to be able to log into other computers mostly. But what is this Chrome password safe which is protected by Windows DPAPI? Can you give me a little more explanation? Google smart lock remembers passwords I type into Chrome but I don't know how that is any different from other password-remembering utils?
|
|
#
?
Dec 28, 2016 19:19
|
|
|
Just use 1password
|
|
#
?
Dec 28, 2016 20:20
|
|
|
I'd rather not use online password managers.
|
|
#
?
Dec 28, 2016 20:38
|
|
|
So I haven't tried the online version of 1password yet, I'm using the OS X local version with a locally stored password file. The password file is in my Dropbox, which is then shared to my phone, also running the "offline" version of 1password. Whenever I add new passwords on my laptop, Dropbox syncs them with my phone. On my computer I type in a very long master password once, then use it many times for various logins. On my phone, my fingerprint also unlocks the passwords - no super long master password required there.
|
|
#
?
Dec 28, 2016 20:53
|
|
|
I have issues with online password managers. Besides having a single point of failure for a ton of important data, I really don't like not having absolute control over my auth for services (in this case, not actually knowing the password [Yes, I know you can look this up, but while the length they employ makes them exceptionally secure, it also makes them exceptionally impossible to actually commit to memory]). A lot of people are OK with Magic Software™ managing their passwords. I am not. The strategy I employ is to have a common string that is then modified based on the website I'm logging into. It's not perfectly secure, but it also means that any attempt to mass-attempt logins will fail. So, for example, say my base string is '5mm3XXX7w!nt3r'. I'd then replace the XXX with an identifier for the website. So, for Something Awful, it might be '5mm3SA7w!nt3r'. Now, that is a monster to memorize, but in reality, you only need to memorize the base string once and then understand how you internalize your identifiers. Hell, you can ever keep a spreadsheet with your site identifiers and it still would mean nothing to anyone. This system protects against the most common types of attacks and incidents of lax security on a service provider. Pairing your email and a password for a given site is totally useless unless someone actually takes the time to figure out how you generate your particular password, which is never going to happen. If someone gets a hold of your password ID spreadsheet, it's useless without the base string. Anecdotally, Ive used this system for about 10 years now and while individual auth information has been compromised, no one has ever made a cross-site attack on my accounts. The only attack that can realistically compromise this kind of system is a keylogger, which is extremely unlikely with even intermediate Internet know-how. I have an additional layer of security, where all my accounts are based from, and recovered from my gmail account. My gmail account has an entirely unique password as a final layer of security in case the worst would happen. At the end of the day, I have to effectively memorize 2 passwords and I enjoy a level of security that is very nearly equivalent to the kind provided by a password manager. I do have a spreadsheet that contains the IDs for sites I don't use much and I don't care much about, but again, compromising that spreadsheet is both extremely unlikely and not useful unless you have the base string of the passwords as well. I personally think this is the 'best' way to handle password management if you don't want to put all your trust in a software solution.
|
|
#
?
Dec 28, 2016 21:50
|
|
|
I use 1Password and iCloud Keychain to manage/store all my passwords. Those services store passwords locally, right? Like, if 1Password and iCloud were to both go down simultaneously, I'd still have all my passwords on my devices?
|
|
#
?
Dec 28, 2016 23:32
|
|
|
Yubikey is exactly what I've used, both in Enterprise and at home.
|
|
#
?
Dec 29, 2016 02:30
|
|
|
I really dig Yubikey with NFC and I'm about to get one I think. I use 2 factor for everything by default these days and I tend to image tons of computers and it gets kind of old going through the whole routine. The NFC feature is really icing on the cake when im using other people's tablets or phones, and its usually always something in a pinch too and getting that little record screech right int he middle of something is annoying. Doesn't solve the OP's question of course, however. But frankly I'd be surprised if something like that existed commercially. Its considered a big no no to have primary authentication for potentially important stuff on a physical thing that can fall out of your pocket during hershey squirts in a 7-11 bathroom
|
|
#
?
Dec 29, 2016 06:02
|
|
|
Canine Blues Arooo posted:Anecdotally, Ive used this system for about 10 years now and while individual auth information has been compromised, no one has ever made a cross-site attack on my accounts.
|
|
#
?
Dec 29, 2016 13:01
|
|
|
GobiasIndustries posted:I use 1Password and iCloud Keychain to manage/store all my passwords. Those services store passwords locally, right? Like, if 1Password and iCloud were to both go down simultaneously, I'd still have all my passwords on my devices? 1Password stores files locally and, if you choose, will include an encrypted backup on some service. They support iCloud and Dropbox because they are "large, well-known, and carefully scrutinized by the many people that rely on them to keep their data safe", but also supports offline syncing between smart devices and PCs. Basically, their take is, "we feel these two cloud drives are secure, but even if they're compromised and someone gets your file, it's still strongly encrypted." This helps in the event that you and two million of your best friends find their Dropbox accounts hacked, that all your passwords aren't toast. I consider this to be acceptable for "everyone but the NSA" level security, and if you need "everyone including the NSA" security you're pretty much hosed anyways.
|
|
#
?
Dec 29, 2016 13:40
|
|
|
Forgall posted:That only means you have been lucky so far. How do you figure? To compromise my passwords, you'd need two pieces of information in two different locations, and the attack would have to be a personal attack, not a widescale attack. That's not lucky, that's just a basic understanding of the nature of auth attacks: They are done en masse and without discrimination.
|
|
#
?
Dec 29, 2016 14:49
|
|
|
redeyes posted:Well, this is to be able to log into other computers mostly. But what is this Chrome password safe which is protected by Windows DPAPI? Can you give me a little more explanation? Google smart lock remembers passwords I type into Chrome but I don't know how that is any different from other password-remembering utils? DPAPI is basically Windows' integrated password safe. It's difficult to steal from even if you are running malware on the PC because the OS requires the user password to do an export, and newer Windows versions protect these login boxes from software based password stealers and keyloggers. If you use a PIN to log in daily, you are even reasonably protected against rootkit and hardware based password stealers.
|
|
#
?
Dec 29, 2016 15:09
|
|
|
|
| # ? Apr 23, 2024 11:23 |
|
|
peak debt posted:That thingy won't replace passwords, it'll replace mobile phones for two-factor-authentication. It's also very much in a state of "maybe we'll use it in the future someday if Google doesn't become bored with it soon". Google isn't going to get bored with it, it's deployed throughout all of Google's corporate network. Things that Googlers rely on internally are basically never going to be deprecated, which is why Reader is gone, and Groups is still around.
|
|
#
?
Jan 3, 2017 09:13
|
|