Password managers

Why are they safe and why don't you start using them?


Shut up you fucking nigger

kys fag

I'd cyberbully a kid. Hell, I'd cyberbully a kid right now. Little fuckers don't get bullied enough.

you know what's a good password manager? A small book lying beside your computer. It's operated with a pen. That's only for the important passwords. For throwaway passwords of some random forum, a password manager is fine.

TupleHash((masterpassword, "facebook.com", "Goodest Goy"), 128, "") This is the best password manager. Prove me wrong.
TupleHash specification: csrc.nist.gov/publications/detail/sp/800-185/final

wtf? I didn't even reddit space

Is keepassxc safe?
Any better alternatives?

C++ 96.1% CMake 1.6% C 1.2% Shell 0.6% Objective-C++ 0.2% Dockerfile 0.1% Other 0.2%

Password managers are for fags like you.

(((33)))

OP is a Freemason

What do unfriendly Jews like you use for the n-billion needed logins in todays life then?

pass (bash+gpg) with a smartcard like yubikey


I don't see why everyone doesn't just use a script something like this:
echo "[website][master password]" | sha256sum | cut -c-12

i do:

Get on the next level:
printf '%s%s' "$WEBSITE" "`printf '%s' "$MASTER" | sha512sum`" | sha512sum | cut -d\  -f1 | xclip -l 1 -selection c

The best password manager is your brain.


That's all nice and cool my dudes but what if for some reason you need to log in using a machine without a command line able to do all these funk and dunk hashing maymays?

Well, install it, obviously. :^)

I used to actually remember a password like that

Use your phone

use Keepass2 or KeepassXC
both run on linux, but KeepassXC runs better because it doesn't use mono.


How are you going to run that script if you don't have access to your machine, huh?

Because that's a single level above "reusing the same password everywhere", if an attacker sees that command they know all of your passwords.

###### Option 1: Password store
Linux (and Windows): passwordstore.org/
Firefox: addons.mozilla.org/en-US/firefox/addon/passff/
Chromium: chrome.google.com/webstore/detail/chrome-pass-zx2c4/
Android: f-droid.org/en/packages/com.zeapo.pwdstore/
###### Option 2: Keepass
Linux (and Windows): keepass.info/
Firefox: addons.mozilla.org/en-US/firefox/addon/keefox/
chromium: chrome.google.com/webstore/detail/chromeipass/
Android: f-droid.org/en/packages/com.android.keepass/

just put them in a txt file and attach them to a post in this thread, I'll watch after your passwords, I promise

And logged in ~/.bash_history or equivalent.

The typical UNIX weenie response is for the user to always remember to precede the command with a space, so that it doesn't get logged.

Use pass

What about a script like this one?
#!/bin/bash
read -p "Enter website: " website
read -p "Enter master password: " password
echo "[$website][$password]" | sha256sum | cut -c-18
Is it safe?

Seems ok as long as those variables don't get written to disk and don't know any reason they should. I unironically use a password manager myself.

space doesn't prevent it getting put in bash_history on my machine. Is this a new feature?
Also, what is the LISP weenie's response? Never keep history of anything?

maybe give read -s for the password.

Not really. All the attacker will need is your password and this "recipe". Not much safer from having a database of passwords, like with KeePassX.
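The objection above (the attacker only needs your master password plus the "recipe", and a plaintext leak from one site gives them the rest) is easy to show end to end. The script below is an added example, not code from the thread; it reuses the exact recipe posted earlier in the thread, a constructed six-word wordlist standing in for a real one, and made-up site names forum.example and bank.example:

```bash
#!/usr/bin/env bash
# Added example, not from the thread: one leaked site password plus a public
# "recipe" is enough to recover the master password and, with it, every other
# derived password. The recipe is the one posted above:
#   echo "[website][master password]" | sha256sum | cut -c-12
set -u

# The posted recipe as a function: derive SITE MASTER -> 12 hex chars.
derive() {
    echo "[$1][$2]" | sha256sum | cut -c-12
}

# Constructed stand-in for a real wordlist. A memorable master password is
# usually in a list like rockyou.txt, or one mangling rule away from it.
CANDIDATES="letmein dragon hunter2 correcthorse qwerty123 summer2019"

# Attacker side. Inputs: the breached site's name and the plaintext password it
# leaked for you. Nothing secret is required, the recipe itself is known, and
# each guess costs one SHA-256, so real hardware tries billions per second.
# Prints the recovered master password and returns 0, or returns 1 if the
# master is not in the wordlist.
recover_master() {   # recover_master SITE LEAKED_PASSWORD
    local site=$1 leaked=$2 c
    for c in $CANDIDATES; do
        if [ "$(derive "$site" "$c")" = "$leaked" ]; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# End to end: a plaintext leak at forum.example turns into the bank password.
demo() {
    local master=hunter2 leaked found
    leaked=$(derive forum.example "$master")          # what the breach exposes
    found=$(recover_master forum.example "$leaked") || {
        echo 'master not in wordlist' >&2
        return 1
    }
    derive bank.example "$found"                      # attacker logs in here
}

demo
```

Swapping sha256sum for a slow KDF only multiplies the attacker's per-guess cost by the work factor; it does not add entropy to the master password, which is the quantity that actually decides whether this search finishes. A random per-site password from a manager has no such relationship between sites, so one leak stays one leak.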

How would the attacker get the password though????

Kek, so let me tell you a little family story. My family are all pretty good with computers for normie tier folks. However, recently my sister (who lives with my mom) has gotten her shit hacked, and it spread to my mom, and then their Orbee or whatever the fuck got hacked too. So I had them go down to the Apple store (hate them myself but they are the best thing for normies) and get their shit reset. That worked great but even though I told them both to write down their passwords they didn't, and instead used their old password manager accounts and simply updated them with the new passwords. Whoops! They both got hacked again.

So now I'm stuck with these irate women who because of family duty I have decided to help even though it's EXCRUCIATING and trying to convince them that the old way of sticking a post-it note to the computer is actually more secure if that's how it has to be.

GWAAHHHHhhh it's crazy. I still think their phones or computers are rooted and shit but I'm like 3000 miles away so there's nothing I can do physically and they're not quite hip enough to get port forwarding going so I can't do VNC and SSH yet. Some fucking Pajeet or Chaim is going to feel red hot lead in his skull because of this, another couple weeks of these phone calls and I'm calling Blackwater or whatever it's called now and sending a hit team.

Nah. He is going to feel all the nudes of your sister though. Btw post pics of her feet.

You cannot be cyberbullied if you have no cyber accounts. This way, you can only be bullied by face.

...

Kek

Better suggestions?

Thanks! This is more portable. You can always recreate it from memory.

Good idea!
-s Silent mode. If input is coming from a terminal, characters are not echoed.

This is more portable, no need for KeepassX on usb, just type it up if you're using a new system. Right?

U R A Russian.

What happens if the website changes its domain name?
If you write down the specific names you've decided to use, that's just as bad as writing down your passwords.
If you memorize them, why not simply append the master password? You don't need a shell to do that, and it's just as safe.

How do you find the new domain name? Hmmmmmmmmm...
wrong
Are you retarded? If you want to login to goybook you run the script and get your password. You only have to memorise your masterpassword.
Most websites don't hash the passwords though. So when the password db gets leaked the attacker need only look at your password and can login to all your other accounts.

Think before replying.
If I create the password when the website is named memesite.com, but then the domain changes to meme.site.net or whatever, how do I remember what website name I used to first create the password? Was it "memesite.com", "memesite", an even older domain, "meme site" or "Meme site"?
Writing them down reveals which sites I have logins for, suggests that I am using site names to create passwords, and if an attacker can see the list they probably can see the password script too.
If you don't write down the site names, you need to memorize them so as to use the right one in case of domain change and such.
Most websites absolutely hash passwords, even the shitty ones, it's still unsafe to append but so is building all your passwords from a master password.

Just use passphrases with uncommon words, if possible, of different languages. It's easier to remember and it's harder than any shit an algorithm can come up with.

How often does that happen? Just change the password then.
Then don't write it down.
Which is not a problem at all because you keep your master password secret.
Then don't use domain names. If you have a website named Meme Site just use the name of the website to derive your password.
lol
lol. read this en.wikipedia.org/wiki/Cryptographic_hash_function and this en.wikipedia.org/wiki/Key_derivation_function
Protip: KDFs are everywhere. Are you saying that they are insecure?

At that point, why not use a password manager instead?
Strictly better as you wouldn't have to change the password then.
Why not a password manager then?
If you trust the master password will remain secure, a password manager is just as protected on that front and doesn't leak the sites you have a password for.
Even the laziest, shittiest, shadiest sites I've seen did it.
Fucking furaffinity does it, and that's basically "How not to make a site: the example"
You didn't think before replying: hashing on your terminal is one more place the attacker can look at, and it's much more accessible than the average password db.
Appending is equally stupid, because it's only worse if your password gets leaked by the site you're using it on and it's better if you have an attacker looking at your machine.

But a password manager is basically just a key value database where the value is a randomly generated password and the key...
Hmmm what is the key? Maybe the domain? You have the same problem with a password manager too.
Because you have to keep the password db up to date on all devices. Also what happens should you lose the db? Deriving your passwords is strictly better.
Like adobe? Or those? duckduckgo.com/?q=plaintext password leak&t=ffab&ia=web
When you're using a password manager you have to enter the master password somewhere too. Also the passwords could be extracted from memory.

vast majority of websites never change their names. Those that do either do it very early, before many people joined (eg thefacebook), or they change it as a desperate attempt before dying (eg gittip).

A password manager is harder to hack than plain, readable code.
It's certainly possible, but it takes significantly more access than simply looking at terminal logs.

Well, gee, might as well just keep all your passwords in a encrypted ZIP file, am I right?


hit or miss, I guess they never miss, huh?

If your system is compromised in any way by an attacker that targets you, it's game over anyways, none of that matters anymore. Might as well keep your passwords in a file called passwords.txt in that case. I wouldn't even be surprised if some automated exploit scripts actively target the more common password managers. (and their databases)

You go right ahead, buddy. I'll keep my passwords encrypted.

I have diceware and password cards; I don't need them.


...

So what you are saying is that having access to the source code is a security risk?

THIS
passwords.txt file is actually safer than password manager, because automated exploits will check your PC for any installed or running password managers and steal passwords from them. to get passwords.txt exploit would need to search for all files on your PC (which would be suspicious as you could see a lot of HDD activity)
and if you name your passwords file in a different way, like cocks.txt, niggers.txt etc, it would be very hard for automatic malware to steal your passwords file

How can you even claim to know what a malware is going to do, unless you wrote it? Anyway there's no guarantee an encrypted file is going to be named something obvious or be in a default location. You can just as well uuencode the encrypted password file and make it text if you really want to, or append it to an image file or something. But doing away with the encryption means anyone who opens that file has all your fucking passwords, so that's fucking stupid, and only a cianigger would advocate this.

If you run internet-facing applications as your privileged main user account you are dumb anyways. Optimally the account who runs your browser for example shouldn't even be able to access your passwords.txt or passwords.gpg or whatever. Those files/database/whatever should be completely out of its scope. Now the attacker doesn't need only an exploit for your browser, but also a privilege escalation exploit, which are harder to come by.

On top of that, mandatory access control that won't even allow the potentially compromised process to do anything interesting if it's compromised. Now the attacker doesn't only need an exploit for your browser, but also a privilege escalation exploit AND an exploit in your linux kernel. This is completely out of scope for most drive-by malware.

Even better would be to run the apps that run code off the web (as any browser technically does) on a physically different machine. Now you don't have to worry about your main working station or VM/sandbox breakout exploits anymore at all. The extra step would be to isolate that machine from your home network physically.

As you can see, the more layers you introduce, the more complicated it gets, the first ones are reasonable. There's no such thing as 100% security for any use case anyways. Always think about your attack vectors and what's reasonable as defense. It's all you can do. I would never say that password managers are automatically safer for what it is to do. They might, or they might do absolutely nothing in regards to additional security. The user who said to just write them down on paper is actually right, as paper is 100% unhackable and also very easy to keep safe. You also won't run into technical difficulties that plague digital solutions by design. Such a password store is also very easy to destroy quickly effectively if you have to. If you really actually have CIA spooks after you and have to worry about them breaking in and stealing your password-book, you have bigger problems. You're not some kind of James Bond-esque suave character. They'll just punch you in the mouth until you tell them everything they want you to.

But as most people here are larping anyways and running Win10 I don't even know why I took my time writing all that. Carry on.

based

imagine what your sister was doing to pick up a computer STD this bad. do you think she has watched porn? just imagine haha

Hash your hash for N times, where N = characters in $website:
#!/bin/bash
# silent reads so neither the site name nor the master password echo to the terminal
read -sp "Enter website: " website
read -sp "Enter master password: " password
# first hash of "[website][password]"
FOO=$(echo "[$website][$password]" | sha512sum)
# number of rounds = character count of the website (wc counts the trailing newline too)
LOOPS=$( echo "$website" | wc -c )
LOOPCOUNT=1
# re-hash the previous digest until LOOPCOUNT reaches LOOPS
while [ "$LOOPCOUNT" -lt "$LOOPS" ]
do
  BAR=$( echo "$FOO" | sha512sum )
  FOO=$BAR
  (( LOOPCOUNT++ ))
done
echo "$FOO" | cut -c-18
#cleanup (yes the variables may be internal to the script, but no harm done by doing this)
website=""
password=""
FOO=""
BAR=""
#Things to consider:
#Compressing it into a one liner/ function/ alias / something else
#The use of "wc -c" for counting the characters is preferred over ${#website} because wc isn't platform dependent, which could mess you up if using ${#website} and you get a different value for website.

Your password system loses some security the moment you tell others what you use, so shhhhh don't tell anyone ;^) ...and no, I don't use the script above.

why?

It's nice to see my humble bash script being improved upon.

I assume so that attackers don't know the algorithm that turns your master password into a website password. Pretty stupid way to go about doing it; better would be to use a secret salt of some sort:
#!/bin/bash
SALT='4cb0b66288a0b6f7f68c87ff6ed8c0f4'
read -p "enter website: " website
read -sp "enter master password: " password
echo
# the input fed to sha512sum was lost from the posted text; a here-string of
# salt, website and master password is the reading that matches the description above
sha512sum <<< "$SALT$website$password"

But the master password is already secret.

The master password only contains as much entropy as you can memorize. ~32 bits wouldn't be uncommon. An attacker could bruteforce this password fairly quickly. By attaching a high entropy salt, you make this infeasible.

You're retarded. Why don't you leave out the password if it has a negligible amount of entropy and instead just use your "secret salt"?
Oh right. This means your password is now saved on disk and your algorithm is public. At this point it's better to just use a password.txt file.
Protip: Think up a random sentence. Congratulations! You now have a high entropy password.

here's a better protip: write down half of the password, memorize the other half. Now you have something that is useless to someone who finds it lying around, and also next to impossible to bruteforce.
your algorithm has a certain amount of entropy as well nigger, and probably only a couple bits at that. Now you have something even harder to memorize and type in for no reason.
protect you from rainbow tables. Same difference though.

i have no words

...

you can easily memorize password that is impossible to bruteforce, unless you are a nigger. just select 6-7 random words from english dictionary.


what are you posting, CIA nigger?
he clearly said "random SENTENCE", why are you manipulating that he said SEQUENCE?

if there is 5000 commonly used english words, if you select 6 random words, that gives us 5000*5000*5000*5000*5000*5000 = 15625000000000000000000 combinations.
it's very easy to remember 6 words. you can even use more words than 6. it is impossible to brute force by CIA or even by aliens.
if you cannot remember 6 words then your nigger brain is too damaged by drugs.

fuck you CIA with your shit advice
it is hard to memorize 10-15 good passwords. instead, you should memorize 1-3 great master passwords, use them for your HDD encryption, password manager (or passwords.txt file), etc

example of strong password:
Dark nigger entered a room with yellow jews and gassed them they turned into special magical soap

even stronger password:
january obscure fag using and they cup technology of medical nerve mode options kids

the second one uses less words but they are randomly chosen. the first is also strong but it's easier to remember as it's sentence-like

you can even use less words, just 6-7 and it's already strong password. but the more words the stronger it is

Just use the script itself as salt. Changes to it will make it generate wrong results. Trying to copy it without copying it exactly (down to every space) will make it produce wrong results. There you go.

This guy is correct. Running network-based applications as a separate user is actually the simplest, most straightforward way to sandbox applications. If you use sudo, you don't even have to log out.

Even if someone gains access to your system, an encrypted database is still safer than a plain text file, as it has to be decrypted in some way. I don't see a reason to do away with encryption altogether, you gain nothing by doing this.

For comfort, you can also set up folders with appropriate owner and group permissions, for example let the browser-user and other sub-users read configuration files from a shared themes folder etc. the configuration files in their home directory are symlinked to but only let your main account write to those files. It's not even complicated, you can set that all up once and then write a script you start the programs via sudo with and then pretty much forget about it. This is also all stuff that has been in the *nixes since forever and is very simple. They were designed as and are multi-user operating systems. Use that feature.

My browser runs under its own user but visually there's zero indication it does. The only problem is X which cannot isolate stuff fully. For example, your browser process could read all IDs and window titles of other processes running on the X-Server and also the keyboard and mouse events when you type something into a different window, for example a password. Everything is shared there, and by default every process is trusted.

You could use programs like Xephyr then to sandbox, or run the browser in its own X-Server in a virtual framebuffer you VNC to. Granted it gets kinda complicated here and I don't bother with all that. X does have isolation in its SECURITY extension with which it can make a difference between "trusted" and "untrusted" programs (which then don't get to read those resources) but most programs (mainly web browsers, -surprise surprise=running chrome untrusted makes it crash-) don't play nice with it since these features weren't taken into account.

Then in Linux there's also namespaces where you can isolate processes into their own virtual view of the system, for example don't let a running process see any other process on the system or put it into its own network namespace that can't see the network connection to avoid it calling home. Or combine network namespaces with tor or openvpn so processes in the "tor" or "vpn" namespaces literally can't accidentally connect via your direct network connection because they cannot even see them. These are all simple features the kernel brings with it and only need a few lines of scripting to use. This actually helps securing your system. Encrypting a password into some database while all that other stuff isn't taken care of doesn't.
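The separate-user setup described in the two posts above (browser under its own account, password store out of that account's reach, optionally a network namespace it cannot escape) is a few lines of shell. The launcher below is an added example, not code from the thread; the account name browser, the NO_NET switch and the ~/.password-store path are assumptions, it expects Linux with sudo and util-linux unshare, and getting the second user X authorization (xhost/xauth) is left out:

```bash
#!/usr/bin/env bash
# Added example, not from the thread: run a network-facing program as a separate
# unprivileged user, optionally inside a fresh network namespace, and refuse to
# start if the password store is readable by other local users.
# Assumptions: Linux, sudo, util-linux unshare; user "browser" and the
# ~/.password-store path are illustrative.
set -u

BROWSER_USER=${BROWSER_USER:-browser}

# Return 0 if PATH grants no permission bits to group or other, i.e. only its
# owner (your main account) can read it. A store that fails this check is
# readable by the browser user, which defeats the separation.
check_private() {   # check_private PATH
    local mode
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10) || return 1
    [ -n "$mode" ] || return 1
    case "${mode:4}" in      # chars 5-10 of "drwx------" are group/other bits
        *[rwx]*) return 1 ;;
    esac
    return 0
}

# Print the command line used to start PROGRAM as BROWSER_USER. With NO_NET=1
# the program also gets its own empty network namespace (unshare -Un: an
# unprivileged user namespace plus a net namespace with only a down loopback),
# so it cannot reach the network at all, the "cannot call home" case.
# DISPLAY is passed through so windows still appear on your screen; X itself
# offers no isolation between clients, as noted above.
browser_cmd() {      # browser_cmd NO_NET PROGRAM [ARGS...]
    local no_net=$1; shift
    local cmd="sudo -u $BROWSER_USER -H env DISPLAY=${DISPLAY:-:0}"
    if [ "$no_net" = 1 ]; then
        cmd="$cmd unshare -Un --"
    fi
    printf '%s %s\n' "$cmd" "$*"
}

# launch PROGRAM [ARGS...]: run the program under the browser account, after
# checking that the password store is not exposed to it.
launch() {
    local store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    if [ -e "$store" ] && ! check_private "$store"; then
        echo "refusing: $store is readable by other users (chmod 700 it)" >&2
        return 1
    fi
    local -a pre=(sudo -u "$BROWSER_USER" -H env "DISPLAY=${DISPLAY:-:0}")
    if [ "${NO_NET:-0}" = 1 ]; then
        pre+=(unshare -Un --)
    fi
    "${pre[@]}" "$@"
}
```

Usage is `launch firefox` from your main account (sudo will prompt unless a NOPASSWD rule exists for the browser user), or `NO_NET=1 launch some-tool` for a process that has no business on the network. The check only covers classic mode bits; if the store carries an ACL (ls shows a trailing +), inspect it with getfacl as well.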

tl;dr fagg0t

If you want your Linux to be secure, you have to get rid of all the suid bits, Joey.


Here's what I use to generate my passwords:

openssl rand -base64 32 (you can replace 32 with a bigger or smaller number)

Then I input my passwords into my HP 200LX which travels with me everywhere.

Nope. It means getting rid of everything written in an unsafe language.

Use a password manager on an airgapped phone/laptop/tablet
/thread

The brain it is then.

Shillbots don't have brains

I think you can achieve close to 100% security by storing your keys on an airgapped, networking-disabled machine. Paper is vulnerable to burglars and guests who might enter your home. This might matter if you use it to store important banking shit or cryptocurrency seeds.

Store your keys in your brain, and then blow your brains out with a shotgun.
Nobody will ever get your passwords, problem solved.

except for the fact that your passwords are probably really shit

"Everything" means the Linux kernel, C libraries, compilers, and most software packages. Frankly at that point you might as well just write an entirely new OS with its own dev tools, web browsers, etc. all from scratch. And don't do it on x86 full botnet hardware.

Better, salt it with the script contents and the script's full path concatenated somewhere. That way a perfect copy of the file would also have to be placed in the same directory structure to get the same salt.

That's exactly what I meant.

You're embarrassing yourselves,

Here's a reality check for you.

Password managers are only as secure as your system is, the only benefit that they bring is that you can store the database offsite if you want to, since it's encrypted.
If you use a password manager but don't have database backups in some form of open storage (unencrypted drive, cloud) then you're just indulging in security theater and might as well keep them in a plain text file to save yourself the time to open a database.


nah the password manager will totally make it safe, it uses encryption and shit, like in the movies, no need to think about threat models and security concepts. That shit is for nerds.

I swear to god every time the word "encryption" drops, everyone's IQ just drops by ten points. Encryption by itself is not the end-all and by itself is absolutely meaningless. Not even only just for storing passwords.

This thread has really brought out all the hardnosed tech retards. Look knuckleheads, if encrypting passwords was so stupid, why do you use the /etc/shadow or /etc/master.passwd files for just this? Why do you use ssh passwords and/or keys that end up being stored on one or several computers with network access? (yes even the private key gets stored on your disk, or the shit wouldn't work).

Why do you even try to be sneaky then?

Yeah dude, let's just do away with encryption altogether! Why not tell every single company in the world to store passwords in plaintext too, right? After all, if they get """hacked""", they are fucked anyway amirite?

...

doesnt most ((groups)) that are a problem already have cia backdoor programs anyway?

if youre so smart why do you need a computer? just do it all in your head

I do
passwordstore.org/

dropped

How bad is seahorse?