No Crappy Passwords — Secure passwords, no password book

Topic

New Reply

FREEWARE SPOTLIGHT By Deanna McElveen You have a password book. You know the one. That ruffled little book with the cover falling off and marked-out p
[See the full post at: No Crappy Passwords — Secure passwords, no password book]

5 users thanked author for this post.

Perq, lmacri, Norio, abbodi86, db98445

Reply | Quote

Replies

I think this is a reasonable alternative to password vaults, which I use regularly.  I like that I don’t have to carry my password file around with me.  However, just like my vault’s master password, doesn’t this mean that if my offset gets into the wrong hands, it could be used to create the same password that I used to secure my accounts, and then they can login as me?

 

Reply | Quote

I think that the offset is rather unnecessary, and if you come up with  a simple system that you can easily memorize, there’s never a need to record anything, ergo, it can never fall into the wrong hands.

Reply | Quote

‍Lose your Password Book ?
Simple, embark on a protracted journey, navigating ‘Forgotten Username’ & ‘Lost Password’ portals. It’ll refocus your mindset in the direction of contemporary techniques, for shipping passwords. ‍

Reply | Quote

How does this work when the site requires you to change your password after some amount of time? Don’t you need to use a new offset and remember that?

Reply | Quote

When you have to change the password for an existing account, you would need to come up with a new nickname for the account. For example “capitalone” might morph into “capitaloneb”

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

Reply | Quote

It is good that this software does not involve a browser extension. But …

• Recommending password software that only runs on Windows seems a bit off the mark these days.
• The term “offset” is not user friendly for non techies
• It is not able to limit the special characters that it creates. There are many places where certain special characters are not allowed.
• Trusting software with all your passwords. Are you kidding me?
• RTFM:” Version 10 will give different results for the same input due to a couple of changes under the hood if you have used a previous version.”

The software  is somewhat similar to the formulas I wrote about here.
https://michaelhorowitz.com/BestPasswordAdvice.php
I think the formula system I wrote about is better, but reasonable people can disagree.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

4 users thanked author for this post.

opti1, AlexEiffel, wdburt1, db98445

Reply | Quote

Really good suggestions. Linux and Windows binaries are included, but the source is also available and will run on anything with a TCL interpreter. “Offset” is explained in the readme, but I don’t think it’s really necessary anyway. The special characters .. I think an option to use only Base64 or (gasp) HexDec would be a good idea.

Reply | Quote

I have used a simple, small encrypted file program, Secret! by LinkeSoft for well over 25 years.  This is a “shareware” program with an extremely reasonable one time price. This program creates an encrypted file on your computer and/or your phone (2 separate programs that sync).  You remember ONE password for the file and can save all your passwords.  Since the desktop and phone versions can be manually sync’d I am never without my passwords.  I back this up to both a USB drive and iDrive cloud backup and it is super simple to restore or move to a new computer.

I just checked the website and notice they are only showing the Windows and Android versions although I have had the iOS version on my phone ever since I started wearing hearing aids that only connect to iOS – – maybe 10 years.  I have contacted them to ask about this.

https://linkesoft.com/secret/

I assume from your article, that NoCrappyPasswords does not work/sync to iPhone, so I would have to have a different solution when using my phone??

Reply | Quote

Some people want no part of password synching. For some, privacy is the issue, for others the objection is that complicated things break more often than simple things. There is no one right answer.

Are you backing up just the encrypted password file or the software too? You need both.

And, can you export your passwords? If not, you are putting all your trust in the software. As an old techie, I learned long ago that was sub-optimal.

Not to be overly critical, your approach is better than most

 

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

2 users thanked author for this post.

opti1, wdburt1

Reply | Quote

I made a small sqlite front end once, still use it, that stores logins, passwords, and notes, it works pretty well, actually, the db is encrypted / decrypted using a simple call to openssl without any additional hashing or anything, so in the worst case, I can just read the thing using a sqlite browser. It gets backed up to a couple of cloud services. I’m like you, I don’t like these things attached to other utils.

Reply | Quote

I have a password protected Excel spreadsheet for usernames and passwords, and it’s not named “Passwords”.  I can easily randomize a password in the cell, then save it.  I’ve never seen a need for an extra piece of software just for usernames and passwords.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

2 users thanked author for this post.

opti1, wavy

Reply | Quote

AM i missing something>  As described, it’s super easy to create a good password.  But the account doesn’t explain how the password is easily inserted at the desired site (bank, e.g.).  I’m inferring the user is expected to invoke the short program, retrieve the password, copy it, then paste it into the site.  That doesn’t sound reasonable.

If that’s correct, a free password mgr such as LastPass could generate an effective and unique pwd and much more quickly enter it into the site’s pwd field.

(FYI: There are many times when pwd’s are not remembered by the site though the user has made the choice to do so)

Help me understand this?  thnks

2 users thanked author for this post.

tom m, wavy

Reply | Quote

I  believe the point of the thing is to make it so that you don’t ever have to file anything, eliminating the possibility of the password manager being compromised.

Reply | Quote

db98445 wrote:

I  believe the point of the thing is to make it so that you don’t ever have to file anything, eliminating the possibility of the password manager being compromised.

That is what passkeys (FIDO) brings.

https://www.askwoody.com/forums/topic/paypal-goes-passkeys/

Reply | Quote

Alex5723 wrote:

That is what passkeys (FIDO) brings.

The problem, at least for me, is how few sites (relatively speaking) support FIDO, like almost none of the ones that I most would want to support it do so. This comes up every time I see the Yubikeys go on sale somewhere and I go to https://2fa.directory/us/ to review their list.

If anyone knows of a better, more thorough, and\or more up to date list of sites that support FIDO\2FA I would love to hear about it.

Reply | Quote

I did check and was told there was not enough interest in the iOS version to continue to support it.  It is saved in my iPhone Apps and will continue to work until there is a change in iOS that prevents it from working.  I will pray that Auracast will be available in all hearing aids and phones by then and I will transition back to Android!!!

Reply | Quote

A question for Deanna: I like the no crappy password, except that I my mobiles are Apple devices. How can I port the passwords to these devices, except for I coppying them manually and saved them to iCloud?

Reply | Quote