PSA: Keep Your Account Safe

When creating a password, it’s a good strategy to actually make it a sentence instead of a word with some numbers. If possible you could also do it in a different language.

1 Like

Has it? Thought it was secure. :thinking:

I don’t think any password manager is perfectly secure. Aren’t browser-extension-based ones susceptible to browser security bugs? How about ones that have a website – install a malicious extension and now you’ve got a problem.

When I looked up KeePass vulnerabilities, I was not able to find anything that gave someone access to the password database from the database file without the master password. The attacks I can find:

  • Require the database to be unlocked with the master password on a compromised computer
  • (or) Require the user to use a database file modified by an attacker (loss of data and data corruption attacks)
  • (or) Require the user to run a “new” version of KeePass without checking if it’s authentic

If you do any of those things with any password manager, then you’re going to have a problem.

The database file one is not possible when using web-based password managers. If you have important data on your computer (i.e. KeePass database), you should be keeping it backed up so that any data loss (from hardware failure or due to an attacker) is not an issue. If an attacker is modifying your KeePass database, they can probably also keylog your master password for any password manager anyway.

Maybe I’m wrong about what I said there. Maybe there are vulnerabilities that can be used from just a database file and without a compromised computer or data access. If so, I’d love to see what those vulnerabilities are.


Concerning password managers, I personally use KeePass, but recommend LastPass since it’s much easier to use. I don’t mind having to unlock my database before entering passwords or set up my own database syncing. The mild inconvenience is the price I pay for security. I don’t have to put in passwords enough for it to slow me down more than the security is worth.

3 Likes

Relevant XKCD

8 Likes

When creating important passwords, I generally make them 40-50 characters long (if allowed).

I start off by choosing a random OPCODE from assembly, followed by its hexadecimal equivalent. After that, I have a standard phrase that I use in the center of every password (in different variants). Then, I convert the phrase into a binary string.

The end result is literal gibberish.

EXAMPLE (Phrase in the middle is NOT the phrase I use):
JNL7D_PKGIE_01010100011001010111001101110100

If needed, I convert the binary string into a hash.

1 Like

Safer to not have all the 0s and 1s.

1 Like

Could you explain why / link me to an article explaining why?

(If this is the case, I’ll convert the binary part to a hash)

While your password is strong, there are more variations of letters than numbers.

JNL7D_PKGIE_abcdefghijklmnopqrstuvwxyzzywrsf

would be stronger than JNL7D_PKGIE_01010100011001010111001101110100

1 Like

Let’s say that all of your passwords look like JNL7D_PKGIE_01010100011001010111001101110100

This means you have:

  • 5 [upper-case letters + digits]
  • underscore
  • 5 [upper-case letters + digits]
  • underscore
  • 32 [1 and 0]

If someone were to brute-force this, it would be pretty easy in comparison to others:

  • (26 + 10)^5 + (26 + 10)^5 + 2^32 =
  • 4 415 899 648 possible passwords.

For comparison, here’s a 12 character password of various random characters:

  • 12 [upper-case + lower-case + digits + symbols + space + underscore] =
  • (26 + 26 + 10 + 31 + 1 + 1)^12 =
  • around 540 360 087 662 640 000 000 000 possible passwords.

While brute-forcing would still take a long time for yours on an average computer, if it was a Windows password then this machine could crack it in under a second, if they knew that basic format. And the time it takes is nothing in comparison to how long that 12-character password would take.


And they’ll probably know that basic format because if you use the format everywhere, there’s probably two unique, but very-similarly-formatted passwords in password leaks from you.

Also because you just posted it on a forum page accessible to the public. :man_shrugging:


But even worse, since it sounds like you go through a process with only the following inputs:

  • An opcode
  • A phrase that can be found out by looking at password leaks

Then you follow a format. So you have only one unique input. Let’s assume that there are 1000 opcodes. That’s 1000^1 = 1000 combinations if they follow your format and brute-force the inputs instead of the characters.

That’s… pretty bad. Adding a hash function doesn’t make it much better, especially if they look at leaked passwords to find out what hash function you use.


At least no one is probably going to be trying to get into your accounts that way unless you get very well known and have a lot to steal from. Your format is better than re-using the same password everywhere, but it’s not perfect. If you’re saving these or writing them down somewhere, you might as well use a password manager anyway and generate much stronger passwords.

9 Likes
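To make the arithmetic in the analysis above (and the earlier "make it a sentence" advice) concrete, here is an added Python example; it is not code from any poster in this thread. It counts the character-level search space of a fixed template as the product of its segments, compares the binary tail with a letters tail and with 12 random printable characters, then shows the far smaller space an attacker faces once the recipe is known (the post's assumption of 1000 opcodes and a phrase recoverable from leaks), that hashing the result does not grow that space, and how much entropy a randomly chosen multi-word passphrase carries. The guessing rate of 1e10 guesses per second and the short word list are constructed assumptions for the demo only.

```python
import hashlib
import math
import secrets

# Alphabet sizes matching the thread's arithmetic
UPPER_DIGITS = 26 + 10                    # A-Z and 0-9
PRINTABLE = 26 + 26 + 10 + 31 + 1 + 1     # the post's 95-character set
LOWER = 26
BINARY = 2


def keyspace(segments):
    """Distinct passwords a fixed template can produce.

    segments: list of (alphabet_size, length). Independent positions
    multiply, so a 5-char A-Z0-9 segment contributes 36**5, and a fixed
    literal such as '_' is a segment with alphabet size 1.
    """
    total = 1
    for alphabet_size, length in segments:
        total *= alphabet_size ** length
    return total


def entropy_bits(n_candidates):
    """Equivalent entropy, in bits, of a search space of n_candidates."""
    return math.log2(n_candidates)


def worst_case_seconds(n_candidates, guesses_per_second):
    """Time to exhaust the whole space at an assumed guessing rate."""
    return n_candidates / guesses_per_second


# The poster's template: 5 [A-Z0-9], '_', 5 [A-Z0-9], '_', 32 [01]
FORUM_TEMPLATE = [(UPPER_DIGITS, 5), (1, 1), (UPPER_DIGITS, 5), (1, 1), (BINARY, 32)]
# Same template with the trailing 32 characters as lower-case letters instead of bits
LETTERS_TEMPLATE = [(UPPER_DIGITS, 5), (1, 1), (UPPER_DIGITS, 5), (1, 1), (LOWER, 32)]
# 12 characters drawn uniformly from the 95-character set
RANDOM_12 = [(PRINTABLE, 12)]


def template_level_candidates(n_opcodes, n_phrase_variants=1):
    """Candidates for an attacker who knows the recipe.

    If the phrase is known from leaks and the binary encoding is mechanical,
    the only secret input is which opcode was chosen (times any phrase variants).
    """
    return n_opcodes * n_phrase_variants


def hashed_candidate_count(candidates):
    """Hashing each candidate does not enlarge the set an attacker must try;
    it only changes what each guess looks like."""
    digests = {hashlib.sha256(c.encode()).hexdigest() for c in candidates}
    return len(digests)


def passphrase_bits(wordlist_size, n_words):
    """Entropy of n words chosen uniformly and independently from a list."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, n_words):
    """Random passphrase from the OS CSPRNG (secrets), one independent draw per word."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed mini word list for the demo; a real list has thousands of words
DEMO_WORDS = ["anchor", "basil", "cobalt", "drizzle", "ember", "fjord",
              "glacier", "harbor", "iris", "juniper", "kelp", "lantern",
              "meadow", "nectar", "orchid", "pebble"]

if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate, guesses per second
    year = 3.154e7
    for name, tpl in [("forum template", FORUM_TEMPLATE),
                      ("letters instead of bits", LETTERS_TEMPLATE),
                      ("12 random printable", RANDOM_12)]:
        n = keyspace(tpl)
        print(f"{name:26s} {entropy_bits(n):6.1f} bits, "
              f"{worst_case_seconds(n, rate) / year:.3g} years worst case")
    n = template_level_candidates(1000)
    print(f"recipe known, 1000 opcodes: {entropy_bits(n):.1f} bits, "
          f"{worst_case_seconds(n, rate):.1e} s worst case")
    # Constructed candidates in the poster's shape, one per hypothetical opcode
    cands = [f"OP{i}_Test_{i:032b}" for i in range(1000)]
    print("distinct hashed candidates:", hashed_candidate_count(cands))
    print(f"6 words from a 7776-word list: {passphrase_bits(7776, 6):.1f} bits")
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 6))
```

The character-level numbers answer "how hard is this string to brute-force blind"; the recipe-level count answers "how hard is it once the pattern has leaked", and that is the number the analysis above is really about. A passphrase drawn at random from a large list gives you entropy you can actually state, which a self-invented scheme never does.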

Interesting, I’ve never considered this.

Thank you for explaining this to me.

1 Like

I would just think of something that no one would guess, but this is thorough.

1 Like

I noticed a lot of people were saying it’s difficult to keep on top of long complicated passwords; you can quite literally buy a cheap notepad or book IRL and note them all down for reference, store it somewhere safe and keep it secured.

4 Likes

Adding onto Headless’s point:

It’s not as secure, but you can fill a notepad file with all passwords and save it somewhere inconspicuous with a false name. This will allow you to copy+paste long passwords.

2 Likes

If you’re going to be putting passwords into a notepad file then you might as well use a password manager. Using a notepad file is a good start though, I guess.


If anyone has concerns about the security of a password manager, then they should keep in mind that an encrypted database with a master password is absolutely more secure than an unencrypted notepad file hidden under an obscure name.

KeePass is one that works locally. There are applications to open KeePass databases for most popular platforms (Windows (alternative), Mac, Linux, Android, iOS). The database is encrypted, so if you trust a cloud storage provider then you can sync your database to the cloud and access it on the go on your phone.

BitWarden and LastPass are some online solutions. BitWarden is open source and you can even host your own BitWarden server so everything stays within your control.

9 Likes

Let’s be honest, who is going to want your robux that bad? If you have a randomly generated password over 10-20 characters with symbols, letters and numbers you’re safe enough. Pretty sure you’re not being pursued by an international intelligence agency who wants to get into your roblox account.

Anything past that is just pointless because the risks of you getting phished, keylogged, leaked or hacked (probably even physically interrogated) are way more likely than someone brute forcing it.

5 Likes
1 Like

I recently changed my methods to using a high entropy noise generated password.

The reason I do it is because I’m OCD when it comes to security. I know the odds of someone getting into my account are <1%. I just prefer safe over sorry. :slight_smile:

4 Likes

There’s also this startup called myki. It combines the autocompletion of LastPass with the security of being stored locally and the convenience of using your fingerprint (from your phone) to authenticate you. If you have a compatible phone I highly recommend it. Basically, all your passwords are encrypted on your phone but an extension on your browser can request a single login from the phone and all you have to do is go to the phone and approve it with your fingerprint. Good if you don’t totally trust LastPass.

A post was merged into an existing topic: Off-topic and bump posts

1 Like

Topic was necrobumped and has been locked

1 Like