
There are many password-related questions in here, but I failed to find the answer to mine. I'm no expert, so maybe I don't have the right keywords. Sorry if this duplicates a question that has possibly been asked 100 times.

I'm just a regular user who wants to have a good password. From what I understood, the best solution is to have a (good) password manager. The problem with password managers is that, for the few I know, you can't access your account on a given website from someone else's laptop (unless, maybe, you install the password manager app on that laptop and sync it with your account, which is still annoying).

Then there is the trade-off between, basically, the entropy of the password, the fact that you need to remember it, and the fact that you should not use the same password twice.

So I was wondering if there was any special added security by doing the following:

  • take an easy password, e.g. foo
  • go to website website.com
  • apply to it a simple function that transforms foo_website.com into, say, 1634d6f7c5148738bfac403c2a59fdf1
  • use that as a password to sign in on website.com

The advantage compared to a password manager is that I can generate my password from any laptop if I remember both the password and the function. Here the password is an md5 hash, and md5 is implemented on many machines, so there is nothing to remember but foo.

My questions are:

  • Is there any password manager that satisfies the need to log on from another computer (which is not yours)?
  • Otherwise, does that scheme provide a good compromise in this multiple trade-off situation, or is it just as bad as re-using the same password, whatever its entropy?
  • [NEW!] How easy is it to crack a function, be it simple, not even knowing if a function is used? Say I'm a target; how can one crack my password or my function?
  • Finally, I've seen that some of you were using the concept of a low-tech password.txt file [edit] as a means to manage passwords [/edit]. What does it mean? Is it just a plain text file with all your passwords? How safe is this?

Also, note that I don't have a smartphone, and that I'm aware that it won't be better than a password manager and that security comes at the expense of usability. I'm wondering whether doing this would add a significant layer of security, compared to having different very strong passwords that you remember (putting aside password managers).

jrjc
  • The flaw in the design is that if all of your passwords are related to a single function, I do not need to try to crack a specific website. I would be solely interested in breaking your function and then I would be able to gain access to all of your accounts. In your design, there is no inherent security either. If you can generate a function and algorithm wherever you are, then so could the attacker. Password managers are generally encrypted and limit the number of password iterations to prevent brute-forcing. – pr- Oct 09 '15 at 15:31
  • Related to https://security.stackexchange.com/questions/62699/what-if-i-develop-my-own-hash-algorithm-to-create-strong-passwords-from-easy-one?rq=1 and https://security.stackexchange.com/questions/1222/is-there-a-method-of-generating-site-specific-passwords-which-can-be-executed-i?rq=1. – Neil Smithline Oct 09 '15 at 15:50
    Many password managers come with mobile apps or access via a website. Google [online password managers](https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&es_th=1&ie=UTF-8#q=online%20password%20manager&es_th=1) for info. – Neil Smithline Oct 09 '15 at 15:51

3 Answers


Your attempt to establish the theory behind the creation of the password has some shortcomings to it. Let me explain:

  • Taking an easy password like foo and attempting to transform foo_website.com will lead to the attacker creating a set of files that would allow him to crack the simple function and then generate a list of all the hashes, using a combination of a dictionary attack and a list of your most used websites, and use that as one of the inputs to the password cracker. This is why cryptographic algorithms are somewhat complex in their working.

To answer your other question:

  • Use a password manager on your mobility device. Try some of the apps available on your OS store.

  • I would say it is just as bad, because there is no significant gain in security. You would be better off using other available proven methods.

  • Totally depends on the context. It generally means a list of passwords in a text file that could be used as input to cracking tools, or could also mean a list of compromised passwords.

user2339071
  • My previous comment disappeared. So thanks for your answer; I edited my question a bit, so you may adapt your answer accordingly. Plus, I don't understand your first point: what set of files can an attacker create? – jrjc Oct 10 '15 at 00:53
  • Depends on how simple the function is. The idea is that using a simple function is not recommended. Files like randomly sniffed outputs or hashes, and performing a sort of analysis, can reveal something about the function in general. I hope I could clarify your doubt. – user2339071 Oct 11 '15 at 17:37

I use the paid version of LastPass as my password manager. I'll try to address your questions by describing my experience with LastPass.

My master password is only semi-complex; it's something easy for me to type because I reinforce it with 2FA and an e-mail alert when connecting from any new location/device/browser.

Beyond my username/master password there's nothing for me to remember. Most of my passwords are LastPass randomly generated 16 character combinations, with an additional layer of 2FA for financial services.

LastPass has a standalone application which I keep on a thumb drive. This gives me access to my password vault without installing any software on the local machine. Particularly handy is a portable version of Chromium on the thumb drive, with the LastPass extension already installed for browser based auto-fill. If I'm only going to need one or two logins while I'm at the local machine, I may just bring up the password vault on my phone.

onrul
  • Are you sure you should still recommend LastPass [after they got hacked and lost the hashes of all user master passwords](http://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/)? – Philipp Oct 10 '15 at 11:11
  • "My master **password** (1) is only semi-complex, **it's** (2) something easy for me to type because I reinforce **it** (3) with 2FA and an e-mail alert when connecting from any new location/device/browser." In this sentence pronoun **it** (2) replaces the noun **password** (1). However if pronoun **it** (3) replaces the same **password** (1), then your reasoning is false. 2FA does not reinforce password in any way. **It** (3) might replace the noun **LastPass** from your previous paragraph, but it (sic!) is not immediately clear to the reader. – techraf Oct 10 '15 at 12:23
  • Security breaches are going to happen, and I'm not going to not recommend something because of it. All we can do is try to best prepare ourselves with 2FA, and alerting systems. – onrul Oct 11 '15 at 15:20

My questions are:

  • Is there any password manager that satisfies the need to log on from another computer?
  • Otherwise, does that scheme provide a good compromise in this multiple trade-off situation, or is it just as bad as re-using the same password, whatever its entropy?
  • [NEW!] How easy is it to crack a function, be it simple, not even knowing if a function is used?
  • Finally, I've seen that some of you were using the concept of a low-tech password.txt file [edit] as a means to manage passwords [/edit]. What does it mean? Is it just a plain text file with all your passwords? How safe is this?

Oh yay a list! This makes it easy to keep track of the questions, so I'll address them in order.

Are there any password managers that satisfy the need to log on from a different computer?

Google Chrome allows this. As long as you sign into your Google account in the Chrome web browser, it will carry over your passwords with it, which it keeps safe and secure in your Google account. Otherwise, take a look at Roboform, since it can be run on multiple system architectures, and even from a USB drive!

Otherwise, does that scheme provide a good compromise in this multiple trade-off situation, or is it just as bad as re-using the same password, whatever its entropy?

Again look at Roboform. That thing will generate a random password for you.

As for the one you're generating, it will be secure as long as you are the only person to have a copy of the generation script. It does have some downfalls, though. Its noise is limited to hex digits. This is a big problem, because a hex digit only goes from 0-9, A-F. This limits the number of guesses a brute force needs to guess your password. Always use the full ASCII character set (or, if Unicode is available, so forth and onward) to generate your password.

[NEW!] How easy is it to crack a function, be it simple, not even knowing if a function is used?

As in for a password generator? Depends.

The password will only be as strong as the function used to create it, and if the function uses a limited character set to generate the password, it's a trivial matter to crack it. If it uses a full set... well, things get harder to crack.

The truth of the matter is that having a good password is only one step towards keeping it secure. The other part is rotating it, so that long-term brute-force attacks can't break it eventually; they'll just never get to it, because the password has changed.

For example, the one in Roboform is awesome in that it generates a password that uses ALL AVAILABLE CHARACTERS it can, within the constraints of what you tell it. This generates extremely hard-to-crack passwords.

Finally, I've seen that some of you were using the concept of a low-tech password.txt file [edit] as a means to manage passwords [/edit]. What does it mean? Is it just a plain text file with all your passwords? How safe is this?

This just means we keep our passwords, website addresses, and account information in a .txt file. This is as secure as the storage medium it is on. If anyone finds it, they now have your credentials. It's... frowned upon to do this, and that's putting it lightly. The credentials are not encrypted, password protected, or even kept safe. They just rely on the fact that they have their computer in their possession. If it gets stolen, they are in BIG trouble.

Of course, you can go this route safely as well. You can encrypt it, password protect it, and store it in a hard-to-get-to place far away from the encryption key. This means that if someone gets the .txt file and can't decrypt it, it's just a worthless flow of garbage, especially if you pad it with garbage data (like a hundred lines of keyboard mash). Of course, at this point you're doing manual password management and might as well just look at Roboform again.

TL;DR: LOOK AT ROBOFORM! It was really something that came up in every single one of your questions, and it seems like it will be what you're looking for. I use this myself and love it.

Robert Mennell
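The following worked example was added by the editor; it is not code from the question or from any of the answers, and it is not how Roboform, LastPass or Chrome derive anything. It puts the thread's three technical points side by side: `naive_site_password` is the questioner's scheme as posted (md5 of `foo_website.com`, hex digest used verbatim); `alphabet_bits` gives the strength ceiling that the hex-only output (16 symbols) and a full printable alphabet (94 symbols) allow, which is Robert Mennell's objection; and `derived_site_password` is a hypothetical hardened variant that applies pr-'s point about key stretching (a slow KDF, PBKDF2-HMAC-SHA256 here, with a per-site salt and a counter so a single site's password can be rotated, as the rotation paragraph suggests). The master `foo` and the site `website.com` come from the question; all other names, parameters and the iteration count are the editor's assumptions.

```python
import hashlib
import hmac
import math
import string

# Inputs taken from the question itself; everything else in this file is constructed.
MASTER = "foo"
SITE = "website.com"

# The 94 printable ASCII symbols (letters, digits, punctuation): the alphabet the answer recommends.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def naive_site_password(master: str, site: str) -> str:
    """The scheme as posted: md5 of '<master>_<site>', hex digest used directly as the password."""
    return hashlib.md5(f"{master}_{site}".encode()).hexdigest()


def alphabet_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on a password's strength in bits if every symbol were chosen uniformly.

    This is only a ceiling. For a derived password the real strength is capped by the master
    secret: once the function is known, guessing 'foo' is all it takes, however long the
    32-character hex output looks. That is the point made in the comments and in the answers.
    """
    return length * math.log2(alphabet_size)


def _keystream(key: bytes):
    """Deterministic, unbounded byte stream: HMAC-SHA256 of a running block counter under `key`."""
    block = 0
    while True:
        yield from hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1


def derived_site_password(master: str, site: str, counter: int = 1,
                          length: int = 20, iterations: int = 600_000) -> str:
    """Hypothetical hardened variant (editor's construction, not the questioner's scheme).

    - PBKDF2-HMAC-SHA256 with many iterations makes every guess at the master secret slow.
    - The site name plus a counter form the salt, so different sites get unrelated passwords
      and one site's password can be rotated by bumping the counter, without a new master.
    - Output symbols are drawn from all 94 printable characters by rejection sampling, so
      every symbol is equally likely (no modulo bias) instead of only the 16 hex digits.
    """
    salt = f"{site}#{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    # 256 % 94 == 68, so bytes >= 188 are discarded; the remaining 188 values map evenly onto 94 symbols.
    limit = 256 - (256 % len(PRINTABLE))
    chars = []
    for b in _keystream(key):
        if b < limit:
            chars.append(PRINTABLE[b % len(PRINTABLE)])
            if len(chars) == length:
                break
    return "".join(chars)


if __name__ == "__main__":
    naive = naive_site_password(MASTER, SITE)
    print(f"naive md5 scheme : {naive}  ({alphabet_bits(len(naive), 16):.0f}-bit ceiling, hex only)")
    hardened = derived_site_password(MASTER, SITE)
    print(f"hardened variant : {hardened}  ({alphabet_bits(len(hardened), len(PRINTABLE)):.0f}-bit ceiling)")
    print(f"after rotation   : {derived_site_password(MASTER, SITE, counter=2)}")
```

Two things the output makes visible. First, the hardened variant still has a single point of failure: with a master as weak as `foo`, the iteration count only makes each guess cost more, it does not add entropy, so a strong master (a long passphrase) is what actually buys security, and a leaked derived password for one site leaks nothing about the others only because the salt differs per site. Second, the counter is what lets a single site's password be changed after a breach without touching every other account, which is the rotation problem the naive md5 scheme cannot solve at all.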