by AbhyudayaSharma on 5/29/21, 7:14 AM with 61 comments
by yosito on 5/29/21, 11:32 AM
by ahelwer on 5/29/21, 1:45 PM
The whole process took probably three minutes front-to-back. Lastpass lets you export your passwords in a CSV, which you then upload to any other service which automatically imports them. Very easy. If you're frustrated with lastpass I recommend the switch. Personally I chose Bitwarden because it's open source.
by baldfat on 5/29/21, 12:20 PM
Companies that use password managers are infinitely better off with one than without. My co-workers would repeat their passwords and make them incredibly simple and easy for anyone to break with basic social hacking. My old company had the lowest level of tech skills, and the company contracted out their IT work and had the stupidest password policy. You just had to change one digit. So the joke was people would just +1 their passwords and they would know how long they had worked there.
Repeating passwords is something people do because we all have hundreds of passwords if we don't have a password manager. Even I, with my paranoid ways, had several, because I had to use a system that was based on the URL of what I was using.
by jfktn5ntkfl on 5/29/21, 1:39 PM
It feels to me like we need someone with huge resources, like Microsoft/Google/Apple... to buy them and apply their methods against this attack.
For example, where are the binaries built? Who controls the accounts used to upload the installers? Do they regularly pay security teams to try to find vulnerabilities?
To be clear, I'm not worried about the code, but I'm very worried about the downloadable binaries.
by batch12 on 5/29/21, 12:34 PM
by mkl95 on 5/29/21, 1:51 PM
by iamshs on 5/29/21, 7:04 PM
by umvi on 5/29/21, 2:59 PM
f(domain, secret_word, secret_sentence, rules)
= UPPER(KEY_TO_RIGHT(domain[0:3])) + secret_word + secret_sentence[LENGTH(domain)] + LENGTH(domain) + PAD_TO_20("X")
So if my secret word were "bottleneck" and my secret sentence were "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." my algorithm generates the following passwords:
google.com:
f("google", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." , rules)
password = "HPPbottleneckacknowledged,6"
(note that "HPP" are the letters on the keyboard shifted right from "GOO")
microsoft.com:
f("microsoft", "bottleneck", "It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife." , rules)
password = "ZOVbottlenecksingle9"
The "rules" parameter is because some sites have length restrictions, symbol restrictions, and you may have to truncate the password or replace symbols. Also in "rules" is how many times you've changed a given password. I store the "rules" in a google doc.
Anyway, the nice thing about this system is that the algorithm is in your brain and you can use it to generate the password for a given service without relying on a password manager. So theoretically if I got stranded in Europe as a tourist and my phone got stolen, I'd still be able to get into my accounts (assuming 2FA isn't enabled...).
Password managers definitely generate more secure passwords, but my goal isn't to be the most secure, it's to strike a balance between the things I care about (and I care about being able to get into my accounts if I somehow lose access to my password manager).
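The derivation umvi describes, written out as an added example (this is not umvi's code and not from any project on the page). Details the comment leaves unstated are assumed here: the key-to-right step uses a US QWERTY layout, the secret sentence is indexed by 1-based word position (the only indexing that reproduces the google example), and "rules" is a small dict carrying a maximum length and whether symbols are allowed. On US QWERTY the key to the right of "m" is ",", so the first character of the microsoft output here differs from the "ZOV" shown in the comment. The second half is the caveat a reviewer would raise: the scheme's structure is public, so the only secret is the word and the sentence, and two leaked passwords from different sites are enough to recover the secret word by common prefix.

```python
"""Deterministic 'in-your-head' password derivation and what a leak reveals.

Added example, not the commenter's own code. Assumptions: US QWERTY for
KEY_TO_RIGHT, 1-based word indexing into the secret sentence, and a 'rules'
dict with optional 'max_len' (int) and 'symbols' (bool) entries.
"""
import os
import re

# Constructed sample secret sentence, taken from the comment above.
SENTENCE = ("It is a truth universally acknowledged, that a single man in "
            "possession of a good fortune, must be in want of a wife.")

# US QWERTY rows, left to right. KEY_TO_RIGHT maps each key to its right neighbour.
_QWERTY_ROWS = ["qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
KEY_TO_RIGHT = {row[i]: row[i + 1]
                for row in _QWERTY_ROWS for i in range(len(row) - 1)}


def key_to_right(text):
    """Shift every character one key to the right; unknown keys pass through."""
    return "".join(KEY_TO_RIGHT.get(ch, ch) for ch in text.lower())


def derive_password(domain, secret_word, secret_sentence, rules=None):
    """f(domain, secret_word, secret_sentence, rules) from the comment.

    UPPER(KEY_TO_RIGHT(domain[0:3])) + secret_word
        + secret_sentence[LENGTH(domain)] + LENGTH(domain) + PAD_TO_20("X"),
    then the site-specific rules (symbol stripping, truncation) are applied.
    """
    rules = rules or {}
    words = secret_sentence.split()
    n = len(domain)
    # 1-based word index (assumption); wrap around so very long domains still work.
    sentence_word = words[(n - 1) % len(words)]
    pw = key_to_right(domain[:3]).upper() + secret_word + sentence_word + str(n)
    pw = pw.ljust(20, "X")                      # PAD_TO_20("X")
    if not rules.get("symbols", True):          # site forbids symbols
        pw = re.sub(r"[^A-Za-z0-9]", "", pw)
    max_len = rules.get("max_len")
    if max_len:                                 # site caps the length
        pw = pw[:max_len]
    return pw


def recover_constant_part(domain, leaked_password):
    """Attacker side, scheme known, default rules assumed.

    The 3-char prefix, the length digits and the X padding are all derivable
    from the domain alone, so stripping them leaves secret_word + sentence_word.
    """
    suffix = str(len(domain))
    body = leaked_password[3:].rstrip("X")      # assumes the secret word does not end in X
    if not body.endswith(suffix):
        raise ValueError("leaked password does not fit the scheme for this domain")
    return body[: -len(suffix)]


def recover_secret_word(leaks):
    """leaks: {domain: leaked_password}. Each site contributes a different
    sentence word, so the longest common prefix across sites is the secret word."""
    parts = [recover_constant_part(d, p) for d, p in leaks.items()]
    return os.path.commonprefix(parts)


if __name__ == "__main__":
    for site in ("google", "microsoft"):
        print(site, derive_password(site, "bottleneck", SENTENCE))
    leaked = {s: derive_password(s, "bottleneck", SENTENCE) for s in ("google", "microsoft")}
    print("recovered secret word:", recover_secret_word(leaked))
```

The recovery step is the point to take away: because the domain-dependent parts are computable by anyone who knows the scheme, each leaked password exposes the constant part, and a second leak from another site separates the secret word from the sentence word. The rotation counter stored in the rules doc is not modelled here; if it is appended to the password, it changes only the predictable suffix.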
by aneutron on 5/29/21, 11:06 AM
by ncphil on 5/29/21, 5:09 PM
Accept no substitutes.
by bradgranath on 5/29/21, 2:50 PM
by JCWasmx86 on 5/29/21, 6:35 PM
by 2Gkashmiri on 5/29/21, 1:21 PM