Seriously, What is the best way to save passwords?

6 points| ldobreira | 3 years ago | reply

I don't see myself trusting any password manager, and the recent LastPass hack just confirms my point. How can this be done? How are you guys saving passwords?

12 comments

[+] tomkarho|3 years ago|reply
Being a faithful user of KeePass and its variants, I see no problem with offline managers like that and I would always recommend those over any other manager. That being said, if password managers are not your thing, you really have only one option.

Your own memory.

More precisely, create passphrases (emphasis on phrase, meaning multiple words) based on certain characteristics known only to you that are relatively easy to remember by you and you alone. One trick is to use a common base phrase and then, based on the service/app etc., pick some characteristics of it to enhance the base, so your full password would be [base-phrase]+[your-service-specific-parts]. Kind of like a semi-analog version of a password and a password salt. Of course, if someone cracks your base phrase you are SOL, so even that is not foolproof.

Either that, or invest in memory palace techniques to give yourself a supermemory so you remember every random password like yesterday.

Or third: get whacked in the head real hard so your brain rewires itself and you develop photographic memory and never forget a thing (yes, this one is a joke).

[+] dxs|3 years ago|reply
For each account,

> Create a long, unique, random password.

> Save the site URL, the required userid, the password, and any other relevant things in a text file.

> Save all these text files in fossil.

> Password protect and save the fossil file with 7z.

When it's time to use a password, run a script to unzip the 7z file, fire up fossil, and expose the full set of password files, then access whatever I need.

When done, delete everything, leaving just the original 7z file.

Is it a little tedious and clunky? Yep. Does it work? Yep. Is it totally under my control? Yep.

Details

> Generate a 24-char password: gpg --gen-random --armor 1 18

> Fossil: https://www.fossil-scm.org/home/doc/trunk/www/index.wiki

> 7z: https://en.wikipedia.org/wiki/7z
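As an added illustration (my own code, not dxs's script), the `gpg --gen-random --armor 1 18` step above turns 18 random bytes into a 24-character base64 password; the same construction in Python, plus a check that a value pulled back out of the text files still has that shape. Function names are mine.

```python
import base64
import math
import secrets

# 18 bytes * 8 = 144 bits of entropy; base64 expands 18 bytes into 24 characters,
# which is exactly what `gpg --gen-random --armor 1 18` prints.
RANDOM_BYTES = 18


def generate_password(nbytes: int = RANDOM_BYTES) -> str:
    """Return a base64-armored password built from `nbytes` bytes of OS randomness."""
    raw = secrets.token_bytes(nbytes)  # CSPRNG, the same role gpg's RNG plays
    return base64.b64encode(raw).decode("ascii")


def entropy_bits(nbytes: int = RANDOM_BYTES) -> int:
    """The password's strength is fixed by the random bytes, not by its character count."""
    return nbytes * 8


def expected_length(nbytes: int) -> int:
    """base64 emits 4 characters per 3 input bytes, padded up to a multiple of 4."""
    return 4 * math.ceil(nbytes / 3)


def is_gpg_style_password(pw: str, nbytes: int = RANDOM_BYTES) -> bool:
    """Sanity check for a stored password: right length and valid base64 of `nbytes` bytes.

    Useful when a record is read back from the text files, to catch truncation or a
    value that was hand-edited into something weaker than the generator produced.
    """
    if len(pw) != expected_length(nbytes):
        return False
    try:
        # validate=True rejects characters outside the base64 alphabet
        return len(base64.b64decode(pw, validate=True)) == nbytes
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


if __name__ == "__main__":
    pw = generate_password()
    print(pw, len(pw), "chars,", entropy_bits(), "bits")
    print("well-formed:", is_gpg_style_password(pw))
```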

[+] andrewwebber|3 years ago|reply
Been working with a yubikey + pass setup for many years.

My favorite feature is that the backend store supports git, allowing you to sync and back up your passwords to anywhere you can push a git repository.

Pass stores your keys encrypted using your gpg key. Having the master key on your yubikey adds additional peace of mind.

The only place I never use my password manager is my smartphone, by choice - I don't trust my phone.

https://wiki.archlinux.org/title/Pass

[+] dakiol|3 years ago|reply
I have a couple of passwords I care about. I have memorized them, but I also have written them in pages in a couple of books (among the hundreds I have).

The vast majority of other passwords (e.g., HN's account), well, they are in plain text in some file on my computer. I really don't care about them.

[+] aprdm|3 years ago|reply
I'm using 1password for 8y now and am still confident on them being able to securely store my secrets. I think the trade off between convenience and security is there. I did move some 2fa codes to it and I'm unsure if I should have done so, might roll back that decision..

[+] mchenier|3 years ago|reply
The problem is really to find a solution that allows sharing passwords between devices (computers, phones).

I think a solution like Keepass with an encrypted file shared on common cloud file services would be great if we could trust the third party versions for phones.

[+] theandrewbailey|3 years ago|reply
KeePassXC:

Local password database storage

No cloud account

No login