Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread wraeth
On Tue, Jul 21, 2015 at 10:05:57PM -0400, cov...@ccs.covici.com wrote:
> Neil Bothwick n...@digimed.co.uk wrote:
> 
> > Have you tried KeePass? It does what you are doing but with a decent
> > interface and the ability to type the details into web pages for you.
> 
> But does it store the data on someone's server?  Where they could have a
> data breach?
> 

As discussed in a related subthread (at least, it's inferred, though not
explicitly stated) KeePass uses file-based storage on the local machine
it's running on - passwords are stored in a *.kdb file - so you're not
sharing your passwords, encrypted or otherwise, with any third party.

This can be extended using some filesharing service - either commercial
or personally run - to allow syncing of passwords between devices (or
more accurately, syncing of KeePass databases between devices).

KeePass is Qt based and has a client at least for Linux and Windows, as
well as an Android app (DroidPass). I personally sync my .kdb using an
ownCloud instance, whereas Neil uses SyncThing, a peer-to-peer sync
service.

Utilities available in Gentoo are:

  app-admin/keepassx
  dev-python/keepassx
  dev-perl/File-KeePass

One I'm not certain of but, judging from the name may also be related,
is:

  app-admin/keepass
-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Neil Bothwick
On Wed, 22 Jul 2015 13:00:10 +1000, wraeth wrote:

> KeePass is Qt based and has a client at least for Linux and Windows, as
> well as an Android app (DroidPass).

There are several Android clients, I use Keepass2Android.


-- 
Neil Bothwick

A pessimist complains about the noise when opportunity knocks.




Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Chris Stankevitz
On Sun, Jul 6, 2014 at 12:09 PM, Mick michaelkintz...@gmail.com wrote:
> I think that the idea of keeping your passphrase in the clipboard is frowned
> upon for security reasons.  Not only because of any potential memory leaks,
> but because you may inadvertently paste it in GUI fields/areas you were not
> meant to

Mick,

Thank you.  I too have been concerned about this.  I've also been
concerned about memory leaks.  FYI one cute feature of keepass is
that it clears the clipboard 20 seconds after you copy your password
to it.  Today (2014) I am choosing to use the clipboard/keepass to
manage complex/unique passwords.  Perhaps in the future (2015)
everybody will support something like the Yubikey HW OTP... in which
case it won't matter if everyone sees my password!

Chris



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread wraeth
On Tue, Jul 21, 2015 at 10:38:50AM +0100, Neil Bothwick wrote:
> Something like KeePass. It has Linux, Windows and Android clients and
> because the file is encrypted locally, you can store it in a cloud
> service, although I now use Syncthing to keep it on all my devices, now
> that my life is free of Dropbox.

I also use KeePass, including both GUI and Python (dev-python/keepassx)
front-ends and sync it with a self-hosted ownCloud server - keeps my
data _my_ data.

Unfortunately it doesn't have the integration you get with something
like LastPass, but it does mean it would take one heck of a catastrophic
event to make me lose my passwords.

That being said, not everyone wants or otherwise needs something like
ownCloud, so you could also do it through scp and cron, etc.

-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 16:31:52 -0400, cov...@ccs.covici.com wrote:

> I have owncloud working just fine, although I don't use it for passwords
> -- for those I just have a pgp key and individual files and I have an
> iphone app which can decrypt them.

Have you tried KeePass? It does what you are doing but with a decent
interface and the ability to type the details into web pages for you.


-- 
Neil Bothwick

We are upping our standards - so up yours.




Re: [gentoo-user] nsapass - alternative to keepassxc (and others)

2020-08-01 Thread J. Roeleveld
On Sunday, 19 July 2020 09:48:35 CEST Caveman Al Toraboran wrote:
> ‐‐‐ Original Message ‐‐‐
> 
> On Saturday, July 18, 2020 11:13 PM, J. Roeleveld wrote:
> > This is not a GUI
> 
> xterm is GUI.  you don't need to click on gtk/qt
> widgets to access details of password entries.
> gtk/qt is a massive overkill.

Please check the meaning of " GUI " and try to answer my statement again.

> > This makes portability a problem. Exactly why keepass (and clones) are
> > used more.
> 
> compatibility with keepassxc is extremely
> overrated.  it's easy to port nsapass to
> windows/apple (may even work out of the box,
> didn't try).

Compatibility with "keepass" (keepassxc is already a different tool/clone) is 
important and makes it simpler to use the same database on different 
environments.
You might be happy with a simplistic database that only stores a few 
passwords. I tend to deal with passwords that are shared within teams because 
the hardware involved only supports a single account. This makes tools like 
keepass important.

> > Nice, a full detailed list of every single change to your passwords :)
> 
> no.  how do you backup your passwords file?
> dropbox?  flash disk?  it's up to you.  this is
> unrelated to the passwords manager.

Actually, the more copies with changes to your passwords there are, the easier 
it will be to guess your passwords.

And no, I do not use dropbox, I use a secure filestore for this.

> > The likes of NSA don't actually care about your (dis)approval.
> 
> no one does.  not unique to nsa.  people
> exaggerate nsa as if they are any better.
> 
> tbh, nsa is even better than most of our
> neighbours.  if our phones fall in the hands of
> our neighbours, next day most people will find
> themselves in pornhub.  but nsa can get it all,
> and yet they still didn't leak it to pornhub (at
> least not as much).

No, they leak it to the press and wikileaks.

--
Joost





Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread covici
Neil Bothwick n...@digimed.co.uk wrote:

> On Tue, 21 Jul 2015 22:05:57 -0400, cov...@ccs.covici.com wrote:
> 
> > > Have you tried KeePass? It does what you are doing but with a decent
> > > interface and the ability to type the details into web pages for
> > > you.
> > 
> > But does it store the data on someone's server?  Where they could have a
> > data breach?
> 
> It stores it in a single, encrypted file, wherever you put it. You can put
> the file on a cloud server if you wish, but it's just a file, useless
> without the decryption key.

Is there a command line interface to keepass?  I don't want to be tied
down to some gui which may or may not work for me.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread covici
Neil Bothwick n...@digimed.co.uk wrote:

> On Tue, 21 Jul 2015 16:31:52 -0400, cov...@ccs.covici.com wrote:
> 
> > I have owncloud working just fine, although I don't use it for passwords
> > -- for those I just have a pgp key and individual files and I have an
> > iphone app which can decrypt them.
> 
> Have you tried KeePass? It does what you are doing but with a decent
> interface and the ability to type the details into web pages for you.

But does it store the data on someone's server?  Where they could have a
data breach?


-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici
 cov...@ccs.covici.com



Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread Neil Bothwick
On Tue, 21 Jul 2015 22:05:57 -0400, cov...@ccs.covici.com wrote:

> > Have you tried KeePass? It does what you are doing but with a decent
> > interface and the ability to type the details into web pages for
> > you.
> 
> But does it store the data on someone's server?  Where they could have a
> data breach?

It stores it in a single, encrypted file, wherever you put it. You can put
the file on a cloud server if you wish, but it's just a file, useless
without the decryption key.


-- 
Neil Bothwick

God created the world in six days.  On the seventh day he also decided
to create England... just to try out his Practical Joke Weather Machine.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 08:53:42 +0100, Mick wrote:

> A better, as in more secure, solution should involve local encryption
> and IMHO local air-gapped storage.  A USB key will do nicely and you
> can have a second USB key stored in your brother's premises, for
> disaster recovery scenarios.

Something like KeePass. It has Linux, Windows and Android clients and
because the file is encrypted locally, you can store it in a cloud
service, although I now use Syncthing to keep it on all my devices, now
that my life is free of Dropbox.


-- 
Neil Bothwick

If man ruled the world:
Daisy Duke shorts would never go out of fashion.




[gentoo-user] GTK Graphical Problems

2021-06-02 Thread jdm
Hi,

At the weekend I updated my system and after reboot some of my apps
have lots of black squares/rectangles all over the place, covering
all of the app window and making email difficult to write.

Initially I thought this was a Wayland problem as using Wayfire but
switched to X11 desktop and still had same issue.

Trying all my apps, this looks to be a GTK-related issue as it's happening
with claws-mail (worst), gkrellm, gcolor2, Bluefish etc. QT/EFL apps
seem to be fine (qtfm, keepass). Firefox-bin works just fine, oddly.

Anyone else seen this? I see a thread talking about GTK slots but not
sure if this is related.

I've rebuilt all gtk related packages which has not helped.

John



Re: [gentoo-user] Moving from Lastpass to Bitwarden

2021-02-18 Thread Frank Steinmetzger
Am Thu, Feb 18, 2021 at 03:04:21PM + schrieb Neil Bothwick:

> > So the natural answer for my password needs is keepass (by now the XC
> > variant). I sync it between my Linux machines with all other files using
> > unison.
> 
> That's what I was using, but I now run my own BitWarden server, so I get
> the convenience and the security.

That’s an interesting plot twist.

-- 
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.

The shortest brass joke ever: “Piano”.




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread Neil Bothwick
On Tue, 21 Jul 2015 20:27:32 +1000, wraeth wrote:

> > Something like KeePass. It has Linux, Windows and Android clients and
> > because the file is encrypted locally, you can store it in a cloud
> > service, although I now use Syncthing to keep it on all my devices,
> > now that my life is free of Dropbox.
> 
> I also use KeePass, including both GUI and Python (dev-python/keepassx)
> front-ends and sync it with a self-hosted ownCloud server - keeps my
> data _my_ data.
> 
> Unfortunately it doesn't have the integration you get with something
> like LastPass, but it does mean it would take one heck of a catastrophic
> event to make me lose my passwords.

On the other hand, it does allow you to store extra information, like
memorable words, and the auto-type feature gives enough integration for
me.

> That being said, not everyone wants or otherwise needs something like
> ownCloud, so you could also do it through scp and cron, etc.

Have you tried Syncthing - http://syncthing.net/ ? I only discovered it
recently and it is a really nice syncing solution if you just want to
keep files available in multiple locations without the complexity of
ownCloud or the limitations of Dropbox.


-- 
Neil Bothwick

Evolution stops when stupidity is no longer fatal!




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-21 Thread wraeth
On Tue, Jul 21, 2015 at 11:41:03AM +0100, Neil Bothwick wrote:
> On Tue, 21 Jul 2015 20:27:32 +1000, wraeth wrote:
> 
> > > Something like KeePass. It has Linux, Windows and Android clients and
> > > because the file is encrypted locally, you can store it in a cloud
> > > service, although I now use Syncthing to keep it on all my devices,
> > > now that my life is free of Dropbox.
> > 
> > I also use KeePass, including both GUI and Python (dev-python/keepassx)
> > front-ends and sync it with a self-hosted ownCloud server - keeps my
> > data _my_ data.
> > 
> > Unfortunately it doesn't have the integration you get with something
> > like LastPass, but it does mean it would take one heck of a catastrophic
> > event to make me lose my passwords.
> 
> On the other hand, it does allow you to store extra information, like
> memorable words, and the auto-type feature gives enough integration for
> me.

Yes, I didn't mean to imply that it was _lacking_ in features, just that
the main feature mentioned so far has been browser integration (with
fair reason, too).

> > That being said, not everyone wants or otherwise needs something like
> > ownCloud, so you could also do it through scp and cron, etc.
> 
> Have you tried Syncthing - http://syncthing.net/ ? I only discovered it
> recently and it is a really nice syncing solution if you just want to
> keep files available in multiple locations without the complexity of
> ownCloud or the limitations of Dropbox.

No I haven't, but one of the main reasons for that is because I mostly
bypassed online (read: not controlled by myself) services for any sort
of syncing - I eyed a couple, but my primary thought was to retain
proper control of my data. Besides, I was setting up a host for a mail
server anyway and was looking for online calendaring and contact
management for syncing between devices, so it wasn't that far out of my
way.

-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] nsapass - alternative to keepassxc (and others)

2020-08-01 Thread Caveman Al Toraboran
‐‐‐ Original Message ‐‐‐
On Saturday, August 1, 2020 5:49 PM, J. Roeleveld  wrote:

> > > This is not a GUI
> >
> > xterm is GUI. you don't need to click on gtk/qt
> > widgets to access details of password entries.
> > gtk/qt is a massive overkill.
>
> Please check the meaning of " GUI " and try to answer my statement again.

xterm/urxvt is a gui.  it can render images too.
e.g.  seen ranger?

but nitpick aside, i know what you want.  you want
an app that uses gtk or qt libraries, so that you
get some buttons to click on with your mouse, and
menus and scrollbars to drag around — but why
would you seek to do this to yourself?  very
sadistic.

if you check the latest version in this dev branch
(wip, code will improve next month):

https://github.com/Al-Caveman/nsapass/tree/space-cephalopod

you'll find a neat interactive feature and a
search feature that allows you to, say, retrieve
passwords really fast.  e.g. `nsapass get c p`
would equate `nsapass get caveman protonmail` (if
c p makes it unique).

> > > This makes portability a problem. Exactly why keepass (and clones) are
> > > used more.
> >
> > compatibility with keepassxc is extremely
> > overrated. it's easy to port nsapass to
> > windows/apple (may even work out of the box,
> > didn't try).
>
> Compatibility with "keepass" (keepassxc is already a different tool/clone) is
> important and makes it simpler to use the same database on different
> environments.
> You might be happy with a simplistic database that only stores a few
> passwords. I tend to deal with passwords that are shared within teams because
> the hardware involved only supports a single account. This makes tools like
> keepass important.

curious, any standardized or special hardware that
works with keepass?  e.g. some kind of dual factor
authentication?  or maybe USB sticks that give you
some physical button to, mechanically, select if
the passwords inside should be read?  anything
else interesting?

about `few passwords'.  i'm also curious why do
you think so?  e.g. here is a quick test with an
outrageously unrealistic test of 1 million key
entries in nsapass:

- 3.9 seconds for scrypt to decrypt the file.
  for a good reason that makes it more secure
  than keepass's aes 256-bit enc.

- 2.6 seconds for python's json to parse the
  file (parsing 1 mil entries).

- everything else was instantaneous after that
  (just a dictionary lookup).

about your team, not sure about your point.  you
said that nsapass is simplistic.  so i guess this
means that keepass offers you something more?  or
is it just that you have more people already using
it and too lazy to migrate?

> > > Nice, a full detailed list of every single change to your passwords :)
> >
> > no. how do you backup your passwords file?
> > dropbox? flash disk? it's up to you. this is
> > unrelated to the passwords manager.
>
> Actually, the more copies with changes to your passwords there are, the easier
> it will be to guess your passwords.

i never denied this.  nothing in nsapass that
makes you copy passwords with changes.  i don't
know where you got this.

i personally use git to copy my passwords database
around, but this -obviously- has nothing to do
with nsapass.

> > > The likes of NSA don't actually care about your (dis)approval.
> >
> > no one does. not unique to nsa. people
> > exaggerate nsa as if they are any better.
> > tbh, nsa is even better than most of our
> > neighbours. if our phones fall in the hands of
> > our neighbours, next day most people will find
> > themselves in pornhub. but nsa can get it all,
> > and yet they still didn't leak it to pornhub (at
> > least not as much).
>
> No, they leak it to the press and wikileaks.

leakers like snowden?  doesn't media call them
``heroes''?

see, NSA is made of decent people.  they either
keep our secrets better than our neighbours do,
or, when they leak it, they do so for a good cause
and become ``heroes''.

i personally trust NSA much better than my trust
to my neighbours (no comparison).  nothing personal
against my neighbours, decent people, but they are
less educated than NSA's staff.

it's just a matter of honesty to state that media's
stance against NSA is unfair imo.  even though this
statement will probably harm the reputation of
nsapass as i'm its dev and i'm flirting with NSA (not
that it matters though).
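
The `nsapass get c p` lookup described above, as an added illustration that is not nsapass's own code: once scrypt has decrypted the JSON file, resolving prefixes is a dictionary walk, and the interesting part is refusing to guess when the prefixes are not unique. The entry layout (a space-separated entry name mapping to username/password/note fields) and the sample contents are assumptions constructed for this example.

```python
import json

# Constructed sample of a decrypted nsapass-style database: the post describes
# the file as plain JSON once scrypt has decrypted it. The layout (entry name ->
# fields) is an assumption for this illustration, not nsapass's real schema.
SAMPLE_DB_JSON = json.dumps({
    "caveman protonmail": {"username": "caveman", "password": "pw-mail", "note": "email"},
    "caveman github": {"username": "caveman", "password": "pw-code", "note": "code"},
    "carol paypal": {"username": "carol", "password": "pw-bank", "note": "payments"},
})


class NotFound(LookupError):
    """No entry matches the given prefixes."""


class Ambiguous(LookupError):
    """More than one entry matches; the caller must give longer prefixes."""

    def __init__(self, candidates):
        super().__init__("ambiguous, matches: " + ", ".join(candidates))
        self.candidates = candidates


def load_entries(db_json: str) -> dict:
    """Parse the (already decrypted) JSON; after this every lookup is a dict walk."""
    return json.loads(db_json)


def match_prefixes(entries: dict, prefixes) -> list:
    """Return entry names whose space-separated words are each matched,
    position by position, by the given prefixes ('c p' -> 'caveman protonmail')."""
    hits = []
    for name in entries:
        words = name.split()
        if len(words) != len(prefixes):
            continue
        if all(word.startswith(prefix) for word, prefix in zip(words, prefixes)):
            hits.append(name)
    return hits


def get(entries: dict, *prefixes: str) -> dict:
    """Resolve prefixes to exactly one entry, refusing to guess when they are not unique."""
    hits = match_prefixes(entries, prefixes)
    if not hits:
        raise NotFound("no entry matches " + repr(" ".join(prefixes)))
    if len(hits) > 1:
        raise Ambiguous(sorted(hits))
    return entries[hits[0]]


if __name__ == "__main__":
    db = load_entries(SAMPLE_DB_JSON)
    print(get(db, "cav", "p")["username"])   # unique: caveman protonmail
    try:
        get(db, "c", "p")                     # caveman protonmail vs carol paypal
    except Ambiguous as exc:
        print("refused:", exc)
```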




Re: [gentoo-user] Catastrophic bug in the firefox 'ProfileManager' function

2015-07-22 Thread wraeth
On Wed, Jul 22, 2015 at 04:15:30PM -0400, cov...@ccs.covici.com wrote:
> Neil Bothwick n...@digimed.co.uk wrote:
> 
> > On Tue, 21 Jul 2015 22:05:57 -0400, cov...@ccs.covici.com wrote:
> > 
> > > > Have you tried KeePass? It does what you are doing but with a decent
> > > > interface and the ability to type the details into web pages for
> > > > you.
> > > 
> > > But does it store the data on someone's server?  Where they could have a
> > > data breach?
> > 
> > It stores it in a single, encrypted file, wherever you put it. You can put
> > the file on a cloud server if you wish, but it's just a file, useless
> > without the decryption key.
> 
> Is there a command line interface to keepass?  I don't want to be tied
> down to some gui which may or may not work for me.

I mentioned in the other part of this subthread that there is a python-based
utility for using it:

  dev-python/keepassx

This provides the utility `kp` which allows for using the kdb file. There is one
issue I've logged upstream with this utility where it's attempting and failing
to copy the password to clipboard, but I don't know the scope of this issue yet.

-- 
wraeth wra...@wraeth.id.au
GnuPG Key: B2D9F759




Re: [gentoo-user] nsapass - alternative to keepassxc (and others)

2020-07-17 Thread J. Roeleveld
On 17 July 2020 07:15:01 CEST, Caveman Al Toraboran wrote:
>hi - recently i heard some guys were suffering in
>this list from keepassxc, which reminded me of my
>my own.  so i finally decided to put an end to
>this in 404 lines of py code:
>
>https://github.com/Al-Caveman/nsapass
>
>hth.
>
>rgrds,
>cm.

Looks nice. Except for:
I like having a GUI where I can easily access the different account details.
Does it use Keepass databases? Or something you designed yourself?
Can it work with password database files that are stored on a central server 
without having to change the code?
A password database with NSA in the name does not inspire confidence.

--
Joost
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [gentoo-user] GTK Graphical Problems

2021-06-03 Thread jdm
On Wed, 2 Jun 2021 11:14:40 +0100
jdm  wrote:

> Hi,
> 
> At the weekend I updated my system and after reboot some of my apps
> have lots of black squares/rectangles all over the place,
> covering all of the app window and making email difficult to write.
> 
> Initially I thought this was a Wayland problem as using Wayfire but
> switched to X11 desktop and still had same issue.
> 
> Trying all my apps, this looks to be a GTK-related issue as it's happening
> with claws-mail (worst), gkrellm, gcolor2, Bluefish etc. QT/EFL apps
> seem to be fine (qtfm, keepass). Firefox-bin works just fine, oddly.
> 
> Anyone else seen this? I see a thread talking about GTK slots but not
> sure if this is related.
> 
> I've rebuilt all gtk related packages which has not helped.
> 
> John
> 

Noticed a minor oddity with sddm where text was not rendering correctly, so
decided it was not a gtk problem, but strange that qt apps were hardly
affected.

Updated mesa to latest version (currently masked) and issue
has gone away.

John






Re: [gentoo-user] Moving from Lastpass to Bitwarden

2021-02-18 Thread Neil Bothwick
On Thu, 18 Feb 2021 15:22:52 +0100, Frank Steinmetzger wrote:

> Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
> sensitive. Even if the other party behaves trustworthy (trustwortily?).
> If it’s on someone else’s system, it’s out of my reach. A password
> database not only contains the passwords themselves, but naturally also
> what I have passwords for in the first place.

[snip]

> So the natural answer for my password needs is keepass (by now the XC
> variant). I sync it between my Linux machines with all other files using
> unison.

That's what I was using, but I now run my own BitWarden server, so I get
the convenience and the security.


-- 
Neil Bothwick

If at first you don't succeed, you'll get a lot of free advice from
folks who didn't succeed either.



Re: [gentoo-user] Moving from Lastpass to Bitwarden

2021-02-18 Thread John Covici
On Thu, 18 Feb 2021 10:04:21 -0500,
Neil Bothwick wrote:
> 
> On Thu, 18 Feb 2021 15:22:52 +0100, Frank Steinmetzger wrote:
> 
> > Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
> > sensitive. Even if the other party behaves trustworthy (trustwortily?).
> > If it’s on someone else’s system, it’s out of my reach. A password
> > database not only contains the passwords themselves, but naturally also
> > what I have passwords for in the first place.
> 
> [snip]
> 
> > So the natural answer for my password needs is keepass (by now the XC
> > variant). I sync it between my Linux machines with all other files using
> > unison.
> 
> That's what I was using, but I now run my own BitWarden server, so I get
> the convenience and the security.

If I were to run my own bitwarden server,  which seems not to be in
the tree, is there a way I can use windows, mac and ios to get
passwords from it?

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

 John Covici wb2una
 cov...@ccs.covici.com



Re: [gentoo-user] nsapass - alternative to keepassxc (and others)

2020-07-18 Thread J. Roeleveld
On Saturday, 18 July 2020 18:51:12 CEST Caveman Al Toraboran wrote:
> ‐‐‐ Original Message ‐‐‐
> 
> On Friday, July 17, 2020 8:56 PM, J. Roeleveld  wrote:
> > Looks nice. Except for:
> > I like having a GUI where I can easily access the different account
> > details.
> how about:
> `nsapass list | less`
> ?
> 
> (thinking to let nsapass automatically pipe list's
> output to `less`)

This is not a GUI

> > Does it use Keepass databases? Or something you designed yourself?
> 
> myself.  it's just an encrypted json file.  you
> can decrypt it by `scrypt dec path/to/db.enc` to
> see how stupidly simple it is.
> 
> (to create it, use `nsapass gen 25 printable` to
> generate an entry quickly, or `nsapass add UNAME
> PWORD NOTE` for a manual approach).

This makes portability a problem. Exactly why keepass (and clones) are used 
more.

> > Can it work with password database files that are stored on a central
> > server without having to change the code?
> no.  i personally sync my passwords file with git
> (as i also sync my configs).

Nice, a full detailed list of every single change to your passwords :)

> > A password database with NSA in the name does not inspire confidence.
> 
> it's like making a bear gag.  if you run away from
> bear, bear may chase you.  but instead if you
> stand, and put your fist in bear's mouth, the bear
> gags and runs away.
> 
> i wonder if this would make nsa gag and run away?
> on the other hand, but if it was named
> BlockchainedTorPass, they would be probably
> sniffing at it day long.
> 
> the name is a joke though.  i thought it is funny
> (someone suggested it to me and i liked it).

I do understand it's a joke, but a lot of people won't.

> just to clarify, i am not even against nsa.  imo
> nsa people are actually good guys that try to
> audit suspects to ensure longer stability and
> peace, and it's disappointing that they get a bad
> image in media.

Considering what the NSA (and the other TLAs) have been up to, I'm afraid I
have to disagree with you on this.

> that said, i just like having a personal space
> that its boundaries are respected.  if anyone
> wants my data, i want him to take it with my
> approval.

The likes of NSA don't actually care about your (dis)approval.

--
Joost





Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-13 Thread Rich Freeman
On Wed, Feb 13, 2019 at 12:12 PM Mark David Dumlao  wrote:
>
> On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman  wrote:
> > I just stumbled on lesspass which seems to be such a tool for
> > algorithmic password generation (lesspass.com).
>
> Great tool. Good to know there are those that think alike. One
> important point though is that in my "version", the user has to
> completely know a secure algorithm (which is where all the security
> comes from), with a managed tool this is only feasible for technical
> users (or at least technical past a certain level). A version of
> lesspass that allows users to view and customize the secret-generation
> algorithm would be much more secure.

Maybe.  Here is the problem with this:

If you just give the user a choice of one of several secure algorithms
to use, then basically all you're doing is adding a few more bits of
entropy to the mix.  You also have to deal with vulnerabilities in any
algorithm your software uses, and not just the one you picked.

If you instead let the user code their own algorithm, then while this
increases complexity, it also makes it easy for users to shoot
themselves in the feet with an insecure algorithm.

I think it would make more sense for users to focus on more robust
master keys than to rely on security by obscurity with an algorithm
that doesn't benefit from peer review.


> > 2.  The solution does allow incremental counters for sites, but of
> > course that is basically state and it looks like they have a way to
> > sync this somewhere, but of course that means having a cloud sync
> > infrastructure and that info could get compromised (doesn't include
> > the passwords themselves).
>
> Also not an issue for me in practice. In practice you also remember
> which sites forced you to change passwords, since they're pretty much
> the only ones in that class.

Sure, assuming you don't regularly change your passwords everywhere.
I'm not sure that this is as important with manager-generated
passwords, but it is a consideration.

> Likewise,
> your keepass / lesspass secrets should probably be some insane
> paranoid level secret that themselves don't come from keepass /
> lesspass and their alternatives.

While any master password should be secure, the algorithmic approaches
suffer more, IMO.  With something like Keepass or Lastpass you need
both the database and the master password to do an attack.  Now, with
lastpass anybody with the master password can obtain the database from
the cloud, but they're going to throttle attacks or lock the account
after so many failures, and you have nothing to crack offline.
Lastpass would be vulnerable to intruders stealing the database of
course, which then reduces the difficulty of an attack to the same as
something like Lesspass.

>
> > 4.  I'm not sure how straightforward it would be to change
> > passwords/etc.  If you have 100 sites, you'd have to remember what
> > password you used for what site, or change them all at once.  Again,
> > the stateless approach has its downsides as passwords are not
> > stateless from the standpoint of the remote sites.
>
> Actually the generation approach is massively simpler since the
> passwords themselves don't matter. If you don't like your secret, are
> not sure which iteration a site is, are not sure if a site used an old
> or new secret, etc, you can trigger a password reset on most services
> and force it to use the current generated password. You can update any
> passwords on an as-needed basis to always use the current generated
> iteration.

The problem with "as-needed" is that you have to remember which
accounts use which master password.  That sounds simple until you have
100 different accounts.  My password manager has a huge number of
accounts in it.  Granted, some of those are more disposable than
others, but keep in mind that everything from the local burger chain
to your bank has a password these days.  Either that, or it supports
something even worse like Facebook authentication.  I'm all for SSO,
but not ones locked into a single provider, and especially not
Facebook.


> > Password incrementing is an issue for any algorithmic solution - you
> > need to be able to remember which password version is in use on what
> > site.
>
> If you're talking about remembering the iteration counter for a
> particular site, well, yes you have to store state somewhere. But
> consider:
> 1 very strong secret + remember that these 3 or 4 sites are on iteration X
>
> is a LOT less headspace than
> 4+ independent strong secrets

Sure, but I'm mostly comparing algorithmic password managers to
database-based ones.  In neither case are you remembering hundreds of
passwords.

>
> and I'm pretty sure most people have logins on more than 4 sites.
>
>
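
The stateless "algorithmic" scheme discussed above, as an added example that is not part of the thread and is not lesspass's own algorithm: a simplified PBKDF2-based derivation from master password, site, login and a per-site counter. It shows why no database is needed (same inputs, same password) and why the counter Rich and Mark argue about is state you still have to keep somewhere, plus the recovery Mark describes of working out which iteration a site is on from the password currently in use there. The master password, site and login values are constructed sample inputs.

```python
import hashlib
import string

# 64 symbols, so each derived byte maps onto one symbol with no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64


def derive_password(master: str, site: str, login: str,
                    counter: int, length: int = 16) -> str:
    """Stateless derivation: the password is a pure function of its inputs,
    so there is no database to sync or steal; only the master is secret.
    The counter is the piece of state a user must remember per site.
    (Illustrative construction; lesspass's real parameters are not used.)"""
    salt = f"{site}\x00{login}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000,
                              dklen=length)
    return "".join(ALPHABET[b % 64] for b in raw)


def find_counter(master: str, site: str, login: str, current_password: str,
                 max_counter: int = 20):
    """Recover which iteration a site is on from the password you currently
    use there, given your own master; None if no counter up to the limit fits."""
    for counter in range(1, max_counter + 1):
        if derive_password(master, site, login, counter) == current_password:
            return counter
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master, site, login = "correct horse battery", "example.com", "alice"
    first = derive_password(master, site, login, 1)
    second = derive_password(master, site, login, 2)
    print("counter 1:", first)
    print("counter 2:", second)          # a forced reset means bumping this
    print("site is on iteration", find_counter(master, site, login, second))
```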

Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-13 Thread Mark David Dumlao
On Thu, Feb 14, 2019 at 3:18 AM Rich Freeman  wrote:
>
> On Wed, Feb 13, 2019 at 12:12 PM Mark David Dumlao  wrote:
> >
> > On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman  wrote:
> > > I just stumbled on lesspass which seems to be such a tool for
> > > algorithmic password generation (lesspass.com).
> >
> > Great tool. Good to know there are those that think alike. One
> > important point though is that in my "version", the user has to
> > completely know a secure algorithm (which is where all the security
> > comes from), with a managed tool this is only feasible for technical
> > users (or at least technical past a certain level). A version of
> > lesspass that allows users to view and customize the secret-generation
> > algorithm would be much more secure.
>
> Maybe.  Here is the problem with this:
>
> If you just give the user a choice of one of several secure algorithms
> to use, then basically all you're doing is adding a few more bits of
> entropy to the mix.  You also have to deal with vulnerabilities in any
> algorithm your software uses, and not just the one you picked.
>
> If you instead let the user code their own algorithm, then while this
> increases complexity, it also makes it easy for users to shoot
> themselves in the feet with an insecure algorithm.
>
> I think it would make more sense for users to focus on more robust
> master keys than to rely on security by obscurity with an algorithm
> that doesn't benefit from peer review.

Changing (or rather customizing) algorithms is not security by
obscurity. While it may be true that at the end of the day you're
adding bits of entropy, the fact is the freeform nature of design
implies the number of bits of entropy you are adding could very easily
exceed any human password.

And on second point, you can completely automate simply running
lesspass, whereas to automate cracking an unknown algorithm you would
have to automate writing arbitrary programs, which is in theory
reducible to the halting problem. TLDR: you probably can't.

> While any master password should be secure, the algorithmic approaches
> suffer more, IMO.  With something like Keepass or Lastpass you need
> both the database and the master password to do an attack.  Now, with
> lastpass anybody with the master password can obtain the database from
> the cloud, but they're going to throttle attacks or lock the account
> after so many failures, and you have nothing to crack offline.
> Lastpass would be vulnerable to intruders stealing the database of
> course, which then reduces the difficulty of an attack to the same as
> something like Lesspass.

That's technically correct, which is why I would suggest a
custom-designed algorithm as opposed to something like lesspass. With
lesspass all the security directly goes to your secret, so the
pressure to make the secret ridiculous is huge. With your own
algorithm, the algorithm itself adds entropy between your secret and
the generated password.

Consider:
- to crack a lesspass secret, you can bruteforce the lesspass secret
and check if they produce a valid output. On any success, you're
99.99x% certain to have cracked the original lesspass secret, which
will instantly work on other sites.
- to crack an arbitrary algorithm, it is insufficient to bruteforce an
input secret because by itself it does not produce an output secret.
You would also have to bruteforce different transformation algorithms
that map from the input secret to the output secret. Even if you end
up producing a valid password, you cannot guarantee that the guessed
algorithm works on other accounts, because it might simply be a
collision, which is indistinguishable from the algorithm being wrong
due to missing some site-specific rules.

>
> >
> > > 4.  I'm not sure how straightforward it would be to change
> > > passwords/etc.  If you have 100 sites, you'd have to remember what
> > > password you used for what site, or change them all at once.  Again,
> > > the stateless approach has its downsides as passwords are not
> > > stateless from the standpoint of the remote sites.
> >
> > Actually the generation approach is massively simpler since the
> > passwords themselves don't matter. If you don't like your secret, are
> > not sure which iteration a site is, are not sure if a site used an old
> > or new secret, etc, you can trigger a password reset on most services
> > and force it to use the current generated password. You can update any
> > passwords on an as-needed basis to always use the current generated
> > iteration.
>
> The problem with "as-needed" is that you have to remember which
> accounts use which master password.  That sounds simple until you have
> 100 different account

Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Chris Stankevitz
On Sun, Jul 6, 2014 at 3:25 AM, Rich Freeman ri...@gentoo.org wrote:
 Typically they are launched from a bash profile, or an X11 startup
 script.  KDE/Gnome look like they have it in their default scripts.
 Just grep -r gpg-agent /etc and you'll find where it is being loaded
 if you didn't add them to your own startup scripts in /home.

Rich,

Thank you again.  My bash history shows ssh-agent being executed in
the past, but I'm still not sure where gpg-agent came from.

 Using gpg-agent is considered a best practice in general, so I
 wouldn't go getting rid of it unless it is really causing you
 problems.  You haven't mentioned what issue you're actually having
 with it/pinentry/etc.

FYI pinentry frustrates me because:

1. pinentry-gtk and pinentry-qt do not allow me to paste my
passphrase.  My passphrase is difficult to type.  I keep my passphrase
in keepass.

2. Supposedly pinentry-curses will let me paste; however,
pinentry-curses doesn't work.
https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
suggests that my problem is a misconfigured GPG_TTY environment
variable.  At this point though I'm not even interested in using it
anymore.

At the moment pinentry is no longer installed on my system so these
problems should be gone.  If/when I understand what is going on,
I'll reinstall them.

FYI I removed pinentry with:

tail /etc/portage/package.use
# 2014-07-05 Avoid pinentry
dev-vcs/git -gpg
mail-client/thunderbird -crypt

tail /etc/portage/package.mask
# 2014-07-05 Avoid password entry program that disallows paste
app-crypt/pinentry

Chris



Re: [gentoo-user] nsapass - alternative to keepassxc (and others)

2020-07-18 Thread Caveman Al Toraboran
‐‐‐ Original Message ‐‐‐
On Friday, July 17, 2020 8:56 PM, J. Roeleveld  wrote:

> Looks nice. Except for:
> I like having a GUI where I can easily access the different account details.

how about:
`nsapass list | less`
?

(thinking to let nsapass automatically pipe list's
output to `less`)


> Does it use Keepass databases? Or something you designed yourself?

myself.  it's just an encrypted json file.  you
can decrypt it by `scrypt dec path/to/db.enc` to
see how stupidly simple it is.

(to create it, use `nsapass gen 25 printable` to
generate an entry quickly, or `nsapass add UNAME
PWORD NOTE` for a manual approach).


> Can it work with password database files that are stored on a central server 
> without having to change the code?

no.  i personally sync my passwords file with git
(as i also sync my configs).


> A password database with NSA in the name does not inspire confidence.

it's like making a bear gag.  if you run away from
bear, bear may chase you.  but instead if you
stand, and put your fist in bear's mouth, the bear
gags and runs away.

i wonder if this would make nsa gag and run away?
on the other hand, if it were named
BlockchainedTorPass, they would be probably
sniffing at it day long.

the name is a joke though.  i thought it is funny
(someone suggested it to me and i liked it).

just to clarify, i am not even against nsa.  imo
nsa people are actually good guys that try to
audit suspects to ensure longer stability and
peace, and it's disappointing that they get a bad
image in media.

that said, i just like having a personal space
whose boundaries are respected.  if anyone
wants my data, i want him to take it with my
approval.




Re: [gentoo-user] nsapass - alternative to keepassxc (and others)

2020-07-19 Thread Caveman Al Toraboran
‐‐‐ Original Message ‐‐‐
On Saturday, July 18, 2020 11:13 PM, J. Roeleveld  wrote:

> This is not a GUI

xterm is GUI.  you don't need to click on gtk/qt
widgets to access details of password entries.
gtk/qt is a massive overkill.

> This makes portability a problem. Exactly why keepass (and clones) are used
> more.

compatibility with keepassxc is extremely
overrated.  it's easy to port nsapass to
windows/apple (may even work out of the box,
didn't try).

> Nice, a full detailed list of every single change to your passwords :)

no.  how do you backup your passwords file?
dropbox?  flash disk?  it's up to you.  this is
unrelated to the passwords manager.

it's just that i personally use git.  that's all.
some use dropbox, and it's the same in this
regard:  none of them see passwords.  they only
get encrypted passwords.

i put encrypted passwords database in a git server.
it's my personal choice.  you don't have to do it.
the git server sees random bytes only.

and thanks to scrypt, even if i don't do anything,
but merely encrypt/decrypt with the same key, the
encrypted file will still look totally different.


> The likes of NSA don't actually care about your (dis)approval.

no one does.  not unique to nsa.  people
exaggerate nsa as if they are any better.

tbh, nsa is even better than most of our
neighbours.  if our phones fall in the hands of
our neighbours, next day most people will find
themselves in pornhub.  but nsa can get it all,
and yet they still didn't leak it to pornhub (at
least not as much).




Re: [gentoo-user] GTK Graphical Problems

2021-06-03 Thread zcml
On Thu, Jun 03, 2021 at 10:01:43AM +0100, jdm wrote:
> On Wed, 2 Jun 2021 11:14:40 +0100
> jdm  wrote:
> 
> > Hi,
> > 
> > At the weekend I updated my system and after reboot some of my apps
> > have lots of black black squares/rectangles all over the place,
> > covering all of the app window and making email difficult to write. 
> > 
> > Initially I thought this was a Wayland problem as using Wayfire but
> > switched to X11 desktop and still had same issue.
> > 
> > Trying all my apps this looks to be a GTK related issue as happening
> > with claws-mail (worst), gkrellm, gcolor2, Bluefish etc. QT/EFL apps
> > seem to be fine (qtfm, keepass). Firefox-bin works just fine, oddly.
> > 
> > Anyone else seen this. I see a thread talking about GTK slots but not
> > sure if this is related.
> > 
> > I've rebuilt all gtk related packages which has not helped.
> > 
> > John
> > 
> 
> Noticed a minor oddity with sddm where text not rendering correctly so
> decided not a gtk problem but strange that qt apps were hardly
> affected.
> 
> Updated mesa to latest version (currently masked) and issue
> has gone away.
> 
> John
> 

What version of mesa was causing the problem, what version did you
upgrade to, and what are your useflags? I've been having similar issues,
but I'm on the current (21.1.1) version of mesa.

Did you upgrade drivers anywhere?



Re: [gentoo-user] Moving from Lastpass to Bitwarden

2021-02-18 Thread Frank Steinmetzger
Am Tue, Feb 16, 2021 at 06:04:01PM -0600 schrieb Dale:
> Howdy,
> 
> Lastpass is forcing people to use only one device type or pay a fee. 
> I've used the free version of Lastpass for years and it works well for
> me.

Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
sensitive. Even if the other party behaves trustworthy (trustwortily?). If
it’s on someone else’s system, it’s out of my reach. A password database not
only contains the passwords themselves, but naturally also what I have
passwords for in the first place.

> I use it on my desktop and my cell phone too.

On top of that, I don’t trust Android with sensitive stuff, either. Sure, I
have mail, calendar and contacts on my mobile devices (synced against a
local Radicale instance on my raspberry). But nothing that involves money;
No banking app, no paypal app, I don’t even have a credit card. The
exception is the app for our railway system that is directly linked to my
bank account (but most of the times I buy the ticket at a vending machine
and pay cash).

So the natural answer for my password needs is keepass (by now the XC
variant). I sync it between my Linux machines with all other files using
unison.

> Anyone have info on switching from Lastpass to Bitwarden?

I’m aware this doesn’t answer your question,

> Thoughts? 

but I wanted to make a case for another viewing angle on the matter.

-- 
Gruß | Greetings | Qapla’
I recently bought a hula hoop. And what can I say—it fits!




Re: [gentoo-user] Moving from Lastpass to Bitwarden

2021-02-19 Thread Kusoneko
On Thu, Feb 18, 2021 at 03:22:52PM +0100, Frank Steinmetzger wrote:
> So the natural answer for my password needs is keepass (by now the XC
> variant). I sync it between my Linux machines with all other files using
> unison.

That is also what I use. I also personally use my phone with KeepassDX
for when I'm not next to my personal PC, and I have the databases synced
together through Syncthing. However, on the topic of Syncthing, I
haven't had any issue so far, but I also haven't been able to find
anywhere if the thing encrypts traffic that's sent from anywhere to
anywhere else. From what I understand of Syncthing though, it seems to
give each machine a unique ID, lets you give them names and then
specify a shared folder, then using the local networks it can find
other devices running Syncthing, and on the wider internet, it seems to
connect to some random "discovery servers" that seem like their purpose
is to act as a way to have the devices find each other if they're on
other networks so that the shared directories stay synced at all times.
I just wish I knew if the files are encrypted e2e or not when using this.

Kusoneko.




Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-13 Thread Mark David Dumlao
On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman  wrote:
> > > On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
> > >
> > >> My own solution is actually very simple. I have a "secret algorithm"
> > >> that incorporates several secrets with a predictable way to generate a
> > >> site-specific secret. The end result is a 100% predictable way to
> > >> generate unique passwords for every site that are cryptographically
> > >> secure from each other (you cannot derive
> > >> one from the other) which can be generated by any device using the
> > >> appropriate tools.
> I just stumbled on lesspass which seems to be such a tool for
> algorithmic password generation (lesspass.com).

Great tool. Good to know there are those that think alike. One
important point though is that in my "version", the user has to
completely know a secure algorithm (which is where all the security
comes from), with a managed tool this is only feasible for technical
users (or at least technical past a certain level). A version of
lesspass that allows users to view and customize the secret-generation
algorithm would be much more secure.

Or another way to put it might be: if an attacker knows that you're
using lesspass, then the only encryption they have to break is that on
your master password, so your security is only as strong as your
master password. On the other hand, if an attacker knows that I am
using an algorithm-generating technique, they need to break both the
master secret AND the algorithm, which could have vastly more entropy
than the master secret itself.

>
> Some thoughts regarding this approach:
>
> 1. Remembering the right "site name" for every site might be tricky -
> sites change names/URLs and you won't have any database to search.

In my personal practice, not a problem. In practice you always
remember the old site name for any common enough site. If you don't,
you reset the password to the new site name.

> 2.  The solution does allow incremental counters for sites, but of
> course that is basically state and it looks like they have a way to
> sync this somewhere, but of course that means having a cloud sync
> infrastructure and that info could get compromised (doesn't include
> the passwords themselves).

Also not an issue for me in practice. In practice you also remember
which sites forced you to change passwords, since they're pretty much
the only ones in that class.

> 3.  Master password complexity probably matters more than for
> something like Lastpass/KeepassX.  With traditional password managers
> you need the database plus you need to crack the master password (or
> get it some other way).  With a purely algorithmic approach you can
> probably guess at all the parameters other than the master password,
> so anybody can try to crack you without stealing any data at all,

This is an issue for lesspass, because the only secret is the master
password. This is not an issue for algorithmic approaches in general,
because the algorithm is part of the secret. Every which way that you
choose to encode the intermediary steps in my example above is also
part of the secret, because none of those can be guessed from the
resulting password.

As an example, encoding "madum...@gmail.com" as the site-specific
identifier would give a completely different password than
"gmail:madumlao" or "madumlao@gmail" or "madumlao+gmail", etc. And
that hasn't yet counted any peppering which influences intermediary
hashes.

That being said, any system that depends on a master password had
better be goddamned secure. In fact, my email account - which is a
resetting point for basically all services - is exempt from my
password algorithm and uses some ridiculously long secret. Likewise,
your keepass / lesspass secrets should probably be some insane
paranoid level secret that themselves don't come from keepass /
lesspass and their alternatives.

> 4.  I'm not sure how straightforward it would be to change
> passwords/etc.  If you have 100 sites, you'd have to remember what
> password you used for what site, or change them all at once.  Again,
> the stateless approach has its downsides as passwords are not
> stateless from the standpoint of the remote sites.

Actually the generation approach is massively simpler since the
passwords themselves don't matter. If you don't like your secret, are
not sure which iteration a site is, are not sure if a site used an old
or new secret, etc, you can trigger a password reset on most services
and force it to use the current generated password. You can update any
passwords on an as-needed basis to always use the current generated
iteration.

> If you do increment passwords, well, now you just introduced state
> back in, and the "stateless" solutio

Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Tanstaafl
On 2/4/2019, 8:10:57 PM, Dale  wrote:
> Tanstaafl wrote:
>> I've been using a little Firefox Addon called Passwordmaker for many,
>> many years, and despite all of its warts, I've been loath to give it
>> up, even though it will never be upgraded to work as a WebExtension.
>>
>> 2 things I loved about it -
>>
>>  a) it doesn't save the password locally, only info about the
>> site/account, and
>>  b) you can use an unlimited number of Master Passwords
>>
>> I'm looking at migrating to KeePassXC, and even though I really hate the
>> idea of saving the actual password - Passwordmaker simply generates the
>> password on the fly each time based on certain specified criteria (ie,
>> the site URL, username, password length, etc for each account - one
>> technique I adopted shortly after assisting in updating the
>> Passwordmaker website eases my mind about it...
>>
>> This is a simple technique I strongly recommend that everyone employ,
>> especially if you use a Password manager (like LastPass or KeePass)...
>>
>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>> to crack it and they are willing to kidnap/torture you to do so).
>>
>> You sit down and come up with a ... call it a 'password modification
>> protocol' ... whereby, you always modify your generated/stored password
>> in a specific way before pressing enter.
>>
>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>> the beginning and 2 to the end.
>>
>> It is very simple, and negates worrying about someone stealing your
>> password vault.

> I tried to find it just to see how it works but it isn't listed.

What... Passwordmaker (the old one I still use and why I keep an old
Firefox 56 portable version around)?

> From what you wrote, you may want to at least check into LastPass.

I did a massive amount of research (including LastPass), and settled on
KeePassXC for a good reason.

> Still, I'm sure there is a tool that will suit your needs.

? It's like you didn't really read my email. I already said, I'm
migrating to KeePassXC. But my complaint is, nothing works like
Passwordmaker (again, it doesn't store passwords, can only use one
Master Password).

> I'm not sure I understand what you mean password modification protocol. 
> It sounds like you change your master password each time you use it.

No, I'm talking about the saved (or in Passwordmakers case, generated)
password, not the Master Password.

Doing this with the Master Password wouldn't make any sense.



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Tanstaafl
On 2/4/2019, 12:47:35 AM, Dale  wrote:
> Thing is, with today's computing power, it really isn't anymore.
> While no one could just guess it, it could be cracked/hacked I'm
> sure.  I need to come up with a new one that meets the requirements I
> just mentioned.  Strong, easy to remember, easy to type but won't
> forget.  I've read that using maiden names, years of birth or whole
> dates of birth, actual names, pet's name, words in a dictionary and a
> whole list of other things makes it easier, especially if you post a
> lot on social media, for hackers to use against you.  I'm trying to
> avoid that sort of thing obviously and have a couple ideas but am
> curious as to what method others use, without exposing too much
> detail since this is public.
I've been using a little Firefox Addon called Passwordmaker for many,
many years, and despite all of its warts, I've been loath to give it
up, even though it will never be upgraded to work as a WebExtension.

2 things I loved about it -

 a) it doesn't save the password locally, only info about the
site/account, and
 b) you can use an unlimited number of Master Passwords

I'm looking at migrating to KeePassXC, and even though I really hate the
idea of saving the actual password - Passwordmaker simply generates the
password on the fly each time based on certain specified criteria (ie,
the site URL, username, password length, etc for each account - one
technique I adopted shortly after assisting in updating the
Passwordmaker website eases my mind about it...

This is a simple technique I strongly recommend that everyone employ,
especially if you use a Password manager (like LastPass or KeePass)...

It is uncrackable (well, as long as it isn't the CIA or NSA that wants
to crack it and they are willing to kidnap/torture you to do so).

You sit down and come up with a ... call it a 'password modification
protocol' ... whereby, you always modify your generated/stored password
in a specific way before pressing enter.

For example, you delete characters 3, 5 and 7, then add 2 characters to
the beginning and 2 to the end.

It is very simple, and negates worrying about someone stealing your
password vault.



Re: [gentoo-user] How does ssh know to use pinentry?

2014-07-06 Thread Mick
On Sunday 06 Jul 2014 16:29:03 Chris Stankevitz wrote:
> On Sun, Jul 6, 2014 at 3:25 AM, Rich Freeman ri...@gentoo.org wrote:
>> Typically they are launched from a bash profile, or an X11 startup
>> script.  KDE/Gnome look like they have it in their default scripts.
>> Just grep -r gpg-agent /etc and you'll find where it is being loaded
>> if you didn't add them to your own startup scripts in /home.
>
> Rich,
>
> Thank you again.  My bash history shows ssh-agent being executed in
> the past, but I'm still not sure where gpg-agent came from.

ssh-agent and gpg-agent are part of ssh and gnupg:

$ qfile /usr/bin/gpg-agent
app-crypt/gnupg (/usr/bin/gpg-agent)

They are usually started by the Desktop Environment startup scripts.

I start gpg-agent using ~/.xsession:
===
if [ -x /usr/bin/gpg-agent ]; then
  # kill any stale agent first; '&& !/awk/' keeps awk's own process out of the list
  kill $(ps ux | awk '/gpg-agent/ && !/awk/ {print $2}') >/dev/null 2>&1
fi

if [ -x /usr/bin/gpg-agent ]; then
  eval $(/usr/bin/gpg-agent --daemon)
fi
===

>> Using gpg-agent is considered a best practice in general, so I
>> wouldn't go getting rid of it unless it is really causing you
>> problems.  You haven't mentioned what issue you're actually having
>> with it/pinentry/etc.
>
> FYI pinentry frustrates me because:
>
> 1. pinentry-gtk and pinentry-qt do not allow me to paste my
> passphrase.  My passphrase is difficult to type.  I keep my passphrase
> in keepass.
>
> 2. Supposedly pinentry-curses will let me paste; however,
> pinentry-curses doesn't work.
> https://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html
> suggests that my problem is a misconfigured GPG_TTY environment
> variable.  At this point though I'm not even interested in using it
> anymore.

Interesting - I don't seem to have a GPG_TTY environment variable set up 
either:

$ echo $GPG_TTY
$


> At the moment pinentry is no longer installed on my system so these
> problems should be gone.  If/when I understand what is going on,
> I'll reinstall them.
>
> FYI I removed pinentry with:
>
> tail /etc/portage/package.use
> # 2014-07-05 Avoid pinentry
> dev-vcs/git -gpg
> mail-client/thunderbird -crypt
>
> tail /etc/portage/package.mask
> # 2014-07-05 Avoid password entry program that disallows paste
> app-crypt/pinentry

I think that the idea of keeping your passphrase in the clipboard is frowned 
upon for security reasons.  Not only because of any potential memory leaks, 
but because you may inadvertently paste it in GUI fields/areas you were not 
meant to:

Only a couple of days ago a friend ended up pasting his passphrase on an IM 
client for all to see, as he was trying to login into a system ...  O_O

-- 
Regards,
Mick




Re: [gentoo-user] Moving from Lastpass to Bitwarden

2021-02-18 Thread Dale
Frank Steinmetzger wrote:
> Am Tue, Feb 16, 2021 at 06:04:01PM -0600 schrieb Dale:
>> Howdy,
>>
>> Lastpass is forcing people to use only one device type or pay a fee. 
>> I've used the free version of Lastpass for years and it works well for
>> me.
> Call me Ishmael^wold-fashioned. I don’t trust the Internet with anything
> sensitive. Even if the other party behaves trustworthy (trustwortily?). If
> it’s on someone else’s system, it’s out of my reach. A password database not
> only contains the passwords themselves, but naturally also what I have
> passwords for in the first place.
>
>> I use it on my desktop and my cell phone too.
> On top of that, I don’t trust Android with sensitive stuff, either. Sure, I
> have mail, calendar and contacts on my mobile devices (synced against a
> local Radicale instance on my raspberry). But nothing that involves money;
> No banking app, no paypal app, I don’t even have a credit card. The
> exception is the app for our railway system that is directly linked to my
> bank account (but most of the times I buy the ticket at a vending machine
> and pay cash).
>
> So the natural answer for my password needs is keepass (by now the XC
> variant). I sync it between my Linux machines with all other files using
> unison.
>
>> Anyone have info on switching from Lastpass to Bitwarden?
> I’m aware this doesn’t answer your question,
>
>> Thoughts? 
> but I wanted to make a case for another viewing angle on the matter.
>


Thing is, your stuff is likely on the internet already.  You have a bank
account?  If so, that bank is almost certainly connected to the
internet.  I don't know of a bank that isn't.  I doubt a bank can exist
without being connected to the internet given a lot of money transfers
are electronic anyway.  I'm sure any account you have, power, water or
any other account is connected to the internet in some way.  If you have
credit of any kind, they have your info on the internet already.  It's
how they work.  You may not put it there or access it yourself but it is
already there for a hacker if they want it.  You may think you are
protecting yourself but really, you're not.  You're just not accessing
it or putting it to use for your own advantage.  If someone steals my
info and uses it, I'll likely know quickly.  I monitor my bank, credit
card and credit info using the internet; that way, if it is stolen, I'll
know it sooner.  I can make use of the internet to protect myself
instead of refusing to use the tool and waiting on a letter that takes
days or even weeks to arrive, if one is ever sent. 

Pretending the internet doesn't exist just isn't good.  It exists
whether you use it or not.  Just keep in mind, people who have info on
you use it and so do the ones who might want that info.  I consider
that a false sense of security.  You may feel secure but you are sadly
mistaken.  Unless you live with no digital footprint at all, likely
impossible, you already have info out there. 

I still trust Lastpass and for those willing to pay for it, I'd
recommend it in a heart beat.  It's widely used and secure.  Bitwarden
however is as or even more secure.  It also has a better pricing
structure.  I can manage with the free version but will likely pay for
the paid plan soon.  I feel it is worth that. 

Just my angle of view.  ;-)

Dale

:-)  :-)



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Dale
Tanstaafl wrote:
> On 2/4/2019, 12:47:35 AM, Dale  wrote:
>> Thing is, with today's computing power, it really isn't anymore.
>> While no one could just guess it, it could be cracked/hacked I'm
>> sure.  I need to come up with a new one that meets the requirements I
>> just mentioned.  Strong, easy to remember, easy to type but won't
>> forget.  I've read that using maiden names, years of birth or whole
>> dates of birth, actual names, pet's name, words in a dictionary and a
>> whole list of other things makes it easier, especially if you post a
>> lot on social media, for hackers to use against you.  I'm trying to
>> avoid that sort of thing obviously and have a couple ideas but am
>> curious as to what method others use, without exposing too much
>> detail since this is public.
> I've been using a little Firefox Addon called Passwordmaker for many,
> many years, and despite all of its warts, I've been loath to give it
> up, even though it will never be upgraded to work as a WebExtension.
>
> 2 things I loved about it -
>
>  a) it doesn't save the password locally, only info about the
> site/account, and
>  b) you can use an unlimited number of Master Passwords
>
> I'm looking at migrating to KeePassXC, and even though I really hate the
> idea of saving the actual password - Passwordmaker simply generates the
> password on the fly each time based on certain specified criteria (ie,
> the site URL, username, password length, etc for each account - one
> technique I adopted shortly after assisting in updating the
> Passwordmaker website eases my mind about it...
>
> This is a simple technique I strongly recommend that everyone employ,
> especially if you use a Password manager (like LastPass or KeePass)...
>
> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
> to crack it and they are willing to kidnap/torture you to do so).
>
> You sit down and come up with a ... call it a 'password modification
> protocol' ... whereby, you always modify your generated/stored password
> in a specific way before pressing enter.
>
> For example, you delete characters 3, 5 and 7, then add 2 characters to
> the beginning and 2 to the end.
>
> It is very simple, and negates worrying about someone stealing your
> password vault.
>
>


I tried to find it just to see how it works but it isn't listed.  From
what you wrote, you may want to at least check into LastPass.  Link
below.  It may do what you currently use and some.  I only use the free
version and it does more than I need already.  I think if I get a smart
phone, I'd have to pay a small monthly fee.  Still, I'm sure there is a
tool that will suit your needs.  There are a lot of them out there.
Typing password in the add-on search box produces a LOT of results. 
Just find a good one and let it work for you. 

https://www.lastpass.com/

I'm not sure I understand what you mean by "password modification protocol".
It sounds like you change your master password each time you use it.  If
I did that, I'd never know which one to use because that would confuse
me.  I don't write passwords down, period.  I went to the local nursing
home the other day, to drop off some puzzle books and a bunch of
bananas, and they have a coded entry thing on the door.  I entered the
code a couple times and it didn't work.  One of the nurses that was
coming on shift came up and entered the code.  When she told me the
code, I realized I was using the code they had before the current one. 
I shifted back in time a bit I guess.  I may not have a flux capacitor
but I did it anyway.  lol   I admit, some of the new things they use, I
have no idea how they work since I've never used most of them.  I've
read about a few of them but don't really get how they work.  If I used
them, I'd get it.

What I hate most is when my bank changes something about their login
process and a little research shows it accomplishes nothing.  My credit
card site has this picture and phrase thing.  I found where it was
researched and it does little to actually help because most people don't
pay it any attention.  My biggest cheat, I adblock stuff on the bank
website, like their great big logo thing.  If I do go to a website and
that logo shows up, it didn't match my adblock setting.  At that point,
that gets a little extra attention until I know for sure and for certain
I'm on the correct site.  Also, LastPass will pick up that it's on the wrong
site too.  It won't fill in the password info if it doesn't match up.
They've had the same logo on the site for years. 

It's amazing what we have to do with our computers to keep ourselves
safe because of . . . computers.  :/  I guess this is one reason I like
Linux.  It at least tries to be secure. 

Dale

:-)  :-) 

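The two mechanisms Tanstaafl describes above, a generator that derives each site's password from the account details instead of storing it, and the "delete characters 3, 5 and 7, then add two at each end" modification rule, as an added Python example. This is not Passwordmaker's or KeePassXC's code; the KDF choice (PBKDF2-HMAC-SHA256 with the site URL and username as the salt), the output alphabet, the function names and the prefix/suffix values are my own assumptions, and the sample inputs are constructed.

```python
# Added example, not Passwordmaker's or KeePassXC's code: a deterministic
# per-site password generator in the style the thread describes, plus the
# "password modification protocol" applied to whatever the tool produces.
import hashlib
import hmac
import string

# Constructed output alphabet (assumption; the real tool lets the user pick one).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def generate_site_password(master, site_url, username, length=16):
    """Derive a site password from the master password and account details.

    Nothing about the result needs to be stored: the same inputs always give
    the same password. PBKDF2-HMAC-SHA256 stretches the master password and
    the site URL plus username serve as the salt, so each account differs.
    """
    if not 1 <= length <= 64:
        raise ValueError("length must be between 1 and 64")
    salt = f"{site_url}\x00{username}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    # Expand the key with HMAC in counter mode and map bytes onto the
    # alphabet with rejection sampling so no character is favoured.
    limit = 256 - 256 % len(ALPHABET)
    chars = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if len(chars) == length:
                break
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
    return "".join(chars)


def apply_modification_protocol(stored, prefix="Qz", suffix="7!"):
    """Tanstaafl's example rule: delete characters 3, 5 and 7 (counting from
    1) of the stored or generated password, then add two characters to the
    front and two to the end. The prefix and suffix here are constructed
    placeholders; in practice they exist only in the user's head."""
    if len(stored) < 7:
        raise ValueError("the rule deletes position 7, so the input needs at least 7 characters")
    drop = {3, 5, 7}
    kept = "".join(ch for pos, ch in enumerate(stored, start=1) if pos not in drop)
    return prefix + kept + suffix


def vault_versus_typed(master, site_url, username, length=16):
    """Return (what a vault or generator holds, what is actually typed)."""
    stored = generate_site_password(master, site_url, username, length)
    return stored, apply_modification_protocol(stored)


if __name__ == "__main__":
    # Constructed sample inputs.
    held, typed = vault_versus_typed("correct horse battery staple",
                                     "https://example.com", "dale")
    print("generator/vault holds:", held)
    print("actually typed:       ", typed)
```

Running it prints two different strings: the first is what a copied vault (or a reconstructed generator configuration) yields, the second is what the site actually accepts. Against someone who holds the vault, the secrecy of the typed password rests on the rule and the four added characters alone, and a single password captured in plaintext reveals the rule for every account, so the transform supplements a strong master password and a trustworthy vault rather than replacing them.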


Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Tanstaafl wrote:
> On 2/4/2019, 8:10:57 PM, Dale  wrote:
>> Tanstaafl wrote:
>>> I've been using a little Firefox Addon called Passwordmaker for many,
>>> many years, and despite all of its warts, I've been loath to give it
>>> up, even though it will never be upgraded to work as a WebExtension.
>>>
>>> 2 things I loved about it -
>>>
>>>  a) it doesn't save the password locally, only info about the
>>> site/account, and
>>>  b) you can use an unlimited number of Master Passwords
>>>
>>> I'm looking at migrating to KeePassXC, and even though I really hate the
>>> idea of saving the actual password - Passwordmaker simply generates the
>>> password on the fly each time based on certain specified criteria (ie,
>>> the site URL, username, password length, etc for each account - one
>>> technique I adopted shortly after assisting in updating the
>>> Passwordmaker website eases my mind about it...
>>>
>>> This is a simple technique I strongly recommend that everyone employ,
>>> especially if you use a Password manager (like LastPass or KeePass)...
>>>
>>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>>> to crack it and they are willing to kidnap/torture you to do so).
>>>
>>> You sit down and come up with a ... call it a 'password modification
>>> protocol' ... whereby, you always modify your generated/stored password
>>> in a specific way before pressing enter.
>>>
>>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>>> the beginning and 2 to the end.
>>>
>>> It is very simple, and negates worrying about someone stealing your
>>> password vault.
>> I tried to find it just to see how it works but it isn't listed.
> What... Passwordmaker (the old one I still use and why I keep an old
> Firefox 56 portable version around)?


I'm on the newer version of Firefox so it doesn't show up in my search
since it isn't compatible.  I'm pretty sure that is why it doesn't show
up for me.  If I were on the older version of Firefox, then it would
show up.  I was wanting to look at it tho.  I did find a Pro version
which is likely the same thing but for the newer versions of Firefox. 
Did you see it?  It is here:

https://addons.mozilla.org/en-US/firefox/addon/firefox-passwordmaker-pro/?src=search

I see another version as well but with very few users.  Still, if the
above is just a version for the newer Firefox, you may not have to
switch or can use both somehow.  Some other add-ons I use did similar
things.  Since some required a complete rewrite, they also changed the
name a bit too.  Thing is, some of the new versions of add-ons don't
show up in older versions of Firefox.  If you didn't see this, I hope it
helps.


>> From what you wrote, you may want to at least check into LastPass.
> I did a massive amount of research (including LastPass), and settled on
> KeePassXC for a good reason.

I've read where people use that and like it.  It just depends on what
you are looking for and expect from the tool.  If it meets your needs,
then it is a good fit for you.  I picked LastPass since it did what I
need and then some plus is free.  I also had the privilege of emailing
back and forth with one of the original owners or creators way back
then.  His name is Joe Siegrist.  My bank and credit card sites wouldn't
work at first.  I gave him a link and he made some changes so that the
next version would fill those sites.  I may switch one day, may even
switch to what you are using, but at the moment, LastPass seems to be
doing well. 


>> Still, I'm sure there is a tool that will suit your needs.
> ? It's like you didn't really read my email. I already said, I'm
> migrating to KeePassXC. But my complaint is, nothing works like
> Passwordmaker (again, it doesn't store passwords, can only use one
> Master Password).
>
>> I'm not sure I understand what you mean by "password modification protocol".
>> It sounds like you change your master password each time you use it.
> No, I'm talking about the saved (or in Passwordmaker's case, generated)
> password, not the Master Password.
>
> Doing this with the Master Password wouldn't make any sense.
>

If I understand you correctly, I think I have seen a site that allows
that sort of thing.  I think.  To be honest, this is why I like tools. 
I tend to let tools do the heavy lifting.  My biggest responsibility is
having a good master password.  That's what started this.  I want a good
one.  ;-)  Most of the sites I use are email or ID plus password.  A
couple have this picture and phrase thing between login and password
tho.  There is also a couple that uses that secret question thing

Re: [gentoo-user] GTK Graphical Problems

2021-06-04 Thread jdm
On Thu,  3 Jun 2021 22:03:21 +
z...@posteo.us wrote:

> On Thu, Jun 03, 2021 at 10:01:43AM +0100, jdm wrote:
> > On Wed, 2 Jun 2021 11:14:40 +0100
> > jdm  wrote:
> >   
> > > Hi,
> > > 
> > > At the weekend I updated my system and after reboot some of my
> > > apps have lots of black squares/rectangles all over the
> > > place, covering all of the app window and making email difficult
> > > to write. 
> > > 
> > > Initially I thought this was a Wayland problem as using Wayfire
> > > but switched to X11 desktop and still had same issue.
> > > 
> > > Trying all my apps this looks to be a GTK related issue as it is
> > > happening with claws-mail (worst), gkrellm, gcolor2, Bluefish
> > > etc. QT/EFL apps seem to be fine (qtfm, keepass). Firefox-bin
> > > works just fine, oddly.
> > > 
> > > Anyone else seen this? I see a thread talking about GTK slots but
> > > not sure if this is related.
> > > 
> > > I've rebuilt all gtk related packages which has not helped.
> > > 
> > > John
> > >   
> > 
> > Noticed a minor oddity with sddm where text not rendering correctly
> > so decided not a gtk problem but strange that qt apps were hardly
> > affected.
> > 
> > Updated mesa to latest version (currently masked) and issue
> > has gone away.
> > 
> > John
> >   
> 
> What version of mesa was causing the problem, what version did you
> upgrade to, and what are your useflags? I've been having similar
> issues, but I'm on the current (21.1.1) version of mesa.
> 
> Did you upgrade drivers anywhere?
> 

I was using media-libs/mesa-20.3.5 and upgraded to 21.1.2 (which
stopped issue)

I did not upgrade any drivers previously but have now upgraded libdrm
2.4.105 to 2.4.106 but this did not help.

Was using stable kernel 5.10.27 but upgraded to 5.11.22 but this did
not resolve issue.

Currently using a Radeon 5600 XT graphics card with latest
linux-firmware-20210518 but was using this before problem.

In make.conf I have the following USE flags:
USE="X egl dbus udev alsa opengl symlink lock bash-completion ffmpeg
pulseaudio mtp virgl elogind wayland -cups -gnome -bluetooth -systemd
-networkmanager"

In package.accept_keywords:
gui-wm/wayfire ~amd64
gui-libs/gtk-layer-shell ~amd64
gui-libs/wf-config ~amd64
gui-apps/wf-shell ~amd64
gui-apps/wcm ~amd64
gui-apps/wf-recorder ~amd64
x11-terms/alacritty ~amd64
gui-apps/wayland-logout ~amd64
gui-libs/wayfire-plugins-extra ~amd64
x11-themes/kvantum ~amd64

x11-libs/libdrm ~amd64
media-libs/mesa ~amd64

# kernel
sys-kernel/gentoo-sources ~amd64

After upgrading kernel I was too lazy to switch back to stable version


emerge --info
Portage 3.0.18 (python 3.9.4-final-0, default/linux/amd64/17.1/desktop,
gcc-10.3.0, glibc-2.33, 5.11.22-gentoo x86_64)
=
System uname:
Linux-5.11.22-gentoo-x86_64-AMD_Ryzen_7_5800X_8-Core_Processor-with-glibc2.33
KiB Mem:16403904 total,  13208816 free
KiB Swap:   16777212 total,  16777212 free
Timestamp of repository gentoo: Thu, 03 Jun 2021 12:00:01 +
Head commit of repository gentoo:
d3b754271c5044865980daa94fcc0046c21d7ce8
sh bash 5.1_p8
ld GNU ld (Gentoo 2.35.2 p1) 2.35.2
app-shells/bash:  5.1_p8::gentoo
dev-java/java-config: 2.3.1::gentoo
dev-lang/perl:5.32.1::gentoo
dev-lang/python:  3.9.4_p1::gentoo
dev-lang/rust:1.51.0-r2::gentoo
dev-util/cmake:   3.18.5::gentoo
sys-apps/baselayout:  2.7::gentoo
sys-apps/openrc:  0.42.1-r1::gentoo
sys-apps/sandbox: 2.23::gentoo
sys-devel/autoconf:   2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:   1.16.3-r1::gentoo
sys-devel/binutils:   2.35.2::gentoo
sys-devel/gcc:10.3.0::gentoo
sys-devel/gcc-config: 2.4::gentoo
sys-devel/libtool:2.4.6-r6::gentoo
sys-devel/make:   4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc:   2.33::gentoo
Repositories:

gentoo
location: /var/db/repos/gentoo
sync-type: rsync
sync-uri: rsync://rsync.gentoo.org/gentoo-portage
priority: -1000
sync-rsync-extra-opts:
sync-rsync-verify-jobs: 1
sync-rsync-verify-metamanifest: yes
sync-rsync-verify-max-age: 24

crossdev
location: /var/db/repos/portage-crossdev
masters: gentoo
priority: 10

wayland-desktop
location: /var/lib/layman/wayland-desktop
sync-type: laymansync
sync-uri: https://github.com/bsd-ac/wayland-desktop.git
masters: gentoo
priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT=&