Password storage

[Guest]

So I was talking to my dad about my hack I posted about earlier today and he mentioned he has a lot of passwords on his PC.
I remembered there was some USB device that stored your passwords on it in an encrypted method, but I can't seem to find the video LTT did.
I found this video but I can't find the one about the USB device.
https://www.youtube.com/watch?v=t8SQo3R7qeU
 

TLDR: Looking for USB password storage device. (No not a flash drive with a .txt)

[Guest]

Stick KeePass Portable on it? ¯\_(ツ)_/¯

[AkiraDaarkst]

I use 1Password from AgileBits.  Don't need to carry a USB stick or something that could be lost.

https://1password.com/

[The Belgian Waffle]

Why don't people just remember passwords? Why don't you just use a pattern and then change some letters and numbers according to which website you're logging into? 

[Guest]

16 minutes ago, The Belgian Waffle said:

Why don't people just remember passwords? Why don't you just use a pattern and then change some letters and numbers according to which website you're logging into? 

Over 60 accounts in my password manager. Using a similar pattern and altering characters is not only less secure, but still not feasible for 60 accounts.

 

As far as I'm concerned, If you have more than say, 10 accounts (probably less) and not using a password manager, you're doing it wrong.

[The Belgian Waffle]

2 minutes ago, obi-fade-kenobi said:

Over 60 accounts in my password manager. Using a similar pattern and altering characters is not only less secure, but still not feasible for 60 accounts.

Yeah, you're right, this can't be done for so many accounts, but for less maybe, like for exemple : 

You have a Facebook account. You take a word that is meaningful to you, for exemple my girlfriend's name : Nathalie. you add "face", you twist it a little bit and it becomes 

N1tH4L1eF4c3 and you add a bunch of weird symbols like @&é"'(§ and I'm pretty sure It's gonna be pretty difficult to find

[Guest]

3 minutes ago, The Belgian Waffle said:

Yeah, you're right, this can't be done for so many accounts, but for less maybe, like for exemple : 

You have a Facebook account. You take a word that is meaningful to you, for exemple my girlfriend's name : Nathalie. you add "face", you twist it a little bit and it becomes 

N1tH4L1eF4c3 and you add a bunch of weird symbols like @&é"'(§ and I'm pretty sure It's gonna be pretty difficult to find

As a single password, yes, that's how most people come up with a master password for their manager. 

 

My point was, using one as a basis and then substituting a few characters isn't secure. 

 

If one account were to be hacked, hackers then throw that password into a dictionary in which attempts are made off of that (in a brute force attack this is). 

 

So for instance: Hacked password - R@Nd0mWoRD4. Gets thrown into a dictionary. Program thinks - right, lets take that and change the number on the end and see if that works. Nope? Okay, lets add this word onto the end, see if that works. Okay maybe they change some of their letter substituions, so change that @ back to a

[The Belgian Waffle]

1 minute ago, obi-fade-kenobi said:

If one account were to be hacked, hackers then throw that password into a dictionary in which attempts are made off of that (in a brute force attack this is). 

Don't the majority of websites disable your account after X times you entered the wrong password? (I'm asking, I legitimately don't know)

[Guest]

3 minutes ago, The Belgian Waffle said:

Don't the majority of websites disable your account after X times you entered the wrong password? (I'm asking, I legitimately don't know)

I've never really looked much into this, but I believe that's one way of protecting against a brute force attack on a live system. 

 

On a leaked database however, they can do what the fuck they want. So when you hear about a leaked database, but the passwords were hashed, someone's going to work on them with their Titans and password dictionary from past leaks

[The Belgian Waffle]

1 minute ago, obi-fade-kenobi said:

On a leaked database however, they can do what the fuck they want. So when you hear about a leaked database, but the passwords were hashed, someone's going to work on them with their Titans and password dictionary from past leaks

Oh yeah, the Yahoo leak that we found out 4 years later, or something like that... (Was it Yahoo?)

[Guest]

1 minute ago, The Belgian Waffle said:

Oh yeah, the Yahoo leak that we found out 4 years later, or something like that... (Was it Yahoo?)

mhm, have been many in the past though. Adobe, Unreal etc.

 

Computerphile have a good video on password cracking somewhere 

[Guest]

Well worth a watch

[LAwLz]

1 hour ago, The Belgian Waffle said:

Why don't people just remember passwords? Why don't you just use a pattern and then change some letters and numbers according to which website you're logging into? 

1) I have 122 accounts in my password manager. Pretty difficult to remember unique passwords for each and every one of them.

2) It is good to change your passwords once in a while, and it gets confusing if have lots of accounts and have to think "did I change the password on that account, and what did I change it to again?"

3) Because a very long and random password is far more secure than simply changing the letter A to a 4, and adding a number at the end.

 

 

OP I would recommend Keepass on a USB memory stick.

[Guest]

1 hour ago, The Belgian Waffle said:

Why don't people just remember passwords? Why don't you just use a pattern and then change some letters and numbers according to which website you're logging into? 

My dad has a huge list of passwords. Each one is drastically different from the other. Netflix, Reallusion, TV, Internet, E-mail, work server, home server, home wifi, and many many many more. He doesn't really have time to study what his passwords are. He runs his own business, so to create and remember a password for every account created is a difficult task. 
It has also been proven the more spiratic, or random a password is, the more secure it is. 

3LitE.Pas5W0Яd

is less secure than

as8H3(8%snфлж1

[Guest]

13 minutes ago, LAwLz said:

 

OP I would recommend Keepass on a USB memory stick.

Thanks, I'll forward that program idea as well. 

EDIT: Oh lol it was already recommended. So if the two of you use it, it must be more credible. 

[Paradine Sage]

KeePass (version 2, not version 1) is generally very good. LastPass is also pretty good if you are willing to store your passwords in the cloud.