<div dir="ltr"><div dir="ltr" class="gmail_msg">what do you guys think of password managers such as KeePass? have one master password for it, and have it generate passwords for you...</div><br class="gmail_msg"><div class="gmail_quote gmail_msg"><div dir="ltr" class="gmail_msg">On Fri, Mar 31, 2017 at 5:31 PM Rick Moen <<a href="mailto:rick@linuxmafia.com" class="gmail_msg" target="_blank">rick@linuxmafia.com</a>> wrote:<br class="gmail_msg"></div><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Quoting Paul Zander (<a href="mailto:paulz@ieee.org" class="gmail_msg" target="_blank">paulz@ieee.org</a>):<br class="gmail_msg">
<br class="gmail_msg">
> Well the pattern I use you could probably break with N=1 samples. My<br class="gmail_msg">
> thought is that when passwords are "stolen", they probably go into a<br class="gmail_msg">
> database where a simple computer software can give a lot of "benefit"<br class="gmail_msg">
> to the thief by just using the passwords as is, combined with a lot of<br class="gmail_msg">
> people using same login and password in many places. Why go to the<br class="gmail_msg">
> bother of even attempting to "derive a pattern"? <br class="gmail_msg">
<br class="gmail_msg">
I can only say: Adjust your approach to suit your personal level of<br class="gmail_msg">
paranoia -- and don't assume you're not worth (the bad guys) bothering<br class="gmail_msg">
with unless you're rather sure.<br class="gmail_msg">
<br class="gmail_msg">
Most attacks on user credentials can be expected to be the automated<br class="gmail_msg">
kind, which implies not very adaptable, but don't underestimate them.<br class="gmail_msg">
For example, malware able to gain user-level authority on your computing<br class="gmail_msg">
device (and this includes JavaScript snippets you shouldn't have run) can<br class="gmail_msg">
be expected (if able) to mine your device activity history for outgoing<br class="gmail_msg">
access activity, usernames employed, and (if preserved) security tokens<br class="gmail_msg">
used -- and then convey that information to the bad guys.<br class="gmail_msg">
<br class="gmail_msg">
The classic old-school example of this was: You sshed into a shared<br class="gmail_msg">
server, that unbeknownst to you has had a trojaned /usr/bin/ssh client<br class="gmail_msg">
program (or called library) installed. You then, unknowing, conduct<br class="gmail_msg">
outbound ssh or scp activity to a variety of other hosts. All tokens,<br class="gmail_msg">
credentials, and remote-host identities you expose to the trojaned SSH<br class="gmail_msg">
client will get logged and delivered to the bad guys. (That much is<br class="gmail_msg">
certain to be totally automated, these days. The further abuse of your<br class="gmail_msg">
exposed information might not be.)<br class="gmail_msg">
<br class="gmail_msg">
Please note that this form of information exposure is not defeated by<br class="gmail_msg">
using differing usernames and unpredictable passwords, nor by eschewing<br class="gmail_msg">
passwords and sticking to ssh keypairs -- but nonetheless sticking to<br class="gmail_msg">
passwords (or other credentials) unique to each system and never reused<br class="gmail_msg">
across systems will at least help limit the damage to _just_ those lost<br class="gmail_msg">
credentials.<br class="gmail_msg">
<br class="gmail_msg">
As to personal level of paranoia, I tend to err on the side of 'Make<br class="gmail_msg">
security compromise effectively impossible everywhere you can', as<br class="gmail_msg">
having fewer things to worry about simplifies my life.<br class="gmail_msg">
<br class="gmail_msg">
</blockquote></div></div>