Stop using bad passwords. Start using Vault. (opens in new tab)

(getvau.lt)

6 pointsadambom12y ago6 comments

6 comments

6 comments · 3 top-level

cmwelsh12y ago· 2 in thread

KeyPassX and MiniKeyPass are working well enough here, plus they are open source software that one can install on his or her computer or iPhone.

I keep my database on Dropbox for availability on multiple devices.

jlgaddis12y ago

Yep, I started using KeePassX years ago and love it. About a year ago I switched to LastPass because it is just so damn convenient, even though I know I probably shouldn't be using a password manager that stores my passwords "in the cloud" (again, it's so damn convenient). I am, however, trying to switch back to KeePassX but it's harder to use since I've stopped using Dropbox, et al., as well.

ebtalley12y ago

+1 for this. I have been using keepassX for at least 5 years now and I can access the file through dropbox on my phone, laptop, and desktop machine without issue and the 2FA is an extra bonus on the full computers.

roywiggins12y ago· 1 in thread

Neat, but SuperGenPass does this better- has a bookmarklet with configurable salt, and it's based off the domain name, not the service, so you can't get into ambiguities (Gmail, GMail, gmail?)

http://supergenpass.com/

That said, the options for disallowed characters is nice.

Casseres12y ago

"The SuperGenPass UI is rendered within the DOM of the current page when you click the bookmarklet. The UI is where you enter your master password. And because the UI is part of the current page, any script running in the page can read your master password. Remember that script can be external too, as in advertisements or widgets of some kind." - http://akibjorklund.com/2009/supergenpass-is-not-that-secure

There are even a couple of demos:

http://akibjorklund.com/files/2009/10/supergenpass-vulnerabi...

I tested both demos with the latest version of SuperGenPass (2.01) from http://supergenpass.com/

jlgaddis12y ago

A couple of things:

1. add an "avoid ambiguous characters" option (is that an "l" or a "1", an "O" or an "0", etc.).

2. encouraging people to type or generate passwords into/from random web sites is a bad idea -- perhaps even making the problem worse instead of solving it.

3. who's your target audience? The tech community already understands this. Is it my mother, the average user? She'd use this exactly once and then forget it. Why? "getvau.lt". While that's "cute" and us techies love crap like that, all Joe User knows is .com. When he tries to come back to the site tomorrow, he'll type in "getvault.com" or (more likely) "get vault" or "getvault", end up somewhere else, and never use your service again.

HTH.

j / k navigate · click thread line to collapse

6 comments

6 comments · 3 top-level

cmwelsh12y ago· 2 in thread

KeyPassX and MiniKeyPass are working well enough here, plus they are open source software that one can install on his or her computer or iPhone.

I keep my database on Dropbox for availability on multiple devices.

jlgaddis12y ago

ebtalley12y ago

roywiggins12y ago· 1 in thread

Neat, but SuperGenPass does this better- has a bookmarklet with configurable salt, and it's based off the domain name, not the service, so you can't get into ambiguities (Gmail, GMail, gmail?)

http://supergenpass.com/

That said, the options for disallowed characters is nice.

Casseres12y ago

There are even a couple of demos:

http://akibjorklund.com/files/2009/10/supergenpass-vulnerabi...

I tested both demos with the latest version of SuperGenPass (2.01) from http://supergenpass.com/

jlgaddis12y ago

A couple of things:

1. add an "avoid ambiguous characters" option (is that an "l" or a "1", an "O" or an "0", etc.).

2. encouraging people to type or generate passwords into/from random web sites is a bad idea -- perhaps even making the problem worse instead of solving it.

HTH.

j / k navigate · click thread line to collapse