# Securely store passwords



## folivora (Dec 2, 2011)

Hi,

I would like to hear what kind of solutions users of this forum are using to store passwords.

Since today it is almost impossible to remember all usernames and passwords, the best way is probably to store them in some database which is secured.

- folivora


----------



## jem (Dec 2, 2011)

There is an open source program named KeePassX that I use on my Linux workstation at work that meets this requirement.

It's also in the FreeBSD ports collection: security/keepassx


----------



## fluca1978 (Dec 2, 2011)

A plain text file on a cyphered partition or usb key. Cannot be automated (which in most cases is good) and requires a manual search with a text editor, but it works for me (~ 50 usernames/passwords).


----------



## rusty (Dec 2, 2011)

Text file encrypted using gnupg (RSA 4096)


----------



## SirDice (Dec 2, 2011)

+1 on Keepass.


----------



## funky (Dec 2, 2011)

Either encrypted text files, editing via gnupg.vim, or KeepassX.


----------



## graudeejs (Dec 2, 2011)

Textfile... lol (textfile backups, swap files, hdd files, swap....., unencrypted sectors on HDD [when you decrypt file])

I use KeePassX


----------



## fluca1978 (Dec 2, 2011)

I will try keepassx even if it seems to me like kwallet and other products alike. Anyway, keep in mind that sooner or later you will have to decrypt some information, either on disk or in memory, and so you will access it as a plain stream.


----------



## funky (Dec 2, 2011)

graudeejs said:

> Textfile... lol (textfile backups, swap files, hdd files, swap....., unencrypted sectors on HDD [when you decrypt file])
> 
> I use KeePassX


Oh, didn't I mention the encrypted hard drive? But actually I memorize most of my passwords, especially system passwords and encryption passwords. If these passwords are extremely valuable I rather write them on a sheet of paper and put it in a secure place.


----------



## SirDice (Dec 2, 2011)

fluca1978 said:

> I will try keepassx even if it seems to me like kwallet and other products alike.


True, but unlike kwallet, Keepass also runs on Windows and OS-X.

http://keepass.info


----------



## graudeejs (Dec 2, 2011)

SirDice said:

> True, but unlike kwallet, Keepass also runs on Windows and OS-X.
> 
> http://keepass.info



And it's pretty lightweight and cross-DE/WM


----------



## fluca1978 (Dec 2, 2011)

SirDice said:

> True, but unlike kwallet, Keepass also runs on Windows and OS-X.
> 
> http://keepass.info



That is why I was talking about a text file over an encrypted disk: it could be _portable_ and used also for other things other than password storage.


----------



## phoenix (Dec 2, 2011)

KWallet, since I use KDE all day long, and all the apps I use integrate with it (including Google Chrome).


----------



## folivora (Dec 5, 2011)

Thank you all.

Keepass seems to be quite nice, since it has good "multi-os" support. Decided to use it.

Cheers.

-folivora


----------



## OH (Dec 5, 2011)

phoenix said:

> KWallet, since I use KDE all day long, and all the apps I use integrate with it (including Google Chrome).



Is this something that can be done with Firefox 8 as well, or is it exclusive to Chrome?


----------



## phoenix (Dec 6, 2011)

Firefox has its own internal password manager that's not compatible with anything other than itself. The only "bright" spot is that you can use the internal Firefox Sync or Xmarks add-on (much better) to sync the passwords to other systems.

Chromium/Google Chrome include support for KWallet.


----------



## fluca1978 (Dec 6, 2011)

phoenix said:

> Chromium/Google Chrome include support for KWallet.



Interesting, but not enough to switch to google browser


----------



## Mike G (Jun 2, 2021)

I'm another KeePass user (not the "X" version). Compared to some of the other pw management systems, it has one problem which is that it is not very good at keeping your passwords synchronised across different machines, that is unless you host your pw database file on a server and only use the one file to store all your passwords and keep them synched across machines (which you can do, using FTP or HTTP). Before I did that I would end up with multiple database files from different machines, and keeping track of which db file had the current pw for an account was a nightmare.


----------



## gpw928 (Jun 2, 2021)

I use sysutils/password-store.  Simple, text based, tree structured portable data store, uses security/gnupg.  Also universal.


----------



## Deleted member 30996 (Jun 2, 2021)

I use security/bcrypt to encrypt passwords and save everything to a couple different USB sticks. I copy any new passwords into the specific Directory on USB then use the same sticks to repopulate all 7 laptops.


----------



## Alain De Vos (Jun 3, 2021)

I use real paper for passwords


----------



## covacat (Jun 3, 2021)

Alain De Vos said:


> I use real paper for passwords


well if your handwriting is shitty enough it mostly works


----------



## jmos (Jun 3, 2021)

Let me be the punk in this thread and be a little provocative. Imagine my $HOME will be hacked.

Password for my mail account? I don't type it in - and as far as I can see: also most other users store it inside their mail client's configuration. Our hacker can easily go through those mails, and use the "password forgotten" option!
Here we could already stop thinking, but anyway:

A password used for online shopping? Think over how many shops really have a clue of data handling, and you seldom will use accounts on their platforms - but order as guest wherever possible. Maybe you're even choosing a different dealer to get rid of being forced to use an account.

Passwords for my servers? I wouldn't go with a password based login on a server. But my certificates our hacker now also has.

Online banking? Shouldn't nowadays be possible with just a mail address and a password.

So it doesn't matter if my passwords are encrypted or not, a plain text file does it. Anything you can reach by your computer is as safe as the weakest part of it. If a hacker has reached my $HOME there will be no difference if I'm using something like keepass: I've got to assume that none of my passwords is safe anymore. And that file wouldn't be my basic problem…

Does really someone think a hacker would say "holy crap, this dude uses keepass, so I have no chance"? My passwords are stored inside a database. It will take some time for someone else to figure out how things of that database match together (and it's not named like "db4pw" etc.), but: Unencrypted.

But I've got something like keepass: It's my $HOME on my computer. And that account already has a master password! But I wouldn't feel well if I would use f.e. Windows and have no clue, if my data is stored also on some cloud machines (after all, they always say they have to check all this out for my safety).


----------



## tux2bsd (Jun 3, 2021)

'pass' kicks the shit out of all the above, the dev's website  https://www.passwordstore.org/

edit: oh gpw928 beat me to it.


----------



## Tieks (Jun 3, 2021)

If you have an Android smartphone you can simply ask Google for most of your passwords.


----------



## Menelkir (Jun 3, 2021)

Keepass. It creates an encrypted file with your user/pass and you can customize it like a catalog, using categories and stuff and even downloading favicons for the sites. There are also extensions for browsers to work with it, or just copy/paste. Also, keepass accepts storing 2FA.
Need a frontend? security/keepass security/keepassxc
Still feel insecure? Create a container with security/veracrypt and store your keepass file inside, now you can store the container even on an anonymous FTP.


----------



## rotor (Jun 7, 2021)

I keep my passwords (a few dozen of 'em) in a spreadsheet.

The spreadsheet is kept in an encrypted file.  On Windows and FreeBSD, veracrypt.  On Linux Mint zulucrypt.

This fits my needs quite well.


----------



## ralphbsz (Jun 7, 2021)

Text file (edited with an ASCII editor). Also contains lots of comments. It is stored only in encrypted form (now with openssl encryption, used to be GPG, but Gnu made GPG too complicated to use). The resulting file is then stored only on encrypted disks, both locally (on an Apple file system disk) and in the cloud (at a provider, that uses encrypted hardware with the SSH file system), so there are multiple layers of encryption.

Well, and some passwords are also on yellow stickers on the edge of the monitor, or paper lists.


----------



## asteriskRoss (Jun 7, 2021)

+1 for not telling the internet exactly how I store my passwords


----------



## gpw928 (Jun 7, 2021)

ralphbsz said:


> some passwords are also on yellow stickers on the edge of the monitor, or paper lists.


Current thinking on risk analysis provides support for such approaches.

The analysis says that it is actually quite rare for a password to be breached by physical intrusion.

By far the most usual compromise is by a plethora of broadly based "electronic methods".

But I recommend a Post-It note under the keyboard. It's more secure because it's harder to find.


----------



## Jose (Jun 8, 2021)

ralphbsz said:


> Well, and some passwords are also on yellow stickers on the edge of the monitor, or paper lists.


I'm 100% certain you know how to take a screenshot, but not everyone does. Including some in Congress, who take a picture of their screen with their phone. Unfortunately, the sticky with the passwords is legible.


> As Twitter users quickly noted, a photo that Brooks tweeted of his computer screen showing Alabama’s trespassing statute also showed a piece of paper that appeared to include a PIN number and a Gmail account password.

https://www.washingtonpost.com/nation/2021/06/07/mo-brooks-eric-swalwell-trespassing/


----------



## Lamia (Jun 8, 2021)

KeepassXC is strongly advised over Keepass, from what I learnt.


----------



## rotor (Jun 8, 2021)

Lamia said:


> KeepassXC is strongly advised over Keepass, from what I learnt.



What have you learnt?


----------



## Lamia (Jun 8, 2021)

I would bail out of a debate on both. That was my inference after comparing both. Of course, one is Qt-based and the other is mono-based. And KeepassXC is a fork of the other.

There are tonnes of articles on them online.


----------



## sko (Jun 8, 2021)

gpw928 said:


> I use sysutils/password-store.  Simple, text based, tree structured portable data store, uses security/gnupg.  Also universal.





tux2bsd said:


> 'pass' kicks the shit out of all the above, the dev's website  https://www.passwordstore.org/
> 
> edit: oh gpw928 beat me to it.



+1 for pass
Have been using it for several years now together with a YubiKey to store and carry around my gpg-keys.

It doesn't restrict what you want to store in it like most solutions (as it's basically just gpg-encrypted text files), plus there are plugins available for almost anything (e.g. OTP) and you can very easily write your own scripts. As it is basically a wrapper around gpg & git, you can also leverage those tools to make it fit your needs. E.g. I've been using git branches to have a "private" and "work" tree of passwords for a while (reverted to using only folder-based organization because I fat-fingered my branches once because git hates me...)

There's even some GUIs available nowadays (e.g. QtPass), but haven't really used them...


At work we're using Passbolt (self-hosted), which also relies on GPG in the background, but isn't as feature-rich yet as some other solutions, although they are adding more and more stuff and listen to their users requirements. It's purely browser-based, so no need for any apps/widgets/etc except a browser-plugin which also manages your keys.


----------



## tux2bsd (Jun 9, 2021)

sko said:


> +1 for pass
> There's even some GUIs available nowadays (e.g. QtPass), but haven't really used them...


There's even android & ios apps.  I've not used them though, just cli version - it's so easy.


Jose said:


> Unfortunately, the sticky with the passwords is legible.


Medical Doctors being the exception.


----------



## rootbert (Jun 14, 2021)

security/keepass because it is audited ... keepassxc is not audited. Though in some cases I use security/kpcli


----------



## decuser (Jun 14, 2021)

KeepassXC, it's cross-platform and secure. I use it on my Mojave systems, FreeBSD systems, and Linux. KeepassXC is an actively developed fork of the nearly unchanging KeepassX (last release 2016), which is a fork of the original Keepass... which is still actively developed.


----------



## decuser (Jun 14, 2021)

tux2bsd said:


> 'pass' kicks the shit out of all the above, the dev's website  https://www.passwordstore.org/
> 
> edit: oh gpw928 beat me to it.


Intriguing. I will give it a shot, but I do a lot more with Keepassxc than just put passwords in it. For example, when I create a new XYZ account, I may back it with one of several email accounts. I also get the backup codes in case something goes awry. When I decommission an account (but haven't deleted it yet), I like to note that in the database. Where does all this meta-data go in pass, or does it have a comment field that can be overloaded for this sorta stuff?


----------



## gpw928 (Jun 14, 2021)

pass(1) just encrypts a file using gpg, and maintains that file in a file-system based tree structure, where the path name provides the key (e.g. Forums/FreeBSD/gpw928).
I routinely add URLs and sundry aide-mémoires into the file, along with a password.  Within that context, you could enforce any structure you wanted.


----------



## Deleted member 30996 (Jun 15, 2021)

Alain De Vos said:


> I use real paper for passwords


When I forgot my password to get into my FreeBSD box a few years ago the only password I had left was one I had written down on paper. 

It was for the forum where I ended up first posting my FreeBSD Desktop Tutorial.


----------



## usakhncit (Jun 15, 2021)

I don't write or save my passwords. I simply memorize them.


----------



## sko (Jun 15, 2021)

decuser said:


> Where does all this meta-data go in pass, or does it have a comment field that can be overloaded for this sorta stuff?



It doesn't use a database and doesn't force you to use arbitrary fields - it's just plain, simple text files, organized in folders (git branches are also possible) encrypted with gpg. pass(1) is essentially just some shell scripts around gnupg and git - so even if the maintainers one day decide to bin the whole project, you can still access everything.
For things like browser plugins there are a few simple conventions though:
- the first line always has to be the password (the whole line, so no prefixes or comments)
- for autofill (browser plugins) you might want to prefix lines with "email:", "login:" or "otp:" (that's usually handled by the OTP plugin), so the plugin can pick the correct entry. If it doesn't work as expected, inspect the page and search for the description/name of the box where that information should go - "webdesigners" are horrible at naming stuff and don't follow simple conventions, so e.g. login fields often have completely stupid names no plugin could automatically guess.
Apart from that, everything but the first line of the text file is yours - you can put in everything you want. I regularly store OTP recovery codes in them, sometimes even for multiple factors, and even gpg keys or certificates. You can put everything in there that can be represented by text - even storing base64-encoded images would be possible.




usakhncit said:


> I don't write or save my passwords. I simply memorize them.


Do you perform in a circus with that number where you can memorize dozens of 32 character long arbitrary utf8 strings?
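
An added example (not from the post, and not code from pass itself) that reads a decrypted entry laid out by the conventions above: the whole first line is the password, `login:`/`email:`/`otp:` lines become fields, and everything else stays as free-form notes. The `username` and `url` keys, and treating a bare `otpauth://` line as the OTP field (the layout the pass-otp extension writes), are assumptions; the sample entry is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Keys the browser plugins look for, per the post: "login", "email", "otp".
# "username" and "url" are assumptions (many plugins accept them as well).
FIELD_KEYS = {"login", "username", "email", "otp", "url"}


@dataclass
class PassEntry:
    password: str
    fields: Dict[str, str] = field(default_factory=dict)
    notes: List[str] = field(default_factory=list)


def parse_pass_entry(text: str) -> PassEntry:
    """Split a decrypted pass(1) entry into password, tagged fields and notes."""
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("first line must hold the password")
    # Rule 1: the whole first line is the password, verbatim. No prefix, no
    # comment stripping, no trimming: a password may legitimately contain ':'.
    entry = PassEntry(password=lines[0])
    for line in lines[1:]:
        # Assumption: a bare otpauth:// URI line (pass-otp layout) is the OTP field.
        if line.startswith("otpauth://"):
            entry.fields.setdefault("otp", line.strip())
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in FIELD_KEYS and value.strip():
            # First occurrence wins, as a plugin scanning top-down would see it.
            entry.fields.setdefault(key, value.strip())
        else:
            # Everything else (recovery codes, comments, blank lines) is yours.
            entry.notes.append(line)
    return entry


def render_pass_entry(entry: PassEntry) -> str:
    """Write an entry back out in the same layout: password, then fields, then notes."""
    out = [entry.password]
    for key, value in entry.fields.items():
        if key == "otp" and value.startswith("otpauth://"):
            out.append(value)           # keep the pass-otp URI line as-is
        else:
            out.append(f"{key}: {value}")
    out.extend(entry.notes)
    return "\n".join(out) + "\n"


# Constructed sample entry, as `pass show Forums/example` might print it.
SAMPLE_ENTRY = """\
c0rrect:horse battery
login: alice
email: alice@example.com
otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example
url: https://example.com/login
recovery codes: 1111-2222 3333-4444
# old password was rotated 2021-06-15
"""

if __name__ == "__main__":
    e = parse_pass_entry(SAMPLE_ENTRY)
    print(e.password, e.fields, e.notes, sep="\n")
```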


----------



## tux2bsd (Jun 15, 2021)

decuser said:


> I like to note that in the database. Where does all this meta-data go in pass, or does it have a comment field that can be overloaded for this sorta stuff?




```
pass edit site1/account1
```
then edit text

it was a while ago when I got it going, just fiddling with it now on a blank machine and remember it's a bit of a pain to begin because of the gpg stuff

still recommend


----------



## tux2bsd (Jun 15, 2021)

decuser so the whole process looks like below, give it a muck around go like this then do it properly with more GPG properness (it's the gpg side that's painful)


```
u@buntu:~$ gpg --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Lay Dees
Email address: example@example.com
Comment:
You selected this USER-ID:
    "Lay Dees <example@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 30172473CD40DA96 marked as ultimately trusted
gpg: directory '/home/u/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/u/.gnupg/openpgp-revocs.d/62CC2D94696CBAEB2AD0270330172473CD40DA96.rev'
public and secret key created and signed.

pub   rsa3072 2021-06-15 [SC]
      62CC2D94696CBAEB2AD0270330172473CD40DA96
uid                      Lay Dees <example@example.com>
sub   rsa3072 2021-06-15 [E]

u@buntu:~$ pass init example@example.com
Password store initialized for example@example.com
u@buntu:~$ pass add potato
Enter password for potato:
Retype password for potato:
u@buntu:~$ pass potato   #THIS IS WHERE IT'LL PROMPT YOU BEFORE DISPLAYING THE PASSWORD
asdf
```

I can't imagine there being much different on FreeBSD so I didn't change OSes to make a quick howto


----------



## decuser (Jun 16, 2021)

usakhncit said:


> I don't write or save my passwords. I simply memorize them.


When asked for his password, he scoffs at password managers and rattles off the 43 characters from his astounding oversized memory - he must be... The most interesting man in the world!


----------



## decuser (Jun 16, 2021)

decuser said:


> When asked for his password, he scoffs at password managers and rattles off the 43 characters from his astounding oversized memory - he must be... The most interesting man in the world!


Or perhaps The most interesting woman? But seriously, I must have 200+ secure passwords. I can hardly remember the urls, much less the passwords.


----------



## Deleted member 30996 (Jun 16, 2021)

I have 79 files in my password folder and the oldest one is for a Yahoo account from 9-01-12, whowuzthatmaskedman.

That was my future self that made that account. I remember it like yesterday...


----------



## usakhncit (Jun 17, 2021)

decuser said:


> When asked for his password, he scoffs at password managers and rattles off the 43 characters from his astounding oversized memory - he must be... The most interesting man in the world!





decuser said:


> Or perhaps The most interesting woman? But seriously, I must have 200+ secure passwords. I can hardly remember the urls, much less the passwords.



43 characters!! You are paranoid !!
You need to learn something about memorizing passwords.
Let me tell you one of my password which is: "decuser is a paranoid fool".


----------



## Deleted member 30996 (Jun 17, 2021)

My usr and root passwords are different. Each is between 20-25 characters long and I have both memorized. 
The rest go in my password file after encryption and no attempt to memorize them is made. Only the password to decrypt them.

I forgot my Windows password one time and let my fingers do the walking across the keyboard from muscle memory and got it right.


----------



## gpw928 (Jun 18, 2021)

usakhncit said:


> 43 characters!! You are paranoid !!


That would depend on what you are trying to protect.
For login to local physical computers (not via the Internet) where you have to type the password, or unlock ssh keys, it's convenient and sensible to use a good password of "sufficient" length, and memorise it.
In the era of post-quantum cryptography I want to protect my bank accounts, and other Internet "commerce".
Re-using a password for multiple sites is a really bad idea, as cracking it readily leads to a domino effect.  That means every account must have a different high quality password.
I currently have about 60 of them. That's far too many to remember. So, they are always randomly generated, rarely less than 64 characters, and kept in a password safe. Simples.


----------



## Jose (Jun 18, 2021)

gpw928 said:


> Re-using a password for multiple sites is a really bad idea, as cracking it readily leads to a domino effect.  That means every account must have a different high quality password.


Indeed. There are handy online databases of cracked passwords:

https://haveibeenpwned.com/

Reuse passwords at your peril. I have 97 in my Keepassxc database.


----------



## Deleted member 30996 (Jun 18, 2021)

OpenBSD uses bcrypt. 

And what was encrypted with security/bcrypt on FreeBSD could not be decrypted with what I remember to be three different bcrypt programs available when I ran an OpenBSD box. Neither could it be decrypted on Windows.


----------



## VucanRidr (Jun 18, 2021)

I use bitwarden for most web passwords, and keepassxc for non-web passwords. However, I ran across an article the other week that you can incorporate keepassxc into your browser. https://danschmid.de/en/blog/install-firefox-under-freebsd-and-set-it-up-with-privacy


----------



## jmos (Jun 18, 2021)

usakhncit said:


> 43 characters!! You are paranoid !!


A little bit off topic, but related to "strong passwords":

We're always looking on passwords, but: If it comes to login attempts the password is just one half. The other one is the username. When I'm looking through thousands of login attempts on servers I see usernames like "admin", "a1b2c3", "tom", "michael" etc., but never ever something like "hsadyylhTfHbTnP.gdtTZbdlaperKtzHZs"; Okay, you don't want to type in that manually, but you can use f.e. an alias therefore. I'm using "strong usernames"


----------



## sko (Jun 18, 2021)

jmos said:


> A little bit off topic, but related to "strong passwords":
> 
> We're always looking on passwords, but: If it comes to login attempts the password is just one half. The other one is the username. When I'm looking through thousands of login attempts on servers I see usernames like "admin", "a1b2c3", "tom", "michael" etc., but never ever something like "hsadyylhTfHbTnP.gdtTZbdlaperKtzHZs"; Okay, you don't want to type in that manually, but you can use f.e. an alias therefore. I'm using "strong usernames"



Well, usually you stick with one or two handles that you use as a "username", but you can make the email address you use for login unique with extensions. I've been using address extensions for almost as long as postfix and dovecot support it and even sometimes give humans an extended address instead of the "short variant". This has various advantages:
- That email address _only_ works for that single site/service and is worthless for anything else
- Filtering gets really easy (just create a folder named after the extension...)
- I can tell who had a data leak when I suddenly receive spam on that address and can change my credentials there (or cancel my account with them, depending on how they handle a data breach..)
- I can add a disclosed address to my spamtrap list, so spammers using those addresses get immediately blacklisted

And of course: Use 2FA wherever possible! A lot of sites make it really easy nowadays and even support multiple variants (more and more often you can activate multiple factors, e.g. multiple authenticator apps or password managers with OTP support). Sadly even some big sites still get this completely wrong and either don't support it or the worst, most insecure and most annoying variants like SMS codes...


----------



## fbsd_ (Jun 18, 2021)

folivora said:


> Hi,
> 
> I would like to hear what kind of solutions users of this forums are using to store passwords.
> 
> ...


The best way to secure important data is encryption. There are already some applications that exist which are password managers. You can secure a file on Unix-like systems by changing the owner of the file.
For example:

```
touch password.data
echo "example123" >> password.data
chown root password.data     # this command requires root permission
chmod -r password.data       # removes read permission for owner, group and others
```

This example makes the file unreadable without root access. Only the root user can make it readable again, so it will be secure until an exploit comes along and gets root permission.

Other way is encryption:
Encrypt:
```
openssl aes-256-cbc -a -salt -in password.data -out password.data.enc
```
Decrypt:
```
openssl aes-256-cbc -d -a -in password.data.enc -out password.data
```

If you're going to use something like that, it requires openssl installed on your system. If not, you can write a software that does it or you can just download it with your package manager etc. I'm not sure FreeBSD comes with openssl preinstalled.

Solution 3:
Use a password manager:
```
pkg install security/keepassxc      # requires root permission
```

And that's it.

The best solution is using a password manager and this is what I'm using for my many jobs too. A password manager does all the job for you already.


----------



## Jose (Jun 18, 2021)

sko said:


> Well, usually you stick with one or two handles that you use as a "username"...


I would strongly advise you to not reuse usernames either, for the reasons Jmos lists. Sometimes this is unavoidable because the username is also your avatar's name, but take the option to have an opaque login name if it is given.


sko said:


> , but you can make the email address you use for login unique with extensions. I've been using address extensions for almost as long as postfix and dovecot support it and even sometimes give humans an extended address instead of the "short variant". This has various advantages:
> - That email address _only_ works for that single site/service and is worthless for anything else
> - Filtering gets really easy (just create a folder named after the extension...)
> - I can tell who had a data leak when I suddenly receive spam on that address and can change my credentials there (or cancel my account with them, depending on how they handle a data breach..)
> - I can add a disclosed address to my spamtrap list, so spammers using those addresses get immediately blacklisted


I'm not sure if you're talking about email subaddressing or email aliases. Subaddressing is nice in that most major services support it, but there is no way to make a subaddress stop working. Email aliases require that you have some control over email sending. I use Postfix and aliases(5) but I can do that because I host my own email. Nice thing about aliases is that you can delete them, causing all email sent to them to bounce.

You can add either subaddresses or aliases to spamtrap files. I'm not sure how you enforce that aliases or subaddresses can only work from one sender. I'm pretty sure once the alias or subaddress exists, anyone can send mail to it. This is also how you discover who's been shopping your email address around.


sko said:


> And of course: Use 2FA wherever possible! A lot of sites make it really easy nowadays and even support multiple variants (more and more often you can activate multiple factors, e.g. multiple authenticator apps or password managers with OTP support). Sadly even some big sites still get this completely wrong and either don't support it or the worst, most insecure and most annoying variants like SMS codes...


I'm not a big fan of 2FA. It only makes sense if you have a phone, and it often requires a specific app to work. I wonder how much spyware the 2FA phone app includes.


----------



## mer (Jun 18, 2021)

write them on a piece of paper then eat the paper?


----------



## Deleted member 30996 (Jun 18, 2021)

Jose said:


> I would strongly advise you to not reuse usernames either...



I always used a different username for each site I joined and a different password for each site.

The people at PC-BSD knew me as Weixiong and Trihexagonal came here. oko said he had been one of the earlier usernames registered in the PC-BSD forums and that he didn't remember me. I remember scottro from back then and used his Tutorial to learn pf.

I told oko who I was and Less Moore soon saw it afterward. But in your face as it was in every screenshot I posted nobody realized I was jitte, and that's somebody the Moore Bros. knew from that time, too...

Files encrypted with security/bcrypt can be encrypted over and over using different passwords, the file extension removed, the filename changed and moved to another directory deep in a rabbithole. As long as you put the filename back to the original you can decrypt it back to the original text file with no loss or scrambling of data.


----------



## ralphbsz (Jun 18, 2021)

Jose said:


> I'm not a big fan of 2FA. It only makes sense if you have a phone, and it often requires a specific app to work. I wonder how much spyware the 2FA phone app includes.



I'm a reasonably big fan of 2FA. Having disagreed with you, I will now agree with you: I'm not a big fan of 2FA if it is implemented by needing a phone app.

I think the best implementation of 2FA is using a FIDO security token, in the style of a Yubikey (I think they're one of the largest vendors). If implemented carefully, that version is pretty safe. It means that to "log in" (whatever that means), you need to both know your password, and have physical possession of a thing, the security key.

Second best are fingerprint readers (again used in conjunction with a password). Their biggest problem is that they are not ubiquitous. I think the problems with fingerprints being spoofed have been mostly overcome. Another issue is that fingerprint readers are physically integrated with an expensive device. If I find a vulnerability with a security token, I throw it in the trash (after hitting it with a hammer), and get a new one, at a cost of an extra $10. If I find a vulnerability with the fingerprint reader on my laptop, I'm not about to throw a $2500 laptop in the trash, making the fingerprint reader useless.

And even 2FA that is implemented by sending an e-mail or an SMS to a well-known e-mail address or cell phone number is a reasonable way to enhance security: it proves that the person both knows the password and has access to the communication device; if they protected those separately, this does enhance security, but it is less fool-proof than hardware (such as tokens or fingertips).


----------



## Deleted member 30996 (Jun 18, 2021)

ralphbsz said:


> And even 2FA that is implemented by sending an e-mail or an SMS to a well-known e-mail address or cell phone number is a reasonable way to enhance security: it proves that the person both knows the password and has access to the communication device; if they protected those separately, this does enhance security, but it is less fool-proof than hardware (such as tokens or fingertips).


Here are two free online SMS services I recently found:

- Receive SMS online | Temporary Phone Number (receive-smss.com)
- Receive SMS online | Temporary Phone Numbers (sms24.me)

Here are two temporary email throwaway services for registration when you don't want it associated with your accounts:

- FakeMail | Temp Mail Addresses (www.fakemail.net)
- 10 Minute Mail - Free Anonymous Temporary email


----------



## sko (Jun 21, 2021)

Jose said:


> I'm not sure if you're talking about email subaddressing or email aliases. Subaddressing is nice in that most major services support it, but there is no way to make a subaddress stop working. Email aliases require that you have some control over email sending. I use Postfix and aliases(5) but I can do that because I host my own email. Nice thing about aliases is that you can delete them, causing all email sent to them to bounce.
> 
> You can add either subaddresses or aliases to spamtrap files. I'm not sure how you enforce that aliases or subaddresses can only work from one sender. I'm pretty sure once the alias or subaddress exists, anyone can send mail to it. This is also how you discover who's been shopping your email address around.


I'm also using aliases, but for different reasons and also with subaddresses (+) for logins. I don't want to make a subaddress 'stop working' if it has been leaked to spamlists as it is much more effective to use those as spamtrap addresses with spamd. So if any server tries sending to that 'compromised' address, it gets immediately blacklisted and always gets trapped in spamd.




> I'm not a big fan of 2FA. It only makes sense if you have a phone, and it often requires a specific app to work. I wonder how much spyware the 2FA phone app includes.


you can freely decide what phone app you're using/trusting or completely ignore those altogether and just use a password manager that supports generation of 2FA TOTP tokens (pass can do this with an otp plugin). TOTP is called "google authenticator" because google first defined the standard, but the libraries are freely available and have been re-implemented in various languages and can be used in a multitude of ways ('server' and 'client' side). There's even a PAM module for 2FA with TOTP...
But yes, there are still some moronic 'web designers' that think they have to be special and use some home-brewed, proprietary app for 2FA - I completely ignore those and if I have to use their service, I usually brag their support every few weeks to finally implement a proper 2FA solution...
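
TOTP as the post describes it, as an added example (not code from pass, the pass otp plugin, Google Authenticator or any library): RFC 4226 HOTP, RFC 6238 TOTP on top of it, a parser for the `otpauth://` provisioning URI that authenticator apps and the pass otp plugin consume, and the server-side check that tolerates a little clock drift. The secret below is the RFC reference test key, not a real credential; the label and issuer in the URI are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def parse_otpauth(uri: str) -> Dict[str, object]:
    """Parse otpauth://totp/LABEL?secret=BASE32[&digits=6&period=30&algorithm=SHA1]."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k.lower(): v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # provisioning URIs usually omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def verify_totp(secret: bytes, code: str, at: int, period: int = 30, digits: int = 6,
                algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    (clock drift), comparing in constant time so timing does not leak digits."""
    now = at // period
    for step in range(now - window, now + window + 1):
        if step >= 0 and hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            return True
    return False


# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded
# in the URI the way an authenticator app or the pass otp plugin would receive it.
RFC_SECRET = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p["secret"], at=59, period=p["period"], digits=p["digits"]))
```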


----------

