[clug] [OT] all text passwords == secure?

Angus Gratton gus at projectgus.com
Sun Aug 26 20:13:37 MDT 2012


On Sun, 26 Aug 2012 16:39:10 +1000
Hal Ashburner <hal.ashburner at gmail.com> wrote:

> I'll bite.
> How do I create or choose a secure password? All this reading of this
> discussion among people with clue(tm) and I've missed the consensus...
> 
> I hate that web rejection for 'you can't use that password it needs a cap,
> a number and punctuation and can only be 8 letters long.' Banks...

Hi Hal,

I absolutely recommend using a password manager program. For a while now
I've used LastPass, which is closed source but runs pretty much
everywhere (browser plugins, mobile devices, etc.) with good Linux
support, transparent syncing, etc.

There are some open source alternatives, the best one I know of is
KeePassX.

In a nutshell, how they work is:

- You have one master password you choose, something you really trust.

- You unlock your "keychain" with your master password.

- All your passwords are randomly generated strings (one per site) that
  are stored there. The generator has rules so you can customise it to
  meet ridiculous site requirements like weird lengths or
  disallowed punctuation, but all your passwords essentially look
  like G$n*ywOz%vp%9u - not that you care because you never need to
  know them.

- The manager has autologin and copy/paste shortcut operations to make
  it easy for you to log in to websites or paste passwords into dialogs.


The best thing about using a password manager is zero password reuse (or
password similarity), so password leaks or bad password storage
practices have a much lower potential impact. The worst thing is that
you have all your eggs in one basket, so to speak.

There's a Sydney-based Microsoft MVP (I know, I know) called Troy Hunt
who has written some posts about password management that I think are
pretty good:

http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html

- Angus
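As an added illustration of the generator rules described above (example code written for this page, not Angus's and not LastPass's or KeePassX's own), here is a per-site password generator that draws from the OS CSPRNG and honours a hypothetical site policy: a length band, required character classes, and characters the site rejects. The policy dictionary shape is an assumption, not any real manager's format.

```python
import secrets
import string

# Hypothetical policy shape (an assumption, not any real manager's format):
# a length band, required character classes, and characters the site rejects.
def make_policy(min_length=12, max_length=64, require_upper=True,
                require_digit=True, require_punct=True, disallowed=""):
    return {"min_length": min_length, "max_length": max_length,
            "require_upper": require_upper, "require_digit": require_digit,
            "require_punct": require_punct, "disallowed": set(disallowed)}

def _classes(policy):
    """Split printable ASCII into classes minus the disallowed characters;
    return (all allowed classes, the classes the policy requires)."""
    bad = policy["disallowed"]
    lower = [c for c in string.ascii_lowercase if c not in bad]
    upper = [c for c in string.ascii_uppercase if c not in bad]
    digit = [c for c in string.digits if c not in bad]
    punct = [c for c in string.punctuation if c not in bad]
    required = [lower] + [cls for flag, cls in (("require_upper", upper),
                ("require_digit", digit), ("require_punct", punct)) if policy[flag]]
    if any(not cls for cls in required):
        raise ValueError("a required character class is entirely disallowed")
    return [lower, upper, digit, punct], required

def complies(password, policy):
    """True if password satisfies every rule in policy (what the site checks)."""
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        return False
    if any(c in policy["disallowed"] for c in password):
        return False
    _, required = _classes(policy)
    return all(any(c in cls for c in password) for cls in required)

def generate(policy, length=None):
    """Random per-site password from the OS CSPRNG (secrets), built to pass
    the policy: one char from each required class, the rest from the whole
    allowed alphabet, then shuffled so required chars land at random positions."""
    if length is None:  # pick the longest sensible length the site accepts
        length = min(policy["max_length"], max(policy["min_length"], 20))
    allowed, required = _classes(policy)
    if length < len(required) or not policy["min_length"] <= length <= policy["max_length"]:
        raise ValueError("length incompatible with policy")
    pool = [c for cls in allowed for c in cls]
    chars = [secrets.choice(cls) for cls in required]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # same CSPRNG as secrets.choice
    return "".join(chars)
```

The bank-style case (exactly 8 characters, certain punctuation refused) is handled by the same code; `complies` is the check a site would run and is what the generator is built to satisfy every time.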

