[clug] Adobe Password Breach

[Andrew Janke]

> How do you back that up so if you lose your phone you're not stuffed when
> you need to do some banking in a hurry as your wallet was stolen too?

I store the (encrypted!) keypassfile on owncloud. There are web
clients for keepassX somewhere but I dont use one. I know I can get my
password file onto something and get keepassx. Mind you I don't store
internet banking passwords anywhere except my frontal lobes.

> Or you want to change phones, or use a real computer because using the
> phone for much beyond casual browsing is a royal pain.

Owncloud + keepassx. Sync clients for just about anything imaginable.
If not, copy the text file.

> Can you dump the encrypted store and import into an equivalent program on
> your laptop?

Yes.

> Then what happens if you add one password to your phone and a
> different site and password to your laptop - are they smart enough not to
> clobber?

With Owncloud, password file just gets updated by datestamp. You could
invent a situation where the sync will clobber but it wouldn't be
normal usage. You can of course have multiple password databases if
you desire with differing levels of security.

> Can they cope with these moronic websites, like say, your bank that insist
> on "at least one number, one piece of punctuation but no more than 8
> characters" because they, um, why do they limit the size? Because they're
> not storing hashes but actually store the palintext password on their
> database? Really? Or they just can't program?

Yes.  A zillion check boxes to generate passwords of varying flavours
for website requirements.

> Is it better than a master list created with a text editor on a remote box
> that you store gpg encrypted and can backup?

Probably not. The difference is you need a client for each of your
things you want to access this on. Keepassx is this client and it
exists.


a