comp / comp.sys.mac.system / Re: Do you use a password manager?

Subject: Re: Do you use a password manager?
From: Alan Browne
Newsgroups: alt.atheism, comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: UsenetServer - www.usenetserver.com
Date: Mon, 19 Jul 2021 14:42 UTC

On 2021-07-12 07:37, Wade Garrett wrote:
> On 7/12/21 5:53 AM, Unbreakable Disease wrote:
>> My 50-year old brain isn't capable of memorizing that many passwords
>> anymore, so I use KeePassXC. I keep basically everything here
>> including my financial passwords and credit card data, with the
>> exception of passwords that I would have to remember anyway (full-disk
>> encryption, login, primary e-mail passwords, etc.)
>>
>> Overall, it's much easier to remember and much harder to forget 10
>> complicated passwords that you use everyday than 100+ simple passwords
>> you use every month or even less.
>>
>> I can't speak about Windows version of KeePass, because with the
>> exception of playing games not available on Macintosh, I haven't used
>> one since Windows 95 days.
>
> I'd like to use a password manager but I'm not comfortable with that
> data being on some server somewhere- allegedly encrypted or not.

256 bit AES encryption not good enough for you?

>
> If there's one that keeps the data just on the local machine, I'd be
> interested.

1Password has that option as well as using a local server.

>
> I keep a spreadsheet with my PWs on my FileVault-encrypted iMac hard
> drive and copy/paste to logins that need to stay secure- financial,
> vendors, healthcare, etc.

Not very secure. Of course it's your house and that has some security.

But far better to use a manager - even if only on your machine.

>
> I always log out before leaving the house.

My computer does that for me ... well, might be a few minutes after I
leave...

--
"...there are many humorous things in this world; among them the white
man's notion that he is less savage than the other savages."
-Samuel Clemens

Subject: Re: Do you use a password manager?
From: Keith Thompson
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: None to speak of
Date: Mon, 19 Jul 2021 18:08 UTC

Alan Browne <bitbucket@blackhole.com> writes:
> On 2021-07-12 07:37, Wade Garrett wrote:
[...]
>> I'd like to use a password manager but I'm not comfortable with that
>> data being on some server somewhere- allegedly encrypted or not.
>
> 256 bit AES encryption not good enough for you?

The weak link is not the encryption algorithm, but the key used to
decrypt the data.

[...]

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */

Subject: Re: Do you use a password manager?
From: nospam
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: A noiseless patient Spider
Date: Mon, 19 Jul 2021 18:12 UTC

In article <87r1fu18j7.fsf@nosuchdomain.example.com>, Keith Thompson
<Keith.S.Thompson+u@gmail.com> wrote:

> >> I'd like to use a password manager but I'm not comfortable with that
> >> data being on some server somewhere- allegedly encrypted or not.
> >
> > 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

that's up to you to choose something complex.

hint: don't use 'password123'

Subject: Re: Do you use a password manager?
From: Lewis
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: Miskatonic U
Date: Mon, 19 Jul 2021 20:07 UTC

In message <87r1fu18j7.fsf@nosuchdomain.example.com> Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:
> Alan Browne <bitbucket@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?

> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

Which the user chooses.

Have you done any actual research into this or have you just read
know-nothing clickbait shit?

--
And the three men I admire most, the father son and the holly ghost
they caught the last train for the coast...

Subject: Re: Do you use a password manager?
From: Keith Thompson
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: None to speak of
Date: Mon, 19 Jul 2021 21:15 UTC

Lewis <g.kreme@kreme.dont-email.me> writes:
> In message <87r1fu18j7.fsf@nosuchdomain.example.com> Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:
>> Alan Browne <bitbucket@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.
>
> Which the user chooses.

Yes, of course.

> Have you done any actual research into this or have you just read
> know-nothing clickbait shit?

Be less rude. If I'm wrong, say so and tell us what's right.

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */

Subject: Re: Do you use a password manager?
From: Richard Kettlewell
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: terraraq NNTP server
Date: Tue, 20 Jul 2021 08:15 UTC

Keith Thompson <Keith.S.Thompson+u@gmail.com> writes:
> Alan Browne <bitbucket@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

There’s lots of possible weak links.

- The key may be stored insecurely.
- If the key is derived from a password then the user may choose a weak
password.
- It’s easy to make a bad choice of KDF.
- The choice of cipher mode matters.
- For some cipher modes, how you choose the parameters matters.
- Some ciphers (including AES) are prone to side channels.

How much each of these matters is situational, but “256 bit AES
encryption” is not a complete description and may indeed not be good
enough, depending on the missing details.

--
https://www.greenend.org.uk/rjk/

Subject: Re: Do you use a password manager?
From: Lewis
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: Miskatonic U
Date: Tue, 20 Jul 2021 20:13 UTC

In message <8735s99z9w.fsf@LkoBDZeT.terraraq.uk> Richard Kettlewell <invalid@invalid.invalid> wrote:
> Keith Thompson <Keith.S.Thompson+u@gmail.com> writes:
>> Alan Browne <bitbucket@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>>
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.

> There’s lots of possible weak links.

> - The key may be stored insecurely.

The key is not stored at all. The key is the password that the user
selects.

> - If the key is derived from a password then the user may choose a weak
> password.

Nothing anyone can do about that.

> - It’s easy to make a bad choice of KDF.
> - The choice of cipher mode matters.

Which is why these tools are audited by third parties and you should
only use tools that have been audited.

> - For some cipher modes, how you choose the parameters matters.

Ibid.

> - Some ciphers (including AES) are prone to side channels.

Ibid.

> How much each of these matters is situational, but “256 bit AES
> encryption” is not a complete description and may indeed not be good
> enough, depending on the missing details.

Ibid.

--
you cannot code around infinite implementations of OCD -John C Welch

Subject: Re: Do you use a password manager?
From: Alan Browne
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: UsenetServer - www.usenetserver.com
Date: Tue, 20 Jul 2021 20:39 UTC

On 2021-07-19 14:08, Keith Thompson wrote:
> Alan Browne <bitbucket@blackhole.com> writes:
>> On 2021-07-12 07:37, Wade Garrett wrote:
> [...]
>>> I'd like to use a password manager but I'm not comfortable with that
>>> data being on some server somewhere- allegedly encrypted or not.
>>
>> 256 bit AES encryption not good enough for you?
>
> The weak link is not the encryption algorithm, but the key used to
> decrypt the data.

First off there is a difference between a "key" and a "password".

If the password is "a", the key will still be extremely strong at 256
bits and would look completely different to the key for password "b".
Of course that is not a recommendation.

As to passwords, it's trivial to make strong and easy to remember
passwords with a few misspelled words, mixed case, some symbols and digits.

--
"...there are many humorous things in this world; among them the white
man's notion that he is less savage than the other savages."
-Samuel Clemens

Subject: Re: Do you use a password manager?
From: Keith Thompson
Newsgroups: comp.sys.mac.system, comp.sys.mac.misc, comp.unix.misc, comp.misc
Organization: None to speak of
Date: Tue, 20 Jul 2021 22:52 UTC

Alan Browne <bitbucket@blackhole.com> writes:
> On 2021-07-19 14:08, Keith Thompson wrote:
>> Alan Browne <bitbucket@blackhole.com> writes:
>>> On 2021-07-12 07:37, Wade Garrett wrote:
>> [...]
>>>> I'd like to use a password manager but I'm not comfortable with that
>>>> data being on some server somewhere- allegedly encrypted or not.
>>>
>>> 256 bit AES encryption not good enough for you?
>> The weak link is not the encryption algorithm, but the key used to
>> decrypt the data.
>
> First off there is a difference between a "key" and a "password".

Sure (but sometimes they can be the same, right?).

> If the password is "a", the key will still be extremely strong at 256
> bits and would look completely different to the key for password "b".
> Of course that is not a recommendation.

Are you talking about a key being algorithmically derived from the
password? If the string "a" is all the information you need to unlock
an encrypted file, then an attacker is going to be able to unlock it,
whether it first has to be translated to a 256-bit key or not. (Or I'm
missing something.)

> As to passwords, it's trivial to make strong and easy to remember
> passwords with a few misspelled words, mixed case, some symbols and
> digits.

Sure. It's also easy for a password to leak in any of a number of ways.

--
Keith Thompson (The_Other_Keith) Keith.S.Thompson+u@gmail.com
Working, but not speaking, for Philips
void Void(void) { Void(); } /* The recursive call of the void */
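
Added example (not part of any post in this thread): a sketch of the key-versus-password point argued above, showing that a key derived from password "a" is 256 bits long and unrelated to the key for "b", yet is found by trying one-letter passwords, and how a KDF's iteration count changes the cost of each guess. PBKDF2-HMAC-SHA256, the salt and the iteration count are assumptions chosen for illustration; the thread does not say which KDF any particular password manager uses.

```python
import hashlib
import hmac
import math
import string

# Constructed sample values, assumed for this example only.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 100_000


def derive_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length keys."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Guessing effort in bits for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def stretched_bits(password_bits: float, iterations: int) -> float:
    """Rough effort in hash-operation bits: each guess costs about `iterations` hashes."""
    return password_bits + math.log2(iterations)


def recover_password(target_key: bytes, candidates, salt: bytes = SALT,
                     iterations: int = ITERATIONS):
    """Derive a key from each candidate; return (password, guesses made)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if hmac.compare_digest(derive_key(candidate, salt, iterations), target_key):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    key_a, key_b = derive_key("a"), derive_key("b")
    print("key for 'a':", key_a.hex())
    print("key for 'b':", key_b.hex())
    print("bits that differ:", differing_bits(key_a, key_b), "of 256")

    # The key is 256 bits long, but the search only covers the password space.
    found, guesses = recover_password(key_a, string.ascii_lowercase)
    print(f"recovered {found!r} after {guesses} guess(es)")

    one_letter = guess_space_bits(26, 1)
    long_random = guess_space_bits(94, 16)
    print(f"1 lowercase letter : {one_letter:.1f} bits, "
          f"{stretched_bits(one_letter, ITERATIONS):.1f} with stretching")
    print(f"16 printable chars : {long_random:.1f} bits, "
          f"{stretched_bits(long_random, ITERATIONS):.1f} with stretching")
```
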
