Strong Passwords

  • Having worked in IT, this is the kind of "guide" that I hate. It's theoretically correct, but wildly impractical and therefore not useful at all.

    Do not let perfect be the enemy of good. Right now, people's password hygiene is not even "good".

    Some specific criticisms:

    > At a bare minimum you should be using a unique 32 character random alphanumeric on every website or service that you use.

    Sometimes you have to type in a password, even if you use a password manager. Maybe you are using a public computer. 32 character passwords are laughable. NIST recommends 80 bits, that's ~14 characters. Entirely sufficient.

    > Do not use online password services

    If it means you're using different, reasonably strong passwords for all your accounts instead of just one password shared with everything, then PLEASE DO use an online password service. You will be vastly more secure.

    Getting "normal" people to use good passwords means their password manager has to be super easy to use. LastPass is fine. 1Password is fine. Hell, even writing your passwords down in a book is fine, as long as you look after the book.

  • If you are like me and you like the idea of password managers but don't trust them because they're giant targets for cyber criminals and intelligence agencies, have at my trusty ruby script:

        # Prints one password: a random integer below 10^9, then 10 distinct
        # lowercase letters, then 10 distinct uppercase letters, then "_".
        # Note: Kernel#rand and Array#sample draw from Ruby's default
        # Mersenne Twister generator, not from SecureRandom.
        puts((rand * 1_000_000_000).to_i.to_s + \
          ("a".."z").to_a.sample(10).join + \
          ("A".."Z").to_a.sample(10).join + "_")
    
    Some benefits: If you need to enter in a password on your phone the numbers / capitals are all in a row, so you're not constantly shift-on / shift-off-ing. There is multi-case alphanumeric with a symbol, so it passes most website checks. If the website is something dumb and they don't allow special characters your underscore is right at the end so you can just delete it, and since it is an underscore it's a special character usually allowed (unlike % for example) because they're not weirdly encoded, even in URLs.

    You can save your passwords in a gpg'd text file if you want, though it usually doesn't matter that much. Just store them in chrome and use two-factor. If you get logged out just password reset to your email.

  • One of the more persistent annoyances of the modern web for the tech-savvy is the experience of putting a long, randomly generated password into a site and getting an "invalid characters" error.

  • I haven't looked at keepass in a long time, and a quick glance at the website didn't help. The author of TFA says that keepass handles synchronization for you. Is that true? Because it didn't do that in the past.

    Also, can keepass generate secure passwords for you? That's something I love about lastpass.

    UPDATE: also, how easy is it to use on an Android?

  • > At a bare minimum you should be using a unique 32 character random alphanumeric on every website or service that you use.

    That is a non-starter....

  • The only complicated part of this method is securing the key, and the key is definitely required or you may as well just save it as plain text.

    You sync your DB across multiple cloud services, and to decrypt you use a weak master pass and strong key.

    I've been struggling with how to move that key around.

    1) Put it on a USB drive or hide it in your filesystem.

    This is cumbersome and losing the drive could be disastrous. It's also trivial to scan a filesystem for key-like files.

    2) Use an authentication dongle.

    This one is better but requires third party hardware in most cases, and is slightly expensive.

    3) Bluetooth/NFC to your device.

    This can be intercepted at extended ranges, as proven at defcon etc., though it is admittedly the most convenient method. The data can be signed, but I haven't seen anything out there that implements this well just yet.

    4) Timed one time passwords, PushBullet etc.

    This feels like a bonus feature.

    I'm not sure how to go about this. You lose or leak the key then you're screwed.

    Is there a wristwatch or phone app with signed credential sharing based on wearer input, compatible to a standard?

  • Just use diceware. Simple and effective.

    http://world.std.com/~reinhold/diceware.html

  • For passwords I need to be able to remember (not many) or share (initial passwords for user accounts) I use a passphrase generator. Everything else is random 24-character Keepass.

    Plugging my super simple passphrase generator built upon the EFF wordlist: https://spg.brashear.me
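Added example, not from any commenter in this thread: entropy estimates, in bits, for the recipes argued about above (the 80-bit / ~14-character claim in the first comment, the 32-character recommendation it quotes, the posted Ruby one-liner, and the diceware / EFF-wordlist passphrases), assuming every choice is made uniformly with a cryptographic RNG. The 7776-entry list size is the standard Diceware and EFF long-list size; the function names are mine.

```ruby
# Entropy of a uniformly chosen secret is log2(number of equally likely outputs).
# All figures assume a uniform CSPRNG; a biased or predictable generator gives less.

ALNUM = 62             # a-z, A-Z, 0-9
DICEWARE_WORDS = 7776  # 6^5 entries: Diceware list and EFF long list

# n characters drawn independently from an alphabet of `size` symbols.
def random_string_bits(n, size: ALNUM)
  n * Math.log2(size)
end

# k words drawn with replacement from a list of `words` entries.
def passphrase_bits(k, words: DICEWARE_WORDS)
  k * Math.log2(words)
end

# Ordered draw of k distinct items out of n (what Array#sample(k) yields):
# n!/(n-k)! equally likely outcomes.
def permutation_bits(n, k)
  Math.log2((n - k + 1..n).reduce(1, :*))
end

# Structure of the Ruby one-liner posted earlier: an integer in 0...10^9,
# 10 distinct lowercase letters in random order, 10 distinct uppercase
# letters, and a fixed trailing "_" that contributes nothing.
def posted_script_bits
  Math.log2(1_000_000_000) + 2 * permutation_bits(26, 10)
end

# Shortest alphanumeric string that reaches `target` bits.
def min_length_for(target, size: ALNUM)
  (target / Math.log2(size)).ceil
end

if __FILE__ == $0
  rows = {
    "14-char random alphanumeric"     => random_string_bits(14),
    "32-char random alphanumeric"     => random_string_bits(32),
    "24-char random alphanumeric"     => random_string_bits(24),
    "posted Ruby one-liner"           => posted_script_bits,
    "6-word diceware / EFF passphrase" => passphrase_bits(6),
  }
  rows.each { |name, bits| printf("%-34s %6.1f bits\n", name, bits) }
  puts "alphanumeric length for 80 bits: #{min_length_for(80)}"
end
```

Running it shows that 14 alphanumeric characters already clear the 80-bit mark cited in the first comment, and that a 6-word diceware phrase (77.5 bits) is in the same range as a 13-character random string.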

  • What about 8-character passwords with letters, numbers, and symbols? What if it includes non-ASCII characters?

  • Any 'password manager' is a priority target. Just use longish pass phrase and don't walk around with a target on your back.