How is software such as keepass more secure than having passwords all memorized in my brain?
Distribution: Kubuntu 20.04, openSUSE Tumbleweed, Solus
Good day everyone,
I am wondering, since so many people seem to recommend password safes these days, how these software products can be more secure than memorizing passwords and resetting single ones if they are forgotten?
To me, these products feel like a comfortable solution to save time when typing in long passphrases, but the loss of key elements such as certain files or a master password would also result in a huge single point of failure.
Am I missing the picture here, or is it nothing but big hype these days to promote these things?
Original Poster
Quote:
Originally Posted by ntubski
If you memorize all your passwords for each site, you will probably use shorter passwords.
Not for important websites such as my E-Mail provider, Jabber or Paypal.
Speaking of message boards however, this is debatable and tends more towards shorter passwords.
I currently use LastPass, and there is no way I could memorize all 167 passwords I currently have. It also is great for keeping long and complex wifi passwords. It is much easier to autofill 20 character passwords than to memorize them.
If you are the one and only individual who needs access to those passwords, and you can manage that with your memory, then you can do it that way if you like.
If you work with other people, then a password manager is definitely a required tool nowadays.
Well, even for a "one and only individual" I would proceed that way. Since everybody dies one day or another, and you may well have some family members dealing with your bank/email/online service accounts to get them closed, it's something that would be useful (you can leave a copy of the master password in a safe at the bank or something like that).
I use a different password for every account.
That way when a service (like Yahoo) is breached and it's compromised, I simply need to reset that password instead of a larger group (or all) of password/s.
Since password difficulty is the same for any length / complexity, I can use long complex passwords - reducing any chance of a dictionary attack succeeding.
Finally, keepass(x) allows me to make notes on any entry. This is very useful for when some service asks for recovery questions, or provides a PIN for whatever reason. Inevitably, I'd resort to 1111 or something. This allows me to look back months later and see: ah, 4631 - even though it has nothing to do with my password.
Yes, it has cons, and you should take appropriate steps to prevent the file from being corrupted or lost, prevent the file from being stolen, and do your best to keep it updated; it also stops you from accessing your passwords when you don't have access to the database file.
Sefyir's comments about using a unique password for each account are quite on target.
I have well over 100 unique passwords. No way could I remember all of them, and keeping them in an unencrypted file would be quite insecure.
I use KeePassX. I adopted it after a gig at a hosting provider which, for all practical purposes, required--er--suggested strongly--that staffers use it, and I became quite fond of it.
I also find KeePassX's ability to generate passwords to be quite useful.
Original Poster
Quote:
Originally Posted by Ellendhel
Well, even for a "one and only individual" I would proceed that way. Since everybody dies one day or another, and that you may likely have some family members dealing with your bank/email/online service accounts to get them closed, it's something that would be useful (you can leave a copy of the master password in safe at the bank or something like that).
Indeed an interesting aspect I haven't thought of until now.
But then again, who can say the software will remain like this in the distant future, at a point no one wants to know for sure?
I'd basically have to make sure the password is always stored somewhere in reality and in clear text, which could still be stolen due to some stupid mistake.
Quote:
Originally Posted by Sefyir
Since password difficulty is the same for any length / complexity, I can use long complex passwords - reducing any chance of a dictionary attack succeeding.
Finally, keepass(x) allows me to make notes of any entry. This is very useful for when some service asks for recovery questions, or provides a pin number for whatever reason. Inevitably, I'd resort to 1111 or something. This allows me to look back months later and see: ah, 4631 - even though it has nothing to do with my password.
Yes, it has cons and you should take appropriate steps to prevent the file from being corrupted / lost, prevent file from being stolen, do your best to keep it updated and stops you from accessing it when you don't have access to the database file.
From my understanding, the longer the passwords are, the longer crackers have to run their tools to get the proper result.
Now that you mention entry notes, how exactly does that work?
Would the system with my keepass file, for example, send me a mail or Jabber message if someone else tried to open my password container and failed a certain number of attempts?
I'm curious because, as mentioned in the first post, these tools feel like a single point of failure otherwise.
Quote:
Originally Posted by frankbell
I use KeePassX. I adopted it after a gig at a hosting provider which, for all practical purposes, required--er--suggested strongly--that staffers use it, and I became quite fond of it.
Also, I find KeePassX's ability to generate passwords to be quite useful.
Unique and different passwords and passphrases are a must, no doubt, and I'll stick with that method from now on.
Speaking of keepass and its ability to generate passwords, is there a certain pattern or anything to it?
Lots of people say /dev/random is perfect for the purpose of generating random passwords; I myself felt fine with 'pwgen' in case I didn't have an idea for something strange and secure beforehand.
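The question above about mail or Jabber alerts after failed attempts is worth answering with a concrete model, so here is an added example (not KeePass code, and not from any poster in this thread) of what an attacker actually does with a copied database file: there is no server involved, so nothing can enforce a lock-out or send a notification, and every guess is tried offline on the attacker's own hardware. The only brake is the key-derivation function (KDF) that stretches the master password into the decryption key, which KeePass lets you make slower in the database settings. The script uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the manager's real KDF; the salt, wordlist, iteration counts and the "years to crack" figures are constructed for illustration and measured on one CPU core (a GPU cracking rig is faster by orders of magnitude, so read them as relative, not absolute).

```python
"""Offline guessing against a copied password database: added example, not KeePass code.

A stolen database file has no lock-out and sends no alert; the attacker derives a
candidate key from each guess and tries to decrypt.  Each guess therefore costs one
run of the key-derivation function (KDF).  PBKDF2-HMAC-SHA256 stands in here for
the manager's real KDF; salt, wordlist and iteration counts are constructed.
"""
import hashlib
import hmac
import os
import time

KEY_LEN = 32                      # 256-bit key for the (hypothetical) database cipher
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a fixed-size key; cost scales with iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def check_master_password(candidate: str, salt: bytes, iterations: int,
                          expected_key: bytes) -> bool:
    """One guess: derive and compare in constant time.  This is the whole per-guess cost."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations), expected_key)


def offline_crack(wordlist, salt: bytes, iterations: int, expected_key: bytes):
    """Dictionary attack on the copied file.  Returns (password or None, guesses made).

    Nothing here can notify the owner: the file is passive data on the attacker's disk.
    """
    for count, guess in enumerate(wordlist, start=1):
        if check_master_password(guess, salt, iterations, expected_key):
            return guess, count
    return None, len(wordlist)


def seconds_per_guess(iterations: int, salt: bytes = b"\x00" * 16) -> float:
    """Measure the KDF cost on this machine (one core, one guess)."""
    start = time.perf_counter()
    derive_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


def expected_crack_years(entropy_bits: float, secs_per_guess: float,
                         parallel_guessers: int = 1) -> float:
    """Expected time to hit a uniformly random password: on average half the keyspace."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses * secs_per_guess / parallel_guessers / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = os.urandom(16)
    cheap, slow = 1_000, 600_000          # constructed: a cheap and a deliberately raised setting
    master = "correct horse battery staple"
    key = derive_key(master, salt, slow)

    # A weak master password falls to a wordlist regardless of KDF cost: the KDF only
    # multiplies the attacker's time per guess, it does not add entropy.
    wordlist = ["password", "letmein", "hunter2", master]   # constructed wordlist
    found, tried = offline_crack(wordlist, salt, slow, key)
    print(f"dictionary attack: recovered {found!r} after {tried} guesses")

    for iters in (cheap, slow):
        cost = seconds_per_guess(iters)
        print(f"{iters:>8} iterations: {cost * 1000:7.2f} ms/guess on one core; "
              f"40-bit password ~{expected_crack_years(40, cost):.1f} y, "
              f"80-bit password ~{expected_crack_years(80, cost):.1e} y")
```

The two knobs a database owner controls are visible in the last loop: the KDF cost multiplies the attacker's time per guess, and the master password's entropy multiplies the number of guesses. Raising the cost does nothing for a master password that is in a wordlist, which is why the dictionary run succeeds at any setting.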
About pw generators:
As I have experienced, different sites have different password checks/requirements. In general there should be no restriction, but sometimes <> are not accepted, and sometimes ! or something else will cause trouble. So a good pw generator can be configured to use (include/exclude) whatever you need; the length can also be specified, and it is able to calculate something called strength (which is used to check if your pw is weak, so it is actually about weakness).
The generator of keepass is quite good from this point of view.
Quote:
Originally Posted by WaterCatapult
Indeed an interesting aspect I haven't thought of until now.
But then again, who can say the software will remain like this in the distant future, at a point no one wants to know for sure?
I'd basically have to make sure the password is always stored somewhere in reality and in clear text, which could still be stolen due to some stupid mistake.
I'm using Keepass/KeepassX and it's free software, so I have some confidence about its security (more than for a commercial/closed-source product or service). And to avoid any other issue you should also have backups (of the software installer and of your password database). You can even print the content of your database with Keepass and then keep the paper listing in a safe if you like (again, in case of a critical event).
Quote:
Originally Posted by WaterCatapult
Speaking of keepass and its ability to generate passwords, is there a certain pattern or anything to it?
Yes, you can define how many characters you need and which sets are required (upper case, lower case, some symbols, ...). There are also extra options to define your own pattern or to select a custom algorithm, but I have never used those. And you can save your selected options as a profile if you like.
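To make the generator options concrete (length, required character sets, an exclusion list for characters a site rejects, and a strength figure, as pan64 and Ellendhel describe them) and to put numbers on Sefyir's point that long passwords push a dictionary or brute-force attack out of reach, here is an added example in Python. It is not KeePass's generator and is not from any poster in this thread: the character-class table, the symbol set and the default exclusion list are my own choices, and the strength figure is the standard estimate for a uniformly random string, length times log2(alphabet size), which applies only to generated passwords, not to ones a human chose. There is no pattern to the output: randomness comes from the `secrets` module, which reads the operating system's CSPRNG (the same kernel source behind /dev/urandom on Linux).

```python
"""Configurable password generator with an entropy estimate: added example, not KeePass code.

Character classes, the symbol set and the default exclusion list are constructed choices;
a real generator lets you edit them.  Randomness comes from the OS CSPRNG via `secrets`.
"""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;=?@[]^_{|}~",   # constructed set; edit per site policy
}


def class_alphabets(classes, exclude=""):
    """Per-class alphabets after dropping characters the target site rejects.

    Raises if an exclusion empties a required class, which would otherwise make a
    'must contain one of each class' policy impossible to satisfy.
    """
    out = {}
    for name in classes:
        kept = "".join(ch for ch in CLASSES[name] if ch not in exclude)
        if not kept:
            raise ValueError(f"exclusion list removes every character of class {name!r}")
        out[name] = kept
    return out


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length that reaches `target_bits` with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def satisfies_policy(password: str, alphabets) -> bool:
    """True when the password contains at least one character from every required class."""
    return all(any(ch in alpha for ch in password) for alpha in alphabets.values())


def generate(length: int = 20, classes=("lower", "upper", "digit", "symbol"),
             exclude: str = "<>\"'`\\", require_each_class: bool = True) -> str:
    """Draw uniformly from the merged alphabet; optionally reject draws missing a class.

    Rejection sampling keeps each character choice uniform; it discards the strings
    that miss a class, so the real entropy is at most entropy_bits(length, alphabet).
    """
    alphabets = class_alphabets(classes, exclude)
    if require_each_class and length < len(alphabets):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(alphabets.values())
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each_class or satisfies_policy(password, alphabets):
            return password


def describe(length=20, classes=("lower", "upper", "digit", "symbol"), exclude="<>\"'`\\"):
    """Report alphabet size and strength for a configuration, without generating."""
    size = sum(len(a) for a in class_alphabets(classes, exclude).values())
    return {"alphabet_size": size, "bits": round(entropy_bits(length, size), 1)}


if __name__ == "__main__":
    for cfg in ({"length": 20},
                {"length": 12, "classes": ("lower", "digit")},          # short and small set
                {"length": 28, "classes": ("lower",), "exclude": ""}):  # long, lowercase only
        info = describe(**cfg)
        print(f"{cfg}: alphabet {info['alphabet_size']}, ~{info['bits']} bits -> {generate(**cfg)}")
    print("length needed for 128 bits with 26 lowercase letters:", length_for_bits(128, 26))
```

The third configuration is the point Sefyir makes: a long password from a small alphabet can be as strong as a shorter one from a large alphabet, which matters when a site rejects the symbols you would otherwise use, and `length_for_bits` tells you how long to go to compensate.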