>Use a password manager like Enpass or 1Password
Lol, both call themselves the "best password manager". Instead of such commercial products you can also recommend an open, completely free one: KeePass https://de.wikipedia.org/wiki/KeePass | https://keepass.info/
Never ever reuse the same password on two or more different sites!
Here's what you need to do:
If you do this, you'll be protected from current & future data breaches, and put yourself in a safer position that you shouldn't be targeted in the future.
I wouldn't pay them - they probably only have your password and if it's a common one, maybe they have a few random pieces of data on you. It's unlikely though, they're probably bluffing. It's useless to pay them - nothing stops them from collecting the Bitcoin and immediately releasing whatever stuff they have on you, or continuing to exploit you and shake you down monthly or yearly.
Then why the hell is http://keepass.info/ not https://keepass.info/ ?
A Let's Encrypt cert would be easy to do...
Ninja edit: They DO have a web server up on https://keepass.info:443/ but the cert is for a different domain.
For online backups of sensitive information you can use a dedicated password management application like KeePass. Even if your PC is hacked the passwords, and any other information in it, are still protected by encryption requiring a second password. I have it on Windows, Linux, and my iPhone with my database on Dropbox so I can easily access it from wherever I'm working.
What you should never do is keep your sensitive information online in a way that just anyone who uses your logon or computer can read or use. Letting your browser store passwords for automatic logins for example, or keeping them in a spreadsheet or document.
Little known fact: Computer security is rated by how long it takes to crack (difficulty), not whether or not it can ever be cracked. Anything man-made can be man-hacked. What you want is something that can't be hacked in at least the next few years.
(Don't kill the messenger. This explanation is too short and simple to cover all technical security possibilities, but it is a good enough place to start and it is what I tell family members.)
> how do you know pasword manager doesn't have security flaws?
My password manager (KeePass) is free and open source and regularly audited by security experts, and so far the only exploits found have required local admin access (at which point you're hosed anyway).
More importantly though, having my passwords stored in a local KeePass database doesn't expose me to any risk that simply entering the passwords doesn't also expose me to, and it mitigates the substantially larger risk that password reuse creates.
If you use a password on two sites, then one of those sites being breached means that your account on both those sites is compromised.
If you use the same password everywhere, a breach on one site is a breach everywhere for you.
With a password manager (like KeePass) and unique passwords for every site, even if this site is breached, you still will be safe on all the other sites you use.
If you want to check whether your existing passwords have been breached, check out haveibeenpwned, which is a free service run by a security expert at Microsoft to notify people when their accounts on various websites are confirmed to have been breached.
Always treat these 'security questions' as additional passwords. I do that, then store them in my password manager (KeePass2). That way a) no one that knows you would be able to know the answer and b) you don't need to remember them.
KeePass2 is brilliant. Runs on Windows and Android. I keep the (encrypted) file on an ownCloud and can access it from all devices via WebDAV.
On Android there are two versions in the Google store.
Practical Advice -- Change your passwords. If you're like most people and are re-using names/passwords, you're vulnerable if just one of them fails.
Use a program like Keepass (https://keepass.info/). It can randomly generate passwords for you, and you then only have to remember the one password that unlocks your database.
+1 for KeePass. It's compatible with basically anything (though I'm currently having trouble getting auto-type to pass through to a Hyper-V VM), and has some QoL features that make it usable. It's not as nice as, say, 1Password browser integration, but auto-type with window context works quite well. Clients are available for all the major desktop and mobile OSes.
I use KeePass and a USB stick. That still requires me to trust that KeePass doesn't have a backdoor, but given that it's open source and has received a security audit I'm much more comfortable with that than a black-box web service that could have compromised servers or be vulnerable to an XSS attack of some sort.
I know some people who use a text file encrypted with openssl's command line tools; it's just less convenient and not as easily portable.
If you're worried about security just use KeePass, son - hosted locally, not in the cloud.
A local based PW manager is less convenient than a cloud hosted one but that's the trade off between security and convenience
KeePass can perform synchronization between different versions of a single database.
Syncthing keeps all of the conflicting versions accessible, so you just sync them all on any device and you're good.
First of all: Use a password manager. Just go download something like this. AND DO NOT REUSE PASSWORDS, PLEASE. What makes it hard for me is that the email you got is something so many people get. It is not specific to a person, so this hints at either the password being slightly similar to an older one or you having a keylogger on your device. The latter is really, really unlikely. The best thing to do is update websites where you used the same/similar password and replace them with a generated password. Yes, for each site. Most importantly: we do not know the hashing algorithm. SHA1? MD5? Hell, they may have used the Caesar cipher \s.
For people that want to learn about proper password storage: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Consider KeePass (open-source, Windows, audited by the EU) or KeePassXC (open-source, cross-platform, community version of KeePass, not audited but potentially more eyes on it in day-to-day development).
It's certainly not as pretty, but if you care enough to use a password manager, it makes no sense to use a proprietary one.
If you are looking for a password safe that is offline, I've used Keepass for years without issue. It has tagging, a decent organisational system, plugin support, and a built in password generator. It also supports usbkeys and other hardware encryption tools. For better cross-platform support there is KeepassXC, and for Android there are a few apps which you can use.
The biggest caveat is having to personally handle backups, though there are plugins to assist that. While I usually use Syncthing to sync the database on my machines, you can also make a key + password combo for your database, sync the key on one cloud database and the database on the other. That way, even if both cloud services are compromised and fall into the hands of the same group, they would still need to figure out the master password.
> As you already noted, don't use the same passwords on services you consider important.
This can't be stressed enough, especially nowadays when all services are often linked to each other (one email's password reset goes to a second, whose reset goes to a third, whose reset goes to the first, and so on). I use KeePass myself, with which I generate a random 20-30 character password for every service, and in which I also keep the passwords behind a strong master password. The program is open source and has no central server where the passwords are stored; instead they are kept in an encrypted file on your own machine (backed up to n+1 places, of course).
Still my go-to password manager. Funny thing is the EU gave this project a free security audit and besides using a weaker rand function it came out with flying colours! They also fixed that issue almost instantly. See all of its accolades. It really is the true libre alternative, and it's so powerful.
I recommend KeePass; it's open source, you are in charge of your password file and there are a lot of different apps for nearly all devices.
I personally use KeePassXC on Windows and Linux, and there is also KeeWeb, which runs in a browser either locally, self-hosted, or on their site.
My suggestion is to use some password manager (1Password, KeePass, LastPass, etc.). Personally, I use KeePass because it has no direct interactions with the network and/or browser, which limits its vulnerability surface. I sync its database between my devices via Dropbox.
In practice, this means I only need to know one password to access my things, and I also don't need to keep remembering whether I've already registered on some site or not.
If you do not believe you have been infected and have no Internet-facing ports open,
A:
Done.
B:
If you believe you have been infected or you had any Internet-facing ports open or are very cautious,
Done.
Other security advice: Router Security Checklist.
Keepass works with local databases. [Bitwarden](bitwarden.com/) stores encrypted muddle on its servers. You can self-host it; then you store the encrypted muddle.
Just use one like those two and you're protected against that
Use a local password manager, like KeePass and ensure you take regular backups of the password database somewhere.
It's one thing to store procedures in a web document on how to do things, but credentials should be stored separately and much more securely.
Keepass/KeepassXC have this. They use the same db file type so you can try both without having to export your passwords. The only differences I've experienced in my normal usage is that Keepass has a sync feature which makes it a bit easier to keep backups, and KeepassXC has better browser support through the extension.
This is terrible advice. Have I Been Pwned is a totally legit way of learning when and where you've been compromised. It's free, convenient, and not intrusive.
Yes, they're affiliated with 1Password, but there is nothing shady going on at all. They don't send you e-mails unless you ask.
Y'all should be using a password manager anyway. Here are the most popular:
Read up on them, and pick one that works best for you. Also use 2 factor authentication whenever possible. If the terms "password manager" and "2 factor authentication" mean nothing to you, please do some googling and save yourself some future headaches.
Have a look at KeePass. It is open source so you can download all of the binaries and source code needed to compile the program. When I was beginning development/code it always helped when I could look at other code that has been properly vetted by tons of experts (and I'm still by no means an expert).
Keepass may be a starting point for your project too. Who knows?
KeePass (the original version) on desktop and KeePass2Android on mobile and then sync through a cloud storage provider.
It'll take a little time to setup but once it is you're done and it'll give you the most options.
This is it!
Use https://keepass.info/ and profit. Needs some time to set up with all your stuff. But it is worth it so much and it is secure, I don't trust a profit company with all my pw in a cloud service. Would never do that.
Use KeePass to save all your accounts.
Make multiple copies of the file and key.
Also you can export as a CSV that can be printed and placed somewhere safe.
Good luck, hope you pull through.
I use KeePass mainly because I started using it before those browser extensions like LastPass, 1Password & Co started appearing. It has some browser integration through 3rd party extensions and I store the database file on my Google Drive to share it across devices.
The ability to store files, like ssh keys, and blobs of arbitrary text, for recovery keys, in the password database is also a big plus.
Personally I use Keepass.
KeePass is the one I use, it works offline with all the info in an encrypted file, rather than being in an online service. You can just put the file to be synchronised in something like dropbox/onedrive though if you want remote/mobile access
Put your email in here, see what sites it says your passwords were compromised on:
If you re-used passwords, change any that are the same as those breached sites
Use complicated unique passwords in future. Use a password manager. This is a simple free one, you can find many others that are paid
Start using 2fa for every site that supports it
Yup! Keepass is one such manager, which stores everything offline: https://keepass.info/
Obviously if anything happens to your password database, and you aren't backing it up, you lose all your passwords.
This is also why it's a good idea to have a different password for every site you go on. If your password for AO3 is the same as your PayPal or online banking password, then a phisher will get access to your money. So if you did accidentally put your login information into that fake site, make sure the same password isn't used anywhere else.
When in doubt, use a password manager to generate and store unique passwords for each site. I personally like KeePass.
Goodness. Don't use AutoHotKey for what Keepass was designed for. https://keepass.info/ and your logins are stored securely in an encrypted DB with auto-completion based on window name with the ability to allow you to select from multiple logins in cases where you have more than one.
So for example, you could have LoginA, LoginB, LoginC for Guild Wars 2, you setup a Keepass entry for each login with the appropriate password for each, then you tie those logins to the Guild Wars 2 login window so Keepass knows that those logins are bound to that program and when you press whatever your Auto-Completion keystroke is, it'll pop open a dialog to allow you to choose which account it should enter from among LoginA, LoginB, or LoginC (it will only suggest logins that you've tied to that window) and then it will fill in the login automatically and submit it. It can do this for everything on your computer so you need only know the password to decrypt your database and you're good to go.
>Who-wants-to-remember-or-type-a-password-that-is-100-characters-long?Sounds-really-annoying-to-me!!!
There you go, a 100 character password that should be fairly easy to both type and remember.
Furthermore, if you use a password manager such as LastPass, 1Password, or KeePass you only need to remember a small handful of passwords. I couldn't tell you my password for 95% of the services I use, but they are all 50-100 characters long (assuming the service supports that) and stored encrypted by my password manager. Highly, highly recommend for convenience and security.
As a general rule, it's probable that your card information will eventually be compromised if used on the internet. I recommend these steps to limit your exposure and risk:
Quite possibly You Don't Want XTS. XTS does leak data if an attacker can observe multiple versions of the ciphertext. That's a problem any practical full-disk encryption has. Which is why encrypting files with AEADs is generally a better choice. FDE is a "last resort" encryption, and container files using XTS like True/Veracrypt use are far worse than encrypting the entire disk. XTS is only safe if the attacker only gets a single chance to see the encrypted data (an "evil maid" attack), not if they can continually observe it (eg container file on cloud storage).
KeePassXC uses the KDBX4 format which uses HMAC-SHA-256 to authenticate the ciphertext. It's IND-CCA2 secure, and doesn't leak data (other than total size) about the contents.
If you want to encrypt arbitrary files, I'd generally recommend age.
Or it's a bad password: change your email password and bank ... And don't reuse it / or a variant of it on anything else. Most of the time this kind of thing happens from password reuse, when it happens over and over.
And consider using a password manager and set all password to random gibberish and keep a master password you only use in the password manager. https://keepass.info/
If not, tell him to use a different gas station or ATM; the one he uses might have a skimmer or something. Tug hard on the card feeder areas; if it moves you will probably find a skimmer.
> I remember mostly the words
Either you remember them or you don't. Uncertainty about capital letters isn't too hard a problem to solve. Uncertainty about the characters in the password is effectively called "not knowing the password".
You could script this in any language you like and try the generated passwords via https://keepass.info/help/base/cmdline.html
You basically need to create your own tool.
Or use randomly generated passwords that take any repetition and patterns out of your passwords. This LPT is probably on the edge of being dangerous advice to give out.
Use something like KeePass if you're looking for something free. LastPass if you're willing to spend a few bucks for online syncing.
Take a look into using password managers (KeePass, LastPass, 1Password). One bad thing about it is all your passwords are in one location. There have been times when LastPass was hacked (your data is encrypted).
Assuming you are using either Firefox or Chrome, use the following browser extensions: uBlock Origin, Privacy Badger, HTTPS Everywhere.
I wish you the best.
KeePass 2's synchronization tool might get the job done. It was designed for multiple versions of the same database, not separate databases, but it should work. You'd have to make the master password the same on both databases first. As always, make backup copies of your databases before attempting this.
for the hacking issue, use this -
https://my.norton.com/extspa/idsafe?path=pwd-gen
generate yourself a 20 character password for your twitter, and keep it locked up with keepass - https://keepass.info/
also make sure you have dual (at the very least) authentication set up for your twitter.
What do you mean? It gets updated all the time
> KeePass 2.39 (2.39.1) released
> 2018-05-06 11:43.
>
> KeePass 2.38 released
> 2018-01-09 17:54.
>
> KeePass 1.35 released
> 2018-01-02 14:25.
>
> KeePass 2.37 released
> 2017-10-12 13:16.
password manager! it's stupid not to use them for anything worth hacking. 20+ long random passwords for each site. a free, open source one is KeePass
also it does not hurt to use multiple emails for different sites.
It’s off-topic, but I can recommend to everyone using a tool like KeePass ( https://keepass.info ) for managing passwords.
At work alone I literally have about 200 separate accounts for applications, databases, etc.
Privately I am probably approaching that number as well.
There are versions for different operating systems and also for mobile devices. It’s very convenient!
If you have a firesafe for family documents or similar, you could do what me and my father do, we keep a record of our passwords (or in my case, my laptop password and a recovery password for my Bitwarden Cloud password database) inside a database file that you open with a program called "Keepass" on a USB disk, along with a copy of the installer, that sits in the safe labelled up, so in the event either of us dies, we have a way to access an encrypted database of that person's passwords so they can get into the machine or any web accounts and recover personal data and close accounts. Each USB has an unlock password that only we know so the password files are safe but can be accessed in an emergency
The rest of the family's not what you'd call technical, so we'll just have to break in the old fashioned way...(we've tried to set this kind of thing up for them, but no luck)
KeePass is a good option for this. Open sourced and you control the database file (store it locally, on a flash drive, or in the cloud if you choose). Apps available on most if not all major platforms (Windows/Linux/Android is what I've used, looks like it's available on Mac and iOS as well).
Good explanation as well, reuse of passwords is the worse thing you can do. Use a tool to randomize it, and remember a single long and complex password to the database.
One other thing you can do is enable 2 factor authentication on any website that supports it. This is where you use an app or your cell phone number to receive time limited authentication codes whenever you log into a new device. This helps stop hackers, since in order to bypass this they would need both your passwords and access to either your cell carrier (for SMS based 2 factor auth) or your phone for app based authentication. Or a site like Authy would need to be hacked as well if you use that.
Combined, a randomized password + 2 factor authentication should provide a high level of security, particularly useful for banking and social media websites.
hi, yes you can use Keepass with software as well. Look for the Auto-Type and global hotkey features. Keepass uses the window title (and more) to identify the entry.
The URL field is optional and not limited to http(s)://. For example, you can define ftp:// or cmd://myapp.exe
https://keepass.info/help/base/autotype.html https://keepass.info/help/base/autourl.html
Sorry for the sincerity, but using Smart Lock is madness.
I strongly recommend you start using a local and open source password manager like: https://keepass.info/
You can find it in the Ubuntu Software Center. Just don't forget to back up your database in a secure place.
While it's a good sentiment to alert people to this, most folks in this sub would know https://keepass.info is the official site, you'd do better posting this in one of the more general subs like /r/techsupport.
Also, be careful, looking at this post and some others you've posted recently, you're sailing very close to violating Rule 2 of the sub. It's really not clear what your relationship to the Infoteam business or their blog is, so it may be worth padding out your posts a bit more instead of just a few words and a link to one specific blog. (Just a friendly warning as I know there are a few on here that tend to be quite hot on stuff like this).
https://keepass.info/ with the database on my dropbox, but it would be better to have the database syncing to my home NAS, been too lazy to get that setup though since I need something cross platform.
To install xdotool use this command:
sudo apt-get install xdotool
Apart from that see this page for auto-type help
https://keepass.info/help/base/autotype.html
^^Sorry_for_bad_format_i_am_using_mobile_rn
Keepass2Android has native integration for some cloud providers. If you're using any of them, then K2A will keep its end synced by itself.
On Windows, don't open the database directly from the cloud provider location. See here https://keepass.info/help/kb/trigger_examples.html#dbsync
The KeePass site clearly states how KeePass generates random numbers:
https://keepass.info/help/base/security.html#secrandom
Yes, you can add additional mouse movement entropy to password generation; it's the last option in password generation, which can collect additional user input as entropy.
HOWEVER It doesn't matter, it's pointless.
This is the right answer.
MFA everywhere.
Get a password vault and use it to randomly generate your passwords for each site.
Scan everything you download for the rest of your life with virustotal
Patch your shit, allow updates, etc....
Block this person from contacting you.
and be hyper vigilant
KeePass is no online service, it's a regular program that creates an encrypted file with your passwords. Then you can if you want put that file on say dropbox or onedrive to access it anywhere.
That way you are in control of how you distribute and access your passwords. KeePass is also open source if you wish to inspect the code.
I completely agree with you regarding online password services, but KeePass is good stuff.
Local password storage and management (never forget a password again, doesn't offload your passwords to some dodgy 'cloud' location). If you use Firefox you can use Kee for full browser integration.
No, no, no. LastPass isn't open-source, had security issues (even Wikipedia lists major four), its extensions work strange sometimes and even their design is ugly for me. The most recommended password manager is surely open-source and community-driven KeePass with KeePassXC as a desktop client.
I use KeePass https://keepass.info/ for my desktop.
I use MiniKeePass https://itunes.apple.com/app/id451661808 for my iPhone.
I manually sync them over & use my desktop as the "Master" copy.
Keepass is great for storing passwords. And you only need to remember just one password. I actually have no idea what my passwords are for most things I use, they're all a totally random assortment of numbers and letters and such.
The whole LastPass, cloud-synchronisation still isn't secure and if they wanted your password they could still access it.
Something like Keepass where you store all your keys offline is much safer, although, there isn't built-in synchronisation. It does have a great password generator and overall quite nice. You can use a chrome or Firefox plugin to fill forms and another plugin to sync to Dropbox or Google Drive as well.
I'm also surprised that they never even mentioned HaveIBeenPwned to see if your email and current password have ever been compromised.
i recommend keepass. it's free and since it's open source, you can be relatively sure that it's safe to use.
keepass works locally on your machine, meaning it doesn't upload to a cloud or to some company's servers, so you never have to worry about some hacker getting into a company's files and getting all your passwords. so if you're smart about it, it's virtually impossible for a malicious attacker to get all your passwords.
Based on the release history, you are clearly confusing KeePass with a different software package. Perhaps you are thinking of KeePassX.
Hey there! The thing is that it's intended as a second factor. This means that if either your password is stolen, or your key is stolen, then they still don't have access to your account - and you have time to either change your password or cancel your second factor.
If physical safety is a concern, then I'd perhaps suggest that in terms of security then the best next step you can take to improve your security is to use a password manager if you aren't already. By using a password manager, you can use autogenerated passwords which are much stronger, and you don't have to remember them either.
Personally I use Keepass, but it can be somewhat complicated to setup and sync. For ease of use others in my family use Firefox + Firefox Lockwise, and I've heard good things about Bitwarden - though I haven't tried it myself.
I've never done it but I think the synchronization option in keepass might do what you're looking for. I think KeepassXC also has something similar.
[Edit] Make sure to backup both files before trying, just in case.
Yes, use Global Auto-Type. It can be invoked with Ctrl+Alt+A. A big part of getting this to work 100% is to set up custom sequences for specific windows. You can find this in the Auto-Type tab when editing your entry. This way, you can make your entries match any window you need just by specifying the window titles or browser tab titles you need.
It does not work this way.
KeePass is an open source program, the original version of which was made exclusively for Windows. That's what is called KeePass, without further qualifiers.
Other developers have forked the code to create alternatives either for Windows, or for other platforms: Mac, Linux, Android, iOS, web apps. Those forks bear modified names, usually with KeePass in it (but not always).
There's no CEO of KeePass-dom granting official endorsements to this and that version. There are reputations, built by users.
You can nevertheless find a list of those forks on the site of the original KeePass, including some for Macintosh. They are called "contributed / unofficial ports", which reflects the fact that the original KeePass developer does not vouch for them.
Nevertheless, you might consider that if a version was downright dangerous or malicious, it wouldn't be listed there. Also, Dominik Reichl, the developer, insists on a naming convention for the forks, as you will read on this page. He does not have the means to enforce it, but authors of forks generally follow it.
PSA: Please don't trust this blindly and start storing your seeds / critical data with this unless the author shares the source code since he claims it's open source.
An alternative is https://keepass.info/ which has years of development and open source code
>How can I secure all my tools as much as possible, given that I buy quite a lot online?
Since you did like most people, I assume you have plenty of emails with login details in the Hotmail inbox that was compromised.
To limit the damage, you'll first need to change the passwords of all the services for which you reused the password that let you log into your Hotmail account.
Next, you need to set up 2FA on all sites that allow it. Use Authy rather than Google Authenticator, as it lets you back up the seeds of your 2FA. You'll thank me when you change phones. Don't use SMS 2FA except as a last resort.
Since you're going to change a bunch of passwords, take the opportunity to use different ones, and use a solution like KeePass to store/generate them.
In general, I'd avoid storing payment info on sites. I only do it on those that offer 2FA, and even then.
>Can someone access all my data or monitor my activities by having infiltrated my PC, laptop or tablet?
Yes, but that's not the case here. It's simply email access. They'll also have access to all the services for which you used the same email/password. Check that there have been no email-change notifications for services in your inbox (look in the trash).
>Should I file a complaint (I already did it online for my iTunes hack)?
You can, but you'll quickly realize the police are useless unless someone's dead.
That's the point of the password manager. I use KeePass because I want to have more control over my manager. It has over 200 passwords that are all around 20 characters in length that are randomly generated with lower case, upper case, numbers and special characters, but I don't know any. I don't even know my PayPal password, only my manager's database password.
If you want to hear from experts on how to have secure passwords, computerphile did an episode on it and also an episode on password cracking. Highly recommend the second if you're curious on how your password may have been compromised so you can better defend against those attacks.
Here is my advice to everyone. Use a password vault that stores your secrets on your own hard drive and can also run on your phone. This way you can use auto-generated gibberish for your passwords. I use KeePass.
I recommend KeePass. Just create one strong password that you have memorized. It generates even stronger random ones for accounts you store in it. It's clean, simple, and easy to back up.
For back ups, you can easily create a trigger that backs up your database, say, every time you close it. Following this trigger example on Linux, you would set:
File/URL: cp
Arguments: "{DB_PATH}" "/home/USER/backup/{DB_BASENAME}.{DT_SIMPLE}"
(Where USER is your username)
Then every once in a while, you might save a copy of your latest back up on a flat drive or in a secured repository.
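A shell equivalent of that backup trigger, added here as an example (not code from the KeePass project): it derives the same {DB_BASENAME} and {DT_SIMPLE} values the trigger expands, verifies the copy byte for byte, and prunes old copies. The backup directory, the keep count and the timestamp format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the KeePass project.  Mirrors the trigger
# above ("cp {DB_PATH} /home/USER/backup/{DB_BASENAME}.{DT_SIMPLE}") as a
# plain shell function that a trigger or a cron job could call, and adds
# two things the bare cp lacks: a verification of the copy and pruning.

backup_kdbx() {
    db="$1"                   # {DB_PATH}: full path to the .kdbx file
    dest="$2"                 # backup directory (assumption: creatable)
    keep="${3:-10}"           # copies to retain; 10 is an assumed default

    [ -f "$db" ] || { echo "no database at $db" >&2; return 1; }
    mkdir -p "$dest" || return 1

    base=$(basename "$db")                  # {DB_BASENAME}
    stamp=$(date +%Y%m%d%H%M%S)             # assumed to match {DT_SIMPLE}
    out="$dest/$base.$stamp"

    cp "$db" "$out" || return 1
    # A backup you have not verified is a hope, not a backup.
    if ! cmp -s "$db" "$out"; then
        rm -f "$out"
        echo "copy of $db did not verify" >&2
        return 1
    fi

    # Prune: the timestamps sort lexically, so the oldest copies come first.
    n=$(ls -1 "$dest/$base".* 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -gt "$keep" ]; then
        ls -1 "$dest/$base".* | sort | head -n "$((n - keep))" | while read -r old; do
            rm -f "$old"
        done
    fi
    printf '%s\n' "$out"      # path of the verified backup
}

# usage (paths are placeholders): backup_kdbx ~/Passwords.kdbx ~/backup 10
```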
And why not use KeePass (https://keepass.info/) which is opensource with many functions not only for online resources passwords? You can "add" online sync using any cloud services from big companies: Dropbox/Google/Microsoft/Amazon/etc. https://www.howtogeek.com/165882/how-to-use-keepass-in-your-browser-across-your-computers-and-on-your-phone/
Well, there are multiple options that would improve security. Explaining everything would take very long, so just head to the official site keepass.info, which has everything in great detail, but in general:
NOTE: Keepass was never designed to be used as a cloud based password manager but a local password manager.
This is a good time to remind people about the importance of password managers (like KeePass, which is free and open source and regularly audited).
With a password manager and unique passwords for every site, even if this site is breached, you still will be safe on all the other sites you use.
If you use the same password everywhere, a breach on one site is a breach everywhere for you.
If you want to check whether your existing passwords have been breached, check out haveibeenpwned, which is a free service run by a security expert at Microsoft to notify people when their accounts on various websites are confirmed to have been breached.
I use keepass, it is free, runs on your desktop (no web), you can put the password file (vault) on a cloud drive (dropbox) and keep it backed up and synced, even to your phone.
I posted this in another thread - since it is affecting so many people.
There have been major hacks releasing millions of usernames and passwords (from other companies) in the past few years.
If you have not checked already I suggest everyone going to this website and typing in their email.
If your email appears on ANY of the sites that get listed, I recommend changing your password to those sites immediately as well as any site you use the same password on if you have not done so already.
99.9% of all "hacks" are because users reuse the same password on multiple sites. If you have trouble remembering passwords, I suggest using a 3rd-party offline service like KeePass (do not save passwords in your browser autofill - that can easily be hacked).
I was about to post an angry comment about how it is unfair to call a private server "unsecure", but then I realized they can actually royally fuck you over. Here are some ways:
I'm probably too late in this topic for anyone to actually see this, but hopefully I'll educate at least one person, who can then spread it on.
**EDIT:** Accidentally pressed ctrl+enter instead of shift+enter :(
A.) Use Argon2 instead of AES-KDF
https://keepass.info/help/kb/kdbx_4.html
https://courses.csail.mit.edu/6.857/2017/project/21.pdf
"This requires attackers to either buy quite sub-par generalized hardware, or a different set of ASICs for each target, which presents a significant pragmatic limitation."
B.) KeePass supports 'key files'.
Password + key file = the end for all brute force attacks.
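To check which KDF a database actually uses (and its Argon2 cost parameters), here is an added Python example that walks the KDBX 4 outer header; it is not KeePass's own code, the two sample headers are constructed inline, and the field IDs, VariantDictionary layout and KDF UUIDs follow the KDBX 4 page linked above.

```python
import struct
import uuid
# Signature words, KDF UUIDs and VariantDictionary value types as documented for KDBX 4
KDBX_SIG1, KDBX_SIG2 = 0x9AA2D903, 0xB54BFB67
AESKDF_UUID = uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea")
ARGON2D_UUID = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c")
ARGON2ID_UUID = uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6")
KDF_NAMES = {AESKDF_UUID: "AES-KDF", ARGON2D_UUID: "Argon2d", ARGON2ID_UUID: "Argon2id"}
VD_UINT32, VD_UINT64, VD_BYTES = 0x04, 0x05, 0x42
DECODERS = {VD_UINT32: lambda r: struct.unpack("<I", r)[0], VD_UINT64: lambda r: struct.unpack("<Q", r)[0]}

def parse_variant_dict(buf):
    """Decode a VariantDictionary: 2-byte version, then (type, name, value) entries, 0x00 terminator."""
    out, pos = {}, 2
    while buf[pos] != 0x00:
        vtype, pos = buf[pos], pos + 1
        nlen = struct.unpack_from("<i", buf, pos)[0]
        name, pos = buf[pos + 4:pos + 4 + nlen].decode(), pos + 4 + nlen
        vlen = struct.unpack_from("<i", buf, pos)[0]
        raw, pos = buf[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        out[name] = DECODERS.get(vtype, bytes)(raw)  # byte arrays (salt, $UUID) are kept raw
    return out

def kdf_info(header):
    """Walk the KDBX 4 outer header and return (kdf_name, params) from field 11 (KdfParameters)."""
    sig1, sig2, version = struct.unpack_from("<III", header, 0)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2) or version >> 16 != 4:
        raise ValueError("not a KDBX 4 header")
    pos = 12
    while header[pos] != 0:  # field ID 0 terminates the header
        fid, size = header[pos], struct.unpack_from("<I", header, pos + 1)[0]
        data, pos = header[pos + 5:pos + 5 + size], pos + 5 + size
        if fid == 11:
            params = parse_variant_dict(data)
            return KDF_NAMES.get(uuid.UUID(bytes=params["$UUID"]), "unknown"), params
    return None, {}

def build_header(kdf_uuid, entries):
    """Constructed sample: a minimal KDBX 4.0 header that carries only the KDF parameters."""
    vd = b"\x00\x01"  # VariantDictionary format version 1.0
    for vtype, name, raw in [(VD_BYTES, "$UUID", kdf_uuid.bytes)] + entries:
        vd += bytes([vtype]) + struct.pack("<i", len(name)) + name.encode() + struct.pack("<i", len(raw)) + raw
    vd += b"\x00"
    end = bytes([0]) + struct.pack("<I", 4) + b"\r\n\r\n"
    return struct.pack("<III", KDBX_SIG1, KDBX_SIG2, 0x00040000) + bytes([11]) + struct.pack("<I", len(vd)) + vd + end

# Two constructed headers: Argon2d at 64 MiB / 2 iterations / 2 lanes, and AES-KDF at 60000 rounds
SAMPLE_ARGON2 = build_header(ARGON2D_UUID, [(VD_UINT64, "M", struct.pack("<Q", 64 << 20)),
                                            (VD_UINT64, "I", struct.pack("<Q", 2)), (VD_UINT32, "P", struct.pack("<I", 2))])
SAMPLE_AESKDF = build_header(AESKDF_UUID, [(VD_UINT64, "R", struct.pack("<Q", 60000))])
```

With a real file, pass the first few kilobytes read from the .kdbx; a result of "AES-KDF" is the cue to switch the database to Argon2 in its database settings.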
Yes, this is possible (to some extent) using a "key provider" plugin. The most common are probably OtpKeyProv for apps like Authenticator and KeeChallenge for Yubikey, but there are others for things like smart cards or certificate stores. See https://keepass.info/plugins.html
KeePass => File => Import => LastPass CSV
Once you have a KDBX database going (and verified that the import was successful), you can then go to a fork.
Keepass2 - works across many platforms and is nice and stable.
https://keepass.info/index.html
The addons-Extensions for Firefox and Chrome/Chromium integration make it a no-brainer.
I have it running offline on Linux distros, tablets, phones and even Window$ - been at it for years. P¬))
From the keepass help:
> An entry is considered to be usable for the current window title when at least one of the following conditions is fulfilled:
>
> The title of the entry is a substring of the currently active window title.
>
> The entry has a window/sequence association, of which the window specifier matches the currently active window title.
So, do you have window-specific associations defined for one or more of the entries that pop up? Or perhaps you have multiple entries whose title is part of the active window title? For example "Banking" and "Login" entries and your window title is "Login to Online Banking" or similar.
URL and username/password are irrelevant (unless you have a plugin to make the URL relevant or to put the URL in the window title). Window titles are king. If you don't want multiple entries to match then look very carefully at why each entry's title matches the window title and change them to make them unique.
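As an added Python model of the two matching rules quoted from the help (not KeePass's own code), with constructed entries that reproduce the "Banking"/"Login" collision and a renamed set that resolves it; the simple-wildcard handling and case-insensitive comparison are assumptions of this example.

```python
import re

def window_matches(spec, window_title):
    """Simplified KeePass window specifier: case-insensitive, '*' matches any run of text, '?' one character.
    (Assumption for this example: the //regex// specifier form is left out.)"""
    pattern = ".*".join(".".join(re.escape(p) for p in part.split("?")) for part in spec.split("*"))
    return re.fullmatch(pattern, window_title, re.IGNORECASE) is not None

def usable_entries(entries, window_title):
    """Apply the two conditions from the help text and report which one fired for each entry."""
    hits = []
    for entry in entries:
        by_title = entry["title"].lower() in window_title.lower()  # case-insensitive is an assumption here
        by_assoc = any(window_matches(s, window_title) for s in entry.get("associations", []))
        if by_title or by_assoc:
            hits.append((entry["title"], "title is a substring" if by_title else "window association"))
    return hits

# Constructed sample entries reproducing the collision: two generic titles both sit inside the window title
SAMPLE_ENTRIES = [
    {"title": "Banking"},
    {"title": "Login"},
    {"title": "Example Bank", "associations": ["*Online Banking*"]},
    {"title": "Work mail", "associations": ["Outlook - *"]},
]
# The fix from the comment above: unique titles, with matching moved into specific window associations
FIXED_ENTRIES = [
    {"title": "Example Bank", "associations": ["*Online Banking*"]},
    {"title": "Forum login", "associations": ["Log in - Example Forum*"]},
    {"title": "Work mail", "associations": ["Outlook - *"]},
]
```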
Hi, you can use the plugin: KeePass Fields Admin Console (SourceForge and listed in KeePass Plugins).
Saves you a LOT of time to edit multiples entries in batch.
There is a "Disable Clipboard Capture" setting you may want to consider (in Admin -> Configuration -> Application Configuration -> Other Settings).
Consider using a password manager that can autotype the password into the currently active window and doesn't rely on the clipboard. For example, the open source Keepass. Other password managers may have a similar function. YMMV.
I've also heard there is a "Clipboard Helper" extension in screenconnect marketplace. If you disable clipboard sync in screenconnect you can still send the contents of your clipboard to the target computer ("Send Clipboard Keystrokes" command). Certainly less convenient, but more secure.
KeePass has an import feature. It’s under the “File” menu. See: https://keepass.info/help/base/importexport.html. You’ll be able to import from another KeePass file to “merge”.
If you have a strong enough, unique password, it probably is perfectly fine. There are some caveats (you're a possible target of a state actor) but if you have a good password, then there's almost no chance a hack of Dropbox or any cloud service will be a problem.
Most hackers aren't going to brute-force all databases due to the length of time and power needed to do so. Now, if you're a possible target of a nation state (e.g. China is targeting you specifically), then it's probably not a good idea, but for most users it really isn't an issue. It's too costly to brute-force every user's KeePass database for most hackers. Even KeePass themselves say it shouldn't be a problem.
Now, I'd still recommend using a keyfile or yubikey to secure the DB but even without that, with a strong enough password, it shouldn't be a problem. I'd also recommend a personal cloud server, like NextCloud, instead of DropBox but that's asking a lot of most users.
"Assuming password managers encrypt your login ids and passwords to the various services you use using a secure, one way hash."
Incorrect assumption, also almost all password managers explain how they do this.
https://support.1password.com/1password-security/ https://keepass.info/help/base/security.html etc
It's a potential point of failure, but you have to weigh up the relative threat from using a password manager vs. memorising fewer passwords.
Could a password manager have a security flaw? Yes. But if an attacker has remote access to mess with the password manager program itself, you normally have bigger problems to worry about (see here for some examples). Side-channel attacks would fall under this category.
Breaking into the password database itself is even less likely. Any decent password manager will implement something like AES - which if it was broken, would be all over the news.
I'm not telling you to, just throwing it out there if you're a bit paranoid is all. In the end it's up to you if you do or do not change them. I use a password manager to manage all my passwords. Keepass is one example.
There is no security issue.
Just use adequate, unique passwords.
That's it.
The reports of hacking by "russians" are a bullshit meme by angry children who lost their accounts due to buying accounts and losing them later, putting their account credentials on shady websites to receive free nat5 or crystals or cheats, or popular people who use stuff like "password123" or their birthday as a password.
Steam had the same problem because of the large number of children who have no sense of secure passwords, and they had to introduce this two-factor-auth thingy, which is totally annoying.
Please take a look at some basic tutorial for password-creation and imho the best way to handle unique passwords for different services/websites is to use something like this: https://keepass.info/
Just go to https://keepass.info/ and browse the FAQ/help pages. There's a keepass client for every major OS and if you want cloud sync, then there are plugins for that as well (the one I'm using is called KeeAnywhere). I didn't really follow any tutorial, I just downloaded the application and started using it, so I'm not sure what else to tell you.
I would recommend the FOSS alternative of KeePass over a closed-source password manager personally, then install a plugin into your browser of choice to make it work for websites transparently.
Important to note though, if you want to access your password file across devices, this may not be the best option for your use case. (edit: it appears there are cloud sync plugins available for this as well)
^(nuff said)
In this case you'll definitely want a digital password manager, even if just for the ability to properly categorize. I use KeePass:
You'll want to pick one master password that is really strong, but still type-able on a mobile device, along with a key file that needs to be present to unlock your database.