Dropbox Loophole to Close

But the cloud is password protected and the database encrypted so it is pretty safe.

Anyway, the main problem was what keepass does to the database, i.e., not preserving its integrity. The iOS problem was that the apps to access keepass either didn't work with a network drive or else were not free, nor did they have a trial period so I could check them out.

As it happens, Lastpass works perfectly on Android, iOS and windoze. For instance, on Android, it uses an app fill helper that fills fields in any app, usually without having to copy and paste username and password.
 
But the cloud is password protected and the database encrypted so it is pretty safe.
Awww. Someone who still has faith. :inlove:

Anyway, the main problem was what keepass does to the database, i.e., not preserving its integrity. The iOS problem was that the apps to access keepass either didn't work with a network drive or else were not free, nor did they have a trial period so I could check them out.
It sounds like some third party apps that kludge the keepass system to work with a remote database, but not being an Apple person I can't say more than that.

As it happens, Lastpass works perfectly on Android, iOS and windoze. For instance, on Android, it uses an app fill helper that fills fields in any app, usually without having to copy and paste username and password.
I appreciate the convenience aspect, but as any security person will tell you: Convenience = less security. To have a remote system enter username and password for a site without me prompting it to is waaaaay beyond my comfort zone ... someone somewhere is probably working on a hack to persuade that system to send all the passwords to them.
(There was a report recently of a kind of phishing where a site had fields for personal data, but they were invisible to the user - so their auto-fill options merrily supplied all the info without them being aware.)
 
I haven't seen it mentioned yet - I've been a 1Password user for a long time. It can sync its encrypted database via Dropbox and the iOS app works well with good integration. Probably similar on Android too.
 
I appreciate the convenience aspect, but as any security person will tell you: Convenience = less security. To have a remote system enter username and password for a site without me prompting it to is waaaaay beyond my comfort zone ... someone somewhere is probably working on a hack to persuade that system to send all the passwords to them.
(There was a report recently of a kind of phishing where a site had fields for personal data, but they were invisible to the user - so their auto-fill options merrily supplied all the info without them being aware.)

Indeed; fortunately, LP's auto-fill is optional, and I have it disabled, for similar reasons. Manual fill, either directly, or even more manually via clipboard, is still quite easy.
 
Use of the clipboard is even more dangerous. Many programs, and possibly all apps, have access to that. You are writing the login information on a whiteboard in front of the class, hoping none of them will copy it. Plus, you are possibly leaving it there, until the next class starts.
 
My understanding of how Lastpass works, and I may be wrong, is that the encrypted database is downloaded to your device and credentials extracted from it on your device. There is no question of these credentials being sent by Lastpass; they don't even have access to them.

The xkcd cartoon is irrelevant now, as many sites require upper and lower case, numerals and, in some cases, special characters. It would do as a method of generating a Lastpass master password, though.
 
It would do as a method of generating a Lastpass master password, though.
This is exactly what I do to generate my Keepass master password ... and it was the xkcd item that gave me the principle. (Must be a few years old now.)

I know, f*****g pain in the arse.
... and of course the reason why it's virtually impossible for normal people to memorize passwords.
 
1Password's rating system probably needs tweaking.
KeePass reports the quality of the "goo gorge ..." one as 104 bits and the ",P2R..." as 65 bits.
Also the ones from the cartoon report as 59 bits and 99 bits; roughly double the entropy quoted in the cartoon.

I've no idea if KeePass is right but the comparative results look sensible.
 
-''$4*8+;;'%ggdthgCbxseu

is a good password. Here is a 16 char one generated by Lastpass.

C7$VU5mSyj63pdKy

https://www.grc.com/haystack.htm


I can't say I really understand password entropy. It seems to assume the division of characters into indivisible blocks.

lowercase a--z
uppercase A--Z
numerals 0--9
special characters

But why does the inclusion of ! in a password imply that the domain includes all special characters? Is the entropy a function of the domain specified for password selection, or, as seems to be the assumption, of the subdomain the user selects for his password?

What happened to Greek letters? Diphthongs? Mathematical symbols? Indeed, any Unicode characters?

Are people with other alphabets only allowed to have ASCII passwords?
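An added example, not from the thread, that makes the question above concrete: it computes the naive "pool" estimate most strength meters use (length times log2 of the union of character classes present) beside an estimate that models the process that actually generated the password, which is what an attacker who knows the generator has to search. The class sizes (26/26/10/33), the 2048-word list and the 100,000-entry dictionary are assumptions.

```python
import math
import re

# Assumed character classes for a "pool" estimator: the pool is the union
# of every class that occurs anywhere in the password (26+26+10+33 = 95).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII symbols incl. space (assumed)
]


def pool_entropy_bits(password: str) -> float:
    """Naive meter: assume every position was drawn uniformly from the pool
    implied by the classes present. A single '!' enlarges the pool by 33."""
    pool = sum(size for rx, size in CLASSES if rx.search(password))
    return len(password) * math.log2(pool) if pool else 0.0


def generator_entropy_bits(components) -> float:
    """Entropy of the process that produced the password: a list of
    (count, alphabet_size) pairs, each choice uniform and independent."""
    return sum(n * math.log2(size) for n, size in components)


def compare(password: str, components) -> dict:
    """Both estimates side by side, plus how far the meter overstates."""
    pool = pool_entropy_bits(password)
    gen = generator_entropy_bits(components)
    return {"pool_bits": pool, "generator_bits": gen, "overstated_by": pool - gen}


if __name__ == "__main__":
    # 16 random characters from all four classes: the two models agree,
    # because the generator really did draw uniformly from the 95-char pool.
    print(compare("C7$VU5mSyj63pdKy", [(16, 95)]))
    # The xkcd passphrase: four words from a 2048-word list (assumed size).
    # The meter sees 25 lowercase letters; the attacker sees 4 x 11 bits.
    print(compare("correcthorsebatterystaple", [(4, 2048)]))
    # Constructed human-style password: capitalised dictionary word (assumed
    # 100,000 entries) + one digit + one symbol. The '!' makes the meter count
    # 33 symbols at all ten positions; the generator chose one symbol once.
    print(compare("Password1!", [(1, 100_000), (1, 10), (1, 33)]))
```

The two models only agree when the password really was drawn uniformly from the whole pool; for a passphrase or a word-plus-suffix pattern the pool estimate is the one to distrust.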
 