Re: dropbox security situation
On Mon 09 Dec 2019 at 14:10:56 -0500, Celejar wrote:
> On Mon, 09 Dec 2019 16:31:35 +0100
> Jonas Smedegaard <jonas@jones.dk> wrote:
>
> > Quoting Charles Curley (2019-12-09 15:56:26)
> > > On Sun, 8 Dec 2019 18:55:12 +0100 (CET)
> > > <l0f4r0@tuta.io> wrote:
> > >
> > > > Usual advice : use strong passwords (i.e. long enough with high
> > > > entropy => generated&stored in a dedicated password manager) AND 1
> > > > different per service, never the same.
> > >
> > > There is a handy password generator available on Debian, called APG
> > > (Automated Password Generator), which will generate passwords for you.
> > > The default settings yield a fairly strong password, but you can modify
> > > those to make the results even stronger.
> >
> > I dislike APG because it generates passwords difficult to remember -
> > without aiding in how to deal with that, which has a high risk of
> > passwords getting stored on physical notes in the top drawer...
>
>
> I use 'pwgen', whose manpage begins thus:
>
> *****
> The pwgen program generates passwords which are designed to be easily
> memorized by humans, while being as secure as possible.
> Human-memorable passwords are never going to be as secure as
> completely random passwords. In particular, passwords generated by
> pwgen without the -s option should not be used in places where the
> password could be attacked via an off-line brute-force attack. On the
> other hand, completely randomly generated passwords have a tendency to
> be written down, and are subject to being compromised in that fashion.
> *****
>
> Although I almost always use it with its --secure option, since I
> don't try to memorize passwords, but instead record them (in a plain
> text file) - who can remember hundreds of passwords?

Indeed. Memorising is part of the password problem. I've indicated a
possible solution that does not rely on the fallibility of memory in
another mail.

Your plain text storage method would benefit immensely from using the
scrypt package.

--
Brian.