3

What’s your favorite method to deal with using and securely storing usernames and passwords?
Example: parsing information from a part of a website requiring a login

Everyone I talk to at school has their own different method, and now I'm curiously looking for as many methods as people are willing to share.

Comments
  • 1
    I use a password and have a master password that I can remember and is pretty long
  • 7
    KeePassXC
    Long master (sentence) password

    I often use sentences in other languages (even made-up languages) as passwords, too. Yes, with punctuation and everything. Easy for me to remember, nearly impossible to guess.
  • 1
    For me it's KeePassXC as well, with my key in Dropbox and two-factor on my Dropbox
  • 2
    Chrome, nicely synced on mobile. Local applications requiring pw, none or memorized (come on, at my age we used to remember phone numbers of over 30 friends lol)
  • 3
    @mathume Chrome stores all of your passwords on your Google account, and you can view these via the web. If you have your account broken into, which can happen from anywhere, you lose all of your accounts.

    Local password managers have the benefit of being local. Nobody without read access to your machine can break in.
  • 3
    Guys, I think he's talking about server-side dealing with passwords/logins for your webpage.

    There are a bunch of things to do and watch out for. But if we ignore the security things unrelated to passwords, then, on acc creation, store in the database: username, email, hashed salted password, salt.

    There are some more and less secure ways to do that. I found a page that has an overview of that: https://crackstation.net/hashing-se...

    I'm not an expert, so take my comment with a grain of salt (pun intended).
  • 6
    @Quirinus In that case: salted, high-cost bcrypt. Use a hash of the user's password generated on the client so the password is never transmitted anywhere.

    This ensures zero knowledge of the user's password, protects idiot users against their own password reuse, protects against rainbow tables, ensures an attacker must crack passwords one at a time, and ensures the cost of cracking a password well exceeds the value of the account. This is not, however, quantum resistant, so don't expect this level of security to be sufficient for more than ten to fifteen years.
  • 2
    @Root it's important that you hash twice though. Once on the client and once on the server. Otherwise someone with a DB dump can log in easily.

    Also, if you have legacy passwords in MD5, I don't get why some companies keep them like that after changing to bcrypt... You could always just hash and salt the MD5 hash (and securely delete the source)
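
The server-side scheme discussed in the comments above (client hash, then a salted slow hash on the server, plus wrapping legacy MD5 rows), as an added example that is not part of any commenter's post. Assumptions: scrypt from the Python standard library stands in for the bcrypt named in the thread, the client hash is SHA-256, and all function names and the record layout are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: scrypt (standard library) stands in for the bcrypt named in the
# thread; both are salted, deliberately slow password hashes.
def slow_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

def client_prehash(password: str) -> bytes:
    """What the browser would send instead of the password (assumed: SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest().encode()

def make_record(inner: bytes, scheme: str) -> dict:
    """Second hash on the server: a fresh per-user salt plus the slow hash."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": slow_hash(inner, salt)}

def wrap_legacy_md5(md5_hex: str) -> dict:
    """Upgrade a stored MD5 hex digest in place, without knowing the password."""
    return make_record(md5_hex.encode(), "md5+slow")

def verify(record: dict, submitted: bytes) -> bool:
    """`submitted` is the client hash, or the raw password for legacy rows."""
    if record["scheme"] == "md5+slow":
        submitted = hashlib.md5(submitted).hexdigest().encode()
    candidate = slow_hash(submitted, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare

def demo() -> dict:
    # Constructed sample credentials, not real data.
    row = make_record(client_prehash("correct horse battery"), "client+slow")
    legacy = wrap_legacy_md5(hashlib.md5(b"hunter2").hexdigest())
    return {
        "good_login": verify(row, client_prehash("correct horse battery")),
        "wrong_password": verify(row, client_prehash("Correct horse battery")),
        # A value copied out of a database dump is not accepted as a credential:
        "replayed_db_hash": verify(row, row["hash"]),
        "legacy_login": verify(legacy, b"hunter2"),
    }

if __name__ == "__main__":
    print(demo())
```

Once a legacy row is wrapped, the bare MD5 column is deleted, so only the salted slow hash remains in storage.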
  • 1
    @Root I use MFA / my phone to confirm credentials. I switch computers so often that local pwm isn't really an option :(
  • 2
    @eval That is what I meant; after rereading my comment, the double hashing isn't clear. Thanks for pointing that out.
  • 2
    @mathume KeePassXC has an Android app. 🙂
  • 1
    Store all the passwords as clear text, print them out on multi scented sticky notes, place said sticky notes around town, buy a dog, train the dog to fetch sticky notes based on scent, forget what you were doing, go eat a tamale, find a bunch of sticky notes everywhere and wonder what asshole would do that, remember you placed the sticky notes, check yourself into the hospital, get a clean bill of health, and use bcrypt
  • 2
    @Root I see bcrypt, I upvote. Love that!