On Thu 12 Dec 2019 at 22:39:13 -0500, Celejar wrote:
> On Thu, 12 Dec 2019 23:29:28 +0000
> Brian <a...@cityscape.co.uk> wrote:
>
> > On Thu 12 Dec 2019 at 21:13:06 +0100, l0f...@tuta.io wrote:
> >
> > > Hi,
> > >
> > > 10 Dec. 2019 at 23:11 from a...@cityscape.co.uk:
> > >
> > > > On Tue 10 Dec 2019 at 22:34:07 +0100, l0f...@tuta.io wrote:
> > > >
> > > >> 9 Dec. 2019 at 19:13 from a...@cityscape.co.uk:
> > > >>
> > > >> > How about not having to remember (or write down) any passwords for
> > > >> > the places you log in to?
> > > >> >
> > > >> > https://masterpassword.app/
> > > >> >
> > > >> > Not in Debian, unfortunately.
> > > >> >
> > > >> Interesting.
> > > >> However, I presume that a specific password modification should not be
> > > >> very easy because it seems you rely on a rather fixed encryption seed...
> > > >>
> > > >
> > > > Modifying a password with the masterpassword app is simplicity
> > > > itself. There is no fixed encryption seed.
> > > >
> > > I've read the documentation. User needs to remember all of
> > > this:
> > ...
> > > site-counter
> >
> > I'll give you this. But it would be very unusual to want it. The
> > default is generally good enough.
>
> "Very unusual"? Actually, IIUC, you're almost always going to maintain
> a whole table of these. As per the documentation:
>
> "The site counter ensures you can easily create new keys for the site
> should a key become compromised."
>
> IOW, whenever you need to change the password for a given site, e.g.,
> because it has suffered a breach, or because of an expiration policy,
> you have to either change your master password (and then update every
> single password managed by the system), or else increment the site
> counter for that site. You then have to keep track of all non-default
> site counters.
>
> Of course, these values are not that sensitive, so you can still argue
> that this system is safer than storing actual passwords - but it's
> still not the stateless utopia promised by the developer.

That's a fair analysis, although I am never quite sure what is meant by
"stateless". The only password change I have had to make was forced on
me by MBNA. They required that I reduce my 20-character high-entropy
password to 16 chars and knock off some of the funny symbols. Then they
tell me they are doing lots of things to make me safer. What a strange
world!

> > Your device is stolen or destroyed? You can recover your passwords if
> > you can remember your own name and the master password. How about that?
>
> And your site counters - although I suppose trial and error would work
> if you haven't changed a password too many times.

I think that that is the recommended technique. Although, in line with
other points raised in this thread, it could be written down.

-- 
Brian.
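The thread above argues about what "stateless" means for a derived-password scheme: the password for a site is a deterministic function of (name, master password, site, counter), so nothing needs to be stored, but the moment a site password is rotated by bumping its counter, that counter becomes state the user has to remember, and forgetting it means trial and error. The example below, added here and not taken from the Master Password app or its documentation, is a simplified scheme built from PBKDF2 and HMAC to illustrate exactly that: `master_key`, `site_password`, `rotate_password` and `recover_counter` are illustrative functions written for this post, the KDF parameters and output alphabet are assumptions, and the name, password and site strings are constructed sample values. The real app's algorithm and parameters are not reproduced.

```python
"""Illustrative stateless password derivation with a per-site counter.

Simplified scheme written for this discussion; it is NOT the Master
Password app's actual algorithm, KDF or parameters.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Output alphabet for derived passwords (constructed for this example).
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@#$%^&*")


def master_key(full_name: str, master_password: str) -> bytes:
    """Derive a fixed master key from the two things a user can remember.

    The name acts as the salt, so the same name + password yields the same
    key on any device with no stored state. PBKDF2-HMAC-SHA256 with 200k
    iterations is an assumption for illustration, not the real app's KDF.
    """
    salt = b"example-scope:" + full_name.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, 200_000, dklen=32)


def site_password(key: bytes, site: str, counter: int = 1,
                  length: int = 16) -> str:
    """Derive the password for (site, counter) from the master key.

    Changing the counter changes every character, which is how one site's
    password is rotated after a breach without touching the master password.
    """
    if counter < 1:
        raise ValueError("site counter starts at 1")
    info = site.encode("utf-8") + b"\x00" + counter.to_bytes(4, "big")
    chars = []
    block_index = 0
    # Rejection sampling keeps the character distribution unbiased:
    # 256 is not a multiple of len(ALPHABET), so plain modulo would skew it.
    limit = 256 - (256 % len(ALPHABET))
    while len(chars) < length:
        block = hmac.new(key, info + block_index.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        block_index += 1
        for b in block:
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
    return "".join(chars)


def rotate_password(key: bytes, site: str, counters: Dict[str, int]) -> str:
    """Rotate one site's password by bumping its counter.

    `counters` is the state the thread complains about: every non-default
    counter must be remembered (or written down) or the password is lost.
    """
    counters[site] = counters.get(site, 1) + 1
    return site_password(key, site, counters[site])


def recover_counter(key: bytes, site: str, known_password: str,
                    max_tries: int = 50) -> Optional[int]:
    """Trial-and-error recovery for a forgotten counter.

    Walks counters 1..max_tries until the derived password matches one the
    user can still verify (e.g. the one that still logs them in). The
    constant-time comparison avoids leaking match progress through timing.
    """
    for c in range(1, max_tries + 1):
        candidate = site_password(key, site, c)
        if hmac.compare_digest(candidate, known_password):
            return c
    return None


if __name__ == "__main__":
    # Constructed sample inputs; nothing here is a real credential.
    key = master_key("Jane Example", "correct horse battery staple")
    state: Dict[str, int] = {}
    print("initial:", site_password(key, "bank.example"))
    print("rotated:", rotate_password(key, "bank.example", state))
    print("state you now have to remember:", state)
```

Running it shows the trade-off Celejar describes: the first derivation needs no stored state at all, but after one rotation the `state` dict holds `{'bank.example': 2}`, and that dict is what must survive a lost device. `recover_counter` is the "trial and error" Brian mentions; it is cheap while counters stay small, which is why it only works if a password has not been rotated too many times.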