*NIX enthusiast, Metal Head, MUDder, ex-WoW head, and Anon radio fan.

  • 0 Posts
  • 55 Comments
Joined 2 years ago
cake
Cake day: June 12th, 2023

help-circle
  • I use a hardware password manager that connects over USB or bluetooth for most things. The few things that I use often I have a system for, and that system is popular culture.

    Love “The Prisoner of Azkaban”? Initialize it, and add the publish date some where: HP&TPoA|1999

    Starship troopers fan? Initialize a memorable quote. “The enemy can not push a button… if you disable his hand. Medic!”: Tecnpab…iydhh.M! Need numbers? Find a quote with numbers, or add the release year, or the number of times you watched it that one weekend where you and a friend watched it 32 times.

    Like TV shows more? How about the fourth episode of family guy: S1-MindOverMuder-E4.

    Metal Fan? I do love track three off of Metallica’s 1983 album: #3|Motorbreath-1983

    Etc.







  • I must have been way out of it late last night. I totally missed that you were asking why people do it and not looking for recommendations. Sorry for the spammy nonsense response to your OP.

    To the latter question, I’ve seen devices that do OTP and FIDO in addition to basically storing arbitrary strings (e.g. your cc number).

    I get harassment scolding me for using Lemmy to advertise when I mention any of the products by name, despite having no affiliation with any of them outside of being a user, but they’re not hard to find if you look.








  • Korthrun@lemmy.sdf.orgtoPrivacy@lemmy.mlUse a password manager
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    4 months ago

    I saw the lack of arm and facepalmed but I was half asleep poo posting so got over it :p (fixed now!)

    I’ve been using this device for ~5 years now, so my memory is a little hazy on it, but I’m pretty sure for the particular device I prefer (which is to say, I have nfc what the setup is for other vendors, which could be greatly superior) the AES-256 key used for encryption isn’t generated until you setup your first card.


  • How would any company, regardless of geography have the secret I generated? This is a stand alone hardware device. They seller is not involved at all once I’ve received my package.

    Could a sophisticated/well resourced actor clone the smart card they stole or you lost? Sure, brute force attacks are brute force attacks. At least you’d know your device and card are stolen. Now you’re in a race to reset your passwords before they finish making 500 clones of the smart card they stole.

    Hypothetically I could blackmail someone at LastPass and have a backdoor is installed for me.

    Someone could bust down my door while I have it connected and unlocked and just login to all my things. ¯\_(ツ)_/¯


  • That will vary from vendor to vendor. In the case of the one I like there are a few relevant things.

    The password db is stored encrypted on the device. Accessing the passwords requires all of:

    • the device
    • a smartcard with a particular secret on it
    • the 4 digit hex pin to unlock the secret on said smartcard, which is what is used to decrypt the db

    Three PIN failures and the smart card is invalidated.

    That sort of covers “stolen” and “lost + recovered by a baddie”. Your bad actor would need to have their hands on both physical pieces and guessed the 4 digit hex code in 3 tries.

    As far as a user recovering from a lost or failed device or smart card goes, you can export the encrypted version of the db for backups, which I do to a thumb drive I keep in my document safe. I do the same with a backup smart card. So that and a backup device or purchasing a new one if yours fails or is lost/stolen.

    In the super “just in case” move, I also keep a keepassdb on said thumb drive. In case my device fails and it’s just not possible to get a new one. Kind of like keeping two cloud providers in case LastPass goes bankrupt or something.



  • Korthrun@lemmy.sdf.orgtoPrivacy@lemmy.mlUse a password manager
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    4 months ago

    So many folks talking about which software they use, and how they sync it between devices etc.

    You all know there are hardware password keepers right? They present to your devices as a usb and/or bluetooth keyboard and just type out the user/password that you select. They have browser plugins to ease the experience. Now your password is not even stored on the device you’re using to perform your login and it will work on any modern device even without internet access.

    Oh and no subscription fee to cover the costs of cloud infrastructure.



  • All of the repos for my GitHub sourced vim plugins live under one parent directory. I symlink to them from ~/.vim

    One example is a simple function that pushes the top level repo directory onto my dir stack and then runs a loop where it pushes each subdir into the stack, runs “ggpull” then pops back to the top level repo directory. ggpull is an alias added by the zsh git plugin. After all repos have been updated it pops back to my original pwd.

    I run this as part of my “update all the things” script but sometimes I also want to run it in demand from the cli. So I want this function in all scopes and I want it to have access to “ggpull” in all of those scopes.