by edent 3659 days ago
A unique password, 2FA, AND a unique email address.

I use https://lastpass.com/ for generating passwords. $12/year and works on Linux & Android. Would prefer open source, but nothing else comes close. I tend to generate 32 char passwords with a mix of upper, lower, number, and special. Only a few websites insist on shorter passwords - or have character restrictions.

For 2FA I use either SMS or Authy (https://www.authy.com/). Take a look at https://www.turnon2fa.com/ to see which sites support 2FA.

It does make logging in to some frequently used sites a bit of a pain (looking at you PayPal!) but I think it is worth it.

On to unique email addresses. I do this for two reasons.

1. Allows me to easily see where an email has come from & filter if necessary. I can tell if your company has leaked / lost / sold my address.

2. If I have reused a password, a database leak doesn't compromise other sites. An attacker doesn't know the login details for LinkedIn based on my GoToMyPC email.

I tend to use something like lnkdn@ mydomain / gtmypc@ ... / twttr@ ... - but if your mail provider lets you use a catch-all, it can be anything you like.

One word of warning - it really confuses people when you give the email over the phone! I usually say "I'm creating a unique email address for you so that the message doesn't go into spam. Ok? *sound of me hitting random keys* It's yourcompany@ ...."


KeePassX (https://www.keepassx.org/) is a free and open source password manager. Having never tried LastPass I can't vouch that it's feature-compatible, but it covers all my needs.
I tried both (switched from LastPass to KeePassX). KeePassX works better, especially with KeePass2Android. Strongly recommended.
I did look at KeePassX - but it doesn't seem to have reliable autofill in Chrome & Firefox (where I use 99% of my passwords). It also means I have to manually synchronise the database between phone, PC, etc.

The hunt continues!

I just keep the keepass.db file in a cloud storage folder that is synced across devices. Works perfectly and because of the encryption it hardly even matters that cloud storage is (currently) on a US server.

The "perform autotype" option in KeePassX Linux seems to work well enough for me in Firefox, Chromium and most applications (it basically seems to send <user><TAB><password><ENTER> which usually does the trick--and afaik it has some settings you can tweak when it doesn't, but I never bothered with those).

But if Lastpass works for you, that's cool. Getting to use a password manager in the first place is the most important step, IMHO.

> I did look at KeePassX - but it doesn't seem to have reliable autofill in Chrome & Firefox

It does have browser integration, for both Chrome - ChromeIPass extension, and Firefox - KeeFox extension. Both extensions work via the KeePassHttp plugin. Works well on Arch Linux.

I meant KeePass http://keepass.info/ writing about browser integration (in my case I run it on mono), not the KeePassX. KeePassX is a very simple app in comparison with KeePass, so I prefer KeePass over KeePassX.
> I use https://lastpass.com/ for generating passwords. ... Would prefer open source, but nothing else comes close.

On a linux/unix system, one could use /dev/urandom:

  # LC_ALL=C keeps tr byte-oriented (no "Illegal byte sequence" in UTF-8 locales); head -c 16 is the portable form of head -16c
  LC_ALL=C tr -dc '[:alnum:][:punct:]' < /dev/urandom | head -c 16; echo
would generate a 16-character password.

One could even put the following function in $HOME/.bash_profile or such:

  # genpw [LENGTH]: random password of LENGTH (default 16) letters, digits and punctuation
  genpw() {
    LC_ALL=C tr -dc '[:alnum:][:punct:]' < /dev/urandom | head -c "${1:-16}"
    echo
  }
Now invoking it by saying genpw would generate a pseudorandom string of 16 characters. You could specify the length by passing a parameter to it, e.g. genpw 8.
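The same idea carried further, as an added example (this is not code from the thread): a generator that enforces the "upper, lower, number, and special" mix from the original post, can be told which character sets a restrictive site allows, and reports how much entropy the result actually has. The 94-character alphabet size and the class names are the only assumptions.

```python
import math
import secrets
import string

# Added example (not from the thread): genpw in Python, with the class mix the
# original post asks for guaranteed and with site restrictions expressible.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALL_CLASSES = tuple(CLASSES)


def satisfies(pw: str, required=ALL_CLASSES) -> bool:
    """True if pw contains at least one character from every required class."""
    return all(any(ch in CLASSES[name] for ch in pw) for name in required)


def generate(length: int = 32, allowed=None, required=ALL_CLASSES) -> str:
    """Return a uniformly random password of `length` characters.

    allowed:  iterable of character sets the site permits (default: all four classes)
    required: class names that must each appear at least once

    `secrets` draws from the OS CSPRNG; `random` is seeded from predictable state
    and must not be used for secrets. Rejection sampling (draw, check, retry) keeps
    the output uniform over all strings that satisfy the constraint, which a
    "pick one of each class, then fill the rest" scheme would not.
    """
    alphabet = "".join(sorted(set("".join(allowed or CLASSES.values()))))
    for name in required:
        if not set(CLASSES[name]) & set(alphabet):
            raise ValueError(f"required class {name!r} has no characters in the allowed alphabet")
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(pw, required):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniform `length`-character string over `alphabet_size`
    symbols (an upper bound for the constrained generator; the class requirement
    costs only a fraction of a bit at these lengths)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate()
    print(pw, f"({entropy_bits(len(pw), 94):.0f} bits)")
    # A site that only allows 12 alphanumerics: about 71 bits, still far better than a human-chosen one
    site_pw = generate(12, allowed=[string.ascii_letters, string.digits], required=("lower", "upper", "digit"))
    print(site_pw, f"({entropy_bits(12, 62):.0f} bits)")
```

The entropy figure is the thing to watch when a site forces a short password: 8 alphanumerics is under 48 bits, which is within reach of an offline attack on a leaked fast hash, and no amount of character-class cleverness fixes that.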
Are you implying this comes close to the convenience of LastPass?
Sorry, haven't used LastPass myself. But as far as generating a random password goes, this would be pretty effective.
O...K... but where do you store them? How do you sync them between devices? How do you auto fill them in the browser? How do you change them when a service is compromised? How do you securely share them with other users?

LastPass does all of that. And I don't even have to drop into the terminal.

pwgen already exists, working exactly like you were thinking.

    $ pwgen 16 1
    siaJa9fohnie9aew
Though, you should use lastpass or similar for many other reasons. Not just generating passwords, but for managing them.
Ubuntu has "apg" which I think does something similar.

https://help.ubuntu.com/community/StrongPasswords

> I use https://lastpass.com/

I feel like it's almost certain that Lastpass is owned, as are other popular online password stores.

No security is perfect; all you can do is make it more expensive than it's worth to the attacker.

How much would it be worth to have all the passwords to every account of every Lastpass user? Does Lastpass really have the resources and skill to protect something that valuable? Is it even possible?

Well as long as you 'feel' that way, it must be true.

Lastpass (supposedly) stores the encrypted password vault, never the decrypted. Decryption occurs on the user's end. You would need to either have a keylogger on the target user's machine to grab their master password, or compromise the software. Neither is impossible, but both are a little harder than simply break in and access Lastpass's storage.

I say supposedly because I do not know of any 3rd party verification.

> You would need to either have a keylogger on the target users machine to grab their master password, or compromise the software. Neither is impossible, but both are a little harder than simply break in and access Lastpass's storage.

That reasoning only holds if it's in fact significantly harder to compromise the software than it is to "simply break in and access Lastpass's storage". If you believe that might be possible, then the security of your password vault basically depends on the differential difficulty compared to "simply break in and compromise the login form / browser extension / update channel to make it do <whatever>".

My point is not that this would be easy, rather that if someone went as far as to break in and grab the storage[0], given the sheer value of the data, the barrier to go a step further and compromise the software isn't big enough to make me go "okay well that's all right then, that might happen, but this surely won't".

The biggest difference in risk between those two scenarios is that yes, some cybercriminal that is "just poking around" might more easily stumble upon access and just grab the vault than set up a compromised login form and wait--not so much more difficult, but just more effort.

[0] which I agree is fair to trust Lastpass to have properly encrypted, cause if you can't trust the people you pay $12/year to keep your most sensitive data secure, then who can you trust?

I didn't make that claim; why add that attitude to an otherwise pleasant conversation?

When disagreeing, please reply to the argument instead of calling names. E.g. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."

https://news.ycombinator.com/newsguidelines.html

Yes you did make that claim. You said that you feel there is a high likelihood that lastpass is compromised. You have no evidence or proof of this, just a gut feeling presented as some sort of fact or 'just asking questions.'

"I feel like it's almost certain that Lastpass is owned"

I use LastPass, but I'm still fearful about it. It's such a rich target, and all a hacker would really have to do is to intercept when you put your decryption key in and send it off to their own server. Then they'd have access to all your accounts. They'd have to put that backdoor into the extension, but the point is, it's doable, and most people wouldn't have any way of knowing that it happened.
LastPass doesn't have you send the master key to log in or decrypt. Decryption does not occur on their servers.

https://lastpass.com/support.php?cmd=showfaq&id=6926

"LastPass says they never receive my Master Password. Don’t I send it to the LastPass servers when I log in?

No, when you login to LastPass, two things are generated from your Master Password using our code discussed previously before anything is sent to the server: the password hash and the decryption key. This is all done locally.

    The password hash is sent to our servers to verify you. Once verified, we send back your encrypted Vault. We are only sent your hash, not your Master Password.
    The decryption key, which NEVER leaves your computer, is then used to decrypt your Vault once it comes back."
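The split the FAQ describes, as an added example in stdlib Python (this is not LastPass's code, and the iteration counts, the username-as-salt choice and the toy HMAC-based vault cipher are assumptions chosen for illustration, not LastPass's parameters or algorithms). The point it makes runnable: the server only ever receives an auth hash that is derived from the vault key, not the other way round, so a copy of the server's storage yields neither the key nor the master password.

```python
import hashlib
import hmac
import secrets

# Added example, not LastPass's code: the client/server split the FAQ above
# describes. KEY_ITERATIONS is assumed and deliberately low so the demo runs fast.
KEY_ITERATIONS = 100_000
AUTH_ITERATIONS = 1   # input is already a slow-derived key; one round suffices


def derive_keys(master_password: str, username: str) -> tuple[bytes, bytes]:
    """Client side. Returns (vault_key, auth_hash).

    vault_key never leaves the client. auth_hash is derived FROM vault_key (with
    the password as salt), so the value the server sees is one-way: holding the
    auth hash still means brute-forcing the master password to reach the key.
    """
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, username.lower().encode(), KEY_ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, AUTH_ITERATIONS)
    return vault_key, auth_hash


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stream cipher for the demo."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with keys split from vault_key. Output: nonce || ct || tag.
    A real client would use AES-GCM or similar; the structure is what matters here."""
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; wrong key and tampering both fail here."""
    enc_key = hmac.new(vault_key, b"enc", "sha256").digest()
    mac_key = hmac.new(vault_key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Sees only auth_hash (salted and hashed again before storage) and the opaque
    encrypted vault. Nothing held here can decrypt anything."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        self.users[username] = (salt, stored, encrypted_vault)

    def login(self, username: str, auth_hash: bytes):
        """Return the encrypted vault on success, None otherwise."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, stored, vault = rec
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        return vault if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    vault_key, auth_hash = derive_keys("correct horse battery staple", "alice@example.com")
    server = Server()
    server.register("alice", auth_hash, encrypt_vault(vault_key, b"linkedin.com: hunter2"))
    blob = server.login("alice", auth_hash)   # the server never saw vault_key
    print(decrypt_vault(vault_key, blob))      # decryption happens client-side
```

Note what this does and does not buy you: a stolen copy of `Server.users` is useless without the master password, but the client code that computes `derive_keys` and `decrypt_vault` is exactly the "software" the thread is arguing about; a malicious update to it could ship `vault_key` anywhere.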
Well, no, they'd better not, obviously!

The point was "all a hacker would really have to do is to intercept when you put your decryption key in and send it off to their own server" (emphasis added).

However this is more about keeping the Lastpass software secure than it is about keeping the encrypted user vaults secure. The documentation you quoted really obscures this by use of the passive voice, casting the end-user somehow as an active agent deliberately doing all the encryption/hashing and sending, implying that they are in full control :) Try this on for a change:

"LastPass says they never receive my Master Password. Doesn't the LastPass Software send it to the LastPass servers when I log in?

No, when you login to LastPass, the LastPass Software generates two things when you give it your Master Password, before the LastPass Software sends anything to the server: the password hash and the decryption key. The LastPass Software does all this locally.

The LastPass Software sends your password hash to our servers to verify you. Once verified, our server sends back your encrypted Vault. The LastPass Software only sends your hash to our server, not your Master Password that you just entered into the LastPass Software.

The LastPass Software then uses this decryption key, which should NEVER leave your computer, to decrypt your Vault once it comes back."

-

The above is IMHO a much better way to word the same documentation, since it doesn't try to gloss over a rather important part of the attack surface. It's not really fair to on the one hand congratulate a user for being security-aware enough to use a password manager, but then ignore this part. Good security software documentation should proudly present the last few exposed parts of the attack surface, especially if they are minor ones, so that a user can assess the limits of their trust--there are always limits, no sense in pretending there aren't, and it's better to know them so that the user gets to decide what they're okay with.

I am switching away from unique mail addresses … I used a mix of catch-all and plus characters:

The former reduces the efficiency of your spam filter, the latter is not (fully) supported by many websites. AirBnB for example allowed me to set a mail address with a plus character; however, login did not work anymore, so I was locked out and had to create a new account … AirBnB support refused to change my mail address since they apparently did not get the plus character 'trick'.

Add a grep whitelist to your spam filter for some arbitrary extension, e.g. a tld such as '.com'.

This way the address can be some-web-app.somecompany.com@yourdomain.tld, you can whitelist *.com@ (or higher up on the subdomain if necessary).

Not sure if this would maintain the efficiency of your (or any) spam filter, but it does avoid the '+' character.

In my experience adding the domain of the recipient often leads to problems.

  Rep: "Can you verify your email address?"
  Me: "er, em-verizon@example.com"
  Rep: "Hey, I didn't know you worked for Verizon!"
  Me: "no..."
And now the call gets excruciatingly slow and unfriendly because the rep thinks I'm trying to hack something.

Also, more than one web forum has silently binned me until I removed the domain from my email address. Had one where I could post for a few days, then the admin deleted me and sent that email address a crazy anti-spam rant thinking I was a bot.

I still like using unique email addresses but I make sure they're obscure.

I use the domain backwards e.g. nozirev@mydomain.com. Customer service agents don't notice, and it's easy for me to tell where the email was supposed to have originated.
Yep, I highly recommend LastPass as well. The password generation, sync, platform support, and browser extension features are great. It's fairly easy to set up exclusion filters for not remembering passwords, as well as controlling if matching works on the first level domain (*.domain.com) or exact host. The former generally works well for most sites, but the latter is essential for my own domains (where I have multiple different services, accounts for testing, etc).

I've been using a catch all domain for at least 15 years. One thing I learned early is to use a subdomain, which avoids getting dictionary spam attacks.

For the last many years, I just forward it to a gmail account, where there is a corresponding filter to label it into an "accounts" group. I get essentially zero spam to this.

Also, I've had multiple times where it confused reps as well. It's kind of funny when it happens, but also sad that having "theircompany@sub.mydomain.com" makes them go "oh, did you used to work here or something?".

> For the last many years, I just forward it to a gmail account

How do you do this?

Ha, just like my setup. And yes, it does confuse people, to a lot of them it seems like magic.
What provider do you use that allows for catch-all? I really like GMail but the lack of support is really annoying, and a lot of sites & dump leaks are beginning to ignore the "+word" notation for email addresses.
Good idea on (2). I have a gmail account, so I just use myaccount+whatever_service@gmail.com. Pretty handy.
If a lot of people start doing this thing, then it will be trivial for an attacker to figure out name+service1@domain can be changed to name+service2@domain
Same argument for port knocking. Absolutely ineffective against targeted attacks, but most attacks aren't customized and targeted.
It also cuts down on the attack surface enough to let you use more active alerting.
"service1" could be generated randomly as well, and stored along with the password in a password manager.

Another nice property of this suffix is that one can identify who gave away their email address / which site it was scraped from when receiving spam; not sure where I have seen this written down originally.

I think when spammers see a "+" they just strip everything after it down, i.e. me+spam@example.org -> me@example.org. Not to say many sites just don't accept "+" (or, worse, cease to accept such addresses).

Unique, non-guessable, machine-generated addresses are the way to go (do with emails just like password managers do with passwords), but no common person can use those, because they'll need a domain and self-hosted MDA.

E.g.

    $ echo "$(echo -en "secretsalt\nsome.example.net" | sha1sum -b | xxd -r -p | base36 | cut -c-8)@me.example.org" 
    h6t8490d@me.example.org
Or just generating random IDs and maintaining the database.

(Sure, HMAC would be a better idea than this string concatenation, but meh...)
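The HMAC version the parenthetical hints at, as an added example (not code from the thread): a per-site alias derived with HMAC-SHA256 so that, unlike name+service1@domain, knowing the alias for one site gives no way to compute the alias for another without the key. It also recovers the "who leaked my address" property by recomputing aliases for the sites you hold accounts with. The domain, the 10-character length, the hostname normalisation and the key in `__main__` are all assumptions/placeholders.

```python
import base64
import hmac
import secrets

# Added example, not code from the thread: HMAC-derived per-site e-mail aliases.
# ALIAS_DOMAIN and ALIAS_CHARS are assumptions chosen for the demo.
ALIAS_DOMAIN = "me.example.org"
ALIAS_CHARS = 10   # 10 base32 chars = 50 bits: unguessable, still readable over the phone


def normalise_site(site: str) -> str:
    """'https://www.Some.Example.net/login' -> 'some.example.net', so a URL pasted
    from the browser and a bare hostname yield the same alias."""
    host = site.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0].split("@")[-1]
    return host[4:] if host.startswith("www.") else host


def alias_for(site: str, key: bytes, domain: str = ALIAS_DOMAIN, chars: int = ALIAS_CHARS) -> str:
    """Deterministic per-site address. The only state to keep is `key`; with HMAC,
    the tag for site B cannot be derived from the tag for site A without it."""
    tag = hmac.new(key, normalise_site(site).encode(), "sha256").digest()
    local = base64.b32encode(tag).decode("ascii").lower().rstrip("=")[:chars]
    return f"{local}@{domain}"


def site_of(address: str, key: bytes, known_sites, domain: str = ALIAS_DOMAIN):
    """Which site was an incoming address issued to? Recompute the alias for each
    site you have an account with; None means the address was never issued by you."""
    wanted = address.strip().lower().encode()
    for site in known_sites:
        if hmac.compare_digest(alias_for(site, key, domain).encode(), wanted):
            return normalise_site(site)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generate once; store it next to your passwords
    for site in ("https://www.linkedin.com/login", "gotomypc.com", "twitter.com"):
        print(f"{normalise_site(site):20} {alias_for(site, key)}")
```

This still needs a domain with a catch-all (or a forwarding service) to receive mail for arbitrary local parts; it does nothing for the "+tag" case on providers that do not let you receive at arbitrary addresses.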

Then I could just make my rand(service1) chars larger. No point in adding it to email address at all. Email leak (privacy) is an issue that this could help with but I do not see any benefit in terms of securing my account
How do you generate new emails? Say, I see a new websites I need a new email? What do you do? Is there a chrome extension that can do it with one click?
I use 33mail.com. You just give them a new email address, no need to generate. For example, hackernews@lukasm.33mail.com
My personal domain is set to forward all email to my Gmail. Since Google is my registrar, it's expectedly simple to configure this. I haven't setup outbound addresses; services rarely need email sent to them, and replying from my Gmail hasn't caused me any problems yet.
Gmail doesn't need any config. Add whatever you want to your usual email after a + and it'll just work
Yeah but doesn't prevent the attack. Username is still in the email address. Ideally I'd like <domain>+<nonce>@gmail.com that forwards all to my email.