Hacker News new | ask | show | jobs
by bambax 4309 days ago
All the security measures usually presented (including here) are completely unrealistic - no one can use different, complex passwords on every site we log into, and then change them every month!

The only way to do this would be to use a password manager in an Saas mode... and if it gets cracked then you're completely doomed and lose all access to all services.

People probably assume that the time saved by not caring about security is greater than the time they will lose if (when) they're attacked, and they may be right.
1 comments
tribaal 4309 days ago
I do exactly that, using keepassX. Single use, complex passwords that I change every two months, stored in a shared encrypted database.

What exactly is hard about it?

link
bambax 4309 days ago
keepassX seems to be a local application: how do you use it on mobile, or when you're not at home?

Also: if the database gets corrupted, you lose access to all services; if you have backups then it's a little less safe; if the main password for the database is strong you may forget it (or need to write it down somewhere outside the system); if it's not strong it's not safe.

link
diafygi 4309 days ago
There are mobile clients for KeePass databases. So you just need to keep a copy of your database on your phone. That's extremely easy to do with syncing data apps like SpiderOak.
link
quoiquoi 4308 days ago
Soooo you're still using a cloud service to sync your passwords, right?
link
mynegation 4309 days ago
I cannot say for Android, but if you keep kdbx file on a Dropbox, you can access it with iKeepass iOS app
link
jimlei 4309 days ago
Android clients exist for both keepass v1 and keepass v2 :)
link
eik3_de 4309 days ago
why shouldnt the average user write down his/her master database password and store it in the kitchen drawer?
link
dredmorbius 4308 days ago
Does keepassX manage the password changing or is that something you schedule and do manually?
link
quoiquoi 4308 days ago
You still have to do it manually I think. Having a standardized API to change passwords (a "Rotate all my passwords" buttons) would be nice, but potentially a huge step forward in automating password attacks.
link
dredmorbius 4308 days ago
Thanks. I confirmed a Debian package. If I can sync devices I think I'm golden.
link