Slyguy

Level 43
I love the concept on this one, but the fact that you have to install Java for the windows version is crappy.
Master Password
Stateless Passwords - I've looked into those in the past and they are brilliant. There are a good number of these, perhaps the most widely used is Hashpass but there are tons of options.

My main concern with this method is if the hash method becomes compromised then your entire password structure will fall. However unlikely that would be. The other issue I find is the inability to store login names. So you must remember every login name for every account. If you are anything like me, I don't have the same login name anywhere - which adds a bit of security - albeit slight security to the mix but means I literally could not ever remember all of my login names. With these hashing systems you'd need to at least remember those.

A technique I started working with years ago is a decoration method using hashed stateless passwords in combination with a password storage/manager method. This provides ultimate security because even if the password manager is compromised they don't know your password. You simply 'decorate' the stored password with either a known decoration method, or a hashed decoration method then APPEND that to the password entered by your password manager. Does that make sense? Allow me to explain a bit better..

Let's say your password for Amazon is stored in your password manager such as:

Username: MyAmazonAccount@Gmail.com
Password: N#=[V&t?RB]3N$L#Ry%=

Your password manager fills in all of that but doesn't AUTO-ENTER. So you tab up to the password entry and enter your private, memory-held decoration. So in my case I could be using a decoration of 'EGD$8121'. So I would append my top secret decoration to the password then login to the website. The decoration is NEVER stored anywhere. So the login becomes:

Username: MyAmazonAccount@Gmail.com
Password: N#=[V&t?RB]3N$L#Ry%=EGD$8121
(1) Stored Password (2) Secret Memory Held Decoration

If you want to ramp this up, simply use a HASH tool to make unique decorations for each website! So for example using the above technique but ramping it up using a stateless password system, in this case Hashpass, I would create a hash of Amazon.com with the keycode: Biff!, which would generate the hashpass of +q99Gt2Al2gjUphY. Now THAT would be my decoration in this case, otherwise known as:

Username: MyAmazonAccount@Gmail.com
Password: N#=[V&t?RB]3N$L#Ry%=+q99Gt2Al2gjUphY

This little gem has been a technique used in some counter intelligence circles for a couple of decades now. Something you have stored, something you know and something you don't know. Good luck breaking that system, right? Also, imagine if a password manager utilized both methods to generate AND insert decorations on the fly via a popup?
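The decoration scheme above, as an added example (this is not Slyguy's tool and does not reproduce Hashpass's actual algorithm): the per-site decoration is derived with HMAC-SHA256 from the memorised keycode and the site name and appended to the password the manager holds. The HMAC construction, the 16-character output length and the sample vault entry are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample of what the password manager stores for one account.
VAULT_ENTRY = {
    "site": "amazon.com",
    "username": "MyAmazonAccount@Gmail.com",
    "password": "N#=[V&t?RB]3N$L#Ry%=",
}


def derive_decoration(site: str, keycode: str, length: int = 16) -> str:
    """Stateless per-site decoration (illustrative construction, not Hashpass):
    HMAC-SHA256 keyed with the memorised keycode over the normalised site name,
    rendered as the first `length` base64 characters. Nothing here is stored;
    the same keycode and site always regenerate the same decoration."""
    site_norm = site.strip().lower().encode()
    mac = hmac.new(keycode.encode(), site_norm, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


def final_password(stored_password: str, site: str, keycode: str) -> str:
    """What is actually typed at login: the vault-held password followed by
    the decoration. The vault only ever contains the first part."""
    return stored_password + derive_decoration(site, keycode)


def vault_leak_is_sufficient(stored_password: str, site: str, keycode: str) -> bool:
    """Models the threat in the post: someone holding only the vault entry
    tries it as-is. It never matches the real login, because the decoration
    (the "something you don't know" part) was never written down."""
    return stored_password == final_password(stored_password, site, keycode)


if __name__ == "__main__":
    typed = final_password(VAULT_ENTRY["password"], VAULT_ENTRY["site"], "Biff!")
    print("Username:", VAULT_ENTRY["username"])
    print("Password:", typed)
```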

Disturbedkt

New Member
If you are worried about cloud sync, that is one of the main differentiators of Sticky Password. They do have a cloud sync option using AWS, but they also have a local-only sync that goes between devices over WiFi (must be on the same WiFi network to do so, of course). For those who don't trust cloud sync, and don't mind syncing mobile to desktop when they are home, it's a great option.


Guys, are there any decent password managers (with cloud sync) that aren't based in VA. Aren't hacked all of the time. Aren't stored on AWS?

Reviewing the Snowden/Wikileaks documents and other press releases I am inclined to believe AWS isn't to be trusted. I know the NSA blew a gasket when Glenn Greenwald convinced Wikileaks to switch away from AWS (NSA said that kind of advice needs to be disrupted). Also Booz Allen Hamilton 'brags' they have accessed AWS data centers and 'consult' with AWS at a deep, API level. Also apparently OneLogin was compromised at the backend through AWS API.

Roboform = VA.. (no clue about their cloud stuff, but VA? No.. Also they've been implicated in exposing user data)
Lastpass = VA (also, they may use AWS. They've had too many issues)
Dashlane = AWS, and they dump thousands of logs a day to Ireland.
Stickypassword/KasperskyPW = AWS
1Password = AWS
mSecure = AWS

I'm thinking there has to be something out there that doesn't stink, but also isn't overly compromised or sitting on US Intelligence linked servers with NSA APIs..
 

Slyguy

Level 43
Bit Warden uses Secured Azure servers and has nothing related to AWS involved with it.

bitwarden uses AES 256 bit encryption as well as PBKDF2 to secure your data. PBKDF2 is used to derive the encryption key from your master password. This key is then salted and hashed. bitwarden does not write any crypto code. bitwarden only invokes crypto from popular and reputable crypto libraries that are written and maintained by cryptography experts. bitwarden always encrypts and/or hashes your data on your local device before it is ever sent to the cloud servers for syncing. The bitwarden servers are only used for storing encrypted data. It is not possible to get your unencrypted data from the bitwarden cloud servers.
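The derive-then-hash pattern described in that quote, as an added example (not bitwarden's code, and the iteration count and salt choice are assumptions rather than its real parameters): PBKDF2 stretches the master password into a key that stays on the device, and the only thing sent to the server for login is a further one-way derivation of that key.

```python
import hashlib
import os

# Assumption: illustrative PBKDF2 work factor, not any product's actual setting.
ITERATIONS = 600_000


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side: PBKDF2-HMAC-SHA256 stretches the master password into a
    256-bit key, salted with the account e-mail so two users with the same
    password get different keys. This key encrypts the vault locally and is
    never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.strip().lower().encode(),
        ITERATIONS, dklen=32,
    )


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: what is sent for login is a one-way derivation of the key
    (salted with the password), so the server can check it but cannot turn it
    back into the encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1, dklen=32)


def server_store_credential(auth_hash: bytes) -> tuple:
    """Server side: the received value is hashed again with a random per-user
    salt before storage, so a database dump exposes neither the login value
    nor the vault key. Returns (salt, stored_hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000, dklen=32)


def server_verify(stored: tuple, auth_hash: bytes) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    salt, stored_hash = stored
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000, dklen=32)
    return hashlib.sha256(candidate).digest() == hashlib.sha256(stored_hash).digest()


def login_material(master_password: str, email: str) -> dict:
    """Splits what stays on the device from what leaves it."""
    key = derive_master_key(master_password, email)
    return {"stays_local": key, "sent_to_server": derive_auth_hash(key, master_password)}
```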
 

Slyguy

Level 43
If you are worried about cloud sync, that is one of the main differentiators of Sticky Password. They do have a cloud sync option using AWS, but they also have a local-only sync that goes between devices over WiFi (must be on the same WiFi network to do so, of course). For those who don't trust cloud sync, and don't mind syncing mobile to desktop when they are home, it's a great option.
Also keep in mind.. Local-Sync also works if you have a VPN into your local network, such as an OpenVPN or FortiClient VPN server running on your Firewall/UTM.