Welcome to Steve Gibson's Blog


Dave

Dave Jenkins, N1MXV
Sep 16, 2020
46
23
Gardner, MA (USA)
I have to say I was confused why the SQRL forums are completely separate from these, requiring me to register here (which felt like re-registering) instead of existing as a subforum category. It just seems a duplication of effort.
@Steve, please correct me if I am wrong, but I believe that is because this is the forum for all things GRC, whereas SQRL is not a GRC product. SQRL is an autonomous project with its roots in GRC. And its forum is graciously hosted by GRC. But it should exist outside of GRC. Though I suppose one could mount an argument that, perhaps, the GRC SQRL Client should be represented here.
 

Happenstrance

Member
Sep 30, 2020
5
1
Todd...
Time has shown that I'm no good at maintaining living documents. I'm FAR better at storing dead documents. Just look at my site! But, seriously... What you're suggesting is a thankless effort.
Sounds like this could be crowdsourced by having the community contribute to, for example, GitHub-hosted documents that we each work on our own forks of, sending pull requests of our edits/new content for Steve (or/plus trusted people he nominates) to approve? One user-friendly interface for that is GitKraken (link skips to Pull Requests 24 minutes in) -
- the example uses the Star Wars script with a "special edition" fork :)
 

Steve

(as in GRC)
Staff member
Feb 1, 2019
166
359
65
Southern CA, USA
www.grc.com
I have to say I was confused why the SQRL forums are completely separate from these, requiring me to register here (which felt like re-registering) instead of existing as a subforum category. It just seems a duplication of effort.
@Happenstrance : Dave's reply was as good as I could have given.

From the first moment and mention of SQRL on the podcast, I've made it clear that SQRL is explicitly and deliberately not a GRC property in any way. And while the original kernel of the idea was mine, and I managed the project, it was truly a community effort. The only chance anything like this might have to succeed would be by being perceived as in no way owned or controlled by any single entity. No one can own usernames and passwords, and no one can own SQRL.

My plan for THESE forums (and thus the more generic name) is that they will grow to become GRC's primary real time interactive interface with the world. So I wanted to keep it clearly separate from the SQRL community. (y)
 

motionblurrr

New member
Sep 30, 2020
1
1
LOL! Ok, fair enough. Maybe you and Leo can discuss the state of password managers in an upcoming Security Now episode.

And it would not be a thankless endeavor! I got 5 bucks I can Paypal you right now!! :)
I love TWiT and Security Now, but I don't think it would be possible for an unbiased review of password managers given the licensing deal for naming rights to the studio and one of the biggest sponsors being LastPass. I simply would not want to ask them to do that as I wouldn't want to put them in that position.
 

Steve

(as in GRC)
Staff member
Feb 1, 2019
166
359
65
Southern CA, USA
www.grc.com
I love TWiT and Security Now, but I don't think it would be possible for an unbiased review of password managers given the licensing deal for naming rights to the studio and one of the biggest sponsors being LastPass. I simply would not want to ask them to do that as I wouldn't want to put them in that position.
I think that's right. I'm still using LastPass, so I'm able to tell the truth when I mention it in passing. If I had switched to another password manager I would studiously say nothing. Would that be a lie of omission? I suppose so, since if LastPass were not a sponsor I would likely not have omitted a reference to whatever other solution I was using. So I'm glad that I've not been placed into that situation.
 

danlock

I feel at home here. That makes me very happy.
Sep 30, 2020
19
5
I love TWiT and Security Now, but I don't think it would be possible for an unbiased review of password managers given the licensing deal for naming rights to the studio and one of the biggest sponsors being LastPass. I simply would not want to ask them to do that as I wouldn't want to put them in that position.
What follows is NOT an objective review... merely personal experience:

As great as LastPass is (and all that jazz), I use Password Safe (Bruce Schneier's password manager, maintained and updated by others for Windows (Rony Shapiro)/Android (Jeff Harris)/iOS/Mac/Linux). I have access from nearly every device I own, and that means that I never have to remember anything other than my complex single password.

Here's the main site. Source code and binaries are available from github, fosshub, sourceforge, etc.

The encrypted file syncs to and from an online source, so I don't have to worry about my passwords anywhere, anytime, on any device, after I install pwsafe on that device, because it will download the newest file and save a local copy, overwriting any database present and, optionally, keeping backups of older versions of the local encrypted .pwsafe3 file.

It's Yubikey-compatible if you desire further authentication, and the length of time used to decrypt the database is configurable, as is the amount of time it remains unlocked before automatically wiping itself from RAM (essentially leaving nothing behind but the encrypted file with its built-in integrity checks). There are no back doors. No swapping to disk. No storage of an unaltered (hashed?) password anywhere.

It's extremely versatile for password generation using specifics, also, and if the OS you are using has a clipboard which is dodgy (as Android can be), use the program's own keyboard to open the file. Dragging-and-dropping usernames, passwords, email addresses, other info, etc. into browser fields is simple, and it contains an optional autotype option that will log you in automatically after you've unlocked your database and selected the name you've given whatever site you want to access.

Go LastPass! Go Password Safe! Go SQRL! Go—I don't think I'm prepared to trust anything else right now.
 

Happenstrance

Member
Sep 30, 2020
5
1
@Happenstrance : Dave's reply was as good as I could have given.

From the first moment and mention of SQRL on the podcast, I've made it clear that SQRL is explicitly and deliberately not a GRC property in any way. And while the original kernel of the idea was mine, and I managed the project, it was truly a community effort. The only chance anything like this might have to succeed would be by being perceived as in no way owned or controlled by any single entity. No one can own usernames and passwords, and no one can own SQRL.

My plan for THESE forums (and thus the more generic name) is that they will grow to become GRC's primary real time interactive interface with the world. So I wanted to keep it clearly separate from the SQRL community. (y)
Thank you, this makes total sense now. Also, did a new link just appear at the top of these forums to 📁SQRL FORUMS and in the same spot at those forums back to these ones? That's very cool 😎
 

Barry Wallis

Magician in Training
I think that's right. I'm still using LastPass, so I'm able to tell the truth when I mention it in passing. If I had switched to another password manager I would studiously say nothing. Would that be a lie of omission? I suppose so, since if LastPass were not a sponsor I would likely not have omitted a reference to whatever other solution I was using. So I'm glad that I've not been placed into that situation.
So we have a LastPass canary. ;-)
 

Keezer

New member
Sep 30, 2020
1
1
Hi Todd

Like you, I have been a long-time user of LastPass but, for the same reasons, decided to move elsewhere about 2 years ago.
I decided on Bitwarden, an open source password manager with desktop, web browser & mobile versions.
Bitwarden has a clean interface and is simple and easy to navigate. It has a free forever version for up to 2 users or premium versions for teams & enterprise.
I have been really pleased with the switch to Bitwarden.

Bitwarden is committed to a regular cadence of security audits of its source code & platforms, the latest one completing in July 2020.

There are plenty of very positive reviews on password manager review sites. Worth checking out Bitwarden's website for more details.
Thanks for highlighting Bitwarden. I've been happily using LastPass, but now want more control of ownership. I found what seems like an unbiased comparison of the two if anyone is interested: https://www.itproportal.com/news/lastpass-vs-bitwarden/

Cheers (Old Peculier, one of my favs https://www.beeradvocate.com/beer/profile/359/926/)
 

OldAngryMan

New member
Oct 1, 2020
1
2
Steve,
Couple of points on WordPress. I've been battling Brazilian and Russian hackers for almost a decade. I had to rebuild the website more than 10 times. Constant defacing, comment spam... I was an easy pick for these #$%&^*. Finally, I decided to stop and do some research. Apparently, I was not the only one pissed off enough to do something about it. One change to .htaccess to put in new rewriting rules which disabled the listing of login names, plus 2 free plug-ins to stop the brute force attacks, nasty URL formatting, known email addresses and IPs, country blocking, etc.... has put the source of my constant aggravation to an end. I haven't been hacked in over 6 years. And I sleep like a baby, not worrying about my website.

1. WordPress plugin - Stop Spammers by Trumani
2. WordPress plugin - Edit Author Slug by Brandon Allen (I used something annoying that starts with "kissmy....")
3. WordPress plugin - Edit User Name (to rename the user ID without needing SQL "update" skills)
4. Rename the default administrative account from "admin" to something cute and secret using plugin #3. Any attempt to use the default will be blacklisted by plugin #1.
5. Change user_id from 1 or 2 to a MUCH HIGHER value. :)

Easy peasy.
Finally, you will get one more source of entertainment and satisfaction: watching the logs included in plugin #1, the automatic blocking, the sending to the penalty box, and knowing which ridiculing message (that YOU can create) was presented to the poor soul.
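An added example of the kind of .htaccess rewrite rule the post's first change refers to (this is not OldAngryMan's actual configuration). It assumes Apache with mod_rewrite enabled and AllowOverride permitting rewrite directives in the WordPress document root:

```apache
# Added illustration, not the poster's own .htaccess.
# Assumes mod_rewrite is loaded and AllowOverride allows these directives here.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # A stock WordPress install answers /?author=N with a redirect to
    # /author/<login-name>/, which reveals the login name behind user id N.
    # Refuse any request carrying an author=<number> query parameter with a
    # 403 before WordPress sees it; ordinary visitors never send one.
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ - [F,L]
</IfModule>
```

Check the result with a request such as `curl -sI 'https://example.invalid/?author=1'` (hostname is a placeholder); a 403 instead of a 301 to an /author/ path confirms the rule is active.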
 

Simon Zerafa

Member
Sep 18, 2020
9
16
Hi Steve,

I'm wondering if the LastPass sponsorship might have come at a fortunate time, given what 2020 has brought us all, and California in particular.

If it hadn't come along (or, more likely, Leo and the TWiT gang working hard on it), then maybe TWiT wouldn't be here in its current form, or at all? 🤔

Kind Regards

Simon
 

Steve

(as in GRC)
Staff member
Feb 1, 2019
166
359
65
Southern CA, USA
www.grc.com
Simon,

Toward the beginning of all this, Leo had his team build up a full backup mini-studio in a spare bedroom (he has a few of those) at home. So, the worst (or least or most) that would have happened would have been that he would have retreated to home. He would likely still have some satellite editors. But, really, the TWiT studio is fun and it creates a FAR more professional feel... but it adds no actual content to the podcasts. So, we might have returned to the original "cottage" format. But I doubt Leo's ready to throw in the towel.
 

GrayBeardGreg

New member
Oct 2, 2020
1
1
ALMOST painless site registration! First time actually using it. Nicely done. I dearly hope more sites will see the wisdom of using SQRL.

One nit... Admittedly I may have an old client, but when you click on the QR code, or scan it, the prompt you get for your SQRL password just asks for "The Password", without specifying to use the SQRL password. I expected that was the case (otherwise what would be the point?), but right above the password entry, the site you're registering for is displayed in bold. To a first-time user, that was confusing. In my slightly confused mind, it looked like it might have been asking for a password for the site, not for SQRL.

Likely a first-time / one-time event, but a suggestion for clarifying the displayed text.
 

Frenchie

New member
Oct 3, 2020
1
1
What follows is NOT an objective review... merely personal experience:

As great as LastPass is (and all that jazz), I use Password Safe (Bruce Schneier's password manager, maintained and updated by others for Windows (Rony Shapiro)/Android (Jeff Harris)/iOS/Mac/Linux). I have access from nearly every device I own, and that means that I never have to remember anything other than my complex single password.

Here's the main site. Source code and binaries are available from github, fosshub, sourceforge, etc.

The encrypted file syncs to and from an online source, so I don't have to worry about my passwords anywhere, anytime, on any device, after I install pwsafe on that device, because it will download the newest file and save a local copy, overwriting any database present and, optionally, keeping backups of older versions of the local encrypted .pwsafe3 file.

It's Yubikey-compatible if you desire further authentication, and the length of time used to decrypt the database is configurable, as is the amount of time it remains unlocked before automatically wiping itself from RAM (essentially leaving nothing behind but the encrypted file with its built-in integrity checks). There are no back doors. No swapping to disk. No storage of an unaltered (hashed?) password anywhere.

It's extremely versatile for password generation using specifics, also, and if the OS you are using has a clipboard which is dodgy (as Android can be), use the program's own keyboard to open the file. Dragging-and-dropping usernames, passwords, email addresses, other info, etc. into browser fields is simple, and it contains an optional autotype option that will log you in automatically after you've unlocked your database and selected the name you've given whatever site you want to access.

Go LastPass! Go Password Safe! Go SQRL! Go—I don't think I'm prepared to trust anything else right now.
Hey @danlock, I've been using Password Safe for several years because it's available on all sorts of platforms. I keep the .pwsafe3 file in a Dropbox account to keep it synced across multiple devices. You mention syncing to and from an online source - I assume you use something similar?
 

PHolder

Well-known member
Sep 16, 2020
163
95
Ontario, Canada
It's Yubikey-compatible if you desire further authentication
I looked into this with Password Safe once, but what they did isn't great, unless it has eventually evolved. The original Yubikey protocol REQUIRED access to the online server, and since the data is local, introducing a 3rd-party loop between you and your local file is meaningless (it could be proxied out easily). So what I think they did was just allow you to store your password into the 2nd bank of the key... which is fine to save you from typing the password manually, but isn't much of a security boost.

FIDO or FIDO2 would allow you to use the key the way a true 2nd factor would be required, but that wasn't invented at the time of my last check on what they did, so I don't expect they've replaced it with that. Later Yubikeys can also store and use an RSA key, but again, that came after, and I suspect is not what they ended up offering.

Still, that doesn't take away from the program itself, just takes away from any claim they have a reasonable 2nd factor approach.
 

danlock

I feel at home here. That makes me very happy.
Sep 30, 2020
19
5
Hey @danlock, I've been using Password Safe for several years because it's available on all sorts of platforms. I keep the .pwsafe3 file in a Dropbox account to keep it synced across multiple devices. You mention syncing to and from an online source - I assume you use something similar?
Yes. It sounds like you use it in much the same way I do!