Comments on: The Yubikey https://pthree.org/2012/10/30/the-yubikey/ Linux. GNU. Freedom. Mon, 09 Oct 2017 10:42:05 +0000

By: August West https://pthree.org/2012/10/30/the-yubikey/#comment-197800 Wed, 17 Sep 2014 02:53:27 +0000 http://pthree.org/?p=2554#comment-197800 I also refuse to use online password managers. I recently found Abraxas, which is referred to as a collaborative password utility. It is not a vault per se, as it generates the passwords on the fly rather than storing them. It uses GPG for security and is fully open source. Only works on Linux though. http://www.nurdletech.com/linux-utilities/abraxas/

By: Aaron Toponce https://pthree.org/2012/10/30/the-yubikey/#comment-117190 Mon, 26 Nov 2012 05:19:12 +0000 http://pthree.org/?p=2554#comment-117190 Alexandre Franke- Still, it's an online password manager. It requires running software on an external server, whether you own the server or not. This isn't something I'm interested in.

By: Joseph Scott https://pthree.org/2012/10/30/the-yubikey/#comment-117164 Tue, 13 Nov 2012 15:15:55 +0000 http://pthree.org/?p=2554#comment-117164 The reason for passing along bcrypt's 72 character limit is password collisions. Here is an example: say Alice has a password that is 100 characters long and Bob has a password that is 80 characters long. If they both start with the same 72 characters then for your system those passwords are identical. I consider that a condition to be avoided.

I came up with a few methods for working around this limitation and discussed it with the author of phpass. Ultimately there were some workarounds that likely didn't reduce the security of the hashes, but the safest stance was still to limit user password strings to 72 characters to ensure uniqueness.

By: Alexandre Franke https://pthree.org/2012/10/30/the-yubikey/#comment-117163 Tue, 13 Nov 2012 08:59:44 +0000 http://pthree.org/?p=2554#comment-117163 It seems you didn't pay enough attention when looking it up.

Clipperz:
* can be installed on your own server (or your desktop provided you have a local web server) as it's free software
* doesn't store your passwords as it uses a zero knowledge paradigm

By: Aaron Toponce https://pthree.org/2012/10/30/the-yubikey/#comment-117115 Wed, 31 Oct 2012 12:51:30 +0000 http://pthree.org/?p=2554#comment-117115 Joseph- Even though bcrypt/blowfish imposes the limit internally, why bother with it externally?

Alexandre- No thanks. I don't buy into the security of online password managers. I would much rather prefer to manage my passwords without the help of an online 3rd party.

By: Alexandre Franke https://pthree.org/2012/10/30/the-yubikey/#comment-117091 Tue, 30 Oct 2012 20:41:25 +0000 http://pthree.org/?p=2554#comment-117091 You may want to look at Clipperz and consider it as a replacement to KeePassX.

By: Joseph Scott https://pthree.org/2012/10/30/the-yubikey/#comment-117090 Tue, 30 Oct 2012 18:53:35 +0000 http://pthree.org/?p=2554#comment-117090

This is to appease silly developers who think it’s funny to limit the length of passwords in their form fields.

I confess to having the same feelings about password length limits. Then I ran into bcrypt/blowfish only paying attention to the first 72 characters of a string. So now I'm looking at limiting password strings to 72 characters. Still a decent amount, but doesn't quite feel the same as allowing passwords of any length.
