Confluence

A blog for Confluence group.

Tuesday 30 June 2020

Desmontando Bulos (II): De Esclavos De Saldo Y Engaños A La Wikipedia

Segundo artículo de la serie dedicada a desmontar bulos históricos. En un artículo anteriortratamos dos de los más populares: la canastilla del vigía de los barcos de vela y su supuesta relación con...

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

More information


  1. Lifestyle Gym Equipment
  2. Curiosidades Londres
  3. Viaje Birthday Blend 2020 Review
  4. Viaje 1 Y 2
  5. Curiosidades Del Mundo Y La Naturaleza
  6. Lifestyle Magazine
  7. Viaje 5 Dias Grecia
  8. Lifestyle Nearby
  9. Viaje Del Heroe
  10. Viaje Virtual A Disney
  11. When Is Lifestyle Sports Reopening
  12. What Lifestyle Choices Cause Diabetes
  13. Lifestyle 650 Price
  14. Curiosidades 7 Vidas
  15. 7 Curiosidades Sobre O Universo
  16. Viaje Sin Rumbo Letra
  17. Curiosidades Forrest Gump
  18. Viaje Quinceañeras
  19. Curiosidades Resident Evil
  20. Viaje Uzbekistan Politours
  21. Curiosidades Ranas
  22. What Does Vieja Mean In Spanish
  23. Viaje Largo Marcela Gandara
  24. Viaje Tailandia
  25. How Many Lifestyle Stores Are There In India
  26. Curiosidades Oceania
  27. Lifestyle Gift Card
  28. Curiosidades Estranhas
  29. Viaje Infinito Nicole
  30. Viaje Skull And Bones Cloudmaker
  31. Viajes Baratos
  32. Lifestyle Without Food
  33. Lifestyle Vs Diet
  34. Curiosidades Xbox
  35. Curiosidades Alina Reno Nv
  36. Lifestyle Business
  37. Curiosidades Instagram
  38. Curiosidades Y Leyendas De La Alhambra
  39. Curiosidades 25 De Abril
  40. Lifestyle Words
  41. Lifestyle Business
  42. Lifestyle Amrit Maan
  43. Lifestyle Realty
  44. Viaje Vs Viaja
  45. Curiosidades Sobre Two And A Half Man
  46. Viaje Hacia El Mar
  47. Lifestyle Journal
  48. Viaje Interprovincial Peru
  49. Lifestyle Without Barriers
  50. Curiosidades Plants Vs Zombies
  51. Curiosidades De Plantas Vs Zombies Garden Warfare
  52. Viaje Kilimanjaro
  53. Curiosidades Russia
  54. Will Lifestyle India
  55. Viaje To English
  56. Viaje Na Viagem
  57. Lifestyle 8X6Ft Metal Shed Kit
  58. Viaje Humanitario
  59. Fiesta De 15 Años O Viaje
  60. Curiosidades 50 Sombras Liberadas
  61. Viaje 5 Dias Grecia
  62. Is Viaje De Lujo Legit
  63. Viaje Meaning In English
  64. Curiosidades Lingua Portuguesa
  65. Lifestyle 901
  66. Lifestyle 535
  67. Where Is Lifestyle Located
  68. Viaje Warner Madrid
  69. Curiosidades Jojo Rabbit
  70. Viaje Entre Regiones Chile
  71. Curiosidades 5 De Mayo
  72. Who Lifestyle Medicine
  73. Viaje La Isla Misteriosa
  74. Lifestyle Qatar
  75. Viaje Karnavati University
  76. Curiosidades The Office
  77. Viaje Jalapeno Cigar
  78. Curiosidades 90210
  79. Lifestyle Campers
  80. Lifestyle Of A Butterfly
  81. Lifestyle 6X4Ft Greenhouse With Base
  82. Curiosidades Astronomia
  83. Viaje 7 Dias Europa
  84. Viaje En Ingles
  85. How Much Is Lifestyle Lift
  86. Curiosidades Italia
  87. Curiosidades Hoy
  88. Viaje
  89. Lifestyle Photos
  90. Lifestyle Shoes
  91. Lifestyle Xl Condoms Size
  92. Viaje Inmovil
  93. Lifestyle Hoodie
  94. Viaje Resorts
  95. Lifestyle 550
  96. Viaje De Chicas
  97. Viaje 5Th Anniversary
  98. When Lifestyle Is Sedentary
  99. How Much Is Lifestyle Fitness Membership
  100. 4 To Viaje De Colon
  101. Lifestyle Asia
  102. Curiosidades 747
  103. Lifestyle Youtube Channel Ideas
  104. Curiosidades Estranhas
  105. Who Lifestyle Related Disease
  106. Lifestyle Zimbabwe
  107. For Lifestyle-Related Diseases
  108. Curiosidades Will And Grace
  109. Where Can Lifestyle Vouchers Be Used
  110. Viaje Zombie Farmer Bill Hatchet
  111. Curiosidades Naturaleza
  112. Curiosidades Mexico
  113. Viaje Y Hotel
  114. Lifestyle Unlimited
  115. Lifestyle Young Thug
  116. Lifestyle 127
  117. Curiosidades Plantas
  118. Curiosidades 5S
  119. Lifestyle Without Modern Gadgets
  120. Lifestyle Coach
  121. Curiosidades Nba
  122. 8 Curiosidades Sobre O Trânsito
  123. Viaje How To Say
  124. Lifestyle Newborn Photography
  125. Viaje Salvaje
  126. 66 Curiosidades De La India
  127. Lifestyle Vs Standard Of Living
  128. Lifestyle Blogs
  129. Why Lifestyle Entrepreneur
  130. Curiosidades Aleatorias
  131. How To Say Viaje In Spanish
  132. Viaje Hamaki Omakase
  133. Lifestyle Dubai
  134. Curiosidades Italia
  135. Lifestyle Coach
  136. Viaje Interprovincial Peru
Posted by at No comments:

10 Useful Websites for Hackers

  • KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
  • HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
  • Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
  • Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
  • Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
  • SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
  • The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
  • Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
  • Phrack Magazine: Digital hacking magazine.
  • Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
Posted by at No comments:

Thursday 11 June 2020

The OWASP Foundation Has Selected The Technical Writer For Google Season Of Docs

The OWASP Foundation has selected the technical writer for Google Season of Docs by Fabio Cerullo


The OWASP Foundation has been accepted as the organization for the Google Seasons of Docs, a project whose goals are to give technical writers an opportunity to gain experience in contributing to open source projects and to give open-source projects an opportunity to engage the technical writing community.

During the program, technical writers spend a few months working closely with an open-source community. They bring their technical writing expertise to the project's documentation, and at the same time learn about open source and new technologies.

The open-source projects work with the technical writers to improve the project's documentation and processes. Together they may choose to build a new documentation set, or redesign the existing docs, or improve and document the open-source community's contribution procedures and onboarding experience. Together, we raise public awareness of open source docs, of technical writing, and of how we can work together to the benefit of the global open source community.

After a careful review and selection process, the OWASP Foundation has picked the primary technical writer who will work along the OWASP ZAP Team for the next 3 months to create the API documentation of this flagship project.

Congratulations to Nirojan Selvanathan!

Please refer to the linked document where you could look at the deliverables and work execution plan.
https://drive.google.com/open?id=1kwxAzaqSuvWhis9Xn1VKNJTJZPM2UV20



Related posts


Posted by at No comments:

Tishna: An Automated Pentest Framework For Web Servers, Web Applications To Web Security

About Tishna:
   Tishna is complete automated pentest framework for web servers, application layer to web security.

   Tishna was tested on: Kali Linux, Parrot Security OS, Black Arch, Termux, Android Led TV.

Tishna's interface: Tishna has 62 options with full automation and can be use for web security swiss knife.

Tishna's installation: First, boot your Kali Linux or Parrot Security OS up. Then open Terminal and enter these commands

Appeared:
  • Cyber Space (Computer Security).
  • Terror Security (Computer Security).
  • National Cyber Security Services.

Brief Introduction
  • Tishna is useful in Banks, Private Organisations and Ethical hacker personnel for legal auditing.
  • It serves as a defense method to find as much as information possible for gaining unauthorised access and intrusion.
  • With the emergence of more advanced technology, cybercriminals have also found more ways to get into the system of many organizations.
  • Tishna software can audit, servers and web behaviour.
  • Tishna can perform Scanning & Enumeration as much as possible of target.
  • It's first step to stop cyber criminals by securing your Servers and Web Application Security.
  • Tishna is false positive free, when there is something it will show no matter what, if it is not, it will give blank results rather error.

Developer

Support to the coder
   You can sponsor and support via BTC.
   The bitcoin address: 3BuUYgEgsRuEra4GwqNVLKnDCTjLEDfptu
qr code

More articles

Posted by at No comments:

JoomlaScan - Tool To Find The Components Installed In Joomla CMS, Built Out Of The Ashes Of Joomscan


A free and open source software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.

Features
  • Scanning the Joomla CMS sites in search of components/extensions (database of more than 600 components);
  • Locate the browsable folders of component (Index of ...);
  • Locate the components disabled or protected
  • Locate each file useful to identify the version of a components (Readme, Manifest, License, Changelog)
  • Locate the robots.txt file or error_log file
  • Supports HTTP or HTTPS connections
  • Connection timeout

Next Features
  • Locate the version of Joomla CMS
  • Find Module
  • Customized User Agent and Random Agent
  • The user can change the connection timeout
  • A database of vulnerable components

Usage
usage: python joomlascan.py [-h] [-u URL] [-t THREADS] [-v]
optional arguments:
-h, --help              show this help message and exit

-u URL, --url URL       The Joomla URL/domain to scan.
-t THREADS, --threads   THREADS
                        The number of threads to use when multi-threading
                        requests (default: 10).
-v, --version           show program's version number and exit

Requirements
  • Python
  • beautifulsoup4 (To install this library from terminal type: $ sudo easy_install beautifulsoup4 or $ sudo pip install beautifulsoup4)

Changelog
  • 2016.12.12 0.5beta > Implementation of the Multi Thread, Updated database from 656 to 686 components, Fix Cosmetics and Minor Fix.
  • 2016.05.20 0.4beta > Find README.md, Find Manifes.xml, Find Index file of Components (Only if descriptive), User Agent and TimeOut on Python Request, Updated database from 587 to 656 components, Fix Cosmetics and Minor Fix.
  • 2016.03.18 0.3beta > Find index file on components directory
  • 2016.03.14 0.2beta > Find administrator components and file Readme, Changelog, License.
  • 2016.02.12 0.1beta > Initial release




Read more


  1. Pentest Ftp
  2. Pentest Os
  3. Pentest Hardware
  4. Pentest Training
  5. Pentest Box
  6. Pentest Certification
  7. Pentest Cheat Sheet
  8. Hacker Typer
  9. Pentest Network
  10. Hacking Tutorials
  11. Hacking Names
  12. Pentest Uk
  13. Pentest With Metasploit
  14. Hacking Groups
Posted by at No comments:

Wednesday 10 June 2020

Top 5 Most Useful Linux Tools For Programmers

Top 5 most useful linux tools for Programmer

Linux is a free and open-source software operating systems built around the Linux kernel. It typically packaged in a form known as a Linux distribution for both desktop and server use. It is a great development environment for programmers and developers. However, without the development tools, that would be impossible. Fortunately, plenty of Linux tools are available. Here are the top 5 most useful Linux tools for programmers.

Also Read;-  How To Clone One Android To Another

5 Most Useful Linux tools for Programmers

1. VIM

vim editor-compressed
VIM is a free and open source software written by Bram Moolenaar in 1991. It is designed for use both from a command-line interface and as a standalone application in a graphical user interface. It comes standard with almost every Linux distribution and is also known as "the programmer's editor". VIM is great for coding and can also be used for editing things like configuration files and XML documents.
Vim has been developed to be a cross-platform that supports many other platforms. In 2006, it was voted as the most popular editor amongst Linux Journal readers. In 2015, Stack Overflow developer survey found it to be the third most popular text editor while in 2016, the Stack Overflow developer survey found it to be the fourth most popular development environment.
Read more;-  How To Use WhatsApp without Mobile No

2. Zsh

Zsh is written in C and initially released in 1990. It is a Unix shell that can be used as an interactive login shell and as a powerful command interpreter for shell scripting. Zsh is an extended version of Bourne shell (BASH) with a large number of improvements, including some features of Bash, ksh, and tcsh. Zsh gives a user-friendly experience on the command line. It also gives better auto-completion, Vim key bindings, and smart guesses when you write a command wrong.
Its features include (but not limited to):
  • Programmable command-line completion,
  • Sharing of command history among all running shells
  • Extended file globbing
  • Improved variable/array handling
  • Editing of multi-line commands in a single buffer
  • Spelling correction
  • Various compatibility modes,
  • Themeable prompts, and
  • Loadable modules.

3. Byobu

It was initially released in 2009 written in Sh and Python. Byobu can be used to provide on-screen notification or status and tabbed multi-window management. Thus, it is intended to improve terminal sessions when users connect to remote servers with an operating system Linux and Unix-like. It is is an enhancement for the GNU Screen terminal multiplexer or tmux used with the GNU/Linux computer operating system.

4. GIT

git commandsGit was initially released on April 7, 2005. It is a version control system to track changes in computer files and to coordinate work on those files among multiple people. It is primarily used for source code management in software development and can be used to keep track of changes in any set of files available in the English language. It is aimed at speed, data integrity, and support for distributed, non-linear workflows. It is free and open source software distributed under the terms of the GNU General Public License version 2.
Moreover, Linus Torvalds was the creator of GIT for the development of the Linux kernel. On the other hand, its current maintainer since then is Junio Hamano. Thus, every Git directory on every computer is a full-fledged repository with complete history and full version tracking abilities, independent of network access or a central server.

5. Docker

Written by Solomon Hykes in 2013, it is a computer program that performs operating-system-level virtualization, the containerization, which is developed by Docker, Inc. Primarily, Docker was developed for Linux to use as the resource isolation features of the Linux kernel. It is a tool that can package an application and its dependencies in a virtual container that can run on any Linux server. This helps enable the flexibility and portability on where the application can run, whether on premises, public cloud, private cloud, bare metal, etc.  Moreover, it accesses the Linux kernel's virtualization features either directly using the libcontainer library.
Read more
  1. Pentest Tools Framework
  2. Pentest Meaning
  3. Pentest Vs Red Team
  4. Pentest Report
  5. Hacking Google
  6. Hacking Tutorials
  7. Pentest Basics
  8. Hacking Jailbreak
  9. Pentest Enumeration
  10. Hackerrank Sql
  11. Hacking Tools
  12. Hacking Apps
  13. Pentesting And Ethical Hacking
  14. Hackerrank Sql
  15. Pentest Red Team
  16. Hacker Types
  17. Pentest Vs Ceh
Posted by at No comments:

How To Run Online Kali Linux Free And Any Devices

More information
  1. Pentest Keys
  2. Pentest Hardware
  3. Hacking 3Ds
  4. Pentest Azure
  5. Pentest Vs Ceh
  6. Hacking Network
  7. Hacking Process
Posted by at No comments:

Tuesday 9 June 2020

How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

Related links
  1. Hackerrank
  2. Pentest Tools Framework
  3. Pentesterlab
  4. Hacking The System
  5. Hackerone
  6. Pentest Vs Red Team
  7. Hacker Wifi Password
  8. Hacking Jailbreak
  9. Hacking Simulator
  10. Hacker Computer
  11. Hacker Prank
  12. Pentest Ftp
  13. Hacking Names
  14. Pentest Vs Ceh
  15. Hacking Google
Posted by at No comments:

Monday 8 June 2020

Change Passwords Regularly - A Myth And A Lie, Don'T Be Fooled, Part 2

In the previous blog post, I have covered the different passwords you have to protect, the attackers and attack methods. Now let's look at how we want to solve the issue.

Password requirements

So far we have learned we have to use long, complex, true random passwords. In theory, this is easy.
Now, this is my password advice for 2014:

Password character classes
Use upper-lower-digit-special characters in general cases.
If you don't understand what I just write, choose from this:
qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789-=[];'\,./<>?:"|{}_+!@#$%^&* ()`~
If you are a CISO, and say: use 3 out of 4 character class, everyone will use Password12 or Welcome12 as their password (after the 12th enforced password change).

Password length
This is basically the only thing which changes whether the password is in the very high/high/medium/low level. Check the previous blog post for the details about very high/high/medium/low level.

Password length: Very high level class (including work-related/enterprise passwords)
15 character (or 20 if you are really paranoid). Making true random passwords longer than 20 characters usually does not make any sense, even in high security scenarios (e.g. military, spy agencies, etc.). 15 character in Windows environment is a right choice, as LM hash is incompatible with 15 character passwords, thus one (effective) attack won't work. Beware, there might be bugs with using 15 character passwords, with a low probability.

Password length: High-level class
12 character, upper-lower-special characters

Password length: Medium class
10 character, upper-lower-special characters, still TRUE random

Password length: Low-level class
9 character. Why less?

Pin codes
Always choose the longest provided, but a maximum of 8. Usually, more is pretty impractical.

Password randomness
True random, generated by a (local) computer. Avoid Debian. Avoid random generated by your brain. Do not use l33tsp33k. Do not append or prepend the current month, season or year to a word. Do not use Star Wars/Star Trek/(your favorite movie/series here) characters or terminology. In general, avoid any pattern like the above ones. The chances that a true random password generator generates SkyWalker12 is very-very low. And believe me, it is not that hard to crack those. Every algorithm that you would come up with; the bad guys have already thought of it. Use true random. Let the computer do it for you. See details later in this post.

Password history
Never-ever reuse passwords. NEVER!

Password change period
If it is not enforced otherwise, don't bother to change it twice in a year. But! Check if the password cracking speed made your current ones obsolete. If yes, change the obsolete passwords. Immediately change the password if you have been notified that the service you use has been compromised. Immediately change all of your recently used passwords if you suspect malware was running on your computer (do this on a known clean computer). Immediately change your password if you have used it on a computer you don't own, or there is a small chance malware is running on it. Change it if you really had to give your password to someone. Otherwise, goodbye regular password change. We will miss you...

If you are a CISO, and writing security policies, you should have to enforce the password change period based on: do you allow LM hashes? What is the password length requirement for users and administrators? What is the current hash cracking speed, and the forecast for the next 2 years? I think people would be happy to increase their passwords with 1-2 characters, if they are not forced to change it frequently (e.g. every month).
Now after I was sooo smart giving advises people still hate to implement, let's see the practical implementations. At least some people might like me, because I told them not to change the passwords regularly. Next time someone tells you to change all your important passwords regularly, put a lie detector on him, and check if he changes all of his passwords regularly. If he lies, feel free to use the wrench algorithm to crack his passwords. If he was not lying, call 911, to put a straitjacket on him. Only insane paranoid people do that in reality. Others are just too scared to say "what everyone recommended so far is bullshit". Comments are welcome ;) Other people might hate me for telling them using true random passwords. Don't panic, keep reading.
And don't forget to use 2 factor authentication. It might seem a bit of an overkill at the beginning, but after months, you won't notice using it.

(Bad and good) solutions

I will use the same password everywhere

This is a pretty bad idea. If one of the passwords are compromised, either the attackers can access your other sites, or you have to change all of your passwords. There are better ways to spend your life on earth than changing all of your passwords.

I will remember it

Good luck remembering 250 different, complex passwords. Don't forget to change them regularly! ;)

I will use the password recovery all the time

Not a very user-friendly solution. And because the security answer has to be as complicated as the password itself, the problem has not been solved.

I will write it down into my super-secret notebook and put it in my drawer

Although it might work in some cases, it won't work in others. I don't recommend it.





I will use an algorithm, like a base password, and add the websites first letters to the end of the password

Still better than using the same password everywhere, but believe me, if this is a targeted attack, it is not that hard to guess your password generation algorithm.

I will use the advice from XKCD, and use the password correcthorsebatterystaple

Still a lot better than simple passwords, but unfortunately, people are still bad at choosing random words with random order, so it is not the best solution. And again, you can't memorize 250 different passwords ... Even 10 is impossible. Only use this method in special corner cases (see details later), and use a passphrase generator!

I will use a password manager

This is the very first good idea. It solves the problem of remembering 250 different complex and random passwords. Some people might complain about using a password manager, here are those complaints. And my answers:

If someone gets access to this one password store, all is lost.
Answer: If someone accessed your password store, and the master password, you can be pretty damn sure that most of your passwords are already stolen. For extra paranoids, you can use multiple password stores, one for daily use, one for rare cases. Beware not to forget the password for the second one ;)

What if I don't have access to the password store when I need it?
Answer: In the age of cheap notebooks, tablets, and smartphones, in 99% of the cases you should not use that important password on any other device than yours. In the rare cases when you must, you can use either your smartphone to get the password, or use a browser extension like Password hasher to generate different passwords to different websites, with one password. For extra paranoids, you can have different master passwords for the different security levels. And don't forget to change the password after you are back at your own computer.

What if I forgot the one password to the password store?
Answer: If you use your password manager daily, it has the same odds to forget that one password as it is to forget every one of your passwords.

Password managers make phishing attacks easier.
Answer: Who started this nonsense? Good password managers decrease the risk of phishing.

Password managers have the same vulnerabilities as other websites or software.
Answer: Well, this is partially true. There are at least 3 types of password managers, from most secure to least: offline, browser built-in, online. Online password managers give better user experience, with a sacrifice in security. But if you choose one of the leading password managers, and you are a simple home user, the risks are negligible. If you try to store your work password in an online password store, you might violate your internal security policy. For paranoids, use offline password managers, and back them up regularly. If you choose an online password manager, at least use 2-factor authentication. And don't forget, your Chrome password can be easily synchronized to the cloud, shifting it to the online category.

In some cases, like Full Disc Encryption, OS login, smartphone login, or password manager login, the auto-type of password from the password manager is not available, thus choosing a true random password is a pain in the a$$.
Answer: True. Generate pronounceable passwords or passphrases in these corner cases, e.g. with the Linux tool apg you can generate pronounceable passwords. For easy and fast type, don't use capital letters (only lower-alpha - digit - special) in the original password, but increase the length of the password. Add 1 extra character because you don't use upper case letters, add 3 other because it is a pronounceable password, and you are good to go. For extra paranoids change one or two of the letters to uppercase where it is convenient. 
apg -M SNL -m 15 is your friend.
If you want to check what I write here (always a good idea), test the entropy of a true random 10 character password with all character classes, and check it with 14 characters, without uppercase. I recommend KeePass for that. If you comment on this that "Keepass can not measure that it is a pronounceable password, thus the entropy is lower in reality", my answer is: "Check out the current passwords used by users, and current password advises, and tell me if this password is a lot better or not ..." . You have been warned.
 

For the high-level password class, I don't recommend anything your brain generated. There are also suitable offline passphrase generators. Use at least 5-6 words for passphrases.

Password managers are not user-friendly, it takes more time to log in.
Answer: If you set auto-type/auto-fill, and the password manager is opened once a day (and you lock your computer when you leave it), in this case, logging in takes less time than typing it! It is more convenient to use it, rather than typing the passwords every time.

I like to create new unique passwords every time I create a new account, and password managers take the fun away from it.
Answer: Said no one, ever! "38 percent of people think it sounds more appealing to tackle household chores – from folding the laundry to scrubbing toilets – than to try and come up with another new user name or password."

To summarize things. Use a password manager.

General advise

Never use your essential passwords on other computers. They might be infected with a password stealer. If you really have to use it, change the password as soon as possible on a trusted (your) computer.

Don't fool yourself by phishing sites. If you go to the local flea market, and there is a strange looking guy with "Superbank deposit here" logo above his head, will you put your money?

Protect yourself against malware. Use a recent operating system, and even if you use OSX or Linux, it is not a bad thing to have an AV as a "last line of defense". Or to check your pendrive for Windows USB worms.

Never-ever use online web sites to "generate your password", "measure the complexity of your password" or "check if it has been breached". Never! (Except if it is your password manager :) ... )

Update: Sign up on the https://haveibeenpwned.com/ for notification if your e-mail is found in a leak.

Changing passwords frequently is bad advice. It is not effective. Put more energy in other right password advise. 

More information


Posted by at No comments:
Subscribe to: Posts (Atom)