Posts: 71
jtwdyp
Joined: 08 Apr 2012
#1
The more I play with antiX, the better I like it!

And as Linux forums go, so far the people here really are a helpful bunch. But I've a question about the forum itself. It has to do with logging in. I know better than to use the same password for my on-line banking as I would for a forum. But there are a lot of forums and I can remember only just so many passwords, so it does bother me a little that I can't find an https:// equivalent of ucp.php?mode=login. I mean it would probably be a waste to secure the entire forum session. But it always bothers me to transmit any password in the clear. And if I used the same password as I currently do with several other forums, well let's just say I do wish there was an
why not?
Posts: 4,164
rokytnji
Joined: 20 Feb 2009
#2
I use an addon in my browser like https://lastpass.com/ to organize and save all my different passwords from site to site.
It has the capability also to generate encrypted passwords for sites you log in to also. There are others like that also if not wanting to use that.
Anyways. That is how I handle it.
Posts: 71
jtwdyp
Joined: 08 Apr 2012
#3
rokytnji wrote: I use an addon in my browser like https://lastpass.com/ to organize and save all my different passwords from site to site.
It has the capability also to generate encrypted passwords for sites you log in to also. There are others like that also if not wanting to use that.
Anyways. That is how I handle it.
Yeah I can see the attraction of such a method up to a point. EXCEPT then I'd have to trust them with all my passwords. (And I'm far too paranoid for that.) Because once I start letting them remember some of my frequently used passwords, I'll get lazy, and next thing you know I won't be able to remember any of them except lastpass. It's a slippery slope that I don't want to start down...

Besides, while it would enable me to actually use a truly unique password for each site I log in to, I can't see how it would make logging in via plain http: secure. Because even if the password itself is encrypted, if the login transaction itself isn't, then the sniffer simply records the encrypted form of the password and it can be replayed to another login session... Whereas if the entire login transaction is encrypted via https, then the miscreant would have to actually crack the SSL/TLS protocol encryption itself before they could know which part of which packets contained the password. And if the villain is THAT good then I'm a lot more worried about my on-line banking and credit card transactions than about such a one bothering messing with trivial passwords.

The only way that I can see lastpass being able to actually log me in securely to the forum would be if they negotiated an https: connection to it. And if the forum will do that for lastpass, why not just let forum users log in that way...

I suppose there must be some cost involved in getting a "trusted certificate authority" to "sign" the required public key certificate. But compared to the rest of the costs involved in keeping the forum online, can it really be that much?

What's the point in bothering with passwords if they are transmitted in the clear?
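
The replay concern raised in this post, modelled as an added example (not code from the thread or from the forum software; the account, function and class names are hypothetical). It goes one step beyond the post by contrasting a static client-side hash with a single-use nonce response; the nonce only stops replay of the captured value and leaves everything else on plain HTTP readable, so the HTTPS login asked for above is still needed.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; every name in this block is hypothetical.
STORED = {"alice": hashlib.sha256(b"forum-pass-123").hexdigest()}


def client_static_token(password):
    """Client hashes the password before sending it over plain HTTP."""
    return hashlib.sha256(password.encode()).hexdigest()


def server_login_static(user, token):
    """Server compares the received token with its stored hash."""
    return hmac.compare_digest(STORED.get(user, ""), token)


def _respond(key_hex, nonce):
    # The stored hash acts as the HMAC key, so it remains password-equivalent.
    return hmac.new(bytes.fromhex(key_hex), nonce.encode(), hashlib.sha256).hexdigest()


def client_response(password, nonce):
    return _respond(client_static_token(password), nonce)


class NonceServer:
    """Issues a fresh single-use nonce for every login attempt."""

    def __init__(self):
        self._pending = {}

    def challenge(self, user):
        self._pending[user] = secrets.token_hex(16)
        return self._pending[user]

    def login(self, user, response):
        nonce = self._pending.pop(user, None)  # consumed even on failure
        if nonce is None or user not in STORED:
            return False
        return hmac.compare_digest(_respond(STORED[user], nonce), response)


def demo():
    captured = client_static_token("forum-pass-123")  # value visible on the wire
    static_replay = server_login_static("alice", captured)
    srv = NonceServer()
    seen = client_response("forum-pass-123", srv.challenge("alice"))
    first = srv.login("alice", seen)
    srv.challenge("alice")  # a later attempt gets a different nonce
    nonce_replay = srv.login("alice", seen)
    return static_replay, first, nonce_replay
```

`demo()` returns whether the replayed static token, the legitimate nonce login, and the replayed nonce response were accepted, in that order.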
Posts: 325
male
Joined: 04 Nov 2011
#4
against the "lazy" ...

synaptic __{{emoticon}}__ keepassx

http://www.keepassx.org/
Posts: 2,238
dolphin_oracle
Joined: 16 Dec 2007
#5
You are right that LastPass won't help with secure connections. FYI, LastPass encrypts/decrypts on the client side, so they don't know your passwords either.
Posts: 71
jtwdyp
Joined: 08 Apr 2012
#6
dolphin_oracle wrote: You are right that LastPass won't help with secure connections. FYI, LastPass encrypts/decrypts on the client side, so they don't know your passwords either.
That part is OK then, I guess. But if I let them hold my passwords and then I can't connect to them for some reason... If I'm going to have a master password storage it's going to have things like this week's root password in it as well. And I might need that in order to fix my internet connection.
male wrote: against the "lazy" ...
synaptic __{{emoticon}}__ keepassx

http://www.keepassx.org/
That might have a bit more potential. But it appears fancier than I like. As it is I do keep a gpg encrypted file. Which I decrypt to tmpfile on small partition && vim -n -i NONE tmpfile...

I'm more comfortable searching and editing from vim than with any gui tool I've ever encountered.

Then optionally, I encrypt & preserve any changes before wiping the small partition.

So technically I could use a completely unique password for each forum. But I'm a little too lazy to enter any passphrase (good enough to protect my primary password list) every time I want to log in to some forum. Hence I tend to maintain one trivial password for insecure forums and another for the ones that let me log in securely.

I can usually keep up with two current forum passwords, so I'm not overly distressed that antiX forum doesn't do much to protect member passwords. I'm just a little bit saddened by it.