1. 16
  1.  

    1. 10

      Well, this is why my mother has three hundred maiden names, each pseudorandomly selected from a set with at least 56 bits of entropy. I keep them in my KeePass file encrypted in AES-256, which is secured with a seven word Diceware password.

      Granted, I haven’t managed to get my wife to do likewise.

      1. 3

        Well, this is why my mother has three hundred maiden names

        (o_O)

        http://tinyurl.com/oar4rk2

        1. 2

          http://tinyurl.com/oar4rk2

          They mean in relation to the secret question “What is your mother’s maiden name?”, they have made up and stored 300+ unique responses. Because using the actual one is asking for trouble.

          1. 2

            No, I get that. Should have quoted the other part of the post. Who the hell is actually that meticulous about security?

            Me, I just type random shit in those security questions, effectively disabling them. The only exception is my bank, because I get asked those questions after I type my password, if I’m coming from a different IP. Since I consider my card number and password the actual security, I don’t mind having these “insecurity” questions in this case.

            1. 2

              I am also that meticulous, except it feels more like common sense. If you’re using a tool like LastPass, KeePass or 1Password there is no reason not to do it, or even just store the random gibberish you typed in.

              I don’t know which bank you’re with, but I would check what security procedures they go through after you claim to have forgotten your password, because a lot of them will fall back on those questions. By doing it your way a person is relying on the bank not to do something stupid a hell of a lot more than the other way. So many criminals rely on social engineering over the phone to get what they want.

              1. 2

                Aw, crap, you’re right, stupid bank does ask those insecurity questions in case of lost password. Damn, I don’t know what to do now. I don’t want to go through the hassle of setting up a keychain of passwords. So you see, there is a reason to not do it, the same reason everyone else has: too damn inconvenient.

                Oh well. I too like to live dangerously, I guess.

                1. 2

                  With you there seriously: it is an inconvenience. However, it’s nowhere near as big an inconvenience as I thought it’d be before I started using LastPass. If you’re on Chrome it is almost seamless, even on mobile with iOS & Android.

                  1. 2

                    Anything that is not hosted by me or has no source code is out of the question. From your recommendations, that just leaves KeePass. But then I would have to build it myself, since there appears to be no Debian package.

                    Inconvenient.

                    1. 1

                      All valid worries. KeePass on Linux was always just a port of KeePass for Windows. Take a look at another project which looks almost identical but is properly cross-platform: the GNU-licensed KeePassX. [debian, src].

                      1. 2

                        Okay, thanks, this is pretty convenient. I’ll start using this, and I’ll recommend it to others. My fiancée would probably benefit from this too.
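The practice discussed in this thread (a pseudorandom answer with at least 56 bits of entropy for each "insecurity" question, and a seven-word Diceware master password protecting the password manager that stores them) as an added worked example. This is not code from any of the commenters or from KeePass/KeePassX; it only shows how to size and generate the values with Python's `secrets` module. The character alphabet, the 56-bit and seven-word targets, and the tiny demo word list are assumptions; a real Diceware list has 7776 words (about 12.9 bits per word), so seven words give roughly 90 bits.

```python
import math
import secrets
import string

# Assumed alphabet for fake security-question answers: lowercase + digits,
# chosen because many sites lowercase answers or reject punctuation.
ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols

# Constructed demo word list (NOT a real Diceware list; a real one has 7776
# entries). Used only so the example runs offline.
DEMO_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "iris", "jumbo", "kelp", "lantern", "marble", "nickel", "orbit", "pumice",
]
DICEWARE_LIST_SIZE = 7776  # 6^5 entries in a standard Diceware list


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size, bits):
    """Smallest symbol count whose uniform choice yields >= `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def fake_answer(bits=56, alphabet=ALPHABET):
    """A random 'mother's maiden name' with at least `bits` bits of entropy.

    Uses secrets.choice (CSPRNG), never random.choice, so the answer is not
    predictable from the process state.
    """
    n = min_length_for_bits(len(alphabet), bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def diceware_passphrase(words=7, wordlist=None):
    """Passphrase of `words` uniformly chosen words, Diceware style."""
    wl = wordlist if wordlist is not None else DEMO_WORDLIST
    return " ".join(secrets.choice(wl) for _ in range(words))


def answers_for(questions, bits=56):
    """One independent fake answer per question, ready to paste into the
    password manager entry alongside the site's password."""
    return {q: fake_answer(bits) for q in questions}


if __name__ == "__main__":
    qs = ["What is your mother's maiden name?",
          "What was your first pet's name?",
          "Which city were you born in?"]
    for q, a in answers_for(qs).items():
        print(f"{q:40s} {a}  ({entropy_bits(len(ALPHABET), len(a)):.1f} bits)")
    print("master passphrase (demo list):", diceware_passphrase())
    print("real Diceware, 7 words:",
          f"{entropy_bits(DICEWARE_LIST_SIZE, 7):.1f} bits")
```

With a 36-symbol alphabet, 56 bits needs 11 characters (10 would give only about 51.7 bits); the answer you store in the manager is whatever `fake_answer` produced, and the question becomes just another random secret that only the manager knows. The master passphrase is the one value that is not stored anywhere, so its strength (seven real Diceware words) has to carry the whole vault.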