Lexar Fingerprint USB Flash Drive For Travel?

If you are willing to trust the extensive security measures a brokerage or bank website uses, then you should be even more willing to trust the very extensive security measures being used by companies like Bitwarden and KeePass.

I recently read through much of the Bitwarden FAQs regarding their encryption, storage, and security measures, and I'm convinced their open-source, extensively audited password manager app is essentially unhackable. Once you really understand the methodologies they're using, like "zero knowledge", salted and hashed passwords, etc., then you should be convinced that no hacker realistically could steal your data. This is probably also true for your brokerage/bank site data, but IMHO it's less clear for those sites because they are not open-source (i.e., their code is proprietary and private) and their security methodologies are not as transparent. The fact that you continue to use them, log into them, and have accounts with them implies a very high degree of trust, presumably based on their reputations and their "say so", whereas companies like Bitwarden and KeePass have gone well beyond that to openly demonstrate their rock-solid security measures.

I was a software developer myself, although I didn't specialize in password security. Isn't using salted, hashed passwords pretty basic security 101? Have no sites using salted, hashed passwords been hacked?
 
The financial institutions I deal with indemnify me 100% against fraudulent transactions. What do the password managers guarantee and what level of financial strength or insurance do they have to back their guarantees?

So you have read their advertising and find it convincing. It's good that you are happy. More secure to me is to not concentrate my passwords in one place. (BTW, hashing predates the term "computer science." Only idiots store passwords as clear text. Not really anything special or innovative. But I'm sure the FAQ sounded brilliant.)
 

ZING! So much for diplomacy! LOL!
 

I find the tone of your reply highly condescending. You clearly mistake me for a simpleton who could be easily swayed by marketing doublespeak, even though you know nothing about my educational background, my critical thinking skills, or my technology expertise and experience. I won't bother refuting your faulty assumptions, as I'm sure all I'll get in response is more snark and backhanded insults. Have a nice day.
 
Sorry. I was just responding to your lecture.
 
A simple thread about something as innocuous as a flash drive, and the contemptible arguments find a way... Knock it off.
 
I was a software developer myself, although I didn't specialize in password security. Isn't using salted, hashed passwords pretty basic security 101? Have no sites using salted, hashed passwords been hacked?

Oh, ok. I don't want to judge but with your screen name I thought you might have been in another line of work. :LOL:
 

IIRC, the only times passwords actually have been compromised were when the breached sites were using flawed hash algorithms that had known vulnerabilities. For example, the LinkedIn breach in 2012 exposed over 6 million passwords, because they were using (weak) SHA-1 hashing. Sites using ultra-strong SHA-256 in conjunction with PBKDF2 key derivation are not vulnerable to this kind of hacking.

Here is a quote from the Bitwarden FAQ:
Even if Bitwarden were to be hacked, there would be no method by which your master password could be obtained.
They also make the claim that "[t]he utilized hash functions are one-way hashes, meaning they cannot be reverse engineered." These statements are consistent with everything I have read about PBKDF2 and SHA-256.
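To make the difference between the two schemes in the post concrete, here is an added Python example (not Bitwarden's, KeePass's or the poster's code): a single unsalted SHA-1 beside a per-password salted PBKDF2-HMAC-SHA-256 with constant-time verification. The iteration count and storage format are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional

# Constructed example parameters for the salted, stretched scheme the thread
# describes (PBKDF2 with HMAC-SHA-256); the iteration count is illustrative.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """One fast, unsalted hash, the weak scheme the post attributes to the
    2012 LinkedIn breach. Identical passwords always give identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, stretched hash stored as 'pbkdf2_sha256$iters$salt$digest'
    so the verifier can recover the salt and work factor later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_shared_digests(hashes: List[str]) -> int:
    """How many distinct digests occur more than once. With an unsalted hash,
    every group of users sharing a password collapses to one digest, which
    is exactly what a per-password salt prevents."""
    return sum(1 for n in Counter(hashes).values() if n > 1)
```

Salting and stretching raise the cost of guessing against a stolen database; they do nothing against a weak master password or a phished one, which is the point made later in the thread.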
 

Thanks for explaining that. I can certainly see how someone who doesn't keep up with the latest/greatest hash algorithms could fall into a false sense of security simply because they used any ol' (flawed - unbeknownst to him) hash algorithm. I know there is a SHA-512. Do you think they don't use that because it's too slow (and probably overkill)?
 
To be clear, I'm not too concerned about a user's password database being compromised. Harvesting passwords at a retail level like that is unlikely to be profitable. Besides, most (I have read 70%) of password compromises are accomplished by phishing. It's easier.

The risk I see is that the password manager's code is successfully hacked and malware installs a back door either at the retail level or, worse, somehow tricks the password manager vendor into distributing the hacked code. This kind of thing has happened. Then the most sophisticated database protection algorithms in the world are irrelevant.
 
Agreed, and it's been a while, so I'll repeat a system that has worked well for me for over a decade. It is simple, secure, and you don't need to rely on a failing memory.

A) Create a complex password "key" made up of only alphanumeric characters. I suggest keeping the upper/lower case in easy-to-type segments. An example: "RACoonSNOT409".

B) Now, write down "RACoonSNOT409", but not on the same paper as your passwords.

C) On a separate paper, write down a hint to the web page, and a unique password suffix with any required special characters. An example for fidelity: fido ---FIDO#%1zX. The "---" reminds you to add your password "key".

Repeat step "C" for every secure web site you want to access.

D) For fido, you go to fidelity's web site (assuming you can remember it, if not, just write it down), enter your password key plus the unique password suffix for that site: "RACoonSNOT409FIDO#%1zX".

So it is very secure to have all the password suffixes written down. No one could get in w/o also knowing your password "key". And you can write down your password key in some inconspicuous place, but if you choose wisely, and with practice, muscle memory kicks in and it's almost automatic.

I guess it's a little like those old Cold War movies where it took two or more keys to start a nuclear attack. A bad actor who got a hold of your cheat sheet would only have one key.

I trust this system more than I do some cloud server. You may feel differently, that's OK too.

-ERD50

I also use a long complex password that is easy to remember, comprising a:

<Word><numeric sequence><word><special symbol>

I change the numeric sequence every 3 months.
 
To be clear, I'm not too concerned about a user's password database being compromised. Harvesting passwords at a retail level like that is unlikely to be profitable. Besides, most (I have read 70%) of password compromises are accomplished by phishing. It's easier.

The risk I see is that the password manager's code is successfully hacked and malware installs a back door either at the retail level or, worse, somehow tricks the password manager vendor into distributing the hacked code. This kind of thing has happened. Then the most sophisticated database protection algorithms in the world are irrelevant.

How to Check the Integrity of a File
https://www.logsign.com/blog/how-to-check-the-integrity-of-a-file/
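The check the linked article covers, as an added Python example (not from the article or any vendor): verifying downloaded files against a sha256sum-style checksum list. It catches corruption or tampering after the checksums were published; a checksum served from the same compromised source proves nothing, so a signature or a second channel is needed for the back-door scenario above.

```python
import hashlib
import hmac
import string
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents, fed in chunks as a real download would be."""
    h = hashlib.sha256()
    for i in range(0, len(data), 65536):
        h.update(data[i:i + 65536])
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines, '<64 hex digits>  <filename>'. A leading
    '*' on the filename (binary mode) is dropped; malformed lines are skipped."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in string.hexdigits for c in digest):
            continue
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_files(files: Dict[str, bytes], manifest: str) -> List[str]:
    """Names of files that fail: digest mismatch, or absent from the manifest.
    compare_digest keeps the comparison constant-time."""
    expected = parse_manifest(manifest)
    failed = []
    for name, data in files.items():
        want = expected.get(name)
        if want is None or not hmac.compare_digest(sha256_hex(data), want):
            failed.append(name)
    return failed


# Constructed sample data: a download that matches its published checksum and
# a copy altered by a single byte, as a tampered build would be.
GOOD_BUILD = b"password-manager installer 1.0 (constructed bytes)"
TAMPERED_BUILD = b"password-manager installer 1.0 (constructed bytez)"
MANIFEST = sha256_hex(GOOD_BUILD) + "  pwmgr-setup.exe\n"
```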
 
Yes. DW and I each carry a debit card, from 2 different banks, for ATMs, and we each carry a Visa or Mastercard from two different providers. No Discover or Amex, as they are routinely refused due to high costs. Sometimes we leave the country with thousands in $100 bills to pay a travel provider (makes for nice discounts if you offer this), but we try to get rid of that as quickly as possible after we land.

Yes, again to MrsHaloFIRE. Not a software developer, just a traveler who regularly leaves for 4 to 6 weeks, mainly, but not only, in Europe. I have two sets of credit cards (one Visa, one Mastercard) from two different banks, two ATM cards for different accounts, and two passports (dual citizen). I carry one set with me and I keep one set wherever I am staying. I don't carry cash to pay vendors, but I do use a service called Wise to transfer money to their accounts in local currency. My Wise account also holds money in local currency, which I can take out using an ATM. If all of this fails, I will end up at the local US embassy begging for help!
br
 