-
emus
Zash: yes sure
-
emus
is there a collection site for all such projects?
-
Zash
Wiki maybe? If not, wiki it ☺️
-
emus
No, if not website it :-)
-
lovetox
guys if you use a password manager, write your master password down on some paper and store it with your documents somewhere in your home
-
lovetox
i nearly had a meltdown today, when i woke up, type in my password which i typed in every day for the last years, and its wrong, then i think about it for a minute, and cant remember the fucking password anymore, its just gone.
-
Zash
fireproof safety deposit box?
-
MattJ
+1
-
lovetox
then i realize whats in that password manager, like everything, ssh keys, root passwords, passwords for every fucking device in my life, TOTP keys for all the sites, of course i activated 2FA Everywhere, so now even if i know the password i cant login anymore
-
MattJ
For a long time we told people not to write down passwords, but these days it's far less likely that your online accounts will be compromised by someone breaking into your home than forgotten, guessed or phished
-
Zash
lovetox, it doesn't happen to be lastpass? https://news.ycombinator.com/item?id=29705957 has been mentioned in a bunch of places
-
lovetox
no i dont use an online password manager, i have a keepass xc
-
lovetox
it took me the whole day calming down, just now i sit in front of the thing again, and i type and type per muscle memory, and suddenly i realize, im off one key to the right for the last letter
-
Zash
ah yes, the keyboard alignment error
-
lovetox
and then i found it, and im really happy, and i write my password now down, even think about exporting that content of the password manager to hard copy somewhere
-
nephele
I know that feeling of not "knowing" passwords, but only having them in muscle memory... I usually use quite complex passwords and only have them in something like a password manager to initially learn them :)
-
pep.
Also SSSS and also keep a part for yourself to make it slightly easier to get back? :/
-
pep.
So you handle the case you're incapacitated, be it that you're alive or dead :x
-
lovetox
my laptop is encrypted with LUKS, and the password is the same as to my password manager, i googled today the whole day how to crack LUKS encryption, and how to crack KeepassXC v4 database
-
lovetox
and of course i used the newest algos on everything
-
lovetox
its basically impossible right now :D
-
Zash
haha let me tell you about the BIOS supervisor password I thought was a good idea to set on the now 3 year old laptop I bought
-
Zash
and then never used again, until I thought I'd install the extra RAM I had bought, because it's got tamper protection and a built-in battery so you have to do stuff in bios to open it up
-
Zash
still can't remember it
-
Zash
and then I spilled one drop of water into the keyboard, which promptly broke just enough keys to prevent typing any password I could think of, *AND* the disk crypto password
-
moparisthebest
lovetox, haha yes good lesson, I had the same problem unlocking the LUKS partition on my server I rarely reboot
-
moparisthebest
turns out I can only type it correctly when sitting down, not standing up and hunching over, who knew ?
-
jonas’
lovetox, welcome back ;)
-
jonas’
I spent one afternoon this year brute-forcing my own LUKS password
-
jonas’
it was luckily an xkcd-horse-battery-staple-correct-style password, and I remembered three out of five words, so brute forcing it was even feasible
-
jonas’
otherwise.... that would've turned into a pretty terrible day
-
lovetox
yes, i had the same thought, i knew i was off by one or 2 keys
-
lovetox
i thought bruteforcing is the way to go
-
lovetox
but luks2 with kdf=argon2i or something like that
-
jonas’
among the forgotten words was the first one, so I couldn't trigger muscle memory
-
lovetox
its not really possible
-
jonas’
if you know enough bits, it is
-
jonas’
might just take a few dozen CPU-hours
-
lovetox
yeah but then i have to write the bruteforce myself
-
lovetox
the tools like hashcat, john the ripper, which are usually used
-
lovetox
all have no support right now for these new algos
-
Zash
how2 brute force bios password when you need the bios password to boot into DOS to run the brute force tool?
-
Zash
and you have 3 attempts before it just shuts down again
-
lovetox
yeah Zash thats a hard one
-
lovetox
but cant you flash a new bios or something?
-
moparisthebest
Zash, that becomes a screen capture + fake keyboard input exercise :P
-
moparisthebest
I'm sure the FBI has something you can use
-
jonas’
lovetox, yeah, that was like 200 lines of python shelling out to cryptsetup luksOpen and checking the exit status
-
jonas’
fun fact, I got the exit status check wrong the first time, which made it brute force the entire possible corpus claiming failure
-
jonas’
ask me how I managed to not go crazy
-
Zash
declare it a loss or possibly a stationary desktop machine and buy a new laptop?
-
Zash
tho enabling all the paranoia options on something intended to be the travel laptop seemed sensible at the time
-
Sam
Bios passwords (normally? sometimes?) have a pin you can short to reset them. I've had to do that on my laptop in the past
-
Zash
Tamper detection wouldn't be very effective if that was possible
-
Sam
in my laptops case, tamper detection isn't very effective :)
-
Zash
All I could find was "not possible, you must replace the motherboard"
-
jonas’
I'm certain it is possible with sufficient determination. though that might involve de- and re-soldering some things :)
-
Martin
In the good ol' days unplugging the battery for a while solved everything. 🙂
-
nephele
I also have a laptop that says in its documentation that the only way to remove the bios password is to replace the mainboard... that kind of forces me to set one, just so nobody picks it up and sets one i /dont/ know
-
moparisthebest
now that's some good ransomware