jdev - 2021-12-31

  1. emus

    Zash: yes sure

  2. emus

    is there a collection site for all such projects?

  3. emus

    is there a collection site for all such projects?

  4. Zash

    Wiki maybe? If not, wiki it ☺️

  5. emus

    No, if not website it :/)

  6. emus

    No, if not website it :-)

  7. lovetox

    guys if you use a password manager, write your master password down on some paper and store it with your documents somewhere in your home

  8. lovetox

    i nearly had a meltdown today, when i woke up, type in my password which i typed in every day for the last years, and its wrong, then i think about it for a minute, and cant remember the fucking password anymore, its just gone.

  9. Zash

    fireproof safety deposit box?

  10. MattJ


  11. lovetox

    then i realize whats in that password manager, like everything, ssh keys, root passwords, passwords for every fucking device in my life, TOTP keys for all the sites, of course i activated 2FA Everywhere, so now even if i know the password i cant login anymore

  12. MattJ

    For a long time we told people not to write down passwords, but these days it's far less likely that your online accounts will be compromised by someone breaking into your home than forgotten, guessed or phished

  13. Zash

    lovetox, it doesn't happen to be lastpass? https://news.ycombinator.com/item?id=29705957 has been mentioned in a bunch of places

  14. lovetox

    no i dont use a online password manager, i have a keepass xc

  15. lovetox

    it took me the whole day calming down, just now i sit in front of the thing again, and i type and type per muscle memory, and suddenly i realize, im off one key to the right for the last letter

  16. Zash

    ah yes, the keyboard alignment error

  17. lovetox

    and then i found it, and im really happy, and i write my password now down, even think about exporting that content of the password manager to hard copy somewhere

  18. nephele

    I know that feeling of not "knowing" passwords, but only having them in muscle memory... I usually use quite complex passwords and only have them in something like a password manager to initially learn them :)

  19. pep.

    Also SSSS and also keep a part for yourself to make it slightly easier to get back? :/

  20. pep.

    So you handle the case you're incapacitated, be it that you're alive or dead :x

  21. lovetox

    my laptop is encrypted with LUKS, and the password is the same as to my password manager, i googled today the whole day how to crack LUKS encryption, and how to crack KeepassXC v4 database

  22. lovetox

    and of course i used the newest algos on everything

  23. lovetox

    its basically impossible right now :D

  24. Zash

    haha let me tell you about the BIOS supervisor password I thought was a good idea to set on the now 3 year old laptop I bought

  25. Zash

    and then never used again, until I thought I'd install the extra RAM I had bought, because it's got tamper protection and a built-in battery so you have to do stuff in bios to open it up

  26. Zash

    still can't remember it

  27. Zash

    and then I spilled one drop of water into the keyboard, which promptly broke just enough keys to prevent typing any password I could think of, *AND* the disk crypto password

  28. moparisthebest

    lovetox, haha yes good lesson, I had the same problem unlocking the LUKS partition on my server I rarely reboot

  29. moparisthebest

    turns out I can only type it correctly when sitting down, not standing up and hunching over, who knew ?

  30. jonas’

    lovetox, welcome back ;)

  31. jonas’

    I spent one afternoon this year brute-forcing my own LUKS password

  32. jonas’

    it was luckily an xkcd-horse-battery-staple-correct-style password, and I remembered three out of five words, so brute forcing it was even feasible

  33. jonas’

    otherwise.... that would've turned into a pretty terrible day

  34. lovetox

    yes, i had the same thought, i knew i was off by one or 2 keys

  35. lovetox

    i thought bruteforcing is the way to go

  36. lovetox

    but luks2 with kdf=argon2i or something like that

  37. jonas’

    among the forgotten words was the first one, so I couldn't trigger muscle memory

  38. lovetox

    its not really possible

  39. jonas’

    if you know enough bits, it is

  40. jonas’

    might just take a few dozen CPU-hours

  41. lovetox

    yeah but then i have to write the bruteforce myself

  42. lovetox

    the tools like hashcat, john the ripper, which are usually used

  43. lovetox

    all have no support right now for these new algos

  44. Zash

    how2 brute force bios password when you need the bios password to boot into DOS to run the brute force tool?

  45. Zash

    and you have 3 attempts before it just shuts down again

  46. lovetox

    yeah Zash thats a hard one

  47. lovetox

    but cant you flash a new bios or something?

  48. moparisthebest

    Zash, that becomes a screen capture + fake keyboard input exercise :P

  49. moparisthebest

    I'm sure the FBI has something you can use

  50. jonas’

    lovetox, yeah, that was like 200 lines of python shelling out to cryptsetup luksOpen and checking the exit status

  51. jonas’

    fun fact, I got the exit status check wrong the first time, which made it brute force the entire possible corpus claiming failure

  52. jonas’

    ask me how I managed to not go crazy

  53. Zash

    declare it a loss or possibly a stationary desktop machine and buy a new laptop?

  54. Zash

    tho enabling all the paranoia options on something intended to be the travel laptop seemed sensible at the time

  55. Sam

    Bios passwords (normally? sometimes?) have a pin you can short to reset them. I've had to do that on my laptop in the past

  56. Zash

    Tamper protection wouldn't be very effective if that was possible

  57. Zash

    Tamper detection wouldn't be very effective if that was possible

  58. Sam

    in my laptop's case, tamper detection isn't very effective :)

  59. Zash

    All I could find was "not possible, you must replace the motherboard"

  60. jonas’

    I'm certain it is possible with sufficient determination. though that might involve de- and re-soldering some things :)

  61. Martin

    In the good 'ol days unplugging the battery for a while solved everything. 🙂

  62. nephele

    I also have a laptop that says in its documentation that the only way to remove the bios password is to replace the mainboard... that kind of forces me to set one, just so nobody picks it up and sets one i /dont/ know

  63. moparisthebest

    now that's some good ransomware