Double-blind passwords


Explanation of Terms
Neither the user nor the password manager knows the full password for a service; both know only part of it: a password-manager-generated part + a user-defined part.

Example
Account #1
Password: %s4Lnf9&2U#!5n7fF!2B+myself
Account #2
Password: i!^c3g2*V9s&cAnz4E5&+myself

Prefixed or postfixed: either is fine, but you need to disable auto-login after padding, because you have to enter your own part as well in order for the password to be right.
The user-defined part must be simple, easy to remember and generic.

Reasons for doing this
Assume that some password manager breaks a promise, which may itself have been a lie: sneaking in a bad change, whether initiated or forced.
For example:
for more money
the CEO eats poisonous mushrooms and goes insane
the government puts a gun to his head

If someone trusted PG’s recommendation a few years ago and used strongbox…this year they look at it and are horrified that the service has been de-recommended and become unreliable and that it (strongbox) lied. (I don’t mean to blame PG; it’s not PG’s fault.) Password managers are the most important web services, as they contain all of one’s accounts. No one can guarantee that a particular manager won’t be the next strongbox.
Transparent, reliable, trusted is not the same as eternal.

2FA (TOTP, physical security key)
And 2FA: don’t put it in the same basket with passwords. Doesn’t that work?
Your password manager betrays you, data leaks, and your account becomes 1FA. Many accounts then need their passwords changed one by one. Some services don’t support 2FA, or only support cell phone numbers and SMS.

Any other suggestions or ideas from the forum folks?

Translation was used, so forgive me if the tone and expression is weird!


Isn’t this just salting your passwords? That’s what it reads like.

What am I missing here?


That’s not it; I mean the password manager doesn’t record the full password.
The password manager generates: abcd
The user writes: 1234
The full password is: abcd1234
where 1234 is not saved to the password manager.
1234 is fixed and unchanging; each password is followed by it.
This is done to prevent the password manager from breaking its promise.

I have been doing this for the last 2 years (almost). I was using an offline password manager and wanted to try out Proton Pass. I tried and liked their service but was paranoid, even though it is all e2ee. So, I changed every single password before importing, and now I complete all passwords with something that only I know in my mind. I have written that down somewhere safe, just for emergencies. The thing I am using to complete all my passwords is randomly generated crap that I put as my desktop password for many days, which helped me type it out fast and reliably. Now, I can type out 24 random characters pretty fast without any mistakes.

I don’t think this gives any significant security improvements, just peace to your paranoid mind. That’s all.

One more thing which is equally paranoid that I would like to share is my 2FA auth codes. Again, I shifted from an offline app to Ente Auth because of its e2ee syncing and sharing capabilities. My Ente Auth codes are numbered 1-100. For each online account, I have saved notes in the password manager which also have a number. With a mathematical operation on the number in the password manager, I get a resultant number which represents the correct TOTP code for that particular service. What I do with the password manager’s number to arrive at the corresponding TOTP number is not stored anywhere. This, again, adds a lot of friction, but I quickly got used to it and now it doesn’t bother me much, so I don’t feel the need to change the setup again.


Isn’t this just peppering? Pepper (cryptography) - Wikipedia


Yes, that would be a better way to put it. Now, I am certain that even if someone has phished me badly and has access to not only the password manager but also the authenticator, they still need two more things that are not there to use it adversely.

So what I understand for the 2FA codes is that you have not mentioned the service name in Ente but just a number, and that number with its name is stored in the password manager, correct? I think it might only be useful if you have more than 50 services stored, as in your case.

It’s easy to go over 50, just make up 100 fake ones that have nothing to do with any service.

You might be interested in SSS: Shamir's secret sharing - Wikipedia

Yes, I have over 100 codes; most of them are dummies. The password manager number for any service gives only half of it, and a mathematical operation (+, - or *) on that number gives the resultant number which stores the TOTP code for that service in Ente Auth.

All of what I mentioned is only useful if I am stupid in the future and give access to someone I don’t trust, and I would still be vulnerable like the rest if the servers of any service face a data breach.

But, how would I use it in case of online password manager and authenticator services?

Right, that’s what it means, but I personally don’t need to break it up into many parts, only two.
It’s easy to make a mistake if you split it up too much.

SSS accounts for this and lets you recreate the original text with only some of the many parts.
E.g. you can split a password into three parts but still only need any two to recover it.

It indeed is less useful in this case, but would be a more proper way to achieve your goal.

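As an added worked example of the Shamir's secret sharing suggestion made in this thread (example code, not from the thread or from any library), the snippet below splits a password into three shares such that any two recover it, and a single share reveals nothing about it. It treats the password as one integer in a prime field and uses Lagrange interpolation at x = 0; the field prime (2^521 - 1) and the sample password are assumptions chosen for the demo.

```python
import secrets

# Mersenne prime large enough to hold a password of up to 64 bytes as one integer.
PRIME = 2**521 - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate a polynomial with the given coefficients (constant term first)
    at x, modulo PRIME, using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, n: int, k: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares; any k of them reconstruct it.
    The secret is the constant term of a random degree-(k-1) polynomial;
    each share is a point (x, p(x)) with x = 1..n."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # Leading 0x01 marker preserves any leading zero bytes of the secret.
    s = int.from_bytes(b"\x01" + secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for this field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> bytes:
    """Lagrange interpolation at x = 0 over the prime field. With fewer than
    k distinct shares the result is a uniformly random field element, which
    is why a lone share leaks nothing."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME          # (0 - xj)
                den = den * (xi - xj) % PRIME      # (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    return raw[1:]  # strip the 0x01 marker


def any_two_of_three_recover(secret: bytes) -> bool:
    """Demo: 3 shares, threshold 2, every pair recovers, no single share does."""
    shares = split_secret(secret, n=3, k=2)
    pairs = [shares[:2], shares[1:], [shares[0], shares[2]]]
    return (all(recover_secret(p) == secret for p in pairs)
            and all(recover_secret([s]) != secret for s in shares))


if __name__ == "__main__":
    # Constructed sample password, matching the thread's abcd1234 example.
    print(any_two_of_three_recover(b"abcd1234"))  # True
```

In practice a share would go to the password manager, another to the user's memory or a written backup, and a third to a second device, so losing any one of them is recoverable; splitting into many parts only becomes error-prone if the threshold is set equal to the number of shares.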