lifehack: use IPv6 addresses as passwords: they have letters, numbers, special characters, can contain caps, and are long enough.

If you accidentally paste it somewhere no one will suspect a thing.

Bonushack: you can put a label in DNS as a password reminder!

@teunvink yeah, something like

mypaasword.example.com IN AAAA $IP

No one will suspect a thing

@teunvink and if, for some reason, you cannot log in: it's DNS!
@teunvink ah, I can remember IPv6 addresses badly enough already, and without this, passwords have a separate headspace.
@teunvink That's an... interesting idea 🤔. Especially since you can use the different spellings of IPv6 addresses to increase entropy 😏
@teunvink nice, and my password will be protected from tampering with thanks to DNSSEC and a dictionary attack is impossible thanks to NSEC3 💀
@teunvink I should store my passwords in a DNS resolver.
@teunvink
So you are saying I can use DNS as my password manager.
@Foxboron you can for sure, but I’m not saying you *should* 😉
@teunvink
I run my own authoritative dns server. I can have free backups now.
@Foxboron @teunvink I give it a week until someone implements this for real
@diazona @Foxboron @teunvink I mean you could secure it by encrypting the passwords. Of course then one password is keys to the kingdom unless you added like a TOTP to the encryption string - then you could reencrypt all the passwords every thirty seconds... I wonder how well that TTL will be respected 😁
@teunvink I've used UNIX command lines for passwords similarly in the past; I mean, who's going to suspect it when I accidentally type "sudo ls -lad /etc" into a Discord window?
@teunvink it is just a really big number
@teunvink If you use non-canonical forms, you even can hide it "securely" in your DNS zonefile.
@teunvink best advice i've seen all year =)

@teunvink Yeah, I guess that can work.

head -c 16 /dev/urandom | od -An -t x2 | sed -e 's,^ ,,' -e 's, ,:,g'

Although with putting it in DNS you'd have to watch out for zero-fills in generated form and stripped-zero in DNS.

So I'll stick with head -c 18 /dev/urandom | base64

@teunvink I had the same idea but with valid Linux commands. Somebody with a keylogger won't suspect it's a password.
@teunvink
Just make a bunch of local users corresponding to server logins, put their passwords in their .plans, and finger them. You can even pipe that into commands.

*Much* easier than dealing with IPv6.
@teunvink I mean I've used uuids as passwords before... Does that count?
@azonenberg @teunvink That's the Enterprise way.
@teunvink that is certainly one way to ensure wider diffusion 🙄
@teunvink won't you lose case info when storing it in DNS?
@guenther yes it probably would 🙂
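
Added example, not from any poster in the thread: a Python sketch of the zero-fill and case loss raised in the replies above. It assumes the value is stored as an AAAA record and printed back in compressed lowercase form; the function names and the 2001:db8:: sample spellings are constructed for illustration.

```python
import ipaddress

def aaaa_round_trip(text: str) -> str:
    """Text a DNS client would show after `text` is stored as an AAAA record.

    AAAA RDATA is just the 16 raw address bytes, so only those survive. The
    presentation form is regenerated on output (assumed here: RFC 5952
    compressed lowercase, which is what most tools print).
    """
    rdata = ipaddress.IPv6Address(text).packed  # what the zone actually holds
    return ipaddress.IPv6Address(rdata).compressed

def survives_dns(password: str) -> bool:
    """True only if the exact password string comes back from the record."""
    return aaaa_round_trip(password) == password

def zero_filled_from_bytes(raw: bytes) -> str:
    """Eight zero-filled hex groups, the same shape the od/sed pipeline emits."""
    return ":".join(raw[i:i + 2].hex() for i in range(0, 16, 2))

def collapsed(spellings):
    """Set of distinct values left once every spelling has been through DNS."""
    return {aaaa_round_trip(s) for s in spellings}

def zero_filled_survival_probability() -> float:
    """Chance a random zero-filled string round-trips unchanged: all eight
    groups need a non-zero leading nibble, i.e. (15/16)**8."""
    return (15 / 16) ** 8

# Constructed spellings of one address (documentation prefix 2001:db8::/32).
SPELLINGS = [
    "2001:db8::1",
    "2001:DB8::1",
    "2001:0db8:0000:0000:0000:0000:0000:0001",
    "2001:db8:0:0:0:0:0:1",
    "2001:0DB8::0001",
]

if __name__ == "__main__":
    for s in SPELLINGS:
        print(f"{s:42} -> {aaaa_round_trip(s):12} survives={survives_dns(s)}")
    print("distinct after DNS:", collapsed(SPELLINGS))
    print("zero-filled survival: %.3f" % zero_filled_survival_probability())
```

Every spelling collapses to the same 128-bit value, so case and zero-fill choices add nothing that the record can hand back.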
@teunvink @bert_hubert my sincere apologies if this was meant as a joke and I simply didn't get it. But especially the advice to publish the value of your own password—even if it looks like an inconspicuous IPv6 address—in a public database such as the DNS seems to me about as smart as investing your entire fortune in AI stocks. If you have trouble remembering your passwords, you should use more modern alternatives such as passkeys, or use a password manager.
@teunvink @leyrer feature request: can your password field just resolve the AAAA dns record? saves so much typing time!
@teunvink I actually use assembler code as passwords
@gunstick now you lost a piece of entropy ;)
@winfried I did not say which CPU. 😁
@teunvink RE-DNS People keep all weird stuff in TXT records

@teunvink

This whole thread is cursed. I approve.

#infosec

@teunvink
I use URLs as passwords sometimes for the same copy/paste reason
@bortzmeyer
Query: laptop.passwords.example.com - Google Public DNS

@teunvink

Bonushack2: many Chat clients will happily replace random parts of your „password“ with emojis and confuse even more

@bert_hubert

@teunvink Hidden in plain sight, Purloined Letter style, I like it.

Caveat: a lot of network admins won't recognize it as an IPv6 address because they don't know what it is.

@teunvink KeePassXC can be set up to clear the clipboard after some time (30s by default). So I haven't had this kind of accident in more than a decade now.