Lesson learnt the hard way: Always store your passwords. Yes, do it securely, use a password manager, hide a piece of paper behind multiple protection mechanisms, but DO KEEP A BACKUP OF YOUR PASSWORDS

Long story short: I decided to store every 2FA revocation code as well as every PGP and SSH key of mine in a strongly (64 Argon2d rounds) encrypted KDBX v4. As you may have guessed, I forgot the password. I do remember it slightly, but with no luck. Have been trying to brute-force it for 6 hours...

There is a way to extract a hash from KeePass databases up to v3.1 and use Hashcat or John on them, which would save me tons of time. Apparently, similar stuff simply doesn't exist for KDBX v4 :(

After 6 hours of running my bodged Python code on ca. 5k possible combinations, I think it's time to give up and just regenerate my 2FA revocation keys. Luckily, PGP and SSH keys were there for backup and are also present on my machine.
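
The thread hinges on what work factor the database actually carries (64 Argon2d rounds here), and a KDBX 4 file states that in plaintext in its outer header. As an added example that is not code from the thread, from KeePass or from any cracking tool, the following Python walks the outer header and decodes the KdfParameters VariantDictionary to report the KDF and its parameters, which is the first thing to check before estimating whether a recovery attempt on your own database is feasible. The header layout, field types and KDF UUIDs follow the published KDBX 4 format as I know it; the sample header is constructed inline since no file from the thread is available.

```python
import struct
import uuid
# KDF identifiers as stored in the header (16 raw bytes, RFC 4122 order, per the KDBX 4 format)
KDF_NAMES = {"ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
             "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id",
             "c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF"}
DECODERS = {0x04: lambda b: struct.unpack("<I", b)[0],  # VariantDictionary types the KDF params use:
            0x05: lambda b: struct.unpack("<Q", b)[0], 0x42: bytes}  # u32, u64, byte array

def parse_variant_dictionary(data: bytes) -> dict:
    """u16 version, then entries (type u8, name len i32, name, value len i32, value); 0x00 ends."""
    pos, out = 2, {}  # skip the 2-byte dictionary version
    while data[pos] != 0x00:
        vtype, name_len = struct.unpack_from("<Bi", data, pos)
        name = data[pos + 5:pos + 5 + name_len].decode()
        val_len, = struct.unpack_from("<i", data, pos + 5 + name_len)
        pos += 9 + name_len  # value starts here; KeyError below on an unexpected value type
        out[name], pos = DECODERS[vtype](data[pos:pos + val_len]), pos + val_len
    return out

def kdf_settings(kdbx: bytes) -> dict:
    """Walk the outer header of a KDBX 4.x file and report the KDF and its work factors."""
    sig1, sig2, _minor, major = struct.unpack_from("<IIHH", kdbx, 0)
    if (sig1, sig2, major) != (0x9AA2D903, 0xB54BFB67, 4):
        raise ValueError("not a KDBX 4.x file")
    pos = 12
    while True:  # header fields: type u8, length u32 LE, data; type 0 is EndOfHeader
        ftype, flen = struct.unpack_from("<BI", kdbx, pos)
        fdata, pos = kdbx[pos + 5:pos + 5 + flen], pos + 5 + flen
        if ftype in (0, 11): break  # 11 = KdfParameters
    if ftype == 0:
        raise ValueError("header ended without KDF parameters")
    p = parse_variant_dictionary(fdata)
    name = KDF_NAMES.get(str(uuid.UUID(bytes=p["$UUID"])), "unknown")
    # I = Argon2 passes (what the thread calls rounds) or R = AES-KDF rounds; M is in bytes
    return {"kdf": name, "iterations": p.get("I", p.get("R")),
            "memory_mib": p.get("M", 0) >> 20, "parallelism": p.get("P")}

def build_sample_header(kdf_uuid: str, entries: list) -> bytes:
    # Constructed test input: a minimal KDBX 4.0 outer header carrying the given KDF parameters
    items = [(0x42, b"$UUID", uuid.UUID(kdf_uuid).bytes)] + entries
    vd = struct.pack("<H", 0x0100) + b"".join(
        struct.pack("<Bi", t, len(n)) + n + struct.pack("<i", len(v)) + v for t, n, v in items) + b"\x00"
    return (struct.pack("<IIHH", 0x9AA2D903, 0xB54BFB67, 0, 4) + struct.pack("<BII", 3, 4, 1)  # + CompressionFlags
            + struct.pack("<BI", 11, len(vd)) + vd + struct.pack("<BI", 0, 4) + b"\r\n\r\n")  # KDF params, end

# The thread's own setting, Argon2d with 64 passes; salt, memory and lane values are constructed
SAMPLE_KDBX = build_sample_header("ef636ddf-8c29-444b-91f7-a9a403e30a0c", [
    (0x42, b"S", b"\x11" * 32), (0x04, b"P", struct.pack("<I", 2)), (0x04, b"V", struct.pack("<I", 0x13)),
    (0x05, b"M", struct.pack("<Q", 64 * 2**20)), (0x05, b"I", struct.pack("<Q", 64))])
```

On a real file, pass the first few kilobytes read in binary mode to `kdf_settings`; the walker stops at the KdfParameters field, so the encrypted body is never touched.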

@NickKaramoff What do you mean keep a backup of the passwords, other than using a password manager then?

@huy_ngo well, for example, the password to the password manager itself 😁 you would want to either remember it or, to not repeat my mistake, write it down and keep it offline, like on a piece of paper stored safely at home, or on a USB drive, or something along those lines

@NickKaramoff @huy_ngo I write my password manager password in a notes app which is completely offline. And when someone sees it, they won't know what it is. But I know

@NickKaramoff another interesting approach is: have simple passwords, run them thru md5sum / sha1sum, and use that as the actual password.

Yeah, that is the part that is omitted in most of the preaching talks about 2FA and password managers...


Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.