Do You Trust Your Password Manager?

I have a really ignorant question regarding these products. Don't you have one password that unlocks the password manager? If someone gets that one password, do they get the keys to everything? Sorry if this is a dumb question, but I don't have any experience with these.

Not a dumb question. The answer is that this is the beauty of the password manager -- you only have to memorize that one master password.

In my case, it would be practically impossible to guess, but easy for me to remember. DW also knows it, and it is written down and stored in the safe, as well as in the safe deposit box.
 

Put another way, a password manager is all the eggs in one basket. No password manager is eggs all over the place.

I'm for eggs in one basket with a well-protected basket, as the alternative is, IMO, unmanageable or carries its own risks.

A good master password along with encryption of the password manager is that well protected basket :popcorn:.
 
I trust my DH, but he leaves all his passwords neatly typed in a folder on his desk. I mentioned my niece and all her lovely (trustworthy) friends come over, spend the night sometimes. One click of their cell phone could take a picture of that neatly organized page and well...you know the rest. That's why for the most important websites we have voice activated pass codes and 2 step authentication. Then again, growing up, we left all the doors open, keys in the cars. Friends, relatives came and went as they pleased. That was 40 years ago. My car did get stolen, probably by someone who knew me, and police found it across town parked, in good condition.
 

Also, most of them, like Lastpass, let you set up two-factor authentication, which means either emailing or texting a code to a trusted email address or cell phone number, so that even if someone obtained your username and password, they couldn't get into your account. That's like having an armor-plated basket, IMO. :D
 
The answer to all my security questions is "banana". That keeps it simple.

Like:

Q. What was your first car?

A. Banana

etc.

(it's really not banana)

Ugh. I can think of several reasons that is a mistake, including the fact that if just one site you do business with messes up and your data is lost to bad guys, they have the key to everything.
 
Yes, scrambling everything, even just a little, adding a cap, number, symbol and jumbling up a phrase helps, I think. Misspelling words to the point of no return, phrases that make no sense. That's what I try to do. I have a fake name, fake b-day, fake address in Facebook and I still got hacked. I had to shut down twice and my niece posts pictures of her kids, their school, the front of her house and posts little maps of where they went to dinner.
 

Yes, that is why you pick a weird password that is easy for you to remember but hard for others to guess.

You should also have 2nd factor authentication turned on. (I use a number generator app on my iPhone; codes sent to our phones are not secure.)

The password manager also notifies me whenever it is logged on via a previously unknown computer.

It's not perfect. Maybe when SQRL is actively used, I might go with that.

https://www.grc.com/sqrl/sqrl.htm

A highly secure, comprehensive, easy-to-use replacement
for usernames, passwords, reminders, one-time-code
authenticators . . . and everything else.
 
Thanks everyone. I have a better understanding now. I've looked at these, but have never pulled the trigger. Maybe I'll give one a try.
 
One thing about password managers is that I really really hope there is a nice assortment of them rather than one dominant company for the foreseeable future.

When one gets hacked, and it's really only a matter of time before this happens, it's best if 80% of folks don't all use it.
 
Password manager or not, a very popular method of getting access to bank accounts is via social engineering so we are all trusting customer service people to keep our accounts secure, and those customer service people are not necessarily those in financial institutions as our accounts are usually associated with our email and phone numbers.

One example is the SIM card swap where thieves learn enough personal information to fool telephone customer service into getting your phone number assigned to their SIM and then phone your bank and get them to send validation codes to the phone number on record. I listened to someone being interviewed on how it happened to him. He noticed that he had “No Service” on his phone and started to inquire what was going on. In the hours it took for him to notice and for the phone company to disable his number his bank account had already had thousands transferred out.

What is SIM card fraud -- and how can you avoid it?
 
As time goes by, I go to more and more secure passwords. The next step would be to allow my password manager (EnPass, recommended over LastPass*) complete control to create passwords, fill them in, and store them.

My worry is that a password like

*^%#uyh*9076__&5$#@!

would be trouble if EnPass ever died. Having 100 passwords like that would be worse.

Do you give your password manager complete control?

*I used to use LastPass, but found that EnPass lets me fill in a password with fewer clicks of the mouse. It has some other advantages as well.


I use LastPass and it generates and manages my passwords and has done so for a number of years now. I also use it to store other confidential information & form-fill data like credit cards for payment. I do use 2-factor authentication using the google authenticator.


It has trouble auto-filling some website logins & forms - most annoying for me is CapitalOne - but for the most part, it makes logging in easy & secure.
 
Since posting this, Enpass on my phone didn't work right, and I ended up having to enter a password like &*V6;:)9hhf manually. Couldn't copy and paste either.


That's what I was hoping to avoid.
 
I also use 1Password. I really like making one memorable but extremely difficult PW to enter that program, and I then autogenerate all passwords for websites within that 1Password system. I have no clue what the PWs are for the individual websites, but if for some reason I fall, hit my head, and can't get into 1Password, it would be a pain but I can always go through the process of PW resets.

It seems fairly safe to me, so yes, I trust it.
 
I use Dashlane but will be switching to LastPass. Except for my Yahoo email being hacked years ago, I’ve never had a problem with passwords.

My credit card, however, is another story. We just had our Chase Sapphire card compromised again. This must be at least the 5th time this card has been hacked. It’s pretty much an annual event. :mad:
 

I hadn't set up the syncing. This should no longer be a problem.
 
I switched from LastPass because some aspects of their interface were poorly designed.


For example, in LastPass, IIRC, if I wanted to copy and paste a password, I had to choose to edit that password record and manually select and copy the password to the clipboard. In addition to the inconvenience, that procedure made it more likely that I would inadvertently modify or delete the password (e.g. type Ctl-X by mistake).


With Enpass, there's a button to copy the password.


Also, there are some security advantages to Enpass.


Finally, they have responsive tech support.
 
Interesting. I am not familiar with Enpass. What is their advantage in security?

Also, I like responsive tech support. I am having an issue with my Sonos system and while they're still diagnosing the problem, it is nice to get timely responses and updates. I really hate being sent into a black hole wondering if anyone received my query or not.
 

I definitely have a Copy Password button in Chrome (MacOS and Windows), and a menu item for it on my Android phone (see screenshots). Their customer service isn't great...that's why I stopped paying for Premium, I wasn't getting any real help from their "support" staff, so I figured I'd just use it without their "Premium" support.

I'd be interested in hearing more about the differences in security. Does Enpass allow you to require two-factor authentication on unregistered devices, and alert you to logins from a geographic location different from those previously used, even with an authorized device? I appreciate those features of Lastpass, but I'm quite willing to switch if there's a good reason.
 
Attachments: Screenshot 2018-10-04 241.45.00.jpg, Screenshot 2018-10-04 14.32.56.png
I personally don't trust anyone but myself, and the executor of the will with my passwords. That's right, not even DW (wait she is executor).


Passwords are not safe. They weren't yesterday, and they aren't today. Multi Factor Authentication, now that I trust.
 
I'm a long-time user of PasswordSafe, probably dating back to around 2000. I trust it. No reason not to after almost 20 years. Seems to me that NOT using a password manager is a situation I would not trust. Plus it's so much more convenient than typing user IDs and passwords.

The master password is very long and complex but easy for me to remember and type quickly. DW knows it as well. There's a single printed copy of it in a rather obscure location with our important papers. I have the program installed on our main desktop PC, laptop, and my Android phone.

I use 2FA at whatever sites offer it. At Fidelity, I use VIP Access plus the voice recognition security for phone calls. All user IDs and passwords are very strong, 25-character strings generated by PasswordSafe. Same for all my answers to security questions, all of which are stored in PasswordSafe as well. So for example: In what school did you attend the 6th grade? Answer: h=vAU<c07gHz>9f?@(7EiO6vU. Occasionally, I encounter a site which is restricted to 20 characters, or prohibits certain symbols, so I have to modify. But that's becoming much less common.
 
I don't trust it completely, but I'm begrudgingly staying with LastPass for the time being. It was okay before getting snapped up by Logmein megacorp, but it's been getting buggier, in my eyes, since. Almost no sites "just work" with autopopulate any more. But I "need" it, since zero of my passwords are anything I could possibly remember (all autogenerated gibberish), and I log in from my computer and phone. LastPass' general scheme is "right", in that, if set up "properly"*, it would be impossible for an agent with all of LastPass' data to decrypt a user's vault, except through brute force. Or at least that used to be the case in the old days, to the extent we could believe what they said (LastPass is not open source). If I leave, it will be Keepass that takes over (which is open source).



It's not perfect. Maybe when SQRL is actively used, I might go with that.

https://www.grc.com/sqrl/sqrl.htm
We can only hope that one day this, or a scheme like it, gets adopted widely. Passwords suck. You can quote me on that.


* Not the default. If you can run any kind of "forgot password" routine, then an all-knowing agent can get the keys to the kingdom.
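The split the post above relies on, between a vault key that stays on the client and a login hash the server can check, as an added illustration that is not LastPass's or any product's code. The KDF parameters, the record layout and the escrow field are assumptions; the vault ciphertext itself is left as a placeholder, since a real product would encrypt it under the vault key with an AEAD such as AES-GCM.

```python
import hashlib
import hmac

ITERATIONS = 200_000   # assumed client-side KDF work factor; products pick their own
KEY_LEN = 32


def derive_vault_key(master_password: str, account_id: str) -> bytes:
    """Client only: slow KDF over the master password, salted with the account id.
    The result decrypts the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_id.lower().encode("utf-8"), ITERATIONS, KEY_LEN)


def client_login_proof(master_password: str, account_id: str) -> bytes:
    """One extra one-way step over the vault key. This is what the client sends at
    login, so the server can check the master password without ever holding the key."""
    vault_key = derive_vault_key(master_password, account_id)
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def enroll(master_password: str, account_id: str) -> dict:
    """Everything the server ends up storing for one account (assumed layout)."""
    return {
        "account_id": account_id,
        "auth_hash": client_login_proof(master_password, account_id),
        # placeholder: in a real product this is the vault encrypted under vault_key
        "vault_blob": b"<ciphertext encrypted under vault_key>",
        "escrowed_vault_key": None,   # set only if a provider-side recovery flow exists
    }


def server_verify(record: dict, presented_proof: bytes) -> bool:
    """Server side: constant-time compare of the stored and presented login hashes.
    Nothing here can recompute the vault key; the server never saw the password."""
    return hmac.compare_digest(record["auth_hash"], presented_proof)


def provider_can_reset_master(record: dict) -> bool:
    """A 'forgot master password' flow that restores vault access only works if the
    provider holds a copy of the vault key (or its equivalent). If that copy exists,
    anyone who obtains the provider's data holds the key as well."""
    return record["escrowed_vault_key"] is not None


def brute_force_guess_bound(charset_size: int, length: int) -> int:
    """Upper bound on master-password guesses for someone holding the server record;
    each guess costs a full ITERATIONS-round PBKDF2 run, which is the only brake."""
    return charset_size ** length
```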
 

I may have been using it differently or it's different on Firefox. Here are the forms for LastPass and Enpass compared (for Firefox):

[image: YEOf7ol.jpg, LastPass and Enpass forms compared]


For Lastpass, the only way to copy the password was to choose to view it, select it, and copy it.

As for security, Enpass stores the passwords on my computer, if I understand it correctly. OTOH, it has a way of syncing to my phone via a file stored somewhere (I don't want to say where).
 
Yesterday, my new reliance on Enpass got me again. Lena and I share our Kindle account, so when she needed to enter a password on her phone to read a book, I had to manually enter it.

It's very hard to enter a password like 7^%$j*9%$34^()776%% on a tiny phone.
 