Long, Random Passwords Stored in Software
Old 12-30-2014, 09:33 AM   #21
Full time employment: Posting here.
 
Join Date: Apr 2006
Posts: 925
Quote:
Originally Posted by easysurfer View Post
My passwords are randomly generated and stored in a good password manager.
I use software to generate long, randomized passwords and store them.

My user IDs are also significantly different across most sites, especially anything related to my finances.

Two Open Source software tools that I can personally recommend for this purpose can be found at the following sites: KeePass Password Safe and Password Safe

If you go this route, backups of the files and using a pass phrase (master password) that is complex but which you have no real chance of forgetting are very important.
__________________
If there's one thing in my life that's missing; It's the time I spend alone
Sailing on the cool and bright clear waters; There's lots of those friendly people
Showin me ways to go; And I never want to lose your inspiration
CoolChange is offline

Old 12-30-2014, 10:39 AM   #22
Full time employment: Posting here.
 
Join Date: Sep 2012
Location: San Jose
Posts: 607
Quote:
Originally Posted by sengsational View Post
I also use LastPass. I like that it is not an advertising business model; you get the web version for free and pay 10 bucks a year if you want to use it on mobile devices. The encryption is all done locally in JavaScript, so what is saved on the LastPass servers is an encrypted blob that is pretty close to impossible for anyone to decrypt, including LastPass. I honestly only have memorized one password... Actually a pass phrase because longer is better...and that's my LastPass pass phrase. If you run with the browser plug-in, you authenticate with LastPass one time, and it populates user name and password when it "sees" a login page. It also recognizes when you do a password change and chunks the new password into its memory. You can download the blob so that you can have access to your passwords offline. It is not open source, but some smart folks have looked at the JavaScript code and also sniffed the traffic without finding anything suspect, so I trust it to keep my stuff safe.
+1

About six months ago, I realized I needed to have stronger passwords, and unique to each site, so I did a lot of research on password managers.

I was initially skeptical of LastPass' model of keeping a blob of data on their servers, but the more research I did, I felt comfortable that they couldn't decrypt it provided I use a strong enough pass phrase.

I've been very happy with it. There are a few sites that it has trouble logging into automatically, even though I'm pretty sure I've got the correct URL saved. But it's not a big deal, because I just select the ID/password from the already-populated list it presents (which only contains that site's credentials anyway, so only one entry to choose from) and then I log in no problem.

Even though I don't need the mobile part of it because I don't log into web sites from my phone, I'm tempted to subscribe anyway because I like the product, and some day I may want to incorporate a YubiKey for additional protection.
LoneAspen is offline
Old 12-30-2014, 10:49 AM   #23
Recycles dryer sheets
 
Join Date: Aug 2008
Location: Fairfield County, CT
Posts: 208
+1 on Keepass. Very simple and powerful.
bltkmt is offline
Old 12-30-2014, 10:51 AM   #24
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,686
I too use Lastpass on my desktop PC but NOT on mobile devices. Mobile devices seem to me to be less secure because (1) who wants to have a password on a smartphone when a call comes in? (2) one uses networks that are possibly insecure when on the road (3) more likely to have a tablet/smartphone/laptop stolen when on the road. If I did have Lastpass on my mobile device, I would just turn it on just to logon and then turn it off as the vault makes all your passwords visible (by clicking on the "eye" on a password in the entry form). Logging in on a cell phone connection probably is more secure than a hotel wifi.

If a person hacks into Lastpass, maybe via a keylogger, all your passwords are easily visible. Admittedly, this is a remote possibility. For that reason I do not have my financial sites or other critical sites on Lastpass.

Caveat: I'm no security expert ... just paranoid.
Lsbcal is offline
Old 12-30-2014, 11:00 AM   #25
Thinks s/he gets paid by the post
 
Join Date: Mar 2011
Posts: 3,702
Anyone use Chrome's "password manager"? It keeps your passwords and automatically enters them as needed/appropriate. Stored in the cloud and as long as nobody hacks your Google password, you're good. (or not?)
__________________
Living well is the best revenge!
Retired @ 52 in 2005
marko is offline
Old 12-30-2014, 11:14 AM   #26
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by Sunset View Post
I use keepass, it's like lastpass but not on the web.
So I don't worry that a web server will be hacked (it must be a big target).
The encrypted file is stored locally on my machine and I can copy it to a flash drive or other machine (laptop) to travel.
I only need to remember 1 password to open it and then have access to 100's of different usernames and passwords for the sites I visit.
I also own some domains, so I have unlimited email accounts for the sites that need you to use email for the username.
I forward all these disposable emails to a real email account so I can get reminders/spam.
+1
I read the debates on the BH forum regarding keepass vs. lastpass and decided I wasn't comfortable with lastpass as it's on the web. I know it's encrypted but my personal preference is to have it on my laptop. I personally swear by keepass.
Options is offline
Old 12-30-2014, 11:19 AM   #27
Thinks s/he gets paid by the post
 
Join Date: Dec 2012
Location: Georgia
Posts: 1,914
Quote:
Originally Posted by Lsbcal View Post
Mobile devices seem to me to be less secure because (1) who wants to have a password on a smartphone when a call comes in?
First, "mobile devices" encompasses more than just telephones. Second, LastPass has its own login separate from that of the mobile device, itself, so there is no LastPass-imposed password prompt simply to answer a phone call.
Quote:
Originally Posted by Lsbcal View Post
(2) one uses networks that are possibly insecure when on the road
Given the measures employed by LastPass, itself, any perceived difference in how "insecure" the networks possibly are, in the different contexts, is negligible. In other words, if public networks were "less" secure then home networks wouldn't be secure enough - but they are.
Quote:
Originally Posted by Lsbcal View Post
(3) more likely to have a tablet/smartphone/laptop stolen when on the road.
Ditto: The level of security that needed to be offered by LastPass had to be so high that the difference between having a device with your encrypted password blob on it stolen and not having that happen had to be negligible, or LastPass itself wouldn't be secure enough.

Quote:
Originally Posted by Lsbcal View Post
If I did have Lastpass on my mobile device, I would just turn it on just to logon and then turn it off
That's generally what many people do, as far as I know: They boot up LastPass as they're web surfing and using apps, and then shut it down. I have it set up to reprompt for a secondary (short) password each time a password is made available to me via password-specific paste, as well as every X minutes.

Quote:
Originally Posted by Lsbcal View Post
as the vault makes all your passwords visible (by clicking on the "eye" on a password in the entry form).
I have it set up such that that requires a re-entry of the full vault password every X minutes... I think 5 minutes.

Quote:
Originally Posted by Lsbcal View Post
Logging in on a cell phone connection probably is more secure then a hotel wifi.
Again, if there was actually a significant difference vis a vis LastPass in this regard, then LastPass wouldn't have been secure enough for any use.

I am far more concerned about my passport being stolen when I travel.
bUU is offline
Old 12-30-2014, 11:36 AM   #28
Thinks s/he gets paid by the post
 
Join Date: Jun 2013
Location: Coronado
Posts: 1,486
After researching all the available password managers for Mac/Apple, I settled on LastPass. Security reviews say it's very good, and I like it. While it's web-based, it doesn't pass actual password information to its servers since all the encryption happens locally on your machine. Thus, unless someone accesses my computer or tablet directly (i.e. by breaking into my house) and they have my LastPass master password, no one should have access to any of my password information. I have randomly generated passwords for all financial accounts, a few easier ones for various internet forums... all I have to do is remember my master password and all the info is available any time I need it. Frankly, I like not knowing a lot of my passwords by memory. It keeps me from checking financials at work, etc. My wife doesn't like that she doesn't know the passwords, but I'll convert her soon enough. :-)
__________________
"So we beat to our own drummer in the sun;
We ask for nobody's permission to run.
I just wanna live in a world like that;
Now I'm gonna live in a world like that!" - World Like That, O.A.R.
nash031 is offline
Old 12-30-2014, 11:45 AM   #29
Thinks s/he gets paid by the post
 
Join Date: Jun 2013
Location: Coronado
Posts: 1,486
Quote:
Originally Posted by bUU View Post
That's generally what many people do, as far as I know: They boot up LastPass as they're web surfing and using apps, and then shut it down. I have it set up to reprompt for a secondary (short) password each time a password is made available to me via password-specific paste, as well as every X minutes.

I have it set up such that that requires a re-entry of the full vault password every X minutes... I think 5 minutes.
At some point, worrying about some of this stuff borders on paranoia, but yes, I too close out LastPass on the rare occasion that I use it on a mobile device. I get the password, then close the program. Thus, to get my passwords from my phone or tablet, someone has to: (1) steal the mobile device; (2) know my PIN or mimic my fingerprint; (3) know my LastPass password.

At home, I suppose someone could use a keylogger to access my computer, if they can get on my network. That requires them to: (1) be close to my house (or inside it physically on the computer); (2) know and find my hidden network name; (3) break the WPA password; and (4) know/hack my LastPass master password.

At that point, it'd be easier for them to obtain my credit card information via radio intercept at a gas station, which has happened to me once and was easy to correct...

In any event, I get emails from my two most prominent financial institutions any time anyone accesses the accounts from anywhere except my home computer, so there's so much redundancy built in I don't lose sleep over it.

A lot of this security stuff is more about making yourself a hard target, not being the "hardest target". You don't have to be the fastest gazelle on the savannah, you just can't be the slowest.
__________________
"So we beat to our own drummer in the sun;
We ask for nobody's permission to run.
I just wanna live in a world like that;
Now I'm gonna live in a world like that!" - World Like That, O.A.R.
nash031 is offline
Old 12-30-2014, 11:56 AM   #30
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,686
Quote:
Originally Posted by bUU View Post
...

I have it set up such that that requires a re-entry of the full vault password every X minutes... I think 5 minutes.
...
Again, if there was actually a significant difference vis a vis LastPass in this regard, then LastPass wouldn't have been secure enough for any use.
...
I admit I've not used Lastpass on mobile and am perhaps misjudging it. I really didn't follow your use of LastPass on mobile. Could you explain it more fully?

Do you logon to Lastpass before connecting to a hotel wifi so the network does not see your Lastpass password entry? Or is it the case that the network cannot ever see your Lastpass entry as no keylogger can exist on your mobile device?

Again, I'm no security expert and along with many here I'm still learning and willing to learn new things.
Lsbcal is offline
Old 12-30-2014, 12:04 PM   #31
Thinks s/he gets paid by the post
 
Join Date: Dec 2012
Location: Georgia
Posts: 1,914
If someone could get a keylogger onto my tablet they could just as well keylog our brokerage passwords. Two passwords and they essentially have everything we own. Like I said, LastPass had to be so secure that the substantive difference between the standard scenario and your worst case scenario would be negligible.
bUU is offline
Old 12-30-2014, 12:06 PM   #32
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,686
Quote:
Originally Posted by nash031 View Post
At some point, worrying about some of this stuff borders on paranoia, but yes, I too close out LastPass on the rare occasion that I use it on a mobile device. I get the password, then close the program. Thus, to get my passwords from my phone or tablet, someone has to: (1) steal the mobile device; (2) know my PIN or mimic my fingerprint; (3) know my LastPass password.
...
Let's say you logon to a hotel wifi network. Have you entered the LastPass password before logging on? Do you use the same LastPass vault that you have for home use? Or do you employ maybe a LastPass vault that is more limited for travel use?

Just trying to understand best practices with this tool. I hope I'm not coming across as disapproving of anyone here.

Maybe I should be asking this stuff on the LastPass forum.
Lsbcal is offline
Old 12-30-2014, 12:14 PM   #33
Full time employment: Posting here.
 
Join Date: Jul 2011
Posts: 573
Quote:
Originally Posted by Sunset View Post
I use keepass, it's like lastpass but not on the web.
So I don't worry that a web server will be hacked (it must be a big target).
The encrypted file is stored locally on my machine and I can copy it to a flash drive or other machine (laptop) to travel.
I only need to remember 1 password to open it and then have access to 100's of different usernames and passwords for the sites I visit.
I also own some domains, so I have unlimited email accounts for the sites that need you to use email for the username.
I forward all these disposable emails to a real email account so I can get reminders/spam.
I use Keepass but store it on 2 thumb drives. One is for backup. I just purchased a wireless thumb drive for use on my tablet when travelling. My security adviser, SIL, says that it is best to connect and disconnect your passwords and not leave them on the hard drive, even Keepass. I find it to be fairly easy.

I just got the Yubikey, a Google product, that works with Lastpass and Chrome. It provides two factor authentication at point-of-use. Very convenient vs. the phone, for example. If you are using Lastpass it offers another level of protection. But as SIL says, it adds another level of protection at the front door but not the back. But, an improvement. Having said this, without the help of my SIL, I think I would have made my way to the cemetery before figuring out how to install it on my computer. Once set up, the two-factor is an easy click and go.
davef is offline
Old 12-30-2014, 12:14 PM   #34
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Lsbcal, I'd suggest searching the BH forum. They covered this stuff (including in depth debates regarding lastpass) ad nauseam when the heartbleed bug was all the rage.
Options is offline
Old 12-30-2014, 12:16 PM   #35
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Jun 2008
Posts: 7,888
Quote:
Originally Posted by CoolChange View Post
I use software to generate long, randomized passwords and store them.

My user IDs are also significantly different across most sites, especially anything related to my finances.

Two Open Source software tools that I can personally recommend for this purpose can be found at the following sites: KeePass Password Safe and Password Safe

If you go this route, backups of the files and using a pass phrase (master password) that is complex but which you have no real chance of forgetting are very important.
For extra safety, even parts of IDs can be randomly generated. For example, John Doe's id may be JDxxxx where xxxx are random numbers. All a copy/paste away with a good password keeper, so not much pain.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now
Old 12-30-2014, 12:29 PM   #36
Thinks s/he gets paid by the post
 
Join Date: Jun 2013
Location: Coronado
Posts: 1,486
Quote:
Originally Posted by Lsbcal View Post
Let's say you logon to a hotel wifi network. Have you entered the LastPass password before logging on? Do you use the same LastPass vault that you have for home use? Or do you employ maybe a LastPass vault that is more limited for travel use?

Just trying to understand best practices with this tool. I hope I'm not coming across as disapproving of anyone here.

Maybe I should be asking this stuff on the LastPass forum.
On the very rare occasion that I use it from my smartphone, it's usually to view a password for entry on some other device. I think I've actually used the vault once by copying the password and then pasting it into another app via the LP app option.

In order to access the vault, I entered my LastPass master password, yes. The vault wasn't any different than the one on my computer. Could someone put a keylogger on my phone? Sure, if I download some app that has one attached that no security expert already identified, or jailbreak my phone to allow installation of apps outside those that Apple signs. I think the possibility that someone could remotely install a keylogger on my smartphone is pretty remote without me doing something to allow it or them having a direct hack into the network, my phone, and my AppleID.

I rarely (I mean like once ever) access my financials - thus LastPass - from anywhere but home, and think that this likely mitigates what little risk there is. Again, not trying to make myself the fastest gazelle on the savannah, just trying not to be the slowest.
__________________
"So we beat to our own drummer in the sun;
We ask for nobody's permission to run.
I just wanna live in a world like that;
Now I'm gonna live in a world like that!" - World Like That, O.A.R.
nash031 is offline
Old 12-30-2014, 12:30 PM   #37
Confused about dryer sheets
 
Join Date: Dec 2014
Location: Springfield
Posts: 1
The best one is KeePass. I've tried a few as an IT guru over the years, but this by far is Free & Best: KeePass Password Safe
AntonioK is offline
Old 12-30-2014, 02:32 PM   #38
Thinks s/he gets paid by the post
 
Join Date: Jul 2005
Posts: 3,862
I use Keepass on Windows, Mac, Android, iPhone, and iPad between DW and myself. I'd use any of the major encrypted storage lockers, this one just worked best for me at the time I started using it. I have 454 accounts saved in it currently, including notes about the PIN to get my car radio working after disconnecting the battery, where the title to the car is located, all my credit/debit card info and any other important information that I'll never remember. I've had something like it since my first Palm Pilot.
Animorph is offline
Old 12-30-2014, 02:42 PM   #39
Thinks s/he gets paid by the post
 
Join Date: Oct 2010
Posts: 3,837
Quote:
Originally Posted by Lsbcal View Post
Let's say you logon to a hotel wifi network. Have you entered the LastPass password before logging on? Do you use the same LastPass vault that you have for home use? Or do you employ maybe a LastPass vault that is more limited for travel use?

Just trying to understand best practices with this tool. I hope I'm not coming across as disapproving of anyone here.

Maybe I should be asking this stuff on the LastPass forum.
You connect to an open wifi and go to a random web page then are redirected to the hotel's terms agreement page.

Now you have Internet access, and all of your non-encrypted traffic is sniffable.

You click on the LastPass plug-in that you had previously installed. JavaScript starts running on your local machine (no network traffic) and you get a password dialog. The password is used to decrypt your "vault" which is just a blob of truly random looking data; the only time it has meaning is when it is used with the correct password and correct algorithm. The blob can be on your local device, or can come down from the LastPass server. So what the bad guy sees while sniffing the connection is a blob of data from LastPass. No reasonable way for the bad guy to decrypt it. Your decrypted vault is only available locally and never goes over the network.

When you allow LastPass to enter a password into a non-encrypted web page, that, of course, would be sniffable, but that is out of the control of the password manager.

If you must use a machine in the hotel lobby, you almost can't do that safely, but LastPass offers a list of one time passwords that you can print out from a safe computer in advance. You enter the first unused one time password (you would presumably carry this list in your wallet for these kinds of emergencies), which would decrypt your vault. You never are prompted for your "keys to the kingdom" real LastPass master key. You grab the password for the site you must get to, quit LastPass (which securely wipes memory), use the site you needed to get to, then change your password on that site as soon as you get back to a secure computer.
sengsational is offline
Old 12-30-2014, 02:48 PM   #40
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Jun 2008
Posts: 7,888
I'm always looking for the ideal password manager. Was using MyPadlock (Windows only). But the password file got clobbered (thanks for backups and rollback software) after some Windows updates. I've used AnyPassword, Password Safe and right now like Password Corral (Windows only). It's sort of a mixture of geekish and simple at the same time. Plus, there's a hide password option which encrypts user names and passwords on screen -- great to avoid any rubbernecking.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now