Do You Trust Your Password Manager?

[Scuba]

Quote:

Originally Posted by aja8888 The answer to all my security questions is "banana". That keeps it simple. Like: Q. What was your first car? A. Banana etc. (it's really not banana)

Good idea!

[Fedup]

Quote:

Originally Posted by pjigar I have came across a security question in the past: Did you forgot your password? Can you guess the answer?

Banana?

[MBAustin]

I use 1Password for nearly all passwords except for a couple that I have memorized. For less important (non-financial) passwords I also keep them in Safari keychain so that they sync to my iPhone. The password for 1Password is a phrase of random short words with some other random stuff thrown in the middle. I do print out all of the passwords periodically and put a copy in our safe deposit box.

[braumeister]

^^^^^^
Exactly what I've done for many years.

[Willers]

I have a really ignorant question regarding these products. Don't you have one password that unlocks the password manager? If someone get that one password, do they get the keys to everything? Sorry if this is a dumb question, but I don;t have any experience with these.

[braumeister]

Quote:

Originally Posted by Willers I have a really ignorant question regarding these products. Don't you have one password that unlocks the password manager? If someone get that one password, do they get the keys to everything? Sorry if this is a dumb question, but I don;t have any experience with these.

Not a dumb question. The answer is that this is the beauty of the password manager -- you only have to memorize that one master password.

In my case, it would be practically impossible to guess, but easy for me to remember. DW also knows it, and it is written down and stored in the safe, as well as in the safe deposit box.

[easysurfer]

Quote:

Originally Posted by Willers I have a really ignorant question regarding these products. Don't you have one password that unlocks the password manager? If someone get that one password, do they get the keys to everything? Sorry if this is a dumb question, but I don;t have any experience with these.

Put another way, password manager is all the eggs in one basket. No password manager is eggs all over the place.

I'm for eggs in one basket with a well protected basket as the alternative is IMO, non manageable or carry it's own risks.

A good master password along with encryption of the password manager is that well protected basket .

[Rianne]

I trust my DH, but he leaves all his passwords neatly typed in a folder on his desk. I mentioned my niece and all her lovely (trustworthy) friends come over, spend the night sometimes. One click of their cell phone could take a picture of that neatly organized page and well...you know the rest. That's why for the most important websites we have voice activated pass codes and 2 step authentication. Then again, growing up, we left all the doors open, keys in the cars. Friends, relatives came and went as they pleased. That was 40 years ago. My car did get stolen, probably by someone who knew me, and police found it across town parked, in good condition.

[The Cosmic Avenger]

Quote:

Originally Posted by easysurfer Put another way, password manager is all the eggs in one basket. No password manager is eggs all over the place. I'm for eggs in one basket with a well protected basket as the alternative is IMO, non manageable or carry it's own risks. A good master password along with encryption of the password manager is that well protected basket .

Also, most of them, like Lastpass, let you set up two-factor authentication, which means either emailing or texting a code to a trusted email address or cell phone number, so that even if someone obtained your username and password, they couldn't get into your account. That's like having an armor-plated basket, IMO.

[Chuckanut]

Quote:

Originally Posted by aja8888 The answer to all my security questions is "banana". That keeps it simple. Like: Q. What was your first car? A. Banana etc. (it's really not banana)

Ugh. I can think of several reasons that is a mistake, including the fact that if just one site you do business with messes up and your data is lost to bad guys, they have the key to everything.

[Rianne]

Quote:

Originally Posted by Chuckanut Ugh. I can think of several reasons that is a mistake, including the fact that if just one site you do business with messes up and your data is lost to bad guys, they have the key to everything.

Yes, scrambling everything, even just a little, add cap, number, symbol and jumble up a phrase helps, i think. Misspelling words to the point of no return, phrases that make no sense. That's what l try to do. I have a fake name, fake b day, fake address in Facebook and I still got hacked. I had to shut down twice and my niece posts pictures of her kids, their school, the front of her house and posts little maps of where they went to dinner.

[Chuckanut]

Quote:

Originally Posted by Willers I have a really ignorant question regarding these products. Don't you have one password that unlocks the password manager? If someone get that one password, do they get the keys to everything? Sorry if this is a dumb question, but I don;t have any experience with these.

Yes, that is why you pick a weird password that is easy for you to remember but hard for others to guess.

You should also have 2nd factor authentication turned on. (I use a number generator app on my iPhone, codes sent to our phones are not secure) .

The password manager also notifies me whenever it is logged on via a previously unknown computer.

It's not perfect. Maybe when SQRL is actively used, I might go with that.

https://www.grc.com/sqrl/sqrl.htm

Quote:

A highly secure, comprehensive, easy-to-use replacement for usernames, passwords, reminders, one-time-code authenticators . . . and everything else.

[Willers]

Thanks everyone. I have a better understanding now. I've looked at these, but have never pulled the trigger. Maybe I'll give one a try.

[mpeirce]

One thing about password managers is that I really really hope there is a nice assortment of them rather than one dominant company for the foreseeable future.

When one gets hacked, and it's really only a matter of time before this happens, it's best if 80% of folks don't all use it.

[Alan]

Password manager or not, a very popular method of getting access to bank accounts is via social engineering so we are all trusting customer service people to keep our accounts secure, and those customer service people are not necessarily those in financial institutions as our accounts are usually associated with our email and phone numbers.

One example is the SIM card swap where thieves learn enough personal information to fool telephone customer service into getting your phone number assigned to their SIM and then phone your bank and get them to send validation codes to the phone number on record. I listened to someone being interviewed on how it happened to him. He noticed that he had “No Service” on his phone and started to inquire what was going on. In the hours it took for him to notice and for the phone company to disable his number his bank account had already had thousands transferred out.

What is SIM card fraud -- and how can you avoid it?

[walkinwood]

Quote:

Originally Posted by TromboneAl As time goes by, I go to more and more secure passwords. The next step would be to allow my password manager (EnPass, recommended over LastPass*) complete control to create passwords, fill them in, and store them. My worry is that a password like *^%#uyh*9076__&5$#@! would be trouble if EnPass ever died. Having 100 passwords like that would be worse. Does you give your password manager complete control? *I used to use LastPass, but found that EnPass lets me fill in a password with fewer clicks of the mouse. It has some other advantages as well.

I use LastPass and it generates and manages my passwords and has done so for a number of years now. I also use it to store other confidential information & form-fill data like credit cards for payment. I do use 2-factor authentication using the google authenticator.


It has trouble auto-filling some website logins & forms - most annoying for me is CapitalOne - but for the most part, it makes logging in easy & secure.

[TromboneAl]

Since posting this, enpass on my phone didn't work right, and I ended up having to enter a password like &*V6;9hhf manually. Couldn't copy and paste either.


That's what I was hoping to avoid.

[Tiger8693]

I also use 1Password. I really like making 1, memorable but extremely difficult PW to enter that program, and I then autogenerate all passwords for websites within that 1Password system. I have no clue what the PW's are for the individual websites, but if for some reason I fall, hit my head, and can't get into 1Password, it would be a pain but i can always go through the process of PW resets.

It seems fairly safe to me, so yes, I trust it.

[CoolRich59]

I use Dashlane but will be switching to LastPass. Except for my Yahoo email being hacked years ago, I’ve never had a problem with passwords.

My credit card, however, is another story. We just had our Chase Sapphire card compromised again. This must be at least the 5th time this card has been hacked. It’s pretty much an annual event.

[TromboneAl]

Quote:

Originally Posted by TromboneAl Since posting this, enpass on my phone didn't work right, and I ended up having to enter a password like &*V6;9hhf manually. Couldn't copy and paste either. That's what I was hoping to avoid.

I hadn't set up the syncing. This should no longer be a problem.