Do You Trust Your Password Manager?

Can 2 people use a SIM card? If my cell is working, does not show "no service" can someone still steal your SIM? So, hacker calls my cell company, says cell lost, need a new phone or SIM. Cell company requires pass code. Hacker must know my address. I read that article and I'm confused. There are so many hurdles to overcome to get control of a SIM card.
 
Yesterday, my new reliance on Enpass got me again. Lena and I share our Kindle account, so when she needed to enter a password on her phone to read a book, I had to manually enter it.

It's very hard to enter a password like 7^%$j*9%$34^()776%% on a tiny phone.

1Password lets you share your passwords.
 
Yesterday, my new reliance on Enpass got me again. Lena and I share our Kindle account, so when she needed to enter a password on her phone to read a book, I had to manually enter it.

It's very hard to enter a password like 7^%$j*9%$34^()776%% on a tiny phone.


Sometimes, need generated passwords which are writable and not confusing. I suppose, not totally random but more human friendly.

The generator I use now has an option to avoid confusing characters. Also, here's a website I like that can produce writeable passwords:

https://passwordcreator.org/#great
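
What "avoid confusing characters" costs, as an added example that is not part of the original post: removing look-alike characters shrinks the alphabet, so the generator has to add length to keep the same strength. The look-alike set, the symbol list and the 80-bit target are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: characters commonly misread when copied by hand or retyped.
AMBIGUOUS = set("0O1lI5S2Z8B")
# Assumption: a symbol set most sites accept and most phone keyboards expose.
SYMBOLS = "!#$%&*+-=?@^_"

FULL = string.ascii_letters + string.digits + SYMBOLS
FRIENDLY = "".join(c for c in FULL if c not in AMBIGUOUS)


def bits_per_char(alphabet: str) -> float:
    """Entropy contributed by one uniformly chosen character."""
    return math.log2(len(set(alphabet)))


def length_for(alphabet: str, target_bits: int) -> int:
    """Shortest length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def generate(alphabet: str, target_bits: int = 80) -> str:
    """Uniform random password from a CSPRNG, sized for target_bits."""
    n = length_for(alphabet, target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    for name, alpha in (("full", FULL), ("friendly", FRIENDLY)):
        print(name, len(alpha), "chars,",
              round(bits_per_char(alpha), 2), "bits/char,",
              length_for(alpha, 80), "chars for 80 bits:",
              generate(alpha))
```

With these sets the writable alphabet needs one more character than the full one to reach the same target, which is a small price for a password that can be typed on a phone without errors.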
 
I may have been using it differently or it's different on Firefox. Here are the forms for LastPass and Enpass compared (for Firefox):

YEOf7ol.jpg


For Lastpass, the only way to copy the password was to choose to view it, select it, and copy it.

As for security, Enpass stores the passwords on my computer, if I understand it correctly. OTOH, it has a way of syncing to my phone via a file stored somewhere (I don't want to say where).

Oh! I see, I had the same issue in Firefox, I just don't use it often enough to notice. I did fix it by installing the binary, although I had to restart FF again because the first time LP was disabled.

I mean, Enpass sounds fine, but don't let this problem stop you from using LP, it's easy to fix!
 
If you have the LastPass plug in installed on Firefox, and you go to the web site in question then click the LP asterisk, there should be an option to copy the password to the clipboard without going in to edit the entry.
 
If you have the LastPass plug in installed on Firefox, and you go to the web site in question then click the LP asterisk, there should be an option to copy the password to the clipboard without going in to edit the entry.

Yeah, if I'd known that, I might not have switched. There were some other problems I had with LastPass.

What do you think of this article:

Stop Using Password Manager Browser Extensions.
 
I have been using LastPass for about 2 years now. In order to protect the possibility of LP going under, I export my passwords to an excel file on a thumb drive stored in our safe. I also password protect the excel file.

LP can be a little quirky but overall I feel safer with it than without...


...until I read this. UGH!
 
I'd much prefer a password manager I control locally on my computer. With the browser extensions, seems can't be sure what is happening in the background.

From that article:

An encrypted text file on your computer is safer than a browser extension password manager. Think of how it would be compromised: Someone would need to get at least user-level access to your computer and then either read it when it's temporarily unencrypted, or wait for you to unencrypt it. That cannot be done by efficient attackers at scale. And if they've compromised your machine, you have bigger things to worry about.
 
I’ve been using LastPass for about a year and a half now and am satisfied with it. It’s definitely preferable to my former plain text file on the computer!

I probably learned of LastPass here. I’ve also recently enabled and tested multifactor authentication (another thing mentioned here) and that gives me extra confidence.

I’ve thought about going Premium to help keep Logmein (the company) alive, but haven’t as it seems to have a large product line.

But: still haven’t added passwords yet for my banking and investment accounts. Going super slow on those, but even without there are around 100 passwords and secure notes I’ve entered. The latter are great for storing credit card numbers, exp dates, and security codes.
 
I've gone back to LastPass. Enpass had some disadvantages, and a new upgrade introduced bugs. I'll have to trust that security isn't that much worse with a web-based system.
 
I may have been using it differently or it's different on Firefox. Here are the forms for LastPass and Enpass compared (for Firefox):
<snip>
For Lastpass, the only way to copy the password was to choose to view it, select it, and copy it.

As for security, Enpass stores the passwords on my computer, if I understand it correctly. OTOH, it has a way of syncing to my phone via a file stored somewhere (I don't want to say where).
I've been using LastPass for many years. I'm a huge fan. I pay for the premium as I have so many sites/passwords. I also like the ability to 'share' (with/without visible password) with others like family members.

I mainly use Chrome but I do have Firefox as my backup.
Firefox does have a LastPass add-in. It seems to work like my Chrome one.
HRGEKko.jpg
 
I mainly use Chrome but I do have Firefox as my backup.
Firefox does have a LastPass add-in. It seems to work like my Chrome one.
HRGEKko.jpg

LastPass works with Safari too. As I've slowly added more passwords and notes to my vault, I've gotten more comfortable with its user interface and don't mind it. Seems I use it more and more frequently. I've added two-factor authentication and use LastPass' authenticator.

It's a far better solution than collecting usernames and passwords in a text file! If I understand the security approach correctly, your vault does not exist on LastPass' servers or on the network in an unencrypted form at any time. I think that's true with your master password as well.
 
I would not use both the password manager and the LastPass authenticator with it. If they want to get into one's Last Pass account they should need to crack LastPass and some other separate company also, not just LastPass.
 
I would not use both the password manager and the LastPass authenticator with it. If they want to get into one's Last Pass account they should need to crack LastPass and some other separate company also, not just LastPass.


I’m good with it, but others may not be.
 
I would not use both the password manager and the LastPass authenticator with it. If they want to get into one's Last Pass account they should need to crack LastPass and some other separate company also, not just LastPass.

That's not how TOTP works. It's vulnerable when the account is being set up, but after that they would have to use a man-in-the-middle attack to get the code. LastPass staff can't possibly access your one-time codes even if they were so inclined.
 
Image below is from the bottom of the www.lastpass.com website page.

I also use LastPass on my Android based phone (Pixel 2XL) to fill in passwords on some applications I use. It has fingerprint authorization which I love.

GD4HS7W.jpg
 
That's not how TOTP works. It's vulnerable when the account is being set up, but after that they would have to use a man-in-the-middle attack to get the code. LastPass staff can't possibly access your one-time codes even if they were so inclined.

I use LastPass and its authenticator and never have to enter a code, even though I’m sure it does generate one. If I access LastPass on my MacBook it will need authentication every 30 days and when I run the authenticator on my iPhone I simply have to first use my fingerprint and then touch the green checkmark box and LastPass on my MacBook accepts the verification and continues as if I had typed in a code.
 
I use LastPass and its authenticator and never have to enter a code, even though I’m sure it does generate one. If I access LastPass on my MacBook it will need authentication every 30 days and when I run the authenticator on my iPhone I simply have to first use my fingerprint and then touch the green checkmark box and LastPass on my MacBook accepts the verification and continues as if I had typed in a code.

Great comment. Youtube video on what you are talking about.

[update]Not sure this works for me tho. I didn't see how I could use it on both my phone and my wife's phone as we share the same lastpass acct and log into it from multiple computers. Plus my kid needs access in case we both die (plane, car crash, etc). Need to research.[/update]


LastPass page with links to phone apps:
https://lastpass.com/auth/
 
Image below is from the bottom of the www.lastpass.com website page.

I also use LastPass on my Android based phone (Pixel 2XL) to fill in passwords on some applications I use. It has fingerprint authorization which I love.

GD4HS7W.jpg
Can you use touch ID on a Macbook that has a reader?
 
I just started using Authy, which uses the same algos as Google Auth, so that is what I can pick under LastPass. It works for multiple devices (phone, chrome, native desktop, tablet, etc) and can work with your spouse and executor as an example.

See 'FAQ' https://support.authy.com/hc/en-us

3gKNCFB.jpg
 
LastPass on Android has been popping a toast saying "Decrypting Sites" *before* I type my master password. Ever since Logmein bought them, I've been planning on leaving, but too lazy.
 
It's a far better solution than collecting usernames and passwords in a text file! If I understand the security approach correctly, your vault does not exist on LastPass' servers or on the network in an unencrypted form at any time. I think that's true with your master password as well.
It used to be the only place your master password was stored was in your head. From early on, they had a default one time password set up so they could offer password recovery to bozos who forgot their master password. That meant that if LastPass was hacked, your vault could be opened. But I turned that password recovery off. That meant I could feel ok about my vault being stored on LastPass servers. It had a long password that had a randomish segment.


This authenticator is convenient, but if you don't type your master password, then it, or OTPs associated with your vault, ARE stored and held by someone other than you. Those may be "well protected", but we all know how that usually works out.
 