Many many Passwords

Really, worrying about long and complex passwords is fighting the last war. I have read that 95% of exploits are due to users freely providing passwords to phishing sites. Complex passwords and password managers are no defense against that.

For phishing safety I use a lot of personal caution, an aggressive spam filter, and set the mail reader to not download remote content when opening a message. I also like Schwab's blanket indemnification against unauthorized account activity. (https://international.schwab.com/security-guarantee)

So far, so good.
 
For non-financial transaction websites I let my Apple software generate and keep those passwords. For financial sites I keep a little book for those usernames and passwords.

same here
 
As mentioned above, I am a 1password user.

Coincidentally, I went to log on to my electric company account this morning as the new bill was just issued. After entering my credentials via 1password I was greeted with the message that my password had expired and had to create a new one. 1password automatically offered suggestions until I got one that fit the site requirements so I told it to use that one. It automatically updated both the site and my entry in 1password with the new credentials which is also shared with DGF. Done in less than a minute.
 
How do you find the password software?

If you just use Apple it's built in.

Google also provides a built in password manager for Chrome and Android.

If you use multiple systems, there are a bunch of third party password managers.

PC Mag has a pretty good list to look at.

The NYT's Wirecutter recommends 1Password or Bitwarden.

I personally use Apple's built in password management. They recently added shared passwords so my DW and I are always up to date on important accounts that we both access.
 
I noticed there are a surprising number of people here who don't use password managers.

I'm curious why?
 
I use KeePassXC

Works on various OS platforms, as I use both Windows and Linux for financial stuff, etc.
I don't have it auto fill the username and password by choice.

Why I like it:
It stores the URL of the site for each entry as well as username and password, and it has a big space to store the questions and answers to the security questions, and any other info I want to add.
It's encrypted.
If I leave it open and power off the computer, when I turn on the computer it's back to encrypted and closed. Unlike when I used to use a spreadsheet that I encrypted, I'd sometimes forget to close it and it was out in the open to be seen.

I can take it on a thumbdrive when I travel. (I do encrypt this file and other stuff on the thumbdrive as well).
I don't need internet access to use it.
 
I've been using 1Password for over 15 years and never found anything to complain about. Lots to appreciate though. In addition to passwords, the ability to create secure notes about anything and store them in the same place is remarkably useful.

Family plan gives me my own vault, DW hers, and another shared one.

Syncing among devices is also instant and reliable.
 
I maintain copies of an encrypted Excel spreadsheet located on a local drive, iPhone, and iCloud. I never save passwords in any browser or password manager. I view this as a lower risk from hackers and third party data breaches. YMMV
 
A neighbor of mine walked out to the front of his house the other day. While he was there, someone went through his backdoor and took his PC, a tablet, a phone and a notepad with personal information. Since then, I have been trying to put my head around how to protect information without totally disabling my own free access. I have several computers, tablets and phones all connected to my internal router and my backup drives are external and not encrypted (xcopy type backups because of the ease of sharing the info). This seems hard to fix after-the-fact. It made me feel as if I needed to trash everything and start over clean.


I use external drives as well, but I encrypt my info.

I don't bother to encrypt my photos. So on the large drive I have an encrypted file/container of 1 GB and then my photos directory.

You could use VeraCrypt, URL: https://veracrypt.fr/en/Home.html

I took this URL right from the program so it's correct.

It can make containers that are encrypted and you just open/mount them and copy the files into them and then unmount the containers. They are treated like a drive at the time.
 
I noticed there are a surprising number of people here who don't use password managers.

I'm curious why?
I think the setup and use of a password manager scares some off. Others are completely against cloud. And some users are against subscription costs.

Security is not a prime consideration until it's too late, IMO.
 
Took a peek at my password manager. The count now is at 385 passwords. I don't actively use all the accounts though as could use some cleaning up but too lazy to do :).
 
... and took his PC, a tablet, a phone and a notepad with personal information.

Wow, this is why you don't write down passwords.

I keep my RoboForm master password sealed in an envelope in the safe. Wife will have it if I kick the bucket and everything is there. (FYI, I have nothing to hide, she can get into my phone & computer anytime)

RoboForm, like all pw programs probably, has a text area that I keep a bunch of notes in. Fully encrypted.
 
I rely solely on Apple’s keychain. It generates unique, complex passwords for all my sites that sync between all my Apple devices. I’m satisfied with the security; more so than a piece of paper or an unencrypted spreadsheet.

OTOH, I must say I’m glad dear old dad printed his out and left them in a notebook for after his death. As executor, I never could have found all his accounts, policies, bills, etc. without that list.
 
FYI, all these password managers only store encrypted information. They all have two factor authentication and you have to have your master pw to decode the saved passwords. I know with RoboForm if you lose the master password you are out of luck. No recovery process.
 
I noticed there are a surprising number of people here who don't use password managers.

I'm curious why?
A password manager is a hacker magnet. Trying to steal passwords on a retail basis is a low payoff activity. The ability to control a password manager gives the bad guys something they can sell -- for example, a bundle of 100 passwords to BOA, Fido, etc. accounts all gleaned from password managers.

Plus, I don't need one. I have only a few passwords I care about and my system for those is stored only in my head. I certainly have 100+ passwords that I don't care about, like the one to this site. So I don't take significant steps to protect those. Hence again no need for a password manager.
 
I am scared cold now, as a computer illiterate,
Some of these accounts are very old, I do not know how to go from here.

Should I use Google Password Manager, which I have used on occasion which fills the box?

How to correct these accounts first then I can pay for a password manager, which one to use?
I got this email in parenthesis below from Google. My investment & banking accounts are safe (I think) as the passwords are very different than the often repeated PW I have used at these other sites. I cannot even delete my accounts on these sites.


"Some of your saved passwords were found in a data breach from a site or app that you use. Your Google Account is not affected.

To secure your accounts, Google Password Manager recommends changing your passwords now.

Check passwords
You can also see security activity at"
 
Bitwarden works fine for me. 2FA with message to your cell phone is really great until your phone is lost or stolen then.. not so much.
 
Took a peek at my password manager. The count now is at 385 passwords. I don't actively use all the accounts though as could use some cleaning up but too lazy to do :).

I'm sure I have some unused sites or duplicates, but at 741 logins (not counting other secured notes, credit cards, identities, licenses, memberships, passports, etc.) I can't imagine trying to track all this manually.

After my brother and I began helping our Dad w/ his finances it quickly became obvious that his password system (writing down notes everywhere) wasn't working too well. At least now he is storing them in an Apple Notes document which is shared with me so I can easily access a site if he's changed passwords. I'd try to migrate him to 1Password but at 91 it's probably a bit late for that...
 
I am scared cold now, as a computer illiterate,
Some of these accounts are very old, I do not know how to go from here.

Should I use Google Password Manager, which I have used on occasion which fills the box?

How to correct these accounts first then I can pay for a password manager, which one to use?
I got this email in parenthesis below from Google. My investment & banking accounts are safe (I think) as the passwords are very different than the often repeated PW I have used at these other sites. I cannot even delete my accounts on these sites.


"Some of your saved passwords were found in a data breach from a site or app that you use. Your Google Account is not affected.

To secure your accounts, Google Password Manager recommends changing your passwords now.

Check passwords
You can also see security activity at"
That is a good thing. What has happened is that one or more of your accounts were compromised, or your data was stolen from Yahoo (as an example). Your data then becomes part of hacker data stores on the dark web.

You should make sure the stored passwords are not duplicates, or short, and easy to guess.

That warning may persist if your login ID remains the same.
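
Added example, not part of the post above: one way to run the check it recommends (duplicates, short, easy to guess) over a password manager's CSV export, offline and without printing any password. The column names, the 12-character threshold, the tiny common-password list and the sample rows are all assumptions constructed for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 12  # assumed threshold, not taken from the thread
COMMON = {"password", "123456", "qwerty", "letmein", "welcome1"}  # constructed list

# Constructed sample export; real exports differ per manager (assumed columns).
SAMPLE_EXPORT = """name,username,password
forum.example,pat@example.com,Sunshine1
shop.example,pat@example.com,Sunshine1
power.example,pat,qwerty
bank.example,pat-7f3k,vX9#mQ2!rT6@pL8zW4
news.example,pat@example.com,Sunshine1
"""

def audit(export_text, min_length=MIN_LENGTH):
    """Return {site: [findings]}; passwords themselves never appear in the result."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Group sites by a digest of the password so reuse can be reported
    # without carrying the plaintext around (in-memory grouping only).
    by_digest = defaultdict(list)
    for row in rows:
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        by_digest[digest].append(row["name"])
    findings = defaultdict(list)
    for row in rows:
        pw, site = row["password"], row["name"]
        digest = hashlib.sha256(pw.encode()).hexdigest()
        others = sorted(s for s in by_digest[digest] if s != site)
        if others:
            findings[site].append("reused on " + ", ".join(others))
        if len(pw) < min_length:
            findings[site].append(f"short ({len(pw)} < {min_length})")
        if pw.lower() in COMMON:
            findings[site].append("on common-password list")
    return dict(findings)

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_EXPORT).items():
        print(site, "->", "; ".join(issues))
```

An export file holds every password in plaintext, so it should be deleted as soon as the audit is done.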
 
A password manager is a hacker magnet. Trying to steal passwords on a retail basis is a low payoff activity. The ability to control a password manager gives the bad guys something they can sell -- for example, a bundle of 100 passwords to BOA, Fido, etc. accounts all gleaned from password managers.

Plus, I don't need one. I have only a few passwords I care about and my system for those is stored only in my head. I certainly have 100+ passwords that I don't care about, like the one to this site. So I don't take significant steps to protect those. Hence again no need for a password manager.

1Password encrypts all passwords before sync, so not even law enforcement can get your data from them. They *could* compel *you* to give them your master password, but it is hacker-proof at the server level. Nothing to steal but encrypted blobs.
 
On many sites my Login ID was my email
 
1Password is secure by design. Learn how 1Password encrypts your data, protects your privacy, and safeguards your information. https://support.1password.com/1password-security/
I admit, it does get very technical and difficult to understand. But my kid says it's the safest.

That doesn't mean other PMs are not acceptable for use.
 
On many sites my Login ID was my email
That was a general weakness, and sites should not allow it.

I use randomly generated IDs where the site permits.

So you understand <your_email_address> is on hacker sites, along with the password(s) that were spilled by Yahoo, USG, and numerous other sites.

After you change Login ID, you would change your password to something very secure.

I don't use Google Password Manager, or I could be more useful with suggestions. Sorry.
 