Many many Passwords

All I know is my master password of the password manager(s).

Passwords are randomly generated. Seems to work well for me.

I'm actually more concerned about keyloggers stealing my keystrokes than my passwords getting guessed or brute-force attacked.
 
I've been using LastPass without issue for about five years now. I have 150-200 passwords and secure notes stored there. Makes my life a lot easier.

Ditto. Plus I use a fingerprint log on. No issues.
 
Could you explain how a bad guy can control a password manager? How do they gain control? ...

As I said below, they are getting into other sites, so if protection is so easy, why does any site with sensitive info get hacked? Why don't they all do this?

There are lots of things I can't explain. That doesn't mean that no one else can!


...

I don't trust my memory to remember complex and distinctly different passwords for my four bank accounts, my four credit cards, my two investment accounts, etc.

As I described below, with a complex but easily memorized (for you) keyword, it's easy to come up with an added phrase for each of those accounts.

IWT3O6as3dsbBG < sample keyword
It Was The 3rd of June (6) another sleepy (3-d's) dusty delta day, song by Bobbie Gentry

then add a phrase for each account ("--" is the keyword):

--$LBNK (Local Bank)
--!Bnkabc
--*BnkBCD
--%Bnkxyz

etc. And you can write those down, keep them in a file, whatever you want. I keep a paper copy in my wallet. They are useless w/o my memorized prefix.

-ERD50
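The scheme in the post above pairs one memorized secret with a short, writable label per account. The following is an added example, not part of the post and not anyone's real credentials, that builds the same kind of per-account table but mixes the secret and the label with HMAC-SHA256 instead of concatenating them. The memorized secret, the labels and the symbol set are assumptions made up for the demonstration. The one property that differs from plain concatenation is stated in the docstring: each output is a function of the secret, not a copy of it, so a password captured at one site does not hand over the shared prefix.

```python
import base64
import hashlib
import hmac

# Constructed example: one memorized secret plus a short per-account label,
# mixed with HMAC-SHA256 rather than by concatenation. The secret and labels
# are made up for illustration and are not anyone's real credentials.
MEMORIZED_SECRET = "IWT3O6as3dsbBG"   # stands in for the memorized keyword
SYMBOLS = "!@#$%^&*"                   # one of these is appended per site


def derive_site_password(secret: str, site_label: str, length: int = 16) -> str:
    """Derive a fixed-length password for one account from the memorized secret.

    HMAC is keyed with the secret and run over the per-account label, so:
      * the same (secret, label) pair always yields the same password, which
        is what lets the labels be written down on paper;
      * changing one character of either input changes the whole output;
      * the output is a function of the secret, not a copy of it, so a
        password captured at one site does not expose the shared prefix.
    """
    if length < 8:
        raise ValueError("length too short for a password")
    label = site_label.strip().lower()      # "LBNK" and " lbnk " are the same account
    digest = hmac.new(secret.encode("utf-8"), label.encode("utf-8"),
                      hashlib.sha256).digest()
    # Base64 packs the digest into printable characters; the trailing symbol
    # is picked by the last digest byte so sites that demand a special
    # character are satisfied without a hand-chosen suffix.
    body = base64.b64encode(digest).decode("ascii").rstrip("=")[: length - 1]
    return body + SYMBOLS[digest[-1] % len(SYMBOLS)]


def passwords_for(secret: str, labels) -> dict:
    """Build the per-account table (label -> password) the post describes keeping on paper."""
    return {label: derive_site_password(secret, label) for label in labels}


if __name__ == "__main__":
    for label, pw in passwords_for(MEMORIZED_SECRET, ["LBNK", "Bnkabc", "BnkBCD"]).items():
        print(f"{label:8s} {pw}")
```

The paper copy then holds only the labels; the table is regenerated from the memorized secret on any machine with this function, and regenerating it is the only way to get the passwords back, so losing the secret loses every account.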
 
Could you explain how a bad guy can control a password manager? How do they gain control?
One method would be to hack a vendor and steal a copy of the source code. First study it for back doors that the vendor may have already provided. That would be wonderful. Assuming no back doors, create one. Then Option 1 is to slip that modified code into the vendor's distribution mechanism and let him distribute it for you. This has happened more than once, but AFAIK not in the password manager space. Option 2 is to create and distribute a virus that finds users of the PWM and substitutes the modified code for the original.

I use 1Password and as far as I know the only ways for a bad guy to get at my passwords is if they are holding a gun to my head and commanding me to enter my master password and thus gain access to my account, or somehow they get lucky and can hack my master password, which is extremely unlikely since it is a combination of characters and numbers which form a mnemonic that only makes sense to me.
Your paradigm is too narrow. If I am a professional hacker the last thing I want to do is to hack individuals one at a time. Even if I am successful, my victim may not have anything worth stealing. I need volume in order to increase my chances of finding good stuff or to have enough victims that I can sell what I have stolen.

FWIW, I used to use your method which is pretty darn effective until you are traveling and want to check some credit card transactions or look at your credit card statement on your phone or tablet. Then you need to rely on your memory to recall a complex password.
No phone or tablet of mine has ever been used or will ever be used to access any of my financial accounts. It is somewhat of a mystery to me why anyone would have financial information on any hack prone & theft prone device carried when traveling. I can't conceive why I would ever need such a capability but if I did I would simply place a voice call to my rep at the institution.

I don't trust my memory to remember complex and distinctly different passwords for my four bank accounts, my four credit cards, my two investment accounts, etc.
Me neither but in my case I only have two logins: Schwab/Schwab Bank with debit card, where most of the money is and which has a strong guarantee against unauthorized access. Then one national megabank where I have my (only) credit card account, a HELOC with a zero balance and one other account with a couple hundred bucks.

That [Maginot Line] is an unfair comparison since the necessary skills are so wildly different. ...
Au contraire. The French built and fortified the Maginot Line to prevent the Germans from repeating their successful tactics in WWI. For WWII, the Germans invented the Blitzkrieg and attacked through Belgium, completely bypassing the Line. In this day and age, to concentrate on defense against individual password attacks is to build a line that no one will ever bother to attack.

... Of course nothing is perfect, and eventually criminals find a way around your defenses. ...
Exactly.
 
... why isn't everyone (of significance) doing this? Why are we ever hearing about compromised passwords at all? ...
Sometimes it happens, but IMO most of the buzz is in threads like this where no one has actually reported a compromised password and in paranoia-inducing communications from people who are selling password managers. I have read that 95% of exploits result from successful phishing expeditions, not compromised passwords.

That said, sometimes passwords get stolen. At DW's megabank the IT guys went a little crazy; pwds had to be changed monthly, pwds could not be reused, and pwd strength/complexity had to be evaluated as good. The result was DW and all of her troops had their current passwords on Post-It notes under their keyboards. I don't know that anything bad resulted from this crazy set of rules, but then I would not expect to.
 
I've been using Bitwarden and like it. Just don't forget your master password...

"It protects user passwords with 256-bit AES encryption, which makes it basically impossible for hackers to access the data on Bitwarden's servers. Bitwarden also has a zero-knowledge policy, so not even Bitwarden staff can access your data."
 
I will buy 1password & go from there to each website.

Fortunately these websites are inconsequential, non-important ones like Target, Carfax, Home Depot, etc.
Financial websites have different PWs & all have 2F authorization

Thank you so much for everybody's posts & support, I really appreciate it.
 
If someone captures your master password for 1Password, they would also require access to your installed app, browser with extension, and so on.

So, if they have my computer and my master password, and can crack my OS login, they would have access.

A detail that is missing, and I wouldn't think non-users of 1Password would understand this, is that with your master password and no access to your computer they will get nothing. This is because a secret key is involved.

Also, 1Password requires the secret key as well as a master password to install. So, if someone has the master password, secret key, and your vault they can get in. That's why MFA is important. One more layer for your security.

Of course nothing is perfect, and eventually criminals find a way around your defenses. That is one reason why I use 1Password. When a flaw is found in the wild, they address it ASAP.
Yes, as a 1Password user I know this, was wondering if OldShooter was aware of the secret Master Password that is unknown to 1Password. It is never stored on a server. It's written down or memorized by the user and entered into each PC, phone, or tablet. That's why I said the only way I can think that someone could get into my password vault is if they knew my Master Password, and they can't get at that unless I'm at the place where I keep it and are threatening me with physical harm. Alternatively, I suppose they could deconstruct my phone or tablet and somehow extract this encrypted information, but I guess individually hacking people is inefficient.

I just don't see a way for someone to easily get into my 1Password vault from a remote location.
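The two posts above turn on one design point: the vault is unlocked by a memorized password combined with a second, device-held secret key, and the server holds neither (the "zero-knowledge" description quoted earlier in the thread for Bitwarden makes a similar claim). The following is an added, simplified model of such a two-secret unlock, written for this thread; it is not 1Password's or Bitwarden's code. The salt size, iteration count, the HMAC standing in for HKDF, and the key-check verifier are all assumptions chosen to keep the demo quick. What it shows is the consequence the posters are arguing about: a stolen vault copy plus a guessable master password falls to a dictionary attack only when the attacker also has the secret key; without it the same wordlist finds nothing.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, simplified model of a "two-secret" vault unlock: an account
# password plus a device-held random secret key. Illustrative code only, not
# any vendor's implementation; parameters are chosen for a fast demo.
PBKDF2_ITERATIONS = 20_000
SECRET_KEY_BYTES = 16          # 128 bits of entropy the password lacks


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a low-entropy password with a high-entropy secret key.

    The password is stretched with PBKDF2; the secret key is mixed in through
    HMAC (standing in for HKDF). The halves are XORed, so the result is wrong
    if either input is wrong, and a password-only guess still faces the
    secret key's full entropy.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=32)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def create_vault(password: str, secret_key: bytes) -> dict:
    """Return what a sync server would store: a salt and a key-check value.

    The verifier lets a client confirm it derived the right key; the server
    never sees the password, the secret key, or the unlock key itself.
    """
    salt = os.urandom(16)
    key = derive_unlock_key(password, secret_key, salt)
    return {"salt": salt,
            "verifier": hmac.new(key, b"vault-key-check", hashlib.sha256).digest()}


def unlock(vault: dict, password: str, secret_key: bytes) -> bool:
    """True only when both the password and the secret key are right."""
    key = derive_unlock_key(password, secret_key, vault["salt"])
    candidate = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def offline_dictionary_attack(vault: dict, wordlist, secret_key: Optional[bytes]) -> Optional[str]:
    """Simulate an attacker holding a stolen vault copy and a wordlist.

    With the secret key (e.g. taken from the victim's own computer) the job
    reduces to guessing the password. Without it every password guess must
    be paired with an unknown 128-bit value; the simulation models that by
    pairing each guess with one fixed wrong key, which is as good as any.
    """
    sk_guess = secret_key if secret_key is not None else bytes(SECRET_KEY_BYTES)
    for word in wordlist:
        if unlock(vault, word, sk_guess):
            return word
    return None


if __name__ == "__main__":
    sk = os.urandom(SECRET_KEY_BYTES)
    vault = create_vault("correct horse", sk)
    words = ["password", "letmein", "correct horse", "hunter2"]
    print("with secret key:   ", offline_dictionary_attack(vault, words, sk))
    print("without secret key:", offline_dictionary_attack(vault, words, None))
```

This is also why the earlier remark that "they have my computer and my master password" is the winning combination holds in the model: the secret key lives on the enrolled device, so a stolen device plus the password supplies both inputs, and MFA is the remaining layer.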
 
... I just don't see a way for someone to easily get into my 1Password vault from a remote location.
Through a back door that they have managed to get into the 1Password code that you and a few hundred thousand other users are running. North Koreans, maybe. This is not science fiction; it has happened. For example: https://arstechnica.com/security/20...mping-out-in-cisco-routers-us-and-japan-warn/

Your paradigm is based on the idea that some black hat will attack your computer individually. Very unlikely IMO. Probability of a major payoff is too low.
 
Follow the adventures of Lastpass since they were breached several times.

It’s not pretty.

https://www.wired.com/story/lastpass-engineer-breach-security-roundup/

This does not mean you should not use a password manager. It means nothing is 100% absolutely safe. Take precautions. For example, an email or text message any time any change happens to your account or a transaction occurs. No matter how small.
 
Through a back door that they have managed to get into the 1Password code that you and a few hundred thousand other users are running. North Koreans, maybe. This is not science fiction; it has happened. For example: https://arstechnica.com/security/20...mping-out-in-cisco-routers-us-and-japan-warn/

Your paradigm is based on the idea that some black hat will attack your computer individually. Very unlikely IMO. Probability of a major payoff is too low.

Then what is your point? If they're not going to access my computer and therefore not getting to my password vault, what's the problem with using 1Password?
 
Then what is your point? If they're not going to access my computer and therefore not getting to my password vault, what's the problem with using 1Password?
Once their modified code has been substituted for the existing 1Password executable in your computer they can do anything they want. They aren't just accessing your computer -- they own it. Most likely they will copy all the urls with corresponding passwords into a file, encrypt it and upload to their mother ship. But they could just as easily (or in addition) encrypt everything on your computer for a ransomware attack.
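The post above describes a substituted executable. The one check a user can run against that before installing or updating is to compare the downloaded file's digest with the one the vendor publishes through a channel the attacker does not control (a signed release page, not the download server itself). The following is an added example written for this thread, not any vendor's tooling: it parses a `sha256sum`-style manifest and verifies a file against it, and its demo builds a genuine file and a one-byte-altered copy in a temporary directory to show the pass and the fail. The file name and contents are constructed; the manifest format is the standard `<hex digest>  <name>` line. The check is only as good as the manifest's provenance, which is exactly the supply-chain point the post is making.

```python
import hashlib
import hmac
import pathlib
import tempfile

# Constructed example: verify a downloaded installer against a SHA256SUMS-style
# manifest before running it. File names and digests are generated inside the
# demo; nothing here refers to a real vendor's release.


def sha256_file(path: pathlib.Path) -> str:
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse `<hex digest>  <filename>` lines as written by `sha256sum`.

    A leading '*' on the name marks binary mode and is dropped. Malformed
    lines raise instead of being skipped: a truncated or edited manifest
    should not quietly verify anything.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower() if len(parts) == 2 else ""
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        name = parts[1].strip()
        if name.startswith("*"):
            name = name[1:]
        entries[name] = digest
    return entries


def verify_download(path: pathlib.Path, manifest: dict) -> bool:
    """True only if the file is listed in the manifest and its digest matches.

    An unlisted file fails rather than passes, because "not in the manifest"
    is what a substituted installer looks like. compare_digest keeps the
    comparison constant-time.
    """
    expected = manifest.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> tuple:
    """Create a genuine file and a tampered copy; return both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = pathlib.Path(tmp) / "pwm-setup.exe"   # constructed name
        installer.write_bytes(b"MZ genuine installer bytes\n" * 100)
        manifest = parse_sha256sums(f"{sha256_file(installer)}  {installer.name}\n")
        genuine_ok = verify_download(installer, manifest)
        # Flip one byte: a trojaned build differs from the published one somewhere.
        data = bytearray(installer.read_bytes())
        data[10] ^= 0x01
        installer.write_bytes(bytes(data))
        tampered_ok = verify_download(installer, manifest)
        return genuine_ok, tampered_ok


if __name__ == "__main__":
    print("genuine verifies:", demo()[0], "| tampered verifies:", demo()[1])
```

On a desktop the same idea is what the OS code-signing check does automatically at install time; this manual form is for the case where the download itself is the thing you distrust.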
 
http://www.roboform.com
I use it on our PC, phones and tablet.

I've been using RoboForm for over 15 yrs with virtually no issues. It's one of the oldest and surprisingly one of the least expensive password managers. The auto-form fill feature which fills out online forms with one click is worth the price alone IMO. I'm on my laptop and phone quite a lot. Having this has saved me a ton of time over the years.

I see the premium version which syncs to all your devices has a pretty good deal going on right now. Buy a year for $23.88 and get 6 months free.

https://www.roboform.com/lp?frm=offer-everywhere-referral&refid=rfo_2206225
 
..

...... It is somewhat of a mystery to me why anyone would have financial information on any hack prone & theft prone device carried when traveling. I can't conceive why I would ever need such a capability but if I did I would simply place a voice call to my rep at the institution.

...

I agree carrying financial information while traveling is a risk, so I minimize it when I have to carry it by keeping it on a thumb drive, encrypted, inside an encrypted container and mixed in with many other useless files and photos.

I don't have any financial apps on my phones.

I find it pretty scary that you could phone up a rep from a foreign country, and he would follow your instructions.

Especially now with AI being able to mimic people's voices and the normal social hacker skill of knowing key points to your life for the security questions.
 
Spreadsheet on a thumb drive and a print out that I refer to, and pen and ink changes/new passwords between updates. Some app-only ones I just keep in my phone.

I thought I was the only one that did it that way :)
 
Then what is your point? If they're not going to access my computer and therefore not getting to my password vault, what's the problem with using 1Password?
This is the correct link if anyone is interested in the security incident at OKTA.

https://blog.1password.com/files/okta-incident/okta-incident-report.pdf

1Password filed an incident report based on OKTA connecting to 1Password. It's all explained in the post.

As described, this does not present problems for 1Password users. Keep in mind that companies are compelled to file security incident reports when something has happened. As mentioned several times, criminals and states are always trying to access targets all over the globe.

Since 1Password filed the report, and posted publicly, they are doing the right thing, IMO.

add: Okta Data Compromised Through Third-Party Vendor https://www.darkreading.com/remote-workforce/okta-employee-data-exposed-third-party-vendor
 
This is not a criticism, but, wow! Some of you appear to lead busy and complicated lives online. I got out my little notebook and counted. I have 18 active online accounts and only about 6 of those are what I would consider important.
 
This is not a criticism, but, wow! Some of you appear to lead busy and complicated lives online. I got out my little notebook and counted. I have 18 active online accounts and only about 6 of those are what I would consider important.
I have a large digital presence, yes. So does spouse and two children. Each has multiple devices.

After the USG spilled all of my personal details, learning about security seemed important...

I try to treat every login as critical. That way I have one set of guidelines to follow.
 
At least 90% of the places I go have passwords that are don't cares for me. So I often just use the name of the site as the password. Sometimes when they are fussy I'll append a couple of standard special characters like a pound and an ampersand or something.

Critical sites, like banks, get their own passwords built according to a system I have so they are always unique and never used any other place in my computer. My usernames for banks are also unique and never used any other place.

That really doesn't leave me with very much that I have to remember and pretty good security.
This is my process too. I let Chrome remember the passwords to these non-financially significant websites and I write down the unique passwords that I use for important URLs.

There are two other steps I take to try and protect myself online. First, I never use my Google or FB accounts to login to some other website. Okay sure, YouTube uses my Google account, but that's about it. If I'm buying something and there is a Guest checkout option, I usually use that. Otherwise, I just create an account and let Chrome remember it.

The second thing I do is I use a fake birthdate at any site that I think doesn't need to know my actual birthdate. Financial institutions, government websites, and healthcare providers generally get the real day, but anyone else gets the right month and year, but I make myself a few days younger! I'm much more worried about having my identity stolen than I am about someone getting my CC number from some random online web store.
 
I will buy 1password & go from there to each website.

Fortunately these websites are inconsequential, non-important ones like Target, Carfax, Home Depot, etc.
Financial websites have different PWs & all have 2F authorization

Thank you so much for everybody's posts & support, I really appreciate it.
One thing to mention is that you may see a conflict between Google and other browsers if you have allowed them to be password manager(s). So you'll have to turn that off in each browser, allowing 1Password to be *the password manager*.
 
Once their modified code has been substituted for the existing 1Password executable in your computer they can do anything they want. They aren't just accesing your computer -- they own it. Most likely they will copy all the urls with corresponding passwords into a file, encrypt it and upload to their mother ship. But the could just as easily (or in addition) encrypt everything on your computer for a ransomware attack.

If I'm understanding correctly you are saying someone will be able to hack into 1Password's internal programming code that runs their software stored on my computer, alter it slightly, and re-upload it to my computer. Also, my computer's antivirus will not detect this.

They will then be able to download my list of URL and associated passwords.

Is that it?

Or are you saying that some hacker will get access to 1Password's programming code from 1Password's servers, make some changes, upload the infected files, and somehow broadcast those changed files to hundreds of thousands of 1Password's users?

As far as anyone locking my files on my computer and demanding ransomware, well, that's why I back up everything important. I'd just say no to them, go buy another computer and spend a couple of days hassling with restoring my files and software.
 
This is the correct link if anyone is interested in the security incident at OKTA.

https://blog.1password.com/files/okta-incident/okta-incident-report.pdf

1Password filed an incident report based on OKTA connecting to 1Password. It's all explained in the post.

As described, this does not present problems for 1Password users. Keep in mind that companies are compelled to file security incident reports when something has happened. As mentioned several times, criminals and state are always trying to access targets all over the globe.

Since 1Password filed the report, and posted publicly, they are doing the right thing, IMO.

add: Okta Data Compromised Through Third-Party Vendor https://www.darkreading.com/remote-workforce/okta-employee-data-exposed-third-party-vendor

Thanks for posting this, it saved me a lot of Googling around to find it myself.
 
I have not seen a clear explanation of how a passkey that utilizes a four digit PIN is so secure. I must be missing something.
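The question above is a fair one, and the answer is that the PIN is not the secret the server relies on. The PIN is checked locally by the authenticator, which holds the credential's private key and refuses to use it until the PIN is right; the relying party only ever sees a signature over a fresh challenge, never the PIN. A four-digit PIN is defensible because the authenticator counts wrong attempts and locks itself, so the 10,000-PIN space cannot be searched, and a phished PIN is useless to anyone who does not also hold the device. The following is an added, simplified model of that arrangement written for this thread, not the code of any authenticator or of the WebAuthn/CTAP standards. It assumes a retry limit of 8 (the CTAP2 figure for consecutive bad PINs) and substitutes an HMAC key for the ECDSA key pair so it runs on the standard library; in a real device only the public half of the key ever leaves the authenticator, which the HMAC stand-in cannot show.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, simplified model of a PIN-gated passkey. Real authenticators
# hold an ECDSA private key and the relying party verifies with the public
# key; here one HMAC key stands in for the pair so the example needs only the
# standard library. The retry limit mirrors CTAP2's 8 consecutive bad PINs.
MAX_PIN_RETRIES = 8
PIN_KDF_ITERATIONS = 10_000    # assumption for the demo, not a device constant


class SimulatedAuthenticator:
    """The PIN unlocks use of a device-bound key; the PIN itself never leaves."""

    def __init__(self, pin: str):
        self._pin_salt = os.urandom(16)
        self._pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"),
                                             self._pin_salt, PIN_KDF_ITERATIONS)
        self._device_key = os.urandom(32)        # stands in for the private key
        self.retries_left = MAX_PIN_RETRIES

    def credential_public_part(self) -> bytes:
        """What the relying party stores at registration (stand-in for the public key)."""
        return self._device_key

    def sign(self, pin: str, challenge: bytes) -> Optional[bytes]:
        """Return an assertion over the challenge, or None if the PIN is wrong or the device is locked."""
        if self.retries_left == 0:
            return None                           # locked: needs a reset, not more guesses
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"),
                                        self._pin_salt, PIN_KDF_ITERATIONS)
        if not hmac.compare_digest(candidate, self._pin_hash):
            self.retries_left -= 1
            return None
        self.retries_left = MAX_PIN_RETRIES       # a correct PIN resets the counter
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


def relying_party_verify(stored_public_part: bytes, challenge: bytes, assertion: bytes) -> bool:
    """Server-side check: the assertion must be over this login's challenge, so it cannot be replayed."""
    expected = hmac.new(stored_public_part, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def brute_force_pin(auth: SimulatedAuthenticator, challenge: bytes) -> Optional[str]:
    """Attacker with the device in hand tries every 4-digit PIN; the device locks first."""
    for n in range(10_000):
        if auth.retries_left == 0:
            return None
        pin = f"{n:04d}"
        if auth.sign(pin, challenge) is not None:
            return pin
    return None


if __name__ == "__main__":
    device = SimulatedAuthenticator("4821")          # constructed PIN
    challenge = os.urandom(32)                       # issued by the relying party
    assertion = device.sign("4821", challenge)
    print("login verifies:", relying_party_verify(device.credential_public_part(), challenge, assertion))
    stolen = SimulatedAuthenticator("4821")
    print("brute force result:", brute_force_pin(stolen, challenge), "retries left:", stolen.retries_left)
```

The two outcomes worth noticing are that the server's stored value verifies a signature but cannot produce one, and that the brute-force loop ends after eight guesses with the device locked, which is what makes a short PIN acceptable in a way it never would be for a password sent to a server.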
 