Password Managers

So this brings up another issue. I’ve been following this thread with interest but I’m wondering, how do you actually use these managers? Things I’m wondering are like, do you have a program on each computer? Do you have to plug in a USB? What do you do to log in, do you bring up a program or does it know to log you in when you open the site? Just a general, how does this work or a link to a how to would be great.

PWSafe... Go to login page of a website, open PWSafe, enter master password, go to entry for website, copy & paste userID then password over to website. Done.

I only run it on our main desktop PC and my Android device. PWSafe uses no cloud storage. So in order to keep the two devices in sync, I manually copy the database file from the desktop PC to the Android device as needed. I never make changes or additions using the Android version.

When I'm setting up a new account at a website, the first thing I do is open PWSafe and set up a new entry for that site with randomly-generated userID and password. Then I just copy & paste that over to the new website account set up page.
 
Safe or not, I use a simple Android APP called aWallet. I seldom, if ever, use my phone for entering my financial sites. I activate 2FA and use my laptop for checking those accounts. None of my sites are accessed directly from the aWallet. It simply stores the passwords for me to manually enter when required. I'm not terribly concerned about somebody hacking into my E-R and other social website credentials. DW has her own aWallet on her phone with her own passwords. However, the password to get into her and my aWallet are both the same. That way we both could get the other's passwords if the necessity arises. Nothing is 100% perfect.

Question on 2FA: Aren't the 1 time passcodes typically only valid for a short time, maybe 1-5 minutes? I can't imagine a case where I use that code and then space out for the next 15 minutes before entering that 2FA code. I also wonder if you log in using that code, that code has now been used and somebody else after that could not use the same code? It would only be logical with the term "1-time passcode"
 
Try Again, Love KeyPass!

Who would have thought that I needed a disclaimer? I may be old but not Senile, not yet at least. :)
 

Try Again, Love KeyPass!

Who would have thought that I needed a disclaimer? I may be old but not Senile, not yet at least. :)

I use KeyPass too. There is an option to show the passwords as "*********" but still have the ability to copy the real one to the clipboard.

ShokWaveRider likes to surf naked. :)
 
I use KeyPass too. There is an option to show the passwords as "*********" but still have the ability to copy the real one to the clipboard.

ShokWaveRider likes to surf naked. :)

I actually have that option set on mine, I disabled it and generated a random PW to show folks the feature "as a sample". I find it the best and easiest PW manager to use. I used to use a PW protected spreadsheet before KeyPass.
 
I actually have that option set on mine, I disabled it and generated a random PW to show folks the feature "as a sample". I find it the best and easiest PW manager to use. I used to use a PW protected spreadsheet before KeyPass.
So you usually surf with your baggies on, but took them off as an exhibition to us. :)

OK, I'll stop the nonsense. I started using KeyPass over a decade ago. I like it. I never got on the LastPass bandwagon and just stuck with KeyPass.

Like you, most of my passwords are generated and at least 12 chars long. I cannot recite them.

The language of the Vanguard policy disturbs me, though.
 
I don't think I get too many of these SMS text messages but there are 2 areas of safety I can think of:
1) Have a good phone such as an iPhone with faceID
2) Make sure you have a strongish password with your phone service. Not a dumb password with them like "1234"

For Vanguard I only have them do 2FA if logging in from an unknown computer i.e. not my home PC.
+1 for me, but I use 2FA always, cell and home computer. I always delete the 2FA # super fast. It deletes both cell and home c. Knowing a good hacker is like having a doctor or lawyer in the family. I am now paranoid of 2 things:
1. Are you safe if you delete the 2FA immediately or can they capture it upon log in. If you're using encrypted passwords, what good is a 2FA #?

2. I let our neighbors use our wireless network password. I realize I may be somewhat an idiot, as they are very computer savvy.
 
One thing I like about Lastpass and may be available on other PW managers is the ability to download a list of sites and passwords. I think I mentioned this before but I then save this to a flash drive in case something weird happens or I get locked out in some way.

Also there should be the capability to hold secure notes and even secure pictures. As an example of usage here, when we go on vacation out of the country especially, I update a picture of my Excel file page that has all the info on credit card numbers and phone contacts, etc. Another reason to have a good, secure smartphone.

Since I have so many sites saved I think moving from one PW manager to another would be a real pain. So choose wisely.

+1 for me, but I use 2FA always, cell and home computer. I always delete the 2FA # super fast. It deletes both cell and home c. Knowing a good hacker is like having a doctor or lawyer in the family. I am now paranoid of 2 things:
1. Are you safe if you delete the 2FA immediately or can they capture it upon log in. If you're using encrypted passwords, what good is a 2FA #?

2. I let our neighbors use our wireless network password. I realize I may be somewhat an idiot, as they are very computer savvy.

Hmmm.... Why out of curiosity?

If you are looking around for an excuse to give them to stop this, you could say something like "my Vanguard brokerage policy forces me to close all security holes in their agreement with me or I could lose if there is a breach". Or some such thing.
 
Hmmm.... Why out of curiosity?
They have access to our Wifi. Is it sort of like using Starbuck's Wifi? Easy for them to capture what I'm doing? I don't know. Feels like I gave them the password to our garage door. I do not understand what is hackable.
Edit: just saw your edit.
 
I just don’t take any known chances with security. Don’t know how to assess the risk for you.
 
They have access to our Wifi. Is it sort of like using Starbuck's Wifi? Easy for them to capture what I'm doing? I don't know. Feels like I gave them the password to our garage door. I do not understand what is hackable.
Edit: just saw your edit.
Your risk level is beyond what many here would tolerate.

You've actually given an outsider their insider threat stature. Very poor security.
 
They have access to our Wifi. Is it sort of like using Starbuck's Wifi? Easy for them to capture what I'm doing? I don't know. Feels like I gave them the password to our garage door. I do not understand what is hackable.
Edit: just saw your edit.
What if they download illegal content like movies or worse on your account. I would change that immediately.
 
Your risk level is beyond what many here would tolerate.

You've actually given an outsider their insider threat stature. Very poor security.
What's the difference between neighbors using your Wifi and using public Wifi?
 
What's the difference between neighbors using your Wifi and using public Wifi?

YOU are responsible for what they DL and where they frequent.

Think about it, not that they would do any of these things.

1) Neighbor frequents Child Porn Sites
2) Neighbor frequents Terrorist Sites
3) Neighbor frequents sites that let you DL Illegal Movies etc.

Get the Picture?
 
What's the difference between neighbors using your Wifi and using public Wifi?

I think at a minimum you should have all your devices protected with strong passwords. A couple of years ago I noticed an unsecured wifi that clearly belonged to a neighbor. Connected to it just for kicks and logged in to their router (they never changed the default factory password). I jumped back off right away but it was scary to realize what I could have done to wreak havoc.
 
+1 for me, but I use 2FA always, cell and home computer. I always delete the 2FA # super fast. It deletes both cell and home c. Knowing a good hacker is like having a doctor or lawyer in the family. I am now paranoid of 2 things:
1. Are you safe if you delete the 2FA immediately or can they capture it upon log in. If you're using encrypted passwords, what good is a 2FA #?

2. I let our neighbors use our wireless network password. I realize I may be somewhat an idiot, as they are very computer savvy.


If your router isn't more than 5-10 years old, it should have the capability to set up guest networks, basically a completely separate wifi network on the same router. That, and enacting parental controls (keeping them from anything that might get the FBI investigating) would be a reasonable precaution, especially considering that you're doing them a favor.
 
If your router isn't more than 5-10 years old, it should have the capability to set up guest networks, basically a completely separate wifi network on the same router. That, and enacting parental controls (keeping them from anything that might get the FBI investigating) would be a reasonable precaution, especially considering that you're doing them a favor.

Router firmware updates are not at all clear for some manufacturers. Do they do it or let it languish? Because of this I recently replaced my 2012 router with a Google mesh router. Google does automatic firmware updates. Only took 2 units to cover a big house. It has a guest network too although I haven't used this yet with guests. Very pleased with the performance.
 
They have access to our Wifi. Is it sort of like using Starbuck's Wifi? Easy for them to capture what I'm doing? I don't know. Feels like I gave them the password to our garage door. I do not understand what is hackable.
Edit: just saw your edit.

Your risk level is beyond what many here would tolerate.

You've actually given an outsider their insider threat stature. Very poor security.

What's the difference between neighbors using your Wifi and using public Wifi?

Neighbors using Rianne's WiFi with Rianne-supplied login credentials:
- Rianne has violated terms of service with her ISP
- Rianne is liable for illegal activity of neighbors through her WiFi
- Neighbors have access to Rianne's devices and network and may find sensitive documents

Neighbors (or really anyone) using Public WiFi as Guest
- Neighbors are responsible for following any terms of service with the provider of the Public Wifi.
- Neighbor does not have access to other devices (such as devices of people sitting in Starbucks) if security is implemented and not breached
- Rianne is not in any way liable for what another may or may not do on the Public WiFi.

Responsibility about security is a very complicated subject. When you don't follow basic security, you're subject to a large amount of loss/liability.

For reference, if I give my company's wireless password to another individual inside or outside of my company, I am subject to termination.

I think a point of confusion for you is what exactly WiFi is and isn't. WiFi is a technology that can carry data. Your home WiFi is not something you carry to Starbucks. Starbucks WiFi is not something that you carry home.
 
Not clear if LastPass automatic injection of the password is allowed by VG. It is not in the browser but in the LastPass extension to Firefox in my case.

I am guessing they would see this as a security issue because if someone logs into the PC as you they can get at your accounts. Very unlikely on a home PC that is password protected I think and does not stay open when you walk away. But still VG may have an out if they are asked to make me whole.

Maybe I should call them about this?

Trying to answer my own question, I asked a VG rep about this. She said she was not a VG lawyer but that VG was looking for egregious violations of security. She thought that storing an encrypted password into a password manager would not count as a violation of policy because I was taking very cautious steps on security.

Admittedly this is a very very unlikely issue ... almost a non-issue. It would take someone breaking into one's PC, knowing how to get the Lastpass stored VG password, applying it at VG (cannot easily do this from a remote computer as per VG security options), and selling securities and moving the money to somewhere they control. That last step is not trivial either.
 
Trying to answer my own question, I asked a VG rep about this. She said she was not a VG lawyer but that VG was looking for egregious violations of security. She thought that storing an encrypted password into a password manager would not count as a violation of policy because I was taking very cautious steps on security.

Admittedly this is a very very unlikely issue ... almost a non-issue. It would take someone breaking into one's PC, knowing how to get the Lastpass stored VG password, applying it at VG (cannot easily do this from a remote computer as per VG security options), and selling securities and moving the money to somewhere they control. That last step is not trivial either.
Thanks for asking and doing homework for us!

I make sure to have all account changes and access attempts kick off notifications to both phone and email. Just in case someone gets on and changes something, I'll get notified. And hopefully with two methods of notify, they both can't be intercepted. Never say never, but very unlikely.
 