Passwords

[googily]

Quote:

Originally Posted by Trooper If I wanted to adopt this recommendation, would DW and I have separate login names/master passwords in our LastPass browser extensions? Or would we share a master password? Note: I am planning to get the Premium version of LastPass.

Yes, you should each have your own LastPass accounts.

As mentioned, you can easily share individual site logins with each other, and when you come to a login page at a site you both have accounts with, you'll just be able to choose which one to use, in case sometimes you log in with your own and sometimes with the spouse's.

I would also keep your master LastPass passwords somewhere (lockbox, in an unmarked envelope or some such) where the other can find it.

I think your choice of LastPass is an excellent one. Having the phone app that can automatically pop up and fill in passwords is great.

They do also have the Emergency Sharing stuff for your LastPass accounts, but DH and I didn't know about it so I can't really give any guidance on that. (It's the life-preserver icon.)

Have patience in getting everything set up and getting used to how it works--it's not a 10-minute undertaking. But it is so worth it.

[Trooper]

Quote:

Originally Posted by googily Yes, you should each have your own LastPass accounts.

Thanks. Does this mean we need to pay for 2 subscriptions?

[googily]

Quote:

Originally Posted by Trooper Thanks. Does this mean we need to pay for 2 subscriptions?

Yup.

[Trooper]

Bummer. Didn't know I would be on the hook for $48/yr. Wondering if separate free accounts would do the job?

[googily]

I thought it's only $12.99 a year? To me, it's totally worth it, but you can try the free version to start and then see if the premium extras are things you need or want.

[Trooper]

Went up to $24/yr in August. I may try the free, but I also have a Quick books app (non-web) that I would like to secure. I think I may need premium for that.

[ChiliPepr]

Quote:

Originally Posted by mpeirce Safari doesn't store passwords in cookies. It encrypts them in your iCloud Keychain. Not insecure at all.

Oh really?

iCloud Keychain encryption bug exposes iOS passwords, credit card numbers - TechRepublic

Quote:

A largely unreported iOS security flaw undermined iCloud's end-to-end encryption capability, and could have allowed attackers to steal passwords, credit cards, and any other information on file, according to security firm Longterm Security.

[mpeirce]

Sigh

Security is never final. It's a cat and mouse game. Even the best systems have vulnerabilities - just like all software has bugs.

Apple has a very good record of quickly responding to new security vulnerabilities and designs its systems with security in mind from the ground up.

It should be noted that the bug discussed at that link (CVE-2017-2448) was fixed in iOS 10.13 back in March.

As always, it pays to keep your software updated to keep up with the latest security fixes.

[jollystomper]

I use KeePass and keep the database in an encrypted file in both home and in safe deposit box. I use several different ids and passwords for sites. I won't give out the full algorithm for security purposes , but starting with easy to remember phrases with words from multiple languages, and applying some personal math rules, make them easy to remember and very difficult to crack.

[Totoro]

My system:

I have a "root", that one is not written down. It is pretty long, but it is the only one I have to remember.

Then I have a website specific addendum, for this forum it could be "ERF949!". Those I have written down.

Every password then is: <root><specific>. Benefits:

• Unique password for each site
• No risk in theft of passwords, they don't know the root
• No memorization issues
• Don't have to change the root .. ever
• No central "master password"

It ain't perfect, but it works pretty well. As a bonus, the <specific> part follows a certain formula format, so most of the time I don't even have to lookup that part either.

[jonat]

You do not need both users to have LastPass Premium to share passwords with only one user. I have Premium, my wife does not, and sharing works fine.

[TimeMeasure]

I'll put in a word here for 1Password as a password manager.

A recent Wirecutter article mentioned it and compared it with LastPass. My recollection is that it said (paraphrasing) that LastPass was the best value (functionality for money) for many people, but 1Password was the best in terms of overall functionality if you don't mind paying a little more.

1Password can be purchased either as a standalone product, or as a subscription model. I use the standalone product, and have been consistently impressed by it on multiple counts:

• Security - If you read about their approach to securing your passwords, it's very well thought out.
• Functionality - Ability to store not only passwords, but secure notes, etc. Easy synchronization between all devices - Windows, iPhone, etc. Generates secure passwords, etc.
• User interface - Very simple and easy to navigate. Easily logs into web sites in only a click or two.
• Customer service - Stellar. Responsive, knowledgeable, genuinely friendly and helpful. At most companies, you'd be lucky to get one out of those three. Have never experienced anything like it elsewhere.

I cannot remember, ever, being genuinely impressed enough by any software that I truly think it's great value for the money, and gladly pay for it - with the exception of 1Password (and maybe iOS although that comes bundled with Apple hardware). I have no affiliation with the company, just a very satisfied customer.

As a tangent -

What I haven't found yet, and would like to, is a good password escrow system. It would be very handy to find a third party software service which could store my passwords, yet not have access to them, but which would be able to provide, upon my death, a key to the executor of my estate which would then grant them access to my passwords. Still looking for that solution...

[jonat]

Quote:

Originally Posted by TimeMeasure IWhat I haven't found yet, and would like to, is a good password escrow system. It would be very handy to find a third party software service which could store my passwords, yet not have access to them, but which would be able to provide, upon my death, a key to the executor of my estate which would then grant them access to my passwords. Still looking for that solution...

LastPass has such a feature, called Emergency Access, and I think some other password managers do too.

[Trooper]

Quote:

Originally Posted by jonat You do not need both users to have LastPass Premium to share passwords with only one user. I have Premium, my wife does not, and sharing works fine.

Thanks Steve. Do you and your wife use the same user name and password? Or completely separate LastPass accounts?
Also, what do you find is the benefit of your having LastPass premium, as opposed to both having the 'free' version?

[jonat]

Quote:

Originally Posted by Trooper Thanks Steve. Do you and your wife use the same user name and password? Or completely separate LastPass accounts? Also, what do you find is the benefit of your having LastPass premium, as opposed to both having the 'free' version?

We have separate accounts. I bought into Premium back when it was the only way to have multi-device access, plus I used the "advanced two-factor authentication" methods. I'd keep it now because I like the added features, plus it gets more responsive support. I have no problems paying modest costs for software and services - when I was working for Megacorp I was a developer of commercial software. As it happens, I accidentally renewed LastPass for multiple years twice, so I am paid through 2024! (My wife uses a free account.)

If I were starting out today, I would still buy Premium. The service is well worth $2/mo for me.

[Scuba]

Quote:

Originally Posted by Totoro My system: I have a "root", that one is not written down. It is pretty long, but it is the only one I have to remember. Then I have a website specific addendum, for this forum it could be "ERF949!". Those I have written down. Every password then is: <root><specific>. Benefits: Unique password for each site No risk in theft of passwords, they don't know the root No memorization issues Don't have to change the root .. ever No central "master password" It ain't perfect, but it works pretty well. As a bonus, the <specific> part follows a certain formula format, so most of the time I don't even have to lookup that part either.

This seems like a good system to me. Thanks for sharing

[Scuba]

For those of you who use software to track/keep your passwords, what makes you comfortable that they can't be hacked. DH is a former IT guy and he prefers not to trust any third parties with our passwords. He also will not use the cloud.

[BeachOrCity]

Quote:

Originally Posted by Totoro My system: I have a "root", that one is not written down. It is pretty long, but it is the only one I have to remember. Then I have a website specific addendum, for this forum it could be "ERF949!". Those I have written down. Every password then is: <root><specific>. Benefits: Unique password for each site No risk in theft of passwords, they don't know the root No memorization issues Don't have to change the root .. ever No central "master password" It ain't perfect, but it works pretty well. As a bonus, the <specific> part follows a certain formula format, so most of the time I don't even have to lookup that part either.

Above method is dangerous. If any site you use is hacked your "root" is then known. Your "specific" follows a system and can thus be figured out.
I used to do something like this, but stopped.

Bottom line is a commercial password manager is needed these days.

[Trooper]

Quote:

Originally Posted by Scuba For those of you who use software to track/keep your passwords, what makes you comfortable that they can't be hacked. DH is a former IT guy and he prefers not to trust any third parties with our passwords. He also will not use the cloud.

It's a good question, and one I am struggling with as well. For us, the benefits of cloud storage seem to outweigh the risks. Keep in mind, however, that we have just decided to use a password manager for the first time, and a cloud-based one at that, so we don't have much experience.

Historically, we have been somewhat lax in our use of passwords -- fairly easy to crack, using the same ones across multiple sites etc. I see the use of an automated password manager as a way to force more discipline in our process, while greatly reducing the hack risk. Automation is the only way I can see to 1) generate and deploy the use of very strong passwords and 2)'remember' them without the use of a cheat sheet.

The above paragraph addresses the question: 'do I automate or not'? If yes, then there's the question of cloud versus local. Again here we felt the benefits outweighed the risks. If I use PC-based (local) software, then I have the risk of my PC crashing and potentially losing passwords forever. I also lose the ability to sync passwords across mobile devices and the ability to access my passwords from a computer that is not mine -- say when traveling or away from home. Keeping passwords in our wallets is not an option, both from a convenience and a security perspective.

That's my take. I've done a fair amount of research recently and for now that's where we stand. Should things change we'll readdress at that point.

[jonat]

When choosing a password manager, look for one that explicitly describes how your information is protected. For LastPass, as an example, your "vault" is AES-encrypted on your local device and LastPass does not have the decryption key. The only thing LastPass sees is the encrypted "blob". They also separately derive the encryption key and the authentication hash (what they look for before sending the vault "blob" to your device) so that the authentication hash can't be used to derive the encryption key.

Sure, I can envision scenarios where some malware on my computer intercepts passwords, but many of the alternatives end up reducing security by making it harder to have unique, strong passwords, reduce availability and usability across multiple devices, and increase the chance that you'll lose all your information. I make the choice to use a password manager that minimizes my risk and maximizes convenience.