Passwords

Keepass on phone

Thanks Sunset. I do like the fact that KeePass runs locally, but unfortunately we don't do all of our 'surfing' from a single box. I understand that the PW data can be synced across multiple devices but kind of a headache. DW wants something simple, that runs across multiple devices (2 PCs, iPad, phone) and any other PC we may need to use while traveling for example. Also there's the risk of a PC crash that you don't have with cloud based solutions.

One day we'll all be sitting around the campfire saying "Remember when we had to actually use passwords to authenticate ourselves?" Can't wait :)

When I travel I like to use KeePass on my phone. I put a copy of the database on my phone for accessing my info on the road. If you wanted, you could sync your data using Dropbox or Google Drive. Might be good to call your database file something non distinct like recipe.ideas.doc
 
For those of you who use software to track/keep your passwords, what makes you comfortable that they can't be hacked. DH is a former IT guy and he prefers not to trust any third parties with our passwords. He also will not use the cloud.

What your DH says is true. However, ask him about insider threats. What is the strategy to prevent an insider from obtaining the password(s)?
 
Might be good to call your database file something non distinct like recipe.ideas.doc

Interesting. I have an encrypted file that I keep a number of private items in and I call it: "recipes". I wonder if that word comes to mind for this type of thing.

Guess that's getting changed this afternoon.
 
Interesting. I have an encrypted file that I keep a number of private items in and I call it: "recipes". I wonder if that word comes to mind for this type of thing.

Guess that's getting changed this afternoon.

Yeah, the recipes folder is always the first place to get looked at by hackers. How about "old work files" instead.
 
Is any password scheme foolproof? Certainly not!

Even keeping them in your head isn't really good enough if someone really wants to get yours. Someone who is very determined could break into your house and hide a camera that records your typing on your keyboard. I doubt they would bother to do that to me, but "they" certainly might for someone of high enough "value".

(And frankly, some people on this forum have high enough net worths to be worthy targets. It's not only state actors that are willing to go to these lengths)

Password managers are by far the best solution for "most people". They are pretty darn secure and are certainly way more secure than most people's schemes for generating and keeping track of passwords.

And pay attention, best practices change over time.
 
"sensitive passwords" will throw them off. They would never believe it.
 
I just installed the lastpass extension to my browser. Set up account, with strong master password. Entered details for a sample webpage.

Now, whenever I open my browser, the lastpass icon shows up, and I can log into the sample webpage without entering a password. Great. But ... this means anyone with access to my computer also has access to all my passwords.

Am I missing something here?
 
LastPass, by default, installs so that it "remembers your password". Do this:

- Click on the LastPass icon, select Preferences. On the General page, check the box "Automatically log out when all browsers are closed" (leave the text box blank), and also "Automatically log out after idle" (set its text box to 120 or some other limit you're comfortable with)
- Log out of LastPass (using the icon menu)
- Log in again, this time uncheck the "Remember Password" box
 
I also recommend that LastPass users set a “Security email” address to be one different from your LastPass account address and one for which you don’t need LastPass to access. This is used in circumstances when LastPass wants to make sure it is you making a request, most often if you log in from a computer not seen before it will ask for verification to that email address. If you also enable two-factor authentication (very highly recommended), you can disable that check, but the security email is used for other things as well.

Note that LastPass stores a local copy of your vault after you log in, so if you don’t have Internet access you can still get access to your passwords on that device. (This too can be disabled.)
 