Use a Password Mgr? Which One? Like It?

... hackers have software that will test lots of sites with multiple iterations. Takes only a few seconds.
In theory, yes, but only if the sites permit an unlimited number of failed logins. No competently designed site, and certainly no bank, will do that. You can test this easily; make a few failed logins at your bank's site and see what happens. I think you will find your account locked and you will get a security warning email with instructions on how to proceed.

The place an exhaustive password attack is feasible is the lock codes on our phones and tablets. It would be boring, but manually running an exhaustive attack on a 4-digit unlock code is very feasible. 1111, 1112, 1113, etc.
 
In theory, yes, but only if the sites permit an unlimited number of failed logins. No competently designed site, and certainly no bank, will do that. You can test this easily; make a few failed logins at your bank's site and see what happens. I think you will find your account locked and you will get a security warning email with instructions on how to proceed.

The place an exhaustive password attack is feasible is the lock codes on our phones and tablets. It would be boring, but manually running an exhaustive attack on a 4-digit unlock code is very feasible. 1111, 1112, 1113, etc.
+1

I've been involved in many different audits, SEC, FDIC, internal.... and every last one asks you to prove the application doesn't allow unlimited logins before the ID is disabled. Besides the disabled profile there are numerous checks for reporting on repeatedly resetting profiles and other issues with them.
 
I like KeePass, which I don't think can be hacked, and my data file is on my USB rather than the internet, but I let my browser remember less important passwords and add good 2-factor for important sites.
 
I like KeePass, which I don't think can be hacked, and my data file is on my USB rather than the internet, but I let my browser remember less important passwords and add good 2-factor for important sites.
The holy grail for hackers is to hack the individual password manager code as installed on user's machines. Hacking the various mother ships is a means to that end, not an end in itself. Once such a user-level hack is successful, the owner can sell it in bundles, say 100 user packs. The buyers of those bundles can then begin surveying the users' devices looking for financial bookmarks or apps to exploit.
 
The holy grail for hackers is to hack the individual password manager code as installed on user's machines. Hacking the various mother ships is a means to that end, not an end in itself. Once such a user-level hack is successful, the owner can sell it in bundles, say 100 user packs. The buyers of those bundles can then begin surveying the users' devices looking for financial bookmarks or apps to exploit.

I thought encryption makes this difficult, but I guess not impossible, for hackers.
 
I thought encryption makes this difficult, but I guess not impossible, for hackers.
Assuming an encrypted password file, the user's client software must decrypt a password locally before it can be given to a site. So successfully hacking the client software makes this capability available to the hacker as well. That's the whole point of the hack.

... I'm no expert, but my oldest son is. He's a software engineer on Microsoft's security team and also spent 5 years with the NSA doing encryption work. He tells me that encrypted data can't be hacked without the encryption key, which would be on the user's device, not the vendor's servers. ...
While correct in locating the key, this post did make me smile. NSA is very successful in the business of cracking encrypted data without possessing the encryption key.
 
Assuming an encrypted password file, the user's client software must decrypt a password locally before it can be given to a site. So successfully hacking the client software makes this capability available to the hacker as well. That's the whole point of the hack.

....

This is no different than anybody's password, even one kept in their brain.
If a hacker can hack the client software, they can read the password as a person types it in when visiting a site.

So nobody is safe. :popcorn:
 
I doubt that anything encrypted was compromised. I'm no expert, but my oldest son is. He's a software engineer on Microsoft's security team and also spent 5 years with the NSA doing encryption work. He tells me that encrypted data can't be hacked without the encryption key, which would be on the user's device, not the vendor's servers. Regardless, it's troubling to see continued breaches.

Other than the NSA using publicly unknown back doors and OS defects, it is true that strongly encrypted passwords are safe for now.

The big danger is that hackers are saving the databases full of encrypted information, because at some point quantum computers will be developed enough to be usable. At that point, they will be able to solve/break many encrypted passwords in the blink of an eye.

Thankfully all my passwords are very unique and random as some are in databases that have been stolen/hacked/copied.
 
This is no different than anybody's password, even one kept in their brain.

If a hacker can hack the client software, they can read the password as a person types it in when visiting a site.



So nobody is safe. :popcorn:


Yep. In this case it’s actually safer to use a password manager since it autofills. No keystrokes to log.
 
Other than the NSA using publicly unknown back doors and OS defects, it is true that strongly encrypted passwords are safe for now.

The big danger is that hackers are saving the databases full of encrypted information, because at some point quantum computers will be developed enough to be usable. At that point, they will be able to solve/break many encrypted passwords in the blink of an eye.

Thankfully all my passwords are very unique and random as some are in databases that have been stolen/hacked/copied.

That assumes the passwords never change, which is probably a good assumption for most people. But, the knowledgeable people on this site can make a point of changing at least all of their passwords that guard important personal and financial information. And companies can simply require a password change.

Here's another view of quantum computing from Steve Gibson.
https://www.grc.com/sn/sn-899-notes.pdf
KerryOnAnon @MrIndigo_
Hi Steve! Finally listening to the latest episode #898 and I started wondering, is quantum computing going to be just a faster way to guess passwords or is there another attack vector? In other words, is it just going to be a faster way to brute force attack passwords?

Interestingly enough, once we get quantum computing — assuming that we ever get quantum computing — it won't be any faster at brute forcing passwords. In fact, it would likely be far slower and vastly more expensive than conventional hardware-accelerated hash-based password brute forcing.

The important thing to understand here is that some of today's crypto, but only some of it, depends upon the traditional, time-proven difficulty of factoring a very large number into its two, half as large prime number components. That's it. That's all that the fervor surrounding quantum computing is about. The ability to do a couple of things quickly that are currently insurmountable. But it's only the asymmetric key crypto that quantum computing might be able to someday weaken. NONE of the other crypto that we also depend upon today will be affected. Symmetric key crypto, like our beloved AES ciphers or today's strong hashing algorithms, will not be affected at all. And won't need to be changed.
 
That assumes the passwords never change, which is probably a good assumption for most people. But, the knowledgeable people on this site can make a point of changing at least all of their passwords that guard important personal and financial information. And companies can simply require a password change.

..

I was going to mention this, how since my passwords are long and complex, I never bothered to change them as they are unbreakable (so far).

But now, I see the value in changing my financial passwords, and email passwords, etc.... so that the past 8 years of stolen database info of my passwords is out of date.

Maybe I need to change them every year or 6 months, I hate the thought of it as I'm so lazy...
 
The holy grail for hackers is to hack the individual password manager code as installed on user's machines. Hacking the various mother ships is a means to that end, not an end in itself. Once such a user-level hack is successful, the owner can sell it in bundles, say 100 user packs. The buyers of those bundles can then begin surveying the users' devices looking for financial bookmarks or apps to exploit.

So they would hack the individual copy of the encryption/password software on my pc rather than just trying to get the data file? I would like to know more about this.
 
So they would hack the individual copy of the encryption/password software on my pc rather than just trying to get the data file? I would like to know more about this.
Well, this is theoretical to the point, probably, of fantasy, but here's how I would try to be a bad guy:

1) Infect the user code because it is the user code that knows how to decrypt the password file. Easier said than done, of course.

2) Wait patiently until the user gave me his master password.

3) Decrypt the password file to obtain the URL/Password pairs.

4) Examine the password URLs to identify worthwhile targets like banks, brokerage firms, etc. Note that I don't have to be 100% accurate here; I might miss some but I don't care.

5) Encrypted email/VPN/send the targets list back to my mother ship.

Note that this is all hands-off. I might infect hundreds or thousands of user computers, then sell targets lists fifty or a hundred at a time to people who will exploit them.
 
There are so many password managers out there. They seem to be targeting the popular ones, and I use LastPass. Would a more obscure little-known manager be better? I wouldn't know how to transfer my accounts to, say, Bitwarden. Set up an account and one by one add all the accounts on LastPass to Bitwarden or another password manager.

What about two-factor authentication? Does that protect you?
 
There are so many password managers out there. They seem to be targeting the popular ones, and I use LastPass. Would a more obscure little-known manager be better? I wouldn't know how to transfer my accounts to, say, Bitwarden. Set up an account and one by one add all the accounts on LastPass to Bitwarden or another password manager.

What about two-factor authentication? Does that protect you?

Most of the password managers have a plan for converting from one manager to the other. You should be able to find that on their website. Just search for "Convert LastPass to Bitwarden" in your case.

2FA will help you also by providing something else to authenticate that you are you. If possible use a physical device like a Yubikey or an authentication app like Authy or similar.

Also monitor your accounts and set up notifications for any changes to your contact data (that is usually automatic) and any withdrawal, transfer, buy or sell over some small amount. Log in to each at least once a week and make sure nothing weird has happened.

If you suddenly lose cell phone service for no good reason, be immediately suspicious. A lot of 2FA systems require a text message to be sent to your phone. Unfortunately, texting and phone number ownership have notoriously weak security. Bad guys switch your phone number to their phone and intercept the 2FA text messages.

Needless to say, never use information about yourself or family members that can easily be discovered - birthdays, maiden name, zip codes, street number, etc. Password managers come with random password generators. Use them.
 
I just use a spreadsheet that I save encrypted. Not sure what I’d get with a password manager above what the spreadsheet gives me but the spreadsheet seems to be working pretty good.
 
Well, this is theoretical to the point, probably, of fantasy, but here's how I would try to be a bad guy:

1) Infect the user code because it is the user code that knows how to decrypt the password file. Easier said than done, of course.

2) Wait patiently until the user gave me his master password.

3) Decrypt the password file to obtain the URL/Password pairs.

4) Examine the password URLs to identify worthwhile targets like banks, brokerage firms, etc. Note that I don't have to be 100% accurate here; I might miss some but I don't care.

5) Encrypted email/VPN/send the targets list back to my mother ship.

Note that this is all hands-off. I might infect hundreds or thousands of user computers, then sell targets lists fifty or a hundred at a time to people who will exploit them.

Well your system would catch my password file at the vulnerable point when I have attached the usb and I am unlocking the file.

I think KeePass works like a specialized version of Jerry1's spreadsheet
 
I just use a spreadsheet that I save encrypted. Not sure what I’d get with a password manager above what the spreadsheet gives me but the spreadsheet seems to be working pretty good.
You might get a bit of ease in logging into a website.

With Lastpass, at least, your vault is a database of user ids/passwords/URLs. When you accessed a URL, Lastpass either pre-fills the fields, or sets up an icon where you can click and pre-fill. Alternatively, if you use a password manager on a mobile device, you can use the vault like a list of favorites to access a site and pre-fill login credentials.

It really is a matter of preference.

- Rita
 
You might get a bit of ease in logging into a website.

With Lastpass, at least, your vault is a database of user ids/passwords/URLs. When you accessed a URL, Lastpass either pre-fills the fields, or sets up an icon where you can click and pre-fill. Alternatively, if you use a password manager on a mobile device, you can use the vault like a list of favorites to access a site and pre-fill login credentials.

It really is a matter of preference.

- Rita

You get a LOT of ease in logging onto a website. I imagine most people who are not using a password manager are allowing their browser to save their passwords online, and I think that the Google password manager (for example) is less secure than mine. Plus, Lastpass, the one I use, will automatically update a website's password whenever I do it online.

I cannot imagine people are cutting and pasting passwords from their spreadsheet into a login screen every time. Or maybe they are?
 
I just use a spreadsheet that I save encrypted. Not sure what I’d get with a password manager above what the spreadsheet gives me but the spreadsheet seems to be working pretty good.

I have AES encryption, SHA-256 hash, protection against dictionary and guessing attacks, and in-memory protection, but maybe an encrypted Excel is fine too.
 
For those that use a password manager ( I do), how often do you change the master password?
 
I just use a spreadsheet that I save encrypted. Not sure what I’d get with a password manager above what the spreadsheet gives me but the spreadsheet seems to be working pretty good.

I get to organize by category: banks, shopping, brokerages, rewards, etc

I also get a spot to save the security question and answers for each site with the site information. Meaning when I select say a login for bank X, I have access to my username, password, security questions and anything else i want to store there, like the branch address, or manager name, or my balance, etc.

What else I get is automatic clearing of the password that I copy and paste when logging in. Previously I used a spreadsheet, and sometimes I'd find an hour later, when I pasted, that it was my password!! The manager clears the clipboard after however many seconds I've selected, so now that doesn't happen.
 
KeePassXC - No cloud to get hacked. Why would one keep one's info like that on someone else's server? :( I worked in the industry, Cloud too in my later years, and nuclear companies would not store their data in the cloud for this reason. May have changed, but they were adamant about it at the time and we got the business because we stored data on local servers, not in the cloud.

JMHO - I have never stored any of my data that I have control of in the Cloud ever since. With all the data breaches one reads about I am happy that I don't.
 