Many many Passwords

I wrote down the websites & passwords in my phone contacts.

If I lose my phone, they will have access to all my financial accounts with passwords written & other websites.

How do I go about correcting these? I know I have my work cut out.

Google email says -

Passwords checked for 214 sites and apps
60 compromised passwords
Change these passwords now
228 reused passwords
Create unique passwords
55 accounts using a weak password
Create strong passwords
 
After my brother and I began helping our Dad w/ his finances it quickly became obvious that his password system (writing down notes everywhere) wasn't working too well. At least now he is storing them in an Apple Notes document which is shared with me so I can easily access a site if he's changed passwords.

Sharing an Apple Note isn't a bad approach really.

Shared notes
Notes that aren’t end-to-end encrypted with a passphrase can be shared with others. Shared notes still use the CloudKit encrypted data type for any text or attachments that the user puts in a note. ... CloudKit manages the process by which participants can encrypt and decrypt each other’s data.

I use Apple's new Shared Password groups with my Dad. When any of those passwords get updated, I can access the update immediately. These passwords are also end-to-end encrypted. That's better than the security on Shared Notes.

Also, the reason I switched my Dad from a shared note to the shared password groups feature is that if someone wandered his computer while it was logged in and unlocked, they could access the shared note. When someone tries to view passwords, the system forces a reauthentication. Keeps neighbors or house cleaners from accessing it.
 
1Password encrypts all passwords before sync, so not even law enforcement can get your data from them. They *could* compel *you* to give them your master password, but it is hacker-proof at the server level. Nothing to steal but encrypted blobs.

Just make sure your iteration level is set high. 1, 5 or even 100 iterations when encrypting the password is not enough. The more iterations, the bigger and messier the gobbledygook of encryption becomes. That’s what we want. :)

Here’s a table that shows the estimated time to crack a password based upon its size and the various characters used:
 

[Attachment: IMG_0105.jpg]
> I wrote down the websites & passwords in my phone contacts.
>
> If I lose my phone, they will have access to all my financial accounts with passwords written & other websites.
>
> How do I go about correcting these? I know I have my work cut out.
>
> Google email says -
>
> Passwords checked for 214 sites and apps
> 60 compromised passwords
> Change these passwords now
> 228 reused passwords
> Create unique passwords
> 55 accounts using a weak password
> Create strong passwords

I was in similar shape before I started using a password manager 2 years ago. I had hundreds of passwords that were the same or simple variations of the same password. I was a lazy mess as far as security went.

Just pick a password manager based upon your specific needs as even free ones will be way ahead of Google for security.

Here's a short list of free password managers at the URL below, any of which will work fine.

https://www.forbes.com/advisor/business/software/best-free-password-manager/
 
I'd go nuts without a password manager.

Along with the manager, use a password generator (either as part of the manager or a separate program) that allows you to specify various criteria (password length, number/character/special symbol combinations) so the generator is flexible enough to meet all the different mumbo jumbo patterns.
 
> 1Password encrypts all passwords before sync, so not even law enforcement can get your data from them. They *could* compel *you* to give them your master password, but it is hacker-proof at the server level. Nothing to steal but encrypted blobs.
Yup. Everything is hacker-proof.

Until it isn't.
 
> Yup. Everything is hacker-proof.
>
> Until it isn't.

> Just make sure your iteration level is set high. 1, 5 or even 100 iterations when encrypting the password is not enough. The more iterations, the bigger and messier the gobbledygook of encryption becomes. That’s what we want. :)
>
> Here’s a table that shows the estimated time to crack a password based upon its size and the various characters used:

How about 650,000 iterations?

"There are 650,000 iterations, or functions, of PBKDF2 in the current version of 1Password. This means anyone who tries to guess an account password needs to perform the same calculations. Any hacking attempts are virtually useless since your account password is combined with your Secret Key, which is only on your devices."

https://support.1password.com/pbkdf2/
 
> I wrote down the websites & passwords in my phone contacts.
>
> If I lose my phone, they will have access to all my financial accounts with passwords written & other websites.
>
> How do I go about correcting these? I know I have my work cut out.
>
> Google email says -
>
> Passwords checked for 214 sites and apps
> 60 compromised passwords
> Change these passwords now
> 228 reused passwords
> Create unique passwords
> 55 accounts using a weak password
> Create strong passwords
I would go down the list and find the most important sites to me. Then you'll have to go to each site and change your password. I think it will be easier if you go to each site and choose "forgot password" and then follow instructions. When you go back to the site, following instructions, at some point Google will ask to update the password for the site. Or it should.

So when you decide to change a password, I would let Google pick a very secure one, and use that. Just in case, you should copy the password, as you may have to manually update the password in browser password manager.

You should have a very strong password to open this manager. Much to learn.

If you do go for a different free password manager, you'll need to make sure that gets updated daily. Also look behind the scenes to make sure your data is encrypted and at rest. The company making the software should show on their website the security credentialing they have.
 
> How about 650,000 iterations?
>
> "There are 650,000 iterations, or functions, of PBKDF2 in the current version of 1Password. This means anyone who tries to guess an account password needs to perform the same calculations. Any hacking attempts are virtually useless since your account password is combined with your Secret Key, which is only on your devices."
>
> https://support.1password.com/pbkdf2/
Some don't want to believe how secure the 1Password design is. Most will not read or understand the specs.

We are way past the free software model. The bad guys are light years beyond what most are employing.
 
> Some don't want to believe how secure the 1Password design is. Most will not read or understand the specs.
>
> We are way past the free software model. The bad guys are light years beyond what most are employing.
And that probably explains why Google, Amazon, Microsoft, etc are going down the path of passkeys. Will make all these password managers useless for the most part.

https://fortune.com/2023/10/11/google-passkeys-default-option-ending-passwords/

The article is behind a paywall; here is the version Google showed.

https://www.google.com/amp/s/fortun...passkeys-default-option-ending-passwords/amp/
 
Well, 1Password supports passkeys. Major problem is that sites have to implement this, and there's no big rush. I guess we'll see what this all means some day.
Passkeys are based on the device, and as explained in the article:

"Passkeys are being touted as a replacement for passwords. By using your fingerprint, a scan of your face, or your screen lock PIN, you’re automatically logged into an app or website (once you approve the request). Basically, it’s using your device to prove that you’re really you."

Where already implemented today, I just use my face, thumbprint or device passcode to log in to a website or application. Not sure why 1Password is needed; perhaps this marketing of such is to keep their product relevant while it's not?
 
> Passkeys are based on the device, and as explained in the article:
>
> "Passkeys are being touted as a replacement for passwords. By using your fingerprint, a scan of your face, or your screen lock PIN, you’re automatically logged into an app or website (once you approve the request). Basically, it’s using your device to prove that you’re really you."
>
> Where already implemented today, I just use my face, thumbprint or device passcode to log in to a website or application. Not sure why 1Password is needed; perhaps this marketing of such is to keep their product relevant while it's not?

Sigh. Passkeys really have nothing to do with biometric authentication.

The trouble, I suppose, is that there is no way for "normal folks" to understand how passkeys actually work (good luck explaining public key encryption to most people).

Passkeys do require software support (you can't remember a passkey like you can remember a (poor) password), and all this software uses biometric authentication. So they tout this feature as the main reason to use passkeys.

The real beauty of passcodes is that they can't be easily guessed and since your passkeys aren't sent to remote sites, they can't be "breached" or stolen from servers.
 
> Sigh. Passkeys really have nothing to do with biometric authentication.
>
> The trouble, I suppose, is that there is no way for "normal folks" to understand how passkeys actually work (good luck explaining public key encryption to most people).
>
> Passkeys do require software support (you can't remember a passkey like you can remember a (poor) password), and all this software uses biometric authentication. So they tout this feature as the main reason to use passkeys.
>
> The real beauty of passcodes is that they can't be easily guessed and since your passkeys aren't sent to remote sites, they can't be "breached" or stolen from servers.
From a user's perspective, passkeys are activated by biometric authentication. Kind of like typing a website domain that routes to the site based on the IP. What happens behind the curtain is of no consequence to the user; it just needs to work.

From what I've read, and briefly, what 1Password is doing with passkeys is basically what Authenticator does today, and Authenticator is free.
 
I am not currently using passkeys as while I don't mind being an early adopter of new tech, I try to avoid being on the bleeding edge in order to save myself some grief.

I have no desire to allow Amazon, Google or Apple to control my passkey access to the very limited number of sites that have implemented the technology so far. I will continue to use 1Password as it just adds passkeys as another tool, since user names and passwords will probably not be eliminated from all accounts in my lifetime, so a password manager will still be needed.

I'm not quite sure of the nuances of how passkeys will be implemented across platforms, but I do know I will try not to be tied to using one device such as my phone in order to authenticate access to an account. If I can use 1Password to authenticate with multiple devices, that is the option I prefer, as I have a long list of devices and operating systems I use frequently. I can even use 1Password on my Apple Watch, how cool is that? Most of the time at home, I'm not even sure where the heck my iPhone is located.
 
I've been using LastPass without issue for about five years now. I have 150-200 passwords and secure notes stored there. Makes my life a lot easier.
 
> Passkeys are based on the device, and as explained in the article:
>
> "Passkeys are being touted as a replacement for passwords. By using your fingerprint, a scan of your face, or your screen lock PIN, you’re automatically logged into an app or website (once you approve the request). Basically, it’s using your device to prove that you’re really you."
>
> Where already implemented today, I just use my face, thumbprint or device passcode to log in to a website or application. Not sure why 1Password is needed; perhaps this marketing of such is to keep their product relevant while it's not?
Bob, a passkey is an alternative way of providing login authentication. It provides the same function as a password.

1Password supplies the features of other password managers, so when someone uses it, they are using it in the same way that other users just go with Apple, Google, or MS solutions. Essentially, we have entrusted some authentication to a 3rd party.

1Password works across all of our devices, and is supported in a direct way. Most days the apps are updated for patches and features. One spectacular feature is that we have a family version. So, our four users have an incredibly useful feature. The cost is about $60 USD per year. The sharing features alone are worth the price of admission.

I trust you will be very content with your current provider and solution. It's all good in my mind. There's always a learning curve as well as new tech developments on the horizon.
 
> Just make sure your iteration level is set high. 1, 5 or even 100 iterations when encrypting the password is not enough. The more iterations, the bigger and messier the gobbledygook of encryption becomes. That’s what we want. :)
>
> Here’s a table that shows the estimated time to crack a password based upon its size and the various characters used:
I don't know if that's accurate or not, but it's reassuring if it is. Thanks.
 
> A password manager is a hacker magnet. Trying to steal passwords on a retail basis is a low payoff activity. The ability to control a password manager gives the bad guys something they can sell -- for example, a bundle of 100 passwords to BOA, Fido, etc. accounts all gleaned from password managers.

Could you explain how a bad guy can control a password manager? How do they gain control?

I use 1Password and as far as I know the only ways for a bad guy to get at my passwords is if they are holding a gun to my head and commanding me to enter my master password and thus gain access to my account, or somehow they get lucky and can hack my master password, which is extremely unlikely since it is a combination of characters and numbers which form a mnemonic that only makes sense to me.

FWIW, I used to use your method which is pretty darn effective until you are traveling and want to check some credit card transactions or look at your credit card statement on your phone or tablet. Then you need to rely on your memory to recall a complex password.

IOW, the chances of a bad guy gaining access to my 1Password account and getting into your Fido account are about the same, the difference being I only have to remember one password, plus I can easily change passwords on sites and have no need to remember them.

I don't trust my memory to remember complex and distinctly different passwords for my four bank accounts, my four credit cards, my two investment accounts, etc.
 
> Remember the Maginot Line? It was impenetrable too.
That is an unfair comparison since the necessary skills are so wildly different.

It is akin to saying, "If we can go to the moon we can invent teleportation" or "we can cure cancer" or (fill in whatever.)
 
> Could you explain how a bad guy can control a password manager? How do they gain control?
>
> I use 1Password and as far as I know the only ways for a bad guy to get at my passwords is if they are holding a gun to my head and commanding me to enter my master password and thus gain access to my account, or somehow they get lucky and can hack my master password, which is extremely unlikely since it is a combination of characters and numbers which form a mnemonic that only makes sense to me.
>
> FWIW, I used to use your method which is pretty darn effective until you are traveling and want to check some credit card transactions or look at your credit card statement on your phone or tablet. Then you need to rely on your memory to recall a complex password.
>
> IOW, the chances of a bad guy gaining access to my 1Password account and getting into your Fido account are about the same, the difference being I only have to remember one password, plus I can easily change passwords on sites and have no need to remember them.
>
> I don't trust my memory to remember complex and distinctly different passwords for my four bank accounts, my four credit cards, my two investment accounts, etc.
If someone captures your master password for 1Password, they would also require access to your installed app, browser with extension, and so on.

So, if they have my computer and my master password, and can crack my OS login, they would have access.

A detail that is missing, and I wouldn't think non-users of 1Password would understand this, is that with your master password and no access to your computer they will get nothing. This is because a secret key is involved.

Also, 1Password requires the secret key as well as a master password to install. So, if someone has the master password, secret key, and your vault they can get in. That's why MFA is important. One more layer for your security.

Of course nothing is perfect, and eventually criminals find a way around your defenses. That is one reason why I use 1Password. When a flaw is found in the wild, they address it ASAP.
 
> I noticed there are a surprising number of people here who don't use password managers.
>
> I'm curious why?

A password manager is a hacker magnet. ....

Plus, I don't need one. I have only a few passwords I care about and my system for those is stored only in my head. I certainly have 100+ passwords that I don't care about, like the one to this site. So I don't take significant steps to protect those. Hence again no need for a password manager.


> 1Password encrypts all passwords before sync, so not even law enforcement can get your data from them. They *could* compel *you* to give them your master password, but it is hacker-proof at the server level. Nothing to steal but encrypted blobs.

I will plead some level of ignorance regarding these security measures, but if it's that simple, why isn't everyone (of significance) doing this? Why are we ever hearing about compromised passwords at all?

Two issues I have with many of the password managers is, if I let my browser manage them, and someone gets into my device, they have access to everything. Not good. The other is this 2FA approach - if I lose my device, and need that to complete the 2FA, I'm locked out, and that could be bad.

> I've been using ERD50's password method for the past 7 years. For me it's convenient and works perfectly. Here's his explanation of his method and how it's done:
>
> https://www.early-retirement.org/forums/f27/those-pesky-security-questions-82952.html#post1765353

Glad it has helped you, and it's still working well for me. I use a generic, simple password for sites that I just don't really care about security issues. And for ones I care about, the short version is - create a keyword of numbers, lower case and uppercase letters that is complex, yet easy to remember (some sort of acronym system helps, the letters to a phrase, plus some numbers, etc). Write it down, but don't keep it with your actual passwords. It will become easy to remember, because you will use it regularly.

For each unique site, add a short phrase with any required special characters. You can write this down, because it is useless w/o your memorized keyword.

-ERD50
 