Old 01-13-2020, 01:47 PM   #101
Thinks s/he gets paid by the post
ownyourfuture's Avatar
 
Join Date: Jun 2013
Posts: 1,561
Warning: Old school on steroids
I keep all my usernames, passwords, security questions, etc. on a simple text file, kept on a password-protected Flash drive. Also store my old tax returns, etc. on the same drive.

I print 2 copies twice a year. I keep one in the file cabinet next to my computer desk, & give the other one to my younger brother. Six months later, I'll have added a few new sites, & deleted some as well. I make the changes, print 2 new pages, & shred the old ones.
__________________
"No beast so fierce but knows some touch of pity, but I know none, therefore am no beast"
Shown @ The End Of The Movie 'Runaway Train'
ownyourfuture is offline   Reply With Quote
Old 01-13-2020, 02:18 PM   #102
Thinks s/he gets paid by the post
Sojourner's Avatar
 
Join Date: Jan 2012
Posts: 2,593
Haven't seen it mentioned yet, but BitWarden is a password manager worth checking out. It's open source and has all the key features and security protocols of more well-known apps like LastPass. The basic/free version is chock full of features, and the paid/premium version is only $10/year.

https://www.safetydetectives.com/blo...anager-better/
Sojourner is offline   Reply With Quote
Old 01-17-2020, 03:58 PM   #103
Full time employment: Posting here.
 
Join Date: Nov 2019
Location: Jersey City
Posts: 522
Quote:
Originally Posted by Sojourner View Post
Haven't seen it mentioned yet, but BitWarden is a password manager worth checking out. It's open source and has all the key features and security protocols of more well-known apps like LastPass. The basic/free version is chock full of features, and the paid/premium version is only $10/year.

https://www.safetydetectives.com/blo...anager-better/
That's what I use and I absolutely love it. Free version is already perfect but I paid $10 for the ability to upload documents' scans. They don't display instantly - you need to download them but it's good to have that ability in case your passport gets stolen or something.
tenant13 is offline   Reply With Quote
Old 01-17-2020, 06:46 PM   #104
Full time employment: Posting here.
 
Join Date: Aug 2017
Location: claremont
Posts: 601
Just to clarify, 2FA is not just a text message. Need something like Authy or a fob with a synchronized code generator.

I like Blur and others for their ability to generate unique emails as logins, as well as unique passwords.
indiajust is offline   Reply With Quote
Old 01-17-2020, 06:47 PM   #105
Full time employment: Posting here.
 
Join Date: Aug 2017
Location: claremont
Posts: 601
Concur with diagnosis. Cannot outrun the bear, just need to run faster than the herd. Hard target.
indiajust is offline   Reply With Quote
Old 01-18-2020, 04:21 AM   #106
Recycles dryer sheets
 
Join Date: Mar 2014
Location: Richmond, VA
Posts: 53
Use a PWM

I’m a Cybersecurity professional of some extended period of time. You could probably do what you describe and never be compromised. But, I doubt you are as thorough as you explained in real life. It would truly be astonishing if you were. People create exceptions to these routines because of the situations you encounter when logging into things. If you don’t then congrats, there’s one of you on the planet.

I use LastPass and have for some years now. It has literally changed my life. I have a profile that creates randomly generated 20 character passwords (would do longer but encounter too many sites that won’t support them yet). My passwords are sync’d between my local computer and handheld devices. My wife also uses so I can share a password if necessary inside the app. The passwords are created locally and sync’d through the cloud, so even LastPass does not have the PW. Thus there is nothing to compromise. They have been attacked several times by hackers, but never successfully. If you research, you will find that most cyber professionals use LastPass.
Tuirc is offline   Reply With Quote
Old 01-18-2020, 04:25 AM   #107
Recycles dryer sheets
 
Join Date: Mar 2014
Location: Richmond, VA
Posts: 53
Concur. You should 2FA everything you can. I’m disappointed that more things do not have 2FA in this day and age. The worst 2FA is an email. Next worst is a text. Both have been compromised. Use an app if possible, better still is using something like Yubikey. I have one for work and one for personal. They can work on your phone too with NFC.
Tuirc is offline   Reply With Quote
Old 01-18-2020, 06:44 AM   #108
Recycles dryer sheets
PointBreeze's Avatar
 
Join Date: Jul 2017
Location: Pittsburgh
Posts: 300
Quote:
Originally Posted by donheff View Post
+1 I keep the master password file on a cloud server so I can access it from multiple devices. The password file is encrypted so I am not worried about hacking. The password to open the file through the PS app remains local and is only in my head.
+1

I’ve used PWSafe for many years and am very pleased with it.
__________________
Retired from FT j*b 2017 @ 58, consulted PT then fully retired 2019 @ 60
AA: 54/41/5 | no pension
Into: spreadsheets, botanical art, fitness, IPAs, learning to play the piano, reading
Mantras: Carpe diem & Gratitude
PointBreeze is offline   Reply With Quote
Old 01-18-2020, 07:27 AM   #109
Thinks s/he gets paid by the post
 
Join Date: Dec 2017
Posts: 1,618
Quote:
Originally Posted by djfiii View Post
I didn't read every post here, but I've worked in InfoSec for ~20 years; I try to stop bad guys on the interwebs for a living, and I use LastPass.
...

Another thing you can do that helps a LOT, is have two email accounts. Use one for 95% of your activity (facebook, email, forums like this, etc.) and use the other ONLY for financial sites (your bank, brokerage, etc.). NEVER use that second email to communicate with others, or to create accounts on sites like this. One primary way bad guys compromise people is they'll get a username/password from a hacked site (say, a forum like this) - and then try that same username/password at a bunch of financial sites, knowing that most people use the same username/password at multiple sites. If you only ever use that second email address for a handful of financial sites, it's WAY more likely that email will never appear in a dump of credentials on the dark web.

Hope that helps!
It does help! I have been using Keepass for years but I am experimenting with LastPass for the 95% of less important passwords. I really like the fact that it can scan for duplicate passwords. I have been fixing those. Keeping Keepass on my Usb seems more secure.

I did adopt the separate email address for financial sites, probably on advice from this forum. Password resets will go to the email that no one knows.
RetMD21 is offline   Reply With Quote
Old 01-18-2020, 07:48 AM   #110
Recycles dryer sheets
 
Join Date: Dec 2018
Posts: 176
Quote:
Originally Posted by Midpack View Post
I'm open to other POVs here.

I'm still on the fence with this one. I use strong unique passwords (randomly generated using Excel), change them at some frequency and don't reuse usernames/passwords for sensitive sites (I do reuse passwords for non sensitive sites like forums, etc.). My passwords aren't on my PC for more than a few seconds a year, they're on a USB or paper - so they're almost unhackable (unless by a key logger?).

I have no doubt an uncompromised password manager is still a much more robust solution to password strength and management. However, password managers can be hacked, you can do a search to confirm (but 1 credible example below). Almost every online entity glowingly swears their security is bulletproof - until they're hacked. We've seen that over and over again. Some hackers are just as sophisticated and creative as the "good guys" and that doesn't seem likely to change?
The best answer may well be from the article "Yes, there is risk in storing all your passwords in one place with a password manager. But it’s helpful to look at the risk like a hacker: There’s no “safe” and “unsafe.” There’s “safer than,” or “better than.” Being 100 percent safe would require disconnecting from the Internet and moving to an undisclosed bunker." Unfortunately, they also suspect more hackers may target password managers, escalating the battle and successful attacks.

https://www.washingtonpost.com/techn...still-use-one/
When I needed to step in to manage my mother’s affairs, she had some fairly sophisticated passwords in a paper notebook.

I quickly realized that I would soon lose my mind, and that my passwords were nowhere as secure as hers. The stronger the password, the more often I’d have to reset it.

I gave LastPass free version a try. It has improved the strength of all my passwords, and two factor authentication works very well for me.

I use it across:
Chrome book
Windows PC ( home & work)
Windows laptop
iPhone
iPad

I use browsers:
Firefox
Chrome
Safari
Old Internet Explorer

I use Google Authenticator for the two factor authentication for LastPass.

The rare day that I forgot my phone, I had great difficulty getting in to LastPass at work, which required some resourcefulness to access anything requiring authentication.

Realizing how difficult it would be for the family when I follow in my mother’s steps, I promptly wrote an “If I’m hit by a bus” letter for the family.

It ends with “Might need to cut off my right thumb and press on iPhone fingerprint sensor” 😊

In the engineering domain, I’ve learned that every design has risk and compromises.
a60dan is offline   Reply With Quote
Old 01-18-2020, 08:14 AM   #111
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 5,807
Quote:
Originally Posted by a60dan View Post
It ends with “Might need to cut off my right thumb and press on iPhone fingerprint sensor” 😊

A good laugh for a Saturday morning!

I’m glad I don’t have FaceID!
steelyman is offline   Reply With Quote
Old 01-18-2020, 08:54 AM   #112
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,719
A concern we all share is the future of a password manager product we use. For example, LastPass (LogMeIn parent) was recently sold to a private equity firm. So we always need to review applications, and how dependent we may become on them.
https://www.pcmag.com/news/lastpass-...e-equity-firms
target2019 is offline   Reply With Quote
Old 01-18-2020, 10:00 AM   #113
Thinks s/he gets paid by the post
Rianne's Avatar
 
Join Date: Aug 2017
Location: Champaign
Posts: 4,722
Quote:
Originally Posted by Tuirc View Post
I’m a Cybersecurity professional of some extended period of time. You could probably do what you describe and never be compromised. But, I doubt you are as thorough as you explained in real life. It would truly be astonishing if you were. People create exceptions to these routines because of the situations you encounter when logging into things. If you don’t then congrats, there’s one of you on the planet.

I use LastPass and have for some years now. It has literally changed my life. I have a profile that creates randomly generated 20 character passwords (would do longer but encounter too many sites that won’t support them yet). My passwords are sync’d between my local computer and handheld devices. My wife also uses so I can share a password if necessary inside the app. The passwords are created locally and sync’d through the cloud, so even LastPass does not have the PW. Thus there is nothing to compromise. They have been attacked several times by hackers, but never successfully. If you research, you will find that most cyber professionals use LastPass.
+1
__________________
"Do not go where the path may lead, go instead where there is no path and leave a trail."

Ralph Waldo Emerson
Rianne is offline   Reply With Quote
Old 01-18-2020, 10:36 AM   #114
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by target2019 View Post
A concern we all share is the future of a password manager product we use. For example, LastPass (LogMeIn parent) was recently sold to a private equity firm. So we always need to review applications, and how dependent we may become on them.
https://www.pcmag.com/news/lastpass-...e-equity-firms
Thanks for the heads-up. I don't really need LastPass premium which has experienced price increases. For the free product I'd be OK with paying a little.

But this is one reason why I dump my LastPass contents to an Excel file. Just in case I have to make a product or strategy change.
Lsbcal is offline   Reply With Quote
Old 01-22-2020, 04:00 PM   #115
Confused about dryer sheets
 
Join Date: Feb 2014
Location: Buffalo MN
Posts: 2
I think the OP's question relates to using a password manager or not. I propose that that is not a good question to ask given that the problem is not really well defined. In other words it looks like a solution looking for a problem.

The question each of us must ask is what do we need to protect and what is the importance/risk of what we are protecting. Then you can look at password managers and encryption software and notebooks and so on. Applying each as needed to give you the security you desire.

For example, how would you protect access to nuclear secrets vs this forum? Or how about your 401K at TRoweCost.com. Does it change if the 401K account has $5,000 vs $5,000,001?

Google's/Chrome's password manager might be great for forums, given one's own comfort needs, but maybe not so for saving banking info. Definitely not for nuclear secrets. Given TRoweCost's internal watchdog functions and transaction alerts, maybe some will feel that Chrome's password manager is more than enough. Others maybe not.

Here is one approach to identifying the problem and picking solutions. Create a security plan:
- List out all the accounts you have logins for
- Add to the list any data you want to protect and manage in your security plan
- Break/sort the list into levels of sensitivity. For some that may be 3 levels, others may feel more comfortable with 10 levels.
- Indicate for each site any site side protection (such as transaction alerts)
- For each level, identify a solution that meets your needs. For the nuclear secrets, maybe you just have to memorize the keys to a code encrypting a code encrypting a code yielding the login info.

Consider also what you are protecting. Is it a login, or is it sensitive data stored at the login? For example, maybe you store in the cloud scans of your credit cards, driver's licenses, passports and the like for easy access should they be lost/stolen. One level of security is a login/password to the location where the image is stored. Another level of protection (albeit weak) is changing the file name's extension (from .jpg to .doc). Another level is some form of file lock or encryption or compression with lock.

So the answer to the OP's question is ............. it depends. Sorry

BTW ... a nice feature of Chrome's password manager (enter https://passwords.google.com/ to see yours) is that it will do a password checkup and list any sites where the password is known to be compromised. It also lists duplicate passwords.

BTW2 ... Don't forget to lock your PC if it is running and you are away from it. Your PC password and Google password (IE, Firefox, etc) may be the most important passwords you have since, for many, it is the keys to so many other accounts if Chrome (or potentially other password managers) stores the passwords.
nkemp is offline   Reply With Quote
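
The tiered security plan and duplicate-password check from post #115, combined with the separate financial email advice quoted in post #109, can be run as a small audit over an exported account list. This is an added example, not part of any post; the CSV columns, tier labels and sample rows are constructed assumptions, not any password manager's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and tier labels are assumptions.
SAMPLE_EXPORT = """site,login,password,tier
bank.example,money@mail.example,T7#qLw9!xZr2VbNm4KpD,financial
broker.example,me@mail.example,Summer2019!,financial
forum.example,me@mail.example,Summer2019!,low
shop.example,me@mail.example,hunter2hunter2,low
news.example,me@mail.example,hunter2hunter2,low
"""


def load_rows(text):
    """Parse the export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))


def _shared(rows, field):
    """Return groups of accounts that share the same value for `field`."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[field]].append(row)
    return [group for group in groups.values() if len(group) > 1]


def audit(rows, top_tier="financial"):
    """Flag reuse that lets a breach of one site reach another.

    Findings are (severity, issue, sites) tuples; the password itself is
    never copied into a finding.
    """
    findings = []
    # Same password on several sites: a dump from any one exposes the rest.
    for group in _shared(rows, "password"):
        tiers = {r["tier"] for r in group}
        sites = sorted(r["site"] for r in group)
        severity = "high" if top_tier in tiers else "medium"
        findings.append((severity, "password reused", sites))
    # A top-tier login that also appears on lower-tier sites will show up
    # in those sites' credential dumps and in their password-reset flows.
    for group in _shared(rows, "login"):
        tiers = {r["tier"] for r in group}
        if top_tier in tiers and len(tiers) > 1:
            top = sorted(r["site"] for r in group if r["tier"] == top_tier)
            findings.append(
                ("medium", "top-tier login also used on lower tiers", top))
    return sorted(findings)


if __name__ == "__main__":
    for severity, issue, sites in audit(load_rows(SAMPLE_EXPORT)):
        print(f"{severity:6} {issue}: {', '.join(sites)}")
```
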
Old 01-24-2020, 11:19 PM   #116
Recycles dryer sheets
 
Join Date: Sep 2016
Posts: 342
I have been using KeePass for about 15 years or so. Chose it for the multi-platform support and have been happy with it. Besides having too many accounts to keep track of I could not imagine doing without a password manager because of:
  1. Keeping track of notes and "security questions". While many sites have cut down on these insecurity questions, I always make up nonsense answers and need to write them down.
  2. Recovery when mobile. I resisted using the cloud for password storage for a long time but then I was traveling outside the country with just a smartphone when it turned into a brick. I bought another phone and remembered the passwords to a few primary accounts and made it back home. But the thought of being stranded due to device theft, breakage, etc and not being able to book a hotel online, flight, check certain accounts, etc, made me reconsider. (I have looked for a password manager that supports a split data store, so that I could choose which half to back up in the cloud. But I have not found one and such a feature would probably confuse most users)
triangle is offline   Reply With Quote
Old 01-25-2020, 12:06 AM   #117
Thinks s/he gets paid by the post
 
Join Date: Jul 2011
Posts: 1,288
Quote:
Originally Posted by triangle View Post
I have been using KeePass for about 15 years or so. Chose it for the multi-platform support and have been happy with it. Besides having too many accounts to keep track of I could not imagine doing without a password manager because of:
  1. Keeping track of notes and "security questions". While many sites have cut down on these insecurity questions, I always make up nonsense answers and need to write them down.
  2. Recovery when mobile. I resisted using the cloud for password storage for a long time but then I was traveling outside the country with just a smartphone when it turned into a brick. I bought another phone and remembered the passwords to a few primary accounts and made it back home. But the thought of being stranded due to device theft, breakage, etc and not being able to book a hotel online, flight, check certain accounts, etc, made me reconsider. (I have looked for a password manager that supports a split data store, so that I could choose which half to back up in the cloud. But I have not found one and such a feature would probably confuse most users)
I follow a similar approach, using Keepass as well. But when I travel I put about 3 account PW on my iPad or phone. I am not sure if it would be safer in the cloud. But the time frame is fairly short so I am assuming a reasonable risk on my phone. When I return home, I delete the phone passwords.
savory is offline   Reply With Quote
Old 01-25-2020, 06:14 AM   #118
Thinks s/he gets paid by the post
dixonge's Avatar
 
Join Date: Mar 2008
Location: Jalisco, Mexico
Posts: 1,747
Quote:
Originally Posted by a60dan View Post
It ends with “Might need to cut off my right thumb and press on iPhone fingerprint sensor” 😊
A very true concern! Although, you can have more than one person with fingerprints on an iPhone. Better than keeping a loved one's finger in the freezer...

This and other issues/concerns I ran across caused me to dump my plan of having all passwords inside of my Apple keychain. The main issue was when I went back to the Chrome browser and the keychain only works with Safari. Also, no keychain access if I'm on my wife's phone or iPad.

So now the only thing I really use the keychain for is for my fingerprint to access my Bitwarden password manager. All the rest of my passwords are inside Bitwarden. I have switched all of my *important* apps/sites to randomly generated passwords and have implemented 2FA using the Authy authenticator app if possible. Bit of a pain, but it feels better knowing I'm more secure, especially from SIM swap scams...
dixonge is offline   Reply With Quote
Old 01-25-2020, 04:49 PM   #119
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
kcowan's Avatar
 
Join Date: Jul 2006
Location: Pacific latitude 20/49
Posts: 7,677
I am wondering what these important sites are? I have only two and they are DWs and my bank/investment accounts. We memorize them.

All the other sites like this one are saved in Chrome. So we also need power on passwords or fingerprints to access them.
__________________
For the fun of it...Keith
kcowan is offline   Reply With Quote
Old 10-11-2021, 11:09 AM   #120
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,259
I am considering converting from LastPass to BitWarden.

I am wondering if others have done that and how well the conversion went.

Any surprises? Is there something in LastPass you miss by using BitWarden?

Overall, how do the two compare?
__________________
Comparison is the thief of joy

The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote