Passwords

We have a copy of our safety deposit box under our mattress...secure, or what?

I use a bank safe deposit box as "off site storage" in case my house burns down. We put some backup drives there. Important documents we don't usually need. More stuff when we're traveling. And, an encrypted copy of passwords.
 
Hi all...great thread. I'm finally researching password managers, and have (I think) narrowed it down to Dashlane and LastPass.

But I have a potentially dumb question about how they fundamentally work. One requirement for the software is that my DW and I be able to use it "jointly" because we want access to the same accounts, like our Vanguard accts, credit union, credit card, etc.

However, there are certain websites - SSA.gov for example - where the URL is the same but the login information is obviously different because the info that's presented is based on the userid/PW.

How would any of the web-based password managers handle that?

LastPass allows for multiple logins per url. You select the appropriate login from a drop down box. There's probably an even better way for separate family members but I haven't looked at that.
 
+1. LastPass is quite happy to save multiple logins for the same URL. You just give each one its own name to know which one to choose as needed.

Also, be careful about sharing single sign-ons for financial accounts, because if something happens to one of you, the bank may freeze that online account if it is tied to the SSN of the deceased. DH's online access to his banking accounts was locked/limited within a week of his death. Thankfully we had joint access to most of them, so I was still able to get to them via my sign-ons.

Everyone absolutely should have their own sign-ons to all accounts if you are joint account holders. If you're not joint account holders (for, say, the cable company), the main account holder should add the spouse as an account holder. Trust me, this will make a tough time easier down the road.

And, as mentioned above, LastPass makes it very easy to share account information between separate LastPass accounts, and can even do it without sharing the actual password, if that's a concern.

DH and I went to LastPass back in 2012, and having all of his passwords in one place greatly helped me with handling things when he was sick and then after he died.

For those of you who are married but keep your passwords in some format that only you understand, you might want to think about this.

If I wanted to adopt this recommendation, would DW and I have separate login names/master passwords in our LastPass browser extensions? Or would we share a master password? Note: I am planning to get the Premium version of LastPass.
 
These days the experts are starting to warn people away from shorter passwords even with special symbols. Much longer passwords--which can be phrases that are far more easily remembered--are considered far more secure.

This is a great visual explanation:

[image: password_strength.png]

That process actually goes along with this article about the creator of password rules. https://www.nbcnews.com/tech/securi...now-about-passwords-says-man-who-made-n790711. As usual, everything you know is wrong.
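The point of the comic linked above is that entropy comes from how many choices the attacker cannot predict, not from how odd a password looks. Here is an added example (not from any post in this thread) that puts numbers on the styles being discussed: a word list of a given size with N words drawn at random, a human-patterned "Word + substitutions + digit + symbol" password as an attacker would model it, and a truly random string. The 16-word list is constructed for the demo, and the parameters of the patterned-password model are assumptions, stated in the code.

```python
"""Passphrase entropy versus patterned passwords (added example, not from the thread)."""
import math
import secrets

# Constructed 16-word list for the demo; a real generator uses a published list
# such as the 7776-word diceware list.  Entropy depends on list size and word
# count, not on which words are in the list.
WORDS = ["correct", "horse", "battery", "staple", "granite", "lantern", "orbit",
         "velvet", "cactus", "meadow", "pixel", "harbor", "tundra", "saffron",
         "walnut", "zephyr"]


def passphrase_entropy_bits(list_size: int, num_words: int) -> float:
    """Entropy of num_words words drawn uniformly (with replacement) from list_size words."""
    return num_words * math.log2(list_size)


def random_string_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a truly random string of `length` symbols; strong, but not memorable."""
    return length * math.log2(charset_size)


def patterned_password_entropy_bits(dictionary_size: int = 50_000,
                                    substitution_choices: int = 16,
                                    digit_choices: int = 10,
                                    symbol_choices: int = 32) -> float:
    """Attacker's-eye estimate of a 'Word + l33t subs + digit + symbol' password.

    The defaults are assumptions about how an attacker models the pattern: one
    dictionary word, a handful of capitalisation/substitution variants, one
    trailing digit and one symbol.  Only choices the attacker cannot predict
    count; the length of the word itself adds nothing.
    """
    return (math.log2(dictionary_size) + math.log2(substitution_choices)
            + math.log2(digit_choices) + math.log2(symbol_choices))


def generate_passphrase(num_words: int = 4, words=WORDS, sep: str = "-") -> str:
    """Choose words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def compare() -> dict:
    """Entropy in bits for the password styles discussed in the thread."""
    return {
        "4 words from 7776-word diceware list": passphrase_entropy_bits(7776, 4),
        "4 words from 2048-word list": passphrase_entropy_bits(2048, 4),
        "word + subs + digit + symbol": patterned_password_entropy_bits(),
        "8 random printable ASCII chars": random_string_entropy_bits(95, 8),
    }
```

With these assumptions the patterned password lands near 28 bits and four words from a 2048-word list at 44 bits; eight truly random characters score higher still (about 52.6 bits), which is why a password manager that generates and stores random strings beats both, and the passphrase is the right choice only for the one secret you must remember, the master password.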
 
> Hi all...great thread. I'm finally researching password managers, and have (I think) narrowed it down to Dashlane and LastPass.
>
> But I have a potentially dumb question about how they fundamentally work. One requirement for the software is that my DW and I be able to use it "jointly" because we want access to the same accounts, like our Vanguard accts, credit union, credit card, etc.
>
> However, there are certain websites - SSA.gov for example - where the URL is the same but the login information is obviously different because the info that's presented is based on the userid/PW.
>
> How would any of the web-based password managers handle that?

Dashlane handles this just fine, as it will prompt you for all logins that match the site and you can log in with any one you choose.

It does have some issues with Google/Gmail, but I think this is because of the Google way of doing things, which is just frustrating.

I love Dashlane, and they explicitly support sharing of an account between two people (you can search on their site).

They also support Yubikey two-factor authentication, although this is a bit tricky to set up for a shared account (but not that bad if the directions they gave me work).
 
> If I wanted to adopt this recommendation, would DW and I have separate login names/master passwords in our LastPass browser extensions? Or would we share a master password? Note: I am planning to get the Premium version of LastPass.

Yes, you should each have your own LastPass accounts.

As mentioned, you can easily share individual site logins with each other, and when you come to a login page at a site you both have accounts with, you'll just be able to choose which one to use, in case sometimes you log in with your own and sometimes with the spouse's.

I would also keep your master LastPass passwords somewhere (lockbox, in an unmarked envelope or some such) where the other can find it.

I think your choice of LastPass is an excellent one. Having the phone app that can automatically pop up and fill in passwords is great.

They do also have the Emergency Sharing stuff for your LastPass accounts, but DH and I didn't know about it so I can't really give any guidance on that. (It's the life-preserver icon.)

Have patience in getting everything set up and getting used to how it works--it's not a 10-minute undertaking. But it is so worth it.
 
Bummer. Didn't know I would be on the hook for $48/yr. Wondering if separate free accounts would do the job?
 
I thought it's only $12.99 a year? To me, it's totally worth it, but you can try the free version to start and then see if the premium extras are things you need or want.
 
Went up to $24/yr in August. I may try the free, but I also have a Quick books app (non-web) that I would like to secure. I think I may need premium for that.
 
Safari doesn't store passwords in cookies. It encrypts them in your iCloud Keychain. Not insecure at all.

Oh really? :cool:

iCloud Keychain encryption bug exposes iOS passwords, credit card numbers - TechRepublic

A largely unreported iOS security flaw undermined iCloud's end-to-end encryption capability, and could have allowed attackers to steal passwords, credit cards, and any other information on file, according to security firm Longterm Security.
 
Sigh

Security is never final. It's a cat and mouse game. Even the best systems have vulnerabilities - just like all software has bugs.

Apple has a very good record of quickly responding to new security vulnerabilities and designs its systems with security in mind from the ground up.

It should be noted that the bug discussed at that link (CVE-2017-2448) was fixed in iOS 10.13 back in March.

As always, it pays to keep your software updated to keep up with the latest security fixes.
 
I use KeePass and keep the database in an encrypted file in both home and in safe deposit box. I use several different ids and passwords for sites. I won't give out the full algorithm for security purposes :D, but starting with easy to remember phrases with words from multiple languages, and applying some personal math rules, make them easy to remember and very difficult to crack.
 
My system:

I have a "root", that one is not written down. It is pretty long, but it is the only one I have to remember.

Then I have a website specific addendum, for this forum it could be "ERF949!". Those I have written down.

Every password then is: <root><specific>. Benefits:

  • Unique password for each site
  • No risk in theft of passwords, they don't know the root
  • No memorization issues
  • Don't have to change the root .. ever
  • No central "master password"

It ain't perfect, but it works pretty well. As a bonus, the <specific> part follows a certain formula format, so most of the time I don't even have to lookup that part either.
 
You do not need both users to have LastPass Premium to share passwords with only one user. I have Premium, my wife does not, and sharing works fine.
 
password managers

I'll put in a word here for 1Password as a password manager.

A recent Wirecutter article mentioned it and compared it with LastPass. My recollection is that it said (paraphrasing) that LastPass was the best value (functionality for money) for many people, but 1Password was the best in terms of overall functionality if you don't mind paying a little more.

1Password can be purchased either as a standalone product, or as a subscription model. I use the standalone product, and have been consistently impressed by it on multiple counts:

  • Security - If you read about their approach to securing your passwords, it's very well thought out.
  • Functionality - Ability to store not only passwords, but secure notes, etc. Easy synchronization between all devices - Windows, iPhone, etc. Generates secure passwords, etc.
  • User interface - Very simple and easy to navigate. Easily logs into web sites in only a click or two.
  • Customer service - Stellar. Responsive, knowledgeable, genuinely friendly and helpful. At most companies, you'd be lucky to get one out of those three. Have never experienced anything like it elsewhere.
I cannot remember, ever, being genuinely impressed enough by any software that I truly think it's great value for the money, and gladly pay for it - with the exception of 1Password (and maybe iOS although that comes bundled with Apple hardware). I have no affiliation with the company, just a very satisfied customer.

As a tangent -

What I haven't found yet, and would like to, is a good password escrow system. It would be very handy to find a third party software service which could store my passwords, yet not have access to them, but which would be able to provide, upon my death, a key to the executor of my estate which would then grant them access to my passwords. Still looking for that solution...
 
> What I haven't found yet, and would like to, is a good password escrow system. It would be very handy to find a third party software service which could store my passwords, yet not have access to them, but which would be able to provide, upon my death, a key to the executor of my estate which would then grant them access to my passwords. Still looking for that solution...

LastPass has such a feature, called Emergency Access, and I think some other password managers do too.
 
> You do not need both users to have LastPass Premium to share passwords with only one user. I have Premium, my wife does not, and sharing works fine.

Thanks Steve. Do you and your wife use the same user name and password? Or completely separate LastPass accounts?
Also, what do you find is the benefit of your having LastPass premium, as opposed to both having the 'free' version?
 
> Thanks Steve. Do you and your wife use the same user name and password? Or completely separate LastPass accounts?
> Also, what do you find is the benefit of your having LastPass premium, as opposed to both having the 'free' version?

We have separate accounts. I bought into Premium back when it was the only way to have multi-device access, plus I used the "advanced two-factor authentication" methods. I'd keep it now because I like the added features, plus it gets more responsive support. I have no problems paying modest costs for software and services - when I was working for Megacorp I was a developer of commercial software. As it happens, I accidentally renewed LastPass for multiple years twice, so I am paid through 2024! (My wife uses a free account.)

If I were starting out today, I would still buy Premium. The service is well worth $2/mo for me.
 
> My system:
>
> I have a "root", that one is not written down. It is pretty long, but it is the only one I have to remember.
>
> Then I have a website specific addendum, for this forum it could be "ERF949!". Those I have written down.
>
> Every password then is: <root><specific>. Benefits:
>
>   • Unique password for each site
>   • No risk in theft of passwords, they don't know the root
>   • No memorization issues
>   • Don't have to change the root .. ever
>   • No central "master password"
>
> It ain't perfect, but it works pretty well. As a bonus, the <specific> part follows a certain formula format, so most of the time I don't even have to lookup that part either.

This seems like a good system to me. Thanks for sharing
 
For those of you who use software to track/keep your passwords, what makes you comfortable that they can't be hacked. DH is a former IT guy and he prefers not to trust any third parties with our passwords. He also will not use the cloud.
 
> My system:
>
> I have a "root", that one is not written down. It is pretty long, but it is the only one I have to remember.
>
> Then I have a website specific addendum, for this forum it could be "ERF949!". Those I have written down.
>
> Every password then is: <root><specific>. Benefits:
>
>   • Unique password for each site
>   • No risk in theft of passwords, they don't know the root
>   • No memorization issues
>   • Don't have to change the root .. ever
>   • No central "master password"
>
> It ain't perfect, but it works pretty well. As a bonus, the <specific> part follows a certain formula format, so most of the time I don't even have to lookup that part either.

The above method is dangerous. If any site you use is hacked, your "root" is then known. Your "specific" follows a system and can thus be figured out.
I used to do something like this, but stopped.

Bottom line is a commercial password manager is needed these days.
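To make the objection concrete, here is an added example (not from any poster) of what an attacker does with the <root><specific> scheme once two of the sites have been breached and the plaintext passwords cracked or leaked. The site names, the root and the suffix rule are all constructed for the demo. The common prefix of the leaks gives away the root, the common suffix gives away the fixed tail, and the varying middle is tested against a few candidate rules an attacker would try; whichever rule survives is applied to a site that has not been breached. A single leak already exposes the root to anyone who notices the structure; two leaks let the formula be recovered automatically.

```python
"""Recovering a <root><specific> password scheme from two breach dumps (added example)."""
from typing import Callable, Dict, List

# Constructed sample: cracked plaintext passwords from two hypothetical breaches.
LEAKED: Dict[str, str] = {
    "early-retirement-forum.example": "LongRootPhrase#7ERF949!",
    "big-box-shop.example":           "LongRootPhrase#7BBS949!",
}


def _words(host: str) -> List[str]:
    """Hostname label split on hyphens: 'big-box-shop.example' -> ['big','box','shop']."""
    return host.split(".")[0].split("-")


# Candidate rules for the site-specific part; an attacker keeps the ones that fit.
RULES: Dict[str, Callable[[str], str]] = {
    "initials":    lambda h: "".join(w[0] for w in _words(h)).upper(),
    "first3":      lambda h: _words(h)[0][:3].upper(),
    "consonants3": lambda h: "".join(c for c in _words(h)[0] if c not in "aeiou")[:3].upper(),
}


def common_prefix(strings: List[str]) -> str:
    prefix = strings[0]
    for s in strings[1:]:
        while not s.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def common_suffix(strings: List[str]) -> str:
    return common_prefix([s[::-1] for s in strings])[::-1]


def recover_root(leaked: Dict[str, str]) -> str:
    """The shared root is simply the longest common prefix of the leaked passwords."""
    return common_prefix(list(leaked.values()))


def recover_tail(leaked: Dict[str, str], root: str) -> str:
    """Whatever is constant after the varying part (here the '949!' style tail)."""
    return common_suffix([pw[len(root):] for pw in leaked.values()])


def surviving_rules(leaked: Dict[str, str], root: str, tail: str) -> Dict[str, Callable[[str], str]]:
    """Keep only the rules that reproduce the varying middle of every leaked password."""
    keep = {}
    for name, rule in RULES.items():
        if all(pw[len(root):len(pw) - len(tail)] == rule(host) for host, pw in leaked.items()):
            keep[name] = rule
    return keep


def guess_passwords(leaked: Dict[str, str], target_host: str) -> List[str]:
    """Candidate passwords for a site that has never been breached."""
    root = recover_root(leaked)
    tail = recover_tail(leaked, root)
    rules = surviving_rules(leaked, root, tail)
    return sorted({root + rule(target_host) + tail for rule in rules.values()})
```

Running `guess_passwords(LEAKED, "first-national-bank.example")` yields a single candidate, which is the whole problem: the "unique password per site" property evaporates, and because the root is never changed, every account the person has is exposed at once. A manager that generates unrelated random passwords has no such cross-site structure to recover.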
 
> For those of you who use software to track/keep your passwords, what makes you comfortable that they can't be hacked. DH is a former IT guy and he prefers not to trust any third parties with our passwords. He also will not use the cloud.

It's a good question, and one I am struggling with as well. For us, the benefits of cloud storage seem to outweigh the risks. Keep in mind, however, that we have just decided to use a password manager for the first time, and a cloud-based one at that, so we don't have much experience.

Historically, we have been somewhat lax in our use of passwords -- fairly easy to crack, using the same ones across multiple sites, etc. I see the use of an automated password manager as a way to force more discipline in our process, while greatly reducing the hack risk. Automation is the only way I can see to 1) generate and deploy the use of very strong passwords and 2) 'remember' them without the use of a cheat sheet.

The above paragraph addresses the question: 'do I automate or not'? If yes, then there's the question of cloud versus local. Again here we felt the benefits outweighed the risks. If I use PC-based (local) software, then I have the risk of my PC crashing and potentially losing passwords forever. I also lose the ability to sync passwords across mobile devices and the ability to access my passwords from a computer that is not mine -- say when traveling or away from home. Keeping passwords in our wallets is not an option, both from a convenience and a security perspective.

That's my take. I've done a fair amount of research recently and for now that's where we stand. Should things change we'll readdress at that point. :)
 
When choosing a password manager, look for one that explicitly describes how your information is protected. For LastPass, as an example, your "vault" is AES-encrypted on your local device and LastPass does not have the decryption key. The only thing LastPass sees is the encrypted "blob". They also separately derive the encryption key and the authentication hash (what they look for before sending the vault "blob" to your device) so that the authentication hash can't be used to derive the encryption key.

Sure, I can envision scenarios where some malware on my computer intercepts passwords, but many of the alternatives end up reducing security by making it harder to have unique, strong passwords, reduce availability and usability across multiple devices, and increase the chance that you'll lose all your information. I make the choice to use a password manager that minimizes my risk and maximizes convenience.
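The "vault encrypted locally, server only sees a blob, authentication hash derived separately from the encryption key" design in the previous post is worth seeing end to end. The following is an added model of that design, written for this thread; it is not LastPass's code, and its iteration counts are placeholders. The one liberty taken so that it runs on the Python standard library alone is that HMAC-SHA256 in counter mode stands in for AES as the keystream; a real product uses AES, but the key-handling property the post describes is the same: the server holds a salted hash of the authentication hash plus an opaque blob, and neither of those can be turned back into the encryption key.

```python
"""Client-side vault protection with split keys (added model, not LastPass's code)."""
import hashlib
import hmac
import json
import os

# Placeholder iteration count; use whatever count your vendor documents.
ITERATIONS = 100_000


def derive_keys(master_password: str, username: str, iterations: int = ITERATIONS):
    """Return (enc_key, auth_hash) from the master password.

    enc_key never leaves the device.  auth_hash is what the client sends to log
    in; it is one extra PBKDF2 round over enc_key, salted with the master
    password, so a stolen auth_hash cannot be turned back into enc_key.
    """
    pw = master_password.encode()
    enc_key = hashlib.pbkdf2_hmac("sha256", pw, username.lower().encode(), iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", enc_key, pw, 1)
    return enc_key, auth_hash


def _subkeys(enc_key: bytes):
    """Separate keystream and MAC keys, both derived from enc_key."""
    return (hmac.new(enc_key, b"vault-enc", "sha256").digest(),
            hmac.new(enc_key, b"vault-mac", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(enc_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC.  Output nonce || ciphertext || tag is all the server ever sees."""
    ek, mk = _subkeys(enc_key)
    plaintext = json.dumps(vault, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    ek, mk = _subkeys(enc_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, "sha256").digest()):
        raise ValueError("vault blob failed authentication")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))
    return json.loads(pt)


class VaultServer:
    """Per user the service holds a salted hash of auth_hash and the opaque blob, nothing else."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, auth_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000),
            "blob": blob,
        }

    def fetch_blob(self, username: str, auth_hash: bytes) -> bytes:
        rec = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], 10_000)
        if not hmac.compare_digest(candidate, rec["hash"]):
            raise PermissionError("authentication failed")
        return rec["blob"]


def round_trip(master: str, username: str, vault: dict) -> dict:
    """Register from one device, then log in and decrypt locally from another."""
    enc_key, auth_hash = derive_keys(master, username)
    server = VaultServer()
    server.register(username, auth_hash, encrypt_vault(enc_key, vault))
    # Second device: the same master password and username reproduce the same keys.
    enc_key2, auth_hash2 = derive_keys(master, username)
    return decrypt_vault(enc_key2, server.fetch_blob(username, auth_hash2))
```

What this buys you against the "third party" worry in the question: a dump of the server database contains only salted hashes and blobs, so the attacker's only route is an offline guess at each master password, and the PBKDF2 work factor sets the price of every guess. What it does not cover is the case the post already concedes: malware on the device that reads the vault after you have unlocked it, which no server-side design can fix.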
 