Password Managers

Midpack, the biggest flaw with your method is that the passwords are unencrypted, which, as you say, could mean that if your computer is compromised, all your passwords are, too. LastPass keeps only encrypted data, so even if they wanted to, no one at the company could read them*. And I use these settings for added protection:

  • two-factor authentication
  • automatically logs me out when I close the browser, or after 5 minutes of inactivity
  • only allows access from US locations
  • email verification required for new logins
  • when I log in on one device, all other devices are logged out
  • sensitive passwords require the master password to be re-entered every time
* "Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass." ref. https://www.lastpass.com/how-lastpass-works

Note this all assumes that LastPass continues to operate normally as described. What happens if they have a rogue programmer who modifies the JavaScript code that runs on your client and uploads/stores your password to somewhere he controls? A hypothetical, but possible situation. Do they have defenses against it? Probably some. Are they infallible? We will see as time unfolds.

I say this as a person who started using LastPass several years ago - but only on the laptop and not with the automatic plugin -- I have to look up and copy/paste the password each time.

The advantage of having them all stored in one place and up to date, so that I could rapidly change them all if I needed to, started to outweigh the risk of having them there. Well, unless the hacker that got access to my pwds also deleted all the accounts in LastPass to extend his time to have access. Dooh...

-gauss
p.s. I posted in the other thread regarding unauthorized Fidelity hacks, about a strategy I am considering to protect my financial assets and why I am starting to think this way
 
How is a password manager different than a spreadsheet with a password to protect the opening of the spreadsheet? It’s on my computer, so I guess that’s a risk, but I thought, maybe incorrectly, that breaking into a password protected spreadsheet was very difficult. In fact, I thought, again, maybe incorrectly, that passwording an Excel spreadsheet was encrypting it.

Then I thought the only difference was the manual process needed to cut and paste the user name and password at the login screen, which is really no big deal.
 
How is a password manager different than a spreadsheet with a password to protect the opening of the spreadsheet? It’s on my computer, so I guess that’s a risk, but I thought, maybe incorrectly, that breaking into a password protected spreadsheet was very difficult. In fact, I thought, again, maybe incorrectly, that passwording an Excel spreadsheet was encrypting it.

Then I thought the only difference was the manual process needed to cut and paste the user name and password at the login screen, which is really no big deal.

I prefer a password manager. One reason is the passwords are automatically sorted when saved. I'm sure you can do some sorting with a spreadsheet, but to me, why do the extra effort.
 
No password manager for me. I do whole disk encryption, Veracrypt for Windows, or Linux which has whole disk encryption turned on. Passwords are stored with simple text files which sit in a Veracrypt container. No passwords are similar and all are as long as possible and random. Linux is my go to system for secure work, Windows is on the laptop. I don't store any passwords in browsers.
 
How is a password manager different than a spreadsheet with a password to protect the opening of the spreadsheet? It’s on my computer, so I guess that’s a risk, but I thought, maybe incorrectly, that breaking into a password protected spreadsheet was very difficult. In fact, I thought, again, maybe incorrectly, that passwording an Excel spreadsheet was encrypting it.

Then I thought the only difference was the manual process needed to cut and paste the user name and password at the login screen, which is really no big deal.
The most secure app will encrypt the data at rest, and in transit. I'm not sure a typical spreadsheet does that.
 
My passwords aren’t encrypted, but they’re not on my PC either. I only enter them as needed, deliberately keep my sessions short, and erase all history after every session on any sensitive sites. Am I missing something? My biggest fear is a key logger with my setup.
Or any malware that copies your files. The users and authors of malware tend to look for files with useful information. With LastPass, there is a decryption key, but anyone who obtained that would still need the two-factor authentication AND (in my case) to be within the United States, AND access to my email to add a new computer.

Good security doesn't rely on a single layer. It relies on many, any one of which will prevent access if not properly defused.
 
I'm open to other POVs here.

I'm still on the fence with this one. I use strong unique passwords (randomly generated using Excel), change them at some frequency and don't reuse usernames/passwords for sensitive sites (I do reuse passwords for non-sensitive sites like forums, etc.).

And the author on the WP article is wrong?

No, he isn't wrong. You were responding to a post talking about how password managers (such as LastPass) encrypt your data. The study in the article is not talking about a breach that happened at the password manager. The article was talking about a vulnerability on the user's end where stuff is stored on their computer. It was a fairly unlikely thing to really happen to people as it would require someone accessing the computer or having a keylogger.

I use a password manager. I don't store my master password online. I use randomly generated passwords for the most important sites. For things that aren't that important I have a typical password scheme that I use and vary. I think I have done as much as I can reasonably do.
 
How is a password manager different than a spreadsheet with a password to protect the opening of the spreadsheet? It’s on my computer, so I guess that’s a risk, but I thought, maybe incorrectly, that breaking into a password protected spreadsheet was very difficult. In fact, I thought, again, maybe incorrectly, that passwording an Excel spreadsheet was encrypting it.

Then I thought the only difference was the manual process needed to cut and paste the user name and password at the login screen, which is really no big deal.


Bolded is correct for later versions of MS Office. The earlier versions of Excel did not have the current Excel encryption strength of 128-bit. The companies that will recover (for a fee) your lost-password Excel spreadsheet cannot offer their services on the later versions of Excel.
 
I use Password Safe (PWSafe), which was developed by Bruce Schneier, an internationally recognized expert on IT security. The passwords are all stored locally. I've used PWSafe since around 2004. Never had any issue with it.
+1 I keep the master password file on a cloud server so I can access it from multiple devices. The password file is encrypted so I am not worried about hacking. The password to open the file through the PS app remains local and is only in my head.
 
No, he isn't wrong. You were responding to a post talking about how password managers (such as LastPass) encrypt your data. The study in the article is not talking about a breach that happened at the password manager. The article was talking about a vulnerability on the user's end where stuff is stored on their computer. It was a fairly unlikely thing to really happen to people as it would require someone accessing the computer or having a keylogger.

I use a password manager. I don't store my master password online. I use randomly generated passwords for the most important sites. For things that aren't that important I have a typical password scheme that I use and vary. I think I have done as much as I can reasonably do.
Still trying to better understand. Maybe I’m not getting it, but exactly where the vulnerability exists isn’t what’s most important to me, the password manager left the passwords, even master passwords in some cases vulnerable. Encryption is great, but it didn’t matter in those cases. No?
It found the Windows 10 apps for 1Password, Dashlane, KeePass, LastPass and RoboForm left some passwords exposed in a computer’s memory when the apps were in “locked” mode. To a hacker with access to the PC, passwords that should have been hidden were no more secure than a text file on your computer desktop. (The researchers studied only Windows apps, but say it may affect Apple Macs and mobile operating systems, too.)

The companies had a range of responses. LastPass and RoboForm told me they would issue updates this week. Dashlane said it has documented the issue for some time and has been working on fixes, but it has higher-priority security concerns. KeePass and 1Password shrugged it off as a known limitation with Windows and an accepted risk.
But all said, I’m sure using a password manager is less risky than any method 99.99% of users alone could devise. My scheme is better than people who don’t care, but most likely less than a good password manager. There’s no perfectly safe scheme, only bad, good, better and best...
 
I use my own password manager I wrote years ago that uses 256-bit AES encryption. The master password is encrypted within the data itself so there's no way to recover the master or access your other passwords if you forget it. There are no back doors or anything to gain access. It works well for me.

Even though my password manager can copy/paste user names and passwords, I don't like random passwords. On the off chance you have to type the password in (some sites disable pasting), it's awkward and error prone to type in random letters and numbers. I prefer random combinations of words and numbers, something like Pickle-9842-Truck. The longer the better, and always use a different password for every site.

Keep in mind, the recipient site is a bigger target than your password manager. The last time I had a password hacked was because the web site had been hacked and they got my password from there.
 
The last time I had a password hacked was because the web site had been hacked and they got my password from there.

That appears to be what happened to me. Thankfully, Gmail noticed that logging into my Gmail account from Vietnam wasn't typical and blocked it. Also thankfully, it is an e-mail and password that I use for web sites like this one and not my main e-mail. When I went to log in to clean it out, which I do about once a month, I had to answer the security questions (what?). When I got in, I could see the login attempts. Of course they forced a password change and I also changed the passwords associated with any sites that I used that e-mail for.

Note also that I made a critical mistake. The password for the e-mail was the same as I use for the sites it's associated with. Of course I didn't really care because this is my less critical stuff, but it seems highly likely that they got my e-mail and password from a site I'm a member of and tried it on my Gmail account. Note - it wasn't this site. I don't use that e-mail for this site because I actually care about my e-mail notifications from this site.
 
I really like LastPass on the iPhone. With face recognition it is easy to log in and see my accounts, etc. I only do this stuff at home using our Google wifi router. Mostly I view the accounts on our home PC.

If I were on a trip and got desperate I could turn off wifi and use cellular only to do the access. This might be necessary for some sort of reservation where I supply the Visa info.

About once a year I dump a copy of LastPass passwords to an encrypted Excel file on a memory stick. Just in case.

I really don't know how easy it would be to crack LastPass but suspect it would take a lot of effort. So if you are a high value target (like a CIA agent) then maybe you need to take extra precautions.
 
Semi related: consider changing your account ID on a regular basis. And certainly don’t use the same ID in different places.

This really only applies to important accounts.
 
I’m fine using Apple’s built in keychain password management for all my non-important accounts.
 
Still trying to better understand. Maybe I’m not getting it, but exactly where the vulnerability exists isn’t what’s most important to me, the password manager left the passwords, even master passwords in some cases vulnerable. Encryption is great, but it didn’t matter in those cases. No?

But all said, I’m sure using a password manager is less risky than any method 99.99% of users alone could devise. My scheme is better than people who don’t care, but most likely less than a good password manager. There’s no perfectly safe scheme, only bad, good, better and best...


As I understand it the vulnerability has nothing to do with encryption. Most people worried about password managers are worried about the password manager company being hacked and their passwords scooped up. One huge way the companies guard against this is that they don't store your master password. So even if someone did hack the company and got data they wouldn't get your master password.

This vulnerability really deals with leaving passwords in Windows memory. I use LastPass. No one really has access to my computer except me. DH knows the password to my computer so he could unlock it but no one else knows it. So I am not that worried about someone sitting down at my desk and looking into my Windows 10 memory and seeing my master password.

The reason it was vulnerable is, I think, because I have LastPass set up on my computer so that I don't log out of it after every use. I use it multiple times a day to log in at various sites. So I am logged in throughout the day. As I understand this vulnerability, what was happening was that this was allowing my master password to be found in memory in Windows 10.

I do think that is a vulnerability but it seems like a really small one to me for my usage. I do think it is good to correct it. The vulnerability I worry about more is a keylogger. So I try to prevent that through other software on my computer.

I do use a password manager because things are just unmanageable for me without doing it. I think it is the best way to practically handle lots of passwords so you don't reuse passwords or create variations that are easy to guess.

I don't store my master password in any electronic form. The passwords I worry about the most are the ones for where my investments are held. (Well, the bank too, but I don't usually keep large sums of money there.) The thing that I do that I think best guards me on my investments is that I usually log into each account on every business day. So if anything untoward were to happen I would notice it right away.
 
I didn't read every post here, but I've worked in InfoSec for ~20 years; I try to stop bad guys on the interwebs for a living, and I use LastPass.

You can certainly point to obscure ways a bad guy might get at your password vault, but frankly, you aren't worth the effort. The name of the game in security is making it "hard enough" for a bad guy to get to you, that they move on and target someone easier. There's always someone easier. And in the consumer attack space, it's a volume game. They target the "fish in the barrel", so to speak. And Nation States aren't focused on individuals anyway, unless they happen to also be high ranking government officials or execs at critical infra companies, etc. North Korea doesn't care about your Vanguard account.

Another thing you can do that helps a LOT, is have two email accounts. Use one for 95% of your activity (facebook, email, forums like this, etc.) and use the other ONLY for financial sites (your bank, brokerage, etc.). NEVER use that second email to communicate with others, or to create accounts on sites like this. One primary way bad guys compromise people is they'll get a username/password from a hacked site (say, a forum like this) - and then try that same username/password at a bunch of financial sites, knowing that most people use the same username/password at multiple sites. If you only ever use that second email address for a handful of financial sites, it's WAY more likely that email will never appear in a dump of credentials on the dark web.

Hope that helps!
 
I've mentioned it before, but I keep a password 'key' to every sensitive site I access stored on my computer. I don't encrypt it, and I even keep a paper copy printed right next to my computer, in my wallet, and on Google drive, and it is as secure as anything I can imagine.

And I can access most financial sites by memory, even though the password is long and complex, and I have a poor memory.

The 'key' to this is that my 'key' is only part of the password. I have memorized a prefix and suffix, and that isn't written down anywhere near my password keys, or anywhere on my computer.

Example: If my prefix/suffix keys that I've memorized are "APPLE123" and "zebra789", and my local bank requires a special character, my local bank password is APPLE123lclbnk$zebra789. So all I have written down is "lclbnk$", and that's easy to remember.

Every other secure password for secure sites uses those prefix/suffix keys, and a short, easy to recall middle key. I've been using this for several years now, and it works great.

I do not trust a password manager to store everything, what if they get hacked?

-ERD50
 
I've mentioned it before, but I keep a password 'key' to every sensitive site I access stored on my computer. I don't encrypt it, and I even keep a paper copy printed right next to my computer, in my wallet, and on Google drive, and it is as secure as anything I can imagine.

And I can access most financial sites by memory, even though the password is long and complex, and I have a poor memory.

The 'key' to this is that my 'key' is only part of the password. I have memorized a prefix and suffix, and that isn't written down anywhere near my password keys, or anywhere on my computer.

Example: If my prefix/suffix keys that I've memorized are "APPLE123" and "zebra789", and my local bank requires a special character, my local bank password is APPLE123lclbnk$zebra789. So all I have written down is "lclbnk$", and that's easy to remember.

Every other secure password for secure sites uses those prefix/suffix keys, and a short, easy to recall middle key. I've been using this for several years now, and it works great.

I do not trust a password manager to store everything, what if they get hacked?

-ERD50

Your way is fine, but too complicated for most people. If most people were that disciplined, stupid passwords wouldn't be a problem, but here we are.

Regarding a password manager getting hacked - see my prior post. You aren't worth the effort, and you would have to be compromised individually (which isn't zero risk, but it's lower risk than alternative approaches for most folks).

The password manager company isn't storing your passwords. They store encrypted gibberish, and only you have the key to decrypt that gibberish (your master password). That is never stored by the password manager company.

Edit: case in point: LastPass was actually hacked in 2015, and no passwords were compromised. It also showed how good their detection / incident response processes are. https://www.lastpass.com/security/what-if-lastpass-gets-hacked
 
Example: If my prefix/suffix keys that I've memorized are "APPLE123" and "zebra789", and my local bank requires a special character, my local bank password is APPLE123lclbnk$zebra789. So all I have written down is "lclbnk$", and that's easy to remember.

Every other secure password for secure sites uses those prefix/suffix keys, and a short, easy to recall middle key. I've been using this for several years now, and it works great.

I do something similar for the passwords I have at non-financial sites. What I have read is the negative of this approach is that if someone hacks your bank APPLE123lclbnk$zebra789 they might be able to figure out the pattern. Particularly if they get your password in two places. So, let's say you also do APPLE123Amex$zebra789 and both get hacked and are sold to a third party who scans the lists and sees your email address associated with two similar passwords with only the middle different (this would be automated of course). Then, there is no trick to finding the "middle" as that is only a relatively few characters long and is easy to figure out.

So - while I like that system -- I don't use it for financial sites. For those I use individual passwords that have no overlap (in most instances these are randomly generated).

I do not trust a password manager to store everything, what if they get hacked?

They do not have your master password. So they can't store your passwords in a way that is usable without having the master password. It is entirely possible they get hacked. This is why they don't have your master password. It can't be hacked from them as they don't have it.
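The model this reply and the earlier "encrypted gibberish" reply describe, as an added illustration that is not the thread's or LastPass's own code: the master password is turned on the device into a vault key that never leaves it, a second one-way derivation produces the only credential sent at login, and the provider stores nothing but a salted hash of that credential and the opaque vault blob. The key hierarchy is a simplified assumption rather than any vendor's documented scheme, and HMAC-SHA256 in counter mode stands in for the AES a real manager uses so the code runs with the standard library alone.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_100  # constructed work factor for this example; real managers tune their own

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Runs on the device only: this key encrypts the vault and never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    # One extra one-way step: the only credential sent to log in, so the provider
    # never sees the master password or the vault key (assumed hierarchy, see lead-in).
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for the AES real managers use.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key (encrypt-then-MAC).
    return tuple(hmac.new(vault_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, plaintext = os.urandom(16), json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))

class Server:
    # Everything the provider holds per user: a salted hash of the auth hash, and the blob.
    def __init__(self):
        self.users = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "blob": blob,
                             "auth": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)}

    def login(self, email: str, auth_hash: bytes):
        rec = self.users.get(email)
        if rec is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], ITERATIONS)
        return rec["blob"] if hmac.compare_digest(check, rec["auth"]) else None

def demo(master: str = "correct horse battery staple", email: str = "user@example.com") -> dict:
    entries = {"bank.example": "APPLE123lclbnk$zebra789"}  # constructed sample entry
    vault_key = derive_vault_key(master, email)
    server = Server()
    server.register(email, derive_auth_hash(vault_key, master), encrypt_vault(vault_key, entries))
    rec = server.users[email]  # what a breach of the provider's database would expose
    leaked = rec["salt"] + rec["auth"] + rec["blob"]
    wrong_key = derive_vault_key("wrong password", email)
    return {"login_ok": server.login(email, derive_auth_hash(vault_key, master)) is not None,
            "wrong_pw_rejected": server.login(email, derive_auth_hash(wrong_key, "wrong password")) is None,
            "vault_key_in_breach": vault_key in leaked,
            "plaintext_in_breach": b"lclbnk" in leaked,
            "roundtrip": decrypt_vault(vault_key, rec["blob"]) == entries}
```

The breach view in demo() is the point of the thread's argument: the stolen record verifies a login attempt but contains neither the master password, the vault key, nor any plaintext entry, and a wrong key fails the MAC check instead of yielding garbage.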
 
This has happened to me. You have to change a password. Either because of a compromise OR it's one of those things (my medical insurance site does this) that requires that you change your password every 90 or 120 days. And they have this requirement that there cannot be more than 3 consecutive characters from your previous password. Otherwise they will tell you your new password is "not different enough" from your last one. I suppose they are already hip to the possibility of somebody being able to "work patterns". If I'm using long prefixes and/or suffixes I'd need to change them too.
 
I started using ERD50's method when he first wrote about it. I also never turn off two factor verification where it is available, so you'd need to hack both my computer and my phone.
 
Fundamentally I think the golden rule for all of this should be "SLOW DOWN". Many "features" of security apps and operating systems are designed to make things more convenient for you (quicker). Quicker frequently puts you at greater risk.

Many people put their passwords or access to them in browsers or browser extensions (even LastPass extensions are problematic IMO). Don't do that. Either type it in, or if you use a password manager use their APP (not the browser integrated option) to look up your password and copy it, then paste it back in.

Don't access your accounts thru links. Type it in or access it from your bookmark.

Use the 2FA options when offered.

Change your passwords at least once per year, including master passwords if applicable.

In answer to the OP question. Unless you seriously only have a few passwords, I don't see how one can be secure these days and not use a PW manager.
 
This thread is about password managers. I use LastPass. My concern is WiFi. I do not trust any WiFi other than mine at home. Which presents a problem when we travel. If I use my own data, is that using my WiFi and not the hotel's? Does LastPass protect you on outside WiFi as well?
 