How do you keep track of passwords?

I use KeePass; it's like LastPass but not on the web.
So I don't worry that a web server will be hacked (it must be a big target).
The encrypted file is stored locally on my machine and I can copy it to a flash drive or other machine (laptop) to travel.
I only need to remember one password to open it and then have access to hundreds of different usernames and passwords for the sites I visit.
I also own some domains, so I have unlimited email accounts for the sites that need you to use email for the username.
I forward all these disposable emails to a real email account so I can get reminders/spam.

+1
I read the debates on the BH forum regarding KeePass vs. LastPass and decided I wasn't comfortable with LastPass as it's on the web. I know it's encrypted, but my personal preference is to have it on my laptop. I personally swear by KeePass.
 
Mobile devices seem to me to be less secure because (1) who wants to have a password on a smartphone when a call comes in?
First, "mobile devices" encompasses more than just telephones. Second, LastPass has its own login separate from that of the mobile device, itself, so there is no LastPass-imposed password prompt simply to answer a phone call.
(2) one uses networks that are possibly insecure when on the road
Given the measures employed by LastPass, itself, any perceived difference in how "insecure" the networks possibly are, in the different contexts, is negligible. In other words, if public networks were "less" secure then home networks wouldn't be secure enough - but they are.
(3) more likely to have a tablet/smartphone/laptop stolen when on the road.
Ditto: The level of security that needed to be offered by LastPass had to be so high that the difference between having a device with your encrypted password blob on it stolen and not having that happen had to be negligible, or LastPass itself wouldn't be secure enough.

If I did have LastPass on my mobile device, I would just turn it on to log on and then turn it off.
That's generally what many people do, as far as I know: They boot up LastPass as they're web surfing and using apps, and then shut it down. I have it set up to reprompt for a secondary (short) password each time a password is made available to me via password-specific paste, as well as every X minutes.

as the vault makes all your passwords visible (by clicking on the "eye" on a password in the entry form).
I have it set up such that that requires a re-entry of the full vault password every X minutes... I think 5 minutes.

Logging in on a cell phone connection probably is more secure than a hotel wifi.
Again, if there was actually a significant difference vis a vis LastPass in this regard, then LastPass wouldn't have been secure enough for any use.

I am far more concerned about my passport being stolen when I travel.
 
After researching all the available password managers for Mac/Apple, I settled on LastPass. Security reviews say it's very good, and I like it. While it's web-based, it doesn't pass actual password information to its servers since all the encryption happens locally on your machine. Thus, unless someone accesses my computer or tablet directly (i.e. by breaking into my house) and they have my LastPass master password, no one should have access to any of my password information. I have randomly generated passwords for all financial accounts, a few easier ones for various internet forums... all I have to do is remember my master password and all the info is available any time I need it. Frankly, I like not knowing a lot of my passwords by memory. It keeps me from checking financials at work, etc. My wife doesn't like that she doesn't know the passwords, but I'll convert her soon enough. :)
 
That's generally what many people do, as far as I know: They boot up LastPass as they're web surfing and using apps, and then shut it down. I have it set up to reprompt for a secondary (short) password each time a password is made available to me via password-specific paste, as well as every X minutes.

I have it set up such that that requires a re-entry of the full vault password every X minutes... I think 5 minutes.
At some point, worrying about some of this stuff borders on paranoia, but yes, I too close out LastPass on the rare occasion that I use it on a mobile device. I get the password, then close the program. Thus, to get my passwords from my phone or tablet, someone has to: (1) steal the mobile device; (2) know my PIN or mimic my fingerprint; (3) know my LastPass password.

At home, I suppose someone could use a keylogger to access my computer, if they can get on my network. That requires them to: (1) be close to my house (or inside it physically on the computer); (2) know and find my hidden network name; (3) break the WPA password; and (4) know/hack my LastPass master password.

At that point, it'd be easier for them to obtain my credit card information via radio intercept at a gas station, which has happened to me once and was easy to correct...

In any event, I get emails from my two most prominent financial institutions any time anyone accesses the accounts from anywhere except my home computer, so there's so much redundancy built in I don't lose sleep over it.

A lot of this security stuff is more about making yourself a hard target, not being the "hardest target". You don't have to be the fastest gazelle on the savannah, you just can't be the slowest.
 
...

I have it set up such that that requires a re-entry of the full vault password every X minutes... I think 5 minutes.
...
Again, if there was actually a significant difference vis a vis LastPass in this regard, then LastPass wouldn't have been secure enough for any use.
...
I admit I've not used LastPass on mobile and am perhaps misjudging it. I really didn't follow your use of LastPass on mobile. Could you explain it more fully?

Do you log on to LastPass before connecting to a hotel wifi so the network does not see your LastPass password entry? Or is it the case that the network cannot ever see your LastPass entry as no keylogger can exist on your mobile device?

Again, I'm no security expert and along with many here I'm still learning and willing to learn new things.
 
If someone could get a keylogger onto my tablet they could just as well keylog our brokerage passwords. Two passwords and they essentially have everything we own. Like I said, LastPass had to be so secure that the substantive difference between the standard scenario and your worst case scenario would be negligible.
 
At some point, worrying about some of this stuff borders on paranoia, but yes, I too close out LastPass on the rare occasion that I use it on a mobile device. I get the password, then close the program. Thus, to get my passwords from my phone or tablet, someone has to: (1) steal the mobile device; (2) know my PIN or mimic my fingerprint; (3) know my LastPass password.
...
Let's say you log on to a hotel wifi network. Have you entered the LastPass password before logging on? Do you use the same LastPass vault that you have for home use? Or do you employ maybe a LastPass vault that is more limited for travel use?

Just trying to understand best practices with this tool. I hope I'm not coming across as disapproving of anyone here.

Maybe I should be asking this stuff on the LastPass forum.
 
I use KeePass; it's like LastPass but not on the web.
So I don't worry that a web server will be hacked (it must be a big target).
The encrypted file is stored locally on my machine and I can copy it to a flash drive or other machine (laptop) to travel.
I only need to remember one password to open it and then have access to hundreds of different usernames and passwords for the sites I visit.
I also own some domains, so I have unlimited email accounts for the sites that need you to use email for the username.
I forward all these disposable emails to a real email account so I can get reminders/spam.

I use KeePass but store it on two thumb drives. One is for backup. I just purchased a wireless thumb drive for use on my tablet when travelling. My security adviser, SIL, says that it is best to connect and disconnect your passwords and not leave them on the hard drive, even KeePass. I find it to be fairly easy.

I just got the YubiKey, a Google product, that works with LastPass and Chrome. It provides two-factor authentication at point of use. Very convenient vs. the phone, for example. If you are using LastPass it offers another level of protection. But as SIL says, it adds another level of protection at the front door but not the back. But, an improvement. Having said this, without the help of my SIL, I think I would have made my way to the cemetery before figuring out how to install it on my computer. Once set up, the two-factor is an easy click and go.
 
Lbscal, I'd suggest searching the BH forum. They covered this stuff (including in-depth debates regarding LastPass) ad nauseam when the Heartbleed bug was all the rage.
 
I use software to generate long, randomized passwords and store them.

My user IDs are also significantly different across most sites, especially anything related to my finances.

Two Open Source software tools that I can personally recommend for this purpose can be found at the following sites: KeePass Password Safe and Password Safe

If you go this route, backups of the files and using a pass phrase (master password) that is complex but which you have no real chance of forgetting are very important.

For extra safety, even parts of IDs can be randomly generated. For example, John Doe's ID may be JDxxxx where xxxx are random numbers. All a copy/paste away with a good password keeper, so not much pain. :)
 
Let's say you log on to a hotel wifi network. Have you entered the LastPass password before logging on? Do you use the same LastPass vault that you have for home use? Or do you employ maybe a LastPass vault that is more limited for travel use?

Just trying to understand best practices with this tool. I hope I'm not coming across as disapproving of anyone here.

Maybe I should be asking this stuff on the LastPass forum.

On the very rare occasion that I use it from my smartphone, it's usually to view a password for entry on some other device. I think I've actually used the vault once by copying the password and then pasting it into another app via the LP app option.

In order to access the vault, I entered my LastPass master password, yes. The vault wasn't any different than the one on my computer. Could someone put a keylogger on my phone? Sure, if I download some app that has one attached that no security expert already identified, or jailbreak my phone to allow installation of apps outside those that Apple signs. I think the possibility that someone could remotely install a keylogger on my smartphone is pretty remote without me doing something to allow it or them having a direct hack into the network, my phone, and my AppleID.

I rarely (I mean like once ever) access my financials - thus LastPass - from anywhere but home, and think that this likely mitigates what little risk there is. Again, not trying to make myself the fastest gazelle on the savannah, just trying not to be the slowest.
 
I use Keepass on Windows, Mac, Android, iPhone, and iPad between DW and myself. I'd use any of the major encrypted storage lockers, this one just worked best for me at the time I started using it. I have 454 accounts saved in it currently, including notes about the PIN to get my car radio working after disconnecting the battery, where the title to the car is located, all my credit/debit card info and any other important information that I'll never remember. I've had something like it since my first Palm Pilot.
 
Let's say you log on to a hotel wifi network. Have you entered the LastPass password before logging on? Do you use the same LastPass vault that you have for home use? Or do you employ maybe a LastPass vault that is more limited for travel use?

Just trying to understand best practices with this tool. I hope I'm not coming across as disapproving of anyone here.

Maybe I should be asking this stuff on the LastPass forum.
You connect to an open wifi and go to a random web page then are redirected to the hotel's terms agreement page.

Now you have Internet access, and all of your non-encrypted traffic is sniffable.

You click on the LastPass plug-in that you had previously installed. JavaScript starts running on your local machine (no network traffic) and you get a password dialog. The password is used to decrypt your "vault", which is just a blob of truly random-looking data; the only time it has meaning is when it is used with the correct password and correct algorithm. The blob can be on your local device, or can come down from the LastPass server. So what the bad guy sees while sniffing the connection is a blob of data from LastPass. No reasonable way for the bad guy to decrypt it. Your decrypted vault is only available locally and never goes over the network.

When you allow LastPass to enter a password into a non-encrypted web page, that, of course, would be sniffable, but that is out of the control of the password manager.

If you must use a machine in the hotel lobby, you almost can't do that safely, but LastPass offers a list of one time passwords that you can print out from a safe computer in advance. You enter the first unused one time password (you would presumably carry this list in your wallet for these kinds of emergencies), which would decrypt your vault. You never are prompted for your "keys to the kingdom" real LastPass master key. You grab the password for the site you must get to, quit LastPass (which securely wipes memory), use the site you needed to get to, then change your password on that site as soon as you get back to a secure computer.
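The post above describes the vault as an encrypted blob that is only meaningful on the local device once the master password is applied. The following is an added example (not LastPass's code or scheme, and not from the original post) that shows the shape of that design: the master password is stretched with PBKDF2 into an encryption key and a MAC key, the vault is encrypted and authenticated locally, and what travels over the network is only the resulting blob. The cipher here is HMAC-SHA256 run in counter mode as a keystream, chosen only so the example needs nothing beyond the Python standard library; a real product would use an authenticated cipher such as AES-GCM. Iteration count, salt and nonce sizes are constructed values for the demo.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo parameters; real products use their own KDF settings and an AEAD cipher.
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key.
    This runs entirely on the local device; only the salt is stored alongside the blob."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries: Dict[str, str], master_password: str) -> bytes:
    """Produce the blob: salt || nonce || ciphertext || tag. Only this blob ever leaves the device."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(blob: bytes, master_password: str) -> Optional[Dict[str, str]]:
    """Decrypt locally. A wrong password or a tampered blob fails the MAC check and reveals nothing."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def blob_leaks_plaintext(blob: bytes, entries: Dict[str, str]) -> bool:
    """What a sniffer on the hotel wifi can check: does the blob contain any stored password verbatim?"""
    return any(value.encode() in blob for value in entries.values())


if __name__ == "__main__":
    # Constructed sample vault, not real credentials.
    vault = {"bank": "ilO,p!HnTpvNP.X@HnRD", "forum": "hunter2"}
    blob = encrypt_vault(vault, "correct master password")
    print("bytes on the wire:", blob.hex()[:48], "...")
    print("sniffer sees a password in clear?", blob_leaks_plaintext(blob, vault))
    print("decrypts with right password:", decrypt_vault(blob, "correct master password") == vault)
    print("decrypts with wrong password:", decrypt_vault(blob, "wrong") is not None)
```

The MAC check is what makes the "wrong password" case safe: instead of decrypting to garbage that might be mistaken for data, the function refuses, and the same check catches a blob that was altered in transit.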
 
I'm always looking for the ideal password manager. I was using MyPadlock (Windows only), but the password file got clobbered (thanks for backups and rollback software) after some Windows updates. I've used AnyPassword and Password Safe, and right now I like Password Corral (Windows only). It's sort of a mixture of geekish and simple at the same time. Plus, there's a hide-password option which encrypts user names and passwords on screen -- great to avoid any rubbernecking :)
 
Another KeePass user, plus MiniKeePass on the iPhone. I keep my encrypted database in the cloud, so I'm using the same database on the home PC, the work PC, the iPad and both iPhones.

Another plus is that there's a version that doesn't need to be installed so it can even be run off a thumb drive. That was handy when megacorp wiped all non-approved software off my work machine the other week.

Edit: I checked and I have 150 entries in the database, including 36 work-related entries that will go away once I RE.

Plus: I got a chuckle the other day when I called the local library because I was having login troubles. When the librarian logged into my account I heard a long pause, then she said to someone near her desk, "What's that? It can't be his password!" Then I knew I had forgotten that I'd used KeePass to generate a random password. She didn't know quite what to make of something like ilO,p!HnTpvNP.X@HnRD as a password! :D
 
That's poor practice if they can see your password; luckily it's only preventing someone from checking out books in your name. The best practice is for them to only keep a salted hash of the password. That's why most of the time, the password reset process involves them creating a new password, sending it to you, and then you are forced to change it.
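To make the point in the post above concrete, here is an added example (not from the post or any named product) contrasting the two ways a site can store a credential: a readable record that staff can see, and a salted, iterated hash that can only be verified, never read back. It also implements the reset flow the post describes: a fresh temporary password is generated, only its hash is stored, and the account is flagged so the user must change it. Account records, the salt size and the PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ROUNDS = 200_000  # constructed PBKDF2 iteration count for this demo


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user random salt plus a slow PBKDF2-SHA256 digest, never the password.
    Record format: pbkdf2_sha256$<rounds>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return "pbkdf2_sha256${}${}${}".format(ROUNDS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_plaintext_record(password: str) -> Dict[str, object]:
    """The poor practice from the post: the password itself sits in the account record."""
    return {"password": password, "must_change": False}


def make_hashed_record(password: str) -> Dict[str, object]:
    """The recommended practice: only a salted hash is kept."""
    return {"password_hash": hash_password(password), "must_change": False}


def staff_can_read(record: Dict[str, object]) -> Optional[str]:
    """What a librarian looking at the record would see: the password, or nothing usable."""
    value = record.get("password")
    return value if isinstance(value, str) else None


def issue_temporary_password(record: Dict[str, object]) -> str:
    """Reset flow: generate a temporary password, store only its hash, force a change on next login."""
    temp = secrets.token_urlsafe(12)
    record["password_hash"] = hash_password(temp)
    record.pop("password", None)
    record["must_change"] = True
    return temp


def login(record: Dict[str, object], password: str) -> bool:
    """Login against a hashed record; the plaintext field is never consulted."""
    stored = record.get("password_hash")
    return isinstance(stored, str) and verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample password (the one quoted in the thread), not a real credential.
    pw = "ilO,p!HnTpvNP.X@HnRD"
    print("plaintext record exposes:", staff_can_read(make_plaintext_record(pw)))
    rec = make_hashed_record(pw)
    print("hashed record exposes:", staff_can_read(rec))
    print("login with real password:", login(rec, pw))
    temp = issue_temporary_password(rec)
    print("after reset, old password works:", login(rec, pw), "| must change:", rec["must_change"])
```

Because each record gets its own random salt, two users who happen to pick the same password end up with different stored values, so a leaked table cannot be attacked in bulk with one precomputed list.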
 
Thanks Sengsational, that was a good description of what's going on with LastPass.
 
I used KeePass, but found it cumbersome. I moved over to LastPass about a year ago and have been very happy. I pay the $10/year, since I use it on multiple devices and want to support its development.

I'd also recommend enabling two-factor authentication. This way, even if somebody does figure out my LastPass password, they still can't get to my other passwords.
 
That's poor practice if they can see your password; luckily it's only preventing someone from checking out books in your name. The best practice is for them to only keep a salted hash of the password. That's why most of the time, the password reset process involves them creating a new password, sending it to you, and then you are forced to change it.

I couldn't agree more, and that experience reinforced in me why it's so important not to use the same password for all accounts.
 
I always use the same password for non financial sites.
 
1Password, but I don't copy or sync it through any cloud service. In case of disaster and something happening to me, DW has my master password in her 1Password, and vice versa. I also have our master passwords on paper (but not identified) buried in a file cabinet as an additional fallback. My multiple redundant backup scheme also assures that our encrypted password files are never lost.
 
I used KeePass, but found it cumbersome. I moved over to LastPass about a year ago and have been very happy. I pay the $10/year, since I use it on multiple devices and want to support its development.

I'd also recommend enabling two-factor authentication. This way, even if somebody does figure out my LastPass password, they still can't get to my other passwords.

Nope. Didn't find KeePass cumbersome at all; in fact, just the opposite, quite easy and robust. LastPass, OTOH, has been breached, as they found "suspicious activity" on their network.

See this: https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

I predicted this and that's why I went with KeePass; info stays in my control.
 