Many many Passwords

If I'm understanding correctly, you are saying someone will be able to hack into 1Password's internal programming code that runs their software stored on my computer, alter it slightly, and reupload it to my computer. Also, my computer's antivirus will not detect this.

They will then be able to download my list of URL and associated passwords.

Is that it?
For the last time: You are too self-centered. Attacking small, inconsequential users individually is almost certainly a waste of time. The likelihood of it happening is IMO near zero.

Or are you saying that some hacker will get access to 1Password's programming code from 1Password's servers, make some changes, upload the infected files, and somehow broadcast those changed files to hundreds of thousands of 1Password's users?
Yes, that is one of a near infinity of malware scenarios. I cite it because it has already been observed in the wild more than once.

As far as anyone locking my files on my computer and demanding ransomware, well, that's why I back up everything important. I'd just say no to them, go buy another computer and spend a couple of days hassling with restoring my files and software.
If the backups are accessible to the malware, say on a NAS, then they will have been encrypted too. If not, then you still have the risk that the machine was already infected when you backed it up.

This is my last response to you. I'm just not interested in arguing. Believe what you like.
 

I'm not arguing, I'm genuinely wanting to find out how a password manager gets hacked and how it might affect me.

As I said, for years I used your method of using the same password and username on inconsequential websites and having a difficult to crack password on important and financial websites. However, as I added more and more accounts and branched off to phone and tablet usage, memorizing difficult passwords and user names was just not practical anymore.

At some point it becomes necessary to trust someone else with your data, it's impossible to function in the digital age without doing so. I am going to trust that the number one rated password manager, 1Password, has got their act together and has got sufficient safeguards in place to prevent a hack of their own source code.
 
There are so many attack vectors (ways to get ya) that are being tested, some successfully.

MOVEit is a recent successful attack. The software is used by many companies to allow secure file transfer between customers and companies.

Using social engineering, criminals gained admin access. Then they altered the code, and the next update sent the hacked programming to EVERY CLIENT.

https://www.theverge.com/23892245/moveit-cyberattacks-clop-ransomware-government-business

That's an attack vector. Every device on the internet has vulnerabilities, known and otherwise. With or without a password manager you can be attacked in many ways. The question is, are your defenses all up to date? Do you understand physical as well as digital intrusion?
 
Most people have virtually no idea how to protect themselves. IF you do understand this, great, fine tune your defenses.

Otherwise, most people should trust their platform vendor: Apple or Google.

Personally I trust Apple a lot more (having seen it all up close - Apple security people are very professional and trustworthy). I've got everyone in my family using Apple products and using their security infrastructure. And only installing apps from the App Stores.

Google is also way better than many of the third parties (LastPass!). Some of the third parties are excellent, but how to choose? Most people have no real criteria for choosing.

You can do a lot worse than Google and Apple.
 
What 4 digit code is that?
For example, the PIN that unlocks your phone. All descriptions of passkeys that I've seen suggest that if you unlock your phone by using your PIN, then you can get into a website without a password.
 
Firstly, at least on iPhone, having an unlocked phone isn't sufficient to login to a site (or app). Each time it needs a password or passcode to log in it reauthenticates. So if you unlock your phone and someone swipes it and tries to go to Fidelity.com to help themselves, that's not sufficient.

Then there is the issue of authenticating on your device. After every reboot (only necessary after a system update in most cases), you need to enter the PIN correctly. After that, you can use the handy biometrics, though entering your code is always an option.

A few folks still use 4 digit PINs. The default (out of the box) these days is 6 digit and it's easy to use a custom long numeric or alphanumeric code. Though long codes are less convenient to enter, they rarely need to be entered.

Even with a 4 digit passcode, it's not that easy to guess. After four wrong guesses, iOS enforces a delay. First 1 minute, then 5 minutes, then 15. The 9th and subsequent guesses are delayed every hour. And you can set your phone to erase all data on your phone after 10 tries, rendering it useless to a thief.

https://support.apple.com/guide/security/passcodes-and-passwords-sec20230a10d/web
 
My most important login is my Fidelity. Yes, I use my password manager to access with a very long and strong password. However all my accounts in Fidelity are on "lockdown" which means once in there, even I can't mess with the accounts unless I remove the lockdown with 2FA.
 
Yes, users make choices.

I happen to prefer and trust Google over Apple, Windows over Apple. I also prefer to have my passwords in 1Password's cloud instead of Apple, Google, MS, AWS, and so on.

I've believed since first using desktops that self-education is required, and I try to share my knowledge when it makes sense. I try to stay away from the Apple fan comments. It's just a waste of time. People get from A to B in many types of cars, and safely.

Most threads here eventually devolve into partisanship or "I know the best way and I don't understand why you use X, Y or Z." It really is very immature when posts go that way.

Many are content to know what they know, while I prefer to look for what I don't know.

My mention of attack vectors isn't meant to compel you or anyone to fine-tune your defenses. It's to draw attention to things like physical security. If that's not meant for discussion, I just don't get it. We all have to reach into other knowledge domains from time to time, don't we?
 
The real passkey is that device PLUS your 4 digit code. Now if you let someone get access to your device with just a 4 digit code, that's on you. My device has facial rec, with a 6 digit code to access if FR fails - and if I understand correctly, even with the 6 digit code it doesn't unlock the passkey function. But I could be wrong.
 
Bitwarden

Bitwarden.

I use Bitwarden, it's free and seems reliable. Sometimes I am bored and change a password here or there, and check for defunct sites. I assume some extra risk because I have too many sites with passwords. My wife keeps hers in a little notebook she squirrels away. Life is full of risks.
 
I was a beta user at maskme. It got bought by Blur. That got bought by Ironvest.

Much like 1 pass and last pass, it is an authenticated web access that auto pastes fields for login/pw. It generates pw of whatever length/complexity you need, with adjustments for certain character requirements.

But I adopted it because it goes 2 steps further:

Critically, it generates unique email addresses for each service you subscribe to. If they get hacked, you don't lose everything tied to that email. Login and generate a new one, kill the old email. Big boost for privacy, huge bonus for ease of recovery after the inevitable hack.

You set the junk email to forward to your desired "home" email address. I use this for the IRS, since they have been hacked twice and given away all my information. Since I can discard the old email, I lose nothing other than the time to set up a new email forwarder.

Second, third party authentication via application. This is a big security boost because the auth codes come from Symantec/Authy/Twilio... not a 4 digit code via SMS.

They can hack your phone and SMS, but still have no access to login codes.

I have had multiple IRS and state tax authority hacks. Phone hacks. Yet no one has managed to get to the money.

Ironvest also offers forwarding phone numbers and masked virtual credit cards as well.

https://ironvest.com

I have noticed Apple/Microsoft now offer forwarding emails and many banks offer virtual credit cards. Still, these folks offer it all at a good price point.
 
I use Keepass files and Keepass client on Mac and PC, Strongbox client on iPhone, and sync the Keepass file to all devices through Dropbox. Haven't had any issues and not relying on a company to store my passwords and hope they don't get hacked. The Keepass file itself is well encrypted and has a ridiculously long/complex password so I feel relatively safe. All of the clients we use also have generators built in to gen new passwords when needed.
 
I use the built-in Apple password manager. I have never had a problem. I don’t trust Google.
 
I use the built-in Apple password manager. I would be afraid to use anything made by Google as they make their money by selling information.
 
Norton

Norton 360 suite covers all my devices for threats and includes a great password vault called Identity Safe. You need to remember 1 key password (I use a short, easy to remember phrase). It's pretty good at inserting usernames and passwords if you let it. It will store a URL and open it in its own proprietary secure browser and enter credentials. Has a nice notes feature and is searchable across its content. It manages almost 200 credential sets for me including the combination to our safe, bike padlock codes, etc. 95% of the time it opens with biometrics, but I can require the secret password for any or all sets. Since I don't have to memorize passwords, I can use its feature to suggest random, complex codes. 360 has these and so many other features running in the background or at my fingertips for a subscription costing a little over $100 per year.
 
I have a list. It drives me crazy with all these passwords!
 
What is happening with Google taking the sign-in fingerprint on my computer to open multiple sites? Sure, it might be OK with the fingerprint, but if they use the PIN, that opens up everything. How did they get permission to do that?
 
I've been using Dashlane for years and have been happy so far.
 
My wife and I use an interesting technique that I heard about years ago. We take the first 4-5 characters of the web address and add a PIN at the end. So that way we don't need to memorize or lookup passwords for each site. We do use Excel as a backup password manager for when a website changes their address.
 
That is a pretty short password and the lack of special characters is restrictive.

You can be sure this is also known in the hacker community and pretty easily brute forced, as they already know the first 3/4/5/6/7 characters of the password, and can just try the next bunch.

Hopefully you are leaving out that you add some special characters before your PIN and a couple afterwards.
 