Password Managers

Midpack

I'm open to other POVs here.

I'm still on the fence with this one. I use strong unique passwords (randomly generated using Excel), change them at some frequency and don't reuse usernames/passwords for sensitive sites (I do reuse passwords for non-sensitive sites like forums, etc.). My passwords aren't on my PC for more than a few seconds a year, they're on a USB or paper - so they're almost unhackable (unless by a key logger?).

I have no doubt an uncompromised password manager is still a much more robust solution to password strength and management. However, password managers can be hacked, you can do a search to confirm (but 1 credible example below). Almost every online entity glowingly swears their security is bulletproof - until they're hacked. We've seen that over and over again. Some hackers are just as sophisticated and creative as the "good guys" and that doesn't seem likely to change?
WP said:
The question that has haunted these programs is: How is it possibly safe to put all your passwords in one basket? If someone steals it, you’re hosed.

A new study has identified security flaws in five of the most popular password managers. [ 1Password, Dashlane, KeePass, LastPass and RoboForm] 1Password, LastPass and Roboform even exposed master passwords, used to unlock all your other passwords. “The ‘lock’ button on password managers is broken — some more severely than others,” said lead researcher Adrian Bednarek.

Now for some counterintuitive advice: I still think you should use a password manager. So do the ethical hackers with Independent Security Evaluators who came to me with news of the flaws — and other security pros I spoke to about the study, published Tuesday. You wouldn’t stop using a seat belt because it couldn’t protect you from every kind of vehicle accident. The same applies to password managers.

But the research, which finds password manager users are vulnerable to targeted malware attacks, does shine a light on ways to bolster our defenses. And it speaks to a bigger truth that gets lost in headlines about breaches and bugs: Online safety isn’t about being unhackable; it’s about not being the lowest-hanging fruit.
The best answer may well be from the article "Yes, there is risk in storing all your passwords in one place with a password manager. But it’s helpful to look at the risk like a hacker: There’s no “safe” and “unsafe.” There’s “safer than,” or “better than.” Being 100 percent safe would require disconnecting from the Internet and moving to an undisclosed bunker." Unfortunately, they also suspect more hackers may target password managers, escalating the battle and successful attacks.

https://www.washingtonpost.com/tech...-have-security-flaw-you-should-still-use-one/
 
I don't use a password manager. Never have. Who watches the watchers?

Most sites where I don't care I have a simple scheme for PWDs and let Firefox remember them for me.

Sites where I care, I create passwords according to a scheme, then memorize the passwords and they are never written down or stored anywhere. I also do not do important things like banking on phones or tablets, only at home. None of my financial activity has any real urgency, so why take a risk?

Worst case at home I am vulnerable to a keystroke logger, but then a password manager is also at risk I think.
 
I think there is a strong inverse relationship between convenience and password safety.

I use a password manager program, but one that is not in the cloud but locally on my PC, stored on an encrypted password file and backed up. My passwords and answers to challenge questions are randomly generated. Works for me as I prefer having the passwords under my control (not through a subscription in the cloud). At the same time, I want passwords complex enough for safety and not taxing my brain cells having to try and remember a pattern.
 
Keepass with password storage on a Kingston DataTraveler Thumb Drive. I back it up with a second Kingston. Nothing on my computer or the cloud. If my computer is stolen, my passwords (thumbdrive) would also have to be stolen.

I have a strong Kingston password that allows 10 chances for entry before it self destructs. If opened, there is another password to crack which opens Keepass. I expect however, if they get the first one, they will get the second. So, I need to remember two passwords and the location of my thumb drives, which I store in two locations.

I am not sure Keepass is the best alternative but I like the program and last I checked gets good marks. Obviously, it does not protect other ways of learning passwords.

This was the approach suggested by SIL who had some knowledge about security.
 
I use Password Safe (PWSafe), which was developed by Bruce Schneier, an internationally recognized expert on IT security. The passwords are all stored locally. I've used PWSafe since around 2004. Never had any issue with it.

I just checked, and I have 338 entries in PWSafe. Probably one-third of those are obsolete, so I have some clean-up to do. But for the remainder, there's no way I could remember them, especially since I let the program generate very strong 25-character strings that I use not just for passwords, but also for user IDs and answers to security questions, which I store in the notes for each entry. The master password is also 25 characters and quite strong, but easy enough that DW and I can both remember it and type it quickly.

I'm a believer in password managers even though I know they're not unhackable. Nothing is unhackable. But it's such a vast improvement over many people's repetitive use of weak passwords, that it makes me a less likely target.

My daughter is so disorganized with passwords that she usually just resets the password every time she needs to log on to some site that she doesn't use everyday. She makes no attempt to remember passwords at all except for the 4-5 she logs onto regularly.
 
We use 1Password. Standalone and not the service.
You could get my master using a key logger.
You could get my master by cracking into iCloud. But, if Apple gets cracked, then I join millions (a hundred million?) of other losers.

I am very happy with 1Password and have been for over a decade. I need something to manage 529 logins.
 
I use a program that is similar to Password Safe. But I don't use the built-in password generator but instead a separate program for generating.

The reason is because sometimes I may want a password that is writable and not confusing. So, I'd want a password instead of all the special characters or confusing characters like zero vs the letter o. Thus, I use a more flexible password generator program.
 
I just checked, and I have 338 entries in PWSafe. Probably one-third of those are obsolete, so I have some clean-up to do.
I need something to manage 529 logins.
I guess I should have included that caveat. I have about a dozen highly sensitive username/passwords and about 125 non-sensitive ones, more than half of which are essentially obsolete.


Not to criticize, but what leads one to have 338 or 529 logins? :confused:
 
Just checked, I have 284.
 
I've used 1Password ever since it first came out and I'm very happy with it.

In the case mentioned here, the random string its password generator comes up with is very easy to edit before letting it enter the string. So if I want to use different special characters (for example), I just change them on the fly. Then 1Password remembers it just as I modified it.

In the case of losing my phone with the authenticator app, I'm glad to see that more places (like brokerages) are letting you set up voice recognition so you can deal with recovery. Ever since Schwab started doing this, others have copied them. Seems to work very well, and I actually had to use it once while traveling in Europe.
 
I override the system-generated password for apps like Netflix and YouTube TV that I know I'll probably have to type using a TV remote. But I still start with the system-generated password and then pare it down to 8-10 characters with no confusing 0 vs O or 1 vs l. I sometimes have to pare it down to conform to the requirements of a specific site, some of which restrict certain characters or number of characters, etc.

But for the vast majority, I never type any of these passwords on any computer or on my phone (PWSafe runs on Android as well), and I certainly don't write them down anywhere. So the more complicated the better.
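The two generator posts above (using a separate generator so the output is typeable and avoids look-alikes such as zero vs the letter O, and paring a generated password down to 8-10 unambiguous characters for a TV remote) can be demonstrated in a few lines. This is an added example, not code from the original thread or from Awesome Password Generator, PWSafe or 1Password; the alphabets, the SPECIALS set and the function names are constructed for illustration. It draws from the OS CSPRNG via `secrets`, which a spreadsheet RAND() does not, and it reports the entropy that is lost when a password is pared down to fit a site's rules.

```python
import math
import secrets
import string

# Look-alike characters the posts above want to avoid (zero vs O, one vs l/I).
AMBIGUOUS = frozenset("0O1lI|")

# Constructed alphabets: letters and digits with the look-alikes removed, plus a
# small set of special characters that most sites accept (assumption).
LETTERS = "".join(c for c in string.ascii_letters if c not in AMBIGUOUS)
DIGITS = "".join(c for c in string.digits if c not in AMBIGUOUS)
SPECIALS = "!@#$%^&*-_=+?"
DEFAULT_ALPHABET = LETTERS + DIGITS + SPECIALS


def generate_password(length=25, alphabet=DEFAULT_ALPHABET, require_special=True):
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG.

    With require_special, candidates lacking a special character are redrawn
    (rejection sampling), so the result stays uniform over the accepted set.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if not alphabet:
        raise ValueError("alphabet must not be empty")
    if require_special and not any(c in SPECIALS for c in alphabet):
        raise ValueError("alphabet contains no special characters to require")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_special or any(c in SPECIALS for c in candidate):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a password drawn uniformly at random: length * log2(N)."""
    return length * math.log2(alphabet_size)


def pare_down(password, allowed, max_len):
    """Mimic the manual step in the post: keep only characters the site allows,
    then truncate to the site's maximum length. Entropy drops accordingly, so
    check entropy_bits() on the result before accepting it."""
    kept = "".join(c for c in password if c in allowed)
    return kept[:max_len]


def has_ambiguous(password):
    """True if the password contains any look-alike character."""
    return any(c in AMBIGUOUS for c in password)


if __name__ == "__main__":
    full = generate_password()
    print(full, "->", round(entropy_bits(len(full), len(DEFAULT_ALPHABET)), 1), "bits")
    # A remote-friendly version: letters and digits only, 10 characters.
    tv = pare_down(full, LETTERS + DIGITS, 10)
    print(tv, "->", round(entropy_bits(len(tv), len(LETTERS + DIGITS)), 1), "bits")
```

A 25-character password over this 70-symbol alphabet carries about 153 bits; the same password pared to 10 letters and digits carries about 58 bits, which is why the posts reserve the short form for low-value logins typed with a remote.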
 
...Not to criticize, but what leads one to have 338 or 529 logins? :confused:

As I said, I've been using PWSafe since 2004, so about one-third (maybe higher) are obsolete, like an ISP or mobile phone carrier I no longer subscribe to. Some of my old work passwords are still on there as well.

For the remaining active stuff, this is for both DW and myself and we also store some of DMIL's passwords there. Basically, the high number is just the natural result of consistently using the password manager for 16 years of active internet usage. It's mostly websites but also includes lots of stuff like the pin for various debit cards, SSIDs and passwords for various routers, credit card numbers, SS/DOB/etc for family members, codes for combination locks, PC passwords, pins to unfreeze credit for two people at 3 agencies each, and codes for devices like our Obi VoIP adapter, cameras, and smart deadbolt.
 
For me, I use a program (Windows only) called Awesome Password Generator. I have that as a Quick Launch item and a password that has a special character, non-confusing is just a mouse click and copy paste away. Less taxing on my brain than overriding.

But manually overriding as mentioned in above posts surely will work also.

I attached a portion screen grab as an example.
Attachment: apg.jpg (screen grab)
 
I do the same with Excel.
 
The article was written in Feb last year. In the article, it stated that LastPass and RoboForm were going to make fixes the same week the article was published.

Like others, I used Lastpass with a very long, multi-language, password and 2F.
 
KeePass.......and our access is..."Oh no, I've done it again". :facepalm:
 
LastPass & Multi-Factor Authentication
Midpack, the biggest flaw with your method is that the passwords are unencrypted, which as you say, could mean that if your computer is compromised that all your passwords are, too. LastPass keeps only encrypted data, so even if they wanted to, no one at the company could read them*. And I use these settings for added protection:

  • two-factor authentication
  • automatically logs me out when I close the browser, or after 5 minutes of inactivity
  • only allows access from US locations
  • email verification required for new logins
  • when I log in on one device, all other devices are logged out
  • sensitive passwords require the master password to be re-entered every time
* "Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass." ref. https://www.lastpass.com/how-lastpass-works
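The quoted claim that the vault is encrypted and decrypted on the device, so that the sync service never holds the master password or the keys, is the property worth checking in any manager. The sketch below is an added example, not LastPass's or any other product's code: it stretches the master password with PBKDF2-HMAC-SHA256 from the standard library, uses an HMAC counter-mode keystream with encrypt-then-MAC as a stand-in for the AES-based ciphers real managers use, and shows that the blob a server would store reveals nothing about the entries. The vault contents and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

# PBKDF2 iteration count (assumption for the example; real products set their own).
KDF_ITERATIONS = 600_000


def derive_keys(master_password, salt, iterations=KDF_ITERATIONS):
    """Stretch the master password into a 32-byte encryption key and a 32-byte
    MAC key. Only salt and iteration count are stored with the vault; the
    master password itself never leaves the device."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (toy construction
    so the example needs only the standard library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password, entries, iterations=KDF_ITERATIONS):
    """Encrypt-then-MAC the vault locally; the returned dict is all that would be synced."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = iterations.to_bytes(4, "big") + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return {
        "iterations": iterations,
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ct": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password, blob):
    """Verify the tag before decrypting. A wrong master password and a tampered
    blob are rejected the same way, without revealing which."""
    iterations = int(blob["iterations"])
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    header = iterations.to_bytes(4, "big") + salt + nonce
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault rejected: wrong master password or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def server_can_read(blob, secret):
    """What a sync server, or anyone who steals the blob, sees: True only if the
    secret appears in the clear in any stored field."""
    return any(secret in str(value) for value in blob.values())


if __name__ == "__main__":
    # Constructed sample vault.
    vault = {"brokerage": {"user": "jdoe", "password": "s3kr!t-Brokerage"}}
    blob = encrypt_vault("a long master passphrase", vault)
    print("server sees plaintext password:", server_can_read(blob, "s3kr!t-Brokerage"))
    print("decrypted on device:", decrypt_vault("a long master passphrase", blob))
```

The caveat the thread keeps circling back to still holds for this design: the keys exist in memory on the device while the vault is unlocked, which is exactly where a key logger or the "lock button" flaws in the Washington Post article operate. Client-side encryption protects the vault at rest and in transit, not an unlocked session on a compromised machine.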
 
Dashlane (paid version).
Syncs between all PCs/Macs/iPhones.
Warns you of passwords used for multiple accounts.
For many sites it can "auto-change" your password.
Also has a password generator; you can choose the level of encryption.
Very much like LastPass.

I love it.
 
FWIW, I have used (essentially) the same 8-character password for everything since the mid-seventies. I say "essentially" because I do use a variation for sensitive sites (banking, etc. and those sites that require a special character -- which I simply add onto the end).

I have, to this point, never had anyone "hack" into any of my accounts -- and I have hundreds of them.

I know I should be knocking on wood for revealing this but I am just sayin. (Not to mention the fact that the administrators of this site now have my universal password.)
 
Midpack, the biggest flaw with your method is that the passwords are unencrypted, which as you say, could mean that if your computer is compromised that all your passwords are, too. LastPass keeps only encrypted data, so even if they wanted to, no one at the company could read them.
My passwords aren’t encrypted, but they’re not on my PC either. I only enter them as needed, deliberately keep my sessions short, and erase all history after every session on any sensitive sites. Am I missing something? My biggest fear is a key logger with my setup.

And the author on the WP article is wrong?
WP said:
A new study has identified security flaws in five of the most popular password managers. [ 1Password, Dashlane, KeePass, LastPass and RoboForm] 1Password, LastPass and Roboform even exposed master passwords, used to unlock all your other passwords. “The ‘lock’ button on password managers is broken — some more severely than others,” said lead researcher Adrian Bednarek.
I’m not suggesting it’s likely, but I’ve seen language just like what you quoted from other online resources, and watched many of them get hacked...

But it’s a tradeoff, I wouldn’t have asked if I wasn’t seriously considering a password manager. Thanks.
 
I use LastPass. I also make use of some its other capabilities. I have some documents stored in the vault. I use the notes function to make notes about some sites. I like the organization and search capabilities. It's worth the cost.
 