Passwords

[marko]

I got that. With LastPass, when you visit a website and log in with your username and password, LastPass has a drop down window that asks if you want to save that info. You click yes and that entry is saved. When you return to that website, LastPass will automatically fill the login info, you just click enter.

This is also an automatice feature for those using Chromebooks (and Chrome in general I suppose?). Same thing: log in and a drop down asks if you want to save it. Also recognizes if you change the PW later on.

The benefit here is that even if I log in on someone else's/library computer all my PWs are there for my use but gone after I log out.

 

[Trooper]

Hi all...great thread. I'm finally researching password managers, and have (I think) narrowed it down to Dashlane and LastPass.

But I have a potentially dumb question about how they fundamentally work. One requirement for the software is that my DW and I be able to use it "jointly" because we want access to the same accounts, like our Vanguard accts, credit union, credit card, etc.

However, there are certain websites - SSA.gov for example - where the URL is the same but the login information is obviously different because the info that's presented is based on the userid/PW.

How would any of the web-based password managers handle that?

 

[Music Lover]

The few passwords I have that are complicated, I keep on a piece of paper hidden in my house. For someone to find them, they would have to first break into my house, and then locate a hidden scrap of paper that is hidden very well.

The odds of that happening are non-existent.

 

[aja8888]

The few passwords I have that are complicated, I keep on a piece of paper hidden in my house. For someone to find them, they would have to first break into my house, and then locate a hidden scrap of paper that is hidden very well.

The odds of that happening are non-existent.

Even if that happened, would they know what the passwords were for?

 

[easysurfer]

Hi all...great thread. I'm finally researching password managers, and have (I think) narrowed it down to Dashlane and LastPass.

But I have a potentially dumb question about how they fundamentally work. One requirement for the software is that my DW and I be able to use it "jointly" because we want access to the same accounts, like our Vanguard accts, credit union, credit card, etc.

However, there are certain websites - SSA.gov for example - where the URL is the same but the login information is obviously different because the info that's presented is based on the userid/PW.

How would any of the web-based password managers handle that?

I haven't used either of the ones you mentioned but wonder if you'd just make a separate entry for each SSA login. For a local password manager, that's what I'd do. Separate login and password for each individual, but same URL.

 

[Sunset]

Hi all...great thread. I'm finally researching password managers, and have (I think) narrowed it down to Dashlane and LastPass.

But I have a potentially dumb question about how they fundamentally work. One requirement for the software is that my DW and I be able to use it "jointly" because we want access to the same accounts, like our Vanguard accts, credit union, credit card, etc.

However, there are certain websites - SSA.gov for example - where the URL is the same but the login information is obviously different because the info that's presented is based on the userid/PW.

How would any of the web-based password managers handle that?

I don't use web-based password manageers, as I don't want all my info on the web, too big a target.
So I use KeePass on my machine locally.

You can organize or group entries, so you might have a group called Stocks and in it use the following field to make an entry:

Mr X Vanguard account as the title, then the rest of the info.
Mrs X Vanguard account as the title, then the rest of the info

So you could have multiple Vanguard accounts, each with their own login if needed.
The same for SSA,
Just make one entry for Mr X , and one entry for Mrs X, each has their own password and username.

The comment section is where you would put in the fake answers to the security questions like: Mother's maiden name is GreenMartians (because the real one is not a secret).

 

[Sunset]

Even if that happened, would they know what the passwords were for?

No, but they could take a picture of the list, and then from a library try Chase.com with every name and password, then Bank of America... etc....

Something would probably trigger as correct

 

[BeachOrCity]

With lastpass latest version pretty straight forward. Create a shared family folder for joint accounts. Done. Strongly suggest you dont share lastpass account itself. Creat two accounts as a family. Make each of you ypthe others rescue account with a 24 hour wait time. This last item is for safety if you get hacked but will allow you to rcover if you lose your master password.

Hi all...great thread. I'm finally researching password managers, and have (I think) narrowed it down to Dashlane and LastPass.

But I have a potentially dumb question about how they fundamentally work. One requirement for the software is that my DW and I be able to use it "jointly" because we want access to the same accounts, like our Vanguard accts, credit union, credit card, etc.

However, there are certain websites - SSA.gov for example - where the URL is the same but the login information is obviously different because the info that's presented is based on the userid/PW.

How would any of the web-based password managers handle that?

 

[googily]

With lastpass latest version pretty straight forward. Create a shared family folder for joint accounts. Done. Strongly suggest you dont share lastpass account itself. Creat two accounts as a family. Make each of you ypthe others rescue account with a 24 hour wait time. This last item is for safety if you get hacked but will allow you to rcover if you lose your master password.

+1. LastPass is quite happy to save multiple logins for the same URL. You just give each one its own name to know which one to choose as needed.

Also, be careful about sharing single sign-ons for financial accounts, because if something happens to one of you, the bank may freeze that online account if it is tied to the SSN of the deceased. DH's online access to his banking accounts was locked/limited within a week of his death. Thankfully we had joint access to most of them, so I was still able to get to them via my sign-ons.

Everyone absolutely should have their own sign-ons to all accounts if you are joint account holders. If you're not joint account holders (for, say, the cable company), the main account holder should add the spouse as an account holder. Trust me, this will make a tough time easier down the road.

And, as mentioned above, LastPass makes it very easy to share account information between separate LastPass accounts, and can even do it without sharing the actual password, if that's a concern.

DH and I went to LastPass back in 2012, and having all of his passwords in one place greatly helped me with handling things when he was sick and then after he died.

For those of you who are married but keep your passwords in some format that only you understand, you might want to think about this.

 

[braumeister]

However, there are certain websites - SSA.gov for example - where the URL is the same but the login information is obviously different because the info that's presented is based on the userid/PW.

How would any of the web-based password managers handle that?

1Password does that well. Explained on this page:

https://1password.com/families/

 

[Music Lover]

No, but they could take a picture of the list, and then from a library try Chase.com with every name and password, then Bank of America... etc....

Something would probably trigger as correct

And the odds of that happening...?

Password security is a situation where the simplest system...pen and paper, is likely the most secure way to save them for most people. No one can hack my computer or a password site and gain access to my passwords. Even if a thief broke into my house and walked out with my computer, he still won't have any passwords.

 

[easysurfer]

And the odds of that happening...?

Password security is a situation where the simplest system...pen and paper, is likely the most secure way to save them for most people. No one can hack my computer or a password site and gain access to my passwords. Even if a thief broke into my house and walked out with my computer, he still won't have any passwords.

Sounds like a "money in the mattress" password system.

Just don't smoke too close to the password list unless you have a good backup .

 

[donheff]

And the odds of that happening...?

Password security is a situation where the simplest system...pen and paper, is likely the most secure way to save them for most people. No one can hack my computer or a password site and gain access to my passwords. Even if a thief broke into my house and walked out with my computer, he still won't have any passwords.

Interesting, this is the method Bruce Schneier recommended a few years back. IIRC he recommended keeping a couple of copies - one in your wallet and one somewhere at home (not under your keyboard). If you lose your wallet change all your passwords. But how often do you lose your wallet/

 

[Music Lover]

Sounds like a "money in the mattress" password system.

Just don't smoke too close to the password list unless you have a good backup .

A good backup is a second piece of paper.

Considering how often supposedly "secure" sites are hacked, and then how long many of them wait before informing the victimized people, I'll stick with my tried and true method.

 

[Trooper]

I don't use web-based password manageers, as I don't want all my info on the web, too big a target.
So I use KeePass on my machine locally.

Thanks Sunset. I do like the fact that KeePass runs locally, but unfortunately we don't do all of our 'surfing' from a single box. I understand that the PW data can be synced across multiple devices but kind of a headache. DW wants something simple, that runs across multiple devices (2 PCs, iPad, phone) and any other PC we may need to use while traveling for example. Also there's the risk of a PC crash that you don't have with cloud based solutions.

One day we'll all be sitting around the campfire saying "Remember when we had to actually use passwords to authenticate ourselves?" Can't wait

 

[savory]

The few passwords I have that are complicated, I keep on a piece of paper hidden in my house. For someone to find them, they would have to first break into my house, and then locate a hidden scrap of paper that is hidden very well.

The odds of that happening are non-existent.

I kind of do the same thing but use a thumb drive. I actually use two thumb drives. The second is a back-up.

Keepass is loaded on my thumb drives. I use a Kingston which means the person who finds/steals my Kingston thumb drive must know the password to the Kingston. And, the password to the Keepass password manager. Both of those passwords can be written down and should be complex. I remember mine.

Too many attempts and the drive locks and reformats:

Put a lock on your personal data with Kingston’s DataTraveler® Locker+
G3. It’s a safe and convenient way to secure receipts, bank statements
and other sensitive documents with hardware encryption and password
protection for a double layer of data security. The drive locks down and
reformats after 10 failed login attempts, so users can rest assured that
their data is safe even if the drive is lost or stolen.​

The advantage for me with this approach is Keepass offers many conveniences for managing my sites and logging-in that are not available with pen/paper. Yet it keeps me off the cloud with my passwords, since they are all in my thumb drive which is important to me.

BTW, Keepass is simply my choice and not connected to the thumb drive approach. I expect other password managers, non-web based, would work and offer many of the same benefits.

I just purchased my 8GB Kingston for $20 from Wal-Mart. My DW purchased hers last year for $10 somewhere.

 

[Trooper]

+1. LastPass is quite happy to save multiple logins for the same URL. You just give each one its own name to know which one to choose as needed.

Also, be careful about sharing single sign-ons for financial accounts, because if something happens to one of you, the bank may freeze that online account if it is tied to the SSN of the deceased. DH's online access to his banking accounts was locked/limited within a week of his death. Thankfully we had joint access to most of them, so I was still able to get to them via my sign-ons.

Everyone absolutely should have their own sign-ons to all accounts if you are joint account holders. If you're not joint account holders (for, say, the cable company), the main account holder should add the spouse as an account holder. Trust me, this will make a tough time easier down the road.

And, as mentioned above, LastPass makes it very easy to share account information between separate LastPass accounts, and can even do it without sharing the actual password, if that's a concern.

DH and I went to LastPass back in 2012, and having all of his passwords in one place greatly helped me with handling things when he was sick and then after he died.

For those of you who are married but keep your passwords in some format that only you understand, you might want to think about this.

Great advice, thanks googily.

 

[Sunset]

I kind of do the same thing but use a thumb drive. I actually use two thumb drives. The second is a back-up.

Keepass is loaded on my thumb drives. I use a Kingston which means the person who finds/steals my Kingston thumb drive must know the password to the Kingston. And, the password to the Keepass password manager. Both of those passwords can be written down and should be complex. I remember mine.

Too many attempts and the drive locks and reformats:

Put a lock on your personal data with Kingston’s DataTraveler® Locker+
G3. It’s a safe and convenient way to secure receipts, bank statements
and other sensitive documents with hardware encryption and password
protection for a double layer of data security. The drive locks down and
reformats after 10 failed login attempts, so users can rest assured that
their data is safe even if the drive is lost or stolen.​

The advantage for me with this approach is Keepass offers many conveniences for managing my sites and logging-in that are not available with pen/paper. Yet it keeps me off the cloud with my passwords, since they are all in my thumb drive which is important to me.

BTW, Keepass is simply my choice and not connected to the thumb drive approach. I expect other password managers, non-web based, would work and offer many of the same benefits.

I just purchased my 8GB Kingston for $20 from Wal-Mart. My DW purchased hers last year for $10 somewhere.

When traveling I'll encrypt keepass within something like veracrypt along with other documents. Problem is all this is on the laptop, something a thief wants to steal. So while I'm secure, I worry someone will steal the laptop.

When you use the Kingston thumb drive, can I plug it into a new computer and have access to KeePass in the situation where my laptop gets stolen while traveling ? Or is the encryption dedicated to the 1 laptop ?

 

[easysurfer]

A good backup is a second piece of paper.

Considering how often supposedly "secure" sites are hacked, and then how long many of them wait before informing the victimized people, I'll stick with my tried and true method.

Sounds like you have a working system for you.

I do carry along a few major passwords on paper when traveling as a "Just in case" I don't have access electronically. When I return home, the paper gets shredded. I wouldn't want to maintain a list of long length passwords with special characters though. My handwriting isn't that legible .

 

[savory]

When traveling I'll encrypt keepass within something like veracrypt along with other documents. Problem is all this is on the laptop, something a thief wants to steal. So while I'm secure, I worry someone will steal the laptop.

When you use the Kingston thumb drive, can I plug it into a new computer and have access to KeePass in the situation where my laptop gets stolen while traveling ? Or is the encryption dedicated to the 1 laptop ?

Encryption is in the thumb drive. That is my understanding and a reason I like the Kingston. I think there are other thumb drive brands that do the same thing.

 

[audreyh1]

Sounds like a "money in the mattress" password system.

Just don't smoke too close to the password list unless you have a good backup .

Keep a copy in your safe deposit box.

 

[easysurfer]

When traveling I'll encrypt keepass within something like veracrypt along with other documents. Problem is all this is on the laptop, something a thief wants to steal. So while I'm secure, I worry someone will steal the laptop.

When you use the Kingston thumb drive, can I plug it into a new computer and have access to KeePass in the situation where my laptop gets stolen while traveling ? Or is the encryption dedicated to the 1 laptop ?

If I bring along a laptop when traveling, I have my laptop set up to remotely wake up my home desktop and connect via remote software. That way, if my laptop gets stolen, all the thief gets is a password protected laptop with an encrypted password file. Commands to wake up my desktop on my phone , not on laptop .

 

[GrayHare]

Pen and paper password lists are easy to obfuscate in any number of manners only you know. For example, to what you write you might prefix an extra character. That's too simple but merely an example. If you later look up a forgotten password, only you know to skip that prefix character. Should a thief find your list he might quickly dismiss it if the passwords exactly as written do not work.

 

[audreyh1]

I have a set of passwords in a password protected file on an encrypted disk image (virtual drive) that requires a password to mount.

Passwords to sites I don't consider sensitive I let the MacOS keychain remember for me. These would be non-financial and non-government sites. I don't consider it critical if someone breaks into one of my vendor accounts, for example, because I don't have sensitive personal information there.

 

[Nemo2]

Keep a copy in your safety deposit box.

We have a copy of our safety deposit box under our mattress...secure, or what?