Big Blue Interactive The Corner Forum  

Archived Thread

NFT: Password manager, yea, or no?

Stan in LA : 7/2/2020 8:02 pm
Being old school I have different passwords for all sites written down in a Rolodex. With hundreds of items now there, is it better to simply get a password manager? Device based or cloud based? Paid or free? Are they safe?

Yea  
ImThatGuy : 7/2/2020 8:23 pm : link
I use Norton Identity Safe - pretty happy with it. It's free and while it has all sorts of functionality if you want it, it's pretty bare bones and no frills which I like
Nothing is safe on the internet  
Ben in Tampa : 7/2/2020 8:30 pm : link
But I absolutely recommend one.
Passwords on paper can be safer  
widmerseyebrow : 7/2/2020 8:42 pm : link
if your home is relatively secure. Anything off network would be, but it would be a jackpot for anyone who stole it from your home.

The other upside of a password manager is that they have generators to create much stronger passwords than what you probably have in that rolodex. And you can create a different strong password for every site while only having to remember one (ideally very strong) master password or pass phrase.

If you go the password manager route, I suggest one that is open source. Open source will have an entire community constantly looking for vulnerabilities to patch whereas proprietary is only as secure as the team working for that company.
Also always use two factor authentication  
widmerseyebrow : 7/2/2020 8:44 pm : link
when available no matter what route you take.
Highly recommend LastPass  
Jim in Fairfax : 7/2/2020 8:57 pm : link
.
I use the cheaper option  
Bill L : 7/2/2020 9:12 pm : link
Write it on a sticky note and stick it to the monitor.
I use Password Safe  
US1 Giants : 7/2/2020 9:33 pm : link
it does not put your passwords on the Internet. It supports YubiKey if you want to use that feature. I am paranoid about putting my passwords on the Internet no matter how good the app is rated. Passwords should be 12 or more characters long if the website allows.

Also, use two factor authentication on anything important.
I Highly Recommend Dashlane  
jamison884 : 7/2/2020 10:30 pm : link
I used LastPass before, but the Dashlane paid option is the best. It saves credit cards, checking and savings accounts, SS card, any other ID cards or credentials, manages passwords for all sites, offers varying layers of auto-generated random passwords, alerts you to passwords which are weak/duplicates (and if a site you're on has a breach I believe).

Then it also has a fully functional VPN where you can select the source country.

Finally, it uses one master password and it all saves to a cloud-based data center, and also syncs with your phone via their app. If you reformat your PC or your HD dies, all data is good to go upon re-installation.
Nay  
Gregorio : 7/2/2020 10:32 pm : link
Any place you store passwords can be hacked. I won’t store them on a cloud. Any file on your local machine can be also hacked by a motivated hacker.

I store them in a file on a thumb drive, kept physically separated from my machine. It’s password protected and encrypted, and only I know where it is. To me, your Rolodex is safer than a file stored on an internet-connected computer.

For financial accounts, the advice in this thread to utilize two-factor authentication is sound.


Yea  
trueblueinpw : 7/2/2020 10:37 pm : link
Which one is best depends on your computer and iPhone types. If you’re all Apple, I feel like the Apple iCloud keychain is pretty solid and it’s getting better.

If you’re PC and Android or any combination that is not all Apple then consider LastPass. LastPass has the most robust free product and it wins or places highly in every review.

You can Google "best password manager" and read PC Mag and Tom's Hardware for all the info you probably need.
Yes, 100%  
81_Great_Dane : 7/2/2020 11:37 pm : link
I'm on Apple devices. I started using 1Password around a year ago. It's a godsend. I am using much more secure passwords now that I can store them all in one place. It's more than a password manager and has capabilities I'm not even exploring yet.

On my phone, the app will recognize me with FaceID; the previous phone recognized me with TouchID.

So better passwords ergo better security, better organization, easier retrieval. Not flawless but an upgrade.
My methods:  
Jay in Toronto : 7/3/2020 11:29 am : link
1. Use two-step authentication when possible

2. Use a simple password algorithm for sites I don't think need high security (sorry BBI)

3. Use a very complex algorithm that I have memorized to access a program called BFOLDERS. It is where I keep all my sensitive info. It is electronic but is kept locally and not in the cloud.

Someone could get physical access to my device and hack it, but the password is pretty good. I'm willing to risk that to have the info electronic and not just paper and pencil.

I also keep the password to BFOLDERS on paper in my safe deposit box at my bank.


Yes, it's a must for me  
ZogZerg : 7/3/2020 12:05 pm : link
Family of 4 has a ton of passwords to keep track of.

I use LastPass.
Thanks everyone for the insight  
Stan in LA : 7/3/2020 12:54 pm : link
Appreciate it.
Bitwarden is the best and safest in my opinion  
moespree : 7/3/2020 1:54 pm : link
.
Jay in Toronto  
Samiam : 7/3/2020 2:24 pm : link
Can you explain step #3 better to a non techie?
Password Keepers  
Scott in Seattle : 7/3/2020 2:31 pm : link
It's become impossible not to use one these days: bank accounts, credit cards, utility payments, Amazon, Netflix, etc., and most with different length, number, and special character requirements. Personally, I also don't believe in using something like LastPass because it's cloud-based, hence more vulnerable to hacking than my paranoid self is willing to accept -- and yes, I work in IT on both the programming and system administration sides.

I agree with the poster who said storing it on a thumb drive or portable USB drive is a good idea... as long as it's something that stays home. You definitely don't want to store passwords on something you might lose in a public place. I'd recommend having it on a second backup portable drive as well, since USB drives can fail in the blink of an eye.

With that said, I like KeePass a lot. It's free, lightweight, portable, and easy enough to figure out fairly quickly. Just make sure your one master password is one you'll never forget, is long, and contains at least one number and one special character -- the more, the better. As a barometer, Microsoft (Active Directory) currently recommends a minimum of 8 characters with 1 number and 1 special character. I never go less than 15.
People worried about the cloud...  
trueblueinpw : 7/3/2020 3:40 pm : link
What’s really the jeopardy? LastPass is hacked, change your passwords. Especially with MFA, what’s really gonna happen? Also considering that these services aren’t storing a txt file and they’re all in the business of protecting data. Just seems unlikely to me and - I mean - you’re storing a password not a bearer bond.

I also don’t understand how a locally stored password helps you manage pwds, especially on your different devices? Do you look up a long complex password on a local USB key every time you log in to your bank account?

Just asking - not judging. Maybe I’m not getting the serious risk.
RE: People worried about the cloud...  
Jim in Fairfax : 7/3/2020 5:17 pm : link
In comment 14928440 trueblueinpw said:
Quote:
What’s really the jeopardy? LastPass is hacked, change your passwords. Especially with MFA, what’s really gonna happen? Also considering that these services aren’t storing a txt file and they’re all in the business of protecting data. Just seems unlikely to me and - I mean - you’re storing a password not a bearer bond.

I also don’t understand how a locally stored password helps you manage pwds, especially on your different devices? Do you look up a long complex password on a local USB key every time you log in to your bank account?

Just asking - not judging. Maybe I’m not getting the serious risk.

This. LastPass hashes your password file with the same or better encryption methods as do your financial institutions. If LastPass was hacked and your password file stolen, it wouldn’t do the hacker any good without your master password, which LastPass doesn’t know or store.

What's Wrong with the Cloud?  
Scott in Seattle : 7/3/2020 5:17 pm : link
You're not just storing the password, you're storing a URL and a user name. If you've got MFA set up, you're fine. If not, you're screwed, especially if you're talking about hacking banking data.
RE: People worried about the cloud...  
Gregorio : 7/4/2020 1:53 am : link
In comment 14928440 trueblueinpw said:
Quote:
What’s really the jeopardy? LastPass is hacked, change your passwords. Especially with MFA, what’s really gonna happen? ... you’re storing a password not a bearer bond.

trueblueinpw,
First off, thank you for your probing questions. This is an area I've sweated over. I don't pretend to have all the answers nor claim the best method.

What's really the jeopardy; Before I get into it, my belief is that even the most secure password storage method is faulty. No method is foolproof. The way I see it, we are talking about the degree of vulnerability between the various methods.

The jeopardy in the worst case, is losing your life savings. A hacker defeats the algorithms and gains access to your bank account, then drains the balance to 0. If LastPass were hacked, it's likely I wouldn't know in time to change my passwords. By then my life savings are gone.

Let's take a cloud-based solution like LastPass: URL, user id and password data are stored online. There are 3 levels a hacker has to defeat: 1. The master password to access the LastPass account, 2. An individual encrypted password for a bank account, and 3. The 2 factor authentication for a bank acct (assuming this is used).

This really is a high degree of difficulty to overcome. I rate the security degree as high. Problem is, when dealing with life savings, a high degree of security is not enough. Who wants to be the first account holder at LastPass to become a victim of a motivated hacker?

On the value of login credentials; because this data is the key to your life savings, they are even more valuable than a bearer bond.

The other issue with Cloud solutions is; Yes they are in the business of protecting data, but what gives you confidence they can be trusted? You wouldn't give your credentials to your cousin or distant acquaintance, so why are you willing to trust your most sensitive data (account credentials) to people you don't know? A mature application replicates data to backup servers for disaster recovery. How many backup servers is the password data stored on, and how secure are they?

To answer your questions on the thumb drive method; No it doesn't help with multiple devices. I use a primary device for the financial stuff (banking and investing). Yes, I do load the thumb drive into a USB port, then decrypt the file to access the passwords. While this is inconvenient, it is a price I am willing to pay for 1. The higher degree of security it provides and 2. the peace of mind it provides.
RE: RE: People worried about the cloud...  
markky : 7/4/2020 8:38 am : link
In comment 14928596 Gregorio said:
Quote:
In comment 14928440 trueblueinpw said:
Quote:
What’s really the jeopardy? LastPass is hacked, change your passwords. Especially with MFA, what’s really gonna happen? ... you’re storing a password not a bearer bond.

trueblueinpw,
First off, thank you for your probing questions. This is an area I've sweated over. I don't pretend to have all the answers nor claim the best method.

What's really the jeopardy; Before I get into it, my belief is that even the most secure password storage method is faulty. No method is foolproof. The way I see it, we are talking about the degree of vulnerability between the various methods.

The jeopardy in the worst case, is losing your life savings. A hacker defeats the algorithms and gains access to your bank account, then drains the balance to 0. If LastPass were hacked, it's likely I wouldn't know in time to change my passwords. By then my life savings are gone.

Let's take a cloud-based solution like LastPass: URL, user id and password data are stored online. There are 3 levels a hacker has to defeat: 1. The master password to access the LastPass account, 2. An individual encrypted password for a bank account, and 3. The 2 factor authentication for a bank acct (assuming this is used).

basically correct, but there is a little more security than this.
- LastPass doesn't store passwords. You need your Master Password to decrypt what they store and the decryption happens locally.
- If someone gets your master password and tries to log into LastPass from a different device or IP address then LastPass requires confirmation from your email account. So in addition to needing your master password, the hacker would have to already have access to your email (which is possible).

So you can add additional security by having 2FA on your email account and your financial accounts. It's much better if that 2FA is via an app that is tied to your device (not via a text message). This means the hacker would also need to have your phone or computer to defeat 2FA.

Finally, you can store hashed passwords in LastPass rather than real password, where the hashing algorithm is in your head and not in a computer. This makes access to the passwords less valuable to the hacker.

Of course, there is no perfect system so storing your passwords offline (and still hashing them even when you write them down!) is probably better.
I use a password manager...  
EricJ : 7/4/2020 9:44 am : link
for 99% of the websites where I need a password such as BBI. I also do not mind using it for credit card accounts because I am protected in the event of a breach.

However, for my bank accounts, my 401k account and Paypal... those passwords are saved between my ears. I am only using two banks right now so it is not that difficult to remember four passwords. These are the only four accounts where someone can potentially steal from me. I think Paypal potentially has some protection too.

When you see me post something here on BBI that you don't like, I have now laid the groundwork for blaming a hacker.
RE: RE: RE: People worried about the cloud...  
Gregorio : 7/4/2020 10:00 am : link
In comment 14928647 markky said:
Quote:
basically correct, but there is a little more security than this.
- LastPass doesn't store passwords. You need your Master Password to decrypt what they store and the decryption happens locally.

Do you mean LastPass doesn't store master passwords? It must store the individual account passwords.

A hacker need not defeat the master password that an individual user enters into a browser, to get to individual account passwords. If they were to breach the system or server where account credentials are stored, they are in.
RE: RE: RE: RE: People worried about the cloud...  
EricJ : 7/4/2020 10:06 am : link
In comment 14928688 Gregorio said:
Quote:
A hacker need not defeat the master password that an individual user enters into a browser, to get to individual account passwords. If they were to breach the system or server where account credentials are stored, they are in.

It could mean that even if a hacker got your master password, they may not know what websites you have saved/encrypted locally. I am sure they can guess Amazon and popular places like that, but they would likely have to test the login screen of thousands of banking institutions for example just to see if it auto populates. Maybe I just do not understand how it works.
RE: Jay in Toronto  
Jay in Toronto : 7/4/2020 10:47 am : link
In comment 14928419 Samiam said:
Quote:
Can you explain step #3 better to a non techie?

A lot of people (rightly probably) don't trust storing sensitive info on a cloud. One solution is to store all passwords (and other sensitive info like Bank Account #s, SS number etc) on pieces of paper.

My version (not necessarily better) is kind of a mid-point. Since I want electronic versions of account #s, passwords etc so I don't have to retype them from paper copies when I use them.

Thus, I use a program like BFOLDERS (there are probably others). I have one sophisticated password I need to remember to open that program. I then store all sensitive info on it on my PC. When I am on the Internet and need it, I go to the program and find it and paste it when I need it. Because it is only on my PC, you need access to my PC and my password to get info in that program.

As a side note, I could have a copy on another device, like a phone. But the way to synch is only via a cable and/or WiFi, so again I am bypassing the cloud.

Hope that helps.
RE: RE: RE: RE: People worried about the cloud...  
Jim in Fairfax : 7/4/2020 12:36 pm : link
In comment 14928688 Gregorio said:
Quote:
Do you mean LastPass doesn't store master passwords? It must store the individual account passwords.

A hacker need not defeat the master password that an individual user enters into a browser, to get to individual account passwords. If they were to breach the system or server where account credentials are stored, they are in.

Yes, the LastPass vault file contains a database of your accounts, sites, and passwords. That file is encrypted. It can only be decrypted with your master password, which LastPass does not store.

In order to get your passwords, they would have to:
1) Hack Lastpass’s servers and steal your vault file
2) Either know your master password or use a brute force attack to find it.

That’s a lot of effort and resources for something that might be worthless. You should worry more about your financial institution getting hacked. As Willy Sutton said, “That's where the money is.”
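The encrypted-vault design Jim describes (and markky's point that decryption happens locally), as an added Python example that is not code from any poster here or from LastPass: the client stretches the master password into a vault key, and the server ends up holding only a salt, a one-way login credential and the encrypted blob. The HMAC-based keystream is a constructed stand-in for AES (the standard library has none), and the function names and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# PBKDF2 work factor; a constructed value for the demo, real managers use more.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client-side only: stretch the master password into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)


def login_hash(vault_key: bytes) -> bytes:
    """Sent to the server for login: one-way, so a stolen copy cannot be
    turned back into the vault key, and the master password never leaves the client."""
    return hashlib.sha256(b"login-credential|" + vault_key).digest()


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for AES counter mode: HMAC-SHA256 over nonce||counter.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Fails closed: a wrong key (wrong master password) or edited blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def register(master_password: str, vault_plaintext: bytes) -> dict:
    """Everything the server holds: salt, login hash, encrypted blob.
    Neither the master password nor the vault key is in this record."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(master_password, salt)
    return {"salt": salt, "login_hash": login_hash(vault_key),
            "blob": encrypt_vault(vault_key, vault_plaintext)}


def unlock(server_record: dict, master_password: str) -> bytes:
    """Client re-derives the key and decrypts locally after the login check."""
    vault_key = derive_vault_key(master_password, server_record["salt"])
    if login_hash(vault_key) != server_record["login_hash"]:
        raise ValueError("login rejected")
    return decrypt_vault(vault_key, server_record["blob"])
```

A stolen `register()` record is just salt, hash and ciphertext; the only way in is guessing the master password through PBKDF2, which is why its length and the iteration count are the whole game.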
RE: RE: RE: RE: RE: People worried about the cloud...  
EricJ : 7/4/2020 7:02 pm : link
In comment 14928751 Jim in Fairfax said:
Quote:
You should worry more about your financial institution getting hacked. As Willy Sutton said, “That's where the money is.”


Like Wells Fargo??
most browsers have their own password manager  
Ron from Ninerland : 7/4/2020 8:48 pm : link
Safari/Apple/iCloud Keychain is essentially a password manager. Chrome has its own password manager and Firefox has theirs. I don't know the specifics for Microsoft but I'd expect they have something similar for IE or Edge. The passwords are remembered across devices but they're only good for the one browser, but you can copy and paste between browsers. The advantage is they're free.
Thanks Jay  
Samiam : 7/4/2020 9:19 pm : link
It helps
RE: most browsers have their own password manager  
Jim in Fairfax : 7/4/2020 10:47 pm : link
In comment 14928887 Ron from Ninerland said:
Quote:
Safari/Apple/iCloud Keychain is essentially a password manager. Chrome has its own password manager and Firefox has theirs. I don't know the specifics for Microsoft but I'd expect they have something similar for IE or Edge. The passwords are remembered across devices but they're only good for the one browser, but you can copy and paste between browsers. The advantage is they're free.

The problem is, if you have devices in more than one ecosystem, you can’t get to your passwords universally. Can’t get to your Apple universe passwords from a Windows or Android device for example.

LastPass works pretty much everywhere. It works in Windows, Mac and Linux. It has extensions for every major browser and apps for iOS, Android and Windows phone. All your devices synchronize with one another. And you get all that in the free version.
Jim in Fairfax  
Samiam : 7/5/2020 5:08 pm : link
A while ago, I signed up for Last Pass premium and found that it remembered about 1/2 of my passwords. I ended up typing my master password to access Last Pass and then typing in the password for the site I was accessing. I asked a friend who also had Last Pass and he had the same experience. I stopped using it and didn’t renew. Did that ever happen to you?
RE: Jim in Fairfax  
Jim in Fairfax : 7/6/2020 12:15 pm : link
In comment 14929088 Samiam said:
Quote:
A while ago, I signed up for Last Pass premium and found that it remembered about 1/2 of my passwords. I ended up typing my master password to access Last Pass and then typing in the password for the site I was accessing. I asked a friend who also had Last Pass and he had the same experience. I stopped using it and didn’t renew. Did that ever happen to you?

I'm not sure if I understand the problem you’re having. Some of your password/sites that you saved in LastPass are missing? Haven’t experienced any problems myself.

This linked article may help: "Vault items missing". Also, as a Premium member you’re entitled to priority tech support.
I kept them on paper  
Rick5 : 7/6/2020 12:27 pm : link
until about 4 months ago. I use Norton now. I love using a password manager.
Dashlane  
Josh in the City : 7/6/2020 12:28 pm : link
is a bit more expensive than the others but it is by far the best option if you want to use it on every device you own. If you're Mac/iOS only, 1password is very good too.
+1 for LastPass  
Heisenberg : 7/6/2020 1:06 pm : link
I used it personally and my company started this year as an enterprise customer and it works well for both cases.