Being old school I have different passwords for all sites written down in a Rolodex. With hundreds of items now there, is it better to simply get a password manager? Device based or cloud based? Paid or free? Are they safe?
I use Norton Identity Safe - pretty happy with it. It's free and, while it has all sorts of functionality if you want it, it's pretty bare bones and no-frills, which I like.
if your home is relatively secure. Anything off network would be, but it would be a jackpot for anyone who stole it from your home.
The other upside of a password manager is that they have generators to create much stronger passwords than what you probably have in that rolodex. And you can create a different strong password for every site while only having to remember one (ideally very strong) master password or pass phrase.
If you go the password manager route, I suggest one that is open source. Open source will have an entire community constantly looking for vulnerabilities to patch whereas proprietary is only as secure as the team working for that company.
it does not put your passwords on the Internet. It supports YubiKey if you want to use that feature. I am paranoid about putting my passwords on the Internet no matter how good the app is rated. Passwords should be 12 or more characters long if the website allows.
Also, use two factor authentication on anything important.
I used LastPass before, but the Dashlane paid option is the best. It saves credit cards, checking and savings accounts, SS card, any other ID cards or credentials, manages passwords for all sites, offers varying layers of auto-generated random passwords, alerts you to passwords which are weak/duplicates (and if a site you're on has a breach I believe).
Then it also has a fully functional VPN where you can select the source country.
Finally, it uses one master password and it all saves to a cloud-based data center, and also syncs with your phone via their app. If you reformat your PC or your HD dies, all data is good to go upon re-installation.
Any place you store passwords can be hacked. I won’t store them on a cloud. Any file on your local machine can also be hacked by a motivated hacker.
I store them in a file on a thumb drive, kept physically separated from my machine. It’s password protected and encrypted, and only I know where it is. To me, your Rolodex is safer than a file stored on an internet-connected computer.
For financial accounts, the advice in this thread to utilize two-factor authentication is sound.
Which one is best depends on your computer and iPhone types. If you’re all Apple, I feel like the Apple iCloud Keychain is pretty solid and it’s getting better.
If you’re PC and Android or any combination that is not all Apple, then consider LastPass. LastPass has the most robust free product and it wins or places highly in every review.
You can Google "best password manager" and read PC Mag and Tom's Hardware for all the info you probably need.
I'm on Apple devices. I started using 1Password around a year ago. It's a godsend. I am using much more secure passwords now that I can store them all in one place. It's more than a password manager and has capabilities I'm not even exploring yet.
On my phone, the app will recognize me with FaceID; the previous phone recognized me with TouchID.
So better passwords ergo better security, better organization, easier retrieval. Not flawless but an upgrade.
2. Use a simple password algorithm for sites I don't think need high security (sorry BBI)
3. Use a very complex algorithm that I have memorized to access a program called BFOLDERS. It is where I keep all my sensitive info. It is electronic but is kept locally and not in the cloud.
Someone could get physical access to my device and hack it, but the password is pretty good. I'm willing to risk that to have the info electronic and not just paper and pencil.
I also keep the password to BFOLDERS on paper in my safe deposit box at my bank.
It's become impossible not to use one these days: bank accounts, credit cards, utility payments, Amazon, Netflix, etc., and most with different length, number, and special character requirements. Personally, I also don't believe in using something like LastPass because it's cloud-based, hence more vulnerable to hacking than my paranoid self is willing to accept -- and yes, I work in IT on both the programming and system administration sides.
I agree with the poster who said storing it on a thumb drive or portable USB drive is a good idea... as long as it's something that stays home. You definitely don't want to store passwords on something you might lose in a public place. I'd recommend having it on a second backup portable drive as well, since USB drives can fail in the blink of an eye.
With that said, I like KeePass a lot. It's free, lightweight, portable, and easy enough to figure out fairly quickly. Just make sure your one master password is one you'll never forget, is long, and contains at least one number and one special character -- the more, the better. As a barometer, Microsoft (Active Directory) currently recommends a minimum of 8 characters with 1 number and 1 special character. I never go less than 15.
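An added worked example, not from any poster on this thread: a generator in Python that draws each character from the 94 printable ASCII symbols with the operating system's random source and reports the guessing cost in bits for the 8- and 15-character lengths mentioned above. The alphabet, the digit/special-character policy checks and the lengths compared are assumptions made for the example.

```python
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols. Assumed alphabet for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    This is the search space a guessing attacker faces; a memorable 'algorithm'
    that reuses a pattern across sites has far less, whatever its length."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_length: int,
                 require_digit: bool = True, require_special: bool = True) -> bool:
    """The usual site rules: minimum length, at least one digit, one special."""
    if len(password) < min_length:
        return False
    if require_digit and not any(c in string.digits for c in password):
        return False
    if require_special and not any(c in string.punctuation for c in password):
        return False
    return True


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw each character with the OS CSPRNG (secrets), never random.random(),
    and resample until the digit/special rules are satisfied."""
    if length < 1:
        raise ValueError("length must be positive")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def compare_lengths(lengths=(8, 12, 15, 20)) -> dict:
    """Guessing cost in bits for each length, alongside a sample password."""
    return {n: (round(entropy_bits(n), 1), generate_password(n)) for n in lengths}


if __name__ == "__main__":
    for n, (bits, sample) in compare_lengths().items():
        print(f"{n:2d} chars: ~{bits} bits of entropy, e.g. {sample}")
```

The point of the entropy line is that an 8-character random password from this alphabet gives roughly 52 bits and a 15-character one roughly 98 bits; the second is not twice as hard to guess but about 2^46 times harder, which is why the length of the one master password matters far more than its character mix.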
What’s really the jeopardy? LastPass is hacked, change your passwords. Especially with MFA, what’s really gonna happen? Also considering that these services aren’t storing a txt file and they’re all in the business of protecting data. Just seems unlikely to me and - I mean - you’re storing a password not a bearer bond.
I also don’t understand how a locally stored password helps you manage pwds especially on you different devices? Do you look up a long complex password on a local USB key every time you log in to you bank account?
Just asking - not judging. Maybe I’m not getting the serious risk.
This. LastPass hashes your password file with the same or better encryption methods as do your financial institutions. If LastPass was hacked and your password file stolen, it wouldn’t do the hacker any good without your master password, which LastPass doesn’t know or store.
You're not just storing the password, you're storing a URL and a user name. If you've got MFA setup, you're fine. If not, you're screwed, especially if you're talking about hacking banking data.
What’s really the jeopardy? LastPass is hacked, change your passwords. Especially with MFA, what’s really gonna happen? ... you’re storing a password not a bearer bond.
trueblueinpw,
First off, thank you for your probing questions. This is an area I've sweated over. I don't pretend to have all the answers nor claim the best method.
What's really the jeopardy; Before I get into it, my belief is that even the most secure password storage method is faulty. No method is foolproof. The way I see it, we are talking about the degree of vulnerability between the various methods.
The jeopardy in the worst case, is losing your life savings. A hacker defeats the algorithms and gains access to your bank account, then drains the balance to 0. If LastPass were hacked, it's likely I wouldn't know in time to change my passwords. By then my life savings are gone.
Let's take a cloud based solution like LastPass; URL, user id and password data are stored online. There are 3 levels a hacker has to defeat; 1. The master password to access the LastPass account 2. An individual encrypted password for a bank account, and 3. The 2 factor authentication for a bank acct (assuming this is used).
This really is a high degree of difficulty to overcome. I rate the security degree as high. Problem is, when dealing with life savings, a high degree of security is not enough. Who wants to be the first account holder at LastPass to become a victim of a motivated hacker?
On the value of login credentials; because this data is the key to your life savings, they are even more valuable than a bearer bond.
The other issue with Cloud solutions is; Yes they are in the business of protecting data, but what gives you confidence they can be trusted? You wouldn't give your credentials to your cousin or distant acquaintance, so why are you willing to trust your most sensitive data (account credentials) to people you don't know? A mature application replicates data to backup servers for disaster recovery. How many backup servers is the password data stored on, and how secure are they?
To answer your questions on the thumb drive method; No it doesn't help with multiple devices. I use a primary device for the financial stuff (banking and investing). Yes, I do load the thumb drive into a USB port, then decrypt the file to access the passwords. While this is inconvenient, it is a price I am willing to pay for 1. The higher degree of security it provides and 2. the peace of mind it provides.
Let's take a cloud based solution like LastPass; URL, user id and password data are stored online. There are 3 levels a hacker has to defeat; 1. The master password to access the LastPass account 2. An individual encrypted password for a bank account, and 3. The 2 factor authentication for a bank acct (assuming this is used).
basically correct, but there is a little more security than this.
- LastPass doesn't store passwords. You need your Master Password to decrypt what they store and the decryption happens locally.
- If someone gets your master password and tries to log into LastPass from a different device or IP address then LastPass requires confirmation from your email account. So in addition to needing your master password, the hacker would have to already have access to your email (which is possible).
So you can add additional security by having 2FA on your email account and your financial accounts. It's much better if that 2FA is via an app that is tied to your device (not via a text message). This means the hacker would also need to have your phone or computer to defeat 2FA.
Finally, you can store hashed passwords in LastPass rather than real password, where the hashing algorithm is in your head and not in a computer. This makes access to the passwords less valuable to the hacker.
Of course, there is no perfect system so storing your passwords offline (and still hashing them even when you write them down!) is probably better.
for 99% of the websites where I need a password such as BBI. I also do not mind using it for credit card accounts because I am protected in the event of a breach.
However, for my bank accounts, my 401k account and Paypal... those passwords are saved between my ears. I am only using two banks right now so it is not that difficult to remember four passwords. These are the only four accounts where someone can potentially steal from me. I think Paypal potentially has some protection too.
When you see me post something here on BBI that you don't like, I have now laid the groundwork for blaming a hacker.
- LastPass doesn't store passwords. You need your Master Password to decrypt what they store and the decryption happens locally.
Do you mean LastPass doesn't store master passwords? It must store the individual account passwords.
A hacker need not defeat the master password that an individual user enters into a browser, to get to individual account passwords. If they were to breach the system or server where account credentials are stored, they are in.
It could mean that even if a hacker got your master password, they may not know what websites you have saved/encrypted locally. I am sure they can guess Amazon and popular places like that, but they would likely have to test the login screen of thousands of banking institutions for example just to see if it auto populates. Maybe I just do not understand how it works.
A lot of people (rightly probably) don't trust storing sensitive info on a cloud. One solution is to store all passwords (and other sensitive info like Bank Account #s, SS number etc) on pieces of paper.
My version (not necessarily better) is kind of a mid-point. Since I want electronic versions of account #s, passwords etc so I don't have to retype them from paper copies when I use them.
Thus, I use a program like BFOLDERS (there are probably others). I have one sophisticated password I need to remember to open that program. I then store all sensitive info on it on my PC. When I am on the Internet and need it, I go to the program and find it and paste it when I need it. Because it is only on my PC, you need access to my PC and my password to get info in that program.
As a side note, I could have a copy on another device, like a phone. But the way to sync is only via a cable and/or WiFi, so again I am bypassing the cloud.
A hacker need not defeat the master password that an individual user enters into a browser, to get to individual account passwords. If they were to breach the system or server where account credentials are stored, they are in.
Yes, the LastPass vault file contains a database of your accounts, sites, and passwords. That file is encrypted. It can only be decrypted with your master password, which LastPass does not store.
In order to get your passwords, they would have to:
1) Hack Lastpass’s servers and steal your vault file
2) Either know your master password or use a brute force attack to find it.
That’s a lot of effort and resources for something that might be worthless. You should worry more about your financial institution getting hacked. As Willie Sutton said, “That's where the money is.”
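An added example, not from any poster here and not LastPass's own code, of the design the last few posts describe: the master password is stretched client-side into a vault key (never sent) and a separate login key, the vault is encrypted before upload, the server holds only the ciphertext, and a thief of that server record is reduced to guessing the master password offline, one key derivation per guess. The cipher is a toy stream cipher built from HMAC so the example runs on the Python standard library alone; the site name, credentials, wordlist and iteration counts are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Illustrative KDF work factor; real managers use far more rounds or Argon2.
KDF_ITERATIONS = 100_000


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password into two independent keys.
    vault_key never leaves the client and decrypts the vault; auth_key is what
    the client proves to the server at login and cannot decrypt anything, so
    the server never learns the master password or the vault key."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    vault_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(stretched, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream using HMAC as the PRF: a stand-in for AES so the
    # example needs no third-party library. Not a production cipher.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC the vault client-side; only this blob is uploaded."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict):
    """Returns the entries, or None if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ciphertext", "tag"))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def enroll(master_password: str, entries: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Everything the server ends up holding for one user: salt, work factor,
    a hash of the login key for authentication checks, and the encrypted vault."""
    salt = secrets.token_bytes(16)
    vault_key, auth_key = derive_keys(master_password, salt, iterations)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "auth_hash": hashlib.sha256(auth_key).hexdigest(),
        "vault": encrypt_vault(vault_key, entries),
    }


def client_open(master_password: str, server_record: dict):
    """Normal use: re-derive the vault key locally and decrypt the downloaded blob."""
    vault_key, _ = derive_keys(master_password, bytes.fromhex(server_record["salt"]),
                               server_record["iterations"])
    return decrypt_vault(vault_key, server_record["vault"])


def offline_brute_force(server_record: dict, candidates):
    """What someone who stole the server-side record can do: guess master
    passwords offline at one KDF run per guess, with no lockout and no 2FA
    in the way. Returns the recovered master password, or None."""
    salt = bytes.fromhex(server_record["salt"])
    for guess in candidates:
        vault_key, _ = derive_keys(guess, salt, server_record["iterations"])
        if decrypt_vault(vault_key, server_record["vault"]) is not None:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample vault: hypothetical site and credentials.
    entries = {"https://bank.example/login": {"user": "alice", "password": "Qv7#pLm2!xRz9wT"}}
    stolen = enroll("Summer2019!", entries, iterations=10_000)
    print("owner opens vault:", client_open("Summer2019!", stolen) == entries)
    wordlist = ["password", "123456", "Summer2019!", "letmein"]
    print("weak master recovered offline:", offline_brute_force(stolen, wordlist))
    stolen_strong = enroll("correct horse battery staple tradewinds", entries, iterations=10_000)
    print("strong master recovered offline:", offline_brute_force(stolen_strong, wordlist))
```

The guess loop is the whole argument for a long master password: once the record is stolen, the attacker pays one PBKDF2 run per candidate with no lockout and no email confirmation, so a master password that appears in a wordlist falls quickly while a long passphrase does not. It is also why the iteration count matters; it is the only cost the defender can raise after the vault has left the building.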
RE: RE: RE: RE: RE: People worried about the cloud...
Safari/Apple/iCloud Keychain is essentially a password manager. Chrome has its own password manager and Firefox has theirs. I don't know the specifics for Microsoft but I'd expect they have something similar for IE or Edge. The passwords are remembered across devices but they're only good for the one browser, but you can copy and paste between browsers. The advantage is they're free.
The problem is, if you have devices in more than one ecosystem, you can’t get to your passwords universally. Can’t get to your Apple universe passwords from a Windows or Android device for example.
LastPass works pretty much everywhere. It works in Windows, Mac and Linux. It has extensions for every major browser and apps for iOS, Android and Windows phone. All your devices synchronize with one another. And you get all that in the free version.
Awhile ago, I signed up for Last Pass premium and found that it remembered about 1/2 of my passwords. I ended up typing my master password to access Last Pass and then typing in the password for the site I was accessing. I asked a friend who also had Last Pass and he had the same experience. I stopped using it and didn’t renew. Did that ever happen to you?
I'm not sure if I understand the problem you’re having. Some of the passwords/sites that you saved in LastPass are missing? Haven’t experienced any problems myself.
This linked article may help: Vault items missing. Also, as a Premium member you’re entitled to priority tech support.
is a bit more expensive than the others but it is by far the best option if you want to use it on every device you own. If you're Mac/iOS only, 1password is very good too.
I use LastPass.
Quote:
That’s a lot of effort and resources for something that might be worthless. You should worry more about your financial institution getting hacked. As Willie Sutton said, “That's where the money is.”
Like Wells Fargo??