Password Management
- Posts: 9881
- Joined: Mon Sep 07, 2009 2:57 pm
- Location: Milky Way
Password Management
I did bring this up in the OPM thread, but felt that the topic is worthy of a new/separate thread. We all have many passwords for the various sites we access and are told we should regularly change them. We are also told that the passwords should be strong, which means they are difficult to remember. Some sort of password manager would seem to make sense. However, I am hesitant to put passwords - which I consider the absolute most sensitive data - on my computer or in "the cloud." I have seen calculator-size devices (no connection to the internet) that perform password management, but reviews are mixed. (They seem to be made in China, which doesn't give me a warm feeling either.) What do you do to manage your passwords?
Best regards, -Op
"In the middle of difficulty lies opportunity." Einstein
Re: Password Management
I use a spreadsheet that is in an encrypted disk image.
Over the years, I have tried many different methods, but kept coming back to this.
Good luck!
Re: Password Management
Keep a plain text file of usernames and passwords but encrypt it with truecrypt. The computing resources necessary to break that encryption are immense. Far stronger than your passwords.
-
- Posts: 9881
- Joined: Mon Sep 07, 2009 2:57 pm
- Location: Milky Way
Re: Password Management
62andret wrote:
> I use a spreadsheet that is in an encrypted disk image.
> Over the years, I have tried many different methods, but kept coming back to this.

Is this something that can be done using Veracrypt?
Best regards, -Op
"In the middle of difficulty lies opportunity." Einstein
Re: Password Management
I use LastPass with long strong different passwords for all finan$ial $ites.
-
- Posts: 9881
- Joined: Mon Sep 07, 2009 2:57 pm
- Location: Milky Way
Re: Password Management
NightFall wrote:
> Keep a plain text file of usernames and passwords but encrypt it with truecrypt. The computing resources necessary to break that encryption are immense. Far stronger than your passwords.

I have used Veracrypt a little in the past. One concern is that you need to decrypt the file while you are editing it (I think). Is that your understanding?
Best regards, -Op
"In the middle of difficulty lies opportunity." Einstein
Re: Password Management
Call_Me_Op wrote:
> NightFall wrote:
> > Keep a plain text file of usernames and passwords but encrypt it with truecrypt. The computing resources necessary to break that encryption are immense. Far stronger than your passwords.
>
> I have used Veracrypt a little in the past. One concern is that you need to decrypt the file while you are editing it (I think). Is that your understanding?

Yes. Almost anything encrypted will have to be decrypted to use it. If you're very paranoid, keep it on a computer not connected to a network.
Re: Password Management
I don't know about Veracrypt.
Since I have a mac I use the disk utility to make the disk image.
Truecrypt is no more, but there are a couple of groups that are taking the old code and redoing it.
Re: Password Management
midareff wrote:
> I use LastPass with long strong different passwords for all finan$ial $ites.

Has anyone used a product like Lastpass with a financial integration service like Mint, Personal Capital or Yodlee?
Do they play well together? Conceptually it seems like the LastPass would make it very difficult for the integration products to be able to access and update accounts.
70/30 AA for life, Global market cap equity. Rebalance if fixed income <25% or >35%. Weighted ER< .10%. 5% of annual portfolio balance SWR, Proportional (to AA) withdrawals.
Re: Password Management
Keepass is probably what you are looking for. You're in complete control of the password database and if you don't want to put it in the cloud, then you don't have to. It's free and open source, and available for all of the major desktop and mobile platforms. It's easy to use and has plenty of advanced features if you want them, but you certainly don't need to use them.
Just be sure to make many backups of your password database.
Re: Password Management
I also use Keepass, and it works pretty well. As jchef wrote, it's just a normal program that stores passwords in an encrypted file. There's no browser integration, and no cloud storage unless you do it yourself (I do, FWIW). It's open source, so you're not dependent on a company that might go out of business or change their business model. And there are clients for iOS, Android, and Windows Phone.
The other advantage over using a text or Excel file is that Keepass can generate random passwords for you, so there is no chance of reuse. I have no idea what my password is for pretty much any website.
Re: Password Management
I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?
Re: Password Management
heartwood wrote:
> I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?

If hackers can manage to steal a password file, it's likely they will also be able to steal the necessary information to recreate the second factor of the 2 factor authentication.
And once they have the password file, simpler passwords are much easier to extract from the password hash file than more complex passwords. So I would strongly advise to keep on using a password manager and randomly generated complex passwords.
Last edited by jchef on Sun Jul 12, 2015 10:15 am, edited 1 time in total.
- Sunny Sarkar
- Posts: 2443
- Joined: Fri Mar 02, 2007 12:02 am
- Location: Flower Mound, TX
- Contact:
Re: Password Management
Call_Me_Op wrote:
> I am hesitant to put passwords - which I consider the absolute most sensitive data - on my computer or in "the cloud."

I use LastPass. The way it works, it keeps a locally (on the user's computer) encrypted blob of the passwords on the cloud in such a way that even LastPass wouldn't be able to decrypt the passwords if they wanted to - which means that even if they are stolen from the cloud, it's useless to the hackers.
Additional safety measures that can be taken are:
(1) use a really long nonsensical master pass-phrase (https://xkcd.com/936/) and change it often
(2) multi-factor authentication
(3) use a separate security email address (https://lastpass.com/support.php?cmd=showfaq&id=2465)
(4) type only a part of the master password and copy paste the other part to safeguard from keyloggers
(5) randomize the usernames too (why not? lastpass is remembering them as well)
All that adds up to pretty rock solid security as far as I'm concerned
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle
- Doom&Gloom
- Posts: 5417
- Joined: Thu May 08, 2014 3:36 pm
Re: Password Management
jchef wrote:
> Keepass is probably what you are looking for. You're in complete control of the password database and if you don't want to put it in the cloud, then you don't have to. It's free and open source, and available for all of the major desktop and mobile platforms. It's easy to use and has plenty of advanced features if you want them, but you certainly don't need to use them.
> Just be sure to make many backups of your password database.

Another KeePass user here. You can easily have two (or more) KeePass databases. You can omit your critical financial account passwords from one of the databases and put that one "in the cloud" while keeping your primary database only on your home PC (and backups, of course.)

Afty wrote:
> I also use Keepass, and it works pretty well. As jchef wrote, it's just a normal program that stores passwords in an encrypted file. There's no browser integration, and no cloud storage unless you do it yourself (I do, FWIW). It's open source, so you're not dependent on a company that might go out of business or change their business model. And there are clients for iOS, Android, and Windows Phone.
> The other advantage over using a text or Excel file is that Keepass can generate random passwords for you, so there is no chance of reuse. I have no idea what my password is for pretty much any website.

That assumes that you will never need to access those accounts from another device. It is what I do, and not at all inconvenient. YMMV.
- Sunny Sarkar
- Posts: 2443
- Joined: Fri Mar 02, 2007 12:02 am
- Location: Flower Mound, TX
- Contact:
Re: Password Management
Most people I know who use Keepass sync across multiple devices using a cloud storage like Dropbox - and to me that felt less secure than storing everything in LastPass.
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle
Re: Password Management
Sunny Sarkar wrote:
> Most people I know who use Keepass sync across multiple devices using a cloud storage like Dropbox - and to me that felt less secure than storing everything in LastPass.

It shouldn't be any less secure as long as you trust the math of the encryption and hashing. And if you don't trust the math, you should have a problem with both Keepass and LastPass.
And with Keepass being open source, it allows experts to look at the code to see if they can find bugs. While that certainly doesn't guarantee the software works perfectly, it's better than the situation with LastPass, where you just have to trust them.
Re: Password Management
Surprised that no one has mentioned Dashlane, a great product. Last year, the Wall Street Journal rated the various password products and Dashlane came out on top. I would provide a link to the article, but the WSJ won't let me do so. You can find the review by Googling "Wall Street Journal and Dashlane." The product is free and there is a premium version for about $30 per year. The free version works great.
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Password Management
heartwood wrote:
> I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?

I think you're confused.
If you're using a password manager to remember and enter your passwords there's no reason to not use the most random and longest passwords supported by the web site and manager. If you're not remembering them and not typing them, the cost is indistinguishable from zero and there are advantages to complex passwords, even if you are using two factor verification.
On the other hand the three factors are:
- Something you are (e.g. fingerprints)
- Something you have (e.g. dongle)
- Something you know (e.g. password)
Re: Password Management
Sunny Sarkar wrote:
> Most people I know who use Keepass sync across multiple devices using a cloud storage like Dropbox - and to me that felt less secure than storing everything in LastPass.

Especially if you are taking sufficient advantage of the 1 second delay function for Keepass and only have it on non-phone systems (or tolerate really slow times for emergency use on the phone), it's really not a true concern if someone actually does get the file, if you trust the basic encryption and other protective features along with having a strong enough master password.
Basically, short of the NSA or possibly Chinese intel spending a lot of time and resources specifically targeting you, the file is simply going to be too resource intensive to actually successfully determine the password or break the encryption. (Even in those cases it's not necessarily clear if they can actually manage it right now.) Even if the password could theoretically be broken with a powerful enough cracking cluster system in a few years, no-one is actually going to take the time to do that.
Re: Password Management
Epsilon Delta wrote:
> On the other hand the three factors are:
> - Something you are (e.g. fingerprints)
> - Something you have (e.g. dongle)
> - Something you know (e.g. password)

One problem: an "unnamed" nation state now has fingerprints for 1M+ Americans so the whole assumption that fingerprints uniquely identify someone is invalid. Imagine burglars or foreign intelligence officers wearing gloves customized with fingerprints from this database. Also causes the whole iPhone TouchID concept to fail. Same could eventually happen with retina scans or other biometric data. Can never assume the three factors are safe from compromise. Has to be a way to re-issue when compromised (can't do that with biometrics).
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: Password Management
Epsilon Delta wrote:
> heartwood wrote:
> > I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?
>
> I think you're confused.
> If you're using a password manager to remember and enter your passwords there's no reason to not use the most random and longest passwords supported by the web site and manager. If you're not remembering them and not typing them, the cost is indistinguishable from zero and there are advantages to complex passwords, even if you are using two factor verification.
> On the other hand the three factors are:
> - Something you are (e.g. fingerprints)
> - Something you have (e.g. dongle)
> - Something you know (e.g. password)
> Each of these things protects against different types of attack, so for maximum security you use more than one. A password in a password manager really isn't something you know, so 2 factor identification using a dongle and a password manager is something you have and something else you have. This does add security, particularly if you keep the two things you have separate, but it does leave you open to some attacks that a memorized password would protect against. Of course if you're going to memorize a password it has to be short enough to memorize.

I agree with you, but didn't fully explain my question. I'm fine with LastPass on my laptop and have no concern about how complex the PWs are. It's when I want to access sites from my tablet or phone. I don't pay for LastPass to sync across my devices. I also don't like the LastPass interface I'm forced to use on my tablet/phone. So to access a site with 2 factor verification I prefer a PW I've memorized along with a texted code. Something like a9z5t2l7g1 that I know because I've used it repeatedly, now with a text code or an app installed on my phone/tablet that requests approval a la outlook.com.
I get the brute force idea that could crack a9z5t2l7g1. If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?
Re: Password Management
heartwood wrote:
> If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?

What do you mean by this? Are you looking at your spam folder, or are you getting a legitimate email from Google (not in your spam folder) saying "confirm password change request". There is very little reason to look at your spam folder unless you think an important email is missing. There are going to be many emails with links to bad websites in your spam folder.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: Password Management
stan1 wrote:
> heartwood wrote:
> > If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?
>
> What do you mean by this? Are you looking at your spam folder, or are you getting a legitimate email from Google (not in your spam folder) saying "confirm password change request". There is very little reason to look at your spam folder unless you think an important email is missing. There are going to be many emails with links to bad websites in your spam folder.

If you go to the lower right of your gmail screen it shows "last account activity". Click "details" under that and you get an activity information popup showing concurrent sessions, the IP addresses that have accessed the account recently. I was mistaken. Gmail is not where I saw the above countries, it was in hotmail/outlook accounts I use. You can similarly check security in outlook mail. It will show actual failed logon attempts. It was those I recalled. I confused it with gmail because I fetch hotmail/outlook mail into gmail. Outlook was showing logons from the Bay area where the gmail server is located and fetching my mail a few times a day.
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Password Management
stan1 wrote:
> Epsilon Delta wrote:
> > On the other hand the three factors are:
> > - Something you are (e.g. fingerprints)
> > - Something you have (e.g. dongle)
> > - Something you know (e.g. password)
>
> One problem: an "unnamed" nation state now has fingerprints for 1M+ Americans so the whole assumption that fingerprints uniquely identify someone is invalid. Imagine burglars or foreign intelligence officers wearing gloves customized with fingerprints from this database. Also causes the whole iPhone TouchID concept to fail. Same could eventually happen with retina scans or other biometric data. Can never assume the three factors are safe from compromise. Has to be a way to re-issue when compromised (can't do that with biometrics).

There's a difference between theory and practice here. The purpose of something you are is not that it's secret, it's that it can't be duplicated. Re-issue is not needed if you use it correctly.
The problem with fingerprints is that people aren't checking fingerprints correctly. To make sure the fingerprint represents "something you are" they need to make sure that the print is in skin, attached to a living finger, and maybe check for scars. And they need to trust the finger print scanner.
Of course an iPhone doesn't do that and it's nonsense to use fingerprints in that way. However for high security situations you can add the extra checks and using fingerprints or other biometrics is useful.
Re: Password Management
I'm a KeePass/Dropbox user. Very convenient. Very secure. I've considered LastPass, but I don't see a compelling advantage to it. With KeePass, I also store a lot of non-password info that is nice to have secure but available.
Re: Password Management
I should add that in addition to storing long, randomly generated passwords in my vault, I generate long, random user names for sites like banking and investing. That and 2-factor authentication.
Some key principles:
1) Don't be someone that hackers want to hack. If you are, you need to be even more cautious.
2) You don't have to be perfectly secure, just secure enough that hackers will move on to the next target instead of wasting time on you.
3) Avoid putting your eggs in a basket that is exposed to mass-attack. Having something unique about your approach helps avoid this. For example, using KeePass but adding a non-stored prefix or suffix to your more critical passwords that isn't stored.
Re: Password Management
OK, I don't have a Hotmail account and I don't use POP3 so maybe others can talk to those, but for Google Mail you can look at what devices have tried to access your account in the past 28 days -- do you see any you do not recognize?
Directions on how to do this are here:
https://support.google.com/mail/answer/ ... authuser=0
The activity shown on your account could be coming from your POP3 service or other 3rd party services you've signed up for. Or, it could mean you have malware on your computer.
Do you have two factor authentication enabled for Google?
Have you followed the procedures on the Google security checkup website (e.g. text message verification, etc.)
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: Password Management
stan1 wrote:
> Do you have two factor authentication enabled for Google?
> Have you followed the procedures on the Google security checkup website (e.g. text message verification, etc.)

Yes, all of it.
Hence my initial question re simpler PWs and 2 step.
Re: Password Management
heartwood wrote:
> stan1 wrote:
> > Do you have two factor authentication enabled for Google?
> > Have you followed the procedures on the Google security checkup website (e.g. text message verification, etc.)
>
> Yes, all of it.
> Hence my initial question re simpler PWs and 2 step.

I'd change the email account passwords and stop using all third party applications/services to see if the access from the foreign countries stops. I would be very concerned if I saw what you are describing (although I still don't understand how you are seeing these access attempts). There is no reason you should see access to your email accounts from servers in Russia, China, or Vietnam and I would immediately stop any service/app that let this happen.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: Password Management
stan1 wrote:
> I'd change the email account passwords and stop using all third party applications/services to see if the access from the foreign countries stops. I would be very concerned if I saw what you are describing (although I still don't understand how you are seeing these access attempts). There is no reason you should see access to your email accounts from servers in Russia, China, or Vietnam and I would immediately stop any service/app that let this happen.

There was no access, only attempts at access. What I described is specific to a throwaway hotmail account I've been using for many years. The account has a medium level name with a special character in it. It's the one I use on any site that I don't want to associate with me and don't really have a relationship with but requires an account. None immediately come to mind, but for instance it's not what I use for BH, although that's also a throwaway account name.
The hotmail name while somewhat unusual has been used for a long time in a lot of situations. I'm guessing that the name is out there in a lot of venues. Again guessing, people are trying to logon to my account from Vietnam, etc. Hotmail shows the attempt, and shows it was not successful. Seeing that activity (and two uses of my email on yet another account for someone's FB account outside the US and for a Sprint phone account and purchase) led me to look at all my accounts, establish 2 factor on all, change PW in some cases.
I'm still asking for opinions as to whether a memorized random PW together with 2 factor is good enough, say for Vanguard access.
Re: Password Management
I use LastPass, with two factor authentication where it makes sense. I allow LP to create nonsensical passwords, that are for all purposes, unbreakable.

heartwood wrote:
> I'm still asking for opinions as to whether a memorized random PW together with 2 factor is good enough, say for Vanguard access.

In general, yes. You are at 99.999% secure at that point. IF (big if) your password is strong. With a weak pw, I'd move you to 99.9%.
"Happiness is not about doing, it’s about being." - R Branson
Re: Password Management
I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.
Re: Password Management
Spreadsheet, Excel - actually have 2 spreadsheets, one for the more important stuff like financial info in which I actually have a cell with a link to the target and then in other cells the username, password, and maybe answers to the security questions, if any - this setup makes it easy for my wife when she pays the bills electronically.
The other spreadsheet is for things like Ebay, Bogleheads, etc. and is without a target link.
Re: Password Management
I've been using 1Password for several years. Big fan. It is traditionally a Mac application with an excellent iPhone/iPad app that integrates very well with all browsers. The nice thing about 1Password is you can keep the password file completely offline on your computer if you want. If you want to take advantage of syncing between devices, however, you'll either have to sync over WiFi or keep your data file on Dropbox. Nowadays, there are also Windows and Android apps, but I haven't looked into them at all. The company is dedicated to building great apps, and they are releasing new updates regularly.
- Posts: 1113
- Joined: Mon Jan 06, 2014 3:28 pm
- Location: US citizen now retired in Canada. Subject to income tax in both.
Re: Password Management
62andret wrote:
> I use a spreadsheet that is in an encrypted disk image.
> Over the years, I have tried many different methods, but kept coming back to this.

This is what I do as well.
It also allows me to make screenprints of the verification questions and answers, etc., take notes, etc.
I also have links at the top to my two favorite sites for generating complex random passwords. I use these sites to generate a new password (and even sign-in user name), usually running 5 at once, then picking my favorite from the batch.
Re: Password Management
LastPass
Use Multifactor authentication with it
Last edited by Toons on Sun Jul 12, 2015 9:22 pm, edited 2 times in total.
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
Re: Password Management
Gemini wrote:
> I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.

If you have a smartphone you may be able to store and access your KeePass file on it. I have a copy of my KeePass file on my phone. It doesn't include PWs for VG or banks since I don't need access to those when I am away. I have a separate KeePass file for those PWs on my home computer.
I always wanted to be a procrastinator.
Re: Password Management
Sidney wrote:
> Gemini wrote:
> > I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.
>
> If you have a smartphone you may be able to store and access your KeePass file on it. I have a copy of my KeePass file on my phone. It doesn't include PWs for VG or banks since I don't need access to those when I am away. I have a separate KeePass file for those PWs on my home computer.

How?
And then how will I use it to get on websites? Use my phone?
Re: Password Management
1Password for me. Syncs effortlessly and their blog is fantastic, lots of articles about their design decisions and various security matters. I completely trust my password security with their apps.
https://blog.agilebits.com
Re: Password Management
Gemini wrote:
> Sidney wrote:
> > Gemini wrote:
> > > I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.
> >
> > If you have a smartphone you may be able to store and access your KeePass file on it. I have a copy of my KeePass file on my phone. It doesn't include PWs for VG or banks since I don't need access to those when I am away. I have a separate KeePass file for those PWs on my home computer.
>
> How?
> And then how will I use it to get on websites? Use my phone?

Whatever device you use when you use the jump drive.
I always wanted to be a procrastinator.
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Password Management
heartwood wrote:
> I'm still asking for opinions as to whether a memorized random PW together with 2 factor is good enough, say for Vanguard access.

Once you've selected a password just a bit more complex than "password" or your mother's maiden name the longer password is protecting against errors of the other party. You only need a complex password for a web site that makes egregious errors (such as allowing many rapid log in attempts or leaking inadequately hashed password files). Can you trust such a web site to properly implement 2 factor?
I don't know the answer to that one. It's possible that the site administration has enough separation between the factors that one will fail but not the other. But it's also possible that everything will fail due to a common root cause: the web site is being run by a Wally.
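An added example, not written by anyone in this thread, that puts rough numbers on this post and on the earlier ones about KeePass's 1 second delay setting and a memorised password of the a9z5t2l7g1 kind: expected search time for a 10-character, 36-symbol password against a rate-limited login, against a leaked unstretched hash, and against a leaked database protected by a stretched key derivation. The attacker guess rates, the 1,000,000-iteration count and the use of PBKDF2-HMAC-SHA256 as a stand-in for KeePass's own key transformation are assumptions, not measurements of any product.

```python
import hashlib
import os
import time

# Constructed sample in the shape discussed in the thread: 10 characters
# drawn from lowercase letters and digits (a 36-symbol alphabet).
SAMPLE_PASSWORD = "a9z5t2l7g1"
LOWER_DIGITS = 36
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speeds (illustrative only, not measurements):
ONLINE_RATE = 10.0             # guesses/s against a site that throttles logins
OFFLINE_FAST_HASH_RATE = 1e10  # guesses/s against a leaked, unstretched hash
STRETCH_ITERATIONS = 1_000_000 # assumed KDF work factor for the database file


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def expected_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Expected search time: on average half the keyspace is tried before a hit."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    KeePass has its own key-transformation step; PBKDF2 stands in for it here
    (assumption) because the cost argument is the same: every guess at the
    file must repeat the whole derivation.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float = 1.0, probe: int = 50_000) -> int:
    """Choose an iteration count so one derivation takes about target_seconds
    on this machine, which is what a "1 second delay" setting amounts to."""
    start = time.perf_counter()
    derive_key("calibration-only", os.urandom(16), probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))


def stretched_rate(unstretched_rate: float, iterations: int) -> float:
    """Guess rate once the attacker must pay the KDF cost per candidate."""
    return unstretched_rate / iterations


def scenario_years(charset_size: int = LOWER_DIGITS, length: int = len(SAMPLE_PASSWORD)) -> dict:
    """Expected years to find the password under three threat models."""
    return {
        "online_rate_limited": expected_seconds(charset_size, length, ONLINE_RATE) / SECONDS_PER_YEAR,
        "offline_fast_hash": expected_seconds(charset_size, length, OFFLINE_FAST_HASH_RATE) / SECONDS_PER_YEAR,
        "offline_stretched_kdf": expected_seconds(
            charset_size, length, stretched_rate(OFFLINE_FAST_HASH_RATE, STRETCH_ITERATIONS)
        ) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, years in scenario_years().items():
        print(f"{name:>22}: {years:,.4f} years")
    # A manager-generated 16-character password from the 94 printable ASCII symbols:
    print("random 16-char printable, offline fast hash:",
          f"{expected_seconds(94, 16, OFFLINE_FAST_HASH_RATE) / SECONDS_PER_YEAR:,.0f} years")
    print("iterations for roughly 1 s on this machine:", calibrate_iterations())
```

The middle scenario is the one Epsilon Delta's post describes: a site that leaks an inadequately hashed file turns a password that is fine against throttled logins into a matter of days, while stretching the key derivation on a local database file pushes the same search back out to thousands of years.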
Re: Password Management
heartwood wrote:
> I agree with you, but didn't fully explain my question. I'm fine with LastPass on my laptop and have no concern about how complex the PWs are. It's when I want to access sites from my tablet or phone. I don't pay for LastPass to sync across my devices. I also don't like the LastPass interface I'm forced to use on my tablet/phone. So to access a site with 2 factor verification I prefer a PW I've memorized along with a texted code. Something like a9z5t2l7g1 that I know because I've used it repeatedly, now with a text code or an app installed on my phone/tablet that requests approval a la outlook.com.
> I get the brute force idea that could crack a9z5t2l7g1. If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?

On top of what has already been said, another major issue is reusing the same password. Even if a site is properly implementing two factor authentication, they could be botching protecting your password. (Even leaving it in plain text so no brute forcing is needed.) If the hacker finds flaws so they can bypass two factor authentication used at other sites, they could then try your password there and you could be in trouble. (This situation is especially dangerous if you use the same username at different locations.) If there ends up being a specific bug with a widely used two factor authentication method, you could find yourself compromised at multiple sites.
I would suggest considering using Keepass since it does have versions that you can use on your tablet and smartphone without paying extra. (You can use a site like dropbox to specifically sync the devices.)
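The two points made in the posts above (a strong password mostly matters once a site leaks a badly hashed password file, and reusing that password lets one leak spill into other sites) can be shown concretely. The following is an added example, not code from this thread or from any product named in it. The two "sites", their user records and the five-word cracking list are all constructed for the demonstration; the scrypt parameters are kept small so it runs in a few seconds.

```python
"""Added example: an offline attack on a leaked password table stored two
ways (unsalted MD5 vs. salted scrypt), followed by a reuse check against a
second site. All users, passwords and the wordlist are constructed here."""
import hashlib
import hmac
import os

# Constructed records for "Site A", the site that leaks its password file.
SITE_A_PASSWORDS = {
    "alice": "password",
    "bob": "Summer2015",
    "carol": "a9z5t2l7g1",   # random-looking; not in any short wordlist
}
# Constructed records for "Site B": alice reused her password, bob did not.
SITE_B_PASSWORDS = {
    "alice": "password",
    "bob": "Tr0ub4dor&3-unique",
    "carol": "a9z5t2l7g1",
}
# Tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "Summer2015", "letmein"]

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)   # modest so the example runs fast


def hash_unsalted_md5(password):
    """Scheme A: one fast hash, no salt. Equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted_scrypt(password, salt=None):
    """Scheme B: per-user random salt plus a memory-hard KDF."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_scrypt(password, salt, digest):
    cand = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(cand, digest)


def crack_unsalted(table, wordlist):
    """Offline attack on scheme A. Each word is hashed once and looked up
    against every user, so work = len(wordlist) however many users leaked.
    Returns (recovered passwords, number of hash computations)."""
    lookup = {hash_unsalted_md5(w): w for w in wordlist}
    found = {u: lookup[h] for u, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(table, wordlist):
    """Same attack on scheme B. The per-user salt defeats the shared lookup,
    so every (user, word) pair tried costs one slow KDF call."""
    found, work = {}, 0
    for user, (salt, digest) in table.items():
        for w in wordlist:
            work += 1
            if verify_scrypt(w, salt, digest):
                found[user] = w
                break
    return found, work


def credential_stuffing(cracked, other_site):
    """Try each recovered password at a second site under the same username;
    returns the users whose reuse made the second site fall too."""
    return sorted(u for u, pw in cracked.items() if other_site.get(u) == pw)


def run_demo():
    table_a = {u: hash_unsalted_md5(p) for u, p in SITE_A_PASSWORDS.items()}
    table_b = {u: hash_salted_scrypt(p) for u, p in SITE_A_PASSWORDS.items()}
    found_a, work_a = crack_unsalted(table_a, WORDLIST)
    found_b, work_b = crack_salted(table_b, WORDLIST)
    spilled = credential_stuffing(found_a, SITE_B_PASSWORDS)
    return {"found_a": found_a, "work_a": work_a,
            "found_b": found_b, "work_b": work_b, "spilled": spilled}


if __name__ == "__main__":
    r = run_demo()
    print(f"unsalted MD5 : {r['found_a']} after {r['work_a']} hashes")
    print(f"salted scrypt: {r['found_b']} after {r['work_b']} KDF calls")
    print(f"reused at Site B: {r['spilled']}")
```

With this tiny wordlist both schemes give up the same two accounts; the difference is the cost curve. Against unsalted MD5 the attacker pays five hashes for the whole table and could just as well have precomputed them, while the salted, memory-hard scheme charges for every user and every guess separately, which is what keeps a 10-character random string such as a9z5t2l7g1 (36^10, a few million billion guesses) out of reach of a dictionary run. That same string is trivial to defend against on the site's own login form, where rate limiting caps guesses at a handful per minute, which is the point the earlier post makes: the extra length is insurance against the other party's mistakes. The last line shows the reuse problem: alice's password, recovered from Site A's leak, opens her account at Site B without any attack on Site B at all.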
Re: Password Management
We use the Keeper app. It's free to start out, and you can sort the passwords into categories or folders. If you pay $10/year, it will back up to the cloud. Used it for 2+ years now and very reliable.
Re: Password Management
MnD wrote:
midareff wrote:I use LastPass with long strong different passwords for all finan$ial $ites.
Has anyone used a product like Lastpass with a financial integration service like Mint, Personal Capital or Yodlee?
Do they play well together? Conceptually it seems like the LastPass would make it very difficult for the integration products to be able to access and update accounts.
I'm not sure how that would work. I use M* to update excel sheets/workbooks on demand at home and VG updates accounts still held at Fidelity and Fidelity updates from FIA Card Services so I don't think any of that should be a problem. An 18 character upper/lower case alphanumeric is what it is whether you use a service (LastPass) to auto store and enter or enter it yourself.
Re: Password Management
What do people use on their android phone or android tablet? Unless it's changed, last time I tried LastPass on my phone it worked as an independent browser rather than an app within Chrome and had a cost for syncing between devices. Still true? Is there an add-on app to Chrome on my phone that does PW management?
Re: Password Management
Another vote for Lastpass. Have been a pro user for many years. Make sure you get the YubiKey for extra protection.
https://lastpass.com/yubico/
Re: Password Management
LastPass. Make sure to use a strong master password as well as complex passwords for all financial (and other important) sites.
(It goes without saying that you should not use any password for more than one site.)
Also avail yourself of multi-factor authentication where available plus limits and restrictions on access via other computers, voice recognition, foreign country log-ins etc. Most of these are easy to set up and offer very little hassle factor.
Re: Password Management
I use KeePass as my password manager. There are versions of KeePass available for all of the mobile platforms.
heartwood wrote:
What do people use on their android phone or android tablet? Unless it's changed, last time I tried LastPass on my phone it worked as an independent browser rather than an app within Chrome and had a cost for syncing between devices. Still true? Is there an add-on app to Chrome on my phone that does PW management?
KeePassDroid and Keepass2Android are the two main ports available for Android. KeePassDroid is probably simpler to use. Keepass2Android has more advanced features, if you want them. Both of the ports are free and open source.
KeePassDroid just uses copy and paste to the clipboard, so you can use it with any application. Keepass2Android can use the same method, but it also can use a special keyboard which it claims is more secure.
Re: Password Management
I use LastPass.
I always make my passwords as long and complex as allowed (and, of course, never use the same password twice). Even if it's not a financial account, it doesn't hurt me in any way to make the password as difficult as possible.
I also have multi-factor authentication set up in order to log in to Lastpass from an unrecognized device. Even then, I have multi-factor authentication set up for other sites, like GMail and financial accounts. For GMail and Vanguard I have it set up so I have to use multi-factor even if the device is recognized.
LastPass is very simple to use, yet very secure.
Last edited by Silence Dogood on Mon Jul 13, 2015 9:57 am, edited 1 time in total.