Password Management

Topic Author
Call_Me_Op
Posts: 7423
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Password Management

Post by Call_Me_Op » Sun Jul 12, 2015 7:46 am

I did bring this up in the OPM thread, but felt that the topic is worthy of a new/separate thread. We all have many passwords for the various sites we access and are told we should regularly change them. We are also told that the passwords should be strong, which means they are difficult to remember. Some sort of password manager would seem to make sense. However, I am hesitant to put passwords - which I consider the absolute most sensitive data - on my computer or in "the cloud." I have seen calculator-size devices (no connection to the internet) that perform password management, but reviews are mixed. (They seem to be made in China, which doesn't give me a warm feeling either.) What do you do to manage your passwords?
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

62andret
Posts: 11
Joined: Wed Apr 15, 2015 8:41 am

Re: Password Management

Post by 62andret » Sun Jul 12, 2015 8:00 am

I use a spreadsheet that is in an encrypted disk image.

Over the years, I have tried many different methods, but kept coming back to this.

Good luck!

NightFall
Posts: 269
Joined: Wed Mar 12, 2014 4:38 pm

Re: Password Management

Post by NightFall » Sun Jul 12, 2015 8:03 am

Keep a plain text file of usernames and passwords but encrypt it with truecrypt. The computing resources necessary to break that encryption are immense. Far stronger than your passwords.

Topic Author
Call_Me_Op
Posts: 7423
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Password Management

Post by Call_Me_Op » Sun Jul 12, 2015 8:03 am

62andret wrote:I use a spreadsheet that is in an encrypted disk image.

Over the years, I have tried many different methods, but kept coming back to this.
Is this something that can be done using Veracrypt?
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

midareff
Posts: 6465
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Password Management

Post by midareff » Sun Jul 12, 2015 8:04 am

I use LastPass with long strong different passwords for all finan$ial $ites.

Topic Author
Call_Me_Op
Posts: 7423
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Password Management

Post by Call_Me_Op » Sun Jul 12, 2015 8:05 am

NightFall wrote:Keep a plain text file of usernames and passwords but encrypt it with truecrypt. The computing resources necessary to break that encryption are immense. Far stronger than your passwords.
I have used Veracrypt a little in the past. One concern is that you need to decrypt the file while you are editing it (I think). Is that your understanding?
Best regards, -Op | | "In the middle of difficulty lies opportunity." Einstein

NightFall
Posts: 269
Joined: Wed Mar 12, 2014 4:38 pm

Re: Password Management

Post by NightFall » Sun Jul 12, 2015 8:08 am

Call_Me_Op wrote:
NightFall wrote:Keep a plain text file of usernames and passwords but encrypt it with truecrypt. The computing resources necessary to break that encryption are immense. Far stronger than your passwords.
I have used Veracrypt a little in the past. One concern is that you need to decrypt the file while you are editing it (I think). Is that your understanding?
Yes. Almost anything encrypted will have to be decrypted to use it. If you're very paranoid, keep it on a computer not connected to a network.

62andret
Posts: 11
Joined: Wed Apr 15, 2015 8:41 am

Re: Password Management

Post by 62andret » Sun Jul 12, 2015 8:30 am

I don't know about Veracrypt.
Since I have a mac I use the disk utility to make the disk image.

Truecrypt is no more, but there are a couple of groups that are taking the old code and redoing it.

MnD
Posts: 4395
Joined: Mon Jan 14, 2008 12:41 pm

Re: Password Management

Post by MnD » Sun Jul 12, 2015 8:41 am

midareff wrote:I use LastPass with long strong different passwords for all finan$ial $ites.
Has anyone used a product like Lastpass with a financial integration service like Mint, Personal Capital or Yodlee?
Do they play well together? Conceptually it seems like the LastPass would make it very difficult for the integration products to be able to access and update accounts.
70/30 AA, Global market cap equity. Rebalance if FI <25% or >35%. Weighted ER< .10%. 5% of annual portfolio balance SWR, Proportional (to AA) withdrawals.

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Password Management

Post by jchef » Sun Jul 12, 2015 9:16 am

Keepass is probably what you are looking for. You're in complete control of the password database and if you don't want to put it in the cloud, then you don't have to. It's free and open source, and available for all of the major desktop and mobile platforms. It's easy to use and has plenty of advanced features if you want them, but you certainly don't need to use them.

Just be sure to make many backups of your password database.

Afty
Posts: 1121
Joined: Sun Sep 07, 2014 5:31 pm

Re: Password Management

Post by Afty » Sun Jul 12, 2015 9:41 am

I also use Keepass, and it works pretty well. As jchef wrote, it's just a normal program that stores passwords in an encrypted file. There's no browser integration, and no cloud storage unless you do it yourself (I do, FWIW). It's open source, so you're not dependent on a company that might go out of business or change their business model. And there are clients for iOS, Android, and Windows Phone.

The other advantage over using a text or Excel file is that Keepass can generate random passwords for you, so there is no chance of reuse. I have no idea what my password is for pretty much any website.

heartwood
Posts: 1438
Joined: Sat Nov 23, 2013 1:40 pm

Re: Password Management

Post by heartwood » Sun Jul 12, 2015 10:02 am

I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Password Management

Post by jchef » Sun Jul 12, 2015 10:14 am

heartwood wrote:I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?
If hackers can manage to steal a password file, it's likely they will also be able to steal the necessary information to recreate the second factor of the 2 factor authentication.

And once they have the password file, simpler passwords are much easier to extract from the password hash file than more complex passwords. So I would strongly advise to keep on using a password manager and randomly generated complex passwords.
Last edited by jchef on Sun Jul 12, 2015 10:15 am, edited 1 time in total.

Sunny Sarkar
Posts: 2418
Joined: Fri Mar 02, 2007 1:02 am
Location: Flower Mound, TX

Re: Password Management

Post by Sunny Sarkar » Sun Jul 12, 2015 10:14 am

Call_Me_Op wrote: I am hesitant to put passwords - which I consider the absolute most sensitive data - on my computer or in "the cloud."
I use LastPass. The way it works, it keeps a locally (on the user's computer) encrypted blob of the passwords on the cloud in such a way that even LastPass wouldn't be able to decrypt the passwords if they wanted to - which means that even if they are stolen from the cloud, it's useless to the hackers.

Additional safety measures that can be taken are:
(1) use a really long nonsensical master pass-phrase (https://xkcd.com/936/) and change it often
(2) multi-factor authentication
(3) use a separate security email address (https://lastpass.com/support.php?cmd=showfaq&id=2465)
(4) type only a part of the master password and copy paste the other part to safeguard from keyloggers
(5) randomize the usernames too (why not? lastpass is remembering them as well)
All that adds up to pretty rock solid security as far as I'm concerned.
"Cost matters". "Stay the course". "Press on, regardless". ― John C. Bogle

Doom&Gloom
Posts: 3097
Joined: Thu May 08, 2014 3:36 pm

Re: Password Management

Post by Doom&Gloom » Sun Jul 12, 2015 10:28 am

jchef wrote:Keepass is probably what you are looking for. You're in complete control of the password database and if you don't want to put it in the cloud, then you don't have to. It's free and open source, and available for all of the major desktop and mobile platforms. It's easy to use and has plenty of advanced features if you want them, but you certainly don't need to use them.

Just be sure to make many backups of your password database.
Afty wrote:I also use Keepass, and it works pretty well. As jchef wrote, it's just a normal program that stores passwords in an encrypted file. There's no browser integration, and no cloud storage unless you do it yourself (I do, FWIW). It's open source, so you're not dependent on a company that might go out of business or change their business model. And there are clients for iOS, Android, and Windows Phone.

The other advantage over using a text or Excel file is that Keepass can generate random passwords for you, so there is no chance of reuse. I have no idea what my password is for pretty much any website.
Another KeePass user here. You can easily have two (or more) KeePass databases. You can omit your critical financial account passwords from one of the databases and put that one "in the cloud" while keeping your primary database only on your home PC (and backups, of course.)

That assumes that you will never need to access those accounts from another device. It is what I do, and not at all inconvenient. YMMV.

Sunny Sarkar
Posts: 2418
Joined: Fri Mar 02, 2007 1:02 am
Location: Flower Mound, TX

Re: Password Management

Post by Sunny Sarkar » Sun Jul 12, 2015 10:43 am

Most people I know who use Keepass sync across multiple devices using a cloud storage like Dropbox - and to me that felt less secure than storing everything in LastPass.
"Cost matters". "Stay the course". "Press on, regardless". ― John C. Bogle

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Password Management

Post by jchef » Sun Jul 12, 2015 10:56 am

Sunny Sarkar wrote:Most people I know who use Keepass sync across multiple devices using a cloud storage like Dropbox - and to me that felt less secure than storing everything in LastPass.
It shouldn't be any less secure as long as you trust the math of the encryption and hashing. And if you don't trust the math, you should have a problem with both Keepass and LastPass.


And with Keepass being open source, it allows experts to look at the code to see if they can find bugs. While that certainly doesn't guarantee the software works perfectly, it's better than the situation with LastPass, where you just have to trust them.

dognose
Posts: 277
Joined: Sun Apr 11, 2010 7:57 pm
Location: Arizona

Re: Password Management

Post by dognose » Sun Jul 12, 2015 10:58 am

Surprised that no one has mentioned Dashlane, a great product. Last year, the Wall Street Journal rated the various password products and Dashlane came out on top. I would provide a link to the article, but the WSJ won't let me do so. You can find the review by Googling "Wall Street Journal and Dashlane." The product is free and there is a premium version for about $30 per year. The free version works great.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password Management

Post by Epsilon Delta » Sun Jul 12, 2015 11:18 am

heartwood wrote:I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?
I think you're confused.

If you're using a password manager to remember and enter your passwords there's no reason to not use the most random and longest passwords supported by the web site and manager. If you're not remembering them and not typing them, the cost is indistinguishable from zero and there are advantages to complex passwords, even if you are using two factor verification.

On the other hand the three factors are:
  • Something you are (e.g. fingerprints)
  • Something you have (e.g. dongle)
  • Something you know (e.g. password)
Each of these things protects against different types of attack, so for maximum security you use more than one. A password in a password manager really isn't something you know, so 2 factor identification using a dongle and a password manager is something you have and something else you have. This does add security, particularly if you keep the two things you have separate, but it does leave you open to some attacks that a memorized password would protect against. Of course if you're going to memorize a password it has to be short enough to memorize.

Mordoch
Posts: 371
Joined: Sat Mar 10, 2007 11:27 am

Re: Password Management

Post by Mordoch » Sun Jul 12, 2015 11:46 am

Sunny Sarkar wrote:Most people I know who use Keepass sync across multiple devices using a cloud storage like Dropbox - and to me that felt less secure than storing everything in LastPass.
Especially if you are taking sufficient advantage of the 1 second delay function for Keepass and only have it on non-phone systems (or tolerate really slow times for emergency use on the phone) it's really not a true concern if someone actually does get the file if you trust the basic encryption and other protective features along with having a strong enough master password.

Basically short of the NSA or possibly Chinese intel spending a lot of time and resources specifically targeting you, the file is simply going to be too resource intensive to actually successfully determine the password or break the encryption. (Even in those cases it's not necessarily clear if they can actually manage it right now.) Even if the password could theoretically be broken with a powerful enough cracking cluster system in a few years, no one is actually going to take the time to do that.
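
The cost argument in the post above, worked through as an added example (not part of the original post and not KeePass code). PBKDF2-HMAC-SHA256 stands in for the database's key transformation, and the master-password shapes, the 1 microsecond fast-hash figure and the worker count are assumptions chosen for the comparison.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit database key.

    PBKDF2-HMAC-SHA256 is a stand-in here; it is not KeePass's own
    key transformation, but the cost argument is the same.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def calibrate_iterations(target_seconds: float = 1.0, probe: int = 20_000) -> int:
    """Return an iteration count costing roughly target_seconds on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("calibration-only", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` uniformly random picks from the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, seconds_per_guess: float, workers: int = 1) -> float:
    """Worst-case time to try every candidate at the given per-guess cost."""
    return (2.0 ** bits) * seconds_per_guess / workers / SECONDS_PER_YEAR


# Constructed master-password shapes, chosen only for illustration.
SAMPLE_SHAPES = {
    "8 random lowercase letters": keyspace_bits(26, 8),
    "6 random words from a 7776-word list": keyspace_bits(7776, 6),
    "20 random printable ASCII characters": keyspace_bits(94, 20),
}


def cost_table(workers: int = 1000) -> dict:
    """Years to exhaust each shape, unstretched vs. stretched to 1 s per guess.

    The 1 microsecond figure for a single fast hash and the worker count
    are assumptions for the comparison, not measurements.
    """
    table = {}
    for label, bits in SAMPLE_SHAPES.items():
        table[label] = {
            "bits": round(bits, 1),
            "fast_hash_years": years_to_exhaust(bits, 1e-6, workers),
            "stretched_years": years_to_exhaust(bits, 1.0, workers),
        }
    return table


if __name__ == "__main__":
    rounds = calibrate_iterations(1.0)
    print(f"iterations for ~1 s on this machine: {rounds:,}")
    for label, row in cost_table().items():
        print(f"{label}: {row['bits']} bits, "
              f"fast hash {row['fast_hash_years']:.3g} y, "
              f"1 s stretch {row['stretched_years']:.3g} y")
```

The stretch multiplies the cost of every guess by the same factor, so it buys time for a master password that already has enough entropy and cannot rescue one that does not.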

stan1
Posts: 7977
Joined: Mon Oct 08, 2007 4:35 pm

Re: Password Management

Post by stan1 » Sun Jul 12, 2015 11:47 am

Epsilon Delta wrote:
On the other hand the three factors are:
  • Something you are (e.g. fingerprints)
  • Something you have (e.g. dongle)
  • Something you know (e.g. password)
One problem: an "unnamed" nation state now has fingerprints for 1M+ Americans so the whole assumption that fingerprints uniquely identify someone is invalid. Imagine burglars or foreign intelligence officers wearing gloves customized with fingerprints from this database. Also causes the whole iPhone TouchID concept to fail. Same could eventually happen with retina scans or other biometric data. Can never assume the three factors are safe from compromise. Has to be a way to re-issue when compromised (can't do that with biometrics).

heartwood
Posts: 1438
Joined: Sat Nov 23, 2013 1:40 pm

Re: Password Management

Post by heartwood » Sun Jul 12, 2015 12:05 pm

Epsilon Delta wrote:
heartwood wrote:I've used Lastpass for years, generally with simpler passwords, but with more complex or generated PWs for financial accounts. With the coming of 2 factor verification availability I'm more comfortable with simpler passwords and am considering going to ones I can actually remember. Am I deluding myself?
I think you're confused.

If you're using a password manager to remember and enter your passwords there's no reason to not use the most random and longest passwords supported by the web site and manager. If you're not remembering them and not typing them, the cost is indistinguishable from zero and there are advantages to complex passwords, even if you are using two factor verification.

On the other hand the three factors are:
  • Something you are (e.g. fingerprints)
  • Something you have (e.g. dongle)
  • Something you know (e.g. password)
Each of these things protects against different types of attack, so for maximum security you use more than one. A password in a password manager really isn't something you know, so 2 factor identification using a dongle and a password manager is something you have and something else you have. This does add security, particularly if you keep the two things you have separate, but it does leave you open to some attacks that a memorized password would protect against. Of course if you're going to memorize a password it has to be short enough to memorize.
I agree with you, but didn't fully explain my question. I'm fine with LastPass on my laptop and have no concern about how complex the PWs are. It's when I want to access sites from my tablet or phone. I don't pay for LastPass to sync across my devices. I also don't like the LastPass interface I'm forced to use on my tablet/phone. So to access a site with 2 factor verification I prefer a PW I've memorized along with a texted code. Something like a9z5t2l7g1 that I know because I've used it repeatedly, now with a text code or an app installed on my phone/tablet that requests approval a la outlook.com.

I get the brute force idea that could crack a9z5t2l7g1. If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?

stan1
Posts: 7977
Joined: Mon Oct 08, 2007 4:35 pm

Re: Password Management

Post by stan1 » Sun Jul 12, 2015 12:30 pm

heartwood wrote:If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?
What do you mean by this? Are you looking at your spam folder, or are you getting a legitimate email from Google (not in your spam folder) saying "confirm password change request". There is very little reason to look at your spam folder unless you think an important email is missing. There are going to be many emails with links to bad websites in your spam folder.

heartwood
Posts: 1438
Joined: Sat Nov 23, 2013 1:40 pm

Re: Password Management

Post by heartwood » Sun Jul 12, 2015 12:50 pm

stan1 wrote:
heartwood wrote:If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?
What do you mean by this? Are you looking at your spam folder, or are you getting a legitimate email from Google (not in your spam folder) saying "confirm password change request". There is very little reason to look at your spam folder unless you think an important email is missing. There are going to be many emails with links to bad websites in your spam folder.
If you go to the lower right of your gmail screen it shows "last account activity". Click "details" under that and you get an activity information popup showing concurrent sessions, the IP addresses that have accessed the account recently. I was mistaken. Gmail is not where I saw the above countries, it was in hotmail/outlook accounts I use. You can similarly check security in outlook mail. It will show actual failed logon attempts. It was those I recalled. I confused it with gmail because I fetch hotmail/outlook mail into gmail. Outlook was showing logons from the Bay area where the gmail server is located and fetching my mail a few times a day.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password Management

Post by Epsilon Delta » Sun Jul 12, 2015 1:00 pm

stan1 wrote:
Epsilon Delta wrote:
On the other hand the three factors are:
  • Something you are (e.g. fingerprints)
  • Something you have (e.g. dongle)
  • Something you know (e.g. password)
One problem: an "unnamed" nation state now has fingerprints for 1M+ Americans so the whole assumption that fingerprints uniquely identify someone is invalid. Imagine burglars or foreign intelligence officers wearing gloves customized with fingerprints from this database. Also causes the whole iPhone TouchID concept to fail. Same could eventually happen with retina scans or other biometric data. Can never assume the three factors are safe from compromise. Has to be a way to re-issue when compromised (can't do that with biometrics).
There's a difference between theory and practice here. The purpose of something you are is not that it's secret, it's that it can't be duplicated. Re-issue is not needed if you use it correctly.

The problem with fingerprints is that people aren't checking fingerprints correctly. To make sure the fingerprint represents "something you are" they need to make sure that the print is in skin, attached to a living finger, and maybe check for scars. And they need to trust the fingerprint scanner.

Of course an iPhone doesn't do that and it's nonsense to use fingerprints in that way. However for high security situations you can add the extra checks and using fingerprints or other biometrics is useful.

MarkBarb
Posts: 279
Joined: Mon Aug 03, 2009 11:59 am

Re: Password Management

Post by MarkBarb » Sun Jul 12, 2015 1:05 pm

I'm a KeePass/Dropbox user. Very convenient. Very secure. I've considered LastPass, but I don't see a compelling advantage to it. With KeePass, I also store a lot of non-password info that is nice to have secure but available.

MarkBarb
Posts: 279
Joined: Mon Aug 03, 2009 11:59 am

Re: Password Management

Post by MarkBarb » Sun Jul 12, 2015 1:09 pm

I should add that in addition to storing long, randomly generated passwords in my vault, I generate long, random user names for sites like banking and investing. That and 2-factor authentication.

Some key principles:
1) Don't be someone that hackers want to hack. If you are, you need to be even more cautious.
2) You don't have to be perfectly secure, just secure enough that hackers will move on to the next target instead of wasting time on you.
3) Avoid putting your eggs in a basket that is exposed to mass-attack. Having something unique about your approach helps avoid this. For example, using KeePass but adding a non-stored prefix or suffix to your more critical passwords that isn't stored.

stan1
Posts: 7977
Joined: Mon Oct 08, 2007 4:35 pm

Re: Password Management

Post by stan1 » Sun Jul 12, 2015 1:12 pm

OK, I don't have a Hotmail account and I don't use POP3 so maybe others can talk to those, but for Google Mail you can look at what devices have tried to access your account in the past 28 days -- do you see any you do not recognize?

Directions on how to do this are here:
https://support.google.com/mail/answer/ ... authuser=0

The activity shown on your account could be coming from your POP3 service or other 3rd party services you've signed up for. Or, it could mean you have malware on your computer.

Do you have two factor authentication enabled for Google?
Have you followed the procedures on the Google security checkup website (e.g. text message verification, etc.)

heartwood
Posts: 1438
Joined: Sat Nov 23, 2013 1:40 pm

Re: Password Management

Post by heartwood » Sun Jul 12, 2015 1:38 pm

stan1 wrote: Do you have two factor authentication enabled for Google?
Have you followed the procedures on the Google security checkup website (e.g. text message verification, etc.)
yes, all of it.

Hence my initial question re simpler PWs and 2 step.

stan1
Posts: 7977
Joined: Mon Oct 08, 2007 4:35 pm

Re: Password Management

Post by stan1 » Sun Jul 12, 2015 1:51 pm

heartwood wrote:
stan1 wrote: Do you have two factor authentication enabled for Google?
Have you followed the procedures on the Google security checkup website (e.g. text message verification, etc.)
yes, all of it.

Hence my initial question re simpler PWs and 2 step.
I'd change the email account passwords and stop using all third party applications/services to see if the access from the foreign countries stops. I would be very concerned if I saw what you are describing (although I still don't understand how you are seeing these access attempts). There is no reason you should see access to your email accounts from servers in Russia, China, or Vietnam and I would immediately stop any service/app that let this happen.

heartwood
Posts: 1438
Joined: Sat Nov 23, 2013 1:40 pm

Re: Password Management

Post by heartwood » Sun Jul 12, 2015 2:05 pm

stan1 wrote:
heartwood wrote:
stan1 wrote:
I'd change the email account passwords and stop using all third party applications/services to see if the access from the foreign countries stops. I would be very concerned if I saw what you are describing (although I still don't understand how you are seeing these access attempts). There is no reason you should see access to your email accounts from servers in Russia, China, or Vietnam and I would immediately stop any service/app that let this happen.
There was no access, only attempts at access. What I described is specific to a throwaway hotmail account I've been using for many years. The account has a medium level name with a special character in it. It's the one I use on any site that I don't want to associate with me and don't really have a relationship with but requires an account. None immediately come to mind, but for instance it's not what I use for BH, although that's also a throwaway account name.

The hotmail name while somewhat unusual has been used for a long time in a lot of situations. I'm guessing that the name is out there in a lot of venues. Again guessing, people are trying to logon to my account from Vietnam, etc. Hotmail shows the attempt, and shows it was not successful. Seeing that activity (and two uses of my email on yet another account for someone's FB account outside the US and for a Sprint phone account and purchase) led me to look at all my accounts, establish 2 factor on all, change PW in some cases.

I'm still asking for opinions as to whether a memorized random PW together with 2 factor is good enough, say for Vanguard access.

astrohip
Posts: 492
Joined: Tue Dec 21, 2010 4:29 pm
Location: Houston TX

Re: Password Management

Post by astrohip » Sun Jul 12, 2015 2:36 pm

I use LastPass, with two factor authentication where it makes sense. I allow LP to create nonsensical passwords, that are for all purposes, unbreakable.

heartwood wrote:I'm still asking for opinions as to whether a memorized random PW together with 2 factor is good enough, say for Vanguard access.
In general, yes. You are at 99.999% secure at that point. IF (big if) your password is strong. With a weak pw, I'd move you to 99.9%.
"Happiness is not about doing, it’s about being." - R Branson

Gemini
Posts: 996
Joined: Sun May 20, 2012 8:10 am

Re: Password Management

Post by Gemini » Sun Jul 12, 2015 2:51 pm

I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.

ubermax
Posts: 1510
Joined: Tue Feb 11, 2014 2:19 pm
Location: Connecticut

Re: Password Management

Post by ubermax » Sun Jul 12, 2015 3:02 pm

Spreadsheet, Excel - actually have 2 spreadsheets, one for the more important stuff like financial info in which I actually have a cell with a link to the target and then in other cells the username, password, and maybe answers to the security questions, if any - this setup makes it easy for my wife when she pays the bills electronically.

The other spreadsheet is for things like Ebay, Bogleheads, etc. and is without a target link.

Watts
Posts: 80
Joined: Sun Jan 05, 2014 10:04 am
Location: Texas

Re: Password Management

Post by Watts » Sun Jul 12, 2015 3:14 pm

I've been using 1Password for several years. Big fan. It is traditionally a Mac application with an excellent iPhone/iPad app that integrates very well with all browsers. The nice thing about 1Password is you can keep the password file completely offline on your computer if you want. If you want to take advantage of syncing between devices, however, you'll either have to sync over WiFi or keep your data file on Dropbox. Nowadays, there are also Windows and Android apps, but I haven't looked into them at all. The computer is dedicated to building great apps, and they are releasing new updates regularly.

JohnFiscal
Posts: 757
Joined: Mon Jan 06, 2014 4:28 pm
Location: Florida

Re: Password Management

Post by JohnFiscal » Sun Jul 12, 2015 3:34 pm

62andret wrote:I use a spreadsheet that is in an encrypted disk image.

Over the years, I have tried many different methods, but kept coming back to this.
This is what I do as well.

It also allows me to make screenprints of the verification questions and answers, etc., take notes, etc.

I also have links at the top to my two favorite sites for generating complex random passwords. I use these sites to generate a new password (and even sign-in user name), usually running 5 at once, then picking my favorite from the batch.

Toons
Posts: 13424
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Password Management

Post by Toons » Sun Jul 12, 2015 3:54 pm

LastPass
Use Multifactor authentication with it
Last edited by Toons on Sun Jul 12, 2015 9:22 pm, edited 2 times in total.
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

Sidney
Posts: 6736
Joined: Thu Mar 08, 2007 6:06 pm

Re: Password Management

Post by Sidney » Sun Jul 12, 2015 4:57 pm

Gemini wrote:I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.
If you have a smartphone you may be able to store and access your KeePass file on it. I have a copy of my KeePass file on my phone. It doesn't include PWs for VG or banks since I don't need access to those when I am away. I have a separate KeePass file for those PWs on my home computer.
I always wanted to be a procrastinator.

Gemini
Posts: 996
Joined: Sun May 20, 2012 8:10 am

Re: Password Management

Post by Gemini » Sun Jul 12, 2015 5:34 pm

Sidney wrote:
Gemini wrote:I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.
If you have a smartphone you may be able to store and access your KeePass file on it. I have a copy of my KeePass file on my phone. It doesn't include PWs for VG or banks since I don't need access to those when I am away. I have a separate KeePass file for those PWs on my home computer.
How?

And then how will I use it to get on websites? Use my phone?

crg11
Posts: 444
Joined: Sat Jan 04, 2014 8:16 am

Re: Password Management

Post by crg11 » Sun Jul 12, 2015 7:53 pm

1Password for me. Syncs effortlessly and their blog is fantastic, lots of articles about their design decisions and various security matters. I completely trust my password security with their apps.

https://blog.agilebits.com

Sidney
Posts: 6736
Joined: Thu Mar 08, 2007 6:06 pm

Re: Password Management

Post by Sidney » Sun Jul 12, 2015 8:10 pm

Gemini wrote:
Sidney wrote:
Gemini wrote:I am currently using KeePass offline. I carry it around on a jump drive. It is very tedious at times and becomes a major pain when some computers that I use do not allow access of external hardware. I am thinking of taking the plunge with LastPass, but worried about all of the recent hacking that went on there. I also looked at 1Password, but the price is more and the reviews place LastPass ahead.
If you have a smartphone you may be able to store and access your KeePass file on it. I have a copy of my KeePass file on my phone. It doesn't include PWs for VG or banks since I don't need access to those when I am away. I have a separate KeePass file for those PWs on my home computer.
How?

And then how will I use it to get on websites? Use my phone?
Whatever device you use when you use the jump drive.
I always wanted to be a procrastinator.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password Management

Post by Epsilon Delta » Sun Jul 12, 2015 9:10 pm

heartwood wrote:
I'm still asking for opinions as to whether a memorized random PW together with 2 factor is good enough, say for Vanguard access.
Once you've selected a password just a bit more complex than "password" or your mother's maiden name the longer password is protecting against errors of the other party. You only need a complex password for a web site that makes egregious errors (such as allowing many rapid log in attempts or leaking inadequately hashed password files). Can you trust such a web site to properly implement 2 factor?

I don't know the answer to that one. It's possible that the site administration has enough separation between the factors that one will fail but not the other. But it's also possible that everything will fail due to a common root cause: the web site is being run by a Wally.

Mordoch
Posts: 371
Joined: Sat Mar 10, 2007 11:27 am

Re: Password Management

Post by Mordoch » Sun Jul 12, 2015 9:23 pm

heartwood wrote:I agree with you, but didn't fully explain my question. I'm fine with LastPass on my laptop and have no concern about how complex the PWs are. It's when I want to access sites from my tablet or phone. I don't pay for LastPass to sync across my devices. I also don't like the LastPass interface I'm forced to use on my tablet/phone. So to access a site with 2 factor verification I prefer a PW I've memorized along with a texted code. Something like a9z5t2l7g1 that I know because I've used it repeatedly, now with a text code or an app installed on my phone/tablet that requests approval a la outlook.com.

I get the brute force idea that could crack a9z5t2l7g1. If I look at my outlook or gmail accounts for security attempts I can see several/many from Vietnam, China, Russia, Bolivia, etc. I know they're trying. But won't they have to brute force it and get a random code that expires in 10 minutes too?
On top of what has already been said, another major issue is reusing the same password. Even if a site is properly implementing two factor authentication, they could be botching protecting your password. (Even leaving it in plain text so no brute forcing is needed.) If the hacker finds flaws so they can bypass two factor authentication used at other sites, they could then try your password there and you could be in trouble. (This situation is especially dangerous if you use the same username at different locations.) If there ends up being a specific bug with a widely used two factor authentication method, you could find yourself compromised at multiple sites.

I would suggest considering using Keepass since it does have versions that you can use on your tablet and smartphone without paying extra. (You can use a site like dropbox to specifically sync the devices.)
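
Added example, not part of any post in this thread: a Python sketch of the trade-off raised in the two posts above (Epsilon Delta's and Mordoch's). It sizes the search space of the example password quoted in the thread and estimates the time to exhaust it when a site throttles logins versus when its password file leaks. The guess rates and character-class sizes are illustrative assumptions.

```python
import math
import string

# Size of each character class a guesser has to cover.
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10,
              "symbol": len(string.punctuation)}
# Guesses per second in three situations. All three rates are assumptions
# chosen for illustration, not measurements of any real site or hardware.
GUESS_RATES = {
    "online, site throttles logins": 100 / 3600,
    "offline, leaked slow salted hash": 1e4,
    "offline, leaked fast unsalted hash": 1e10,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def char_class(ch):
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    return "digit" if ch in string.digits else "symbol"

def pooled_space(password):
    """Candidates if any position may hold any class seen in the password."""
    pool = sum(CLASS_SIZE[c] for c in {char_class(ch) for ch in password})
    return pool ** len(password)

def positional_space(password):
    """Candidates if the layout (which class sits where) is predictable."""
    return math.prod(CLASS_SIZE[char_class(ch)] for ch in password)

def bits(space):
    return math.log2(space)

def years_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / SECONDS_PER_YEAR

def report(password):
    spaces = {"pooled": pooled_space(password),
              "positional": positional_space(password)}
    return {label: {name: years_to_exhaust(space, rate)
                    for name, rate in GUESS_RATES.items()}
            for label, space in spaces.items()}

if __name__ == "__main__":
    sample = "a9z5t2l7g1"  # the example password quoted in the thread
    for label, times in report(sample).items():
        for name, years in times.items():
            print(f"{label:10} {name:36} {years:.3g} years")
```

The "positional" rows show how much a regular letter-digit layout shrinks the space compared with what the length alone suggests, and the spread between the three rates is the gap between a site that limits login attempts and one that leaks a poorly hashed password file.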

ABQ4804
Posts: 414
Joined: Sun Jul 24, 2011 4:08 pm

Re: Password Management

Post by ABQ4804 » Mon Jul 13, 2015 1:15 am

We use the Keeper app. It's free to start out, and you can sort the passwords into categories or folders. If you pay $10/year, it will back up to the cloud. Used it for 2+ years now and very reliable.

midareff
Posts: 6465
Joined: Mon Nov 29, 2010 10:43 am
Location: Biscayne Bay, South Florida

Re: Password Management

Post by midareff » Mon Jul 13, 2015 6:18 am

MnD wrote:
midareff wrote:I use LastPass with long strong different passwords for all finan$ial $ites.
Has anyone used a product like Lastpass with a financial integration service like Mint, Personal Capital or Yodlee?
Do they play well together? Conceptually it seems like the LastPass would make it very difficult for the integration products to be able to access and update accounts.

I'm not sure how that would work. I use M* to update excel sheets/workbooks on demand at home and VG updates accounts still held at Fidelity and Fidelity updates from FIA Card Services so I don't think any of that should be a problem. An 18 character upper/lower case alpha numeric is what it is whether you use a service (LastPass) to auto store and enter or enter it yourself.

heartwood
Posts: 1438
Joined: Sat Nov 23, 2013 1:40 pm

Re: Password Management

Post by heartwood » Mon Jul 13, 2015 6:36 am

What do people use on their android phone or android tablet? Unless it's changed, last time I tried LastPass on my phone it worked as an independent browser rather than an app within Chrome and had a cost for syncing between devices. Still true? Is there an add-on app to Chrome on my phone that does PW management?

broadstone
Posts: 121
Joined: Wed Jan 14, 2015 1:14 pm
Location: USA

Re: Password Management

Post by broadstone » Mon Jul 13, 2015 7:40 am

Another vote for Lastpass. Have been a pro user for many years. Make sure you get the Yubi key for extra protection.

https://lastpass.com/yubico/

Blues
Posts: 1772
Joined: Wed Dec 10, 2008 11:58 am
Location: Blue Ridge Mtns

Re: Password Management

Post by Blues » Mon Jul 13, 2015 7:50 am

LastPass. Make sure to use a strong master password as well as complex passwords for all financial (and other important) sites.
(It goes without saying that you should not use any password for more than one site.)

Also avail yourself of multi-factor authentication where available plus limits and restrictions on access via other computers, voice recognition, foreign country log-ins etc. Most of these are easy to set up and offer very little hassle factor.
“Tactics without strategy is the noise before defeat.” - Sun Tzu | "Everybody has a plan until they get punched in the mouth." - Mike Tyson

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Password Management

Post by jchef » Mon Jul 13, 2015 9:26 am

heartwood wrote:What do people use on their android phone or android tablet? Unless it's changed, last time I tried LastPass on my phone it worked as an independent browser rather than an app within Chrome and had a cost for syncing between devices. Still true? Is there an add-on app to Chrome on my phone that does PW management?
I use KeePass as my password manager. There are versions of KeePass available for all of the mobile platforms.

KeePassDroid and Keepass2Android are the two main ports available for Android. KeePassDroid is probably simpler to use. Keepass2Android has more advanced features, if you want them. Both of the ports are free and open source.


KeePassDroid just uses copy and paste to the clipboard, so you can use it with any application. Keepass2Android can use the same method, but it also can use a special keyboard which it claims is more secure.

Silence Dogood
Posts: 1226
Joined: Tue Feb 01, 2011 9:22 pm

Re: Password Management

Post by Silence Dogood » Mon Jul 13, 2015 9:56 am

I use LastPass.

I always make my passwords as long and complex as allowed (and, of course, never use the same password twice). Even if it's not a financial account, it doesn't hurt me in any way to make the password as difficult as possible.

I also have multi-factor authentication set up in order to log in to Lastpass from an unrecognized device. Even then, I have multi-factor authentication set up for other sites, like GMail and financial accounts. For GMail and Vanguard I have it set up so I have to use multi-factor even if the device is recognized.

LastPass is very simple to use, yet very secure.
Last edited by Silence Dogood on Mon Jul 13, 2015 9:57 am, edited 1 time in total.
