Passwords

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
LadyGeek
Site Admin
Posts: 95474
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Passwords

Post by LadyGeek »

This thread is now in the Personal Consumer Issues forum (password).
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
casualflower
Posts: 382
Joined: Thu Jul 16, 2015 9:36 am

Re: Passwords

Post by casualflower »

Dead Man Walking wrote:Perhaps a technologically sophisticated poster could tell me if I'm safe from internet bandits.
Depends on your definition of "safe". As investors, we know that every avenue has risk and that risk is balanced by a reward. Some avenues are clearly losers on that line of risk/reward, some are winners. "Reward" here, I think, is primarily convenience.

Your strategy greatly reduces the risk of an anonymous person or organized attempt to steal usernames and passwords in large groups. But few individuals are in such danger.

Most hacking attempts are aimed at large institutions or at large aggregations of credit cards (where your liability would be completely absolved). "Ransomware" attacks have also made the news lately and again, are aimed at large institutions. Banks, etc. require complicated password schemes primarily to cover their assets, not to make you safer.

An individual is most at risk from "phishing" attacks where someone calls or e-mails you and pretends to be from the IRS and claims you owe money or pretends to represent a foreign lottery winner who just needs a little financial help to gather their winnings or a friend arrested in England who needs bail money. Email hacking is usually used to infect your computer to use it to send spam or advertise annoying products or to generate these phishing attempts.

If someone hacks your personal bank account, you would actually not be liable, assuming you took some care in protecting your log in information.

So, you personally, DMW, don't have much to worry about from the popularly conceived notion of "hacking". But a couple things pop out at me.

One is, do you trust everyone that has access to your written passwords? Do you have a housecleaner or sketchy son-in-law who may stumble upon your notes and have 10 minutes at your computer? You're more at risk from a theft from someone you know, than a stranger.

Second, from a convenience standpoint, what would happen if you lost those notes, say in a small house fire? It would be pretty inconvenient to recover them (but certainly not impossible).

And random usernames is overkill. The sentiment is well meaning, but not necessary.
casualflower
Posts: 382
Joined: Thu Jul 16, 2015 9:36 am

Re: Passwords

Post by casualflower »

A few other features of LastPass (and presumably other password managers)...I store more than just passwords.

I store credit card numbers. I have two businesses, do volunteer board work with two organizations, etc etc and have close to 20 credit cards. I don't want to carry them around, so I create entries for them in LastPass and put their numbers in and have them available when I need them (as long as I need them while at a computer).

I store notes. I can create text files and write a private note to myself. I don't use it a lot, but once in a while it's handy to have a reference to a tidbit of investing wisdom, right where I know I can find it.

I also store answers to those security questions...mother's maiden name, first grade teacher, first pet, etc. I'm not giving out real answers to those! I generate (using LP's built in feature) random strings of 6-10 lower case letters for that.

I can share passwords with other people. The computer my kids use can have access to the Amazon password, but not banking. My sister can have access to our mother's banking which we're managing for her now, etc.

I probably access LastPass 25 times a day on average.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Passwords

Post by Mudpuppy »

lotusflower wrote:
Kuna_Papa_Wengi wrote: I use Keepass2Android on my phone. I don't like the idea of keeping my passwords in the cloud.
Umm, so if not the cloud, how do you back up your Keepass file? Either you back it up manually after every change (tedious tasks like that typically lead to sloppy behavior), or you don't back it up at all. Either of those leads to an availability problem for your data (cf my previous post).
You back up KeePass the same way you back up any local file.... It's just a binary blob to the perspective of a backup utility. And I would certainly hope people are practicing good backup practices for their local files. I would also hope people are not trusting cloud storage providers to properly back up data on the cloud and have some sort of local backup copy in case something should happen to their cloud storage provider.

In my case, that means an encrypted external hard drive that gets swapped weekly with another (identical) encrypted external hard drive stored in a locked cabinet at work. I'll also swap out the drives right before any traveling (so my work drive has the most recent backup). A script copies data over to that hard drive on a regular basis. All of my home drives also are installed in a mirrored software RAID array, so there are two physical hard drives (or SSDs) with redundant data in case one fails. This plan does suffer from a location weakness (e.g. a natural disaster that wipes out both my home and work locations), but otherwise guards against theft, accidental loss, damage, failing hardware, etc.

As you might suspect, I am a KeePass user. Rather than repeat what I've said in the past with respect to password lockers and password policies, I'll just point the OP to previous threads on this issue:

How Does a Password Manager Impact Day to Day (IOS and Mac): viewtopic.php?f=11&t=193858
Weak Bank Password Policies Leave 350 Million Vulnerable, Say Researchers: viewtopic.php?f=11&t=186131
Password Management and Safekeeping: viewtopic.php?f=11&t=181563
Password Management: viewtopic.php?f=11&t=169379
Another reason why you should never reuse passwords...: viewtopic.php?f=11&t=97664
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Passwords

Post by mptfan »

metrunt wrote: If someone hacks your personal bank account, you would actually not be liable, assuming you took some care in protecting your log in information.
It's not that simple. You have a limited period of time within which to report unauthorized activity to the bank, usually 60 days from the time you receive the first statement showing the unauthorized activity. If you do not notify the bank within that period of time, you are liable.
tm3
Posts: 772
Joined: Wed Dec 24, 2014 6:16 pm

Re: Passwords

Post by tm3 »

Could someone please elaborate a little on how the process with LastPass plays out?

For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?

How do I login if I am on a computer at work or on a friend's computer?
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Passwords

Post by Mudpuppy »

tm3 wrote:Could someone please elaborate a little on how the process with LastPass plays out?

For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?

How do I login if I am on a computer at work or on a friend's computer?
Are you sure you don't have LastPass and KeePass confused? LastPass stores the passwords for you, so you shouldn't have anything stored in DropBox.... and if you do, is it a secured backup copy of your LastPass database with proper encryption?

And you really shouldn't be using your friend's computer to log in to financial websites or other high-value websites. Who knows what sort of malware might be on your friend's computer. It's just not a good practice. Wait until you get home.

Your work computer may also not be well-suited to checking your financial websites. It all depends on your employer's policy on monitoring computer use by employees. Even at my job, where I'm the one who set up my systems so I know exactly what it's set up to do in terms of logging, I minimize such activity because I don't want to be accused of using government time for personal business.
tm3
Posts: 772
Joined: Wed Dec 24, 2014 6:16 pm

Re: Passwords

Post by tm3 »

Thanks, yes I may have had them confused. But looking on the Lastpass www site I'm still unsure of the process -- do I open the LastPass app and copy the password from it onto the www site?

I never log on to financial www sites from a computer other than my own, but I was under the impression that LastPass users were using it for all email accounts and other password accounts (such as BH) -- I do access those from computers other than my own.
casualflower
Posts: 382
Joined: Thu Jul 16, 2015 9:36 am

Re: Passwords

Post by casualflower »

tm3 wrote:Could someone please elaborate a little on how the process with LastPass plays out?

For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?

How do I login if I am on a computer at work or on a friend's computer?
LastPass makes an "add-on" for several of the most popular browsers. These will allow you to auto-enter or copy and paste usernames/passwords easily.

From your friend's computer, you can also log into LastPass's website and view your "vault" in a browser, copying and pasting passwords. You could also do that from your own computer, but the browser plugins are much more useful.
tm3
Posts: 772
Joined: Wed Dec 24, 2014 6:16 pm

Re: Passwords

Post by tm3 »

metrunt wrote:
tm3 wrote:Could someone please elaborate a little on how the process with LastPass plays out?

For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?

How do I login if I am on a computer at work or on a friend's computer?
LastPass makes an "add-on" for several of the most popular browsers. These will allow you to auto-enter or copy and paste usernames/passwords easily.

From your friend's computer, you can also log into LastPass's website and view your "vault" in a browser, copying and pasting passwords. You could also do that from your own computer, but the browser plugins are much more useful.
Good explanation, thanks!
Kevin M
Posts: 15750
Joined: Mon Jun 29, 2009 3:24 pm

Re: Passwords

Post by Kevin M »

With LastPass, typically I click the icon for the LastPass extension at the top right of my Chrome browser, if necessary enter my LastPass master password (I have it set to log me out after a certain time of inactivity), then start typing the name of the site I want to log into until I see the LastPass login site I want to use in the drop-down window. Then I click on that, and the login process is initiated. For some sites, the entire login is automatic, but for others I need to click one or more additional times to move through the username and password screens, but no additional typing--just clicking.

There are other ways to do it, but this is the fastest for me.

Kevin
If I make a calculation error, #Cruncher probably will let me know.
Cindyjrn
Posts: 395
Joined: Mon Oct 27, 2014 5:40 pm

Re: Passwords

Post by Cindyjrn »

I've used LastPass premium for many years. So long in fact that I'm grandfathered in a lower rate than $12/year. I store everything there, including frequently used credit card information for making online purchases and bank routing information for filling out those forms which require a checking account instead of credit card. I also use the Android app which has become eminently more useful by allowing log in with your thumbprint instead of using your master password while trying to type on your phone. In the many years of using it, I've never had a single account breached, a single login compromised or a single case of credit card fraud perpetrated against me and I am a heavy online shopping user. Should anything happen to me, our oldest son knows my master password and can access all our password information. Continue to use your hidden books, complicated passphrases and whatnot, I'm not here trying to reinvent the wheel when it comes to security. Just as you trust your home security to companies that provide locks and alarms, I'm going with the pros here until they give me a reason not to. The simple fact of the matter is, even with internet access to your bank accounts, very little can be done with that money from the internet. I can barely move money into my Fidelity or Vanguard accounts with all their security and rules and regulations, I can't imagine some would-be thief trying to get it out.
BolderBoy
Posts: 6738
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Passwords

Post by BolderBoy »

lotusflower wrote:Just like mptfan if your passwords are not recorded anywhere except your mind that's pretty safe from everyone else
"Given the choice between spending $1 million trying to decrypt your passwords or spending $5 for a piece of pipe I'll use to beat the info out of you, which do you think I'll choose?"
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Passwords

Post by Epsilon Delta »

BolderBoy wrote:
lotusflower wrote:Just like mptfan if your passwords are not recorded anywhere except your mind that's pretty safe from everyone else
"Given the choice between spending $1 million trying to decrypt your passwords or spending $5 for a piece of pipe I'll use to beat the info out of you, which do you think I'll choose?"
False dichotomy. If your passwords are in a password manager they are encrypted under a master password. This is still susceptible to a lead pipe attack.

OTOH I don't think most people can remember more than a few strong passwords, so if you commit them to memory it may take a lot less than $1,000,000 to hack at least some of them.
zaplunken
Posts: 1368
Joined: Tue Jul 01, 2008 9:07 am

Re: Passwords

Post by zaplunken »

JPH wrote:I can recommend KeePass. It's free and has worked well for me. I just click on "open website" and then "autotype" to inject the username and password.
That's nice, I have used KeePass for 3 or 4 years on a desktop pc. I was aware of the alt a to do this but most sites won't accept it. I tested Autotype on one of those and it fills and logs in. Is this what someone was discussing that they wouldn't use? It is easier than the copy and paste I do for the userid and password.
czeckers
Posts: 1082
Joined: Thu May 17, 2007 3:49 pm
Location: USA

Re: Passwords

Post by czeckers »

I use a password manager. There are just way too many passwords to remember. However, I never store the actual password, but rather a hint.

Say I have a password that is 'fuzzy bunny', I'd write down the password as 'rabbit'. This way I can look up the password if I forget it, but the data would be useless to someone else. I know I forgo the convenience of having the password manager log me into websites automatically, but for me, that's a small price to pay for the peace of mind.

* Disclaimer: Fuzzy bunny is a purely fictitious password. Any resemblance to any real or imagined passwords is purely coincidental. :D
The Espresso portfolio: | | 20% US TSM, 20% Small Value, 10% US REIT, 10% Dev Int'l, 10% EM, 10% Commodities, 20% Inter-term US Treas | | "A journey of a thousand miles begins with a single step."
zaplunken
Posts: 1368
Joined: Tue Jul 01, 2008 9:07 am

Re: Passwords

Post by zaplunken »

JPH wrote:I can recommend KeePass. It's free and has worked well for me. I just click on "open website" and then "autotype" to inject the username and password.
What is Auto Type? I looked at all the menus without success, I read about it but I don't understand how to use it. I tried to open a website by using "ctrl V" and "left ctrl A" and it doesn't prefill and log me on. Maybe some sites won't allow it? I do use "left ctrl A" for Fido and it does work there.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Passwords

Post by Mudpuppy »

czeckers wrote:I use a password manager. There are just way too many passwords to remember. However, I never store the actual password, but rather a hint.

Say I have a password that is 'fuzzy bunny', I'd write down the password as 'rabbit'. This way I can look up the password if I forget it, but the data would be useless to someone else. I know I forgo the convenience of having the password manager log me into websites automatically, but for me, that's a small price to pay for the peace of mind.

* Disclaimer: Fuzzy bunny is a purely fictitious password. Any resemblance to any real or imagined passwords is purely coincidental. :D
That's a rather "warm and fuzzy" exercise if you use a local storage password locker that uses any reasonable level of strong encryption (e.g. KeePass) and if you use a reasonably strong password (e.g. couple dozen characters or more chosen from the alphanumeric+special charset). By that I mean it makes you feel good, but it doesn't actually encourage a better password practice or improve your overall password security.

The ability for an attacker to brute force a locally stored password locker with a strong password and strong encryption is nearly nil with modern technology. We're talking on the order of millennia of computational time to crack. An attacker is better off resorting to less expensive methods, like key loggers or browser-in-the-middle attacks, to catch the password as you enter it into the website. Even session hijacking would be an easier way of attacking the accounts if the attacker managed to get local access to your system, rather than brute forcing the password locker file.

The ability for the average human brain to remember hundreds of unique, reasonably complex passwords, even with a hint, is absolutely horrible. Brains just aren't designed for these sorts of tasks. This means most people will end up (a) reusing passwords, (b) using a pattern that an attacker could deduce after breaking a few sites where you use the same email address, or (c) reducing complexity of the passwords so they can be remembered. All of these weaken one's overall password security.

If you're truly concerned, set up a different locker for high-profile sites. Heck, even split that into multiple different lockers for high-profile sites if you wish. Just remember that the average human brain can only remember so many strong master passwords for the password locker.
Doom&Gloom
Posts: 5398
Joined: Thu May 08, 2014 3:36 pm

Re: Passwords

Post by Doom&Gloom »

zaplunken wrote:
JPH wrote:I can recommend KeePass. It's free and has worked well for me. I just click on "open website" and then "autotype" to inject the username and password.
What is Auto Type? I looked at all the menus without success, I read about it but I don't understand how to use it. I tried to open a website by using "ctrl V" and "left ctrl A" and it doesn't prefill and log me on. Maybe some sites won't allow it? I do use "left ctrl A" for Fido and it does work there.
When you highlight an entry in KeePass, right-click on it. In the drop-down menu "Perform Auto-type" is the fourth item. Click on it and you should be cooking. (It seems that Ctrl + V should do the same as well, but I have never done it that way.)

Note that you may have to click on the "User name" field on the particular website prior to attempting auto-type as the auto-type function will begin where your cursor is placed. Some sites seem to place it automatically in the "user name" field while others do not.
zaplunken
Posts: 1368
Joined: Tue Jul 01, 2008 9:07 am

Re: Passwords

Post by zaplunken »

Doom&Gloom wrote:
When you highlight an entry in KeePass, right-click on it. In the drop-down menu "Perform Auto-type" is the fourth item. Click on it and you should be cooking. (It seems that Ctrl + V should do the same as well, but I have never done it that way.)

Note that you may have to click on the "User name" field on the particular website prior to attempting auto-type as the auto-type function will begin where your cursor is placed. Some sites seem to place it automatically in the "user name" field while others do not.
I tried that (Ally Bank) but it doesn't work. Know how when you press ctrl F to find something? That place (bottom left corner) is where it puts the user name and password and then "can't find it" and doesn't open and load the data into the place to log in. Maybe it's Ally Bank? I use left ctrl A and some sites accept that and some don't for whatever reason, maybe this is the same.

Here's what I did - I opened my safe, highlighted Ally Bank, right clicked on that entry, right clicked on Perform Auto Type. I have auto type check box checked in the entry for Ally Bank. Not sure if I am doing anything wrong.

Not the end of the world but it would be easier than copy and pasting the user id and password into log on screens for sites.
Doom&Gloom
Posts: 5398
Joined: Thu May 08, 2014 3:36 pm

Re: Passwords

Post by Doom&Gloom »

zaplunken wrote:
Doom&Gloom wrote:
When you highlight an entry in KeePass, right-click on it. In the drop-down menu "Perform Auto-type" is the fourth item. Click on it and you should be cooking. (It seems that Ctrl + V should do the same as well, but I have never done it that way.)

Note that you may have to click on the "User name" field on the particular website prior to attempting auto-type as the auto-type function will begin where your cursor is placed. Some sites seem to place it automatically in the "user name" field while others do not.
I tried that (Ally Bank) but it doesn't work. Know how when you press ctrl F to find something? That place (bottom left corner) is where it puts the user name and password and then "can't find it" and doesn't open and load the data into the place to log in. Maybe it's Ally Bank? I use left ctrl A and some sites accept that and some don't for whatever reason, maybe this is the same.

Here's what I did - I opened my safe, highlighted Ally Bank, right clicked on that entry, right clicked on Perform Auto Type. I have auto type check box checked in the entry for Ally Bank. Not sure if I am doing anything wrong.

Not the end of the world but it would be easier than copy and pasting the user id and password into log on screens for sites.
I'm stumped. I don't have an Ally Bank account, but I went to their home page and used auto-type (using an old one of mine for a defunct site) and it filled in the user-name and password fields fine. Of course, I couldn't tell how it would have worked from that point. I even did it using the two different options for logging in that Ally present--not sure what that was, as I've never encountered an option like that before.

Hope someone will chime in to help you out here.
Gene2001
Posts: 42
Joined: Sat Jun 11, 2016 10:10 pm

Re: Passwords

Post by Gene2001 »

Lastpass Premium, but also go one step further to protect lastpass and use a yubikey

https://www.yubico.com/why-yubico/
lazydavid
Posts: 5125
Joined: Wed Apr 06, 2016 1:37 pm

Re: Passwords

Post by lazydavid »

Gene2001 wrote:Lastpass Premium, but also go one step further to protect lastpass and use a yubikey

https://www.yubico.com/why-yubico/
Yubikey is one excellent way of adding 2FA to Lastpass, but there are others as well. I personally use Google Authenticator, which is a time-based passcode generator, with the seed provided by Lastpass. There are several other options to choose from.

Bottom line is that adding a second factor is highly recommended where available, and hugely beneficial for something as critical as Lastpass. Pick something that works for you and use it.