Passwords
Re: Passwords
This thread is now in the Personal Consumer Issues forum (password).
-
- Posts: 382
- Joined: Thu Jul 16, 2015 9:36 am
Re: Passwords
Dead Man Walking wrote: Perhaps a technologically sophisticated poster could tell me if I'm safe from internet bandits.
Depends on your definition of "safe". As investors, we know that every avenue has risk and that risk is balanced by a reward. Some avenues are clearly losers on that line of risk/reward, some are winners. "Reward" here, I think, is primarily convenience.
Your strategy greatly reduces the risk of an anonymous person or organized attempt to steal usernames and passwords in large groups. But few individuals are in such danger.
Most hacking attempts are aimed at large institutions or at large aggregations of credit cards (where your liability would be completely absolved). "Ransomware" attacks have also made the news lately and again, are aimed at large institutions. Banks, etc require complicated password schemes primarily to cover their assets, not to make you safer.
An individual is most at risk from "phishing" attacks where someone calls or e-mails you and pretends to be from the IRS and claims you owe money or pretends to represent a foreign lottery winner who just needs a little financial help to gather their winnings or a friend arrested in England who needs bail money. Email hacking is usually used to infect your computer to use it to send spam or advertise annoying product or to generate these phishing attempts.
If someone hacks your personal bank account, you would actually not be liable, assuming you took some care in protecting your log in information.
So, you personally, DMW, don't have much to worry about from the popularly conceived notion of "hacking". But a couple things pop out at me.
One is, do you trust everyone that has access to your written passwords? Do you have a housecleaner or sketchy son-in-law who may stumble upon your notes and have 10 minutes at your computer? You're more at risk from a theft from someone you know, than a stranger.
Second, from a convenience standpoint, what would happen if you lost those notes, say in a small house fire? It would be pretty inconvenient to recover them (but certainly not impossible).
And random usernames is overkill. The sentiment is well meaning, but not necessary.
-
- Posts: 382
- Joined: Thu Jul 16, 2015 9:36 am
Re: Passwords
A few other features of LastPass (and presumably other password managers)...I store more than just passwords.
I store credit card numbers. I have two businesses, do volunteer board work with two organizations, etc etc and have close to 20 credit cards. I don't want to carry them around, so I create entries for them in LastPass and put their numbers in and have them available when I need them (as long as I need them while at a computer).
I store notes. I can create text files and write a private note to myself. I don't use it a lot, but once in a while it's handy to have a reference to a tidbit of investing wisdom, right where I know I can find it.
I also store answers to those security questions...mother's maiden name, first grade teacher, first pet, etc. I'm not giving out real answers to those! I generate (using LP's built in feature) random strings of 6-10 lower case letters for that.
I can share passwords with other people. The computer my kids use can have access to the Amazon password, but not banking. My sister can have access to our mother's banking which we're managing for her now, etc.
I probably access LastPass 25 times a day on average.
Re: Passwords
Kuna_Papa_Wengi wrote: I use Keepass2Android on my phone. I don't like the idea of keeping my passwords in the cloud.
lotusflower wrote: Umm, so if not the cloud, how do you back up your Keepass file? Either you back it up manually after every change (tedious tasks like that typically lead to sloppy behavior), or you don't back it up at all. Either of those leads to an availability problem for your data (cf my previous post).
You back up KeePass the same way you back up any local file.... It's just a binary blob to the perspective of a backup utility. And I would certainly hope people are practicing good backup practices for their local files. I would also hope people are not trusting cloud storage providers to properly back up data on the cloud and have some sort of local backup copy in case something should happen to their cloud storage provider.
In my case, that means an encrypted external hard drive that gets swapped weekly with another (identical) encrypted external hard drive stored in a locked cabinet at work. I'll also swap out the drives right before any traveling (so my work drive has the most recent backup). A script copies data over to that hard drive on a regular basis. All of my home drives also are installed in a mirrored software RAID array, so there are two physical hard drives (or SSDs) with redundant data in case one fails. This plan does suffer from a location weakness (e.g. a natural disaster that wipes out both my home and work locations), but otherwise guards against theft, accidental loss, damage, failing hardware, etc.
As you might suspect, I am a KeePass user. Rather than repeat what I've said in the past with respects to password lockers and password policies, I'll just point the OP to previous threads on this issue:
How Does a Password Manager Impact Day to Day (IOS and Mac): viewtopic.php?f=11&t=193858
Weak Bank Password Policies Leave 350 Million Vulnerable, Say Researchers: viewtopic.php?f=11&t=186131
Password Management and Safekeeping: viewtopic.php?f=11&t=181563
Password Management: viewtopic.php?f=11&t=169379
Another reason why you should never reuse passwords...: viewtopic.php?f=11&t=97664
Re: Passwords
metrunt wrote: If someone hacks your personal bank account, you would actually not be liable, assuming you took some care in protecting your log in information.
It's not that simple. You have a limited period of time within which to report unauthorized activity to the bank, usually 60 days from the time you receive the first statement showing the unauthorized activity. If you do not notify the bank within that period of time, you are liable.
Re: Passwords
Could someone please elaborate a little on how the process with LastPass plays out?
For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?
How do I login if I am on a computer at work or on a friend's computer?
Re: Passwords
tm3 wrote: Could someone please elaborate a little on how the process with LastPass plays out?
For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?
How do I login if I am on a computer at work or on a friend's computer?
Are you sure you don't have LastPass and KeePass confused? LastPass stores the passwords for you, so you shouldn't have anything stored in DropBox.... and if you do, is it a secured backup copy of your LastPass database with proper encryption?
And you really shouldn't be using your friend's computer to log in to financial websites or other high-value websites. Who knows what sort of malware might be on your friend's computer. It's just not a good practice. Wait until you get home.
Your work computer may also not be well-suited to checking your financial websites. It all depends on your employer's policy on monitoring computer use by employees. Even at my job, where I'm the one who set up my systems so I know exactly what it's set up to do in terms of logging, I minimize such activity because I don't want to be accused of using government time for personal business.
Re: Passwords
Thanks, yes I may have had them confused. But looking on the Lastpass www site I'm still unsure of the process -- do I open the LastPass app and copy the password from it onto the www site?
I never log on to financial www sites from a computer other than my own, but I was under the impression that LastPass users were using it for all email accounts and other password accounts (such as BH) -- I do access those from computers other than my own.
-
- Posts: 382
- Joined: Thu Jul 16, 2015 9:36 am
Re: Passwords
tm3 wrote: Could someone please elaborate a little on how the process with LastPass plays out?
For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?
How do I login if I am on a computer at work or on a friend's computer?
LastPass makes an "add-on" for several of the most popular browsers. These will allow you to auto-enter or copy and paste usernames/passwords easily.
From your friend's computer, you can also log into LastPass's website and view your "vault" in a browser, copying and pasting passwords. You could also do that from your own computer, but the browser plugins are much more useful.
Re: Passwords
tm3 wrote: Could someone please elaborate a little on how the process with LastPass plays out?
For example, when I want to log into Bogleheads do I look up my LastPass generated password that I have stored in DropBox and type it in? Or is the process automated in some way?
How do I login if I am on a computer at work or on a friend's computer?
metrunt wrote: LastPass makes an "add-on" for several of the most popular browsers. These will allow you to auto-enter or copy and paste usernames/passwords easily.
From your friend's computer, you can also log into LastPass's website and view your "vault" in a browser, copying and pasting passwords. You could also do that from your own computer, but the browser plugins are much more useful.
Good explanation, thanks!
Re: Passwords
With LastPass, typically I click the icon for the LastPass extension at the top right of my Chrome browser, if necessary enter my LastPass master password (I have it set to log me out after a certain time of inactivity), then start typing the name of the site I want to log into until I see the LastPass login site I want to use in the drop-down window. Then I click on that, and the login process is initiated. For some sites, the entire login is automatic, but for others I need to click one or more additional times to move through the username and password screens, but no additional typing--just clicking.
There are other ways to do it, but this is the fastest for me.
Kevin
If I make a calculation error, #Cruncher probably will let me know.
Re: Passwords
I've used LastPass premium for many years. So long in fact that I'm grandfathered in a lower rate than $12/year. I store everything there, including frequently used credit card information for making online purchases and bank routing information for filling out those forms which require a checking account instead of credit card. I also use the Android app which has become eminently more useful by allowing log in with your thumbprint instead of using your master password while trying to type on your phone. In the many years of using it, I've never had a single account breached, a single login compromised or a single case of credit card fraud perpetrated against me and I am a heavy online shopping user. Should anything happen to me, our oldest son knows my master password and can access all our password information. Continue to use your hidden books, complicated passphrases and whatnot, I'm not here trying to reinvent the wheel when it comes to security. Just as you trust your home security to companies that provides locks and alarms, I'm going with the pros here until they give me a reason not to. The simple fact of the matter is, even with internet access to your bank accounts, very little can be done with that money from the internet. I can barely move money into my Fidelity or Vanguard accounts with all their security and rules and regulations, I can't imagine some would be thief trying to get it out.
Re: Passwords
lotusflower wrote: Just like mptfan if your passwords are not recorded anywhere except your mind that's pretty safe from everyone else
"Given the choice between spending $1 million trying to decrypt your passwords or spending $5 for a piece of pipe I'll use to beat the info out of you, which do you think I'll choose?"
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
- Epsilon Delta
- Posts: 8090
- Joined: Thu Apr 28, 2011 7:00 pm
Re: Passwords
lotusflower wrote: Just like mptfan if your passwords are not recorded anywhere except your mind that's pretty safe from everyone else
BolderBoy wrote: "Given the choice between spending $1 million trying to decrypt your passwords or spending $5 for a piece of pipe I'll use to beat the info out of you, which do you think I'll choose?"
False dichotomy. If your passwords are in a password manager they are encrypted under a master password. This is still susceptible to a lead pipe attack.
OTOH I don't think most people can remember more than a few strong passwords, so if you commit them to memory it may take a lot less than $1,000,000 to hack at least some of them.
Re: Passwords
JPH wrote: I can recommend KeePass. It's free and has worked well for me. I just click on "open website" and then "autotype" to inject the username and password.
That's nice, I have used KeePass for 3 or 4 years on a desktop pc. I was aware of the alt a to do this but most sites won't accept it. I tested Autotype on one of those and it fills and logs in. Is this what someone was discussing that they wouldn't use? It is easier than the copy and paste I do for the userid and password.
Re: Passwords
I use a password manager. There are just way too many passwords to remember. However, I never store the actual password, but rather a hint.
Say I have a password that is 'fuzzy bunny', I'd write down the password as 'rabbit'. This way I can look up the password if I forget it, but the data would be useless to someone else. I know I forgo the convenience of having the password manager log me into websites automatically, but for me, that's a small price to pay for the peace of mind.
* Disclaimer: Fuzzy bunny is a purely fictitious password. Any resemblance to any real or imagined passwords is purely coincidental.
The Espresso portfolio: 20% US TSM, 20% Small Value, 10% US REIT, 10% Dev Int'l, 10% EM, 10% Commodities, 20% Inter-term US Treas
"A journey of a thousand miles begins with a single step."
Re: Passwords
JPH wrote: I can recommend KeePass. It's free and has worked well for me. I just click on "open website" and then "autotype" to inject the username and password.
What is Auto Type? I looked at all the menus without success, I read about it but I don't understand how to use it. I tried to open a website by using "ctrl V" and "left ctrl A" and it doesn't prefill and log me on. Maybe some sites won't allow it? I do use "left ctrl A" for Fido and it does work there.
Re: Passwords
czeckers wrote: I use a password manager. There are just way too many passwords to remember. However, I never store the actual password, but rather a hint.
Say I have a password that is 'fuzzy bunny', I'd write down the password as 'rabbit'. This way I can look up the password if I forget it, but the data would be useless to someone else. I know I forgo the convenience of having the password manager log me into websites automatically, but for me, that's a small price to pay for the peace of mind.
* Disclaimer: Fuzzy bunny is a purely fictitious password. Any resemblance to any real or imagined passwords is purely coincidental.
That's a rather "warm and fuzzy" exercise if you use a local storage password locker that uses any reasonable level of strong encryption (e.g. KeePass) and if you use a reasonably strong password (e.g. couple dozen characters or more chosen from the alphanumeric+special charset). By that I mean it makes you feel good, but it doesn't actually encourage a better password practice or improve your overall password security.
The ability for an attacker to brute force a locally stored password locker with a strong password and strong encryption is nearly nil with modern technology. We're talking on the order of millennia of computational time to crack. An attacker is better off resorting to less expensive methods, like key loggers or browser-in-the-middle attacks, to catch the password as you enter it into the website. Even session hijacking would be an easier way of attacking the accounts if the attacker managed to get local access to your system, rather than brute forcing the password locker file.
The ability for the average human brain to remember hundreds of unique, reasonably complex passwords, even with a hint, is absolutely horrible. Brains just aren't designed for these sorts of tasks. This means most people will end up (a) reusing passwords, (b) using a pattern that an attacker could deduce after breaking a few sites where you use the same email address, or (c) reducing complexity of the passwords so they can be remembered. All of these weaken one's overall password security.
If you're truly concerned, set up a different locker for high-profile sites. Heck, even split that into multiple different lockers for high-profile sites if you wish. Just remember that the average human brain can only remember so many strong master passwords for the password locker.
- Doom&Gloom
- Posts: 5398
- Joined: Thu May 08, 2014 3:36 pm
Re: Passwords
JPH wrote: I can recommend KeePass. It's free and has worked well for me. I just click on "open website" and then "autotype" to inject the username and password.
zaplunken wrote: What is Auto Type? I looked at all the menus without success, I read about it but I don't understand how to use it. I tried to open a website by using "ctrl V" and "left ctrl A" and it doesn't prefill and log me on. Maybe some sites won't allow it? I do use "left ctrl A" for Fido and it does work there.
When you highlight an entry in KeePass, right-click on it. In the drop-down menu "Perform Auto-type" is the fourth item. Click on it and you should be cooking. (It seems that Ctr + V should do the same as well, but I have never done it that way.)
Note that you may have to click on the "User name" field on the particular website prior to attempting auto-type as the auto-type function will begin where your cursor is placed. Some sites seem to place it automatically in the "user name" field while others do not.
Re: Passwords
Doom&Gloom wrote:
When you highlight an entry in KeePass, right-click on it. In the drop-down menu "Perform Auto-type" is the fourth item. Click on it and you should be cooking. (It seems that Ctr + V should do the same as well, but I have never done it that way.)
Note that you may have to click on the "User name" field on the particular website prior to attempting auto-type as the auto-type function will begin where your cursor is placed. Some sites seem to place it automatically in the "user name" field while others do not.
I tried that (Ally Bank) but it doesn't work. Know how when you press ctrl F to find something? That place (bottom left corner) is where it puts the user name and password and then "can't find it" and doesn't open and load the data into the place to log in. Maybe it's Ally Bank? I use left ctrl A and some sites accept that and some don't for what ever reason, maybe this is the same.
Here's what I did - I opened my safe, high lighted Ally Bank, right clicked on that entry, right clicked on Perform Auto Type. I have auto type check box checked in the entry for Ally Bank. Not sure if I am doing anything wrong.
Not the end of the world but it would be easier than copy and pasting the user id and password into log on screens for sites.
- Doom&Gloom
- Posts: 5398
- Joined: Thu May 08, 2014 3:36 pm
Re: Passwords
Doom&Gloom wrote:
When you highlight an entry in KeePass, right-click on it. In the drop-down menu "Perform Auto-type" is the fourth item. Click on it and you should be cooking. (It seems that Ctr + V should do the same as well, but I have never done it that way.)
Note that you may have to click on the "User name" field on the particular website prior to attempting auto-type as the auto-type function will begin where your cursor is placed. Some sites seem to place it automatically in the "user name" field while others do not.
zaplunken wrote: I tried that (Ally Bank) but it doesn't work. Know how when you press ctrl F to find something? That place (bottom left corner) is where it puts the user name and password and then "can't find it" and doesn't open and load the data into the place to log in. Maybe it's Ally Bank? I use left ctrl A and some sites accept that and some don't for what ever reason, maybe this is the same.
Here's what I did - I opened my safe, high lighted Ally Bank, right clicked on that entry, right clicked on Perform Auto Type. I have auto type check box checked in the entry for Ally Bank. Not sure if I am doing anything wrong.
Not the end of the world but it would be easier than copy and pasting the user id and password into log on screens for sites.
I'm stumped. I don't have an Ally Bank account, but I went to their home page and used auto-type (using an old one of mine for a defunct site) and it filled in the user-name and password fields fine. Of course, I couldn't tell how it would have worked from that point. I even did it using the two different options for logging in that Ally presents--not sure what that was, as I've never encountered an option like that before.
Hope someone will chime in to help you out here.
Re: Passwords
Lastpass Premium, but also go one step further to protect lastpass and use a yubikey
https://www.yubico.com/why-yubico/
Re: Passwords
Gene2001 wrote: Lastpass Premium, but also go one step further to protect lastpass and use a yubikey
https://www.yubico.com/why-yubico/
Yubikey is one excellent way of adding 2FA to Lastpass, but there are others as well. I personally use Google Authenticator, which is a time-based passcode generator, with the seed provided by Lastpass. There are several other options to choose from.
Bottom line is that adding a second factor is highly recommended where available, and hugely beneficial for something as critical as Lastpass. Pick something that works for you and use it.