Passwords

Topic Author
brak
Posts: 477
Joined: Thu Apr 24, 2008 6:00 am

Passwords

Post by brak »

Is there a program or an app or something that will help me both generate passwords for my many different accounts and keep track of them? I want my accounts to stay secure and I know changing passwords frequently is important to do...but how???? Thanks.
mancich
Posts: 1217
Joined: Fri Sep 05, 2014 2:05 pm

Re: Passwords

Post by mancich »

I use LastPass and have never had a problem. If you want a local password program only (i.e., one that resides only on your hard drive and is not web-based), you can't go wrong with KeePass. :beer
Loandapper
Posts: 226
Joined: Mon Jul 21, 2014 11:49 am

Re: Passwords

Post by Loandapper »

Last Pass Premium account. It will change the way you use the internet for the better.
mbcruiser
Posts: 64
Joined: Thu Sep 18, 2014 7:48 am

Re: Passwords

Post by mbcruiser »

I've used https://sourceforge.net/projects/passwordsafe/ for years. It's simple, secure, and syncs readily with my pc, android phone, and tablet. It's free as well.
CincyGuy
Posts: 55
Joined: Fri Jul 12, 2013 12:15 pm

Re: Passwords

Post by CincyGuy »

Highly recommend LastPass as well (premium - only $12/year - if you do a lot of stuff on your smartphone).
mhalley
Posts: 10424
Joined: Tue Nov 20, 2007 5:02 am

Re: Passwords

Post by mhalley »

I use KeePass, free, local or you can use Dropbox or other web-based storage for the file.
http://keepass.info/
lazydavid
Posts: 5124
Joined: Wed Apr 06, 2016 1:37 pm

Re: Passwords

Post by lazydavid »

LastPass and 1Password are both awesome. LastPass is a subscription service that stores your encrypted passwords for you, while 1Password is a software application that you purchase, and you are responsible for syncing your password vault between devices (I use Dropbox for this). Between the two I prefer LastPass, and I'm actually getting ready to roll out the Enterprise version in my company.

In either case, the concept is the same. You create one strong, easy-to-remember passphrase that you use exclusively for the password manager. Mine is well over 30 characters. The most important part is that this password is NEVER used for anything else. Then you use the tool to randomly generate unique passwords (like: 7tp-sK4,qY&j}E4r) for each site, store them and enter them for you. Make sure you disable your browser's password manager, as it is nowhere near as secure as the best of the 3rd party utilities.
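The per-site random passwords described in the post above, as an added example that is not part of the original thread and not any password manager's own code. It assumes Python's `secrets` module as the random source, a 94-symbol printable ASCII alphabet, and constructed site names.

```python
import math
import secrets
import string

# Printable ASCII without whitespace: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length=16, alphabet=ALPHABET, classes=CLASSES):
    """Return a random password drawn from the operating system's CSPRNG.

    Candidates that lack any required character class are thrown away and
    redrawn (rejection sampling). The survivors stay uniformly distributed,
    unlike schemes that force a digit or symbol into a fixed position.
    """
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    if any(not set(cls) & set(alphabet) for cls in classes):
        raise ValueError("alphabet cannot satisfy every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly random string, in bits.

    The class requirement above removes a small fraction of candidates,
    so the true figure is marginally lower than this bound.
    """
    return length * math.log2(alphabet_size)


def build_vault(sites, length=16):
    """Give every site its own independently generated password."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed site names, for illustration only.
    vault = build_vault(["bank.example", "broker.example", "mail.example"])
    for site, password in vault.items():
        print(f"{site:16} {password}")
    print(f"about {entropy_bits(16, len(ALPHABET)):.0f} bits per password")
```

Because each password is drawn independently, a leak at one site reveals nothing about the password used at another.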
JPH
Posts: 1427
Joined: Mon Jun 27, 2011 8:56 pm

Re: Passwords

Post by JPH »

I can recommend KeePass. It's free and has worked well for me. I just click on "open website" and then "autotype" to inject the username and password.
While the moments do summersaults into eternity | Cling to their coattails and beg them to stay - Townes Van Zandt
tibbitts
Posts: 23588
Joined: Tue Feb 27, 2007 5:50 pm

Re: Passwords

Post by tibbitts »

brak wrote:Is there a program or an app or something that will help me both generate passwords for my many different accounts and keep track of them? I want my accounts to stay secure and I know changing passwords frequently is important to do...but how???? Thanks.
I'm not sure it's been established that changing passwords frequently is important, but obviously having reasonably complex and unique passwords is. Also keep in mind when you're generating passwords that for some purposes you're going to have to key those in manually in one way or another (such as on a virtual keyboard.)
LazyNihilist
Posts: 1005
Joined: Sat Feb 19, 2011 8:56 pm

Re: Passwords

Post by LazyNihilist »

I would also highly recommend KeePass. I've been using it for the past 2 years.
http://keepass.info/
The strong do what they can and the weak suffer what they must -Thucydides
DoTheMath
Posts: 670
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Passwords

Post by DoTheMath »

tibbitts wrote: I'm not sure it's been established that changing passwords frequently is important, but obviously having reasonably complex and unique passwords is. Also keep in mind when you're generating passwords that for some purposes you're going to have to key those in manually in one way or another (such as on a virtual keyboard.)
I've always wondered about the advice to frequently change passwords. I can't see the use of it. If anything, it seems like it would encourage people to use weak passwords and/or use passwords more than once since those would be easier to remember.

True security comes from having strong passwords which are unique to each login account (to ensure that if one is hacked on the backend, the rest of your accounts are safe). A password manager makes this easy to do. I use 1password and am happy with it.
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: Passwords

Post by midareff »

Loandapper wrote:Last Pass Premium account. It will change the way you use the internet for the better.
Same here although I don't use mobile devices for access. Makes using 12 and 14+ character alphanumeric passwords easy peasy.
inverter
Posts: 1021
Joined: Mon Jul 27, 2015 1:40 pm
Location: New York, NY

Re: Passwords

Post by inverter »

Highly recommend LastPass Premium.
Toons
Posts: 14459
Joined: Fri Nov 21, 2008 9:20 am
Location: Hills of Tennessee

Re: Passwords

Post by Toons »

"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
triceratop
Posts: 5838
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Passwords

Post by triceratop »

I highly recommend LastPass too. Another option is to store it in a plaintext file and GPG-encrypt it, like pass does.

The other option is to use hunter2 as your password on all sites. It has worked well for me: easy to remember.
"To play the stock market is to play musical chairs under the chord progression of a bid-ask spread."
zeep
Posts: 146
Joined: Sat Oct 04, 2008 3:03 pm

Re: Passwords

Post by zeep »

Dashlane is another vendor similar to Lastpass. They have a nice interface, are simple to use, and synch nicely across devices. Dashlane premium, however, is more expensive than Lastpass premium. Lots of reviews online for both. Unless you need sync across devices, you may do fine with the free version of either. Personally, I find synching to be a tremendous benefit.

Much like choosing between similar index funds, it matters less which one you choose since they are pretty similar, but I highly recommend using a password manager.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Passwords

Post by Epsilon Delta »

DoTheMath wrote: I've always wondered about the advice to frequently change passwords. I can't see the use of it. If anything, it seems like it would encourage people to use weak passwords and/or use passwords more than once since those would be easier to remember.
Changing passwords limits the time an exposed password will be useful. This probably matters more in an office where passwords leak through shoulder surfing or are lent/borrowed. These shouldn't happen, but they do. The number of administrative assistants and tech support people who have the passwords of everybody they've ever worked for is much larger than it should be*. Expiring passwords every six months or so is an easy countermeasure. If one of the AAs is compromised the damage is limited to only the people they've worked with in the last six months.

Also if Moore's law is true the time to break a password is linear in complexity, not exponential. This suggests that passwords should be changed occasionally (every few years should be more than enough).

* It should be zero.
Last edited by Epsilon Delta on Tue Jul 12, 2016 10:30 am, edited 1 time in total.
Nummerkins
Posts: 673
Joined: Tue Jun 01, 2010 4:41 pm

Re: Passwords

Post by Nummerkins »

I use a combination of Dashlane and KeePass/Dropbox. I am slowly phasing KeePass out in favor of Dashlane. I like the UI much better than LastPass.
Today's high is tomorrow's low.
mervinj7
Posts: 2496
Joined: Thu Mar 27, 2014 3:10 pm

Re: Passwords

Post by mervinj7 »

Like many others, I use Lastpass Premium ($12/year) for almost all our accounts. Works fairly well on my home Macbook Pro, work PC, and Android smartphone. If you do use Lastpass, use two-factor authentication for added security. Upside is that SOMEONE needs both your long memorized password and your phone to sign in. Downside is that YOU need both your long memorized password and your phone to sign in.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Passwords

Post by Epsilon Delta »

mervinj7 wrote:Like many others, I use Lastpass Premium ($12/year) for almost all our accounts. Works fairly well on my home Macbook Pro, work PC, and Android smartphone. If you do use Lastpass, use two-factor authentication for added security. Upside is that SOMEONE needs both your long memorized password and your phone to sign in. Downside is that YOU need both your long memorized password and your phone to sign in.
Lastpass on your phone plus using the phone as a physical token is not two factor security.
mervinj7
Posts: 2496
Joined: Thu Mar 27, 2014 3:10 pm

Re: Passwords

Post by mervinj7 »

Epsilon Delta wrote:
mervinj7 wrote:Like many others, I use Lastpass Premium ($12/year) for almost all our accounts. Works fairly well on my home Macbook Pro, work PC, and Android smartphone. If you do use Lastpass, use two-factor authentication for added security. Upside is that SOMEONE needs both your long memorized password and your phone to sign in. Downside is that YOU need both your long memorized password and your phone to sign in.
Lastpass on your phone plus using the phone as a physical token is not two factor security.
Fair enough. But the assumption here is that you have a locked phone (as everyone should). But I agree that if you lose your phone AND it's unlocked/culprit has your phone passcode AND the culprit has your lastpass password, it's a security risk. However, using some form of authentication app will still make it difficult for someone to sign into lastpass from another device/computer.
Kevin M
Posts: 15750
Joined: Mon Jun 29, 2009 3:24 pm

Re: Passwords

Post by Kevin M »

Another satisfied LastPass customer here. The free version is fine, but I splurge for the premium version for the rare times I use it on my phone.

No experience with other password managers, but one thing about LP is that the wide variation in website designs requires some diligence in setting up an effective LP site for some logins. The basic setup process works well for many sites, but for some I have to use the "save all entered data" approach to create a working LP site. Also sometimes need two LP sites for logins that span web pages (e.g., username on page one, password on page two), but sometimes can manually merge the two into one by adding the fields from one LP site to the other. The most problematical sites are those that use different URLs on the username and password pages, in which case two LP sites may be required, one for username and one for password.

On some sites you can complete the entire login process by just launching the LP site, but many sites require a few additional clicks, regardless of the LP settings.

Also, some sites generate some sort of error when you first hit the page with an LP login, but you can often "cancel" out of the error message or click some other link on the error screen to get back to the login page, and then the LP login works.

Last issue I'll mention is that when a login webpage design is changed, it may require changing or creating a new LP site to work with the new design.

Kevin
If I make a calculation error, #Cruncher probably will let me know.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Passwords

Post by Epsilon Delta »

mervinj7 wrote:
Epsilon Delta wrote:
mervinj7 wrote:Like many others, I use Lastpass Premium ($12/year) for almost all our accounts. Works fairly well on my home Macbook Pro, work PC, and Android smartphone. If you do use Lastpass, use two-factor authentication for added security. Upside is that SOMEONE needs both your long memorized password and your phone to sign in. Downside is that YOU need both your long memorized password and your phone to sign in.
Lastpass on your phone plus using the phone as a physical token is not two factor security.
Fair enough. But the assumption here is that you have a locked phone (as everyone should). But I agree that if you lose your phone AND it's unlocked/culprit has your phone passcode AND the culprit has your lastpass password, it's a security risk. However, using some form of authentication app will still make it difficult for someone to sign into lastpass from another device/computer.
As you say, fair enough. It's safer than not doing it, it just doesn't completely eliminate a single point failure.

I get grumpy about security, it's so badly done. There's kludge upon kludge layered on to improve security. Many of these really do improve security, but they don't fix the original problems. Password managers are a case in point. If you have the computing power to run a password manager you have the computing power to run a true challenge and response system. This would deal with a bunch of issues all at once that are currently dealt with by layers of complexity, but it would require changes by the people running the servers, and they just don't care.
DoTheMath
Posts: 670
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Passwords

Post by DoTheMath »

Epsilon Delta wrote: Changing passwords limits the time an exposed password will be useful. This probably matters more in an office where passwords leak through shoulder surfing or are lent/borrowed. These shouldn't happen, but they do. The number of administrative assistants and tech support people who have the passwords of everybody they've ever worked for is much larger than it should be*. Expiring passwords every six months or so is an easy countermeasure. If one of the AAs is compromised the damage is limited to only the people they've worked with in the last six months.

Also if Moore's law is true the time to break a password is linear in complexity, not exponential. This suggests that passwords should be changed occasionally (every few years should be more than enough).

* It should be zero.
I take your point that there are circumstances where password changes are helpful, especially in an organizational setting like you describe. But it sounds like we agree that it is a second rate measure compared to using good security practices in the first place. For the home user I think regular password changes are mostly security theater.
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Passwords

Post by Epsilon Delta »

DoTheMath wrote:
Epsilon Delta wrote: Changing passwords limits the time an exposed password will be useful. This probably matters more in an office where passwords leak through shoulder surfing or are lent/borrowed. These shouldn't happen, but they do. The number of administrative assistants and tech support people who have the passwords of everybody they've ever worked for is much larger than it should be*. Expiring passwords every six months or so is an easy countermeasure. If one of the AAs is compromised the damage is limited to only the people they've worked with in the last six months.

Also if Moore's law is true the time to break a password is linear in complexity, not exponential. This suggests that passwords should be changed occasionally (every few years should be more than enough).

* It should be zero.
I take your point that there are circumstances where password changes are helpful, especially in an organizational setting like you describe. But it sounds like we agree that it is a second rate measure compared to using good security practices in the first place. For the home user I think regular password changes are mostly security theater.
Yes for a home user it's mostly theater. Not entirely, but it's a long way down the list.

However changing passwords is a necessary step going from insecure to secure. e.g. after a breach or if you have been sloppy and decide to turn over a new leaf.
Topic Author
brak
Posts: 477
Joined: Thu Apr 24, 2008 6:00 am

Re: Passwords

Post by brak »

Can people please define what "good security practices" on a computer involve? Thanks.
takeshi
Posts: 1175
Joined: Thu Oct 03, 2013 10:02 pm

Re: Passwords

Post by takeshi »

brak wrote:Is there a program or an app or something that will help me both generate passwords for my many different accounts and keep track of them? I want my accounts to stay secure and I know changing passwords frequently is important to do...but how???? Thanks.
Use a password manager.
http://lifehacker.com/5529133/five-best ... d-managers

Don't overlook prior threads as well. There have been a number of threads on password managers.
jayjayc
Posts: 637
Joined: Tue Jun 25, 2013 11:38 pm

Re: Passwords

Post by jayjayc »

brak wrote:Can people please define what "good security practices" on a computer involve? Thanks.
Here's a really good list of 10 best practices: https://ist.mit.edu/security/tips
jayjayc
Posts: 637
Joined: Tue Jun 25, 2013 11:38 pm

Re: Passwords

Post by jayjayc »

triceratop wrote: The other option is to use hunter2 as your password on all sites. It has worked well for me: easy to remember.
or use dadada. If it's good enough for Mark Zuckerberg, then it's good enough for me too.
http://www.wsj.com/articles/mark-zucker ... 1465251954

jk, Lastpass premium user here.
Pacific
Posts: 1609
Joined: Tue Mar 06, 2007 7:19 pm
Location: Lost in the middle of the Pacific

Re: Passwords

Post by Pacific »

Loandapper wrote:Last Pass Premium account. It will change the way you use the internet for the better.
+1
casualflower
Posts: 382
Joined: Thu Jul 16, 2015 9:36 am

Re: Passwords

Post by casualflower »

LastPass Premium for years now.

Just make sure your main LP password is sufficiently entropic.
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Passwords

Post by bertilak »

Has anyone used BOTH LastPass and KeePass and do you recommend one over the other?

I am currently satisfied with KeePass but am always open to change, if it is for the better. I have a huge number of passwords saved in it so would be reluctant to change due to the tedium of transferring passwords.

KeePass has an Android app that integrates well. It has a simple way of inserting ID/password without doing copy/paste. Works better than on a PC where one needs two, two-step processes (copy/paste), for ID and password. It's kind of clunky compared to the Android process. I make the password database available via OneDrive. I'm sure any of the popular cloud services would work.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
lazydavid
Posts: 5124
Joined: Wed Apr 06, 2016 1:37 pm

Re: Passwords

Post by lazydavid »

bertilak wrote:I am currently satisfied with KeePass but am always open to change, if it is for the better. I have a huge number of passwords saved in it so would be reluctant to change due to the tedium of transferring passwords.
Don't let that be a barrier. I transferred 700+ passwords from 1Password into LastPass in about 15 seconds. I'm sure they have a utility for KeePass as well.
bertilak wrote:KeePass has an Android app that integrates well. It has a simple way of inserting ID/password without doing copy/paste. Works better than on a PC where one needs two, two-step processes (copy/paste), for ID and password. It's kind of clunky compared to the Android process. I make the password database available via OneDrive. I'm sure any of the popular cloud services would work.
Lastpass does the same thing, on Android AND PC. On my PC browsers, it autofills my credentials for me, so I just click a button to sign in. On Android, in a browser AND most apps, if it recognizes that I have a login, it pops up a prompt, I swipe my fingerprint, then confirm the credential I want to use and I'm signed in.
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: Passwords

Post by Sidney »

brak wrote:Can people please define what "good security practices" on a computer involve? Thanks.
If you are referring to more broadly than passwords, I'd suggest starting a separate thread.
I always wanted to be a procrastinator.
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Passwords

Post by mptfan »

I am uncomfortable giving my passwords to a company or third party software, or, allowing a company or software to generate passwords for me to access my asset accounts. Companies can be hacked. LastPass was hacked...

http://lifehacker.com/lastpass-hacked-t ... 1711463571

In my opinion, if I do not share my username with anyone, AND I have a sufficiently random and long passphrase that only I know, AND I use two factor authentication (for example with Vanguard), AND I never respond to unsolicited emails that may be phishing emails, then I am secure. Am I wrong about this?
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Passwords

Post by bertilak »

I tried to install LastPass and it failed.
  • First: Says my email is already in use so tried "Logon Existing Account" instead of "Activate New Account" using PW I had stored in KeePass.
  • Second: Says PW invalid so I tried password hint. Got the hint in email. Hint was obvious to me but password associated with that was same as I already tried so still didn't work.
  • Third: I tried a few more passwords and got locked out.
  • Fourth: I tried "Account Recovery" and got an email with link to recovery web page. Clicked on the recover button. Failed with "LastPass plugin not installed" but Firefox shows me it is installed.
  • Fifth: Plugin set to "ask for activation" so I changed it to "always activate," restarted FF (again) but got same message about plugin not installed.
  • Uninstalled and started over up to point of Account Recovery. Says recovery still pending so go away!
  • Seventh: I GAVE UP, and uninstalled LastPass!
Firefox on Win 10.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
lotusflower
Posts: 323
Joined: Thu Oct 24, 2013 12:32 am

Re: Passwords

Post by lotusflower »

mptfan wrote:I am uncomfortable giving my passwords to a company or third party software, or, allowing a company or software to generate passwords for me to access my asset accounts. Companies can be hacked. LastPass was hacked...

http://lifehacker.com/lastpass-hacked-t ... 1711463571

In my opinion, if I do not share my username with anyone, AND I have a sufficiently random and long passphrase that only I know, AND I use two factor authentication (for example with Vanguard), AND I never respond to unsolicited emails that may be phishing emails, then I am secure. Am I wrong about this?
So if your long and random passphrase is the same at all sites, then this is much less secure than trusting a password manager. If any site stores your passphrase insecurely (either unencrypted or without a salt) and gets hacked, then all your other sites are compromised at the same time. If you don't understand about the LinkedIn breach, rainbow tables, and password salts, then your homework is to read up on this.

If you are using different passphrases for each site, then how do you remember them all unless you are a savant or are they not really random? Or do you keep them written down on paper where they could be stolen? Please tell me you don't keep them in Excel!

I agree that it is hard to trust a third party but security is very hard and trusting yourself to do it right is like defending yourself pro se in court. (As in, "A man who is his own lawyer has a fool for a client").

LastPass and KeePass and their ilk have withstood a lot of scrutiny and have specialists trying to keep them secure. That's why the lastpass breach didn't actually leak any user passwords, because the Lastpass folks knew how to store your data securely. They recommended changing passwords as a precaution. I personally use KeePass with the vault stored on Dropbox, but I would trust any of the major players in this space over trusting a homebrew method.
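The difference between unsalted and salted password storage that the post above refers to, as an added example that is not part of the original thread and does not show how any named site or product stores passwords. The SHA-256 and PBKDF2 choices, the iteration count, and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_record(password):
    """Weak storage: a single fast hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password, iterations=PBKDF2_ITERATIONS):
    """Stronger storage: a random per-account salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def accounts_matched_by_table(stored, table):
    """Return the accounts whose stored value appears in a precomputed table."""
    return sorted(user for user, value in stored.items() if value in table)


# Constructed sample data: two accounts happen to share a password.
SAMPLE_USERS = {
    "alice": "sunshine2016",
    "bob": "sunshine2016",
    "carol": "x9!Lq#27vTe@",
}


def demo(iterations=PBKDF2_ITERATIONS):
    """Store the same users both ways and report what a breach would reveal."""
    # Without a salt, a table built once in advance applies to every database.
    table = {unsalted_record("sunshine2016")}
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p, iterations) for u, p in SAMPLE_USERS.items()}
    return {
        "unsalted_table_hits": accounts_matched_by_table(unsalted, table),
        "unsalted_shared_digest": unsalted["alice"] == unsalted["bob"],
        "salted_shared_digest":
            salted["alice"]["digest"] == salted["bob"]["digest"],
        "correct_password_verifies": verify("sunshine2016", salted["alice"]),
        "wrong_password_verifies": verify("sunshine2017", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a salt, the two accounts that share a password no longer share a stored value, so each record has to be attacked separately and at the cost of the slow KDF.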
jebmke
Posts: 25271
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Passwords

Post by jebmke »

lotusflower wrote:If you are using different passphrases for each site, then how do you remember them all unless you are a savant or are they not really random? Or do you keep them written down on paper where they could be stolen? Please tell me you don't keep them in Excel!
Everyone knows that the best place to keep passwords is on a post-it note stuck to the display. How else is your electrician going to log into your bank account?
Stay hydrated; don't sweat the small stuff
mhalley
Posts: 10424
Joined: Tue Nov 20, 2007 5:02 am

Re: Passwords

Post by mhalley »

If you don't want to do the 2-4 step copy paste/copy paste with KeePass you can get a browser extension to do it for you. I used one in the past, but as I recall it was complicated to install. It worked ok, but when I had to reinstall Windows after a virus I elected to keep the clunky process. The one you want would be under the integration & transfer heading. (Keeform, etc).
http://keepass.info/plugins.html
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Passwords

Post by mptfan »

lotusflower wrote: If you are using different passphrases for each site, then how do you remember them all unless you are a savant or are they not really random? Or do you keep them written down on paper where they could be stolen? Please tell me you don't keep them in Excel!
I use different passphrases for my bank and investment accounts. For example, for Vanguard, my passphrase might be "I like chocolate ice cream" so my password is "ilcic" and for my bank it might be "I like frozen yogurt" so my password would be "ilfy". Of course these are not my real passphrases, the real ones are much longer (more than 10 characters) and unique and only I know them and I don't use them for any other site. I do not write them down anywhere, but I do keep a reminder word written down that triggers me to remember my passphrase, like "ice cream"... only I would know the full passphrase related to that word. Again, I am using simplistic examples to illustrate what I do, the real passphrase is much longer and unique, and even if someone saw my one word memory trigger word it would be impossible for them to know 1) that there was a long passphrase associated with that word, and 2) what the passphrase is. I also add a special character or two to the passphrase that only I know. The full passphrase or password is never written or saved anywhere.
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Passwords

Post by mptfan »

lotusflower wrote: LastPass and KeePass and their ilk have withstood a lot of scrutiny and have specialists trying to keep them secure. That's why the lastpass breach didn't actually leak any user passwords, because the Lastpass folks knew how to store your data securely. They recommended changing passwords as a precaution. I personally use KeePass with the vault stored on Dropbox, but I would trust any of the major players in this space over trusting a homebrew method.
I agree their ilk have a strong incentive to keep their data secure, but the hackers also have a strong incentive to break the security. I also understand that the lastpass hack did not leak any user passwords...not this time...maybe next time they will? I accept that it is unlikely, and I understand that they use hashes and other methods so that even if they are hacked the actual passwords themselves are protected, I get that, but unlikely is not impossible. I do know that if I do not use lastpass or their ilk, it would be impossible for someone to get my password to my investment and bank accounts by hacking lastpass. So the odds go from highly unlikely to impossible, and I choose impossible.

I understand your point about a homebrew method being potentially more vulnerable, but I am willing to accept that risk. I don't think there are any right or wrong answers here, just opinions, and each person has the right to make their own judgment.
Kuna_Papa_Wengi
Posts: 67
Joined: Sun Mar 08, 2015 1:55 pm
Location: Rocinante

Re: Passwords

Post by Kuna_Papa_Wengi »

I use Keepass2Android on my phone. I don't like the idea of keeping my passwords in the cloud.
lotusflower
Posts: 323
Joined: Thu Oct 24, 2013 12:32 am

Re: Passwords

Post by lotusflower »

mptfan wrote: Again, I am using simplistic examples to illustrate what I do, the real passphrase is much longer and unique, and even if someone saw my one word memory trigger word it would be impossible for them to know 1) that there was a long passphrase associated with that word, and 2) what the passphrase is. I also add a special character or two to the passphrase that only I know. The full passphrase or password is never written or saved anywhere.
Okay, that sounds pretty good to me, as long as the passwords are at least 12 characters to defeat brute-force attacks. Of course I'm just another amateur but am a programmer and have done a fair amount of research. The other benefit of KeePass is that I have shared the master password with my wife in case I am incapacitated. Last time I looked at LastPass's marketing info they stressed that a good system has to provide both security and availability, and your system has an availability problem. While that may not be a problem for your specific case, most people get a better level of overall security with a leading password manager.
cachemoney
Posts: 54
Joined: Fri Jul 08, 2016 9:57 am

Re: Passwords

Post by cachemoney »

I strongly recommend LastPass to all friends/family/co-workers. Like it's been said random and unique passwords for EVERY website you have a login can be automatically logged in while you only need to remember and input ONE password. Using on mobile apps is also a benefit if you pay the $12 fee.

Also it has a built in security challenge (password analyzer) that shows you how good your passwords are. If (when) a site breach happens you can see if your password for that site has been compromised. You can even have LastPass change a site password on its own (I've used it on Amazon.com).
czeckers
Posts: 1082
Joined: Thu May 17, 2007 3:49 pm
Location: USA

Re: Passwords

Post by czeckers »

Any concern that LastPass will get hacked, exposing everyone's passwords? There is a steady news stream of this company or that getting hacked and turning out to be not as secure as people thought it was (Snapchat stores the pics that disappear, what?).

I use an app to store passwords on my phone, but never the actual password-- just a reminder of it. However, I have to manually enter the passwords. Something that works across various platforms would be nice.
The Espresso portfolio: | | 20% US TSM, 20% Small Value, 10% US REIT, 10% Dev Int'l, 10% EM, 10% Commodities, 20% Inter-term US Treas | | "A journey of a thousand miles begins with a single step."
lotusflower
Posts: 323
Joined: Thu Oct 24, 2013 12:32 am

Re: Passwords

Post by lotusflower »

Kuna_Papa_Wengi wrote:I use Keepass2Android on my phone. I don't like the idea of keeping my passwords in the cloud.
Umm, so if not the cloud, how do you back up your Keepass file? Either you back it up manually after every change (tedious tasks like that typically lead to sloppy behavior), or you don't back it up at all. Either of those leads to an availability problem for your data (cf my previous post).

Personally I'm too worried about Android security to let my Keepass data anywhere near my phone or to do any banking on my phone. However that situation is probably improving rapidly with Android 6 and the popularity of mobile banking, but I'm still wary.

Edward Snowden said "Encryption works. Properly implemented strong cryptosystems are one of the few things that you can rely on." Keepass is open-source and people who know encryption can and do inspect the code. Whether or not your database is stored in the cloud it is encoded with AES encryption and so it should be quite secure if the implementation is correct.

If you type a letter and use strong encryption, you can drop a million copies of it in Times Square and no one will be able to read it, that's what Snowden is saying. The cloud itself is no more of a risk than the sidewalk of Times Square, as long as your data is encrypted.
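The point made in the post above, that an encrypted database is unreadable wherever a copy ends up, as an added JavaScript example that is not part of the thread and is not KeePass's code or file format: the master password is stretched with scrypt and the vault is sealed with AES-256-GCM. The function names, blob layout and sample data are assumptions made for the illustration.

```javascript
// Added illustration, not KeePass code: password-derived key + AES-256-GCM.
const crypto = require('node:crypto');

// Stretch the master password into a 256-bit key. scrypt is deliberately slow
// and memory-hard, which makes guessing the master password expensive.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Returns the blob that would be synced: salt | nonce | auth tag | ciphertext.
function sealVault(masterPassword, vault) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(vault), 'utf8'),
    cipher.final(),
  ]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Returns the vault object, or null when the password is wrong or the
// blob was altered in storage (GCM authentication fails in both cases).
function openVault(masterPassword, blob) {
  if (blob.length < 44) return null; // too short to hold salt, nonce and tag
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const body = blob.subarray(44);
  const key = deriveKey(masterPassword, salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample data; `synced` stands in for the copy held in cloud storage.
const sampleVault = { 'bank.example': 'constructed-Password-1' };
const synced = sealVault('correct horse battery staple', sampleVault);
```

The protection of the synced copy rests entirely on the master password and the key-stretching step, since anyone holding the blob can try guesses offline.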
lotusflower
Posts: 323
Joined: Thu Oct 24, 2013 12:32 am

Re: Passwords

Post by lotusflower »

czeckers wrote:Any concern that LastPass will get hacked, exposing everyone's passwords? There is a steady news stream of this company or that getting hacked and turning out to be not as secure as people thought it was (Snapchat stores the pics that disappear, what?).
Sure there's a concern. But as was already mentioned, LastPass did get hacked, and yet the attackers were unable to get at anyone's passwords because LastPass's team is doing a good job. I think you are way better going with the experts than rolling your own. Just like mptfan, if your passwords are not recorded anywhere except your mind that's pretty safe from everyone else, but you still can have data availability problems if you are incapacitated or if you haven't used one in a while and you can't quite remember it correctly.
Dead Man Walking
Posts: 1212
Joined: Wed Nov 07, 2007 5:51 pm

Re: Passwords

Post by Dead Man Walking »

I'm a technologically challenged old man. For my financial accounts, I use usernames that make no sense and use all of the spaces available and passwords that use letters, numbers, and special characters for all of the spaces available. I have to consult my handwritten notes to log on because I can't remember my username and password. I may be wrong, but I assume that a hacker would be frustrated trying to determine what my username was let alone what my password was. I only access these accounts using my desktop computer that has antivirus, malware, and spyware protection.

I use my Kindle to surf the web, read email, and post here. My passwords for nonfinancial sites are not too sophisticated. If my Kindle is compromised, I have a 3 pound hammer that will resolve the problem.

Perhaps a technologically sophisticated poster could tell me if I'm safe from internet bandits. Thanks in advance.

DMW
abuss368
Posts: 27850
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Passwords

Post by abuss368 »

We cannot remember them all and are not comfortable with an app or other technology storing them. As such, we simply write them down in a book and this has worked so well.

Years ago it was easy to remember. Today, everything is more characters, symbols, upper case, lower case, and maybe symbols! And then, the password cannot be reused or must change every month!
John C. Bogle: "Simplicity is the master key to financial success."
peppers
Posts: 1650
Joined: Tue Oct 25, 2011 7:05 pm

Re: Passwords

Post by peppers »

Dead Man Walking wrote:I'm a technologically challenged old man. For my financial accounts, I use usernames that make no sense and use all of the spaces available and passwords that use letters, numbers, and special characters for all of the spaces available. I have to consult my handwritten notes to log on because I can't remember my username and password. I may be wrong, but I assume that a hacker would be frustrated trying to determine what my username was let alone what my password was. I only access these accounts using my desktop computer that has antivirus, malware, and spyware protection.

I use my Kindle to surf the web, read email, and post here. My passwords for nonfinancial sites are not too sophisticated. If my Kindle is compromised, I have a 3 pound hammer that will resolve the problem.

Perhaps a technologically sophisticated poster could tell me if I'm safe from internet bandits. Thanks in advance.

DMW
I am not technologically sophisticated, but I understand the merits of a three pound hammer....primitive but effective. :wink:
"..the cavalry ain't comin' kid, you're on your own..."