Password Managers

CaptainMarvel
Posts: 12
Joined: Thu Jan 15, 2015 2:01 am

Password Managers

Postby CaptainMarvel » Tue Jun 13, 2017 8:49 pm

Has anyone used password managers such as LastPass and 1Password? I'm considering paying for one and was curious whether folks here thought it was worth the costs. Also, has it been as equally easy to use on a mobile device vs. a computer?

Thanks


Toons
Posts: 11662
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Password Managers

Postby Toons » Tue Jun 13, 2017 8:55 pm

LastPass for years here.
Indispensable for me
50 passwords or more.
Sign in on all devices.
Works great...
Search password manager in search box for threads :happy
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

Saving$
Posts: 1428
Joined: Sat Nov 05, 2011 8:33 pm

Re: Password Managers

Postby Saving$ » Tue Jun 13, 2017 11:56 pm

Keepass
Free
Works on any platform (Windows, Android, Apple) and synchs between them.
Have been using it for over 10 years

Sandtrap
Posts: 1188
Joined: Sat Nov 26, 2016 6:32 pm

Re: Password Managers

Postby Sandtrap » Wed Jun 14, 2017 12:45 am

Toons wrote:LastPass for years here.
Indispensable for me
50 passwords or more.
Sign in on all devices.
Works great...
Search password manager in search box for threads :happy

+1 :D

takeshi
Posts: 924
Joined: Thu Oct 03, 2013 10:02 pm

Re: Password Managers

Postby takeshi » Wed Jun 14, 2017 9:20 am

CaptainMarvel wrote:Has anyone used password managers such as LastPass and 1Password?

Password managers have been a fairly common topic here. Don't overlook existing discussions as a resource. Granted, some of these are a couple of years old now.
https://www.bogleheads.com/forum/viewto ... 1&t=213356
https://www.bogleheads.com/forum/viewto ... 1&t=181563
https://www.bogleheads.com/forum/viewto ... 1&t=163450
https://www.bogleheads.com/forum/viewto ... 1&t=147119
https://www.bogleheads.com/forum/viewto ... 1&t=177315

CaptainMarvel wrote:I'm considering paying for one and was curious whether folks here thought it was worth the costs. Also, has it been as equally easy to use on a mobile device vs. a computer?

Worth is always a highly subjective matter regardless of topic. Even with those that find a password manager worth the cost (there are free ones as well) they don't all agree on which specific one to use as their specific requirements and priorities can and do differ. So you really have to find the best fitting solution for you based on your own priorities.

Given that I couldn't memorize unique & complex passwords to every site I visit a password manager was a must for me. I currently have 220 logins stored. I've used 1Password for years but there are other good options out there as well as reviews and comparisons in addition to prior discussions on this site. I find it a bit more cumbersome to use 1Password on a mobile device than on a computer as I use the Chrome extension quite a bit and it is quick and easy to use. 1Password does work with Safari but it's a bit more cumbersome to use. 1Password has several different sync options if you want to use the same vault on multiple devices but you can also only use a local vault and avoid the cloud if desired. It also provides me information such as which passwords are weak, which ones are subject to Heartbleed & other vulnerabilities, etc.

All that said, I purchased 1Password when it was offered with a one time charge. It's now subscription based and I'm not sure I'd go with the subscription if I was selecting a solution today.

JaneyLH
Posts: 260
Joined: Wed Oct 16, 2013 7:16 pm

Re: Password Managers

Postby JaneyLH » Wed Jun 14, 2017 2:08 pm

Dashlane has been a great password manager. My husband and I use the same subscription on 2 PCs, 3 mobile devices, managing 500+ separate passwords. Has worked flawlessly.

deskjockey
Posts: 51
Joined: Sat Dec 03, 2016 11:15 am

Re: Password Managers

Postby deskjockey » Wed Jun 14, 2017 2:28 pm

I used Keepass for many years before switching to LastPass two years ago. Keepass is good, but I ended up going with Lastpass because of its ability to sync multiple devices instantly. I use it on a computer, two tablets, and a phone. Like all password managers, it has its quirks, but you can try it for free (with all of the key features enabled, too, except for family sharing).

mrtiger
Posts: 17
Joined: Sun Nov 13, 2016 9:35 pm

Re: Password Managers

Postby mrtiger » Wed Jun 14, 2017 3:06 pm

1Password user here. Highly recommended since 1password cloud sync can be turned off! I'm a strong believer that anything in the cloud can be hacked!

oldcomputerguy
Posts: 1408
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Password Managers

Postby oldcomputerguy » Wed Jun 14, 2017 3:12 pm

I store no passwords in the cloud. My password manager is my own brain, backed up by a LibreOffice Writer document stored in our safe.
:wink:
Anybody know why there's a 20-pound frozen turkey up in the light grid?

DetroitRick
Posts: 334
Joined: Wed Mar 23, 2016 9:28 am

Re: Password Managers

Postby DetroitRick » Wed Jun 14, 2017 4:24 pm

I'm still happily using Dashlane. Been using it for about 2+ years now, but just switched to paid version (cloud-based sync across devices) in February. $30/year with unlimited devices (they're now advertising $40/year so I guess it's gone up since I subscribed, but still worth it to me).

It works well for me, because I just had too many passwords to not use a password manager anymore. It really reached critical mass when I increased smartphone use for banking. Dashlane does a decent job of issuing security alerts too, when sites get compromised. Password generation and changes are easy. They have a decent dashboard where they assess all your password integrity.

simmias
Posts: 177
Joined: Sun May 17, 2015 4:18 pm

Re: Password Managers

Postby simmias » Wed Jun 14, 2017 4:39 pm

deskjockey wrote:I used Keepass for many years before switching to LastPass two years ago. Keepass is good, but I ended up going with Lastpass because of its ability to sync multiple devices instantly. I use it on a computer, two tablets, and a phone. Like all password managers, it has its quirks, but you can try it for free (with all of the key features enabled, too, except for family sharing).

You can essentially do the same thing with KeePass. Enable key files, store the password-protected database in the cloud (where it's useless without the key), then have the key file on the devices you use.
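A simplified model of the setup described in the post above, added here as an example; it is not code from the thread or from KeePass. It assumes a PBKDF2 stand-in for KeePass's real key derivation and an HMAC tag in place of the encrypted database, and every function name and sample value is constructed for illustration.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000  # stand-in work factor (assumption); KeePass uses AES-KDF or Argon2


def composite_key(password, keyfile_bytes=None):
    """Hash each credential, concatenate the hashes, hash again.

    Simplified: the key file contents are always hashed here.
    """
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile_bytes is not None:
        parts.append(hashlib.sha256(keyfile_bytes).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_master_key(password, keyfile_bytes, salt):
    """Stretch the composite key so each guess costs the attacker real work."""
    return hashlib.pbkdf2_hmac(
        "sha256", composite_key(password, keyfile_bytes), salt, KDF_ROUNDS
    )


def header_tag(key, salt):
    """Tag that only the correct master key can reproduce."""
    return hmac.new(key, b"vault-header" + salt, hashlib.sha256).digest()


def create_vault_header(password, keyfile_bytes):
    """The part that syncs to the cloud: a public salt and the tag."""
    salt = os.urandom(16)
    key = derive_master_key(password, keyfile_bytes, salt)
    return {"salt": salt, "tag": header_tag(key, salt)}


def can_unlock(header, password, keyfile_bytes=None):
    """True only if the supplied credentials rebuild the same master key."""
    key = derive_master_key(password, keyfile_bytes, header["salt"])
    return hmac.compare_digest(header_tag(key, header["salt"]), header["tag"])


def demo():
    keyfile = os.urandom(32)                     # constructed key file, kept on the devices only
    password = "constructed sample passphrase"   # constructed sample value
    header = create_vault_header(password, keyfile)  # what the cloud provider holds
    return {
        "password_and_keyfile": can_unlock(header, password, keyfile),
        "password_only": can_unlock(header, password),
        "wrong_keyfile": can_unlock(header, password, os.urandom(32)),
        "keyfile_wrong_password": can_unlock(header, "guess", keyfile),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:24s} unlocked={unlocked}")
```

The key file only adds protection if it reaches each device by some route other than the synced folder; stored next to the database in the same cloud account, it contributes nothing.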

jebmke
Posts: 5995
Joined: Thu Apr 05, 2007 2:44 pm

Re: Password Managers

Postby jebmke » Wed Jun 14, 2017 4:41 pm

simmias wrote:
deskjockey wrote:I used Keepass for many years before switching to LastPass two years ago. Keepass is good, but I ended up going with Lastpass because of its ability to sync multiple devices instantly. I use it on a computer, two tablets, and a phone. Like all password managers, it has its quirks, but you can try it for free (with all of the key features enabled, too, except for family sharing).

You can essentially do the same thing with KeePass. Enable key files, store the password-protected database in the cloud (where it's useless without the key), then have the key file on the devices you use.

this is what I do. I almost never need it from a phone/tablet -- I rarely use them for any place that would require a password, certainly never a financial site -- but I like having the db backed up.
When you discover that you are riding a dead horse, the best strategy is to dismount.

lthenderson
Posts: 1966
Joined: Tue Feb 21, 2012 12:43 pm
Location: Iowa

Re: Password Managers

Postby lthenderson » Wed Jun 14, 2017 8:13 pm

I use the free version of Lastpass and have been happy with it. I would note that it isn't as simple using it on my mobile device as my desktop but it isn't all that difficult either. When you use the Lastpass app on your phone, in order to use the quick method, you generally have to use the webpage versions of what you are trying to access instead of the app designed for use on phones. I personally like the customized apps from the company better but Lastpass won't automatically fill in the passwords. So to work around this issue, I log into my Lastpass app and they have a button that allows you to copy your password to a clipboard. You then open the app that you wish to access (I set mine to remember my username) and paste my password into the appropriate box. It's one extra step and requires some forethought but worth the effort to access apps designed for phones versus entire webpages.

AlwaysBeClimbing
Posts: 67
Joined: Fri Mar 31, 2017 10:39 am

Re: Password Managers

Postby AlwaysBeClimbing » Thu Jun 15, 2017 3:40 pm

KeepassX. Cross-platform, open-source and secure (hopefully).

dadu007
Posts: 46
Joined: Mon Feb 22, 2010 11:10 am

Re: Password Managers

Postby dadu007 » Thu Jun 15, 2017 7:17 pm

I use Dashlane paid version. As above, it allows syncing across ALL PCs and iOS products. Absolutely indispensable to me now and it has eliminated that dreaded password anxiety and stress. HIGHLY recommended. Hard to believe, but I have 468 passwords stored (some are for the wife and kids).

cheesepep
Posts: 689
Joined: Wed Feb 17, 2010 10:58 pm

Re: Password Managers

Postby cheesepep » Thu Jun 15, 2017 7:30 pm

I use Apple's Keychain.

KATNYC
Posts: 232
Joined: Fri Apr 07, 2017 4:34 pm

Re: Password Managers

Postby KATNYC » Thu Jun 15, 2017 8:31 pm

We have used Roboform for a few years and like it.
It's the free version.

VictoriaF
Posts: 16588
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Password Managers

Postby VictoriaF » Fri Jun 16, 2017 6:55 am

A recent Workshop on Security and Human Behaviour (SHB 2017), https://www.cl.cam.ac.uk/~rja14/shb17/ , featured a relevant paper "Expert password management," http://www.cl.cam.ac.uk/~rja14/shb17/stobert.pdf .

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Mudpuppy
Posts: 4986
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Password Managers

Postby Mudpuppy » Fri Jun 16, 2017 1:50 pm

oldcomputerguy wrote:I store no passwords in the cloud. My password manager is my own brain, backed up by a LibreOffice Writer document stored in our safe.
:wink:

Not sure if the wink emoticon meant this was a joke, but in case you're serious, the human brain is really horrible at managing passwords. If one refuses to use password managers, then it's better to write everything down and secure the paper than to rely on one's brain to remember unique passwords to every site one uses.

Personally, I use KeePass for most sites and have a long, complex password on it. I have a handful of memorized long passwords for frequently used logins (Surface Pro 3, work network logins, and so on) that aren't in KeePass simply because I use them often enough that I can remember them without needing KeePass to store them. I also have a few "high security" passwords that are stored on paper kept in my possession or locked up, rather than on KeePass.

Mudpuppy
Posts: 4986
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Password Managers

Postby Mudpuppy » Fri Jun 16, 2017 2:01 pm

VictoriaF wrote:A recent Workshop on Security and Human Behaviour (SHB 2017), https://www.cl.cam.ac.uk/~rja14/shb17/ , featured a relevant paper "Expert password management," http://www.cl.cam.ac.uk/~rja14/shb17/stobert.pdf .

Victoria

That paper hits on one of my academic paper pet peeves: nary a visualization to be found. Even with subjective interviews, one can develop broad categories in which to place the common threads and make a chart from it. And yet there's this perception in some parts of academia that droning on for pages is somehow preferable to summarizing one's salient points in a succinct narrative supported with compelling visualizations.

This drove me nuts in graduate school, particularly when I had to write a paper with someone who preferred to drone on. It was followed closely by my other academic pet peeve: inability to summarize the works of others in one's own words. There was one who I was surprised made it through undergraduate school at an accredited USA state university when every "summary" was a flagrant plagiarism of the original authors' wording.

oldcomputerguy
Posts: 1408
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Password Managers

Postby oldcomputerguy » Fri Jun 16, 2017 2:16 pm

Mudpuppy wrote:
oldcomputerguy wrote:I store no passwords in the cloud. My password manager is my own brain, backed up by a LibreOffice Writer document stored in our safe.
:wink:

Not sure if the wink emoticon meant this was a joke, but in case you're serious, the human brain is really horrible at managing passwords. If one refuses to use password managers, then it's better to write everything down and secure the paper than to rely on one's brain to remember unique passwords to every site one uses.


Precisely why I have the written document in the safe. There are only two or three sites I use on a daily basis which require passwords, and I use a different one on each, each one with a complex "root" portion (which I have memorized) in common plus a "suffix" portion specific to each site that follows rules based on where I'm logging in. I have no problem remembering the "suffix" rule, which only leaves me to memorize the one complex "root" portion. For anything else, if I can't remember the password, I have the paper handy.
Anybody know why there's a 20-pound frozen turkey up in the light grid?

VictoriaF
Posts: 16588
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Password Managers

Postby VictoriaF » Fri Jun 16, 2017 2:39 pm

Mudpuppy wrote:
VictoriaF wrote:A recent Workshop on Security and Human Behaviour (SHB 2017), https://www.cl.cam.ac.uk/~rja14/shb17/ , featured a relevant paper "Expert password management," http://www.cl.cam.ac.uk/~rja14/shb17/stobert.pdf .

Victoria

That paper hits on one of my academic paper pet peeves: nary a visualization to be found. Even with subjective interviews, one can develop broad categories in which to place the common threads and make a chart from it. And yet there's this perception in some parts of academia that droning on for pages is somehow preferable to summarizing one's salient points in a succinct narrative supported with compelling visualizations.

This drove me nuts in graduate school, particularly when I had to write a paper with someone who preferred to drone on. It was followed closely by my other academic pet peeve: inability to summarize the works of others in one's own words. There was one who I was surprised made it through undergraduate school at an accredited USA state university when every "summary" was a flagrant plagiarism of the original authors' wording.


I agree with you about the need to summarize and emphasize substance. The primary author of this particular paper is from ETH in Zurich, and there could be some academic cultural differences. Many years ago, my friends were joking that it was easier to learn English and read computer science books in English than to read computer books in Russian.

My main take-aways from this paper are that:
1. computer experts frequently do not follow prudent security practices (I suppose this is similar to physicians not following prudent diet and exercise)
2. experts use password managers for a small number of critical passwords (I thought that password managers are good for storing hundreds of passwords, most of which are unimportant)
3. writing some passwords on paper is permissible if the paper is properly guarded

An important point is that the sample size in this study was fairly small.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

2015
Posts: 533
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Managers

Postby 2015 » Fri Jun 16, 2017 3:00 pm

VictoriaF wrote:
Mudpuppy wrote:
VictoriaF wrote:A recent Workshop on Security and Human Behaviour (SHB 2017), https://www.cl.cam.ac.uk/~rja14/shb17/ , featured a relevant paper "Expert password management," http://www.cl.cam.ac.uk/~rja14/shb17/stobert.pdf .

Victoria

That paper hits on one of my academic paper pet peeves: nary a visualization to be found. Even with subjective interviews, one can develop broad categories in which to place the common threads and make a chart from it. And yet there's this perception in some parts of academia that droning on for pages is somehow preferable to summarizing one's salient points in a succinct narrative supported with compelling visualizations.

This drove me nuts in graduate school, particularly when I had to write a paper with someone who preferred to drone on. It was followed closely by my other academic pet peeve: inability to summarize the works of others in one's own words. There was one who I was surprised made it through undergraduate school at an accredited USA state university when every "summary" was a flagrant plagiarism of the original authors' wording.


I agree with you about the need to summarize and emphasize substance. The primary author of this particular paper is from ETH in Zurich, and there could be some academic cultural differences. Many years ago, my friends were joking that it was easier to learn English and read computer science books in English than to read computer books in Russian.

My main take-aways from this paper are that:
1. computer experts frequently do not follow prudent security practices (I suppose this is similar to physicians not following prudent diet and exercise)
2. experts use password managers for a small number of critical passwords (I thought that password managers are good for storing hundreds of passwords, most of which are unimportant)
3. writing some passwords on paper is permissible if the paper is properly guarded

An important point is that the sample size in this study was fairly small.

Victoria


These were my takeaways, and I was surprised by them.

I used Keepass for virtually all passwords, even for many non-critical sites. The only exceptions are those nuisance sites which force you to "sign up" (similar practice to the experts cited, and my reasoning is similar to those regarding the inconvenience. Further, do I really care if someone gets my email address/faux password from Wade Pfau's required blog sign up were it to be hacked? I keep a separate dedicated throwaway email for such sign ups). I don't believe in writing passwords on paper or storing them behind anything other than encryption and certainly not anywhere in the cloud.

Thanks for the paper, btw; I personally didn't need any visualizations to get the point(s).

VictoriaF
Posts: 16588
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Password Managers

Postby VictoriaF » Fri Jun 16, 2017 3:17 pm

2015 wrote: Thanks for the paper, btw; I personally didn't need any visualizations to get the point(s).


2015,

Here is another paper you may be interested in, "Digital Privacy at the U.S. Border" by the Electronic Frontier Foundation (EFF), https://www.eff.org/files/2017/03/10/di ... .10.17.pdf . Even if you are not an intended audience of this paper, you may appreciate technical recommendations in Part 3, starting on page 39.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Mudpuppy
Posts: 4986
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Password Managers

Postby Mudpuppy » Fri Jun 16, 2017 3:22 pm

2015 wrote:Thanks for the paper, btw; I personally didn't need any visualizations to get the point(s).

I never said I needed them. I said it's a pet peeve. Big difference. One of the ABET student learning outcomes for computer science is the ability to communicate effectively with a wide range of audiences, which includes not only presenting information at the appropriate level for the audience in question, but also includes effectively relaying information in succinct summaries and compelling visualizations.

My other degree is in biology, and their formulation of an academic paper is highly technical, but also far more effective at communicating the main points. I can read the abstract of a biology paper and know the hypothesis being tested, the experimental design, and the major conclusions. If you want to be cited by others, you have to have a compelling result and you also have to communicate it effectively. Otherwise, it's just another publication for the CV.

ImNotABot
Posts: 78
Joined: Wed Apr 20, 2016 3:26 pm

Suggestions for password storage services?

Postby ImNotABot » Fri Jun 16, 2017 10:48 pm

[Thread merged into here, see below (Page 2). --admin LadyGeek]

I find I avoid signing up for new services (even if they are beneficial or worthwhile in some way), because I don't want another user name/password to manage.

Anyone can suggest some password storage services that they use?

BetterSaveThanLater
Posts: 1
Joined: Fri Jun 16, 2017 11:12 pm

Re: Suggestions for password storage services?

Postby BetterSaveThanLater » Fri Jun 16, 2017 11:22 pm

1Password (https://1password.com) from AgileBits.

I've found it's the easiest to use and manage. It's also secure and helps create unique passwords for every log-in and service.

The WatchTower feature also checks all of your log-ins against their database of data breaches, so you know when any service's account information should be reset.

I purchased the desktop and iOS app. They also have a subscription service.

Although, if creating a log-in is really the barrier to joining a service, I'd also ask whether you really want to join.

whaleknives
Posts: 1210
Joined: Sun Jun 24, 2012 7:19 pm

Re: Suggestions for password storage services?

Postby whaleknives » Fri Jun 16, 2017 11:41 pm

I don't have any personal experience (yet), but these have been recommended to me:

with KeePassX as the most secure, but less user-friendly.

_____
*Name correction from obafgkm
Last edited by whaleknives on Sat Jun 17, 2017 11:53 am, edited 1 time in total.
"I'm an indexer. I own the market. And I'm happy." (John Bogle, "BusinessWeek", 8/17/07) ☕ Maritime signal flag W - Whiskey: "I require medical assistance."

Rob5TCP
Posts: 2857
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Suggestions for password storage services?

Postby Rob5TCP » Sat Jun 17, 2017 7:06 am

I use Keepass (not Keepass X - which originally was derived from Keepass)
it is not as elegant or as easily integrated into browsers as two of the most popular
Dashlane
LastPass


I like that Keepass keeps your information locally on your drive and not in the cloud.
Plus if you like options, Keepass gives you far more capabilities.
That said, the plain interface, and not as easily integrated in various browsers puts off some.
To my non techie friends, I have been recommending Dashlane.

Recent review in PC Mag
http://www.pcmag.com/article2/0,2817,2407168,00.asp

These are the best free:
http://www.pcmag.com/article2/0,2817,2475964,00.asp
Last edited by Rob5TCP on Sat Jun 17, 2017 7:17 am, edited 2 times in total.

onourway
Posts: 281
Joined: Thu Dec 08, 2016 3:39 pm

Re: Suggestions for password storage services?

Postby onourway » Sat Jun 17, 2017 7:10 am

I have used Password Safe for years and am very happy with it. I like that it's free, open source, and you have complete control over where the encrypted data file is stored. If you want more convenience you can store the file on Dropbox/iCloud, etc. and there are inexpensive apps that integrate with the TouchID sensor, etc. It isn't as fully featured as some of the commercial services, but it has been very reliable for me and easy to use across a number of different platforms.

obafgkm
Posts: 166
Joined: Fri Mar 11, 2016 9:12 am

Re: Suggestions for password storage services?

Postby obafgkm » Sat Jun 17, 2017 7:20 am

whaleknives wrote:I don't have any personal experience (yet), but these have been recommended to me:

  • Password1


It is actually "1Password". I've used this for several years, and I have had (almost) no problems with it. The few times I have, the customer support has been quick and helpful. I also like that the password file resides encrypted on my computer and not at a password manager's website.

jebmke
Posts: 5995
Joined: Thu Apr 05, 2007 2:44 pm

Re: Suggestions for password storage services?

Postby jebmke » Sat Jun 17, 2017 7:34 am

I use KeePass. Store the KP database on my Google drive.
When you discover that you are riding a dead horse, the best strategy is to dismount.

TomatoTomahto
Posts: 5937
Joined: Mon Apr 11, 2011 1:48 pm

Re: Suggestions for password storage services?

Postby TomatoTomahto » Sat Jun 17, 2017 7:41 am

It doesn't get much love on BH, but I've been happy with RoboForm. Keeps my passwords, credit cards, passport and FF info, address, DL, etc., ready to fill in forms. Works on my Windows 10 PC, MacBook, iPad, iPhone, and my wife gets a copy also.

cutterinnj
Posts: 163
Joined: Wed Jun 01, 2011 10:08 pm

Re: Suggestions for password storage services?

Postby cutterinnj » Sat Jun 17, 2017 7:57 am

I use Apple iCloud passwords.

Downside is it only works on my Mac.

JPH
Posts: 593
Joined: Mon Jun 27, 2011 8:56 pm

Re: Suggestions for password storage services?

Postby JPH » Sat Jun 17, 2017 8:15 am

I use KeePass and like it. I find it a bit awkward to change/update the passwords. Also, some sites don't want to accept data from the autotype feature, and then I have to copy/paste username and password. I have not tried any others.
While the moments do summersaults into eternity | Cling to their coattails and beg them to stay - Townes Van Zandt

BolderBoy
Posts: 2933
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Suggestions for password storage services?

Postby BolderBoy » Sat Jun 17, 2017 8:25 am

JPH wrote:I use KeePass and like it. I find it a bit awkward to change/update the passwords. Also, some sites don't want to accept data from the autotype feature, and then I have to copy/paste username and password. I have not tried any others.

+1. Agreed that some sites require copy/paste, a nuisance but not horrible.

My first PW manager was Roboform. I liked it until the annual subscription nonsense started so ditched it 10 years ago and changed to KeePass. Never looked back.
“Where you stand, depends on where you sit” - Rufus Miles | "Never underestimate one's capacity to overestimate one's abilities"

ddurrett896
Posts: 574
Joined: Wed Nov 05, 2014 3:23 pm

Re: Suggestions for password storage services?

Postby ddurrett896 » Sat Jun 17, 2017 8:33 am

jebmke wrote:I use KeePass. Store the KP database on my Google drive.


Is this easy to set up? I looked on their website and it wasn't user friendly :confused

Watty
Posts: 10493
Joined: Wed Oct 10, 2007 3:55 pm

Re: Suggestions for password storage services?

Postby Watty » Sat Jun 17, 2017 8:42 am

I may be a bit of a luddite but I don't like the idea of trusting any software with any important password information like my financial signons. I know that there are safeguards but there is a lot of incentive for people to try to hack them.

For unimportant signups like for access to some free news services I just use a separate junk email address and the same account name and password.

onourway
Posts: 281
Joined: Thu Dec 08, 2016 3:39 pm

Re: Suggestions for password storage services?

Postby onourway » Sat Jun 17, 2017 8:52 am

Watty wrote:I may be a bit of a luddite but I don't like the idea of trusting any software with any important password information like my financial signons. I know that there are safeguards but there is a lot of incentive for people to try to hack them.

For unimportant signups like for access to some free news services I just use a separate junk email address and the same account name and password.


I don't think that it's possible for most people to keep the number of passwords required by the modern internet - certainly not complex ones without reusing them across multiple sites. I think that a single, extremely complex password encrypting a locally stored safe, with that password stored nowhere but in your head, is as secure as you can get today.

scooterdog
Posts: 117
Joined: Fri Mar 29, 2013 7:42 am
Location: Potomac MD

Re: Suggestions for password storage services?

Postby scooterdog » Sat Jun 17, 2017 8:56 am

BolderBoy wrote:My first PW manager was Roboform. I liked it until the annual subscription nonsense started so ditched it 10 years ago and changed to KeePass. Never looked back.


Another prior long-time user of Roboform, until they changed their model and it wasn't worth the money. Switched also 10y ago but to LastPass, and have been happily using it ever since.

YMMV but I utilize along with LastPass a kind of code for all my passwords. I take a three letter prefix with an uppercase (say 'Sco' short for 'scooterdog'), a consistent four digit number (say '2293' a number I just made up, but I have a secondary number that I use for work and other high-value sites like financial ones), and a four letter suffix specific to the site I'm logging into (say 'bogl' for this site). An additional character punctuation ("!" or "#" etc) is an optional one, typically in concert with the secondary number.

So the code for Bogleheads would be 'Sco2293bogl', it's saved to LastPass, and if a site requires regular changing of passwords I can simply add a rotating list of punctuation.

Works for me...

2015
Posts: 533
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Managers

Postby 2015 » Sat Jun 17, 2017 10:24 am

My statement wasn't a swipe at anyone saying they needed visualizations. I, too, like visualizations and find them very helpful. I've just gotten very good (IMHO) at skimming long papers (and books as well) and getting the meat of what I need out of them. I think this comes from reading so many non-fiction business books all the time, and the fact that every nanosecond there's some new paper on some new or old topic by some academic or practitioner or author on something (e.g., Blanchett's latest paper). I skim these things in an effort to thwart confirmation and overconfidence bias, but don't waste time attempting to extract every last detail. After all, there'll be another new paper on this very same topic with some "new" twist tomorrow.

OTOH, this paper was particularly enlightening with respect to a few similarities between my practices and those of the experts polled. Maybe I'm doing something right after all. :beer

2015
Posts: 533
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Managers

Postby 2015 » Sat Jun 17, 2017 10:46 am

VictoriaF wrote:
2015 wrote: Thanks for the paper, btw; I personally didn't need any visualizations to get the point(s).


2015,

Here is another paper you may be interested in, "Digital Privacy at the U.S. Border" by the Electronic Frontier Foundation (EFF), https://www.eff.org/files/2017/03/10/di ... .10.17.pdf . Even if you are not an intended audience of this paper, you may appreciate technical recommendations in Part 3, starting on page 39.

Victoria


Excellent paper, thank you! After reading, it reinforces why I never use any device other than a dedicated computer to access financial sites (in secure browsing mode), why I never store anything in the cloud, and why the time to think about data security is always in advance. Border agents would find nothing more than a casual browsing history on my phone should they be interested (although they might learn something from the BH site found there!).

User avatar
CardinalRule
Posts: 26
Joined: Sun Jan 15, 2017 11:01 am
Location: Pacific Northwest

Re: Password Managers

Postby CardinalRule » Sat Jun 17, 2017 12:09 pm

I have been using 1Password for Windows, for years. Currently I am on Version 4. I really like it, including how the extension integrates with Chrome and syncs securely and locally with my iPhone.

If 1Password's developers ever force me to keep my password "vault" in the cloud, as opposed to on my own computer and mobile device, I will look elsewhere. The data breaches at LastPass and OneLogin have left me very skeptical about security in the cloud. That said, I do like that for its cloud-based solution, 1Password does not store users' encryption key. And so if data were stolen, it theoretically could not be decrypted by a hacker.

mrtiger wrote:1Password user here. Highly recommended since 1password cloud sync can be turned off! I'm a strong believer that anything in the cloud can be hacked!

Mudpuppy
Posts: 4986
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Suggestions for password storage services?

Postby Mudpuppy » Sat Jun 17, 2017 2:23 pm

Watty wrote:I may be a bit of a luddite but I don't like the idea of trusting any software with any important password information like my financial signons. I know that there are safeguards but there is a lot of incentive for people to try to hack them.

For unimportant signups like for access to some free news services I just use a separate junk email address and the same account name and password.

That's not a very secure approach. If one junk login site is compromised, they are all compromised. Then you have to change the passwords at all the other trivial sites, which is a huge headache and time waster. At the very least, switch to using the throw-away email address and a password manager for the junk login sites, so each login can have its own unique password. It would save having to reset passwords if one site is compromised. And if you don't need the trivial account anymore, see how you might close it at that site. Many people are walking around with way too many throw-away accounts that could probably be closed by contacting site administrators.

And if you use a program with a locally stored password database file, your concerns about hacking are minimized. For example, take KeePass and its variants, which store the passwords in an encrypted local file by default. In order for an attacker to attack the encryption on the password file, they first have to have access to your local file system (assuming you don't opt to put the encrypted password file on your Dropbox/Google Drive/etc. account, which is another can of worms entirely). If they have access to your local file system, they could just as easily install a keylogger or browser-in-the-middle exploit, so the game is already lost regardless of whether or not you use KeePass.

On the other hand, by using KeePass with a locally stored file, you can increase your site-specific passwords to the maximum complexity allowed by that site, using a randomly generated password created by KeePass. Then you don't really have to worry much about password attacks (at least until quantum computing becomes a feasible method of attacking passwords). Your password will be complex enough to withstand most attacks even if the financial site is infiltrated to the point that the attackers can get the site's password database. Of course, if the financial site is compromised to that level, there are bigger issues at hand than whether or not your password is secure, but the basic premise holds for sites of less importance too.

And you can have multiple password database files with KeePass, so you could have one file for your trivial accounts with just a complex master password and another file for your financial accounts that uses both a complex password and key-file. The key-file makes it that much harder for attackers to attack your financial password database file, particularly if you opt to store the files on cloud storage like Dropbox, Google Drive, or so on.

User avatar
VictoriaF
Posts: 16588
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Suggestions for password storage services?

Postby VictoriaF » Sat Jun 17, 2017 2:31 pm

Mudpuppy wrote:And you can have multiple password database files with KeePass, so you could have one file for your trivial accounts with just a complex master password and another file for your financial accounts that uses both a complex password and key-file. The key-file makes it that much harder for attackers to attack your financial password database file, particularly if you opt to store the files on cloud storage like Dropbox, Google Drive, or so on.


Excellent advice. I would further add that one should guard the primary email accounts similarly to financial accounts, if not more. If one's credit card is misused, the loss is minimal. A hacked email account may lead to a chain reaction of calamities.

What is a key-file? Do you use Yubikey?

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

mhalley
Posts: 4507
Joined: Tue Nov 20, 2007 6:02 am

Re: Suggestions for password storage services?

Postby mhalley » Sat Jun 17, 2017 2:38 pm

KeePass is not as easy to set up as others, but it is not what I would call hard. There is a mobile app called MiniKeePass, and I just emailed my KeePass file to myself and it imported to it seamlessly.

Mudpuppy
Posts: 4986
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Suggestions for password storage services?

Postby Mudpuppy » Sat Jun 17, 2017 2:41 pm

VictoriaF wrote:
Mudpuppy wrote:And you can have multiple password database files with KeePass, so you could have one file for your trivial accounts with just a complex master password and another file for your financial accounts that uses both a complex password and key-file. The key-file makes it that much harder for attackers to attack your financial password database file, particularly if you opt to store the files on cloud storage like Dropbox, Google Drive, or so on.


Excellent advice. I would further add that one should guard the primary email accounts similarly to financial accounts, if not more. If one's credit card is misused, the loss is minimal. A hacked email account may lead to a chain reaction of calamities.

What is a key-file? Do you use Yubikey?

KeePass defines a key-file as any file you choose on your file system when you create the password database file. It has to be a file that is not changed, because KeePass takes a "hash" of the binary of the file to create a secondary "key" from the file. If the key-file changes by even one bit, it no longer generates the same key, so you won't be able to open the password database file. For this reason, you should have a good backup of whatever file you choose to be a key-file, just in case it gets accidentally deleted or modified.

So it is not quite as secure as a YubiKey, but still adds an additional layer that the attacker has to defeat.

mhalley
Posts: 4507
Joined: Tue Nov 20, 2007 6:02 am

Re: Suggestions for password storage services?

Postby mhalley » Sat Jun 17, 2017 2:43 pm

A key file can be any file you choose, but it should be one with lots of random data. From the KeePass FAQ:


You don't even have to remember a long, complicated master passphrase. The database can also be locked using a key file. A key file is basically a master password in a file. Key files are typically stronger than master passwords, because the key can be a lot more complicated; however it's also harder to keep them secret.

A key file can be used instead of a password, or in addition to a password (and the Windows user account in KeePass 2.x).
A key file can be any file you choose; although you should choose one with lots of random data.
A key file must not be modified, this will stop you opening the database. If you want to use a different key file, you can change the master key and use a new/different key file.
Key files must be backed up or you won't be able to open the database after a hard disk crash/re-build. It's just the same as forgetting the master password. There is no backdoor.

namekevaste
Posts: 18
Joined: Fri May 05, 2017 6:12 pm

Re: Suggestions for password storage services?

Postby namekevaste » Sat Jun 17, 2017 2:45 pm

A key file is a digital file that can be used by applications like KeePass to secure your password database. You typically use the key file in combination with a password (composite password). This makes it nearly impossible to hack the database using brute force or rainbow tables since you have to have the key file AND know the password to open the database. You can use any file as your key file - however, if the key file gets modified in any way, you will not be able to open the database. However, you can avoid this by emailing a copy of the file to yourself and archiving the email.
I have not had trouble with using autotype on any sites. Some sites require modification of the autotype sequence - typically insertion of additional {TAB} keystrokes between user name and password.
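
Added example (not part of any post above, and not KeePass's own code): a simplified Python model of the password-plus-key-file composite key described in the posts above, showing that a one-bit change to the key file yields an unrelated key and how to check a key-file backup by digest. The PBKDF2 stretching step is a stand-in assumption for KeePass's own key transformation, and the password, key-file bytes and salt are constructed sample values.

```python
import hashlib
import hmac

def keyfile_component(data: bytes) -> bytes:
    """Hash the key file's raw bytes into a fixed 32-byte key component."""
    return hashlib.sha256(data).digest()

def composite_key(password: str, keyfile: bytes) -> bytes:
    """Both factors are required: SHA-256(SHA-256(password) || SHA-256(key file))."""
    pw_component = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(pw_component + keyfile_component(keyfile)).digest()

def unlock_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Stretch the composite key. PBKDF2 is a stand-in (assumption), not KeePass's KDF."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), salt, 100_000)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def bits_changed(a: bytes, b: bytes) -> int:
    """Count differing bits between two equal-length keys."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def backup_is_intact(original: bytes, backup: bytes) -> bool:
    """Compare a backup copy to the original by digest before relying on it."""
    return hmac.compare_digest(keyfile_component(original), keyfile_component(backup))

# Constructed sample inputs, not real credentials.
PASSWORD = "correct horse battery staple"
KEYFILE = bytes(range(256)) * 4
SALT = b"constructed-salt"

if __name__ == "__main__":
    good = unlock_key(PASSWORD, KEYFILE, SALT)
    damaged = flip_bit(KEYFILE, 4097)
    bad = unlock_key(PASSWORD, damaged, SALT)
    print("same inputs, same key:", good == unlock_key(PASSWORD, KEYFILE, SALT))
    print("bits changed after one-bit flip:", bits_changed(good, bad), "of 256")
    print("right key file, wrong password:", good == unlock_key("guess", KEYFILE, SALT))
    print("backup intact:", backup_is_intact(KEYFILE, KEYFILE))
    print("damaged backup intact:", backup_is_intact(KEYFILE, damaged))
```

Running the digest comparison against each backup copy right after creating it, and again after any restore, catches a silently altered key file before it is the only copy left.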

