Password Protection

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Carolina Shagger
Posts: 14
Joined: Mon Aug 10, 2009 5:21 am

Password Protection

Post by Carolina Shagger » Fri Oct 06, 2017 9:01 am

With all the latest news about accounts being hacked, can someone recommend a good program that will create, and hopefully remember, different strong passwords for different accounts?
Since I use two different computers, will the program allow me to go from one computer to another, or does the information all reside on only one computer?
Thanks in advance for your help.

tmhudg
Posts: 49
Joined: Fri Apr 26, 2013 10:56 am

Re: Password Protection

Post by tmhudg » Fri Oct 06, 2017 9:07 am

Check out LastPass. I cannot recommend this highly enough. Yes, you have to trust your info "in the cloud", and that it is all properly encrypted and protected, but, IMHO, the benefits outweigh the risk.

lthenderson
Posts: 2294
Joined: Tue Feb 21, 2012 12:43 pm
Location: Iowa

Re: Password Protection

Post by lthenderson » Fri Oct 06, 2017 9:07 am

There are many, many threads on this subject if you do a search. I use LastPass, which allows me to do exactly what you want. Others use KeePass, and there are two or three others frequently mentioned in those past threads.

orlandoman
Posts: 411
Joined: Tue Oct 19, 2010 7:27 am

Re: Password Protection

Post by orlandoman » Fri Oct 06, 2017 9:16 am

Take a look at https://www.roboform.com/ & https://www.stickypassword.com/; each has a free/paid version, has been around for years & has millions of users. I use both & have for years.
Subaru Ambassador in Central Florida

woldemariam
Posts: 14
Joined: Wed Aug 31, 2016 3:00 pm

Re: Password Protection

Post by woldemariam » Fri Oct 06, 2017 9:59 am

I use KeePass https://keepass.info/

It is 100% free and works great on Windows and Android.

mhalley
Posts: 5060
Joined: Tue Nov 20, 2007 6:02 am

Re: Password Protection

Post by mhalley » Fri Oct 06, 2017 10:33 am

The first decision to make is whether you want your data in the cloud or on your computer. Cloud is more convenient for multiple devices, but you have to worry about Dropbox or whatever being hacked. I decided to keep the data on my devices, so I chose KeePass.

Rob5TCP
Posts: 2917
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Password Protection

Post by Rob5TCP » Fri Oct 06, 2017 10:42 am

mhalley wrote:
Fri Oct 06, 2017 10:33 am
The first decision to make is whether you want your data in the cloud or on your computer. Cloud is more convenient for multiple devices, but you have to worry about Dropbox or whatever being hacked. I decided to keep the data on my devices, so I chose KeePass.
+1 for KeePass.

Make sure the password that you use for your password manager is truly secure.
I prefer to have my own backups and not have it in the cloud.
Some cloud-based managers have been hacked.

LastPass was hacked (LastPass stated no passwords were compromised).
This article from a couple of years ago discusses vulnerabilities in various cloud-based password managers.
https://siliconangle.com/blog/2014/07/1 ... abilities/

simple man
Posts: 83
Joined: Sun Nov 22, 2009 10:44 am

Re: Password Protection

Post by simple man » Fri Oct 06, 2017 10:53 am

I had heard at one point (I think on BH) that if you give your password data to a third party, you can end up waiving any liability protection you might have from, say, someone hacking your bank account or other financial account. Not sure if it's true, but it does have some logic to it... I do not feel comfortable having all my passwords in the cloud subject to a single hack. Diversify your key passwords and use 2FA on major accounts.

Toons
Posts: 11904
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Password Protection

Post by Toons » Fri Oct 06, 2017 10:58 am

LastPass for years here.
2-factor authentication.
Nothing is 100% foolproof.
https://www.lastpass.com/
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

rxtra8
Posts: 48
Joined: Wed Jun 10, 2015 1:12 pm

Re: Password Protection

Post by rxtra8 » Fri Oct 06, 2017 11:10 am

Rob5TCP wrote:
Fri Oct 06, 2017 10:42 am
mhalley wrote:
Fri Oct 06, 2017 10:33 am
The first decision to make is whether you want your data in the cloud or on your computer. Cloud is more convenient for multiple devices, but you have to worry about Dropbox or whatever being hacked. I decided to keep the data on my devices, so I chose KeePass.
+1 for KeePass.

Make sure the password that you use for your password manager is truly secure.
I prefer to have my own backups and not have it in the cloud.
Some cloud-based managers have been hacked.

LastPass was hacked (LastPass stated no passwords were compromised).
This article from a couple of years ago discusses vulnerabilities in various cloud-based password managers.
https://siliconangle.com/blog/2014/07/1 ... abilities/
I like the idea of local control for financial passwords, but am considering a password manager for the other sites; I'd probably use Apple Keychain. Unfortunately KeePass will not work for Mac. Any similar alternatives for Mac?

I was considering this device: Mooltipass (just Google it).

2015
Posts: 772
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Protection

Post by 2015 » Fri Oct 06, 2017 11:17 am

Rob5TCP wrote:
Fri Oct 06, 2017 10:42 am
mhalley wrote:
Fri Oct 06, 2017 10:33 am
The first decision to make is whether you want your data in the cloud or on your computer. Cloud is more convenient for multiple devices, but you have to worry about Dropbox or whatever being hacked. I decided to keep the data on my devices, so I chose KeePass.
+1 for KeePass.

Make sure the password that you use for your password manager is truly secure.
I prefer to have my own backups and not have it in the cloud.
Some cloud-based managers have been hacked.

LastPass was hacked (LastPass stated no passwords were compromised).
This article from a couple of years ago discusses vulnerabilities in various cloud-based password managers.
https://siliconangle.com/blog/2014/07/1 ... abilities/
Thanks for the link. Never saw it before. This was my favorite part regarding LastPass:
LastPass was also affected by a CSRF bug that allows attackers to see which devices and apps are running the software. The bug also gives attackers access to a user’s entire master password-encrypted vault.

LastPass has issued a statement playing down the risk, stating that it issued a patch last September to fix these problems.

“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” said the company’s chief information officer Joe Siegrist.
Yea. Sure. This coming from the company's CIO.

I have always been adamantly opposed to storing anything in the cloud, much less the Keys to my Financial Kingdom. In my view, a cloud-based password manager breach is a black swan just dying to happen. Equifax should be yet another wake-up call for those choosing to store vital information of any sort in cloud-based locations.

KeePass stored on external devices only, in conjunction with a laptop dedicated exclusively to financial transactions (alternatively, use of bank mode within such a device), and certainly not accessed via a cell phone (!), is about as "foolproof" as I've been able to find.

orlandoman
Posts: 411
Joined: Tue Oct 19, 2010 7:27 am

Re: Password Protection

Post by orlandoman » Fri Oct 06, 2017 12:53 pm

FYI, Sticky Password, https://www.stickypassword.com/, has the option to sync multiple devices locally via your home Wi-Fi network with the paid version (in-cloud sync is optional). Most others can only sync multiple devices via the cloud.
Subaru Ambassador in Central Florida

DetroitRick
Posts: 412
Joined: Wed Mar 23, 2016 9:28 am

Re: Password Protection

Post by DetroitRick » Fri Oct 06, 2017 3:12 pm

With two Windows pcs and an Android smartphone, I wouldn't be without one anymore. You might find this recent article from PC Magazine helpful, especially the list of functions that the various password managers support. You can then determine which functions are important to you.

https://www.pcmag.com/article2/0,2817,2407168,00.asp

I've been using Dashlane on our devices since early last year, and am very satisfied. While it's comparatively expensive, you can always try the free version first to see if you like it. That free version is full featured, except that it doesn't sync across devices (it's what I first started with). Should you like it, you can then just buy it and add that capability. It takes seconds to add or delete devices as needed.

Now that I've been using a password manager for a while, I would never go back (I had previously used an encrypted spreadsheet). No big concerns here about syncing to the cloud - I have additional security measures in place where it matters.

Carolina Shagger
Posts: 14
Joined: Mon Aug 10, 2009 5:21 am

Re: Password Protection

Post by Carolina Shagger » Fri Oct 06, 2017 8:19 pm

Thank you for all your responses. I admit I am leery of the cloud (isn't that just someone else's computer?). I like the possibility of linking the computers in-house via our Wi-Fi network.
I admit I am late to the party on this as I have had my identity stolen and used at least twice (once to file my federal income tax return two years ago). The latest Equifax fiasco finally got me off my duff to do something!
I'll be reviewing the links you provided. Thanks again.

lazydavid
Posts: 1071
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password Protection

Post by lazydavid » Sat Oct 07, 2017 6:14 am

As long as you select a secure master password, there's no reason to be concerned about your passwords being stored by a cloud service. The key to decrypt the password store is protected by your master password, usually using an algorithm like PBKDF2 which is very slow and therefore highly resistant to cracking. That decryption generally (meaning most services operate this way, not that it happens just some of the time with any given service) only occurs on your device, not at the cloud provider.

Here's the username and password for one of my accounts, as stored by 1password:


I am not now any less secure having this posted publicly for the entire world to see. This is why it's safe to use reputable cloud-based password management services like LastPass, or to store your password vault from software like 1Password or KeePass on Dropbox or another cloud storage provider.

2015
Posts: 772
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Protection

Post by 2015 » Sat Oct 07, 2017 10:02 am

lazydavid wrote:
Sat Oct 07, 2017 6:14 am
As long as you select a secure master password, there's no reason to be concerned about your passwords being stored by a cloud service. The key to decrypt the password store is protected by your master password, usually using an algorithm like PBKDF2 which is very slow and therefore highly resistant to cracking. That decryption generally (meaning most services operate this way, not that it happens just some of the time with any given service) only occurs on your device, not at the cloud provider.

Here's the username and password for one of my accounts, as stored by 1password:


I am not now any less secure having this posted publicly for the entire world to see. This is why it's safe to use reputable cloud-based password management services like LastPass, or to store your password vault from software like 1Password or KeePass on Dropbox or another cloud storage provider.
Reputable? Exactly what is "reputable" these days? Equifax qualified as supposedly highly "reputable". Until it wasn't.

Re: encryption. See Alan Turing. http://www.turing.org.uk/scrapbook/ww2.html

In WWII, the Germans thought the Enigma cipher machine was "safe", too. Until it wasn't.
Most German communications were enciphered on the Enigma cipher machine. It was based on rotors whose movement produced ever-changing alphabetic substitutions.

In its military use, the basic machine was greatly enhanced by a plugboard, visible on the front of the machine.

The ciphers it produced were supposed to be unbreakable even by someone in possession of the machine. Ideas of great logical ingenuity were needed to defeat it.
...

In fact, the Enigma had to be broken afresh over and over again. The hardware in the picture is not the whole story, and capturing it did not allow Enigma messages to be read. The German use of the Enigma depended on systems for setting the keys for each message transmitted, and it was these key-systems that had to be broken. There were many such systems, often changing, and the hardware was changed as well from time to time.

The brilliant pre-war work by Polish mathematicians enabled them to read Enigma messages on the simplest key-systems. The information they gave to Britain and France in 1939 may have been crucial, but it was not sufficient for the continuation and extension of Enigma breaking over the next six years. New ideas were essential.

In late 1939, Alan Turing and another Cambridge mathematician, Gordon Welchman, designed a new machine, the British Bombe. The basic property of the Bombe was that it could break any Enigma-enciphered message, provided that the hardware of the Enigma was known and that a plain-text 'crib' of about 20 letters could be guessed accurately.

AntsOnTheMarch
Posts: 244
Joined: Mon May 29, 2017 5:47 pm

Re: Password Protection

Post by AntsOnTheMarch » Sat Oct 07, 2017 10:24 am

So many of these threads.

I use 1Password on iPad and iPhone. It syncs over iCloud. I'd have to pay for the Mac version, so I use Keychain on Mac, but all my most complete data is in 1Password (including notes and PINs from recent freezes).

From my limited understanding, hacking is not simple because the passwords are not actually stored on the cloud. Data is encrypted or some other very secure method is used. So if the 1Password site was hacked, I'd need to investigate further before becoming alarmed.

LastPass seems very popular here. Last time I tried it, I didn't like the interface and had trouble importing data from 1Password--which I found through a Google search is not uncommon. Since I'm already happy with 1Password, I scrapped it. YMMV.

mrc
Posts: 950
Joined: Sun Jan 10, 2016 6:39 am
Location: right here

Re: Password Protection

Post by mrc » Sat Oct 07, 2017 10:51 am

2015 wrote:
Sat Oct 07, 2017 10:02 am
In WWII, the Germans thought the Enigma cipher machine was "safe", too. Until it wasn't.
Pretty sure a lot more resources were devoted to cracking Enigma than my lousy account credentials.

As for Equifax — touché.
A great challenge of life: Knowing enough to think you're doing it right, but not enough to know you're doing it wrong. — Neil deGrasse Tyson

MP123
Posts: 132
Joined: Thu Feb 16, 2017 3:32 pm

Re: Password Protection

Post by MP123 » Sat Oct 07, 2017 11:42 am

mrc wrote:
Sat Oct 07, 2017 10:51 am
2015 wrote:
Sat Oct 07, 2017 10:02 am
In WWII, the Germans thought the Enigma cipher machine was "safe", too. Until it wasn't.
Pretty sure a lot more resources were devoted to cracking Enigma than my lousy account credentials.

As for Equifax — touché.
Hmmmm... Seems to me that any hacker kid with a laptop has far, far more computer resources and computing power than existed on the entire planet when Turing cracked the Enigma.

Jeff Albertson
Posts: 384
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Password Protection

Post by Jeff Albertson » Sat Oct 07, 2017 1:03 pm

From the lastpass.com site:
Your sensitive data is encrypted
We use the same encryption algorithm that the US Government uses for Top Secret data. (AES256)

Only you know the key to decrypt your data
We do not store this key anywhere, so the private data that we store in our database is basically meaningless to hackers (and to us!). This is why it is so important to not forget your LastPass password.
https://lastpass.com/safety.php

Jeff Albertson
Posts: 384
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Password Protection

Post by Jeff Albertson » Sat Oct 07, 2017 1:28 pm

This past post is very helpful, IMHO, especially the part about reducing the risk of keyloggers.
viewtopic.php?p=2195927#p2195927
Step 6: Make LastPass master password safer - I stopped typing the whole master password (pass phrase actually) to reduce the risk from keyloggers. I copy/paste part of my password and type the rest - this is actually easier for me than typing the whole master password because I purposely made it very long.
I use a very long master password. When I log in, I use LastPass' virtual keyboard to enter half the password and copy & paste the rest.

Hyperborea
Posts: 287
Joined: Sat Apr 15, 2017 10:31 am
Location: Silicon Valley

Re: Password Protection

Post by Hyperborea » Sat Oct 07, 2017 2:18 pm

Jeff Albertson wrote:
Sat Oct 07, 2017 1:28 pm
This past post is very helpful, IMHO, especially the part about reducing the risk of keyloggers.
viewtopic.php?p=2195927#p2195927
Step 6: Make LastPass master password safer - I stopped typing the whole master password (pass phrase actually) to reduce the risk from keyloggers. I copy/paste part of my password and type the rest - this is actually easier for me than typing the whole master password because I purposely made it very long.
I use a very long master password. When I log in, I use LastPass' virtual keyboard to enter half the password and copy & paste the rest.
I would suggest enabling one of the two-factor authentication methods. Even the simple paper grid option would be a big step up in security if you don't/won't use one of the cell phone authenticators or hardware keys.

2015
Posts: 772
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Protection

Post by 2015 » Sat Oct 07, 2017 6:39 pm

Jeff Albertson wrote:
Sat Oct 07, 2017 1:03 pm
From the lastpass.com site:
Your sensitive data is encrypted
We use the same encryption algorithm that the US Government uses for Top Secret data. (AES256)

Only you know the key to decrypt your data
We do not store this key anywhere, so the private data that we store in our database is basically meaningless to hackers (and to us!). This is why it is so important to not forget your LastPass password.
https://lastpass.com/safety.php
Two questions:

Is this the same U.S. government that had the OPM hacked?

Per the LastPass website, what does "basically" meaningless mean?

I highly recommend engaging in what author Daniel Kahneman (and others) refers to as second stage thinking [and read the book!] when it comes to matters as important as your data.

So based on the LastPass website, you have decided they're "reputable" and "safe". Based on what? Their word (hello Equifax)? For your average Joe--and that's just about all of us--online data storage vendors are a black box. We have no way of knowing what's under the hood, regardless of their claims. Are you really willing to trust something as crucial as all of your account information to this black box?

BTW, have you heard about the extensive data breach that occurred at, of all places, Deloitte??

https://www.engadget.com/2017/09/25/del ... ty-breach/
Deloitte, a major US and global accounting firm, revealed that it was hit with a cybersecurity breach that may have extended from October of last year through this past March, the Guardian reports. The company -- one of the world's Big Four accounting firms -- which works with large banks, global firms and government agencies, among others, provides tax and auditing services, operations consulting, merger and acquisition assistance and, wait for it, cybersecurity advice.
If you don't think global actors are targeting sites such as LastPass hourly, you're fooling yourself. It's not your "lousy credentials" you should be concerned with, it's what you don't know that you don't know about LastPass and other online data storage vendors that you should be worried about.

Jeff Albertson
Posts: 384
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Password Protection

Post by Jeff Albertson » Sat Oct 07, 2017 7:02 pm

Yea, the boogieman is out there, boooooooo.

You want credentials? Try Steve Gibson. He discusses LastPass price increases in August and also said:
For me, what I care most is about the security guarantees that LastPass offers and the quality of their service, that is, going forward. As with the CA business, trust is hard-earned and easily lost. And so far Joe and company, even after the LogMeIn acquisition, have never let us down.

So I'm not switching. I still think it's the right solution. But I certainly just wanted - because many people were wondering what I thought. You know, I mean, I don't know what's going on behind the scenes. It would be interesting to know, and we never will, what the effect is for LogMeIn. This is the nature of a parent acquiring something like this is they want to monetize it. And they now have built, thanks to Joe and their acquisition, a leading password manager that I think, independent of its cost or its pricing, is the one I still believe is the one to use.
https://www.grc.com/sn/sn-623.htm
I would agree. Is LogMeIn going to continue with aggressive support of the product or just milk it?
Last edited by Jeff Albertson on Sat Oct 07, 2017 9:18 pm, edited 1 time in total.

lazydavid
Posts: 1071
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password Protection

Post by lazydavid » Sat Oct 07, 2017 7:38 pm

2015 wrote:
Sat Oct 07, 2017 10:02 am
Reputable? Exactly what is "reputable" these days? Equifax qualified as supposedly highly "reputable". Until it wasn't.
Reputable is a service whose technology has been examined by someone I trust and found to have been done correctly. LastPass and 1Password both meet this bar.
2015 wrote:
Sat Oct 07, 2017 10:02 am
Re: encryption. See Alan Turing. http://www.turing.org.uk/scrapbook/ww2.html

In WWII, the Germans thought the Enigma cipher machine was "safe", too. Until it wasn't.
Cryptography has changed a LOT since WWII. One of the largest changes is that we've gone from a paradigm where the security of the encryption depended upon the secrecy of the algorithm. Once the secret of the algorithm is broken, the security of the encryption goes out the window. That's what happened with Enigma and the Bombe that Bletchley Park used to reverse-engineer the cipher.

The world learned some hard lessons and today, encryption algorithms are open standards, published and audited for all the world to see. The ONLY thing that needs to remain secret is the key. We know the math is secure, because it's been tested and proven for decades by some of the smartest people in the world.

The credential sample I posted is encrypted using a randomly-generated AES256 symmetric key, which is unbreakable with any modern or near-horizon technology. THAT key is combined with my very complex master password, comprised of somewhere between 20 and 40 characters, and the results are encrypted using somewhere between 5,000 and 10,000 iterations of PBKDF2 (the count is user-configurable). Again, this algorithm is purposefully designed to be slow, to make it even more difficult to brute-force. A modern server-class processor is capable of doing around 15k ciphers per second, so this means that the sample I posted can be brute-forced at the rate of 1-3 guesses per second, per processor used, assuming you know how many iterations I've selected. Since a complex 30 character password has approximately 30^90 possibilities, it should be crackable after 4.364 x 10^132 attempts (half of the total search space). No matter how much horsepower you throw at the problem, it's not going to fall in the lifetime of my great great great great great grandchildren. Advances in processor technology will eventually make it possible, but when it does, I won't care, because I will have been dead for millennia. Have fun with my Shutterfly account in 4134. :)

lazydavid
Posts: 1071
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password Protection

Post by lazydavid » Sat Oct 07, 2017 7:43 pm

lazydavid wrote:
Sat Oct 07, 2017 7:38 pm
2015 wrote:
Sat Oct 07, 2017 10:02 am
Reputable? Exactly what is "reputable" these days? Equifax qualified as supposedly highly "reputable". Until it wasn't.
Reputable is a service whose technology has been examined by someone I trust and found to have been done correctly. LastPass and 1Password both meet this bar.
2015 wrote:
Sat Oct 07, 2017 10:02 am
Re: encryption. See Alan Turing. http://www.turing.org.uk/scrapbook/ww2.html

In WWII, the Germans thought the Enigma cipher machine was "safe", too. Until it wasn't.
Cryptography has changed a LOT since WWII. One of the largest changes is that we've gone from a paradigm where the security of the encryption depended upon the secrecy of the algorithm. Once the secret of the algorithm is broken, the security of the encryption goes out the window. That's what happened with Enigma and the Bombe that Bletchley Park used to reverse-engineer the cipher.

The world learned some hard lessons and today, encryption algorithms are open standards, published and audited for all the world to see. The ONLY thing that needs to remain secret is the key. We know the math is secure, because it's been tested and proven for decades by some of the smartest people in the world.

The credential sample I posted is encrypted using a randomly-generated AES256 symmetric key, which is unbreakable with any modern or near-horizon technology. THAT key is combined with my very complex master password, comprised of somewhere between 20 and 40 characters, and the results are encrypted using somewhere between 5,000 and 10,000 iterations of PBKDF2 (the count is user-configurable). Again, this algorithm is purposefully designed to be slow, to make it even more difficult to brute-force. A modern server-class processor is capable of doing around 15k ciphers per second, so this means that the sample I posted can be brute-forced at the rate of 1-3 guesses per second, per processor used, assuming you know how many iterations I've selected. Since a complex 30 character password has approximately 30^90 possibilities, it should be crackable after 4.364 x 10^132 attempts (half of the total search space). No matter how much horsepower you throw at the problem, it's not going to fall in the lifetime of my great great great great great grandchildren. Advances in processor technology will eventually make it possible, but when it does, I won't care, because I will have been dead for millennia. Have fun with my Shutterfly account in 4134. :)
2015 wrote:
Sat Oct 07, 2017 6:39 pm
Is this the same U.S. government that had the OPM hacked?
Encryption algorithms and security practices are not anywhere near the same thing. One is based on immutable mathematical laws, and the other is based on the actions of very fallible humans.

Messner8000
Posts: 50
Joined: Sun May 21, 2017 8:03 am

Re: Password Protection

Post by Messner8000 » Sat Oct 07, 2017 8:14 pm

Is it bad form to interrupt a great thread with a really dumb (but related) question?

Everyone is always talking about these password manager programs. I recently downloaded LastPass. Here is what I don't get. LastPass lets me access all my accounts on my computer using my master password. Which is very convenient. But let's say someone figures out one of my individual passwords (not the master password) for, say, Bank Account X website. Can't they then just sign into that account from a different computer? What protection is LastPass providing in that circumstance? I feel like I must be missing something really basic here about password managers.....

Rob5TCP
Posts: 2917
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Password Protection

Post by Rob5TCP » Sat Oct 07, 2017 8:34 pm

Messner8000 wrote:
Sat Oct 07, 2017 8:14 pm
Is it bad form to interrupt a great thread with a really dumb (but related) question?

Everyone is always talking about these password manager programs. I recently downloaded LastPass. Here is what I don't get. LastPass lets me access all my accounts on my computer using my master password. Which is very convenient. But let's say someone figures out one of my individual passwords (not the master password) for, say, Bank Account X website. Can't they then just sign into that account from a different computer? What protection is LastPass providing in that circumstance? I feel like I must be missing something really basic here about password managers.....
Password managers allow you to use very long, complex passwords that would be difficult for you to remember without a password manager. It's not 100% secure; nothing is. But you have a much better chance of a hacker NOT being able to access your account if you do have a long, complex password (2-factor authentication is also very useful).

lotusflower
Posts: 66
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sat Oct 07, 2017 8:53 pm

Messner8000 wrote:
Sat Oct 07, 2017 8:14 pm
Is it bad form to interrupt a great thread with a really dumb (but related) question?

Everyone is always talking about these password manager programs. I recently downloaded LastPass. Here is what I don't get. LastPass lets me access all my accounts on my computer using my master password. Which is very convenient. But let's say someone figures out one of my individual passwords (not the master password) for, say, Bank Account X website. Can't they then just sign into that account from a different computer? What protection is LastPass providing in that circumstance? I feel like I must be missing something really basic here about password managers.....
Once your passwords are in the system, you shouldn't have them anywhere else that could be stolen, like in any other text or spreadsheet files on your computer. It's probably okay to print them out from LastPass and put them in a safe deposit box, though I personally would not do that.

It's possible that a password could be compromised on the other side, by hacking into the bank. However, there are ways to store your password safely on those servers, and by now just about all big web sites and hopefully every single bank are doing it correctly. When you create your password, it is coded with a one-way function that is mathematically impossible* to reverse, and that's what gets stored. Then when you authenticate in the future, your browser runs the same encoder and only sends the result over the web (and that connection is also encrypted), and that's what is verified to let you in. Because of the one-way functions, the only way to generate the right code is to know the password you or LastPass has selected, which you should take pains to keep very secret.

The problem LastPass etc. solve is that keeping so many secrets memorized (they must all be different for good security) is very difficult for humans.

Mordoch
Posts: 322
Joined: Sat Mar 10, 2007 11:27 am

Re: Password Protection

Post by Mordoch » Sat Oct 07, 2017 9:05 pm

Messner8000 wrote:
Sat Oct 07, 2017 8:14 pm
But let's say someone figures out one of my individual passwords (not the master password) for, say, Bank Account X website. Can't they then just sign into that account from a different computer? What protection is LastPass providing in that circumstance? I feel like I must be missing something really basic here about password managers.....
To emphasize a previous point a bit more clearly, the password from your password manager can be something like "^hU8%*V#a3:dO!c6fg~(f_<d". The odds of being able to brute force a hashed password like this (this is merely a simulated random password rather than being as random as a password manager can create) are preposterously low, and you are realistically going to be dead of old age long before this password would be successfully guessed, assuming someone even was willing to put that effort into doing so. To explain the math slightly, a case-sensitive, truly random password like the one above basically gets 95 times more possible combinations every single time you add a single additional character, so the number of possible combinations gets truly ridiculous when it is as long as the example above, if brute forcing it is the only option.

Furthermore, even if a particular website spectacularly screws up and puts your password in plain text (hopefully not a bank) this will not do a hacker that discovers this any good compromising any other accounts you have, since the password manager can store a completely unique password for each one like the one above rather than using the same one or a similar one which could be guessed more easily starting from the known password. (At least in terms of the password component of things.)
Last edited by Mordoch on Sat Oct 07, 2017 9:16 pm, edited 1 time in total.

lotusflower
Posts: 66
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sat Oct 07, 2017 9:16 pm

Carolina Shagger wrote:
Fri Oct 06, 2017 8:19 pm
Thank you for all your responses. I admit I am leery of the cloud (isn't that just someone else's computer?). I like the possibility of linking the computers in-house via our Wi-Fi network.
I admit I am late to the party on this as I have had my identity stolen and used at least twice (once to file my federal income tax return two years ago). The latest Equifax fiasco finally got me off my duff to do something!
I'll be reviewing the links you provided. Thanks again
The great thing about the cloud is that it's not just someone else's computers, but rather a distributed network of fault-tolerant computers. I personally think the wifi method is too risky for me, my house could catch fire. Sure I can keep a backup at work but I would have to keep vigilant about doing regular backups (in my case that is a glaring weakness) and local earthquake could still wipe out all copies. Sure I could mail a hard drive to my mom every few weeks, with a return box for her to send the previous one back; you get the picture. The cloud is far superior.

When you mitigate risks, you not only have to consider data theft, but all the other problems that might cause you to lose data, including forgetfulness, natural disasters, and incompetence (oops, I didn't realize which folder was selected and I pressed the delete key etc., happens to all of us sometimes) The cloud, when used with appropriate security, mitigates many of those risks at once. By appropriate security, I mean commonly available encryption and best practices for passwords, which many others have described.

As far as LastPass, I personally use KeePass (stored on Dropbox), but I wouldn't hesitate to choose or recommend LastPass. The difference between them and Equifax or a bank is that protecting your data is their #1 and only core competence. Remember, you aren't even Equifax's customer; you and your data are their product. Securing that data is not something they are incentivized to do since it's for sale to the highest bidder (a letter to your congressperson is wholly appropriate, but probably a waste of time). In contrast LastPass is totally incentivized to protect you. They will probably go out of business if they have a big breach, and they spend all day, every day thinking about how to protect you from that.

ThriftyPhD
Posts: 116
Joined: Mon Jul 31, 2017 10:43 am

Re: Password Protection

Post by ThriftyPhD » Sat Oct 07, 2017 9:31 pm

Mordoch wrote:
Sat Oct 07, 2017 9:05 pm
Furthermore, even if a particular website spectacularly screws up and puts your password in plain text (hopefully not a bank) this will not do a hacker that discovers this any good compromising any other accounts you have, since the password manager can store a completely unique password for each one like the one above rather than using the same one or a similar one which could be guessed more easily starting from the known password. (At least in terms of the password component of things.)
I want to repeat this, because I think it's one of the very important parts of password managers. People can have hundreds, if not thousands, of different logins. You might be surprised how many you have if you don't have them stored in one location. Each should have a different, unique password. Each security question should have a different, random gibberish answer. (Mother's Maiden Name? JG[XLYvQeJaRr}MF)GrxVMkNhf6yrdK?gHyY4KjA9hFAtRwDm+43c3PwgzYTJy#y). It's impossible to remember this many unique passwords, especially since they should be random like the above maiden name. This is why many people reuse passwords, which is a much bigger risk.

Some website you use WILL be hacked. The password you use there will potentially be cracked. If you use that password anywhere else, you're at risk. Reusing passwords opens you up to security risks much more so than the risk of your password manager being compromised.

corner559
Posts: 429
Joined: Wed Nov 07, 2007 3:05 am

Re: Password Protection

Post by corner559 » Sat Oct 07, 2017 10:12 pm

tmhudg wrote:
Fri Oct 06, 2017 9:07 am
Check out LastPass. I cannot recommend this highly enough. Yes, you have to trust your info "in the cloud", and that it is all properly encrypted and protected, but, IMHO, the benefits outweigh the risk.
I can't imagine a worse place to store your passwords than in the cloud.

lotusflower
Posts: 66
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sat Oct 07, 2017 10:33 pm

corner559 wrote:
Sat Oct 07, 2017 10:12 pm
tmhudg wrote:
Fri Oct 06, 2017 9:07 am
Check out LastPass. I cannot recommend this highly enough. Yes, you have to trust your info "in the cloud", and that it is all properly encrypted and protected, but, IMHO, the benefits outweigh the risk.
I can't imagine a worse place to store your passwords than in the cloud.
If your data is properly encrypted, you can print it up on handbills and pass them out in Times Square and it will be perfectly safe. It's much more risky to keep that data on storage devices in your home, where they could burn, get stolen, get dropped, get wet, etc.

Messner8000
Posts: 50
Joined: Sun May 21, 2017 8:03 am

Re: Password Protection

Post by Messner8000 » Sun Oct 08, 2017 7:40 am

Thanks, everyone, for responding to my question - things make a lot more sense now. I now realize that transitioning to a password manager is a much bigger task than I thought - needing to change the passwords for all of my sites, then install the program on my wife's computer and my computer and our smart phones and set it up so we can share account access (since we both access many of the same password-protected sites). Seems like a worthwhile endeavor though!

DoTheMath
Posts: 188
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Password Protection

Post by DoTheMath » Sun Oct 08, 2017 8:10 am

lotusflower wrote:
Sat Oct 07, 2017 10:33 pm
corner559 wrote:
Sat Oct 07, 2017 10:12 pm
tmhudg wrote:
Fri Oct 06, 2017 9:07 am
Check out LastPass. I cannot recommend this highly enough. Yes, you have to trust your info "in the cloud", and that it is all properly encrypted and protected, but, IMHO, the benefits outweigh the risk.
I can't imagine a worse place to store your passwords than in the cloud.
If your data is properly encrypted, you can print it up on handbills and pass them out in Times Square and it will be perfectly safe. It's much more risky to keep that data on storage devices in your home, where they could burn, get stolen, get dropped, get wet, etc.
+1 There is a lot of unnecessary scare-mongering in this thread. Properly encrypted data is secure. Fort Knox secure. I use 1password with my encrypted password file stored on Dropbox. If someone accesses that file through dropbox (unlikely since I have 2F authentication, but possible) or by stealing my laptop, I will continue to sleep like a baby. My master password is long, complicated, and has never been used anywhere else for anything. A direct attack to decrypt my password file would take centuries regardless of the computing power thrown at it.

When I use my master password, all decrypting happens locally on my laptop. Having the encrypted password file in the cloud has no meaningful effect on my security level.

When you hear of websites being hacked, it's because they have failed to properly encrypt things or other human mistakes, not because the math has failed.

A password manager is highly recommended for all. It makes it easy to have complicated passwords which are completely unique for every website. Then even if a password is obtained from a hack on one website, every other website is just as secure as before.

1password works great on the mac and is fairly easy to use. The others folks have recommended are fine as well.
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir

ThriftyPhD
Posts: 116
Joined: Mon Jul 31, 2017 10:43 am

Re: Password Protection

Post by ThriftyPhD » Sun Oct 08, 2017 8:51 am

Messner8000 wrote:
Sun Oct 08, 2017 7:40 am
Thanks, everyone, for responding to my question - things make a lot more sense now. I now realize that transitioning to a password manager is a much bigger task than I thought - needing to change the passwords for all of my sites, then install the program on my wife's computer and my computer and our smart phones and set it up so we can share account access (since we both access many of the same password-protected sites). Seems like a worthwhile endeavor though!
You don't need to change your current passwords. Step one is to simply enter all of your current logins. When I did this, it was very informative. For one, I didn't realize how many different logins I had. I also had thought that I was using a large number of unique passwords, but when I entered them all in I realized most were reusing a pretty simple password.

Once you have them in the password manager, life gets much easier going forward. Any NEW login is stronger. Some websites force you to change your password frequently; these are now much easier to deal with. You can also slowly go back and change some of your older, less secure passwords. Not a huge rush to do this, especially if you start with your 'important' logins, but over time you'll get everything transitioned. Installing on multiple devices is simple, and everything just syncs over. Makes it very easy when you get a new computer, or you set up a new login; your wife would immediately have access too.

DetroitRick
Posts: 412
Joined: Wed Mar 23, 2016 9:28 am

Re: Password Protection

Post by DetroitRick » Sun Oct 08, 2017 9:32 am

Messner8000 wrote:
Sun Oct 08, 2017 7:40 am
Thanks, everyone, for responding to my question - things make a lot more sense now. I now realize that transitioning to a password manager is a much bigger task than I thought - needing to change the passwords for all of my sites, then install the program on my wife's computer and my computer and our smart phones and set it up so we can share account access (since we both access many of the same password-protected sites). Seems like a worthwhile endeavor though!
I think you will actually find transitioning to be VERY easy and VERY quick. As ThriftyPhD points out, you most definitely do not need to change passwords as part of your migration. You can do that later, or not at all.

Many of these programs will evaluate the security of your existing passwords, and you can act on or ignore these evaluations. When you do make password changes, you will probably also find the process is faster for you when using these products anyway. Most of these programs can generate a new password for you (optional), and then save the new password as part of the change process.

Installation on multiple devices is also quite easy. For example, when I do this in Dashlane, the process takes, at worst, maybe 2 minutes. You download the program to the new device, then sign in, and finally enter the new device authentication code that they immediately send you. The sync then completes, and you are up and running. I would expect the other password managers to be similarly quick and easy, because people need to add and remove devices all the time.

tuningfork
Posts: 246
Joined: Wed Oct 30, 2013 8:30 pm

Re: Password Protection

Post by tuningfork » Sun Oct 08, 2017 11:42 am

ThriftyPhD wrote:
Sun Oct 08, 2017 8:51 am
Messner8000 wrote:
Sun Oct 08, 2017 7:40 am
Thanks, everyone, for responding to my question - things make a lot more sense now. I now realize that transitioning to a password manager is a much bigger task than I thought - needing to change the passwords for all of my sites, then install the program on my wife's computer and my computer and our smart phones and set it up so we can share account access (since we both access many of the same password-protected sites). Seems like a worthwhile endeavor though!
You don't need to change your current passwords. Step one is to simply enter all of your current logins. When I did this, it was very informative. For one, I didn't realize how many different logins I had. I also had thought that I was using a large number of unique passwords, but when I entered them all in I realized most were reusing a pretty simple password.

Once you have them in the password manager, life gets much easier going forward. Any NEW login is stronger. Some websites force you to change your password frequently; these are now much easier to deal with. You can also slowly go back and change some of your older, less secure passwords. Not a huge rush to do this, especially if you start with your 'important' logins, but over time you'll get everything transitioned. Installing on multiple devices is simple, and everything just syncs over. Makes it very easy when you get a new computer, or you set up a new login; your wife would immediately have access too.
Yep, and getting started is even easier than entering all your current logins into the password manager. With LastPass installed, just go to a web site, log in the old fashioned way, and LastPass will offer to save your login info. Next time you can log in with LastPass.

You should probably change passwords on your most important accounts right away, such as your primary email and your financial accounts. The rest can wait until a rainy day. LastPass has a "Security Challenge" which will show you which sites have weak passwords, which sites have been compromised, and which ones reuse passwords. You can use this as a guide to which passwords you should change first.

gtd98765
Posts: 30
Joined: Sun Jan 08, 2017 4:15 am

Re: Password Protection

Post by gtd98765 » Sun Oct 08, 2017 11:50 am

Carolina Shagger wrote:
Fri Oct 06, 2017 8:19 pm
Thank you for all your responses. I admit I am leery of the cloud (isn't that just someone else's computer?). I like the possibility of linking the computers in-house via our Wi-Fi network.
I admit I am late to the party on this as I have had my identity stolen and used at least twice (once to file my federal income tax return two years ago). The latest Equifax fiasco finally got me off my duff to do something!
I'll be reviewing the links you provided. Thanks again
Regarding storing encrypted passwords in the cloud: others have pointed out how many millennia it would take to decrypt a properly-encrypted password, such as those created by any password manager; I thought I would remind people that TV police procedurals where the quirky computer expert decrypts any hard drive in a few minutes are fiction. This does not happen in real life, even with the zillions of dollars the NSA spends on such exploits.

2015
Posts: 772
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Protection

Post by 2015 » Sun Oct 08, 2017 12:12 pm

lazydavid wrote:
Sat Oct 07, 2017 7:43 pm
lazydavid wrote:
Sat Oct 07, 2017 7:38 pm
2015 wrote:
Sat Oct 07, 2017 10:02 am
Reputable? Exactly what is "reputable" these days? Equifax qualified as supposedly highly "reputable". Until it wasn't.
Reputable is a service whose technology has been examined by someone I trust and found to have been done correctly. LastPass and 1Password both meet this bar

This "bar", then, is your own opinion, and in no way establishes that any online storage vendor is "reputable". Again, it's a black box, and virtually no one knows what goes on inside that black box. The choice to trust that black box becomes a personal one, but no use of appeal to authority bias substantiates it.

2015 wrote:
Sat Oct 07, 2017 10:02 am
Re encryption. See Alan Turing. http://www.turing.org.uk/scrapbook/ww2.html

In WWII, The Germans thought the Enigma cipher machine was "safe", too. Until it wasn't.
Cryptography has changed a LOT since WWII. One of the largest changes is that we've gone from a paradigm where the security of the encryption depended upon the secrecy of the algorithm. Once the secret of the algorithm is broken, the security of the encryption goes out the window. That's what happened with Enigma and the Bombe that Bletchley Park used to reverse-engineer the cipher.

The world learned some hard lessons and today, encryption algorithms are open standards, published and audited for all the world to see. The ONLY thing that needs to remain secret is the key. We know the math is secure, because it's been tested and proven for decades by some of the smartest people in the world.

The most dangerous words in investing, "this time it's different", can be equally dangerous when applied to other assumptions as well. How do you know the math is secure? How does "tested" and "proven for decades" correlate to what is possible now or in near future? And just who are these "smartest people in the world?"

The credential sample I posted is encrypted using a randomly-generated AES256 symmetric key, which is unbreakable with any modern or near horizon technology. THAT key is combined with my very complex master password, comprised of somewhere between 20 and 40 characters, and the results are encrypted using somewhere between 5,000 and 10,000 iterations of PBKDF2 (the count is user-configurable). Again, this algorithm is purposefully designed to be slow, to make it even more difficult to brute-force. A modern server-class processor is capable of doing around 15k ciphers per second, so this means that the sample I posted can be brute-forced at the rate of 1-3 guesses per second, per processor used, assuming you know how many iterations I've selected. Since a complex 30 character password has approximately 30^90 possibilities, it should be crackable after 4.364 x 10^132 attempts (half of the total search space). No matter how much horsepower you throw at the problem, it's not going to fall in the lifetime of my great great great great great grandchildren. Advances in processor technology will eventually make it possible, but when it does, I won't care, because I will have been dead for millennia. Have fun with my shutterfly account in 4134. :)

How do you know this? As the Germans discovered during WWII, you have no idea what nation state actors have been/are/will be working on with respect to breaking current encryption standards. Your explanations are repeatedly based on first order thinking, as opposed to second order thinking. Again, it's not what we know that we should be concerned with, but what we don't know that we don't know.
2015 wrote:
Sat Oct 07, 2017 6:39 pm
Is this the same U.S. government that had the OPM hacked?
Encryption algorithms and security practices are not anywhere near the same thing. One is based on immutable mathematical laws, and the other is based on the actions of very fallible humans.
Another example of first order thinking. Nothing, but nothing, is "immutable." Just ask any turkey the day before Thanksgiving how immutable any "law" of anyone's current understanding of reality is. Language used to describe reality can never be reality. Just because we want to believe something is so doesn't make it so. Truth is, we really don't know how "secure" anything is, no matter how much we wish it so. Do you really want to trust your financial security to such a context?

Security is a trade off between convenience and security. For those who are biased towards convenience through the use of online storage vendors, go for it. But at least be cognizant of that bias, and of the reason for such a choice. Call it fear-mongering, if you will. I call it thinking deeper about such things.
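As an added example (not code from any poster, nor from LastPass, 1Password or the other products named in the thread), the Python below works through the arithmetic in Mordoch's post above and in the lazydavid post quoted by 2015: a search space that multiplies by the alphabet size with every added character, the slowdown an iterated KDF such as PBKDF2 imposes on guessing, and the salted one-way digest a site stores instead of the password itself. The 15,000 hashes per second and the 5,000/10,000 iteration counts are the thread's own figures; the 1e10 guesses per second for an unsalted fast hash is a constructed figure for contrast, not a measurement.

```python
import hashlib
import hmac
import math
import secrets
import string

# The alphabet the thread's example draws from: all 95 printable ASCII
# characters (letters, digits, punctuation and the space).
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation + " "
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int, alphabet: str = PRINTABLE_ASCII) -> str:
    """Draw each character uniformly and independently from the alphabet using
    the OS CSPRNG; this is the shape of a manager-generated password."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: each added character multiplies the count
    by the alphabet size (95 for the thread's example)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity on a log scale: bits of entropy of a random password."""
    return length * math.log2(alphabet_size)


def guesses_per_second(hash_ops_per_second: float, iterations: int) -> float:
    """A slow KDF such as PBKDF2 costs `iterations` hash operations per guess,
    so the attacker's guess rate is the raw hash rate divided by that count."""
    return hash_ops_per_second / iterations


def expected_years_to_crack(alphabet_size: int, length: int,
                            guesses_per_sec: float) -> float:
    """Expected time for exhaustive search: on average half the space is tried
    before the right password is reached."""
    expected_guesses = search_space(alphabet_size, length) / 2
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """What a site should store instead of the password: a salted, iterated
    one-way digest (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(candidate: str, salt: bytes, iterations: int,
                    stored_digest: bytes) -> bool:
    """Recompute the digest for a candidate and compare in constant time; the
    only way to pass is to know the original password."""
    return hmac.compare_digest(hash_password(candidate, salt, iterations),
                               stored_digest)


if __name__ == "__main__":
    # How the search space grows with each added character.
    for n in (8, 12, 24):
        print(f"{n:2d} chars from 95 symbols: {search_space(95, n):.3e} "
              f"passwords, {entropy_bits(95, n):.1f} bits")

    # Assumed attacker capability (constructed, not measured): the thread's
    # 15,000 PBKDF2 blocks per second per processor at 10,000 iterations,
    # versus an unsalted fast hash assumed to be tried at 1e10 guesses/s.
    slow_rate = guesses_per_second(15_000, 10_000)   # 1.5 guesses per second
    fast_rate = 1e10

    print(f"8 lowercase letters, fast hash: "
          f"{expected_years_to_crack(26, 8, fast_rate) * SECONDS_PER_YEAR:.1f} s")
    print(f"24 printable chars, fast hash: "
          f"{expected_years_to_crack(95, 24, fast_rate):.2e} years")
    print(f"30 printable chars, PBKDF2 at {slow_rate} guesses/s: "
          f"{expected_years_to_crack(95, 30, slow_rate):.2e} years")

    # Storing and later checking a password with the one-way function.
    salt = secrets.token_bytes(16)          # per-user random salt
    pw = generate_password(24)
    digest = hash_password(pw, salt, 10_000)
    print("verify correct:", verify_password(pw, salt, 10_000, digest))
    print("verify wrong:  ", verify_password(pw + "x", salt, 10_000, digest))
```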

MP123
Posts: 132
Joined: Thu Feb 16, 2017 3:32 pm

Re: Password Protection

Post by MP123 » Sun Oct 08, 2017 12:49 pm

gtd98765 wrote:
Sun Oct 08, 2017 11:50 am

Regarding storing encrypted passwords in the cloud: others have pointed out how many millennia it would take to decrypt a properly-encrypted password, such as those created by any password manager; I thought I would remind people that TV police procedurals where the quirky computer expert decrypts any hard drive in a few minutes are fiction. This does not happen in real life, even with the zillions of dollars the NSA spends on such exploits.
When (not if) the current level of encryption is broken we'll all be the last to know. This could happen not just by advances in computing power but also by new mathematical discoveries relating to prime factorization which underlies all of modern cryptography.

Whether it's the NSA, NK, China, Hackers, or whoever they certainly won't be announcing it until the damage is done. Seems to me that putting your encrypted data on someone else's computer is just tempting fate although I can see the convenience of it too.

lotusflower
Posts: 66
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sun Oct 08, 2017 1:16 pm

2015 wrote:
Sun Oct 08, 2017 12:12 pm
Another example of first order thinking. Nothing, but nothing, is "immutable." Just ask any turkey the day before Thanksgiving how immutable any "law" of anyone's current understanding of reality is. Language used to describe reality can never be reality. Just because we want to believe something is so doesn't make it so. Truth is, we really don't know how "secure" anything is, no matter how much we wish it so. Do you really want to trust your financial security to such a context?

Security is a trade off between convenience and security. For those who are biased towards convenience through the use of online storage vendors, go for it. But at least be cognizant of that bias, and of the reason for such a choice. Call it fear-mongering, if you will. I call it thinking deeper about such things.
Well but you have to model all the threats. There are threats that:
maybe bankers regularly collude with Congress to rip you off.
maybe bankers regularly collude with Vladimir Putin to rip you off.
maybe dialing for dummies (social engineering) will work against the CSRs working at your bank.
maybe many many PhDs and security experts are wrong about the math of modern encryption.
maybe the NSA and maybe other nation-states have cracked encryption and are keeping it a secret (that would probably require a constant stream of assassinations).
maybe LastPass is a corrupt organization.
maybe LastPass/1Password/Keepass are incompetent.
maybe KeePass, even though it is open source, has a back door into it somewhere.
maybe the NSA has convinced the major browser or OS vendors to give them a back door.
maybe some of the top-level trusted SSL certificates that every browser trusts by default, including ones from China, have been compromised.
maybe you clicked on something somewhere on the web that installed a keystroke logger.
maybe you will make a mistake in the way you handle your password files and storage devices if you are only storing them locally.

You will really never be able to eliminate all those threats, and if you are really thinking deeper, then you should come to realize that the threat of Lastpass/1Password/Keepass being corrupt or incompetent does not dominate that list of threats. There are so many benefits to those systems and so many other threat vectors that it doesn't make sense to obsess about those particular unlikely threats.

While it's true that security is in general a trade-off against convenience, I don't think it's logical to say that a cloud-based system is inferior. It's certainly less convenient than just using the same secret password on all sites, but we all know that that is not secure at all.

So my advice remains to use one of those systems, be vigilant against fraud as best you can, and sleep well at night.

lotusflower
Posts: 66
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sun Oct 08, 2017 1:20 pm

MP123 wrote:
Sun Oct 08, 2017 12:49 pm
gtd98765 wrote:
Sun Oct 08, 2017 11:50 am

Regarding storing encrypted passwords in the cloud: others have pointed out how many millennia it would take to decrypt a properly-encrypted password, such as those created by any password manager; I thought I would remind people that TV police procedurals where the quirky computer expert decrypts any hard drive in a few minutes are fiction. This does not happen in real life, even with the zillions of dollars the NSA spends on such exploits.
When (not if) the current level of encryption is broken we'll all be the last to know. This could happen not just by advances in computing power but also by new mathematical discoveries relating to prime factorization which underlies all of modern cryptography.

Whether it's the NSA, NK, China, Hackers, or whoever they certainly won't be announcing it until the damage is done. Seems to me that putting your encrypted data on someone else's computer is just tempting fate although I can see the convenience of it too.
This would basically be a black swan event that is no more likely than any other crazy things that could affect your portfolio, like us losing a nuclear war against North Korea or hyperinflation of the US Dollar. Sure keep your eyes open, but the technology is good and the math is sound. Banks are already using the same technology to protect your data on the back end. Until something crazy and unpredictable changes the status quo (that's the black swan) then you should trust the math and use the encryption.

lotusflower
Posts: 66
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sun Oct 08, 2017 1:44 pm

lotusflower wrote:
Sun Oct 08, 2017 1:20 pm
MP123 wrote:
Sun Oct 08, 2017 12:49 pm
gtd98765 wrote:
Sun Oct 08, 2017 11:50 am

Regarding storing encrypted passwords in the cloud: others have pointed out how many millennia it would take to decrypt a properly-encrypted password, such as those created by any password manager; I thought I would remind people that TV police procedurals where the quirky computer expert decrypts any hard drive in a few minutes are fiction. This does not happen in real life, even with the zillions of dollars the NSA spends on such exploits.
When (not if) the current level of encryption is broken we'll all be the last to know. This could happen not just by advances in computing power but also by new mathematical discoveries relating to prime factorization which underlies all of modern cryptography.

Whether it's the NSA, NK, China, Hackers, or whoever they certainly won't be announcing it until the damage is done. Seems to me that putting your encrypted data on someone else's computer is just tempting fate although I can see the convenience of it too.
This would basically be a black swan event that is no more likely than any other crazy things that could affect your portfolio, like us losing a nuclear war against North Korea or hyperinflation of the US Dollar. Sure keep your eyes open, but the technology is good and the math is sound. Banks are already using the same technology to protect your data on the back end. Until something crazy and unpredictable changes the status quo (that's the black swan) then you should trust the math and use the encryption.
Also the same encryption technology/math is used by SSL to protect your data between your browser, and through your ISP and across the network and into the bank. If you don't trust the encryption, don't ever use the web either. Just do your banking in person at your branch (where they will use that same encryption technology to update your accounts on the central servers).

Alchemist
Posts: 225
Joined: Sat Aug 30, 2014 6:35 am
Location: Florida

Re: Password Protection

Post by Alchemist » Sun Oct 08, 2017 2:54 pm

There are different kinds of risk that must be weighed against each other when making cyber security choices. In the case of password managers, everyone should have one. The only real discussion point to me is whether or not to have one with cloud backup/sync capability. Personally I have decided that I am comfortable using a zero-knowledge encryption scheme employed by the major PW managers like LastPass or Dashlane. I personally use Dashlane. If 256 AES encryption is breakable or compromised, the amount of problems in the world are far higher than the safety of my passwords. Financial, governmental, and military information is then all exposed as well. Worrying if the best encryption standard available isn't secure enough is like worrying about where to put your money if a comet hits the earth next Tuesday.....it just won't matter.

PW managers allow you to have very strong, unique passwords on all your accounts. If you use a cloud backup/sync option it means that the potential for you to lose that data is very small. If you do not use a cloud storage system, then you need some kind of manual off site back up. Having that data in one place or, even worse, stored on a single device means the loss of that device locks you out of everything. This is, unlike worries about encryption math, a real and probable risk. If my house and my computers were destroyed I could restore everything easily. It is all backed up, encrypted, with only me having the decryption key. If I only had local backups, then a hurricane while I am away from home, a robbery, fire, unexpected hard drive failure, etc., etc. would all take my data and account access away. Cloud storage with strong encryption is both safe and removes these risks.

Cloud backup removes a great deal of likely risks and only incurs a very small, highly unlikely risk that can be made even more unlikely through things like very strong pass phrases and the use of two factor authentication.

2015
Posts: 772
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Protection

Post by 2015 » Sun Oct 08, 2017 3:42 pm

Alchemist wrote:
Sun Oct 08, 2017 2:54 pm
There are different kinds of risk that must be weighed against each other when making cyber security choices. In the case of password managers, everyone should have one. The only real discussion point to me is whether or not to have one with cloud backup/sync capability. Personally I have decided that I am comfortable using a zero-knowledge encryption scheme employed by the major PW managers like LastPass or Dashlane. I personally use Dashlane. If 256 AES encryption is breakable or compromised, the amount of problems in the world are far higher than the safety of my passwords. Financial, governmental, and military information is then all exposed as well. Worrying if the best encryption standard available isn't secure enough is like worrying about where to put your money if a comet hits the earth next Tuesday.....it just won't matter.

This is a very good point, although I'm not sure I totally agree with the correlation.

PW managers allow you to have very strong, unique passwords on all your accounts. If you use a cloud backup/sync option it means that the potential for you to lose that data is very small. If you do not use a cloud storage system, then you need some kind of manual off site back up. Having that data in one place or, even worse, stored on a single device means the loss of that device locks you out of everything. This is, unlike worries about encryption math, a real and probable risk. If my house and my computers were destroyed I could restore everything easily. It is all backed up, encrypted, with only me having the decryption key. If I only had local backups, then a hurricane while I am away from home, a robbery, fire, unexpected hard drive failure, etc., etc. would all take my data and account access away. Cloud storage with strong encryption is both safe and removes these risks.

Not if that data was again backed up in a local safe deposit box.

Cloud backup removes a great deal of likely risks and only incurs a very small, highly unlikely risk that can be made even more unlikely through things like very strong pass phrases and the use of two factor authentication.
Now this was a well thought out response. The last two paragraphs in particular are a good description of balance between risks that must be considered. I am still not convinced that the risk due to online storage exposure is either small or highly unlikely, but I do realize this a personal conclusion which each of us must come to.

From The Seventh Sense:
Networked connections in the virtual world can control what you see and believe about your real world, can monitor you, and can even impact what occurs in the physical world (i.e., algorithms, malware, bots, viruses that destroy infrastructure). Because of these dangers, some advise: a) don’t own a computer; b) don’t turn it on; and c) don’t use it. Therefore, it all comes down to a question of Trust—who are you trusting when you connect to a network with your internet activity patterns, your personal, health, financial, psychological, emotional data and information, to be tracked, analyzed, synthesized, and possibly used against you. With the centralized power inherent in networks afforded to information giants such as Google, Microsoft, and Apple, they function as Gatekeepers, determining who is inside and who is outside much relied upon information. As they grow, living outside their networks becomes increasingly hard as few alternatives exist to connect to networks.
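The "zero-knowledge" scheme that Alchemist's quoted post relies on (the vault is encrypted on the device with a key derived from the master passphrase, so whatever is synced to the cloud is only ciphertext) can be shown in a few lines. This is an added example written for this thread, not code from LastPass, Dashlane or any other product; the function names SealVault/OpenVault, the PBKDF2 iteration count and the sample vault contents are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen    = 16
	keyLen     = 32     // 32-byte key selects AES-256
	iterations = 100000 // assumed KDF cost; real managers tune this to their own targets
)

// pbkdf2SHA256 derives n bytes from pass and salt (RFC 8018 PBKDF2 with HMAC-SHA256).
// Written out here so the example needs nothing outside the standard library.
func pbkdf2SHA256(pass, salt []byte, iters, n int) []byte {
	mac := hmac.New(sha256.New, pass)
	out := make([]byte, 0, n)
	for block := uint32(1); len(out) < n; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)             // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

// SealVault encrypts the plaintext vault under a key derived from passphrase.
// Output layout: salt || nonce || AES-256-GCM ciphertext+tag. Only this blob
// leaves the device; the passphrase and the derived key never do.
func SealVault(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	blob := append(salt, nonce...)
	return gcm.Seal(blob, nonce, plaintext, nil), nil
}

// OpenVault reverses SealVault. A wrong passphrase derives a different key, so
// GCM's authentication tag check fails and no partial plaintext is returned.
func OpenVault(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rest) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, rest[:ns], rest[ns:], nil)
}

// LeaksPlaintext reports whether the stored blob contains the vault verbatim,
// i.e. what a cloud provider (or anyone who copies the blob) could read directly.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	vault := []byte("constructed sample vault: bank=correct-horse-battery-staple") // constructed input
	blob, err := SealVault("my master passphrase", vault)
	if err != nil {
		panic(err)
	}
	fmt.Println("cloud sees plaintext:", LeaksPlaintext(blob, vault))
	_, err = OpenVault("wrong passphrase", blob)
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

The point of the blob layout is that everything the sync service stores (salt, nonce, ciphertext, tag) is safe to reveal; the only secret is the passphrase, which is why the thread's advice about a strong master passphrase and two factor authentication on the account is what actually sets the risk, not the AES math itself.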

vdubgeek
Posts: 4
Joined: Tue Jan 01, 2008 10:41 pm

Re: Password Protection

Post by vdubgeek » Sun Oct 08, 2017 3:48 pm

1Password is what I've used for years. Great OS X support, with iPhone and iPad clients as well. I highly recommend it, though I've also heard good things about LastPass as well.

lazydavid
Posts: 1071
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password Protection

Post by lazydavid » Sun Oct 08, 2017 8:11 pm

2015 wrote:
Sun Oct 08, 2017 12:12 pm
The most dangerous words in investing, "this time it's different", can be equally dangerous when applied to other assumptions as well. How do you know the math is secure? How does "tested" and "proven for decades" correlate to what is possible now or in near future? And just who are these "smartest people in the world?"
Because it's simple. The entire AES algorithm can be printed on a single sheet of paper, and is therefore easily examined by anyone. We know exactly what it does, and how it does it, and we therefore know why there are no practical attacks on it.

But whatever floats your boat. Using any online services (including this website) is probably too risky for you, so you should avoid doing so. And certainly not for anything like financial data. TLS could be a sham, just like AES and everything else. :oops:

Feel free to call it "second order questioning" or "looking deeper", or whatever you choose. I'll call it by its real name--"unsubstantiated paranoia".

2015
Posts: 772
Joined: Mon Feb 10, 2014 2:32 pm

Re: Password Protection

Post by 2015 » Sun Oct 08, 2017 9:05 pm

lazydavid wrote:
Sun Oct 08, 2017 8:11 pm
2015 wrote:
Sun Oct 08, 2017 12:12 pm
The most dangerous words in investing, "this time it's different", can be equally dangerous when applied to other assumptions as well. How do you know the math is secure? How does "tested" and "proven for decades" correlate to what is possible now or in near future? And just who are these "smartest people in the world?"
Because it's simple. The entire AES algorithm can be printed on a single sheet of paper, and is therefore easily examined by anyone. We know exactly what it does, and how it does it, and we therefore know why there are no practical attacks on it.

By reason of the explosion in artificial intelligence and capabilities over human intelligence and capabilities alone, this is no longer guaranteed. In fact, it has been argued that human intelligence is not the only intelligence in existence and may even grow extinct at some point in the future, maybe sooner, maybe later.

But whatever floats your boat. Using any online services (including this website) is probably too risky for you, so you should avoid doing so. And certainly not for anything like financial data. TLS could be a sham, just like AES and everything else. :oops:

Feel free to call it "second order questioning" or "looking deeper", or whatever you choose. I'll call it by its real name--"unsubstantiated paranoia".
Even a mild emotional response is dangerous to clear thinking. Use of exaggerations and phrases such as "unsubstantiated paranoia" is opinion, not fact.

Here's the problem I have with just about every response in this thread. They are all linear, based on first stage, linear thinking. We are increasingly and exponentially living in a non-linear world, where cause and effect are no longer linked, and where we are living in systems and nests of systems. The effects, consequences, secondary and unintended consequences of many actions taken in such systems are unknown and unknowable. In these systems, the near becomes far and the far becomes near, with all of the attendant dangers and risks that involves. Google refers to this phenomenon as "Map Reduce."

From Wikipedia on a criticism of Stephen Hawking's The Grand Design:
Dr. Marcelo Gleiser, in his article "Hawking And God: An Intimate Relationship", stated that "contemplating a final theory is inconsistent with the very essence of physics, an empirical science based on the gradual collection of data. Because we don’t have instruments capable of measuring all of Nature, we cannot ever be certain that we have a final theory. There’ll always be room for surprises, as the history of physics has shown again and again. In fact, I find it quite pretentious to imagine that we humans can achieve such a thing."
A post above attempted to respond to that which is unknowable with respect to encryption breach possibility by laying out and responding to what might be knowable. This is doing nothing more than creating a convenient narrative (as often happens in investing) to support a position. Another post referred to an encryption breach as likely as a comet strike. Once again, this is false thinking equating the possibility of an encryption breach as on par with that of a comet strike. Bottom line: it's not possible to make decisions regarding the risk of online data storage based on what is unknown and unknowable.

From Trev Griffin:
What is new about business today is that the many systems that make up businesses, markets and economies are part of globally connected digital networks. We live in an interconnected, or rather a hyper-connected society. Organizations and markets “behave” like networks. This triggers chaotic (complex) rather than linear behavior. When systems get connected via digital networks, feedback effects become stronger. When feedback effects get stronger, outcomes become more uncertain and nonlinear. Nassim Taleb calls this phenomenon Extremistan. Taleb advises that in such an environment: “Be prepared for the fact that the next large surprise, technological or historical, will not resemble what you have in mind (big surprises are what some people call ‘unknown unknowns’). In other words, learn to be abstract, and think in second order effects rather than being anecdotal – which I show to be against human nature. And crucially, rare events in Extremistan are more consequential by their very nature: the once-every-hundred-year flood is more damaging than the 10 year one, and less frequent.”
OTOH, based on Alchemist's excellent analysis above, I would agree that for the average person just trying to make it in this world, in terms of job, family, finances, retirement, and a host of other responsibilities, an online password manager is an excellent choice. Most people have neither the time nor the inclination to create an elaborate offline backup system such as I have. For that reason, and for the risks Alchemist pointed out with offline data storage that would affect most people, I would wholeheartedly recommend an online password manager. For reasons I have pointed out previously, this is simply not an avenue I personally will pursue.
