Password Manager Risk Protection
I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
Re: Password Manager Risk Protection
I find reddit/r/privacy is pretty good for questions like this
Check out KeePass too, free and open sourced
Re: Password Manager Risk Protection
Prudence wrote: ↑Mon Mar 02, 2020 4:19 pm
I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
I strongly recommend using 1Password instead of LastPass. Partly due to LastPass having a checkered history of security issues, and partly because I think 1Password has a much better interface.
(No affiliation with either other than being a happy 1Password customer, and having tried LastPass on two other occasions in the past.)
Re: Password Manager Risk Protection
I have been using LastPass for about 1.5 years and have been very happy with it. There are a lot of security settings in LastPass that you can customize to your preferences.
There is a list of countries where you can specify where your account can be logged into from. If you never travel internationally, just check the US and leave the others unchecked. You can specify for it to auto-logout after a certain amount of time. I use 2-factor authentication through an app named Authy. This gives you a 6 digit number which changes every 30 seconds. There are many other security settings that I am not remembering right now.
For my master password, the only place it exists (besides in my head) is on a handwritten piece of paper which is stored in the safe deposit box. It is a long phrase with uppercase, lower case, numbers, and special characters.
Re: Password Manager Risk Protection
I use KeePass. There's no perfectly secure password manager (if your machine is compromised, all security goes out the window), but KeePass is very good. Everything is done locally, so you don't have to worry about someone else's server being compromised. Being open-source also lends credibility. I believe an EU agency recently audited KeePass and found no exploits.
lthenderson
Re: Password Manager Risk Protection
Prudence wrote: ↑Mon Mar 02, 2020 4:19 pm
I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
I've used LastPass for a couple years and have been pleased with it. After the scare you mentioned, I simply went and changed all my passwords, which was simple enough using LastPass and the fact that I no longer have to remember any of them other than the main one.
Re: Password Manager Risk Protection
I've used LastPass for several years now and am very happy with it. (I use the premium version.) As your password manager contains the "keys to the kingdom", so to speak, I use and recommend a hardware 2FA method. I use a YubiKey myself. Buy an extra one, configure your LastPass account with both, and put one in a safe or safe deposit box.
Re: Password Manager Risk Protection
+1 for 1Password.
Cyclist
Re: Password Manager Risk Protection
Prudence wrote: ↑Mon Mar 02, 2020 4:19 pm
I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
There is nothing you can do to safeguard your passwords from a password manager. By definition that software has access to all the passwords you put in it.
You need to trust your password manager. If you don’t trust a given password manager you should find another password manager that you can trust.
Re: Password Manager Risk Protection
I use LastPass. They know they are a target of hackers and take steps to reduce the risk of info being stolen.
Re: Password Manager Risk Protection
Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose my PC or phone or any device where I have been using the password manager (or it is stolen and broken into or hacked); am I ok? Is there no preemptive control for this risk?
Re: Password Manager Risk Protection
I use KeePass because I feel safer not having my passwords and usernames in the cloud. I have several backups of the information, and if the computer or iPad was stolen I would have a backup. My Linux PC and iPad do not leave the house, so I would need to be burgled for them to be stolen. I don't keep it on my phone or do any financial transactions on the phone. If you did lose a device that had your password manager on it, hopefully you would have time to go in and change the various passwords before they hacked your manager. You could increase the protection by using a YubiKey or other authenticator.
Last edited by mhalley on Mon Mar 02, 2020 8:38 pm, edited 1 time in total.
Re: Password Manager Risk Protection
Prudence wrote: ↑Mon Mar 02, 2020 8:21 pm
Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose (or stolen and broken into or hacked) my PC or phone or any device where I have been using the password manager; am I ok? Is there no preemptive control for this risk?
Make sure you set up multi-factor authentication on LastPass (and other important sites).
Re: Password Manager Risk Protection
Prudence wrote: ↑Mon Mar 02, 2020 8:21 pm
Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose (or stolen and broken into or hacked) my PC or phone or any device where I have been using the password manager; am I ok? Is there no preemptive control for this risk?
Use KeePass and store your password file locally with 2-factor authentication. Back up the password database with your preferred backup solution.
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
Re: Password Manager Risk Protection
Prudence wrote: ↑Mon Mar 02, 2020 8:21 pm
Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose (or stolen and broken into or hacked) my PC or phone or any device where I have been using the password manager; am I ok? Is there no preemptive control for this risk?
1. It does not matter if the password firm is attacked because they do not know your passwords, all of which are encrypted by a master password that only you know - and they don't. Some password managers have had their software audited by external firms to verify that they have the encryption right; some are open source so any expert could review the software. Even if your manager stores your encrypted passwords in the cloud, as long as you use a long and strong master password, that info in the cloud is useless to anyone else.
2. You should always enable your long and strong master password for the password manager on your laptop, phone, or wherever else you use it. As long as you have the manager set up so you need to enter the master password before using the manager - every time you log on to it - there is no risk of your passwords leaking even if your device is stolen.
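Point 1 rests on how the keys are derived: the master password is stretched into one key that encrypts the vault on the device and a separate key that is presented to the provider, so a leaked server database holds neither the password nor the vault key. The block below is an added example, not code from this thread or from LastPass, 1Password or KeePass. It is a simplified model (the account id, iteration count and sample vault are constructed assumptions), and the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC as a stand-in for AES-GCM so it runs with only the standard library.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor: makes offline guessing of a leaked vault slow

def derive_keys(master_password: str, account_id: str):
    """Stretch the master password into two independent keys. vault_key never leaves
    the device; auth_key is the only thing the device ever presents to the server."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), account_id.encode(), ITERATIONS)
    vault_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 counter mode: a PRF-based stream cipher standing in for AES-GCM.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; this blob is what goes to the cloud."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_vault(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_record(auth_key: bytes) -> bytes:
    """All the provider stores for login: a salted hash of auth_key, never the password or vault_key."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000)

def server_check(record: bytes, auth_key: bytes) -> bool:
    """Server-side login check; a stolen record lets nobody derive vault_key from it."""
    salt, digest = record[:16], record[16:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000), digest)
```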
Re: Password Manager Risk Protection
Dear Prudence,
(sorry I had to)
There is nothing you can do to protect against this, other than to choose a reputable password manager that you trust.
This you can do something about, and the best defense is a strong master password for your password manager.
In addition, for your PC, you should always enable disk encryption. This is typically not an issue for phones or tablets because mobile devices tend to have their storage encrypted by default.
Re: Password Manager Risk Protection
I've been using Lastpass for years with no problems. That said, I do take all the precautions you can. Currently I'm using a grid for authentication. I have considered moving myself offline completely with passsafe.
I've been following Schneier for years. He's well-respected.
https://www.schneier.com/academic/passsafe/
Schneier:
"... My particular choices about security and risk is to only store passwords on my computer -- not on my phone -- and not to put anything in the cloud. In my way of thinking, that reduces the risks of a password manager considerably. Yes, there are losses in convenience."
Risks of Password Managers
https://www.schneier.com/blog/archives/ ... asswo.html