Password Manager Risk Protection

Topic Author
Prudence
Posts: 570
Joined: Fri Mar 09, 2012 4:55 pm

Password Manager Risk Protection

Post by Prudence »

I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
Ramjet
Posts: 645
Joined: Thu Feb 06, 2020 11:45 am
Location: Cleveland

Re: Password Manager Risk Protection

Post by Ramjet »

I find reddit/r/privacy is pretty good for questions like this

Check out KeePass too, free and open sourced
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Password Manager Risk Protection

Post by ARoseByAnyOtherName »

Prudence wrote: Mon Mar 02, 2020 4:19 pm I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
I strongly recommend using 1Password instead of LastPass. Partly due to LastPass having a checkered history of security issues, and partly because I think 1Password has a much better interface.

(No affiliation with either other than being a happy 1Password customer, and having tried LastPass on two other occasions in the past.)
Hockey10
Posts: 870
Joined: Wed Aug 24, 2016 12:20 pm
Location: Philadelphia suburbs

Re: Password Manager Risk Protection

Post by Hockey10 »

I have been using LastPass for about 1.5 years and have been very happy with it. There are a lot of security settings in LastPass that you can customize to your preferences.

There is a list of countries where you can specify where your account can be logged into from. If you never travel internationally, just check the US and leave the others unchecked. You can specify for it to auto-logout after a certain amount of time. I use 2-factor authentication through an app named Authy. This gives you a 6-digit number which changes every 30 seconds. There are many other security settings that I am not remembering right now.

For my master password, the only place it exists (besides in my head) is on a handwritten piece of paper which is stored in the safe deposit box. It is a long phrase with uppercase, lowercase, numbers, and special characters.
Dominic
Posts: 422
Joined: Sat Jul 02, 2016 11:36 am

Re: Password Manager Risk Protection

Post by Dominic »

Ramjet wrote: Mon Mar 02, 2020 4:45 pm I find reddit/r/privacy is pretty good for questions like this

Check out KeePass too, free and open sourced
I use KeePass. There's no perfectly secure password manager (if your machine is compromised, all security goes out the window), but KeePass is very good. Everything is done locally, so you don't have to worry about someone else's server being compromised. Being open-source also lends credibility. I believe an EU agency recently audited KeePass and found no exploits.
lthenderson
Posts: 5423
Joined: Tue Feb 21, 2012 12:43 pm
Location: Iowa

Re: Password Manager Risk Protection

Post by lthenderson »

Prudence wrote: Mon Mar 02, 2020 4:19 pm I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
I've used LastPass for a couple years and have been pleased with it. After the scare you mentioned, I simply went and changed all my passwords which was simple enough using LastPass and the fact that I no longer have to remember any of them other than the main one.
mhlambert
Posts: 21
Joined: Fri Jan 25, 2013 1:31 pm

Re: Password Manager Risk Protection

Post by mhlambert »

I've used LastPass for several years now and am very happy with it. (I use the premium version.) As your password manager contains the "keys to the kingdom" so to speak I use and recommend a hardware 2FA method. I use a YubiKey myself. Buy an extra one, configure your LastPass account with both, and put one in a safe or safe deposit box.
cyclist
Posts: 158
Joined: Fri Jun 21, 2013 9:04 am

Re: Password Manager Risk Protection

Post by cyclist »

+1 for 1Password.

Cyclist
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Password Manager Risk Protection

Post by ARoseByAnyOtherName »

Prudence wrote: Mon Mar 02, 2020 4:19 pm I'm gonna break down and start using a password manager, probably LastPass since it has received positive reviews. I have a PC and an android phone. I noticed LastPass had a scare in September that was fixed before any harm was done to users. So, I am wondering, after I start using LastPass, what should I do if anything in the way of safeguards?
There is nothing you can do to safeguard your passwords from a password manager. By definition that software has access to all the passwords you put in it.

You need to trust your password manager. If you don’t trust a given password manager you should find another password manager that you can trust.
zlandar
Posts: 320
Joined: Wed Apr 10, 2019 8:51 am

Re: Password Manager Risk Protection

Post by zlandar »

I use LastPass. They know they are a target of hackers and take steps to reduce the risk of info being stolen.
Topic Author
Prudence
Posts: 570
Joined: Fri Mar 09, 2012 4:55 pm

Re: Password Manager Risk Protection

Post by Prudence »

Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose my PC or phone or any device where I have been using the password manager (or it is stolen and broken into, or hacked); am I ok? Is there no preemptive control for this risk?
mhalley
Posts: 8664
Joined: Tue Nov 20, 2007 6:02 am

Re: Password Manager Risk Protection

Post by mhalley »

I use KeePass because I feel safer not having my passwords and usernames in the cloud. I have several backups of the information, and if the computer or iPad was stolen I would have a backup. My Linux PC and iPad do not leave the house, so I would need to be burgled for them to be stolen. I don't keep it on my phone or do any financial transactions on the phone. If you did lose a device that had your password manager on it, hopefully you would have time to go in and change the various passwords before they hacked your manager. You could increase the protection by using a YubiKey or other authenticator.
Last edited by mhalley on Mon Mar 02, 2020 8:38 pm, edited 1 time in total.
Winston19
Posts: 212
Joined: Mon Jan 21, 2019 5:42 pm

Re: Password Manager Risk Protection

Post by Winston19 »

Prudence wrote: Mon Mar 02, 2020 8:21 pm Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose my PC or phone or any device where I have been using the password manager (or it is stolen and broken into, or hacked); am I ok? Is there no preemptive control for this risk?
Make sure you set up multi-factor authentication on LastPass (and other important sites).
SimonJester
Posts: 2227
Joined: Tue Aug 16, 2011 12:39 pm

Re: Password Manager Risk Protection

Post by SimonJester »

Prudence wrote: Mon Mar 02, 2020 8:21 pm Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose my PC or phone or any device where I have been using the password manager (or it is stolen and broken into, or hacked); am I ok? Is there no preemptive control for this risk?
Use KeePass and store your password file locally with two-factor authentication. Back up the password database with your preferred backup solution.
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
gtd98765
Posts: 702
Joined: Sun Jan 08, 2017 4:15 am

Re: Password Manager Risk Protection

Post by gtd98765 »

Prudence wrote: Mon Mar 02, 2020 8:21 pm Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)? What if I lose my PC or phone or any device where I have been using the password manager (or it is stolen and broken into, or hacked); am I ok? Is there no preemptive control for this risk?
1. It does not matter if the password firm is attacked because they do not know your passwords, all of which are encrypted by a master password that only you know - and they don't. Some password managers have had their software audited by external firms to verify that they have the encryption right; some are open source so any expert could review the software. Even if your manager stores your encrypted passwords in the cloud, as long as you use a long and strong master password, that info in the cloud is useless to anyone else.

2. You should always enable your long and strong master password for the password manager on your laptop, phone, or wherever else you use it. As long as you have the manager set up so you need to enter the master password before using the manager - every time you log on to it - there is no risk of your passwords leaking even if your device is stolen.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Password Manager Risk Protection

Post by ARoseByAnyOtherName »

Dear Prudence,

(sorry I had to)
Prudence wrote: Mon Mar 02, 2020 8:21 pm Point taken. Two concerns. How can I protect myself if the password manager (the firm) is attacked and compromised (they must be attacked every day)?
There is nothing you can do to protect against this, other than to choose a reputable password manager that you trust.
Prudence wrote: Mon Mar 02, 2020 8:21 pm What if I lose my PC or phone or any device where I have been using the password manager (or it is stolen and broken into, or hacked); am I ok? Is there no preemptive control for this risk?
This you can do something about, and the best defense is a strong master password for your password manager.

In addition, for your PC, you should always enable disk encryption. This is typically not an issue for phones or tablets because mobile devices tend to have their storage encrypted by default.
Tejfyy
Posts: 106
Joined: Mon Aug 26, 2019 9:18 pm

Re: Password Manager Risk Protection

Post by Tejfyy »

I've been using LastPass for years with no problems. That said, I do take all the precautions you can. Currently I'm using a grid for authentication. I have considered moving myself offline completely with passsafe.
I've been following Schneier for years. He's well-respected.
https://www.schneier.com/academic/passsafe/

Schneier:
"... My particular choices about security and risk is to only store passwords on my computer -- not on my phone -- and not to put anything in the cloud. In my way of thinking, that reduces the risks of a password manager considerably. Yes, there are losses in convenience."
Risks of Password Managers
https://www.schneier.com/blog/archives/ ... asswo.html