Password vault or generator?

Topic Author
OldBallCoach
Posts: 338
Joined: Mon Dec 10, 2018 5:22 pm

Password vault or generator?

Post by OldBallCoach »

I sat down the other day to try and tidy some things up password-wise... good lord, I have about 50 different things I log into with, it seems, about 75 passwords... anyone have a better plan? Thanks in advance!!
ScubaHogg
Posts: 735
Joined: Sun Nov 06, 2011 3:02 pm

Re: Password vault or generator?

Post by ScubaHogg »

1Password is great.

https://1password.com/
“Unexpected Returns dominate the Expected Returns” - Ken French
smalliebigs
Posts: 193
Joined: Wed Jan 04, 2017 10:48 am

Re: Password vault or generator?

Post by smalliebigs »

Or lastpass. Take your pick! The ultimate security is when even you yourself don't know the password.
Chaconne
Posts: 208
Joined: Sat Dec 15, 2007 4:18 pm

Re: Password vault or generator?

Post by Chaconne »

One thing I don't understand about password managers is, how do they (or you) change the old passwords you've been using all along? Do you have to visit every website you frequent, log in, hit "change password" and then what? That's really the only hangup I have about starting to use a password manager. How it all gets started.
runner3081
Posts: 3689
Joined: Mon Aug 22, 2016 3:22 pm

Re: Password vault or generator?

Post by runner3081 »

smalliebigs wrote: Sun May 10, 2020 1:23 pm Or lastpass. Take your pick! The ultimate security is when even you yourself don't know the password.
Another vote for Lastpass.
smalliebigs
Posts: 193
Joined: Wed Jan 04, 2017 10:48 am

Re: Password vault or generator?

Post by smalliebigs »

Chaconne wrote: Sun May 10, 2020 2:30 pm One thing I don't understand about password managers is, how do they (or you) change the old passwords you've been using all along? Do you have to visit every website you frequent, log in, hit "change password" and then what? That's really the only hangup I have about starting to use a password manager. How it all gets started.
I use LastPass. Not sure how others handle it. If you do need to do a password reset, the browser plugin or app on your phone automatically will update the stored password.
penumbra
Posts: 314
Joined: Thu Mar 29, 2007 2:42 am

Re: Password vault or generator?

Post by penumbra »

I have 273 sites on my LastPass account. Works extremely well, couldn’t get by without it. Recommend it wholeheartedly!
I watch my wife, who hasn’t made the conversion, struggle with misremembered passwords, lost scraps of paper with data on them, and alarming emotional outbursts of frustration. Not a pretty sight, but we all grow up at our own rate. 🥴
michaelingp
Posts: 390
Joined: Tue Jan 17, 2017 8:46 pm

Re: Password vault or generator?

Post by michaelingp »

Chaconne wrote: Sun May 10, 2020 2:30 pm One thing I don't understand about password managers is, how do they (or you) change the old passwords you've been using all along? Do you have to visit every website you frequent, log in, hit "change password" and then what? That's really the only hangup I have about starting to use a password manager. How it all gets started.
When you install the password manager, it will offer to import any passwords that your browser has (helpfully) saved for you. Then, each time you go to a site, the password manager will offer to save the password you used. Over time you build up the list of passwords that it manages for you. You can also do it manually. I would think most people start with their most sensitive accounts, like financial institutions. The first thing you do when you get your password manager is to log onto Vanguard or Fidelity or Schwab, and change your password, having the password manager generate a long, unique-to-that-site, random string of characters password for you. Passwords like your BH forum password can wait if you don't use the same password for sensitive accounts.
ScaledWheel
Posts: 143
Joined: Sat Jul 23, 2011 8:06 pm

Re: Password vault or generator?

Post by ScaledWheel »

penumbra wrote: Sun May 10, 2020 2:38 pm I have 273 sites on my LastPass account. Works extremely well, couldn’t get by without it. Recommend it wholeheartedly!
I watch my wife, who hasn’t made the conversion, struggle with misremembered passwords, lost scraps of paper with data on them, and alarming emotional outbursts of frustration. Not a pretty sight, but we all grow up at our own rate. 🥴
Took about two years before my wife switched over to our family 1Password account and now she can't live without it. Makes it really easy to distribute work (like creating a city utility billing account) by sharing the login info in a shared vault.

I was getting frustrated at her frustration before she switched. I had the solution all ready; you just have to use it! :D
Gadget
Posts: 398
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password vault or generator?

Post by Gadget »

I used Lastpass for years (paid premium and family version). I'm not a fan of their new management/owner though, so I recently switched to 1password which I happen to like a lot better.

Here's my ranking of password managers I've used:

1. 1Password
2. Bitwarden
3. Lastpass
4. Keepass

If you're looking for just the best manager for families and the $60/yr cost doesn't bother you, I think 1password is the best by far.

If you're looking for the best free one, I think Bitwarden has recently overtaken Lastpass. I really liked Bitwarden for one person (probably near equal to 1password for a single user), but for sharing with a spouse I found it confusing to manage.

I could go into more details about pros and cons of each, but the overall summary is probably 1password for best paid app and Bitwarden for best free app.
dboeger1
Posts: 217
Joined: Fri Jan 13, 2017 7:32 pm

Re: Password vault or generator?

Post by dboeger1 »

OldBallCoach wrote: Sun May 10, 2020 1:18 pm ....anyone have a better plan?
Nope. I just started using a password manager (Bitwarden) a few weeks ago after being too lazy to do it for years, and it took me like a whole week, several hours per day, to update all of my accounts. It was totally worth it. I had never gotten a class action settlement or data breach email for most of my life, until the past few years when my accounts grew exponentially as I signed up for many different services to optimize my spending. In the past 2 years, I think I've gotten notified of 10ish data breaches and related class action lawsuits. Virtually all of my passwords were slight variations on the same thing I've used for almost 2 decades. It was well past time for me to take the plunge.

I can't tell if your topic is asking which to use out of the 2, but pretty much every password vault worth its salt today will have a password generation feature included, so you should take advantage of both features.
countdrak
Posts: 60
Joined: Fri Jan 13, 2017 12:47 pm

Re: Password vault or generator?

Post by countdrak »

+1 for 1Password. Nice integration with all devices, doesn’t store password in the cloud but on local devices that are synced when on WiFi. Generates strong passwords and works seamlessly via app and browser plugins.

Also I wouldn’t ever create my own passwords, so better to create the password and store it with the same software. You ONLY need to remember the master password, and it works with touchid and faceid on iOS (no need to enter it every time).
Pacific
Posts: 1407
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: Password vault or generator?

Post by Pacific »

I have been using LastPass for several years. What confounds me is that while it works fine on web sites, I cannot get it to work on apps. For example, I use TuneIn on my browser and as an app. I cannot get LP to pop up the window on the app.

Anyone else have that problem?
4nursebee
Posts: 1597
Joined: Sun Apr 01, 2012 7:56 am
Location: US

Re: Password vault or generator?

Post by 4nursebee »

I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
Pale Blue Dot
sd323232
Posts: 743
Joined: Thu Jun 21, 2018 4:45 pm

Re: Password vault or generator?

Post by sd323232 »

4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
All data is encrypted with 256 bit encryption which will take 30 (add additional 49 zeros here) years to decrypt. And if you change all passwords every 2 years, I would say probability of your passwords being stolen is zero.
gtd98765
Posts: 665
Joined: Sun Jan 08, 2017 4:15 am

Re: Password vault or generator?

Post by gtd98765 »

4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
No, someone cannot hack one website to get your passwords, since the password manager maker does not know your passwords, even if it stores them on its server or in the cloud. Your passwords are scrambled (encrypted) before they ever leave your computer and cannot be unscrambled without your master password that only you know. As long as you use a long master password ("Four score and seven years ago" for example) there is no way for anyone else to unscramble them. Those detective movies and TV shows where the quirky computer expert decrypts a suspect's computer with no problem are fiction.
smalliebigs
Posts: 193
Joined: Wed Jan 04, 2017 10:48 am

Re: Password vault or generator?

Post by smalliebigs »

penumbra wrote: Sun May 10, 2020 2:38 pm I watch my wife, who hasn’t made the conversion, struggle with misremembered passwords, lost scraps of paper with data on them, and alarming emotional outbursts of frustration. Not a pretty sight, but we all grow up at our own rate. 🥴
To be fair, complicated passwords on papers are now safer than simple passwords stored online.
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
That's kind of the point. Humans have a tendency to just use the same (simple) password for all their websites. Once a hacker knows your email and password for one of them, chances are, all your logins are compromised.

With password managers all your passwords for different websites will be completely different, randomized, can be up to 32 characters long (or even longer), and even you don't know them. You have 1 master password that should be super long, but you rarely need to use it.
lazydavid
Posts: 3413
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password vault or generator?

Post by lazydavid »

4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?
If the bad guys already know your master password, absolutely (in that case they don't even have to break into the website, they can just log in to the application as you). If your master password is easy to crack, yes. Otherwise, no.

My master password is 40+ characters (but easy to remember and easy to type), and essentially impossible to brute force by any known method. Without that, the encryption itself must be cracked. We don't currently have the computing power to do that before the universe implodes.
Gadget
Posts: 398
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password vault or generator?

Post by Gadget »

Pacific wrote: Mon May 11, 2020 3:34 am I have been using LastPass for several years. What confounds me is that while it works fine on web sites, I cannot get it to work on apps. For example, I use TuneIn on my browser and as an app. I cannot get LP to pop up the window on the app.

Anyone else have that problem?
I don't use that particular TuneIn app. But does Lastpass not work for you on ANY app, or just that one?

Lastpass always worked fine for me on Android apps, but some were better than others. The app has to allow it and code it properly for both Android and iOS. For instance, PayPal in their infinite wisdom basically bans password managers from being used on Android (not sure about iOS). No password manager I've used has ever worked with PayPal on Android. I always have to manually open the password manager, manually copy the password, and manually paste it. Because PayPal is stupid. And there are lots of stupid/lazy app devs.

But if you can't get Lastpass to autofill any app, then I think you're doing something wrong. You might want to rerun the autofill and/or accessibility instruction settings for Lastpass on your Android/iOS device.
blueman457
Posts: 463
Joined: Sun Jul 26, 2015 12:19 pm

Re: Password vault or generator?

Post by blueman457 »

+1 Bitwarden

I moved away from Lastpass to Bitwarden due to some poor 2FA implementation from Lastpass.

Blue Man
apex84
Posts: 173
Joined: Sun Mar 11, 2007 12:51 am
Location: Chicago

Re: Password vault or generator?

Post by apex84 »

Happy with 1Password. You can generate, store, and autofill unique passwords for every site. Any time I have any concern about a given site, I just change the password. It also includes 2 factor authentication (I used to use Google Authenticator) for those sites that support it.

About security:
https://support.1password.com/1password ... lsrc=aw.ds

Choosing a master password:
https://support.1password.com/strong-master-password/

You can click the link on that page for a randomly generated master password. I don't know if they had that when we set it up. I used Diceware.
https://theworld.com/~reinhold/diceware.html
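The Diceware method linked above, and the brute-force resistance of long master passwords discussed earlier in the thread, as an added example that is not part of any post: five simulated dice rolls pick each word, and the helper functions put numbers on the resulting strength. The word list here is a constructed placeholder (the published Diceware list is not reproduced), and the guess rate used in the demo is an assumption.

```python
import math
import secrets

ROLLS_PER_WORD = 5                    # Diceware: five dice rolls select one word
WORDLIST_SIZE = 6 ** ROLLS_PER_WORD   # 7776 entries, keyed 11111 .. 66666


def roll_key():
    """Simulate five fair dice with the OS CSPRNG; returns a key such as '16352'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(ROLLS_PER_WORD))


def key_to_index(key):
    """Map a dice key to a 0-based word-list position (base 6, digits 1-6)."""
    if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a valid dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def make_passphrase(wordlist, n_words=6):
    """Pick n_words uniformly and independently from a 7776-word list."""
    if len(wordlist) != WORDLIST_SIZE or len(set(wordlist)) != WORDLIST_SIZE:
        raise ValueError("word list must hold 7776 distinct words")
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(n_words))


def passphrase_bits(n_words):
    """Entropy of a Diceware passphrase: about 12.9 bits per word."""
    return n_words * math.log2(WORDLIST_SIZE)


def random_password_bits(length, alphabet_size):
    """Entropy of a generator-made password of uniformly random characters."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits):
    """Smallest word count that reaches a target entropy."""
    return math.ceil(target_bits / math.log2(WORDLIST_SIZE))


def average_years_to_guess(bits, guesses_per_second):
    """Expected search time at a fixed guess rate (half the space on average)."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# Constructed placeholder list so the example runs offline; real use loads
# the published 7776-word Diceware list in key order.
SAMPLE_WORDLIST = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]

if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDLIST, 6))
    print(f"6 words: {passphrase_bits(6):.1f} bits")
    print(f"32 random printable chars: {random_password_bits(32, 94):.1f} bits")
    # Assumed attacker speed of 1e12 guesses per second, for illustration only.
    print(f"6 words at 1e12 guesses/s: {average_years_to_guess(passphrase_bits(6), 1e12):,.0f} years")
```

The entropy figures only hold when every word is chosen at random; a phrase picked by a person from memory does not get 12.9 bits per word.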
BeneIRA
Posts: 843
Joined: Sat Nov 29, 2014 8:43 pm

Re: Password vault or generator?

Post by BeneIRA »

Another +1 for 1Password. After putting in the setup time, life is a lot easier since it autofills from the application.
Luke Duke
Posts: 1068
Joined: Tue Jun 18, 2013 11:44 am
Location: Texas

Re: Password vault or generator?

Post by Luke Duke »

ScaledWheel wrote: Sun May 10, 2020 6:31 pm
penumbra wrote: Sun May 10, 2020 2:38 pm I have 273 sites on my LastPass account. Works extremely well, couldn’t get by without it. Recommend it wholeheartedly!
I watch my wife, who hasn’t made the conversion, struggle with misremembered passwords, lost scraps of paper with data on them, and alarming emotional outbursts of frustration. Not a pretty sight, but we all grow up at our own rate. 🥴
Took about two years before my wife switched over to our family 1Password account and now she can't live without it. Makes it really easy to distribute work (like creating a city utility billing account) by sharing the login info in a shared vault.

I was getting frustrated at her frustration before she switched. I had the solution all ready; you just have to use it! :D
This came to mind
https://youtu.be/-4EDhdAHrOg
tm3
Posts: 189
Joined: Wed Dec 24, 2014 7:16 pm

Re: Password vault or generator?

Post by tm3 »

What happens if you forget your master password (I know, I know, but I'm getting older and older ......).
Juice3
Posts: 230
Joined: Sun Nov 05, 2017 7:40 am
Location: The Web

Re: Password vault or generator?

Post by Juice3 »

lazydavid wrote: Mon May 11, 2020 8:37 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?
If the bad guys already know your master password, absolutely (in that case they don't even have to break into the website, they can just log in to the application as you). If your master password is easy to crack, yes. Otherwise, no.

My master password is 40+ characters (but easy to remember and easy to type), and essentially impossible to brute force by any known method. Without that, the encryption itself must be cracked. We don't currently have the computing power to do that before the universe implodes.
No, the password manager process must be cracked not necessarily the master password encryption that is one way to do so.

Password Managers may be harder to crack but are much more appealing to crack as you may get passwords to millions of financial accounts. Compromising the scrap of paper under my keyboard will get you 1 account. Personally my scrap of paper is only a password hint not the actual password. So you only get a clue to use in your guessing.

Chains are only as strong as the weakest link.
lazydavid
Posts: 3413
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password vault or generator?

Post by lazydavid »

tm3 wrote: Mon May 11, 2020 10:47 am What happens if you forget your master password (I know, I know, but I'm getting older and older ......).
Account recovery is very complicated due to the way password managers work. You do not want the vendor to be able to restore access to your account, because that would mean they could give it to someone else. There are ways around this using things like device-specific one-time-passcodes (which means your desktop is different than your laptop is different from your phone). Here's the process for Lastpass: https://support.logmeininc.com/lastpass ... d-lp020010

Short version: If you're worried about forgetting it, write it down and put it in your safe.
lazydavid
Posts: 3413
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password vault or generator?

Post by lazydavid »

Juice3 wrote: Mon May 11, 2020 11:06 am No, the password manager process must be cracked not necessarily the master password encryption that is one way to do so.
This is true. But as in most things security, if your device is already compromised, then all bets are off.
killjoy2012
Posts: 1149
Joined: Wed Sep 26, 2012 5:30 pm

Re: Password vault or generator?

Post by killjoy2012 »

The problem is, all of these password tools have problems, limits and/or security risks.

- Some only work on one device. That's great for your primary PC, but becomes a problem when you need to access the resource from phone/tablet.
- Some leverage a cloud service to store your passwords out on the Internet to overcome that device issue, but that presents risk. Encrypted? Sure. How well? Who knows. There's also potential ways to decrypt data other than brute forcing. e.g. incorrectly implemented encryption, security vulnerability, back doors, etc. Implementing encryption properly is hard, and very few people/companies do it correctly.
- 1Password supports Wifi sync, but only between iOS and MacOS. Using Windows? Using Droid? Sorry...
- Even without a cloud sync component, you also have to worry about vulnerabilities in the password tool itself. e.g. With as many people that use LastPass, it becomes increasingly targeted by the Bad Guys.

MFA is usually a better control, but that has its own challenges too if not properly implemented. And it's not transparent to the user.
palanzo
Posts: 1666
Joined: Thu Oct 10, 2019 4:28 pm

Re: Password vault or generator?

Post by palanzo »

lazydavid wrote: Mon May 11, 2020 8:37 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?
If the bad guys already know your master password, absolutely (in that case they don't even have to break into the website, they can just log in to the application as you). If your master password is easy to crack, yes. Otherwise, no.

My master password is 40+ characters (but easy to remember and easy to type), and essentially impossible to brute force by any known method. Without that, the encryption itself must be cracked. We don't currently have the computing power to do that before the universe implodes.
Before they can log into your password application they would first have to compromise the device on which the password vault is stored. Not so easy.
palanzo
Posts: 1666
Joined: Thu Oct 10, 2019 4:28 pm

Re: Password vault or generator?

Post by palanzo »

Juice3 wrote: Mon May 11, 2020 11:06 am
lazydavid wrote: Mon May 11, 2020 8:37 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?
If the bad guys already know your master password, absolutely (in that case they don't even have to break into the website, they can just log in to the application as you). If your master password is easy to crack, yes. Otherwise, no.

My master password is 40+ characters (but easy to remember and easy to type), and essentially impossible to brute force by any known method. Without that, the encryption itself must be cracked. We don't currently have the computing power to do that before the universe implodes.
No, the password manager process must be cracked not necessarily the master password encryption that is one way to do so.

Password Managers may be harder to crack but are much more appealing to crack as you may get passwords to millions of financial accounts. Compromising the scrap of paper under my keyboard will get you 1 account. Personally my scrap of paper is only a password hint not the actual password. So you only get a clue to use in your guessing.

Chains are only as strong as the weakest link.
In that case I will use a $5 wrench to get your password :mrgreen:

https://xkcd.com/538/
Prudence
Posts: 564
Joined: Fri Mar 09, 2012 4:55 pm

Re: Password vault or generator?

Post by Prudence »

countdrak wrote: Sun May 10, 2020 8:48 pm +1 for 1Password. Nice integration with all devices, doesn’t store password in the cloud but on local devices that are synced when on WiFi. Generates strong passwords and works seamlessly via app and browser plugins.

Also I wouldn’t ever create my own passwords, so better to create the password and store it with the same software. You ONLY need to remember the master password, and it works with touchid and faceid on iOS (no need to enter it every time).
So, with 1Password, is it essential to back up your devices?
palanzo
Posts: 1666
Joined: Thu Oct 10, 2019 4:28 pm

Re: Password vault or generator?

Post by palanzo »

Prudence wrote: Mon May 11, 2020 12:41 pm
countdrak wrote: Sun May 10, 2020 8:48 pm +1 for 1Password. Nice integration with all devices, doesn’t store password in the cloud but on local devices that are synced when on WiFi. Generates strong passwords and works seamlessly via app and browser plugins.

Also I wouldn’t ever create my own passwords, so better to create the password and store it with the same software. You ONLY need to remember the master password, and it works with touchid and faceid on iOS (no need to enter it every time).
So, with 1Password, is it essential to back up your devices?
Not essential if you sync the vault over WiFi. It's always a good idea of course. I back up my MacBook so I can always recover the vault I needed.
onourway
Posts: 2722
Joined: Thu Dec 08, 2016 3:39 pm

Re: Password vault or generator?

Post by onourway »

killjoy2012 wrote: Mon May 11, 2020 12:21 pm The problem is, all of these password tools have problems, limits and/or security risks.

- Some only work on one device. That's great for your primary PC, but becomes a problem when you need to access the resource from phone/tablet.
- Some leverage a cloud service to store your passwords out on the Internet to overcome that device issue, but that presents risk. Encrypted? Sure. How well? Who knows. There's also potential ways to decrypt data other than brute forcing. e.g. incorrectly implemented encryption, security vulnerability, back doors, etc. Implementing encryption properly is hard, and very few people/companies do it correctly.
- 1Password supports Wifi sync, but only between iOS and MacOS. Using Windows? Using Droid? Sorry...
- Even without a cloud sync component, you also have to worry about vulnerabilities in the password tool itself. e.g. With as many people that use LastPass, it becomes increasingly targeted by the Bad Guys.

MFA is usually a better control, but that has its own challenges too if not properly implemented. And it's not transparent to the user.
Most of these concerns are unfounded. There are few if any services that are limited to a single device any longer unless you specifically refuse to place the vault in the cloud. However anyone who understands how the vault is secured shouldn't have any significant concerns about storage in the cloud because it's essentially impossible for anyone to do anything with the file even if they have a copy of it.

Not using a password manager is pretty well guaranteed to have far bigger security issues than using one and even giving away the vault file to anyone who wants it online.
Gadget
Posts: 398
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password vault or generator?

Post by Gadget »

For those talking about 1Password syncing options... 1Password now works just like Lastpass and the other cloud solutions where it will sync all devices over the cloud.

You can, however, sync them to a local database. Just keep that in mind. 1Password used to not have a cloud sync solution.

But I think if you setup a new 1Password account, it's going to steer you towards the cloud syncing solution, which is much more user friendly and harder to screw up. That's what I use, and all my devices sync to the cloud. But I suppose if you don't want anything in the cloud, you can use the local implementation of 1Password.
jhsu802701
Posts: 152
Joined: Fri Apr 03, 2020 2:42 pm

Re: Password vault or generator?

Post by jhsu802701 »

My vote is for KeePassX. It's not only free and open source but also available for Linux, MacOS, and Windows. Thus, I'm covered not only in my preferred platform (Linux) but other platforms as well.
Johnsson
Posts: 351
Joined: Mon Jul 17, 2017 2:28 pm

Re: Password vault or generator?

Post by Johnsson »

Dashlane.
'In theory there is no difference between theory and practice. In practice there is.' Yogi Berra
ikowik
Posts: 173
Joined: Tue Dec 23, 2014 6:52 pm

Re: Password vault or generator?

Post by ikowik »

jhsu802701 wrote: Mon May 11, 2020 2:12 pm My vote is for KeePassX. It's not only free and open source but also available for Linux, MacOS, and Windows. Thus, I'm covered not only in my preferred platform (Linux) but other platforms as well.
KeePassX is not actively developed anymore. KeePassXC is, and is also open source and available for download free - of course, if you like it, a donation would be fine. KeePassXC also has browser plugins for Firefox and Chrome. Neither of these will be as polished as 1Password or LastPass, but perfectly usable and use similar strong encryption.
Juice3
Posts: 230
Joined: Sun Nov 05, 2017 7:40 am
Location: The Web

Re: Password vault or generator?

Post by Juice3 »

palanzo wrote: Mon May 11, 2020 12:26 pm
Juice3 wrote: Mon May 11, 2020 11:06 am Chains are only as strong as the weakest link.
In that case I will use a $5 wrench to get your password :mrgreen:

https://xkcd.com/538/
Love it. So you are saying that the correct valuation for password vault companies is $5*number of users / number of vault companies.

Gonna be a rough holiday season for them.
Juice3
Posts: 230
Joined: Sun Nov 05, 2017 7:40 am
Location: The Web

Re: Password vault or generator?

Post by Juice3 »

lazydavid wrote: Mon May 11, 2020 11:08 am
Juice3 wrote: Mon May 11, 2020 11:06 am No, the password manager process must be cracked not necessarily the master password encryption that is one way to do so.
This is true. But as in most things security, if your device is already compromised, then all bets are off.
OFC, your device is also only 1 other way. The general problem with password vaulting is it adds additional attack surfaces to the process. The general advantage is that password vault users use strong passwords (thus avoiding brute force attacks).

Here is a $50 way to do with a device compromise approach.
https://hackerwarehouse.com/product/key ... AMQAvD_BwE
This way likely creates more plausible deniability than hitting someone with a pipe wrench, "wasn't me".
HawkeyePierce
Posts: 1597
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Password vault or generator?

Post by HawkeyePierce »

You are far far more likely to suffer due to a credential-stuffing attack than due to someone installing a physical keylogger on your machine.

Bringing that hypothetical threat in just muddles what are exceptionally clear waters: password managers improve security for the average user.
tibbitts
Posts: 12296
Joined: Tue Feb 27, 2007 6:50 pm

Re: Password vault or generator?

Post by tibbitts »

gtd98765 wrote: Mon May 11, 2020 7:41 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
No, someone cannot hack one website to get your passwords, since the password manager maker does not know your passwords, even if it stores them on its server or in the cloud. Your passwords are scrambled (encrypted) before they ever leave your computer and cannot be unscrambled without your master password that only you know. As long as you use a long master password ("Four score and seven years ago" for example) there is no way for anyone else to unscramble them. Those detective movies and TV shows where the quirky computer expert decrypts a suspect's computer with no problem are fiction.
Yes, someone can "bust into" a password manager website, even just in the sense of compromising your personal account, and get all your passwords. That's how password managers work. You can enable 2FA in which case supplying the 2nd factor would be necessary to "bust in", but it's still possible, just less likely.

Having said that I use a password manager, because the alternatives, including the floor safe, have more disadvantages.
Gadget
Posts: 398
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password vault or generator?

Post by Gadget »

tibbitts wrote: Mon May 11, 2020 6:30 pm
gtd98765 wrote: Mon May 11, 2020 7:41 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
No, someone cannot hack one website to get your passwords, since the password manager maker does not know your passwords, even if it stores them on its server or in the cloud. Your passwords are scrambled (encrypted) before they ever leave your computer and cannot be unscrambled without your master password that only you know. As long as you use a long master password ("Four score and seven years ago" for example) there is no way for anyone else to unscramble them. Those detective movies and TV shows where the quirky computer expert decrypts a suspect's computer with no problem are fiction.
Yes, someone can "bust into" a password manager website, even just in the sense of compromising your personal account, and get all your passwords. That's how password managers work. You can enable 2FA in which case supplying the 2nd factor would be necessary to "bust in", but it's still possible, just less likely.

Having said that I use a password manager, because the alternatives, including the floor safe, have more disadvantages.
This is incorrect. A password manager only keeps the encrypted data stored in the cloud. The company can't access your data. It's not going to be "hacked" unless the company was extremely negligent in their implementation. That's what 3rd party audits are for, which all the recommended password managers have done.

There are other attack vectors. I'm not saying a hacker can't get to your passwords through a password manager via some other vulnerability (usually via a vulnerability on your personal device). But this idea that a hacker getting into the cloud at the password manager vault has free rein on all your passwords needs to end. Every single average user is safer using a password manager. At least assuming they switch to strong unique passwords on all websites when they get a password manager.

https://www.comparitech.com/blog/inform ... g-salting/ Read up on this if you want to understand more.
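The client-side encryption model debated in the posts above, as an added example that is not part of any poster's message and not any vendor's code. The function names, the iteration count and the sample entries are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for the AEAD cipher (AES-GCM or similar) a real product would use, so that the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, json, os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; real products choose their own

def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: standard-library stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key: bytes, blob: dict) -> bytes:
    data = blob["salt"] + blob["nonce"] + blob["ciphertext"]
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def seal_vault(master_password: str, entries: dict) -> dict:
    """Runs on the user's device; the returned blob is all a server would store."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ks = _keystream(enc_key, nonce, len(plaintext))
    blob = {"salt": salt, "nonce": nonce,
            "ciphertext": bytes(a ^ b for a, b in zip(plaintext, ks))}
    blob["tag"] = _tag(mac_key, blob)
    return blob

def open_vault(master_password: str, blob: dict) -> dict:
    """Raises ValueError unless the password matches and the blob is untampered."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    if not hmac.compare_digest(_tag(mac_key, blob), blob["tag"]):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(a ^ b for a, b in zip(blob["ciphertext"], ks)))

# Constructed sample data, not real credentials.
SAMPLE = {"bank.example": "c0rrect-h0rse", "mail.example": "battery-staple-42"}

def demo() -> tuple[bool, bool]:
    """Returns (plaintext visible in stored blob?, near-miss password rejected?)."""
    blob = seal_vault("Four score and seven years ago", SAMPLE)
    visible = any(p.encode() in blob["ciphertext"] for p in SAMPLE.values())
    try:
        open_vault("four score and seven years ago", blob)  # one letter's case differs
        return visible, False
    except ValueError:
        return visible, True
```

The stored blob holds only salt, nonce, ciphertext and tag, so its secrecy rests entirely on the master password: anyone who supplies that password to `open_vault` recovers every entry.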
palanzo
Posts: 1666
Joined: Thu Oct 10, 2019 4:28 pm

Re: Password vault or generator?

Post by palanzo »

tibbitts wrote: Mon May 11, 2020 6:30 pm
gtd98765 wrote: Mon May 11, 2020 7:41 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
No, someone cannot hack one website to get your passwords, since the password manager maker does not know your passwords, even if it stores them on its server or in the cloud. Your passwords are scrambled (encrypted) before they ever leave your computer and cannot be unscrambled without your master password that only you know. As long as you use a long master password ("Four score and seven years ago" for example) there is no way for anyone else to unscramble them. Those detective movies and TV shows where the quirky computer expert decrypts a suspect's computer with no problem are fiction.
Yes, someone can "bust into" a password manager website, even just in the sense of compromising your personal account, and get all your passwords. That's how password managers work. You can enable 2FA in which case supplying the 2nd factor would be necessary to "bust in", but it's still possible, just less likely.

Having said that I use a password manager, because the alternatives, including the floor safe, have more disadvantages.
I'm sorry but that is not how password managers work. One can keep the vault on a local device. The use of a website is entirely optional. And even if you chose to use a website without the master passphrase the encrypted vault on a website is completely useless. Furthermore if the user chose to protect the vault on the website with a hardware key then there is no way to "bust in" the website. It is not the case that it is still possible, just less likely.

You might want to take a look at some of the security white papers to understand how password managers work.
tibbitts
Posts: 12296
Joined: Tue Feb 27, 2007 6:50 pm

Re: Password vault or generator?

Post by tibbitts »

palanzo wrote: Mon May 11, 2020 7:04 pm
tibbitts wrote: Mon May 11, 2020 6:30 pm
gtd98765 wrote: Mon May 11, 2020 7:41 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
No, someone cannot hack one website to get your passwords, since the password manager maker does not know your passwords, even if it stores them on its server or in the cloud. Your passwords are scrambled (encrypted) before they ever leave your computer and cannot be unscrambled without your master password that only you know. As long as you use a long master password ("Four score and seven years ago" for example) there is no way for anyone else to unscramble them. Those detective movies and TV shows where the quirky computer expert decrypts a suspect's computer with no problem are fiction.
Yes, someone can "bust into" a password manager website, even just in the sense of compromising your personal account, and get all your passwords. That's how password managers work. You can enable 2FA in which case supplying the 2nd factor would be necessary to "bust in", but it's still possible, just less likely.

Having said that I use a password manager, because the alternatives, including the floor safe, have more disadvantages.
I'm sorry but that is not how password managers work. One can keep the vault on a local device. The use of a website is entirely optional. And even if you chose to use a website without the master passphrase the encrypted vault on a website is completely useless. Furthermore if the user chose to protect the vault on the website with a hardware key then there is no way to "bust in" the website. It is not the case that it is still possible, just less likely.

You might want to take a look at some of the security white papers to understand how password managers work.
You are correct that a password manager that is designed to use only a local device is not vulnerable to attack via the internet, but it's still vulnerable to revealing all the passwords it contains to someone having the required credentials and the physical device. I didn't think of the case of not storing passwords on a password manager's servers because that doesn't seem useful to me, but it's fine if other people choose to do that.
doneat53
Posts: 98
Joined: Tue Jul 04, 2017 1:23 pm

Re: Password vault or generator?

Post by doneat53 »

Another perhaps unrecognized benefit of password managers is the ability to share your master password with your spouse or next of kin. Alternatively you can share an account. The point being that if you've ever had a parent or loved one die suddenly, sifting through old computer files or postit notes around the computer to try to figure out passwords can be a real headache. With a password manager your spouse or next of kin can simply log in and deal with bills, records, email, etc. Sounds trivial until you actually have to do it.

doneat
gtd98765
Posts: 665
Joined: Sun Jan 08, 2017 4:15 am

Re: Password vault or generator?

Post by gtd98765 »

tibbitts wrote: Mon May 11, 2020 7:14 pm
You are correct that a password manager that is designed to use only a local device is not vulnerable to attack via the internet, but it's still vulnerable to revealing all the passwords it contains to someone having the required credentials and the physical device. I didn't think of the case of not storing passwords on a password manager's servers because that doesn't seem useful to me, but it's fine if other people choose to do that.
It's kind of a tautology that someone with a master password and a hardware key, if used, can decrypt everything stored in the manager's vault. That's the point. But if a hacker does not have those things, the passwords are just gibberish and therefore useless to a thief.

Using a password manager is the single best way for the average user to protect the financial and other accounts s/he has on line. It is not possible for a hacker to break into an online vault and steal passwords from any of the major vendors. It would likewise be impossible for a hacker to break into the vault if stolen from a computer as long as the user keeps the Master Password a secret. It is irresponsible to tell people otherwise to discourage use of a tool that will help keep them safe.
tibbitts
Posts: 12296
Joined: Tue Feb 27, 2007 6:50 pm

Re: Password vault or generator?

Post by tibbitts »

gtd98765 wrote: Mon May 11, 2020 8:20 pm
tibbitts wrote: Mon May 11, 2020 7:14 pm
You are correct that a password manager that is designed to use only a local device is not vulnerable to attack via the internet, but it's still vulnerable to revealing all the passwords it contains to someone having the required credentials and the physical device. I didn't think of the case of not storing passwords on a password manager's servers because that doesn't seem useful to me, but it's fine if other people choose to do that.
It's kind of a tautology that someone with a master password and a hardware key, if used, can decrypt everything stored in the manager's vault. That's the point. But if a hacker does not have those things, the passwords are just gibberish and therefore useless to a thief.

Using a password manager is the single best way for the average user to protect the financial and other accounts s/he has on line. It is not possible for a hacker to break into an online vault and steal passwords from any of the major vendors. It would likewise be impossible for a hacker to break into the vault if stolen from a computer as long as the user keeps the Master Password a secret. It is irresponsible to tell people otherwise to discourage use of a tool that will help keep them safe.
Maybe you missed the part where I said I do use a password manager that does store copies of its password vault on its network servers. All of my important logins and passwords are stored there. But the fact is that by just giving my one master password (or two-factor capability, if I enable that) to another person, that other person can access all my logins and passwords. I felt the original reply was misleading in that it suggested there was not a single point of failure (or possibly two if you optionally enable two-factor.) There is.
palanzo
Posts: 1666
Joined: Thu Oct 10, 2019 4:28 pm

Re: Password vault or generator?

Post by palanzo »

tibbitts wrote: Mon May 11, 2020 7:14 pm
palanzo wrote: Mon May 11, 2020 7:04 pm
tibbitts wrote: Mon May 11, 2020 6:30 pm
gtd98765 wrote: Mon May 11, 2020 7:41 am
4nursebee wrote: Mon May 11, 2020 7:19 am I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.
No, someone cannot hack one website to get your passwords, since the password manager maker does not know your passwords, even if it stores them on its server or in the cloud. Your passwords are scrambled (encrypted) before they ever leave your computer and cannot be unscrambled without your master password that only you know. As long as you use a long master password ("Four score and seven years ago" for example) there is no way for anyone else to unscramble them. Those detective movies and TV shows where the quirky computer expert decrypts a suspect's computer with no problem are fiction.
Yes, someone can "bust into" a password manager website, even just in the sense of compromising your personal account, and get all your passwords. That's how password managers work. You can enable 2FA in which case supplying the 2nd factor would be necessary to "bust in", but it's still possible, just less likely.

Having said that I use a password manager, because the alternatives, including the floor safe, have more disadvantages.
I'm sorry but that is not how password managers work. One can keep the vault on a local device. The use of a website is entirely optional. And even if you chose to use a website without the master passphrase the encrypted vault on a website is completely useless. Furthermore if the user chose to protect the vault on the website with a hardware key then there is no way to "bust in" the website. It is not the case that it is still possible, just less likely.

You might want to take a look at some of the security white papers to understand how password managers work.
You are correct that a password manager that is designed to use only a local device is not vulnerable to attack via the internet, but it's still vulnerable to revealing all the passwords it contains to someone having the required credentials and the physical device. I didn't think of the case of not storing passwords on a password manager's servers because that doesn't seem useful to me, but it's fine if other people choose to do that.
And how would someone get the passphrase that is in your head? The $5 wrench?

It's very useful to keep the vault on one or more synced devices like 1Password allows.

Going back to keeping the vault on a server. Unless someone has your passphrase, your hardware key or a $5 wrench, there is no way to "bust in". Your understanding of password managers and security is not correct. I am concerned that people will read your comments and think that they are correct.
palanzo
Posts: 1666
Joined: Thu Oct 10, 2019 4:28 pm

Re: Password vault or generator?

Post by palanzo »

gtd98765 wrote: Mon May 11, 2020 8:20 pm
tibbitts wrote: Mon May 11, 2020 7:14 pm
You are correct that a password manager that is designed to use only a local device is not vulnerable to attack via the internet, but it's still vulnerable to revealing all the passwords it contains to someone having the required credentials and the physical device. I didn't think of the case of not storing passwords on a password manager's servers because that doesn't seem useful to me, but it's fine if other people choose to do that.
It's kind of a tautology that someone with a master password and a hardware key, if used, can decrypt everything stored in the manager's vault. That's the point. But if a hacker does not have those things, the passwords are just gibberish and therefore useless to a thief.

Using a password manager is the single best way for the average user to protect the financial and other accounts s/he has on line. It is not possible for a hacker to break into an online vault and steal passwords from any of the major vendors. It would likewise be impossible for a hacker to break into the vault if stolen from a computer as long as the user keeps the Master Password a secret. It is irresponsible to tell people otherwise to discourage use of a tool that will help keep them safe.
+1

tibbitts keeps on repeating that the bad guys can "bust in" to the online vault. He is incorrect and it is irresponsible to keep saying this.