Question about Password Managers

Topic Author
daytona084
Posts: 871
Joined: Mon Feb 01, 2010 10:47 pm

Question about Password Managers

Post by daytona084 »

I know there are many threads already about password managers and I don't really want to start another, but I've read a lot here on the forum, and elsewhere, and I don't see my particular concern addressed.

It seems that in almost all of the discussion it's assumed that the user is on his/her own device (usually a laptop/PC) using a web browser with a password manager. It's also assumed that all of the passwords to one's various sites are long and complex... to the extent that the user does not actually know any of them. This does not seem to be a position I want to put myself in. Say I am in a hotel lobby and I want to use the hotel's computer to print a boarding pass. I have no clue what my airline password is. Or say I am at the library or a friend's home and I want to check an email. I have no clue what my email password is. Yes, I know there might be a phone or mobile device that could help, but what if there's a problem? (lost phone, dead battery, out of service area, etc).

I know some password managers (LastPass for instance) are accessible in the cloud. (And some Bogleheads won't stand for that). KeePass, on the other hand, is only local. So if I am on someone else's device, I am out of luck, correct?

What is the best solution for this concern?
Lee_WSP
Posts: 3267
Joined: Fri Apr 19, 2019 5:15 pm
Location: Arizona

Re: Question about Password Managers

Post by Lee_WSP »

daytona084 wrote: Mon Aug 24, 2020 11:16 am It's also assumed that all of the passwords to one's various sites are long and complex... to the extent that the user does not actually know any of them. This does not seem to be a position I want to put myself in.
Then you choose your own password for those sites. The password manager stores & generates random passwords, it does not choose them for you. You choose how to generate the password for the site in question.
I know some password managers (LastPass for instance) are accessible in the cloud. (And some Bogleheads won't stand for that). KeePass, on the other hand, is only local. So if I am on someone else's device, I am out of luck, correct?

What is the best solution for this concern?
Lastpass passwords are stored on your phone and are accessible after unlock without internet access. Of greater concern is typing in a string of truly random letters and numbers. So for situations in which you may need to physically type in the password, I suggest a long pass phrase instead. I also suggest not re-using the pass phrase either.
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

daytona084 wrote: Mon Aug 24, 2020 11:16 am I know some password managers (LastPass for instance) are accessible in the cloud. (And some Bogleheads won't stand for that). KeePass, on the other hand, is only local. So if I am on someone else's device, I am out of luck, correct?

What is the best solution for this concern?
My advice is to choose a password manager that is accessible in the cloud, that way you can access it from any device, including someone else's device. In my opinion if you choose a reputable password manager and you use a strong password for your password manager and set up strong two factor authentication, then your online password vault is very secure and the risk of someone accessing your vault is so extremely low that you should not worry about it. I know I don't. Once you get used to doing that you will wonder how you got along without it. And yes, you can choose whatever password you want for whatever service, you don't have to use a long random password for each account.

I recently decided to start using a separate password manager other than the password manager built into Chrome which I have been using for a while. I did a lot of research and read and watched a number of reviews, and I tried several password managers using their free version or their free 30 day trials, including Lastpass, Dashlane, Bitwarden, 1Password and Keeper. The features that are most important to me are ... a well designed and intuitive UI, the ability to use two factor authentication using physical U2F security keys and not being limited to only using a specific model of security key made by Yubikey (yes I'm looking at you Lastpass), the ability to easily share passwords with my SO, and having access to all of the account features using only Chrome OS without the need to use a Windows or Mac app to access all of the features (yes I'm looking at you Dashlane). I chose Keeper. There was a bit of an initial learning curve, and it does take time to transfer all of your login credentials, but now that I understand how to use it I am very happy with it and I am getting to the point where I am wondering how I got along without it for so long!
Last edited by mptfan on Mon Aug 24, 2020 12:39 pm, edited 4 times in total.
DoTheMath
Posts: 418
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Question about Password Managers

Post by DoTheMath »

To echo what others are saying, you have to investigate the various options and your expected use scenarios and decide which one fits the bill. For example, I use 1password locally (not the cloud based version they push hard now) so for everyday usage, everything happens locally on my computer. However, it also allows me to keep my encrypted vault of passwords in my dropbox folder which, in turn, I can access through a browser if needed. I haven't done it in years, but this does give me the option of accessing my 1password vault while traveling.
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
squirm
Posts: 2946
Joined: Sat Mar 19, 2011 11:53 am

Re: Question about Password Managers

Post by squirm »

You should know what your email password is. I don't use a password manager for my email.
If I'm at the hotel lobby using their computer, I just pull up LastPass on my phone to get the password for, say, Southwest to print passes. After I'm done, I'll close the browser or reboot the computer.
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

squirm wrote: Mon Aug 24, 2020 4:14 pm You should know what your email password is. I don't use a password manager for my email.
I agree. I only keep two passwords in my head...one for email and one for the password manager.

The current best practice for creating a strong password is to use a passphrase instead of a password...

https://www.useapassphrase.com/
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

mptfan wrote: Mon Aug 24, 2020 4:20 pm I agree. I only keep two passwords in my head...one for email and one for the password manager.
So what's the point of these managers and why are they better than having the same password for a hundred sites? I mean, if you need a PW for the PW manager, anyone that hacks that has access to all your sites anyway.
stan1
Posts: 8937
Joined: Mon Oct 08, 2007 4:35 pm

Re: Question about Password Managers

Post by stan1 »

atikovi wrote: Mon Aug 24, 2020 4:37 pm
mptfan wrote: Mon Aug 24, 2020 4:20 pm I agree. I only keep two passwords in my head...one for email and one for the password manager.
So what's the point of these managers and why are they better than having the same password for a hundred sites? I mean, if you need a PW for the PW manager, anyone that hacks that has access to all your sites anyway.
Any password manager has better security than johnssockemporium.com
Northern Flicker
Posts: 6522
Joined: Fri Apr 10, 2015 12:29 am

Re: Question about Password Managers

Post by Northern Flicker »

mptfan wrote: My advice is to choose a password manager that is accessible in the cloud, that way you can access it from any device, including someone else's device.
Never type in the master key for your cloud-based password safe on someone else's device. Once you do, the ability to decide if it could have been compromised is out of your control, so you have to assume it might have been compromised, and take corrective actions as if it were.
Last edited by Northern Flicker on Mon Aug 24, 2020 4:45 pm, edited 1 time in total.
Risk is not a guarantor of return.
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

stan1 wrote: Mon Aug 24, 2020 4:41 pm
atikovi wrote: Mon Aug 24, 2020 4:37 pm
mptfan wrote: Mon Aug 24, 2020 4:20 pm I agree. I only keep two passwords in my head...one for email and one for the password manager.
So what's the point of these managers and why are they better than having the same password for a hundred sites? I mean, if you need a PW for the PW manager, anyone that hacks that has access to all your sites anyway.
Any password manager has better security than johnssockemporium.com
No such site.
Broken Man 1999
Posts: 5064
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, inland on high ground!

Re: Question about Password Managers

Post by Broken Man 1999 »

I have been using the free version of LastPass for years, and I have finally convinced DW to use it as well. Her passwords were pitiful, and she repeated them over multiple accounts. :shock:

My master password is a statement, so I can use it away from home, though I never do.

And, I have only had to rebuild it once. :oops:

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go. " -Mark Twain
trinc
Posts: 66
Joined: Fri Oct 24, 2014 9:09 am

Re: Question about Password Managers

Post by trinc »

and no one worries about a corrupt password vault ?

plus it seems it's only as good as your master key ( which most likely wouldn't be a generated strong password ).

Tim
jebmke
Posts: 11443
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Question about Password Managers

Post by jebmke »

squirm wrote: Mon Aug 24, 2020 4:14 pm i just pull up lastpass on my phone to get the password for say southwest to print passes.
I have never had to log in to SW to get a boarding pass. When I travel, all I have to do is enter the reservation code (5 characters or so) and it pulls up my boarding passes.
When you discover that you are riding a dead horse, the best strategy is to dismount.
Broken Man 1999
Posts: 5064
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, inland on high ground!

Re: Question about Password Managers

Post by Broken Man 1999 »

trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?

plus it seems it's only as good as your master key ( which most likely wouldn't be a generated strong password ).

Tim
I don't worry about it.

My statement is very long, very personal, with no connection to info that could give anyone any type of a hint and I don't think anyone would crack it.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go. " -Mark Twain
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?
All reputable password managers use a "zero knowledge" protocol for storing passwords which means that even if the vault is compromised, your passwords are not revealed, only long random hashes that are essentially useless, and the password manager itself cannot even decipher your passwords even if they wanted to. So even though the password manager does everything it can to protect my passwords, and their business model is built around doing just that...yes, it's possible the vault could be compromised, but even if it is, the hacker would still not get any of my passwords.

I too was skeptical, but after doing my research and learning about how the major password managers protect passwords, I came to the conclusion that it is actually safer for me to store my passwords in Keeper than to try and keep track of them myself.
Last edited by mptfan on Mon Aug 24, 2020 5:19 pm, edited 2 times in total.
Northern Flicker
Posts: 6522
Joined: Fri Apr 10, 2015 12:29 am

Re: Question about Password Managers

Post by Northern Flicker »

trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?

plus it seems it's only as good as your master key ( which most likely wouldn't be a generated strong password ).

Tim
With KeePass (which can be stored in the cloud) you can use a very long passphrase, and it will indicate how many non-redundant bits there are in a cryptohash of the compressed password. The password can be a couple of sentences with 20+ words, and generate a 128-256 bit password.

With KeePass you also can iterate the encryption algorithm millions of times so that each decryption try takes 5 or 6 or 10 seconds (however long you are willing to wait for your own attempt to succeed or fail) of actual CPU time to increase the CPU cost and running time of a single guess in a guessing attack.
Risk is not a guarantor of return.
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

mptfan wrote: Mon Aug 24, 2020 5:14 pm
trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?
All reputable password managers use a "zero knowledge" protocol for storing passwords which means that even if the vault is compromised, your passwords are not revealed, only long random hashes that are essentially useless, and the password manager itself cannot even decipher your passwords even if they wanted to.
How different is that from what your bank or even internet forum uses?
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

atikovi wrote: Mon Aug 24, 2020 5:19 pm How different is that from what your bank or even internet forum uses?
I am not an expert in the area of computer cryptography, so I'm not qualified to answer that, but based on the research I've done I am confident that the level of security is indeed different and Keeper's business model is built around keeping their data secure and that's good enough for me.
Last edited by mptfan on Mon Aug 24, 2020 5:24 pm, edited 1 time in total.
Northern Flicker
Posts: 6522
Joined: Fri Apr 10, 2015 12:29 am

Re: Question about Password Managers

Post by Northern Flicker »

mptfan wrote: Mon Aug 24, 2020 5:14 pm
trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?
All reputable password managers use a "zero knowledge" protocol for storing passwords which means that even if the vault is compromised, your passwords are not revealed, only long random hashes that are essentially useless, and the password manager itself cannot even decipher your passwords even if they wanted to. So even though the password manager does everything it can to protect my passwords, and their business model is built around doing just that...yes, it's possible the vault could be compromised, but even if it is, the hacker would still not get any of my passwords.

I too was skeptical, but after doing my research and learning about how the major password managers protect passwords, I came to the conclusion that it is actually safer for me to store my passwords in Keeper than to try and keep track of them myself.
If the password safe can return the passwords to you or to an application in cleartext form, then the passwords can be compromised if the password safe is compromised.
Risk is not a guarantor of return.
zie
Posts: 149
Joined: Sun Mar 22, 2020 4:35 pm

Re: Question about Password Managers

Post by zie »

daytona084 wrote: Mon Aug 24, 2020 11:16 am Say I am in a hotel lobby and I want to use the hotel's computer to print a boarding pass. I have no clue what my airline password is. Or say I am at the library or a friend's home and I want to check an email. I have no clue what my email password is. Yes, I know there might be a phone or mobile device that could help, but what if there's a problem? (lost phone, dead battery, out of service area, etc).
This is a valid concern, Password Managers do not have a good plan for solving this issue.

What I do, my phone has my passwords in it, via my PW manager. For passwords I know I'll have to type in on occasion (like your airline password in this case) I use pass phrases (i.e. random words strung together). Then my phone can show me the password and I can type it in.

If I can't use my phone for some reason, my tablet also can access my passwords. If both happen to not be working, then I'm having a bad day.

Lots of sites will let you go through the 'I lost my password' flow, and reset your password via your email address. So assuming you can access your email, then it's just an annoying day and not a really bad day.

Otherwise, you best hope you have a loved-one you can ask to open your password manager for you over a phone call or something.

But yes, we do need a better solution than a password manager, but sadly the tech isn't really around for that. There is some work being done around U2F, which is a physical device (like a USB stick) that you can carry around, which obviously brings its own worst-case scenarios.

Generally most security/internet people agree though that despite the problems, password managers are currently the best we have, right now.

Luckily in your airline ticket problem, the airline counter at the airport will be able to help you, assuming you have ID, which is required now for getting past security and flying anymore anyway. Most real-world issues have analog equivalents like this still, though I imagine with time they will start to go away. McDonald's (as an example) is drastically trying to hurry that up in some of their stores, requiring one to use their kiosk machine(s) to order food. Amazon is trying with their own grocery stores as well.
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

Northern Flicker wrote: Mon Aug 24, 2020 5:24 pm If the password safe can return the passwords to you or to an application in cleartext form, then the passwords can be compromised if the password safe is compromised.
I used to think that too, but that's just not true.
brad.clarkston
Posts: 971
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Question about Password Managers

Post by brad.clarkston »

mptfan wrote: Mon Aug 24, 2020 4:20 pm
squirm wrote: Mon Aug 24, 2020 4:14 pm You should know what your email password is. I don't use a password manager for my email.
I agree. I only keep two passwords in my head...one for email and one for the password manager.

The current best practice for creating a strong password is to use a passphrase instead of a password...

https://www.useapassphrase.com/
I don't, there's no reason to keep a weak e-mail password anymore. The only password to remember is your password manager's phrase based password on your phone to find the password needed and 2fa (I use Authy with a pin to get into the app) into e-mail.

If they can break bitwarden/Authy+pin/protonmail without a spear phishing attack they're pretty darn good.
lazydavid
Posts: 3347
Joined: Wed Apr 06, 2016 1:37 pm

Re: Question about Password Managers

Post by lazydavid »

atikovi wrote: Mon Aug 24, 2020 5:19 pm
mptfan wrote: Mon Aug 24, 2020 5:14 pm
trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?
All reputable password managers use a "zero knowledge" protocol for storing passwords which means that even if the vault is compromised, your passwords are not revealed, only long random hashes that are essentially useless, and the password manager itself cannot even decipher your passwords even if they wanted to.
How different is that from what your bank or even internet forum uses?
Some will do it the right way. Many will not. There have been THOUSANDS of site breaches where it turned out credentials were stored in plaintext, or in some easily-recoverable fashion (like weak, unsalted hashes). Legitimate Password Managers know they hold the keys to the kingdom and a compromise means they are out of business, so they make absolutely certain that there is no way to recover the vault's contents without knowing the master password.

With regards to the printing a boarding pass using a hotel computer: I've literally never done this in my entire life, and cannot for the life of me figure out why this would be desirable. Either use the mobile boarding pass on your phone/watch, or print it at the kiosk at the airport. Takes 15 seconds at most.
Last edited by lazydavid on Mon Aug 24, 2020 5:29 pm, edited 2 times in total.
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

brad.clarkston wrote: Mon Aug 24, 2020 5:26 pm I don't, there's no reason to keep a weak e-mail password anymore.
My email password is not weak.
brad.clarkston
Posts: 971
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Question about Password Managers

Post by brad.clarkston »

atikovi wrote: Mon Aug 24, 2020 5:19 pm
mptfan wrote: Mon Aug 24, 2020 5:14 pm
trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?
All reputable password managers use a "zero knowledge" protocol for storing passwords which means that even if the vault is compromised, your passwords are not revealed, only long random hashes that are essentially useless, and the password manager itself cannot even decipher your passwords even if they wanted to.
How different is that from what your bank or even internet forum uses?
It's not, the system most banks use is the same one BitWarden and LastPass uses.
brad.clarkston
Posts: 971
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Question about Password Managers

Post by brad.clarkston »

mptfan wrote: Mon Aug 24, 2020 5:25 pm
Northern Flicker wrote: Mon Aug 24, 2020 5:24 pm If the password safe can return the passwords to you or to an application in cleartext form, then the passwords can be compromised if the password safe is compromised.
I used to think that too, but that's just not true.
It's not returned cleartext.
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

brad.clarkston wrote: Mon Aug 24, 2020 5:27 pm It's not, the system most banks use is the same one BitWarden and LastPass uses.
He asked about banks and internet forums.
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

lazydavid wrote: Mon Aug 24, 2020 5:27 pm With regards to the printing a boarding pass using a hotel computer: I've literally never done this in my entire life, and cannot for the life of me figure out why this would be desirable. Either use the mobile boarding pass on your phone/watch, or print it at the kiosk at the airport. Takes 15 seconds at most.
I've done it and I can tell you why it would be desirable...you may be running late for your flight or you simply want to minimize the time spent checking in or doing anything at the airport other than going directly to the security line. I don't agree that it takes 15 seconds at most to check in at the airport...for one thing the check in area and the check in kiosks are in a different location than the security line, so the mere fact that you have to go to the check in area and use a kiosk (and hope there are no lines to use the kiosks, I have experienced bottlenecks at kiosks before) takes longer simply by adding walking time to the check in area and then from the check in area to the security line as compared to going directly to the security line, not to mention the extra time it may take to figure out where you need to go to check in at an unfamiliar airport. Especially if you are not checking bags and can skip the check in area entirely. It's true if you have to check bags you have to go to the check in area anyway, but you can still avoid the kiosks and go straight to bag drop and that saves time. And I find it easier to check in before I go to the airport and know that I have my boarding pass and all my paperwork in order when I get to the airport and I don't have to stop and figure out my booking number and passport number, etc. all over again when I get to the airport. Also hotel computers usually have a desk area for you to work on while checking in whereas kiosks do not. And I've learned the hard way that airlines often overbook, and checking in earlier makes it less likely that you will be bumped.
Northern Flicker
Posts: 6522
Joined: Fri Apr 10, 2015 12:29 am

Re: Question about Password Managers

Post by Northern Flicker »

mptfan wrote: Mon Aug 24, 2020 5:25 pm
Northern Flicker wrote: Mon Aug 24, 2020 5:24 pm If the password safe can return the passwords to you or to an application in cleartext form, then the passwords can be compromised if the password safe is compromised.
I used to think that too, but that's just not true.
If you define compromise of the passwords as retrieval of them in cleartext form, then it is true by definition.

I think maybe you are confusing the method used to store passwords on the service side of a service doing authentication by passwords. A service will store a cryptohash of the password and when you authenticate by supplying the cleartext password to the service, it will use that to generate a cryptohash and compare to the stored cryptohash. This is different from a password safe. If a password safe can generate your passwords as cleartext, then the passwords could be compromised if the password safe is compromised.
Risk is not a guarantor of return.
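The two posts above by Northern Flicker describe three things in prose: the bit estimate for a long random passphrase, the iterated key derivation that makes each guess slow, and the difference between a service that keeps a one-way hash and a password safe that must be able to hand the cleartext back. The following is an added illustration written for this page by the editor; it is not code from the thread, from KeePass, or from any of the products named. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for KeePass's own key-derivation function, a simple HMAC-based encrypt-then-MAC construction as a stand-in for a real authenticated cipher such as AES-GCM, a Diceware-sized wordlist (7776 words) for the entropy estimate, and constructed sample site names and passwords. The entropy function is a simpler model than KeePass's compressed-hash estimate: it only counts words that were actually chosen at random.

```python
# Added example (editor's, not from this thread or any product it names).
# Assumptions: PBKDF2-HMAC-SHA256 stands in for KeePass's key-derivation
# function; an HMAC counter-mode keystream with encrypt-then-MAC stands in
# for a real authenticated cipher such as AES-GCM. Illustration only.
import hashlib
import hmac
import math
import os
import time
from typing import Dict, Optional


# --- Passphrase strength: bits only count if the words were chosen at random ---
def passphrase_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a wordlist
    (7776 is the Diceware list size). A memorable quotation has far fewer
    bits than its length suggests because it was not chosen at random."""
    return word_count * math.log2(wordlist_size)


# --- Slow key derivation: the "iterate millions of times" knob ---
def derive_key(secret: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256; raising `iterations` raises the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=length)


def seconds_per_guess(iterations: int) -> float:
    """What one derivation costs on this machine, i.e. what a guesser pays per try."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("timing probe", salt, iterations)
    return time.perf_counter() - start


# --- Service side (bank, forum): store a salted hash, never the password ---
def service_register(password: str, iterations: int = 100_000) -> Dict[str, object]:
    salt = os.urandom(16)  # per-user salt defeats precomputed (rainbow) tables
    return {"salt": salt, "iterations": iterations,
            "hash": derive_key(password, salt, iterations)}


def service_verify(record: Dict[str, object], attempt: str) -> bool:
    """Re-hash the attempt and compare; the service cannot hand the password back."""
    candidate = derive_key(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


# --- Password safe: entries are encrypted, so they must come back as cleartext ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC used as a PRF (stand-in for a block cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def vault_seal(master: str, entries: Dict[str, str], iterations: int = 100_000) -> Dict[str, object]:
    """Encrypt site->password entries under keys derived from the master passphrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    keys = derive_key(master, salt, iterations, length=64)
    enc_key, mac_key = keys[:32], keys[32:]  # separate keys for encryption and MAC
    plaintext = "\n".join(f"{site}\t{pw}" for site, pw in entries.items()).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "iterations": iterations, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def vault_open(master: str, blob: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return the cleartext entries, or None if the master passphrase is wrong or
    the blob was tampered with. Whoever holds the blob AND the master passphrase
    gets every password; the blob alone yields nothing but the cost of guessing."""
    keys = derive_key(master, blob["salt"], blob["iterations"], length=64)
    enc_key, mac_key = keys[:32], keys[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    plaintext = _xor(blob["ciphertext"], _keystream(enc_key, blob["nonce"], len(blob["ciphertext"])))
    if not plaintext:
        return {}
    return dict(line.split("\t", 1) for line in plaintext.decode().split("\n"))


if __name__ == "__main__":
    print(f"20 random Diceware words: about {passphrase_entropy_bits(20):.0f} bits")
    for it in (10_000, 100_000, 1_000_000):
        print(f"{it:>9} iterations: {seconds_per_guess(it):.3f} s per guess")
    rec = service_register("correct horse battery staple")  # constructed sample
    print("service verify:", service_verify(rec, "correct horse battery staple"))
    master = "a long personal sentence nobody else would write"  # constructed sample
    blob = vault_seal(master, {"airline.example": "Zq8!hotel-pw"})
    print("vault, right master:", vault_open(master, blob))
    print("vault, wrong master:", vault_open("wrong", blob))
```

Running it shows the asymmetry the thread argues about: `service_verify` can only answer yes or no, while `vault_open` returns the stored passwords whenever the master passphrase is supplied, so a copied vault file is protected only by the passphrase's entropy and the per-guess cost set by the iteration count.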
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

Northern Flicker wrote: Mon Aug 24, 2020 5:55 pm
mptfan wrote: Mon Aug 24, 2020 5:25 pm
Northern Flicker wrote: Mon Aug 24, 2020 5:24 pm If the password safe can return the passwords to you or to an application in cleartext form, then the passwords can be compromised if the password safe is compromised.
I used to think that too, but that's just not true.
If you define compromise of the passwords as retrieval of them in cleartext form, then it is true by definition.

I think maybe you are confusing the method used to store passwords on the service side of a service doing authentication by passwords. A service will store a cryptohash of the password and when you authenticate by supplying the cleartext password to the service, it will use that to generate a cryptohash and compare to the stored cryptohash. This is different from a password safe. If a password safe can generate your passwords as cleartext, then the passwords could be compromised if the password safe is compromised.
Ok, allow me to be more clear, I did not mean to say that your statement was not true by definition because it is. What I meant to say was... I used to think that password managers return passwords in clear text, but I have learned that they do not, they return them to you in a form that cannot be deciphered without your master password. It is my understanding that all reputable password managers do not know your passwords and cannot decipher them even if they wanted to.
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

When I started on the internet 25 or so years ago I had an 8 character fairly well known but uncommon word for my password which was fine for 10 years and across 100 or so places I registered at. Then the websites required a combination of letters and numbers in your passwords so I just added three numbers to the end of my password on any new sites I registered at. That was fine for another ten or so years and another couple hundred places I registered at. Then five years ago they started requiring special characters and upper and lower case letters in passwords. So I added a $ or ! to the end of my password and capitalized the first character. So now I'm registered at probably over 500 sites and use the same PW from 25 years ago with just a few minor variations. Maybe I'm just lucky, but I haven't had a hack yet.
lazydavid
Posts: 3347
Joined: Wed Apr 06, 2016 1:37 pm

Re: Question about Password Managers

Post by lazydavid »

mptfan wrote: Mon Aug 24, 2020 5:35 pm
lazydavid wrote: Mon Aug 24, 2020 5:27 pm With regards to the printing a boarding pass using a hotel computer: I've literally never done this in my entire life, and cannot for the life of me figure out why this would be desirable. Either use the mobile boarding pass on your phone/watch, or print it at the kiosk at the airport. Takes 15 seconds at most.
I've done it and I can tell you why it would be desirable...you may be running late for your flight or you simply want to minimize the time spent checking in or doing anything at the airport other than going directly to the security line. I don't agree that it takes 15 seconds at most to check in at the airport...for one thing the check in area and the check in kiosks are in a different location than the security line, so the mere fact that you have to go to the check in area and use a kiosk (and hope there are no lines to use the kiosks, I have experienced bottlenecks at kiosks before) takes longer simply by adding walking time to the check in area and then from the check in area to the security line as compared to going directly to the security line, not to mention the extra time it may take to figure out where you need to go to check in at an unfamiliar airport. Especially if you are not checking bags and can skip the check in area entirely. It's true if you have to check bags you have to go to the check in area anyway, but you can still avoid the kiosks and go straight to bag drop and that saves time. And I find it easier to check in before I go to the airport and know that I have my boarding pass and all my paperwork in order when I get to the airport and I don't have to stop and figure out my booking number and passport number, etc. all over again when I get to the airport. Also hotel computers usually have a desk area for you to work on while checking in whereas kiosks do not. And I've learned the hard way that airlines often overbook, and checking in earlier makes it less likely that you will be bumped.
Nope, still not desirable. Printing it at the hotel is going to add a minimum of 3-5 minutes to your arrival time at the gate, more if it means you now have to go to the lobby whereas you might not if you did express checkout. Downloading your boarding pass onto your phone while you're in the cab/shuttle adds zero seconds.
Topic Author
daytona084
Posts: 871
Joined: Mon Feb 01, 2010 10:47 pm

Re: Question about Password Managers

Post by daytona084 »

atikovi wrote: Mon Aug 24, 2020 6:07 pm When I started on the internet 25 or so years ago I had an 8 character fairly well known but uncommon word for my password which was fine for 10 years and across 100 or so places I registered at. Then the websites required a combination of letters and numbers in your passwords so I just added three numbers to the end of my password on any new sites I registered at. That was fine for another ten or so years and another couple hundred places I registered at. Then five years ago they started requiring special characters and upper and lower case letters in passwords. So I added a $ or ! to the end of my password and capitalized the first character. So now I'm registered at probably over 500 sites and use the same PW from 25 years ago with just a few minor variations. Maybe I'm just lucky, but I haven't had a hack yet.
It appears from your post that you are committing the cardinal sin: same password on multiple sites.

There was a big breach at my email provider several years ago. They got a bunch of passwords, and posted on the dark web, or sold, email address + password combinations. Recently they have been sending out phishing emails where they reveal the password and claim to have damaging or embarrassing info and are demanding ransom. Fortunately for me it was an old password that has since been changed. But if I had used the same password for all my sites, any of them that used email address for the login would be totally compromised.
Topic Author
daytona084
Posts: 871
Joined: Mon Feb 01, 2010 10:47 pm

Re: Question about Password Managers

Post by daytona084 »

lazydavid wrote: Mon Aug 24, 2020 6:24 pm
mptfan wrote: Mon Aug 24, 2020 5:35 pm
lazydavid wrote: Mon Aug 24, 2020 5:27 pm With regards to the printing a boarding pass using a hotel computer: I've literally never done this in my entire life, and cannot for the life of me figure out why this would be desirable. Either use the mobile boarding pass on your phone/watch, or print it at the kiosk at the airport. Takes 15 seconds at most.
I've done it and I can tell you why it would be desirable...you may be running late for your flight or you simply want to minimize the time spent checking in or doing anything at the airport other than going directly to the security line. I don't agree that it takes 15 seconds at most to check in at the airport...for one thing the check in area and the check in kiosks are in a different location than the security line, so the mere fact that you have to go to the check in area and use a kiosk (and hope there are no lines to use the kiosks, I have experienced bottlenecks at kiosks before) takes longer simply by adding walking time to the check in area and then from the check in area to the security line as compared to going directly to the security line, not to mention the extra time it may take to figure out where you need to go to check in at an unfamiliar airport. Especially if you are not checking bags and can skip the check in area entirely. It's true if you have to check bags you have to go to the check in area anyway, but you can still avoid the kiosks and go straight to bag drop and that saves time. And I find it easier to check in before I go to the airport and know that I have my boarding pass and all my paperwork in order when I get to the airport and I don't have to stop and figure out my booking number and passport number, etc. all over again when I get to the airport. Also hotel computers usually have a desk area for you to work on while checking in whereas kiosks do not. And I've learned the hard way that airlines often overbook, and checking in earlier makes it less likely that you will be bumped.
Nope, still not desirable. Printing it at the hotel is going to add a minimum of 3-5 minutes to your arrival time at the gate, more if it means you now have to go to the lobby whereas you might not if you did express checkout. Downloading your boarding pass onto your phone while you're in the cab/shuttle adds zero seconds.
This wasn't meant to be a discussion about the merits of printing a boarding pass in the hotel. It was just an example of needing to retrieve a password that's locked up in a password manager and not in my brain. I am sure there are dozens of examples of logging in to websites on devices other than one's home computer, where most password managers reside. (Particularly for the many Bogleheads who don't trust "the cloud")
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

daytona084 wrote: Mon Aug 24, 2020 6:31 pm
atikovi wrote: Mon Aug 24, 2020 6:07 pm When I started on the internet 25 or so years ago I had an 8 character fairly well known but uncommon word for my password which was fine for 10 years and across 100 or so places I registered at. Then the websites required a combination of letters and numbers in your passwords so I just added three numbers to the end of my password on any new sites I registered at. That was fine for another ten or so years and another couple hundreds places I registered at. Then five years ago they started requiring special characters and upper and lower case letters in passwords. So I added a $ or ! to the end of my password and capitalized the first character. So now I'm registered at probably over 500 sites and use the same PW from 25 years ago with just a few minor variations. Maybe I'm just lucky, but I haven't had a hack yet.
It appears from your post that you are committing the cardinal sin: same password on multiple sites.

There was a big breach at my email provider several years ago. They got a bunch of passwords, and posted on the dark web, or sold, email address + password combinations. Recently they have been sending out phishing emails where they reveal the password and claim to have damaging or embarrassing info and are demanding ransom. Fortunately for me it was an old password that has since been changed. But if I had used the same password for all my sites, any of them that used email address for the login would be totally compromised.
I get those extortion messages asking for $900 in bitcoin. Says they caught and recorded me doing embarrassing things over the webcam. Total BS as my computer doesn't even have a camera. :happy
lazydavid
Posts: 3347
Joined: Wed Apr 06, 2016 1:37 pm

Re: Question about Password Managers

Post by lazydavid »

daytona084 wrote: Mon Aug 24, 2020 6:39 pm This wasn't meant to be a discussion about the merits of printing a boarding pass in the hotel. It was just an example of needing to retrieve a password that's locked up in a password manager and not in my brain. I am sure there are dozens of examples of logging in to websites on devices other than one's home computer, where most password managers reside. (Particularly for the many Bogleheads who don't trust "the cloud")
That's fair. And though I've never been (and never will be) in that specific situation, I do run into cases on a weekly basis where I need to log in to a service on a device that is not my PC, phone, or tablet. But since one of those devices is never more than 25 feet from me, it doesn't turn out to be a big deal. If I need to sign into a streaming service on one of my FireTVs for example, I just grab my phone (or whatever), grab the password out of LastPass and key it in manually. Same if my son needs me to sign into a gaming service on his laptop because it inexplicably logged him out. Sure, it's way less convenient than a situation where the password manager can enter it for me, but it works just fine.
simple man
Posts: 151
Joined: Sun Nov 22, 2009 10:44 am

Re: Question about Password Managers

Post by simple man »

Many hacks occur because many people use the same id and password for different sites. So, assume Target or Sports Illustrated get hacked and thousands of id/password pairs get taken. The hackers then run those id/password pairs against, for instance, a thousand known major sites - e.g. banks, brokerages, bitcoin, amazon, etc...Inevitably, they will gain access from those sites where the people were reusing the id/passwords. Password managers allow you to have a different quality password for all of your sites and avoid this issue.
Topic Author
daytona084
Posts: 871
Joined: Mon Feb 01, 2010 10:47 pm

Re: Question about Password Managers

Post by daytona084 »

Many thanks for all the replies so far... A lot of very good replies, gives me a lot to consider.

I was under the impression that all password managers require the user to change all their passwords over to their own long self-generated passwords. Good to know that's not the case, at least for most of them. So my primary fear (being stuck somewhere with no way to get into anything) is easily resolved.

Seems like one goal is to have a plan where logins from a remote location can be done reliably with a minimum of hassle but still be secure. I think this would vary depending on which password manager is chosen.

My current situation is that I record passwords in a Google doc - - but not completely... Enough so I can figure out the password but not enough for someone who might access the document. Obviously this level of security could be improved.

Now if I could just get DW to quit using the same password over multiple sites :x
BolderBoy
Posts: 5012
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Question about Password Managers

Post by BolderBoy »

daytona084 wrote: Mon Aug 24, 2020 11:16 amKeePass, on the other hand, is only local. So if I am on someone else's device, I am out of luck, correct?
No, KeePassXC (which is better than KeePass) has a portable version - put it and your [encrypted] password database on a thumb drive and take it with you.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
otinkyad
Posts: 287
Joined: Wed Jun 01, 2016 5:35 pm

Re: Question about Password Managers

Post by otinkyad »

daytona084 wrote: Mon Aug 24, 2020 7:18 pm Seems like one goal is to have a plan where logins from a remote location can be done reliably with a minimum of hassle but still be secure. I think this would vary depending on which password manager is chosen.
I still think your premise is false. There is no way to securely enter a password on a device that you don’t own. If you are entering passwords on a hotel computer, the use of a password manager is security theater.
otinkyad
Posts: 287
Joined: Wed Jun 01, 2016 5:35 pm

Re: Question about Password Managers

Post by otinkyad »

brad.clarkston wrote: Mon Aug 24, 2020 5:27 pm
atikovi wrote: Mon Aug 24, 2020 5:19 pm
mptfan wrote: Mon Aug 24, 2020 5:14 pm
trinc wrote: Mon Aug 24, 2020 5:05 pm and no one worries about a corrupt password vault ?
All reputable password managers use a "zero knowledge" protocol for storing passwords which means that even if the vault is compromised, your passwords are not revealed, only long random hashes that are essentially useless, and the password manager itself cannot even decipher your passwords even if they wanted to.
How different is that from what your bank or even internet forum uses?
It's not, the system most banks use is the same one BitWarden and LastPass uses.
This seems misleading, as was mptfan’s use of the word “hash” to mean “encrypted blob”. It may be that well-implemented (I would not say “most”) web sites only store a one-way password hash and not your password itself. That doesn’t make them zero-knowledge, which would mean you never send the web site your actual password to log in. It’s not impossible, I’ve just never heard of anyone other than password managers doing it.
lazydavid
Posts: 3347
Joined: Wed Apr 06, 2016 1:37 pm

Re: Question about Password Managers

Post by lazydavid »

otinkyad wrote: Mon Aug 24, 2020 10:39 pm This seems misleading, as was mptfan’s use of the word “hash” to mean “encrypted blob”. It may be that well-implemented (I would not say “most”) web sites only store a one-way password hash and not your password itself. That doesn’t make them zero-knowledge, which would mean you never send the web site your actual password to log in. It’s not impossible, I’ve just never heard of anyone other than password managers doing it.
This is absolutely true. I run a website for a SaaS company that gets extremely high marks for security from several major independent bodies, and also undergoes continuous external penetration testing and static source code analysis for vulnerabilities. And even we receive the plaintext password from our clients via an encrypted channel. This is extremely helpful when changing back-end identity managers. During the transition, we can hash this password the "old way" to authenticate the user, and then also hash and store the "new way" so they can authenticate against the new system in the future.

As you point out, a system like ours (which is indeed fairly common) is not zero trust. That does not mean it's insecure, in one respect it's the opposite since it means even if a hash were to ever be made public, it could not be used to authenticate. These are just different, albeit related, concepts.
Last edited by lazydavid on Tue Aug 25, 2020 8:27 am, edited 1 time in total.
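The transition lazydavid describes (the server sees the plaintext at login, verifies it against the old hash, and re-stores it under the new scheme) can be shown in a few lines. This is an added example, not code from any poster or from any product mentioned in the thread; the legacy scheme (one round of salted SHA-256), the scheme names and the PBKDF2 iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Added example: verify-then-rehash at login. The legacy scheme (a single
# round of salted SHA-256), the scheme labels and the iteration count are
# assumptions for the demo, not any real site's configuration.
LEGACY = "sha256-salted"
MODERN = "pbkdf2-sha256"
PBKDF2_ITERATIONS = 200_000  # kept modest for demo speed; production uses more


def legacy_hash(password: str, salt: bytes) -> str:
    # The "old way": one fast SHA-256 over salt || password.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: bytes) -> str:
    # The "new way": an iterated KDF that makes offline guessing expensive.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


def make_record(password: str, scheme: str) -> dict:
    """Create a stored credential record under the given scheme."""
    salt = os.urandom(16)
    if scheme == LEGACY:
        digest = legacy_hash(password, salt)
    elif scheme == MODERN:
        digest = modern_hash(password, salt)
    else:
        raise ValueError("unknown scheme: %s" % scheme)
    return {"scheme": scheme, "salt": salt, "hash": digest}


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Check the plaintext password the client just sent against the stored
    record. On success, transparently re-store it under the modern scheme.
    Returns (ok, record_to_store)."""
    if record["scheme"] == LEGACY:
        candidate = legacy_hash(password, record["salt"])
    elif record["scheme"] == MODERN:
        candidate = modern_hash(password, record["salt"])
    else:
        raise ValueError("unknown scheme: %s" % record["scheme"])
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] != MODERN:
        # Only possible because the server holds the plaintext at this moment,
        # which is exactly the point made above about non-zero-knowledge sites.
        record = make_record(password, MODERN)
    return True, record


if __name__ == "__main__":
    stored = make_record("correct horse battery staple", LEGACY)
    ok, stored = verify_and_upgrade(stored, "correct horse battery staple")
    print(ok, stored["scheme"])  # True pbkdf2-sha256
```

The stored record keeps a scheme tag so that users who never log in during the transition stay verifiable under the old scheme, and the upgrade happens at the one moment the server legitimately has the plaintext. A zero-knowledge design (the password-manager model discussed above) never has that moment, which is why such migrations are awkward there.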
Jeff Albertson
Posts: 832
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Question about Password Managers

Post by Jeff Albertson »

You probably don't want to use your iPhone's Keychain password manager -

"Last week, a friend of mine had his iPhone stolen. What follows is the sequence of events that started as an unfortunate event and ended up with $30,000 in unauthorized wire transfers, $2,500 spent on the AppStore, and accounts of multiple services compromised."
https://twitter.com/hprange/status/1291366907271151616
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

Jeff Albertson wrote: Tue Aug 25, 2020 7:10 am You probably don't want to use your iPhone's Keychain password manager -

"Last week, a friend of mine had his iPhone stolen. What follows is the sequence of events that started as an unfortunate event and ended up with $30,000 in unauthorized wire transfers, $2,500 spent on the AppStore, and accounts of multiple services compromised."
https://twitter.com/hprange/status/1291366907271151616
I would think some details were left out. First, how can you do a wire by phone? I've always had to go to my bank in person to do that. Second, even if that happened, unauthorized or criminally processed wire transfers can be reversed within a short window of time. I assume the recipient of the wire was in on it and so had to have a bank account to receive it so it shouldn't be hard to trace.
BogleFanGal
Posts: 650
Joined: Mon Mar 20, 2017 6:59 pm

Re: Question about Password Managers

Post by BogleFanGal »

On the password manager topic, saw below article posted on the elliott.org blog today. Apparently, some lastpass users have run into a situation where their master PW suddenly doesn't work. Has that happened to anyone here? A royal pain, I'd imagine, as you'd have to reset all your PWs from scratch.

https://www.elliott.org/blog/help-my-la ... s-the-fix/
"Life would be infinitely happier if we could only be born at the age of eighty and gradually approach eighteen." Mark Twain
brad.clarkston
Posts: 971
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Question about Password Managers

Post by brad.clarkston »

BogleFanGal wrote: Wed Aug 26, 2020 11:33 am On the password manager topic, saw below article posted on the elliott.org blog today. Apparently, some lastpass users have run into a situation where their master PW suddenly doesn't work. Has that happened to anyone here? A royal pain, I'd imagine, as you'd have to reset all your PWs from scratch.

https://www.elliott.org/blog/help-my-la ... s-the-fix/
That was a horrible blog post by an obvious luddite with some really bad suggestions. He left out a lot; I'm sure there were other things going on. I'm betting he had a family issue that corrupted his side of the key, which would make it unrecoverable. If that's the case, any manager would have that issue.

I used LastPass's paid service for years before switching to BitWarden's paid service and never had an issue with support; it was easy to get to via chat and phone and the people were knowledgeable.

LastPass is no less secure or broken than any other manager, including Google and Apple, which are not a better solution.
DoTheMath
Posts: 418
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Question about Password Managers

Post by DoTheMath »

If you think your information has never been accessed, you might be surprised. Here's a legitimate website which catalogs email addresses which have shown up in security breaches:

https://haveibeenpwned.com
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

DoTheMath wrote: Wed Aug 26, 2020 12:10 pm If you think your information has never been accessed, you might be surprised. Here's a legitimate website which catalogs email addresses which have shown up in security breaches:

https://haveibeenpwned.com
Doesn't mean much. Anytime you give out your email address it will post there. Unless they get your password, who cares?
lazydavid
Posts: 3347
Joined: Wed Apr 06, 2016 1:37 pm

Re: Question about Password Managers

Post by lazydavid »

atikovi wrote: Wed Aug 26, 2020 1:42 pm
DoTheMath wrote: Wed Aug 26, 2020 12:10 pm If you think your information has never been accessed, you might be surprised. Here's a legitimate website which catalogs email addresses which have shown up in security breaches:

https://haveibeenpwned.com
Doesn't mean much. Anytime you give out your email address it will post there. Unless they get your password, who cares?
That's not correct. The count you receive when plugging your email address into that site is how many times your credentials for a site were publicly exposed in data breaches. They also identify which specific breaches you were a part of, so you know which credentials were compromised.
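Two points in the thread (simple man's description of leaked id/password pairs being replayed against other sites, and the exchange just above about what haveibeenpwned.com actually tells you) come together in a simple vault audit. The following is an added example, not code from any poster or from HIBP or any password manager. It uses the shape of HIBP's real Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/<first five hex characters of the password's SHA-1>, answered with lines of the form SUFFIX:COUNT), but makes no network call: SAMPLE_VAULT and SAMPLE_RANGE are constructed for the demo and are not real API output.

```python
import hashlib
from collections import defaultdict

# Added example. The range API shape (5-character SHA-1 prefix sent, lines of
# "SUFFIX:COUNT" returned) is the real Pwned Passwords protocol; everything
# in SAMPLE_VAULT and SAMPLE_RANGE is constructed for offline use.


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix ever leaves the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password: str, range_text: str) -> int:
    """Match the local 35-character suffix against the range the server
    returned for our prefix. 0 means the password was not in any breach."""
    _, suffix = split_hash(password)
    for line in range_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def find_reused(vault: list) -> dict:
    """Group vault entries (site, password) by identical password and keep
    only the passwords that protect more than one site."""
    sites_by_password = defaultdict(list)
    for site, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit_vault(vault: list, fetch_range) -> dict:
    """Per-site findings: password reuse (credential-stuffing exposure) and
    breach appearances. fetch_range(prefix) returns the range text."""
    findings = {site: [] for site, _ in vault}
    for sites in find_reused(vault).values():
        for site in sites:
            findings[site].append("reused on %d sites" % len(sites))
    for site, password in vault:
        prefix, _ = split_hash(password)
        hits = count_in_range(password, fetch_range(prefix))
        if hits:
            findings[site].append("seen in %d breached records" % hits)
    return findings


# Constructed sample data: a vault with one reused, breached password and one
# unique password, plus a fake range response that lists the breached one.
KNOWN_BAD = "password123"
SAMPLE_VAULT = [
    ("bank.example", KNOWN_BAD),
    ("email.example", KNOWN_BAD),
    ("airline.example", "Zq8!vLm2#pR9wTx-unique"),
]
SAMPLE_RANGE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",   # constructed filler suffix
    split_hash(KNOWN_BAD)[1] + ":42",          # the one our vault shares
    "FFFD2E3B0FEB11B4EE08D7B01C0A4FA8C8A:1",   # constructed filler suffix
])


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET; serves the constructed range for any prefix."""
    return SAMPLE_RANGE


if __name__ == "__main__":
    for site, notes in audit_vault(SAMPLE_VAULT, offline_fetch_range).items():
        print(site, notes or ["ok"])
```

To run this against the real service, replace offline_fetch_range with a function that fetches the URL for the prefix; the password itself is never sent, only the first five characters of its hash, and the comparison against the returned suffixes happens locally. The reuse check is the part that addresses the credential-stuffing concern: a password that appears on two sites is exactly what a leaked pair from one site lets an attacker replay against the other.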
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

Says one of my emails was pwned in a dozen different breaches.

2,844 Separate Data Breaches (unverified): In February 2018, a massive collection of almost 3,000 alleged data breaches was found online. Whilst some of the data had previously been seen in Have I Been Pwned, 2,844 of the files consisting of more than 80 million unique email addresses had not previously been seen. Each file contained both an email address and plain text password and were consequently loaded as a single "unverified" data breach.

Compromised data: Email addresses, Passwords

Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Compromised data: Email addresses, Password hints, Passwords, Usernames

Anti Public Combo List (unverified): In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I Been Pwned.

Compromised data: Email addresses, Passwords

B2B USA Businesses (spam list): In mid-2017, a spam list of over 105 million individuals in corporate America was discovered online. Referred to as "B2B USA Businesses", the list categorised email addresses by employer, providing information on individuals' job titles plus their work phone numbers and physical addresses. Read more about spam lists in HIBP.

Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses

Collection #1 (unverified): In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

Compromised data: Email addresses, Passwords

Covve: In February 2020, a massive trove of personal information referred to as "db8151dd" was provided to HIBP after being found left exposed on a publicly facing Elasticsearch server. Later identified as originating from the Covve contacts app, the exposed data included extensive personal information and interactions between Covve users and their contacts. The data was provided to HIBP by dehashed.com.

Compromised data: Email addresses, Job titles, Names, Phone numbers, Physical addresses, Social media profiles

Data Enrichment Exposure From PDL Customer: In October 2019, security researchers Vinny Troia and Bob Diachenko identified an unprotected Elasticsearch server holding 1.2 billion records of personal data. The exposed data included an index indicating it was sourced from data enrichment company People Data Labs (PDL) and contained 622 million unique email addresses. The server was not owned by PDL and it's believed a customer failed to properly secure the database. Exposed information included email addresses, phone numbers, social media profiles and job history data.

Compromised data: Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Social media profiles

Exploit.In (unverified): In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I Been Pwned.

Compromised data: Email addresses, Passwords

Houzz: In mid-2018, the housing design website Houzz suffered a data breach. The company learned of the incident later that year then disclosed it to impacted members in February 2019. Almost 49 million unique email addresses were in the breach alongside names, IP addresses, geographic locations and either salted hashes of passwords or links to social media profiles used to authenticate to the service. The data was provided to HIBP by dehashed.com.

Compromised data: Email addresses, Geographic locations, IP addresses, Names, Passwords, Social media profiles, Usernames

Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data: Email addresses, Passwords

Verifications.io: In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.

Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses


So what does that mean and why is it important? And for heaven's sake don't quote all that when posting.