Question about Password Managers

lazydavid
Posts: 3347
Joined: Wed Apr 06, 2016 1:37 pm

Re: Question about Password Managers

Post by lazydavid »

It means you had credentials or other information exposed in at least a dozen different data breaches. Just to pick two, in the Adobe hack, the credentials you had used on Adobe.com using the email address you entered into the engine were made public. So the password you had on Adobe.com at that time is known to the world, and will also be used in combination with your email address in credential stuffing attacks on every other website under the sun. So you should have by now changed your password on Adobe.com, as well as on any other site where you may have used the same password.

In the Anti Public Combo List, you had credentials for at least one site, but possibly several or many, exposed in a compound list. This page doesn't get more specific than that, but that information is available.

There are some on there that are not credential breaches, but rather the release/theft of personal information (not including passwords) associated with your email address. These are less severe, but good to be aware of.
Broken Man 1999
Posts: 5064
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, inland on high ground!

Re: Question about Password Managers

Post by Broken Man 1999 »

Well, I know from experience if you lose/forget your LastPass master password, you will be spending some time rebuilding your password vault. Your hint most likely would work, but I don't want to depend on a hint, someone else might want to use it.

I had to rebuild my vault because my written copy of my extremely long master password was shredded by accident. I could remember probably 75% of the 40-50 character password, but that didn't hack it (no pun intended). That was when I moved to a long statement for my master password.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go. " -Mark Twain
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

lazydavid wrote: Wed Aug 26, 2020 2:06 pm So you should have by now changed your password on Adobe.com, as well as on any other site where you may have used the same password.
I have used the same usernames, email addresses and passwords, or a few variations thereof, for over 20 years and on probably over 500 sites I registered on. Have never had any issues. My take is the chance of some Russian hacker putting together anything from these breaches of hundreds of millions of email addresses is less likely than me winning the Powerball.
linuxizer
Posts: 1622
Joined: Wed Jan 02, 2008 7:55 am

Re: Question about Password Managers

Post by linuxizer »

Password safe is a pretty standard file format, with apps for Windows, MacOS, Linux. There are apps for both iOS and Android that can read it and have integrated Dropbox support. Dropbox is cloud-based obviously but a Dropbox security breach in this case would just give them the encrypted file.

Reasonably secure for stuff like website passwords.
HawkeyePierce
Posts: 1488
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Question about Password Managers

Post by HawkeyePierce »

atikovi wrote: Wed Aug 26, 2020 2:32 pm
lazydavid wrote: Wed Aug 26, 2020 2:06 pm So you should have by now changed your password on Adobe.com, as well as on any other site where you may have used the same password.
I have used the same usernames, email addresses and passwords, or a few variations thereof, for over 20 years and on probably over 500 sites I registered on. Have never had any issues. My take is the chance of some Russian hacker putting together anything from these breaches of hundreds of millions of email addresses is less likely than me winning the Powerball.
Their attacks are automated. Credential stuffing attacks are very inexpensive for the attacker.
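Added example (editor's code, not from any poster in this thread): the automation HawkeyePierce describes is also what makes credential stuffing visible on the defender's side. The Go program below parses a few constructed authentication log lines (the log format, usernames and IP addresses are assumptions made for this example) and flags source IPs that tried many distinct usernames with mostly failures, which is the fingerprint of a leaked combo list being replayed against a site. The accounts that did log in from such an IP are the ones to force a reset on. One user repeatedly mistyping their own password is deliberately not flagged.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one login attempt parsed from the log.
type AuthEvent struct {
	Timestamp string
	SrcIP     string
	Username  string
	Success   bool
}

// sampleLog is constructed for this example. The format is hypothetical:
// "<timestamp> <src-ip> <username> OK|FAIL".
const sampleLog = `2020-08-26T14:06:01Z 203.0.113.7 alice@example.com FAIL
2020-08-26T14:06:01Z 203.0.113.7 bob@example.com FAIL
2020-08-26T14:06:02Z 203.0.113.7 carol@example.com FAIL
2020-08-26T14:06:02Z 203.0.113.7 dave@example.com OK
2020-08-26T14:06:03Z 203.0.113.7 erin@example.com FAIL
2020-08-26T14:06:03Z 203.0.113.7 frank@example.com FAIL
2020-08-26T14:07:10Z 198.51.100.4 alice@example.com FAIL
2020-08-26T14:07:15Z 198.51.100.4 alice@example.com FAIL
2020-08-26T14:07:20Z 198.51.100.4 alice@example.com OK`

// ParseLog turns raw log text into events, skipping malformed lines.
func ParseLog(raw string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		events = append(events, AuthEvent{Timestamp: f[0], SrcIP: f[1], Username: f[2], Success: f[3] == "OK"})
	}
	return events
}

// Finding is one source IP whose traffic looks like credential stuffing.
type Finding struct {
	SrcIP         string
	Attempts      int
	DistinctUsers int
	Failures      int
	Compromised   []string // accounts that authenticated successfully from that IP
}

// DetectStuffing flags source IPs that tried at least minUsers distinct
// usernames with a failure ratio of at least minFailRatio. A single user
// mistyping their own password (one username, a few failures) does not
// match; a combo list replayed across many accounts does.
func DetectStuffing(events []AuthEvent, minUsers int, minFailRatio float64) []Finding {
	type stats struct {
		users       map[string]bool
		attempts    int
		failures    int
		compromised []string
	}
	byIP := map[string]*stats{}
	for _, e := range events {
		s, ok := byIP[e.SrcIP]
		if !ok {
			s = &stats{users: map[string]bool{}}
			byIP[e.SrcIP] = s
		}
		s.users[e.Username] = true
		s.attempts++
		if e.Success {
			s.compromised = append(s.compromised, e.Username)
		} else {
			s.failures++
		}
	}
	var findings []Finding
	for ip, s := range byIP {
		ratio := float64(s.failures) / float64(s.attempts)
		if len(s.users) >= minUsers && ratio >= minFailRatio {
			findings = append(findings, Finding{SrcIP: ip, Attempts: s.attempts,
				DistinctUsers: len(s.users), Failures: s.failures, Compromised: s.compromised})
		}
	}
	// Deterministic order so reports (and tests) are stable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].SrcIP < findings[j].SrcIP })
	return findings
}

func main() {
	for _, f := range DetectStuffing(ParseLog(sampleLog), 5, 0.5) {
		fmt.Printf("%s: %d attempts, %d distinct users, %d failures; successful logins to reset: %v\n",
			f.SrcIP, f.Attempts, f.DistinctUsers, f.Failures, f.Compromised)
	}
}
```

The thresholds (5 users, 50% failures) are starting points, not magic numbers; on a real site they would be tuned per time window, and the successful logins from a flagged IP are the actionable output, because those are the reused passwords that worked.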
DoTheMath
Posts: 418
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Question about Password Managers

Post by DoTheMath »

atikovi wrote: Wed Aug 26, 2020 1:42 pm
DoTheMath wrote: Wed Aug 26, 2020 12:10 pm If you think your information has never been accessed, you might be surprised. Here's a legitimate website which catalogs email addresses which have shown up in security breaches:

https://haveibeenpwned.com
Doesn't mean much. Anytime you give out your email address it will post there. Unless they get your password, who cares?
As lazydavid said, that's straight false.

If you appear on their "breach" list, that means your information was possibly obtained as part of a known hack [1]. As you can see from atikovi's example, what sort of information was exposed can vary. Sometimes passwords, sometimes personal info like addresses, employers, etc. If you look at atikovi's list and imagine I have some or all of that info, you can imagine how it might not be hard for me to attack your other accounts, guess your mother's maiden name, your childhood street name, apply for credit in your name, and all sorts of fun stuff.

Being on this list does not mean that info was or will be used against you in a nefarious way [2]. It does mean that info is probably now in the wild. And if you are the sort who reuses passwords (including those who make minor changes and pretend that is a new password), then this should seriously worry you. Especially when this is only a partial list, and when most companies take months (at best!) to tell their users about data breaches.

A good quality password manager lets you have strong and completely unique passwords for every important website. Those passwords are extremely unlikely to be hacked by direct attack, and even if Adobe screws up on their end the rest of your accounts are just as safe as they always were.

To me it's a no-brainer to use a password manager or equivalent.

From the website:

[1] A "breach" is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software. HIBP aggregates breaches and enables people to assess where their personal data has been exposed.

[2] The website is hosted by 1password and they have an obvious incentive here to gloss over the fact that some number of breaches of your information will never come to anything. But that's luck, which is not a boglehead approved strategy for running your life :-).
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
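Added example (editor's code, not part of the post above and not HIBP's own software): besides the per-email breach lookup discussed here, the same site runs a Pwned Passwords service that answers "has this password appeared in a breach" without being sent the password. The client hashes the password with SHA-1, sends only the first five hex characters of the digest, and receives every hash suffix in that range with a breach count; the match happens locally, so the service never learns which password was checked. The Go program below implements that client-side half against a constructed response body (the suffix for "password" is the real SHA-1 tail; the other suffixes and all counts are made up), so it runs offline. The real endpoint is GET https://api.pwnedpasswords.com/range/{prefix}; fetching it is left out to keep the example self-contained.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SplitHash hashes the password with SHA-1 (the format the range API uses)
// and splits the upper-case hex digest into the 5-character prefix that is
// sent to the API and the 35-character suffix that never leaves the client.
func SplitHash(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	digest := strings.ToUpper(hex.EncodeToString(sum[:]))
	return digest[:5], digest[5:]
}

// CountInRange parses a range response ("SUFFIX:COUNT" per line, CRLF or LF)
// and returns how many times the given suffix was seen in breaches, or 0 if it
// is absent. The API may pad responses with entries whose count is 0; those
// fall through as "absent" naturally.
func CountInRange(body, suffix string) (int, error) {
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || len(parts[0]) != 35 {
			return 0, errors.New("malformed range response line: " + line)
		}
		if !strings.EqualFold(parts[0], suffix) {
			continue
		}
		n, err := strconv.Atoi(parts[1])
		if err != nil {
			return 0, err
		}
		return n, nil
	}
	return 0, nil
}

// sampleRange is a constructed stand-in for the body the real API would
// return for range 5BAA6. Only the middle suffix is a genuine SHA-1 tail
// (that of "password"); the other suffixes and every count are invented.
const sampleRange = "0123456789ABCDEF0123456789ABCDEF012:7\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
	"FEDCBA9876543210FEDCBA9876543210FED:0\r\n"

func main() {
	for _, pw := range []string{"password", "correct horse battery staple"} {
		prefix, suffix := SplitHash(pw)
		fmt.Printf("%q -> prefix sent to API: %s (suffix kept local)\n", pw, prefix)
		if prefix != "5BAA6" {
			fmt.Printf("  range %s is not in the constructed sample; a real client would fetch it\n", prefix)
			continue
		}
		n, err := CountInRange(sampleRange, suffix)
		if err != nil {
			fmt.Println("  error:", err)
			continue
		}
		fmt.Printf("  seen %d times in breaches\n", n)
	}
}
```

SHA-1 is fine here because it is only an index into a public list of already-leaked passwords, not a way to protect a secret; the privacy property comes from the five-character prefix, which maps to several hundred candidate hashes per range.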
atikovi
Posts: 1006
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Question about Password Managers

Post by atikovi »

So how does a PW manager work? Right now when I go to Bogleheads or most internet forums, I'm already logged in. Don't have to do anything to post. Even for online banking, my username and PW is already populated and just have to click the SIGN IN button. Would a PW manager be this seamless as well?
RetiredAL
Posts: 990
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Question about Password Managers

Post by RetiredAL »

Certain readers of this thread may be interested in this -

Ross Anderson is doing a "crowd" edit of his upcoming 3rd edition of "Security Engineering".

https://www.cl.cam.ac.uk/~rja14/book.html

Below the new chapters are the 2nd edition chapters.
sycamore
Posts: 1226
Joined: Tue May 08, 2018 12:06 pm

Re: Question about Password Managers

Post by sycamore »

atikovi wrote: Wed Aug 26, 2020 2:57 pm So how does a PW manager work?
I suggest you read an overview of PW managers so you know what features they have and how they work. Here's a good starting point: https://www.nytimes.com/wirecutter/revi ... -managers/
atikovi wrote: Wed Aug 26, 2020 2:57 pm Right now when I go to Bogleheads or most internet forums, I'm already logged in.
Note that the "already logged in" depends on the web site. Some sites will force you to login after a certain amount of time (say, 2 weeks).
atikovi wrote: Wed Aug 26, 2020 2:57 pm Don't have to do anything to post. Even for online banking, my username and PW is already populated and just have to click the SIGN IN button. Would a PW manager be this seamless as well?
Yes, though it may depend on which PW manager you're talking about.

Also, some PW managers let you configure whether or not to auto-populate the username and password fields. Some even support "auto-logon."
Northern Flicker
Posts: 6522
Joined: Fri Apr 10, 2015 12:29 am

Re: Question about Password Managers

Post by Northern Flicker »

mptfan wrote: Mon Aug 24, 2020 5:58 pm
Northern Flicker wrote: Mon Aug 24, 2020 5:55 pm
mptfan wrote: Mon Aug 24, 2020 5:25 pm
Northern Flicker wrote: Mon Aug 24, 2020 5:24 pm If the password safe can return the passwords to you or to an application in cleartext form, then the passwords can be compromised if the password safe is compromised.
I used to think that too, but that's just not true.
If you define compromise of the passwords as retrieval of them in cleartext form, then it is true by definition.

I think maybe you are confusing the method used to store passwords on the service side of a service doing authentication by passwords. A service will store a cryptohash of the password and when you authenticate by supplying the cleartext password to the service, it will use that to generate a cryptohash and compare to the stored cryptohash. This is different from a password safe. If a password safe can generate your passwords as cleartext, then the passwords could be compromised if the password safe is compromised.
Ok, allow me to be more clear, I did not mean to say that your statement was not true by definition because it is. What I meant to say was... I used to think that password managers return passwords in clear text, but I have learned that they do not, they return them to you in a form that cannot be deciphered without your master password. It is my understanding that all reputable password managers do not know your passwords and cannot decipher them even if they wanted to.
You have an incorrect understanding. You supply the master password to the password safe software to "open" the safe. The safe is encrypted with the master password. Passwords in the safe may be encrypted individually as well. The master password enables decryption of the passwords.

Breach of the password safe would mean unauthorized access to the unencrypted passwords. This is most likely to occur by attacking the protocol you use (eg keystroke filter to capture your master password, or other filter to capture the cleartext password when it is communicated to you or some software login dialogue) and not by attacking the encryption scheme head-on and breaking it, although that is also possible.
Risk is not a guarantor of return.
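Added example (editor's code, not from Northern Flicker or any product): the distinction drawn in the post above, in working Go. A website stores a salted one-way hash (PBKDF2-HMAC-SHA256 here, written against the standard library so nothing external is needed) and can only check a submitted password, never recover it. A password safe instead derives an encryption key from the master password and decrypts the entries with it, so it returns cleartext by design; whoever has the vault file and the master password gets everything back, and the KDF iteration count is what slows an offline guess at a stolen vault's master password. The file layout and iteration count are illustrative choices, not any specific product's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// kdfIterations is kept modest so the example runs quickly; deployments use
// far more work, or a memory-hard KDF such as Argon2, to slow offline guessing.
const kdfIterations = 100_000

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018): T_i = U_1 xor ... xor U_c,
// U_1 = HMAC(P, S || INT(i)), U_j = HMAC(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ServiceRecord is what a website keeps: a salt and a one-way hash. The
// password itself is not stored and cannot be recovered from the record.
type ServiceRecord struct{ Salt, Hash []byte }

func Enroll(password string) ServiceRecord {
	salt := randomBytes(16)
	return ServiceRecord{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, kdfIterations, 32)}
}

// Verify recomputes the hash from the submitted password and compares in constant time.
func Verify(rec ServiceRecord, password string) bool {
	got := pbkdf2SHA256([]byte(password), rec.Salt, kdfIterations, 32)
	return subtle.ConstantTimeCompare(got, rec.Hash) == 1
}

// Vault is what a password safe keeps: a salt plus the entries encrypted under
// a key derived from the master password. Unlike ServiceRecord it is reversible
// by design: file + master password = every stored password in cleartext.
type Vault struct{ Salt, Nonce, Ciphertext []byte }

func gcmFor(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func SealVault(master string, entries []byte) (Vault, error) {
	salt := randomBytes(16)
	gcm, err := gcmFor(master, salt)
	if err != nil {
		return Vault{}, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return Vault{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, entries, salt)}, nil
}

// OpenVault derives the key again and decrypts. A wrong master password gives
// a GCM authentication failure, not garbage plaintext.
func OpenVault(master string, v Vault) ([]byte, error) {
	gcm, err := gcmFor(master, v.Salt)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, v.Nonce, v.Ciphertext, v.Salt)
	if err != nil {
		return nil, fmt.Errorf("vault did not open (wrong master password or corrupted file): %w", err)
	}
	return plain, nil
}

func main() {
	rec := Enroll("hunter2")
	fmt.Println("service accepts correct password:", Verify(rec, "hunter2"), "wrong:", Verify(rec, "hunter3"))
	v, _ := SealVault("a long statement is a fine master password", []byte("adobe.com:hunter2"))
	plain, err := OpenVault("a long statement is a fine master password", v)
	fmt.Printf("vault opened: %q (err=%v)\n", plain, err)
	_, err = OpenVault("guess", v)
	fmt.Println("wrong master password:", err)
}
```

Two things to notice: Verify can only ever answer yes or no, while OpenVault hands back the entries themselves, which is exactly why a captured master password (keylogger, phished login dialogue) is the realistic way a vault gets compromised; and the salt is bound into the ciphertext as GCM associated data, so swapping salts between vault files is detected rather than silently producing a different key.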
MarkBarb
Posts: 494
Joined: Mon Aug 03, 2009 11:59 am

Re: Question about Password Managers

Post by MarkBarb »

mptfan wrote: Mon Aug 24, 2020 5:27 pm
brad.clarkston wrote: Mon Aug 24, 2020 5:26 pm I don't, there's no reason to keep a weak e-mail password anymore.
My email password is not weak.
Indeed. In many cases, getting access to someone's e-mail is like getting the keys to the kingdom because they can do password resets on many other accounts if they have access to your e-mail.
MarkBarb
Posts: 494
Joined: Mon Aug 03, 2009 11:59 am

Re: Question about Password Managers

Post by MarkBarb »

Broken Man 1999 wrote: Wed Aug 26, 2020 2:20 pm Well, I know from experience if you lose/forget your LastPass master password, you will be spending some time rebuilding your password vault. Your hint most likely would work, but I don't want to depend on a hint, someone else might want to use it.

I had to rebuild my vault because my written copy of my extremely long master password was shredded by accident. I could remember probably 75% of the 40-50 character password, but that didn't hack it (no pun intended). That was when I moved to a long statement for my master password.

Broken Man 1999
I talked to a guy a couple of days ago that doesn't use a password safe. He won't use one that doesn't have a way to reset his master password for him if he loses it. I tried to explain that giving them that ability means giving them and people that hack their systems access to all of your passwords, but that didn't seem to bother him.
squirm
Posts: 2946
Joined: Sat Mar 19, 2011 11:53 am

Re: Question about Password Managers

Post by squirm »

Just write your master password down and hide it somewhere in your house. Even if someone finds it they won't know what it is.
BogleFanGal
Posts: 650
Joined: Mon Mar 20, 2017 6:59 pm

Re: Question about Password Managers

Post by BogleFanGal »

brad.clarkston wrote: Wed Aug 26, 2020 11:45 am
BogleFanGal wrote: Wed Aug 26, 2020 11:33 am On the password manager topic, saw below article posted on the elliott.org blog today. Apparently, some lastpass users have run into a situation where their master PW suddenly doesn't work. Has that happened to anyone here? A royal pain, I'd imagine, as you'd have to reset all your PWs from scratch.

https://www.elliott.org/blog/help-my-la ... s-the-fix/
That was a horrible blog post by an obvious luddite with some really bad suggestions. He left out a lot; I'm sure there were other things going on. I'm betting he had a family issue that corrupted his side of the key, which would make it unrecoverable. If that's the case any manager would have that issue.

I used Lastpass's paid service for years before switching to BitWarden's paid service and never had an issue with support; it was easy to get to via chat and phone and the people were knowledgeable.

Lastpass is no less secure or broken than any other manager including google and apple which is not a better solution.
Good to hear. I've used LP for years and really like it. But I'm not a security expert, so it was a bit concerning to read that people's master PW no longer worked for some reason. Seemed strange to me, but he says quite a few people wrote to his team encountering this as well - and he's fairly reputable as far as a consumer advocate, so was a bit concerned.
"Life would be infinitely happier if we could only be born at the age of eighty and gradually approach eighteen." Mark Twain
Jeff Albertson
Posts: 832
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Question about Password Managers

Post by Jeff Albertson »

MarkBarb wrote: Wed Aug 26, 2020 5:27 pm
Broken Man 1999 wrote: Wed Aug 26, 2020 2:20 pm Well, I know from experience if you lose/forget your LastPass master password, you will be spending some time rebuilding your password vault. Your hint most likely would work, but I don't want to depend on a hint, someone else might want to use it.

I had to rebuild my vault because my written copy of my extremely long master password was shredded by accident. I could remember probably 75% of the 40-50 character password, but that didn't hack it (no pun intended). That was when I moved to a long statement for my master password.

Broken Man 1999
I talked to a guy a couple of days ago that doesn't use a password safe. He won't use one that doesn't have a way to reset his master password for him if he loses it. I tried to explain that giving them that ability means giving them and people that hack their systems access to all of your passwords, but that didn't seem to bother him.
You can access your passwords, without the master password, by using biometric verification, such as a finger touch sensor, on a phone or tablet for some password managers (Lastpass is one).
I also export my passwords from Lastpass periodically to have a backup.
squirm
Posts: 2946
Joined: Sat Mar 19, 2011 11:53 am

Re: Question about Password Managers

Post by squirm »

With lastpass (at least how I use it) I have to enter my password when opening the app the first time along with the authy app. When it goes into the background and I go to use it again, I can use fingerprint.
squirm
Posts: 2946
Joined: Sat Mar 19, 2011 11:53 am

Re: Question about Password Managers

Post by squirm »

I will admit my heart stops and I freak when I don't enter the password right thinking someone got in and changed it and I'm screwed forever. Freaken everything is in my lastpass.
drummerboy
Posts: 171
Joined: Wed Apr 20, 2016 1:08 pm

Re: Question about Password Managers

Post by drummerboy »

simple man wrote: Mon Aug 24, 2020 7:08 pm Many hacks occur because many people use the same id and password for different sites. So, assume Target or Sports Illustrated get hacked and thousands of id/password pairs get taken. The hackers then run those id/password pairs against, for instance, a thousand known major sites - e.g. banks, brokerages, bitcoin, amazon, etc...Inevitably, they will gain access from those sites where the people were reusing the id/passwords. Password managers allow you to have a different quality password for all of your sites and avoid this issue.
Exactly!

Everyone is "afraid" of password managers, but in reality their current situation without one is much, much worse. Use a password manager!!

Step 1: EVERY site should have a unique password. Better yet, if your email provider allows it, use some different email addresses for various sites that are DIFFERENT from your actual email address. Most hacks occur because someone gets a database from a company that lists your email address.

Step 2: Don't be afraid of "cloud-based" password managers. They have true "end-to-end" encryption. That means if 1Password's servers get hacked (or their administrator panel), they have NO WAY to un-encrypt your data. This is different from Dropbox, etc that just encrypt data at rest.

The biggest thing with password managers is usability. If you know how to use them, you'll use it more. I happen to be a 1Password user. My wife and kids all have their own accounts and use strong, unique passwords everywhere and have no challenges understanding how to use it.

Besides my master password, you also need to know a unique code that is created with my login account. After I initialize my computer, no one ever sees this, but it helps encrypt my data. It adds a 2nd factor. I can add a "3rd" factor which would be something like Authy or a Yubikey.

In summary, a password manager is a lot better than any simple setup most people use (sticky notes, re-using passwords, etc).
brad.clarkston
Posts: 971
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Question about Password Managers

Post by brad.clarkston »

While I'm a big advocate for open source BitWarden, the one thing LastPass does far better on the paid side is their password checkups; that's the one big knock I have on 1Password, it doesn't have anything like that. Once you start using the password checkup tools it's an eye opener just how bad your various passwords are.

Even with a password manager I still recommend you change any financial or amazon/paypal passwords yearly via the manager just to be safe.
You also want to change any financial recovery question answers to something made up that no one can guess and write them down in a keepass database for safe keeping.
drummerboy
Posts: 171
Joined: Wed Apr 20, 2016 1:08 pm

Re: Question about Password Managers

Post by drummerboy »

brad.clarkston wrote: Wed Aug 26, 2020 8:54 pm LastPass does far better on the paid side is their password checkups; that's the one big knock I have on 1Password, it doesn't have anything like that. Once you start using the password checkup tools it's an eye opener just how bad your various passwords are.
1Password does have a feature like that. It’s called Watchtower. It highlights: weak passwords, reused passwords, and any passwords that have been found in data breach situations.

It is eye-opening. Before I started using a password manager, I thought I was doing well. Now I realize that I used to be very exposed. All of the paid password managers are well worth the money.
brad.clarkston
Posts: 971
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Question about Password Managers

Post by brad.clarkston »

drummerboy wrote: Wed Aug 26, 2020 9:24 pm
brad.clarkston wrote: Wed Aug 26, 2020 8:54 pm LastPass does far better on the paid side is their password checkups; that's the one big knock I have on 1Password, it doesn't have anything like that. Once you start using the password checkup tools it's an eye opener just how bad your various passwords are.
1Password does have a feature like that. It’s called Watchtower. It highlights: weak passwords, reused passwords, and any passwords that have been found in data breach situations.

It is eye-opening. Before I started using a password manager, I thought I was doing well. Now I realize that I used to be very exposed. All of the paid password managers are well worth the money.
Thanks! I'll take a look at it. I moved to BitWarden as I'm an open source advocate but all three are worth the price (free or paid).
BogleFanGal
Posts: 650
Joined: Mon Mar 20, 2017 6:59 pm

Re: Question about Password Managers

Post by BogleFanGal »

could someone quickly highlight the advantages of a paid LastPass account for a single user with typical non-biz needs? Are there extra protections you believe merit the cost?
"Life would be infinitely happier if we could only be born at the age of eighty and gradually approach eighteen." Mark Twain
Jeff Albertson
Posts: 832
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Question about Password Managers

Post by Jeff Albertson »

BogleFanGal wrote: Thu Aug 27, 2020 9:55 am could someone quickly highlight the advantages of a paid LastPass account for a single user with typical non-biz needs? Are there extra protections you believe merit the cost?
check the lastpass homepage: https://www.lastpass.com/
One advantage is 'Priority tech support'. It seems the Elliot guy didn't think he was getting his money's worth of service from the free version of lastpass.
LookinAround
Posts: 253
Joined: Tue Mar 27, 2018 5:41 am
Location: Chicagoland

Re: Question about Password Managers

Post by LookinAround »

mptfan wrote: Mon Aug 24, 2020 11:33 am The features that are most important to me are ... <snip> the ability to use two factor authentication using physical U2F security keys and not being limited to only using a specific model of security key made by Yubikey (yes I'm looking at you Lastpass),
Don't know if it's already mentioned or how long past you checked 2FA for LastPass, but it supports more than the Yubikey now. I use the Google Authenticator app for 2FA with LastPass. I retired all my Yubikeys.
mptfan
Posts: 6209
Joined: Mon Mar 05, 2007 9:58 am

Re: Question about Password Managers

Post by mptfan »

LookinAround wrote: Thu Aug 27, 2020 3:36 pm
mptfan wrote: Mon Aug 24, 2020 11:33 am The features that are most important to me are ... <snip> the ability to use two factor authentication using physical U2F security keys and not being limited to only using a specific model of security key made by Yubikey (yes I'm looking at you Lastpass),
Don't know if it's already mentioned or how long past you checked 2FA for LastPass, but it supports more than the Yubikey now. I use the Google Authenticator app for 2FA with LastPass. I retired all my Yubikeys.
Maybe I wasn't clear...I know you can use other authentication methods besides a security key, but physical security keys are the gold standard of two factor authentication methods and if you choose to use a security key then Lastpass forces you to use a specific type of Yubikey made by Yubico, and it's one of their more expensive models... and I don't know why, that seems artificially restrictive, perhaps they have a sweetheart deal with Yubikey. I can tell you that is not a common practice in my experience... I use security keys to secure a number of my accounts, including Google and including Keeper, and they both allow me to use any security key of my choice, I am not forced to use a Yubikey or a specific model of Yubikey.

Please understand that Yubikeys are a specific brand name of security keys made by a company called Yubico. They are great, and I like Yubico, I appreciate what they have done for account security, this is nothing against Yubico or Yubikeys, but you do pay a premium to get a Yubikey, whereas you can get security keys from a variety of other manufacturers, and most of them are less expensive than Yubikeys and in most cases serve exactly the same function. But for some reason, when I investigated this, I found out that if you want to use a security key to secure your Lastpass account you must use a specific more expensive model of Yubikey. If I recall correctly, the specific model they force you to use cost $50 each, whereas I can get security keys from other manufacturers for $12 to $20. Yubikey also has a model for $20 I think. I do not like to just have one security key, it's too risky, I like to have backups.