Are Password Managers Really Necessary?

Topic Author
RooseveltG
Posts: 705
Joined: Sun Sep 07, 2008 2:56 pm
Location: The Rust Belt

Are Password Managers Really Necessary?

Post by RooseveltG »

I use a Password Manager but friends claim they are unnecessary. They ask if I know anyone who has ever lost brokerage firm assets because their account was hacked and I cannot say that I do. They also do not worry about credit card fraud because they locked down their credit and liability is limited to $50 per card.

So are Password Managers necessary or are they overkill?

Thanks in advance.

Roosevelt
onourway
Posts: 3778
Joined: Thu Dec 08, 2016 2:39 pm

Re: Are Password Managers Really Necessary?

Post by onourway »

Even forgetting the security aspects, a password manager just makes my life SO MUCH EASIER.

Modern digital life requires a tremendous number of passwords. Previous to the existence of password managers that meant I spent a non-trivial amount of time trying to remember which password was used for which site, trying multiple combinations, and sometimes resorting to re-setting the password, which requires several minutes of back and forth, coming up with a new password that meets the site's complexity requirements, and trying to capture that password somewhere it wouldn't be immediately lost.

I help many people in my life with their computer and networking issues. The most difficult part of the problem is often figuring out all their passwords so that we can actually move forward on solving the actual issue at hand.

Password management of some sort is a must, IMO.
Jags4186
Posts: 8198
Joined: Wed Jun 18, 2014 7:12 pm

Re: Are Password Managers Really Necessary?

Post by Jags4186 »

RooseveltG wrote: Mon Jan 08, 2018 9:01 am I use a Password Manager but friends claim they are unnecessary. They ask if I know anyone who has ever lost brokerage firm assets because their account was hacked and I cannot say that I do. They also do not worry about credit card fraud because they locked down their credit and liability is limited to $50 per card.

So are Password Managers necessary or are they overkill?

Thanks in advance.

Roosevelt
One of the best things about using all Apple devices is that there is a built in password manager, Keychain, that syncs between all your devices. It works well enough for me. I don't use it because I'm worried about getting hacked, per se, but because so many websites have different password requirements, change requirements, etc. etc. etc. that it's impossible to keep them all straight. Which one needs a capital letter and a symbol, which one can't use a symbol, which one needs to be 10 characters long with at least 6 letters and 2 symbols and only prime numbers...
b42
Posts: 404
Joined: Thu Apr 11, 2013 7:00 pm

Re: Are Password Managers Really Necessary?

Post by b42 »

Password Managers are great for storing and managing tons of usernames and passwords (I have over 40 accounts spread across all types of websites: forums, banking, bills, etc.). It's also better to not re-use the same password across all sites, since if someone gains access to one account, they could in theory gain access to all the other ones.

For me, it's less about losing money...there's a nightmare scenario where someone isn't looking to steal, but instead wants to play around and make your life miserable. Imagine a hacker getting control of your email account(s) and either getting it suspended, or locking you out and then having full access to your email history and contacts. That's a few days of phone calls and work to fix everything.
flamesabers
Posts: 1848
Joined: Fri Mar 03, 2017 11:05 am
Location: Rochester, MN

Re: Are Password Managers Really Necessary?

Post by flamesabers »

Yes, I would say password managers are necessary. Short of having a perfect memory or a personal algorithm that somehow satisfies the password requirements for all sites, it's impossible to remember all of my passwords for both my personal and work accounts.
mak1277
Posts: 1762
Joined: Fri Jan 09, 2015 3:26 pm

Re: Are Password Managers Really Necessary?

Post by mak1277 »

Just saw this article over the weekend for what it's worth.

https://www.theverge.com/2017/12/30/168 ... n-research
ERISA Stone
Posts: 1626
Joined: Tue Jun 24, 2014 8:54 am

Re: Are Password Managers Really Necessary?

Post by ERISA Stone »

I have 82 credentials currently stored in my password manager between personal and business. It was getting to be quite a chore to keep up with all of those passwords, assuming one takes the time to use different passwords and doesn't use the same one for each site. Also, my password manager LastPass generates random passwords for me.

Considering how inexpensive the product is, I might argue paying for LastPass is some of the best money I spend in terms of ease and the efficiency it creates.
nisiprius
Advisory Board
Posts: 52215
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Are Password Managers Really Necessary?

Post by nisiprius »

Like "backup" and "viruses" I regard it all as a basically unsolvable problem. The computer industry has created a mess through decades of bad practices, and there is too much "blame the victim" that goes on.

There's not that much I can do about it. My data wasn't exposed in the Equifax breach because of anything wrong I did.

You do what you can.

The important thing is not to have the world's best lock on the front door, but to lock whatever lock you do have.

The situation with regard to credit cards may have changed. Some kind of consumer protection became weakened when they went to chipped cards. The protection may only be weakened if you are at a place that doesn't take chips and you have to swipe (like seemingly every pay-at-the-pump gas station in my town). Or maybe I'm wrong. At the moment, I think that, as with ATM cards, all the card companies continue to limit your responsibility to $50 but it's by policy and perhaps not by law.

The situation with brokerages is that although there are scenarios (hack into your account and have you buy pump-and-dumped stock), Vanguard and AFAIK other brokerages do not provide a way that you can pay a third party, only a way you can move money from the brokerage into your own bank account--and you prove it's yours in some way. Therefore, seemingly, hackers in brokerage accounts could do meaningless vandalistic mischief, but not take your money away from you.

The most sensitive situations would seem to be services that are intended to move money from your account to someone else's (e.g. bank bill-paying services, PayPal, etc.)

Identity theft could put you into a world of hurt even if the final outcome was not a huge dollar loss.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
Mordoch
Posts: 494
Joined: Sat Mar 10, 2007 10:27 am

Re: Are Password Managers Really Necessary?

Post by Mordoch »

mak1277 wrote: Mon Jan 08, 2018 9:25 am Just saw this article over the weekend for what it's worth.

https://www.theverge.com/2017/12/30/168 ... n-research
It should be noted this only potentially applies for browser password managers and not some of the other options out there.
lazydavid
Posts: 5155
Joined: Wed Apr 06, 2016 1:37 pm

Re: Are Password Managers Really Necessary?

Post by lazydavid »

nisiprius wrote: Mon Jan 08, 2018 9:30 am The situation with regard to credit cards may have changed. Some kind of consumer protection became weakened when they went to chipped cards. The protection may only be weakened if you are at a place that doesn't take chips and you have to swipe (like seemingly every pay-at-the-pump gas station in my town). Or maybe I'm wrong. At the moment, I think that, as with ATM cards, all the card companies continue to limit your responsibility to $50 but it's by policy and perhaps not by law.
It wasn't consumer protection, it was retailer protection that changed. Prior to the conversion, the card issuer shouldered the fraud risk for all "card present" transactions at physical retail locations. As of October 2015 if memory serves, they now only do so for chip-based transactions. The retailer is responsible for any fraud committed via a magstripe reader.

In either situation, the issuer will make the cardholder whole. For chip transactions, it ends there. For magstripe transactions, they will then issue a chargeback against the retailer to recover the lost funds.
flamesabers
Posts: 1848
Joined: Fri Mar 03, 2017 11:05 am
Location: Rochester, MN

Re: Are Password Managers Really Necessary?

Post by flamesabers »

ERISA Stone wrote: Mon Jan 08, 2018 9:28 am I have 82 credentials currently stored in my password manager between personal and business. It was getting to be quite a chore to keep up with all of those passwords, assuming one takes the time to use different passwords and doesn't use the same one for each site.
I think what makes this all the more complicated is when websites require you to change your password every 60-90 days.
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek »

Yes. Absolutely. I have used password managers for over ten years. Absolutely cannot imagine not using one. How do you keep track of dozens (or in my case, > hundred) of credentials (username, password, answers to secret questions, account numbers) in a secure way?
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

I don't think they are necessary and also feel they can be dangerous as at least one was hacked in the past.
I DO believe you need to use different and strong passwords for each account and change them periodically however - if you can't devise a way of doing this without using a password manager - a password manager may be a better method than using the same password at multiple accounts or using weak passwords.
Teague
Posts: 2524
Joined: Wed Nov 04, 2015 5:15 pm

Re: Are Password Managers Really Necessary?

Post by Teague »

My "password manager" is a piece of paper with my various usernames and passwords written on it. This is folded over once (my version of encryption) and tucked in a drawer with a bunch of boring paperwork in it.

Pro: I don't have to worry about the security of the algorithm, or unknown back door vulnerabilities. Sure, a burglar could break in, find the paper, fire up my computer, and access my accounts. But I'm not an important or well-known person, so the odds of this happening are probably zero. Any burglar would be there to burgle, probably for their next dose of meth, not to transfer funds from my IRA to their offshore bank account.

Con: It is not terribly portable. But I do any important transactions from home anyway, so I don't really care about that.
Semper Augustus
ERISA Stone
Posts: 1626
Joined: Tue Jun 24, 2014 8:54 am

Re: Are Password Managers Really Necessary?

Post by ERISA Stone »

flamesabers wrote: Mon Jan 08, 2018 9:48 am
ERISA Stone wrote: Mon Jan 08, 2018 9:28 am I have 82 credentials currently stored in my password manager between personal and business. It was getting to be quite a chore to keep up with all of those passwords, assuming one takes the time to use different passwords and doesn't use the same one for each site.
I think what makes this all the more complicated is when websites require you to change your password every 60-90 days.
The cool thing about LastPass specifically is they will create and update the password for you if you request it. I have had a few issues with this feature from time to time so I always make sure to copy the new password they create and then go back and check it to confirm it saved properly.
lazydavid
Posts: 5155
Joined: Wed Apr 06, 2016 1:37 pm

Re: Are Password Managers Really Necessary?

Post by lazydavid »

I have 724 credentials stored in my password manager. Yes, it's necessary. :)
Jack FFR1846
Posts: 18502
Joined: Tue Dec 31, 2013 6:05 am
Location: 26 miles, 385 yards west of Copley Square

Re: Are Password Managers Really Necessary?

Post by Jack FFR1846 »

Never had a pw manager that wasn't paper with coded info, and never will. When a hacker figures out how to break into a manager, they'll clean you out.
Bogle: Smart Beta is stupid
crake
Posts: 275
Joined: Thu Mar 14, 2013 2:12 pm

Re: Are Password Managers Really Necessary?

Post by crake »

What is the alternative your friends are suggesting?

Using the same password for every login is a horrible idea. Even if it is a strong password you are now relying on dozens of sites to keep that password secure. All it takes is one breach and the hackers will have the key to every single one of your logins. An article which really enlightened me on password security can be read here https://arstechnica.com/information-tec ... passwords/.

Any competent website that you give your password to will encrypt it before storing it. This used to give me some sense of security until I read the above article. Apparently the state of password cracking has become so advanced that crackers can uncover ~90% of encrypted passwords from leaked password databases. These passwords are then collected and shared throughout the internet. This is not a hypothetical situation. Anyone who wants can find databases containing millions of usernames and passwords that came from actual website hacks. If you have a Dropbox, Yahoo, or eBay account your password is out there and there is somewhere around a 90% chance that it has been cracked. Those are just a small fraction of the well known websites which have had data breaches.

Another alternative is to just write down passwords in an un-encrypted spreadsheet or piece of paper. This might be slightly better than just using the same password everywhere but it is incredibly vulnerable to physical theft or a hack to your personal computer. It also encourages the use of easy to guess, non-random passwords which are likely to be cracked if there is ever a data breach.

It is close to impossible to memorize different passwords for the dozens of accounts most people have so that is not even worth mentioning.

I am not sure where the reluctance to using a password manager would be coming from. It is one of the rare situations where the easiest method is also the most secure and robust. For an added bonus it also doesn't need to cost a dime. It is a lot like index investing in that sense.
DoTheMath
Posts: 671
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Are Password Managers Really Necessary?

Post by DoTheMath »

Teague wrote: Mon Jan 08, 2018 10:04 am My "password manager" is a piece of paper with my various usernames and passwords written on it. This is folded over once (my version of encryption) and tucked in a drawer with a bunch of boring paperwork in it.

Pro: I don't have to worry about the security of the algorithm, or unknown back door vulnerabilities. Sure, a burglar could break in, find the paper, fire up my computer, and access my accounts. But I'm not an important or well-known person, so the odds of this happening are probably zero. Any burglar would be there to burgle, probably for their next dose of meth, not to transfer funds from my IRA to their offshore bank account.

Con: It is not terribly portable. But I do any important transactions from home anyway, so I don't really care about that.
It's funny how things change. In the old pre-internet days, having your passwords on a slip of paper near your computer was the stereotype for bad computer security. Nowadays, the worry that someone will get your passwords by physically entering your home is the least of your worries!

As others have mentioned, the value of a password manager is in the many less obvious advantages. Like the Boglehead investment philosophy, much of it is based upon making it easy to be above average by removing a lot of human weaknesses from the process. For me it makes it easy to have long, complicated, unique passwords for every website. It's easier than having to type in even a single simple password for every site I visit. Plus, unlike Teague, I don't have to worry about my house burning down :D .
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
Broken Man 1999
Posts: 8626
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, near Champa Bay !

Re: Are Password Managers Really Necessary?

Post by Broken Man 1999 »

flamesabers wrote: Mon Jan 08, 2018 9:22 am Yes, I would say password managers are necessary. Short of having a perfect memory or a personal algorithm that somehow satisfies the password requirements for all sites, it's impossible to remember all of my passwords for both my personal and work accounts.
Exactly!

Remembering so many 20+ character passwords would tax my brain far too much. I don't repeat passwords, either, which means the passwords are not only very long, but also are not repeated. Those two characteristics cannot be satisfied without some type of password manager, either via written records, or an online program or vault device manager. Written records and the vault device seem unsafe to me, so I use LastPass.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go." - Mark Twain
mcraepat9
Posts: 1827
Joined: Thu Jul 16, 2015 11:46 am

Re: Are Password Managers Really Necessary?

Post by mcraepat9 »

Yes a password manager is necessary. When a hack happens to you and you lose money, are your friends going to make you whole and give you back $$$?

Credit card fraud I agree is a bit of a red herring - i am concerned mostly about my bank account and brokerage accounts.

There was a point in time when people were questioning whether seatbelts were overkill/unnecessary. Password manager use is about prudent risk management. There are bad actors out there - do you want to make yourself an easy target?
Amateur investors are not cool-headed logicians.
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

TravelGeek wrote: Mon Jan 08, 2018 9:49 am Yes. Absolutely. I have used password managers for over ten years. Absolutely cannot imagine not using one. How do you keep track of dozens (or in my case, > hundred) of credentials (username, password, answers to secret questions, account numbers) in a secure way?
I'll answer your question with a question:
How do you assure your password manager of choice is storing your credentials in a secure and hacker-proof way?
Millions of OneLogin customers took it on faith and were exposed this year.
LastPass in 2015...
I believe it's only a matter of time before we hear of the next one.
Last edited by SmileyFace on Mon Jan 08, 2018 10:29 am, edited 1 time in total.
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

mcraepat9 wrote: Mon Jan 08, 2018 10:22 am Yes a password manager is necessary. When a hack happens to you and you lose money, are your friends going to make you whole and give you back $$$?
Will your password manager provider give you your $$$ back if they are hacked and lose your credentials?
crake
Posts: 275
Joined: Thu Mar 14, 2013 2:12 pm

Re: Are Password Managers Really Necessary?

Post by crake »

Jack FFR1846 wrote: Mon Jan 08, 2018 10:14 am Never had a pw manager that wasn't paper with coded info, and never will. When a hacker figures out how to break into a manager, they'll clean you out.
My passwords are encrypted utilizing an AES-256 bit encryption algorithm. It is the same algorithm used by the government to store top secret information.
A 256-bit encryption is the mathematical equivalent of 2^256 key possibilities. To put that into perspective, 2^32 is about 4.3 billion, and it keeps growing exponentially after that. What does this mean though? Well simply put, let’s say hypothetically all the super computers in the world (the ultimate brute force attack) decided to group up and tasked themselves to decrypt your AES-256 key so they could access your data. Assume they could look at 2^50 keys per second (which is approximately one quadrillion keys/second – a very generous assumption). A year is approximately 31,557,600 seconds. This means that by using the one billion super computers required to do this, they could check about 2^75 keys per year. At this rate it would take these computers 2^34 years (the age of our universe) to look at less than .01% of the entire key possibilities. The bottom line? No one will be breaking your encrypted data at Canadian Cloud Backup.
source: https://canadiancloudbackup.com/2014/07 ... tion-data/

The top security researchers in the world have been trying to break AES based encryption schemes for 20 years and have been unsuccessful. Do you really believe that your paper with coded info is more secure?
Leesbro63
Posts: 10639
Joined: Mon Nov 08, 2010 3:36 pm

Re: Are Password Managers Really Necessary?

Post by Leesbro63 »

How secure is Dropbox? Carbonite?
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

crake wrote: Mon Jan 08, 2018 10:27 am
Jack FFR1846 wrote: Mon Jan 08, 2018 10:14 am Never had a pw manager that wasn't paper with coded info, and never will. When a hacker figures out how to break into a manager, they'll clean you out.
My passwords are encrypted utilizing an AES-256 bit encryption algorithm. It is the same algorithm used by the government to store top secret information.
A 256-bit encryption is the mathematical equivalent of 2^256 key possibilities. To put that into perspective, 2^32 is about 4.3 billion, and it keeps growing exponentially after that. What does this mean though? Well simply put, let’s say hypothetically all the super computers in the world (the ultimate brute force attack) decided to group up and tasked themselves to decrypt your AES-256 key so they could access your data. Assume they could look at 2^50 keys per second (which is approximately one quadrillion keys/second – a very generous assumption). A year is approximately 31,557,600 seconds. This means that by using the one billion super computers required to do this, they could check about 2^75 keys per year. At this rate it would take these computers 2^34 years (the age of our universe) to look at less than .01% of the entire key possibilities. The bottom line? No one will be breaking your encrypted data at Canadian Cloud Backup.
source: https://canadiancloudbackup.com/2014/07 ... tion-data/

The top security researchers in the world have been trying to break AES based encryption schemes for 20 years and have been unsuccessful. Do you really believe that your paper with coded info is more secure?
It's not the 256 bit encryption that will be hacked - there will be some other vulnerability exploited that will take you by surprise (perhaps an error in the way your password manager provider is running their encryption; some sort of new man-in-the-middle, etc.).
I'm betting we will read yet another story about a password manager breach before Jack FFR1846 returns with a post about someone finding his piece of paper and figuring out what to do with it.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Are Password Managers Really Necessary?

Post by Northern Flicker »

I use two password safe instances both stored on a microSD card, and replicated on a second card, one for higher risk passwords and one for lower risk passwords.

Committing the highest risk financial passwords and passwords for devices in your physical possession to memory, and recording other passwords on paper and storing in a locked file cabinet might be a more secure practice overall.
crake
Posts: 275
Joined: Thu Mar 14, 2013 2:12 pm

Re: Are Password Managers Really Necessary?

Post by crake »

DaftInvestor wrote: Mon Jan 08, 2018 10:23 am
TravelGeek wrote: Mon Jan 08, 2018 9:49 am Yes. Absolutely. I have used password managers for over ten years. Absolutely cannot imagine not using one. How do you keep track of dozens (or in my case, > hundred) of credentials (username, password, answers to secret questions, account numbers) in a secure way?
I'll answer your question with a question:
How do you assure your password manager of choice is storing your credentials in a secure and hacker-proof way?
Millions of OneLogin customers took it on faith and were exposed this year.
LastPass in 2015...
I believe it's only a matter of time before we hear of the next one.
I don't use a cloud based password manager for this reason. There are plenty of open-source password managers that have been thoroughly vetted by security researchers which are available for free. Password Safe and KeePass are two I can name off the top of my head.

Pointing out one flawed example doesn't nullify the use of all password managers.
ERISA Stone
Posts: 1626
Joined: Tue Jun 24, 2014 8:54 am

Re: Are Password Managers Really Necessary?

Post by ERISA Stone »

DaftInvestor wrote: Mon Jan 08, 2018 10:23 am
TravelGeek wrote: Mon Jan 08, 2018 9:49 am Yes. Absolutely. I have used password managers for over ten years. Absolutely cannot imagine not using one. How do you keep track of dozens (or in my case, > hundred) of credentials (username, password, answers to secret questions, account numbers) in a secure way?
I'll answer your question with a question:
How do you assure your password manager of choice is storing your credentials in a secure and hacker-proof way?
Millions of OneLogin customers took it on faith and were exposed this year.
LastPass in 2015...
I believe it's only a matter of time before we hear of the next one.
Reddit explains it better than I can.
In short, the hacker would have to guess your master password to get the data. The password manager shouldn't be storing it on their servers, so the hacker would have to get it from you personally.

Most password managers (Lastpass included) use something like the "zero knowledge" model. This means they do not know your master password and do not store it anywhere. It is only used to decrypt your data when you need it then is thrown away instead of being stored with your data (what most websites do).

That means even if a hacker gets all the data the password manager has, they'd still have to try every possible password for your data to see if it works. Good managers use very expensive (slow) decryption methods on purpose, to make this guessing process take as long as possible for bad guys.

Of course, this is all moot if you used your master password for another site that's been hacked (like Yahoo) or you used an incredibly obvious password (like password123). Hackers will try passwords you've used and most commonly-used passwords first, which will only take a few minutes.

So if you're worried about this, make sure you're using a long, unique password that you don't use anywhere else. Then it won't matter if your manager gets hacked, because it will take until the sun burns out to guess your password and unlock your data.
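The zero-knowledge model described in the Reddit excerpt above, and the brute-force arithmetic in the Canadian Cloud Backup quote earlier in the thread, worked through as an added example; this is not code from any poster, from LastPass, KeePass or any other product. The vault layout, the 100,000-iteration PBKDF2 work factor, the sample entry and the sample master passwords are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// Vault is all a zero-knowledge manager keeps on its servers (constructed layout for
// this example). Every field is stored in the clear; the master password never is.
type Vault struct {
	Salt       []byte // random per-vault salt
	Iterations int    // PBKDF2 work factor: each guess costs this many HMACs
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // encrypted entries plus the GCM authentication tag
}

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) with the standard
// library only, so the deliberately slow derivation step is visible.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ { // U_2 .. U_c, each XORed into T
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM turns a master password into an AES-256-GCM instance for this vault.
func newGCM(master, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(master, salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVault encrypts the entries under a key derived from the master password.
func sealVault(master, entries []byte, iterations int) (*Vault, error) {
	r := make([]byte, 28) // 16-byte salt + 12-byte GCM nonce, both random
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	gcm, err := newGCM(master, r[:16], iterations)
	if err != nil {
		return nil, err
	}
	return &Vault{r[:16], iterations, r[16:], gcm.Seal(nil, r[16:], entries, nil)}, nil
}

// openVault re-derives the key; a wrong password fails the GCM tag check.
func openVault(master []byte, v *Vault) ([]byte, error) {
	gcm, err := newGCM(master, v.Salt, v.Iterations)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, v.Nonce, v.Ciphertext, nil) // error, not garbage, on a bad guess
}

// yearsToExhaust is the brute-force arithmetic from the quoted article: all
// 2^bits candidates at guessesPerSecond, with its 31,557,600 seconds per year.
func yearsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond / 31557600.0
}

func main() {
	master := []byte("long unique phrase used nowhere else") // constructed sample
	v, err := sealVault(master, []byte("brokerage: <constructed entry>"), 100000)
	if err != nil {
		panic(err)
	}
	_, wrong := openVault([]byte("password123"), v)
	fmt.Println("common password rejected:", wrong != nil)
	fmt.Printf("2^256 keys at 2^50/s: %.1e years\n", yearsToExhaust(256, math.Pow(2, 50)))
	// Stretching multiplies every guess's cost by Iterations; unstretched, a 40-bit
	// password space at 1e9 guesses/s is exhausted in about 18 minutes.
	fmt.Printf("40-bit space, 100000x stretched: %.2f years\n", yearsToExhaust(40, 1e9/1e5))
}
```

The AES-256 figure reproduces the quoted article's conclusion, while the 40-bit line shows what the excerpt's warning means in numbers: the slow derivation helps, but a weak or reused master password is still the part an attacker tries first.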
mcraepat9
Posts: 1827
Joined: Thu Jul 16, 2015 11:46 am

Re: Are Password Managers Really Necessary?

Post by mcraepat9 »

DaftInvestor wrote: Mon Jan 08, 2018 10:25 am
mcraepat9 wrote: Mon Jan 08, 2018 10:22 am Yes a password manager is necessary. When a hack happens to you and you lose money, are your friends going to make you whole and give you back $$$?
Will your password manager provider give you your $$$ back if they are hacked and lose your credentials?
Perhaps that was a poor argument, since password managers probably won't either. However:

https://www.troyhunt.com/password-manag ... aving-one/
Amateur investors are not cool-headed logicians.
lthenderson
Posts: 8525
Joined: Tue Feb 21, 2012 11:43 am
Location: Iowa

Re: Are Password Managers Really Necessary?

Post by lthenderson »

For just the amount of time I save not having to "retrieve" forgotten passwords and being able to easily change a password with every institution that is hacked that I have used in my past, it is most definitely worth it!
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

crake wrote: Mon Jan 08, 2018 10:41 am
DaftInvestor wrote: Mon Jan 08, 2018 10:23 am
TravelGeek wrote: Mon Jan 08, 2018 9:49 am Yes. Absolutely. I have used password managers for over ten years. Absolutely cannot imagine not using one. How do you keep track of dozens (or in my case, > hundred) of credentials (username, password, answers to secret questions, account numbers) in a secure way?
I'll answer your question with a question:
How do you assure your password manager of choice is storing your credentials in a secure and hacker-proof way?
Millions of OneLogin customers took it on faith and were exposed this year.
LastPass in 2015...
I believe it's only a matter of time before we hear of the next one.
I don't use a cloud based password manager for this reason. There are plenty of open-source password managers that have been thoroughly vetted by security researchers which are available for free. Password Safe and KeePass are two I can name off the top of my head.

Pointing out one flawed example doesn't nullify the use of all password managers.
There hasn't been a "single flawed example" - there have been stories every year. I believe there was a KeePass hack (one of your examples) found a couple of years back as well. Perhaps you have an off-line separate machine you are running your password manager on so that you are sure no one will ever grab and hack your database file or exploit your passwords using some other vulnerability on your machine - or perhaps you are confident that whichever one you are using is applying algorithms properly - people need to use these solutions with caution. There is one thing we know for sure about cyber-security and that is that flaws continue to be found.
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

ERISA Stone wrote: Mon Jan 08, 2018 10:44 am
Reddit explains it better than I can.
Okay - if Reddit says I'm safe I will surely believe it :)

In "theory" the encryption algorithms and practices that password manager solutions provide are sound and perfectly secure.
In practice we know otherwise.
crake
Posts: 275
Joined: Thu Mar 14, 2013 2:12 pm

Re: Are Password Managers Really Necessary?

Post by crake »

DaftInvestor wrote: Mon Jan 08, 2018 10:33 am
crake wrote: Mon Jan 08, 2018 10:27 am
Jack FFR1846 wrote: Mon Jan 08, 2018 10:14 am Never had a pw manager that wasn't paper with coded info, and never will. When a hacker figures out how to break into a manager, they'll clean you out.
My passwords are encrypted utilizing an AES-256 bit encryption algorithm. It is the same algorithm used by the government to store top secret information.
A 256-bit encryption is the mathematical equivalent of 2^256 key possibilities. To put that into perspective, 2^32 is about 4.3 billion, and it keeps growing exponentially after that. What does this mean though? Well simply put, let’s say hypothetically all the super computers in the world (the ultimate brute force attack) decided to group up and tasked themselves to decrypt your AES-256 key so they could access your data. Assume they could look at 2^50 keys per second (which is approximately one quadrillion keys/second – a very generous assumption). A year is approximately 31,557,600 seconds. This means that by using the one billion super computers required to do this, they could check about 2^75 keys per year. At this rate it would take these computers 2^34 years (the age of our universe) to look at less than .01% of the entire key possibilities. The bottom line? No one will be breaking your encrypted data at Canadian Cloud Backup.
source: https://canadiancloudbackup.com/2014/07 ... tion-data/

The top security researchers in the world have been trying to break AES based encryption schemes for 20 years and have been unsuccessful. Do you really believe that your paper with coded info is more secure?
It's not the 256-bit encryption that will be hacked - there will be some other vulnerability exploited that will take you by surprise (perhaps an error in the way your password manager provider is running their encryption; some sort of new man-in-the-middle, etc.).
I'm betting we will read yet another story about a password manager breach before Jack FFR1846 returns with a post about someone finding his piece of paper and figuring out what to do with it.
See my above post, I do not have a password manager provider which can be exploited.

The risk to JackFFR1846 and others who store their passwords on paper is much more likely to come from a friend, relative, or handyman than a random burglar and to pretend it is impossible is naive.

To me this topic has so many parallels to index investing. The most well regarded financial experts recommend index investing. The most well regarded security experts recommend password managers. Index funds are the easiest way to invest. Password managers are the easiest way to secure your passwords. Despite this people still think that they can do better than the experts.
ERISA Stone
Posts: 1626
Joined: Tue Jun 24, 2014 8:54 am

Re: Are Password Managers Really Necessary?

Post by ERISA Stone »

DaftInvestor wrote: Mon Jan 08, 2018 10:54 am
In practice we know otherwise.
Proof?
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek »

Teague wrote: Mon Jan 08, 2018 10:04 am My "password manager" is a piece of paper with my various usernames and passwords written on it. This is folded over once (my version of encryption) and tucked in a drawer with a bunch of boring paperwork in it.

...

Con: It is not terribly portable. But I do any important transactions from home anyway, so I don't really care about that.
It's not portable at all, or are you going to travel with your paper list of credentials in your wallet?

And define "important transactions". I literally don't know the passwords to any of my airline accounts (or for that matter, the account numbers). Is making or changing a reservation an important transaction? Because there is no way I could only do those from home.

I also don't know my banks' passwords (they vaguely resemble sdjkh5G348@5h34o#*$&jkll). But I need to be able to check my credit card statements and/or pay bills while I am traveling.

My bet is that people who don't use password managers often tend to either reuse passwords across accounts and/or use weak passwords because it simply is a pain to maintain a long list of passwords like sdjkh5G348@5h34o#*$&jkll :)
crake
Posts: 275
Joined: Thu Mar 14, 2013 2:12 pm

Re: Are Password Managers Really Necessary?

Post by crake »

DaftInvestor wrote: Mon Jan 08, 2018 10:54 am
ERISA Stone wrote: Mon Jan 08, 2018 10:44 am
Reddit explains it better than I can.
Okay - if Reddit says I'm safe I will surely believe it :)

In "theory" the encryption algorithms and practices that password manager solutions provide are sound and perfectly secure.
In practice we know otherwise.
So your solution is just to use a method that is known to be flawed and less secure? When the defect in Takata airbags was discovered did you go out and buy a 25 year old car without airbags?
Teague
Posts: 2524
Joined: Wed Nov 04, 2015 5:15 pm

Re: Are Password Managers Really Necessary?

Post by Teague »

TravelGeek wrote: Mon Jan 08, 2018 11:15 am
Teague wrote: Mon Jan 08, 2018 10:04 am My "password manager" is a piece of paper with my various usernames and passwords written on it. This is folded over once (my version of encryption) and tucked in a drawer with a bunch of boring paperwork in it.

...

Con: It is not terribly portable. But I do any important transactions from home anyway, so I don't really care about that.
It's not portable at all, or are you going to travel with your paper list of credentials in your wallet?

And define "important transactions". I literally don't know the passwords to any of my airline accounts (or for that matter, the account numbers). Is making or changing a reservation an important transaction? Because there is no way I could only do those from home.

I also don't know my banks' passwords (they vaguely resemble sdjkh5G348@5h34o#*$&jkll). But I need to be able to check my credit card statements and/or pay bills while I am traveling.

My bet is that people who don't use password managers often tend to either reuse passwords across accounts and/or use weak passwords because it simply is a pain to maintain a long list of passwords like sdjkh5G348@5h34o#*$&jkll :)
I don't travel for long periods, so the only account I may need to follow is my checking. I still have enough functioning brain cells (barely) to keep that password in my memory.
Semper Augustus
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek »

DaftInvestor wrote: Mon Jan 08, 2018 9:51 am I don't think they are necessary and also feel they can be dangerous as at least one was hacked in the past.
I DO believe you need to use different and strong passwords for each account and change them periodically however - if you can't devise a way of doing this without using a password manager - a password manager may be a better method than using the same password at multiple accounts or using weak passwords.
It is not best practice to require (or voluntarily make) periodic password changes. But if you do, or the system/site you use still follows the old recommendation, a password manager makes it easy to keep up with changes.

So given your concerns about password managers, I am curious how you personally achieve the following without the use of a password manager:

- strong and unique passwords for each of dozens of accounts
- protect them against loss (paper in wallet isn't safe) or accidental destruction (fire, flood, maid accidentally throws the list out)
- achieve portability (unless you absolutely only need them in one place ever, which isn't realistic for most people for most passwords)
ERISA Stone
Posts: 1626
Joined: Tue Jun 24, 2014 8:54 am

Re: Are Password Managers Really Necessary?

Post by ERISA Stone »

TravelGeek wrote: Mon Jan 08, 2018 11:29 am

It is not best practice to require (or change voluntarily) passwords periodically.

Is this true? I've always read you should change your passwords every six months or so, especially those related to financial institutions.
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek »

ERISA Stone wrote: Mon Jan 08, 2018 11:33 am
Is this true? I've always read you should change your passwords every six months or so, especially those related to financial institutions.
https://www.schneier.com/blog/archives/ ... _pass.html
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

ERISA Stone wrote: Mon Jan 08, 2018 11:03 am
DaftInvestor wrote: Mon Jan 08, 2018 10:54 am
In practice we know otherwise.
Proof?
Just google "Password Manager breach" and read about the breaches at OnePass, LastLogin, etc.
Some of the most secure banks have been hacked along with one of the big-three credit report agencies - google "breach", "hacked", etc. and you can find lots of stories that provide proof that security practice is very different than stated theory.
All of these companies hire some of the smartest folks and use what they think are the most secure methods.
SmileyFace
Posts: 9184
Joined: Wed Feb 19, 2014 9:11 am

Re: Are Password Managers Really Necessary?

Post by SmileyFace »

jalbert wrote: Mon Jan 08, 2018 10:39 am Committing the highest risk financial passwords and passwords for devices in your physical possession to memory, and recording other passwords on paper and storing in a locked file cabinet might be a more secure practice overall.
:sharebeer
siamond
Posts: 6008
Joined: Mon May 28, 2012 5:50 am

Re: Are Password Managers Really Necessary?

Post by siamond »

DaftInvestor wrote: Mon Jan 08, 2018 10:23 am
TravelGeek wrote: Mon Jan 08, 2018 9:49 am Yes. Absolutely. I have used password managers for over ten years. Absolutely cannot imagine not using one. How do you keep track of dozens (or in my case, > hundred) of credentials (username, password, answers to secret questions, account numbers) in a secure way?
I'll answer your question with a question:
How do you assure your password manager of choice is storing your credentials in a secure and hacker-proof way?
Millions of OneLogin customers took it on faith and were exposed this year.
LastPass in 2015...
I believe it's only a matter of time before we hear of the next one.
I have to hope that password managers are especially good at this (encrypted storage) and learning from past mistakes, but... yeah, it's a single point of failure. Plus I don't fully trust their employees... Personally, I reached the following compromise:
1. for all online accounts, except two, I use LastPass. Because it's convenient and because this feels way safer than my memory or a piece of paper.
2. the two exceptions are two investment accounts because this is where my retirement savings are. Those two are far more critical than anything else. For those two, I use a special password that I memorized, combined with a dongle they provide for strong 2-factor authentication.

This is the compromise that makes me sleep at night, while proving convenient....
ERISA Stone
Posts: 1626
Joined: Tue Jun 24, 2014 8:54 am

Re: Are Password Managers Really Necessary?

Post by ERISA Stone »

DaftInvestor wrote: Mon Jan 08, 2018 11:46 am
ERISA Stone wrote: Mon Jan 08, 2018 11:03 am
DaftInvestor wrote: Mon Jan 08, 2018 10:54 am
In practice we know otherwise.
Proof?
Just google "Password Manager breach" and read about the breaches at OnePass, LastLogin, etc.
Some of the most secure banks have been hacked along with one of the big-three credit report agencies - google "breach", "hacked", etc. and you can find lots of stories that provide proof that security practice is very different than stated theory.
All of these companies hire some of the smartest folks and use what they think are the most secure methods.
Show me proof of a password manager getting hacked that allowed the hacker(s) to get access to a user's account.
DetroitRick
Posts: 1488
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: Are Password Managers Really Necessary?

Post by DetroitRick »

Unless your usage is very limited, they are the best alternative. Regardless of theoretical risks, it's useful to look at what happens if you don't use them. For most people that I've dealt with - they keep the same passwords forever, lose them, and/or keep them simple. All worse alternatives I believe. It's not that I'm worried about pure dollar liabilities from password misuse, it's the time, convenience and recovery issues from password mismanagement that concern me.

Certainly if you use lots of accounts across multiple devices, as so many people do now, password managers become especially critical. If you use 5 websites and one device, not so much. I had to laugh and agree when I read onourway's comment above - I can absolutely attest to the same thing. I get lots of people asking for my help with various device issues and I can't tell you how much wasted time results from people not keeping their passwords straight. Network passwords, router passwords, web passwords, all of it. It's gotten so bad for me that I have started refusing to help friends who don't either use password managers or keep good written logs. Too much time wasted before the real work starts.

Risks? Sure, but I've read and talked to enough experts to consider them to be manageable and reasonable. I can't think of one action in life that is totally risk free, so I go for balance. Besides, passwords should never be your sole line of defense. There are lots of things you should do simultaneously.

I'm currently using the paid version of Dashlane (cloud synched).
gotester2000
Posts: 620
Joined: Sun Nov 12, 2017 12:59 am

Re: Are Password Managers Really Necessary?

Post by gotester2000 »

Password managers are not necessary - similar to antiviruses, e-vaults, cloud backups etc. The simplest way that has worked for me is to minimize your personal data including accounts.

By the way, the majority of hacking is due to improper usage of the system (online/offline) by the user and not due to some teenage kid cracking AES-256 encrypted passwords.
Tal-
Posts: 544
Joined: Fri Apr 22, 2016 10:41 pm

Re: Are Password Managers Really Necessary?

Post by Tal- »

The security of password managers feels like the key question, but I'm not sure I have the technical savvy to follow this discussion, or the distinction between a password manager being hacked and the good guy being at risk. So, let me ask a simple question:

In the last 3-5 years, how many people (or instances) have had a "bad guy" gain access to a personal account solely because they hacked (or otherwise gained access) to a password manager?
Debt is to personal finance as a knife is to cooking.
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Are Password Managers Really Necessary?

Post by Ged »

Mordoch wrote: Mon Jan 08, 2018 9:38 am
mak1277 wrote: Mon Jan 08, 2018 9:25 am Just saw this article over the weekend for what it's worth.

https://www.theverge.com/2017/12/30/168 ... n-research
It should be noted this only potentially applies for browser password managers and not some of the other options out there.
Interesting article. It reinforces my use of Ghostery to block ads and trackers.
ThriftyPhD
Posts: 870
Joined: Mon Jul 31, 2017 10:43 am

Re: Are Password Managers Really Necessary?

Post by ThriftyPhD »

RooseveltG wrote: Mon Jan 08, 2018 9:01 am So are Password Managers necessary or are they overkill?
If you can remember a unique 20+ random string of upper and lower case, with numbers and symbols, for every login you have, including those that need to be changed on some timescale, as well as those that have unique requirements, then no you don't need a password manager.

With hundreds of separate logins, the above is impossible for me.

Another useful security solution is to use a unique login on each website too. If you're RooseveltG on all websites, if one website gets breached they can link that to other accounts at other websites. But if you're AdvancedWalrusPainter on a different website, even if they get your plain text password on one website, they can't link it to your other account. An added layer of security, but yet another string that you need to keep in mind. Unfortunately many websites use your email address as a login, a practice which I feel needs to change.

On top of that, you have security questions. What is your Mother's maiden name? Don't put Roosevelt, that is probably known. Instead, put your mother's maiden name as T:/>^{+3BY$'uUKnpyz*wY%e9S5;-w9pf+;`(H{R/.ba$WqUtV. The $' is silent.

So, in that example a unique login, unique password, and 3 unique security questions for each website. Yeah, I'll stick to using a password manager.