Are Password Managers Really Necessary?

Epsilon Delta
Posts: 7055
Joined: Thu Apr 28, 2011 7:00 pm

Re: Are Password Managers Really Necessary?

Post by Epsilon Delta » Sun Feb 11, 2018 10:02 pm

RustyShackleford wrote:
Sun Feb 11, 2018 9:53 pm
b42 wrote:
Mon Jan 08, 2018 10:09 am
It's also better to not re-use the same password across all sites, since if someone gains access to one account, they could in theory gain access to all the other ones.
Isn't that exactly what a password manager does though ?
First of all a password manager does not have a password. It has an encryption key.

Second. Yes. But the only dunderhead who can leak the password manager key is you. However much of a dunderhead you are it is as nothing compared to the collective dunderheadedness of a couple of dozen random web sites.

TravelGeek
Posts: 1476
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek » Sun Feb 11, 2018 10:22 pm

Leesbro63 wrote:
Sun Feb 11, 2018 4:53 pm

How do I know if my password manager IS in the cloud? I actually assume it is. And if I want it to be not there, how does it work at my desktop computer? Yeah, I sound naive, I know.
Which password manager and version are you using? On what platform/devices?

gundlached
Posts: 95
Joined: Wed Nov 18, 2015 12:45 pm

Re: Are Password Managers Really Necessary?

Post by gundlached » Mon Feb 12, 2018 9:08 am

I can't imagine not having a password system of some kind. I just use a password protected excel file with 100+ usernames and passwords. Security might not be as sophisticated as some of the branded online managers, but then again, it's not on the cloud.

Leesbro63
Posts: 5079
Joined: Mon Nov 08, 2010 4:36 pm

Re: Are Password Managers Really Necessary?

Post by Leesbro63 » Mon Feb 12, 2018 11:46 am

TravelGeek wrote:
Sun Feb 11, 2018 10:22 pm
Leesbro63 wrote:
Sun Feb 11, 2018 4:53 pm

How do I know if my password manager IS in the cloud? I actually assume it is. And if I want it to be not there, how does it work at my desktop computer? Yeah, I sound naive, I know.
Which password manager and version are you using? On what platform/devices?
I use the free version of DASHLANE on my desktop (only).

TravelGeek
Posts: 1476
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek » Mon Feb 12, 2018 12:57 pm

Leesbro63 wrote:
Mon Feb 12, 2018 11:46 am

I use the free version of DASHLANE on my desktop (only).
Never used it, but from what I can gather from their website the free version does not synchronize between devices and should not use cloud storage for the secured information. It does seem to come with 30 days of premium service, which offers synchronization; not sure if that means that initially your data was stored in the cloud. Perhaps their security whitepaper answers it:

https://www.dashlane.com/download/Dashl ... ec2017.pdf

Hyperborea
Posts: 494
Joined: Sat Apr 15, 2017 10:31 am
Location: Silicon Valley

Re: Are Password Managers Really Necessary?

Post by Hyperborea » Mon Feb 12, 2018 1:30 pm

gundlached wrote:
Mon Feb 12, 2018 9:08 am
I can't imagine not having a password system of some kind. I just use a password protected excel file with 100+ usernames and passwords. Security might not be as sophisticated as some of the branded online managers, but then again, it's not on the cloud.
How are you generating the passwords though? Are you using a good system to generate them? Something that is random?
"Plans are worthless, but planning is everything." - Dwight D. Eisenhower

RustyShackleford
Posts: 1242
Joined: Thu Sep 13, 2007 12:32 pm
Location: NC

Re: Are Password Managers Really Necessary?

Post by RustyShackleford » Mon Feb 12, 2018 2:39 pm

Epsilon Delta wrote:
Sun Feb 11, 2018 10:02 pm
RustyShackleford wrote:
Sun Feb 11, 2018 9:53 pm
b42 wrote:
Mon Jan 08, 2018 10:09 am
It's also better to not re-use the same password across all sites, since if someone gains access to one account, they could in theory gain access to all the other ones.
Isn't that exactly what a password manager does though ?
First of all a password manager does not have a password. It has an encryption key.

Second. Yes. But the only dunderhead who can leak the password manager key is you. However much of a dunderhead you are it is as nothing compared to the collective dunderheadedness of a couple of dozen random web sites.
I am a hardware engineer, not a software one, but the distinction between encryption key and passwd is not obvious to me, except that the encryption key is likely to be longer and more inscrutable in nature; it's still a string of characters, that if misplaced or hacked, can unlock the whole thing.

Also, I don't know if it's the collective dunderheadedness of all my websites, given that my own personal dunderheadness, impressive as it may be, does not extend to using the same password at multiple websites, at least of the sensitive type like financial accounts.

I'm not trying to be argumentative for no reason. I'd really like to, and am seriously considering, employing a password manager. But, for example, the scenario where I have to use an un-trusted computer, maybe at a not-so-savvy friend's house or in some public place, how does that work exactly ? Do I have to type in my encryption key somehow ?

quantAndHold
Posts: 1354
Joined: Thu Sep 17, 2015 10:39 pm

Re: Are Password Managers Really Necessary?

Post by quantAndHold » Mon Feb 12, 2018 3:05 pm

RustyShackleford wrote:
Mon Feb 12, 2018 2:39 pm
Epsilon Delta wrote:
Sun Feb 11, 2018 10:02 pm
RustyShackleford wrote:
Sun Feb 11, 2018 9:53 pm
b42 wrote:
Mon Jan 08, 2018 10:09 am
It's also better to not re-use the same password across all sites, since if someone gains access to one account, they could in theory gain access to all the other ones.
Isn't that exactly what a password manager does though ?
First of all a password manager does not have a password. It has an encryption key.

Second. Yes. But the only dunderhead who can leak the password manager key is you. However much of a dunderhead you are it is as nothing compared to the collective dunderheadedness of a couple of dozen random web sites.
I am a hardware engineer, not a software one, but the distinction between encryption key and passwd is not obvious to me, except that the encryption key is likely to be longer and more inscrutable in nature; it's still a string of characters, that if misplaced or hacked, can unlock the whole thing.

Also, I don't know if it's the collective dunderheadedness of all my websites, given that my own personal dunderheadness, impressive as it may be, does not extend to using the same password at multiple websites, at least of the sensitive type like financial accounts.

I'm not trying to be argumentative for no reason. I'd really like to, and am seriously considering, employing a password manager. But, for example, the scenario where I have to use an un-trusted computer, maybe at a not-so-savvy friend's house or in some public place, how does that work exactly ? Do I have to type in my encryption key somehow ?
You unlock the password manager with your password (which the password manager software turns into an encryption key). The basic difference between you the password dunderhead and the website dunderheads is that you are presumably not storing the password manager key anywhere online. The password manager company doesn’t store it either. They just use what you type in to decrypt the encrypted password database. The various website dunderheads, on the other hand, may be doing the right thing, and storing the salted hash of your password in a way such that the actual password can’t be recovered. Or they might not be. It’s a total crapshoot. And if you reuse passwords across accounts, you’re gonna lose that bet eventually.

As far as the password manager on the untrusted computer...you would type in your password to unlock the password manager. But I wouldn’t do that on an untrusted computer, with or without a password manager. I only access the “important” accounts from trusted computers, and the password manager account is probably the most important account of all.
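The distinction quantAndHold describes, as an added example that is not part of the original thread and not any vendor's code: a website stores only a salted, stretched hash to check logins, while a password manager stretches the master password into a key that exists only in memory and stores just salt, nonce, ciphertext and tag. PBKDF2 and the HMAC-based cipher are assumptions chosen so the sketch runs on the Python standard library (a real manager would use a vetted AEAD such as AES-GCM); all names and sample values are constructed.

```python
import hashlib
import hmac
import os

# Assumption: an iteration count chosen to keep this sketch quick to run.
PBKDF2_ITERATIONS = 200_000


def stretch(password: str, salt: bytes) -> bytes:
    """Turn a typed password into 32 bytes; deliberately slow to resist guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


# --- Website side: store something that can CHECK a password, not recover it ---

def site_register(password: str) -> dict:
    salt = os.urandom(16)  # unique per account, stored beside the hash
    return {"salt": salt, "hash": stretch(password, salt)}


def site_verify(record: dict, attempt: str) -> bool:
    candidate = stretch(attempt, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


# --- Password manager side: the stretched password IS the key, never stored ---

def subkeys(master_key: bytes):
    """Split the master key into independent encryption and MAC keys."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def vault_seal(master_password: str, plaintext: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = subkeys(stretch(master_password, salt))
    pad = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, pad))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Everything written to disk or synced: no password and no key in here.
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def vault_open(blob: dict, master_password: str):
    """Return the plaintext, or None when the password (hence the key) is wrong."""
    enc_key, mac_key = subkeys(stretch(master_password, blob["salt"]))
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    pad = keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], pad))


if __name__ == "__main__":
    record = site_register("correct horse")            # constructed sample password
    print("site accepts right password:", site_verify(record, "correct horse"))
    print("site accepts wrong password:", site_verify(record, "battery staple"))

    entries = b'{"examplebank": "constructed-sample-entry"}'
    blob = vault_seal("my master passphrase", entries)
    print("stored fields:", sorted(blob))
    print("unlock with right password:", vault_open(blob, "my master passphrase"))
    print("unlock with wrong password:", vault_open(blob, "guess"))
```
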

TravelGeek
Posts: 1476
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek » Mon Feb 12, 2018 3:09 pm

RustyShackleford wrote:
Mon Feb 12, 2018 2:39 pm
I'm not trying to be argumentative for no reason. I'd really like to, and am seriously considering, employing a password manager. But, for example, the scenario where I have to use an un-trusted computer, maybe at a not-so-savvy friend's house or in some public place, how does that work exactly ? Do I have to type in my encryption key somehow ?
If you don't trust the computer, don't enter credentials for an account you don't want to see compromised. With portable devices (smartphone, tablet) I am very rarely without my own hardware these days.

RustyShackleford
Posts: 1242
Joined: Thu Sep 13, 2007 12:32 pm
Location: NC

Re: Are Password Managers Really Necessary?

Post by RustyShackleford » Mon Feb 12, 2018 11:58 pm

quantAndHold wrote:
Mon Feb 12, 2018 3:05 pm
As far as the password manager on the untrusted computer...you would type in your password to unlock the password manager. But I wouldn’t do that on an untrusted computer, with or without a password manager. I only access the “important” accounts from trusted computers, and the password manager account is probably the most important account of all.
Ok, that sounds reasonable. But not all compromisings of a password are from doing something as obvious as typing it into untrusted hardware. Probably few of us practice perfect security hygiene. Are you absolutely sure of security at public hotspots ? That kind of thing. Not likely, but if it does, you've compromised all your accounts, not just the one. Maybe it's ok, but it scares me.

triceratop
Moderator
Posts: 4376
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Are Password Managers Really Necessary?

Post by triceratop » Tue Feb 13, 2018 12:15 am

nisiprius wrote:
Mon Jan 08, 2018 2:45 pm
My issue with "password managers" is that I've needed online passwords for at least thirty years. I've never had either a gadget or a piece of software that lasted long enough to be a long term solution for anything, and there have in fact been constant problems: version skew, companies going out of business, etc.

I mean, to me, saying "I love my password manager" sounds like "I store all my passwords on punched cards," or "I have all my passwords on a Syquest cartridge," or "My password manager runs on VAX/VMS and I just log onto everything through my VAX."
This is incorrect. OpenPGP has been a secure way to encrypt files only to oneself, such as those containing password information for 21 years. It is a testament to open source software. These days, there are robust tools built on top of this means of securing one's passwords, such as zx2c4's password-store project.
"To play the stock market is to play musical chairs under the chord progression of a bid-ask spread."

Hyperborea
Posts: 494
Joined: Sat Apr 15, 2017 10:31 am
Location: Silicon Valley

Re: Are Password Managers Really Necessary?

Post by Hyperborea » Tue Feb 13, 2018 2:17 am

RustyShackleford wrote:
Mon Feb 12, 2018 11:58 pm
quantAndHold wrote:
Mon Feb 12, 2018 3:05 pm
As far as the password manager on the untrusted computer...you would type in your password to unlock the password manager. But I wouldn’t do that on an untrusted computer, with or without a password manager. I only access the “important” accounts from trusted computers, and the password manager account is probably the most important account of all.
Ok, that sounds reasonable. But not all compromisings of a password are from doing something as obvious as typing it into untrusted hardware. Probably few of us practice perfect security hygiene. Are you absolutely sure of security at public hotspots ? That kind of thing. Not likely, but if it does, you've compromised all your accounts, not just the one. Maybe it's ok, but it scares me.
Not sure how the public hotspots issue affects a password manager. Your master password never leaves your machine. Also, you should probably be using a VPN of some sort when out on a public WiFi connection anyways.
"Plans are worthless, but planning is everything." - Dwight D. Eisenhower

tadamsmar
Posts: 7541
Joined: Mon May 07, 2007 12:33 pm

Re: Are Password Managers Really Necessary?

Post by tadamsmar » Tue Feb 13, 2018 3:53 am

lazydavid wrote:
Mon Jan 08, 2018 10:43 am
nisiprius wrote:
Mon Jan 08, 2018 10:30 am
The situation with regard to credit cards may have changed. Some kind of consumer protection became weakened when they went to chipped cards. The protection may only be weakened if you are at a place that doesn't take chips and you have to swipe (like seemingly every pay-at-the-pump gas station in my town). Or maybe I'm wrong. At the moment, I think that, as with ATM cards, all the card companies continue to limit your responsibility to $50 but it's by policy and perhaps not by law.
It wasn't consumer protection, it was retailer protection that changed. Prior to the conversion, the card issuer shouldered the fraud risk for all "card present" transactions at physical retail locations. As of October 2015 if memory serves, they now only do so for chip-based transactions. The retailer is responsible for any fraud committed via a magstripe reader.

In either situation, the issuer will make the cardholder whole. For chip transactions, it ends there. For magstripe transactions, they will then issue a chargeback against the retailer to recover the lost funds.
Here's the law (regulation) on the limit of your responsibility for credit cards:
Horn's case is covered by what's known as "Reg E," a set of regulations issued by the Federal Reserve that governs all manner of electronic transactions. That includes online banking, ATM withdrawals and debit card payments. The rules bear some similarities to those regulating credit cards — where consumer liability is capped at $50 — but there are some important distinctions. In short, consumers who don't act quickly in the face of an ATM or debit card fraud face the possibility of losing everything in the checking account.

Horn got her money back because she went to the bank immediately after discovering the losses. When an ATM card, PIN number, or online banking password is stolen, consumers must report the loss within two days of receiving their bank statement that reflects the fraud, according to Reg E. Consumers who do so are only liable for $50 in losses, much like credit cards. But waiting a third day can be costly; liability jumps to $500. And if a consumer waits more than 60 days, the liability is unlimited.
The $50 limit is not just a policy and it does not apply if you don't report the fraud in a timely fashion.

There may be a policy to extend the time limit for reporting beyond 2 days, but there will still be a time limit I think.

tadamsmar
Posts: 7541
Joined: Mon May 07, 2007 12:33 pm

Re: Are Password Managers Really Necessary?

Post by tadamsmar » Tue Feb 13, 2018 4:11 am

Alternatives to password managers:

1. Use an encrypted file.

2. Use a shorter "password" within your longer passwords for important accounts and keep the short one secure or never write it down. Even if the file is stolen, it's still somewhat hard to break the passwords.

I don't think using secure passwords for all sites is important. I don't care much if my accounts on some sites are hacked.

Your passwords and login security for brokerage and mutual fund accounts are very important because you have zero legal protections if your account is hacked. Also, business bank accounts have almost zero legal protections.

With personal bank accounts and credit cards, you have pretty good legal protections if you detect and report fraud in a timely fashion. So monitoring transactions is arguably more important than password security.

lazydavid
Posts: 1363
Joined: Wed Apr 06, 2016 1:37 pm

Re: Are Password Managers Really Necessary?

Post by lazydavid » Tue Feb 13, 2018 5:43 am

tadamsmar wrote:
Tue Feb 13, 2018 3:53 am
lazydavid wrote:
Mon Jan 08, 2018 10:43 am
nisiprius wrote:
Mon Jan 08, 2018 10:30 am
The situation with regard to credit cards may have changed. Some kind of consumer protection became weakened when they went to chipped cards. The protection may only be weakened if you are at a place that doesn't take chips and you have to swipe (like seemingly every pay-at-the-pump gas station in my town). Or maybe I'm wrong. At the moment, I think that, as with ATM cards, all the card companies continue to limit your responsibility to $50 but it's by policy and perhaps not by law.
It wasn't consumer protection, it was retailer protection that changed. Prior to the conversion, the card issuer shouldered the fraud risk for all "card present" transactions at physical retail locations. As of October 2015 if memory serves, they now only do so for chip-based transactions. The retailer is responsible for any fraud committed via a magstripe reader.

In either situation, the issuer will make the cardholder whole. For chip transactions, it ends there. For magstripe transactions, they will then issue a chargeback against the retailer to recover the lost funds.
Here's the law (regulation) on the limit of your responsibility for credit cards:
Horn's case is covered by what's known as "Reg E," a set of regulations issued by the Federal Reserve that governs all manner of electronic transactions. That includes online banking, ATM withdrawals and debit card payments. The rules bear some similarities to those regulating credit cards — where consumer liability is capped at $50 — but there are some important distinctions. In short, consumers who don't act quickly in the face of an ATM or debit card fraud face the possibility of losing everything in the checking account.

Horn got her money back because she went to the bank immediately after discovering the losses. When an ATM card, PIN number, or online banking password is stolen, consumers must report the loss within two days of receiving their bank statement that reflects the fraud, according to Reg E. Consumers who do so are only liable for $50 in losses, much like credit cards. But waiting a third day can be costly; liability jumps to $500. And if a consumer waits more than 60 days, the liability is unlimited.
The $50 limit is not just a policy and it does not apply if you don't report the fraud in a timely fashion.

There may be a policy to extend the time limit for reporting beyond 2 days, but there will still be a time limit I think.
Though accurate, this has absolutely nothing to do with my point. I never said card issuers were reducing consumer protection, please feel free to point out where I did. Nothing changed on the consumer end of things--they still have a maximum $50 liability (within 2 days as you point out), and most issuers waive customer liability entirely, even if not reported within the required timeframe.

What changed is who eats the cost for fraud. In the old days it was always the issuer for card-present transactions, unless there was proof that the retailer was complicit. But now a retailer who swipes a chip card takes on the fraud risk themselves. The issuer will reverse any fraudulent transactions to make themselves whole (having already made the cardholder whole). If the transaction used the chip reader, the issuer absorbs the loss just like before.

tadamsmar
Posts: 7541
Joined: Mon May 07, 2007 12:33 pm

Re: Are Password Managers Really Necessary?

Post by tadamsmar » Tue Feb 13, 2018 8:26 am

lazydavid wrote:
Tue Feb 13, 2018 5:43 am
tadamsmar wrote:
Tue Feb 13, 2018 3:53 am
lazydavid wrote:
Mon Jan 08, 2018 10:43 am
nisiprius wrote:
Mon Jan 08, 2018 10:30 am
The situation with regard to credit cards may have changed. Some kind of consumer protection became weakened when they went to chipped cards. The protection may only be weakened if you are at a place that doesn't take chips and you have to swipe (like seemingly every pay-at-the-pump gas station in my town). Or maybe I'm wrong. At the moment, I think that, as with ATM cards, all the card companies continue to limit your responsibility to $50 but it's by policy and perhaps not by law.
It wasn't consumer protection, it was retailer protection that changed. Prior to the conversion, the card issuer shouldered the fraud risk for all "card present" transactions at physical retail locations. As of October 2015 if memory serves, they now only do so for chip-based transactions. The retailer is responsible for any fraud committed via a magstripe reader.

In either situation, the issuer will make the cardholder whole. For chip transactions, it ends there. For magstripe transactions, they will then issue a chargeback against the retailer to recover the lost funds.
Here's the law (regulation) on the limit of your responsibility for credit cards:
Horn's case is covered by what's known as "Reg E," a set of regulations issued by the Federal Reserve that governs all manner of electronic transactions. That includes online banking, ATM withdrawals and debit card payments. The rules bear some similarities to those regulating credit cards — where consumer liability is capped at $50 — but there are some important distinctions. In short, consumers who don't act quickly in the face of an ATM or debit card fraud face the possibility of losing everything in the checking account.

Horn got her money back because she went to the bank immediately after discovering the losses. When an ATM card, PIN number, or online banking password is stolen, consumers must report the loss within two days of receiving their bank statement that reflects the fraud, according to Reg E. Consumers who do so are only liable for $50 in losses, much like credit cards. But waiting a third day can be costly; liability jumps to $500. And if a consumer waits more than 60 days, the liability is unlimited.
The $50 limit is not just a policy and it does not apply if you don't report the fraud in a timely fashion.

There may be a policy to extend the time limit for reporting beyond 2 days, but there will still be a time limit I think.
Though accurate, this has absolutely nothing to do with my point. I never said card issuers were reducing consumer protection, please feel free to point out where I did. Nothing changed on the consumer end of things--they still have a maximum $50 liability (within 2 days as you point out), and most issuers waive customer liability entirely, even if not reported within the required timeframe.

What changed is who eats the cost for fraud. In the old days it was always the issuer for card-present transactions, unless there was proof that the retailer was complicit. But now a retailer who swipes a chip card takes on the fraud risk themselves. The issuer will reverse any fraudulent transactions to make themselves whole (having already made the cardholder whole). If the transaction used the chip reader, the issuer absorbs the loss just like before.
I should have quoted Nisiprius directly. He said that the $50 limit was a policy and perhaps not a law, and you quoted him (see above) without pointing out this problem with his statement, so I was pointing out the regulations. I meant to be expanding on your statement, not contradicting your correct points.

tadamsmar
Posts: 7541
Joined: Mon May 07, 2007 12:33 pm

Re: Are Password Managers Really Necessary?

Post by tadamsmar » Tue Feb 13, 2018 8:40 am

lazydavid wrote:
Tue Feb 13, 2018 5:43 am
-they still have a maximum $50 liability (within 2 days as you point out), and most issuers waive customer liability entirely, even if not reported within the required timeframe.
lazydavid wrote:
Tue Feb 13, 2018 5:43 am
In either situation, the issuer will make the cardholder whole.
They do extend the timeframe, but is there not a timeframe? There are apparently situations where they will not make you whole. See this:

https://www.creditcards.com/credit-card ... s-1282.php

I am a big advocate of focusing on preventing situations where you will not get reimbursed for a fraud, not just password security or even account security. Since one can't be perfect, one needs to prioritize. I have been hacked and scammed a couple of times and those had nothing to do with passwords. Once an old credit card was used fraudulently, probably due to a records hack that had nothing to do with my security behavior. A company called Safe Cart somehow put a monthly charge on my Paypal account that I am disputing. Many complain about Safe Cart, but it appears they have some kind of legal "scam" going where they charge you for services that you don't even know you are getting.

goaties
Posts: 205
Joined: Fri Jan 29, 2010 4:15 pm

Re: Are Password Managers Really Necessary?

Post by goaties » Tue Feb 13, 2018 9:56 am

Use of a password manager helps me keep from becoming low-hanging fruit. With it, I create lengthy nonsensical passwords AND unique logins AND unique answers to security questions for every account. The whole shebang. For instance, I am "goaties" on absolutely no other website anywhere. This might help stanch the bleeding should one account be hacked.

Of course, that's not much protection against a charming hacker calling customer service and sweet-talking their way into your accounts. The human element is still the weakest link.

TravelGeek
Posts: 1476
Joined: Sat Oct 25, 2014 3:23 pm

Re: Are Password Managers Really Necessary?

Post by TravelGeek » Tue Feb 13, 2018 10:17 am

tadamsmar wrote:
Tue Feb 13, 2018 4:11 am
Alternatives to password managers:

1. Use an encrypted file.
That essentially is a password manager, with a crappy user interface.

I am perfectly willing to pay $30 for a piece of software that I use several times a day (and you don’t even have to; there are free tools like Keepass that probably are perfectly reasonable for most people).

bo105954027
Posts: 35
Joined: Wed Mar 30, 2016 4:00 pm

Re: Are Password Managers Really Necessary?

Post by bo105954027 » Tue Feb 13, 2018 11:30 am

Not necessary.

I have hundreds of online accounts. Here is how I keep them:

1. Memorize a number that I will never never forget. Let's say it is 142536.
2. Create a Google Sheet with two columns: Account Name and Password.
3. Whenever I create a new online account, I always set up the password in the format of [non-number string] + [142536]. For example, !Aws142536, @Yahooemail142536.
4. Keep the new account name and password in Google Sheet in such a way that ONLY the [non-number string] section is saved. Always keep 142536 in mind and never reveal it anywhere. For example, !Aws, !Yahooemail. I know my real password is the combination of the string plus my special number.
5. Enjoy your own online account database! It is on Cloud and accessible whenever wherever you have connection to Internet.
Time in the market beats timing the market.

triceratop
Moderator
Posts: 4376
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Are Password Managers Really Necessary?

Post by triceratop » Tue Feb 13, 2018 11:37 am

bo105954027 wrote:
Tue Feb 13, 2018 11:30 am
Not necessary.

I have hundreds of online accounts. Here is how I keep them:

1. Memorize a number that I will never never forget. Let's say it is 142536.
2. Create a Google Sheet with two columns: Account Name and Password.
3. Whenever I create a new online account, I always set up the password in the format of [non-number string] + [142536]. For example, !Aws142536, @Yahooemail142536.
4. Keep the new account name and password in Google Sheet in such a way that ONLY the [non-number string] section is saved. Always keep 142536 in mind and never reveal it anywhere. For example, !Aws, !Yahooemail. I know my real password is the combination of the string plus my special number.
5. Enjoy your own online account database! It is on Cloud and accessible whenever wherever you have connection to Internet.
What if your google password is compromised? Then your entire online identity is owned.
"To play the stock market is to play musical chairs under the chord progression of a bid-ask spread."

RustyShackleford
Posts: 1242
Joined: Thu Sep 13, 2007 12:32 pm
Location: NC

Re: Are Password Managers Really Necessary?

Post by RustyShackleford » Tue Feb 13, 2018 1:34 pm

triceratop wrote:
Tue Feb 13, 2018 11:37 am
bo105954027 wrote:
Tue Feb 13, 2018 11:30 am
Not necessary.

I have hundreds of online accounts. Here is how I keep them:

1. Memorize a number that I will never never forget. Let's say it is 142536.
2. Create a Google Sheet with two columns: Account Name and Password.
3. Whenever I create a new online account, I always set up the password in the format of [non-number string] + [142536]. For example, !Aws142536, @Yahooemail142536.
4. Keep the new account name and password in Google Sheet in such a way that ONLY the [non-number string] section is saved. Always keep 142536 in mind and never reveal it anywhere. For example, !Aws, !Yahooemail. I know my real password is the combination of the string plus my special number.
5. Enjoy your own online account database! It is on Cloud and accessible whenever wherever you have connection to Internet.
What if your google password is compromised? Then your entire online identity is owned.
No, because that numeric string, that is memorized and never written down, remains unknown to the compromiser. However, those of advancing years might worry somewhat about forgetting that numeric string. Also, let's suppose one entire password is compromised (including the numeric string); then a clever hacker might realize that numeric string is key to breaking your other passwords, if the site-specific part of the password were somehow related to the website/account name (e.g. vgd142536).

Also, it seems this method (which admittedly I use something similar, but am contemplating a password manager, and so am playing devil's advocate here to try to assuage my concerns) fails to incorporate what I understand to be one of the huge advantages of password managers: They actually generate the passwords for you, and better yet (if I understand correctly), automatically use them to log into websites.
Last edited by RustyShackleford on Tue Feb 13, 2018 1:37 pm, edited 1 time in total.

RustyShackleford
Posts: 1242
Joined: Thu Sep 13, 2007 12:32 pm
Location: NC

Re: Are Password Managers Really Necessary?

Post by RustyShackleford » Tue Feb 13, 2018 1:35 pm

DELETE (why the heck can't I delete my own post ?!?)

triceratop
Moderator
Posts: 4376
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Are Password Managers Really Necessary?

Post by triceratop » Tue Feb 13, 2018 1:38 pm

RustyShackleford wrote:
Tue Feb 13, 2018 1:34 pm
triceratop wrote:
Tue Feb 13, 2018 11:37 am
bo105954027 wrote:
Tue Feb 13, 2018 11:30 am
Not necessary.

I have hundreds of online accounts. Here is how I keep them:

1. Memorize a number that I will never never forget. Let's say it is 142536.
2. Create a Google Sheet with two columns: Account Name and Password.
3. Whenever I create a new online account, I always set up the password in the format of [non-number string] + [142536]. For example, !Aws142536, @Yahooemail142536.
4. Keep the new account name and password in Google Sheet in such a way that ONLY the [non-number string] section is saved. Always keep 142536 in mind and never reveal it anywhere. For example, !Aws, !Yahooemail. I know my real password is the combination of the string plus my special number.
5. Enjoy your own online account database! It is on Cloud and accessible whenever wherever you have connection to Internet.
What if your google password is compromised? Then your entire online identity is owned.
No, because that numeric string, that is memorized and never written down, remains unknown to the compromiser. Those of advancing years might worry somewhat about forgetting that numeric string though. Also, let's suppose one entire password is compromised (including the numeric string); then a clever hacker might realize that numeric string is key to breaking your other passwords.

Also, it seems this method (which admittedly I use something similar, but am contemplating a password manager, and so am playing devil's advocate here to try to assuage my concerns) fails to incorporate what I understand to be one of the huge advantages of password managers: They actually generate the passwords for you, and better yet (if I understand correctly), automatically use them to log into websites.
(emphasis mine)

That's my entire point. If your google password includes the numeric key, as is the case as described, then compromising the google password compromises one's entire identity. No attacker will fail to realize what you've done.

This is a terribly insecure suggestion. I hope no one does it.
"To play the stock market is to play musical chairs under the chord progression of a bid-ask spread."
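The weakness triceratop describes above, as an added example that is not part of the thread: when every password is a per-site string plus one shared memorized suffix, one leaked password reveals the suffix and the sheet supplies the rest. This sketch audits a set of your own passwords for such a shared component and contrasts it with independently generated ones; the function names and the three sample accounts are constructed, following the format quoted in the post.

```python
import secrets
import string

def shared_component(passwords, min_len=4):
    """Longest substring (>= min_len chars) present in every password, else ''."""
    values = list(passwords.values())
    shortest = min(values, key=len)
    # Try candidates from longest to shortest so the first hit is the longest.
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in pw for pw in values):
                return cand
    return ""

def accounts_at_risk(sheet, passwords, leaked_site):
    """Sites whose full password follows from the sheet plus one leaked password."""
    leaked, prefix = passwords[leaked_site], sheet[leaked_site]
    if not leaked.startswith(prefix):
        return []  # the stored hint says nothing about this password
    suffix = leaked[len(prefix):]
    return sorted(site for site in sheet
                  if site != leaked_site and sheet[site] + suffix == passwords[site])

def independent_passwords(sites, length=24):
    """What a password manager does instead: one unrelated random string per site."""
    alphabet = string.ascii_letters + string.digits
    return {s: "".join(secrets.choice(alphabet) for _ in range(length)) for s in sites}

# Constructed sample: the sheet holds only the non-numeric part (step 4 of the scheme).
SHEET = {"aws": "!Aws", "yahoo": "@Yahooemail", "vanguard": "Vgd"}
SCHEME = {site: part + "142536" for site, part in SHEET.items()}

if __name__ == "__main__":
    print("shared component:", shared_component(SCHEME))
    print("at risk after one leak:", accounts_at_risk(SHEET, SCHEME, "yahoo"))
    random_set = independent_passwords(SHEET)
    print("shared component (random):", repr(shared_component(random_set)))
    print("at risk (random):", accounts_at_risk(SHEET, random_set, "yahoo"))
```
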

RustyShackleford
Posts: 1242
Joined: Thu Sep 13, 2007 12:32 pm
Location: NC

Re: Are Password Managers Really Necessary?

Post by RustyShackleford » Tue Feb 13, 2018 2:08 pm

triceratop wrote:
Tue Feb 13, 2018 1:38 pm
That's my entire point. If your google password includes the numeric key, as is the case as described, then compromising the google password compromises one's entire identity. No attacker will fail to realize what you've done.
Well, all one's passwords would include the numeric key, right, doesn't just have to be the google one. But it only compromises one's entire identity if it's fairly predictable what the site-specific part of the password is (the part other than the numeric key); if it's random gibberish, maybe not so easy, but if it's something like 'Vgd' or 'Fidelity' (as I suspect it is, don't ask me how I know) then you're entirely correct.

zaplunken
Posts: 871
Joined: Tue Jul 01, 2008 9:07 am

Re: Are Password Managers Really Necessary?

Post by zaplunken » Tue Feb 13, 2018 2:26 pm

It is amazing that people create terrible systems that they think are brilliant when a safe and secure password manager can be had for free. :oops: OK by me, I'm not the low hanging fruit. :beer

triceratop
Moderator
Posts: 4376
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Are Password Managers Really Necessary?

Post by triceratop » Tue Feb 13, 2018 2:36 pm

RustyShackleford wrote:
Tue Feb 13, 2018 2:08 pm
triceratop wrote:
Tue Feb 13, 2018 1:38 pm
That's my entire point. If your google password includes the numeric key, as is the case as described, then compromising the google password compromises one's entire identity. No attacker will fail to realize what you've done.
Well, all one's passwords would include the numeric key, right, doesn't just have to be the google one. But it only compromises one's entire identity if it's fairly predictable what the site-specific part of the password is (the part other than the numeric key); if it's random gibberish, maybe not so easy, but if it's something like 'Vgd' or 'Fidelity' (as I suspect it is, don't ask me how I know) then you're entirely correct.
I don’t believe you read the system description in full because point (4) clearly says the non-numeric part of the password is written in the google sheet.

Nowizard
Posts: 1315
Joined: Tue Oct 23, 2007 5:33 pm

Re: Are Password Managers Really Necessary?

Post by Nowizard » Tue Feb 13, 2018 5:22 pm

Nope.

Tim

smallpotato
Posts: 4
Joined: Thu Jul 07, 2016 11:48 am

Re: Are Password Managers Really Necessary?

Post by smallpotato » Tue Feb 13, 2018 5:40 pm

RustyShackleford wrote:
Mon Feb 12, 2018 2:39 pm
I am a hardware engineer, not a software one, but the distinction between encryption key and passwd is not obvious to me,...
"Encryption key" implies implementation, "password" tells you nothing. What truly happens with the string you cast to the ether is only a guess but to assume encryption happens when using an "encryption key" seems reasonable. It is extremely easy to fool web site users. Browser tech is pretty good if you stick to secure sites.

I couldn't operate without a password manager. I have a couple hundred passwords split into 3 different roles - all random strings. The manager makes it easy. I use KeePass and my "encryption key" phrase shouldn't* leave whatever device I'm using at the time.

* I'm a software guy. I can't vouch for software but did present what I believe happens. :)

RustyShackleford
Posts: 1242
Joined: Thu Sep 13, 2007 12:32 pm
Location: NC

Re: Are Password Managers Really Necessary?

Post by RustyShackleford » Tue Feb 13, 2018 11:55 pm

Ok, I'm almost convinced. Definitely want an offline (not in cloud) one though, so I'm gonna try KeePass. But the single-point-of-failure issue continues to haunt me. For example, I just searched 'keepass' and at least 3 sites came up that look like legit places to get it. Is one of them illegit - will it phone home with my passwords once I've got it up and running?

It turns out that KeePass doesn't run on OSX (without installing some other stuff that kinda emulates Windows). So I tried MacPass and KeePassXC, another variant of KeePass native to OSX. However, these things don't work on mobile devices at all, so if you ever need to access one of your websites (with non-memorized password) from your phone, forget it.
