Cybersecurity and passwords

SpaethCo
Posts: 231
Joined: Thu Jan 14, 2016 12:58 am

Re: Cybersecurity and passwords

Post by SpaethCo »

AAA wrote: Wed Feb 05, 2020 7:59 pm But this is confusing me - some sites suggest using passphrases such as preachy glutton legislate shorter monsoon author while other sites say to never use actual words.
Passphrases are a great way to get the character count up, but where they become a problem is if they reveal a system. We’re not just picking a single password for a single system — we’re picking hundreds of passwords for use on hundreds of different sites. When you think about secure passwords, most people also count on the services they use storing those passwords securely (ie, not storing them at all, instead using strong hashing). Since so many sites do a poor job of secure password storage, it’s safer to assume that at least 2-5 of the passwords you use on various sites are stored in clear text and are openly known at any point in time.

Once an attacker observes that you use passphrases of 4 words on one or two sites, they will modify their cracking ruleset to apply that logic to other data breach password lists and reduce the number of search attempts required by several orders of magnitude.

Basically: Assume 2-5 sites you use are storing your password in clear text, so assume any person or group looking to crack passwords from a new data breach already knows 2-5 of your existing passwords. If 5 of your passwords are revealed, can a human or machine discover the method by which they were created?
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

JohnFiscal wrote: Tue Feb 04, 2020 9:49 pm
ARoseByAnyOtherName wrote: Tue Feb 04, 2020 8:14 pm
Dakotah wrote: Tue Feb 04, 2020 7:58 pm
JohnFiscal wrote: Mon Feb 03, 2020 8:59 am ...
What happens when (not if) the computer storing your local Excel password file crashes/fails/gets stolen/etc?
At that point JohnFiscal either restores from their online/offsite backup (or possibly an external drive they have backed up to).

OR, JohnFiscal is a very, very sad Panda and will spend lots of time resetting passwords and hopefully using something better than a spreadsheet.
Some people like using MS Money (long obsolete), Quicken, Mint, etc. Others like using their own spreadsheets they've created. The discussions here about that are endless and neverending. So, same thing with password retention. Everybody will have a preferred system. All should be secure.
Except that some are more secure than others. A good password manager provides some protection against phishing attacks, as I mentioned above, whereas your spreadsheet doesn't provide any protection.

Which do you think is more likely to happen: a) the password manager gets hacked in such a way that your secrets are stolen and visible to a hacker, or b) you are phished?

And anyways my point above was about backups, not security. If you don't have an offsite backup of some sort (either offline or online) you are vulnerable to a disaster wiping out your spreadsheet.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

Folks, you are making this way more complicated than it needs to be.

The best practice for most people in most situations (meaning YOU if you are reading this) is to:

1) Use a good, reputable password manager.
2) Choose a strong master passphrase for said password manager.
3) Use that password manager to create unique passwords for each website that are long, random strings of characters.
4) Enable two-factor authentication wherever possible.

Is there some debate about this? Sure, it's not a law of physics or something. But there is a consensus that the advice above is a best practice for most people, and it's relatively cheap and easy to do.

If you want to use a spreadsheet, go ahead. If you want to use some wacky three-tier memorization scheme, be my guest. If you don't want to use a password manager, you be you. But please don't pretend that what you're doing is a best practice, and please don't recommend that other people do the same thing.

Don't believe me? Somebody mentioned NIST above. What does NIST have to say about this? Let's see (bolding/emphasis mine):

https://pages.nist.gov/800-63-FAQ/#q-b12
Q-B12:
What is NIST's position on the use of password managers?

A-B12:
Password managers offer greater security and convenience for the use of passwords to access online services. Greater security is achieved principally through the capability of most password manager applications to generate unique, long, complex, easily changed passwords for all online accounts and the secure encrypted storage of those passwords either through a local or cloud-based vault. Greater convenience is provided by the use of a single master password to access the password vault rather than attempting to memorize different passwords for all accounts. Most password manager applications offer additional capabilities that enhance both convenience and security such as storage of credit card and frequent flyer information and autofill functionality.

The compromise of the master secret to a password vault would require all passwords in the vault to be recreated. However, many password managers today provide two-factor capability and are designed in a way that cloud password services are not able to access the vault, even if compromised. Password managers contain much information that is valuable to cyber criminals, making them high-value targets, so securing these vaults is essential.

In SP 800-63B, NIST has not explicitly recommended the use of password managers, but recommends that verifiers permit the use of “paste” functionality so that the subscriber can use a password manager if desired. If using a password manager, subscribers should:
  • Choose a long passphrase for the master password to the password manager and protect it from being stolen. A passphrase can be made sufficiently long to protect against attacks while still allowing memorization.
  • Create unique passwords for all accounts or use the capability of most program managers to generate random, unique, complex passwords for each account.
  • Avoid password managers that allow recovery of the master password. Any compromise of the master password through account recovery tools can compromise the entire password vault.
  • Use multi-factor authentication for program manager applications that allow that capability.
  • Use the password generator capability in most password managers to generate complex, random text answers to online “security” questions for those sites still using them.
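The passphrase-versus-random-string question raised earlier in the thread, and step 3 of the list above, as an added example that is not code from any poster: strength is counted assuming the generation scheme is already known, which is the situation SpaethCo describes. The 7776-word Diceware list size, the 94-symbol alphabet and the tiny constructed word list are assumptions of this sketch.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_SIZE = 7776  # words in a standard Diceware list (6**5)

# Constructed mini word list so the block runs offline; far too small for real use.
SAMPLE_WORDS = ["preachy", "glutton", "legislate", "shorter",
                "monsoon", "author", "velvet", "orbit"]


def entropy_bits(pool_size, picks):
    """Bits of entropy when each of `picks` items is drawn uniformly from the pool."""
    return picks * math.log2(pool_size)


def random_password(length=20, alphabet=ALPHABET):
    """Per-site password: uniform random characters from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, words=6, sep=" "):
    """Master passphrase: words drawn uniformly and independently from the list."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates; entropy estimate would be wrong")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def words_needed(target_bits, wordlist_size=DICEWARE_SIZE):
    """Smallest word count that reaches the target strength with a known list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def length_only_bits(passphrase):
    """Estimate that ignores the scheme: every character is one of a-z or space."""
    return entropy_bits(27, len(passphrase))


def scheme_gap_bits(passphrase, wordlist_size=DICEWARE_SIZE, sep=" "):
    """Bits that disappear once the word count and word list are known."""
    words = len(passphrase.split(sep))
    return length_only_bits(passphrase) - entropy_bits(wordlist_size, words)


if __name__ == "__main__":
    quoted = "preachy glutton legislate shorter monsoon author"  # phrase quoted in the thread
    print("length-only estimate :", round(length_only_bits(quoted), 1), "bits")
    print("known 6-word scheme  :", round(entropy_bits(DICEWARE_SIZE, 6), 1), "bits")
    print("known 4-word scheme  :", round(entropy_bits(DICEWARE_SIZE, 4), 1), "bits")
    print("20 random characters :", round(entropy_bits(len(ALPHABET), 20), 1), "bits")
    print("words for 80 bits    :", words_needed(80))
    print("sample password      :", random_password())
    print("sample passphrase    :", random_passphrase(SAMPLE_WORDS))
```

A passphrase stays sound with the scheme known as long as the words are chosen at random from a large list and the count is high enough; the per-site random strings never reveal a reusable pattern at all.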
Gadget
Posts: 383
Joined: Fri Mar 17, 2017 1:38 pm

Re: Cybersecurity and passwords

Post by Gadget »

I've been a Lastpass user for years since it came out. I've recently grown frustrated with certain things about Lastpass, so I branched out and tried a few different password managers. I thought the bogleheads community might appreciate my review/results. They are geared towards a married couple that needs to share many passwords. Single users may pick another option. For anyone that fears setting up passwords in a new password manager, that process was painless on all options I tried. The export/import functions work well on all of them.

Overall winner for a husband/wife that want to share passwords: 1password

Password managers I didn't bother to try out:
-Keepass: I tried this one years ago. While a tech guy like myself could use it, it doesn't pass the wife simplicity test. Glancing over its current state, I think that still applies today. Bitwarden seems to beat Keepass in user interface, while providing the same types of options for self hosting the password vault outside of the cloud.
-Dashlane: With their super bowl commercial and new UI, I was all ready to try it out. But unless I'm mistaken, they have literally no family/spouse password sharing possibilities. So it was instantly out of the running for me.

Password manager I've used for years:
1) Lastpass ($48/yr for family): I've been using Lastpass for years. When it first came out, I really liked it. My wife and I originally shared one account.
Lastpass was the first (I think) password manager to have a family plan option. I signed up for their family plan as soon as it came out since I was already a premium account holder. It was a great first attempt on their part, but it has not been meaningfully updated since it first came out years ago.
I've submitted multiple requests over the years for them to allow the password security checkup option on shared family folders. The security checkup is great, but it only works for your private vault. Which means it doesn't check or allow me to check my shared passwords with my spouse, or her passwords (which are probably the weakest).
I also don't like the new ownership group of Lastpass. It makes me nervous that they will somehow try to monetize my data. I don't understand the private equity group's intentions. Elliot Management in particular I have a bad taste due to their normal business practices in other fields.
While usable, the shared folders in Lastpass can be confusing. My wife would frequently add accounts, and they'd get stuck in her private vault. Then she'd be using my computer and couldn't find a password she thought was shared. It's also hard to explain, but passwords are hard to manage once they're in a shared folder. It's just a clunky interface for shared folders, but it gets the job done. And to be honest, there aren't many competitors in this area. You can at least move password between shared folders unlike Bitwarden.
One thing Lastpass does well is that their 2 factor authentication in the family plan can work for more than one account. With all other options I've seen (except 1password), only a single phone can receive the 2 factor authentication code. This was really annoying for my wife when I wasn't around back before lastpass families.
Lastpass has had a few breaches, but I actually like the transparency. I worry that the new private equity firm might hide breaches though because they likely affect customer outflow. I figure most password managers have cyber issues from time to time, and they only report them if they absolutely have to. I also don't mind if the password manager is open source or not. I'm a software engineer, and while I like open source, it doesn't necessarily mean it is more secure. Secure open source software requires a dedicated team of software developers to keep it up to date constantly. You could get that with open source, but you could also get a single developer who doesn't have time for all that because he doesn't get paid for his efforts.

Password managers I've been testing the past couple months:
2) BitWarden ($0 for couple): I really wanted to like Bitwarden. It's free. Free even for couples to share passwords. It's open source and has had independent security audits. It has a clean UI and is well polished. You can set up your own vault outside of their cloud if you want. I think it would be my recommendation for a single person. Where Bitwarden falls apart though is its sharing implementation. It's designed for a large enterprise with an administrator who manages accounts and passwords.
Basically, instead of having shared vaults you have to set up a family organization. Then within the organization, you can have collections. These collections contain your shared passwords. You have to manage collections with user permissions like it's a large Windows server or something. Where it gets confusing, it's really hard to manage passwords in these collections. I was confused myself, which is a big no chance of adopting for my wife.
When passwords are in a collection within the organization, I swear you can't move them to another collection or private vault. They're stuck. You have to delete them, or export them, delete them, then reimport them to another collection. It makes no sense. Then sometimes when you move passwords from your vault to a shared collection, it leaves them in both places. Which means your autofill options on websites and apps are cluttered with duplicate entries. To fix this, I tried deleting a few of them. But in some cases, it would delete the passwords in both my vault and the collection. And there is no trash can where deleted passwords go like in Lastpass or 1Password. So they were just gone. At this point, I gave up. Even though it was free, Bitwarden has work to do on the shared password interface. But for a single user that doesn't need to share passwords, this might be the first option to try.

3) 1Password ($60/yr for family). I didn't think I'd like this one at all. It was originally a mac password manager. I'm an android guy, and all the reviews for it say you should probably look elsewhere if you aren't in the Apple Ecosystem. Reviews made it sound like it didn't work well on chromebooks or android phones, which are my only devices. Most android sites said Lastpass is a better option for android/chromebook users.
The reviews were all apparently outdated and based on their older desktop software which was a $60 one time license. 1password now has a cloud option just like lastpass. It works just as well as Lastpass on Android phones and in Google Chrome. Personally, I think its UI is a little prettier than Lastpass and Bitwarden, but that's not why I'd choose it over the others.
1Password finally gets how a couple would want to share passwords. Basically I can have multiple vaults for the family. I can easily move passwords between vaults. And best of all, any account setup as an admin of the family can view any vault at any time. All while still being able to filter vaults for everyday use. For instance, I have a Private Vault, a Husband's vault, a Shared Vault, and a Wife's Vault. My wife and I don't really need to keep anything in the private vaults, but we could. But we want the Husband vault (shared) and Wife's vault (shared) to be filtered out by default. In 1password, you can do this by changing what your account considers "all vaults" in preferences. So my preference is to view only my Husband's vault and the Shared vault by default to remove password clutter during autofill. Then if I need to, I can always go to Wife's vault for one of her financial accounts. But it won't clutter my autofill options by default.
1Password also excels in its security audit. I think they call it something like Password Warden, and it works for every vault you have. This one ups Lastpass, because Lastpass' equivalent feature only works for your private vault. I do wish this functionality was in the phone app instead of just the main website or PC apps, but to be fair no one else I'm aware of has this on the phone app either. Lastpass didn't anyway.
1Password supports 2 factor authentication, but another thing I love about 1password is that it has a secret key. As far as I'm concerned, this secret key is just as good as if I set up 2 factor on my phone, only easier to manage. I can just protect the secret key on my own, and I only need it when I set up a new device with 1password. This means I never have to bother with 2 factor approvals on my phone. Someone can chime in if I'm being ignorant, but as far as I can tell this secret key combined with my master password not only makes my master password more secure (and makes it impossible for a hacker to get your vault unlocked even if they have your master password), but it replaces the need for 2 factor authentication because it is something I have with me. The hacker can't get it. This is very wife friendly, because she hates 2 factor authentication. Her phone is rarely in her pocket like mine. Even a subpar master password in 1password is secure due to it combining with the very long random secret key.
lotusflower
Posts: 289
Joined: Thu Oct 24, 2013 12:32 am

Re: Cybersecurity and passwords

Post by lotusflower »

SpaethCo wrote: Wed Feb 05, 2020 8:47 pm
AAA wrote: Wed Feb 05, 2020 7:59 pm But this is confusing me - some sites suggest using passphrases such as preachy glutton legislate shorter monsoon author while other sites say to never use actual words.
Passphrases are a great way to get the character count up, but where they become a problem is if they reveal a system. We’re not just picking a single password for a single system — we’re picking hundreds of passwords for use on hundreds of different sites. When you think about secure passwords, most people also count on the services they use storing those passwords securely (ie, not storing them at all, instead using strong hashing). Since so many sites do a poor job of secure password storage, it’s safer to assume that at least 2-5 of the passwords you use on various sites are stored in clear text and are openly known at any point in time.

Once an attacker observes that you use passphrases of 4 words on one or two sites, they will modify their cracking ruleset to apply that logic to other data breach password lists and reduce the number of search attempts required by several orders of magnitude.

Basically: Assume 2-5 sites you use are storing your password in clear text, so assume any person or group looking to crack passwords from a new data breach already knows 2-5 of your existing passwords. If 5 of your passwords are revealed, can a human or machine discover the method by which they were created?
This is all correct, but it requires some cleverness, and clever effort is very expensive. IMO the threat of someone using human intelligence to crack your non-trivial password system is not a very realistic threat vector, unless you are a high-value target: a billionaire, an A-list celebrity, someone with >$1M in Bitcoin, or a target of nation-state espionage. AI is nowhere close to automating enough of this process to make it cheap enough to execute on a mass scale, and if mass attacks were possible, it would be incumbent on the banks to tighten security to avoid massive fraud protection payouts.

Cyber security is a lot like home security. You should take it seriously, but you don't have to be impenetrable, you just have to be better than most others at the time and you'll be fine. Maybe that level will keep rising and things will surely be different in 20 years (hopefully we'll have outgrown passwords by then) but for now most of the password ideas here are totally adequate for your financial security.
AAA
Posts: 1365
Joined: Sat Jan 12, 2008 8:56 am

Re: Cybersecurity and passwords

Post by AAA »

I have found this thread very useful and I have a question - if a hacker steals the password database of a company, it appears that what they get is a collection of encrypted passwords (provided the company was not foolish enough to just store the passwords unencrypted). And then what I understand he does is try out different passwords until he gets a match with something in the database.

If that's the case, it seems he would have to know how the database was encrypted. Are there just a limited number of ways to do this or is there flexibility in how an actual password is converted to an encrypted one? If the latter, the hacker would not only have to guess the password but also guess the method of encryption, which seems to make his task much more difficult. So if some master password or key is used to do the encryption, the hacker would have to guess that along with his guessing the encryption algorithm and an individual password. Is that correct?
kevinf
Posts: 198
Joined: Mon Aug 05, 2019 11:35 pm

Re: Cybersecurity and passwords

Post by kevinf »

AAA wrote: Sat Feb 08, 2020 6:17 pm I have found this thread very useful and I have a question - if a hacker steals the password database of a company, it appears that what they get is a collection of encrypted passwords (provided the company was not foolish enough to just store the passwords unencrypted). And then what I understand he does is try out different passwords until he gets a match with something in the database.

If that's the case, it seems he would have to know how the database was encrypted. Are there just a limited number of ways to do this or is there flexibility in how an actual password is converted to an encrypted one? If the latter, the hacker would not only have to guess the password but also guess the method of encryption, which seems to make his task much more difficult. So if some master password or key is used to do the encryption, the hacker would have to guess that along with his guessing the encryption algorithm and an individual password. Is that correct?
https://www.comparitech.com/blog/inform ... g-salting/
zaplunken
Posts: 1032
Joined: Tue Jul 01, 2008 9:07 am

Re: Cybersecurity and passwords

Post by zaplunken »

kevinf,

That link is amazing, I'm adding it to my Passwords folder in Bookmarks! I never really understood what encryption, hashes and salting were and how they were used but that site explains it so clearly!

Also, that link refers to passwords but wouldn't a company that uses these techniques for a password do the same for the userids and maybe security question answers too?
AAA
Posts: 1365
Joined: Sat Jan 12, 2008 8:56 am

Re: Cybersecurity and passwords

Post by AAA »

It would seem from this that if a company follows good practices for setting up their password database it would be extremely difficult if not impossible for a hacker to make any use of it.
lotusflower
Posts: 289
Joined: Thu Oct 24, 2013 12:32 am

Re: Cybersecurity and passwords

Post by lotusflower »

AAA wrote: Sun Feb 09, 2020 9:30 am It would seem from this that if a company follows good practices for setting up their password database it would be extremely difficult if not impossible for a hacker to make any use of it.
Yes, if a company does everything right, including encryption design, server security, AND employee vetting, then you can trust the math of encryption which is currently thought to be unbreakable. But guess what, there are still breaches every few months (or maybe more that go unreported!).
telemark
Posts: 2712
Joined: Sat Aug 11, 2012 6:35 am

Re: Cybersecurity and passwords

Post by telemark »

lotusflower wrote: Sun Feb 09, 2020 12:42 pm
AAA wrote: Sun Feb 09, 2020 9:30 am It would seem from this that if a company follows good practices for setting up their password database it would be extremely difficult if not impossible for a hacker to make any use of it.
Yes, if a company does everything right, including encryption design, server security, AND employee vetting, then you can trust the math of encryption which is currently thought to be unbreakable. But guess what, there are still breaches every few months (or maybe more that go unreported!).
Well, the point of all the encryption and salting is to protect you even in the event of a breach. Although if your password is 123456 or letmein, no encryption scheme is going to help much.

Mea culpa: I once implemented password verification using MD5. In my defense, it was in the mid-1990s and the other choices were DES or triple DES. The newer algorithms have parameters, so you can make them computationally more difficult as processing speeds increase.
lazydavid
Posts: 3279
Joined: Wed Apr 06, 2016 1:37 pm

Re: Cybersecurity and passwords

Post by lazydavid »

AAA wrote: Sun Feb 09, 2020 9:30 am
It would seem from this that if a company follows good practices for setting up their password database it would be extremely difficult if not impossible for a hacker to make any use of it.
There's one more important if....IF you have a long, complex password that is resistant to brute forcing. With processing speed where it is now, 50-80% of passwords will fall relatively quickly even from a properly hashed and salted database, because the passwords themselves are easy for cracking programs to guess.
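The storage side of AAA's question and the replies from telemark and lazydavid, as an added example that is not code from any poster: the stored record itself names the algorithm, work factor and salt, so none of that has to be guessed; the work factor can be raised as hardware gets faster; and a common password is still found by trying a short list. PBKDF2-HMAC-SHA256 from Python's standard library, the record format, the iteration floor and the sample users are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
MIN_ITERATIONS = 100_000  # assumed policy floor for this example

# Constructed short list of widely used passwords; a real audit list is far larger.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "111111"]


def hash_password(password, iterations=MIN_ITERATIONS):
    """Return 'algorithm$iterations$salt$digest' using a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def parse_record(record):
    """Split a stored record; everything needed to re-run the hash is in it."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm: " + algorithm)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password, record):
    """Recompute with the stored salt and work factor, compare in constant time."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when the record was created under a weaker work factor than policy."""
    iterations, _, _ = parse_record(record)
    return iterations < MIN_ITERATIONS


def audit(records):
    """Check our own stored records for common passwords: user -> password found."""
    findings = {}
    for user, record in records.items():
        for guess in COMMON_PASSWORDS:
            if verify_password(guess, record):
                findings[user] = guess
                break
    return findings


def build_sample_records():
    """Constructed sample database: user names and passwords are made up."""
    return {
        "alice": hash_password("123456", iterations=1_000),  # legacy work factor
        "bob": hash_password("letmein"),
        "carol": hash_password(secrets.token_urlsafe(24)),   # manager-style random
    }


if __name__ == "__main__":
    records = build_sample_records()
    for user, record in records.items():
        print(user, record[:40] + "...", "rehash" if needs_rehash(record) else "ok")
    print("common passwords found:", audit(records))
```

The salt makes two users with the same password store different records and forces each record to be tested separately; it does nothing for a password that is on the first page of every guess list.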
1andDone
Posts: 30
Joined: Mon Apr 24, 2017 2:18 pm

Re: Cybersecurity and passwords

Post by 1andDone »

Gadget wrote: Thu Feb 06, 2020 9:48 am I've been a Lastpass user for years since it came out. I've recently grown frustrated with certain things about Lastpass, so I branched out and tried a few different password managers. I thought the bogleheads community might appreciate my review/results. They are geared towards a married couple that needs to share many passwords. Single users may pick another option. For anyone that fears setting up passwords in a new password manager, that process was painless on all options I tried. The export/import functions work well on all of them.

Very helpful review, thanks!
L82GAME
Posts: 312
Joined: Sat Dec 07, 2019 9:29 am

Re: Cybersecurity and passwords

Post by L82GAME »

^^^My wife and I use the paid subscription version of Dashlane and can share all passwords and secure notes across multiple platforms.
Gadget
Posts: 383
Joined: Fri Mar 17, 2017 1:38 pm

Re: Cybersecurity and passwords

Post by Gadget »

L82GAME wrote: Thu Jul 09, 2020 5:18 am ^^^My wife and I use the paid subscription version of Dashlane and can share all passwords and secure notes across multiple platforms.
That's relatively new though right? I think Dashlane came out with that shortly after the review I wrote back in February 2020. Might be a good option for people to try now.
tibbitts
Posts: 11547
Joined: Tue Feb 27, 2007 6:50 pm

Re: Cybersecurity and passwords

Post by tibbitts »

I would say just use a password manager.

If you use 2FA on all the accounts you use every day make sure you have the suicide prevention hotline on speed dial.
jebmke
Posts: 11265
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Cybersecurity and passwords

Post by jebmke »

L82GAME wrote: Thu Jul 09, 2020 5:18 am ^^^My wife and I use the paid subscription version of Dashlane and can share all passwords and secure notes across multiple platforms.
We do same, but with KeePass; of course, she knows she cannot use my log in credentials at financial institutions but our VG household account gives her access to everything anyway. She also has her own log in credentials to our online bank account.
When you discover that you are riding a dead horse, the best strategy is to dismount.
crinkles2
Posts: 69
Joined: Fri Nov 28, 2014 8:18 pm

Re: Cybersecurity and passwords

Post by crinkles2 »

tibbitts wrote: Thu Jul 09, 2020 8:31 am I would say just use a password manager.

If you use 2FA on all the accounts you use every day make sure you have the suicide prevention hotline on speed dial.
What does this mean?