Do you use a password manager?

mptfan
Posts: 7004
Joined: Mon Mar 05, 2007 9:58 am

Re: Do you use a password manager?

Post by mptfan »

privateID wrote: Tue Sep 20, 2022 7:12 pm Even without passphrase encryption, you would have to enter your Google password to actually see a password in the Password Manager. In other words, my browser is open, I am logged into Google and Google still does not let me see the saved passwords unless I enter the password even though I am logged in.
Yes, but it is a single point of failure because if your Google password is compromised the attacker will have access to your passwords.
privateID
Posts: 460
Joined: Sat Oct 18, 2014 4:59 pm

Re: Do you use a password manager?

Post by privateID »

mptfan wrote: Tue Sep 20, 2022 7:17 pm
privateID wrote: Tue Sep 20, 2022 7:12 pm Even without passphrase encryption, you would have to enter your Google password to actually see a password in the Password Manager. In other words, my browser is open, I am logged into Google and Google still does not let me see the saved passwords unless I enter the password even though I am logged in.
Yes, but it is a single point of failure because if your Google password is compromised the attacker will have access to your passwords.
So you're saying if someone gets access to my device and knows my Google password, then I'm exposed. Well, yeah. I think I would be. I hope you don't store your Google password in that standalone password manager, because that would be a single point of failure too. By that logic, you may want to have multiple password managers to secure different passwords - less points of big failures. But I would say the whole point of the password manager is to remember one password for everything. I think that is secure enough as long as I keep that password secure.
Last edited by privateID on Tue Sep 20, 2022 7:47 pm, edited 1 time in total.
mptfan
Posts: 7004
Joined: Mon Mar 05, 2007 9:58 am

Re: Do you use a password manager?

Post by mptfan »

privateID wrote: Tue Sep 20, 2022 7:41 pm So you're saying if someone gets access to my device and knows my Google password, then I'm exposed. Well, yeah. I think I would be.
Right, but I wouldn't be. And I'm saying more than that...if someone knows your Google password then you are exposed, whether they have access to your device or not, unless you have strong two factor authentication set up and the other person also does not have access to that.
privateID
Posts: 460
Joined: Sat Oct 18, 2014 4:59 pm

Re: Do you use a password manager?

Post by privateID »

mptfan wrote: Tue Sep 20, 2022 7:43 pm
privateID wrote: Tue Sep 20, 2022 7:41 pm So you're saying if someone gets access to my device and knows my Google password, then I'm exposed. Well, yeah. I think I would be.
Right, but I wouldn't be. And I'm saying more than that...if someone knows your Google password then you are exposed, whether they have access to your device or not, unless you have strong two factor authentication set up and the other person also does not have access to that.
ok. I understand your point of view. My Google password is my most important password and I therefore am the only person on the planet that knows it. It is written down with my will if I die. I therefore do not share your concern.
anon_investor
Posts: 12828
Joined: Mon Jun 03, 2019 1:43 pm

Re: Do you use a password manager?

Post by anon_investor »

KeePass and chill?
AnEngineer
Posts: 1758
Joined: Sat Jun 27, 2020 4:05 pm

Re: Do you use a password manager?

Post by AnEngineer »

privateID wrote: Tue Sep 20, 2022 7:55 pm
mptfan wrote: Tue Sep 20, 2022 7:43 pm
privateID wrote: Tue Sep 20, 2022 7:41 pm So you're saying if someone gets access to my device and knows my Google password, then I'm exposed. Well, yeah. I think I would be.
Right, but I wouldn't be. And I'm saying more than that...if someone knows your Google password then you are exposed, whether they have access to your device or not, unless you have strong two factor authentication set up and the other person also does not have access to that.
ok. I understand your point of view. My Google password is my most important password and I therefore am the only person on the planet that knows it. It is written down with my will if I die. I therefore do not share your concern.
I wouldn't even put the password with my will. I am much more concerned about losing access to my master email account than a password manager. If someone gets in my email (not just password due to MFA), it's game over for so many things. If someone gets into my passwords, MFA still protects important accounts, though you may see someone impersonating me here. :)
privateID
Posts: 460
Joined: Sat Oct 18, 2014 4:59 pm

Re: Do you use a password manager?

Post by privateID »

I started to post in this conversation because I'm still learning. I just started to use the Google password manager this week. I haven't even turned on the Google passphrase encryption yet because it comes with some caveats. So, I'm still evaluating it. I understand the concern of a single point of failure with everything under Google. Some probably view that as a benefit (less passwords to remember, less companies that can be breached) and others view it as a problem. I get the point. Still looking to see other advantages/disadvantages concerning the security of Google vs other standalone password managers.

Part of the reason I haven't turned on the Google Passphrase encryption is that I don't fully understand the relationship between a normal Google password and the passphrase. Can you set them both to be the same? Or do you need to remember both of them - Google password and Google passphrase? Or maybe when you use a passphrase the password is obsolete?
SnowBog
Posts: 3478
Joined: Fri Dec 21, 2018 11:21 pm

Re: Do you use a password manager?

Post by SnowBog »

privateID wrote: Tue Sep 20, 2022 7:55 pm
mptfan wrote: Tue Sep 20, 2022 7:43 pm
privateID wrote: Tue Sep 20, 2022 7:41 pm So you're saying if someone gets access to my device and knows my Google password, then I'm exposed. Well, yeah. I think I would be.
Right, but I wouldn't be. And I'm saying more than that...if someone knows your Google password then you are exposed, whether they have access to your device or not, unless you have strong two factor authentication set up and the other person also does not have access to that.
ok. I understand your point of view. My Google password is my most important password and I therefore am the only person on the planet that knows it. It is written down with my will if I die. I therefore do not share your concern.
A password written down is already insecure... Especially in something unlikely to change, and potentially exposed to multiple people such as a will (which could end up being a public record available to anyone who asks if it goes through probate).

In my humble opinion, there is no such thing as a secure password, so don't fool yourself thinking yours is. All passwords can be compromised in some way (given enough time and focus). The intent of using unique long complex passwords, with a password manager, ideally protected by two-factor authentication - and used with two-factor authentication whenever possible, is to not make it easier for the hackers while making it easier for yourself.

Tl;dr: Password Manager (used properly) = better security and better user experience. Win - win.
solarcub
Posts: 177
Joined: Sat Feb 08, 2020 10:09 pm

Re: Do you use a password manager?

Post by solarcub »

gas_balloon wrote: Fri Aug 19, 2022 11:26 am
enad wrote: Fri Aug 19, 2022 11:17 am I've used jingles in the past like "ilwydfmt" care to guess that one? I can't ever get it out of my head and it's been over 25 years, but today it would look like this: 1Lwydfm| to meet the special case character
Right, whatever works for you. The point is, it's not that hard to remember one or two strong passwords. Event, jingle, song, nursery rhymes - whatever works for you to remember the password.
I assume this was just an example, but FYI, if you Google "ilwydfmt", it comes up, with the answer. This thread also comes up.
privateID
Posts: 460
Joined: Sat Oct 18, 2014 4:59 pm

Re: Do you use a password manager?

Post by privateID »

SnowBog wrote: Wed Sep 21, 2022 2:48 pm
privateID wrote: Tue Sep 20, 2022 7:55 pm
mptfan wrote: Tue Sep 20, 2022 7:43 pm
privateID wrote: Tue Sep 20, 2022 7:41 pm So you're saying if someone gets access to my device and knows my Google password, then I'm exposed. Well, yeah. I think I would be.
Right, but I wouldn't be. And I'm saying more than that...if someone knows your Google password then you are exposed, whether they have access to your device or not, unless you have strong two factor authentication set up and the other person also does not have access to that.
ok. I understand your point of view. My Google password is my most important password and I therefore am the only person on the planet that knows it. It is written down with my will if I die. I therefore do not share your concern.
A password written down is already insecure... Especially in something unlikely to change, and potentially exposed to multiple people such as a will (which could end up being a public record available to anyone who asks if it goes through probate).

In my humble opinion, there is no such thing as a secure password, so don't fool yourself thinking yours is. All passwords can be compromised in some way (given enough time and focus). The intent of using unique long complex passwords, with a password manager, ideally protected by two-factor authentication - and used with two-factor authentication whenever possible, is to not make it easier for the hackers while making it easier for yourself.

Tl;dr: Password Manager (used properly) = better security and better user experience. Win - win.
I didn't actually put my Google password in my will. I just meant it was written down on a paper in the same folder as my will.

And, yes, I totally agree that these things are not 100% secure no matter what we do. I personally would prefer one master password over my Google account and password manager rather than have one for Google and one for the password manager.
ScubaHogg
Posts: 1543
Joined: Sun Nov 06, 2011 3:02 pm

Re: Do you use a password manager?

Post by ScubaHogg »

This is a lot of posts to say, “yes, you should use a password manager”
Pierre-Simon Laplace’s original phrase for expected value was “mathematical hope.”
DrivingFun
Posts: 281
Joined: Wed Sep 19, 2007 6:12 pm

Re: Do you use a password manager?

Post by DrivingFun »

I've been using something like Password Safe for decades. Synchronization is achieved by using Dropbox or similar. It's not nearly as sexy as the modern web based paid options, but it has worked well for me for so long that I haven't been compelled to switch.
bertilak
Posts: 9663
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

David_w wrote: Tue Jul 19, 2022 6:48 pm I use an Excel file that is password protected
By not using one of the latest password managers, you are missing out on auto-fill of ID/PW fields. This has the advantages of:
  1. Saving you from typing (and typos) or going through the bother of copy-paste.
  2. Preventing you from filling in ID/PW on a fake page meant to steal your ID/PW or, perhaps suckering you into filling in other personal info.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
mrc
Posts: 1707
Joined: Sun Jan 10, 2016 6:39 am

Re: Do you use a password manager?

Post by mrc »

bertilak wrote: Thu Sep 22, 2022 2:00 pm
David_w wrote: Tue Jul 19, 2022 6:48 pm I use an Excel file that is password protected
By not using one of the latest password managers, you are missing out on auto-fill of ID/PW fields. This has the advantages of:
  1. Saving you from typing (and typos) or going through the bother of copy-paste.
  2. Preventing you from filling in ID/PW on a fake page meant to steal your ID/PW or, perhaps suckering you into filling in other personal info.
One of the most valuable features of my password manager (1Password) is the embedded URLs. I search for a site (e.g., bank, store, doctor) and open from within the manager. I no longer click on email links, but on the rare occasion when I did, and if the site is a spoof (e.g., flidety.com), the manager wouldn't have any credentials for that URL, and protect me from giving away the credentials at a fake site.
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
Bagels
Posts: 131
Joined: Mon Apr 12, 2021 9:08 am

Re: Do you use a password manager?

Post by Bagels »

This is good information.
gavinsiu wrote: Sun Aug 14, 2022 8:51 am ...

3. Back up your vault. Most password managers allow you to export your vault for backup. The last time I suggested this on another forum, several people got really hostile because the export process may leave temp files. In my opinion, this is an acceptable risk. In my opinion, the risk is that the vault may get corrupted, the vendor may suddenly go out of business without notice. You will want to double-check that you can restore. I tested the Bitwarden backup and noticed that encrypted export will fail because you can only import an encrypted export on the same account. I end up exporting it as an unencrypted JSON and then sticking it into an encrypted drive. You make the decision on what you want to do.
I like Bitwarden a lot. It's my first time handing passwords over to someone else's care. I got tired of not having passwords while traveling and needed to be able to log in to a vault. Like some of my favorite software, e.g. Standard Notes and ProtonMail, I find it a bit clunky but safe.
missing madsinger’s monthly reports
David_w
Posts: 146
Joined: Sat Feb 09, 2019 8:20 am
Location: South Florida

Re: Do you use a password manager?

Post by David_w »

mrc wrote: Thu Sep 22, 2022 2:21 pm
bertilak wrote: Thu Sep 22, 2022 2:00 pm
David_w wrote: Tue Jul 19, 2022 6:48 pm I use an Excel file that is password protected
By not using one of the latest password managers, you are missing out on auto-fill of ID/PW fields. This has the advantages of:
  1. Saving you from typing (and typos) or going through the bother of copy-paste.
  2. Preventing you from filling in ID/PW on a fake page meant to steal your ID/PW or, perhaps suckering you into filling in other personal info.
One of the most valuable features of my password manager (1Password) is the embedded URLs. I search for a site (e.g., bank, store, doctor) and open from within the manager. I no longer click on email links, but on the rare occasion when I did, and if the site is a spoof (e.g., flidety.com), the manager wouldn't have any credentials for that URL, and protect me from giving away the credentials at a fake site.
I never click links and never have. I always go to the site on my own.
HawkeyePierce
Posts: 2052
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Do you use a password manager?

Post by HawkeyePierce »

David_w wrote: Thu Sep 22, 2022 5:06 pm
mrc wrote: Thu Sep 22, 2022 2:21 pm
bertilak wrote: Thu Sep 22, 2022 2:00 pm
David_w wrote: Tue Jul 19, 2022 6:48 pm I use an Excel file that is password protected
By not using one of the latest password managers, you are missing out on auto-fill of ID/PW fields. This has the advantages of:
  1. Saving you from typing (and typos) or going through the bother of copy-paste.
  2. Preventing you from filling in ID/PW on a fake page meant to steal your ID/PW or, perhaps suckering you into filling in other personal info.
One of the most valuable features of my password manager (1Password) is the embedded URLs. I search for a site (e.g., bank, store, doctor) and open from within the manager. I no longer click on email links, but on the rare occasion when I did, and if the site is a spoof (e.g., flidety.com), the manager wouldn't have any credentials for that URL, and protect me from giving away the credentials at a fake site.
I never click links and never have. I always go to the site on my own.
Defense based on a human always doing the right thing is worse than a program always doing the right thing. Computers don't get sleepy or sloppy or distracted.
bertilak
Posts: 9663
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

HawkeyePierce wrote: Thu Sep 22, 2022 5:36 pm Defense based on a human always doing the right thing is worse than a program always doing the right thing. Computers don't get sleepy or sloppy or distracted.
Agreed. Above, I tried to emphasize convenience. If doing the right thing is the most convenient thing to do, that makes things safer. If you need to consciously analyze the situation every time it comes up to determine proper behavior, even if the analysis is trivial, sooner or later you will mess up. Besides, being so careful is tiresome.
Last edited by bertilak on Thu Sep 22, 2022 6:02 pm, edited 1 time in total.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Uncle Morris
Posts: 99
Joined: Sun Jul 12, 2020 8:13 pm

Re: Do you use a password manager?

Post by Uncle Morris »

A while back, there was some discussion (not here, as far as I recall) about disabling autofill in one's password manager due to a risk of something or other. For the security experts here, what's the current thinking on that?
HawkeyePierce
Posts: 2052
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Do you use a password manager?

Post by HawkeyePierce »

Uncle Morris wrote: Thu Sep 22, 2022 6:02 pm A while back, there was some discussion (not here, as far as I recall) about disabling autofill in one's password manager due to a risk of something or other. For the security experts here, what's the current thinking on that?
Autofill by 1Password/LastPass/etc is safe. It helps avoid phishing attacks.
Northern Flicker
Posts: 11397
Joined: Fri Apr 10, 2015 12:29 am

Re: Do you use a password manager?

Post by Northern Flicker »

Set up 2FA using a device that will not be compromised if a machine where you type in any of your passwords or open your password safe is compromised. This includes segregating 2FA from devices whose access may be sufficient to reset a password (such as a phone with email).

If that seems onerous, just segregate 2FA for your more sensitive accounts.
Last edited by Northern Flicker on Thu Sep 22, 2022 7:31 pm, edited 1 time in total.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Uncle Morris
Posts: 99
Joined: Sun Jul 12, 2020 8:13 pm

Re: Do you use a password manager?

Post by Uncle Morris »

HawkeyePierce, is that for both manual (one click) and automatic autofill?

A quick search brings up discussions like:
https://www.omnicybersecurity.com/passw ... s-it-safe/
https://medium.com/@brianrusseldavis/ar ... 05edf952bf

Longer and more technical discussion here:
https://marektoth.com/blog/password-managers-autofill/
lutok
Posts: 26
Joined: Sat Sep 27, 2014 5:24 pm

Re: Do you use a password manager?

Post by lutok »

I have used Dashlane for many years. It has a password generator. I don't even know what my passwords are.
OpenMinded1
Posts: 802
Joined: Wed Feb 05, 2020 9:27 am

Re: Do you use a password manager?

Post by OpenMinded1 »

HawkeyePierce wrote: Thu Sep 22, 2022 6:07 pm
Uncle Morris wrote: Thu Sep 22, 2022 6:02 pm A while back, there was some discussion (not here, as far as I recall) about disabling autofill in one's password manager due to a risk of something or other. For the security experts here, what's the current thinking on that?
Autofill by 1Password/LastPass/etc is safe. It helps avoid phishing attacks.
Seems like if someone disables autofill, and they are using the long, random passwords that are recommended, they will probably copy and paste the passwords (and sometimes usernames) from the password manager instead. Does this pose a security threat? Can some bad actor somehow get to the passwords that were copied, and use them to get into password protected sites?
gavinsiu
Posts: 706
Joined: Sun Nov 14, 2021 12:42 pm

Re: Do you use a password manager?

Post by gavinsiu »

OpenMinded1 wrote: Fri Sep 23, 2022 6:18 am Seems like if someone disables autofill, and they are using the long, random passwords that are recommended, they will probably copy and paste the passwords (and sometimes usernames) from the password manager instead. Does this pose a security threat? Can some bad actor somehow get to the passwords that were copied, and use them to get into password protected sites?
There are several thoughts by security researchers on this. Clipboard attacks are a concern. Most password managers alleviate this by deleting the content after 30 seconds (this is usually a setting). Note that some OSes and utilities may add a feature for clipboard history. If you use the clipboard to copy passwords, enabling the feature is a bad idea. Even if the password manager deletes the clipboard, the history of it will remain. On most password managers, the autofill does not use the clipboard and also doesn't "type" it out. This means if you have a keylogger, it won't see the password manager typing out the password.

As for autofill, it is true that the anti-phishing feature blocks most attempts by attackers to trick the person into autofilling. For maximum protection, disable autofill. According to 1Password, one danger of autofill is that if a user manages to bypass the anti-phishing mechanism, they can use it to harvest your password. For maximum security, set it up so that you have to use a keyboard shortcut. You still have the anti-phishing feature. If you press the keyboard shortcut, it will warn you if the site doesn't match.

https://blog.1password.com/1password-ke ... -the-loop/
OpenMinded1
Posts: 802
Joined: Wed Feb 05, 2020 9:27 am

Re: Do you use a password manager?

Post by OpenMinded1 »

gavinsiu wrote: Fri Sep 23, 2022 7:43 am
OpenMinded1 wrote: Fri Sep 23, 2022 6:18 am Seems like if someone disables autofill, and they are using the long, random passwords that are recommended, they will probably copy and paste the passwords (and sometimes usernames) from the password manager instead. Does this pose a security threat? Can some bad actor somehow get to the passwords that were copied, and use them to get into password protected sites?
There are several thoughts by security researchers on this. Clipboard attacks are a concern. Most password managers alleviate this by deleting the content after 30 seconds (this is usually a setting). Note that some OSes and utilities may add a feature for clipboard history. If you use the clipboard to copy passwords, enabling the feature is a bad idea. Even if the password manager deletes the clipboard, the history of it will remain. On most password managers, the autofill does not use the clipboard and also doesn't "type" it out. This means if you have a keylogger, it won't see the password manager typing out the password.

As for autofill, it is true that the anti-phishing feature blocks most attempts by attackers to trick the person into autofilling. For maximum protection, disable autofill. According to 1Password, one danger of autofill is that if a user manages to bypass the anti-phishing mechanism, they can use it to harvest your password. For maximum security, set it up so that you have to use a keyboard shortcut. You still have the anti-phishing feature. If you press the keyboard shortcut, it will warn you if the site doesn't match.

https://blog.1password.com/1password-ke ... -the-loop/
Thanks for the info. I use LastPass and its autofill feature, but have noticed that some sites won't autofill. One is an email service highly regarded for security. Don't know why it won't autofill. (And yes I'm going to the actual email service website, not a fake one.)

I'll have to make sure my clipboard history feature is turned off.
Last edited by OpenMinded1 on Fri Sep 23, 2022 8:53 am, edited 1 time in total.
Uncle Morris
Posts: 99
Joined: Sun Jul 12, 2020 8:13 pm

Re: Do you use a password manager?

Post by Uncle Morris »

I do the one-click of the password manager icon to fill the password on a site. Not automatic autofill, but I guess one could call it semi-automatic. It's not copy and paste.
gavinsiu
Posts: 706
Joined: Sun Nov 14, 2021 12:42 pm

Re: Do you use a password manager?

Post by gavinsiu »

OpenMinded1 wrote: Fri Sep 23, 2022 8:48 am Thanks for the info. I use LastPass and its autofill feature, but have noticed that some sites won't autofill. One is an email service highly regarded for security. Don't know why it won't autofill. I'll have to make sure my clipboard history feature is turned off.
I find that this is because they have added some feature to block autofill or purposely use a special field. Next time this happens, click on the password field instead of the user name field. Often, this might bring up the autofill for the login.
Gadget
Posts: 867
Joined: Fri Mar 17, 2017 1:38 pm

Re: Do you use a password manager?

Post by Gadget »

OpenMinded1 wrote: Fri Sep 23, 2022 8:48 am
Thanks for the info. I use LastPass and its autofill feature, but have noticed that some sites won't autofill. One is an email service highly regarded for security. Don't know why it won't autofill. I'll have to make sure my clipboard history feature is turned off.
It's just lazy programming on the website's part. Or likely an old software requirement that never got updated based on outdated security principles.

There are hackers who can take advantage of auto-fill vulnerabilities and clipboard attacks if you get a virus on your computer. But turning off autofill to prevent them is not advisable because you are much much more likely to be targeted in a phishing attack that a password manager's autofill would prevent. So even aside from the convenience factor, autofill is generally safer for the average user. There are always compromises in security. But in general, autofill prevents way more target attack scenarios than it introduces.
Lastrun
Posts: 702
Joined: Wed May 03, 2017 6:46 pm

Re: Do you use a password manager?

Post by Lastrun »

OpenMinded1 wrote: Fri Sep 23, 2022 8:48 am ..... I use LastPass and its autofill feature, but have noticed that some sites won't autofill. One is an email service highly regarded for security. Don't know why it won't autofill. (And yes I'm going to the actual email service website, not a fake one.)
Have you tried to right-click in the username box of the site and then it will show the LastPass password and allow you to autofill that way? Under this method, it will indeed recognize the site, it just won't autofill when you open the webpage. This is not a cut and paste.

This vvvvvv
Gadget wrote: Fri Sep 23, 2022 8:59 am ...... But turning off autofill to prevent them is not advisable because you are much much more likely to be targeted in a phishing attack that a password manager's autofill would prevent. So even aside from the convenience factor, autofill is generally safer for the average user. There are always compromises in security. But in general, autofill prevents way more target attack scenarios than it introduces.
gavinsiu
Posts: 706
Joined: Sun Nov 14, 2021 12:42 pm

Re: Do you use a password manager?

Post by gavinsiu »

Turning off autofill does not mean you have to copy and paste your user name and password, it means that the user name and password are not filled automatically when the page loads. Depending on the password manager, you can still fill by either right-clicking on the field, selecting the password manager extension icon drop down, or some sort of keyboard shortcut. If you do this, the fill won't work unless it matches the URL.

The chief reason why you don't autofill on page load is to avoid some sort of automated harvesting of your user name and password by some sort of form if the hacker managed to bypass the password manager's URL verification. This is all hypothetical though, since I have not heard of an instance of this happening, but the thread seemed credible enough and the prevention rather simple.
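
The URL check that several posts in this thread rely on (a saved login is offered only on the site it was saved for, so a spoof such as flidety.com gets nothing, and fill on page load can be switched off), as an added example that is not part of any post and not any password manager's own code. The vault entries, function names and the exact-host-or-subdomain rule are assumptions; real products typically compare registrable domains using the Public Suffix List.

```javascript
// Constructed sample vault: titles and URLs are placeholders, no real secrets.
const VAULT = [
  { title: "Brokerage", url: "https://fidelity.com/" },
  { title: "Mail", url: "https://mail.example.com/" },
];

// Return the lower-cased host of an https URL, or null if the URL is
// malformed or not https. The URL parser, not string search, decides what
// the host is, so "https://fidelity.com@flidety.com/" yields "flidety.com".
function fillableHost(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null;
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

// Match the saved host exactly, or a subdomain of it. The leading "." keeps
// the comparison on a label boundary, so "xmail.example.com" does not match
// a login saved for "mail.example.com".
function hostMatches(savedHost, pageHost) {
  return pageHost === savedHost || pageHost.endsWith("." + savedHost);
}

// trigger is "pageload" (page just opened) or "user" (icon click, right-click
// menu or keyboard shortcut). With fillOnPageLoad off, a matching login is
// held until the user asks for it; a non-matching page never gets one.
function decideFill(vault, pageUrl, trigger, settings = { fillOnPageLoad: false }) {
  const pageHost = fillableHost(pageUrl);
  if (pageHost === null) {
    return { action: "none", reason: "not a valid https page" };
  }
  const entry = vault.find((e) => {
    const saved = fillableHost(e.url);
    return saved !== null && hostMatches(saved, pageHost);
  });
  if (!entry) {
    return { action: "none", reason: "no saved login for " + pageHost };
  }
  if (trigger === "pageload" && !settings.fillOnPageLoad) {
    return { action: "wait_for_user", entry: entry.title };
  }
  return { action: "fill", entry: entry.title };
}

// Constructed test pages, including the spoof domain quoted in the thread.
const SAMPLE_PAGES = [
  ["https://www.fidelity.com/login", "user"],
  ["https://www.flidety.com/login", "user"],
  ["https://fidelity.com.flidety.com/login", "user"],
  ["https://fidelity.com@flidety.com/login", "user"],
  ["http://fidelity.com/login", "user"],
  ["https://xmail.example.com/", "user"],
  ["https://fidelity.com/login", "pageload"],
];

for (const [url, trigger] of SAMPLE_PAGES) {
  console.log(trigger.padEnd(8), url, "->", JSON.stringify(decideFill(VAULT, url, trigger)));
}
```
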