Choosing a password manager--advice needed

[lifeanon269]

StetsTerhune, you're absolutely right that ultimately it comes down to risk assessment and each individual will have to do that for themselves.

However, as Spork touched upon, there are certain considerations to take into account when going the phyiscal copy approach.

We live in a very mobile world and that means for a lot of people, they'll want/need access to those accounts from many different locations (work, home, vacation, etc). So if you go the physical route, then that immediately means that you'll need to be carrying around that physical copy in some form or another. While that physical copy might be very secure while it is stashed away at home, it won't be as secure when you're on the move.

Also, bad habits that might be OK for specific scenarios for the individual privately, they are almost never OK when in the business world. So if you develop those habits personally, you'd have to be very diligent to not allow those habits to carry over into an environment that requires a more stringent approach to security.

As Spork mentioned as well, keeping your passwords secret from bad actors shouldn't be your only concern. There are also many people in our lives, those we trust, that it might be important to keep our passwords secret from (for example, children).

While the physical approach might be OK for specific secluded "homebodies" that only ever use the internet from a single computer at home, the risk isn't low enough for the majority of internet users that I could ever feel comfortable recommending that advice to the general public.

[joonifloofeefloo]

I've really appreciated the entire discussion here, and the comic helped me SO MUCH, as did the little chart.

It's all convinced me to finally make a move to a manager, and that will be a project for this weekend.
It sounds like Keepass or Lastpass are what most people are satisfied with, and in that order, yes?

Keepass has had no security breaches, but Lastpass is synced across all devices. The latter sounds like a great boon to me personally (i.e., what will encourage me to use a manager, which increases my security overall).

Questions:

1. With keepass not synced across devices, how does a person manage this on multiple devices?

2. Given the breaches that have occured with Lastpass and similar programs, do most security folks here scream "NOT LASTPASS"? Or do you shrug off the security breaches, feeling satisfied with how those played out?

3. When I swap out computers (loaners from my school and kid's school), does one or the other (keepass/lastpass) have an advantage, in terms of preventing conniptions in me?(I'm thinking lastpass again/)

[Spork]

I've really appreciated the entire discussion here, and the comic helped me SO MUCH, as did the little chart.

It's all convinced me to finally make a move to a manager, and that will be a project for this weekend.
It sounds like Keepass or Lastpass are what most people are satisfied with, and in that order, yes?

Keepass has had no security breaches, but Lastpass is synced across all devices. The latter sounds like a great boon to me personally (i.e., what will encourage me to use a manager, which increases my security overall).

Questions:

1. With keepass not synced across devices, how does a person manage this on multiple devices?

2. Given the breaches that have occured with Lastpass and similar programs, do most security folks here scream "NOT LASTPASS"? Or do you shrug off the security breaches, feeling satisfied with how those played out?

3. When I swap out computers (loaners from my school and kid's school), does one or the other (keepass/lastpass) have an advantage, in terms of preventing conniptions in me?(I'm thinking lastpass again/)

KeePass hasn't had a large scale "breach" per se, but it has had vulnerabilities found just like the others.  The difference is that it's usually run locally on a machine rather than in a centralized hosted model.

Regarding your other questions, and as a security person with 15+ years in the business:

1.  There are methods to use DropBox or similar to sync your KeePass database to multiple devices.  I've tried it and it works fine, but it does require more work than something built to sync natively like LastPass.

2.  LastPass and Dashlane have both patched their vulnerabilities in a timely manner, as has KeePass for that matter, so I wouldn't run screaming from any of them.  Just manage your risk.  If they notify you of a breach and say you should change your master password, do it.

3.  LastPass will be easier simply because there are fewer moving parts.

This also depends on your requirements for "synced across devices".  What devices?

Are we talking about multiple computers?  Or extending to mobile devices?  I still have a fairly large (possibly bordering on irrational) distrust of most mobile devices.  I tend to only use passwords I deem "not important" on mobile. In a sense: I don't care about accessing passwords from them.  The passwords I use on mobile are passwords I'm okay with just saving in an app.

If we're just talking about multiple computers, the simplest method of sharing is to use a password manager that will run and store its data on a USB stick.  (Dear lord: have a religiously adhered to process that keeps a backup, please!)  Since I am a bit of a dinosaur and use linux and my own methods for password management... I can't really give honest recommendations on packages that will run in a USB environment.  I know pwsafe does... and I suspect many of them do.

[joonifloofeefloo]

Between my teen and me -and busienss/school/personal- it's two computers at a time (replaced frequently per school loaner system), one tablet, two phones.

Yes, I'm good about backing up. I have back up of archives in a safe deposit box, and keep current projects in DropBox. My computer died recently and I lost nothing, just opened a new loaner and carried on.

[joonifloofeefloo]

Thanks very much, GoingToMaine and Spork! I find this all so intimidating, so I really appreciate the directed help. I'm going to start playing around this eve and see what I experience as a first attempt...

[Shane]

For the past several years we've been using Keeper Security to store passwords and it works well for us. My wife and I share an account that is synced across all of our devices. The Android app we use accepts fingerprint sign in, so we don't even need to bother with typing in the master password when we're using our phones.

[lifeanon269]

I just wanted to share this information in case anyone finds it useful. It touches more on the concepts I talked about above (Length>Complexity), but talks about how you can take advantage of that fact to create really easy passwords to remember, but are also extremely stong passwords.

https://www.grc.com/haystack.htm

If anyone is still trying to decide on the best solution for a password manager and is finding it difficult, an option could be to take advantage of the password haystacking concept.

When an attacker has exhausted all their easier options for cracking a password (dictionary, rainbow tables, common passwords, etc), then their only other option is to do an exhaustive brute-force search. Once that's begun, the only thing that matters is length.

So how can you take advantage of this fact? Well, as the article talks about, all you need to do is come up with a simple and easy to remember password (for example, "Tig3r"), and then simply pad its length. Since all that matter is length, the padding will take care of that for you. All you need to do is worry about making sure that each site has a different password. Since an attacker isn't going to know what part of the password is different from site to site, each site's "key" only needs to be a few characters long.

What you could then do is simply create a key list for all your sites. For example, Amazon.com = ke2, ebay.com = pq5, etc...

You can then combine your password, with the key for that site, and then simply pad the rest with a character. So my passwords could look like this (using my example memorable password from above):

Amazon.com =
Tig3rke2!!!!!!!!!!!!

ebay.com =
Tig3rpq5!!!!!!!!!!!!

You could then simply store that key anywhere you'd like and have it with you anywhere you'd need it. It doesn't even need to be secure, since it isn't useful information to a hacker until other data breaches have also taken place. Let me explain...

Let's look at some scenarios:

Scenario 1) Compromising your actual website passwords is extremely difficult because of their length. That's already true and your secure from a password cracking/brute-force perspective. Nobody knows the concept behind your passwords since it is only in your head. Therefore, the strength of your 20 character passwords are just as strong as even the most randomized 20 character passwords.

Scenario 2) Let's say your Amazon.com password was exposed because you fell victim to a phishing website. So they didn't need to crack your password because you gave it away. All they know is that "Tig3rke2!!!!!!!!!!!!" is your Amazon.com password. They'd have no idea that the passwords for your other websites have patterns similar to it. They also have no idea of the existence of your key list. So your other websites are safe.

Scenario 3) Final scenario is that your key list is compromised. Since your website passwords haven't been compromised, they'll have no idea what those three characters for each website are for and would have no idea how to apply them. They're as good as nothing.

Long story short, password haystacking is a great way to create memorable passwords that are extremely difficult to crack. Your only chore is to design a method that takes advantage of the fact that length matters above all else to create different passwords for each website so that if one password is compromised, they all aren't.

If you're uneasy about using a password manager (and there is enough reason to be, IMO), then hopefully this advice is useful for coming up with another alternative that might be useful for some.

Final note, even if you do decide to use a password manager, you will still need to memorize at least one password. I highly recommend using the haystacking (length) technique as described.

[joonifloofeefloo]

lifeanon269: Loved every word of that, thank you!

All: Looked at keepass last night and was surprised to see the site so...industrial looking. I will go a bit further than first glance today, but I know that YNAB's esthetic is a huge part of what has kept me willing to stick with it, so I might consider a shinier option on the shininess account alone.

[joonifloofeefloo]

Okay, I'm down to Lastpass and Dashlane. The latter because, "...it can reset your passwords at once, saving you time and worry in the event of a major data breach." The cost doesn't bother me.

So, my one concern is, "...its read-only web interface, which prevents you from making any changes to your vault while away from your primary computer." If my primary computer dies or returned to its loaner company or I just choose not to have a computer for a while -relying on my tablet and phone as I sometimes do for weeks at a time- how do changes to the vault? In my particular lifestyle, is Lastpass better than Dashlane?

Or, has Lastpass by any chance developed the ability to change all passwords at once since the article quoted above was written?

[Rocket]

I'm not sure having a password manager reset all your passwords is a good thing.  You'd end up with not being able to log into half your accounts.  Every site handles password reseting differently and some use 2 factor authentication and other security measures.  I'm doubting it would work.

[With This Herring]

OP here--wow, never a dull moment on the MMM boards!

Thanks for the product recommendations, tech discussion and general security tips. So far, of the commercial products, Lastpass has received the most votes, followed by KeePass. Anyone else want to chime in?

I am not an IT person.  I am just a person who has passwords.  I do not value being able to access my financial accounts on computers outside of my home.  I have a dumbphone, so it doesn't need password access either.

I have been using KeePassX, which is cross-platform (and is, to my knowledge, the same program as KeePass).  I like that things are stored on my computer instead of the cloud.  I like that it will generate random passwords that are as long as I want and that I can limit the character set for those stupider websites that don't allow special characters.  It will also store answers to those security questions, so "Mother's maiden name" can be "ALargePileOfRocks" or "amsdiutpc384p9c!@#$%^&*("  I appreciate the auto-type feature, where you can set up a hot-key sequence that will allow you to press three keys and log in to a specific website.  This last part can be a bit fiddly.  Finally, I can set reminders for me to change the passwords on specific sites every week/month/six months/etc.

Also, I would like to complain that Merrill Lynch, for the account I had through an employer, required a six-character password with JUST letters and numbers, no special characters.  See confirmation here.  What the heck.  I hope this has been changed since the time I left that employer and closed that account.

[joonifloofeefloo]

I went with Dashlane (per accessing/swapping computers all over the lands). Love it! Thanks very much to everyone who has participated in this thread. That had been on my to-do list for a looooooooooong time, just didn't have the info I needed til this thread.

[Spork]

Also, I would like to complain that Merrill Lynch, for the account I had through an employer, required a six-character password with JUST letters and numbers, no special characters.  See confirmation here.  What the heck.  I hope this has been changed since the time I left that employer and closed that account.

I briefly had an online account with them a little over a year ago -- though directly with ML, not through an employer.  No special characters were allowed, but they allowed up to 20 characters. 

I've been amazed how many folks have silly/differing requirements.... differing ideas of what a "special" is... none allowed at all, etc.

[With This Herring]

Also, I would like to complain that Merrill Lynch, for the account I had through an employer, required a six-character password with JUST letters and numbers, no special characters.  See confirmation here.  What the heck.  I hope this has been changed since the time I left that employer and closed that account.

I briefly had an online account with them a little over a year ago -- though directly with ML, not through an employer.  No special characters were allowed, but they allowed up to 20 characters. 

I've been amazed how many folks have silly/differing requirements.... differing ideas of what a "special" is... none allowed at all, etc.

I'm just now finding this:

Enter and confirm your new Password. It must be 6 to 12 characters, using letters and numbers and no special characters (e.g. ?, *). Your Password should be unique to you and difficult for others to guess.

I think they have different requirements for different types of accounts.  For the employer account, my username was my account number.

[katsiki]

Finally, I can set reminders for me to change the passwords on specific sites every week/month/six months/etc.

Thanks for mentioning this!  I didn't realize it did this.  I use KeePass and will have to look into that feature.

[Abe]

I have a question about the security of the fingerprint detector on the Iphone. Assuming it's not stolen by someone who has recreated my fingerprint, is there a program that can use that to unlock a list of passwords stored on the phone for you to type into a computer or elsewhere?

[billybob]

easy way and cheap way to do it, is in gmail, open a draft and write it all down there, the draft will always save and you'll always have access to it

[Maurits28]

I'm surprised nobody mentioned Enpass. I use it for a long time now, very satisfied. It stores your password file locally, encrypted with one master password. https://www.enpass.io/


If you want to sync between devices, it can store the passwordfile on your personal Google drive or any of the other popular cloud services, or your own cloud server. So there is no central 'cloud' to be attacked like with LastPass. And even if they attack your personal Google Drive, they won't have the master password to decrypt it.

For computers it is free, if you want to add a mobile device, you pay once (no annual fees) per device. Which I think is reasonable.

It has a password generator where you can adjust the 'recipe'. It comes with plugins for Chrome/Firefox to store and automatically fill in passwords in your browser (if you want that), it runs on all platforms like Mac, Windows, Linux, Android, iOs etc.

[AshStash]

I have a question about the security of the fingerprint detector on the Iphone. Assuming it's not stolen by someone who has recreated my fingerprint, is there a program that can use that to unlock a list of passwords stored on the phone for you to type into a computer or elsewhere?

1password lets you access your passwords with your fingerprint (instead of your master password) on iOS devices

[tp_from_ks]

Any thoughts on Safari or other browsers that have password storage features built in besides what's been said about risk of cloud data?

I used Keepass for years before the majority of my computer usage changed to smartphone / tablet. Now I find Safari integration way too convenient for most things except financial accounts.