Concern about password manager

Topic

New Reply

I just installed Roboform Everywhere and have a concern. If someone gets access to my computer, they can just log into all the sites for which I have saved a password! That seems awfully insecure. I take pretty good care of my laptop, but it might get stolen. Then I would have a real problem. I am considering uninstalling Roboform. Please tell me your opinion about this concern.

Reply | Quote

Replies

I don’t use a password manager but seems to me there’d be a Master password needed to access the program’s data.

Before you wonder "Am I doing things right," ask "Am I doing the right things?"

Reply | Quote

Bill,

I don’t have RF Everywhere but I do use RF Desktop and it requires a master password I’d assume that RFE does also?

If so loosing your laptop should require the finder to know 2 passwords! Your Laptop’s logon password and your RFE master password. These should both be of sufficient length and complexity to make this almost impossible. If you have bitlocker available you can add another level of complexity as clearing the logon password isn’t all that hard for the knowledgeable PC user. HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Bill,

I don’t have RF Everywhere but I do use RF Desktop and it requires a master password I’d assume that RFE does also?

If so loosing your laptop should require the finder to know 2 passwords! Your Laptop’s logon password and your RFE master password. These should both be of sufficient length and complexity to make this almost impossible. If you have bitlocker available you can add another level of complexity as clearing the logon password isn’t all that hard for the knowledgeable PC user. HTH :cheers:

The laptop’s Windows logon password is easily bypassed by any moderately knowledgeable thief.

Jerry

Reply | Quote

First rule of PC security is if you lose physical control of the device you have no security.

Joe

--Joe

Reply | Quote

I wouldn’t be without my password manager – I can’t possibly remember all the details about all the sites I use. I have a long and complex password and a re-lock timeout of 5 minutes, plus lock on Windows logout / sleep. I sleep happily!

cheers, Paul

Reply | Quote

Jerry,

Didn’t I say that? :confused: :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

I imagined that what you are talking about is sitting down at your device, logging in and then- whatever- use your imagination.

the steps you might take are:

1. right click on the roboform symbol, at the top of the menu box select ‘logoff’ a symbol of a key.
2. ditto step one, part one, then select options, then select security, finally set up your “auto” log off. However you want it to be.

The whole idea of a master password manager is convenience. If you sign in to RF and then get up and walk away, then beware.

Reply | Quote

Roboform Everywhere uses a master password. You can set roboform to logoff with a variety of options. You set these options by going to Roboform Options/Security.

Reply | Quote

Thanks to all for your replies. I’ll delve deeper into RoboForm’s setup.:)

Reply | Quote

Actually, RG, RoboForm Desktop does not _require_ a master password. When it asks you for one when you install or update, clicking cancel at that window installs it without a master password.

Reply | Quote

Actually, RG, RoboForm Desktop does not _require_ a master password. When it asks you for one when you install or update, clicking cancel at that window installs it without a master password.

Rodsmine,

Yeah but who would do that? 37551-headbang Oh yeah, all those people getting millions from Nigerian diplomats! 35623-ROTFLOL

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

…Yeah but who would do that?…

Actually I regularly have to help customers who have forgotten passwords.

There are ways of discovering passwords previously used on a PC.

Am not going into detail (don’t want to make it any easier for the baddies) but it is not terribly hard to recover any passwords you have used on your computer – it only requires certain knowledge about how Windows stores passwords and how to access those stored passwords.

Advise against using “RoboForm” or any other “login manager” – they are too easy to “crack”.

Rather, keep a notebook for your computer in which you write down details of each login, but keep the notebook separate from your computer (especially if it is a laptop or other mobile device).

Since you must use a “password manager” such as RoboForm, etc., at least if you have maintained a separate notebook you can go in and change passwords in the sad event that your laptop (or other device) is stolen.

Reply | Quote

Advise against using “RoboForm” or any other “login manager” – they are too easy to “crack”.

Seriously? So you have software to easily crack AES 256 bit encryption coupled with a few thousand PBKDF2 iterations? You should post a technical article about that, I am sure it would have a huge impact in the field of cryptography.

Reply | Quote

Seriously? So you have software to easily crack AES 256 bit encryption coupled with a few thousand PBKDF2 iterations? You should post a technical article about that, I am sure it would have a huge impact in the field of cryptography.

Sorry, I didn’t explain properly.

What I meant was that it is not terribly hard to discover passwords stored on a Windows computer. Once the “master password” is discovered by an intruder, then the intruder can access any other login details (usernames & passwords) stored in programs like “RoboForm”, “Dashlane”, etc. By “intruder” I mean someone who has gained physical access to the computer, whether a thief, prankster, or other baddie.

When I am asked to help with lost or forgotten passwords, it most often involves email accounts, but sometimes Windows user account passwords.

Reply | Quote

I hope this is not off-topic, but I thought I’d post what I, a retired non-techie, do vis a vis a password manager etc.

I happen to use LastPass, but the principles are the same I believe:
I have a master password for LastPass.
All my sites that use a password are encrypted in Steganos Locknote.
I use LastPass to “remember” the sites I want to log-on to automatically.
For the other, I look them up in Locknote and copy the unencrypted password as neccessary.

I keep a copy of everything that is in Locknote (copied to a Word document, in the clear) that I keep in my bank safe deposit box.

That way, if I pass, my wife and/or 2 kids (none of whom is very technical) can “take care of business.”

Still here, and gaining much useful information here at WindowsSecrets.

Best,
Dick

PS,
Periodically I run the “security check” that LastPass offers; and I make sure that I have no duplicate passwords, and they are all “strong.”

Reply | Quote

Running 2 password managers is a bit over the top I think. I use 1 for everything.

cheers, Paul

Reply | Quote

Thanks for clearing that up.

Indeed the weak point of the password managers is the single password, even if it is one of its most valuable features – that is, the fact that such password is the only one a user needs to remember.

Some password managers allow you to configure the use of two step authentication, based on a mobile phone, to allow access to their stored passwords (and other data). That is a mechanism to add a bit more security and makes a password manager’s weakest link a bit stronger.

So, for normal use, I think password managers who have these features can be used with some advantage over alternative methods. I do use one and I couldn’t go back to the time where I didn’t use it. Plus the smartphone scenario adds a bit more complexity to the situation, unless the password manager is supported, which is very useful when it happens.

Reply | Quote

The essence of a Password Manager is the Master password, so if it is “not terribly hard to discover”, what is the point?

Reply | Quote

The essence of a Password Manager is the Master password, so if it is “not terribly hard to discover”, what is the point?

Maybe instead of just “not terribly hard to discover” I should have stated “not terribly hard to discover for a competent computer programmer/technician/hacker/other who has advanced skills and knowledge about how these things work”.

While I generally advise against using “password manager” programs I recognise that most ordinary users find advantages in using these programs, mostly simple convenience.

However, in certain situations failure to keep records of username/password details separate from the computer (e.g.: as I have previously stated, by writing them into a notebook kept separate from the computer) can easily result in serious inconveniencies.

Hypothetical scenario: you are using “RoboForm” (or some other password manager) on your laptop; you go on a trip somewhere, during which your laptop is stolen; if you don’t have a separate record of all those login details (usernames/passwords) do you really think it is going to be easy to recover? And in the meantime(while you are recovering) there is a strong likelihood the thief can access all those stored logins if the thief is savvy enough to discover your “master password”.

Is it really worth risking not keeping a separate record?

Reply | Quote

Is it really worth risking not keeping a separate record?

Again, some of the password managers allow access to your data from anywhere you can use an internet browser or even from your phone. In that case, the need for a separate record diminishes. There is also the possibility of exporting the data to a file, which you can maintain encrypted, using something as simple as WinZip (again using encryption like AES 256 bit) and store somewhere you know you can access even if a computer is stolen. I would favor this option over a physical notebook.

Reply | Quote

Again, some of the password managers allow access to your data from anywhere you can use an internet browser or even from your phone. In that case, the need for a separate record diminishes. There is also the possibility of exporting the data to a file, which you can maintain encrypted, using something as simple as WinZip (again using encryption like AES 256 bit) and store somewhere you know you can access even if a computer is stolen. I would favor this option over a physical notebook.

Obviously for your purposes keeping a separate notebook would be somewhat superfluous. But most of my customers lack the degree of comfort with these newer technologies you obviously possess.

Typically, my customers have one computer (and maybe a touchpad), which is/are shared by husband & wife; usually either husband or wife takes overall control and the other partner is subservient.

All is fine until something goes badly wrong (HHD failure, “grandkids stayed the weekend”, virus infection, etc.)

Suddenly they can’t access their email, online banking, or some other functionality, because there is a problem of some kind with their login (usually password). This is why I say it is a very good idea to record such login details manually in a separate notebook kept somewhere conveniently accessible but not nearby the computer.

Reply | Quote

Obviously for your purposes keeping a separate notebook would be somewhat superfluous. But most of my customers lack the degree of comfort with these newer technologies you obviously possess.

Typically, my customers have one computer (and maybe a touchpad), which is/are shared by husband & wife; usually either husband or wife takes overall control and the other partner is subservient.

All is fine until something goes badly wrong (HHD failure, “grandkids stayed the weekend”, virus infection, etc.)

Suddenly they can’t access their email, online banking, or some other functionality, because there is a problem of some kind with their login (usually password). This is why I say it is a very good idea to record such login details manually in a separate notebook kept somewhere conveniently accessible but not nearby the computer.

Yes, I understand your point of view. I suppose we all need to adapt to the specific circumstances we need to deal with :).

Reply | Quote

Dick-Y
If you are cut&pasting out of your Steganos Locknote program may I ask you if you have encountered the situation where (presumably for security reasons :confused:) pasting does not work and if so if you have found a workaround?

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

I am so tired of writing down all the passwords I made up, then have problems finding them in the book I use.

Do I need to be a techie to use these programs?

thanks again for your input.

Glenda

Reply | Quote

I am so tired of writing down all the passwords I made up, then have problems finding them in the book I use.

Do I need to be a techie to use these programs?

thanks again for your input.

Glenda

You don’t need to be a techie. The one I use, LastPass, fills the information for you automatically, in most cases. It asks if you want to save any login details, when they change or the site is new and is not saved. It’s rather easy to use. I am a complete convert, now (I started using it around 2 years ago).

Reply | Quote

Glenda,

No you do not need to be a techie. However, you will have some learning curve as with any new program. Read the documentation be it printed or online and you’ll at least have the basics. Then of course you can always ask questions on the finer points here as well as the manufacture’s web site. FWIW my favorite is RoboForm, Desktop version as I personally don’t like the idea of storing my passwords on the cloud no matter how many assurances are given.

HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

If you want to be a techie have a go at KeePass. You can make it do all sorts of things, but you have to do most of the work manually.

cheers, Paul

Reply | Quote