• Password managers can let you down

    #493606

    I’ve long been puzzled by the enthusiasm many people have for password managers such as LastPass, which is my choice. Every once in a while I come across a situation in which I breathe a great sigh of relief knowing that I didn’t commit myself completely to a password manager. A few minutes ago is an example. I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn’t recognize the new logon screen and fails to enter anything. After entering my ID manually, the screen is redrawn and asks for my password. Again, LastPass fails to enter anything. I am happy that I have used a low-level password there that I can remember easily. If I had used one more difficult to remember or, heaven forbid, allowed LastPass to create one for me, something truly random-looking, I would be totally at the mercy of LastPass. At this stage, I could go to my “vault” on the LastPass site and look up the password. But if something happened to LastPass or its site, I would be barred from Syncplicity forever.

    I think passwords are a terrible measure for security. If you get too fancy with them in an effort to achieve ultimate security, you put yourself at risk of losing access to your data. If you use simple passwords, or re-use the same one at multiple sites, you put yourself at risk of being hacked.

    • #1441837

      David, You made a very good point so I thought I would check. I disabled my router but could still get my passwords in LastPass using Google Chrome. I guess this means they are stored locally and synced.

      However, I too share your concerns so keep an encrypted backup in MiniKeePass on my phone. A little bit of a pain to keep MiniKeePass updated but not as much as being locked out whilst I’m away from PC.

      • #1441924

        > David, You made a very good point so I thought I would check. I disabled my router but could still get my passwords in LastPass using Google Chrome. I guess this means they are stored locally and synced.
        >
        > However, I too share your concerns so keep an encrypted backup in MiniKeePass on my phone. A little bit of a pain to keep MiniKeePass updated but not as much as being locked out whilst I’m away from PC.

        If you agree to pay $1 / month, you have access to the mobile version of LastPass, which allows access to everything in your LastPass vault.

    • #1441841

      Actually, hacking individual passwords is a low occurrence event compared to data breaches like the recent Target, Macy’s situation. Now Sears is investigating a similar data breach. I’ve never read of a case where an individual password was hacked on line. I’ve quit obsessing about strong passwords and just try to ensure they are different on the sites I really care about – mainly financial.

      Jerry

      • #1442059

        Judging from the number of times my friends have had their email accounts taken over by spammers, I’d say password breaking is extremely common.

        Yes, I agree that serious sites need passwords that are more complicated than everyday passwords.

    • #1441911

      This is one reason for not using an on-line, automated login, password manager. I use a local manager that only enters credentials when I ask it to. I can store the database anywhere I want – I have several copies – and it will run on any device I want to use. I can even load the manager software on a PC I’ve never used and access my database in the cloud, or on a USB stick.

      cheers, Paul

    • #1441921

      Paul:
      Which one do you use, out of curiosity?
      Dick

    • #1441923

      > I’ve long been puzzled by the enthusiasm many people have for password managers such as LastPass, which is my choice. Every once in a while I come across a situation in which I breathe a great sigh of relief knowing that I didn’t commit myself completely to a password manager. A few minutes ago is an example. I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn’t recognize the new logon screen and fails to enter anything. After entering my ID manually, the screen is redrawn and asks for my password. Again, LastPass fails to enter anything. I am happy that I have used a low-level password there that I can remember easily. If I had used one more difficult to remember or, heaven forbid, allowed LastPass to create one for me, something truly random-looking, I would be totally at the mercy of LastPass. At this stage, I could go to my “vault” on the LastPass site and look up the password. But if something happened to LastPass or its site, I would be barred from Syncplicity forever.
      >
      > I think passwords are a terrible measure for security. If you get too fancy with them in an effort to achieve ultimate security, you put yourself at risk of losing access to your data. If you use simple passwords, or re-use the same one at multiple sites, you put yourself at risk of being hacked.

      Are you aware that you can use the LastPass browser add-on, browse the sites list, choose a site, right click it and then have several options to access the password (and the username):

      1. use the option to copy the password and then paste it wherever you need.
      2. choose edit, to edit the login details, which allows you to change the password or simply view it, by clicking the icon that mimics an eye.

      If you have a problem with a site, like the one you reported here, the LastPass add-on has the site at the bottom of its dialog, so you just have to click it to access the Edit, Copy Username and Copy Password options. You can use any of them to gain easy access to your login data.

      So, I am sorry, I can’t agree with your comment at all. Maybe you didn’t know about these options, but they are there and they aren’t really that hard to find. LastPass allows you to use it in multiple ways, from a completely automated login scenario to a totally manual situation, with other options in between – such as the option to copy username and copy password, that you can then paste wherever you need.

      I have yet to find a situation where LastPass has failed me, and this includes using the mobile version to access some websites from my phone. Sometimes on the phone, where there is no browser add-on, I just open the app, use the option to copy the password and just paste it, to login to a website. Now I always use complex passwords and don’t even bother trying to remember any password, any longer. I know I can access it whenever needed, be that through the browser add-on, LastPass website or on the phone.

      • #1442058

        Yes, I did realize that I can go to my LastPass online “vault” and get the password there, then go back to the webpage and enter it manually. In fact, that’s what I did. But at that point I began to worry about the next possibility. What if something happened to LastPass and I’d used an impossible-to-remember password? I’d be locked out permanently. Maybe I’ll look into the suggestion above of a local password manager.

        • #1442071

          > Yes, I did realize that I can go to my LastPass online “vault” and get the password there, then go back to the webpage and enter it manually. In fact, that’s what I did. But at that point I began to worry about the next possibility. What if something happened to LastPass and I’d used an impossible-to-remember password? I’d be locked out permanently. Maybe I’ll look into the suggestion above of a local password manager.

          No, it’s not like that. If you are on the site, LastPass allows you immediate access to your details, they are accessible through the list at the bottom of the browser add-on dialog, no need to go to any vault.
          Also, LastPass add-ons keep local encrypted copies of your passwords, so you don’t even need internet access either to login to LastPass or to access passwords from the list. Plus, LastPass allows you to export all your passwords, to csv format (not advised, unless you then encrypt it yourself) or to an encrypted file, which you can then import again, to LastPass, in case you need.

          In Windows 8, there is a LastPass app that, again, if used before, will keep a local encrypted copy of your data and that will work without internet access, so in the event of LastPass being down, would allow you access to anything you need.

          The problem with password managing is pretty similar to the problem of backups. Should you keep only local backups? Should the cloud be used? Wouldn’t it be better to use both? Can a cloud outage be overcome?

          All these questions can be answered and have been answered by LastPass’s features. My appreciation for LastPass results from all these possibilities having been covered – there are local copies of your data, which is kept encrypted and no data travels to the server without encryption. The fact that you add the cloud, means that even if your computer has issues, or you are away from your computer, you will have a copy of your data safely accessible, either through a safe computer or a smartphone app. You can also activate two-factor authentication, providing an additional measure of security.
          The fact that all the apps (both browser extensions and local apps, such as in Windows 8) work even without Internet access, offers the guarantee that even a cloud outage can be overcome. Finally, you can have copies of all your data exported, which is really the final guarantee.

          LastPass is clearly a well thought product and the fact that you may have not asked all these questions before, doesn’t mean others haven’t asked them, starting with LastPass itself.

          To finish this, I will add that I don’t know of a website that doesn’t allow you to reset a password, which adds yet another solution if things get horribly wrong.

          Now do your own check and ask yourself if your (or any) local password manager offers all these guarantees.

          • #1443000

            +10 for LastPass. Using a local password manager (KeePass for example) works great if it’s just you AND you never lose the stupid thumb drive. I live in a household and the idea of trying to keep multiple independent password keepers in sync is a logistical nightmare. That’s why I’ve opted for LastPass. Encrypted remotely. Encrypted locally. Available on pc, laptop, mac, windows, droid, kindle, you name it. I can download a copy of the password in the event that LP goes dark. Totally complex usernames and passwords for every site that I don’t have to remember. I totally love this product.

            As a side note, the only problems I’ve ever had with ‘hacking’ were all physical attacks. I had my cc number used without permission, most likely stolen from a place of business by the cashier and banking data stolen when an employee of a check processing center left with a box of tapes. My on-line life (which started with CompuServe in ’85 or ’86) has actually been pretty calm so, while there are concerns, I don’t sweat it all that much.

          • #1444463

            I have been using LastPass for a couple of years, with no complaints.
            I would like to check something about how it works, from the more knowledgeable folks here.

            I believe that there is an encrypted copy of my vault stored at LastPass.
            In addition, there is a local copy of my vault stored on my laptop, where I use it frequently. In fact, that local copy is how LP can still tell me about my userids and passwords even when I am not connected to any network at all, right?

            Now, on rare occasions, I use my wife’s laptop, which is setup for two users. So I log in to my own username on that machine (it is Windows XP at the moment, will be Win 7 soon), then use the installed copy of LastPass to sign in to some website. I think it UPDATES the local copy of the vault at that time, thus keeping the vault synchronized at all three places (LP server, my laptop, her laptop).

            Is that correct or do I have a misunderstanding?
            Thank you.

    • #1441943

      I use KeePass, which is open source. It doesn’t automatically add entries to the database or automatically fill them in, but it’s secure, reliable and portable.

      cheers, Paul

    • #1442388

      The best password manager is your brain! Create a password that means something to you in the context of the site, and use that to remember the password. Say you are on your banking site – try something obscure like bUtchsUn1890 – Butch and Sundance 1890……. this is the second month, so the second letter of the two words are uppercase….. and then change each month! No hacker will try to get that, and it will be easy to “re-generate” your password using a system of working out where you are and what your password should be.

      What I am trying to indicate is that you don’t need to necessarily remember your password (but that works too!) you just need to remember the system – much easier to remember, and it will be far more effective because you can build in automatic changes…..

      • #1442403

        > The best password manager is your brain! Create a password that means something to you in the context of the site, and use that to remember the password. Say you are on your banking site – try something obscure like bUtchsUn1890 – Butch and Sundance 1890……. this is the second month, so the second letter of the two words are uppercase….. and then change each month! No hacker will try to get that, and it will be easy to “re-generate” your password using a system of working out where you are and what your password should be.
        >
        > What I am trying to indicate is that you don’t need to necessarily remember your password (but that works too!) you just need to remember the system – much easier to remember, and it will be far more effective because you can build in automatic changes…..

        That only works if you have a few websites. Have more than a few and the specificity of each will be hard to remember. I know because that’s the way I did it before. Once I moved to LastPass, things became a lot easier. Not only remembering them was no longer needed, but the actual passwords used could be longer and more complex and actually unique, since you no longer depend on a “generation algorithm”.

        • #1442408

          ruirib, I have read all your replies and it seems you really know what you’re talking about. My question has always been, “how do we know that the Password manager site will not or can not be hacked?” Seems they would be a prime target for some super computer savvy hacker, knowing they could get passwords to so many financial web sites. And is it not true that all someone would have to have is the information you use to access the password manager? And speaking of that, I assume you change that information on a regular basis; how do you remember it?

          • #1442413

            > My question has always been, “how do we know that the Password manager site will not or can not be hacked”

            Yes, this is the real issue for me. I don’t trust anyone with my passwords, not even a password manager. That’s why I use a system as described above, based on long pass phrase (not a password) to which I add a letter (at the beginning, end, or somewhere in the middle) from the URL of the site I’m visiting. That makes it unique for each site.

            So the pass phrase “MyAuntSuzyIs62AndBoughtTonsOfFeathers”. Then you might replace ‘Of’ with the second letter of the domain name of the site. So for ‘www.example.com’ the pass phrase is “MyAuntSuzyIs62AndBoughtTonsxFeathers” and for ‘www.amazon.com’ it becomes “MyAuntSuzyIs62AndBoughtTonsmFeathers”.

            This isn’t my real system ;-), but you can see how easy it would be to invent your own. And I guarantee the more bizarre your passphrase is, the more impossible it will be to forget it.

          • #1442428

            > ruirib, I have read all your replies and seems you really know what your talking about. My question has always been, “how do we know that the Password manager site will not or can not be hacked” Seems they would be a prime target for some super computer savvy hacker, knowing they could get passwords to so many financial web sites. And is it not true that all someone would have to have is the information you use to access the password manager. And speaking of that, I assume you change that information on a regular basis, how do you remember it.

            Well, you need to presume that it can be hacked, so the question is how do they protect against it. Encryption is the key and topshot has addressed it already – if the cost to decryption is high enough, you can feel reasonably safe.

            There has been a situation in the past where LastPass notified users of suspicious activity in their network. They were transparent about it and a hack was never confirmed. There was no news of any users complaining about having any of their accounts exploited. You are, obviously, placing some trust in the provider, trusting them to monitor their servers and network and always making sure they have the very best possible encryption technology to provide some assurance to their users.

            Your master password is your encryption key, so it must be a good one. The password can be changed by logging in to your account at LastPass’s website.

            • #1442431

              I use RoboForm as my password manager. This is an entirely on the computer program and storage and is quite secure. I don’t trust storage of passwords in the cloud or on off-computer sites. I make a copy of all of my passwords on paper and place them in a bank safe deposit box. I change all important passwords with totally random, long passwords every three months, especially those involved with finances and personal and health matters.

        • #1442499

          Just wanted to put in a word for Roboform, which I have used for many years. As with Keepass, it has many features which allow it to accommodate various situations. I regularly backup my Roboform database locally and (encrypted) on a cloud server, and I keep the database on a flashdrive with a “to-go” app. Keepass is undoubtedly a fine password manager, but there are others.

        • #1442964

          I have discovered yet another problem with the Chrome PW keeper. It never seems to forget, even if you ask it to! My bank uses a series of security questions (among other things) to increase the security. When I attempt to log in, using my userid, it enters whatever I answered the last time I answered one of the security questions! Then it errors out, and each time it enters a DIFFERENT answer, until the third attempt and then it locks me out! I have unchecked all the boxes in Chrome, yet it still tries to guess the answers. It’s such an aggravation that I am near to pulling what little hair I have left, OUT! Password keepers just seem to me to be an ideal way for someone to hack into your system. Not really worth the trouble.

    • #1442392

      > I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn’t recognize the new logon screen and fails to enter anything.

      LastPass sometimes doesn’t recognize new login screens. That’s when you need to re-train it for the site. Next time use the Save All Entered Data option (video explanation at the bottom).

    • #1442401

      Password manager or system? Either is good provided you learn how to use it. I have spent the last ten years trying to educate our local seniors computer club to stop putting passwords on post-it notes by the side of their computers and to stop using the same password for everything. It is very clear to me that the biggest vulnerability in most computer systems is the user. There are many free password managers; use one and learn to use it effectively and make sure that you have backups of the database. I use KeePass and it works for me on Windows PCs and laptops as well as Android Phone and Tablet and on my Linux systems. I haven’t tried it but I believe it has unofficial support on OSX, iOS, Blackberry and Palm OS. So it doesn’t matter what combination of devices you have, you can use the same database. I automatically keep two cloud based copies and three local backup copies to keep me feeling comfortable with what has become an essential tool. http://keepass.info

    • #1442414

      LastPass can and has been exploited. However, all your data is still encrypted and would take a LOOOOONG time to decipher even with multiple supercomputers. Now if the hacker also knew your master password….

      • #1442444

        > LastPass can and has been exploited. However, all your data is still encrypted and would take a LOOOOONG time to decipher even with multiple supercomputers. Now if the hacker also knew your master password….

        Actually, your data is not just encrypted, but is ‘salted’ and encrypted. https://en.wikipedia.org/wiki/Salt_(cryptography)
        Even if your passwords are weak, it would be very very difficult to crack them even if LastPass was hacked and someone acquired access.

        • #1442446

          I use LastPass and mostly have it generate a password for me. As I’m doing that, I open my separate (encrypted) password list and enter the new information. The password and any additional stuff like “Secret Questions” is always duplicated. LastPass could fold and I would lose only the convenience.

    • #1442423

      LastPass also provides another level of protection that not many know about. If you travel overseas LastPass will not allow you to access your vault from the foreign country. It is necessary to inform LastPass that it is OK to use the vault from the foreign location. So if some person overseas should try to use your LastPass password it would do them little good. LastPass needs to send you an email and you click on a link to allow access from a foreign country. Many of the compromises come from overseas and adding this level of protection is desirable.

    • #1442426

      LastPass definitely has its strengths and weaknesses, but all-in-all I find it the best pw manager for me. There is no danger of lastpass “going away” and losing your passwords because they are stored locally, encrypted on your computer (or mobile device). For example, if you’re on your phone, wifi tablet, etc, and don’t for whatever reason have internet access, you just log in and check the “force local login” box to use the local copy. This causes lastpass to use the local encrypted copy instead of the one stored on lastpass.com.

      Lastpass.com is targeted by hackers, certainly. But the good part is, your passwords are only stored on their servers in encrypted form. Your master password unlocks them, and it is never transmitted to lastpass. That is why if you forget your master password, all your passwords are lost and lastpass cannot help you since they don’t know it.

      Is it theoretically possible that some hackers could gain access to data on lastpass.com’s servers, obtain your encrypted passwords, and decrypt them? Yes. But they would need to be using extremely powerful computers and even then it might take years (millennia) to break the encryption. So, I’m cool with that.

    • #1442443

      I use Password Safe, which requires you to select your site to be accessed, then click-and-paste your username and password. A bit longer than the tools that automatically paste in these items, but never causes a problem if the site you are trying to access changes its code. It also allows you to go in and unhide the password when you hit that rare website that won’t allow copy-and-paste to enter the password. As with other such programs, you only need to remember your master password to access it.

      • #1442459

        > I use Password Safe, which requires you to select your site to be accessed, then click-and-paste your username and password. A bit longer than the tools that automatically paste in these items, but never causes a problem if the site you are trying to access changes its code. It also allows you to go in and unhide the password when you hit that rare website that won’t allow copy-and-paste to enter the password. As with other such programs, you only need to remember your master password to access it.

        I use Password Safe too and have done for about 10 years.

        I currently have 623 passwords in 33 groups of folders, subfolders, sub-subfolders, etc.

        It does exactly what it says on the tin. 😉

        It was probably the inspiration for LastPass, KeePass, etc. Not that that is a bad thing… 🙂

        Nil illegitimi carborundum

    • #1442447

      I use lastpass and like it a lot. One thing I have wondered: Is it safer to use the autologin feature for sites rather than typing in my lastpass master password to login to a site? Would the autologin potentially avoid a keylogger hack?

    • #1442461

      I use LastPass, which I find very convenient, but also have memorized a several step algorithm in building unique passwords that allows me to manually enter a password should I not be able to use the LastPass service. I believe the idea for the algorithm was suggested by Fred Langa long ago, before his current association with Windows Secrets. It simply involves having a root term that is used in every password, for example “mouse”, and prefixing it with part of the domain name of the website requiring the password, say, for example, on this website (domain name: windowssecrets.com) the first four letters “wind”.

      I also have a couple of other steps in the algorithm, such as using the special characters above the keys 1,2,3,4,5 (!,@,#,$,% – QWERTY keyboard) for the vowels a,e,i,o,u and capitalizing the second letter of the prefix. But these simple memorized steps allow me to build passwords such as “wIndm$%s@” for the windowssecrets.com domain which are rated as very strong by most password evaluators, but allow me to recreate them easily should I find myself without the services of LastPass.

      I have been using this system for many, many years now and have rarely had a problem remembering the password for a site. But one problem I have been experiencing is that here in the age of mobile devices, one cannot always expect to be using a QWERTY keyboard, around which this algorithm is somewhat dependent. What I didn’t mention above is that I also use a letter key offset when building my domain name prefix, for example, one key to the right of the original letter, so that the password above would be “eOmfm$%s@”. So I have been giving some thought to modifying my algorithm to be keyboard independent, but I haven’t settled on any new rules yet.
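
The memorised steps described in this post, written out as code so each step can be checked against the two passwords the post gives. This is an added example, not the poster's own code or tool; the vowel-to-symbol map and the one-key-right offset follow the post, while the US QWERTY row strings and wrap-around at the end of a row are assumptions.

```python
"""Reconstruction of the post's password-building steps (added example).

Steps, as the post describes them:
  1. prefix  = first four letters of the site's domain name
  2. prefix  = optionally shift every letter one key to the right (QWERTY)
  3. prefix  = capitalise the second letter
  4. root    = "mouse" with vowels replaced by the shifted digit symbols
  5. password = prefix + root
"""

# a e i o u -> the symbols above 1 2 3 4 5 on a US QWERTY keyboard (from the post).
VOWEL_SYMBOLS = {"a": "!", "e": "@", "i": "#", "o": "$", "u": "%"}

# Assumption: US QWERTY letter rows; a letter at the end of a row wraps to its start.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

ROOT = "mouse"  # the root term used in every password (from the post)


def prefix_from_domain(domain: str, length: int = 4) -> str:
    """First `length` letters of the registrable label, e.g. windowssecrets.com -> wind."""
    label = domain.lower().split(".")[0]
    return label[:length]


def shift_right(text: str) -> str:
    """Replace each letter with the key immediately to its right on the same row."""
    out = []
    for ch in text:
        low = ch.lower()
        for row in QWERTY_ROWS:
            if low in row:
                nxt = row[(row.index(low) + 1) % len(row)]
                out.append(nxt.upper() if ch.isupper() else nxt)
                break
        else:
            out.append(ch)  # non-letters are left unchanged
    return "".join(out)


def capitalize_second(text: str) -> str:
    """Upper-case the second character, leaving the rest as-is."""
    if len(text) < 2:
        return text
    return text[0] + text[1].upper() + text[2:]


def substitute_vowels(text: str) -> str:
    """Swap a/e/i/o/u for ! @ # $ % (the keys above 1..5)."""
    return "".join(VOWEL_SYMBOLS.get(ch, ch) for ch in text)


def derive(domain: str, key_offset: bool = False) -> str:
    """Build the site password from the domain using the steps above."""
    prefix = prefix_from_domain(domain)
    if key_offset:
        prefix = shift_right(prefix)
    prefix = capitalize_second(prefix)
    return prefix + substitute_vowels(ROOT)


def common_suffix_len(a: str, b: str) -> int:
    """How many trailing characters two derived passwords share.

    Every password from this scheme ends in the same transformed root, so
    only the prefix differs between sites; this measures that shared part.
    """
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


if __name__ == "__main__":
    print(derive("windowssecrets.com"))                  # wIndm$%s@ (matches the post)
    print(derive("windowssecrets.com", key_offset=True))  # eOmfm$%s@ (matches the post)
    print(common_suffix_len(derive("windowssecrets.com"), derive("amazon.com")))
```

Running it reproduces both passwords quoted in the post and shows that two sites' passwords share their last five characters, which is the property the reply below about non-random passwords is concerned with.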

      • #1442465

        You can export your site information and form fill data to an external file, and you can protect those files if you want. If LastPass has issues, the info is still there.

      • #1442969

        This is quite out of my field of knowledge, but I believe any password that is other than a completely random set of characters is vulnerable to decryption. The length of time (or cost) to decrypt the password will depend on the length of the key and the number of permutations in the character set. So, any key built with an algorithm is less than random regardless of the complexity of the algorithm. Someone with more knowledge of this topic might wish to comment? Also, I believe this is what compromised the Enigma machine for the German army/navy in WWII.

        • #1443027

          > I believe any password that is other than a completely random set of characters is vulnerable to decryption

          All passwords can be decrypted, it’s the time required to do so that stymies attackers. The biggest factor here is password length as any attack must test all possibilities up to the length of your chosen password, so the longer the password the more possibilities exist – we are assuming the attacker does not know the password length.
          A relatively simple password that is 20 characters long is inherently more secure than a short random password, plus it’s easier to remember.

          Test these two passwords at GRC and see how you get on.
          onetwothreefourfives
          fZ;@0-*z+`

          cheers, Paul
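
An added example (not from the thread) that works Paul's two test passwords through an exhaustive-search estimate of the kind a "haystack" calculator like GRC's makes (an assumption about that tool's method), and then through the dictionary model that estimate ignores. The 1,000-word list and the guess rate of 10^9 per second are constructed assumptions.

```python
"""Keyspace estimates for the two passwords in the post above (added example)."""
import math
import string

# Character classes an exhaustive search must cover once it knows they are
# in use; 26 + 26 + 10 + 33 = 95 printable ASCII characters in total.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

# The two passwords Paul asks readers to test, copied from the post.
SIMPLE_LONG = "onetwothreefourfives"
RANDOM_SHORT = "fZ;@0-*z+`"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    used = {name for ch in password for name, members in CLASSES.items() if ch in members}
    return sum(len(CLASSES[name]) for name in used)


def brute_force_space(password: str) -> int:
    """Guesses needed to try every string of length 1..len(password) over the
    password's alphabet. Shorter lengths are included because, as the post
    assumes, the attacker does not know the length in advance."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def wordlist_space(token_count: int, wordlist_size: int) -> int:
    """Guesses if the attacker instead tries every ordered sequence of
    token_count words drawn from a list of wordlist_size words."""
    return wordlist_size ** token_count


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to run through the whole space at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(rate: float = 1e9) -> dict:
    """Both passwords under the pure brute-force model, plus the long one
    under a dictionary model. Constructed assumption: the long password is
    treated as five number-words from a 1,000-word list; the trailing "s"
    is ignored, which only makes the attacker's job look easier."""
    simple_bf = brute_force_space(SIMPLE_LONG)
    random_bf = brute_force_space(RANDOM_SHORT)
    simple_dict = wordlist_space(5, 1000)
    return {
        "simple_bits_brute_force": math.log2(simple_bf),
        "random_bits_brute_force": math.log2(random_bf),
        "simple_bits_dictionary": math.log2(simple_dict),
        "simple_years_brute_force": years_to_exhaust(simple_bf, rate),
        "random_years_brute_force": years_to_exhaust(random_bf, rate),
        "simple_years_dictionary": years_to_exhaust(simple_dict, rate),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:28s} {value:.3g}")
```

Under pure brute force the 20-letter password wins by a wide margin, which is Paul's point; under the dictionary model its search space collapses to well below that of the 10-character random password, which is the caveat a calculator that only counts characters does not show.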

          • #1443070

            Strange, I don’t see that anyone has mentioned Yubikey. Used in conjunction with LastPass and properly set up it is impregnable. And a darn sight easier than TFA. Well, as long as you don’t lose your Yubikey. I cannot get into my LP account without Yubikey from anywhere, especially my phone.
            I really wish access to my phone was tied to my Yubi as well but thats another story.
            Yubikey anyone?
            sj

            • #1444464

              This is certainly interesting, but what happens when one loses the physical YubiKey?

              > Strange, I don’t see that anyone has mentioned Yubikey. Used in conjunction with LastPass and properly set up it is impregnable. And a darn sight easier than TFA. Well, as long as you don’t lose your Yubikey. I cannot get into my LP account without Yubikey from anywhere, especially my phone.
              > I really wish access to my phone was tied to my Yubi as well but that’s another story.
              > Yubikey anyone?
              > sj

            • #1444600

              I used Roboform for years with my “Lifetime license” that I purchased to support them… Until they decided that my Lifetime had apparently outlived their usefulness. They upgraded their software and demanded additional yearly payments, even from their previously loyal users. I continued to use Roboform until it would no longer work with newer versions of browsers. I pleaded with Roboform to honor Lifetime Licenses for those of us who had supported them early in the game, and referred many other customers, and to charge the annual fees to their new users as they came on board. I received a pretty derogatory reply. I decided that if they couldn’t be trusted to honor the terms which they had initiated, I didn’t want to trust them with my sensitive information. Character matters. I’ve been a very happy and loyal Lastpass user for several years now!

    • #1442470

      I have never been comfortable with online storage of my passwords. On my Windows 7 PC, they are encrypted via EFS in a text file on my hard drive. I keep a backup copy on my hard drive but outside of the EFS envelope. That backup is encrypted by Truecrypt. Finally, I have a third copy on an Ironkey usb drive. I can travel with the IK and use its built-in browser, secure password entry, and VPN servers. It adds a little work to copy the text file after I add or change passwords, but that doesn’t happen often enough to be a bother.

      I recently started using RoboForm. I needed something to manage 50+ different logons using 25+ different passwords. It works very well with one-page logons, but can be problematic with multi-page bank logons.

      I subscribed to the Roboform Everywhere feature, expecting to use it for my iPhone. I then found out there is no way to transfer passwords from my desktop PC to my iPhone except via the company’s servers. Of course, I may be overly cautious. When uploading the Robo password file to their servers, it is encrypted locally first. So even if the Robo server is hacked, the hackers will only see the Robo file I encrypted on my PC before uploading it.

      For the time being, I am also being overly cautious with the iPhone. I have not ever used it to access any bank site, or even a purchase site like Amazon.

    • #1442474

      I use a belt and suspenders system. Dashlane is my password manager. Access to the program is of course password protected. It has a few sites where it blows the password process as noted above. Adding passwords to new sites is trouble free and it will suggest strong passwords during the process.

      However, long before I had a password manager, and to replace index cards, I put all my sites’ passwords in a table in a Word file. I still add to it even if a new one is stored in Dashlane. The Word file is stored on an encrypted USB drive which is password protected.

      Sounds complicated but only takes a couple of minutes.

    • #1442497

      And don’t forget to make provisions for your estate survivor or heirs/beneficiaries/executor so that he/she has access to your financial accounts when you shuffle off! All that stuff locked behind passwords can make cleaning up your affairs a nightmare for that person!

      I just use a password-protected spreadsheet which I print out for use beside the PC at home and in a packet for my survivors. And no, it is not named “passwords.xls”.

      • #1442515

        And don’t forget to make provisions for your estate survivor or heirs/beneficiaries/executor so that he/she has access to your financial accounts when you shuffle off! All that stuff locked behind passwords can make cleaning up your affairs a nightmare for that person!

        I just use a password-protected spreadsheet which I print out for use beside the PC at home and in a packet for my survivors. And no, it is not named “passwords.xls”.

        Be careful. Your survivors may not have any legal right to access accounts online. Even your executor is likely legally obliged to provide proper documentation before having access to your accounts. It is a risk to bypass the law simply because you have passwords and have not informed the bank/brokerage etc. of the death.

        As for a password-protected spreadsheet, in Excel 2010 the default encryption is 128 bit. That is not considered very secure. It would not meet HIPAA standards, for example, for your medical provider protecting your private information.

        And when you “print out for use beside the PC at home,” what do you do with the printout that has all your bank info on it after you are finished at your PC?

        • #1442910

          Be careful. Your survivors may not have any legal right to access accounts online. Even your executor is likely legally obliged to provide proper documentation before having access to your accounts. It is a risk to bypass the law simply because you have passwords and have not informed the bank/brokerage etc. of the death.

          As for a password-protected spreadsheet, in Excel 2010 the default encryption is 128 bit. That is not considered very secure. It would not meet HIPAA standards, for example, for your medical provider protecting your private information.

          And when you “print out for use beside the PC at home,” what do you do with the printout that has all your bank info on it after you are finished at your PC?

          If you make provisions, as in a will, won’t you have to at the very least consult a lawyer to make the will official? The lawyer you consult should have the relevant knowledge for your area and be able to tell you whether you can or cannot make said provisions.

    • #1442500

      I also use KeePass. If you store the password file in a cloud such as DropBox or SkyDrive (now OneDrive) you can easily share it between your PC and Android/iOS phone. If you use it on the PC it has the ability to auto-enter your details into any login page. Some of my websites like Capital One Bank have the same kind of login screen that takes just my username, then a second screen to enter my password. With those I’ll just cut and paste my UserID and password from KeePass one at a time. I haven’t had a problem with KeePass yet; I’ve been using it for nearly a year now.

      Craig

    • #1442505

      What does the forum think of Password Corral v4 ?

      • #1442689

        Open source, I’ve used it for years to store all of my passwords. I also export the list (strongly encrypted, of course) to my Google Drive as a backup. Also, online I use both Roboform and LastPass. Roboform for the pc at home and LastPass when using the workplace pc as it’s accessible from anywhere as long as you have the extension or add-on installed.

        Actually, I never thought that having a password compromised was my biggest threat. To me the biggest threat is clicking on an unknown link, either online or within an email. I recall IBM’s motto from a few years ago, “THINK.” It’s still a valid sentiment today, particularly when online.

    • #1442507

      Hi, newly registered, although I have been receiving the newsletters for a long time now.

      After reading this entire thread, I felt compelled to add my own opinion(s) and thus registered.

      Regarding the methodologies mentioned here, there are definitely advantages, but also disadvantages, to the methods that have been mentioned.

      Let’s start with Lastpass. It’s great that you have an online repository that can keep track of all your passwords. However, if you’re like me and like to make things complicated, such as running multiple versions of browsers for testing, or running multiple profiles in the same browser, again for testing, then using something like LastPass becomes inconvenient. Using the UtiluFox application, I have every version of Firefox from 2 through 28, then have Aurora (currently 29) and Nightly builds (30). It is a pain trying to load up all of them and integrate LastPass into every single profile. At the same time, it is a pain when I load up a specific profile / version for testing a very specific error message that a user might encounter only to realize that I need secure access via login to the site in question in order to test.

      Furthermore, there is a discussion we had over at CalendarofUpdates a few years back regarding how anything digital is never going to be 100% uncrackable. It may take years, even decades, but it can be done. Large data breaches as mentioned in earlier posts are caused by a single account being compromised and hackers then exploiting that account to gain access to the servers, other accounts, etc. until they hit pay dirt. In the case of LastPass, the same holds true. If they happen to crack just one account that has admin level privileges to their backend servers, and find the right accounts to exploit, and find the right servers to take over, even if encrypted, there go all your passwords.

      Furthermore, let’s remember that in today’s world, it’s not about a single person sitting at a single terminal hacking your accounts. In today’s world the purveyors of malicious code and criminal organizations have many more sophisticated tools at hand to carry out their objectives. From the so called botnets and other forms of distributed computing, they can easily achieve performance levels beyond that of a single supercomputer at any given time, with the added benefit of being able to supply attacks from all around the world, and using proxies and other tools to hide their tracks and make it a lot harder to be traced than if it were one, single supercomputer in a single location that was attempting to hack your account.

      So, the argument that your passwords are always safe is misleading – nothing online is ever going to be truly safe. But an argument can be made that the folks at LP have done very well in terms of anticipating malicious attacks and learning from previous attempts / successful attacks to strengthen their security measures.

      Now, as far as KeePass is concerned, this is my app of choice. It’s local, but there are so many different ports of the application to other operating systems that it is now a moot point about KeePass not working in any particular OS. It is open source, so you can always look at the source code yourself, or build the binaries from source yourself in case you’re paranoid about the prebuilt binaries. Finally, it exists in 2 different versions, one that does not require .NET and one that does.

      The advantage to KP is that it is local – I can use the same KP database (and app) across 20, 30, even 25784 browsers (if I had that many) without doing one thing differently than I am doing now. I can add browsers without having to add in any extensions to the browser to make KP work with it. Don’t get me wrong, but there are add-ons to browsers as well as plugins for KP for integrating KP better into your browser, but I do not use those – b/c I also take my database with me, which I’ll talk about in a bit. It has built in security measures to protect your database from prying eyes, not just encryption, but also the ability to use additional key files, number of encryption rounds performed on the database itself, and many more that you can read about on the KP website. There are a myriad of plugins for importing passwords from other systems and a few for exporting to them as well. It has support (again via plugin) for TOTP temp passwords supplied in TFA systems.

      But where KP really shines is that it also has the ability to store a lot more than just passwords. Code snippets, SSL certificates, Notes, URLs, documents, exported registry entries (.REG files), retains a history of your editing of entries, allows you to set password expiration time and date, ability to synchronize and backup databases, and a heavy duty auto-type feature for entering your username and password (and other data) automatically. Some of these features may be present only in the Professional version (version 2.xx, the one that requires .NET) but neither version has any associated charge. Both are 100% free. And other plugins also allow it to be used as a password repository for programs like PuTTY, FTP managers, etc. You can even use KP through TrueCrypt and other HD encryption methods. And, the best part, is that there is a PortableApps version that allows you to use it via the PortableApps menu, and there are also non-installing portable versions (ZIPped) in case you are not into using PortableApps, but still want to use KP from, say, a UFD or external HD.

      I use KP to manage my PW database, between PWs for online services, passwords for client computers, remote desktop logins, and all of the keys from my MSDN / (now defunct) TechNet accounts. Add to that all of my registration keys for various software that I use / have bought, and I have well over 1400 unique PW entries. I synchronize my PW with my Google Drive account (but NOT my keyfile), and have it marked for offline use on all of my Android devices, for instant portability. I can use KP through RDP, even allowing for its TCATO via a plugin.

      It’s the best of both worlds – Password safety and encryption and portability. But therein lies the disadvantage as well – it is local, and if someone gets a hold of your device and manages to get a keylogger installed, then they have all the ingredients to access your password – your database, keyfile, and password. However, that has not happened to me yet – and I am a very long time user of KP.

      For those using alternate methods like using a text file or word document – I’d urge you to look into KeePass as a better solution because of its portability and because it has been ported over to many other operating systems – you may be able to view a text file on your phone, but is it easily searchable? Is it easily synchronizable? For Word documents, what about a situation where you don’t have access to Word?

      Finally, addressing the use of strong passwords by using something that you make up – an XKCD comic says it all: http://xkcd.com/936/

      In closing, I’ll add one final thing – the need for TFA. If any site that you visit has some sort of system set up for Two Factor Authentication (also called Two Step Verification) start using it immediately.

      Thanks for reading through my soliloquy. 😀
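      The two KeePass protections named above (a key file as a second factor, and a configurable number of key-transformation rounds) are illustrated in the following added example, which is this editor's own construction and not code from the post or from the KeePass project. It assumes a simplified scheme: each factor is hashed and combined into a composite key, then HMAC-SHA256 stands in for the per-round transform that KeePass's AES-KDF performs with AES; the sample password, key-file bytes and seed are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample inputs for this example; not real credentials or a real key file.
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = bytes(range(32))      # stands in for the contents of a key file
TRANSFORM_SEED = b"\x5a" * 32          # a real manager stores a random per-database seed


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Fold the user's factors into one 32-byte key.

    Each factor is hashed on its own, the hashes are concatenated and the
    result is hashed again. A key file therefore behaves as a second factor:
    the same password with a missing or different key file yields an
    unrelated key. This mirrors the composite-key idea in KeePass but is
    this example's own construction (an assumption), not the project's code.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def transform_key(key: bytes, seed: bytes, rounds: int) -> bytes:
    """Key transformation: repeat a keyed one-way step `rounds` times.

    The round count travels with the database, so the legitimate user and an
    offline password guesser pay the same cost per attempt; raising it slows
    guessing linearly. HMAC-SHA256 is the round function here (an assumption
    for this example; KeePass's AES-KDF uses AES for the same purpose).
    """
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    for _ in range(rounds):
        key = hmac.new(seed, key, hashlib.sha256).digest()
    return hashlib.sha256(key).digest()


def derive_master_key(password: str, key_file: Optional[bytes],
                      seed: bytes, rounds: int) -> bytes:
    """Composite key followed by the round-based transformation."""
    return transform_key(composite_key(password, key_file), seed, rounds)


def make_verifier(master_key: bytes) -> bytes:
    """A value a database could store to check an unlock without storing the key."""
    return hashlib.sha256(b"verify" + master_key).digest()


def unlock(verifier: bytes, password: str, key_file: Optional[bytes],
           seed: bytes, rounds: int) -> bool:
    """True only when both factors and the round count reproduce the stored verifier."""
    candidate = make_verifier(derive_master_key(password, key_file, seed, rounds))
    return hmac.compare_digest(candidate, verifier)


def seconds_per_guess(rounds: int, seed: bytes = TRANSFORM_SEED) -> float:
    """Measure what one derivation costs at a given round count."""
    start = time.perf_counter()
    derive_master_key("timing-probe", None, seed, rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    rounds = 100_000
    key = derive_master_key(MASTER_PASSWORD, KEY_FILE_BYTES, TRANSFORM_SEED, rounds)
    verifier = make_verifier(key)
    print("correct password + key file:  ", unlock(verifier, MASTER_PASSWORD, KEY_FILE_BYTES, TRANSFORM_SEED, rounds))
    print("correct password, no key file:", unlock(verifier, MASTER_PASSWORD, None, TRANSFORM_SEED, rounds))
    print("wrong password + key file:    ", unlock(verifier, "wrong", KEY_FILE_BYTES, TRANSFORM_SEED, rounds))
    for r in (1_000, 100_000):
        print(f"{r:>7} rounds: {seconds_per_guess(r) * 1000:.1f} ms per guess")
```

      Raising the round count raises the per-guess cost for the attacker and the user alike, which is why the poster's "number of encryption rounds" setting matters for a database that is synced to cloud storage.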

      • #1442514

        Windows 8 has a basic password manager in Web Credentials, but I’m doubtful if it can compare with a third-party password manager. I’ve also found it somewhat erratic – for some websites it enters the username and password automatically, while for others I have to type the first letter of the username, which then appears in full, then I have to click on the username to fill in the password field. What are other people’s experiences with this method?

    • #1442539

      Password managers are fine and good for individual users, but what about corporations? One of my concerns is that our assistants use logins to websites to access records, reports, etc., some more than others. If one of those assistants leaves the company, how will we ever know what websites they are registered to in the name of the company? This creates a liability condition I’m afraid will one day bite us back. Are there good enterprise password managers where, if someone leaves, as the IT manager I can change their master password and then see all the websites they visit and change those passwords as well? Recommendations from experience?

      • #1442546

        Password managers are fine and good for individual users, but what about corporations? One of my concerns is that our assistants use logins to websites to access records, reports, etc., some more than others. If one of those assistants leaves the company, how will we ever know what websites they are registered to in the name of the company? This creates a liability condition I’m afraid will one day bite us back. Are there good enterprise password managers where, if someone leaves, as the IT manager I can change their master password and then see all the websites they visit and change those passwords as well? Recommendations from experience?

        LastPass now has an enterprise version, where passwords are managed centrally and individual users can be granted access: https://lastpass.com/enterprise_overview.php

        There is a free trial for LastPass Enterprise going on now.

    • #1442579

      @NKYadav–I am, like you, a long-time follower of the newsletters and the lounge, but I haven’t figured out how to show your quote in a reply. So I just wanted to let you know that I appreciate your comments, but with all the abbreviations you have inserted, I am having great difficulties in understanding what you are saying (I am a senior who doesn’t recognize the difference between LOL and TFA systems, etc.–and when I try to search on Ixquick, I get everything from soup to nuts, AND I think both were there).

      I have been a ROBOFORM Pro user for many years, but they now only provide their updates/renewals through CNET downloads, and I suspect that part of my recent problems have come from the attached crapware/malware/etc. that I didn’t detect. If you, or others, could either expand the TFA, TOTP, RDP, TCATO, etc., or tell me that they are nothing of concern to someone like me, it would certainly be appreciated.
      Thanks.

      • #1442737

        @NKYadav–I am, like you, a long-time follower of the newsletters and the lounge, but I haven’t figured out how to show your quote in a reply. So I just wanted to let you know that I appreciate your comments, but with all the abbreviations you have inserted, I am having great difficulties in understanding what you are saying (I am a senior who doesn’t recognize the difference between LOL and TFA systems, etc.–and when I try to search on Ixquick, I get everything from soup to nuts, AND I think both were there).

        I have been a ROBOFORM Pro user for many years, but they now only provide their updates/renewals through CNET downloads, and I suspect that part of my recent problems have come from the attached crapware/malware/etc. that I didn’t detect. If you, or others, could either expand the TFA, TOTP, RDP, TCATO, etc., or tell me that they are nothing of concern to someone like me, it would certainly be appreciated.
        Thanks.

        Here are a couple of places to find those pesky abbreviations. One can be accessed by category, the other in many ways also. I find them invaluable:

        http://www.acronymslist.com/

        http://www.acronymfinder.com/

        Hope you find them useful.

    • #1442612

      I would love to hear the criticisms and thoughts from those smarter than me, but I use an Excel spreadsheet with columns labeled name, acct number, login name (partially obliterated but a good hint to me), then a password code referencing another spreadsheet, and the URL for the site.
      The spreadsheet and the password spreadsheet are kept in a TrueVault file.
      I just cut and paste or click on the link for the url in the opened spreadsheet. My problem with the passwords made from the first word of sentences is I seem to always get them wrong (always). I pick some theme, city names, minerals, etc. and substitute some numbers for the letters adding a character at the end.
      Is this fairly good? What are my vulnerabilities? Thanks.

      • #1442620

        I would love to hear the criticisms and thoughts from those smarter than me, but I use an Excel spreadsheet with columns labeled name, acct number, login name (partially obliterated but a good hint to me), then a password code referencing another spreadsheet, and the URL for the site.
        The spreadsheet and the password spreadsheet are kept in a TrueVault file.
        I just cut and paste or click on the link for the url in the opened spreadsheet.
        Is this fairly good? What are my vulnerabilities? Thanks.

        Sounds good to me. It’s basically what I did for years, until I got Roboform. I went to Roboform for convenience, not because I thought it was more secure.

    • #1442711

      If any of you have lingering doubts about the security of LastPass, I invite you to watch Steve Gibson’s (SpinRite, ShieldsUP) long and somewhat laborious dissertation on LastPass and why you are not at risk if the LP servers or your local computer are compromised: http://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html

      With my 268 unique and strong passwords, and a roster of very useful features, I couldn’t imagine using any other product. Although the free version offers everything I need for use on all of my computers at home and work, I gladly paid the $12 for the premium subscription to support continued development.

    • #1442751

      One major issue that seems under-reported: the security of the ownership of a company such as LastPass.

      Were a sizeable offer made for the company, ownership might change hands & the new owners may prove untrustworthy or downright nefarious.

      Nobody would be the wiser – until the deeds were done.

    • #1442752

      There are several enterprise password managers. Pleasant Password Server is based on KeePass.

      cheers, Paul

      • #1442900

        @NKYadav–I am, like you, a long-time follower of the newsletters and the lounge, but I haven’t figured out how to show your quote in a reply. So I just wanted to let you know that I appreciate your comments, but with all the abbreviations you have inserted, I am having great difficulties in understanding what you are saying (I am a senior who doesn’t recognize the difference between LOL and TFA systems, etc.–and when I try to search on Ixquick, I get everything from soup to nuts, AND I think both were there).

        I have been a ROBOFORM Pro user for many years, but they now only provide their updates/renewals through CNET downloads, and I suspect that part of my recent problems have come from the attached crapware/malware/etc. that I didn’t detect. If you, or others, could either expand the TFA, TOTP, RDP, TCATO, etc., or tell me that they are nothing of concern to someone like me, it would certainly be appreciated.
        Thanks.

        I use them all the time, so I can see how they may cause confusion. I also re-edited my post for additional typographical mistakes that I did not catch the first time.

        LP = LastPass, shortened. KP = KeePass, also shortened. PW = password. TOTP = Time-based One-Time Password.

        .NET = a programming framework developed and used by Microsoft on Windows operating systems. See https://en.wikipedia.org/wiki/.NET_Framework

        .REG = a file extension for a text-based file that contains information from the registry / to be imported into the registry. See http://filext.com/file-extension/REG

        SSL = Secure Sockets Layer, a method employed to make connections to networks more secure (in a nutshell, before others start trying to correct me here). See https://en.wikipedia.org/wiki/Transport_Layer_Security

        URLs = Uniform Resource Locator – see https://en.wikipedia.org/wiki/Uniform_resource_locator

        FTP = File Transfer Protocol, another method to access your files over a network, see https://en.wikipedia.org/wiki/File_Transfer_Protocol

        UFD = USB Flash Device, see https://en.wikipedia.org/wiki/USB_flash_drive

        HD = Hard Drive.

        MSDN = Microsoft Developer Network. See https://en.wikipedia.org/wiki/Microsoft_Developer_Network

        RDP = Remote Desktop Protocol. See https://en.wikipedia.org/wiki/Remote_Desktop_Protocol

        TCATO is, according to KeePass’s website, Two Channel Auto Type Obfuscation, and it is linked to the wiki page from KeePass explaining all about it.

        TFA is Two Factor Authentication, as explained in the next sentence (and also called Two Step Verification).

        I think that covers almost all of the ones I used.

        There are several enterprise password managers. Pleasant Password Server is based on KeePass.

        cheers, Paul

        Nice. May have to look into that if the features of KP Pro don’t suit my needs moving forward. Thanks Paul.

    • #1442950

      Well I wasn’t trying to write an estate planning guide. Just trying to remind people that this online stuff lives on after the owner shuffles on. Lots of tools in addition to a will are out there: transfer on death docs, designation of beneficiary docs, successor trustee doc, etc will give your survivor(s) legal access to the stuff you leave behind without having to involve the local and federal governments.

    • #1442957

      I have used a Roboform account for many, many years. It automatically syncs every day to my online Everywhere account with them and I also do printouts. I have over a hundred passwords and the important ones get changed every 3 months or so. All of the passwords are high strength. You can also set a master password for them all. I love it and have no reason to ever change unless someone can prove my online Everywhere account with them is not safe.

    • #1443096

      Yubikey is great, but it is a physical item which you must not lose. I find a password I can remember is a preferable method.

      cheers, Paul

    • #1443112

      I use a ‘system’ for making passwords most of the time, so have some similarity between passwords, making some easy to remember. For financial accounts and my main e-mail, I use complex ones, and which might (as an example only) include the name of my first girlfriend, with 1stgf as part of the typed password, making it hard to crack if someone else does sight it in spite of precautions. Such mnemonic systems only go so far though, as different websites have different password rules, hence the need to record them.

      Never use Net cafes; I did a handful of times until I saw around two dozen malware processes running on the computer there. Management will claim they are safe, by which they mean (if it’s not just spin) that the computers are re-imaged nightly. That won’t save you unless you’re the first customer of the day.

      Call me a Luddite, but I still keep all my passwords in a Microsoft Word document. When travelling I have it on my laptop, in a document secured by the excellent freeware AxCrypt, as well as the laptop’s boot password (and I password the BIOS when travelling, as well as requiring passwords on wake from sleep/hibernate). In case of laptop loss, major breakage or theft I have a copy online similarly secured in a personal file storage account (only when travelling), with a very good password on that account. That password would be needed in a disaster, so I put it (encoded) in the planner that goes with me everywhere. If I was travelling a month and lost my laptop, I’d buy a cheap replacement for the trip, and sell it afterwards and choose a better one (if not too cash strapped from all the holidaying).

      And a fairly recent passwords list if the sh1te really hit the fan is available in my full offsite partition backup, on a small external hard drive, which is of course entirely encrypted and kept with a trusted family member. I swap it out with a more recent drive full of backups every couple of months.

      The ‘passwords in a document’ system involves more typing than KeePass or similar, but I don’t have to pay a company to store my passwords or rely on perhaps inferior freeware, don’t have to have a website login method the password-storage program will work with, don’t have to worry if the password software company gets hacked, and what guarantee is there that any company won’t get hacked, especially those with something as inviting as thousands of users’ complete passwords lists on their servers (encryptions have been broken in the past). Also, I can add whatever notes I want to each account name/password set, including the e-mail address used to sign up, which varies since I use Spamgourmet (which rules). I can even add a note when a site sucks by abusing the e-mail address I gave them, etc.

      I’m not giving up the paper planner soon either, guess I’m part Luddite and part geek. A lot depends on personal preferences. But I will observe that in the decade I spent as systems analyst, I did learn that the lower tech solutions are sometimes by far the best solutions.

      Asus N53SM & N53SN 64-bit laptops (Win7 Pro & Win10 Pro 64-bit multiboots), venerable HP Pavilion t760 32-bit desktop (XP & Win7 Pro multiboot), Oracle VirtualBox VM's: XP & Win7 32-bit, XP Mode, aged Samsung Galaxy S4, Samsung Galaxy Tab A 2019s (8" & 10.1"), Blu-ray burners, digital cameras, ext. HDDs (latest 5TB!), AnyDVD, Easeus ToDo Backup Home, Waterfox, more. Me: Aussie card-carrying Windows geek.

    • #1443123

      If you can take all those steps to keep an inherently insecure document pretty well secured, then just how secure would a KeePass database, that is already encrypted by default, be?

      As for LastPass users, well, KeePass is Open Source, and other than the professional version relying upon .NET, it’s completely free, with no advertising at all, and no fee to upgrade to a premium use.

      It does take some work to get all of the features that I use it for to work (no inherent support for TFA challenge / response, you have to use a plugin, same goes for favicons for websites) but it also has the advantages of being able to store files, like SSL certificates, etc. and being available offline, with no usage restrictions on how many times you use it per hour / day / week / month / year.

      Mind you, I’m not saying anyone here is wrong for their particular method of storing passwords – I’m simply pointing out that, given a chance, I think that KeePass would work very very well as a substitute for most of the methods posted here.

    • #1443132

      I’ve long been puzzled by the enthusiasm many people have for password managers such as LastPass, which is my choice. Every once in a while I come across a situation in which I breathe a great sigh of relief knowing that I didn’t commit myself completely to a password manager. A few minutes ago is an example. I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn’t recognize the new logon screen and fails to enter anything. After entering my ID manually, the screen is redrawn and asks for my password. Again, LastPass fails to enter anything. I am happy that I have used a low-level password there that I can remember easily. If I had used one more difficult to remember or, heaven forbid, allowed LastPass to create one for me, something truly random-looking, I would be totally at the mercy of LastPass. At this stage, I could go to my “vault” on the LastPass site and look up the password. But if something happened to LastPass or its site, I would be barred from Syncplicity forever.

      I think passwords are a terrible measure for security. If you get too fancy with them in an effort to achieve ultimate security, you put yourself at risk of losing access to your data. If you use simple passwords, or re-use the same one at multiple sites, you put yourself at risk of being hacked.

      I’ve experienced this with other sites too; apparently some websites think there is a security feature in presenting the User ID first. I have to disagree that LastPass cannot handle this – if the URL is correct and the web site certificate has not been stolen or hacked, LastPass will dutifully enter the user ID – so I simply click Enter, and LastPass enters the password and voila!

      The only concern I have with LastPass is when I’m entering the console password, the only one you need to enter – if there is no SSL session in force at that time, Rapport may not be able to block any keyloggers or screencapture malware onboard. Since I enter my passwords in more than just browsers, I like to use LastPass on those too, so I use KeyScrambler to at least obfuscate the console password. Unfortunately then you have to rely on KeyScrambler for keyloggers. Turning off KeyScrambler, enabling keylog blocking in Rapport, and only entering the console password during an SSL session would be better. That way, as long as I have LastPass set to remain logged in with the many granular settings, I wouldn’t have to do it again for a while. Using CCleaner on limited accounts will eliminate most contracted malware temporarily anyway, and can make any session safer during vulnerable events.

      LastPass can recognize when you are at the wrong URL and I’ve been getting popups when trying to enter into non-SSL windows that don’t encrypt login credentials. I’m not sure if it is LastPass warning me or my Comodo Dragon browser, but not all passwords out there are critical for security so I don’t worry about them unless I was trying to log on to a shopping or banking site. LastPass will not enter the credentials to the wrong URL or SSL certificate, so I realized each time that happened that I was redirected to a poser site. It has saved my bacon more than once! WOT can help in this endeavor, too, as it sometimes knows when you have stumbled onto a disreputable site and will block it. MBAM will also block anything outgoing to a malicious site, and will block anything incoming from such also. This – I’m sure – has saved many an individual from letting out their personal data.

      The blended defense is the only way nowadays. I’ve only mentioned the tip of the security solution iceberg!

    • #1443134

      NKYadav,

      I agree with you… up to a point. I’ve been using KeePass for many years on an encrypted USB stick (backed up to an identical encrypted USB stick).

      More recently I’ve been using MiniKeePass on my iPhone and no longer use my encrypted USB stick for password storage. Not only do I use KeePass and now MiniKeePass to store website login and password details but loads of other data (bank account details, security door codes, remote access passwords, software license keys, etc.).

      [Attachment: 36445-keepass (screenshot)]

      I’ve now been using LastPass for about 6 months and like its simplicity. Following a suggestion by ruirib I’m going to look into the benefits of a paid version of LastPass for mobile use for simplicity’s sake.

      However, I suspect I may continue to use KeePass (and MiniKeePass) because so much more can be stored in it than just online login/password data.

      Hope this helps…

      (PS – For anyone who worries about the ‘crackability’ of their passwords, try checking them at GRC’s Password Checker.)

      • #1443151

        Rick,

        LastPass allows you to save Secure Notes, for which you can even force anyone wanting to access them to enter your LastPass password again. All the Secure Notes are kept encrypted, just like the passwords.
        This means that LastPass can be used to keep other important info, not just passwords, so if you use it, it seems you won’t need KeePass.

        • #1443357

          Thank you, Rui. After reading up on the advantages, I’ve signed up to LastPass Premium (and Xmarks Premium). Now just have to download/install them both everywhere. 🙂

          • #1443358

            Hope you enjoy it. There are some UI quirks, but it’s a good choice anyway :).

        • #1450725

          Thanks, Rui, and everyone else for an informative discussion. Never having used a password manager, I’m finding this a good introduction, and I’m strongly considering using Last Pass.

          The group also should be proud that the comments have been on topic and courteous. No one has told anyone else that they’re full of feces or a complete dumb a–. 😀

          • #1450748

            I confess I was rather skeptical of using password managers. I always thought I could manage all my passwords through my own password creating algorithm, but as the number of sites used increased, that became a lot harder. I now use much longer and safer passwords and with LastPass’s other features, I keep some relevant info safer, too. If you get a good password manager, you will soon find out how useful it can be and probably even wonder how you could have done without it for so long :).

    • #1446789

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #1446871

        Passwords just got more secure for Android users

        KeePass2Android has had secure password pasting in Android for ages, and it’s free.

        cheers, Paul

    • #1450796

      I started using Roboform last year, somewhat hesitantly, after first trying a freeware password mgr whose name I forget. I now use it all the time. I do have some issues/questions.

      It seems that all PMs have problems with multipage logins. There are workarounds but they don’t always work. On some sites, or where a site has multiple ways of getting to log in, Roboform may think it’s got the page right but enter data in the wrong place. Then I have to find a login page that matches what R-f can handle.

      Another issue I have specifically with R-f is that the individual pw files, while encrypted, have plain text names. Anyone who got a directory list of my hard drive would have a very complete list of every bank, stock broker, and website I visit. Roboform says this is not going to change. The only workaround is to name each password with something unintelligible, but then I have to remember that, say, MLZPK is Chase Bank and OpenDoors is really Windows Secrets.

      I have the version of Roboform that I can sync to my iPhone. I haven’t tried it yet. For one thing, I am very skeptical of the security of anything on the iPhone. Beyond that, R-f does not allow simply copying the password files from a PC to the iPhone. It requires going through their servers. Until now, I have totally avoided putting any important data “in the cloud.” Too many stories of server breaches.

      The saving grace of Roboform is that one does not send unencrypted files to R-f servers, not even over SSL. (Let’s not talk about Heartbleed.) The pw files are encrypted locally, saved that way on R-f servers, and downloaded to the iPhone in the original, encrypted form. In theory, even if some bad guys or some government had access to R-f’s servers, all they’d get is my encrypted pw files. On this basis, I am considering using this feature. On the other hand, they’d also get the complete list of all my banks, etc. (see above). This could be used in social engineering attacks.

    • #1450799

      @RandySea

      Let’s generously call multipage logins a work-in-progress. You are correct that they are a pain to work with.

      If someone has access to a complete directory listing of your PC you’ve got a big, big problem. Even so, if you use strong credentials you should not be completely vulnerable. If you have a RoboForm Everywhere subscription you can use a copy of RoboForm to-go, which is RoboForm on a thumb drive. Your credentials are stored on the thumb drive. That way none of the password data would reside on the PC.

      Joe

      --Joe

      • #1450831

        Good comments, Joe. In theory, I assume if someone gets my hard drive they will at least be slowed down with all my data folders on my D: partition in EFS.

        I guess the worry about the file list of password files is if someone breaks into Roboform’s servers. But as you say, with strong credentials on all my financial websites, maybe it’s not something to worry about.

        I guess I am not ready to give up the convenience of having Roboform on my PC.

        One of my backups is an Ironkey usb drive. I have not gotten Roboform Anywhere to work on it. However, the IK has a built-in Firefox browser, connection to VPN servers, and an autologon. It doesn’t work as well as Roboform on some websites, but it does work. I think it is about as secure as I can hope for.
