Password Managers

Just now, Tiberiusisgame said:

I agree with you completely. Get back to me on that when you've lost your life savings...

My point exactly lol. As Tiberiusisgame and I said earlier just write them down and keep your written down passwords safe, and somewhere not accessible to the average snooper


Just now, Tiberiusisgame said:

I agree with you completely. Get back to me on that when you've lost your life savings...

But it would only be for social media etc. etc. I'm planning on keeping my email, banking, PayPal etc. in your suggestion, a piece of paper that only I have access to. I fully understand password guidelines; I study security and that's the reason I don't want extremely sensitive data stored anyway.


Just now, NotTristan said:

My point exactly lol. As Tiberiusisgame and I said earlier just write them down and keep your written down passwords safe, and somewhere not accessible to the average snooper

I have all my important accounts behind 2fa or not in my password manager (like my banking info since that's not secured by password but by a device where you put your card in and enter your bank pin, then you type a code they give you, supply the code it gives you and tada you're in)


1 minute ago, shea99 said:

But it would only be for social media etc. etc. I'm planning on keeping my email, banking, PayPal etc. in your suggestion, a piece of paper that only I have access to. I fully understand password guidelines; I study security and that's the reason I don't want extremely sensitive data stored anyway.

If you are studying what I am going to assume is cyber security, and you are willing to use a password manager, go ahead...


Just now, mikat said:

I have all my important accounts behind 2fa or not in my password manager (like my banking info since that's not secured by password but by a device where you put your card in and enter your bank pin, then you type a code they give you, supply the code it gives you and tada you're in)

This!


2 minutes ago, NotTristan said:

If you are studying what I am going to assume is cyber security, and you are willing to use a password manager, go ahead...

Computer forensics, we have a module on security. However, your assumption that I'd happily go and store my bank credentials into a password manager is beyond me. If, Christ forbid, someone did get my passwords from one of these, the most they'd be getting is some social media accounts which are all on alternate emails anyway.


7 minutes ago, mikat said:

Oh I don't store my banking information in lastpass, it's not secured by password but by other means

Carrier pigeon one-time self-destructing pin code?


Just now, Tiberiusisgame said:

Carrier pigeon one-time self-destructing pin code?

Can I steal that? Might be a good business venture.


Just now, shea99 said:

Computer forensics, we have a module on security. However, your assumption that I'd happily go and store my bank credentials into a password manager is beyond me. If, Christ forbid, someone did get my passwords from one of these, the most they'd be getting is some social media accounts which are all on alternate emails anyway.

A fair strategy; compartmentalization.


1 minute ago, shea99 said:

However, your assumption that I'd happily go and store my bank credentials into a password manager is beyond me

I never said you used your bank info in a password manager. I'm just saying you're silly for using one in the first place. IMO not worth the hassle.


Just now, NotTristan said:

I never said you used your bank info in a password manager. I'm just saying you're silly for using one in the first place. IMO not worth the hassle.

IMO it is worth the hassle, as writing down my social account passwords would be not only tedious but a waste of time when I can have a piece of 'for the most part safe and secure' software do it for me. Must be the student procrastinator side of me, I think.


I really can't see how writing your passwords down physically, and then having to tie them to an email addy, so basically leaking ALL your info, is more secure than using a password manager that has pretty good security, and can apply 2FA also, so use fingerprint or authenticator etc?

You can then use one master password to access anything online, you can change it every week or whatever you feel the need for. The passwords for sites can then be randomly generated characters that you couldn't give up even if you wanted to, 2FA again, so only YOU with your phone or whatever can access those sites still.

 

Writing it down in a book is dumb AF, unless you obscure the passwords and sites that they relate to, essentially creating a code... I hate to think what you would do if you lost that book for example, apart from the person that finds/or stole that book maybe accessing your private info etc, you also then would have no way of getting into your own accounts, unless you made a backup and kept that somewhere? then you have to think about security for that too. Plus when you're out and about and want to login to a site to check something, you'd have to get out your book and read it and type in the info, some eagle eyed crook sees this and you get rolled.

 

BTW with KeePass the info is localized behind whatever security you have enabled. Mine is a very long random selection of characters that I can remember; it would take years to crack that code. I also have that backed up for obvious reasons, and available in the cloud. But you'd still need the long password and a keyfile to access it, and that's after getting into the online account, so I think it's fairly safe, lol.

Please quote my post, or put @paddy-stone if you want me to respond to you.


Yeah I'm seeing a lot of weird conflicting information from various points of view...

 

You need a system that protects you and lets you have secure passwords.

 

A secure password in this context is:

1) Long/Complex - It needs to be a decent length (15+) and a mix of letters, numbers and symbols.

2) Random - It should NOT relate to the site at all, nor you, nor anything. This also includes "leet" speak; at this point every cracking tool replaces o with 0 etc.

3) Unique - The above two are pointless if you use that password on 10 sites! One gets hacked and now all 10 are vulnerable.

 

In general, I recommend using a password manager,  there is a reason people like Bruce Schneier recommend you use them ([1]).

I use KeePass.

LastPass is nice, but it has also had a few issues ([2] [3]) and I just would rather put my trust in a local file that I control with a locally installed bit of software.

Writing them down is fine, as long as you are able to still get passwords that fit the above, and you secure the book, but in general I'd use a password manager instead.

 

Set it with a very strong password and don't use that password anywhere else.

Go into the settings and make sure the encryption is set to something strong.

 

Few other bits to consider:

- You'll probably want it on multiple devices. You could stick it on a cloud service for convenience at the sake of reduced security, you could manually deal with it, or host your own cloud and share it that way. I've seen a lot of people use stuff like Resilio Sync too for it.

- Consider using a key file. Then you need both that key file and your long password to open it.

- Back it up! Obviously if you are sticking a bunch of passwords in it... back it up. Also back up your key file in some fashion. (I've seen people with 10000 char key files who have literally printed out the whole thing).

- TURN ON 2FA EVERYWHERE. Just do it, you may as well.

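The three rules listed in the post above (long/complex, random, unique), written as a check over a password list. This is an added example, not part of any poster's message; the leet table, the `audit` function and the sample vault are constructed for illustration.

```python
import re
from collections import defaultdict

# Common "leet" substitutions that cracking tools undo automatically.
LEET = str.maketrans("013457@$!", "oieastasi")

def deleet(s):
    """Lower-case, reverse leet substitutions, then drop remaining non-letters."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))

def audit(vault, personal_words=()):
    """Return {site: [findings]} for the three rules: long/complex, random, unique."""
    findings = defaultdict(list)
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
        # Rule 1: 15+ characters, mixing letters, numbers and symbols.
        if len(pw) < 15:
            findings[site].append("short")
        classes = [r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"]
        if not all(re.search(c, pw) for c in classes):
            findings[site].append("missing-class")
        # Rule 2: must not relate to the site or to you, even after de-leeting.
        plain = deleet(pw)
        site_word = deleet(site.split(".")[0])
        related = [site_word, *map(deleet, personal_words)]
        if any(w and w in plain for w in related):
            findings[site].append("related")
    # Rule 3: the same password must not appear on more than one site.
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                findings[site].append("reused")
    return dict(findings)

# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "facebook.com": "F4c3b00k!2024#Rex",
    "forum.example": "x7$Qm2!vRk9#Lp4@Wz",
    "shop.example": "Summer2019",
    "mail.example": "Summer2019",
}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT, personal_words=["rex"]).items():
        print(site, issues)
```

The first entry passes the length and character-mix rule yet is still flagged, because undoing the substitutions exposes the site name.
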

Most of the conversations on this forum are opinion, allowing anyone and everyone to toss their 2 pence in. Often it doesn't matter all that much because little financial or personal harm can come from choosing the wrong CPU... this is very different.

 

 

Bruce Schneier isn't advocating that you use LastPass. He's advocating for his own password manager, which is open-source and doesn't cloud-store anything. He talks about creating memorable passwords so you don't need to store them, and never repeating a password, and that changing passwords frequently isn't necessarily a safe practice, either. Yes, of course MFA!

 

This article came out in 2014 before the first LastPass Breach and well after NIST's recent approval of new password rules. The game changes all the time.

 

Writing down passwords in a safe place is not leaking that information. That's misleading, frankly. You can't encrypt your passport or your checkbook. Do you put those in a safe? Then put your password book in a safe as well. Do you leave them in your desk drawer? Fine, that's your accepted level of risk. How about your wallet? If you carry your passwords around with you, you're increasing the risk of theft. Your phone is one of the most-abused sensitive devices in your life, no matter how much you think you secure it. It travels with you, everywhere, it gets left on counters if you're careless, it gets handed to friends to read that absurd text from... you don't do that with your wallet.

 
