
Password Managers - Security Concerns

I have some questions regarding PW's. 

 

First, how do you protect your PW from viruses and keyloggers? You can have the best passwords, but when someone has access to your computer they see everything. 

 

Second, should one TFA the PW with a physical key or is it enough to use email for that? And why? You have a phone with you everywhere, anyway. 

 

Third, there are Apple Notes you can encrypt and there are PW notes. Which one is better to use and why? 

 

 

 

 


If your system has malware, then it's pretty much game over. No password manager or mitigation will completely protect you. Practice good cyber hygiene to avoid this in the first place.

 

Email for 2FA should be good enough for most people. Unless you have reason to believe that you are being specifically targeted, a physical token shouldn't be necessary.


6 minutes ago, badreg said:

If your system has malware, then it's pretty much game over. No password manager or mitigation will completely protect you. Practice good cyber hygiene to avoid this in the first place.

 

Email for 2FA should be good enough for most people. Unless you have reason to believe that you are being specifically targeted, a physical token shouldn't be necessary.

Yes, and that is also my point about the viruses and keyloggers. Cyber hygiene is important, but what about antivirus software? It should be necessary to prevent these things, shouldn't it? 

 

What about the third question about notes? 


I have not used any antivirus in over 10 years besides Windows Defender, and I have not had any issues in that time. Just keep your browser, system and network devices updated and you should have no problems. Meanwhile, I have friends who call me every few months asking me why they keep getting infections on their machines. An ounce of prevention...

 

I have no experience with Apple products, so no idea.


11 minutes ago, badreg said:

I have friends who call me every few months asking me why they keep getting infections on their machines.

What are they doing wrong? 


Yep, if you've got a keylogger or malware you're done for no matter what you use. Password managers are meant to mitigate external attacks from people guessing a weak password or using one you've shared between sites.

 

Windows comes with built-in antivirus. It used to be garbage back in the XP/Vista days, but now it's pretty solid. If you aren't clicking every ad you see, you'll be fine nowadays.

 

Are encrypted and password locked notes not the same thing? I'd be surprised if Apple didn't encrypt the password locked notes since you still need a "password" (technically called a key, but it's the same idea and you can make a key from a password) to encrypt something.

¯\_(ツ)_/¯

 

 

Desktop:

Intel Core i7-11700K | Noctua NH-D15S chromax.black | ASUS ROG Strix Z590-E Gaming WiFi  | 32 GB G.SKILL TridentZ 3200 MHz | ASUS TUF Gaming RTX 3080 | 1TB Samsung 980 Pro M.2 PCIe 4.0 SSD | 2TB WD Blue M.2 SATA SSD | Seasonic Focus GX-850 Fractal Design Meshify C Windows 10 Pro

 

Laptop:

HP Omen 15 | AMD Ryzen 7 5800H | 16 GB 3200 MHz | Nvidia RTX 3060 | 1 TB WD Black PCIe 3.0 SSD | 512 GB Micron PCIe 3.0 SSD | Windows 11
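The remark above that "you can make a key from a password" can be shown with a standard key-derivation function. This is an added example, not part of the original post and not Apple's actual Notes scheme; the function names, header fields, salt size and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; slows down offline guessing
KEY_LEN = 32           # 256-bit key, the size an AES-256 cipher would take


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a human password into a fixed-length key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_header(password: str) -> dict:
    """Create the metadata stored next to a locked note (hypothetical layout).

    Only the salt, the iteration count and a key-check value are kept.
    Neither the password nor the key is written anywhere.
    """
    salt = os.urandom(16)  # random per note, so equal passwords give different keys
    key = derive_key(password, salt)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def unlock(password: str, header: dict):
    """Re-derive the key; return it only if it matches the stored check value."""
    key = derive_key(password, header["salt"], header["iterations"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return key if hmac.compare_digest(check, header["check"]) else None


if __name__ == "__main__":
    header = make_header("constructed-sample-passphrase")  # constructed sample input
    print("right password:", unlock("constructed-sample-passphrase", header) is not None)
    print("wrong password:", unlock("guess", header) is not None)
```

The returned key is what an authenticated cipher would use to encrypt the note body; that step is left out because the Python standard library has no AES.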


14 minutes ago, Blizzforte said:

What are they doing wrong? 

I have no idea. But if I had to guess, I would imagine that they are more likely to click on random links or open random files or stick in a random USB drive.

 

Most people have no idea what proper cyber hygiene actually means, just like most people really had no idea (and probably still don't) about what actual hygiene is before the pandemic. It is now common knowledge to not touch your face or put random things in your mouth when you are not sure that your hands are clean. I was already doing those things before the pandemic. Most people open a Word or Excel file from a colleague without a second thought. Every file that I download, even if it is from a colleague or trusted source, is run through VirusTotal before I touch it. It's not that I don't trust the sender. I just have no idea if their systems are infected.

 

Follow the same basic common sense that you do with COVID and apply it to your security.


  • 2 weeks later...

To add to what everyone said so far, you can add a PIN to the end of the password that is inside your password manager. 

 

The actual password: z9AKAP75U2y1234

What you store in the password manager: z9AKAP75U2y

 

When you log in, just add the PIN. This way, if someone got in your password manager, they wouldn't have the real password. I wouldn't do this to every password, just the important ones. 

 

Also, a password manager is not an all or nothing thing. If you want to leave out your banking or email passwords you can. What matters the most is that you're not reusing passwords. 
