
Is there a great solution to password storage?

LastPass is great and all, until you lose your master password and you literally cannot log back in. Then there is the problem of if they have your LastPass password, then they have them all. So the password has to be REALLY beefy IMO. So it's not any more convenient. As of now, I keep my username/password combos in text files in a folder. Before anyone goes "wow you're retarded", I get it, not secure internally. But it's convenient and that's the key thing that cannot be sacrificed. I need to be able to pop into a website within 10 seconds and the password has to be strong. So what is the solution to adding as much security as possible without compromising on this?


The advantage is you'll only need to remember one password if you use a manager though. You can make your argument for anything.

What if someone steals your laptop? They'll know all your passwords since you store them in plain text.

Password protected user account? What if they hack your account? Again all passwords are for the picking.

Oh, but what if... you get the gist.

 

I don't use a password manager since I remember pretty much all of them, but I guess you could group them by service or something, if the software allows it? For example, have one group for financial and personal stuff, one for general stuff, one for other things etc. You'll still have to remember a couple of passwords, but less (I assume) in total and if one of them gets compromised the others are still safe.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB


You gain something, you lose something.

 

KeePass is a handy tool. My master password is a password that I've never used before and it's longer than 8 characters with all bits and pieces of weird characters hidden inside of it. Just make sure to never digitally store that password. The safest would be to memorize the password and write it down on a piece of paper and store it in a safe somewhere. Let's be honest... you're more likely going to be hacked than your house broken into.

 

KeePass is REALLY hard to crack, especially with a strong af password.

 

 

+ Enable 2-way authentication with a combination of what I just mentioned above IF for some magic mirage that password leaks out and they have your keepass file.  

CPU: AMD 3800X GPU: GTX 1080 Ti RAM: (16GB) 2x Corsair 8gb DDR4 3200Mhz Drives: SanDisk 240GB SSD, Samsung 500GB SSD, WD 1TB HDD

Motherboard: MSI X470 Gaming pro plus PSU: Gigabyte 650 watt Monitor(s): 27 inch AOC 1440p


7 minutes ago, Linus_is_a_Badass said:

Then there is the problem of if they have your LastPass password, then they have them all.

 

You could set up two factor authentication. Even though it is safer, it is not ideal.

 

7 minutes ago, Linus_is_a_Badass said:

I keep my username/password combos in text files in a folder.

 

Possibly one of the worst things you can do!

 

8 minutes ago, Linus_is_a_Badass said:

But it's convenient and that's the key thing that cannot be sacrificed.

 

That's completely wrong. You should never prioritise convenience for security.

 

10 minutes ago, Linus_is_a_Badass said:

So what is the solution to adding as much security as possible without compromising on this?

 

As I have said in my first answer, use two factor authentication. Sometimes, password managers also support multi factor authentication.


I started using LastPass recently, and thanks to it I went from 3 passwords for ~30 sites to 25 safe passwords.
 

I also use 2 factor authentication, so logging into any website on a new computer requires up to 6* verification steps (and I'm not even kidding)

 

So far I'm happy with it, and I believe it to be a lot safer than "Passwords.txt". Actually thinking about biting the bullet on a Premium subscription.

 

Spoiler

* verification email, master password, fingerprint, 2 factor code for LastPass, site password, 2 factor for site

 

Quote and/or tag people using @ otherwise they don't get notified of your response!

 

The HUMBLE Computer:

AMD Ryzen 7 3700X • Noctua NH-U12A • ASUS STRIX X570-F • Corsair Vengeance LPX 32GB (2x16GB) DDR4 3200MHz CL16 • GIGABYTE Nvidia GTX1080 G1 • FRACTAL DESIGN Define C w/ blue Meshify C front • Corsair RM750x (2018) • OS: Kingston KC2000 1TB GAMES: Intel 660p 1TB DATA: Seagate Desktop 2TB • Acer Predator X34P 34" 3440x1440p 120 Hz IPS curved Ultrawide • Corsair STRAFE RGB Cherry MX Brown • Logitech G502 HERO / Logitech MX Master 3

 

Notebook:  HP Spectre x360 13" late 2018

Core i7 8550U • 16GB DDR3 RAM • 512GB NVMe SSD • 13" 1920x1080p 120 Hz IPS touchscreen • dual Thunderbolt 3


Just now, vojta.pokorny said:

I started using LastPass recently, and thanks to it I went from 3 passwords for ~30 sites to 25 safe passwords.
 

I also use 2 factor authentication, so logging into any website on a new computer requires up to 6* verification steps (and I'm not even kidding)

 

So far I'm happy with it, and I believe it to be a lot safer than "Passwords.txt". Actually thinking about biting the bullet on a Premium subscription.

 

  Reveal hidden contents

* verification email, master password, fingerprint, 2 factor code for LastPass, site password, 2 factor for site

 

6 verification steps? Can you name them all because I can only think of 3-4.

See my blog for amusing encounters from IT workplace: http://linustechtips.com/main/blog/585-life-of-a-techie/


Okay, I'm saying that security can not be sacrificed, not that I put security under it. Regardless of if I should spend more time doing it the "right way", I won't. My passwords are all 16+ digit random passwords generated by lastpass. In case anyone was wondering. I do use 2 factor where available. The problem with some is that they use the authenticator app with no backup option. So what happened with that, was one time I put my phone case on backwards once without noticing and SOMEHOW it factory reset my phone. This caused a massive headache trying to access those accounts again. I'm not concerned about my passwords being stolen physically. I'm only really concerned my system may be compromised by some stupid mistake and it just sucks. All of my extremely important accounts are 2 factored anyways. That includes all of my emails, so I can recover those hacked accounts if need be. I need a list of the accounts, lest I forget about one of them.  And after getting rid of old accounts, I'm at a total of 55 accounts.


1 minute ago, Linus_is_a_Badass said:

Okay, I'm saying that security can not be sacrificed, not that I put security under it. Regardless of if I should spend more time doing it the "right way", I won't. My passwords are all 16+ digit random passwords generated by lastpass. In case anyone was wondering. I do use 2 factor where available. The problem with some is that they use the authenticator app with no backup option. So what happened with that, was one time I put my phone case on backwards once without noticing and SOMEHOW it factory reset my phone. This caused a massive headache trying to access those accounts again. I'm not concerned about my passwords being stolen physically. I'm only really concerned my system may be compromised by some stupid mistake and it just sucks. All of my extremely important accounts are 2 factored anyways. That includes all of my emails, so I can recover those hacked accounts if need be. I need a list of the accounts, lest I forget about one of them. 

But you can set up an emergency access to LastPass, wouldn't that cover a situation like this?


2 minutes ago, blu4 said:

6 verification steps? Can you name them all because I can only think of 3-4.

It's in the spoiler :)


Just now, vojta.pokorny said:

But you can set up an emergency access to LastPass, wouldn't that cover a situation like this?

I'll have to check that out, I didn't know about that. Regardless it still was very annoying in general use for me.


Just now, Linus_is_a_Badass said:

Yeah six is a lot. You have to have a lot to lose if you want to spend that long logging in IMO

to be fair it's just when I log in on a new device, which LastPass will automatically block until I confirm the email

Normally it's 3-4


Stupid thought, just thought of letting it out there. I've thought of taking this list and putting it on an old phone that I completely remove internet access to. Then put a 4 digit password on it. And it would never leave my house so it's not a worry to my knowledge. Also it's not as fast, but it's reliable.


8 minutes ago, Linus_is_a_Badass said:

I'll have to check that out, I didn't know about that. Regardless it still was very annoying in general use for me.

And I was just looking into this and you can also set up a recovery phone number...


5 minutes ago, Linus_is_a_Badass said:

Stupid thought, just thought of letting it out there. I've thought of taking this list and putting it on an old phone that I completely remove internet access to. Then put a 4 digit password on it. And it would never leave my house so it's not a worry to my knowledge. Also it's not as fast, but it's reliable.

I mean it's better than keeping it not protected at all, but even better would be if you encrypted the phone


Just now, vojta.pokorny said:

I mean it's better than keeping it not protected at all, but even better would be if you encrypted the phone

it's time to stop, no more


2 minutes ago, vojta.pokorny said:

And I was just looking into this and you can also set up a recovery phone number...

If they came out with a way to unlock with some like USB device or something instead of a password, then with the recovery ability, I would use it.


Speaking of USB devices, isn't there a thing that encrypts passwords and has a key or something that you put in your USB port?


Just now, Linus_is_a_Badass said:

Speaking of USB devices, isn't there a thing that encrypts passwords and has a key or something that you put in your USB port?

Yeah, U2F key:
 

 


2 minutes ago, vojta.pokorny said:

Yeah, U2F key:
 

 

aw that sucks, each service has to support it, the thing doesn't just work with an authenticator. Do you know if it works with lastpass to store the master password?


4 minutes ago, Linus_is_a_Badass said:

aw that sucks, each service has to support it, the thing doesn't just work with an authenticator. Do you know if it works with lastpass to store the master password?

It doesn't 'store' your master password, it works as an additional verification step, and only with Premium LastPass.

I don't think the idea is that you just plug this in and log in wherever.

I was thinking a while back about using something like an old USB drive with a personal certificate loaded onto it to log into some services, but most (almost none) support logging in with a certificate and it would probably require some sort of scripting or coding - a skill that I do not possess


Being human nature to make things as easy as possible, I'm surprised that this hasn't been worked out.


12 minutes ago, vojta.pokorny said:

Yeah, U2F key:

 

 

That might be a better solution in your situation compared to what you're using now (LastPass)


Just now, Linus_is_a_Badass said:

Being human nature to make things as easy as possible, I'm surprised that this hasn't been worked out.

There's an inherent tradeoff between security and comfort. Can't have everything from both at once, but you can set it up in a way that's a reasonable compromise for you


Just now, Christophe Corazza said:

 

That might be a better solution in your situation compared to what you're using now (LastPass)

No, because it has to be individually configured for each service, and on top of that, a majority of the services I use do not support it. And it's additional, as in it doesn't eliminate my need to know the passwords.
