Password managers - are they truly secure?

bitchstewie
Saturday 25th August 2018

The Mad Monk said:
Distinguish between important passwords and unimportant passwords.

For example, I consider the PistonHeads password to be unimportant. If I lose it, what is the worst that can happen? Someone will come on here and write a load of junk! Well, I do that anyway.

Think of a word 8 - 12 letters long, say 'blacksmith', write that down in cryptic form, say 'farrier'. Add a number that only you know, I use military numbers for example. Add another word, or name, say, a teacher at school. Capitalised randomly.

So your password written down is :- FaRRier military intake art teacher at Borstal. Who is ever going to get that?

Keep a list, change them from time to time.

O.K. What is the huge flaw?
Respectfully you are probably the huge flaw.

How many passwords do you store using this system?

Where do you store them?

How do you keep them with you at all the times you need them?

The Mad Monk
Saturday 25th August 2018

bhstewie said:
Respectfully you are probably the huge flaw.

How many passwords do you store using this system?

Where do you store them?

How do you keep them with you at all the times you need them?
The first line of your response sums up my life!

I have just had a countup. I have 99 passwords, they are typed up as a Word document, saved, and then I have them printed on a sheet of A4.

I keep my phone in a folding case type thing. A folded sheet of A4, with the borders trimmed off goes in there easily.

Clockwork Cupcake
Saturday 25th August 2018

The Mad Monk said:
Keep a list, change them from time to time.
That's a great idea. I would suggest that the best place to keep that list would be with a Password Manager.

Clockwork Cupcake
Saturday 25th August 2018

The Mad Monk said:
The first line of your response sums up my life!

I have just had a countup. I have 99 passwords, they are typed up as a Word document, saved, and then I have them printed on a sheet of A4.

I keep my phone in a folding case type thing. A folded sheet of A4, with the borders trimmed off goes in there easily.
So, really, there would be no difference between you keeping your list *with* your phone and keeping it *in* your phone with something like KeePass and a local password file that is not shared to the cloud.

The advantage of KeePass over your paper list is that it can generate cryptographically secure genuinely unique passwords for each site you need a password for.

Edit:

The Mad Monk said:
I have 99 passwords
"I got 99 passwords but my security is 1"


Edited by Clockwork Cupcake on Saturday 25th August 09:27

bitchstewie
Saturday 25th August 2018

The Mad Monk said:
The first line of your response sums up my life!

I have just had a countup. I have 99 passwords, they are typed up as a Word document, saved, and then I have them printed on a sheet of A4.

I keep my phone in a folding case type thing. A folded sheet of A4, with the borders trimmed off goes in there easily.
Didn't mean it quite that way.

Honestly, what you're doing might be "good enough" but you're making your life more difficult than you need to.

I don't know what phone you have but carrying an encrypted iPhone or Android phone alongside a piece of paper with all your passwords on it is quaint.

I get that for some people a password manager can be a bit of a leap of faith but if you haven't tried one I'd suggest doing so.

The Mad Monk
Saturday 25th August 2018

anonymous said:
[redacted]
I drop my list of passwords. You find it. You work out that 'farrier' is another word for 'blacksmith'. Now, what was my military intake number? Who was my favourite teacher at the second school I went to? What was granny Mary's year of birth?

You have sorted that out and you can now post as me on here!

Seriously, what is the flaw in my system?

I struggle with stuff on my smartphone, stuff like calendars, so I am sure I would struggle with a password keeper.

Clockwork Cupcake
Saturday 25th August 2018

I think it's worth reiterating that a good password vault isn't just a safe place to store your passwords but will also help with creating them.

With something like KeePass, if the website you need to create a password for says "you must use 8-20 characters, and it must contain at least one capital letter, one number, and a punctuation mark" then you call up the password generator, tick a few boxes, set the length to 20, and it generates the most cryptographically secure password it can from those criteria. That is far more secure than any derived password you can come up with, simply because it isn't derived.
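To make the generator behaviour described in this post concrete, here is an added example in Python. It is not code from the thread, from KeePass or from any other password manager; it shows what "tick a few boxes, set the length to 20, and generate" amounts to underneath: draw every character from the operating system's CSPRNG (`secrets`), discard any draw that fails the site's composition rule, and compute how much guessing entropy the result carries. The 94-character alphabet and the assumption that the site accepts any ASCII punctuation are mine, not the post's.

```python
import math
import secrets
import string

# Character classes a site policy might require. Assumption (not from the
# thread): the site accepts any ASCII punctuation. Real generators also let
# you exclude characters a particular site rejects.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
PUNCT = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + PUNCT   # 94 symbols


def generate_password(length=20, *, need_upper=True, need_digit=True, need_punct=True):
    """Uniformly random password over ALPHABET that satisfies the requested
    composition rules.

    Every character is drawn with secrets.choice (OS CSPRNG, no modulo bias).
    A candidate that misses a required class is discarded and redrawn. This
    rejection sampling keeps the result uniform over all policy-compliant
    strings; the common shortcut of picking one character per class and
    shuffling skews the distribution and is easy to get subtly wrong.
    """
    required = [cls for wanted, cls in ((need_upper, UPPER),
                                        (need_digit, DIGITS),
                                        (need_punct, PUNCT)) if wanted]
    if length < len(required):
        raise ValueError("length too short to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def meets_policy(pw, min_len=8, max_len=20):
    """The rule quoted in the post: 8-20 characters, at least one capital
    letter, one digit and one punctuation mark."""
    return (min_len <= len(pw) <= max_len
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in PUNCT for c in pw))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniform password of this length.

    The composition rules throw away only a small fraction of strings at
    these lengths: a 20-character string over 94 symbols has no digit with
    probability (84/94)**20, about 0.1, so the policy costs well under one
    bit. A derived password (word + number + name) has nothing like this
    much entropy, because the attacker enumerates the scheme, not the
    alphabet.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw), round(entropy_bits(20), 1))
```

Running it prints a fresh 20-character password, `True` for the policy check, and roughly 131 bits of entropy; a derived password reusing a dictionary word, a short number and a name is searched by enumerating those three small spaces, which is the point the post makes about generated passwords "not being derived".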

Clockwork Cupcake
Saturday 25th August 2018

The arguments against using a Password Manager seem to be very similar to the justifications for not vaccinating your children. An unsubstantiated report that the MMR jab might give your kids autism, which has since been debunked, is used as justification for not vaccinating your children at all. In the same way, unsubstantiated reports that Password Managers may be insecure (which have been debunked) is justification for not using one at all and using something way less secure instead.



Lemming Train
Saturday 25th August 2018

anonymous said:
[redacted]
And what if you forget the master password, which of course would need to be super secure and cryptic, so not something you'd choose by choice yourself, thus making it difficult to remember? It's the key to all your other super secure passwords like 6mRKn2qXgxGKKazgiy1V6pzZFSUcpjYb3B8erq5ejfN3Y1KXj6W8ZryIhClqf14Dceu9nckswyDesboJnL and izVS7XSci2aOcug/Fk6YeaiV9JGEUgULbR//ar8QPMXsAkP75IKOgH+b/LW2w6hb974xyOlcOtruvXtqG that you now have no chance of guessing and oh look, the password reset button doesn't work on the website it's for because you've since changed your email address and no longer have access to the old one in order to reset your password and log-in.

There is also the personal security issue of having all your log-ins and passwords stored in one place. If you were to get mugged whilst out and about and the thieves forced you to unlock your phone screen and saw the nice little 1pass icon sat there in the middle of the screen, you'd soon find yourself with a knife blade against your skin as they demand the password and then systematically empty every single one of your accounts from the handy list of log-ins and passwords you have stored for them all.
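Two earlier points in this thread, the "local password file that is not shared to the cloud" and the "master password is the key to everything" worry in the post just above, both come down to how a vault file is actually built. The following is an added example in Python, not code from the thread, from KeePass, 1Password or any other manager, of a minimal local vault: the master password is stretched with a salted key-derivation function, the entries are encrypted and authenticated, and nothing else on disk can reproduce the key. Assumptions of mine: PBKDF2-HMAC-SHA256 stands in for the Argon2id or scrypt a real manager should use, and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for AES-GCM or ChaCha20-Poly1305, because the Python standard library has no AEAD cipher. The sample entries are constructed; the two long strings are the ones quoted in the post.

```python
import hashlib
import hmac
import json
import os

# Work factor for stretching the master password; raise it as hardware gets
# faster. Assumption: PBKDF2 is used only because it is in the standard
# library; a real manager would use Argon2id or scrypt.
PBKDF2_ITERATIONS = 200_000


def derive_keys(master_password, salt):
    """Stretch the master password into a 32-byte encryption key and a
    32-byte MAC key. The per-vault random salt means the same master
    password in two vaults yields unrelated keys and precomputed tables
    are useless."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(entries, master_password):
    """Serialise and encrypt `entries`; returns the bytes you would write to
    disk, laid out as salt || nonce || tag || ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def unlock_vault(blob, master_password):
    """Inverse of lock_vault. Raises ValueError on a wrong master password or
    a tampered blob. Note what is absent: any recovery path. The key exists
    only while the master password is known; nothing on disk regenerates it."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("wrong master password or corrupted vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


# Constructed sample entries, not anyone's real credentials.
SAMPLE_VAULT = {
    "pistonheads": "6mRKn2qXgxGKKazgiy1V6pzZFSUcpjYb3B8erq5ejfN3Y1KXj6W8ZryIhClqf14Dceu9nckswyDesboJnL",
    "bank": "izVS7XSci2aOcug/Fk6YeaiV9JGEUgULbR//ar8QPMXsAkP75IKOgH+b/LW2w6hb974xyOlcOtruvXtqG",
}


def wrong_master_password_is_rejected(master="correct horse battery staple"):
    """Round-trip with the right password, then try a one-letter typo."""
    blob = lock_vault(SAMPLE_VAULT, master)
    if unlock_vault(blob, master) != SAMPLE_VAULT:
        return False
    try:
        unlock_vault(blob, master + "r")
    except ValueError:
        return True
    return False


def tampered_vault_is_rejected(master="correct horse battery staple"):
    """Flipping one ciphertext bit must fail the MAC, not yield garbage."""
    blob = bytearray(lock_vault(SAMPLE_VAULT, master))
    blob[-1] ^= 0x01
    try:
        unlock_vault(bytes(blob), master)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("wrong master password rejected:", wrong_master_password_is_rejected())
    print("tampered vault rejected:", tampered_vault_is_rejected())
```

The salt and the iteration count are what make the "forgotten master password" case symmetric with the "stolen vault file" case: an attacker holding the file has to pay the full stretching cost per guess, and so does the owner who has forgotten the password. That is why managers offer a printed emergency kit or a second factor at setup rather than a reset button; the reset button the post mentions belongs to a website, which holds a copy of your credential, whereas a vault that could reset itself would not be encrypted at all.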

bitchstewie
Saturday 25th August 2018

Lemming Train said:
And what if you forget the master password, which of course would need to be super secure and cryptic, so not something you'd choose by choice yourself, thus making it difficult to remember? It's the key to all your other super secure passwords like 6mRKn2qXgxGKKazgiy1V6pzZFSUcpjYb3B8erq5ejfN3Y1KXj6W8ZryIhClqf14Dceu9nckswyDesboJnL and izVS7XSci2aOcug/Fk6YeaiV9JGEUgULbR//ar8QPMXsAkP75IKOgH+b/LW2w6hb974xyOlcOtruvXtqG that you now have no chance of guessing and oh look, the password reset button doesn't work on the website it's for because you've since changed your email address and no longer have access to the old one in order to reset your password and log-in.

There is also the personal security issue of having all your log-ins and passwords stored in one place. If you were to get mugged whilst out and about and the thieves forced you to unlock your phone screen and saw the nice little 1pass icon sat there in the middle of the screen, you'd soon find yourself with a knife blade against your skin as they demand the password and then systematically empty every single one of your accounts from the handy list of log-ins and passwords you have stored for them all.
I think you've simply come up with the most extreme example possible and used it to try and paint password managers as a bad thing.

In that scenario, yes of course, you're done for.

In Mad Monk's scenario they've got your piece of paper, so you're done for.

In any scenario, at some point, you're done for.



Mr Pointy
Saturday 25th August 2018

Guys, the troll is sucking you in. 4 months, 12 posts.

bitchstewie
Saturday 25th August 2018

Mr Pointy said:
Guys, the troll is sucking you in. 4 months, 12 posts.
I'm not pointing out the issues because it bothers me personally.

I'm pointing them out because someone may read them and think "Yes, I'll do that instead".

Harpoon
Saturday 25th August 2018

Lemming Train said:
And what if you forget the master password, which of course would need to be super secure and cryptic, so not something you'd choose by choice yourself, thus making it difficult to remember? It's the key to all your other super secure passwords like 6mRKn2qXgxGKKazgiy1V6pzZFSUcpjYb3B8erq5ejfN3Y1KXj6W8ZryIhClqf14Dceu9nckswyDesboJnL and izVS7XSci2aOcug/Fk6YeaiV9JGEUgULbR//ar8QPMXsAkP75IKOgH+b/LW2w6hb974xyOlcOtruvXtqG that you now have no chance of guessing and oh look, the password reset button doesn't work on the website it's for because you've since changed your email address and no longer have access to the old one in order to reset your password and log-in.

There is also the personal security issue of having all your log-ins and passwords stored in one place. If you were to get mugged whilst out and about and the thieves forced you to unlock your phone screen and saw the nice little 1pass icon sat there in the middle of the screen, you'd soon find yourself with a knife blade against your skin as they demand the password and then systematically empty every single one of your accounts from the handy list of log-ins and passwords you have stored for them all.
You need to remember one long password and ideally have hardware 2FA to provide an extra layer of security.

I'd bet a small amount of money that your average moped-driving, knife-carrying London scumbag can't even spell LastPass, let alone know what it is if they made you unlock your phone. Do any major banks not have 2FA these days? So even if somebody did have your banking password, how are they going to get past the 2FA?

The Mad Monk
Saturday 25th August 2018

bhstewie said:
In Mad Monk's scenario they've got your piece of paper, so you're done for.
Please forgive me, because I really don't want to do this to death, but:-

My passwords are not written in plain English.

1. You found my piece of paper.
2. You deduced that 'farrier' is cryptic for 'blacksmith'.
3. What is, say, my intake number?
4. Who was my Art teacher?
5. When was my maternal grandmother born?

I have just looked at KeePass (whatever it's called) and didn't understand it!

Lemming Train
Saturday 25th August 2018

anonymous said:
[redacted]
Stew's picture above sums up that comment quite nicely:



coupe said:
Don't be daft. Yes, you want a secure master password, but you only need to remember *one* not hundreds.
But if your master password gets compromised (eg. accidental or by force) that's just as much a flaw as writing them down on a bit of paper.

coupe said:
And having a password manager doesn't make it more of a liability to physical threats. If you have a knife to your throat, demanding access to your online banking, they'll get it regardless of whether it's in a password manager, a mnemonic written down, or just "password" on a sticky note on your screen.
Giving access to your online banking is one thing. Giving them a complete list of log-ins and passwords for all your other financial assets such as credit cards, savings accounts, shares accounts is quite something else.

coupe said:
Using a password manager doesn't magically mean there is no way for you to be hacked or have your credentials forced out of you. It's just better than all the alternatives we've been able to come up with.
"Better" is debatable. I don't disagree that having a long string of jumbled characters is better for 'general' password security but I don't agree that having all your sensitive data stored in one place is wise and certainly not when entrusted to a third party provider, regardless of the claims by techie geeks who assure us it's all 100% secure military grade encryption and so nothing to worry about. It's well and good in theory but I refer you back to Stewie's picture.

bitchstewie
Saturday 25th August 2018

The Mad Monk said:
Please forgive me, because I really don't want to do this to death, but:-

My passwords are not written in plain English.

1. You found my piece of paper.
2. You deduced that 'farrier' is cryptic for 'blacksmith'.
3. What is, say, my intake number?
4. Who was my Art teacher?
5. When was my maternal grandmother born?

I have just looked at KeePass (whatever it's called) and didn't understand it!
Apologies, maybe I'm getting confused.

So let's say that your website password is "blacksmith48765" for one website and "cobblerMrSmith" for another.

Are you saying your piece of paper simply says:

website 1 - farrier
website 2 - shoe repairer

And you remember all of the rest and it's a totally different system for each one?

Clockwork Cupcake
Saturday 25th August 2018

The Mad Monk said:
I have just looked at KeePass (whatever it's called) and didn't understand it!
And yet you are able to operate a computer well enough to be able to post on an internet forum.

Clockwork Cupcake
Saturday 25th August 2018

Lemming Train said:
"Better" is debatable. I don't disagree that having a long string of jumbled characters is better for 'general' password security but I don't agree that having all your sensitive data stored in one place is wise and certainly not when entrusted to a third party provider, regardless of the claims by techie geeks who assure us it's all 100% secure military grade encryption and so nothing to worry about. It's well and good in theory but I refer you back to Stewie's picture.
And how is your solution better? Being threatened with a wrench to reveal your master password or being threatened with a wrench to explain how your 'system' works?

They say that a little knowledge is a dangerous thing. You have just enough knowledge to draw entirely incorrect conclusions from it.

I refer you again to my anti-vaxer analogy, and how deluded parents reject all vaccinations due to one grain of poorly-understood 'knowledge' from which they draw dangerous conclusions.


Clockwork Cupcake
Saturday 25th August 2018

anonymous said:
[redacted]
This. Exactly this.

anonymous said:
[redacted]
Quite. It's like saying that homeopathy definitely works, despite what all the "medical geeks" (ie. doctors, researchers, and other medical professionals) say.

Rejecting the advice of experts because you think you know better than them and, worse, using dismissive and disparaging terms for them, is simply laughable.

anonymous said:
[redacted]
Oh what do they know about security, cryptology, cryptography, cryptanalysis, and hacking?

Bunch of maths nerds and spacky techy tech geeks.

https://www.youtube.com/watch?v=XczIlID_GPM


Edited by Clockwork Cupcake on Saturday 25th August 11:21

deckster
Saturday 25th August 2018

anonymous said:
[redacted]
The cynical might say that they waited until they'd managed to crack their databases. But I'm sure that's not the case as they only have our best interests at heart and I know they're not really watching everything I type.

Hang on, that's a knock at the door. Be right ba