Password managers - are they truly secure ?
Discussion
Troy Hunt writes some good stuff on security, including password managers eg
https://www.troyhunt.com/password-managers-dont-ha...
Yes password managers are a very good idea
No they are not perfect, they do not solve every password related security issue, and they do introduce their own risks, but they eliminate more.
The only thing I can think of that would be a worse idea than 'letting software control and dictate passwords' would be letting people do it
Personally swear by KeePass. Free, open source, not hosting your info on a server (unless you wish to use cloud backups to sync across devices, even then the file is encrypted and only accessible by you), extra security possible such as using a USB key as a second authentication factor. Not quite as integrated as the likes of Lastpass, but it was the first I encountered and once you get used to it, it all becomes second nature.
ging84 said:
The only thing I can think of that would be a worse idea than 'letting software control and dictate passwords' would be letting people do it
This is very much my opinion. Although clearly not zero, the risks of using a well-run and mature password manager are much, much smaller than those associated with trying to remember them all yourself.
Turn7 said:
Sounds like a recipe for disaster letting some software control and dictate passwords, but it appears plenty use them...
So, good or bad ?
It is getting harder and harder to remember all the PWs these days....
If you can truly live with the downsides there's no issue with:
- A little black book somewhere very very safe (until it gets stolen)
- An encrypted USB stick with a password database on it
If you use something like 1Password and you read the white papers (and understand them, I'm not a mathematician) they are as secure as anything can be i.e. until someone finds a bug.
Then you're into what kind of bug and how quickly they fix it.
The alternative is to do what too many people do which is to recycle/reuse the same passwords, and the risk of those being compromised because the sites you use them on have an issue is massively more IMO.
Read the Troy Hunt link and as much other stuff from him as you can - I find it deals with things in a very pragmatic way and tends to put it into terms normal people can understand.
I swear, LastPass is one of the greatest tools out there.
LastPass has incredible browser plugins and phone apps. If your phone has a fingerprint sensor, LastPass is brilliant. I don't know about iOS, but on Android it will detect the login form in other apps and fill it in for you after you authenticate with your fingerprint. It works flawlessly 90% of the time, and the other 10% you can just open the LastPass app and copy/paste the password manually without ever typing it.
Meaning you never even see your own passwords, and so you can make them as insanely complicated as you like without worrying about remembering them.
Other features I like are the security audit, which will warn you to change passwords you use on multiple sites, and the automatic password changer which can do a password change on the common sites (amazon, ebay, farcebook etc) with one click.
You can also nominate another person to hand over all your passwords to if you croak.
If you need to share passwords with families, there's a paid version which supports that. There's also a paid team version for business use, but I've never tried it.
KeePass (free) works ok for teams. It's not a web/cloud tool, it just stores all your passwords in an encrypted file, which you can share with others. If one person in the team changes a password, anyone else using the file will be notified that it's changed and can reopen the file. Not sophisticated, but it works. It's free, that's the main thing.
I personally would pay for Premium as that allows the use of 2FA including hardware tokens like a Yubikey
https://www.lastpass.com/multifactor-authenticatio...
https://support.logmeininc.com/lastpass/help/yubik...
1Pass has a nice integration with HaveIBeenPwned to check for logins compromised by data breaches
https://www.troyhunt.com/were-baking-have-i-been-p...
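The breach check mentioned above works by k-anonymity: the client hashes the password with SHA-1 locally, sends only the first five hex characters to the Pwned Passwords range endpoint, and compares the returned suffixes on its own machine, so the full hash never leaves the device. The example below is added here and is not 1Password's or HIBP's own code; the range response is a constructed sample with made-up counts, and `fetch_range` is a stand-in for the real HTTP call.

```python
import hashlib

# Real endpoint shape (for reference only; this example runs offline):
#   GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# Each response line is "<remaining 35 hex chars>:<times seen in breaches>".
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample responses keyed by prefix. The suffix of "password"
# is included with a made-up count; the other entries are filler.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password") suffix
        "0000000000000000000000000000000AAAA:2",         # constructed filler
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBBB:17",        # constructed filler
    ]),
}

def split_sha1(password: str):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; ignores blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP GET; an empty body means no matches."""
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password: str, fetch=fetch_range) -> int:
    """Times the password appears in the (sampled) breach corpus, or 0.
    Only the 5-character prefix is ever passed to fetch()."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw))
```

A password manager's audit feature does this per saved login and flags any entry with a non-zero count; note that the count from the sample above is constructed, not HIBP's real figure.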
boyse7en said:
Is last pass free worth using or is it the premium one that is needed? I need a way to organise passwords across Android phone/home mac/work mac
Free is all I've ever used. Seriously, try it. I've never seen an advert. (EDIT: I found the adverts. They're only on the webapp, and adblock takes care of them).
2FA would be a bonus, but if you don't have it you can still:
Always lock your workstation (this is good habit)
- Use a hot corner on OSX to lock the screen
- Ctrl-Alt-Del then Enter every time you leave a windows PC
Use your phone's lock features. Decide for yourself based on the handset model which is the most secure for you.
Set a really long master passphrase on LastPass, and require it to be re-entered once an hour.
Require LastPass to always re-prompt for particular sites/payment details.
Edited by TartanPaint on Thursday 23 August 09:25
Edited by TartanPaint on Thursday 23 August 09:41
keith333 said:
I use a password protected Excel spreadsheet. Should I change to using a password manager? I have no idea on how easy an Excel spreadsheet is to hack.
I would change if I was you. Excel files are not particularly difficult to crack but apart from anything else a proper password manager is full of useful functionality which makes it a much better and more useful choice. They can fill in passwords for you, generate random ones and so much more besides. And they're more secure.
Also I'm assuming someone theoretically could see your passwords on the screen with an excel file (unless you hide them). Password managers don't do this unless you tell it to.
TameRacingDriver said:
Personally swear by KeePass. Free, open source, not hosting your info on a server (unless you wish to use cloud backups to sync across devices, even then the file is encrypted and only accessible by you), extra security possible such as using a USB key as a second authentication factor. Not quite as integrated as the likes of Lastpass, but it was the first I encountered and once you get used to it, it all becomes second nature.
Same here. The file that stores all your passwords is encrypted with military-grade encryption. If you are extra-paranoid you can keep it on a secure USB stick so that it never goes on the cloud, although I choose to put it on my DropBox so I can access it from multiple devices.
As you say, it is not as convenient to use or as integrated, but I consider it to be more secure.