Password managers - are they truly secure ?

otolith

56,341 posts

205 months

Thursday 23rd August 2018
anonymous said:
[redacted]
A session token only maintains identity between pages for the duration of the session. There are plenty of sites which will allow you to tick a box when you log in so that you don't have to enter your credentials again. Not sites worth worrying about, of course, but people reuse passwords.
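The "tick a box so you don't have to enter your credentials again" feature described above is a persistent login token, and it is exactly the thing that lets a stolen cookie outlive the session. The following is an added example, not code from any site or product mentioned in this thread, showing the usual safe shape for such a token: a public selector, a secret validator that is only ever stored hashed, an expiry, single use with rotation on each redemption, and a revoke-all hook for password changes. The in-memory `STORE` dict and the function names are hypothetical stand-ins for a database table.

```python
"""Persistent "keep me logged in" cookies done the safe way.

Added example (not from any product in the thread). The in-memory dict
STORE stands in for a database table; all names are hypothetical.
"""
import hashlib
import hmac
import secrets

TTL_SECONDS = 30 * 24 * 3600  # how long a "remember me" cookie stays valid

# selector -> record. Only a hash of the validator is stored, so a leaked
# table does not let an attacker forge cookies.
STORE = {}


def _hash(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_cookie(user_id, now, store=STORE):
    """Create a fresh selector:validator pair and return the cookie value."""
    selector = secrets.token_urlsafe(9)    # public lookup key, 72 bits
    validator = secrets.token_urlsafe(32)  # secret, 256 bits, never stored in clear
    store[selector] = {
        "user_id": user_id,
        "validator_hash": _hash(validator),
        "expires": now + TTL_SECONDS,
    }
    return "%s:%s" % (selector, validator)


def redeem_cookie(cookie, now, store=STORE):
    """Return (user_id, new_cookie) if the cookie is valid, else None.

    The token is single-use: a successful redemption deletes it and issues a
    replacement, so a copied cookie stops working as soon as the real owner
    uses theirs, and a replay of an already-used cookie simply fails.
    """
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    record = store.get(selector)
    if record is None:
        return None
    if now >= record["expires"]:
        del store[selector]
        return None
    # Constant-time compare on the hash, never on the raw validator.
    if not hmac.compare_digest(record["validator_hash"], _hash(validator)):
        # Known selector, wrong secret: someone holds a partial copy. Burn it.
        del store[selector]
        return None
    user_id = record["user_id"]
    del store[selector]
    return user_id, issue_cookie(user_id, now, store)


def revoke_all(user_id, store=STORE):
    """Invalidate every remembered login for a user (e.g. on password change)."""
    doomed = [s for s, r in store.items() if r["user_id"] == user_id]
    for s in doomed:
        del store[s]
    return len(doomed)
```

The cookie itself should additionally be set `Secure`, `HttpOnly` and `SameSite`, and the store should be keyed per device so that `revoke_all` can also be offered as "log out everywhere".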

essayer

9,094 posts

195 months

Thursday 23rd August 2018
Also, reject the use of SMS authentication as much as possible, especially for anything you consider to be 'very important'

The theory is sound, but you have to trust that your mobile provider will never release your PAC to another network.

otolith

56,341 posts

205 months

Thursday 23rd August 2018
anonymous said:
[redacted]

Your sysadmins have a good one of these?

Dromedary66

1,924 posts

139 months

Thursday 23rd August 2018
essayer said:
Also, reject the use of SMS authentication as much as possible, especially for anything you consider to be 'very important'

The theory is sound, but you have to trust that your mobile provider will never release your PAC to another network.
With Vodafone at least you can enable SMS authentication on your mobile account, which in turn stops anyone maliciously doing as you suggest.

Clockwork Cupcake

74,785 posts

273 months

Thursday 23rd August 2018
Two factor authentication with SMS as the second factor is better than just a password though.
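The objection to SMS in the posts above is that the code travels over a channel the subscriber does not control: a PAC or SIM swap moves it to whoever persuaded the network. The usual alternative is an authenticator app generating time-based codes from a shared secret that never leaves the device. As an added example, not code from any product named in this thread, here is a stand-alone RFC 4226 (HOTP) and RFC 6238 (TOTP) implementation using only the Python standard library, with a verifier that tolerates one step of clock drift and refuses replays of a code it has already accepted. The key is the published RFC test vector, so the outputs can be checked against the RFCs.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a replay-safe verifier.

Added example, not code from any product in the thread; standard library only.
RFC_SECRET is the test key from the RFCs, not a real credential.
"""
import base64
import hashlib
import hmac

RFC_SECRET = b"12345678901234567890"  # test vector key from RFC 4226 / RFC 6238


def hotp(key, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """Time-based OTP (RFC 6238): HOTP over the current 30-second window."""
    return hotp(key, unix_time // step, digits)


def decode_authenticator_secret(b32):
    """Authenticator apps are provisioned with a base32 secret; pad and decode it."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(key, code, unix_time, last_counter, window=1, step=30, digits=6):
    """Check a submitted code against the current window and +/- `window`
    neighbours (clock drift). Any counter <= last_counter is refused, so a
    code captured in transit cannot be replayed once the real one was used.

    Returns (accepted, new_last_counter); persist new_last_counter per user.
    """
    current = unix_time // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_counter:
            continue  # already consumed, or older than one already consumed
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return True, counter
    return False, last_counter
```

The replay check is the part most home-grown verifiers forget: without it, a code phished in real time is valid for the whole 30-second window plus the drift allowance, which is plenty for an automated relay.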

RizzoTheRat

25,218 posts

193 months

Thursday 23rd August 2018
I use LastPass and find it pretty good, but don't really use it to its full potential as I try to remember passwords and then log in to LastPass if I can't remember. This means I don't use as complex passwords as I could, but it does mean I can log in to things from machines I don't have LastPass installed on, without having to look up long complicated passwords on my phone.

TartanPaint said:
- Ctrl-Alt-Del then Enter every time you leave a windows PC
I'm always surprised how many people don't know that Win-L does the same thing for fewer key presses.

Clockwork Cupcake

74,785 posts

273 months

Thursday 23rd August 2018
RizzoTheRat said:
I'm always surprised how many people don't know that Win-L does the same thing for fewer key presses.
On WinNT it was Win+W (presumably for "Lock Workstation") and it got changed to the far more sensible Win+L for Windows 2000 onwards. Took me a while to retrain my muscle memory though.

But, yes, it's second nature to lock my computer with Win+L

Also works on Ubuntu, btw.

ZesPak

24,439 posts

197 months

Thursday 23rd August 2018
Clockwork Cupcake said:
On WinNT it was Win+W (presumably for "Lock Workstation") and it got changed to the far more sensible Win+L for Windows 2000 onwards. Took me a while to retrain my muscle memory though.

But, yes, it's second nature to lock my computer with Win+L

Also works on Ubuntu, btw.
I work in several big companies and in almost every single one you can walk in, find a computer of someone who's in a meeting/to the restroom and enjoy yourself.

Win+L is seriously underused.
Weren't they talking about solving it with Hello? Autolocking when you're away, unlocking when you're back?

RizzoTheRat

25,218 posts

193 months

Thursday 23rd August 2018
ZesPak said:
I work in several big companies and in almost every single one you can walk in, find a computer of someone who's in a meeting/to the restroom and enjoy yourself.
Ours are always set to automatically screen-lock after a couple of minutes, but it's still surprising how many you see that aren't locked.

I use the face recognition on my personal laptop and it's a bit of a pain at times as it's slower than just tapping in a password.
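The automatic lock mentioned above is the safety net for the Win+L habit, and on Windows it lives in three per-user screen-saver values (with Group Policy overrides in the Policies hive). The script below is an added example, not from this thread or from Microsoft, that audits those values. The evaluation logic is pure Python so it can be tested anywhere; only `read_current_user_settings` touches the registry and it only runs on Windows. The 300-second limit is an assumed house policy, not a Windows default.

```python
"""Audit the Windows idle-lock settings that back up the Win+L habit.

Added example, not code from the thread. Registry paths are the standard
per-user screen-saver settings and their Group Policy equivalents. The
300-second maximum is an assumed policy value.
"""
import sys

USER_KEY = r"Control Panel\Desktop"
POLICY_KEY = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
VALUES = ("ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut")


def evaluate_lock_settings(values, max_idle_seconds=300):
    """Return a list of findings; an empty list means the workstation will
    lock itself within the limit.

    `values` maps the three registry value names to their REG_SZ strings as
    stored; a missing name counts as unset.
    """
    findings = []
    if values.get("ScreenSaveActive") != "1":
        findings.append("ScreenSaveActive is not 1: no screen saver, so no idle lock")
    if values.get("ScreenSaverIsSecure") != "1":
        findings.append("ScreenSaverIsSecure is not 1: resume does not require a password")
    raw = values.get("ScreenSaveTimeOut", "")
    timeout = int(raw) if raw.isdigit() else 0
    if timeout <= 0:
        findings.append("ScreenSaveTimeOut unset or zero: screen saver never starts")
    elif timeout > max_idle_seconds:
        findings.append("ScreenSaveTimeOut=%ds exceeds the %ds limit" % (timeout, max_idle_seconds))
    return findings


def read_current_user_settings():
    """Read the user's values, then let policy values overwrite them
    (policy wins, which is how Windows applies them)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry audit only runs on Windows")
    import winreg
    merged = {}
    for path in (USER_KEY, POLICY_KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                for name in VALUES:
                    try:
                        merged[name] = str(winreg.QueryValueEx(key, name)[0])
                    except FileNotFoundError:
                        pass  # value not present under this key
        except FileNotFoundError:
            continue  # key itself absent (no policy set, for example)
    return merged


if __name__ == "__main__":
    report = evaluate_lock_settings(read_current_user_settings())
    for line in report or ["OK: idle lock configured"]:
        print(line)
```

For a domain-wide enforcement the complementary machine setting is the "Interactive logon: Machine inactivity limit" security policy (`InactivityTimeoutSecs` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`), which locks regardless of what the user has done to their screen saver.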

Clockwork Cupcake

74,785 posts

273 months

Thursday 23rd August 2018
In my doctor's surgery there is a big red sign above the Reception PC reminding people to Win+L before walking away from it.

It's a very good habit to get into. I even do it at home, even though I currently live on my own, simply because it is so ingrained in me to do so now.

Clockwork Cupcake

74,785 posts

273 months

Thursday 23rd August 2018
anonymous said:
[redacted]
Yes, I tried something like that for a while. But, as you say, it's generally more trouble than it's worth. Not just for it locking whilst you're using it, but also sometimes failing to lock.

It's better just to train yourself to just always hit Win+L before stepping away from your PC.

Harpoon

1,877 posts

215 months

Thursday 23rd August 2018
Clockwork Cupcake said:
Yes, I tried something like that for a while. But, as you say, it's generally more trouble than it's worth. Not just for it locking whilst you're using it, but also sometimes failing to lock.

It's better just to train yourself to just always hit Win+L before stepping away from your PC.
You soon remember to lock in an office full of pranksters. The favourite quick one was a wallpaper change - usually based on a Google image search for "fat midget". Possibly not a search to try in most offices or workplaces though...

essayer

9,094 posts

195 months

Thursday 23rd August 2018
Harpoon said:
You soon remember to lock in an office full of pranksters. The favourite quick one was a wallpaper change - usually based on a Google image search for "fat midget". Possibly not a search to try in most offices or workplaces though...
Screenshot desktop, then flip it landscape, set it as the background and flip the screen with CTRL-ALT-UP or the Display settings

TartanPaint

2,993 posts

140 months

Thursday 23rd August 2018
I didn't know about Win+L. Shame on me. I doubt I'll retrain my muscle memory after all these years, but thanks anyway.

I've been playing with Bitwarden. It's really good.

Comparing the free versions, like for like, I prefer LastPass. It's a bit slicker, and there's no limit on Categories, and I like LastPass' pro-active audit tools.

However, I'm considering switching to Bitwarden as it works out cheaper than LastPass to share passwords with Mrs TP. Both products charge for this, but Bitwarden is cheaper: $1/month per user, $24/year for the two of us. I think I can justify that as we have a load of accounts (e.g. Netflix, Tesco grocery etc.) which need shared passwords.

Although I got all excited by the self-hosting option in Bitwarden, having looked into it I see no advantage whatsoever to self-hosting for personal use. Definitely, some enterprises will use that option for CyberEssentials or ISO27001 compliance or general paranoia. However, there's no inherent insecurity in using the cloud version. In fact, I would trust Bitwarden/Azure's ability to secure a web server more than most people's ability to host services securely at home. I might do it just for the sake of it, but it's no better for anyone, and worse for most people.

outnumbered

4,101 posts

235 months

Thursday 23rd August 2018
I find Google's password manager pretty effective, it has good integration with Chrome as well.

stemll

4,120 posts

201 months

Thursday 23rd August 2018
RizzoTheRat said:
I'm always surprised how many people don't know that Win-L does the same thing for fewer key presses.
Or Ctrl - Shift - Eject on a Mac (replace eject with power if you don't have an optical drive and so no eject button)

As for password management, I use Dashlane across macOS, iOS and Android.

Mr-B

3,790 posts

195 months

Thursday 23rd August 2018
Do these password managers cope with multi-level passwords? i.e. my bank asks for username, then password, then part of a PIN number, then one of memorable place/singer/ and something else I can't remember. Is there a facility to cope with all that?

Clockwork Cupcake

74,785 posts

273 months

Thursday 23rd August 2018
Mr-B said:
Do these password managers cope with multi-level passwords? i.e. my bank asks for username, then password, then part of a PIN number, then one of memorable place/singer/ and something else I can't remember. Is there a facility to cope with all that?
KeePass lets you store any amount of additional information. It's a little clunky but it works.

Mr Pointy

11,291 posts

160 months

Friday 24th August 2018
Mr-B said:
Do these password managers cope with multi-level passwords? i.e. my bank asks for username, then password, then part of a PIN number, then one of memorable place/singer/ and something else I can't remember. Is there a facility to cope with all that?
I use LastPass and it doesn't seem to cope with that level of complexity. Depending on the website it can often cope with a two-stage login where you enter a username and the next screen asks for your password, but I don't think any of them will cope with entering partial details.

RizzoTheRat

25,218 posts

193 months

Friday 24th August 2018
But as above you can also store additional information in LastPass so can log in to it to look all the extra stuff up