Password managers - are they truly secure?
Discussion
RizzoTheRat said:
But as above you can also store additional information in LastPass so can log in to it to look all the extra stuff up
Likewise, Dashlane lets you store additional notes against an entry so you could save stuff like this. It can also (with somewhat variable degrees of success) complete name/address details, recognising the relevant fields, and card details if you want it to.
Not-The-Messiah said:
Been using LastPass for a bit now and it is useful, just a sod when I forgot the password for that.
It's interesting how people come up with their passwords in the first place. Myself and a few others I know use a mixture of registration plates from old cars.
#obligatoryxkcd
https://xkcd.com/936/
Mojooo said:
I can understand it working on a browser extension
What if you need emergency access to email and you are on a computer with a basic browser? Do you log in to LastPass, which then gives you the password?
Remember if you're using 2FA you'd likely need to have your phone with you to generate a code, so you'd usually just have the app on your phone.
To those of you using an offline password manager like KeePass, what do you do if your hard drive dies and the data held on it is unrecoverable? If you didn't keep back-ups of your .kdbx file (which many people won't due to security risks) then your entire database of passwords and private data is lost forever. Sure, there are numerous ways around this problem by saving the database file to another drive or USB stick for example, but it's cumbersome and inconvenient which defeats the whole point of having a password manager.
The online password managers that can sync across multiple platforms I'm sure are very good and of course you don't have to worry about losing all your passwords if your HDD dies, but to my mind entrusting all your financial affairs and personal info to an unknown third party company is A VERY BAD IDEA regardless of how many times they write on their flashy website that it all has military grade AES encryption and would take 10 billion years for them or anyone else to crack. Even the audits by professional security companies do nothing to convince me otherwise, but I expect many would say that's my issue to deal with and suggest I buy a hat made from tinfoil.
On a related note, what I would like to see become a 'rule' is for any site requiring a password to comply with a set format. You can create good, strong, unique AND easy to remember passwords yourself for all your log-ins but you're prevented from doing so due to virtually every site having different criteria for its password format. For example: some sites insist on the use of a special character, yet many won't allow any non-alphanumeric characters. Likewise, some insist your password must exceed x number of characters and use an upper case letter and a number, but other sites have a relatively short password field and only allow letters.
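The post above complains that every site imposes a different password format. That is exactly the job a password manager's generator does for you: draw a fresh, uniformly random password per site under that site's own rules, so the "one password plus a system" approach is never needed. Added example, not code from the thread or from any password manager: the three policies are hypothetical stand-ins for the kinds of sites described above (one demands a special character, one forbids non-alphanumerics and caps the length at 12, one accepts letters only up to 8), the `secrets` module supplies the randomness, and `entropy_bits` shows what each policy leaves an attacker to search.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """One site's password rules. All three instances below are made up for this example."""
    name: str
    min_length: int
    max_length: int
    allowed: str                               # every character the site accepts
    required_classes: Tuple[str, ...] = ()     # password must contain at least one char from each


LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIALS = "!@#$%^&*"

# Hypothetical policies of the kinds complained about in the thread (assumed, not real sites).
WANTS_SPECIAL = PasswordPolicy("wants-special", 12, 64, LOWER + UPPER + DIGITS + SPECIALS,
                               required_classes=(LOWER, UPPER, DIGITS, SPECIALS))
ALNUM_ONLY = PasswordPolicy("alnum-only", 8, 12, LOWER + UPPER + DIGITS,
                            required_classes=(UPPER, DIGITS))
LETTERS_ONLY = PasswordPolicy("letters-only", 6, 8, LOWER + UPPER)


def satisfies(policy: PasswordPolicy, password: str) -> bool:
    """True if the password meets every rule in the policy."""
    return (policy.min_length <= len(password) <= policy.max_length
            and set(password) <= set(policy.allowed)
            and all(any(ch in cls for ch in password) for cls in policy.required_classes))


def generate(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Draw a password uniformly from the policy-compliant strings of the given length.

    Defaults to the longest length the site accepts. Rejection sampling keeps the
    distribution uniform over compliant passwords; the common "pick one character of
    each class, fill the rest, shuffle" approach does not.
    """
    length = policy.max_length if length is None else length
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError(f"{policy.name}: length {length} is outside "
                         f"{policy.min_length}-{policy.max_length}")
    for cls in policy.required_classes:
        if not set(cls) & set(policy.allowed):
            raise ValueError(f"{policy.name}: required class {cls!r} has no allowed characters")
    while True:
        candidate = "".join(secrets.choice(policy.allowed) for _ in range(length))
        if satisfies(policy, candidate):
            return candidate


def entropy_bits(policy: PasswordPolicy, length: Optional[int] = None) -> float:
    """Upper bound on guessing entropy: log2 of the number of strings the site allows."""
    length = policy.max_length if length is None else length
    return length * math.log2(len(policy.allowed))


if __name__ == "__main__":
    for policy in (WANTS_SPECIAL, ALNUM_ONLY, LETTERS_ONLY):
        print(f"{policy.name:14s} {generate(policy)}  (~{entropy_bits(policy):.0f} bits at max length)")
```

The letters-only site caps what any user can do at roughly 45 bits no matter how clever the scheme; the only thing the manager can still guarantee there is that the password is unique to that site, which is the point the thread keeps coming back to.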
Lemming Train said:
To those of you using an offline password manager like KeePass, what do you do if your hard drive dies and the data held on it is unrecoverable? If you didn't keep back-ups of your .kdbx file (which many people won't due to security risks) then your entire database of passwords and private data is lost forever. Sure, there are numerous ways around this problem by saving the database file to another drive or USB stick for example, but it's cumbersome and inconvenient which defeats the whole point of having a password manager.
Like any important data, you have a good backup regime. I have the password file stored on my HDD, automatically synced to Dropbox, and also automatically synced to my local NAS box, and also periodic backups.
Since the password file is heavily encrypted, I'm not too worried about the "security risks" of the file itself as it is never stored unencrypted. You can't be sure that the same is true of the online Password Managers.
anonymous said:
[redacted]
It would help immensely because you could create a complex (in terms of brute-forcing) but easy to remember 'main' password and simply add a specific pattern of letters around it that relate to the website it's for. Eg. phL£mm1ngTr@in would be impossible to brute force (204 million years apparently) but the 'main' password satisfies upper case, lower case, numerics and special char criteria, is easy to remember after a few uses and the first 2 letters signify which site it's for. That's a very basic example and it would be best to add additional chars to disguise the ph bit so it's not obvious it's for PistonHeads if someone managed to find out the main part of your password.
Lemming Train said:
It would help immensely because you could create a complex (in terms of brute-forcing) but easy to remember 'main' password and simply add a specific pattern of letters around it that relate to the website it's for. Eg. phL£mm1ngTr@in would be impossible to brute force (204 million years apparently) but the 'main' password satisfies upper case, lower case, numerics and special char criteria, is easy to remember after a few uses and the first 2 letters signify which site it's for. That's a very basic example and it would be best to add additional chars to disguise the ph bit so it's not obvious it's for PistonHeads if someone managed to find out the main part of your password.
I would suggest that if you think that "phL#mm!ngTr@1n" is even remotely secure for a site commonly known as PH and a user ID LemmingTrain, then you should leave the thinking to the grownups.
Honestly, people universally are terrible at security, and the people behind the major password managers are serious professionals who really, really know what they're doing.
Lemming Train said:
It would help immensely because you could create a complex (in terms of brute-forcing) but easy to remember 'main' password and simply add a specific pattern of letters around it that relate to the website it's for. Eg. phL£mm1ngTr@in would be impossible to brute force (204 million years apparently) but the 'main' password satisfies upper case, lower case, numerics and special char criteria, is easy to remember after a few uses and the first 2 letters signify which site it's for. That's a very basic example and it would be best to add additional chars to disguise the ph bit so it's not obvious it's for PistonHeads if someone managed to find out the main part of your password.
I don't think you understand how password cracking works. Blind brute forcing is rarely the first line of attack - dictionary attacks & rainbow attacks are used first and would crack that in moments. And even before that, it would try combinations of your username and other social engineering attacks.
Edited by Clockwork Cupcake on Friday 24th August 23:49
deckster said:
Lemming Train said:
It would help immensely because you could create a complex (in terms of brute-forcing) but easy to remember 'main' password and simply add a specific pattern of letters around it that relate to the website it's for. Eg. phL£mm1ngTr@in would be impossible to brute force (204 million years apparently) but the 'main' password satisfies upper case, lower case, numerics and special char criteria, is easy to remember after a few uses and the first 2 letters signify which site it's for. That's a very basic example and it would be best to add additional chars to disguise the ph bit so it's not obvious it's for PistonHeads if someone managed to find out the main part of your password.
I would suggest that if you think that "phL#mm!ngTr@1n" is even remotely secure for a site commonly known as PH and a user ID LemmingTrain, then you should leave the thinking to the grownups.
Clockwork Cupcake said:
Lemming Train said:
It would help immensely because you could create a complex (in terms of brute-forcing) but easy to remember 'main' password and simply add a specific pattern of letters around it that relate to the website it's for. Eg. phL£mm1ngTr@in would be impossible to brute force (204 million years apparently) but the 'main' password satisfies upper case, lower case, numerics and special char criteria, is easy to remember after a few uses and the first 2 letters signify which site it's for. That's a very basic example and it would be best to add additional chars to disguise the ph bit so it's not obvious it's for PistonHeads if someone managed to find out the main part of your password.
I don't think you understand how password cracking works. Blind brute forcing is rarely the first line of attack - dictionary attacks & rainbow attacks are used first and would crack that in moments.
I'm interested in reading your supporting evidence for that statement, seeing as a cursory check of half a dozen or so 'password strength checker' sites have all agreed that the password is "very strong" and would take millions of years to crack.
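The disagreement above can be settled by hand. A strength checker estimates the time to search the whole keyspace blindly; an attacker who already knows the username (LemmingTrain) and the site's nickname (PH) does not search the keyspace, they generate candidates from those two facts and try leet substitutions, which is what a rule-based wordlist attack does. Added example, not code from any poster or from any cracking tool: the substitution table, the site tokens and the candidate ordering are assumptions made for the illustration, and the two target strings are the two spellings posted in the thread.

```python
import itertools
from typing import Iterable, Iterator, Optional

# Substitutes a rule-based attack tries for each letter (the base letter is always kept).
# This table is an assumption for the example, not the rule set of any particular tool.
LEET = {"a": "@4", "e": "3£#", "i": "1!|", "o": "0", "s": "$5", "t": "7"}

# Tokens an attacker derives from the site being attacked: constructed for this example.
SITE_TOKENS = ["ph", "PH", "Ph", "pistonheads"]


def leet_variants(word: str) -> Iterator[str]:
    """Yield every spelling of word with zero or more leet substitutions applied."""
    choices = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(username: str, site_tokens: Iterable[str]) -> Iterator[str]:
    """Guesses of the form (site token or nothing) + leet variant of username + (site token or nothing)."""
    tokens = [""] + list(site_tokens)
    for prefix in tokens:
        for variant in leet_variants(username):
            for suffix in tokens:
                yield prefix + variant + suffix


def guesses_until(password: str, username: str, site_tokens: Iterable[str]) -> Optional[int]:
    """1-based position of password in the candidate stream, or None if it is never generated."""
    for n, guess in enumerate(candidates(username, site_tokens), start=1):
        if guess == password:
            return n
    return None


def candidate_count(username: str, site_tokens: Iterable[str]) -> int:
    """Size of the whole targeted search space."""
    return sum(1 for _ in candidates(username, site_tokens))


if __name__ == "__main__":
    total = candidate_count("LemmingTrain", SITE_TOKENS)
    print(f"targeted search space: {total} candidates")
    for pw in ("phL£mm1ngTr@in", "phL#mm!ngTr@1n"):   # the two spellings posted in the thread
        n = guesses_until(pw, "LemmingTrain", SITE_TOKENS)
        # Even a throttled online login that allows 10 guesses/s clears this in minutes;
        # offline against a leaked hash it is a fraction of a second.
        print(f"{pw}: guess number {n}, {n / 10:.0f} s at 10 guesses/s")
```

The "204 million years" figure measures the wrong attacker: it assumes nothing is known about the target. Both posted spellings sit inside a space of under ten thousand candidates, and a real rule set (case toggles, appended years, more substitutions) would still be small enough to exhaust in seconds against a leaked hash.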
I think what worries me is that people will read these threads and think there are good reasons not to use a password manager.
As I said I'm a bit of a hypocrite in that I don't put my bank details in mine, but I only have one bank account and it has 2FA on it too.
Everything else goes in it and I'd be screwed without it.
Turn7 said:
Sounds like a recipe for disaster letting some software control and dictate passwords, but it appears plenty use them...
So, good or bad ?
It is getting harder and harder to remember all the PWs these days....
They are not without risks, but like most security technologies they are better than the most common alternative, reusing passwords.
Having one password and deriving variants from it using a 'system' is "security through obscurity". You only need two passwords to be compromised and you're wide open. In fact, you only need one to be compromised if the 'system' is fairly obvious.
By analogy, think of hiding a key to your front door under the third plant pot on the right. It's only secure for as long as nobody knows it's there. Now imagine you own hundreds of properties, and you *always* hide a key under the third plant pot on the right, at every single one of them.
Once this 'secret' gets out, you have no security.
Distinguish between important passwords and unimportant passwords.
For example, I consider the PistonHeads password to be unimportant. If I lose it, what is the worst that can happen? Someone will come on here and write a load of junk! Well, I do that anyway.
Think of a word 8 - 12 letters long, say 'blacksmith', write that down in cryptic form, say 'farrier'. Add a number that only you know, I use military numbers for example. Add another word, or name, say, a teacher at school. Capitalised randomly.
So your password written down is: FaRRier military intake art teacher at Borstal. Who is ever going to get that?
Keep a list, change them from time to time.
O.K. What is the huge flaw?