Password managers - are they truly secure ?


Clockwork Cupcake

74,789 posts

273 months

Saturday 25th August 2018
deckster said:
The cynical might say that they waited until they'd managed to crack their databases.
You seem to think that these databases have some kind of proprietary encryption. They don't - they use the best industry-standard encryption available. And if that had been compromised, we'd know about it.

deckster

9,630 posts

256 months

Saturday 25th August 2018
Clockwork Cupcake said:
You seem to think that these databases have some kind of proprietary encryption. They don't - they use the best industry-standard encryption available. And if that had been compromised, we'd know about it.
I know. It was a joke.

bigandclever

13,820 posts

239 months

Saturday 25th August 2018
Farrier isn't another word for blacksmith. I have no other input to this topic.

gothatway

5,783 posts

171 months

Saturday 25th August 2018
bigandclever said:
Farrier isn't another word for blacksmith. I have no other input to this topic.
True !!

I admit that despite being a techie (well I was a while ago, anyway), I am still sceptical of the value of password managers. I write down my passwords in a form that I think would be uninterpretable to anyone else .. for example, part of the password for a particular site might say "green". To me that means a particular car that I once owned - but only I know whether the field contains the make, model, registration number, person I bought it from, town I lived in, wife at the time, or any combination of parts thereof. Part of the password will relate to the specific site, while using roman numerals instead of arabic also confuses. Another part might indicate which of my particular obfuscation methods I'm using for this password so even knowing how it hangs together for one will not expose it for another. It's all intuitive for me, my main concern being if I have a stroke.

Clockwork Cupcake

74,789 posts

273 months

Saturday 25th August 2018
gothatway said:
I admit that despite being a techie (well I was a while ago, anyway), I am still sceptical of the value of password managers. I write down my passwords in a form that I think would be uninterpretable to anyone else
Ok... but that's like saying that you're sceptical of the value of a calculator because you have a pencil and paper, and know how to do long division and multiplication. Or you're sceptical of the value of the telephone because you can drive round to a friend's house, knock on their door, and talk to them face to face. Or you're sceptical of the value of a contacts list in your phone or your email client because you have a Filofax.

All of these 'systems' just seem to be a longhand and inferior way of emulating the functionality of a password manager simply to avoid using a password manager.



RizzoTheRat

25,220 posts

193 months

Sunday 26th August 2018
anonymous said:
[redacted]
It does slightly, because having all your info in one place means anyone who gets in knows what accounts you have, rather than just the one you tell them about.
As most people's 2FA is through their phone, either via text or email, that's fairly easily compromised the same way.
I have one account that has a card reader to get an authentication code, which is a good system.

I use LastPass though.

rog007

5,761 posts

225 months

Sunday 26th August 2018
Does it all matter still if you usually don't (ever, actually) have much money in your bank account?

bitchstewie

51,574 posts

211 months

Sunday 26th August 2018
rog007 said:
Does it all matter still if you usually don't (ever, actually) have much money in your bank account?
I know you're saying it tongue in cheek but actually these days I'd probably be equally concerned about securing access to my email account.

bladerunner1968

28 posts

140 months

Sunday 26th August 2018
I use KeePass with both a master password and a separate key file needed to gain access to it. I have the KeePass database file stored on Dropbox but every month I email the file to myself as a backup.

I use 2FA on any accounts that allow it such as Gmail and my own hosted OpenConnect VPN instances. I use the Google Authenticator client for 2FA keys.

Works very well.
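As an added illustration of why bladerunner1968's master-password-plus-key-file setup is stronger than either factor alone: the example below, written for this page in Python with only the standard library, derives one vault key from both factors and stores a salt plus a header check so that a wrong password, a missing key file or the wrong key file is rejected before any vault data is touched. This is not KeePass's own file format or key derivation (KeePass has its own header layout and uses AES-KDF or Argon2 for stretching); the scrypt parameters, the header label and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

HEADER_LABEL = b"example-vault-header-v1"  # assumed label for this example, not a KeePass constant
# scrypt work factor: 128 * r * n bytes = 16 MiB of memory per derivation (assumed values)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each factor separately, then hash the concatenation.

    Hashing first means a key file of any length contributes exactly 32 bytes and the
    password/key-file boundary is unambiguous; omitting the key file changes the input
    length, so 'password only' never collides with 'password + key file'.
    """
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_vault_key(composite: bytes, salt: bytes) -> bytes:
    """Stretch the composite key with scrypt so offline guessing is slow and memory-hard."""
    return hashlib.scrypt(composite, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def header_check(vault_key: bytes, salt: bytes) -> bytes:
    """MAC over the header; lets unlock() reject wrong credentials without decrypting anything."""
    return hmac.new(vault_key, HEADER_LABEL + salt, hashlib.sha256).digest()


def new_key_file() -> bytes:
    """A key file is just high-entropy random bytes that live somewhere the database does not."""
    return secrets.token_bytes(64)


def create_vault_header(master_password: str, key_file: Optional[bytes]) -> dict:
    """Build the stored header: a fresh salt and the check value for these two factors."""
    salt = os.urandom(32)
    vault_key = derive_vault_key(composite_key(master_password, key_file), salt)
    return {"salt": salt, "check": header_check(vault_key, salt)}


def unlock(header: dict, master_password: str, key_file: Optional[bytes]) -> Optional[bytes]:
    """Return the vault key if both factors match the header, otherwise None."""
    vault_key = derive_vault_key(composite_key(master_password, key_file), header["salt"])
    if not hmac.compare_digest(header_check(vault_key, header["salt"]), header["check"]):
        return None
    return vault_key


if __name__ == "__main__":
    key_file = new_key_file()
    header = create_vault_header("correct horse battery staple", key_file)
    assert unlock(header, "correct horse battery staple", key_file) is not None
    assert unlock(header, "correct horse battery stable", key_file) is None   # wrong password
    assert unlock(header, "correct horse battery staple", None) is None       # key file missing
    assert unlock(header, "correct horse battery staple", new_key_file()) is None  # wrong key file
    print("both factors required: ok")
```

The practical caveat this makes visible: the key file only counts as a second factor while it is stored apart from the database. A backup that bundles the database and the key file together (the same cloud folder, the same email) reduces the vault to the master password again, which is fine for the emailed copy described above only as long as the key file is not in that email too.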

rog007

5,761 posts

225 months

Sunday 26th August 2018
bladerunner1968 said:
I use KeePass with both a master password and a separate key file needed to gain access to it. I have the KeePass database file stored on Dropbox but every month I email the file to myself as a backup.

I use 2FA on any accounts that allow it such as Gmail and my own hosted OpenConnect VPN instances. I use the Google Authenticator client for 2FA keys.

Works very well.
I don’t actually know what you said there!

Anyways; I'm more worried about physical security. Still think my house (and all my nice shiny stuff), car and bike enjoy less security than my PH account! This thread has motivated me to have another look at that lot, so thanks!

bladerunner1968

28 posts

140 months

Sunday 26th August 2018
rog007 said:
I don’t actually know what you said there!

Anyways; I'm more worried about physical security. Still think my house (and all my nice shiny stuff), car and bike enjoy less security than my PH account! This thread has motivated me to have another look at that lot, so thanks!
What didn't you understand? Happy to provide more details

deckster

9,630 posts

256 months

Sunday 26th August 2018
anonymous said:
[redacted]
Very simply, because not everybody has the appropriate certificates or the appetite to maintain them securely. It would be a good idea for hosted services like GMail though I agree (if it's not already available, I haven't checked). Also for many people, instant messaging like Facebook or Whatsapp are rapidly replacing email and they already have pretty good security, have more functionality than email, and are far simpler for most people to use.

My opinion really is that the email standards that we currently use are a massively outdated legacy technology that was never intended for the kind of pervasive public adoption that we now have. The proprietary standards (Exchange etc.) are better but will never achieve critical mass so long as they are controlled by a single company that makes you pay for them. Realistically the whole thing needs ripping out and replacing from the ground up, but personally I think as above what will actually happen is that email will continue to dwindle in usage as people move to other technologies organically.

bitchstewie

51,574 posts

211 months

Sunday 26th August 2018
deckster said:
Very simply, because not everybody has the appropriate certificates or the appetite to maintain them securely. It would be a good idea for hosted services like GMail though I agree (if it's not already available, I haven't checked). Also for many people, instant messaging like Facebook or Whatsapp are rapidly replacing email and they already have pretty good security, have more functionality than email, and are far simpler for most people to use.

My opinion really is that the email standards that we currently use are a massively outdated legacy technology that was never intended for the kind of pervasive public adoption that we now have. The proprietary standards (Exchange etc.) are better but will never achieve critical mass so long as they are controlled by a single company that makes you pay for them. Realistically the whole thing needs ripping out and replacing from the ground up, but personally I think as above what will actually happen is that email will continue to dwindle in usage as people move to other technologies organically.
^^

Exactly.

Send 100 people you know a signed email and how many will know what to actually do to check it?

Clockwork Cupcake

74,789 posts

273 months

Sunday 26th August 2018
deckster said:
My opinion really is that the email standards that we currently use are a massively outdated legacy technology that was never intended for the kind of pervasive public adoption that we now have. The proprietary standards (Exchange etc.) are better but will never achieve critical mass so long as they are controlled by a single company that makes you pay for them. Realistically the whole thing needs ripping out and replacing from the ground up, but personally I think as above what will actually happen is that email will continue to dwindle in usage as people move to other technologies organically.
The word "email" itself is a misnomer and creates a false expectation. In the early days, one of the proposed names for the concept was "e-postcard" rather than "e-mail" (yes, it did originally have a hyphen). I think that if that had been adopted instead then people might have a more realistic idea of the (lack of) security and privacy in an email. A postcard has no security and can be read by pretty much anyone in the chain between sender and recipient. And the same is true of an unencrypted email.

Secure email isn't going to happen until the likes of Gmail et al make it pervasive. If I send my mum an email she is not going to have the desire or ability to verify and decode it unless it is done seamlessly and invisibly.

bladerunner1968

28 posts

140 months

Sunday 26th August 2018
anonymous said:
[redacted]
What is your setup/provider etc. for offline backups ?

bladerunner1968

28 posts

140 months

Monday 27th August 2018
anonymous said:
[redacted]
Thanks - will check backblaze out.

Turn7

Original Poster:

23,686 posts

222 months

Saturday 1st September 2018
Interesting reading guys, thanks for the discussion.

I'm looking at either LastPass or 1Password, both paid-for versions - any preferences?

bitchstewie

51,574 posts

211 months

Saturday 1st September 2018
Personally, 1Password.

Not simply functionality, but more the reputation/culture of the team behind it.

hab1966

1,098 posts

213 months

Tuesday 4th September 2018
I'm just having a quick play with the free version of 1Password.

It's on my mobile and also my chromebook.

When I visit one of the websites that I have the password stored in 1Password, I have to type my username in (it's not automatically supplied) and then when I go to the password, I get the option to supply the password from 1Password, but only after I enter the master password.

Is this flow correct, or do I have something set wrong? My master password is long and convoluted, I wasn't expecting to have to enter it each time but I guess you need to prove to 1Password you are the right person for it to supply the login password for the site?

hab1966

1,098 posts

213 months

Tuesday 4th September 2018
Currently it's running on my Samsung S8 and Pixel Chromebook. The Chromebook is as a plug-in. I haven't tried it on a Windows desktop yet.

I've never tried the facial or fingerprint scanner, so am currently stuck with entering the master password.

I'll persevere and see how things go. I have a month to trial it.

I also want to try LastPass. I think they are both (LastPass & 1Password) pretty much the same concept?