Password managers - are they truly secure ?
Discussion
Dunno about 1Password, but I'd assume it's similar to Lastpass, where I can set a time on how long it stays logged in for. So with the browser extension in Chrome I can log in to Lastpass and it will automatically fill in any passwords on sites, or I can even use the links in the Lastpass interface to open the sites in the first place rather than browser favourites. I currently have it set to log me out again after a couple of minutes.
For some sites where I'm not really worried about security (ie forums) I have passwords saved in Chrome, but apparently it stores them in plain text so anyone who gets on to your machine can easily find your passwords in plain text for saved sites, so I really should remove them and stick to Lastpass. This also links back to earlier discussion about using a base password with variations for the site, if you leave your machine unlocked and someone else gets a look at it, they could identify the system pretty quickly.
For some sites where I'm not really worried about security (ie forums) I have passwords saved in Chrome, but apparently it stores them in plain text so anyone who gets on to your machine can easily find your passwords in plain text for saved sites, so I really should remove them and stick to Lastpass. This also links back to earlier discussion about using a base password with variations for the site, if you leave your machine unlocked and someone else gets a look at it, they could identify the system pretty quickly.
TameRacingDriver said:
keith333 said:
I use a password protected Excel spreadsheet. Should I change to using a password manager? I have no idea on how easy an Excel spreadsheet is to hack.
I would change if I was you. Excel files are not particularly difficult to crack but apart from anything else a proper password manager is full of useful functionality which makes it a much better and more useful choice. They can fill in passwords for you, generate random ones and so much more besides. And they're more secure.Also I'm assuming someone theoretically could see your passwords on the screen with an excel file (unless you hide them). Password managers don't do this unless you tell it to.
TartanPaint said:
keith333 said:
I use a password protected Excel spreadsheet. Should I change to using a password manager? I have no idea on how easy an Excel spreadsheet is to hack.
It takes me about 30 seconds to remove Excel password protection. It's not secure at all. Thanks.
TonyRPH said:
Download this *test* spreadsheet, crack it and then mail it back to me at the address contained within the spreadsheet.
Thanks.
I'll be interested if you get an email.Thanks.
We always advise against using Excel/Word password protection mostly because people lose/forget the passwords but my understanding was that Microsoft moved to AES encryption and that actually it was pretty robust.
Keepass stored in Dropbox for me, and I genuinely don't know the password for any of the 200ish accounts stored in that kdbx file as all were auto-generated strong passwords. When I was a consultant we used Keepass and I probably had another 200 accounts in there. The auto type functionality is excellent on a desktop, it's more clunky on my iPhone as I need to copy/paste from the app but I rarely need it on.
I honestly don't understand anyone arguing against their use, but I suspect those people don't fully understand it either, so I'll try not to engage in such debates. But if you choose not to use one, ask yourself if your password is stronger than O.rCI~E5F$L5;D1vo^Uj, a password I just generated in a second.
Actually, I have another downside to this approach - when the installer was setting up my Nest Thermostat it took him a while to connect it to my wifi...
I honestly don't understand anyone arguing against their use, but I suspect those people don't fully understand it either, so I'll try not to engage in such debates. But if you choose not to use one, ask yourself if your password is stronger than O.rCI~E5F$L5;D1vo^Uj, a password I just generated in a second.
Actually, I have another downside to this approach - when the installer was setting up my Nest Thermostat it took him a while to connect it to my wifi...
wiggy001 said:
Actually, I have another downside to this approach - when the installer was setting up my Nest Thermostat it took him a while to connect it to my wifi...
No WPS on Nest?That said, I hate that, my Netflix password for example is relatively simple, I really don't want to enter a 16 character with symbols on several smart tv's and over a dozen devices in total with a remote control.
TonyRPH said:
bhstewie said:
I'll be interested if you get an email.
We always advise against using Excel/Word password protection mostly because people lose/forget the passwords but my understanding was that Microsoft moved to AES encryption and that actually it was pretty robust.
(my bold)We always advise against using Excel/Word password protection mostly because people lose/forget the passwords but my understanding was that Microsoft moved to AES encryption and that actually it was pretty robust.
Users of older versions of Office, or any xls or xlsx files which have not been converted to the latest and greatest version should still beware, but it was definitely not correct of me to say that all Excel spreadsheets can be easily unlocked.
TartanPaint said:
None of the various "10 minutes" methods worked. And a further 10 minutes of Googling for other newer methods turned up nothing. It looks fairly robust. A change to AES would explain this, so i'll stop trying.
Users of older versions of Office, or any xls or xlsx files which have not been converted to the latest and greatest version should still beware, but it was definitely not correct of me to say that all Excel spreadsheets can be easily unlocked.
Excel prior to 2007 was relatively easy to hack, but as you have found, 2007 and later versions are very secure.Users of older versions of Office, or any xls or xlsx files which have not been converted to the latest and greatest version should still beware, but it was definitely not correct of me to say that all Excel spreadsheets can be easily unlocked.
I learned this the hard way, as at a previous job I was given an Excel 2007 spreadsheet to which the password had been forgotten and I too said "yes, I'll hack it in on time..." little did I know!!!
This is interesting:
https://en.wikipedia.org/wiki/Microsoft_Office_pas...
It says there's a difference between overall workbook protection (AES since 2007, as you say Tony), and worksheet protection, which is still quite easy and only really designed to prevent accidental changes, not to provide security.
So, saving a workbook as xlsx and protecting the workbook (NOT the individual worksheet) should be enough.
Or, you know, use a password manager!
https://en.wikipedia.org/wiki/Microsoft_Office_pas...
It says there's a difference between overall workbook protection (AES since 2007, as you say Tony), and worksheet protection, which is still quite easy and only really designed to prevent accidental changes, not to provide security.
So, saving a workbook as xlsx and protecting the workbook (NOT the individual worksheet) should be enough.
Or, you know, use a password manager!
anonymous said:
[redacted]
Thanks - very helpful. I think continuing with the Keychain Access is fine for my use based on this. However, I do get the auto-generating strong passwords option that I can accept or decline. I note the comment about password managers highlighting sites that have had their credentials hacked so I shall be mindful of this in future.
Thanks.
TartanPaint said:
None of the various "10 minutes" methods worked. And a further 10 minutes of Googling for other newer methods turned up nothing. It looks fairly robust. A change to AES would explain this, so i'll stop trying.
Users of older versions of Office, or any xls or xlsx files which have not been converted to the latest and greatest version should still beware, but it was definitely not correct of me to say that all Excel spreadsheets can be easily unlocked.
Yes I thought very similar. Every so often we get asked if we can recover a password and with anything recent we just say forget it.Users of older versions of Office, or any xls or xlsx files which have not been converted to the latest and greatest version should still beware, but it was definitely not correct of me to say that all Excel spreadsheets can be easily unlocked.
10/10 for honesty - expect 5 pages of to and fro
bhstewie said:
TartanPaint said:
None of the various "10 minutes" methods worked. And a further 10 minutes of Googling for other newer methods turned up nothing. It looks fairly robust. A change to AES would explain this, so i'll stop trying.
Users of older versions of Office, or any xls or xlsx files which have not been converted to the latest and greatest version should still beware, but it was definitely not correct of me to say that all Excel spreadsheets can be easily unlocked.
Yes I thought very similar. Every so often we get asked if we can recover a password and with anything recent we just say forget it.Users of older versions of Office, or any xls or xlsx files which have not been converted to the latest and greatest version should still beware, but it was definitely not correct of me to say that all Excel spreadsheets can be easily unlocked.
10/10 for honesty - expect 5 pages of to and fro
We used to offer a service at our firm to crack/remove passwords from office docs, but I have noticed that this 'service' has been withdrawn!
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff