[NA]Password managers

Let'sgoflying!

Let'sgoflying!

Touchdown! Greaser!
Joined
Feb 23, 2005
Messages
20,771
Location
west Texas
Display Name
Display name:
Dave Taylor
It's time. Small biz use and personal use.

Who is good now?

Price is important but ease of use is even more so.

When I start using one of these, will the first 2 weeks be hell while I tell it all my site passwords? Or does it automatically pull those somehow?

I found this thread from 8 mo ago.
 
I used to use 1Password but switched a couple of years ago to Keeper. Can't remember why. Both work. It won't be hell putting your username/password in whichever vault you choose. I'd characterize it more as tedious and mildly aggravating. Second @Piperonca suggestion on plain language. I use a slightly modified approach to what you see in the XKCD strip.
 
For small business bank accounts, you really need to be using 2 factor authentication. I know that's separate to the password issue. Last I knew, FDIC protection does not apply to commercial accounts.
 
I used to use 1password, but switched to lastpass when I moved away from apple.
I like lastpass, but I haven't shopped this topic lately so I don't know what's considered the best these days....
 
Bitwarden paid version, with Yubikey as "something you have" to protect your password manager, and for 2 Factor Authorization on whatever individual accounts allow it.
 
I used to shy away from password managers, but now all of my important accounts have multi-factor security (mostly a phone ping) so I may start using one.
 
I use 1Password. Got sick of keeping lists.
 
Piperonca said:
1Password. Works very well for me. Also consider plain language pass-phrases: https://xkcd.com/936/
Click to expand...
It would be great if so many sites/systems didn’t actively prevent it. Nearly all require the inclusion of numbers and special characters (which I don’t object to), and many will reject passwords that contain plaintext words no matter what else you have in them.
 
I dumped Lastpass after about 5 years when the got sold to LogMeIn, raised prices, were less supportive, and had buggy releases. Settled on Keeper after trying others. Dashlane is quite good, but very expensive. None are perfect, and none can auto fill/auto save all logins because some website and app designers do different things and the password managers can't identify which field is which.

That said, I wouldn't try to go without a PM these days.
 
DaleB said:
It would be great if so many sites/systems didn’t actively prevent it. Nearly all require the inclusion of numbers and special characters (which I don’t object to), and many will reject passwords that contain plaintext words no matter what else you have in them.
Click to expand...
I have my own easy to remember mental algorithm to satisfy those, ranging from brief to lengthy, depending on the criticality of the site. Sometimes use Dr. Seuss words or make up new ones not in any dictionary. Length is good. What can be aggravating is that some will not let you use blank spaces either. And will limit the number of characters to eight or ten, for example.

One thing I like about 1Password is that its main password can be a pass-phrase. Love that. And I have never written mine down.

Last but not least, there's Travel Mode: https://support.1password.com/travel-mode/
 
c177tx said:
I use 3m post it notes, and post them around my display screen
Click to expand...
That might work if the only place you need to sign in is on one computer. What do you do about accounts on your phone, tablet, etc.?
 
Albany Tom said:
FDIC protection does not apply to commercial accounts.
Click to expand...

The purpose of FDIC protection is prevent bank runs, so it shouldn't matter what type of account (investment banking excluded, which is quite different from deposit & loan banking).
 
I think it would be a disaster if an online password manager was hacked. No siree Bob for the Sac.
 
I use an Exel spread sheet. I try to keep the passwords close to the same but every account asks for something a little different.
 
Piperonca said:
To each his own. https://blog.1password.com/what-if-1password-gets-hacked/
Click to expand...

Good God, did you understand all that? I don't claim superior intellect but 'Master Password (MP) of 4 words, from a Password Generator which only happens on your device' is somehow protected from hacking (ie no one can ever access your computer?) has me stumped.
"The MP is the only thing you need to remember" but then it immediately tells of the Secret Key(SK) you will need. Somehow this is also produced only on your device and it immune to hacking.
And I presume to access your password-associated data, you need to submit the MP or SK online (how else can they free up your info) but it will be secure from theft, even if you do so.

"1Password uses industry-standard 256-bit AES encryption, derived from your Master Password and Secret Key along with a random number generator."

I have no idea what this means. Sounds like a third password if it is generating something from the MP and SC and the "RNG" noted. Impossibly confusing.

It does sound like you would need to enter two huge passwords (the MP and SK) every time in order to access your websites if you use 1Password, no? (why/how not?)
 
Negatory...I confess to not understanding much of it myself. I do some reading on the subject to try, but with limited success. All I know is the automatic transmission works on my truck, and user reports say brand L is better than brand H. I can drive a stick, too, but those aren't commonly sold anymore.

I have my iPhone set with with face ID to allow me to cut/paste a different password generated on the phone. I tap that and see my passwords. No entry involved, just a couple keystrokes. Auto handier than the stick.

All I can recommend is the free trial. I went through Keepass, Keeper, and a few others to eventually stop at 1Password. YMMV.

Edit: They have good user support, and could probably explain the methodology much better than me.
 
Last edited:
Everskyward said:
That might work if the only place you need to sign in is on one computer. What do you do about accounts on your phone, tablet, etc.?
Click to expand...
Put a screenshot of your passwords on your lock screen. Don't forget to include your lock screen passcode, though.
 
Let'sgoflying! said:
Good God, did you understand all that? I don't claim superior intellect but 'Master Password (MP) of 4 words, from a Password Generator which only happens on your device' is somehow protected from hacking (ie no one can ever access your computer?) has me stumped.
"The MP is the only thing you need to remember" but then it immediately tells of the Secret Key(SK) you will need. Somehow this is also produced only on your device and it immune to hacking.
And I presume to access your password-associated data, you need to submit the MP or SK online (how else can they free up your info) but it will be secure from theft, even if you do so.

"1Password uses industry-standard 256-bit AES encryption, derived from your Master Password and Secret Key along with a random number generator."

I have no idea what this means. Sounds like a third password if it is generating something from the MP and SC and the "RNG" noted. Impossibly confusing.

It does sound like you would need to enter two huge passwords (the MP and SK) every time in order to access your websites if you use 1Password, no? (why/how not?)
Click to expand...

Your master password is all you have to remember. That is combined with the secret key (which you don't need to know, it's stored on your devices) and a random number generator to generate a 256-bit code. That code is what's sent across the internet and what's stored on their server along with your encrypted data. This prevents somebody from intercepting your data along the way and seeing your password. So an attacker would need to have access to one of your devices to get the secret key and they would need to get or guess your master password.

The reason (or at least a couple reasons) for a long, unique password is to protect against "dictionary" or "brute force" attacks. A dictionary attack is where the attacker's computer system goes through a "dictionary", which could include a database of previously hacked passwords, and tries each word as the password. That's why commonly substituted letters/numbers are ineffective here. For example, they would build their list to substitute zero for letter o/O in every word when they build their dictionary. A brute force attack is similar, except it uses every combination of characters from all alphabets. In a brute force attack, each character increases the difficulty of cracking the password exponentially.

Disclaimer: I have some web development experience and have read up on security/encryption, but I'm not a security expert.
 
asicer said:
Put a screenshot of your passwords on your lock screen. Don't forget to include your lock screen passcode, though.
Click to expand...
I have way too many passwords for that. 1Password is so much easier.
 
Let'sgoflying! said:
Good God, did you understand all that? I don't claim superior intellect but 'Master Password (MP) of 4 words, from a Password Generator which only happens on your device' is somehow protected from hacking (ie no one can ever access your computer?) has me stumped.
"The MP is the only thing you need to remember" but then it immediately tells of the Secret Key(SK) you will need. Somehow this is also produced only on your device and it immune to hacking.
And I presume to access your password-associated data, you need to submit the MP or SK online (how else can they free up your info) but it will be secure from theft, even if you do so.

"1Password uses industry-standard 256-bit AES encryption, derived from your Master Password and Secret Key along with a random number generator."

I have no idea what this means. Sounds like a third password if it is generating something from the MP and SC and the "RNG" noted. Impossibly confusing.

It does sound like you would need to enter two huge passwords (the MP and SK) every time in order to access your websites if you use 1Password, no? (why/how not?)
Click to expand...
You only need to know your Master Password. It will fill in the site password (or you can use copy/paste). If you log in to 1PW using the Master Password, you can find the secret key. I think I have only used the secret key in order to set up the app on other devices. It's not that complicated to use. You also don't *need* to use it to log in to your sites. If you remember the password for the site, you can type it in yourself.
 
Everskyward said:
You only need to know your Master Password. It will fill in the site password (or you can use copy/paste).
Click to expand...
To save time I allow 1PW to autofill the master password with facial recognition, so two taps and I'm in, as described earlier. From there I can copy/pasta or just enter a password on the site where it's needed once my memory is temporarily refreshed. 1PW will do much more, but I want to keep the whole thing simple.
 
dmspilot said:
The purpose of FDIC protection is prevent bank runs, so it shouldn't matter what type of account (investment banking excluded, which is quite different from deposit & loan banking).
Click to expand...

FDIC does a couple of things, one as you mentioned is to protect consumers from bank failure, and that's specifically what the insurance does. But another thing they do is create federal banking regulations as part of their oversight function. Those regulations force banks to hold consumers harmless from a variety of bad activities, including unauthorized electronic funds transfers. Quite a few years ago, a school district in this area had fraudulent activity occur on one of their bank deposit accounts. The ruling at the time was that the bank was NOT liable to reimburse the school district for that activity, because the account was government, not consumer. NY senator or congressman Schumer at the time promised to try have FDIC change those regulations to protect businesses and governments as well as individuals. No idea if that has been done. The advice at the time was to ensure that any corporate accounts had a block on any foreign funds transfers, and that businesses use corporate credit, rather than debit cards, issued with banks that would provide their company with fraud protection. Unlike with consumer accounts, it was not a given that you'd have it.

I'm a computer guy, not banking guy, but a starter to FDIC's interpretation of their regs is here: https://www.fdic.gov/regulations/laws/rules/6500-580.html

It reads worse than FAA docs, in terms of clarity.
 
I just got 1Password. (I didn't. Probably this week. But for learning purposes...)

Now I want to log on to...mmm POA.
Right now, my devices all remember my PWs and I don't have to actually log in, POA pops to the unread messages.
So, what is the new process going to be? What steps, how many steps.

What is the shortest MP I can have?
 
Let'sgoflying! said:
I just got 1Password. (I didn't. Probably this week. But for learning purposes...)

Now I want to log on to...mmm POA.
Right now, my devices all remember my PWs and I don't have to actually log in, POA pops to the unread messages.
So, what is the new process going to be? What steps, how many steps.

What is the shortest MP I can have?
Click to expand...
If your device automatically logs in to POA, etc, it still will. 1PW will offer to save it, but you really only need it if you log out, change browsers, or computers, so that the automatic log in fails.
 
c177tx said:
I use 3m post it notes, and post them around my display screen
Click to expand...
That's what my boss used to do. But some evil individual taught him a lesson.
I have no idea who that evil individual was.
 
c177tx said:
I use 3m post it notes, and post them around my display screen
Click to expand...
Reminds me of my first computer…

Eventually I had to replace the monitor because couldn’t see the word processing screen through all the white out.
 
it's been too long for me to comment about 1password's current functions
but I can comment about LastPass as a parallel....
your browser would continue to remember the password as it does now
but the option that's considered to be better practice is to have your browser forget the password (well and probably even change it since the one remembered is not secure...)
then
the browser has a lastpass extension running
and when you use it to fill the passwords for the web site, it will relate the password to that web site URL. This is all done within the encrypted password manager....
Then the next time you open that URL, lastpass, assuming you have it unlocked using your mater password, will autofill user name and password.
You can even use tools to generate new passwords, fill in forms such as "me"...it'll fill in typical forms such as name, address, phone number, etc...
and you can store a payment card to autofill payments when you buy stuff.
Occasionally, a web site is formatted in an odd way and the autofill might fill the username but not the password automatically, for example. In that case you can simply click on the extension and there's a tool to copy the password for that site.... you don't actually even see the password unless you want to...then you an manually paste it in....

Same thing when you use your phone...or another computer...it's nearly seamless. Really works well
 
I still use KeePass. I guess I’m happy with it. It works. Any reason I shouldn’t trust it?
 
When I was searching for my first password manager (way later than I should have) there was an article discussing the freebies vs the pay for service choices and I became convinced I was better off paying. I didn’t save the article otherwise I’d note it here. After many years of keeping a master sheet printed somewhere or reading off my “notes” for passwords I finally gave in. Couldn’t be happier and after reading how the whole system works (Keeper) I think it’s safe enough.
 
I'm a software engineer and a security researcher by trade. I use 1password. They have published papers about how their application works and I can assure you, as a professional who does this for a living, that it is extremely secure.
If any of you are interested in details regarding implementation or why/how it's secure feel free to ask.

One bonus points about 1password is that they allow password sharing, this is important for me since me and my wife share password for some sites (such as bank, credit card, amazon etc) and from what I tried, other password managers either do not support it or do it poorly.
Migrating to a password manager may sound like a hassle but once you set it up you kinda forget it's there since it effectively logs you in for all websites.
 
Lastpass shares very well. Even has a family package option.
A while back when I switched from 1password, that one was more in line with apple, while lastpass was more android/PC oriented....or at least that was my understanding. I don't know if that's still the case. Functionally they seem to be very similar.
 
AKBill said:
I use an Exel spread sheet. I try to keep the passwords close to the same but every account asks for something a little different.
Click to expand...

This is definitely not a good approach. Something I used to do, btw.
First, it opens you up for "I got one password, it's easy to get others" - today's computers can pretty quickly cycle through "little different"
Excel sheet itself is very unsecured even if pw protected. Someone gets your computer or gets into it and it becomes a problem. Including a simple fact that you lose access to your excel
Doesn't work well if you are using mobile away from your excel or have no access to your computer.

PW manager is pretty much a must these days. Not only for security, but for convenience. I use LastPass(paid) Family. Works pretty well. They have been hacked in the past few years, yet no pwds have been compromised as far as I know.

Honestly, if you torture me, i couldn't tell you more than a few passwords out of hundreds accounts. Apple, LastPass, Windows, and a few others that I have to use constantly.
 
You must log in or register to reply here.
Back
Top