Password Managers

SpeedyTheSnail    876

I've searched Neowin but found nothing.

 

What do you all think about the security of password managers? Is it wise to trust a developer to store your passwords, whether or not you paid for the software? What if the developer has hidden malicious intentions, or is inexperienced in security?

 

Could you all recommend any programs for storing passwords, if so, why? What evidence is there to support your argument? 

 

I ask this because at school some guy who has been in the IT industry uses an app on his phone that integrates with Google Chrome to save his passwords. He raved about it; however, in this day and age I am already wary enough about trusting the website with storing my password and details, let alone allowing a second party to hold my credentials.

 

Just a side note, I would never store my passwords in a plain text document that was encrypted. That would be silly :D.

Xahid    5,089

The easier solution is to just save the passwords in plain text and then encrypt the file with a "Fort"-like encryption program.

+Zagadka    2,225

Not all password managers sync to remote storage. I think that Avast's stores locally encrypted, for example, but any major vendor can be trusted to an extent. I don't use mine (currently using LastPass) for anything sensitive, just to manage the myriad of net passwords that I care about but can survive having compromised (things from forum accounts to Netflix, etc.). This lets you use more unique passwords for each site and prevents all accounts being vulnerable (provided your master pass is safe, of course). I think I have around 40 sites stored, most of which I rarely use and could never remember passwords for effectively without sharing them between sites too much. For critically important sites, such as banks and places that can charge you (Amazon, email accounts, etc.), I'd recommend keeping the passwords in your head.

+BudMan    3,032

I use LastPass, and have been using it for years. I store my bank passwords in there; I have that much trust in them. There is also the 2FA part: even if someone got the password to my LastPass account they would still need to beat the 2FA, etc.

 

I currently have 255 sites in my LastPass, plus other notes and such in there for info that isn't website logins.

Malisk    141

I use 1Password. I haven't heard of a breach yet and think it's better for your personal security than especially sharing passwords out of convenience.

+Danielx64    575
11 minutes ago, BudMan said:

I use LastPass, and have been using it for years. I store my bank passwords in there; I have that much trust in them. There is also the 2FA part: even if someone got the password to my LastPass account they would still need to beat the 2FA, etc.

 

I currently have 255 sites in my LastPass, plus other notes and such in there for info that isn't website logins.

BudMan, what would you say about sticky passwords?

+BudMan    3,032

Sticky passwords? Until you mentioned it I had never heard of them.

 

Taking a look at their website: $30 a year to be able to sync your passwords. LastPass is FREE ;) I have Premium for $12 a year.

 

I don't see anything there that would tempt me to switch, that is for sure.

Premgenius    26

I use Dashlane because I got a good discount; otherwise I would have chosen LastPass. Dashlane syncs to all my devices and is further protected by 2FA. Apart from 100+ passwords it has a digital wallet and secure notes, and some of the passwords are shared with family members for family accounts; they get either Limited (view only) or Full (view and edit) permissions on these shared passwords through their own individual accounts.

thisdude    23
11 hours ago, BudMan said:

I use LastPass, and have been using it for years. I store my bank passwords in there; I have that much trust in them. There is also the 2FA part: even if someone got the password to my LastPass account they would still need to beat the 2FA, etc.

 

I currently have 255 sites in my LastPass, plus other notes and such in there for info that isn't website logins.

I have been using LastPass for over 2 years now and LOVE IT! I always recommend it to family and friends. Like BudMan pointed out, they have great security. There have been a couple of attacks on their sites in their time; however, they took the proper precautions in how they set up their servers, so nothing important was accessed.

 

You can Google the Security Now! podcast with Leo Laporte and Steve Gibson; they've had the owner on several times to talk about the attacks and LastPass software and security. If Steve Gibson gives them the thumbs up, I trust his recommendations.

Boo Berry    2,264

LastPass is the best one I've found in regards to actual services. For self-hosting, I'd go KeePass.

Anibal P    2,036

I've been using Enpass on my Windows PC and Android phone, with the encrypted DB on my Dropbox account.

Best of both worlds, and no need to worry about the devs getting hacked.

+warwagon    10,435
13 hours ago, BudMan said:

I use LastPass, and have been using it for years. I store my bank passwords in there; I have that much trust in them. There is also the 2FA part: even if someone got the password to my LastPass account they would still need to beat the 2FA, etc.

 

I currently have 255 sites in my LastPass, plus other notes and such in there for info that isn't website logins.

 

486 passwords here! :D

+BudMan    3,032
13 hours ago, LoboVerde said:

If Steve Gibson gives them the thumbs up I trust his recommendations.

Yeah, let's be clear: I do not have the same feelings for that quack... He is a "sky is falling" poseur. Glad you enjoy his podcasts, etc., but mostly he loves to spread FUD and panic.

 

http://attrition.org/errata/charlatan/steve_gibson/

InsaneNutter    1,003

I use 1Password and sync the data using Dropbox, I don't really want to store all my data on 1Password's new cloud service, so Dropbox is ideal and the 1Password mobile app can read data from Dropbox too.

 

1Password encrypts the data, my Dropbox uses two-factor authentication, and I'm still in full control of the data, meaning I can make an offline copy and store it on an encrypted USB drive. That's good enough for me.

Lamp0    558

I have been meaning to give LastPass a go. Though I find I can remember my passwords fine for the most part, and I like the notion that I actually know them.

cork1958    1,180

Personally, I have never and will never use a password manager! Wouldn't trust one in a million years!! I simply remember my passwords, although I do have them stored secretly.

Mindovermaster    1,221

I use LastPass, I also keep a paper with all my passwords. So, if LastPass has issues, I have another source.

thisdude    23
9 hours ago, BudMan said:

Yeah, let's be clear: I do not have the same feelings for that quack... He is a "sky is falling" poseur. Glad you enjoy his podcasts, etc., but mostly he loves to spread FUD and panic.

 

http://attrition.org/errata/charlatan/steve_gibson/

Hm, interesting. I'm going to have to check the validity of what this page is claiming. But I will say I doubt he'd try to pretend to be a "sky is falling" person; that doesn't even make sense.

 

Do you know whose website that is? http://attrition.org

+BudMan    3,032

Do some research on that nut job... He has called out so many "sky is falling" issues for years and years, trying to call attention to himself. Raw sockets were going to kill the internet ;)

 

http://www.theregister.co.uk/2001/06/25/steve_gibson_really_is_off/

 

Here is a quote of his:

"When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before."

 

While he can make things easy for the lay person to understand sometimes, he is like Chicken Little and loves to cry wolf!!

+mram    155

I use LastPass. Highly recommend. 2-factor everything possible though, and be smart.

 

I have 150+ sites in my LastPass vault, all with unique passwords. If you don't have unique passwords for each site, you do run risks, so password managers are a must.

 

I don't understand the lack of trust in password managers. I think the risks of password management outweigh the risks of compromised sites. For example, let's say you have an account at "Joe's Company". If "Joe's Company" ever got hacked, any data about you is compromised, and everywhere else where you have the same user/pass is also potentially compromised. Additionally, you'll never really know if "Joe's Company" was ever compromised. It could be years... look at Yahoo, for example. So if you want to truly be secure you need a different user/pass for every site you ever visit, and unless you come up with a weird "system" for everything, you might as well apply the KISS principle under the guidance of a password manager.

 

Companies like LastPass make it their business to do this. They consistently invite people to try to hack them. They iterate constantly on their security. It's documented and trackable. They have had a breach in the past, and responded appropriately: fixed the symptom, stated there was no disclosure of user data and notified the public. That speaks volumes to me. (I'm just saying: it's OK to be paranoid, but there should be reasonable limits to paranoia. Everyone gets hacked, but what is the real risk of this? How is it handled? This kind of stuff differentiates real security companies from ones just going through the motions. I can reference cases where security issues were pointed out to LastPass and there were patches within 24 hours!)

 

I have tried 1Password, and while I did like it, it was less cloud friendly. And honestly, LastPass is cheaper, if not outright free.

Anibal P    2,036
10 minutes ago, mram said:

I use LastPass. Highly recommend. 2-factor everything possible though, and be smart.

 

I have 150+ sites in my LastPass vault, all with unique passwords. If you don't have unique passwords for each site, you do run risks, so password managers are a must.

 

I don't understand the lack of trust in password managers. I think the risks of password management outweigh the risks of compromised sites. For example, let's say you have an account at "Joe's Company". If "Joe's Company" ever got hacked, any data about you is compromised, and everywhere else where you have the same user/pass is also potentially compromised. Additionally, you'll never really know if "Joe's Company" was ever compromised. It could be years... look at Yahoo, for example. So if you want to truly be secure you need a different user/pass for every site you ever visit, and unless you come up with a weird "system" for everything, you might as well apply the KISS principle under the guidance of a password manager.

 

Companies like LastPass make it their business to do this. They consistently invite people to try to hack them. They iterate constantly on their security. It's documented and trackable. They have had a breach in the past, and responded appropriately: fixed the symptom, stated there was no disclosure of user data and notified the public. That speaks volumes to me. (I'm just saying: it's OK to be paranoid, but there should be reasonable limits to paranoia. Everyone gets hacked, but what is the real risk of this? How is it handled? This kind of stuff differentiates real security companies from ones just going through the motions. I can reference cases where security issues were pointed out to LastPass and there were patches within 24 hours!)

 

I have tried 1Password, and while I did like it, it was less cloud friendly. And honestly, LastPass is cheaper, if not outright free.

 

A certain subset of people here actually believe they are smarter than the rest of us and that they can memorize 100+ "unique" passwords.

Of course all it takes is to crack the code for one and you have them all, but remember, they are smarter and better than the rest of us.

SpeedyTheSnail    876

Everybody here seems to speak about LastPass (well, okay, not everybody, but the majority).


I have a terrible memory, maybe because I don't get enough sleep. I'm going to look up a few of these tomorrow.

 

One of the things I was talking with one of my neighbors about was cloud storage being inherently unsafe, or rather, that you should expect no privacy. Of course if somebody were to snoop around your house they may have a better chance of getting your password than if you used a password manager to store it (if you wrote the password down, that is). Nobody can read your mind (yet).

+mram    155
25 minutes ago, SpeedyTheSnail said:

One of the things I was talking with one of my neighbors about was cloud storage being inherently unsafe, or rather, that you should expect no privacy. Of course if somebody were to snoop around your house they may have a better chance of getting your password than if you used a password manager to store it (if you wrote the password down, that is). Nobody can read your mind (yet).

Sure, that's a fair argument. But understand that virtually everything is going to the cloud, in general; cloud-based computing is everywhere.

 

The issue isn't so much whether your data is accessible by "bad guys"; it's whether they can do anything with it IF they get it. Encryption is a great thing. Think of it like burying a safe somewhere hidden. Sure, you might find it, but then you have to open it. And then when you get in there you will have to translate it. And decode it. And understand it.

 

And also understand that LastPass (like most reputable vendors, I understand) does not keep a "master key", for many varied reasons. I work in IT and I can tell you with reasonable assurance that most companies involved in this stuff really don't want this access, as insidious as you might think they would be. You're just not legally allowed to refuse access and still have a "back door"... it's either legally allowable, or you can create a self-securing solution by simply not having the "master key" at all.

 

So having said that, assume the hypothetical worst case: data is (again, hypothetically) stolen from LastPass, they never knew about it, and you never found out. It would take the bad guys a long time, like years if even possible**, to decrypt your specific blobs of data to get your passwords. If you were following good security practices, you would've cycled your passwords anyway by then and there's really no issue.

 

In short, that's a heck of a lot of "ifs" and a whole lot of reasons to have faith, especially given that encryption is just getting better and better. Encrypted cloud data is generally safe, as long as you're not bad about it. LastPass even gives you good tools to change passwords automatically; it checks environments for you, alerts for changes, etc. I'm not trying to push LastPass so much as provide general awareness that cloud computing is generally safe, but one should always investigate what is being utilized for protection, how they have reacted to attempts, what resilience they have had to attacks, what bug checks have been done against them, etc.

 

** Brute-force decryption of an AES-256 key is damn near impossible by modern standards. Of course computers get better, but so will encryption, so I expect by the time one could reasonably move the brute-force decryption of an AES-256 key down to mere decades of supercomputer work, we would have moved to AES-512 or whatever. In a nutshell, "never say never", but the idea that someone could randomly decrypt an AES-256 encrypted blob of data is pretty much impossible by modern standards. But even for the sake of argument, I'm assuming it is possible... so I must have a screw loose.

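The two mram posts above (unique per-site passwords instead of a memorized "system", and the "no master key" design in which only the client can decrypt a stolen vault blob) and Xahid's "encrypt a plain-text file" suggestion can all be shown with one small model. The code below is an added illustration, not LastPass's, 1Password's or any poster's code. It assumes a client that stretches the master password with PBKDF2 and splits the result into a vault key that never leaves the device and an auth key whose hash is all the server stores. An HMAC-SHA256 counter-mode keystream is used in place of AES-256 because the Python standard library has no AES; the key-separation and offline-guessing arguments are the same. The iteration count, salt length and the sample vault entries are constructed for the example.

```python
"""Toy model of a "no master key" password-manager vault (added illustration).

Not code from LastPass, 1Password or anyone in this thread.  HMAC-SHA256 in
counter mode stands in for AES-256, which the standard library lacks.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Iterable, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the master password with PBKDF2 and split it into (vault_key, auth_key).

    vault_key never leaves the client; auth_key is what the client presents to
    log in, and the server keeps only a hash of it.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return stretched[:32], stretched[32:]


def server_verifier(auth_key: bytes) -> bytes:
    """The only password-derived value the server stores; it is not the vault key."""
    return hashlib.sha256(b"auth-verifier" + auth_key).digest()


def _subkey(vault_key: bytes, purpose: bytes) -> bytes:
    # Separate keys for keystream and MAC so the two HMAC input domains never overlap.
    return hmac.new(vault_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def random_site_password(length: int = 20) -> str:
    """A unique random per-site password; the vault remembers it so you do not have to."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def offline_guess(blob: bytes, salt: bytes, iterations: int, candidates: Iterable[str]) -> Optional[str]:
    """What a thief does with a stolen blob and salt: try master passwords offline.

    Every guess costs a full PBKDF2 run, so the master password's strength and the
    iteration count are the only things between the thief and the vault.
    """
    for guess in candidates:
        vault_key, _ = derive_keys(guess, salt, iterations)
        if decrypt_vault(vault_key, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    vault_key, auth_key = derive_keys("correct horse battery staple", salt, 600_000)
    # Constructed sample vault: three sites, each with its own random password.
    vault = "\n".join(f"{site}: {random_site_password()}" for site in ("forum", "netflix", "bank")).encode()
    blob = encrypt_vault(vault_key, vault)
    # Everything the server holds; none of it yields vault_key without the master password.
    server_side = {"verifier": server_verifier(auth_key), "salt": salt, "blob": blob}
    print(decrypt_vault(vault_key, server_side["blob"]).decode())
```

The point of `offline_guess` is the caveat to the "years, if even possible" estimate: nobody brute-forces the 256-bit key itself, they brute-force the master password that produces it, so a stolen blob protected by a dictionary word falls in seconds regardless of the cipher. A long random master password plus a high iteration count is what actually buys the time to rotate.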
Nerd Rage    317

I've tried most of them, used Roboform for years, but switched to Dashlane a couple of years back. Much cleaner and more user-friendly UI. Not without its issues, but it's the best one I've tried, IMO.

T3X4S    4,529
On 2/11/2017 at 6:22 AM, BudMan said:

Sticky passwords? Until you mentioned it I had never heard of them.

 

Taking a look at their website: $30 a year to be able to sync your passwords. LastPass is FREE ;) I have Premium for $12 a year.

 

I don't see anything there that would tempt me to switch, that is for sure.

I paid for the Premium as well. A nice little Chrome add-on, and my password sync travels across all of my devices.

Why even consider some no-name password manager from some company you never heard of, where you are considering the possibility of "... if the developer has hidden malicious intentions, or is inexperienced in security..."?

LastPass will do what you need, is well known, and has multifactor authentication.
