Gone Posted February 11, 2017 Share Posted February 11, 2017 I've searched Neowin but found nothing. What do you all think about the security of password managers? Is it wise to trust a developer to store your passwords, whether or not you paid for the software? What if the developer has hidden malicious intentions, or is inexperienced in security. Could you all recommend any programs for storing passwords, if so, why? What evidence is there to support your argument? I ask this because at school some guy who has been in the IT industry uses an app on his phone that integrates with Google Chrome, to save his passwords. He raved about it, however in this day an age I am already weary enough to trust the website with storing my password and details, let alone allow a second party to hold my credentials. Just a side note, I would never store my passwords in a plain text document that was encrypted. That would be silly :D. Link to comment Share on other sites More sharing options...
Xahid Posted February 11, 2017 Share Posted February 11, 2017 The easier solution is just save the password in plain text and then encrypt it with "Fort" like encryption programs. Link to comment Share on other sites More sharing options...
+Zagadka Subscriber² Posted February 11, 2017 Subscriber² Share Posted February 11, 2017 Not all password managers sync to remote storage. I think that Avast's stores locally encrypted, for example, but any major vendor can be trusted to an extent. I don't use mine (currently using LastPass) for anything sensitive, just to manage the myriad of net passwords that I care about but can survive having compromised (things from forum accounts to Netflix etc). This lets you use more unique passwords for each site and prevents all accounts being vulnerable (provided your master pass is safe, of course). I think I have around 40 sites stored, most of which I rarely use and could never remember passwords for effectively without sharing them between sites too much. For critical important sites, such as banks and places that can be charged (Amazon, email accounts, etc) I'd recommend keeping the passwords in your head. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 11, 2017 MVC Share Posted February 11, 2017 I use lastpass, and have been using it for years. I store my bank passwords in there I have that much trust in them. There is also the 2Fa part that even if someone got the password from lastpass account they would still need to beat the 2fa, etc.. I currently have 255 sites in my lastpass, Plus other notes and such in there for info that are not website logins.. thisdude, Danielx64, xendrome and 1 other 4 Share Link to comment Share on other sites More sharing options...
Malisk Posted February 11, 2017 Share Posted February 11, 2017 I use 1Password. I haven't heard of a breach yet and think it's better for your personal security than especially sharing passwords out of convenience. pqt 1 Share Link to comment Share on other sites More sharing options...
Danielx64 Posted February 11, 2017 Share Posted February 11, 2017 11 minutes ago, BudMan said: I use lastpass, and have been using it for years. I store my bank passwords in there I have that much trust in them. There is also the 2Fa part that even if someone got the password from lastpass account they would still need to beat the 2fa, etc.. I currently have 255 sites in my lastpass, Plus other notes and such in there for info that are not website logins.. BudMan, what would you say about sticky passwords? Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 11, 2017 MVC Share Posted February 11, 2017 sticky passwords? Until you mentioned it have never heard of them. Taking a look at their website - 30$ a year to be able to sync your passwords.. lastpass is FREE I have premium for $12 a year.. I don't see anything there that would tempt me to switch that is for sure.. Link to comment Share on other sites More sharing options...
Premgenius Posted February 11, 2017 Share Posted February 11, 2017 I use Dashlane because I got a good discount otherwise would have chosen LastPass. Dashlane syncs into all my devices and is further protected by 2FA. Apart from 100+ passwords it has a digital wallet and secure notes and some of the passwords are shared with family members for family accounts and allows them to have either Limited (view only) or Full (View and Edit) permissions to these shared passwords through their own individual accounts. Nerd Rage 1 Share Link to comment Share on other sites More sharing options...
thisdude Posted February 11, 2017 Share Posted February 11, 2017 11 hours ago, BudMan said: I use lastpass, and have been using it for years. I store my bank passwords in there I have that much trust in them. There is also the 2Fa part that even if someone got the password from lastpass account they would still need to beat the 2fa, etc.. I currently have 255 sites in my lastpass, Plus other notes and such in there for info that are not website logins.. I have been using Lastpass for over 2 years now and LOVE IT! I always recommend it to family and friends. Like Budman pointed out they have great security. There's been a couple attacks on their sites in their time however they took the proper precaustions in how they set up their servers that nothing important was accessed. You can Google the Security Now! podcast with Leo Laporte and Steve Gibson and they've had the owner on several times to talk about the attacks and Lastpass software and security. If Steve Gibson gives them the thumbs up I trust his recommendations. +Warwagon 1 Share Link to comment Share on other sites More sharing options...
Boo Berry Posted February 11, 2017 Share Posted February 11, 2017 LastPass is the best one I've found in regards to actual services. For self-hosting, I'd go KeePass. xendrome 1 Share Link to comment Share on other sites More sharing options...
Anibal P Posted February 12, 2017 Share Posted February 12, 2017 I've been using Enpass on my windows PC and Android phone, encrypted DB on my Dropbox account Best of both worlds and no need to worry about the devs getting hacked Link to comment Share on other sites More sharing options...
+Warwagon MVC Posted February 12, 2017 MVC Share Posted February 12, 2017 13 hours ago, BudMan said: I use lastpass, and have been using it for years. I store my bank passwords in there I have that much trust in them. There is also the 2Fa part that even if someone got the password from lastpass account they would still need to beat the 2fa, etc.. I currently have 255 sites in my lastpass, Plus other notes and such in there for info that are not website logins.. 486 passwords here! Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 12, 2017 MVC Share Posted February 12, 2017 13 hours ago, LoboVerde said: If Steve Gibson gives them the thumbs up I trust his recommendations. Yeah lets be clear - I do not have the same feelings for that quack... He is a sky is falling poseur.. Glad you enjoy his podcasts, etc. But mostly his loves to spread FUD and Panic.. http://attrition.org/errata/charlatan/steve_gibson/ Link to comment Share on other sites More sharing options...
+InsaneNutter MVC Posted February 12, 2017 MVC Share Posted February 12, 2017 I use 1Password and sync the data using Dropbox, I don't really want to store all my data on 1Password's new cloud service, so Dropbox is ideal and the 1Password mobile app can read data from Dropbox too. 1Password encrypts the data, my Dropbox used 2 factor authentication and i'm still in full control of the data, meaning i can make an offline copy and store it on an encrypted USB drive. That's good enough for me. AStaUK 1 Share Link to comment Share on other sites More sharing options...
Lamp0 Posted February 12, 2017 Share Posted February 12, 2017 I have been meaning to give LastPass a go. Though I find I can remember my passwords fine for the most part & like the notion that I actually know them. Link to comment Share on other sites More sharing options...
cork1958 Posted February 12, 2017 Share Posted February 12, 2017 Personally, have never and will never use a password manager! Wouldn't trust one in a million years!! I simply remember my passwords although I do have them stored secretly. Link to comment Share on other sites More sharing options...
Mindovermaster Moderator Posted February 12, 2017 Moderator Share Posted February 12, 2017 I use LastPass, I also keep a paper with all my passwords. So, if LastPass has issues, I have another source. Link to comment Share on other sites More sharing options...
thisdude Posted February 12, 2017 Share Posted February 12, 2017 9 hours ago, BudMan said: Yeah lets be clear - I do not have the same feelings for that quack... He is a sky is falling poseur.. Glad you enjoy his podcasts, etc. But mostly his loves to spread FUD and Panic.. http://attrition.org/errata/charlatan/steve_gibson/ Hm, interesting. I'm going to have to check the validity of what this page is claiming. But I will say I doubt he'd try to pretend to be a "sky is falling" person that doesn't even make sense. Do you know who's website that is? http://attrition.org Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 13, 2017 MVC Share Posted February 13, 2017 Do some research on that nut job... He has called so many the "sky is falling" issues out for years and years trying to call attention to himself. Raw Sockets was going to kill the internet http://www.theregister.co.uk/2001/06/25/steve_gibson_really_is_off/ Here is a quote of his.. "When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before." While he can make things easy for the lay person to understand sometimes - he is like chicken little, and loves to cry wolf!! Link to comment Share on other sites More sharing options...
+mram Subscriber² Posted February 13, 2017 Subscriber² Share Posted February 13, 2017 I use Lastpass. Highly recommend. 2-factor everything possible though, and be smart. I have 150+ sites in my Lastpass vault, all with unique passwords. If you don't have unique passwords for each site, you do run risks, so password managers are a must. I don't understand the lack of trust in password managers. I think the risks of password management outweigh the risks of compromised sites. For example, lets say you have an account at "Joe's Company". If "Joe's Company" ever got hacked, any data about you is compromised, and everywhere else where you have the same user/pass is also potentially compromised. Additionally you'll never really know if "Joe's Company" was ever compromised. It could be years ... look at Yahoo for example. So if you want to truly be secure you need different user/pass for every site you ever visit and unless you come up with a weird "system" for everything, you might as well KISS principle the thing under the guidance of a password manager. Companies like Lastpass make it their business to do this. They consistently invite people to try to hack them. They iterate constantly on their security. It's documented and trackable. They have had a breach in the past, and responded appropriately and fixed the symptom as well as stated there was no disclosure of user data and notified the public. That speaks volumes to me. (I'm just saying: it's ok to be paranoid, but there should be reasonable limits to paranoia -- everyone gets hacked but what is the real risk of this? How is it handled? This kind of stuff differentiates real security companies vs ones just going through the motions. I can reference issues where security issues were pointed to Lastpass and there were patches within 24 hours!) I have tried 1Password, and while I did like it, they were less cloud friendly. And honestly, Lastpass is cheaper, if not outright free. Link to comment Share on other sites More sharing options...
Anibal P Posted February 13, 2017 Share Posted February 13, 2017 10 minutes ago, mram said: I use Lastpass. Highly recommend. 2-factor everything possible though, and be smart. I have 150+ sites in my Lastpass vault, all with unique passwords. If you don't have unique passwords for each site, you do run risks, so password managers are a must. I don't understand the lack of trust in password managers. I think the risks of password management outweigh the risks of compromised sites. For example, lets say you have an account at "Joe's Company". If "Joe's Company" ever got hacked, any data about you is compromised, and everywhere else where you have the same user/pass is also potentially compromised. Additionally you'll never really know if "Joe's Company" was ever compromised. It could be years ... look at Yahoo for example. So if you want to truly be secure you need different user/pass for every site you ever visit and unless you come up with a weird "system" for everything, you might as well KISS principle the thing under the guidance of a password manager. Companies like Lastpass make it their business to do this. They consistently invite people to try to hack them. They iterate constantly on their security. It's documented and trackable. They have had a breach in the past, and responded appropriately and fixed the symptom as well as stated there was no disclosure of user data and notified the public. That speaks volumes to me. (I'm just saying: it's ok to be paranoid, but there should be reasonable limits to paranoia -- everyone gets hacked but what is the real risk of this? How is it handled? This kind of stuff differentiates real security companies vs ones just going through the motions. I can reference issues where security issues were pointed to Lastpass and there were patches within 24 hours!) I have tried 1Password, and while I did like it, they were less cloud friendly. And honestly, Lastpass is cheaper, if not outright free. A certain subset of people here actually believe they are smarted than the rest of us and that they can memorize 100+ "unique" passwords Of course all it takes is to crack the code for one and you have them all, but remember, they are smarter and better than the rest of us Link to comment Share on other sites More sharing options...
Gone Posted February 13, 2017 Author Share Posted February 13, 2017 Everybody here seems to speak about last pass (well okay not everybody, but the majority). I have a terrible memory, maybe because I don't get enough sleep. I'm going to look up a few of these tomorrow. One of the things I was talking with one of my neighbors about was cloud storage being inherently unsafe, or rather expect no privacy. Of course if somebody were to snoop around your house they may have a better chance of getting your password than if you used a password manager to store it (if you wrote the password down that is). Nobody can read your mind (yet). Link to comment Share on other sites More sharing options...
+mram Subscriber² Posted February 13, 2017 Subscriber² Share Posted February 13, 2017 25 minutes ago, SpeedyTheSnail said: One of the things I was talking with one of my neighbors about was cloud storage being inherently unsafe, or rather expect no privacy. Of course if somebody were to snoop around your house they may have a better chance of getting your password than if you used a password manager to store it (if you wrote the password down that is). Nobody can read your mind (yet). Sure, that's a fair argument. But understand that virtually everything is going to the cloud, in general -- cloud based computing is everywhere. The issue isn't so much about whether your data is accessible by "bad guys" it's whether they can do anything with IF they get it. Encryption is a great thing. Think of it like burying a safe somewhere hidden. Sure you might find it, but then you have to open it. And then when you get in there you will have to translate it. And decode it. And understand it. And also understand that Lastpass (like most reputable vendors I understand) do not keep a "master key" for many varied reasons. I work in IT and I could tell you reasonably with assurances that most companies who are involved in this stuff really don't want this access, as insidious as you might think they would be. You're just not allowed legally to refuse access and still have a "back door" ... it's either legally allowable or you can create a self-securing solution by simply not having the "master key" at all. So having said that, assume the hypothetical worst case: Data is (again, hypothetically) stolen from Lastpass, and they never knew about it, and you never found out. It would take the bad guys a long time, like years if even possible**, to decrypt your specific blobs of data to get your passwords. If you were doing good security practices, you would've cycled your passwords anyway by then and there's really no issue. In short, that's a heck of a lotta "ifs" and a whole lot of reasons to have faith -- especially given that encryption is just getting better and better. In short, encrypted cloud data is generally safe, as long as you're not bad about it. Lastpass even gives you good tools to change passwords automatically, it checks environments for you, alerts for changes, etc. I'm not trying to push Lastpass so much as provide general awareness into cloud computing being generally safe -- but one should always investigate what is being utilized for protection, how they have reacted to attempts, what resilience they have had to attacks, what bug checks have been done against them, etc. ** brute-force decryption of an aes-256 key is damn near impossible by modern standards. Of course computers get better, but so will encryption, so I expect by the time one could reasonably move the brute-force decryption of an AES-256 key down to mere decades of supercomputer work, we would have moved to AES-512 or whatever. In a nutshell "never say never" but the idea that someone could randomly decrypt an AES-256 encrypted blob of data is pretty much impossible by modern standards. But even for the sake of argument, I'm assuming it is possible... so I must have a screw loose. Anibal P 1 Share Link to comment Share on other sites More sharing options...
Nerd Rage Posted February 13, 2017 Share Posted February 13, 2017 (edited) Ive tried most of them, used Roboform for years, but switched to Dashlane a couple years back. Much cleaner and user friendly UI. Not without it's issues, but it's the best one I've tried imo. Link to comment Share on other sites More sharing options...
T3X4S Posted February 13, 2017 Share Posted February 13, 2017 On 2/11/2017 at 6:22 AM, BudMan said: sticky passwords? Until you mentioned it have never heard of them. Taking a look at their website - 30$ a year to be able to sync your passwords.. lastpass is FREE I have premium for $12 a year.. I don't see anything there that would tempt me to switch that is for sure.. I paid for the premium as well. A nice little chrome add-on and my password sync travels across all of my devices. Why even consider some no-named password manager from some company you never heard of where you are considering the possibility of "... if the developer has hidden malicious intentions, or is inexperienced in security..." ? LastPass will do what you need, is well known, has multifactor authentication. Link to comment Share on other sites More sharing options...
Recommended Posts