Do you use a password manager?

Accrual
Posts: 135
Joined: Tue Feb 07, 2017 2:22 pm

Re: Do you use a password manager?

Post by Accrual »

I use KeePassXC
Eno Deb
Posts: 757
Joined: Sun Feb 03, 2019 3:08 pm

Re: Do you use a password manager?

Post by Eno Deb »

bertilak wrote: Sat Jul 30, 2022 10:03 am
oldcomputerguy wrote: Sat Jul 30, 2022 9:42 am
bertilak wrote: Sat Jul 30, 2022 7:48 am LastPass not only records ID/PW but automatically remembers them and fills them into a web page for me. I need not open up an application (KeePass) to copy and paste from. KeePass is a step up from using a spreadsheet but is still a manual process.
I use Keepass here, along with the KeePassHttp-Connector browser plugin. The plugin queries KeePass and fills in username/password fields for me.
I prefer not to use add-ons that may or may not keep up with updates to the main program. It is just one more thing that needs to be managed. It's no big deal in and of itself, but these things pile up. It contributes to the one step forward, two steps back syndrome!
The browser extensions are automatically updated by the browser by default.

The extensions are far safer than copy/paste, since every piece of software on your computer (including the malicious variety) can access the clipboard and capture what you copy. I use KeePassXC with the corresponding browser plugin and it uses an authenticated and encrypted connection for communication between the extension and the password manager.
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

Question about 1Password.

I have it all set up and working on my laptop in the Edge browser. Well, mostly.

When I go to a web page with ID/PW fields, 1Password does not pre-fill them. I need to take some action, like click on one of those fields, to get 1Password to fill them in. Is this normal? Is there some configuration option?

LastPass has those fields pre-filled when the page opens.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
random_walker_77
Posts: 2207
Joined: Tue May 21, 2013 8:49 pm

Re: Do you use a password manager?

Post by random_walker_77 »

bertilak wrote: Sun Jul 31, 2022 10:17 am Question about 1Password.

I have it all set up and working on my laptop in the Edge browser. Well, mostly.

When I go to a web page with ID/PW fields, 1Password does not pre-fill them. I need to take some action, like click on one of those fields, to get 1Password to fill them in. Is this normal? Is there some configuration option?

LastPass has those fields pre-filled when the page opens.
I don't know if 1Password has an option to change that behavior, but I personally find it reassuring that my password manager requires my action to fill in the ID/PW fields. There have been previous hacks where "invisible" forms were on pages that then sucked in information that browsers had automatically pre-filled. Since password managers only pre-fill pages on the proper domain, it mostly wouldn't matter. Unless someone had hacked the domain to insert a bogus page, probably at an obscure URL, and somehow got you to visit that page...

As background, over the years, there have been various exploits that take advantage of placing elements onto a page, either in the same color as the background, or shrunken down to 1 pixel in size, or placed there, but hidden behind an image or some such. If you had malicious intentions and you could coax a browser to autofill a credit card number in without the end user knowing, that'd be useful right?

There's sneakiness in tech, both from the malicious and the legitimate. Over 20 years ago, I remember hearing about the innovation of adding a single-pixel image to html emails. Since the browser would auto-load the image for display, an advertiser could just make sure these images had unique URLs. Their web server logs would then tell them if that image had ever been retrieved, and if so, at what time, thereby telling them if the email had been opened, and at what time of day. If you're running an email ad campaign, that's good info to know.
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

random_walker_77 wrote: Sun Jul 31, 2022 11:00 am
bertilak wrote: Sun Jul 31, 2022 10:17 am Question about 1Password.

I have it all set up and working on my laptop in the Edge browser. Well, mostly.

When I go to a web page with ID/PW fields, 1Password does not pre-fill them. I need to take some action, like click on one of those fields, to get 1Password to fill them in. Is this normal? Is there some configuration option?

LastPass has those fields pre-filled when the page opens.
I don't know if 1Password has an option to change that behavior, but I personally find it reassuring that my password manager requires my action to fill in the ID/PW fields.
So, perhaps that's intended.

I can see how it might make it harder for someone to "hack" past the security. I think I can live with it!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

bertilak wrote: Sun Jul 31, 2022 11:40 am
random_walker_77 wrote: Sun Jul 31, 2022 11:00 am
bertilak wrote: Sun Jul 31, 2022 10:17 am Question about 1Password.

I have it all set up and working on my laptop in the Edge browser. Well, mostly.

When I go to a web page with ID/PW fields, 1Password does not pre-fill them. I need to take some action, like click on one of those fields, to get 1Password to fill them in. Is this normal? Is there some configuration option?

LastPass has those fields pre-filled when the page opens.
I don't know if 1Password has an option to change that behavior, but I personally find it reassuring that my password manager requires my action to fill in the ID/PW fields.
So, perhaps that's intended.
Probably not intentional since it behaves differently on different web pages. Some pre-fill the ID/PW fields. (Most? I don't have enough to generalize.)
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Kingghoti
Posts: 66
Joined: Sun Jul 19, 2020 9:57 am

Re: Do you use a password manager?

Post by Kingghoti »

:confused
bertilak wrote: Sun Jul 31, 2022 10:17 am Question about 1Password.

I have it all set up and working on my laptop in the Edge browser. Well, mostly.

When I go to a web page with ID/PW fields, 1Password does not pre-fill them. I need to take some action, like click on one of those fields, to get 1Password to fill them in. Is this normal? Is there some configuration option?

LastPass has those fields pre-filled when the page opens.
FWIW, LastPass has a Do Not Autofill switch, settable by individual site. Perhaps also as a global switch but I’ve not had need to use that. Best!
Marmot
Posts: 592
Joined: Sun Oct 10, 2010 1:44 pm
Location: Phoenix, AZ

Re: Do you use a password manager?

Post by Marmot »

I did not read the replies. We use Norton that comes with our virus protection.
Marty....don't go to the year 2020....Dr. Emmett Brown
SurferLife
Posts: 701
Joined: Sun Jun 15, 2014 1:57 am

Re: Do you use a password manager?

Post by SurferLife »

I use Yojimbo on my Mac. It's nice because it does other things as well that I use.
palaheel
Posts: 626
Joined: Wed Mar 22, 2017 7:35 am

Re: Do you use a password manager?

Post by palaheel »

Does anyone have any experience with NordPass?
Nothing to say, really.
nesky
Posts: 9
Joined: Tue Nov 17, 2020 7:21 pm

Re: Do you use a password manager?

Post by nesky »

This topic seems to come up a lot.

KeePassXC for local (user defined) storage, very simple to implement and use on a single machine. May need to use other apps for iOS and Android to access your database.

Bitwarden as a cloud stored manager.

I’ve used both with great experiences (I pay the yearly donation for Bitwarden) for years with zero issues, both are open source and typically at the top of many ‘lists’ in privacy/security communities and forums online. I won’t touch any other password managers personally.
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

As a long time (well, medium time) user of LastPass I decided to try out 1Password. It was a reasonably successful trial, but I eventually decided LastPass was easier to use so dropped the idea of using 1Password. The ways I can characterize the "easier" are:
  • I seemed to be constantly clicking on things to get 1Password to fill in ID/PW fields and the sequence of doing this didn't seem consistent. Probably my inexperience, but I couldn't get "experienced!"
  • Use of YubiKey 2FA was simple with LastPass and unavailable with 1Password. I think 1Password might have a way to use YubiKey (lots of hints!) but I couldn't figure it out. There were places that said "coming soon" but I wasn't sure if that meant the actual use of YubiKey or just some swizzle on it.
Bottom line, LastPass works and is easy to use.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
homebuyer6426
Posts: 1830
Joined: Tue Feb 07, 2017 8:08 am

Re: Do you use a password manager?

Post by homebuyer6426 »

I use the same "base" password for most of my accounts but then I have a suffix that I can easily remember which is different for each. Uppercase and lower case letters, numbers, and a symbol in every one.

I don't like the idea of a single point of failure so this works better for me.
45% Total Stock Market | 52% Consumer Staples | 3% Short Term Reserves
RetiOpening
Posts: 98
Joined: Fri Jan 21, 2022 1:53 pm

Re: Do you use a password manager?

Post by RetiOpening »

homebuyer6426 wrote: Thu Aug 04, 2022 9:51 am I use the same "base" password for most of my accounts but then I have a suffix that I can easily remember which is different for each. Uppercase and lower case letters, numbers, and a symbol in every one.

I don't like the idea of a single point of failure so this works better for me.
If there is a data breach at any one of your accounts and your password makes its way to the dark web, are you concerned that your method of suffixing could be deciphered? I had a similar system--base password + an admittedly unimaginative suffix--for a very long time. Just last week, after quite a bit of research and YouTube videos, I made the switch over to Bitwarden, and let's just say it's something I wish I had done 10 years ago. I get a strange comfort from all my passwords looking something like this: *xoCiuBv24;op8x9)92$dcnCRcknS$. If a website gives me a 64-character limit, oh, you better believe I'll be generating a password that uses all 64. :D
squirrel1963
Posts: 1253
Joined: Wed Jun 21, 2017 10:12 am
Location: Portland OR area

Re: Do you use a password manager?

Post by squirrel1963 »

Yes, absolutely, it's worth every penny.

In the past I used 1Password and now I use LastPass; both products are used by some of the megacorps I worked for. Many of my infosec, IT, and security architect former coworkers highly endorse both, so it's good enough for me.
I've also done some security although I'm by no means an SME.
I see no need doing anything else, also because I really like them.
LMP | Liability Matching Portfolio | safe portfolio: TIPS ladder + I-bonds + Treasuries | risky portfolio: US stocks / US REIT / International stocks
homebuyer6426
Posts: 1830
Joined: Tue Feb 07, 2017 8:08 am

Re: Do you use a password manager?

Post by homebuyer6426 »

RetiOpening wrote: Tue Aug 09, 2022 12:36 am
homebuyer6426 wrote: Thu Aug 04, 2022 9:51 am I use the same "base" password for most of my accounts but then I have a suffix that I can easily remember which is different for each. Uppercase and lower case letters, numbers, and a symbol in every one.

I don't like the idea of a single point of failure so this works better for me.
If there is a data breach at any one of your accounts and your password makes its way to the dark web, are you concerned that your method of suffixing could be deciphered? I had a similar system--base password + an admittedly unimaginative suffix--for a very long time. Just last week, after quite a bit of research and YouTube videos, I made the switch over to Bitwarden, and let's just say it's something I wish I had done 10 years ago. I get a strange comfort from all my passwords looking something like this: *xoCiuBv24;op8x9)92$dcnCRcknS$. If a website gives me a 64-character limit, oh, you better believe I'll be generating a password that uses all 64. :D
If you're concerned about the decipherability you can make the "custom" part of each password make sense only to you. Like ask yourself the same question for each service. "What year was the founder born", or even better "3 words to describe your opinion of this company" etc. Most of the time thieves are casting a wide net running automated programs that just match exact passwords between accounts. It's unlikely they're going to spend any real human-time deciphering your suffix pattern unless you're an extremely high value target and they know it. Even if they did it's unlikely to work as most systems incorporate something to stop/slow down too many guesses.

But, I'm glad you like Bitwarden. I'm not comfortable with that level of centralization.
45% Total Stock Market | 52% Consumer Staples | 3% Short Term Reserves
SnowBog
Posts: 4680
Joined: Fri Dec 21, 2018 10:21 pm

Re: Do you use a password manager?

Post by SnowBog »

homebuyer6426 wrote: Tue Aug 09, 2022 10:12 am
RetiOpening wrote: Tue Aug 09, 2022 12:36 am
homebuyer6426 wrote: Thu Aug 04, 2022 9:51 am I use the same "base" password for most of my accounts but then I have a suffix that I can easily remember which is different for each. Uppercase and lower case letters, numbers, and a symbol in every one.

I don't like the idea of a single point of failure so this works better for me.
If there is a data breach at any one of your accounts and your password makes its way to the dark web, are you concerned that your method of suffixing could be deciphered? I had a similar system--base password + an admittedly unimaginative suffix--for a very long time. Just last week, after quite a bit of research and YouTube videos, I made the switch over to Bitwarden, and let's just say it's something I wish I had done 10 years ago. I get a strange comfort from all my passwords looking something like this: *xoCiuBv24;op8x9)92$dcnCRcknS$. If a website gives me a 64-character limit, oh, you better believe I'll be generating a password that uses all 64. :D
If you're concerned about the decipherability you can make the "custom" part of each password make sense only to you. Like ask yourself the same question for each service. "What year was the founder born", or even better "3 words to describe your opinion of this company" etc. Most of the time thieves are casting a wide net running automated programs that just match exact passwords between accounts. It's unlikely they're going to spend any real human-time deciphering your suffix pattern unless you're an extremely high value target and they know it. Even if they did it's unlikely to work as most systems incorporate something to stop/slow down too many guesses.

But, I'm glad you like Bitwarden. I'm not comfortable with that level of centralization.
You should look into brute force attacks and password spray attacks...

If an attacker were to get two of your passwords, it would be easy for them to recognize the pattern. As they get more, it's just that much easier.

If your pattern is to add a year, or three adjectives, etc. - now the attacker can easily script a process to try those specific combinations.

And sadly, there's tools on the market to help them do this, so it isn't exactly like they need to individually invest time targeting you specifically. You've just made it easier for them to use automated processes to attempt to access your accounts.

This is why the recommendation is to not reuse any passwords, parts of passwords, or use any sort of "pattern" in your passwords. Those things make your accounts significantly weaker than using unique random complex passwords in every account. Most people aren't good at doing that - especially remembering them - hence the recommendation for a password manager to do it for you.
homebuyer6426
Posts: 1830
Joined: Tue Feb 07, 2017 8:08 am

Re: Do you use a password manager?

Post by homebuyer6426 »

SnowBog wrote: Tue Aug 09, 2022 11:14 am
You should look into brute force attacks and password spray attacks...

If an attacker were to get two of your passwords, it would be easy for them to recognize the pattern. As they get more, it's just that much easier.

If your pattern is to add a year, or three adjectives, etc. - now the attacker can easily script a process to try those specific combinations.

And sadly, there's tools on the market to help them do this, so it isn't exactly like they need to individually invest time targeting you specifically. You've just made it easier for them to use automated processes to attempt to access your accounts.

This is why the recommendation is to not reuse any passwords, parts of passwords, or use any sort of "pattern" in your passwords. Those things make your accounts significantly weaker than using unique random complex passwords in every account. Most people aren't good at doing that - especially remembering them - hence the recommendation for a password manager to do it for you.


Password manager - single point of failure.

I am a software engineer and familiar with brute force attacks. It's pretty rare these days to find a well-known service that'll just let you keep pounding it with passwords and not introduce a delay or eventual lockout. That's without even mentioning the added protection of 2 factor authentication.
45% Total Stock Market | 52% Consumer Staples | 3% Short Term Reserves
fetch5482
Posts: 1721
Joined: Fri Aug 15, 2014 4:55 pm

Re: Do you use a password manager?

Post by fetch5482 »

random_walker_77 wrote: Tue Jul 19, 2022 2:46 pm I use bitwarden. It's well-regarded, undergoes regular security audits, and makes it easy to generate secure passwords and unique usernames (https://bitwarden.com/help/generator/). They allow you to have unique strong passwords, unique usernames for each site, and autofill into valid sites. This last point means that if it won't autofill, you need to double-check that you're not on a spoofed phishing website.

I was happy with the free plan, but upgraded last year to the $10/yr plan in order to support it and for more secure file transfer (as compared to email attachments).
+1 for Bitwarden. I switched from LastPass to Bitwarden several years ago (even before LastPass changed their freemium model) and have been very happy with it. The open source repository makes me more confident that the passwords are handled correctly and never decrypted over the wire. I also pay the $10 annually to use the secure file transfer and built-in 2FA code generation features; although it's mostly just to support the developer since I can get away with just what is provided in the free offering. Similar to LastPass, Bitwarden supports all the major clients (Android, iOS, all popular browsers, Mac, Windows, Linux).
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
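The domain-matching behaviour random_walker_77 describes (the manager only fills on the proper domain, so a refusal to autofill is itself a phishing signal) comes down to how the saved URL is compared with the current page. The following is an added example, not code from Bitwarden, LastPass, 1Password or any other product: a strict host-matching rule placed beside the weak substring rule it replaces. The vault entries, page URLs and the two-label `_registrable` approximation are the example's own assumptions; a real manager would consult the Public Suffix List.

```python
"""Deciding whether a saved login may be offered on the current page.

Added example; the vault contents and page URLs below are constructed.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample vault: entry name -> URL the login was saved on.
VAULT = {
    "example-bank": "https://login.example-bank.com/signin",
    "forum": "https://www.bogleheads.org/forum/",
}


def _host(url: str) -> Optional[str]:
    """Lowercase hostname of a URL, or None if the URL has no host part."""
    parts = urlsplit(url)
    return parts.hostname.lower() if parts.hostname else None


def _registrable(host: str) -> str:
    """Registrable-domain approximation: the last two labels.

    Assumption for this example only; 'co.uk'-style suffixes need the
    Public Suffix List to be handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def autofill_allowed(entry_url: str, page_url: str, scheme_required: str = "https") -> bool:
    """True only if the page is on the saved entry's registrable domain and
    is served over HTTPS. Comparison is on whole labels, so a lookalike host
    such as 'example-bank.com.evil.test' does not match 'example-bank.com'."""
    e_host, p_host = _host(entry_url), _host(page_url)
    if not e_host or not p_host:
        return False
    if urlsplit(page_url).scheme != scheme_required:
        return False  # never fill a password into a plain-HTTP page
    return _registrable(e_host) == _registrable(p_host)


def entries_for_page(page_url: str) -> List[str]:
    """Names of vault entries that may be offered on this page."""
    return [name for name, url in VAULT.items() if autofill_allowed(url, page_url)]


def naive_match(entry_url: str, page_url: str) -> bool:
    """The weak rule: saved domain appears anywhere in the page URL.
    Kept only to contrast with autofill_allowed(); it accepts lookalikes."""
    host = _host(entry_url)
    return host is not None and _registrable(host) in page_url


if __name__ == "__main__":
    for url in [
        "https://login.example-bank.com/signin",
        "https://example-bank.com.evil.test/login",
        "http://login.example-bank.com/signin",
    ]:
        print(url, "->", entries_for_page(url))
```

Running the block prints the example entry for the first URL and an empty list for the lookalike host and the plain-HTTP page, which is exactly the "it won't autofill, double-check the site" behaviour the post relies on.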
SnowBog
Posts: 4680
Joined: Fri Dec 21, 2018 10:21 pm

Re: Do you use a password manager?

Post by SnowBog »

homebuyer6426 wrote: Tue Aug 09, 2022 12:00 pm
SnowBog wrote: Tue Aug 09, 2022 11:14 am
You should look into brute force attacks and password spray attacks...

If an attacker were to get two of your passwords, it would be easy for them to recognize the pattern. As they get more, it's just that much easier.

If your pattern is to add a year, or three adjectives, etc. - now the attacker can easily script a process to try those specific combinations.

And sadly, there's tools on the market to help them do this, so it isn't exactly like they need to individually invest time targeting you specifically. You've just made it easier for them to use automated processes to attempt to access your accounts.

This is why the recommendation is to not reuse any passwords, parts of passwords, or use any sort of "pattern" in your passwords. Those things make your accounts significantly weaker than using unique random complex passwords in every account. Most people aren't good at doing that - especially remembering them - hence the recommendation for a password manager to do it for you.


Password manager - single point of failure.

I am a software engineer and familiar with brute force attacks. It's pretty rare these days to find a well-known service that'll just let you keep pounding it with passwords and not introduce a delay or eventual lockout. That's without even mentioning the added protection of 2 factor authentication.
Not sure how you figure a password manager is a single point of failure...

If the concern is somehow the password manager "quits working" and you end up locked out of your accounts, you can "export" your passwords and create a local backup whenever you want. Likewise, modern browsers (I use the new Edge) have their own password management. So, my passwords exist both in LastPass and in Microsoft Edge.

If the concern is an attacker could get your passwords from the password manager... The good ones store passwords in a manner that isn't available to the company, or any attacker, without your "master password". So, they'd need to access your account and have your master password.

And my Microsoft account is effectively "passwordless", so unless someone steals my device and has my biometrics, they aren't gaining access to my account.

So, the odds of an attacker compromising my account by gaining access to either my Microsoft account (where they'd need my device and biometrics) and/or compromising a password management solution and having my master password are much smaller than an attacker (and their tools) figuring out your "pattern".

But the reality is there is nothing that will prevent every possible compromise. So, it's ultimately a judgement call for how much risk you are willing to accept, and in what way.
jebmke
Posts: 25271
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Do you use a password manager?

Post by jebmke »

SnowBog wrote: Tue Aug 09, 2022 1:55 pm If the concern is somehow the password manager "quits working" and you end up locked out of your accounts, you can "export" your passwords and create a local backup whenever you want.
This is what I do even with Keepass which is not online. I print a copy to a PDF file which gets stashed in a Veracrypt folder along with a few other similar files.
Stay hydrated; don't sweat the small stuff
bogler52
Posts: 45
Joined: Sat Dec 31, 2016 3:07 pm

Re: Do you use a password manager?

Post by bogler52 »

Yes. I use a password manager and love it. I also highly recommend using one.

The best way (IMO) to use a password manager is as follows:

- Store ALL of your passwords in there
- Once they are in there CHANGE all of them*.
- Use your password manager on your computer, cell phone, everywhere.

*Password managers should have an auto-generate mode i.e., it'll create a random password for you. It probably looks like gd%sdsd34sd9 or some gobbledegook. You'll never remember these passwords which is OK. If you get locked out of an account with a password you know it doesn't matter - you're still locked out and will need to reset it. Using an auto-generated password makes your passwords more secure (long, complex strings), and will ensure you don't reuse any passwords.

The password manager should also have an auto-fill function so you can automatically create and save new passwords / login details. It should auto-populate your login details when you go to a site. Ex: when I log into Bogleheads my password manager suggests my login details, I select OK, and it logs me in. I don't have to type anything.

I think they are worth the annual cost for the convenience and safety. If you decide you don't like it you should be able to take your data with you.
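The auto-generate mode bogler52 describes is the part of a password manager worth understanding, because a generator that draws from an ordinary PRNG, or that places the mandatory digit and symbol in predictable positions, undoes much of the benefit. The following is an added example and not the code of any password manager: a generator built on Python's `secrets` module that guarantees every required character class appears, shuffles with the CSPRNG, and can fill a site's length limit (the 64-character case mentioned earlier in the thread). The symbol set, default length and helper names are this example's own choices.

```python
"""Random password generation in the style of a manager's auto-generate mode.

Added example; SYMBOLS and the default policy are constructed choices.
"""
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Constructed symbol set: quotes and backslash left out to avoid copy/paste trouble.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_password(length: int = 32, symbols: bool = True) -> str:
    """Return a password drawn with the secrets module (a CSPRNG), never random.choice.

    One character from each required class is chosen first so every class is
    present, the rest are drawn uniformly from the full alphabet, and the
    result is shuffled with secrets.randbelow so class positions are not
    predictable. A length shorter than the number of classes is rejected."""
    classes = [LOWER, UPPER, DIGITS] + ([SYMBOLS] if symbols else [])
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG (random.shuffle is not suitable).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def fits_site_limit(length_limit: int, symbols: bool = True) -> str:
    """Generate the longest password a site's stated limit allows."""
    return generate_password(length_limit, symbols)


def satisfies_policy(pw: str, symbols: bool = True) -> bool:
    """Check that every required class is present in pw."""
    checks = [
        any(c in LOWER for c in pw),
        any(c in UPPER for c in pw),
        any(c in DIGITS for c in pw),
    ]
    if symbols:
        checks.append(any(c in SYMBOLS for c in pw))
    return all(checks)


if __name__ == "__main__":
    print(generate_password())
    print(fits_site_limit(64))
```

Sites that forbid symbols get `symbols=False`; anything stricter (a required character from a site-specific set) is a one-line extension of `classes`. The generator never stores or logs what it produced, which is the manager's job.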
GAAP
Posts: 2548
Joined: Fri Apr 08, 2016 12:41 pm

Re: Do you use a password manager?

Post by GAAP »

I've used password managers for decades. I've been using keepass for at least half of that time since it is cross-platform and open source.

I would never trust my passwords to the security of an online service, or store them in a general purpose application file regardless of the application's supposed level of encryption.
“Adapt what is useful, reject what is useless, and add what is specifically your own.” ― Bruce Lee
Eno Deb
Posts: 757
Joined: Sun Feb 03, 2019 3:08 pm

Re: Do you use a password manager?

Post by Eno Deb »

homebuyer6426 wrote: Tue Aug 09, 2022 12:00 pmPassword manager - single point of failure.
Use an offline password manager and keep multiple backups of the database in different locations. Also, I'd strongly recommend a Keepass compatible app to avoid vendor lock-in. The database format is supported by multiple apps on each major platform, so even if the app you choose was discontinued you could seamlessly switch to an alternative.

Any scheme you could come up with to "generate" memorable passwords drastically reduces the entropy, which makes them easy to de-hash or even brute-force.

Longer term I hope we'll eventually get away from passwords entirely. There is currently a major industry initiative to establish passwordless login via "passkeys", which are much more secure.
squirrel1963
Posts: 1253
Joined: Wed Jun 21, 2017 10:12 am
Location: Portland OR area

Re: Do you use a password manager?

Post by squirrel1963 »

homebuyer6426 wrote: Tue Aug 09, 2022 12:00 pm
SnowBog wrote: Tue Aug 09, 2022 11:14 am
You should look into brute force attacks and password spray attacks...

If an attacker were to get two of your passwords, it would be easy for them to recognize the pattern. As they get more, it's just that much easier.

If your pattern is to add a year, or three adjectives, etc. - now the attacker can easily script a process to try those specific combinations.

And sadly, there's tools on the market to help them do this, so it isn't exactly like they need to individually invest time targeting you specifically. You've just made it easier for them to use automated processes to attempt to access your accounts.

This is why the recommendation is to not reuse any passwords, parts of passwords, or use any sort of "pattern" in your passwords. Those things make your accounts significantly weaker than using unique random complex passwords in every account. Most people aren't good at doing that - especially remembering them - hence the recommendation for a password manager to do it for you.


Password manager - single point of failure.

I am a software engineer and familiar with brute force attacks. It's pretty rare these days to find a well-known service that'll just let you keep pounding it with passwords and not introduce a delay or eventual lockout. That's without even mentioning the added protection of 2 factor authentication.
What do you mean by a single point of failure? Given you are a software engineer you presumably understand that the whole premise of encryption and asymmetric encryption is that it's computationally cheap to encrypt/decrypt if you know the password, but computationally infeasible to use a brute force attack as long as the password is of a sufficient length, given that the number of possible combinations of an N-bit key is 2^N, so an 8-bit key requires 2^8 = 256 trials, but a 64-bit key requires 2^64 = 1.8 * 10^19 trials. Key lengths of 256 bits are now common, and a 256-bit key requires 1.1 * 10^77 trials. Even using a server farm with dedicated hardware it is still very difficult to do so and it is incredibly expensive. Only spy agencies of nation states have sufficient technical and financial resources to do that, and they are not going to spend millions of dollars to break your LastPass or 1Password password. So brute force attacks are infeasible in the vast majority of cases given a sufficiently long and complex password.

The real weakness is always the human factor; phishing and other social engineering techniques are much cheaper and easier. This is why security requires a holistic (end-to-end) approach and it is never really about the strength of encryption algorithms and key length.

The alternative of not using a password manager means either having a simple password which is easy to guess with a dictionary attack or writing it down on paper which is obviously very insecure.
LMP | Liability Matching Portfolio | safe portfolio: TIPS ladder + I-bonds + Treasuries | risky portfolio: US stocks / US REIT / International stocks
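Two posts above make the same point from different directions: squirrel1963's 2^N trial counts for key lengths, and Eno Deb's remark that any memorable scheme drastically reduces entropy (SnowBog's "year or three adjectives" suffix is the concrete case). The following is an added example, not from any password manager or from the posters, that carries the arithmetic through: it reproduces the thread's 2^8, 2^64 and 2^256 figures, then compares the bits left in a random 30-character password against a suffix appended to a base that one breach has already exposed. The guess rate, the 150-year range and the 2000-word vocabulary are constructed assumptions for illustration only.

```python
"""Search-space arithmetic for key lengths and password schemes.

Added example; GUESSES_PER_SECOND and the scheme parameters are assumptions.
"""
import math

GUESSES_PER_SECOND = 1e12          # assumed offline guessing throughput (constructed figure)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_trials(bits: int) -> int:
    """Candidates for an N-bit key: 2**N (the thread's 2^8 = 256, 2^64, 2^256)."""
    return 2 ** bits


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_suffix_bits(suffix_choices: int) -> float:
    """Entropy that remains once a shared base is known from a breach:
    only the suffix is unknown, so it is log2 of the number of suffix choices."""
    return math.log2(suffix_choices)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of a bits-sized space at the given rate."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Worked comparison of the schemes discussed in the thread (bits of entropy)."""
    return {
        # 30 characters from the ~94 printable ASCII symbols, like RetiOpening's example
        "random_30_char_bits": random_password_bits(30, 94),
        # a four-digit year appended to a known base, ~150 plausible years (assumed)
        "year_suffix_bits": pattern_suffix_bits(150),
        # three words from a personal vocabulary of ~2000 words (assumed)
        "three_word_suffix_bits": pattern_suffix_bits(2000 ** 3),
        # symmetric key size the post calls common today
        "aes_256_bits": 256.0,
    }


if __name__ == "__main__":
    for bits in (8, 64, 256):
        print(f"{bits}-bit key: {key_trials(bits):.2e} trials")
    for name, bits in compare_schemes().items():
        print(f"{name:>24}: {bits:7.1f} bits, {years_to_exhaust(bits):.2e} years at 1e12/s")
```

The numbers make the earlier disagreement concrete: a random 30-character password has close to 200 bits, in the same league as the 256-bit keys the post mentions, while a year suffix on a known base is under 8 bits and even three personal words stay near 33 bits, small enough that online rate limiting is the only thing protecting the account.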
homebuyer6426
Posts: 1830
Joined: Tue Feb 07, 2017 8:08 am

Re: Do you use a password manager?

Post by homebuyer6426 »

squirrel1963 wrote: Wed Aug 10, 2022 5:43 pm
homebuyer6426 wrote: Tue Aug 09, 2022 12:00 pm
SnowBog wrote: Tue Aug 09, 2022 11:14 am
You should look into brute force attacks and password spray attacks...

If an attacker were to get two of your passwords, it would be easy for them to recognize the pattern. As they get more, it's just that much easier.

If your pattern is to add a year, or three adjectives, etc. - now the attacker can easily script a process to try those specific combinations.

And sadly, there's tools on the market to help them do this, so it isn't exactly like they need to individually invest time targeting you specifically. You've just made it easier for them to use automated processes to attempt to access your accounts.

This is why the recommendation is to not reuse any passwords, parts of passwords, or use any sort of "pattern" in your passwords. Those things make your accounts significantly weaker than using unique random complex passwords in every account. Most people aren't good at doing that - especially remembering them - hence the recommendation for a password manager to do it for you.


Password manager - single point of failure.

I am a software engineer and familiar with brute force attacks. It's pretty rare these days to find a well-known service that'll just let you keep pounding it with passwords and not introduce a delay or eventual lockout. That's without even mentioning the added protection of 2 factor authentication.
What do you mean by a single point of failure? Given you are a software engineer you presumably understand that the whole premise of encryption and asymmetric encryption is that it's computationally cheap to encrypt/decrypt if you know the password, but computationally infeasible to use a brute force attack as long as the password is of a sufficient length, given that the number of possible combinations of an N-bit key is 2^N, so an 8-bit key requires 2^8 = 256 trials, but a 64-bit key requires 2^64 = 1.8 * 10^19 trials. Key lengths of 256 bits are now common, and a 256-bit key requires 1.1 * 10^77 trials. Even using a server farm with dedicated hardware it is still very difficult to do so and it is incredibly expensive. Only spy agencies of nation states have sufficient technical and financial resources to do that, and they are not going to spend millions of dollars to break your LastPass or 1Password password. So brute force attacks are infeasible in the vast majority of cases given a sufficiently long and complex password.

The real weakness is always the human factor; phishing and other social engineering techniques are much cheaper and easier. This is why security requires a holistic (end-to-end) approach and it is never really about the strength of encryption algorithms and key length.

The alternative of not using a password manager means either having a simple password which is easy to guess with a dictionary attack or writing it down on paper which is obviously very insecure.
Yes that line of reasoning makes a lot of sense but it assumes that a service is going to let you keep trying passwords at a high rate of speed without slowdown or lockout (used to be true), you don't use 2 factor authentication (why would you not for important finances?) and that thieves aren't interested in taking the path of least resistance. I have never had an account compromised with my method and I don't need to worry about storing/updating offline backups because I can remember them.

In the end if you are an extremely high-value target (I'm not), a determined aggressor can always find a way into your accounts if they are willing to use torture, blackmail, etc. So your focus should be on keeping the masses of low-effort thieves at bay more than worrying about the rare extremely determined attacker. Just my 2 cents.
45% Total Stock Market | 52% Consumer Staples | 3% Short Term Reserves
afan
Posts: 8169
Joined: Sun Jul 25, 2010 4:01 pm

Re: Do you use a password manager?

Post by afan »

bogler52 wrote: Tue Aug 09, 2022 2:22 pm Yes. I use a password manager and love it. I also highly recommend using one.

The best way (IMO) to use a password manager is as follows:

- Store ALL of your passwords in there
- Once they are in there CHANGE all of them*.
- Use your password manager on your computer, cell phone, everywhere.

*Password managers should have an auto-generate mode i.e., it'll create a random password for you. It probably looks like gd%sdsd34sd9 or some gobbledegook. You'll never remember these passwords which is OK. If you get locked out of an account with a password you know it doesn't matter - you're still locked out and will need to reset it. Using an auto-generated password makes your passwords more secure (long, complex strings), and will ensure you don't reuse any passwords.

The password manager should also have an auto-fill function so you can automatically create and save new passwords / login details. It should auto-populate your login details when you go to a site. Ex: when I log into Bogleheads my password manager suggests my login details, I select OK, and it logs me in. I don't have to type anything.

I think they are worth the annual cost for the convenience and safety. If you decide you don't like it you should be able to take your data with you.
I agree with all of this but note that you can get a manager with this functionality for free.
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama
afan
Posts: 8169
Joined: Sun Jul 25, 2010 4:01 pm

Re: Do you use a password manager?

Post by afan »

I doubt there are many sites where crooks can attempt brute force attacks online. The payoff to these password cracks is when one comes by a large cache of passwords. There are many lists each running to the tens of millions available for free, others for costs that crackers are willing to pay. Then the criminals run their attacks on these lists. They only attempt online logins once they have cracked the passwords.
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama
bugleheadd
Posts: 916
Joined: Fri Nov 29, 2019 10:25 am

Re: Do you use a password manager?

Post by bugleheadd »

Excel is my password manager
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

bugleheadd wrote: Thu Aug 11, 2022 8:13 am Excel is my password manager
A password manager like LastPass does some things a spreadsheet doesn't do:
  1. Automatically looks up a saved URL for you.
  2. Enters ID/PW for you so you don't have to copy-n-paste.
  3. If you get lured to (or stumble onto) a bogus website the password manager will let you know it is something new so you can be careful. This is a great security feature.
  4. Saves a URL once you log in to it, enabling the above convenience and security features. Browser integration.
KeePass is a great replacement for a spreadsheet but doesn't have all the above features.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
gavinsiu
Posts: 4470
Joined: Sun Nov 14, 2021 11:42 am

Re: Do you use a password manager?

Post by gavinsiu »

afan wrote: Thu Aug 11, 2022 8:00 am I doubt there are many sites where crooks can attempt brute force attacks online. The payoff to these password cracks is when one comes by a large cache of passwords. There are many lists each running to the tens of millions available for free, others for costs that crackers are willing to pay. The the criminals run their attacks on these lists. They only attempt online logins once they have cracked the passwords.
The reason why a large cache of passwords is great is because a hacker can mine it for common passwords. Really bad websites will store the password in cleartext which is a super bad practice. Most sites will instead store not the password but a hash of the password. When you enter a password, it calls a hash function that transforms it into a hash. The hash is one way so you cannot take a hash and restore it to a password. This is why if you are locked out of your account, the system will ask you to reset the password. If you can get the actual password, you should delete your account since it will only be a matter of time before the site is hacked.

You can't reverse a hash, but you can create a dictionary where you would pre-generate every combination of a password and then search by hash. By increasing the length, you increase the size of the dictionary table to a point where it becomes infeasible.

People cannot remember a large number of long passwords. This is why it's good to use a password manager because it can store a long password that you cannot remember.
gavinsiu
Posts: 4470
Joined: Sun Nov 14, 2021 11:42 am

Re: Do you use a password manager?

Post by gavinsiu »

bertilak wrote: Thu Aug 11, 2022 8:35 am
bugleheadd wrote: Thu Aug 11, 2022 8:13 am Excel is my password manager
A password manager like LastPass does some things a spreadsheet doesn't do:
  1. Automatically looks up a saved URL for you.
  2. Enters ID/PW for you so you don't have to copy-n-paste.
  3. If you get lured to (or stumble onto) a bogus website the password manager will let you know it is something new so you can be careful. This is a great security feature.
  4. Saves a URL once you log in to it, enabling the above convenience and security features. Browser integration.
KeePass is a great replacement for a spreadsheet but doesn't have all the above features.
I agree with you. I think the ability to validate the URL is probably one of the best features. If you are not paying attention, you might not see that you are logging into bogleheads.orc instead of bogleheads.org. The most clever version of this hack is to use an alternate character set so that the URL looks just like the original.

There might be hacks that steal your clipboard. I notice that a lot of password managers have a feature enabled where if you copy the password, it will only keep it around for 30 seconds.
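The URL check gavinsiu describes above, worked through as an added example (this is not code from the thread or from any password manager product). It assumes a saved entry URL and the URL of the page being visited, matches the way a manager does (exact host match after canonicalization, not "looks similar"), and flags the two lookalike cases from the post: a typo domain such as bogleheads.orc and a host that uses characters from another script. The assumed names (canonical_host, should_autofill and so on) are mine; the sample URLs are constructed and the Cyrillic letter is inserted on purpose.

```python
import unicodedata
from urllib.parse import urlsplit


def canonical_host(url: str) -> str:
    """Lower-case hostname with any non-ASCII label converted to its xn-- (punycode)
    form, which is the name the browser actually resolves."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii").lower()


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def host_warnings(url: str) -> list:
    """Reasons to refuse autofill even before comparing against a saved entry."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    warnings = []
    if any(label.startswith("xn--") for label in canonical_host(url).split(".")):
        warnings.append("internationalized label: lookalike characters possible")
    if len(scripts_in(raw_host.replace(".", ""))) > 1:
        warnings.append("mixed scripts in host name")
    if parts.scheme != "https":
        warnings.append("not https")
    return warnings


def should_autofill(saved_url: str, current_url: str) -> tuple:
    """Exact canonical host match, as a manager does it; a one-letter typo domain or a
    homograph domain is simply a different host. Returns (decision, reason)."""
    saved, current = canonical_host(saved_url), canonical_host(current_url)
    if saved != current:
        return False, f"host {current!r} does not match saved {saved!r}"
    warnings = host_warnings(current_url)
    if warnings:
        return False, "; ".join(warnings)
    return True, "exact host match"


if __name__ == "__main__":
    saved = "https://www.bogleheads.org/forum/"
    # Constructed test URLs: a typo domain and a homograph using U+0435 (Cyrillic ie) for "e".
    for url in ("https://www.bogleheads.org/login", "https://www.bogleheads.orc/login",
                "https://www.bogleh\u0435ads.org/login"):
        print(url, "->", should_autofill(saved, url))
```

This version is stricter than most products in one respect: it treats bogleheads.org and www.bogleheads.org as different hosts, whereas real managers usually match on the registrable domain. The point it demonstrates is the one from the post: the check is a string comparison on the canonical host, so a lookalike never matches no matter how convincing it looks on screen.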
Doom&Gloom
Posts: 5398
Joined: Thu May 08, 2014 3:36 pm

Re: Do you use a password manager?

Post by Doom&Gloom »

One of the best uses I have for KeePass is to keep up with DW's passwords.

DW refuses to use a PW manager because "I can remember them." Most of her passwords are related to one another or to the site she is using in some fashion, and she has recently begun tossing in a capital letter, a number, and a symbol. It looks random enough to her and there is no convincing her otherwise. So far the biggest flaw in her system is when she forgets to tell me she has established a PW for a new site so I can't record it and she subsequently forgets it. But it is only a matter of time ...
olefoodie
Posts: 36
Joined: Sun Dec 12, 2021 1:45 pm

Re: Do you use a password manager?

Post by olefoodie »

I have used Roboform Everywhere (on multiple devices) for many years and am happy with it. It doesn't seem to be a popular one among folks on this forum, so now I'm wondering if I'm missing something with the other ones that are being used. If you switched from Roboform to one of these other ones, please let me know what added features in the new one were worth the switch and maybe I will consider a switch as well! Thx.
afan
Posts: 8169
Joined: Sun Jul 25, 2010 4:01 pm

Re: Do you use a password manager?

Post by afan »

bertilak wrote: Thu Aug 11, 2022 8:35 am
bugleheadd wrote: Thu Aug 11, 2022 8:13 am Excel is my password manager
A password manager like LastPass does some things a spreadsheet doesn't do:
  1. Automatically looks up a saved URL for you.
  2. Enters ID/PW for you so you don't have to copy-n-paste.
  3. If you get lured to (or stumble onto) a bogus website the password manager will let you know it is something new so you can be careful. This is a great security feature.
  4. Saves a URL once you log in to it, enabling the above convenience and security features. Browser integration.
KeePass is a great replacement for a spreadsheet but doesn't have all the above features.
One can enter the URL as a column in a spreadsheet. Copy and paste to get to the correct site.

As the discussion above indicates, not everyone wants something that automatically enters username and password.
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama
Freefun
Posts: 1237
Joined: Sun Jan 14, 2018 2:55 pm

Re: Do you use a password manager?

Post by Freefun »

1Password fan here. I don’t pay for a subscription.
Remember when you wanted what you currently have?
Kingghoti
Posts: 66
Joined: Sun Jul 19, 2020 9:57 am

Re: Do you use a password manager?

Post by Kingghoti »

Rainbow tables help break passwords (find clear text passwords) that generate a hash found on the hash table. They don’t help break a particular password but can spray a lot of valid hits in an unpredictable manner

The security breach and resultant brute force attack to think of is not brute forcing a website login. Of course the account locks up. It’s gaining the hash file and using VSLIC technology or graphics cards like for mining to brute force billions of tries to get a hash collision(match). If the attacker knows which hashed value corresponds to your account it becomes worrisome only if the hashing function is weak.

That’s why the password manager only has the hashed values. Well-implemented, as pointed out above, the brute-ness of force needed is unimaginable.

It’d do no one any good if they breached the vendor and got a leaked file. Well except for maybe a few nation state actors.:D
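The offline cracking that gavinsiu and Kingghoti describe above, as an added example that is not part of the thread (and not code from any product). It contrasts the two ways a site can store a password: an unsalted single hash, which a table precomputed once from a wordlist breaks with a lookup, and a per-record salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library), where no table helps and the attacker pays one KDF run per (record, guess) pair. The user database, the wordlist and the iteration counts are constructed for the example; the function names are mine.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist, a tiny stand-in for the multi-million-entry lists the thread mentions.
WORDLIST = ["password", "letmein", "Bogleheads2022", "correct horse battery staple", "P@55w0rD"]

# Constructed sample user database: two users chose wordlist passwords, one used a random one.
USERS = {
    "alice": "password",
    "bob": "Bogleheads2022",
    "carol": "F8q3wasr)r54FUr_)fdk#4_4Yr",
}


def weak_hash(password: str) -> str:
    """Unsalted single SHA-256: the same password gives the same hash on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once. The cost is paid once and reused against every
    unsalted leak the attacker ever obtains; rainbow tables are a compressed form of this."""
    return {weak_hash(w): w for w in words}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """leaked maps user -> unsalted hash. Each recovery is a single dictionary lookup."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def strong_hash(password: str, iterations: int = 200_000, salt: bytes = None) -> str:
    """Per-record random salt plus a slow KDF. Stored as 'salt$iterations$hash' so that
    verification can recompute it; two users with the same password get different records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked: dict, words) -> tuple:
    """leaked maps user -> salted record. No precomputed table applies: the attacker must
    run the KDF for every (record, guess) pair. Returns (recovered, number of KDF runs)."""
    found, kdf_runs = {}, 0
    for user, stored in leaked.items():
        for w in words:
            kdf_runs += 1
            if verify(w, stored):
                found[user] = w
                break
    return found, kdf_runs


def demo(iterations: int = 20_000) -> dict:
    """Run both attacks against the constructed user database with the same wordlist."""
    unsalted_leak = {u: weak_hash(p) for u, p in USERS.items()}
    salted_leak = {u: strong_hash(p, iterations) for u, p in USERS.items()}
    salted_found, kdf_runs = crack_salted(salted_leak, WORDLIST)
    return {
        "unsalted_found": crack_unsalted(unsalted_leak, build_lookup_table(WORDLIST)),
        "salted_found": salted_found,
        "salted_kdf_runs": kdf_runs,
        "salted_records_collide": len(set(salted_leak.values())) < len(salted_leak),
    }


if __name__ == "__main__":
    print(demo())
```

Both attacks recover the same two wordlist passwords and neither touches carol's random one, which is the thread's point about length. The difference is cost: the unsalted leak falls to lookups against a table built before the leak existed, while the salted leak costs nine full KDF runs for a five-word list and scales with list size times user count; at the hundreds of thousands of iterations real sites use, that is what makes a long password infeasible to recover.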
squirrel1963
Posts: 1253
Joined: Wed Jun 21, 2017 10:12 am
Location: Portland OR area

Re: Do you use a password manager?

Post by squirrel1963 »

homebuyer6426 wrote: Thu Aug 11, 2022 7:31 am
squirrel1963 wrote: Wed Aug 10, 2022 5:43 pm
homebuyer6426 wrote: Tue Aug 09, 2022 12:00 pm
SnowBog wrote: Tue Aug 09, 2022 11:14 am
You should look into brute force attacks and password spray attacks...

If an attacker were to get two of your passwords, it wound be easy for them to recognize the pattern. As they get more, it's just that much easier.

If your pattern is to add a year, or three adjectives, etc. - now the attacker can easily script a process to try those specific combinations.

And sadly, there are tools on the market to help them do this, so it isn't exactly like they need to individually invest time targeting you specifically. You've just made it easier for them to use automated processes to attempt to access your accounts.

This is why the recommendation is to not reuse any passwords, parts of passwords, or use any sort of "pattern" in your passwords. Those things make your accounts significantly weaker than using unique random complex passwords in every account. Most people aren't good at doing that - especially remembering them - hence the recommendation for a password manager to do it for you.


Password manager - single point of failure.

I am a software engineer and familiar with brute force attacks. It's pretty rare these days to find a well-known service that'll just let you keep pounding it with passwords and not introduce a delay or eventual lockout. That's without even mentioning the added protection of 2 factor authentication.
What do you mean by a single point of failure? Given you are a software engineer you presumably understand that the whole premise of encryption and asymmetric encryption is that it's computationally cheap to encrypt/decrypt if you know the password, but computationally infeasible to use a brute force attack as long as the password is of a sufficient length, given that the number of possible combinations of an N-bit key is 2^N, so an 8-bit key requires 2^8 = 256 trials, but a 64-bit key requires 2^64 = 1.8 * 10^19 trials. Key lengths of 256 bits are now common, and a 256-bit key requires 1.1 * 10^77 trials. Even using a server farm with dedicated hardware it is still very difficult to do so and it is incredibly expensive. Only spy agencies of nation states have sufficient technical and financial resources to do that, and they are not going to spend millions of dollars to break your LastPass or 1Password password. So brute force attacks are infeasible in the vast majority of cases given sufficiently long and complex passwords.

The real weakness is always the human factor; phishing and other social engineering techniques are much cheaper and easier. This is why security requires a holistic (end-to-end) approach and it is never really about the strength of encryption algorithms and key length.

The alternative of not using a password manager means either having a simple password which is easy to guess with a dictionary attack or writing it down on paper which is obviously very insecure.
Yes that line of reasoning makes a lot of sense but it assumes that a service is going to let you keep trying passwords at a high rate of speed without slowdown or lockout (used to be true), you don't use 2 factor authentication (why would you not for important finances?) and that thieves aren't interested in taking the path of least resistance. I have never had an account compromised with my method and I don't need to worry about storing/updating offline backups because I can remember them.

In the end if you are an extremely high-value target (I'm not), a determined aggressor can always find a way into your accounts if they are willing to use torture, blackmail, etc. So your focus should be on keeping the masses of low-effort thieves at bay more than worrying about the rare extremely determined attacker. Just my 2 cents.
Completely agree and I'm not a HVT either :-) I was simply responding to the opinion that a password manager is a single point of failure. If the password manager is kept offline you could in theory use brute force attack at full speed to decrypt the stored data and get to all the passwords. In practice it is not feasible and in any case I much prefer the convenience of an online password manager which is also protected with 2FA.
LMP | Liability Matching Portfolio | safe portfolio: TIPS ladder + I-bonds + Treasuries | risky portfolio: US stocks / US REIT / International stocks
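The 2^N arithmetic from the exchange above, carried a step further as an added example (not from the thread). The vault key may be 256 bits, but an attacker with an offline copy of the vault guesses the master password, not the key, so the search space is the smaller of the two; the example computes the entropy of a few master-password policies, the expected time at an assumed attacker budget, and how the vault's key-derivation cost divides that budget. The attacker hash rate, the iteration count and the policy list are constructed figures, and the function names are mine; benchmark_kdf measures the current machine and is there for orientation only.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 31_557_600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of 'length' symbols drawn uniformly at random from an alphabet of the given size.
    26 = lowercase letters, 62 = letters and digits, 94 = printable ASCII, 7776 = a diceware list."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """On average the correct guess turns up halfway through the space."""
    return 2 ** (bits - 1)


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    return expected_guesses(bits) / guesses_per_second


def effective_bits(master_password_bits: float, key_bits: int = 256) -> float:
    """Guessing the master password never costs more than the derived key's own strength,
    so the vault is only as strong as min(password entropy, key length)."""
    return min(master_password_bits, key_bits)


def kdf_guess_rate(raw_hash_rate: float, iterations: int) -> float:
    """A KDF with N iterations divides the attacker's raw hash rate by N."""
    return raw_hash_rate / iterations


def benchmark_kdf(iterations: int, samples: int = 3) -> float:
    """Measure this machine's single-core PBKDF2 guess rate in guesses per second."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate-master-password", salt, iterations)
    return samples / (time.perf_counter() - t0)


def report(raw_hash_rate: float = 1e10, iterations: int = 600_000) -> dict:
    """Expected cracking time per policy. raw_hash_rate is an assumed attacker budget in
    SHA-256 computations per second (constructed), iterations the vault's KDF cost."""
    rate = kdf_guess_rate(raw_hash_rate, iterations)
    policies = [
        ("8 lowercase letters", 26, 8),
        ("10 letters and digits", 62, 10),
        ("16 printable ASCII", 94, 16),
        ("5 diceware words", 7776, 5),
    ]
    out = {}
    for name, alphabet, length in policies:
        bits = effective_bits(entropy_bits(alphabet, length))
        out[name] = {"bits": round(bits, 1), "years": expected_seconds(bits, rate) / SECONDS_PER_YEAR}
    return out


if __name__ == "__main__":
    print(f"this machine: {benchmark_kdf(600_000):.1f} guesses/s at 600k iterations")
    for name, row in report().items():
        print(f"{name:>22}: {row['bits']:6.1f} bits, ~{row['years']:.3g} years")
```

The figures line up with the thread: an 8-letter lowercase master password is about 38 bits and falls in months even behind a slow KDF, while 16 random printable characters or 5 random words sit far beyond any budget. Note that these are random-choice entropies; a human-chosen password with a recognizable pattern has far less, which is why the password-manager advice is to let the generator pick.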
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Do you use a password manager?

Post by bertilak »

afan wrote: Thu Aug 11, 2022 4:23 pm
bertilak wrote: Thu Aug 11, 2022 8:35 am
bugleheadd wrote: Thu Aug 11, 2022 8:13 am Excel is my password manager
A password manager like LastPass does some things a spreadsheet doesn't do:
  1. Automatically looks up a saved URL for you.
  2. Enters ID/PW for you so you don't have to copy-n-paste.
  3. If you get lured to (or stumble onto) a bogus website the password manager will let you know it is something new so you can be careful. This is a great security feature.
  4. Saves a URL once you log in to it, enabling the above convenience and security features. Browser integration.
KeePass is a great replacement for a spreadsheet but doesn't have all the above features.
One can enter the URL as a column in a spreadsheet. Copy and paste to get to the correct site.

As the discussion above indicates, not everyone wants something that automatically enters username and password.
I agree. Not everyone wants that but there are reasons why LastPass, 1Password, and similar are so popular. Someone asking, "Do you use a password manager?" might appreciate the summary.

If you're not asking, that's fine.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
GumSprings
Posts: 42
Joined: Mon Sep 02, 2019 11:12 am

Re: Do you use a password manager?

Post by GumSprings »

All the opinions from tech savvy people are confusing. Every time I consider using a 3rd party product such as LastPass, I come back to the same conclusion. For better or worse, I'm fully embedded in Apple's ecosystem so KeyChain seems to make the most sense for me. My MacBook is encrypted and protected with a strong password. The finger print biometric is super convenient. My iPhone would be difficult for someone to break into. It's not a perfect plan but it keeps things very simple. It also minimizes the number of companies that I have to worry about getting hacked.
Striving for Simplicity
SnowBog
Posts: 4680
Joined: Fri Dec 21, 2018 10:21 pm

Re: Do you use a password manager?

Post by SnowBog »

GumSprings wrote: Sat Aug 13, 2022 11:13 am All the opinions from tech savvy people are confusing. Every time I consider using a 3rd party product such as LastPass, I come back to the same conclusion. For better or worse, I'm fully embedded in Apple's ecosystem so KeyChain seems to make the most sense for me. My MacBook is encrypted and protected with a strong password. The finger print biometric is super convenient. My iPhone would be difficult for someone to break into. It's not a perfect plan but it keeps things very simple. It also minimizes the number of companies that I have to worry about getting hacked.
I'm not overly familiar with Apple's Keychain, so my assessment might be flawed... But my impression is it's about 70% of what you "need" from a Password Manager.

I believe it stores passwords for you, and does so in a nice secure fashion! That's the heart of what you need any way!

The one key piece I don't recall it doing (last I looked) was to generate strong unique passwords. That's really the primary point of a password manager is that all of your passwords should be strong unique passwords.

So used as it is, (again based on last I had looked) Keychain will let you save "password" for your password everywhere it's accepted. That defeats the purpose. A good password manager will generate a strong unique password, and point out any that are duplicates, weak, and many will show you those which have been found in password lists on the dark web.

But if you are diligent in not reusing passwords, creating strong random passwords (ideally 15+ characters when allowed with numbers, symbols, upper and lower, etc.) for each site, things like Keychain can be used to good effect.

As a side note, should you ever want to do things outside of the Apple ecosystem, you could check out Microsoft's Authenticator application. It works in a similar fashion to KeyChain, and can be used in place of KeyChain on iOS but also on Android and Windows. I set this up recently for a relative who uses both Windows and iOS (previously Android). As far as I can tell, it works seamlessly on Apple - they need to login to something - it issues the biometric checks, and then lets them use the stored password (same as KeyChain). The primary downside, like with KeyChain - is that it does not generate strong passwords or alert them to weak ones. (Microsoft's Edge browser [not sure on iOS] can sync passwords with Authenticator and can generate strong unique passwords.) And unfortunately my attempts to get this relative to use unique passwords continue to fail. But I'm slightly relieved since they switched to an iOS device because Apple forced them to lock their phone (whereas their Android device was never locked).
GumSprings
Posts: 42
Joined: Mon Sep 02, 2019 11:12 am

Re: Do you use a password manager?

Post by GumSprings »

SnowBog wrote: Sat Aug 13, 2022 12:13 pm
GumSprings wrote: Sat Aug 13, 2022 11:13 am All the opinions from tech savvy people are confusing. Every time I consider using a 3rd party product such as LastPass, I come back to the same conclusion. For better or worse, I'm fully embedded in Apple's ecosystem so KeyChain seems to make the most sense for me. My MacBook is encrypted and protected with a strong password. The finger print biometric is super convenient. My iPhone would be difficult for someone to break into. It's not a perfect plan but it keeps things very simple. It also minimizes the number of companies that I have to worry about getting hacked.
I'm not overly familiar with Apple's Keychain, so my assessment might be flawed... But my impression is it's about 70% of what you "need" from a Password Manager.

I believe it stores passwords for you, and does so in a nice secure fashion! That's the heart of what you need any way!

The one key piece I don't recall it doing (last I looked) was to generate strong unique passwords. That's really the primary point of a password manager is that all of your passwords should be strong unique passwords.

So used as it is, (again based on last I had looked) Keychain will let you save "password" for your password everywhere it's accepted. That defeats the purpose. A good password manager will generate a strong unique password, and point out any that are duplicates, weak, and many will show you those which have been found in password lists on the dark web.

But if you are diligent in not reusing passwords, creating strong random passwords (ideally 15+ characters when allowed with numbers, symbols, upper and lower, etc.) for each site, things like Keychain can be used to good effect.

As a side note, should you ever want to do things outside of the Apple ecosystem, you could check out Microsoft's Authenticator application. It works in a similar fashion to KeyChain, and can be used in place of KeyChain on iOS but also on Android and Windows. I set this up recently for a relative who uses both Windows and iOS (previously Android). As far as I can tell, it works seamlessly on Apple - they need to login to something - it issues the biometric checks, and then lets them use the stored password (same as KeyChain). The primary downside, like with KeyChain - is that it does not generate strong passwords or alert them to weak ones. (Microsoft's Edge browser [not sure on iOS] can sync passwords with Authenticator and can generate strong unique passwords.) And unfortunately my attempts to get this relative to use unique passwords continue to fail. But I'm slightly relieved since they switched to an iOS device because Apple forced them to lock their phone (whereas their Android device was never locked).
KeyChain does in fact generate strong unique passwords automatically. It also makes recommendations to change weak passwords. Maybe in the past it didn't have these features.

Thanks for the suggestion regarding Microsoft Authenticator.
Striving for Simplicity
SnowBog
Posts: 4680
Joined: Fri Dec 21, 2018 10:21 pm

Re: Do you use a password manager?

Post by SnowBog »

GumSprings wrote: Sat Aug 13, 2022 12:50 pm
SnowBog wrote: Sat Aug 13, 2022 12:13 pm
GumSprings wrote: Sat Aug 13, 2022 11:13 am All the opinions from tech savvy people are confusing. Every time I consider using a 3rd party product such as LastPass, I come back to the same conclusion. For better or worse, I'm fully embedded in Apple's ecosystem so KeyChain seems to make the most sense for me. My MacBook is encrypted and protected with a strong password. The finger print biometric is super convenient. My iPhone would be difficult for someone to break into. It's not a perfect plan but it keeps things very simple. It also minimizes the number of companies that I have to worry about getting hacked.
I'm not overly familiar with Apple's Keychain, so my assessment might be flawed... But my impression is it's about 70% of what you "need" from a Password Manager.

I believe it stores passwords for you, and does so in a nice secure fashion! That's the heart of what you need any way!

The one key piece I don't recall it doing (last I looked) was to generate strong unique passwords. That's really the primary point of a password manager is that all of your passwords should be strong unique passwords.

So used as it is, (again based on last I had looked) Keychain will let you save "password" for your password everywhere it's accepted. That defeats the purpose. A good password manager will generate a strong unique password, and point out any that are duplicates, weak, and many will show you those which have been found in password lists on the dark web.

But if you are diligent in not reusing passwords, creating strong random passwords (ideally 15+ characters when allowed with numbers, symbols, upper and lower, etc.) for each site, things like Keychain can be used to good effect.

As a side note, should you ever want to do things outside of the Apple ecosystem, you could check out Microsoft's Authenticator application. It works in a similar fashion to KeyChain, and can be used in place of KeyChain on iOS but also on Android and Windows. I set this up recently for a relative who uses both Windows and iOS (previously Android). As far as I can tell, it works seamlessly on Apple - they need to login to something - it issues the biometric checks, and then lets them use the stored password (same as KeyChain). The primary downside, like with KeyChain - is that it does not generate strong passwords or alert them to weak ones. (Microsoft's Edge browser [not sure on iOS] can sync passwords with Authenticator and can generate strong unique passwords.) And unfortunately my attempts to get this relative to use unique passwords continue to fail. But I'm slightly relieved since they switched to an iOS device because Apple forced them to lock their phone (whereas their Android device was never locked).
KeyChain does in fact generate strong unique passwords automatically. It also makes recommendations to change weak passwords. Maybe in the past it didn't have these features.

Thanks for the suggestion regarding Microsoft Authenticator.
Then it sounds like you are set! And good to know KeyChain has the generation side as well!

My two cents - "which" password manager is far less important than using strong unique passwords. It's just that password managers - including Keychain - do the "hard work" of remembering those for us. So we benefit from stronger passwords AND get ease of use with password managers!
quietseas
Posts: 901
Joined: Fri Dec 27, 2013 3:43 pm

Re: Do you use a password manager?

Post by quietseas »

Unique is even more important than very strong. If your email address that is often used as part of a login is breached with any password that pair will be out in the wild whether the password is P@55w0rD or F8q3wasr)r54FUr_)fdk#4_4Yr

Therefore you want to use a different password every place you use your email address as a login (and especially don't re-use your email account password anywhere). Of course also turn on multi-factor for important accounts like Google, Vanguard, etc.

If you are high profile and likely to be targeted you don't have a lot of choices. Apple is supposed to put a highly locked down "Lockdown Mode" into the next iOS and macOS releases but it will lose a lot of capability. I expect many people will not want to use it unless you are high profile and vulnerable to nation state hackers.
https://www.apple.com/newsroom/2022/07/ ... y-spyware/
SnowBog
Posts: 4680
Joined: Fri Dec 21, 2018 10:21 pm

Re: Do you use a password manager?

Post by SnowBog »

quietseas wrote: Sat Aug 13, 2022 5:20 pm Unique is even more important than very strong.
Personally, I don't separate the two...

For example, if my password at Bogleheads is "Bogleheads2022**" and my password at portfolio visualizer is "PortfolioVisualizer2022**" — technically those are both unique. (Which is better than having the same password everywhere.)

Likewise, if my password at both was "F8q3wasr)r54FUr_)fdk#4_4Yr" - technically those are strong. They will likely never be breached via someone breaking or guessing the password, but it only takes one insecure site or one successful phishing attempt and my password is compromised, putting my other accounts at risk.

But when I have unique passwords that don't follow any sort of pattern and are individually strong passwords, you've made it significantly harder for hackers. That's a win in my book.

If you really wanted to go all out, you'd also use unique usernames at every site as well. That's a step further than I normally take, but it's not a bad idea...
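SnowBog's "Bogleheads2022**" / "PortfolioVisualizer2022**" example above, turned into an added example of why a pattern is not uniqueness (this is my illustration, not code from the thread). Given two leaked site/password pairs for one person, it reduces each to a template by replacing the site name and any four-digit year with placeholders; if both reduce to the same template, it expands that template into a short candidate list for a third site. The leaked pairs are constructed from the post and are not real credentials; the function names and the year range are assumptions.

```python
import re

# Constructed sample: two leaked (site, password) pairs for one victim, following the post's pattern.
LEAK = [
    ("Bogleheads", "Bogleheads2022**"),
    ("PortfolioVisualizer", "PortfolioVisualizer2022**"),
]

# A four-digit year not embedded in a longer digit run.
YEAR = re.compile(r"(?<!\d)(19|20)\d{2}(?!\d)")


def templatize(site: str, password: str):
    """Replace the site name (case-insensitive) and any year with placeholders.
    Returns None when the password does not contain the site name at all."""
    low_pw, low_site = password.lower(), site.lower()
    if low_site not in low_pw:
        return None
    idx = low_pw.index(low_site)
    with_site = password[:idx] + "{site}" + password[idx + len(site):]
    return YEAR.sub("{year}", with_site)


def infer_pattern(leak):
    """A pattern is 'found' when every leaked pair reduces to the same template."""
    templates = {templatize(site, pw) for site, pw in leak}
    if len(templates) == 1 and None not in templates:
        return templates.pop()
    return None


def candidates(template: str, site: str, years=range(2018, 2026)) -> list:
    """Expand the template for a new site. A real cracking tool adds many more variants
    (separators, leet substitutions, month/day suffixes); this keeps the list small."""
    site_forms = {site, site.lower(), site.capitalize()}
    out = set()
    for form in site_forms:
        for year in years:
            out.add(template.replace("{site}", form).replace("{year}", str(year)))
    return sorted(out)


if __name__ == "__main__":
    pattern = infer_pattern(LEAK)
    print("inferred template:", pattern)
    if pattern:
        print("candidates for Vanguard:", candidates(pattern, "Vanguard"))
```

Two leaked passwords are enough to pin down the template, and the third account then costs the attacker a couple of dozen guesses rather than the 2^N brute force discussed earlier in the thread. Two generated random passwords give no common template, which is the property "unique" is supposed to buy.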
tuningfork
Posts: 884
Joined: Wed Oct 30, 2013 8:30 pm

Re: Do you use a password manager?

Post by tuningfork »

SnowBog wrote: Sat Aug 13, 2022 5:41 pm If you really wanted to go all out, you'd also use unique usernames at every site as well. That's a step further than I normally take, but it's not a bad idea...
I mostly use unique usernames for my financial accounts. Mostly because I started doing that after I had created a couple of accounts that I probably haven't gone back to change the usernames. I don't go so far as to use fully random password-like usernames because I think that could cause trouble if I ever needed tech support. I also don't use a particular pattern in my usernames, so if someone discovers my Vanguard username, they cannot derive my Fidelity username from it. I don't remember my usernames or my passwords, but my password manager does.

I also use unique usernames at sites where I want to be anonymous. I don't use my bogleheads username at any other site.

Another step that may be worth taking is to use different email addresses for different purposes. I use one email address anywhere I want to remain completely anonymous, such as bogleheads. If someone were to crack into the bogleheads user database and wanted to track me down, they won't get very far. That email address won't match me at financial sites, nor at any other site that has my real name. I have several email addresses I use for specific kinds of sites. I don't use unique email addresses everywhere, but some people do.

If I use an email address at a site different from my normal email address, I make a note of it in my password manager.
enad
Posts: 1581
Joined: Fri Aug 12, 2022 2:50 pm

Re: Do you use a password manager?

Post by enad »

what happens when you forget the password to the password manager?
What Goes Up Must come down -- David Clayton-Thomas (1968), BST
theac
Posts: 802
Joined: Fri Dec 12, 2008 5:00 am

Re: Do you use a password manager?

Post by theac »

enad wrote: Sat Aug 13, 2022 10:04 pm what happens when you forget the password to the password manager?
Make sure you don't! :D

But to play it safe, after you download a backup-doc containing all your passwords from your Password Manager, also include the password to the Password Manager in that doc, just in case.

Then put it all in an encrypted folder for security reasons, which will also have a password.

If you forget that password, it's probably a good clue that it's time to leave all your financial matters to someone else now, and to just spend your time in a rocker on the porch, listening to the birds sing...which is what I would probably do at that point. :happy

Or, you could write the password to the encrypted folder on small pieces of paper and hide them in secret places around the house. Then if you forget where you put them, if you put enough, you might get lucky and find at least one of them.
Last edited by theac on Sat Aug 13, 2022 11:43 pm, edited 2 times in total.
"We keep you alive to serve this ship. Row well...and live." Ben Hur...and The Taxman! hahaha (a George Harrison song)
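The post above scatters full copies of a recovery password around the house, so any one slip of paper that is found leaks everything. The principled version of that idea is threshold secret sharing: split the master password into n shares so that any k of them reconstruct it and fewer than k reveal nothing. The following is an added example written for this page, not code from the thread or from any password manager; it implements Shamir's scheme over GF(2^8) (the AES field) in plain Python, with a text encoding suitable for writing shares on paper. The sample secret is a constructed placeholder.

```python
"""Added example: Shamir secret sharing of a master password over GF(2^8).

Each byte of the secret is the constant term of a random polynomial of
degree k-1; share i is the polynomial evaluated at x=i. Any k shares
recover the constant term by Lagrange interpolation at x=0.
"""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b, the AES polynomial)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 (Fermat), valid for a != 0."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval(poly: list[int], x: int) -> int:
    """Horner evaluation; poly[0] is the constant term."""
    acc = 0
    for coeff in reversed(poly):
        acc = gf_mul(acc, x) ^ coeff
    return acc


def split_secret(secret: bytes, n: int, k: int) -> list[tuple[int, bytes]]:
    """Return n shares (x, y_bytes); any k of them reconstruct `secret`."""
    if not 1 < k <= n <= 255:
        raise ValueError("need 1 < k <= n <= 255")
    # One random polynomial per secret byte, constant term = that byte.
    polys = [[b] + [secrets.randbelow(256) for _ in range(k - 1)] for b in secret]
    return [(x, bytes(_eval(p, x) for p in polys)) for x in range(1, n + 1)]


def recover_secret(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte at x=0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)        # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)   # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def share_to_text(share: tuple[int, bytes]) -> str:
    """Paper-friendly encoding: '<index>-<hex>'."""
    x, y = share
    return f"{x}-{y.hex()}"


def parse_share(text: str) -> tuple[int, bytes]:
    idx, hexpart = text.split("-", 1)
    return int(idx), bytes.fromhex(hexpart)


if __name__ == "__main__":
    # Constructed placeholder secret, not a real master password.
    secret = b"correct horse battery staple"
    shares = split_secret(secret, n=5, k=3)   # 5 slips of paper, any 3 recover
    for s in shares:
        print(share_to_text(s))
    assert recover_secret(shares[:3]) == secret
```

Because the field has characteristic 2, subtraction is XOR and the interpolation needs no sign handling. Write each share on its own slip; a burglar who finds two of five slips learns nothing, while you need only three to get back into the manager.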
SnowBog
Posts: 4680
Joined: Fri Dec 21, 2018 10:21 pm

Re: Do you use a password manager?

Post by SnowBog »

enad wrote: Sat Aug 13, 2022 10:04 pm What happens when you forget the password to the password manager?
Depends on the password manager.

In the case of Microsoft Authenticator/Edge (I'd assume the same of Apple's Keychain), they are tied into your Microsoft (or Apple) identity. So you'd recover it the same as you do that account.

For LastPass, IIRC they can send a recovery email, which I think can only work on a computer that already has the master database. In other words a "local" recovery.

Properly set up, all the above can be done where they require access to a local device. So someone would have to have access to your device, physically and with a valid account.
User avatar
enad
Posts: 1581
Joined: Fri Aug 12, 2022 2:50 pm

Re: Do you use a password manager?

Post by enad »

theac wrote: Sat Aug 13, 2022 11:34 pm
enad wrote: Sat Aug 13, 2022 10:04 pm What happens when you forget the password to the password manager?
Make sure you don't! :D
Years ago when I was forgetting passwords I decided to replace certain letters in the alphabet, e.g. @ for a, 0 for o, | for t, 3 for e, $ for s, and so on. I incorporate part of the website's name in my password and rotate amongst several passwords written in Latin letters but from words in a foreign language (I speak and think in several languages fluently).

If you can remember the movie Firefox with Clint Eastwood: when he was trying to fire the rearward missile in the plane he stole and nothing was happening, he recalled that one of the scientists had told him it's very important to think in Russian, and when he did, the view screen came alive and he was able to fire the missile. So too with me: I have to think of the word in the particular foreign language, then make the substitutions for the Latin letters (above) and type in the password. This actually has worked for websites I haven't visited in years. Things get wonky when a website changes its name, but that's only happened once so far.

The beauty is that I started using special characters long before they were required, and I only have to really remember a few passwords in English, then translate based on the type of website it is. Bills one language, emails another language, everything else a third language. And I wrote my scheme down on a paper in a 3-ring binder in a fireproof safe to be opened in case something happens to me, so my wife will know what to do. This works for me, but may not work for everyone. If the password manager has a tie-in to another company or the cloud (internet), then it's not for me.
What Goes Up Must come down -- David Clayton-Thomas (1968), BST
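The letter substitutions in the post above (@ for a, 0 for o, | for t, 3 for e, $ for s) are the same transformations that password crackers apply as mangling rules; in hashcat's rule language they are written `sa@ so0 st| se3 ss$`, and appending or prepending a site token is `$X` / `^X`. The following added example, written for this page and not taken from the thread or from hashcat, implements a tiny interpreter for just those four rule functions (`:`, `s`, `^`, `$`), enumerates every candidate a cracker would derive from a constructed foreign-language wordlist and constructed site tokens, and recovers a constructed target password. The target is hashed with plain SHA-256 as a stand-in; real sites use salted, slow hashes, which raise the cost per guess but do not change the size of the candidate space.

```python
"""Added example: enumerate leet-substitution passwords with a minimal
interpreter for a subset of hashcat's rule syntax.

Rule functions supported: ':' no-op, 'sXY' replace every X with Y,
'^X' prepend the single character X, '$X' append the single character X.
"""
import hashlib
from itertools import combinations
from typing import Iterable, Optional

# The substitution table from the post, expressed as hashcat 's' rules.
LEET_RULES = ["sa@", "so0", "st|", "se3", "ss$"]

# Constructed demo data (not real credentials): a short Spanish wordlist and
# the site tokens a cracker would derive from a target hostname.
WORDLIST = ["casa", "palabra", "banco", "dinero"]
SITE_TOKENS = ["vanguard", "Vang", "vang", "VG"]


def apply_rule(word: str, rule: str) -> str:
    """Apply a space-separated rule string, function by function."""
    for func in rule.split():
        if func == ":":
            continue
        op = func[0]
        if op == "s" and len(func) == 3:
            word = word.replace(func[1], func[2])
        elif op == "^" and len(func) == 2:
            word = func[1] + word
        elif op == "$" and len(func) == 2:
            word = word + func[1]
        else:
            raise ValueError(f"unsupported rule function {func!r}")
    return word


def substitution_rules() -> list[str]:
    """Every subset of the substitution table, so partial use is covered too."""
    rules = [":"]
    for r in range(1, len(LEET_RULES) + 1):
        for combo in combinations(LEET_RULES, r):
            rules.append(" ".join(combo))
    return rules


def site_rules(tokens: Iterable[str]) -> list[str]:
    """Append and prepend rules for each token; '^' prepends one char at a
    time, so the token is emitted in reverse order."""
    rules = []
    for tok in tokens:
        rules.append(" ".join(f"${c}" for c in tok))            # word + token
        rules.append(" ".join(f"^{c}" for c in reversed(tok)))  # token + word
    return rules


def candidate_space(words: Iterable[str], tokens: Iterable[str]) -> set[str]:
    """All distinct candidates: base word x substitution subset x site rule."""
    out: set[str] = set()
    for word in words:
        for leet in substitution_rules():
            base = apply_rule(word, leet)
            for site in site_rules(tokens):
                out.add(apply_rule(base, site))
    return out


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_digest: str, words: Iterable[str], tokens: Iterable[str]) -> Optional[str]:
    """Return the candidate whose SHA-256 matches, or None."""
    for cand in candidate_space(words, tokens):
        if sha256_hex(cand) == target_digest:
            return cand
    return None


if __name__ == "__main__":
    # Constructed target: Spanish "palabra" with the substitutions, plus a site token.
    target = sha256_hex("p@l@br@Vang")
    space = candidate_space(WORDLIST, SITE_TOKENS)
    print(f"{len(space)} candidates to try")
    print("recovered:", crack(target, WORDLIST, SITE_TOKENS))
```

With four base words and four site tokens the whole space is 112 strings; a real attack would use a dictionary of the guessed language plus hashcat's shipped rule files, which already contain these substitutions, so the scheme's strength rests on the cracker not guessing the language and base word rather than on the symbols.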
Post Reply