Do you use a password manager?

Vulcan
Posts: 2996
Joined: Sat Apr 05, 2014 11:43 pm

Re: Do you use a password manager?

Post by Vulcan »

anon_investor wrote: Wed Jul 20, 2022 7:22 pm
Vulcan wrote: Wed Jul 20, 2022 6:57 pm
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
afan wrote: Tue Jul 19, 2022 9:49 pm If someone gets into your unlocked computer,
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
It's game over in a thousand different ways. Keylogger, screengrabber, you name it
So Yubikey?
Funny you should ask. We're discussing this very issue in a parallel thread.

If your local machine is pwned, not even Yubikey will protect you.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
SheenaTL
Posts: 12
Joined: Tue Apr 19, 2022 9:53 am

Re: Do you use a password manager?

Post by SheenaTL »

tennisplyr wrote: Tue Jul 19, 2022 3:27 pm A family member suggested this informal system:

-8 (or more) digit password
-first 4 digits represent the site you're logging into (eg, Facebook site= Face….)
-last 4 digits are reusable letters/numbers/symbols (eg, Facebook site= “Faceplyr”)

Another eg:
-Bogleheads: “Boglplyr”
Not sure if that's a jest but it's a well-known terrible idea. Any systematic system is prone to being exposed by one security failure.

If one password gets hacked from one compromised website, all your passwords are basically instantly guessable. Just stick with a password manager and randomly generated passwords, and use 2FA on the more important accounts.
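Added example (not part of any post in this thread): a small self-audit in Python that flags passwords built the way the quoted scheme describes, a site-name prefix followed by a suffix shared across sites, and shows the randomly generated alternative. The sample vault, the function names and the 4-letter tag length are assumptions made for illustration.

```python
import math
import secrets
import string
from collections import Counter

# Constructed sample vault (site -> password). The first two entries are the
# examples quoted in the thread; the rest are made up for this illustration.
SAMPLE_VAULT = {
    "facebook.com": "Faceplyr",
    "bogleheads.org": "Boglplyr",
    "shop.example": "Shopplyr",
    "library.example": "q7#Vd9!mZp2&Lx0u",
    "mail.example": "q7#Vd9!mZp2&Lx0u",
    "bank.example": "T4v!x0Qe9@hRz2Lm#c8W",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def site_tag(site, n=4):
    """First n letters of the site name, lower-cased (hypothetical helper)."""
    letters = [c for c in site.lower() if c.isalpha()]
    return "".join(letters[:n])


def audit(vault):
    """Return {site: reason} for passwords that one leak would expose elsewhere."""
    exact = Counter(vault.values())
    # Strip a site-derived prefix where present and keep what is left over.
    remainders = {}
    for site, pw in vault.items():
        tag = site_tag(site)
        if tag and pw.lower().startswith(tag):
            remainders[site] = pw[len(tag):]
    shared = Counter(remainders.values())

    findings = {}
    for site, pw in vault.items():
        if exact[pw] > 1:
            findings[site] = "identical password reused on another site"
        elif site in remainders and shared[remainders[site]] > 1:
            findings[site] = "site-name prefix + shared suffix %r" % remainders[site]
    return findings


def random_password(length=20):
    """Generate a password with the OS CSPRNG, as a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for site, reason in audit(SAMPLE_VAULT).items():
        print(site, "->", reason)
    print("replacement:", random_password(), "(%.0f bits)" % entropy_bits(20))
```

For a flagged entry, the only part that differs between sites is derived from the site name itself, so the scheme adds no secrecy beyond the shared suffix.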
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Do you use a password manager?

Post by anon_investor »

Vulcan wrote: Wed Jul 20, 2022 7:26 pm
anon_investor wrote: Wed Jul 20, 2022 7:22 pm
Vulcan wrote: Wed Jul 20, 2022 6:57 pm
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
It's game over in a thousand different ways. Keylogger, screengrabber, you name it
So Yubikey?
Funny you should ask. We're discussing this very issue in a parallel thread.

If your local machine is pwned, not even Yubikey will protect you.
Is a Chromebook less susceptible to being pwned?

At a certain point you can stop everything, but isn't a password manager protected by a Yubikey good enough?
carolinaman
Posts: 5463
Joined: Wed Dec 28, 2011 8:56 am
Location: North Carolina

Re: Do you use a password manager?

Post by carolinaman »

mptfan wrote: Wed Jul 20, 2022 1:05 pm
carolinaman wrote: Wed Jul 20, 2022 10:52 am I am told password managers have great security. I am sure that is true, but many hacks of major companies come from within. Some employee sells the data to hackers who use it to steal from customers of the company. IMO, it is just a question of time before this happens to password manager companies. They are a very big and lucrative target.
You are comparing apples to oranges. Yes companies get hacked all the time, and sometimes employees steal data, but you can't compare reputable password managers to the Equifax's and Target's of the world because password managers build their entire business model around protecting passwords, it is their very reason to exist, so they take extraordinary measures to protect and encrypt their customer data and they employ people who work on the bleeding edge of online security and encryption. They go so far as to create a "zero knowledge" structure where none of their employees know your master password and none of the employees can access your data, even if they wanted to, because your data is encrypted and only you have the password.

I don't blame you for being skeptical about password managers, you should be, and I was too for a long time, but I have done my research and I have become educated and I have learned that using a reputable password manager and following reasonable security practices is much safer than not.
Thanks. Can you point me to research that corroborates what you are saying? I would like to research this.
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: Do you use a password manager?

Post by mptfan »

Even though it’s not surprising to hear the question “are password managers safe to use?”, the vast majority of cyber-security specialists agree that password managers are indeed the most secure way to protect your passwords.
...
The zero-knowledge architecture used by the top password managers encrypts passwords before they leave your device. When they’re on a server, even the provider has no way to decipher them.
...
Despite all the concerns listed above, good password managers are extremely difficult to compromise. The usage of AES-256 encryption, the “zero-knowledge” technique, and the possibility to use two-factor authentication make password managers a much safer and easier option than basically anything else available at the moment.

https://cybernews.com/best-password-man ... gers-safe/

Password managers sound complicated, but their security fundamentals are pretty simple to understand. In a nutshell, they rely on a specific cryptography technique called zero-knowledge encryption that ensures nobody except you can access your saved passwords. This is in addition to all of the usual online encryption practices, such as end-to-end encryption and encryption-at-rest.
...
It’s for this reason that no credible password manager service will ever record your master password or keep a copy of the encryption keys used to decrypt your vault. In other words, the application has “zero knowledge” of the encrypted passwords.

https://www.androidauthority.com/passwo ... e-3080353/
BolderBoy
Posts: 6753
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Do you use a password manager?

Post by BolderBoy »

tarheel91 wrote: Tue Jul 19, 2022 11:26 pm
tuningfork wrote: Tue Jul 19, 2022 7:35 pm The term "autofill" is a bit of a misnomer. I have Bitwarden configured to not *automatically* autofill my credentials. The username and password fields remain blank when I visit a site and I have to tell Bitwarden to "autofill" the credentials. It's an extra step over having the browser automatically fill them in when it sees username and password fields. Similar to copy/paste except that Bitwarden will refuse to do it if I'm on a site it doesn't know about. All the anti-phishing protection with the peace of mind that the password manager won't reveal usernames and passwords without me telling it to.
This is an interesting point. I wonder if keepass (or its derivatives) has this feature.
Yes.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
BolderBoy
Posts: 6753
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Do you use a password manager?

Post by BolderBoy »

tarheel91 wrote: Wed Jul 20, 2022 12:00 am Are there any known vulnerabilities with KeepassXC (or Keepass)?
Not with KeepassXC so far - it is entirely open-source and written in C++, I think. Even the associated libraries that it uses are all open-source.

Keepass is only open-source insofar as the source code but NOT including the C# libraries. They are proprietary to Microsoft.

This difference is most of the reason I switched to the XC implementation.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
BolderBoy
Posts: 6753
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Do you use a password manager?

Post by BolderBoy »

Now that I've read the whole thread up to this point, let me say to the OP that a password manager is mostly a convenience item in that it lets you create complicated, LONG passwords which can be different for every website you visit and remembers them for you. That is the cybersecurity holy grail - long, complicated passwords that are unique for each website.

And while you are at it, use the PW manager's pw generating function to create non-sensical usernames for each site you visit (if the site allows same).
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
Jags4186
Posts: 8198
Joined: Wed Jun 18, 2014 7:12 pm

Re: Do you use a password manager?

Post by Jags4186 »

I’m all Apple and use keychain.
Kingghoti
Posts: 66
Joined: Sun Jul 19, 2020 9:57 am

Re: Do you use a password manager?

Post by Kingghoti »

mptfan wrote: Thu Jul 21, 2022 3:24 pm Even though it’s not surprising to hear the question “are password managers safe to use?”, the vast majority of cyber-security specialists agree that password managers are indeed the most secure way to protect your passwords.
...
The zero-knowledge architecture used by the top password managers encrypts passwords before they leave your device. When they’re on a server, even the provider has no way to decipher them.
...
Despite all the concerns listed above, good password managers are extremely difficult to compromise. The usage of AES-256 encryption, the “zero-knowledge” technique, and the possibility to use two-factor authentication make password managers a much safer and easier option than basically anything else available at the moment.

https://cybernews.com/best-password-man ... gers-safe/

Password managers sound complicated, but their security fundamentals are pretty simple to understand. In a nutshell, they rely on a specific cryptography technique called zero-knowledge encryption that ensures nobody except you can access your saved passwords. This is in addition to all of the usual online encryption practices, such as end-to-end encryption and encryption-at-rest.
...
It’s for this reason that no credible password manager service will ever record your master password or keep a copy of the encryption keys used to decrypt your vault. In other words, the application has “zero knowledge” of the encrypted passwords.

https://www.androidauthority.com/passwo ... e-3080353/
In other words, if you forget/lose your personal master encryption key, you are out of luck. Your data is gone.

The company cannot get, does not know, cannot "reset" the password. This is not due to their business process or practices. It is due to mathematics. Decrypting without the key is a "It takes longer than the age of the universe" type of problem.

This is difficult for most of us to appreciate and realize; it is so different from our everyday experience with "Click here if you forgot your password" links on our account web pages.

That said, there are options you can set up such as "rescue" codes for "in case of my death." None of these are digital or accessible/usable. None are retrievable from the password manager vendor or by the vendor. You must create them physically, save them, and use them locally. Usually you PRINT OUT a QR code or 64-character key and put it somewhere secure. It's all on you, the user.

Best,
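Added example (not part of any post in this thread, and not any vendor's actual design): a Python sketch of the zero-knowledge layout and printed rescue code described above, where a random vault key is wrapped once under a key derived from the master password and once under a 64-character recovery code, and the server record holds only salts and ciphertext. Assumptions: the record field names, the PBKDF2 iteration count, and an HMAC-SHA256 keystream with encrypt-then-MAC standing in for AES-256, because the Python standard library has no AES.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000  # example value chosen for this sketch


def kdf(secret, salt):
    """Stretch a password or recovery code into 64 bytes (enc key + MAC key)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS, dklen=64)


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stand-in for AES-256, for illustration only.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key64, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key64, blob):
    """Verify the tag first; a wrong key fails here instead of yielding garbage."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_account(master_password, vault_plaintext):
    """Runs on the user's device. Returns (server_record, recovery_code)."""
    vault_key = secrets.token_bytes(64)
    salt_pw, salt_rc = secrets.token_bytes(16), secrets.token_bytes(16)
    recovery_code = secrets.token_hex(32)  # 64 characters, meant to be printed
    record = {
        "salt_pw": salt_pw,
        "salt_rc": salt_rc,
        "key_wrapped_by_password": seal(kdf(master_password, salt_pw), vault_key),
        "key_wrapped_by_recovery": seal(kdf(recovery_code, salt_rc), vault_key),
        "vault": seal(vault_key, vault_plaintext),
    }
    # Only `record` is uploaded; the password, code and vault key stay local.
    return record, recovery_code


def open_vault(record, secret, use_recovery=False):
    """Runs on the user's device with either the master password or the code."""
    if use_recovery:
        salt, wrapped = record["salt_rc"], record["key_wrapped_by_recovery"]
    else:
        salt, wrapped = record["salt_pw"], record["key_wrapped_by_password"]
    vault_key = unseal(kdf(secret, salt), wrapped)
    return unseal(vault_key, record["vault"])


if __name__ == "__main__":
    # Constructed sample input.
    rec, code = create_account("constructed master passphrase", b'{"bank.example": "pw"}')
    print(open_vault(rec, "constructed master passphrase"))
    print(open_vault(rec, code, use_recovery=True))
```

Nothing in the server record can be turned back into the vault key without one of the two secrets, which is why the provider has nothing to "reset".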
AnEngineer
Posts: 2414
Joined: Sat Jun 27, 2020 4:05 pm

Re: Do you use a password manager?

Post by AnEngineer »

Kingghoti wrote: Fri Jul 22, 2022 9:12 am
mptfan wrote: Thu Jul 21, 2022 3:24 pm Even though it’s not surprising to hear the question “are password managers safe to use?”, the vast majority of cyber-security specialists agree that password managers are indeed the most secure way to protect your passwords.
...
The zero-knowledge architecture used by the top password managers encrypts passwords before they leave your device. When they’re on a server, even the provider has no way to decipher them.
...
Despite all the concerns listed above, good password managers are extremely difficult to compromise. The usage of AES-256 encryption, the “zero-knowledge” technique, and the possibility to use two-factor authentication make password managers a much safer and easier option than basically anything else available at the moment.

https://cybernews.com/best-password-man ... gers-safe/

Password managers sound complicated, but their security fundamentals are pretty simple to understand. In a nutshell, they rely on a specific cryptography technique called zero-knowledge encryption that ensures nobody except you can access your saved passwords. This is in addition to all of the usual online encryption practices, such as end-to-end encryption and encryption-at-rest.
...
It’s for this reason that no credible password manager service will ever record your master password or keep a copy of the encryption keys used to decrypt your vault. In other words, the application has “zero knowledge” of the encrypted passwords.

https://www.androidauthority.com/passwo ... e-3080353/
In other words, if you forget/lose your personal master encryption key, you are out of luck. Your data is gone.

The company cannot get, does not know, cannot "reset" the password. This is not due to their business process or practices. It is due to mathematics. Decrypting without the key is a "It takes longer than the age of the universe" type of problem.

This is difficult for most of us to appreciate and realize; it is so different from our everyday experience with "Click here if you forgot your password" links on our account web pages.

That said, there are options you can set up such as "rescue" codes for "in case of my death." None of these are digital or accessible/usable. None are retrievable from the password manager vendor or by the vendor. You must create them physically, save them, and use them locally. Usually you PRINT OUT a QR code or 64-character key and put it somewhere secure. It's all on you, the user.

Best,
Since it's storing passwords, even if you lose access, you can just go through and reset all your passwords on the actual accounts and start over.
tibbitts
Posts: 23716
Joined: Tue Feb 27, 2007 5:50 pm

Re: Do you use a password manager?

Post by tibbitts »

Kingghoti wrote: Fri Jul 22, 2022 9:12 am That said, there are options you can set up such as "rescue" codes for "in case of my death." None of these are digital or accessible/usable. None are retrievable from the password manager vendor or by the vendor. You must create them physically, save them, and use them locally. Usually you PRINT OUT a QR code or 64-character key and put it somewhere secure. It's all on you, the user.
At least some password managers enable those features for only their fee-based products, not their free products. You can of course export your information, but that exposes it in plain text and it's easy to do things like leave temporary files around, etc.
MikeWillRetire
Posts: 790
Joined: Fri Jun 29, 2012 12:36 pm

Re: Do you use a password manager?

Post by MikeWillRetire »

afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
afan wrote: Tue Jul 19, 2022 9:49 pm If someone gets into your unlocked computer,
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
SnowBog
Posts: 4699
Joined: Fri Dec 21, 2018 10:21 pm

Re: Do you use a password manager?

Post by SnowBog »

MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
afan wrote: Tue Jul 19, 2022 9:49 pm If someone gets into your unlocked computer,
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
This is a tradeoff between security and convenience.

Any OS/browser option is likely to default to "just work".

Not sure about 1 Password, but if they are like others (LastPass, etc.) they have a "browser extension" likely with an option to "auto sign in" so that they "just work" as well. You have the option of turning that off such that you have to login each time - that's the tradeoff.

Personally, I use strong authentication on my local devices which are all encrypted - such that I'm not worried about someone gaining access to my login on a device or its data. If my family have accounts on my devices, they are non-admin accounts, so they can't install anything that will cause issues. As such, my preference is convenience.
bltkmt
Posts: 246
Joined: Fri Mar 01, 2013 3:56 pm

Re: Do you use a password manager?

Post by bltkmt »

Another satisfied LastPass user here.
FoundingFather
Posts: 407
Joined: Fri Dec 18, 2020 9:20 pm

Re: Do you use a password manager?

Post by FoundingFather »

mrmass wrote: Tue Jul 19, 2022 2:54 pm
djshackesq wrote: Tue Jul 19, 2022 2:51 pm
MathWizard wrote: Tue Jul 19, 2022 2:50 pm 1 Password

Recommended by IT security professionals that I trust.

This is not free however.
This is the right answer.
This is the way.
Another happy 1Password user. I really like the way you can manage passwords for the entire family. I give my children access to only certain things, while I share all logins with my wife, etc.

Founding Father
"I do not think myself equal to the Command I am honored with." -George Washington (excerpt from Journals of the Continental Congress, 16 June 1775)
DetroitRick
Posts: 1488
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: Do you use a password manager?

Post by DetroitRick »

Yes. I'm a long-term Dashlane user across all our devices.

I like - simple and stable interface on Windows and Android, decent reviews, VPN, password generator, good password health tool.
My latest cost is $60 yearly. Last price increase was 2019.
sixtyforty
Posts: 656
Joined: Tue Nov 25, 2014 11:22 am
Location: USA

Re: Do you use a password manager?

Post by sixtyforty »

I've been using Bitwarden for the past few years. Prior to that used Lastpass.
"Simplicity is the ultimate sophistication" - Leonardo Da Vinci
LSLover
Posts: 294
Joined: Thu May 19, 2016 1:39 pm

Re: Do you use a password manager?

Post by LSLover »

So, if you have a password manager, using an aggregator like Quicken or Personal Capital becomes impossible?
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: Do you use a password manager?

Post by tuningfork »

LSLover wrote: Sat Jul 23, 2022 9:52 am So, if you have a password manager, using an aggregator like Quicken or Personal Capital becomes impossible?
No problem. As long as you trust the aggregator, you can copy/paste the username and password from your password manager. Just don't do that if you're potentially being phished.
abuss368
Posts: 27850
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Do you use a password manager?

Post by abuss368 »

meadowrue wrote: Tue Jul 19, 2022 2:10 pm If so, which one would you recommend? I have always used 3-4 different passwords and easily remember them (though they are not “easy” passwords per se) but I handle all the finances in our house and fear that my mental recall of passwords would leave DH in quite a bind were something to happen to me. Not to mention the hacking/security risk of using the same password for more than one site (I know, this is not smart!) How safe are password managers, and how exactly do they work? Thank you!
I use Apple’s password feature for all non important and non financially sensitive websites.

For any financially sensitive websites (there are only a few), I have it memorized and written down on paper. Nothing to be hacked!

Best.
Tony
John C. Bogle: “Simplicity is the master key to financial success."
afan
Posts: 8191
Joined: Sun Jul 25, 2010 4:01 pm

Re: Do you use a password manager?

Post by afan »

MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
afan wrote: Tue Jul 19, 2022 9:49 pm If someone gets into your unlocked computer,
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
That is scary.

But I do not use a password manager that lives online, or that autofills anything. Autofilling means that anyone who gets as far as attempting to login from your computer is in. If all they get is the opportunity to enter username and password, then having the computer does not get them in.

The manager is a password protected file on my computer. It is backed up locally, but the file remains encrypted on the backup. Someone with access to my computer or the backup would need to crack the password of the manager to open the file.
My laptop might be stolen while it is unlocked, in which case the thief could access the unencrypted information on it. But they would have another hill to climb to get the passwords. The local backup never leaves my desk. Someone would have to break into the house to steal the backup. If they did all they would have is an encrypted file, with no password.

Nothing is perfect, but this is safer than using an account with autofill. I agree that properly implemented zero knowledge online storage of the file should be as safe. But again, not with autofill.
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama
DoTheMath
Posts: 671
Joined: Sat Jul 04, 2015 1:11 pm
Location: The Plains

Re: Do you use a password manager?

Post by DoTheMath »

afan wrote: Sat Jul 23, 2022 11:33 am
MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
afan wrote: Tue Jul 19, 2022 9:49 pm If someone gets into your unlocked computer,
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
That is scary.

But I do not use a password manager that lives online, or that autofills anything. Autofilling means that anyone who gets as far as attempting to login from your computer is in. If all they get is the opportunity to enter username and password, then having the computer does not get them in.

The manager is a password protected file on my computer. It is backed up locally, but the file remains encrypted on the backup. Someone with access to my computer or the backup would need to crack the password of the manager to open the file.
My laptop might be stolen while it is unlocked, in which case the thief could access the unencrypted information on it. But they would have another hill to climb to get the passwords. The local backup never leaves my desk. Someone would have to break into the house to steal the backup. If they did all they would have is an encrypted file, with no password.

Nothing is perfect, but this is safer than using an account with autofill. I agree that properly implemented zero knowledge online storage of the file should be as safe. But again, not with autofill.
Even with autofill, a reputable password manager should ask for your master password before filling in any information. This is what 1password does. Once you've entered your master password you have some amount of time before it again requires you to enter the master password. In 1password this is adjustable and mine is set to something like 5 minutes. After that much time has elapsed, you have to give it the master password to log in to anything, autofill or otherwise.


I don't know about google, but hopefully this is changeable or it's an obvious security flaw.
“I am losing precious days. I am degenerating into a machine for making money. I am learning nothing in this trivial world of men. I must break away and get out into the mountains...” -- John Muir
RedDog
Posts: 289
Joined: Sat Dec 05, 2015 3:36 pm

Re: Do you use a password manager?

Post by RedDog »

Vulcan wrote: Tue Jul 19, 2022 4:07 pm
mptfan wrote: Tue Jul 19, 2022 3:54 pm
Vulcan wrote: Tue Jul 19, 2022 3:41 pm My Google account is already the key to my digital kingdom, and I prefer not to trust any other 3rd parties to get this critical piece right, nor do I want to have to install additional software on multiple devices.
The biggest issue with this is your Google account becomes a single point of failure. As you said, it is the key to your digital kingdom.
It is the key regardless. Your email is your key. There's no way around it.

I'd rather not add new points of failure.
Could I get your opinion of the iPhone OS password manager?

BTW, as a non-IT professional…I’ve used the Chrome password manager for some time and have found it to be very functional.
moorso
Posts: 202
Joined: Sun Feb 16, 2014 3:04 pm

Re: Do you use a password manager?

Post by moorso »

Using fidsafe by fidelity. Seems to work fine.
moorso
Posts: 202
Joined: Sun Feb 16, 2014 3:04 pm

Re: Do you use a password manager?

Post by moorso »

Using fidsafe by fidelity. Seems to work fine. Don't know how secure it is though, any insight?
FlamePoint
Posts: 223
Joined: Wed Nov 11, 2020 9:45 pm

Re: Do you use a password manager?

Post by FlamePoint »

Jags4186 wrote: Thu Jul 21, 2022 6:40 pm I’m all Apple and use keychain.
+1

I also like that keychain will alert you to duplicate passwords and ones possibly compromised via a data leak.
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: Do you use a password manager?

Post by tuningfork »

afan wrote: Sat Jul 23, 2022 11:33 am
MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
If that's how Google Chrome's password feature works, it is horribly insecure and should never be used by anyone.

That is scary.

But I do not use a password manager that lives online, or that autofills anything. Autofilling means that anyone who gets as far as attempting to login from your computer is in. If all they get is the opportunity to enter username and password, then having the computer does not get them in.
That's not how autofill works with all properly implemented password managers (Lastpass, 1Password, Bitwarden, etc.). You must first supply the password to the password manager before it will "autofill" the username and password of the site you're visiting. You can then logout or lock the password manager, or if you're lazy you can let it time out and autologout.
Nothing is perfect, but this is safer than using an account with autofill. I agree that properly implemented zero knowledge online storage of the file should be as safe. But again, not with autofill.
As stated many times in this thread, a properly implemented (i.e. not Google Chrome) password manager with autofill is safer than not using autofill as it provides protection from phishing web sites.
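Added example (not part of any post in this thread, and not the code of any product named in it): a Python sketch of the two checks described above, where credentials are released only while the vault is unlocked and only when the page's exact HTTPS origin matches the stored entry. The class name, the 300-second timeout and the sample entry are assumptions; verifying the master password itself is out of scope here.

```python
import time
from urllib.parse import urlsplit

# Constructed sample entry; URL and credential are placeholders.
SAMPLE_ENTRIES = {"https://bank.example/": ("constructed_user", "constructed-password")}


def origin_of(url):
    """Return (host, port) for an https URL, or None if it must not be filled."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname  # userinfo such as "bank.example@" is not part of this
    if parts.scheme != "https" or not host:
        return None
    return (host.lower().rstrip("."), port or 443)


class AutofillGate:
    """Hypothetical gate in front of a vault: lock state plus origin matching."""

    def __init__(self, entries, lock_after_s=300, clock=time.monotonic):
        self._by_origin = {}
        for url, cred in entries.items():
            origin = origin_of(url)
            if origin is None:
                raise ValueError("stored entry must be an https URL: %r" % url)
            self._by_origin[origin] = cred
        self._lock_after_s = lock_after_s
        self._clock = clock
        self._unlocked_at = None  # None means locked

    def unlock(self):
        """Call only after the master password has been verified."""
        self._unlocked_at = self._clock()

    def lock(self):
        self._unlocked_at = None

    def is_locked(self):
        if self._unlocked_at is None:
            return True
        if self._clock() - self._unlocked_at >= self._lock_after_s:
            self.lock()  # timed out: the master password is needed again
            return True
        return False

    def fill(self, page_url):
        """Return (status, credential); credential is None unless status is 'filled'."""
        if self.is_locked():
            return ("locked", None)
        cred = self._by_origin.get(origin_of(page_url))
        if cred is None:
            return ("no-match", None)  # unknown or lookalike origin: refuse
        return ("filled", cred)


if __name__ == "__main__":
    gate = AutofillGate(SAMPLE_ENTRIES)
    gate.unlock()
    for url in ("https://bank.example/login",
                "https://bank.example.login.test/",
                "https://bank.example@phish.test/",
                "http://bank.example/login"):
        print(url, "->", gate.fill(url)[0])
```

A person copying and pasting has to notice a lookalike address by eye; the exact-origin comparison refuses it mechanically.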
FlamePoint
Posts: 223
Joined: Wed Nov 11, 2020 9:45 pm

Re: Do you use a password manager?

Post by FlamePoint »

RedDog wrote: Sat Jul 23, 2022 12:51 pm
Vulcan wrote: Tue Jul 19, 2022 4:07 pm
mptfan wrote: Tue Jul 19, 2022 3:54 pm
Vulcan wrote: Tue Jul 19, 2022 3:41 pm My Google account is already the key to my digital kingdom, and I prefer not to trust any other 3rd parties to get this critical piece right, nor do I want to have to install additional software on multiple devices.
The biggest issue with this is your Google account becomes a single point of failure. As you said, it is the key to your digital kingdom.
It is the key regardless. Your email is your key. There's no way around it.

I'd rather not add new points of failure.
Could I get your opinion of the iPhone OS password manager?

BTW, as a non-IT professional…I’ve used the Chrome password manager for some time and have found it to be very functional.
Works great on Apple products. Stores your passwords in the cloud so if you have multiple Apple devices you can access your passwords across them.

If you use a non-Apple device on a regular basis it may not be as convenient since you will need to type in your login/password on it. 95% of my time is spent on my iPhone and iPad.
increment
Posts: 1735
Joined: Tue May 15, 2018 2:20 pm

Re: Do you use a password manager?

Post by increment »

moorso wrote: Sat Jul 23, 2022 1:02 pm Using fidsafe by fidelity. Seems to work fine.
As far as I can tell, Fidsafe offers just to store your passwords. It doesn't offer to generate long, random passwords, or to autofill them where appropriate (to prevent you from entering passwords into phishing sites).
RedDog
Posts: 289
Joined: Sat Dec 05, 2015 3:36 pm

Re: Do you use a password manager?

Post by RedDog »

FlamePoint wrote: Sat Jul 23, 2022 1:35 pm
RedDog wrote: Sat Jul 23, 2022 12:51 pm
Vulcan wrote: Tue Jul 19, 2022 4:07 pm
mptfan wrote: Tue Jul 19, 2022 3:54 pm
Vulcan wrote: Tue Jul 19, 2022 3:41 pm My Google account is already the key to my digital kingdom, and I prefer not to trust any other 3rd parties to get this critical piece right, nor do I want to have to install additional software on multiple devices.
The biggest issue with this is your Google account becomes a single point of failure. As you said, it is the key to your digital kingdom.
It is the key regardless. Your email is your key. There's no way around it.

I'd rather not add new points of failure.
Could I get your opinion of the iPhone OS password manager?

BTW, as a non-IT professional…I’ve used the Chrome password manager for some time and have found it to be very functional.
Works great on Apple products. Stores your passwords in the cloud so if you have multiple Apple devices you can access your passwords across them.

If you use a non-Apple device on a regular basis it may not be as convenient since you will need to type in your login/password on it. 95% of my time is spent on my iPhone and iPad.
Thank you!
TN_Boy
Posts: 4134
Joined: Sat Jan 17, 2009 11:51 am

Re: Do you use a password manager?

Post by TN_Boy »

abuss368 wrote: Sat Jul 23, 2022 10:39 am
meadowrue wrote: Tue Jul 19, 2022 2:10 pm If so, which one would you recommend? I have always used 3-4 different passwords and easily remember them (though they are not “easy” passwords per se) but I handle all the finances in our house and fear that my mental recall of passwords would leave DH in quite a bind were something to happen to me. Not to mention the hacking/security risk of using the same password for more than one site (I know, this is not smart!) How safe are password managers, and how exactly do they work? Thank you!
I use Apple’s password feature for all non-important and non-financially-sensitive websites.

For any financially sensitive websites (there are only a few), I have it memorized and written down on paper. Nothing to be hacked!

Best.
Tony
Well, except that as people have pointed out, if a keystroke logger got onto your computer, the passwords would be stolen. Or if your financial institution was hacked.

There is always something which can be hacked .... I doubt that avoiding a good password manager reduces your risk at all, but if it works for you! I assume you also write down things like the answers to the security questions? (Which should not be like, true answers in most cases).
maxim81
Posts: 82
Joined: Sat Apr 19, 2008 7:03 pm

Re: Do you use a password manager?

Post by maxim81 »

Yes, and if someone got hold of your fingerprint or thumb, it's game over as well :beer
cashboy
Posts: 708
Joined: Tue Sep 11, 2018 5:03 pm
Location: USA

Re: Do you use a password manager?

Post by cashboy »

+1 on keepass.

OP

initially i downloaded it just to play with it since it was free. I started using it with just a single web site as a test. i quickly came to love it and now can't live without it.

just about every website you interact with nowadays requires you to have an account, and it got tiresome for me to keep track of it all and generate unique and complex passwords.

my suggestion is to download it and use it to play around with a single non-critical website that you have to login to - ex: public library. see if you like the concept of a password manager.
Three-Fund Portfolio: FSPSX - FXAIX - FXNAX (with slight tilt of CASH - Canned Beans - Rice - Bottled Water)
Youngblood
Posts: 712
Joined: Fri Jan 04, 2008 6:18 am

Re: Do you use a password manager?

Post by Youngblood »

FlamePoint wrote: Sat Jul 23, 2022 1:32 pm
Jags4186 wrote: Thu Jul 21, 2022 6:40 pm I’m all Apple and use keychain.
+1

I also like that keychain will alert you to duplicate passwords and ones possibly compromised via a data leak.
iCloud keychain also.

A Pages password-protected file too.
"I made my money by selling too soon." | Bernard M. Baruch
afan
Posts: 8191
Joined: Sun Jul 25, 2010 4:01 pm

Re: Do you use a password manager?

Post by afan »

DoTheMath wrote: Sat Jul 23, 2022 12:43 pm

Even with autofill, a reputable password manager should ask for your master password before filling in any information. This is what 1password does. Once you've entered your master password you have some amount of time before it again requires you to enter the master password. In 1password this is adjustable and mine is set to something like 5 minutes. After that much time has elapsed, you have to give it the master password to log in to anything, autofill or otherwise.

I don't know about google, but hopefully this is changeable or it's an obvious security flaw.
Mine also times out. But once you log back in, all you get to do is copy and paste passwords.
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama
Gaston
Posts: 1220
Joined: Wed Aug 21, 2013 7:12 pm

Re: Do you use a password manager?

Post by Gaston »

We use 1Password for families. Things we like about it:

- You can have multiple vaults. One for you, one for spouse, one for each child, plus a shared vault that all family members can access. Each vault is private to the individual, except the shared vault. With the shared vault, no one asks "What is the Netflix password?"

- If you travel to dodgy countries, you can also hide your vault (ie, remove it from your smartphone or laptop) so that authorities cannot see it / access it.

- Generates long, secure passwords for websites and apps. Has a Watchtower service to warn you of weak passwords and of websites that have been hacked.

- Works on Windows, Mac, iOS, and Android.

- Generates 2FA codes for websites and apps, so you don't need Google Authenticator, Authy or similar authentication apps.

- Holds images of simple documents (passports, driver's license, social security card, health insurance card, etc).

- Can enter and hold text as secure notes (eg, combination to a safe, crypto wallet password).
“My opinions are just that - opinions.”
Gaston
Posts: 1220
Joined: Wed Aug 21, 2013 7:12 pm

Re: Do you use a password manager?

Post by Gaston »

case_of_ennui wrote: Tue Jul 19, 2022 4:08 pm I use a notepad in my nightstand drawer. I need to look into some of these. I just have trouble trusting third parties with my important passwords.
The above is a fair comment. Some might want to use a 3rd-party password manager but do not want to fully trust a 3rd-party. There is a solution for this that often is recommended to investigative journalists, diplomats and other high profile hacking targets for use on their key accounts. It goes something like this.

1. Invent a 4 or 6 digit secret code. Store it in your head or in your bank safety deposit box. Let's say it's 2246.

2. Let the 3rd-party password manager generate a password for a website that you wish to use. Let's say the password manager generates 275Hty@M4&b.

3. When you create the account for the website, let the password manager autofill the 275Hty@M4&b password, then manually enter 2246 at the end.

4. Every time you sign onto the website in the future, do the same as point #3 above. This way, only you know the full password.

In this model, you only have to remember a single secret code (2246) but you use it for all your key websites.
“My opinions are just that - opinions.”
AnEngineer
Posts: 2414
Joined: Sat Jun 27, 2020 4:05 pm

Re: Do you use a password manager?

Post by AnEngineer »

MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
afan wrote: Tue Jul 19, 2022 9:49 pm If someone gets into your unlocked computer,
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
I don't understand this concern. If you let someone have access to your computer using your account you'd better trust them completely, as they could install a variety of security compromises.
Topic Author
meadowrue
Posts: 747
Joined: Wed May 04, 2022 3:55 pm

Re: Do you use a password manager?

Post by meadowrue »

Gaston wrote: Sat Jul 23, 2022 4:34 pm
case_of_ennui wrote: Tue Jul 19, 2022 4:08 pm I use a notepad in my nightstand drawer. I need to look into some of these. I just have trouble trusting third parties with my important passwords.
The above is a fair comment. Some might want to use a 3rd-party password manager but do not want to fully trust a 3rd-party. There is a solution for this that often is recommended to investigative journalists, diplomats and other high profile hacking targets for use on their key accounts. It goes something like this.

1. Invent a 4 or 6 digit secret code. Store it in your head or in your bank safety deposit box. Let's say it's 2246.

2. Let the 3rd-party password manager generate a password for a website that you wish to use. Let's say the password manager generates 275Hty@M4&b.

3. When you create the account for the website, let the password manager autofill the 275Hty@M4&b password, then manually enter 2246 at the end.

4. Every time you sign onto the website in the future, do the same as point #3 above. This way, only you know the full password.

In this model, you only have to remember a single secret code (2246) but you use it for all your key websites.
This is really clever. Thanks for sharing. I am the OP who is also a bit of a scaredy cat when it comes to anything other than the old-fashioned “write it down and lock it away.” I feel like I need a better strategy and this might be it!
“We must free ourselves of the hope that the sea will ever rest. We must learn to sail in high winds.”—Aristotle Onassis
fourwheelcycle
Posts: 1968
Joined: Sun May 25, 2014 5:55 pm

Re: Do you use a password manager?

Post by fourwheelcycle »

tibbitts wrote: Fri Jul 22, 2022 11:12 am
Kingghoti wrote: Fri Jul 22, 2022 9:12 am That said, there are options you can set up such as a "rescue" codes for "in case of my death."
At least some password managers enable those features for only their fee-based products, not their free products.
Bitwarden (a zero knowledge password manager) has a very good version of the emergency access feature. It is only available to premium subscribers, but the annual premium fee is only $10. I use it to provide our adult children access to our key financial info if I die or become incapacitated. Our children only need to have free Bitwarden accounts to participate. If they request access to my passwords from Bitwarden, an email notice comes to me. If I don't respond and deny access, Bitwarden gives them the access I have previously approved when I put them on my emergency access list.
martincmartin
Posts: 900
Joined: Wed Jul 02, 2014 3:04 pm
Location: Boston, MA USA

Re: Do you use a password manager?

Post by martincmartin »

meadowrue wrote: Tue Jul 19, 2022 2:10 pm I have always used 3-4 different passwords and easily remember them
Have you seen which of them have been compromised?

https://haveibeenpwned.com/

https://haveibeenpwned.com/Passwords
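Added example, not part of martincmartin's post: the Pwned Passwords service linked above can be queried without sending it the password, because its range API takes only the first five hex characters of the password's SHA-1 hash and the comparison happens locally. The Python sketch below shows that check; `ConstructedRange` and its leaked-password list are constructed stand-ins so the code runs offline, and `fetch_from_api` shows the real endpoint (which is not named on this page).

```python
import hashlib
import urllib.request


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password, fetch_range):
    """Return how many times the password appears in the breach corpus.

    fetch_range(prefix) must return the text body for a 5-character prefix,
    one "HASH_SUFFIX:COUNT" entry per line.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            # Padding entries (sent when Add-Padding is requested) carry a count of 0.
            return int(count)
    return 0


def fetch_from_api(prefix):
    """Live lookup against the public range endpoint; needs network access."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class ConstructedRange:
    """Offline stand-in for the API, built from a constructed leak list."""

    def __init__(self, leaked):
        self.requests = []   # everything the "server" ever gets to see
        self.by_prefix = {}
        for password, count in leaked.items():
            digest = sha1_hex(password)
            self.by_prefix.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def __call__(self, prefix):
        self.requests.append(prefix)
        padding = ["0" * 35 + ":0"]  # constructed zero-count padding line
        return "\r\n".join(self.by_prefix.get(prefix, []) + padding)


if __name__ == "__main__":
    fake = ConstructedRange({"Summer2022!": 4172})  # constructed count
    for pw in ("Summer2022!", "a-long-random-generated-string"):
        print(pw, "->", pwned_count(pw, fake))
    print("sent to server:", fake.requests)
```

Passing `fetch_from_api` instead of the stand-in runs the same check against the live service.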
Topic Author
meadowrue
Posts: 747
Joined: Wed May 04, 2022 3:55 pm

Re: Do you use a password manager?

Post by meadowrue »

martincmartin wrote: Sun Jul 24, 2022 7:12 am
meadowrue wrote: Tue Jul 19, 2022 2:10 pm I have always used 3-4 different passwords and easily remember them
Have you seen which of them have been compromised?

https://haveibeenpwned.com/

https://haveibeenpwned.com/Passwords
Thanks for the links. My email address has been in 5 data breaches! My phone number is ok. I changed all my passwords yesterday across every single account while I decide about a password manager. I greatly appreciate all the responses here.
“We must free ourselves of the hope that the sea will ever rest. We must learn to sail in high winds.”—Aristotle Onassis
tibbitts
Posts: 23716
Joined: Tue Feb 27, 2007 5:50 pm

Re: Do you use a password manager?

Post by tibbitts »

fourwheelcycle wrote: Sun Jul 24, 2022 6:21 am
tibbitts wrote: Fri Jul 22, 2022 11:12 am
Kingghoti wrote: Fri Jul 22, 2022 9:12 am That said, there are options you can set up such as a "rescue" codes for "in case of my death."
At least some password managers enable those features for only their fee-based products, not their free products.
Bitwarden (a zero knowledge password manager) has a very good version of the emergency access feature. It is only available to premium subscribers, but the annual premium fee is only $10. I use it to provide our adult children access to our key financial info if I die or become incapacitated. Our children only need to have free Bitwarden accounts to participate. If they request access to my passwords from Bitwarden, an email notice comes to me. If I don't respond and deny access, Bitwarden gives them the access I have previously approved when I put them on my emergency access list.
I was only trying to let people know that if they're looking for that feature in their free password manager and not finding it, it might be because it's just not there. For some the adult child or equivalent already uses the same product and already has unlimited access so it's not an issue, however loss of access using the password for some reason still would be.
fourwheelcycle
Posts: 1968
Joined: Sun May 25, 2014 5:55 pm

Re: Do you use a password manager?

Post by fourwheelcycle »

tibbitts wrote: Sun Jul 24, 2022 10:30 am I was only trying to let people know that if they're looking for that feature in their free password manager and not finding it, it might be because it's just not there.
An effective emergency access feature is also "just not there" on many fee-only password managers. Dashlane used to have it, but dropped it. 1Password has never had it. I use the licensed version of 1Password as my primary password manager. I love it, but it has never offered an emergency access feature like Bitwarden's current feature or Dashlane's now discontinued feature.

Unfortunately, 1Password is discontinuing its licensed version. In the future, 1Password will only offer its subscription-based version. Looking at a cost of $10 per year for Bitwarden, with its excellent emergency access feature, vs. $60 per year for 1Password's subscription version, with no emergency access feature, I will give serious consideration to using Bitwarden as my only password manager.
MikeWillRetire
Posts: 790
Joined: Fri Jun 29, 2012 12:36 pm

Re: Do you use a password manager?

Post by MikeWillRetire »

AnEngineer wrote: Sat Jul 23, 2022 6:58 pm
MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
afan wrote: Tue Jul 19, 2022 9:49 pm If someone gets into your unlocked computer,
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
I don't understand this concern. If you let someone have access to your computer using your account you'd better trust them completely, as they could install a variety of security compromises.
I'm not concerned about the people that I allow access to the computer. I'm more concerned about others who could gain access. Our home computer is awakened with a 4 digit pin, so if they somehow figure out the pin, they then have access to google passwords, even if I log out of chrome. For that reason, I chose 1 Password because it requires me to log in to use it.
AnEngineer
Posts: 2414
Joined: Sat Jun 27, 2020 4:05 pm

Re: Do you use a password manager?

Post by AnEngineer »

MikeWillRetire wrote: Sun Jul 24, 2022 2:11 pm
AnEngineer wrote: Sat Jul 23, 2022 6:58 pm
MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am
afan wrote: Wed Jul 20, 2022 5:56 pm
Vulcan wrote: Tue Jul 19, 2022 10:23 pm
... it's game over.
Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
I don't understand this concern. If you let someone have access to your computer using your account you'd better trust them completely, as they could install a variety of security compromises.
I'm not concerned about the people that I allow access to the computer. I'm more concerned about others who could gain access. Our home computer is awakened with a 4 digit pin, so if they somehow figure out the pin, they then have access to google passwords, even if I log out of chrome. For that reason, I chose 1 Password because it requires me to log in to use it.
I see the difference, but it still doesn't make sense to me. Anyone who gets past the pin can install a keylogger or something and get access to your passwords and more. Unauthorized access to my user account is game over in so many ways.
MikeWillRetire
Posts: 790
Joined: Fri Jun 29, 2012 12:36 pm

Re: Do you use a password manager?

Post by MikeWillRetire »

disregard, I meant to reply to a previous poster.
Last edited by MikeWillRetire on Sun Jul 24, 2022 3:53 pm, edited 1 time in total.
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Do you use a password manager?

Post by cacophony »

MikeWillRetire wrote: Sun Jul 24, 2022 2:28 pm I'm curious what do you do to prevent unauthorized access to your computer?
The basics:

- Prevent physical access to your computer. In other words, keep it locked in your house/etc when not in use
- Keep your OS and application software up to date
- Be very mindful of what you install, especially if it's lesser known. Do research on the app and make sure you're installing from the official trustworthy source.
- Use a browser that's known to be secure and try to avoid sketchy sites
- Keep your router firmware up-to-date
Last edited by cacophony on Sun Jul 24, 2022 6:51 pm, edited 1 time in total.
MikeWillRetire
Posts: 790
Joined: Fri Jun 29, 2012 12:36 pm

Re: Do you use a password manager?

Post by MikeWillRetire »

AnEngineer wrote: Sun Jul 24, 2022 2:17 pm
MikeWillRetire wrote: Sun Jul 24, 2022 2:11 pm
AnEngineer wrote: Sat Jul 23, 2022 6:58 pm
MikeWillRetire wrote: Fri Jul 22, 2022 11:44 am
afan wrote: Wed Jul 20, 2022 5:56 pm

Not necessarily. The password manager has its own password. Someone who had access to the computer but not the password would still have to crack the password manager.
I found that if someone accesses your computer, they can access google password manager without needing the password. I couldn't find a good way to log out of google password manager. Even if you log out of your google account, the password manager still autofills the passwords. That's one of the reasons why I chose 1 Password. You can log out of it easily.
I don't understand this concern. If you let someone have access to your computer using your account you'd better trust them completely, as they could install a variety of security compromises.
I'm not concerned about the people that I allow access to the computer. I'm more concerned about others who could gain access. Our home computer is awakened with a 4 digit pin, so if they somehow figure out the pin, they then have access to google passwords, even if I log out of chrome. For that reason, I chose 1 Password because it requires me to log in to use it.
I see the difference, but it still doesn't make sense to me. Anyone who gets past the pin can install a keylogger or something and get access to your passwords and more. Unauthorized access to my user account is game over in so many ways.
I am curious to find out what you do to prevent this unauthorized access?