Password Managers

[ddrueding]

Start with the news: LastPass was recently hacked

Their response to this was so impressive that I signed up almost immediately. I've known I should be using some kind of password manager for quite some time, but this pushed me into it.

The software and interface are way better than I had anticipated, allowing automated changing of passwords on some sites and notifying you of password breaches on sites you use, prompting you to change them.

Anyone else here using a similar service?

 

[CougTek]

I've used Keepass for the last few years. It's ok. One problem I've had with it is more admin-related than anything else : I often forget the passwords I've written to open some seldom used keepass files. So these are unusable when I end up needing them.

I've never used lastpass.

 

[ddrueding]

Lastpass has an application and browser plug-in. So long as those are installed it does a great job tracking password changes. I'm actually spending some of today going into all my major services and having LastPass generate brutally long random strings as the new passwords, where there is no way I'd be able to login without using their service. This should help me remember to use the service when changing those passwords.

Another fun part of their tool was that it scanned all the local browsers, imported any saved credentials into the system, and then wiped them from the machine while disabling the built-in password manager.

 

[snowhiker]

I've been thinking about some type of password manager for a while now because some of my passwords are just too hackable.

I guess I could google the answers.

But anyways...Does Lastpass create backups of your PW file in case primary is lost/corrupted? Does it allow you to print a copy of your sites and passwords in case backup files/computers are lost/stolen?

I'd like a manager that prints out a simple list with: <site name> <url> <username> <password> <comment field1> <comment field2>

Even better a PW manager that has source code that one of you guys could check for back-doors and compile it for me )

 

[Tea]

That's the thing, isn't it Snowhiker. How can you trust the password manager?

 

[timwhit]

I've used LastPass for almost a year. It's decent, but not perfect. It kind of sucks on my Android phone. Maybe I don't know how to use it correctly though.

 

[Mercutio]

Lastpass uses salted hash lookups based on your master password to store everything. If you change your master password, it changes the salt value and the software has to rehash all your passwords. Even if someone got everything they store, they still can't see anything unless they want to sit there and recompute the values of their cracking dictionary or rainbow tables entries by an individual user's particular salt. It's very strong from a security standpoint.
Keepass and Roboform are other products in the same category. I think Roboform is possibly the best overall tool from a utility standpoint, since it will fill forms anywhere in your OS, but I don't know how secure it truly is.

I like to demo lastpass for general use password storage, especially for the sort of person who is offended at the idea that they might have to remember more than one password for anything. Also of note is its ability to generate on-demand high entropy passwords. That's extremely useful for those people who would just use the same thing over and over.

All in all I think it's a good tool for personal needs, but I can't bring myself to rely on it for business data, so I tend to use other memory tricks for dealing with admin passwords and the like on customer systems.

 

[LunarMist]

So a company provides a terrible service and you reward them with more business? That'll teach 'em. :doh:

 

[Mercutio]

They don't provide terrible service. They had a security leak. They disclosed it and communicated the extent of user exposure. That's substantially more than a lot of companies are willing to do. As it happens, exposure it this case is pretty limited unless the guys who got the data are targeting specific Lastpass user accounts and feel like throwing exahertz of compute cycles at cracking each of them. It's possible that they could extract some high-value passwords out of those individual accounts, but it's extremely unlikely they could do that for more than a very small number of accounts given the limitations of computing and the warning that users have now had that it might be a good idea to update their stored passwords.

 

[ddrueding]

So a company provides a terrible service and you reward them with more business? That'll teach 'em. :doh:

You don't know how good a company is until something goes wrong. Anyone should be able to look great when things go to plan, but a company willing to do what they can in a pinch is worth aligning yourself with.

<Anecdote> When I was having hardwood installed in the entire house, I took delivery of 6 pallets of the material and followed the directions on the box (tear open all the boxes and stack the material so that it acclimates before installation). I didn't notice until 2 days later that it was actually the wrong product. Within 2 hours the reseller was hand-loading the opened boxes into their own truck, drove it all the way to the mfgr (12 hours away), and hand-unloaded the right stuff 2 days later. They lost money to keep me happy. This is a company I can recommend. </Anecdote>

 

[LunarMist]

Great standards we have nowadays. :eyes: How about rewarding a company that is not f*cked up to begin with?

 

[ddrueding]

Great standards we have nowadays. :eyes: How about rewarding a company that is not f*cked up to begin with?

Who would that be? Is there a single company with more than 1M users that hasn't had a data breach?

 

[LunarMist]

Great standards we have nowadays. :eyes: How about rewarding a company that is not f*cked up to begin with?

Suppose I release product to market and it is defective and people die. Which is more important, the quality of product or how the dead bodies are cleaned up and families compensated afterwards?

 

[LunarMist]

Who would that be? Is there a single company with more than 1M users that hasn't had a data breach?

I think it is worse than a typical data breach (and rather ironic) since the core business is to secure passwords. It looks like a password list locked in the desk is more secure.

 

[ddrueding]

Not sure if you've looked into this (or read Mercs analysis) that closely. It is incredibly unlikely that anyone's actual passwords were compromised. At the same time, using this service means that changing all the passwords becomes pretty darn easy.

Keeping a single list locked up would be more secure, but it wouldn't work for most people as they need to access things from multiple places.

 

[Tea]

So a company provides a terrible service and you reward them with more business? That'll teach 'em. :doh:

Hey, it worked for Microsoft.

 

[Tea]

Suppose I release product to market and it is defective and people die. Which is more important, the quality of product or how the dead bodies are cleaned up and families compensated afterwards?

Neither, you dummy. It's all about the main game, which is of course the quality of the press release, and the effective massaging of the press corps so that they spin the headlines just right. Don't you know nuffin about running a business?

 

[sedrosken]

I use the same two passwords for everything. It's probably really insecure, but I have nothing that is absolutely mission-critical. Except the StorageForum account, of course. :grin: In all seriousness, when I start doing online banking and stuff like that, I'll need to look into software like this because all of a sudden I'll be on this big ol' kick to get everything secured, which means different passwords for everything.

 

[Mercutio]

I think it is worse than a typical data breach (and rather ironic) since the core business is to secure passwords. It looks like a password list locked in the desk is more secure.

In a typical data breach, you'd find out that internal safeguards don't exist or weren't actually being followed. Personally Identifying Information stored in an unencrypted format would be stolen and, since this is the USA, the only reason anyone would be notified of the issue is if the data breach included data about residents of California, since no other state or federal provision requires notification of stole private information collected by a third party. How long did it take Target to even figure out what the hell happened during its 2013 data breach?

 

[Howell]

keepass is perfectly adequate for everything I do on my phone and computer, and can share the same database between them. I've used lastpass right after they bought xmarks but stopped because it didn't provide enough utility for me. There are several companies who provide that kind of service and the ability to have the service change your passwords on a schedule and otherwise fully manage your passwords is cool.

 

[Will Rickards]

I use keepass on my computer and phone.
The small problem is keeping them in sync. I can't bring myself to store the kdbx file with all my password on dropbox.
Also I can't trust all my passwords in the cloud, salted hashes or not.

 

[Buck]

I use about a half dozen passwords with about 12 characters each that I change every few months. I just remember them.

 

[Bartender]

I use about a half dozen passwords with about 12 characters each that I change every few months. I just remember them.

You remember them? My ass...you have one 4 digit password that you can never remember and so had it tattooed on your backside.

 

[Bartender]

The Grammar Police briefly raised the security issue of passwords in this thread, to which P5 responded.

 

[Handruin]

You remember them? My ass...you have one 4 digit password that you can never remember and so had it tattooed on your backside.

I hope his backside never gets breached!

 

[ddrueding]

I use the same two passwords for everything. It's probably really insecure, but I have nothing that is absolutely mission-critical. Except the StorageForum account, of course. :grin: In all seriousness, when I start doing online banking and stuff like that, I'll need to look into software like this because all of a sudden I'll be on this big ol' kick to get everything secured, which means different passwords for everything.

This seems almost entirely legit. I didn't really find myself in trouble regarding passwords until I had to start diversifying my finances. Once the number of accounts exceeded a dozen or so I knew I was in trouble.

 

[Mercutio]

You remember them? My ass...you have one 4 digit password that you can never remember and so had it tattooed on your backside.

There are tricks you can do to remember passwords. I'm fond of using short pass phrases that are based on quotations from some particular media (e.g. poems of Robert Louis Stevenson or lines from the movie Clerks) that I associate with that customer as a seed for what I use. I might use the first letter of each word of a sentence or perhaps just a three or four word quote, depending on need, and I find that shifting the typed characters up one row on the keyboard can add a great deal of apparent entropy if the password rules require it.

 

[Clocker]

I'm thinking about taking the leap to a password manager. Cost is not a factor, within reason, but ease of use and security are important if course. The paid versions of Dashlane and Lastpass are on my shortlist. Anymore feedback on either?


DD...what are your thoughts on Lastpass now that you're about 3 months in? Anything about Dashlane sound particularly interesting to you?

 

[ddrueding]

Totally stoked about Lastpass still, in fact I've helped a few other people integrate it into their lives and am investigating the enterprise version for work. Dashlane seems fine, all the features seem to be there. One of the things I like about Lastpass is how well they handled their security breach, good to know that if it happens again they will likely take the right steps.

 

[Handruin]

I still keep my passwords in a local Keepass database vs using a utility similar to Lastpass. For times when I need a password, I copy the Keepass database from my encrypted backup to my phone and then retrieve it that way. It's less convenient but I feel (maybe foolishly) that it's a little more secure.

 

[ddrueding]

Lastpass made switching phones and reinstalling my main laptop much easier. I was also just informed that one of my vendors had a data breach, knowing that that password was unique and easily changed made that a much less stressful situation.

 

[Clocker]

I see that KeePass requires me to install software on my PC. This is ok for me at home but I'm prevented from doing so at work on my laptop. I do need to be able to access my password protected sites while at work. Does Lastpass have the same software installation requirement?

Note: I am able to install th Lastpass Chrome plug in at work it appears.

Note 2: Chrome has a KeePass 'App' available as well.

 

[ddrueding]

If you use Chrome, the plug in is all you need. There is a plug in for Firefox as well (which is all I use). IIRC, the Chrome plugin has more functionality.

 

[Clocker]

Interesting podcast on the breech. https://www.youtube.com/watch?v=ujDAYTXTpaM

 

[Clocker]

So I've moved to Lastpass and I'm liking it. The convenience is great and knowing that I have strong passwords on everything is reassuring.

DD, have you considered any two factor authentication methods? I was looking at the yubikey but it seems like it might be a pita to use with a smart phone. I guess it would only matter when I am logging in from an untrusted device, which is never and would not apply to my smartphone.

 

[ddrueding]

So I've moved to Lastpass and I'm liking it. The convenience is great and knowing that I have strong passwords on everything is reassuring.

DD, have you considered any two factor authentication methods? I was looking at the yubikey but it seems like it might be a pita to use with a smart phone. I guess it would only matter when I am logging in from an untrusted device, which is never and would not apply to my smartphone.

My new smartphone (LG G4) doesn't have a fingerprint reader on it (sad). If it did I wouldn't bother, but now you have me thinking it would be a nice thing to have. I'll have to look into whether the YubiKey Neo will allow me to unlock my phone and activate Lastpass via NFC. That could be really neat.

 

[Clocker]

I'm currently using Google Authenticator which is free.

 

[ddrueding]

I also use Google Authenticator for some stuff, but a physical key to unlock the smartphone seems like a great idea to me.

Another thing I just found out about is Intel True Key. Looks interesting.

 

[Chewy509]

FYI for those using LastPass

http://arstechnica.com/information-...ys-lastpass-password-manager-for-110-million/

 

[CougTek]

I've read it too yesterday. I don't use Lastpass, but if I did, I don't think I would be too happy about this.