Do you use a Password Manager?

If the password file is encrypted - as the tools supposedly do - that might not do the virus much good. Sure, they could copy it and try to decrypt it, but it’s tough and I don’t know if the typical virus writer / hacker has the time or resources to bother.

That said, some of them do, at least, have the URLs themselves stored unencrypted - so while a hacker might not find out my Citibank password, they could find out that at least I had a Citibank account.

As silly as that sounds: IMHO (and I’m not a security person): for the average user that might not be a bad alternative, since then your passwords aren’t accessible by anyone without physical access to your computer. The average burglar isn’t likely to bother even if he’s stealing the computer. OK, he might grab it - so put the paper in some slightly less visible spot! But the kind of person who does a break-and-enter isn’t likely to be all that good at cybercrime.

Where it falls down obviously is if you’re in an office where you might genuinely be a target of some kind of corporate espionage, for example. Or if you’ve got an untrustworthy household member (but if you’ve got one of those you have bigger problems).

Decryption programs exist. It is a matter of difficulty in identifying the decryption key.

You’re correct in it depending on the hacker’s diligence and resources. One might presume, if they have the diligence to steal the data, they may have the resources to break it. Especially for common programs.

I generally use KeePass; lately I’ve been trying out Dashlane (a newcomer to the field). I may or may not end up switching, depending on how the Dashlane Android app (coming out RSN) works out.

One useful trick with KeePass is to install the “Hostname in Titlebar” extension so that the Firefox titlebar shows both the page title and the page URL and then select the “match if the host component of the URL is contained in the target window title” option in KeePass (Options / Advanced / Auto-Type). That will enable KeePass to recognize the login window for autofilling (click the username box and hit Ctrl-Alt-A or whatever you changed it to) even if it’s called something stupidly generic like “Login”.

Back in the day when we only knew him for playing a dreadfully-written Marty Stu, that could work something like Alexandra Petri’s suggestion for The Most Secure Password Of All Time:

Thanks for the responses. I had given up in the four months between this post and the next so I’m only now getting back to it. Note also that the last response was about six months ago. So …

… the suggestions seem to be KeePass, PassWard and 1Password … any further comments??

I imagined a very secure website that you subscribed to and entered via a supersafe password. In my mind, all of your info would reside there. You wouldn’t need a thumb drive to access it from anywhere in the world. Is that not possible or just not safe enough?

I didn’t even know such things existed.

I hope the previous 44 posts in this thread were helpful for you, then.

I’m going to try out 1Password. In the past I’ve just used variations on the same password for most sites where I don’t care much about security (you know, like the SDMB) and more difficult/unique passwords for stuff like online banking, but it seems like at least two or three times a month I have to go through a password reset on some account or another because I’ve forgotten which password I used, so I’m going to try out a manager app. Thanks for all the suggestions above.

I’ve been recommending against 1Password if you use an Android-based smartphone. We set it up back when we were using iPod Touches as PDAs. As noted upthread, we use Dropbox to sync the information to our desktop and to each other’s handhelds.

When I got my Droid, I found that Android just has a read-only version now - you can load (via Dropbox) passwords created on other devices but you can’t create them on the phone. So, I either edit / add via the desktop, or via the iPod Touch.

HOWEVER!!!

They are finally getting ready to release a full-featured Android version. I believe it’s in beta test. So if 1Password otherwise meets your requirements, it should be back in the running for Android users.

Isn’t LastPass something like that? I prefer KeePass + DropBox though, just because it doesn’t involve “trusting” the online storage provider (DropBox) with cleartext passwords. I.e. if some rogue employee of DropBox wants access to my stuff, even if he has unrestricted access to everything that I have ever transmitted to their servers ever, he still can’t have it, because I’ve sent them nothing non-encrypted.

Of course that’s probably being overly paranoid, but if you’re only overly paranoid about one thing in the world, make it your password manager.

It’s not at ALL “overly paranoid”. KeePass and 1Password (and the others that use Dropbox etc., I presume) store data encrypted for that very reason.

Not just a Dropbox employee, but a hacker - for example, there was an incident in the past year where a Dropbox employee’s account was hacked and they got a list of subscriber emails, and subscribers started getting spam. There was also a well-publicized incident a couple years back in which a glitch let you log into your Dropbox account by typing in anything at all for the password. In that case, having your password vault encrypted would keep them from doing anything.

Our 1Password has a single master password that’s used to encrypt it locally and on the handhelds. The password is one that we have not written down anywhere (I suppose I should write it down and put that in our safety deposit box for estate-planning reasons) and it’s one that wouldn’t be easily guessed based on dictionary attacks or other means.
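As an added illustration of the point made in the last few posts (this is example code written for this thread, not KeePass’s or 1Password’s own implementation): a minimal vault that is sealed under a key stretched from the master password, so the file that lands on Dropbox is opaque bytes. It is stdlib-only, so an HMAC-based stream cipher with an encrypt-then-MAC tag stands in for the AES that real managers use; the sample entries, iteration count and master passphrase are constructed for the demo.

```python
import hashlib, hmac, json, os, struct

KDF_ITERS = 200_000  # slow, salted derivation makes guessing the master password costly

def derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERS, dklen=64)
    return k[:32], k[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream in counter mode: HMAC(key, nonce || block counter) per 32-byte block."""
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + struct.pack(">Q", ctr // 32), "sha256").digest()
    return out[:length]

def seal_vault(entries: dict, master: str) -> bytes:
    """Serialize and encrypt the vault; the returned blob is what gets synced to the cloud."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plain = json.dumps(entries).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + cipher, "sha256").digest()  # encrypt-then-MAC
    return salt + nonce + cipher + tag

def open_vault(blob: bytes, master: str) -> dict:
    """Check the tag before decrypting; a wrong master password or a tampered file is rejected."""
    salt, nonce, cipher, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + cipher, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plain = bytes(c ^ k for c, k in zip(cipher, keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)

def leaks_in_clear(blob: bytes, strings) -> bool:
    """What the storage provider could read: does the synced file contain any of these in clear?"""
    return any(s.encode() in blob for s in strings)

if __name__ == "__main__":
    vault = {"citibank.com": {"user": "alice", "pw": "correct-horse-battery"}}  # constructed sample
    blob = seal_vault(vault, "a long master passphrase")
    print(leaks_in_clear(blob, ["citibank.com", "alice"]))        # False: not even the URL shows
    print(open_vault(blob, "a long master passphrase") == vault)   # True
```

Unlike the managers mentioned upthread that leave URLs unencrypted, every field here is inside the sealed payload, so the synced file reveals neither which sites you use nor your credentials.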

[edit] nm, I think I missed the point

no I use the same password for every site

Your reply hit my inbox before you changed it :).

To address something you mentioned: if someone uses any cloud service, you’re surrendering control of your data. The services have good intentions, but security screwups or legal action or other things beyond your control may well result in your data being accidentally or deliberately shared.

We’ve put some thought into it, and have decided that for password-vault purposes, the combination of their terms of service and the fact that Dropbox doesn’t have the password-vault decryption key is sufficient risk mitigation that the benefits exceed the risk.

This is the big mental stumbling block I had to overcome before committing to the KeePass/Dropbox solution. On one hand, I am letting my passwords, albeit in encrypted form, out of my control which is a risk. On the other hand, as a result of doing so, I habitually use much more complex passwords (essentially as many random characters as each site permits), and unique ones for each site where before I was constrained by what I could remember. The increase in security from that, IMO, more than offsets the risk that someone will successfully gain access to and crack my password file.

Also as a side-effect, I sign up for a lot more things than before, knowing that I’ll remember the password later. :)

My laptop has a fingerprint scanner and I have been using that. But I will probably have to download one of those programs if I ever get a smartphone.

LastPass does all that. I liked the Roboform interface better, but I didn’t want to pay the annual fee.

1Password’s desktop version does as well. It has add-ons for Firefox and Internet Explorer, that you can use to fill in userID/passwords and also capture things as you enter them. It works with varying degrees of success on some sites, but there’s always copy-and-paste.

I use Pocket on my phone. Prowled what was the Google Market (now Play Store) to find a well-reviewed app that looked straightforward and secure. I’ve been satisfied with it.

One virtue is that once I get my husband to set it up on his phone, he can access the same list I have, which would help him a lot if something were to happen to me.

But the system doesn’t need to be a Password Manager. There are systems in place to easily handle passwords, even complex ones like you describe. For instance, if your password requires at least two caps, two lowercase, two special characters and 15 overall digits you can start with your phone number.
555-555-1234
Right off the bat, you have 12 digits. Now, for your caps and lowers, start at the top left of your keyboard at the Q. So next time you change your password it would be:
QQqq555-555-1234
Then, after 90 days, move on to the next letter on the keyboard. WWww555-555-1235. All you ever have to change is one letter, and you go in order, so it shouldn’t be hard to remember the password.

But how does that work (or how do you keep track) for hundreds of *different* passwords?

Sweet Jesus, what would I do without a password manager. It’s impossible to remember all the passwords at work. Must be at least 10 characters long. Must have a capital letter, special character and a number. Can’t repeat your last 10. Must change every 90 to 180 days, depending on which one. I even have one that doesn’t allow me to use 3 consecutive letters that are in my name. Doesn’t have to be consecutive in my name now. I don’t know how the hell they expect you to remember this stuff…

I didn’t research really. I surfed around the apps on my phone and avoided ones that linked to the internet, though I may go back for one of those.