I can see this working, but you would have to go in and change all the passwords on the same day or so to link them up. But then all the passwords would be the same. All my areas that require a password also require a periodic change, but that time frame changes from site to site. It’s really crazy. Why aren’t we advanced enough for eye scans or voice recognition?
As another poster said: you can have hundreds of different passwords.
Some you use once a year. Some you use daily. Some require mixed case. Some don’t care. Some require 1 or more numbers. Some do, but the number can’t be the first thing. Some only allow a subset of the special characters (I ran into trouble with that one - was constructing a password using their rules, but the rules never said “can’t use exclamation point” or whatever). Some must differ from the previous by x characters. And so on.
The only way that approach would work with zillions of different passwords would be to keep a list of the rules and maybe the last 2 characters (or whatever you usually change). So your seed is 555-555-1234 and you know that’s your phone number, and on site one you say “last used aAa@, includes dashes”. On another you say “no dashes, replace dashes with A then B, last used BC” or whatever.
Someone finding such a list would need to know the “seed” value to get anywhere.
Getting back to some of the OP’s questions: I did a little research, but a friend had specifically recommended 1Password and that’s what I wound up going with. And to clarify something I phrased badly earlier when mentioning mSecure: it sounded like I said 1Password was free on the Amazon Android market. Well it is, but that’s the read-only version. mSecure was the one that was free at Amazon (and if it works as well as 1Password’s iOS version, it would be worth paying for!!).
True. The other thing is that you’re also putting trust in whoever wrote your password manager software. I use KeyPass and trust it because it is open source and it has been popular for years, and the author says many people have inspected the code. Also, the general tenor of his writings suggests someone who understands security issues well.
By contrast, I have backed off using the (not affiliated) Android version, KeePassDroid, at least for high security things, because I have been alarmed at some of the design decisions that I have read about from its developers. For example, until fairly recently it stored decrypted passwords in a SQLite database on the device. When this point was raised by someone who had installed a SQLite viewer and found his own passwords in plain text, a developer just said “it doesn’t matter, because the attacker would need root access on the Android device to read the SQLite database” :eek: . That seemed complacent to me.
I believe KeePassDroid no longer stores password data persistently, but it did shake my faith in the app.
I’ve been using Roboform for so long that I’ve never really bothered to try the other options. I know my mom uses Last Pass and it seems to work well.
I use the Roboform Anywhere option these days and don’t really mind the subscription fee. This is software I use every day, multiple times a day, on multiple devices, and it always always always works flawlessly. It also works with applications, like, say, iTunes or OneNote. Aside from the password manager, I like the password generator option and the Safe Notes option for mission critical stuff like my router info.
They used to offer a desktop model before everything moved to the cloud. It looks like they’re doing away with that and are now moving to the cloud version. It makes sense - a lot of people will want mobile access. They do still offer a USB version too, so you could keep everything on your USB key. You can see all the different versions which are available here:
A quality password manager will decrypt data only as needed, then quickly re-encrypt these entries and clear your clipboard. If you use a homegrown solution like a spreadsheet or text file, all of your confidential data is exposed after decryption, and it can end up in page files, memory dumps, automatic backup files, etc. Good password managers use strong key derivation functions, so it is harder to crack your password. Mature password managers like KeePass and LastPass offer multiple types of two-factor authentication and one-time passwords.
If you are using some kind of system to remember your passwords, you may have overestimated your ability to outsmart the password crackers. Millions of passwords have been exposed or cracked over the past few years, and researchers have had ample time to identify and share human selected password patterns. Password crackers only use a true brute force attack (an exhaustive search of all possibilities) against small keyspaces like pin codes, swipe patterns, 8 character passwords, etc. Attackers will use a word list containing millions of entries, then apply complex, efficient rules to crack passwords that don’t immediately fall to their word list. 15+ characters of mixed alpha/numeric/special characters from a quality random password generator will provide more protection than a memorable system.
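Added example (not posted by anyone in this thread) of the “strong key derivation function” point above: the vault key is derived from the master password with PBKDF2-HMAC-SHA256 from Python’s standard library, and the iteration count sets how much work every candidate password costs whoever is testing guesses against a stolen vault file. The master password, salt, wordlist size and rule count are constructed sample values; the per-guess timing is a single-thread CPU figure, so only the ratio between iteration counts is meaningful.

```python
import hashlib
import math
import time

# Constructed sample inputs (not real credentials): a master password and a
# fixed salt. A real vault generates a random salt and stores it with the vault.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256 (standard library).

    The iteration count is the tunable cost: each candidate password tested
    against a stolen vault must be run through the same number of rounds.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def seconds_per_guess(iterations: int, repeats: int = 3) -> float:
    """Time one derivation at this iteration count (best of `repeats` runs)."""
    best = math.inf
    for _ in range(repeats):
        start = time.perf_counter()
        derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def guesses_for_wordlist_attack(wordlist_size: int, rules: int) -> int:
    """Candidates to test: every wordlist entry times every mangling rule."""
    return wordlist_size * rules


def expected_crack_seconds(guesses: int, per_guess: float) -> float:
    """Expected wall time if the right candidate sits, on average, halfway through."""
    return guesses / 2 * per_guess


if __name__ == "__main__":
    # Constructed attacker model: a million-entry wordlist with a thousand
    # mangling rules, the rules-based style of attack the thread describes.
    guesses = guesses_for_wordlist_attack(1_000_000, 1_000)
    for iters in (1_000, 100_000, 600_000):
        cost = seconds_per_guess(iters)
        days = expected_crack_seconds(guesses, cost) / 86_400
        print(f"{iters:>8} iterations: {cost * 1000:8.3f} ms/guess -> "
              f"{days:12.1f} days for {guesses:,} guesses on this CPU")
```

The vault stays the same size and the user waits a fraction of a second longer to unlock it, while the attacker’s total work scales linearly with the iteration count; a GPU rig is faster per guess than this loop, but the ratio between settings is what the vault owner controls.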
True, but I have come round to the opinion that password strength, in itself, is overrated. As long as the password is not found in attackers’ password lists, rainbow tables etc. it is probably OK. I’m not sure that attackers use brute force much in real life. Phishing and dictionary-based attacks find plenty of “low hanging fruit”, not to mention slack security practices such as sites who store your password in plain text (sometimes they even email a confirmation like “Your new password is opensesame3” :rolleyes:).
My favourite definition of a secure password is that it is one that no one else has used (I guess with some caveats such as not using something that can be linked to you, such as your own full name etc.) It is not necessary to aim for a certain number of characters or a certain amount of entropy, although uncommon passwords naturally tend to score well on those counts too.
To me the real value of password managers is that they offer an easy way of making all your passwords different, so that one successful attack doesn’t mean you have to change all your other passwords. That the generated passwords might as well have insane 80-bit entropy or whatever is just a side bonus. I’ve tried manual site-specific password schemes something like the ones described above. They’re OK but keep getting tripped up by conflicting password restriction rules, such as eight-character maximums, so you end up having to remember several variants of the scheme. I find KeePass more convenient.
I do something close to this. A basic level password for forums and non-financial sites, a second level password for more important sites, and a critical password for financial and main accounts. The first two I upgrade every couple years, the last one changes regularly.
Spurred by this thread (I hadn’t been using a PW manager), I did a couple of hours of research and settled on LastPass. Price is reasonable ($0 to $12), and doesn’t require DropBox, and based on their “scare” last year it seems like they reacted in a way that I would hope they would.
I have a database. The table is password-protected (with a single password).
I disagree. Here are a few examples from a dump of over 122 million passwords cracked last year using a desktop computer with a single GPU. These passwords weren’t in his word list, so he used a rules-based John the Ripper attack: “resworb beW a gnisseccA.A”, “n47= …Timeout Delay: {”, and “pmar fo ytilibacilppa 5.1”. Ars Technica recently profiled a cracker with a 500 million entry word list and an efficient 25 GPU cluster. You can only imagine the kinds of rules-based, hybrid, and combinator attacks that he is capable of.
Using strings from a very good random password generator eliminates the attacks that crackers normally use, and forces them into an exhaustive test of all possible combinations.
I agree, sort of, that password strength as measured by the “quality” measure of password managers is not the best measure of whether or not you are going to get hacked. But, using the password manager to construct random character string passwords pretty much ensures the property you desire – that you’re getting a password that is not in any password list/rainbow table.
Discounting “social engineering” attacks as being unavoidable, typical attacks (of which there have been a few high-profile ones lately) tend to rely on password hashes from a site being leaked, and offline use of brute force to crack the table. A ridiculous (like 75%+) percentage of passwords – the “p@a$$w0rd” people – fall amazingly quickly.
Yes, but there are precious few real-life cases of people with site-specific, non-obvious passwords being hurt by their passwords being compromised. The hash dumps I have seen have been from non-critical websites, not banks or people who take security seriously. If you have a GPU rack and want to spend a day or two cracking a load of hashes from LinkedIn or something, knock yourself out.
Anyway, once you get up into the 30-bit range of password strength, other factors become more likely points of compromise. There’s no point in worrying about password strength beyond that point, unless you’re talking about national secrets or something.
Oh, those password evaluators can certainly be misleading. The strength of a password depends in part on the details of the scheme used to select it, which the password evaluator cannot know (or at least, they never ask, and seem to naively assume that you chose the characters completely at random).
Extreme example: a password like “sdVsdy£34ygr2Am76&09” may look strong, but it really only has one bit of entropy, under the scheme that I used to select it. That’s almost as bad as you can get. Except… how about “H&78ytf65fgio0o09J9T&76%e4u(U” ? That is even worse! It has zero bits of entropy, under another scheme that I have just designed.
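Added example (not from any poster in this thread) of the point made across the last few posts: entropy is a property of the selection scheme, not of the string, so a surface-only evaluator cannot tell a zero-entropy string from a CSPRNG output. The script compares a uniform random generator with the two fixed-string schemes described above (the sample strings are the ones quoted in the post, reused here as constructed inputs), and also shows how many characters a 94-symbol alphabet needs to reach the 30-bit and 80-bit figures mentioned earlier. The `looks_strong` evaluator is a deliberately naive stand-in for the checkers being criticised, not any real product’s algorithm.

```python
import math
import secrets
import string

# The alphabet a typical generator draws from: 26 + 26 + 10 + 32 = 94 symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Pick every character independently and uniformly with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def scheme_entropy_bits(equally_likely_outputs: int) -> float:
    """Entropy of any selection scheme: log2 of how many outputs it can produce
    (assuming they are equally likely). The string itself plays no part."""
    return math.log2(equally_likely_outputs)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest uniformly random string over this alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def looks_strong(password: str) -> bool:
    """Naive evaluator of the kind the post criticises: inspects only the string."""
    has = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= 12 and all(has)


# Two fixed strings from the post, reused as constructed sample outputs.
STRING_A = "sdVsdy£34ygr2Am76&09"
STRING_B = "H&78ytf65fgio0o09J9T&76%e4u(U"


def fixed_scheme() -> str:
    """Always emits the same string: one possible output, zero bits."""
    return STRING_B


def coin_flip_scheme() -> str:
    """Chooses between two fixed strings: two possible outputs, one bit."""
    return secrets.choice([STRING_A, STRING_B])


if __name__ == "__main__":
    rows = [
        ("fixed string", fixed_scheme(), scheme_entropy_bits(1)),
        ("coin flip between two strings", coin_flip_scheme(), scheme_entropy_bits(2)),
        ("15 uniform random chars", random_password(15),
         uniform_entropy_bits(15, len(FULL_ALPHABET))),
    ]
    for name, pw, bits in rows:
        print(f"{name:32} looks_strong={looks_strong(pw)!s:5} entropy={bits:6.1f} bits  {pw}")
    for target in (30, 80):
        print(f"{target}-bit target needs {min_length_for_bits(target, len(FULL_ALPHABET))} "
              f"uniform random characters from a {len(FULL_ALPHABET)}-symbol alphabet")
```

All three rows pass the naive evaluator, yet only the last one carries real entropy, which is exactly why a generator’s output is worth more than a memorable scheme that happens to produce similar-looking strings.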
I use 1Password although I wish I hadn’t started. In theory it’s a great idea: synching to all my mobile devices via iCloud and Dropbox. Except it doesn’t work with Dropbox with new installations (company still promising to fix that with an update) and took 2 weeks of effort to get it to synch via iCloud.
And in all that time the company support were useless. But having typed all my passwords into the damn thing I’m stuck using it. But at least it works now. Although not with Dropbox still.
When you say “new installations” what do you mean? Just want to make sure I follow.
It was an annoyance that it won’t do Dropbox sync without first doing a sync to a desktop version. As in, I had it set up on my iPod Touch, but couldn’t sync to my husband’s device via Dropbox - until I set up the desktop version of the 1Password software.
Fortunately, they make the desktop version available for a 30 day free trial. That’s enough to set it up, sync, then delete (or just quit using) the desktop version; after that one sync, it can go from one handheld to another without needing the desktop version.
It’s a bit odd that they’ve got it set up to work that way. But at least it was a one-time annoyance. Note that this was a year or so back, before iCloud sync was an option (I think).
Note: I did, a year or so later, wind up redownloading the desktop software, and paying the thirty bucks (or whatever) to keep it active.
Without using the desktop version (at least that once), the only way to get my data to my husband’s handheld was to do a full export (via wi-fi), then restore onto his which of course would overlay anything he’d entered.
I more or less arbitrarily chose KeePass (which I installed on a thumb drive) from a couple mentioned in a discussion of this comic, I forget where.
I use Secure+ for my iPhone. Thing is though, I still use hints as to which sites the passwords actually go to. So, if someone actually hacked my cell -and- my manager, they’d have to know what in the hell I was even talking about to get there in the first place to use them. No handy links for anyone!
I do that for a couple of sites I’m, um, especially secretive about. Also, for passwords I kept in clear in Notepad files until shortly after I hit “send” on this post. I should probably do it for everything on KeePass.
Needless to say, of course, my password for KeePass itself is something I’ve never used before, never used subsequently, and has no connection to me or to any of my other passwords that I can think of.
New purchasers (i.e. people not upgrading from a previous version) of the new version 4 are finding Dropbox synching doesn’t work. The company acknowledge this and are trying to fix it. Like I said - the damn thing would not even synch via iCloud until I found an old post in their support site via Google that suggested deleting the file in iCloud and starting again.
It would have helped if their support staff had suggested that straight off. I expect paid apps to just work, like every other iPad app I ever purchased does. I deeply resent being an unpaid beta tester.
The desktop version doesn’t yet have the facility to synch to mobile versions according to the company FAQ. Sounds like you’re running version 3. Stick with it. You have to buy v4 all over again.
Huh. Thanks for the info - I didn’t know any of that. You’re right, we definitely do NOT want to downgrade.
That’s some pretty essential functionality there, that they seem to have screwed up :(.