Hacked SDMB

I agree with you. It is bound to be better than storing your passwords in plain view, text files, notepads etc. I don’t do that. I just about succeed at storing them in my head, but when I’m asked to change a password because a site was hacked I feel like I have to make it completely different to what it was, which significantly lowers my chances of storing it in my head… So the idea of using a password manager comes into play… then I have to wonder if (not being as intelligent as I’d like to be) I do so without noticing a flaw in the plan.

What if I forget the password that gives me access to all my passwords? What if the computer I’ve got the password file stored on… dies… what if, what if.

In other words - not totally confident in password managers compared to what I’ve done for years.

PapSett, sorry if this is obvious, or has already been suggested, but have you tried using a different web browser?

Yes, they can. Although there are some pretty big hurdles: DashLane, for example, doesn’t store your master password anywhere, so they’d have to get it off of one of your physical devices. (Where it’s stored with a much harder to crack encryption than MD5: AES-256 encryption with 10,000+ rounds of PBKDF2 salt.) And any time you try to access your DashLane passwords from a device where you haven’t accessed them previously, they have to first validate the device by clicking a link sent to your email. So without physical access to your computer, getting your passwords out is going to be a challenge.

As JSexton said, password managers aren’t perfect but good ones are far more secure than what most websites use. Especially for most people, who tend to reuse weak passwords rather than memorizing a different cryptographically-strong password for every site they visit.

I worried about these problems for a while when I started using a password manager, and I eventually realized that they’re not such huge problems. I mean, it would be a hassle, but it’s still not insurmountable. You lose your password manager and you start fresh, and every time you go to log into a site that’s not yet in your new password manager, you have to do the old “reset password” song and dance, and enter the new password. It works out. Just don’t ever lose the password for the email account where all those “reset password” notices are going to go. :slight_smile:

What about the credit card numbers of paid members?
Like me!

Were our CCs taken?
Yes or no?

Try reading Ed’s announcement at the top of every forum. (It’s “No”).

Was an email actually sent out? I followed the link and changed my password…I just tried the new password on a different computer, and I was able to log in.

That happened to me when I forgot to enter my old password in the box at the top. :o

Jeez, leave the board for a day and look what happens.

The widespread disclosure of the vBulletin vulnerability? Since the middle of November. Many sites migrated away from vBulletin or completely shut down their forums by Thanksgiving.

I’m bemused (but not surprised, given the less than enthusiastic response to reports of prior things like malicious ads being served) that it took 6 weeks for the SDMB management to alert users to this.

Cite 1
Cite 2
Cite 3

I wonder how Dopers will react to this. I’ve seen a couple of forums where a lot of people left after a security breach like this.

This is life in the digital age I guess. There’s always a hack waiting for you just around the corner.

Still trying to figure out how and why the Straightdope sent the message to my work email. :confused: The only communication I have ever had with them is through my junk Yahoo account and I have never seen a message sent to my Yahoo account pop up in my work email.

I have a couple of times privately sent emails from my work account to one of the administrators a couple of years ago when there was a local Dopefest and to discuss a private matter, so perhaps my account got mingled in with the users’ accounts thanks to big brother Google. Not really going to sweat it since I most likely would not have found out about the hack so soon; I just kind of feel like I’ve been felt up in a friendly but creepy sort of way. :eek:

Which email is listed in your User CP?

My Yahoo account. I just looked at it when I changed my password. That and I have been very careful not to give out any specific work information on the board, let alone my work email address.

Very strange. Could you have set up email forwarding on Yahoo at some point? That’s all I got.

I thought the hamsters were trained to bite hackers? :confused:

GQ’d.

I changed my sub username for security.

We didn’t meet in high school, did we?

Nope, when I originally set up the account (12 years ago) I didn’t know how to do that. I basically stopped using the account about eight years ago for just about everything and let junk email go there. The Straightdope rarely if ever contacts you so I just never got around to moving it to another email account; in fact I considered it as a security feature having a message board only contact me thru a junk account. Still I go there about every other week now and delete loads of crap; got a couple of old email accounts like that. Been very careful not to link any of my email accounts and have been overly careful not to use my work email except for work and a chosen few people that I know and trust not to spam me. Also, my work is pretty good about preventing spam.

I’m pretty certain that it either may have been my private contact with an admin that somehow got my work email mixed in with the users’ email list (not that I blame them as most social websites now aggressively try and raid your contacts list) or now that I think about it my work email may actually be in my Yahoo contacts and it got mined somehow.

I downloaded a password generator and assigned them to my users.
They put them on post-its and affixed them to their monitors.
I gave up.

No kidding. When I got the email I logged in to find out where I could report a phishing attempt. That’s when I saw the sticky. I still didn’t use the links, I went directly to my CP to change my password.