Is a password manager safe from hacking? Or else I'll be as screwed as SD is now...

See subject. I’m in my panic room. And I really am the same Leo Bloom from before. Really.

Nothing is safe.

Why do you ask?

Ummm…, are you doing a Dustin Hoffman?

Well, maybe a Laurence Olivier.
No, I have no idea what your OP means. But, nothing is 100% safe. A keylogger will get you pretty much anything.

Read any good bulletin boards lately?

You really need to be less coy.

I just saw the announcement. It’s not exactly obvious.

Define “safe”. No, a password manager is not completely impervious to hacking. It is probably much safer than the sites where you would otherwise be entering poorly-constructed passwords.

The thread currently in ATMB about the hack has some discussion of password managers if you want to wade through it.

Yup, what TroutMan says. It’s not perfect but better than what you’d be doing otherwise.

Everything is susceptible to hacking, including password managers. What those tools do is make it easier for you to keep track of different passwords across multiple sites, thus avoiding the practice of using one username and password everywhere.

And that’s why it matters that the Straight Dope was hacked. Not because someone can log in and post to this message board, but because they can use the email and password you use for this site to access your other accounts.

If you used the same password at the SDMB as on your bank account, for example, you’d better go change that one ASAP.

Someone on the SDMB gave me the idea years ago of using a strong password that incorporates the initials of the website, so that, as an example, my password here might be swordfish01SDMB, while my Gmail password would be swordfish01GM.

I would imagine that’s more secure than using a password manager, since I doubt hackers look at the individual passwords and try to suss out the password pattern I use; they presumably just try the passwords they have on a variety of other services. If you are worried about it, though, you could mung the site-specific part of your password using a rot cypher (using the next letter of the alphabet, swordfish01TENC for the SDMB, for example).

FTR, thread topic is/was discussed, w/ good posts, on the first ATMB thread posted about this.

I think it should continue here, but double check…

ETA: Isn’t the password “haddock?”

Apologies. Such a short thread and I didn’t read it through.

Apologies particularly to beowulf, who can now be coy with me.

Password managing services like LastPass are guaranteed to be safer in at least one way: their hashing and/or salting algorithms for how they store the passwords are going to be the best available. If you choose a secure password in the first place, even if hacked, no hacker is going to be able to brute force their way to your password since all they will have is an extremely well-hashed and salted version of it.
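To make the hashing-and-salting point above concrete, here is an added example (written for this thread, not code from LastPass or any password manager): a salted, iterated PBKDF2 store beside a plain unsalted hash, showing why two users with the same password get different records and why every guess has to be recomputed per record. The iteration count and 16-byte salt are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor (not from the post): PBKDF2-HMAC-SHA256 with a per-record
# random salt. Every iteration is one more hash an attacker's guess must pay for.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak scheme: bare SHA-256, so equal passwords give equal records
    and one precomputed table serves every leaked database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'iterations$salt$hash' (hex). A fresh random salt per record means
    the same password never repeats and each record must be attacked on its own."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_records(password: str) -> tuple:
    """(unsalted records equal?, salted records equal?) for two users sharing a password."""
    plain_equal = unsalted_hash(password) == unsalted_hash(password)
    salted_equal = hash_password(password) == hash_password(password)
    return plain_equal, salted_equal


if __name__ == "__main__":
    # Constructed sample password borrowed from the pattern described in this thread.
    record = hash_password("swordfish01SDMB")
    print(record)
    print(verify_password("swordfish01SDMB", record), verify_password("swordfish01GM", record))
    print(same_password_records("swordfish01SDMB"))  # (True, False)
```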

Just bought 1Password. Lock that barn!

Since I first saw it I was intrigued by the xkcd strip about plain language codes and entropy referenced, developed, and commented on here.

Could someone smart here look at it, maybe flip through some comments there, and give a summary, with their own $0.02?

I do not use online password managers.

My password manager is Keepass. It exists in a thumb drive at home (duplicated with another thumb drive elsewhere). It cannot be hacked.

I’d lose my data stick. They look a lot like the used cartridges of e-cigs, as I found out to my regret recently.

Anyway, found this on the 1Password site, with a cross link in conjunction with Diceware passphrase generator, as of April recommending five words.

Those pages have more than I’ll ever need to know, so I respectfully withdraw my bleg. But anyone else’s $0.02 are still nice.

Any kind of logic you build into your passwords makes them (in principle) easier to work out. In practice, you’re probably right - hackers probably won’t be spending time handcrafting their assault on your accounts.

The key security benefit of a password manager is the same security benefit of a wallet - having placed all your eggs in one basket, you tend to carry it more carefully.

Mangetout already answered this but I’ll reiterate:

Password crackers most definitely take such recipes into account. I linked to this article before; it’s a little long but a highly informative insight into how actual crackers operate.

One of the take-home points is that it takes only a few minutes to brute-force all 6-character passwords. Beyond that, there are various tricks, but trying various recipes plays a big part, and it will take only a few more minutes to brute-force yours. In practice, it’s going to be even less because no part of your password is random.

Really, most security experts seem to agree that some form of password management system is the best form of defence. Unless you’re able to memorise dozens of either very long or very random passwords.
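Putting numbers on the xkcd/Diceware discussion earlier and on the claim above that all 6-character passwords fall in minutes, here is an added example (written for this thread, not from 1Password or the Diceware pages): entropy of a uniform choice, worst-case search time at an assumed guess rate, and a CSPRNG-backed passphrase picker. The guess rate and the tiny word list are assumptions; a real Diceware list has 7776 words, and that size is what the entropy figures use.

```python
import math
import secrets

# Real Diceware lists have 6**5 = 7776 words; this constructed stand-in only
# exercises the picker. The entropy figures use the real list size.
DICEWARE_LIST_SIZE = 6 ** 5
SAMPLE_WORDLIST = ["apple", "banjo", "cider", "dune", "ember", "fjord", "gable", "harp"]
PRINTABLE_ASCII = 95  # character set a 6-character password is drawn from
ASSUMED_GUESS_RATE = 1e9  # guesses per second for an offline attack: an assumption


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Worst case: try every one of the 2**bits candidates at the given rate."""
    return 2.0 ** bits / guesses_per_second


def diceware_passphrase(words: int, wordlist: list) -> str:
    """Each word is a uniform pick from the OS CSPRNG, so the entropy really is
    words * log2(len(wordlist)); a hand-made site-initials pattern has no such guarantee."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes() -> dict:
    """Bits and worst-case search time for the two schemes discussed in the thread."""
    six_char = entropy_bits(PRINTABLE_ASCII, 6)
    five_words = entropy_bits(DICEWARE_LIST_SIZE, 5)
    return {
        "six_char_bits": six_char,
        "six_char_seconds": seconds_to_exhaust(six_char),
        "five_word_bits": five_words,
        "five_word_years": seconds_to_exhaust(five_words) / (365.25 * 86400),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name:>18}: {value:,.1f}")
    print(diceware_passphrase(5, SAMPLE_WORDLIST))
```

At the assumed rate, six printable characters (about 39 bits) are exhausted in roughly twelve minutes, while five Diceware words (about 65 bits) take on the order of nine hundred years.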

The only thing safer than a password manager is having a photographic memory and using unique, long, unrelated PWs for every site that requires one. I use a combination of KeePass and Dropbox that makes my passwords available at home, work, and on my mobile devices. The password list is protected by a single, long, unguessable PW. KeePass will generate unique long Bin64 passwords for every site I use.