I have lots of passwords. I manage them, so to speak, by remembering the ones I use the most frequently, and for the ones I don’t, just hitting “forgot my password” when I log on to a site and stare blankly at the log-in page.
But I’ve heard that there are password managers, where you store your passwords on-line.
But isn’t that dangerous? Because if it gets hacked, all your passwords are there, ready and waiting.
But if it is safe, are there some that are better/easier to use/more highly recommended for a techno-peasant?
That is a real concern, but a good password manager keeps the passwords encrypted, so if you have a strong password, they probably won’t be able to find yours. The important thing is to have a strong password. The good thing is that you only have to remember the one password.
Password managers such as LastPass and 1Password are highly rated and very secure. In a gist, properly implemented, there is no risk of the master password being cracked and the individual passwords stolen. In addition, the encryption and decryption are performed locally, and only the encrypted file stored online. For a physical analogy, imagine a sealed envelope that is passed through the mail but only opened in a secured environment. The primary difference between encryption and physical barriers is that proper encryption is essentially impenetrable even with the most advanced technology.
I use 1Password at home and I have to use LastPass at work because that’s what the company provides. They both work, but I find 1Password a lot nicer to use.
I have a manila folder at home with pieces of paper in them. Each piece of paper describes one on-line account that I have: The user name, password, security questions and answers, and other details I might need to know.
The manila folder itself is labeled in an only-slightly-obvious way, and is stored on a nearby table along with a dozen or so other manila folders.
It can only be hacked by someone who physically enters my home. And anyone who enters my home probably isn’t looking for passwords to steal.
There are also password managers where you don’t store your passwords online. KeePassX is an example (and the one I use).
The passwords are stored in an encrypted file. If you want to have it available everywhere, you can put that file in, say, Dropbox, but you don’t have to.
Even though there is some risk in keeping passwords encrypted online, it’s still much much better than what most people do, which is use the same easily crackable password for everything.
Someone please tell me if I am correct or not: If Senegoid’s computer gets infected with a keystroke reader, it will see his passwords easily, but not if he uses a password manager.
Alternatively: Senegoid’s papers could describe files in the computer, and those files contain only the password. When you need a password, go there, and copy and paste it to the website. That will be safe from keystroke readers. And if your papers have nicknames instead of actual file names, it will be safe from home invaders too.
Senegoid, do you surf only from home? How do you access your passwords at work, or on your phone away from home?
I’ve never quite understood this theory. If you have a keystroke reader on your computer, odds are the same malicious program can be designed to also access the copy/paste function, and get the contents at the same time as you paste them into the password field.
Is there some reason why this should actually be more secure, that I’m unaware of?
As for recommendations, I use LastPass, and I don’t hesitate to recommend it because it serves me effectively.
I’d love to use password managers like LastPass, but I have the problem that I access online services from multiple computers - and one of them is my employer-issued laptop on which I’m not supposed to install third-party software.
I assume this means that I wouldn’t be able to use any LastPass-protected services on the work machine, as I would no longer know the “real” password for the site, and wouldn’t have LastPass available to log in for me?
LastPass technically can just work as an encrypted website. They have browser addons for all the major browsers, which will autofill fields for you, but if even that isn’t allowed, you can simply log into their encrypted website and access your passwords by using ‘copy password’ and paste it into where you want.
Yes, that brings in the very concern of copy/paste I just brought up, but if you have malicious password-grabbing software on your computer I’m not sure there really is a way to keep your password from being identified by it at all.
Right, the on-line accounts in question are for HOME use ONLY. I use Linux, which is not heavily targeted for malware. I run my browser with JavaScript disabled, I don’t click on links with reckless abandon (much), haven’t downloaded or installed any new software for years. So I don’t worry too terribly much.
I did change my Google password last year after they got hacked.
Whether LastPass and 1Password are “very secure” is pure speculation on your part. Both of these systems are proprietary; the source code is not made public so there is no way for users and reviewers to check for themselves that the products are free of security flaws or backdoors. Whether or not you should use such proprietary password managers ultimately comes down to how much you trust the companies behind them, as they freely admit:
Fortunately, no one need place their trust in one of these inscrutable black boxes, as there already exist a number of non-proprietary password managers that you can use instead. Free software has the complete source code available, so you can read through and compile it on your own and satisfy yourself that its security claims are genuine. (Or more likely, if you’re not a programmer or security expert, you could refer it to someone who is, or trust the judgment of the larger community of programmers and security professionals who have already examined the code.)
Examples of free-software password managers include the Mitro browser plugin, KWallet for the KDE desktop environment, and the GNOME Keyring for the GNOME desktop. And if you’re running the popular Firefox or SeaMonkey web browsers, you’ve already got a free password manager installed: the Software Security Device.
The OP specifically asked about safety and security, so the merits of free versus proprietary software are quite germane. Simply put, security claims of free software are in general falsifiable, whereas those of proprietary software are not.
Yeah, I use KeePass, too. I prefer not keeping my password vault in the cloud, although the risk is probably not that great. If you only have a few devices that you want to access passwords on, you can accept the minor hassle of keeping the file in synch manually. Every so often, I copy my password vault from my desktop to my phone and tablet.
Some keyloggers are hardware devices that sit between the keyboard connection and the USB port. Those only have access to the keys pressed, and cannot snoop the clipboard.
An attacker might use a hardware keylogger if he were attacking an installation with strong software security policies but weak physical security policies. Most corporations have pretty tight software controls, but when was the last time you pulled your computer out and looked at what was plugged into the back?
From everything I know and have read I think your method is safest. You can’t hack paper. Properly maintained it should be 100% accurate and 100% secure, as long as the bad guys don’t have physical access to your paper(s).
I go one step further and answer security questions that some sites require with dumb answers, like for “Mother’s Maiden Name” I would put “4323.” For another site I might put “Baseball.” This has two advantages, first of all you aren’t giving real personal information to the site, and secondly if one site gets hacked and the hackers get your security question answers then you don’t have to worry about those answers compromising your security questions on other sites. Write the security question and answers down with the login information for each site.
Yes, but for some people it may not be convenient. If you use multiple computers (say, one at home and one at the office), then you need to remember to take your paper with you all the time, or else you need to keep a separate copy in each location and keep them synchronized. Also, if you use a large number of websites, then organizing the list is a chore—either you record the websites in the order you register an account there, in which case it can take you a while to find the site’s entry later, or you keep the list in alphabetical order, in which case you can’t really use a single piece of paper but need something with lots of space, like a booklet.
Electronic managers can solve these problems by organizing and synchronizing your passwords for you, and may have other benefits such as suggesting secure passwords (or at least detecting and warning against cryptographically weak ones), and automatically filling in login fields when you visit websites.
One thing I’m not clear on: I use PCs for home and work use, but I also have an iPhone and iPad. I can’t see using a password manager only on the PC, since I sometimes want to open password-protected sites on my iOS devices.
How does this work? I don’t want to add a whole bunch of complexity to opening up sites on one architecture or the other.