Password Manager - Secure?

Al Launier

I'm curious what you think of using online Password Manager (PWM) software, how many actually use one, and which one do you prefer.

I'm somewhat apprehensive about using a PWM, such as LastPass (supposedly highly rated - http://online-password-manager-review.toptenreviews.com/). The concern is obviously hacking vulnerability, or access by big brother, as the PWM data centers could be just as vulnerable as others. Once an I-site log-on account has been established, the info remains "out there" despite the encryption used by the site, and whether the site is used or not. So, I have some concerns regarding the security aspect of using PW Manager software to keep track of all my log-on info.


  • Is the PW Manager Encryption protection any better than what is provided by the site?
  • Does the PWM actually prevent the use of log-on info, i.e. does it block the log-on info from the site until the site is accessed by the user, as recognized by the user's PC ID, or is it just a convenient way to keep the list for the user?
  • With the PWM “issuing” the PW, who/what monitors the issuer?
  • Is it really a useful tool?
 
First I should state that I do not consider the internet very safe in nearly all respects ;-) I have no experience with an online manager but the idea disturbs me. At work we use KeePass with good success. We have many passwords to track and most are randomly generated and frequently changed. Like a speed dial number on your phone leaves you forgetting the actual phone number, password managers can "help" you forget what the actual password is since you don't regularly see or type it. This is not a negative per se, just an observation.
 
I have been using Dashlane for three months. I have a thick notebook full of passwords and finally got tired of trying to create passwords I could remember easily without compromising all my sites. Dashlane syncs with my cell also. It tracks all the sites I have accounts on, tells me which passwords have been used on more than one site, tells me the strength of each password in terms of 'hackability' and will create passwords for you. It came in handy today after Yahoo got hacked. I got a notification from Dashlane even before Yahoo notified me. You can set it to automatically log you on to a site, manually log you on, or log you on only when you have entered a master password. They claim to be as secure as you can get on the internet--with high grade military encryption. Very pleased with it so far. YMMV
https://www.dashlane.com
 
I've used a couple of different ones: KeePass and 1Password keep the data files local; I think LastPass encrypts the passwords with AES-256 prior to sending them over SSL and stores them encrypted. I don't store banking and email passwords, but use it for keeping track of various online forums and other like places. I found I just don't remember those and hate keeping them written down, so they work well for that purpose.
 
+1 to LastPass. Darren is correct: they never get the unencrypted passwords, as they are encrypted locally and then the encrypted version is sent to their site. IMHO your risk profile with something like that is about on par with having your local computer compromised. I certainly wouldn't trust ANY solution that stored unencrypted passwords or where the passwords were encrypted on their side.

There are some local password storage solutions like the ones Darren mentioned. The one I've used is Password Safe http://passwordsafe.sourceforge.net/ - which you could store a backup copy of in "the cloud" (gah, "cloud", stupid name, they're still just computers anyway...) because it's an encrypted file. That's obviously slightly less convenient.

If you're really paranoid you could put the password safe files on something like an ironkey that adds another layer of hardware encryption on top before you can get to the safe. Although practically I don't really think it adds a lot of safety over an encrypted file (it is convenient for storing documents and encryption keys you don't want to encrypt for some reason).
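The point in the two posts above, that the vault is encrypted on the client and the service only ever stores bytes it cannot read, is easy to show in code. The following is an added example written for this thread, not code from LastPass, Password Safe or any other product. It stretches the master password with PBKDF2-HMAC-SHA256 and authenticates the blob with HMAC; because the Python standard library has no AES, the example substitutes a SHA-256 counter-mode keystream for the AES-256 a real product would use (an assumption made so the example runs without third-party packages). The iteration count is also an assumption; production tools use far more.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption for this demo; real password managers use a much higher count.
PBKDF2_ITERATIONS = 100_000


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into one encryption key and one MAC key.

    This runs on the client only; the master password never leaves it.
    """
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for the AES-256 stream a real
    product would use, chosen only so this example needs no extra packages."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> bytes:
    """Client side. Returns salt || nonce || ciphertext || tag, the only thing
    that is ever uploaded to the sync service."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers everything the server stores.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Client side. Verifies the tag before decrypting; returns None when the
    master password is wrong or the blob was tampered with."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def server_sees_plaintext(blob: bytes, secret: bytes) -> bool:
    """What a compromised sync server could learn by reading the stored blob:
    True only if the secret appears in the clear inside it."""
    return secret in blob


if __name__ == "__main__":
    # Constructed sample vault entry; not a real credential.
    entry = b"site=forum user=al password=hunter2"
    blob = encrypt_vault("correct horse battery staple", entry)
    print("round trip ok:", decrypt_vault("correct horse battery staple", blob) == entry)
    print("wrong master password:", decrypt_vault("guess", blob))
    print("server can read password:", server_sees_plaintext(blob, b"hunter2"))
```

The server-side function is the whole argument of the post: nothing it stores contains key material, so a breach of the service yields the blob and nothing else, and the attacker is back to guessing the master password, which the PBKDF2 stretching is there to slow down.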
 
I just use 'PassworD1' for everything. So far, so good! Easy to remember, and the capital 'D' really fools the hacksters. :thumb: :rofl:

Seriously, I don't trust online password managers, and don't even use a local one. Like Ted, I have a book of 'em, and it drives me crazy, but I've not taken the plunge into password managers.
 
One additional comment about LastPass... they support multi-factor authentication, which makes it much more secure. Basically, you keep a small program on a USB thumb drive that generates one-time-use passwords. In order to access your password vault you need to know the vault password AND generate a key using the thumb drive. So, if a hacker cracks your vault password it does them no good unless they also possess your thumb drive. For convenience, it's possible to treat certain computers as trusted, requiring only the password after the initial 2-factor login.


--dave
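Dave's one-time-use passwords are, in most tokens, the HOTP/TOTP construction from RFC 4226 and RFC 6238: a secret shared once between the token and the server, and a 6-digit code derived from it plus a counter or the current 30-second time step. The example below is added for this thread and is not LastPass's code; the token program on the thumb drive and the server are both stood in for by plain functions, and the stored vault password hash uses a fixed constructed salt purely for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side
    to tolerate clock drift between token and server."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * 30), code):
            return True
    return False


# Constructed server-side record for one user. The vault password is stored
# only as a salted PBKDF2 hash; the TOTP secret must be stored as-is because
# the server has to recompute the code.
DEMO_SALT = b"constructed-demo-salt"  # assumption: a real server uses a random per-user salt


def hash_vault_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DEMO_SALT, 100_000)


def two_factor_login(record: dict, supplied_password: str, supplied_code: str, now: int) -> bool:
    """Both factors must pass. A stolen vault password alone fails because
    the attacker cannot compute the code without the token's secret."""
    password_ok = hmac.compare_digest(record["password_hash"],
                                      hash_vault_password(supplied_password))
    code_ok = verify_totp(record["totp_secret"], supplied_code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    # The shared secret from the RFC 4226 test vectors; constructed record.
    secret = b"12345678901234567890"
    record = {"password_hash": hash_vault_password("my vault password"),
              "totp_secret": secret}
    now = 1_111_111_111
    code = totp(secret, now)            # what the thumb-drive program displays
    print("login with both factors:", two_factor_login(record, "my vault password", code, now))
    print("stolen password, guessed code:", two_factor_login(record, "my vault password", "000000", now))
```

Two things a practitioner should notice: the server keeps the TOTP secret in the clear, so it needs the same protection as any other key, and the drift window means a code stays valid for up to 90 seconds, which is why codes should also be single-use per step.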
 
I like the thought of the one time key generator that Dave mentioned. That ups the ante significantly. For those still keeping the written passwords, do you have some kind of back up plan in case the house burns down? Backing up books could be a real pain.
 
Don't trust the generator thingies... I use acronyms pertaining to each site {that I frequently use, others in a book}, for instance, something along the lines of IE:> 4fwwfpw2c {for family wood-working forum pass-word to see}; the only thing that changes is the site name :dunno: been working for me for over a decade or so....and btw, no, that is not my actual system per se ;):D
 
Folks, sorry for such a long post, but password security is something near and dear to my heart.

Ken's suggested approach works well, in that it uses a semi-random sequence of characters for the password. Many folks are not in that good of shape. In a former life I was a system administrator for a small company, and I would periodically run password-cracking software on our accounts. Every time I did it I would end up cracking several users' passwords. Imagine their surprise when I sent them an email with the subject, "Your password is <blah>" :thumb: This software used what are called "dictionary attacks"... it took a list of commonly used passwords and tried them. While it would take a person at a keyboard a lifetime to crack one, a computer can do it in seconds. The name is a bit of a misnomer too... I always got replies like, "but my password isn't a real word... it can't be in a dictionary!". Sorry folks, you have to assume that any non-random password (or at least, those that appear non-random to a typical user, e.g. someword123) is in a hacker's list somewhere, and if they can hack a website and get a copy of that system's password file they can eventually crack such passwords.

Now, I'd always used "strong" passwords in the past, and got to be quite overconfident in the protection that was providing. I might have different passwords for several key accounts, but as the need to register and create a password for website access has proliferated, I found myself using the same strong password for multiple sites. At last count, I have 217 unique accounts... no way I could remember that many distinct passwords, so why not just pick a good one and replicate it? Sound familiar?

Well, a couple of years ago, one of the sites I had an account on was hacked, and the hackers actually got the clear-text versions of the passwords for the site. In other words, they didn't have to do anything to crack the individual logins... once they were into the system they were able to read the passwords of everyone on that system. It didn't matter how secure MY password was... they could read it from this (inexcusable) site's files. Now, since that site, like many others, used my email address as my login, and that password was one that I used on multiple sites, I was faced with a very bad, very real situation... What would happen if those hackers started to try random systems (maybe email sites like Yahoo or Google, or banking sites, or healthcare sites, ... you get the picture). Since they knew one of my passwords, and they knew my email (login ID), they could try it on any number of systems automatically and might stumble on one that had the same data. Whoops... now I had to go to all of my accounts and change the password for each... bummer, and quite a time-sink.

So what lessons can we pick from this about password security? There are really two problems we have to deal with related to passwords... the first is how do we generate a strong password, and the second is how do we keep track of a unique password for each login we have? LastPass and similar programs try to address both questions. Most have a password-generation capability... some way to generate random, secure passwords. So, you don't have to come up with a good password... you can select what criteria you want the password to follow (e.g. how long, what characters, punctuation/special characters, etc.) and it will generate one for you. It will also store the information about that account (login, password, URL/web link, notes, yada, yada) securely so you don't have to remember it later. Many of these programs also provide some way to easily access the password information when you need it. In the case of LastPass, they have plugins for your web browser that will offer to fill in the login information for a site when it recognizes that you're visiting a site it knows about. Sweet! Now I don't even have to remember my passwords, which would be really hard to do with an ultra-secure, 25 random character password :eek:. (Honest... if someone were to ask me what my password is for this forum, I'd have to look it up. I never see it or type it anymore... I let LastPass do it for me.)

So, I bit the bullet, made the switch, and never looked back. I recommend you do the same. Take a look at the programs that are out there... find reviews and compare their features. Find something that works for you. Some of them store the passwords online in a secure format. Others only store it locally. Figure out what you're comfortable with and give it a shot. There are commercial versions, but many of the best options are free (KeePass, LastPass, and others), so that shouldn't get in your way. Many of these also have some capability to work on mobile devices like your phone or tablet, although that's often reserved for a premium version.

If you've got a system like Ken does for generating unique passwords and remembering them, great! You're in fine shape, and probably don't have to worry. If you're like I was and have a few passwords that you use for everything, whether or not those are strong passwords or trivial ones, then you owe it to yourself to look at the options.

<stepping off my soapbox :D>
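The post above names the two jobs a password manager does, generate a random password to chosen criteria and keep one per account, and also explains why "someword123" style passwords fall to a word-list attack even though they are not dictionary words. The example below is added here and is not code from LastPass, KeePass or any other product: it generates passwords with the `secrets` module, reports the entropy the chosen criteria give, and runs the same normalisation a strength checker applies (lower-case, strip the trailing digits and symbols, undo common letter-for-symbol swaps) against a small constructed word list, so you can see why "PassworD1" from earlier in the thread is not the disguise it looks like. The word list and the leet mapping are constructed for the example.

```python
import math
import re
import secrets
import string
from typing import Sequence

CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length: int = 25, classes: Sequence[str] = ALL_CLASSES) -> str:
    """Random password drawn with a CSPRNG, containing at least one character
    from every requested class (the 'criteria' a manager lets you pick)."""
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARSETS[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length: int, classes: Sequence[str] = ALL_CLASSES) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(sum(len(CHARSETS[c]) for c in classes))


# Constructed stand-in for the word list a cracking tool would carry.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "someword",
                "dragon", "monkey", "football"}
# Constructed mapping of the usual symbol/digit-for-letter substitutions.
LEET = str.maketrans("@$0135!", "asoiesi")


def normalise(pw: str) -> str:
    """Reduce a human-chosen password to the word it was built from."""
    core = pw.lower()
    core = re.sub(r"^[^a-z0-9]+", "", core)   # leading punctuation
    core = re.sub(r"[^a-z]+$", "", core)      # trailing digits/symbols, e.g. '123' or '!'
    return core.translate(LEET)


def looks_dictionary_based(pw: str) -> bool:
    """True if the password reduces to a word-list entry, i.e. it would be
    found by the kind of list-driven guessing the post describes."""
    return normalise(pw) in COMMON_WORDS


if __name__ == "__main__":
    pw = generate_password(25)
    print(f"generated: {pw}  ({entropy_bits(25):.0f} bits)")
    for candidate in ("someword123", "P@ssw0rd!", "PassworD1", "4fwwfpw2c", pw):
        print(f"{candidate!r:30} dictionary-based: {looks_dictionary_based(candidate)}")
```

The entropy figure is only meaningful for the generated passwords; for a human-chosen one the relevant number is the size of the list it would be found on, which is what the second check approximates.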
 
I have Kaspersky PURE 3.0 & it has what they call an Encrypted Container for storing personal data on a virtual drive & requires you to have a password (PW) to access the container.

It still makes me wonder if a hacker can access the virtual drive & decrypt the access. Do any of you have this sort of "protection" & what do you think of it? Would this be a safe way to store private info, including PWs?
 
Thanks Mohammad. Those are good suggestions.
In trying to minimize the amount of protection software on my PC and to avoid any potential software conflicts with my Kaspersky PURE 3.0, I wonder if the Kaspersky "Encrypted Container" is a viable alternative. Was wondering if anyone else has used this & how it worked.

PS: the TrueCrypt link doesn't appear to be designed for Windows 8.1. The Wise Folder seems to be similar to the Kaspersky Encrypted Container in concept, but with limited, if any, encryption.
 