
I've searched Neowin but found nothing.

 

What do you all think about the security of password managers? Is it wise to trust a developer to store your passwords, whether or not you paid for the software? What if the developer has hidden malicious intentions, or is inexperienced in security?

 

Could you all recommend any programs for storing passwords, if so, why? What evidence is there to support your argument? 

 

I ask this because at school some guy who has been in the IT industry uses an app on his phone that integrates with Google Chrome to save his passwords. He raved about it; however, in this day and age I am already wary enough of trusting the website with storing my password and details, let alone allowing a second party to hold my credentials.

 

Just a side note, I would never store my passwords in a plain text document that was encrypted. That would be silly :D.

https://www.neowin.net/forum/topic/1322074-password-managers/

Not all password managers sync to remote storage. I think that Avast's stores locally encrypted, for example, but any major vendor can be trusted to an extent. I don't use mine (currently using LastPass) for anything sensitive, just to manage the myriad of net passwords that I care about but can survive having compromised (things from forum accounts to Netflix etc). This lets you use more unique passwords for each site and prevents all accounts being vulnerable (provided your master pass is safe, of course). I think I have around 40 sites stored, most of which I rarely use and could never remember passwords for effectively without sharing them between sites too much. For critical important sites, such as banks and places that can be charged (Amazon, email accounts, etc) I'd recommend keeping the passwords in your head.

I use lastpass, and have been using it for years.  I store my bank passwords in there I have that much trust in them.  There is also the 2Fa part that even if someone got the password from lastpass account they would still need to beat the 2fa, etc..

 

I currently have 255 sites in my lastpass, plus other notes and such in there for info that are not website logins..
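The "still need to beat the 2fa" point above rests on the one-time code being derived from a second secret (the TOTP seed on the phone) that the vault password does not reveal. As an added illustration, not code from the original thread and not LastPass's implementation, here is the standard RFC 4226/6238 code generation and verification using only the Python standard library. The seed is the ASCII reference string from RFC 6238's test vectors, not a real account secret; the 30-second step, six digits and +/-1 step tolerance are the common defaults and are assumptions here.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) with only the standard library.
A stolen vault password alone does not produce these codes: the attacker
also needs the seed, or the device that holds it."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed test seed: the ASCII string used in the RFC 6238 reference
# vectors, NOT a real account secret.
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC over the big-endian 64-bit counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, digestmod)


def seed_from_base32(encoded: str) -> bytes:
    """Authenticator apps carry the seed as (often unpadded) base32, as in otpauth:// URIs."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (clock drift), comparing in constant time. A real verifier must also
    remember the last accepted counter so an observed code cannot be replayed."""
    if at_time is None:
        at_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = int(at_time) // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        # no early exit: timing does not reveal which step matched
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    # RFC 6238 Appendix B vector for SHA-1, T=59: 94287082
    print("TOTP at T=59 (8 digits):", totp(RFC6238_SEED, 59, digits=8))
    now = time.time()
    print("current code accepted:", verify_totp(RFC6238_SEED, totp(RFC6238_SEED, now), now))
    stale = totp(RFC6238_SEED, now - 300)
    print("five-minute-old code accepted:", verify_totp(RFC6238_SEED, stale, now))
```

The replay caveat in `verify_totp` is the part that gets dropped most often: a phishing proxy that relays a freshly typed code within the window defeats this scheme, which is why a manager storing "password + TOTP seed" in the same vault is convenient but collapses both factors into one secret.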

11 minutes ago, BudMan said:

I use lastpass, and have been using it for years. I store my bank passwords in there I have that much trust in them. [...]

BudMan, what would you say about sticky passwords?

sticky passwords?  Until you mentioned it I had never heard of them.

 

Taking a look at their website - $30 a year to be able to sync your passwords.. lastpass is FREE ;)  I have premium for $12 a year..

 

I don't see anything there that would tempt me to switch that is for sure..

I use Dashlane because I got a good discount otherwise would have chosen LastPass. Dashlane syncs into all my devices and is further protected by 2FA. Apart from 100+ passwords it has a digital wallet and secure notes and some of the passwords are shared with family members for family accounts and allows them to have either Limited (view only) or Full (View and Edit) permissions to these shared passwords through their own individual accounts.

11 hours ago, BudMan said:

I use lastpass, and have been using it for years. I store my bank passwords in there I have that much trust in them. [...]

I have been using Lastpass for over 2 years now and LOVE IT! I always recommend it to family and friends. Like Budman pointed out, they have great security. There have been a couple of attacks on their sites in their time; however, they took the proper precautions in how they set up their servers, so nothing important was accessed.

 

You can Google the Security Now! podcast with Leo Laporte and Steve Gibson and they've had the owner on several times to talk about the attacks and Lastpass software and security.  If Steve Gibson gives them the thumbs up I trust his recommendations.

13 hours ago, BudMan said:

I use lastpass, and have been using it for years. I store my bank passwords in there I have that much trust in them. [...]

 

486 passwords here! :D

13 hours ago, LoboVerde said:

If Steve Gibson gives them the thumbs up I trust his recommendations.

Yeah, let's be clear - I do not have the same feelings for that quack...  He is a sky-is-falling poseur.. Glad you enjoy his podcasts, etc.  But mostly he loves to spread FUD and panic..

 

http://attrition.org/errata/charlatan/steve_gibson/

I use 1Password and sync the data using Dropbox, I don't really want to store all my data on 1Password's new cloud service, so Dropbox is ideal and the 1Password mobile app can read data from Dropbox too.

 

1Password encrypts the data, my Dropbox used 2 factor authentication and i'm still in full control of the data, meaning i can make an offline copy and store it on an encrypted USB drive. That's good enough for me.

9 hours ago, BudMan said:

Yeah, let's be clear - I do not have the same feelings for that quack...  He is a sky-is-falling poseur.. Glad you enjoy his podcasts, etc.  But mostly he loves to spread FUD and panic..

 

http://attrition.org/errata/charlatan/steve_gibson/

Hm, interesting. I'm going to have to check the validity of what this page is claiming. But I will say I doubt he'd try to pretend to be a "sky is falling" person; that doesn't even make sense.

 

Do you know whose website that is? http://attrition.org

 

Do some research on that nut job... He has called so many the "sky is falling" issues out for years and years trying to call attention to himself.  Raw Sockets was going to kill the internet ;)

 

http://www.theregister.co.uk/2001/06/25/steve_gibson_really_is_off/

 

Here is a quote of his..

"When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before."

 

While he can make things easy for the lay person to understand sometimes - he is like chicken little, and loves to cry wolf!!

 

 

I use Lastpass.  Highly recommend.  2-factor everything possible though, and be smart.

 

I have 150+ sites in my Lastpass vault, all with unique passwords.  If you don't have unique passwords for each site, you do run risks, so password managers are a must.

 

I don't understand the lack of trust in password managers.  I think the risks of password management outweigh the risks of compromised sites.   For example, let's say you have an account at "Joe's Company".  If "Joe's Company" ever got hacked, any data about you is compromised, and everywhere else where you have the same user/pass is also potentially compromised.  Additionally, you'll never really know if "Joe's Company" was ever compromised.  It could be years ... look at Yahoo for example.  So if you want to truly be secure you need a different user/pass for every site you ever visit, and unless you come up with a weird "system" for everything, you might as well KISS-principle the thing under the guidance of a password manager.

 

Companies like Lastpass make it their business to do this.  They consistently invite people to try to hack them.  They iterate constantly on their security.  It's documented and trackable.   They have had a breach in the past, and responded appropriately and fixed the symptom as well as stated there was no disclosure of user data and notified the public.   That speaks volumes to me.  (I'm just saying: it's ok to be paranoid, but there should be reasonable limits to paranoia -- everyone gets hacked but what is the real risk of this?  How is it handled?  This kind of stuff differentiates real security companies vs ones just going through the motions.  I can reference issues where security issues were pointed to Lastpass and there were patches within 24 hours!)

 

I have tried 1Password, and while I did like it, they were less cloud friendly.  And honestly, Lastpass is cheaper, if not outright free.  

10 minutes ago, mram said:

I use Lastpass.  Highly recommend.  2-factor everything possible though, and be smart. [...]

 

A certain subset of people here actually believe they are smarter than the rest of us and that they can memorize 100+ "unique" passwords.

Of course, all it takes is to crack the code for one and you have them all, but remember, they are smarter and better than the rest of us.

Everybody here seems to speak about last pass (well okay not everybody, but the majority).


I have a terrible memory, maybe because I don't get enough sleep. I'm going to look up a few of these tomorrow.

 

One of the things I was talking with one of my neighbors about was cloud storage being inherently unsafe, or rather expect no privacy. Of course if somebody were to snoop around your house they may have a better chance of getting your password than if you used a password manager to store it (if you wrote the password down that is). Nobody can read your mind (yet).

25 minutes ago, SpeedyTheSnail said:

One of the things I was talking with one of my neighbors about was cloud storage being inherently unsafe, or rather expect no privacy. Of course if somebody were to snoop around your house they may have a better chance of getting your password than if you used a password manager to store it (if you wrote the password down that is). Nobody can read your mind (yet).

Sure, that's a fair argument.  But understand that virtually everything is going to the cloud, in general -- cloud based computing is everywhere.

 

The issue isn't so much about whether your data is accessible by "bad guys"; it's whether they can do anything with it IF they get it.  Encryption is a great thing.  Think of it like burying a safe somewhere hidden.  Sure, you might find it, but then you have to open it.  And then when you get in there you will have to translate it.  And decode it.  And understand it.

 

And also understand that Lastpass (like most reputable vendors I understand) do not keep a "master key" for many varied reasons.  I work in IT and I could tell you reasonably with assurances that most companies who are involved in this stuff really don't want this access, as insidious as you might think they would be.  You're just not allowed legally to refuse access and still have a "back door" ... it's either legally allowable or you can create a self-securing solution by simply not having the "master key" at all.

 

So having said that, assume the hypothetical worst case:  Data is (again, hypothetically) stolen from Lastpass, and they never knew about it, and you never found out.  It would take the bad guys a long time, like years if even possible**, to decrypt your specific blobs of data to get your passwords.  If you were doing good security practices, you would've cycled your passwords anyway by then and there's really no issue.  

 

In short, that's a heck of a lotta "ifs" and a whole lot of reasons to have faith -- especially given that encryption is just getting better and better.  In short, encrypted cloud data is generally safe, as long as you're not bad about it.  Lastpass even gives you good tools to change passwords automatically, it checks environments for you, alerts for changes, etc.  I'm not trying to push Lastpass so much as provide general awareness into cloud computing being generally safe -- but one should always investigate what is being utilized for protection, how they have reacted to attempts, what resilience they have had to attacks, what bug checks have been done against them, etc.

 

** brute-force decryption of an aes-256 key is damn near impossible by modern standards.  Of course computers get better, but so will encryption, so I expect by the time one could reasonably move the brute-force decryption of an AES-256 key down to mere decades of supercomputer work, we would have moved to AES-512 or whatever.  In a nutshell "never say never" but the idea that someone could randomly decrypt an AES-256 encrypted blob of data is pretty much impossible by modern standards.  But even for the sake of argument, I'm assuming it is possible... so I must have a screw loose.
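The post above makes two claims worth seeing in code: that a vendor can hold the vault without holding a "master key", and that an attacker with a stolen blob faces a long offline job. As an added example (not code from the thread, not LastPass's or any vendor's actual design), the following Python sketches the client-side key derivation such a design relies on, and puts numbers on the brute-force cost. The point it adds to the post's AES-256 footnote is that nobody brute-forces the AES key; they guess the master password, and each guess costs one full run of the key-derivation function. The iteration count, the attacker throughput figure and the password-length scenarios are assumptions chosen for illustration.

```python
"""Client-side vault key: derived from the master password by a slow KDF,
never sent anywhere. A stolen blob (salt + verifier + ciphertext) is attacked
at the KDF's speed, bounded by the master password's entropy, not by AES-256."""
import hashlib
import hmac
import math
import os
import secrets
import string
import time
from typing import Optional

# Assumed parameters for this illustration, not any vendor's real settings.
KDF_ITERATIONS = 600_000            # PBKDF2-HMAC-SHA256 rounds per unlock attempt
VERIFIER_LABEL = b"vault-key-check"  # domain separation for the key-check HMAC
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """The only place the vault key is produced: on the client, from the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_vault(master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """What a sync server could store: salt, work factor and an HMAC verifier.
    None of it lets the server (or a thief) recover the key without guessing."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(vault: dict, master_password: str) -> Optional[bytes]:
    """Re-derive the key; hand it back only if it reproduces the stored verifier."""
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, vault["verifier"]) else None


def generate_site_password(length: int = 20, alphabet: str = SITE_ALPHABET) -> str:
    """Unique per-site secret from the OS CSPRNG: no 'system' to infer across sites."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy: float, iterations: int, hmac_per_second: float) -> float:
    """Expected time to hit a secret of `entropy` bits when each guess costs
    `iterations` HMAC evaluations; on average half the keyspace is searched."""
    guesses_per_second = hmac_per_second / iterations
    return (2 ** entropy) / 2 / guesses_per_second


def local_hmac_rate(sample_iterations: int = 20_000) -> float:
    """Rough single-core PBKDF2 throughput on this machine (HMAC evaluations/s)."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"bench", b"salt", sample_iterations, dklen=32)
    return sample_iterations / (time.perf_counter() - t0)


if __name__ == "__main__":
    vault = create_vault("correct horse battery staple")
    assert unlock(vault, "correct horse battery staple") is not None
    assert unlock(vault, "correct horse battery stapler") is None
    print("site password:", generate_site_password())
    print(f"this machine: {local_hmac_rate():,.0f} HMAC/s")

    attacker_rate = 1e12  # ASSUMED: a large GPU rig's PBKDF2-SHA256 throughput
    year = 365 * 24 * 3600
    for label, bits in [("8 lowercase chars", entropy_bits(8, 26)),
                        ("12 mixed chars", entropy_bits(12, 94)),
                        ("AES-256 key itself", 256.0)]:
        secs = expected_crack_seconds(bits, KDF_ITERATIONS if bits < 256 else 1, attacker_rate)
        print(f"{label:20s} ~{bits:5.1f} bits -> {secs / year:.3g} years")
```

With the assumed figures, the eight-lowercase-character master password falls in hours and the twelve-character mixed one in millions of years, while the bare 256-bit keyspace is out of reach regardless of the KDF. So the "years, if even possible" in the post is decided by master-password entropy and the iteration count, and the "cycle your passwords" advice only helps if the blob was stolen after the rotation.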

On 2/11/2017 at 6:22 AM, BudMan said:

sticky passwords?  Until you mentioned it I had never heard of them. [...]

I paid for the premium as well.  A nice little chrome add-on and my password sync travels across all of my devices.

Why even consider some no-named password manager from some company you never heard of where you are considering the possibility of "... if the developer has hidden malicious intentions, or is inexperienced in security..." ?

LastPass will do what you need, is well known, has multifactor authentication.
