Thread: Password managers – yeah, nah, what?

Crikey FF, with that level of PW security either you have real wealth, or are setting down a challenge to genius hackers. How are your scripts protected? Encryption?

The one thing that bothers me is that when any "data repository" is cracked/hacked/poorly managed the data loss is often very substantial, and affects many thousands perhaps even millions of "customers." The "service providers" aren't exactly forth coming about admitting or notifying the hack in a timely manner either - to mitigate their reputation / brand damage.

I much prefer the less convenient, manage it myself approach, with the old "gun security" approach ammo / bolt /rifle all stored in separate locations. Multi source authentication is a good thing imo - except when a telco incompetently disconnects your mobile number. Try living without OTP authentication for a month!

I'm always flabbergasted by parents whose whole digital life is on their mobile phone and they hand it over to appease a tantrum throwing child to allow them to play games.

Asking for a friend - What happens when finger print ID can't be used? i.e. finger injured, burns, amputation etc.

I usually find my fingerprint doesn't work on Mondays after a busy weekend in the garden. Back to the password until the scars wear off/grow out...

The point of password managers is to make it easy to have a unique password per site, which limits the damage caused by a breach.

And encourage use of more complex passwords, which reduce somewhat the possibility of being "hacked".

Originally Posted by Mobyturns

Asking for a friend - What happens when finger print ID can't be used? i.e. finger injured, burns, amputation etc.

Oh, this couldn't have come at a better time. In 2 hours I am going out to buy a new phone as my old one doesn't support the Covid check-in app. The new phone uses fingerprint recognition.
Every trip to the US I get stuck at the Immigration desk as I have very poor fingerprints due to work and sanding on the woodlathe and their machine can't read them. Luckily they have my iris scan so that's my backup.
I hope that the phone has some alternative way of getting in?
Rgds,
Crocy.

Originally Posted by Mobyturns

Crikey FF, with that level of PW security either you have real wealth, or are setting down a challenge to genius hackers. How are your scripts protected? Encryption?

Heh heh, I must setting up a challenge then. The scripts are scripted not enscripted, although I suppose the en dash is enscripted.

Originally Posted by Mobyturns

Asking for a friend - What happens when finger print ID can't be used? i.e. finger injured, burns, amputation etc.

My phone is like the coppers – multiple prints are taken. Even if my finger is slightly wet it won't read the print, which tells me it has a very narrow focus of accuracy (good).

I use Nortons password manager because it was free with our Nortons antivirus subscription.

I find it works very well. In my work I have hundreds of internet sites that need the URL, username and password remembered. What I use most is the notes section where I can record all of those incidental bits of info you need in the modern world.

Syncs with my phone, laptop, home desktop, tablet, blah blah so I always have access to the info.

I use KeePass.

Open source. Data stored locally. Not at Mercy of a company claiming to be secure.

Not as seamless as paid options but I like it for above reasons.

I do backup the encrypted password file.

Use a long master passphrase.

Hi crocy
Fingerprint is optional.
You can still leave your phone unlocked, or pin, or pattern, or password.
Your choice to mitigate the risk of a lost device.

Everything on a computer can be accessed by someone not trusted, one way or the other. That includes password managers. I simply use a mini notebook. They come in all sizes and shapes; one can even get ones with a wood hard cover: Wooden notebook journal mini pocketbook | Etsy
Someone could nick it as well but that's a lot harder than hacking a computer. I admit it's a bit low tech, maybe not appealing to everyone.

Originally Posted by AndyJ

Everything on a computer can be accessed by someone not trusted, one way or the other. That includes password managers. I simply use a mini notebook. They come in all sizes and shapes; one can even get ones with a wood hard cover: Wooden notebook journal mini pocketbook | Etsy
Someone could nick it as well but that's a lot harder than hacking a computer. I admit it's a bit low tech, maybe not appealing to everyone.

Whilst physical access makes hacking etc easier, it is not as bad quite as you imply.

Password managers can be set to auto logout. If you have this set for a brief interval, then the database is closed as soon as you have used it.

A strong passphrase (easy to remember, very hard to hack) and the encryption on these files make them incredibly safe.

Yes, if you leave your computer unlocked and password manager unlocked and someone can access your computer there is risk. Windows passwords are not perfect protection by themselves.

Physical access - easy to take a paper notebook.

Edit: I took your post to mean physical access.
Most of the above still applies to network hacking.
If you end up with a keylogger, you are in trouble whatever way you store passwords, because they can be recorded as input.

Password managers encourage strong passwords (because you don't have to remember or type them) and, much more importantly, unique passwords per site.

The vast majority of hacks are hacking of a site / database and then using that information to access other sites. (I e. Not having unique passwords).

The yield from hacking your home network (having through firewall etc) is very low and doesn't often happen. Spam email with links to data harvesting sites / malware are common. The protection against those are not opening dodgy emails / following dodgy links.

It is VERY important to use a unique password for your email address.

Email password is essentially your master password whether you like it or not, as almost all sites allow password reset by email

A note of caution.
I had KeePass, for the same reasons, local storage, long master password, multiple backups etc.
But now it doesn't open any of the password data base files, claims file corruption.
I tried other versions of Keepass, same result.
I would be exporting the password data base file if possible as an additional backup.

Cheers
Keith

Originally Posted by pippin88

I use KeePass.

Open source. Data stored locally. Not at Mercy of a company claiming to be secure.

Not as seamless as paid options but I like it for above reasons.

I do backup the encrypted password file.

Use a long master passphrase.

I store my db file on OneDrive. It allows me to use the same db across a range of devices and computers, and if corrupted, I can restore from a previous version.

Originally Posted by verawood

But now it doesn't open any of the password data base files, claims file corruption.

Gday Lance

I tried to restore from a previous off disk version; but nothing worked.
That's why I posted my cautionary tale.
So I still maintain it wd be a good idea to export it occasionally to another file format so it can be imported if required.

Cheers
Keith

Originally Posted by LanceC

I store my db file on OneDrive. It allows me to use the same db across a range of devices and computers, and if corrupted, I can restore from a previous version.

I use an external flash drive to store my passwords and lock it in a safe.
Use a computer that is never connected to the internet when viewing your passwords.
Also have passwords printed in case the flash drive fails. The printed version makes paying bills ect easy. The printed version is also locked up in my safe when finished.