Thread: Password managers – yeah, nah, what?

I use dashlane. You do need to set a robust password to get into it, or as you note, it's a potential risk.

I was sceptical at first, but I reckon my online life is considerably safer now. As I'm on a Macbook most of the time, my fingerprint authorises dashlane to fill in each website's password.

They claim not to be able to access your data, and if you forget the master password, there's no way for them (or you) to recover the data.

It does have an app to update passwords, but I tend to do it manually. And with passwords like e!E6d9OCTQuccGv@U&, anything less than a quantum computer is going to take many months to brute force it.

I pay for their premium/family subscription, so my passwords sync across all my devices, and I can share with family members who use it as well.

Of course criminals would much rather you click on that dodgy link, and save them all the trouble of messing with passwords.

Like discouraging the burglars, you really just want your house to look harder to get into than next door to avert most of the trouble

FF, just to make sure you understand the basics...

Imagine you have a simple text file, and on each line you have a username, password and website name. This way, when you want to go to a web site, or anything else that requires a password, instead of remembering it, you can just look it up in your text file. Now you can use a very complicated password, and never need to use the same password twice, as you don't need to remember anything.

That is essentially all a password manager is. The key difference is that your list of usernames and passwords is encrypted, and you need to provide a master password to open the file, so that others can't read your password list.

I use 1Password and like Bernmc feel that overall I am better off. I am amazed at how many passwords it has captured and I use it every now and then to audit and close accounts I don't need.
It has a password generator that allows you to choose the method - random, memorable, length, numbers, symbols etc. It also has a feature that highlights reused passwords and passwords that have been exposed in known hacks - that is where your user name and password were known to have been included in the data breach.
My wife does not agree and uses her own system of encrypted hand written notes - like 'sister pet mum' where the password is her sister's cat's name and mum's birth year. She is regularly failing to decode her own codes and has to reset the password.

Originally Posted by LanceC

FF, just to make sure you understand the basics...

Imagine you have a simple text file, and on each line you have a username, password and website name. This way, when you want to go to a web site, or anything else that requires a password, instead of remembering it, you can just look it up in your text file. Now you can use a very complicated password, and never need to use the same password twice, as you don't need to remember anything.

That is essentially all a password manager is. The key difference is that your list of usernames and passwords is encrypted, and you need to provide a master password to open the file, so that others can't read your password list.

Thanks Lance. A couple of things come out of that (and your summary is more or less what I thought):
1. All my passwords would have to be reset, and that is QUITE a process that will involve dozens of emails (and I won't be able to remember all the places that have passwords...it's probably in Windows or Firefox or Chrome somewhere).
2. Not withstanding Bern's comment about several months of brute force to crack an 18 character pw..... that one pw opens the key to EVERYTHING, so if my computer was on (as it always is except overnight....coz I'm always bloody here, atm) then someone could get into ANY site, including my Microsoft accounts and so on.
3. My banking pw cannot be remembered on the site (just doesn't work) so presumably the pwm is useless for that. AFAIK this pw is only able to be 6 characters which seems incredibly weak, but perhaps I need to talk to them about that.

The part I don't understand is how the pwm can regularly change the pw on all these sites – if I want to do it manually I have to click a box, answer an email, often get a code sent to my phone etc etc. How does the pwm get around that?

I tried a few but I've relied on the same one for almost 20 years now and always use a different password for every user registration. I use Password Safe. The biggest problem I've found over the years as my number of sites and passwords continued to increase was coming up with a filing hierarchy that was simple to navigate.

For a while I followed a theory that you don't actually need to remember every password for a lot of sites that you visit infrequently, just opt for a password reset each time you return visit, but that assumes the email address you used for registration is still valid.

Firefox now offers Relay which will generate a new email alias on the fly for sites wanting email ids for registration so you can now have separate emails as well as passwords for every site.

Password managers are just places to keep track of passwords, they won't automatically update site access credentials for you, that is and should be something that you do intentionally. If you never use the same password across multiple sites I can't see any reason to go about changing them without a legitimate reason like the site was hacked.

bottom line -

Screen Shot 2021-09-10 at 10.30.55.png

Still in development, and can only do certain sites

I use KeePass, it's free and does everything I need it for. As someone who has to remember over 100 different passwords, it's essential. It's secure and significantly better than having a spreadsheet or bit of paper.

Like anything you need to maintain it to be effective, and you kinda commit once you choose a particular application as transferring details is quite cumbersome.

KeePass for me too. I use it simply, it seems you could do a lot with it but you would need to understand some convoluted program language to do so. I even use it to keep serial, purchase and receipts for equipment in it too. You can have attachments within each password entry.

I have used lastpass for years but have moved to bitwarden recently as they p'd me off.

bitwarden is free.

You don't need to reset any passwords. As you visit each site you log in as normal and the manager should ask you if you want to add that login to your database.

The biggest security issue with them is if the company is fraudulent and can access your passwords, so you need to go with a reputable provider.

Some charge some are free for private use. Some prices are more reasonable than others.

I learned about them years ago in a casual remark from one of the people at my credit union. I have been very happy with the move.

Many browsers will do it for you (opera) on your own computer. The advantage with a manager is your passwords are synced across devices.

2c

Originally Posted by FenceFurniture

Thanks Lance. A couple of things come out of that (and your summary is more or less what I thought):
1. All my passwords would have to be reset, and that is QUITE a process that will involve dozens of emails (and I won't be able to remember all the places that have passwords...it's probably in Windows or Firefox or Chrome somewhere).

You don't need to reset your passwords, or even know of all the passwords you have. Just pick a day, and start using the password manager. Every time you have to come up with a new password, just stick it into your PWM. Over time it will grow and encompass most of them.

Originally Posted by FenceFurniture

2. Not withstanding Bern's comment about several months of brute force to crack an 18 character pw..... that one pw opens the key to EVERYTHING, so if my computer was on (as it always is except overnight....coz I'm always bloody here, atm) then someone could get into ANY site, including my Microsoft accounts and so on.

Most password managers suggest a passphrase as the master password. That said, a 12 character password is going to take a lot of computing power a long time to crack. Unless you house state secrets, you simply aren't going to be the target of that sort of attack.

Originally Posted by FenceFurniture

3. My banking pw cannot be remembered on the site (just doesn't work) so presumably the pwm is useless for that. AFAIK this pw is only able to be 6 characters which seems incredibly weak, but perhaps I need to talk to them about that.

No, you can still store your password, and just copy and paste across to the bank's website. And if, like some dodgy sites they won't allow you to paste, just view the password and type it in yourself. Remember, at the most basic level, all PWMs are simply a secure place you can record passwords so you don't have to remember them.

Originally Posted by FenceFurniture

The part I don't understand is how the pwm can regularly change the pw on all these sites – if I want to do it manually I have to click a box, answer an email, often get a code sent to my phone etc etc. How does the pwm get around that?

That is a feature, which I would suggest most users of PWMs, myself included, never use.

I just use the one built in to Chrome; it syncs with my phone via my Google account and it also checks to see if passwords have potentially been compromised or leaked and prompts you to change them

I use Bitwarden, and I tried a version of Keepass - KeepassXC - the appeal was I could keep all passwords off the net.
BUT something went wrong and my password files wont open; even my saved backups.
I shall continue to try, but not holding my breath.

Originally Posted by tonzeyd

I use KeePass, it's free and does everything I need it for. As someone who has to remember over 100 different passwords, it's essential. It's secure and significantly better than having a spreadsheet or bit of paper.

Like anything you need to maintain it to be effective, and you kinda commit once you choose a particular application as transferring details is quite cumbersome.

Originally Posted by damian

The biggest security issue with them is if the company is fraudulent and can access your passwords, so you need to go with a reputable provider.

Some charge some are free for private use. Some prices are more reasonable than others.

Call me a sceptic, but if I was going to provide a dodgy pwm, I'd definitely put a mildly painful price on it (say 10-15 bucks a year) to give it the appearance of legitimacy. A small earner on the side, if nothing else gained.

I'm sure we all know of the Anti-Virus/Malware provider that was accused of sending out the virus in the first place so they could say "Look how good we are at killing that nasty virus" when o'course it wasn't nasty at all, and was super easy for them to kill...