Password Protection

Carolina Shagger
Posts: 14
Joined: Mon Aug 10, 2009 5:21 am

Re: Password Protection

Post by Carolina Shagger » Sun Oct 08, 2017 9:14 pm

I originally started this (most recent) thread and have appreciated all the responses, even those that have gone over my head. After doing some "research" I'm firmly convinced of what others have echoed: that I definitely need to do this. I understand the principle of different, hard-to-crack passwords for every different site and that the password protectors will keep track of all this, because I just don't have enough imagination or yellow sticky notes to put on my computer to do this.
But as I understand it, to get into a password protection program I need to have a "master" password. And I presume this needs to be equally strong, but easily remembered (the older I get the more difficult it is becoming).
Is this correct? And if so, what suggestions do you have for establishing this master password?
And again, thanks for all your responses.

lotusflower
Posts: 87
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sun Oct 08, 2017 11:22 pm

Carolina Shagger wrote:
Sun Oct 08, 2017 9:14 pm
Is this correct? And if so, what suggestions do you have for establishing this master password.
I wouldn't work too hard on the password. Supposedly 9-10 characters is long enough to be unbreakable and every extra character makes it hundreds of times harder to attack. So be safe and make it at least 15-20 chars. I think it's fine to include words but it needs other unrelated characters too, so that an automated program could never crack it by, say, running all existing written works through it, or perhaps running every email you've ever written or received through it (or for that matter all emails any human has ever written or received). Just take a few different unrelated things from your life, maybe some words and numbers and some punctuation, and run them together, and you should be fine.

The next step is how you secure it. My wife and I both know our master password and how to access the KeePass, and I made her practice and start using it so that she can access everything if I am incapacitated, so we don't need a written copy.

Then I wrote it in a sealed envelope and gave it to my parents for use in case we are both incapacitated. You just reminded me I was going to give the Dropbox credentials to get the KeePass file to a different relative in another state and I haven't done that yet. For LastPass users you might want to give the username to a different relative or to your lawyer. If you don't have any dependents it may not matter if all of the passwords die with you.

Hyperborea
Posts: 360
Joined: Sat Apr 15, 2017 10:31 am
Location: Silicon Valley

Re: Password Protection

Post by Hyperborea » Sun Oct 08, 2017 11:45 pm

I think at this point we've entered fantasy land. For every regular person reading this thread they should use a password manager. Use one of the well regarded ones and don't worry if it stores the encrypted passwords in the cloud. Use a strong password and enable two factor authentication.

If you are worried about somebody being able to break the encryption then what about trained ninjas breaking into your home, making a copy of your hard disk and using your local key store to raid your accounts? It's probably a far more likely event. Who cares if you've encrypted both the drive and the local key store because we've already assumed above that encryption doesn't work.

Perhaps you should worry about more likely things than the encryption being broken - key loggers, electro-magnetic eavesdropping of your monitor (Van Eck phreaking), spouses running off with the local waitress/pool boy and taking all your money, or CIA trained ESP agents reading your mind and stealing your password.

F150HD
Posts: 1127
Joined: Fri Sep 18, 2015 7:49 pm

Re: Password Protection

Post by F150HD » Sat Oct 21, 2017 12:33 pm

Looking at password managers, and was pondering the 'free' LastPass version but am having trouble pulling the trigger on it.

Things are 'free' for a reason....often to later force you to upgrade to a paid service or...

Don't need any features I'm seeing in the Premium list.

Anyone w/ the free version have concerns over using it?

Lacrocious
Posts: 296
Joined: Thu Mar 22, 2007 9:45 pm
Location: Wisconsin

Re: Password Protection

Post by Lacrocious » Mon Oct 23, 2017 10:08 pm

LastPass has gone the opposite direction. Their Free version used to not do the synchronization between devices. It didn't have many limits except the synchronization, which means you could try it out for free, but if you wanted passwords on your phone and tablet and laptops you had to pop for the Premium version for $12/year. I did that for many years. Currently, everything is in the free version except advanced 2-factor authentication, one-to-many sharing, emergency access and a few other minor things. I have kept Premium to help support them, but have been thinking I could downgrade without any impact to functionality. See: https://lastpass.com/features_joinpremium4.php

They are also promoting their new LastPass Family access - $4/month with accounts for 5 people in your family and easy sharing between them. My adult kids have their own accounts - so I don't have much use at this point, but I could see it as useful for people.

Try the free version and then see if you want/need the pay versions.
- L

Sandtrap
Posts: 2338
Joined: Sat Nov 26, 2016 6:32 pm
Location: Hawaii😀 Northern AZ.😳

Re: Password Protection

Post by Sandtrap » Mon Oct 23, 2017 11:45 pm

I use "OneSafe".
I have been wondering if it is safe to store the passwords to Vanguard and other financial institutions as "autofill" on the "Keychain" on my new MacBook Pro with fingerprint?
Or should I continue to enter them manually for sites like that?
Thoughts?

carofe
Posts: 297
Joined: Thu Mar 20, 2014 7:21 pm

Re: Password Protection

Post by carofe » Mon Oct 23, 2017 11:56 pm

I have been using Dashlane for a year now. It works great on all devices. It encrypts everything locally, their servers only have the encrypted version of my passwords. I used to use KeePass but I wanted to use a Password Manager with good support, easy to use and intuitive so I could get my wife to use it.
US Total Stock Market + Intermediate Term Bond. That's it.

TravelGeek
Posts: 1158
Joined: Sat Oct 25, 2014 3:23 pm

Re: Password Protection

Post by TravelGeek » Sat Oct 28, 2017 5:59 pm

lazydavid wrote:
Sun Oct 08, 2017 8:11 pm
Because it's simple. The entire AES algorithm can be printed on a single sheet of paper, and is therefore easily examined by anyone. We know exactly what it does, and how it does it, and we therefore know why there are no practical attacks on it.
One problem is that even a mathematically bulletproof algorithm needs to be implemented by a human. And we generally don't know how good a job they do unless we (or someone skilled) have the ability to review their code (one of the arguments for open source apps like KeePass).

I am reminded of the first password manager I ever used, SplashID. I started in the days of the Palm Pilot, so... 15 years ago maybe? SplashID was pretty popular. Maybe still is, I don’t know.

Anyway, about five years ago it was discovered by independent security researchers that SplashID had a major flaw: it was storing the master password in such a way that it was easily recoverable by someone with access to the data file.

https://elcomsoft.com/WP/BH-EU-2012-WP.pdf
"SplashID Safe for iPhone ($9.99) [18]. This app uses a SQLite database and encrypts data in it like most other apps we have analyzed, only it uses Blowfish instead of AES. The master password is used as a Blowfish key to encrypt user data.

What sets this app apart, however, is that it stores the master password in the database using reversible encryption. That is, it uses the hard-coded key "g.;59?^/0n1X*{OQlRwy" to encrypt the master password using the Blowfish algorithm and then stores the result in the database. Obviously, the master password can be instantly recovered by simply decrypting the data."
:shock: :oops:
So in this case it wasn’t even the core encryption algorithm’s implementation itself that was flawed, but rather the surrounding code.

(I obviously no longer use SplashID, and I store the password vault of my current password manager in the cloud for synchronization and safe-keeping purposes)

abuss368
Posts: 11628
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Password Protection

Post by abuss368 » Sat Oct 28, 2017 8:30 pm

Pen and paper.
John C. Bogle: "You simply do not need to put your money into 8 different mutual funds!" | | Disclosure: Three Fund Portfolio + U.S. & International REITs

TravelGeek
Posts: 1158
Joined: Sat Oct 25, 2014 3:23 pm

Re: Password Protection

Post by TravelGeek » Sat Oct 28, 2017 10:14 pm

abuss368 wrote:
Sat Oct 28, 2017 8:30 pm
Pen and paper.
My password manager has 415 records. Granted, some of them are not logins (I also store things like driver's license info, SSN numbers, passport info, ...). That would be a pain in the neck to manage on paper.

abuss368
Posts: 11628
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Password Protection

Post by abuss368 » Sun Oct 29, 2017 8:02 am

TravelGeek wrote:
Sat Oct 28, 2017 10:14 pm
abuss368 wrote:
Sat Oct 28, 2017 8:30 pm
Pen and paper.
My password manager has 415 records. Granted, some of them are not logins (I also store things like driver's license info, SSN numbers, passport info, ...). That would be a pain in the neck to manage on paper.
Wow! I was referring to just passwords. We have nowhere near that quantity.
John C. Bogle: "You simply do not need to put your money into 8 different mutual funds!" | | Disclosure: Three Fund Portfolio + U.S. & International REITs

David Scubadiver
Posts: 522
Joined: Thu Mar 24, 2016 8:40 am

Re: Password Protection

Post by David Scubadiver » Sun Oct 29, 2017 9:32 am

corner559 wrote:
Sat Oct 07, 2017 10:12 pm
tmhudg wrote:
Fri Oct 06, 2017 9:07 am
Check out LastPass. I cannot recommend this highly enough. Yes, you have to trust your info "in the cloud", and that it is all properly encrypted and protected, but, IMHO, the benefits outweigh the risk.
I can't imagine a worse place to store your passwords than in the cloud.
How about a sticky note on your monitor? Or your spouse's notebook next to the keyboard?

lotusflower
Posts: 87
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Sun Oct 29, 2017 3:28 pm

abuss368 wrote:
Sat Oct 28, 2017 8:30 pm
Pen and paper.
Extremely risky.

lazydavid
Posts: 1130
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password Protection

Post by lazydavid » Mon Oct 30, 2017 11:17 am

TravelGeek wrote:
Sat Oct 28, 2017 5:59 pm
lazydavid wrote:
Sun Oct 08, 2017 8:11 pm
Because it's simple. The entire AES algorithm can be printed on a single sheet of paper, and is therefore easily examined by anyone. We know exactly what it does, and how it does it, and we therefore know why there are no practical attacks on it.
One problem is that even a mathematically bullet proof algorithm needs to be implemented by a human. And we generally don’t know how good a job they do unless we (or someone skilled) have the ability to review their code (one of the arguments for open source apps like KeePass).
Agreed, key management is paramount. Luckily, we know how LastPass did this, and I described it at a high level in my post. In short, the master password is used as an input into the PBKDF2 algorithm, which is a one-way function and therefore irreversible by design. They even provide a static, offline page implemented entirely in JavaScript so that interested parties/users can confirm their claims that this is the way it operates:

https://lastpass.com/js/enc.php

As always, trust, but verify.
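The two designs contrasted in this thread, SplashID's reversible storage of the master password (TravelGeek's quote above) and the one-way PBKDF2 derivation lazydavid describes, side by side as an added example. This is constructed code, not LastPass's, SplashID's or any poster's; XOR under a placeholder key stands in for Blowfish with a hard-coded key (reversibility is the point, not cipher strength), and the iteration count, the username-as-salt choice and the two-step key/login-hash derivation are assumptions modelled on lazydavid's description.

```python
"""Constructed example: reversible master-password storage vs. one-way PBKDF2 derivation."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# ---- Anti-pattern: reversible storage under a key that every copy of the app ships with
HARDCODED_APP_KEY = b"hypothetical-app-key"  # placeholder, not any real product's key


def _xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a reversible cipher with a fixed key (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def reversible_store(master_password: str) -> bytes:
    """What the flawed design wrote into its database."""
    return _xor(master_password.encode(), HARDCODED_APP_KEY)


def recover_from_datafile(stored: bytes) -> str:
    """Anyone holding the data file plus the app's fixed key gets the password back."""
    return _xor(stored, HARDCODED_APP_KEY).decode()


# ---- One-way scheme: PBKDF2 on the client, only a login hash reaches the server
KDF_ITERATIONS = 100_000  # assumed client-side work factor


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Encryption key for the vault. Computed locally and never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), KDF_ITERATIONS
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way step on top of the key; this is the client's login credential."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class VaultServer:
    """Holds an encrypted blob and a salted hash of the login hash, nothing else."""

    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, bytes]] = {}

    def _verifier(self, login_hash: bytes, salt: bytes) -> bytes:
        # Hash again server-side so a dump of this table cannot be replayed as a login.
        return hashlib.pbkdf2_hmac("sha256", login_hash, salt, KDF_ITERATIONS)

    def register(self, username: str, login_hash: bytes, encrypted_blob: bytes) -> None:
        salt = os.urandom(16)
        self.records[username] = {
            "salt": salt,
            "verifier": self._verifier(login_hash, salt),
            "blob": encrypted_blob,
        }

    def fetch_blob(self, username: str, login_hash: bytes) -> Optional[bytes]:
        """Return the encrypted vault only if the presented login hash checks out."""
        rec = self.records.get(username)
        if rec is None:
            return None
        if not hmac.compare_digest(self._verifier(login_hash, rec["salt"]), rec["verifier"]):
            return None
        return rec["blob"]


def server_holds_secret(server: VaultServer, username: str, secret: bytes) -> bool:
    """True if the secret appears anywhere in what the server stored for this user."""
    return any(secret in value for value in server.records[username].values())


def demo() -> Dict[str, bool]:
    user, password = "alice@example.com", "correct horse battery staple"  # constructed
    # Flawed design: the data file alone gives the master password back.
    leaked = recover_from_datafile(reversible_store(password)) == password

    # One-way design: vault encryption with vault_key is assumed to happen on the
    # client; the blob below is a constructed placeholder for that ciphertext.
    vault_key = derive_vault_key(password, user)
    login_hash = derive_login_hash(vault_key, password)
    server = VaultServer()
    server.register(user, login_hash, b"<vault ciphertext produced locally with vault_key>")
    wrong_hash = derive_login_hash(derive_vault_key("wrong", user), "wrong")
    return {
        "flawed_design_leaks_password": leaked,
        "correct_login_returns_blob": server.fetch_blob(user, login_hash) is not None,
        "wrong_password_rejected": server.fetch_blob(user, wrong_hash) is None,
        "server_has_password": server_holds_secret(server, user, password.encode()),
        "server_has_vault_key": server_holds_secret(server, user, vault_key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the last two checks is that even a full copy of the server's records contains neither the master password nor the vault key, which is exactly what the flawed design failed to guarantee for the data file.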

dcabler
Posts: 290
Joined: Wed Feb 19, 2014 11:30 am

Re: Password Protection

Post by dcabler » Mon Oct 30, 2017 2:51 pm

For a long time, I've used a USB drive that itself is encrypted with a long, tough password and whose files are also individually encrypted.
BitLocker is used to encrypt the USB drive with 256-bit encryption.
The version of Excel I have, where I keep my passwords, uses 128-bit encryption, also with a long, tough password.

I see that the basics of something like KeePass is also 256-bit encryption and Dropbox can be used to synchronize across multiple machines. Dropbox encryption is also 256-bit. Now KeePass is open source and there are plenty of add-ons that attempt to make life a little easier, but it would seem to me encrypting the Excel file I already have and using Dropbox for syncing isn't too far off from what KeePass at its core does. And there are other ways to get to 256-bit on the Excel file as well (such as PKWARE, etc.).

All of that said, I'm looking closely at Lastpass right now due to a scare regarding my USB drive when traveling overseas recently.

lotusflower
Posts: 87
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Mon Oct 30, 2017 6:21 pm

dcabler wrote:
Mon Oct 30, 2017 2:51 pm
For a long time, I've used a USB drive that itself is encrypted with a long, tough password and whose files are also individually encrypted.
BitLocker is used to encrypt the USB drive with 256-bit encryption.
The version of Excel I have, where I keep my passwords, uses 128-bit encryption, also with a long, tough password.

I see that the basics of something like KeePass is also 256-bit encryption and Dropbox can be used to synchronize across multiple machines. Dropbox encryption is also 256-bit. Now KeePass is open source and there are plenty of add-ons that attempt to make life a little easier, but it would seem to me encrypting the Excel file I already have and using Dropbox for syncing isn't too far off from what KeePass at its core does. And there are other ways to get to 256-bit on the Excel file as well (such as PKWARE, etc.).

All of that said, I'm looking closely at Lastpass right now due to a scare regarding my USB drive when traveling overseas recently.
Yes, one risk is hacking but another risk is losing your device, or perhaps having it seized at a border crossing (there are still countries where entering with an encrypted hard drive is dangerous). Cloud backups are much easier to manage than local device backups.

Personally, I think the Dropbox encryption doesn't count. It's a fine company, but they will decrypt your data with a warrant or a national security letter. But that also means that they can be hacked. In fact, in their early days, they misstated whether it was possible for them to decrypt your data: https://cbsnews.com/news/at-dropbox ... nd-update/

Is this a big deal? I don't really think so. I mean, if the NSA wants your data they are going to get it. But the fact remains that Dropbox is not secure in the way that LastPass and KeePass claim to be secure. LastPass claims that they do not store enough information to decrypt your files, and that the final magic that opens up your vault remains locally in your browser and is never transmitted to them. Likewise KeePass decryption is only done locally and claims not to have any backdoors and is open-source.

Similarly, I think Excel is a great product but it's totally likely that there is a backdoor and that therefore the encryption is not trustable. Maybe there is no backdoor but that's not for lack of trying on behalf of the government. https://boingboing.net/2013/09/11/how-t ... oft-t.html It may be the same situation as Dropbox, and again, that may be enough that you are comfortable.

Also if you are using an older version of Excel the encryption is trivial to break.

Probably your Excel system is almost as good as KeePass. KeePass has a nicer user interface, good searching within the vault, and plenty of text fields where you can store account numbers, URLs, and security questions. If you put your Excel file in an encrypted zip file or a VeraCrypt container and store that on Dropbox that should be just as secure and only a little bit more annoying to use. The other advantage KeePass has is a fancy cut-and-paste mechanism that defeats most keyloggers (something you might unknowingly have been infected with from any number of web sites showing GIFs of cute animals).

c.coyle
Posts: 18
Joined: Thu Aug 03, 2017 5:10 pm

Re: Password Protection

Post by c.coyle » Mon Oct 30, 2017 6:56 pm

Carolina Shagger wrote:
Fri Oct 06, 2017 9:01 am
With all the latest news about accounts being hacked, can someone recommend a good program that will create, and hopefully remember, different strong passwords for different accounts?
Since I use two different computers will the program allow me to go from one computer to another or does the information all reside on only one computer.
Thanks in advance for your help.
1. Download and install Keepass on both of your computers.

2. Create a Keepass encrypted file (.kdbx extension) on one of your computers. Store all your passwords in it.

3. Upload the .kdbx file to your Dropbox or Spideroak folder.

4. You can now access a single encrypted password file from either computer. Plus, new or changed passwords are automatically synced between both.

5. You have now achieved what cloud-based password managers like Lastpass do, but way more securely.

lazydavid
Posts: 1130
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password Protection

Post by lazydavid » Mon Oct 30, 2017 8:24 pm

I wouldn't exactly describe a process that is functionally equivalent to how LastPass works and EXACTLY the same as 1Password as "way more securely". The proper phrase is "just as securely".

hoops777
Posts: 1918
Joined: Sun Apr 10, 2011 12:23 pm

Re: Password Protection

Post by hoops777 » Mon Oct 30, 2017 9:30 pm

How safe are my passwords that are stored on my iPad if I have the iPad set on my security passcode so nobody can open it?
I was trying 1Password and it was a pain in the butt. I am the only one who uses my iPad and it automatically fills in all my logins. The only ones I do not have saved are my brokerage account and my bank.
K.I.S.S........so easy to say so difficult to do.

c.coyle
Posts: 18
Joined: Thu Aug 03, 2017 5:10 pm

Re: Password Protection

Post by c.coyle » Tue Oct 31, 2017 6:22 pm

lazydavid wrote:
Mon Oct 30, 2017 8:24 pm
I wouldn't exactly describe a process that is functionally equivalent to how LastPass works and EXACTLY the same as 1Password as "way more securely". The proper phrase is "just as securely".
No, way more secure. That is because only you have the encrypted file's password, not Dropbox, Lastpass, etc. The only time you enter it is locally, on your computer, offline. Nobody else ever has your password. It never leaves you. You never send it over the internet or anywhere. It never resides, in any form, on someone else's server.

So, even if Dropbox gets hacked, the hackers get your encrypted file, not your password.
Last edited by c.coyle on Tue Oct 31, 2017 6:30 pm, edited 1 time in total.

Hyperborea
Posts: 360
Joined: Sat Apr 15, 2017 10:31 am
Location: Silicon Valley

Re: Password Protection

Post by Hyperborea » Tue Oct 31, 2017 6:30 pm

c.coyle wrote:
Tue Oct 31, 2017 6:22 pm
lazydavid wrote:
Mon Oct 30, 2017 8:24 pm
I wouldn't exactly describe a process that is functionally equivalent to how LastPass works and EXACTLY the same as 1Password as "way more securely". The proper phrase is "just as securely".
No, way more secure. That is because only you have the encrypted file's password, not Dropbox, Lastpass, etc. The only time you enter it is locally, on your computer. Nobody else ever has your password. It never leaves you. You never send it over the internet or anywhere. It never resides, in any form, on someone else's server.

So, even if Dropbox gets hacked, the hackers get your encrypted file, not your password.
Ummm……that's the way that Lastpass works too. Everything you put in bold above applies to Lastpass.

lotusflower
Posts: 87
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Tue Oct 31, 2017 6:33 pm

c.coyle wrote:
Tue Oct 31, 2017 6:22 pm
lazydavid wrote:
Mon Oct 30, 2017 8:24 pm
I wouldn't exactly describe a process that is functionally equivalent to how LastPass works and EXACTLY the same as 1Password as "way more securely". The proper phrase is "just as securely".
No, way more secure. That is because only you have the encrypted file's password, not Dropbox, Lastpass, etc. The only time you enter it is locally, on your computer. Nobody else ever has your password. It never leaves you. You never send it over the internet or anywhere. It never resides, in any form, on someone else's server.

So, even if Dropbox gets hacked, the hackers get your encrypted file, not your password.


According to Lastpass, your password is not transmitted and there is no way they can decrypt your vault if you lose your password. They don't really have any incentive to be lying about this and the math behind it is well-known.

You're right about Dropbox and most other cloud services though. That's still a good company and the cloud is still a great idea especially for redundant backups, but the security is inherently not as good.

c.coyle
Posts: 18
Joined: Thu Aug 03, 2017 5:10 pm

Re: Password Protection

Post by c.coyle » Tue Oct 31, 2017 6:35 pm

Hyperborea wrote:
Tue Oct 31, 2017 6:30 pm
c.coyle wrote:
Tue Oct 31, 2017 6:22 pm
lazydavid wrote:
Mon Oct 30, 2017 8:24 pm
I wouldn't exactly describe a process that is functionally equivalent to how LastPass works and EXACTLY the same as 1Password as "way more securely". The proper phrase is "just as securely".
No, way more secure. That is because only you have the encrypted file's password, not Dropbox, Lastpass, etc. The only time you enter it is locally, on your computer. Nobody else ever has your password. It never leaves you. You never send it over the internet or anywhere. It never resides, in any form, on someone else's server.

So, even if Dropbox gets hacked, the hackers get your encrypted file, not your password.
Ummm……that's the way that Lastpass works too. Everything you put in bold above applies to Lastpass.
I didn't put anything in bold.

This is cut from Lastpass' web page: "Once you save a password in LastPass, you'll always have it when you need it; logging in is fast and easy." (Emphasis added) What does logging in mean?

EDIT: This is from a few weeks ago: https://darknet.org.uk/2017/03/last ... passwords/

Hyperborea
Posts: 360
Joined: Sat Apr 15, 2017 10:31 am
Location: Silicon Valley

Re: Password Protection

Post by Hyperborea » Tue Oct 31, 2017 6:42 pm

c.coyle wrote:
Tue Oct 31, 2017 6:35 pm
Hyperborea wrote:
Tue Oct 31, 2017 6:30 pm
c.coyle wrote:
Tue Oct 31, 2017 6:22 pm
lazydavid wrote:
Mon Oct 30, 2017 8:24 pm
I wouldn't exactly describe a process that is functionally equivalent to how LastPass works and EXACTLY the same as 1Password as "way more securely". The proper phrase is "just as securely".
No, way more secure. That is because only you have the encrypted file's password, not Dropbox, Lastpass, etc. The only time you enter it is locally, on your computer. Nobody else ever has your password. It never leaves you. You never send it over the internet or anywhere. It never resides, in any form, on someone else's server.

So, even if Dropbox gets hacked, the hackers get your encrypted file, not your password.
Ummm……that's the way that Lastpass works too. Everything you put in bold above applies to Lastpass.
I didn't put anything in bold.

This is cut from Lastpass' web page: "Once you save a password in LastPass, you'll always have it when you need it; logging in is fast and easy." (Emphasis added) What does logging in mean?

EDIT: This is from a few weeks ago: https://darknet.org.uk/2017/03/last ... passwords/
Badly worded on my part. Everything that you wrote above that I bolded for emphasis.

lotusflower
Posts: 87
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Tue Oct 31, 2017 6:57 pm

c.coyle wrote:
Tue Oct 31, 2017 6:35 pm
Hyperborea wrote:
Tue Oct 31, 2017 6:30 pm
c.coyle wrote:
Tue Oct 31, 2017 6:22 pm
lazydavid wrote:
Mon Oct 30, 2017 8:24 pm
I wouldn't exactly describe a process that is functionally equivalent to how LastPass works and EXACTLY the same as 1Password as "way more securely". The proper phrase is "just as securely".
No, way more secure. That is because only you have the encrypted file's password, not Dropbox, Lastpass, etc. The only time you enter it is locally, on your computer. Nobody else ever has your password. It never leaves you. You never send it over the internet or anywhere. It never resides, in any form, on someone else's server.

So, even if Dropbox gets hacked, the hackers get your encrypted file, not your password.
Ummm……that's the way that Lastpass works too. Everything you put in bold above applies to Lastpass.
I didn't put anything in bold.

This is cut from Lastpass' web page: "Once you save a password in LastPass, you'll always have it when you need it; logging in is fast and easy." (Emphasis added) What does logging in mean?

EDIT: This is from a few weeks ago: https://darknet.org.uk/2017/03/last ... passwords/
from https://lastpass.com/how-it-works
Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.

c.coyle
Posts: 18
Joined: Thu Aug 03, 2017 5:10 pm

Re: Password Protection

Post by c.coyle » Tue Oct 31, 2017 7:05 pm

Hyperborea wrote:
Tue Oct 31, 2017 6:42 pm

Badly worded on my part. Everything that you wrote above that I bolded for emphasis.

Absolutely no problem.

My point is simply this: If you have to send any data to a remote computer in order to get at your passwords, there is the potential for hacking. I realize that Lastpass sends you the encrypted file and that you decrypt it locally, but the increased risk - probably slight - is there. And, apparently the big problem with Lastpass is caused by browser extensions leaking passwords. I think the Keepass / Dropbox setup avoids this problem.

lotusflower
Posts: 87
Joined: Thu Oct 24, 2013 12:32 am

Re: Password Protection

Post by lotusflower » Tue Oct 31, 2017 7:30 pm

c.coyle wrote:
Tue Oct 31, 2017 7:05 pm
My point is simply this: If you have to send any data to a remote computer in order to get at your passwords, there is the potential for hacking. I realize that Lastpass sends you the encrypted file and that you decrypt it locally, but the increased risk - probably slight - is there. And, apparently the big problem with Lastpass is caused by browser extensions leaking passwords. I think the Keepass / Dropbox setup avoids this problem.
I actually use Keepass+Dropbox like you, but if LastPass/1Password are doing it like they say, then it's the same. Per their web site that I quoted, Lastpass is more like a single-purpose dropbox that only lets you store one file, plus some really well-done browser integration.

KeePass can still be vulnerable to keyloggers, and when KeePass is in memory ALL your passwords are decrypted and are vulnerable to targeted malware. Any process running at system level can access that memory and steal passwords. If you have admin rights on your machine this could be just about any program you downloaded from the web. As far as I remember, LastPass only decrypts passwords one at a time, so on that account it's quite a bit safer (couldn't confirm this with a quick perusal, though). Anyway, I think it's unfair and incorrect to keep saying that one is inherently better than the other based on some incorrect assumptions.

At some point your password is decrypted and handed off to some JavaScript in your browser, and all systems have a vulnerability there if the JavaScript has been hijacked. I don't think there is any way to secure against this unless you never add any extensions to your browser.

I think these are all pretty good solutions and they are way better than a spreadsheet or a piece of paper. All of the exploits we've been discussing are extremely rare and perhaps have never happened in the wild.

hoops777
Posts: 1918
Joined: Sun Apr 10, 2011 12:23 pm

Re: Password Protection

Post by hoops777 » Tue Oct 31, 2017 9:13 pm

So which manager is easiest to use for an iPad being used by a non-techie one-finger typist backed up by my wife, who is living in 1980 in terms of technology :D
K.I.S.S........so easy to say so difficult to do.

masteraleph
Posts: 486
Joined: Wed Nov 04, 2009 9:45 am

Re: Password Protection

Post by masteraleph » Tue Oct 31, 2017 9:42 pm

hoops777 wrote:
Tue Oct 31, 2017 9:13 pm
So which manager is easiest to use for an iPad being used by a non-techie one-finger typist backed up by my wife, who is living in 1980 in terms of technology :D
1Password is the most expensive of them, but also is really, really well integrated with iOS. If your iPad is recent enough to have a fingerprint scanner in it, you can use that to unlock the app rather than having to type in your master password. And you can set it up so that when you are at a login screen on Safari, you can press the Action/Share button (the little box with the arrow sticking up) to bring up 1Password which, after logging in, will let you fill in the username/password categories on the page.

lazydavid
Posts: 1130
Joined: Wed Apr 06, 2016 1:37 pm

Re: Password Protection

Post by lazydavid » Wed Nov 01, 2017 5:18 am

c.coyle wrote:
Tue Oct 31, 2017 6:22 pm
No, way more secure. That is because only you have the encrypted file's password, not Dropbox, Lastpass, etc. The only time you enter it is locally, on your computer, offline. Nobody else ever has your password. It never leaves you. You never send it over the internet or anywhere. It never resides, in any form, on someone else's server.

So, even if Dropbox gets hacked, the hackers get your encrypted file, not your password.
Wrong. As I said, 1Password works exactly the same way. And I mean EXACTLY. You create a LOCAL password vault, using a master password that never leaves your computer. How you sync that to other devices is up to you. I chose Dropbox, but there are lots of options.

LastPass is similar, but not identical. In it, you do not create and save a local file, but ALL the encryption and decryption is done locally on your machine. Only the encrypted blobs are sent up to LastPass. Your master password is never sent over the internet.
c.coyle wrote:
Tue Oct 31, 2017 7:05 pm
If you have to send any data to a remote computer in order to get at your passwords, there is the potential for hacking. I realize that Lastpass sends you the encrypted file and that you decrypt it locally, but the increased risk - probably slight - is there.
How is getting an encrypted blob from one cloud service an increased risk over getting an encrypted blob from another cloud service?

Your point about browser extensions is fair, but applies to any PM that is even remotely easy to use. That is definitely one area where we have to be conscious that the vendors are reputable and coding correctly. I have 709 passwords in my vaults, and have to log into one service/server or another several hundred times per day. Searching, copying and pasting is not an option. So either I have to have memorable passwords (bad) that I can type quickly, or use a PM that can autofill. I wound up with LastPass Enterprise, because it has a bunch of manageability features (including some that increase security further), and allows teams to securely share selected passwords (vendor accounts, etc.) without sharing everything.
