Do you need a password manager?

Topic

New Reply

PUBLIC DEFENDER By Brian Livingston It seems we all have to deal with different usernames and passwords for every website we visit and every device we
[See the full post at: Do you need a password manager?]

12 users thanked author for this post.

WSGeo, ibe98765, lmacri, J9438, Myst, AlphaCharlie, fisher75, BobbyB, SueW, Kathy Stevens, DLivesInTexas, abbodi86

Reply | Quote

Replies

Don’t tell anyone — It’s SECRET!

I never see any of the reviews mention the one PWM I’ve been using for years and it is superb.  There’s a version for Windows and Android though not with identical functionality.  If anyone wants the website just let me know…

3 users thanked author for this post.

Tom in Az, agoldhammer, windbg

Reply | Quote

I too use Password Safe. But I use it with a Yubikey – another factor. Syncing is easy, I put it on a USB drive.

But as for trying your password at Have I Been Pwned – once you try it haven’t you put it into their database? What a simple way to accumulate millions of passwords!

My main gripe is about usernames, though. How many lazy websites insist on using your email for a username? It makes it easy to target specific people. Where ever possible I use a random string for my username as well. It’s easy to do with a local password manager like Password Safe.

3 users thanked author for this post.

Blizzard, J9438, windbg

Reply | Quote

I am sorry but I just don’t get it. If you have your laptop stolen at the airport or coffee shop and the perp does a brute force attack to get into the laptop with your “PIN”, then since your laptop has Passkey access to say AskWoody, can’t the perp then go right into Woody?

But with a Password to Woody the perp would be stopped.

3 users thanked author for this post.

ibe98765, astro46, agoldhammer

Reply | Quote

Sticky Password has its own password to open, just like any other cloud based manager. You eliminate the mass attack at the cloud site. Plus, anytime I am using a library or coffee shop my laptop is locked to an immovable object. Much more worried about a mass attack hence no cloud based for me.

Reply | Quote

J9438 wrote:

If you have your laptop stolen at the airport or coffee shop and the perp does a brute force attack to get into the laptop with your “PIN”, then since your laptop has Passkey access to say AskWoody, can’t the perp then go right into Woody?

It could take years to brute force even a four-digit PIN due to TPM 2.0 anti-hammering lockout period after 32 attempts (then one per 10 mins).

1 user thanked author for this post.

J9438

Reply | Quote

For me the one and only password manager is Sticky Password. Why do I feel that it is the only one I will ever use? It is because it is not web based.  If you want to sync it with your phone or laptop or desktop, it is done via wifi. Unlike Last Pass that was hacked, Sticky Password will never be hacked if you set it up properly. And, unlike the others, you buy a lifetime license not an annual fee.

1 user thanked author for this post.

teuhasn2

Reply | Quote

With Sticky Password, users have the option to elect either cloud-based storage of passwords like the better-known password managers, or local only. It is the best password manager for those who want local-only storage but still want to be able to sync updates to their stored passwords across devices. This syncing is not automatic when passwords are updated but done manually by the user between one pair of devices at a time over the user’s home wifi network until all are using the same database; it only takes a few seconds for each pair of devices. Syncing does require either a lifetime license (which periodically is “on sale”) or a subscription.

Reply | Quote

b wrote:

t could take years to brute force even a four-digit PIN

Humm. On a Google search one site “LogMeOnce” has the summary that they can crack a 6 digit PIN instantly. Don’t know if that is just hype but does concern me.

Another one in Apple Discussions said their iPhone 6 digit password was broken in 15 minutes and thief turned off Find my Phone???

Quite a few other claims but did not open any of them to see the actual times.

All of this is quite a dilemma. I know I could get a Yubi key but then that gets lost, broken, or like any other electronic device just quits working. I could set the PIN count to max 10 but then I get messed up or the perp tries 11 times and all my data is erased. Or your face ages and you are locked out. Or your fingerprint wears down or is injured.

Seems no really good  solution.

 

Reply | Quote

J9438 wrote:

Humm. On a Google search one site “LogMeOnce” has the summary that they can crack a 6 digit PIN instantly.

Not with TPM 2.0 anti-hammering. Six digits would take 19 years.

1 user thanked author for this post.

J9438

Reply | Quote

If a thief enters the wrong PIN 11 times — and you have anti-hammering technology in place, such as a TPM chip — your data is not erased. Such a rule would allow any malicious person to erase your data by simply entering random PINs 11 times. As someone else mentioned, TPM allows a certain number of wrong guesses, and then additional guesses cannot be made except 10 minutes apart. That interval allows legitimate people who really cannot remember their PIN to keep trying. But it makes brute-force guessing too slow for hackers (who can easily buy millions of credentials on the Dark Web).

Reply | Quote

B. Livingston wrote:

Did you notice a pattern there? Out of the 19 password managers that were reviewed, the following five were recommended by the greatest number of test labs:

• Bitwarden, Dashlane, 1Password, NordPass, Keeper

Another thing I noticed is that not one of those five appeared on all 19 reviewers.  I just checked over 100 passwords stored in my password-protected Excel file at Have I Been Pwned, and all of them were clear.  And there’s this:

“Firefox Sync

If you have a Mozilla account and enabled the Sync functionality, your sync login data (usernames, passwords, hostnames) is fully encrypted once it’s created and/or modified. However, Mozilla cannot decrypt your usernames and passwords when they are stored on the sync server.

If you forget your Mozilla account email and password, Mozilla will not be able to recover your sync data as we do not have access to it.”

I don’t feel the need for a password manager, nor do I feel the need for a passkey until passwords are no longer accepted.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

Mr. Austin

Reply | Quote

I use BitWarden as they now support Passkeys while using your desktop browser and if you have their browser extension installed Passkeys are a snap to create and use.  My default browser is Brave but if I also open up Edge the same passkey is available to me and since Bitwarden is cloud-based, if I switch from my desktop PC to my laptop, my passkeys are still available to me whenever I need them.  Bitwarden supposedly is working on a way to make the stored passkey available on mobile devices as well.

Here’s my complaint….  It seems to me that most websites that need to really verify that it’s you whose logging in are more then content to text you a one-time authentication code instead of implementing passkeys.  I hate authentication codes as I have to stop, find my phone and then have to remember the code so I can type it in on my desktop or laptop where a passkey would be so more effective for both parties.  What I find odd too is that PayPal says they support Passkeys but they don’t support them from a desktop browser.  So the reality is that few sites actually support passkeys and despite how easy they are to use when fully implemented, full implementation is still quite a ways off.

Reply | Quote

I’m a lawyer, so uploading attorney-client data to the cloud has always been off-limits, regardless of how well I think it may be encrypted. I have always been suspicious of the cloud, mainly because most vendors offer small amounts of data free (say under 5 GB). I believe the rubric that if something on the internet is free, then you must be the product. I wonder what vendors look for when scanning uploaded data? I won’t belabor my local backup system here.

I have hundreds of passwords stored in Roboform. However, they are easily exportable to other password managers if it becomes necessary to change. I’ve used Roboform since 2003 and find myself reluctant to part with it.

I have some questions and comments concerning the article.

(1) I suspect that checking your password against the “Have I Been Pwned” website merely adds another password to the database of compromised passwords. Despite the site’s claim that it does not store passwords, Microsoft’s track record for truth-in- advertising has not been good.

(2) Passkeys (to my mind) are a troubling new development because of their heavy reliance on biometric data, even if the biometrics are allegedly stored on a local device. Unless you disconnect from the internet, local devices are in constant communication with external servers. Non-technical persons like me have no idea what data is being uploaded to those servers.

Yes, I know TSA is now requiring biometric facial recognition scans to fly domestically, and law-abiding citizens are required to submit biometric data when entering or leaving the country, but that does not make submission of biometric data any more palatable. Good proles, of course, should be willing to submit any biometric data requested at all times and in all places.

(3) If you refuse to provide biometric data, what options are left? Passkeys apparently can be created with a mere PIN. What if FIDO, Google, Amazon et al. decide a PIN is not good enough? Why are Passkeys are superior to (for example) RSA SecurID or Yubikey? Could SecurID or Yubikey be used as the third leg of a Passkey in lieu of biometric data?

We are entering a Brave New World of authentication. I find these new methods difficult to understand and somewhat disturbing.

8 users thanked author for this post.

rizzquery, unbob, SkipH, Mark, WSbobby-p, J9438, BobbyB, Michael Marchand

Reply | Quote

1. I can confirm that the website “Have I Been Pwned” does not store passwords that you test by entering them. I’ve entered some passwords multiple times over the years, and the site has never said my passwords match the database of 12 billion credentials that are circulating on the Dark Web. I’m a sample of one, of course. But if you have any indications that HIBP is storing user data, let me know and I’ll publish the evidence. Microsoft does not own or run HIBP.
2. If your phone or laptop recognizes you by your face (biometric data), it should never transmit a picture of your face across the Internet. Instead, when challenged by a server, your device should reply, “Yes, an authorized person presented a correct face today.” Your device would then use public/private key handshaking to sign you in to the server. By contrast, uses of biometric data by third parties is a topic we should be concerned about. For instance, in order to present evidence to the IRS last year, I was required to send to ID.me a video selfie of my face turning slightly from left to right (to ensure I was not holding up a photo). The IRS announced in February 2022 that it would shift away from facial recognition. At this writing, all they’ve accomplished is to add the alternative of a video chat with a live agent. As another example, I was required to submit a video selfie in 2021 at a big-box store to qualify for credit when buying a new WASHER/DRYER! The reason for these intrusive requirements, of course, is that criminals steal billions of dollars every year through online fraud. We absolutely need positive means to prove we are who we say we are. Passkeys won’t solve every problem, but they are a step in the right direction.
3. I recommend the use of tiny USB-port devices such as the Yubikey. A photo of one such device appeared in my Nov. 20, 2023, column, and I’ve also attached it. These plug-ins can be used to sign you in to your device without a password (or, alternatively, you can still enter a password, if your fingers happen to be covered in grease or whatever). Your passkey, which is stored in a secure enclave on your device, would then respond correctly to challenges, getting you into Web servers that support passkeys. I can’t cover here what to do if some hated government agency — say, the Kremlin — demands from you a facial scan for admittance. That’s a separate topic, but with the amount of fraud on the Net, we’re all certain to some day face that (no pun intended).

6 users thanked author for this post.

AlphaCharlie, Mr. Austin, unbob, TechTango, WSbobby-p, J9438

Reply | Quote

Brian

Thank you for the link to Pwned Passwords.

We try to be careful with the use of our passwords.

However, the ability to check in from time to time to see if any of the hundreds of passwords that we use are available online is important.

Reply | Quote

Brian’s explanation of the difference between passwords and passkeys, focusing on the storage issue, was excellent and helpful in understanding the risks/benefits of each.  One aspect not fully developed, however, is the risk of device loss when replacement is complicated or lengthy.

For instance, I travel frequently to other countries with my Google Fi phone.  If I lose the phone, I can’t get a replacement phone with the same number until I return to the USA (due to geography activation criteria).  It could be months before I return.  In that circumstance, I want another device (such as a laptop) to have the passkey program on it.  Authy was a good program until they announced they would stop supporting their desktop version this summer.  So far, I have been unable to find a program with good mobile phone AND desktop support.

Being a belt and suspenders person, I am leery of relying on passkeys until I know I have a readily available backup program.  Thoughts or suggestions?

Reply | Quote

You can sync a passkey across multiple devices that you use, such as a smartphone, a laptop, and a desktop computer. If you lose your phone in a foreign country, you can get a new phone and sync your passkey to it. See the FIDO white paper, which says, “If the user had set up a number of FIDO credentials for different relying parties on their phone, and then got a new phone, that user should be able to expect that all their FIDO credentials will be available on their new phone.” [Emphasis in the original.] If you travel a lot, a good idea would be to get a customizable number that can be configured to forward calls to your new number (if your phone is lost and you get a new one).

Reply | Quote

Long ago I used a commercial one, I forget which. Then they got hacked. Now I just use FF. I use FF sync basically only when I am installing a new build of windows or linux.

Is there any real reason not to use FF?

Thanks!

Reply | Quote

Saving credentials in FF means you can’t use them in another browser, or an app (Excel etc). It also means you can’t store other info, like CC data, Passport info, SS number, insurance details etc.

Get a password manager and store all your important data in it, then you have a simple, portable, independent store of your valuable data – and make a backup of the password store, you can never be too careful.

cheers, Paul

1 user thanked author for this post.

windbg

Reply | Quote

KeepassXC is my favourite, its open source, regularly maintained, creates a Cross platform encrypted Database and it even suggests passwords of what ever complexity that you choose. I assume its good on Linux but it works well on MacOS, Windoze 10 & 11 and Android. I would imagine it’ll work in iOS and best of all the Program is gloriously free including updates you can find it in Github or the Home Page.

2 users thanked author for this post.

Mark, Fred

Reply | Quote

As long as password managers or anything sending me a confirmation code to then enter can use a landline phone line OR an e-mail address!  So many now require a smartphone as the only option to receive the confirmation code.  So, if you do not have a smartphone, you’re screwed.  In my case, I don’t use that site–since I can no longer access it.  [Didn’t realize that many companies are not interested in keeping customers or continuing getting business.]

Reply | Quote

Passkeys don’t require separate two-factor authentication:

What is a passkey and how does it work?

Passkeys are a form of authentication that allow you to quickly create and sign into accounts – without having to use a less secure password. This single-step, secure login method replaces traditional authentication methods, as well as the two-factor authentication (2FA) process.

Passwordless Future: A Comprehensive Passkeys FAQ [BITWARDEN RESOURCES]

1 user thanked author for this post.

J9438

Reply | Quote

Passkeys are a form of two-factor authentication. The first factor is that you were able to sign in to your device using a PIN, a fingerprint, your face, or whatever. The second factor is that the device contains a private key. This enables the device to correctly respond to a challenge sent by a server (which holds a public key). What passkeys don’t require is servers sending you 2FA codes via email or text message; both methods are vulnerable to hackers.

1 user thanked author for this post.

J9438

Reply | Quote

I also use PasswordSafe on my PC and Android phone.  I think the reason it doesn’t get much love is that the interface is rather clunky.  I’ve been using it ever since it came out years ago.  It’s easy to configure and I like the fact that it is not integrated into my browser.  I would rather go through the extra step of copying the password into the browser than having it remembered other than for news and streaming sites.  Anything with financial information is set to 2FA.   There is also a Yubi Key option for those who want more security.

2 users thanked author for this post.

Tom in Az, windbg

Reply | Quote

I used Lastpass for years as it was said to be the best. Frankly, I was never that happy with it because it seemed like their updates often broke something. Then, after the Big Breach, I decided to move away. In fact, since I no longer have a need for remote access to a password manager, I decided to go with a local, off-line product.

I decided on KeypassXC. Although the UI isn’t exactly modern looking, as a developer from way back, it’s fine with me. It offers the Argon2 key derivation functions and supports Yubikey. I’ve been using it for almost a year and I’m very satisfied with it.

Reply | Quote

WUBRINY wrote:

I’m a lawyer, so uploading attorney-client data to the cloud has always been off-limits, regardless of how well I think it may be encrypted. I have always been suspicious of the cloud, mainly because most vendors offer small amounts of data free (say under 5 GB). I believe the rubric that if something on the internet is free, then you must be the product. I wonder what vendors look for when scanning uploaded data? I won’t belabor my local backup system here.

I have hundreds of passwords stored in Roboform. However, they are easily exportable to other password managers if it becomes necessary to change. I’ve used Roboform since 2003 and find myself reluctant to part with it.

I have some questions and comments concerning the article.

(1) I suspect that checking your password against the “Have I Been Pwned” website merely adds another password to the database of compromised passwords. Despite the site’s claim that it does not store passwords, Microsoft’s track record for truth-in- advertising has not been good.

(2) Passkeys (to my mind) are a troubling new development because of their heavy reliance on biometric data, even if the biometrics are allegedly stored on a local device. Unless you disconnect from the internet, local devices are in constant communication with external servers. Non-technical persons like me have no idea what data is being uploaded to those servers.

Yes, I know TSA is now requiring biometric facial recognition scans to fly domestically, and law-abiding citizens are required to submit biometric data when entering or leaving the country, but that does not make submission of biometric data any more palatable. Good proles, of course, should be willing to submit any biometric data requested at all times and in all places.

(3) If you refuse to provide biometric data, what options are left? Passkeys apparently can be created with a mere PIN. What if FIDO, Google, Amazon et al. decide a PIN is not good enough? Why are Passkeys are superior to (for example) RSA SecurID or Yubikey? Could SecurID or Yubikey be used as the third leg of a Passkey in lieu of biometric data?

We are entering a Brave New World of authentication. I find these new methods difficult to understand and somewhat disturbing.

You expressed some valid concerns and the answer to many is that it depends on if the data is encrypted or not and if it’s encrypted, when did the encryption take place.  I seldom store anything in the cloud that’s not encrypted and I make sure that when encryption takes place, it’s done on my  local PC ahead of it being stored in the vault.  From a data perspective many tools have the ability to encrypt/decrypt data and one of those is Bitwarden which is also a cloud-based password vault that can create the passkey pair and stores the private passkey.

 

Reply | Quote

Chris wrote:

My main gripe is about usernames, though. How many lazy websites insist on using your email for a username?

I agree wholeheartedly. Everybody in the world now knows your email address and if you have your name as your email address the hackers are one step closer to hacking you. Yet, almost every web site forces you to use the email address as your userid.

With a non email userid, a good password, and text code you actually have 3 step authorization but nobody wants to do that anymore. Convenience or security. And we wonder why so much hacking is happening.

3 users thanked author for this post.

rizzquery, windbg, WSbobby-p

Reply | Quote

Not everyone in the world knows our e-mail addresses.

We use an email service provider that allows us to have up to 100 “alias” e-mail addresses.

So, if someone like AskWoody asks us for an address we simply setup a new address such as askwoodyaquestion@xxxxxx.com.

We then record both the email address and password in our “password manager”.

 

2 users thanked author for this post.

rizzquery, J9438

Reply | Quote

I NEED a Password Manager! As mentioned, it’s become impossible for me to keep track of so many, with different passwords for all the sites that I have to visit. I am eagerly looking forward to learning more from Brian in this series of articles. I had done from research of password managers myself recently but that just became too confusing trying to figure out the  pro’s and con’s and features of each. Alas, Brian looks to be coming to my rescue in trying to decide on what password manager might meet my needs best!

THANKS, BRIAN !

Reply | Quote

I don’t use and never needed password manager and I don’t save passwords in browsers.
I remember user/password for all the sites I browse daily / weekly.
I have a small list of rarely visited sites in a password protected 7zip txt file.

1 user thanked author for this post.

NaNoNyMouse

Reply | Quote

Will passkeys take the place of authenticator apps.  what is the relations between passkeys and authenticator apps?

 

(btw: I currently don’t use either. I have been considering starting with an authenticator app but don’t completely trust google or MS) and there seems to be one issue or another with the others.   I have been using Roboform for years. )

Reply | Quote

“check whether your email address and any passwords you use appear in databases of stolen credentials that are widely sold on the Internet. The easiest way to do this is to visit the password-checking page of a website named Have I Been Pwned”

The problem with checking your email address appears to be that if your email address shows up and you change your password as a result, your address will still always show up whether there has been a newer breach of your address or not. So after the first time you are none the wiser.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

3 users thanked author for this post.

windbg, WSGeo, NaNoNyMouse

Reply | Quote

“whether you need one at all.”

If you use a single email address and the same password for every logon, then you will not need a PWM!

I, OTOH, have around 300 email addresses, most through a temporary email service, 10 or so through Google GMail, so need one.  I have used KeePass since forever.

Reply | Quote

Did you notice a pattern there? Out of the 19 password managers that were reviewed, the following five were recommended by the greatest number of test labs:

• Bitwarden, Dashlane, 1Password, NordPass, Keeper

And I wonder how many of the above programs are part of an Affiliate program and offer some sort of bounty back for click throughs?

Reply | Quote

Here’s another potential exposure of passwords you may not think of.  I certainly didn’t.

My TV kaputted a couple of months back.  It was just under 3 years old.  Luckily, I had an extended warranty, which reimbursed me for the original cost.

I went to Costco and picked up a replacement.  After using it for a week, I had ran into some issues that I didn’t like, so I returned it, as Costco allows (up to 90 days for any reason).

However, when I returned the TV, I forgot to reset it to manufacturers base.  It went back with accounts/passwords for Amazon Prime, YouTube and YouTube TV.

I didn’t remember this until I got home and was setting up the replacement.  I immediately changed those app passwords.

It’s possible whoever evaluates returned TV’s at Costco does an automatic rest on all returned TV’s but you never know.

Reply | Quote

Kathy Stevens wrote:

Not everyone in the world knows our e-mail addresses.

I would like to think that. I also have an alias I use but have NEVER given that out except to legitimate sites that FORCE me to use an email as my userid. Yet, I keep getting more and more scam mail to that address. I have no idea how they know but they do.  It is no coincidence that when I change say phone providers or insurance companies suddenly a few days later I get a new scam mail. I will note the vast majority of these are from a name@gmail.

 

Reply | Quote

In our case, if we begin to get spam addressed to one of our more than 80 email addresses, we can simply terminate the address in question and create a new “alias”.

Then all we have to do is log into the account that was associated with the old address and up date it with the new address.

Spam gone.

Our email service provider also offers a service that monitors spam traffic and, if the spam volume is high enough, blocks traffic from the host server.

Reply | Quote

B. Livingston wrote:

Passkeys are a form of two-factor authentication. The first factor is that you were able to sign in to your device using a PIN, a fingerprint, your face, or whatever. The second factor is that the device contains a private key

What happens if I have a mix of sites where some are set up with passkeys and some still use passwords?

Do I still sign into my desktop PC with my normal sign in (long password, face id, whatever) and then when I, say, go to Amazon.com does Amazon just instantly open my account because of the passkey in my PC?

But then if I go to one of the password only sites, can I still use ID/password or is passkey all or nothing on the device?

I am also concerned about the enormous time it will cost consumers to set passkeys up. If the average user has several PCs (desktop, laptop, cell phones) and has probably between 10 and 100 web accounts (banks, retail, health, insurance, retirement, woody, etc) it will take hours and hours of work to set all these to passkey. I have enough to do as is!!

I am also concerned what happens if my PC disk crashes or I have to upgrade to a new Win 11. Will I have to redo all my passkeys since those are specific to the device?

Also if this is confusing to me, a reasonably knowledgeable user, how are all the non Woody people out there going to understand this? I know people that still do not even use a sign in for their PC. They just turn it on.

Thanks.

Reply | Quote

Kathy Stevens wrote:

Not everyone in the world knows our e-mail addresses.

We use an email service provider that allows us to have up to 100 “alias” e-mail addresses.

So, if someone like AskWoody asks us for an address we simply setup a new address such as askwoodyaquestion@xxxxxx.com.

We then record both the email address and password in our “password manager”.

 

Yes! Exactly!

I’ve been doing the same for at least 15 years. I never give my “real” email address when registering on a new website (business, service, forum, etc). No offense, but anyone not doing this is a fool or ignorant of the consequences of giving out your email address to the world.

Two services (both free) I’ve used for many years with great success are: http://erine.email and http://spamgourmet.com

 

1 user thanked author for this post.

Mr. Austin

Reply | Quote

B. Livingston wrote:

If your phone or laptop recognizes you by your face (biometric data), it should never transmit a picture of your face across the Internet.

To me, there will never, ever be acceptable reasons to trust any company, any where, at any time, to *not* transmit such a thing. For over two decades I’ve had an interest in reading the news about the largest scale thefts of data. They are now commonplace.

And although I realize these things, one of the most hacked and hackable organizations in the world, the US guv’mint, has beacoup information on me. Coming back into the US recently I avoided some fairly long lines at customs, when my face was scanned with a camera at an automated Global Entry Pass kiosk. The rest of our traveling party had their suitcases opened by customs. I didn’t have to do that.

The guv’mint’s machine took of photo of me and allowed me through. No attendant needed to run the thing. No one else in line. Just one guy directing me to the kiosk while he stood back and let the machine recognize me and let me through.

But I prefer to have choices over which organizations and companies know about me, and which do not.

Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

2 users thanked author for this post.

windbg, Fred

Reply | Quote

Hi Brian,

In your article you list three ways that hackers could gain access to your passwords. Those are all valid scenarios, but you missed the one that is by far the most common – phishing.

If a hacker wants your M365, Google, Facebook, bank, etc credentials they are just going to trick you into giving your password to them. It used to be that phishers had plenty of success with simply asking people to send their passwords, credit card numbers, etc in plain text email. As people have become more paranoid, those sorts of simplistic phishing attempts aren’t as successful anymore. Now phishers will trick you into visiting a website that looks identical to the login page that you are accustomed to seeing. Through the use of phishing toolkits like Modlishka or Evilginx, they can even steal your MFA codes, because these tools are actually presenting the real login page to you through a man-in-the-middle proxy. With a MITM proxy you are actually logging into your online account (M365, Google, etc), but in the process the phisher has harvested your password, your MFA code and your session cookie.

The cyber security community has been saying – for more than 20 years – that passwords are dead as a security technology. MFA technologies (even the weak ones like email and SMS codes) are a crucial stop gap measure along the path to more robust forms of authentication. Unfortunately, MFA wasn’t rolled out as part of a coordinated standards effort, so we now have an incredibly splintered landscape of MFA approaches that cause most regular people no end of frustration.  Password managers are also an important security enhancement, but they too are a band-aid aimed at dealing with the incredibly poor password choices that the vast majority of people make.

Today, the only web authentication that can protect you against phishing toolkits like Modlishka, is a FIDO authentication method. Hardware tokens, like Yubikeys, are currently the most secure FIDO authentication method. Passkeys are the newest FIDO authentication method and I hold out some hope that they will really catch on but, from what I’ve seen over the past 20+ years, there will be an incredibly long tail of websites that either never adopt FIDO authentication or it will take them more than a decade to do so.

 

<span style=”text-decoration: underline;”>At this time the best advice I can offer is this (in descending order of importance):</span>

• Treat your email account as the most security sensitive account you have, because it is. If a hacker compromises your email account, they can simply reset your password at your bank, social media account, etc. They can also impersonate you to your friends, vendors, customers, etc. I can’t stress enough that your email is the keystone in the arch of your online identity, if it is compromised the attacker can now act as you just about anywhere online and thus the whole arch will fall.
• Use trustworthy devices. As you pointed out Brian, if your PC is compromised, all bets are off. Most PCs, whether Windows, Mac or Linux are not really very trustworthy as most people don’t know how to configure them to be secure and to maintain them properly. iOS devices are significantly more secure and easier to maintain than most PCs and Android devices are somewhere between the two. If your email address is the keystone in the arch of your digital identity, your devices are the ground that is holding up the arch. Shaky ground or a poor foundation will cause even the most robustly built arch to fall.
• Use a reputable password manager (there are lots of really bad ones)
• Your password manager must be protected by a long master password
• If your password manager is accessible through a website, make sure you use phishing proof authentication, either as the primary authenticator or as a second factor and only ever access your account from a trusted and trustworthy device
• Never re-use passwords anywhere. You should use a unique password for every site/service/account.
• Passwords should be randomly generated and since your password manager is managing them for you they should be 20+ characters long because, well why not?
• Wherever possible, use phishing proof authentication (FIDO) such as Yubikeys or passkeys, either as a primary factor or a second factor
• Never ever store your passwords in password protected Excel files. Anyone who spends a few minutes looking online for Excel macros for defeating password protected spreadsheets will learn that Microsoft NEVER should have added this feature to Excel. It gives people a false sense of security where there is absolutely none.
• Avoid trying to be clever, such as rolling your own password manager. It’s just so easy to get it wrong in ways that can leave your passwords exposed without you understanding why (I’m looking at you 7zip encrypted text file).
• Because, your email account is so security sensitive, you really should not use any of the thousands of integrated online services that you can authorize to read and send email on your behalf – Eg Grammarly, most CRM tools for businesses, etc.  I know they’re convenient and perhaps even helpful, but if their systems are compromised, then it’s possible that an attacker can access your most sensitive online accounts.  I fully expect to see a dramatic rise in OAuth related account compromises in the next few years, because this spider web of SaaS integrations is creating a vast and largely invisible landmine of tokens, both in your browsers and on SaaS servers.
• Finally, realize that no matter how secure you may think your devices and authentication methods are, if you’re storing sensitive data in online accounts, that data is now out of your control and can be compromised despite your best efforts. In fact chances are extremely good (based on breach statistics), that you will have at least one of your online accounts directly compromised or compromised in a breach this year. The state of many (most?) companies’ cyber security is much worse than you might expect. I’m not telling you to go live in the woods without any Internet connection, but rather that at some point you have to decide to what degree you want to participate in society. For better or for worse, more and more of our world is moving online and increasingly you won’t have the option of opting out. Perhaps it would be wise to strive for some measure of spiritual detachment from our highly materialistic world and accept that you really can’t maintain control of your “stuff”. You can do the very best you can, but beyond a certain point you’ll just tie yourself in paranoid knots and your quality of life will suffer.

4 users thanked author for this post.

dg1261, zat_so, ibe98765, windbg

Reply | Quote

I forgot to add one incredibly important point.  The more effort you put into protecting your data using encryption, the more likely you are to eventually have an accident that permanently and irretrievably results in the loss of your data.

Encryption, as employed by password managers and many other security tools, is not something that can be unlocked by a call to the help desk of your password manager vendor.  If you lose your encryption keys, your data is completely gone forever.

1Password has a good feature for consumers called the Emergency Kit.  It’s a PDF that you can download, print and then store in a safe deposit box.  DO NOT LEAVE THE PDF FILE ON YOUR PC, this is much worse than a password protected Excel file.  The reason I recommend a safe deposit box is that this becomes your “help desk”.  You can always go to your bank, prove your identity to them and gain access to your safe deposit box.  This way your Emergency Kit paper won’t be lost in your filing cabinet, destroyed in a flood or fire, etc.

Having a 1Password family or team account is also a hedge against complete loss of your data, but this also increases your attack surface because now an attacker can compromise your family member and thus gain access to your vaults.  I still think the safe deposit box is currently the best option for people that really want to protect their stuff, but they still want to protect themselves, from themselves.

A safe deposit box isn’t cheap, but depending on the value of the secrets you’re protecting with encryption (think of the ridiculous stories of people losing millions in Bitcoin due to not having a securely stored paper copy of their Bitcoin wallet address), it might actually be cheap insurance.

2 users thanked author for this post.

dg1261, windbg

Reply | Quote

KeePass has an “Emergency Sheet” with recovery data.

You can create one manually for other managers.

cheers, Paul

Reply | Quote

b wrote:

Passkeys don’t require separate two-factor authentication:

Correct me if I am wrong, but let’s say a person has 50 accounts to access on their PC:

Scenario 1) A hacker gets into your PC by your accidental clicking of a link in an email. If all 50 accounts are set up with Keypass or Authenticator App, the hacker looks at your Favorites list and accesses any or all instantly. You cannot change the embedded access codes and don’t have time to phone call 50 accounts. You’ve had it!

Scenario 2)  A hacker gets into your PC by your accidental clicking of a link in an email. If all 50 accounts are set up with unique ID/passwords, the hacker looks at your Favorites list but does not have the passwords so cannot do anything unless you were stupid enough to store the passwords on your desktop.  You have plenty of time to change the passwords as a precaution.

Solution) My solution to this which lazy companies and lazy people probably won’t do is:

A web site should be initially accessed by the current ID/password and then for the 2fa initiate the request for the passkey or authenticator app code.

This should lock out both scenarios. Since people seem to prefer convenience over security I doubt this would ever happen.

To look at this another way I always use a hardware steering wheel lock on my car. When the thief uses a copycat FOB my steering wheel lock is the keypass that stops the thief. The thief without a copycat FOB is stopped by my regular door lock (the password). Yes, inconvenient but more secure. (I know the thief has other ways but then you need 3fa (siren alarm).

2 users thanked author for this post.

windbg, Mr. Austin

Reply | Quote

“To look at this another way I always use a hardware steering wheel lock on my car.”

Takes 15-30 seconds to remove.  Search YouTube for examples of how to do it.

Reply | Quote

J9438 wrote:

If all 50 accounts are set up with Keypass

Passkeys require biometric authentication…

“With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.”

https://www.passkeys.com/

2 users thanked author for this post.

J9438, TechTango

Reply | Quote

Passkeys do not require biometric authentication.

The source you quoted says you can sign in to your device using a biometric sensor, PIN (e.g., a password), or a pattern (e.g., sliding your finger on your smartphone screen). Once you are signed in to your device, if it has a passkey set up, a Web server recognizes you without your having to enter another password.

This is effected using a public/private key challenge, which your device is capable of responding to correctly. No username or password is ever sent across the Net or stored by the server. The server stores only the public key that is used to form challenges.

Reply | Quote

Alex5723 wrote:

freeing them from having to remember and manage passwords.”

Sorry I am confused but does that mean if I have, say, Amazon set up for keypass and I then go to http://www.amazon.com and it then asks me for a PIN? Seems like having 50 different PINs is same as keeping up with 50 different passwords. I won’t even go into how I would submit a facial on a desktop.

I was under the impression that on Authenticator a code was generated that the website accessed on the PC and that keypass was similar so was like an automatic sign in. Thanks.

Reply | Quote

J9438 wrote:

Sorry I am confused but does that mean if I have, say, Amazon set up for keypass and I then go to http://www.amazon.com and it then asks me for a PIN? Seems like having 50 different PINs is same as keeping up with 50 different passwords. I won’t even go into how I would submit a facial on a desktop.

No. You have one PIN, which doesn’t leave your computer, for all stored passkeys.

J9438 wrote:

I was under the impression that on Authenticator a code was generated that the website accessed on the PC and that keypass was similar so was like an automatic sign in. Thanks.

I don’t think it helps much to compare passkeys with an authenticator app, because an authenticator provides 2FA/MFA for passwords and passkeys are about eliminating passwords.

2 users thanked author for this post.

Alex5723, J9438

Reply | Quote

Passkeys are a one time setup and do not use additional authentication / code, but they are tied to your device.

cheers, Paul

1 user thanked author for this post.

J9438

Reply | Quote

b wrote:

You have one PIN

So does a web site ask you to enter that PIN or does it just get it from your PC?

b wrote:

an authenticator provides 2FA/MFA for passwords

So does a web site ask you to enter the authenticator generated code after entering a password.  That sounds like what I wanted in 2635586 above.

Paul T wrote:

Passkeys are a one time setup

So that sounds like to scenario I mentioned above in2635586 where a hack would have instant access to all accounts since there is one PIN for ALL accounts if opens account without needing manual entry of the PIN.

Sorry I am so stupid but a lot of others probably have the same questions if never used passkeys or authenticators.

Reply | Quote

Yes, once hacked a malicious user can get into your stuff. The same is true of a password manager, but not 2FA, although if you have all the details you can reset stuff anyway.
The point is, if you are hacked, all bets are off.

The advantage of passkeys is you don’t have dozens of credentials to store and logon is a simple, enter your PIN. And you can supplement with 2FA.

cheers, Paul

1 user thanked author for this post.

J9438

Reply | Quote

Paul T wrote:

Yes, once hacked a malicious user can get into your stuff. The same is true of a password manager, but not 2FA, although if you have all the details you can reset stuff anyway.
The point is, if you are hacked, all bets are off.

The passkey PIN (or face/fingerprint) protected by TPM has to be entered on the computer storing the private passkey, so remote attack would fail.

Paul T wrote:

The advantage of passkeys is you don’t have dozens of credentials to store and logon is a simple, enter your PIN. And you can supplement with 2FA.

Passkeys are a form of 2FA but can’t be supplemented with anything.

1 user thanked author for this post.

J9438

Reply | Quote

b wrote:

Passkeys are a form of 2FA but can’t be supplemented with anything

Of course they can. You are not limited to only using passkeys to authenticate users on your system.

cheers, Paul

Reply | Quote

Paul T wrote:

b wrote:

Passkeys are a form of 2FA but can’t be supplemented with anything

Of course they can. You are not limited to only using passkeys to authenticate users on your system.

cheers, Paul

I didn’t realize “supplement” meant “still use passwords” (especially after “The advantage of passkeys is you don’t have dozens of credentials to store”).

Reply | Quote

If a hacker is able to plant a Trojan horse on your device, it does not mean that the hacker would immediately have access to all the websites that you’ve established accounts with.

The Trojan would have be to able to run your device, open Web browsers on it, and so forth. Why would a hacker bother to do this on your one machine? He or she could easily sign in to websites using some of the 12 billion username/password combinations that are widely available for sale on the Dark Web.

Understandably, if someone breaks into your office or home and steals your computer, the thief can then do anything that your computer can do. (The thief can sign in to banking websites using passwords that you carelessly stored in your browser, etc.)

But no technology can help you if someone can break in and physically possess your device. Keep them locked up and secure.

1 user thanked author for this post.

J9438

Reply | Quote

B. Livingston wrote:

Keep them locked up and secure

And encrypt the disk.

cheers, Paul

1 user thanked author for this post.

J9438

Reply | Quote

B. Livingston wrote:

Understandably, if someone breaks into your office or home and steals your computer, the thief can then do anything that your computer can do. (The thief can sign in to banking websites using passwords that you carelessly stored in your browser, etc.)

Unless browser passwords are protected with a custom primary password:

Keep your saved passwords private with custom primary password [Edge]

1 user thanked author for this post.

J9438

Reply | Quote

J9438 wrote:

b wrote: an authenticator provides 2FA/MFA for passwords.
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
So does a web site ask you to enter the authenticator generated code after entering a password.

Yup, that’s exactly how it works!

1 user thanked author for this post.

J9438

Reply | Quote

The best password to use is the name used in the Shari Lewis song Tiki Tiki Timbo

Reply | Quote

B. Livingston wrote:

Why would a hacker bother to do this on your one machine?

Recently I miss typed a web address by one character and a hacker was waiting at that address. I even had something called Acronis that is suppose to guard against mistyping an address and that let the hacker through. It can happen to anyone anytime.

Geo wrote:

Yup, that’s exactly how it works!

So Authenticator seems to me the ideal solution if one does not mind dealing with passwords and keeps them safe through the above safeguards mentioned. You get the security of individual site 2fa and the authenticator codes are not transmitted  like text and change every few seconds.

I will note I wanted to use than on a desktop for a site that only offers Google Authenticator but Google does not offer that app except on phones. I did find, however, a Chrome Authenticator extension that seems to do the same thing but had mixed reviews with some having great success and others miserable failures with it not working.

Reply | Quote

J9438 wrote:

Recently I miss typed a web address by one character and a hacker was waiting at that address. I even had something called Acronis that is suppose to guard against mistyping an address and that let the hacker through. It can happen to anyone anytime.

That’s something that passkeys absolutely prevent, because a passkey can only be used for the completely genuine site which created it.

J9438 wrote:

So Authenticator seems to me the ideal solution if one does not mind dealing with passwords and keeps them safe through the above safeguards mentioned. You get the security of individual site 2fa and the authenticator codes are not transmitted  like text and change every few seconds.

I use Microsoft Authenticator all the time (and as a password manager), but an authenticator app can’t protect against typo-squatting or phishing like passkeys.

1 user thanked author for this post.

J9438

Reply | Quote

Recently I miss typed a web address by one character and a hacker was waiting at that address. I even had something called Acronis that is suppose to guard against mistyping an address and that let the hacker through. It can happen to anyone anytime.

You don’t have a firewall?  That should have kept you safe.

Also, running with scripting turned off solves problems like this.  But then you might have to enable scripting at each new website (some still work with scripting disabled, many do not).  This is easy to do with NoScript in Firefox with NS shown in the status bar, so you can enable/disable scripts directly.

Although admittedly, this is all a bit complex for non-techies.

1 user thanked author for this post.

J9438

Reply | Quote

J9438 wrote:

Recently I miss typed a web address by one character and a hacker was waiting at that address

Any proper A/V running web protection would have block bogus URLs.

2 users thanked author for this post.

J9438, Fred

Reply | Quote

Yes, MalwareBytes as browser-adon, free of charge.
And MalwareBytes Antimalware , payed licence, active running is guarding the searchstring going to the internet.
Together they are quite effective.
Even Bitdefender free version does good, also in combination with the browser adon from MalwareBytes.

* _ ... _ *

2 users thanked author for this post.

J9438, Alex5723

Reply | Quote

ibe98765 wrote:

You don’t have a firewall?

I have a firewall through a major ISP provider. Hung off that is the firewall in a brand new top line router. I also have a popular antivirus app. All of them did not stop it.

I guess it is because it was a very legitimate business used by many but with one wrong letter I typed in the web address. Apparently some hacker figured out people would make that mistake and accidentally go there.

All the firewalls and AV cannot stop everything. Businesses, however, should try to make their web address as simple and typing error proof as possible and have their testers try all combinations of their addresses and lock up similar ones.

Reply | Quote

Alex5723 wrote:

Any proper A/V running web protection would have block bogus URLs.

As I said to ieb98765 above, they all failed. This one slipped through the cracks.

Reply | Quote

Fred wrote:

Yes, MalwareBytes

Yes Malware free missed it and so did Acronis that claims active protection against mistyped addresses.

Just one of those once in a million occurrences,

Reply | Quote

J9438 wrote:

Recently I miss typed a web address by one character and a hacker was waiting at that address.

Another reason why bookmarking sites (assuming it’s not a one-off) is a good idea.

1 user thanked author for this post.

J9438

Reply | Quote

zat_so wrote:

Another reason why bookmarking

2 thoughts on that. Yes, for general sites like Amazon that probably everyone has. However, for your bank, not a good idea because if the hacker gets in, the hacker now knows the bank you use, and if the hacker already has a dossier on you could call the bank and … well you know.

It is better to keep those web addresses on an encrypted list somewhere that you can click kind of like an encrypted bookmark.

After all, the world of hacking is all about getting all the keys to your life and then walking right in.

Security is NOT convenient. To beat the hackers you need data access by unique userid (not your email address) then unique password then device generated authenticator on a device protected by some kind of token or other sign in ID at minimum.

Until then the wolves will continue to plunder the sheep. (Or until we can trap the wolves.)

1 user thanked author for this post.

zat_so

Reply | Quote

J9438 wrote:

However, for your bank, not a good idea because if the hacker gets in, the hacker now knows the bank you use, and if the hacker already has a dossier on you could call the bank and …

A valid point I hadn’t really considered. I guess it comes down to which you think is more likely/riskier – that a hacker gains control of your device, or that you mistype an URL.

1 user thanked author for this post.

J9438

Reply | Quote

“In the second installment of this four-part series, I’ll explain how these programs shape up in terms of the use cases listed above.

I got my password manager long ago. Back then, there were few choices that allowed unlimited devices. I hope you include such limitations in your next installment – we’re looking for a change. Thanks.

Reply | Quote

Mason wrote:

I still think the safe deposit box is currently the best option for people that really want to protect their stuff

Not necessarily so.  Read this story:

“There are an estimated 25 million safe deposit boxes in America, and they operate in a legal gray zone within the highly regulated banking industry. There are no federal laws governing the boxes; no rules require banks to compensate customers if their property is stolen or destroyed.”

https://www.nytimes.com/2019/07/19/business/safe-deposit-box-theft.html

Then there is the problem of when the safe box holder dies.  No one will be able to get access to that box unless they have the death certificate and are the estate administrator.  If you don’t have an estate or a legal administrator, good luck…

2 users thanked author for this post.

windbg, dg1261

Reply | Quote

ibe98765 wrote:

Mason wrote: “I still think the safe deposit box is currently the best option for people that really want to protect their stuff”

Not necessarily so. Read this story

That NY Times story appears to be behind a paywall, but here’s an unrelated though similar TV story that aired just recently:

Inside Edition: Woman Sees Lost $10K Necklace From Safe Deposit Box on TV

That said, Mason’s post nevertheless has a lot of good information in it. I may not fully agree with a couple of the specifics, but that would just be nitpicking so I’ll refrain as I wouldn’t want to detract from his otherwise excellent and useful post.

Reply | Quote

You can often beat MSM paywalls by going through the https://archive.ph/

Here is the unpaywall link to the article:

https://archive.is/63xoB

1 user thanked author for this post.

SueW

Reply | Quote

I wonder why the lack of love for Roboform. It gets mentioned here by a couple of people, but is only in one of the lists, and is the last one in it. I’ve been pretty happily using it for years on PC laptop and Android. Am I missing something?

Reply | Quote

Yes, the bit where Brian explained why many managers are not mentioned. “They have to be in the top recommended.”

cheers, Paul

Reply | Quote

Understood. I’m just wondering what’s seen as wrong with it that causes it to not be in the top recommended.

Reply | Quote

You need to read the reviews, as Brian did.

cheers, Paul

Reply | Quote