  • Let's debate password managers

    Posted on Michael432 Comment on the AskWoody Lounge

    This topic contains 76 replies, has 39 voices, and was last updated by  Raymond41 1 month, 1 week ago.

    • #1925567 Reply

      Michael432
      AskWoody_MVP

      There are 3 ways to keep track of hundreds of unique passwords:

      1. write them down on paper
      2. use password manager software
      3. use a formula to generate easy to remember passwords

      I blogged about using a formula here
      https://michaelhorowitz.com/BestPasswordAdvice.php
      I also cited 13 reasons why a formula is better than password manager software.
      Opinions …

      Get up to speed on router security at RouterSecurity.org

      3 users thanked author for this post.
    • #1925614 Reply

      OscarCP
      AskWoody Plus

      I agree that the paper and pencil solution is the safest. But I have my doubts about the “formula” approach. I prefer random-like passwords at least 12 characters long and changing them every two months, at least those I care enough about keeping safe, to do that.

      If one uses a formula, as I understand what is proposed in the blog, could not any enterprising soul bent on partaking of one’s savings figure them out, once enough of one’s passwords have been looked up with some adequate tool (if my bank can do it, why not others as well?) showing the same n-characters, arranged in the same groups in all of them, although these may be placed in different positions, making the figuring of other whole passwords as easy as if no formula had been used? And what then?

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

      1 user thanked author for this post.
      • #1926159 Reply

        Michael432
        AskWoody_MVP

        Certain high value passwords are indeed exceptions. The blog says that.

        Even if someone had two of your passwords:

        BabeRuth-jungle
        BabeRuth-geemail

        for example, that does not let them figure out other passwords, even though they can tell that your passwords start with the same characters. I need to clarify that there are hard and soft formulas (my terminology). I was proposing a soft formula, where passwords have a common prefix (and hopefully also a common suffix) along with a variable component. A hard formula, like a hash, would generate a single fixed password for any website. Sounds like you were considering a hard formula.

        Get up to speed on router security at RouterSecurity.org

      • #1944609 Reply

        Thomas
        AskWoody Plus

        Hi, I use Sticky Password Manager and usually use a 21-character password generated by the tool; it works well for me, and sometimes I insert a space somewhere in the password. I also use Bitwarden, the free version, so I have my passwords accessible on my Linux systems.

        All this works well with me and I never have been breached.


    • #1925615 Reply

      anonymous

      Formula works for me to an extent (e.g. I have a formula for PC password) but when you have in excess of fifty passwords to manage, need to change them regularly and need to avoid reusing and doubling up…

    • #1925704 Reply

      Paul T
      AskWoody MVP

      A formula is great if you just want passwords, but I also need user IDs, secret questions, CC numbers etc and I want the credentials entered for me, including extra check boxes and those annoying second or third screens. A password manager is the only way to retain all that information in one secure place and enter it easily.

      cheers, Paul

      2 users thanked author for this post.
      • #1925715 Reply

        OscarCP
        AskWoody Plus

        Paul T: “A password manager is the only way to retain all that information in one secure place and enter it easily.”

        Agree about it being easy to use passwords using a password manager; now, about these also being kept in a secure place, well…

        I believe that this whole discussion started on the assumption that one’s computer, in final analysis, might not be the safest place to keep one’s passwords.

        Some of the questions that might come to mind in this context are:

        What happens if someone steals the computer?

        What happens if the computer dies?

        What happens if the computer is lost?

        What happens if someone installs ransomware in the computer?

        What happens if the password manager files become corrupted?

        And so on.

        Of course, backups are, in part, the answer to all of them, although not much help in cases (1), (3) and (4).


        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        • #1925719 Reply

          mn–
          AskWoody Lounger

          Agree about it being easy to use passwords using a password manager; now, about these also being kept in a secure place, well…

          I believe that this whole discussion started on the assumption that one’s computer, in final analysis, might not be the safest place to keep one’s passwords.

          Exactly.

          Now, there’s more than one way to mitigate these issues…

          First, I prefer to be able to access the stored passwords from multiple devices. Stored locally for offline use is a hard requirement for some things (passwords to equipment installed in locations with no ‘net access, etc) and makes it easier to do backups too.
          The local storage needs to be encrypted at a minimum, to help against theft and such.

          So, this means synchronizing the encrypted storage between devices.

          Against file corruption (both accidental and ransomware) it’d be helpful if the sync tool would automatically also store backups, but this should be possible with any backup tool that can read the files that the encrypted storage consists of.

          (Master key needs to be handled separately.)

          So, risk to password security from device theft and hardware breakage is mitigated by encryption and having copies on other devices (hope they don’t all get stolen or broken simultaneously). Risk from accidental or malicious file corruption is mitigated by having copies of the backups that can be restored on multiple devices…

    • #1925705 Reply

      mn–
      AskWoody Lounger

      Yes, the formula thing is … not very manageable in non-trivial situations.

      I use a password manager that has a tree structure and lets me share subtrees with other people. Some with my spouse, some with the children too.

    • #1925724 Reply

      Ascaris
      AskWoody_MVP

      If you create a formula to create passwords, the formula itself effectively becomes the password… not just for one, but for every site you visit.  If an attacker is able to figure out the formula from a few known passwords to other sites that may be compromised (by a security breach of any of the various sites you use), it gives that attacker the keys to the kingdom.

      If I was an attacker and I saw a password that started with something like “BabeRuth,” I would assume that was exactly what it is.  Making up a password that has only a bit of it that changes is not a new idea.  Using one’s favorite baseball player or other such thing as the password is as old as passwords, and adding stuff on the end is not much different.  Neither is obfuscating it by replacing the letter O with a zero or using nonstandard capitalization schemes.

      If two passwords were compromised, any doubt over the schema is removed.  If the total password length was 12 characters, generally regarded as a good length for a strong password (I prefer more, but YMMV), the password with “BabeRuth” already known becomes effectively four characters long, which is trivial to brute force even if those four are truly random.  It’s not, though.  Your proposal includes an example of “BabeRuthbook” for Barnes and Noble, though, and that’s far from random.  If I look at that password, and I know it’s for Barnes and Noble, bookstore, I’ve got a really good idea of your entire password schema.  It may take a few guesses to get “BabeRuthjungle” for Amazon, but it would probably be in the first five or so tries.

      I use passwords that are randomly generated (as much as random generation is possible on a computer) and that are of substantial length.  It’s extremely convenient, and requires no installation of anything, save for the bit that generates the passwords.  To login, I just click the username field and select the user ID I wish to use from the dropdown box, hit enter, and it fills in the username and password field.  In the rare cases where this does not work, I use an addon that acts in conjunction with the built-in Firefox password manager to force-fill the password in a location I specify.  No site has ever been able to block that.

      I never have to type or copy-paste passwords in on a per-site basis to log in.  There are no keypresses that can be keylogged, no clipboard access that can be read by any program.  Of course, if something has access to my keypresses or my clipboard, it means a nasty bit of code is already on my system (with admin rights in the case of the keylogger), so that’s pretty much game over in and of itself, but not having the password vulnerable to keyloggers or clipboard scrapers at least reduces the attack surface.

      A process that can read the password from memory would be able to grab it in any case, but that’s a good deal more difficult (with ASLR and the like) than the other two methods.

      As long as the encryption of the password store on the SSD is not broken, the odds of my passwords leaking is minimal.  Not zero, of course… nothing is 100% secure, but I think I’m in pretty good shape.  I’ve got the outer layer of self-encryption on my Swift laptop (even as compromised as it is, it costs nothing performance-wise, so I still have it set), then the layer of LUKS encryption, and under that, the Firefox/Waterfox master password (which encrypts the entire password store locally).

      If some web-based method of compromising the Firefox password store were devised, it would probably be found and made public before it happened to me, just based on the law of averages, and the fix would be in the next release of Waterfox, which receives all of the Firefox security updates.  It could hit me first, but it’s not very likely, and it would depend on there being an exploitable flaw in the first place (that can be exploited even though I have scripts heavily restricted with uMatrix).

      As for the 13 reasons:

      There is a learning curve with all software. Techies underestimate how much of a pain this can be for non-techies.

      It doesn’t get easier than clicking in the username box and selecting one from the dropdown list.  It’s a lot less painful than having to type passwords.  The password store would have to be secured by some form of encryption, like any other sensitive data on the hard drive or SSD, which can be accomplished by selecting a master password in Firefox/Waterfox.  Since it is only one password, there’s no need to make it memorable with regard to any one site.  I actually just created a random string and made up a mnemonic to apply to it to make it memorable.

      No software runs on every Operating System or supports every web browser,

      I don’t use every operating system or every web browser.  If I can find one thing that works for my browser and my OS, that’s good enough.  Most people are looking for something that suits their needs, not everyone’s.

      Firefox and Waterfox both run on anything that I would be using to browse password-protected sites, and several that I would not: there are versions of each for Windows, Mac, Linux, and Android.  The iOS version of Firefox (like every other browser) is so hamstrung by Apple’s restrictions that I have no idea what its actual capabilities are.  It may well have a password manager that is as good as what Firefox has to offer natively, in which case I would have no problem with it in that one way, if I wanted to use a mobile platform.  In other ways… that’s another topic.

      The most secure Operating System most people have access to is a Chromebook running in Guest Mode. A formula works there, a password manager does not.

      I don’t use Chrome or anything else Google if I can avoid it, and if I did, it would not be in guest mode.  Passwords as strong as mine are not feasible without persistent data storage.  That’s a problem for people who use that platform to solve, not for me.  There’s no use in limiting myself to a solution based on what would work for a platform I do not use and would not use.

      All software has bugs, password managers included. Not only might you be vulnerable to a bug, but you certainly are on the hook for keeping the password manager software up to date.

      It’s part of the browser.  That needs to be kept updated regardless of whether you use its password manager.  Even if it wasn’t, it would probably be available in an APT repo somewhere, so it would be updated just as easily as the browser itself, though I would certainly want to vet it first if/when I ever saw it available as an update to make sure it was the real deal if it was a PPA.

      With a password manager you have to trust that it works correctly.

      That’s the same with all software, and is particularly important with anything related to security.  Still, the password manager is really super simple.  The rest of the browser, not so much!

      A formula lets you write down the variable part of the password – safely.

      That’s not really what I would call safe.  If it is evident what the book is for, as it would be, that effectively shortens the password to the same string for each site in the list… “BabeRuth” in your example.

      When a password manager generates passwords for you, it may create a password that is too long for the target system, or, that contains characters the target system does not allow.

      If you want “BabeRuthbook” to be your password for Barnes & Noble, but it demands you have at least one number and one special character, you’re in the same situation.  If the password generator generated a password that is too long, hit backspace a time or two; if it doesn’t like some character, hit the button and generate another one.  It’s only happened to me a handful of times, and it’s always been simple to fix it in a couple of seconds.

      Some websites do not allow passwords to be pasted into the logon form.

      That only matters the first time I enter a password for a site during the account creation phase (if it does this, generally it is in the ‘confirm password’ field, and even then I have never let that stop me from doing it anyway (though it simulates keypresses, and is therefore subject to the same keylogging risk as typing a password).  Otherwise, there’s no copy/paste at all.  It’s entered by the browser itself, and it ignores autocomplete=off.

      A formula is free, some password managers are also free, but some are not.

      Firefox is free.  If someone out there finds that a paid one fits his needs better than anything for free, that’s great, but I only need a solution for me.  I’m not trying to find one universal solution for everyone.  There isn’t one.

      The security of web browser extensions.

      Not everyone that uses the Firefox password manager even uses addons, and the newer Webextensions addons are not, by design, able to access the unencrypted passwords or the file system at all.  All they can access are the encrypted hashes.

      Even so, web browser extensions are software.  It always pays to be careful when using any software.  If you run anything that turns out to be malicious on your machine, whether or not it is related to security, it could have a malicious payload that compromises your security.

      Anyone who uses a malicious addon is potentially at risk of having the password stolen, even if they never use any password manager to store passwords.  If it gets typed into a password field, it’s in the browser just as surely as if it was pulled from a password store somewhere.

      When using someone else’s computer, the password manager software is not available

      For me, that’s not a bug… that’s a feature.  I don’t want to be able to enter my passwords into any PC that I personally do not know has been operated and maintained properly.  I have no way of knowing if someone else has been clicking on every unsolicited email attachment or if they have been downloading and running “warez” that are probably full of malware.

      My PCs are used by me and me alone… every thing that is done to them was done to them by me.

      What if you want to switch away from a password manager you are currently using?

      Then I will switch.  At best, it’s a simple matter of importing the Firefox data.  At worst, it’s no harder than if you wanted to switch from your method to mine (enter the passwords into each site by your existing means and save it in the new manager by whatever method it uses).

      All your eggs in one basket? Really?

      Typing each password into the same browser on the same computer is just as much “putting all your eggs in one basket” as having that browser store them for you.  If there is malware on the system, whether it be a malicious addon, virus, worm, Trojan horse, or whatever else, your passwords are not safe even if you never have any password manager save anything.

      Having one password schema that ties together every password you use is even worse.  If I see a password “BabeRuthbook” for Barnes & Noble, a place to buy a book, I’ve already got your entire password scheme figured out.  If one password is compromised, they are all compromised.

      If you see “F9J&WZX”1FSf5m.” on my Barnes & Noble account (the quotation mark in the center is part of the password), that’s all you’ve got.  You’re no closer to getting any of the other passwords than if you had no info at all about my Barnes & Noble account.

      Group "L" (KDE Neon User Edition 5.17.2).

      7 users thanked author for this post.
      • #1926177 Reply

        Michael432
        AskWoody_MVP

        If you create a formula to create passwords, the formula itself effectively becomes the password… not just for one, but for every site you visit.

        This is a misunderstanding. My fault. See my above reply regarding hard vs. soft formulas.

        If two passwords were compromised, any doubt over the schema is removed.

        Two passwords for the same account name/email address. Varying email addresses is another whole topic. See http://www.DefensiveComputingChecklist.com for more on that.

        Your proposal includes an example of “BabeRuthbook” for Barnes and Noble, though, and that’s far from random.

        That was a brutally simplistic example to illustrate the concept. I clearly said that “MickeyMantlebook” was better, “MickeyMantle-book” better still and
        “Mickey-book-Mantle” better still. That’s an 18 character long password with almost no thought behind it.

        And, yes, a password formula is less than perfect, but it is still surely better than what many people use and thus would be a big improvement for many. So too would writing down passwords on paper, at least that avoids re-using a password.

        When using someone else’s computer, the password manager software is not available
        For me, that’s not a bug… that’s a feature.

        Touché 🙂

        Get up to speed on router security at RouterSecurity.org

    • #1925996 Reply

      xrobwx71
      AskWoody Lounger

      When you guys say I use a _____ to ______ Please fill in the blanks so others can try or research what you have experienced. Please and Thanks 🙂

      My 1st, #1, AllStar advice? Have a valid backup image of your drives.

      Macrium Free

      AOMEI Backupper

      Acronis True Image (not free but very good)

      The universe is hostile. so Impersonal. devour to survive.

      So it is. So it's always been. ~Maynard James Keenan

    • #1926124 Reply

      zero2dash
      AskWoody Lounger

      Many of your arguments (OP) are factually incorrect especially when you consider KeePass as an option.

      * KeePass is multiplatform and runs on everything, short of mobile devices. However, there are KeePass forks that are available on mobile devices.

      * KeePass does not need a browser plugin to interact with web forms, that’s what its auto-type feature is for.

      * KeePassXC being open source and hosted on GitHub means that it can be trusted because it is subject to code review and scrutiny.

      I see a lot of your reasons against knee jerk reactions are themselves knee jerk in nature. A little more research would have gone a long way, here.

      I use KeePassXC (just recently switched from KeePass since XC is a fork that is truly cross-platform) and store my KDBX DB file both locally and in Google Drive. The DB is encrypted, so Google cannot snoop it. My passwords are available anywhere I want.

      5 users thanked author for this post.
      • #1926161 Reply

        cyberSAR
        AskWoody Plus

        Couldn’t live without KeePass. My eyes are getting old and I would have trouble looking at a printed sheet with my hundreds of passwords – many of which are 30+ characters. Many years ago I used the formula approach but realized if someone got hold of a couple they’d be able to figure out all of them.

      • #1926166 Reply

        OscarCP
        AskWoody Plus

        zero2dash: Who is OP? Is it me, and you missed the “C”? If it is me, would you please be kind enough to explain which arguments are factually incorrect? You are explaining why you like a particular product, not explaining your dismissal of those arguments. Assuming, of course, that you are replying to my comments.

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

      • #1944755 Reply

        rc primak
        AskWoody_MVP

        Please keep track of the differences between Keepass (which only works on Windows and a few other OSes) and KeepassX (which is truly cross-platform and available as a portable version). Both have portable databases which are encrypted and suitable for Cloud Storage and syncing among different devices. Keepass has been ported to Ubuntu and Mint Linux, but not to some other Linux distros. Keepass has some features not supported in KeepassX.

        https://superuser.com/questions/878902/whats-the-difference-between-keepass-and-keepassx


        -- rc primak

        • #1944773 Reply

          rc primak
          AskWoody_MVP

          And also note that KeepassXC is itself a fork of KeepassX. This all gets a bit confusing, but the differences are significant. The fork was developed because development of KeepassX seems to have stagnated, resulting in some missing features. Personally, I’d use the fork if for no other reason, security improvements may have taken place while KeepassX development has been dormant.

          -- rc primak

    • #1926821 Reply

      SteveTree
      AskWoody Lounger

      We all have different needs so, no argument for or against different systems, just questions.

      I used a formula approach many years ago at work for network logon and for restricted databases accessed. After an initial period, requirements changed and we were forced to update passwords monthly. I kept it working by inserting numbers in strategic positions that matched the month and an abbreviation of the month. Simplified example 01JanPassword; 02FebPassword (substitute ‘Password’ with complex password). Other rules changed. I updated my formula. Eventually we shifted to a one-password system and once logged on, the password in the environment set permissions for levels of access into different systems, other than when accessing external organisation databases. From that experience as security requirements evolved:

      1. Security experts (rules me out) advise frequent change of password. Where do you go after BabeRuthjungle?
        You could use BabeRuthjungle1, BabeRuthjungle2, BabeRuthjungle3 etc but it is lazy and inadequate to meet the purpose the change is forced.
        Assuming you do solve that problem, how do you make that formula work with 100 websites? Change them all on the same day? Write a checklist and update next time you log on?
      2. Some sites have different rules. The website I just signed up with this morning wants something 8-15 characters long with 2 numbers (no other rules). Others set different rules. My standard random password generated by a password manager is 24 characters long, containing a mix of letters, upper case, lower case and mixed characters so is virtually uncrackable. The manager allows me to temporarily change rules to generate a password for sites that have different requirements. Back to the point, what if you come across a website that sets a rule that does not fit your current formula approach?
        Again, assuming you solve the problem, how do you make it work with 100 other websites?

      Group A (but Telemetry disabled Tasks and Registry)
      Win 7 64 Pro desktop
      Win 10 32 Home portable

      1 user thanked author for this post.
    • #1926959 Reply

      bbearren
      AskWoody MVP

      My password manager is a password-protected Excel spreadsheet.  A dictionary attack is useless on any of my passwords, as they are all combinations of upper and lower case letters, numbers, special characters, and no recognizable words.

      It has been my experience that password fields that won’t allow right-click/paste seem to not understand Ctrl + V.  Whenever I register at a new site, I create the password in my spreadsheet first, then paste it into the password field for the site; that way, I don’t forget to store it.

      I let Firefox remember many of my passwords, such as for this site, which simplifies things a great deal.

      Create a fresh drive image before making system changes, in case you need to start over!
      "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Jack Sparrow
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      1 user thanked author for this post.
      • #1928994 Reply

        wavy
        AskWoody Plus

        Same here!
        Though I promise myself I will start using KeePass, the Excel spreadsheet has worked for 20 some years. I use GRC.com to generate a good password which usually needs to be truncated and is often chopped up and rearranged for kicks and giggles…

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
    • #1927149 Reply

      Paul T
      AskWoody MVP

      It has been my experience that password fields that won’t allow right-click/paste seem to not understand Ctrl + V.

      KeePass gets around that by “Auto-Typing” the characters for you – like using a very fast keyboard.
      Other managers inject the password directly into the field.

      cheers, Paul

    • #1927394 Reply

      Ascaris
      AskWoody_MVP

      Security experts (rules me out) advise frequent change of password. Where do you go after BabeRuthjungle?

      That’s changing.  It turns out that forcing password changes just leads to people using simpler passwords with the least amount of change that the policy permits, increasing the use of bad passwords like “qwerty” or “1234” or whatever they can get it to accept, often appending or incrementing a number at the end, as you indicate.  Now a lot of the supposed experts are coming around to the idea that a password should be changed when there is reasonable suspicion of it being compromised, but not based on the passage of a unit of time.

      That, of course, means nothing if the site or organization in question insists on password changes anyway.  These policies have the least impact on users of password managers… any password is as good as any other, so go ahead, generate a new one, it makes no difference.  The only real annoyance about this for me is that I have to manually sync the password on my other PCs, since I’ve chosen not to use any sync features or service, but it doesn’t happen so often that the convenience of auto sync would outweigh the niggling worry that having my password database somewhere “out there” will lead to disaster, even with assurances that it is encrypted before transit.


      Group "L" (KDE Neon User Edition 5.17.2).

      1 user thanked author for this post.
      • #1929004 Reply

        wavy
        AskWoody Plus

        I had a nice long secure p/w memorized for a .gov I worked at. They made mandatory periodic changes to one's password. I added a 1 or 2 to the end of a much shorter p/w for years after that b/s.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
    • #1927395 Reply

      Paul T
      AskWoody MVP

      Security experts (rules me out) advise frequent change of password

      Not anymore. See the NIST guidelines.
      https://www.enzoic.com/surprising-new-password-guidelines-nist/

      cheers, Paul

    • #1927930 Reply

      bbearren
      AskWoody MVP

      KeePass gets around that by “Auto-Typing” the characters for you – like using a very fast keyboard. Other managers inject the password directly into the field.

      Perhaps I didn’t make that very clear.  In my experience, when a password field rejects a right-click/paste, I just use Ctrl + V (my password is already copied to the clipboard) and my password gets pasted into the field and I’m logged in.

      Create a fresh drive image before making system changes, in case you need to start over!
      "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Jack Sparrow
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      1 user thanked author for this post.
      • #1929009 Reply

        wavy
        AskWoody Plus

        and if you use Palemoon the Toolbar Buttons addon lets you add a button that pastes when Ctrl V does NOT work 😎

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        2 users thanked author for this post.
        • #1944768 Reply

          rc primak
          AskWoody_MVP

          I’ve had very few experiences with web sites which reject right-click paste but also reject a keyboard ctrl-v. Still, this is good to know about. Maybe a similar extension exists for other browsers. I haven’t tried the available extensions for Chrome, and one of them has an unprintable (against the rules of this site) word in its title.

          -- rc primak

          • This reply was modified 2 months ago by  rc primak.
    • #1929178 Reply

      OscarCP
      AskWoody Plus

      Paul T ( #1927395 ) has made a very interesting comment here, including a link to an article (in the site of a company called “Enzoic”) about a new set of proposed password-management guidelines coming from the National Institute of Standards (NIST), that this is required to provide, whenever opportune, as advice to the government to be implemented across all government agencies, once approved. A proposal that, as the article explains, could turn upside-down existing best practices (and, in my opinion, even that is an understatement!)

      I copy a relevant excerpt from the article here:

      “NIST 800-63-3: Digital Identity Guidelines has made some long overdue changes when it comes to recommendations for user password management.

      The new framework recommends, among other things:

      • Remove periodic password change requirements
        This is one that legions of corporate employees forced to create a new password every month will surely be happy about. There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, but the industry has doggedly held on to the practice. Hopefully, these new recommendations will change that.
      • Drop the algorithmic complexity song and dance
        No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords.
      • Require screening of new passwords against lists of commonly used or compromised passwords
        This is one near and dear to our hearts here at Enzoic. One of the best ways to ratchet up the strength of your users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords.

      But these items listed in the article are not all the changes most users would probably welcome (once the reasons for them are sufficiently explained and understood). For example, there is the proposal to allow people to see the actual characters they are entering in the password field and not just asterisks.

      The full NIST proposal can be read here:

      https://pages.nist.gov/800-63-3/sp800-63b.html

      The relevant section is this:
      5.1.1.2 Memorized Secret Verifiers

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx
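      As an added illustration of the three NIST recommendations quoted above (this is my own example code, not Enzoic's or NIST's), here is a small Python verifier that screens a candidate memorized secret the way SP 800-63B section 5.1.1.2 describes: a minimum length, a generous maximum, a block list of common or breached passwords, context-specific words, and repetitive or sequential characters, with no composition rules and no expiry. The block list is constructed inline and is tiny by design; a real deployment compares against a corpus of millions of breached passwords.

```python
import unicodedata

# Constructed block list standing in for a real corpus of common and breached
# passwords (a production list holds millions of entries). "abc123" and
# "qwopzxnm" are the two real-world examples other posters quote in this thread.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "abc123", "qwopzxnm"}


def _has_run(s, min_len=4):
    """True if s contains min_len or more identical characters in a row, or an
    ascending run of consecutive code points (NIST's 'aaaaaa' / '1234abcd')."""
    same = seq = 1
    for prev, cur in zip(s, s[1:]):
        same = same + 1 if cur == prev else 1
        seq = seq + 1 if ord(cur) == ord(prev) + 1 else 1
        if same >= min_len or seq >= min_len:
            return True
    return False


def check_memorized_secret(candidate, blocklist=BLOCKLIST, context_words=(),
                           min_len=8, max_len=64):
    """Screen a candidate password the way SP 800-63B 5.1.1.2 describes.

    Returns (accepted, reason). Note what is deliberately absent: no required
    mix of upper/lower/digit/symbol, and no expiry date.
    """
    # Normalize so visually identical Unicode spellings are treated the same.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:           # verifiers should accept at least 64 chars
        return False, "too long"
    low = pw.lower()
    if low in blocklist:
        return False, "in block list"
    for word in context_words:      # service name, user name, etc.
        if word and word.lower() in low:
            return False, "contains context-specific word"
    if _has_run(low):
        return False, "repetitive or sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["qwopzxnm", "1234abcd", "AskWoody2019", "correct horse battery staple"]:
        print(pw, "->", check_memorized_secret(pw, context_words=("askwoody",)))
```

      The weak point of this toy is the seven-entry block list: a string such as "Password1!" sails through it, while any real breach corpus contains it. The list is where the strength of the screening lives, which is why the Enzoic excerpt calls it out as the most effective of the three changes.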

    • #1929188 Reply

      geekdom
      AskWoody Plus

      From the local archives:

      Worst Passwords Ever

      Group G{ot backup} TestBeta On hiatus.
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
      • #1929531 Reply

        SteveTree
        AskWoody Lounger

        From the local archives: Worst Passwords Ever

        My heroes. Hackers busy with low hanging fruit means less chance those of us who use complex passwords will become victims.

        The worst I saw bearing in mind the person’s job is close to a tie.

        One was a teacher who gave his password to students.  He tried to give it to me. Far from green around the gills, I refused. When something goes wrong they are quick to whistle and point, dragging you into things you could have avoided with a refusal.

        The other example was when I was in a role that managed a door security access system (as well as many other things). I configured access for about 600 staff, correctly allocating each to the work areas required to complete their tasks (bulk database work, not manual. Staff below me edited manually. After initial bulk configuration, my role was audit). Our Regional Security Advisor turned up one day. This was the man regionally responsible for spreading the message about system security, including developing strong passwords and not sharing them. His role trumped mine so he was granted full administrator access. I left him alone with the system. MISTAKE! Among the changes that had staff screaming about non-access, he dropped my access to non-administrator. I phoned. He refused to come back. He gave me his password, which I still remember almost 20 years later: QWOPZXNM.

        Group A (but Telemetry disabled Tasks and Registry)
        Win 7 64 Pro desktop
        Win 10 32 Home portable

        2 users thanked author for this post.
        • #1930754 Reply

          geekdom
          AskWoody Plus

          Corporate politics trumps good sense. If top brass doesn’t endorse safe computer practice, neither will lower echelon staff.

          Group G{ot backup} TestBeta On hiatus.
          Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
          • #1931342 Reply

            SteveTree
            AskWoody Lounger

            Perhaps I’ve seen too much of the dark side of humanity but IMO endorsing is not enough. ABC123 written on a PostIt stuck on a monitor may seem to have little value but if that’s what a user chooses to do, that is the key to the safe. Overall security is only as strong as the weakest point.

            Group A (but Telemetry disabled Tasks and Registry)
            Win 7 64 Pro desktop
            Win 10 32 Home portable

            • #1931415 Reply

              geekdom
              AskWoody Plus

              Establishing policies and procedures is necessary and must come from top brass and have some teeth. If top brass does not endorse a “safe computer makes a safe company” there is no chance of enforcing a safe policy. There are several facets to enabling slack behavior.

              As a technical person, you may advise safe practice to personnel, but unless top brass endorses and enforces safe practice, you will be told by Postit ABC 123 that any safety practices are unnecessary.

              Under the scenario I have described, top brass will emerge unscathed; Postit ABC 123 will emerge unscathed; the company, however, will be at risk; and technical staff will clean up the ensuing mess.

              Group G{ot backup} TestBeta On hiatus.
              Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
              1 user thanked author for this post.
    • #1929560 Reply

      Lugh
      AskWoody_MVP

      3 ways to keep track of hundreds of unique passwords:
      1. write them down on paper
      2. use password manager software
      3. use a formula to generate easy to remember passwords

      1. That isn’t remotely practical for hundreds. You can’t sort on paper.
      3. That isn’t remotely practical for hundreds. The formula is of course, but the itsy bitsies added to both ends—absolutely no way the average user will remember them.

      writing down passwords on paper, at least that avoids re-using a password

      How? You can’t sort on paper. Nobody is going to write down their new password and then carefully scan thru hundreds of others in multiple pages of this notebook they have to carry everywhere, which of course everyone quickly figures out is their password notebook.

      I use an input manager [Roboform] because I often need to input far more than login info on websites, and I have a keyboard shortcut to add some gibberish after the auto-password. The prime consideration of this method is it’s convenient, and therefore not subject to the usage degradation over time which most techie ‘solutions’ have suffered.

      The gibberish is merely a minor extra layer, since it’s also convenient. As such, it—or a password manager alone—is a better recommendation for the general public than other totally impractical ‘solutions’.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

      • #1931036 Reply

        OscarCP
        AskWoody Plus

        Concerning the possible problem caused by the number of passwords, such as the 100s mentioned by Lugh: that is the situation for some users, not all. I went over my list of login entries and came up with their total number: 16. Going through that list is not a problem for me, and I suspect that my case might not be such a rare exception.

        This is not an objection to Lugh’s statement, because he must be referring to some cases he has come across in his own work, or that someone he knows has. In cases of numerous passwords (and user IDs) such as those Lugh has referred to, the “paper-and-pencil” approach, using an actual list written in pencil, on paper, is certainly impractical. What I would do in such a case is to create an ASCII file with three entries in each record: the user ID, the password and the name of their corresponding site, and afterwards, in order to use it, read this list with an editor that has a search feature, so one can search for the name of the site one wants to log in to. That will bring up the desired record with the necessary information right away. The file can be on some external storage medium, the easiest to use being a USB flash drive, a.k.a. a pen drive. It can be plugged into the computer and the list copied to it, before deleting it permanently (bleaching it, if this is thought to be necessary) from the computer HD or SSD. For future use, the USB drive can be plugged into the computer, the file with the list opened and the needed password searched for as described; once this password is found, it can be copied from the document on the drive and pasted on the login page of a Web site, or in any other place requiring it. The file with the list will never be stored on the PC itself because, once created, it is copied to the USB drive and then permanently deleted from the PC. Further additions and modifications can be made to the USB drive copy for future use. This approach, in fact, can be used with any list, whether long or short.

        Of course, this suggestion, meant to simplify work, may be vulnerable to some kind of attack. Still, I think it is quite safe.

        As I see it, the practical objective is not to be totally safe, but quite safe. Quite safe is good enough, at least for me.

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        • #1944775 Reply

          rc primak
          AskWoody_MVP

          SSDs cannot be “bleached” selectively. (This is because of wear-leveling.)

          -- rc primak

    • #1929583 Reply

      SteveTree
      AskWoody Lounger

      Paul T ( #1927395 ) has made a very interesting comment here, including a link to an article (in the site of a company called “Enzoic”) about a new set of proposed password-management guidelines coming from the National Institute of Standards (NIST), that this is required to provide, whenever opportune, as advice to the government to be implemented across all government agencies, once approved. A proposal that, as the article explains, could turn upside-down existing best practices (and, in my opinion, even that is an understatement!)

      Agreed. I read that as applying  in government and large organisations (often closed systems) where many people are less than cautious with passwords and take the laziest method possible to comply with rules. They write passwords on desk blotters, sticky notes, deliberately share them… all sorts of bad practices. Forcing password changes and rules probably does increase the incidence of sloppy habits.

      People accessing public networks are more likely to be exposed to hacking activity (in my case, logon details nabbed twice but not cracked).

      Complex passwords and regular password changes increase security. In a high risk environment it makes sense to beef up personal security no matter what government guidelines recommend.

      Group A (but Telemetry disabled Tasks and Registry)
      Win 7 64 Pro desktop
      Win 10 32 Home portable

      1 user thanked author for this post.
    • #1930119 Reply

      Lawrence Patterson
      AskWoody Plus

      To add my two cents and a couple of decades supporting users, about a year ago I created the concept of @passwordphrasing / “Six Easy Steps to Password Phrasing” in trying to get the non-technical among us to change our mindset on passwords.

      Has the evangelism been totally successful, no, as many individuals are set in their ways, regardless if they’re using totally insecure concepts and they agree with you.  And is it the perfect solution, again no, though it helps avoid being the low hanging fruit that many baddies are looking for.

      And let’s not kid ourselves, having the most complex password in place doesn’t fully protect you if your hash is copied and the baddies have the will and computing power to break it.  Underlying the reason not to use the same password on different accounts.

      Due to my professional supporting requirements, I’m using Keeper Security password manager as it provides a number of my users the ease they’re looking for and the ability to administrate using a guiding hand (allowing protection and choice at the same time).

      Take care,

      IT Manager Geek

    • #1930791 Reply

      anonymous

      Has anyone mentioned SQRL, aka “Squirrel” From Steve Gibson?

      Secure Quick Reliable Login
      https://www.grc.com/sqrl/sqrl.htm

      2 users thanked author for this post.
      • #1933031 Reply

        wavy
        AskWoody Plus

        nice but IIRC each web site must implement a SQRL server function.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        1 user thanked author for this post.
      • #1944763 Reply

        rc primak
        AskWoody_MVP

        So what happens when hackers impersonate or infiltrate the app?

        -- rc primak

    • #1932259 Reply

      anonymous

      Password – 12 factor verification.
      https://media.wired.com/photos/5d6993723447060009806c4c/master/w_1600%2Cc_limit/20190902-kurzweil-12factor.jpg

      Moderator note: Please include a description of contents related to posted links.

    • #1944608 Reply

      dsliesse
      AskWoody Lounger

      I use KeePass for the passwords that have to be really strange or that I use only once or twice a year (e.g., for the state insurance exchange).  Easy enough to copy and paste the passwords.

      An important point, though, is that I store them only on my desktop at the office.  The ones I use at home are based on an easy-to-remember formula that has many possible results, and I use the individual passwords often enough to know which one is for which site.

      My biggest problem with passwords is sites that don’t allow strong ones!  The Social Security Administration, for example, makes a big deal of creating a password and then tells you it must be exactly 8 characters, contain at least 1 letter and 1 numeral, and it’s case-insensitive!  Does anyone have an example of a less-secure set of password requirements?  Yeesh!

      1 user thanked author for this post.
      • #1944777 Reply

        rc primak
        AskWoody_MVP

        Well, for awhile, Social Security only allowed the use of passcodes sent to a smart phone. That’s worse.

        -- rc primak

    • #1944619 Reply

      dsliesse
      AskWoody Lounger

      I did forget to mention that good password managers also have the ability to generate passwords based on rules you provide (minimum/maximum length, required/acceptable characters, etc.).  If you happen to get one that doesn’t qualify, just generate another.

      1 user thanked author for this post.
    • #1944779 Reply

      rc primak
      AskWoody_MVP

      I agree that typing passwords through a single browser (especially if you aren’t clearing cookies and caches frequently) is putting all your security eggs in one basket, and a very leaky basket at that. But using a browser extension to store passwords is almost as bad.

      Ideally the password management software and its database will not reside inside the same device. That is, the (encrypted) database is on a remote secure server (with end-to-end encryption) or stored on a flash drive or SD Card.

      Portable password managers store both the software and the database on the same removable device, and may thus be less secure. (KeepassXC does not have to store the database with the program even when used as a portable app. This may not be a unique feature to this product.)

      -- rc primak

    • #1944784 Reply

      rc primak
      AskWoody_MVP

      To take things in a different direction, let’s consider the recommendations from most security pros. They are recommending doing away with typed passwords altogether. Precisely for many of the reasons people have posted in this thread. People make lousy password managers, and software is always prone to hacking. Biometrics are not ideal, and can be fooled, but this is the direction most researchers have been recommending for years now.

      Microsoft wants you to STOP using PASSWORDS (and here’s why you should listen to them)

      https://www.express.co.uk/life-style/science-technology/793816/Microsoft-Update-Password-Forgot

      Why Passwords Might (Finally) Go Away

      https://www.pcmag.com/commentary/364693/why-passwords-might-finally-go-away

      -- rc primak

      1 user thanked author for this post.
    • #1944787 Reply

      WillFastie
      AskWoody Plus

      Credentials are inconvenient and thus the primary attraction of password managers is to reduce that inconvenience. Therein lies the trap.

      I have used the password manager SplashID for nearly 20 years. It was developed for Palm devices and came with a Windows app that allowed syncing of the database between a Windows PC and the Palm device. As Palm faded, apps for iOS, Android, Windows phones, and Mac evolved. SplashData also evolved to provide a browser-based solution à la LastPass and Dashlane. (This is wide support although not universal.)

      I do not use the Web solutions. To this day, I manually sync between my primary desktop and my phone. The database never hits the Web. When away from my primary PC, I use my phone to look up credentials and type them in on a foreign system. (My use of foreign systems is rare and I never use them to access my financial accounts.)

      This is in no way convenient.

      I do consider it very safe; the database has never been breached or compromised and it does not live anywhere on the Web.

      As for passwords, I do use a formula but it is not one that can be guessed. Because I may have to enter credentials manually, I wanted passwords that were easy to type; random strings are tedious and prone to error. For convenience (I know), I adopted pairs of English words with punctuation and digits, such as Granitic-Woolskin-60, a design that satisfies the requirements for almost all systems. But while this password system is based on a formula, no part of the password reveals the formula.

      For more examples, see https://www.fastie.com/help/passwords.php.

      Web-based password managers are convenient. Inconvenience keeps the boogeyman away.

      Steve Gibson is definitely the man.

      1 user thanked author for this post.
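      As an added example of the word-pair scheme described in the post above (my own code, not WillFastie's, and not taken from fastie.com), the Python block below generates Adjective-Noun-NN passwords such as Granitic-Woolskin-60 from word lists using the OS random source, checks that a string has that shape, and computes the scheme's guessing entropy. The word lists are constructed and deliberately tiny (16 words each) so the block runs offline; the entropy function makes the consequence of that visible. The entropy figure assumes, as a defender should, that the attacker knows the pattern and the lists, so only the random choices count.

```python
import math
import re
import secrets

# Constructed word lists (16 entries each) so the block runs offline; they are
# far too small for real use, which is exactly what entropy_bits() shows.
ADJECTIVES = ["Granitic", "Amber", "Brisk", "Copper", "Dusty", "Elastic",
              "Frosty", "Golden", "Hollow", "Ivory", "Jagged", "Keen",
              "Lunar", "Mossy", "Noble", "Oaken"]
NOUNS = ["Woolskin", "Anvil", "Beacon", "Candle", "Dynamo", "Ember",
         "Falcon", "Garnet", "Harbor", "Ingot", "Jetty", "Kettle",
         "Lantern", "Marble", "Needle", "Orchard"]
SCHEME = re.compile(r"^[A-Z][a-z]+-[A-Z][a-z]+-\d{2}$")


def generate(adjectives=ADJECTIVES, nouns=NOUNS):
    """Pick Adjective-Noun-NN uniformly at random, using the OS CSPRNG."""
    return "{}-{}-{:02d}".format(secrets.choice(adjectives),
                                  secrets.choice(nouns),
                                  secrets.randbelow(100))


def matches_scheme(password):
    """True if password has the Word-Word-NN shape the post describes."""
    return SCHEME.match(password) is not None


def entropy_bits(n_adjectives, n_nouns, n_suffixes=100):
    """Guessing entropy of the scheme when the attacker knows the pattern and
    the word lists (the safe assumption), so only the random choices count."""
    return math.log2(n_adjectives) + math.log2(n_nouns) + math.log2(n_suffixes)


if __name__ == "__main__":
    print(generate())
    print(round(entropy_bits(len(ADJECTIVES), len(NOUNS)), 1), "bits with 16-word lists")
    print(round(entropy_bits(7776, 7776), 1), "bits with two 7776-word (Diceware-sized) lists")
```

      With the 16-word lists above the result is under 15 bits, which an offline guessing attack against a leaked hash exhausts instantly; with two lists of 7776 words (the size of a Diceware list) the same shape gives about 32.5 bits, and a third word adds another 12.9. The shape being easy to type, which is the post's reason for choosing it, costs nothing as long as the words are chosen at random from large lists rather than by hand.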
      • #1945276 Reply

        Michael432
        AskWoody_MVP

        Well thought out scheme. I agree that inconvenience is absolutely needed for security.

        Get up to speed on router security at RouterSecurity.org

    • #1944809 Reply

      agoldhammer
      AskWoody Plus

      I have been using the Win version of Password Safe for a lot of years. It’s a stand-alone program and not integrated into a web browser, which is a feature I prefer. I only have to remember the master password to open it. It has also been ported to Android OS so my database of passwords can be used on my phone and tablet (though the databases have to be manually transferred). My password database is automatically backed up daily to my Amazon cloud account so there are redundant copies in case one piece of equipment fails.

      There are lots of ways to configure the password generator depending on the web site’s policies regarding letters, numbers and special characters.

    • #1944835 Reply

      MWmC
      AskWoody Plus

      I use 1Password. I agree that formulas are essential for those passwords that cannot be used with 1Password — such as the password for 1Password itself, or for my Chromebook. In those cases, i do indeed use a formula to generate a long password.

      I agree that web extensions are to be avoided, but the time wasted with forgotten passwords or trying to remember how a formula had to be modified for a site that didn’t allow certain characters, isn’t worth it. Password managers, in my opinion, are absolutely the way to go.

    • #1944897 Reply

      grandma78633
      AskWoody Plus

      I am an old “fuddy duddy” and do not trust my passwords to “password managers” – – they HAVE been hacked.  And paper tends to fall into a black hole in my office.

      I have used an encrypted file program (Secret! by Linkesoft) for over 20 years that resides on my computer and on my smart phone and I sync them weekly.  Sync feature is not automatic, but works well.  This also means I only have to give my children (estate executor) ONE password for them to have access to all of my online accounts.  And at my age, that is a comfort.

      1 user thanked author for this post.
    • #1944898 Reply

      Slowpoke47
      AskWoody Plus

      Greetings from the Stone Age.  I keep passwords on 3×5 index cards in an old-fashioned alphabetically indexed steel card file, which allows room for other login info for a given site- i.e., answers to secondary questions such as favorite ice cream flavor and suchlike.  New cards easily added.

      Said card file lives in the safe along with other valuables.

      Windows 7 HP and Linux Mint Mate 19.2

      1 user thanked author for this post.
      • #1945271 Reply

        Michael432
        AskWoody_MVP

        This approach makes sense for many people. Certainly way better than re-using passwords. I would suggest however, that you make xerox copies of the index cards every now and then. At least the most important ones. And keep the copy in a different location, if possible.

        Get up to speed on router security at RouterSecurity.org

    • #1944895 Reply

      anonymous

      How to Safely Write Down a Password

      As we all know, passwords (PWs) must never be written down and they must never be a word, something related to you, or a set of adjacent keys on the keyboard. Hackers can break word based PWs in a few seconds with easy to get hacker programs. Since accounts on different systems and web pages should have different PWs, we are tempted to write them down. The bulk of the calls to a Help Desk are to recover forgotten PWs. We need a safe way to write them down so we don’t have to worry about forgetting them and someone else can’t get them if they get a copy of our list. Don’t do what a person did at an AF base in Denver. She had a cloth cover for her monitor and embroidered her PW on the cover!!!!

      PWs need to be long. There are several ways to make a good PW that will be easy to remember. For example, use a math or science thing like A**2+B**2is=C**2, Fis=M*(dv/dt) or 3.1415is~~PI or a friend’s (not yours) car license plate with symbols like (14943JY). Another approach is to build an acronym like “Four score and seven years ago, our fathers” = 4Sa7Ya,of. However, don’t use a common phrase like this one.

      Here is a way to safely write down PWs. First, select a word or phrase with at least as many different letters as your longest password. It should not have any association with you or the system. It is never written down nor told to anyone. Don’t forget it!

      For this example, “washingtondc”. Next, type the following. Identify each system with a unique name. It would be a good idea for the name not to be related to the actual system’s name.

             a b c d e f g h i j k l m n o p q r s t u v w x y z
      First
      PAL
             a b c d e f g h i j k l m n o p q r s t u v w x y z

      Type random letters, numbers, and special characters in all the spaces under the alphabet. The characters should have the following characteristics:

      1. Some of the letters should be the same as the alphabet letter they are under as eventually, you will get a password where this correspondence occurs.
      2. Use a few capital letters as good PWs must use capital letters.
      3. If the password must be all numbers, then use only numbers for the fill characters.
      4. When you change the password, be sure to change all the fill characters.
      5. Avoid using any keyboard sequences such as 23456, asdfg, or words.

             a b c d e f g h i j k l m n o p q r s t u v w x y z
      First  d h 3 g i 5 m $ 3 j L v m [ / & 2 k y T b 4 @ 9 * w
      PAL    7 0 q H 6 M g % b t i l [ 2 3 4 z e X w i v * c S n
             a b c d e f g h i j k l m n o p q r s t u v w x y z

      Replace (overstrike) each letter of the password underneath the corresponding letter of the key word. If your key word has a repeated letter, just skip the second occurrence of the letter. If helpful, you can put the number of characters the PW has after the system’s name or a particular special character for the next letter in the sequence if you are sure the PW will not have that special character. For some additional protection, the second PW on the list can start with the second letter in the key and go back to the first letter if necessary, the third PW with the third letter, etc. Also, for a really long PW where the key word does not have enough different letters, you could put the last letters next to the site name or make a second line with only the last letters.

      For example: Let the key word be californiausa. First is F=M*dv/dt and PAL is ds3S+. For First, type “F” under “w”, “=” under “a”, and “M“ under “s”, etc.

               a b c d e f g h i j k l m n o p q r s t u v w x y z
      First 9  = v F ) i d v E * j L M + d v & 2 / M / t 4 F 9 * w
      PAL-5    s ( d H 6 + g # S t i 3 [ S 7 4 z d 3 w i v d c S N
               a b c d e f g h i j k l m n o p q r s t u v w x y z
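      To make the sheet scheme in the post above concrete, here is an added Python encoder and decoder for it (my own code, not the poster's). It follows the post's conventions: the columns are a to z, a repeated letter in the key word is skipped, the other columns are filled with random characters, and an optional offset starts a later entry at a later key letter. The function names, the filler alphabet and the offset parameter are my own; the two worked rows used to check the decoder are the ones the post itself gives for the key word californiausa.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase                       # the 26 column headings
DEFAULT_FILL = string.ascii_letters + string.digits + "!@#$%&*()[]/+=-"


def key_columns(key_word):
    """Columns the key word selects: one per distinct letter, first occurrence wins."""
    cols = []
    for ch in key_word.lower():
        if ch in ALPHABET and ch not in cols:
            cols.append(ch)
    return cols


def encode_row(key_word, password, offset=0, fill_alphabet=DEFAULT_FILL, rng=secrets):
    """Return a 26-character row: random filler everywhere, with the password's
    characters written under the key word's letters in order.

    offset=1 starts the password under the key's second letter and wraps round,
    the 'additional protection' the post describes. Pass fill_alphabet=string.digits
    for a PIN that must be all numbers. rng only needs a .choice() method.
    """
    cols = key_columns(key_word)
    if len(password) > len(cols):
        raise ValueError("key word has fewer distinct letters than the password has characters")
    row = [rng.choice(fill_alphabet) for _ in ALPHABET]
    for i, ch in enumerate(password):
        col = cols[(offset + i) % len(cols)]
        row[ALPHABET.index(col)] = ch
    return "".join(row)


def decode_row(key_word, row, length, offset=0):
    """Read a password of the given length back out of a row."""
    if len(row) != len(ALPHABET):
        raise ValueError("a row must have exactly 26 characters")
    cols = key_columns(key_word)
    return "".join(row[ALPHABET.index(cols[(offset + i) % len(cols)])]
                   for i in range(length))


def render_sheet(rows):
    """Lay out {label: row} as the post's table, alphabet on top and bottom."""
    width = max(len(label) for label in rows) + 2
    header = " " * width + " ".join(ALPHABET)
    body = [label.ljust(width) + " ".join(row) for label, row in rows.items()]
    return "\n".join([header, *body, header])


if __name__ == "__main__":
    key = "californiausa"
    sheet = {"First 9": encode_row(key, "F=M*dv/dt"), "PAL-5": encode_row(key, "ds3S+")}
    print(render_sheet(sheet))
    print(decode_row(key, sheet["First 9"], 9), decode_row(key, sheet["PAL-5"], 5))
```

      Two properties are worth noticing. Because every row is read through the same key columns, anyone who learns one plaintext password and sees the sheet can work out which columns carry real characters and read every other row; the sheet is obfuscation, not encryption, and its entire strength is the secrecy of the unwritten key word. And the post's rule that some fillers should match the letter above them is just a reminder that the decoder cannot tell filler from payload, which is the property you want.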

      • #1945693 Reply

        wavy
        AskWoody Plus

        ? I just don’t get it. 🤔

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        1 user thanked author for this post.
    • #1944896 Reply

      kapnkirk
      AskWoody Plus

      I, also, have been using Password Safe for at least 10 years. It’s available free across Windows, Mac, Linux. On Mac it’s called PwSafe as I recall. You can set complexity rules for passwords for each entry. It provides you with a hierarchical folder structure to organize your passwords and a place to write notes for each entry. It’s super handy and I use it to store other sensitive information such as family members’ SS numbers, etc. I try to look at each site’s password rules and use the maximum length they allow.

      I also use LastPass for convenience but avoid putting really important passwords there. My “master” generator of passwords is always Password Safe.

      For websites that don’t allow you to paste passwords (as an idiotic “security” feature – NOT) in Firefox you can do this: about:config | set “dom.event.clipboardevents.enabled” to false and restart FF.

       

      3 users thanked author for this post.
    • #1944989 Reply

      George S. Augustas
      AskWoody Plus

      Hey, everyone. Since you are asking:
      As far as remembering passwords, this technique works for me.

      I keep all my passwords in a Word document. Each entry is in this format:

      Name of web site: Ask Woody (new line)
      URL: AskWoody.com (new line)
      User ID: user name or e-mail (new line)
      [Optional: e-mail address (new line)]
      Password: (password) (new line)
      Password Reset Date (new line)
      Any other comments {Enter} (End ¶)

      Save the document as Password.docx. The document is password protected. I only have to remember the password for the Password document. The passwords for each web site can be as unique or as long as I want them. New entries are added at the end of the document.

      When I go to a web site where I need to log in, I simply open the password document, search for the web site, highlight the password, and press CTRL-C. Then I jump back to the web site and paste it into the password field. (A few web sites don’t allow this, so I may have to remember it or jot it down temporarily.)

      If I want the passwords to use on another device, I just copy the entire document.

      I sometimes use a web site called Secure Password generator to generate long random passwords. If I don’t like a password it suggests, I can modify it a bit before I use it.

      I never forget a password, and it’s totally free.

      1 user thanked author for this post.
    • #1945026 Reply

      rpetruzz
      AskWoody Plus

      Rarely will I get involved in a discussion over “preferences”. In this case though I find myself puzzled and decided to contribute to this one. I think that the original poster’s premise on passwords as a formula borders on naive and is in my opinion adolescent in its approach. Something that a number of posters above have already articulated so I won’t belabor that.

      I was a software developer over 40 years on everything from IBM System 3, System 38, AS/400, Microsoft DOS, Microsoft Windows, IBM AIX and Linux using languages from RPG, Cobol, C, Visual Basic and ultimately coding for Oracle DB and Web systems in Javascript, HTML and Java.  Why bore you with this?  So you can understand that I’m pretty agnostic when it comes to systems and software.  My preference is always to use what works best for me in any given situation.

      In almost all the discussions that I read about password management and password managers the one solution I rarely see mentioned is the one I enjoy the most. It’s Dashlane. I suspect that is probably because the Dashlane Premium is very expensive. I’m paying $60 a year for it now. I’ve used this product for over 3 years now and my wife uses it too. For that money we get so much more than a simple password manager. First, it runs on every platform / OS that I use. I have a Windows 10 laptop and desktop, but I’m also very invested in the Apple iOS ecosystem. I have my iPhone and iPad as well as my Macbook Pro. The Macbook being my retirement hobby to learn the Swift language. Dashlane works extremely well across all of my devices. And my data synchronizes across all of my Dashlane installations which are on every platform I own.

      Everywhere I have Dashlane it applies passwords on almost every web page I go to (nothing is perfect). It even works on web pages in iOS on my iPhone and iPad. I have hundreds of passwords stored in Dashlane. I doubt that I know 90% of them. I almost exclusively let Dashlane’s password generator create a password for me and most times I never even see it. Dashlane is that reliable for me.

      Beyond password management, Dashlane allows me to selectively share passwords with my wife, who also has Dashlane Premium. And she shares certain ones with me. Securely sharing passwords is a real convenience for us.

      Also I have the ability to have my credit cards entered into Dashlane and it fills in my CC information for me when making purchases.  It will also do so for my name and address when making purchases online.

      It has a secure note capability that allows me to put sensitive information in a location where I can access it from my phone and iPad when not at my laptop or desktop.  This has proven to be a real benefit time and time again.

      And Dashlane Premium also provides me with a VPN on my iPhone and iPad when I’m forced to use public wifi locations.

      Yes it is expensive, but I’m willing to pay for all of the convenience that it provides me. Its cross-platform support makes it the most useful application.

      • #1945166

        Michael432
        AskWoody_MVP

        If you want convenience, fine. But convenience is the enemy of security. Always has been. Always will be.

        Every approach has its pros and cons. You make it sound like your approach is all upside which is never the case.

        I’ll see your 40 years as a computer techie, and raise you one 🙂

        Get up to speed on router security at RouterSecurity.org

        • #1945206

          rpetruzz
          AskWoody Plus

          Think just how boring life would be if there were only ONE way to do everything. For me I like convenience and as to risk… well there is risk with every security solution. I’m comfortable with the one I’ve chosen.


    • #1945163

      Mikey
      AskWoody Plus

      I guess I’m the other user of Roboform. Got a few problems, but it seems to satisfy most objections. I use long, complex passwords which work on most sites, but websites themselves seem to be hostile to automated password managers in many cases.

      1 user thanked author for this post.
    • #1945178

      JTinLV
      AskWoody Plus

      This pretty much follows my thinking after reading both the blog post from the OP and then this response. Some of the points in the blog have to do with having to be able to use something on essentially every OS out there, which most people do not do (although this community is likely the exception to that).
      I have been using LastPass for a number of years and found it to be simple and easy to use, so much so that I have installed the free version on the computers of a number of non-tech people I wind up “supporting”. They only need to remember the one master password (I usually ask them to give that to me as well, which I store in an encrypted file with a pseudonym for when they forget it). LastPass and other similar applications include the ability to fine tune the generated password to meet site requirements (number, letters, caps, special characters either used or not used) which, as noted, the “formula” does not support and therefore the user would have to remember the special case for some sites where they had to use a symbol or number in the formula and where they did not. And for a relatively small fee, which the programmers are certainly entitled to, I use it on my phone and a second computer (desk and laptop) and everything is synced.

      The listed “breaches” of LastPass are all older, have been resolved, and pretty much everything gets attacked these days, including government systems on a regular basis. If that were a criterion for not trusting anything, then you need to stick to driving to the bank and talking with a teller (ATMs can be hacked, you know) and only paying cash for everything. 🙂

    • #1945313

      GoneToPlaid
      AskWoody Plus

      I save all of my passwords in an encrypted text file which is not stored in a location which is indexed by the Windows Search function. Instead, the encrypted file is saved on a separate partition for which I have disallowed indexing by the Windows Search function. I never save any sensitive stuff in My Documents since this folder by default is indexed by Windows. In fact (at least in Win7), not indexing Users and everything under Users (includes My Documents), breaks the Windows Search function in some search scenarios. This seems to apply to all special folders such as My Documents.

      If you desire to further defeat malware from quickly finding a saved password file, even in non-indexed locations on your computer, you can use Shellbag Analyzer & Cleaner to blow out all folders on your computer which you have accessed. Moreover, Shellbags within the Windows Registry also record all other computers (and the computer name) which you access via your local network. Every folder or other computer, or every other folder on another networked computer, which you access does get stored under Shellbags within your computer’s Windows Registry. Shellbags within the Windows Registry are yet another area which malware may search. When using Shellbag Analyzer & Cleaner, do not ever blow out the default Control Panel Shellbags. Shellbag Analyzer & Cleaner does give you a warning about this. If Shellbag Analyzer & Cleaner gives you a warning that you need to reboot your computer before you make any changes in Windows Explorer, instead of rebooting you can simply log off and then log back into Windows. Get Shellbag Analyzer & Cleaner straight from the author from here:

      https://privazer.com/en/download-shellbag-analyzer-shellbag-cleaner.php

      If you want to further sanitize your computer, then you might consider using PrivaZer by the same author. Get PrivaZer straight from the author from here:

      https://privazer.com/en/download.php

      I have no affiliation with the author of the above software.

      I never use the words “password” or “login” within the text file or in the file name. I also never use “.com” or “.net” within the text file. The reason for saving the file to a non-indexed location is that most password-stealing malware will scan the Windows search index for files or file contents which contain “password” or “login” or “.COM” or “.NET”. Similarly, I avoid using the “@” character within the text file. My AV program is configured to block access to the partition if any new or unknown process tries to access the partition.

      I always use CCleaner to clear all browsing history after I have closed my web browser. This is a really good thing to do, since sometimes poorly coded JavaScript can keep the web browser running in the background even though the web browser appears to have been closed. This occurs once in a blue moon. Sometimes the issue is caused by a web browser extension or add-on which must be tracked down and removed.

      Some web sites set super cookies in IE which, even if you were using a different web browser, CCleaner will skip cleaning since CCleaner can’t handle the complex super cookie. In this scenario go to Control Panel >> Internet Options >> General and then delete all Browsing History. This issue can occur after visiting porn web sites.

      I never delete previously used passwords in my text file. This allows me to easily search and verify that I am not about to reuse a previously used password. I never save my login names (which usually is one of my alternate email addresses) or passwords for online banking, online purchasing, or bill and card payments in my web browsers.

      I periodically check my email addresses with HaveIBeenPwned to see if any of my email addresses are the subject of a recent data breach. If so, I generate a new alternate email address and then replace the breached email address and password with the new email address on all other web sites for which I used the breached email address. For the breached web site, I generate a different new email address and a new password. This different yet new email address will never be used for any other web site since I figure, “Hacked once, probably will get hacked again.” The thing about changing all other web sites to the new alternate email address is to make those web sites throw errors when hackers try to use the breached email address or the new email address for the hacked web site. If the old breached email address is no longer valid on all other web sites, then the hacker can’t even begin to try either my old breached password or derivatives of my breached password.

      All passwords contain random special characters. If a web site allows it, I make sure that passwords are at least 14 characters long.

      I hope that this post is helpful to everyone in terms of reducing their risks after a given web site is reported as breached, and in terms of things to do if you store your passwords anywhere on your computer.

    • #1945328

      aaron451
      AskWoody Plus

      A lot of comments about KeePass, but what about LastPass? No one like that?

    • #1945251

      djudice
      AskWoody Plus

      I use Dashlane and I love it. I wish I could impact the speed at which it auto-fills passwords sometimes, but other than that it has saved me many hours of work. It syncs passwords across all of my workstations as well as my iPhone, and across all 3 browsers that I use: Firefox, Chrome and IE11. I despise Edge and refuse to use it, but it might work with it too if I tried it.

    • #1945435

      Dan
      AskWoody Plus

      I have used RoboForm for years and have been satisfied with it. Realistically it is the best for me since I do have many accounts and a very poor memory. Lost computers and data many times but always been able to obtain passwords and relevant data. Just my 2 cents worth.

    • #1945449

      Sueska
      AskWoody Plus

      I use and like LastPass. In general, I avoid using password managers for storing passwords for more secure accounts such as banking, financial, email, PayPal, etc. I use an old-fashioned address book/phone book, 2-factor authentication, and cryptic password hints for my more secure accounts. On occasion, when somewhat uncertain about whether I really want to store a password with a password manager, I will edit the password to add or subtract some characters and leave myself a cryptic note in the LastPass note section. LastPass has a security checkup which looks for easy and duplicate passwords. If you need a copy of your LastPass accounts you can export your LastPass list (which includes passwords) and store a digital or paper copy in your safety deposit box. Delete this password list from the device immediately. These additional steps may be viewed by some as totally unnecessary, but in the end one has to use whatever methods make them feel safest.

      1 user thanked author for this post.
    • #1945603

      OscarCP
      AskWoody Plus

      There are some really good recommendations here. But I still think that for those of us that use computers at a fixed and reasonably safe location, such as at home or in the office of a small business, creating and keeping passwords in an encrypted text (ASCII) file on a USB flash drive or some other external storage device — but a small USB flash one is probably the easiest to use — is a simple and convenient solution. When one needs to enter a password online, plug in the USB drive, copy and paste the needed password from the drive to the password field on screen, and one is done. Of course: what happens when, now and then, one goes on a trip and needs to carry the computer along, if the USB drive is left behind or, even worse, disappears in transit or in a hotel…

      My best answer is to keep backups of the encrypted password file on some other device(s) at home or in the small business’ office (but what if the shop is burglarized?), and, as usual, hope you’ll be lucky. Because I believe that there is nothing safer than this, even if this is not perfectly safe. Sadly, nothing is perfect in our sublunary world; there is always some risk in everything we do and only varying degrees of safety.

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

      1 user thanked author for this post.
    • #1945713

      Steve S.
      AskWoody Plus

      We each have our preferred way. Mine has been KeePass for many years. Between my wife and me, we’re running it on Windows 7, Windows 10, Linux and Android. Why I like it:

      It does not store any passwords in the browser nor any browser extension – reducing the attack surface. I only have to remember one master password – which can be routinely changed in order to minimize risk. The password file is strongly encrypted. It can be set to lock its workspace after a predetermined number of seconds of inactivity.

      I can select a URL from within the database and KeePass will automatically start my default browser and open a tab at the sign-in page. A simple right-click on “auto-type” fills in the username and password and I’m signed in. It has a notes section in each entry that allows us to input phone numbers, security questions & answers, over-the-phone verbal “passwords” and any other info desired. It can create randomized passwords for new entries. It has good search capabilities. It can find weak, similar or duplicate passwords.

      We sync all our devices by storing the encrypted password file on Dropbox and setting all our devices to point to that online location. (If I update an entry, it will automatically be reflected on all devices.)

      I have installed an add-on for KeePass that will check all my passwords against the “Have I Been Pwned” data breach listing. Since I don’t want this to be done by online checking, I download the HIBP database as it is updated and have the extension do all password checking locally on my computer. Plus it has lots of other “geeky” capabilities… 😉

      It’s a good balance between security and convenience that works for us quite nicely. We have around 300 entries, by the way.

      “The only truly secure computer is the one that’s had the heavy sledge hammer treatment.”

      Win7 Pro x64 (Group B), Win10 Pro x64 1809, Linux Mint + a cat with 'tortitude'.

      1 user thanked author for this post.
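      Steve S.'s local HIBP check and GoneToPlaid's habit of keeping every retired password so that nothing gets reused both come down to one question asked before a new password goes into the vault: has it appeared in a breach, and have I used it before? The Python below is an added example written for this page; it is not code from the thread, from KeePass, or from the Have I Been Pwned project. It works on a constructed two-line sample in the Pwned Passwords download format (`SHA1HASH:COUNT`; the two digests are the real SHA-1 hashes of "password" and "123456", the counts are made up), indexes it by the same 5-character prefix that the online k-anonymity range API uses, and keeps retired passwords as PBKDF2 hashes under a per-vault salt rather than in plaintext, which is a design choice for the example and not what either poster described. The function names, the sample data, the salt and the 14-character minimum are all assumptions.

```python
"""Offline "is this password safe to use?" check.

Added example, not code from the forum thread, KeePass or HIBP. Two checks:
  1. the candidate against a local copy of the Pwned Passwords list
     (one "SHA1HASH:COUNT" line per password, as the download is formatted);
  2. the candidate against one's own retired passwords, stored as salted
     PBKDF2 hashes so the vault never holds old passwords in the clear.
Sample data, salt, names and the length policy are assumptions for the example.
"""
import hashlib
from typing import Dict, Set, Tuple

# Constructed sample in the download format. The digests are the real SHA-1
# hashes of "password" and "123456"; the counts are invented for the example.
SAMPLE_PWNED = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:37359195
"""

PREFIX_LEN = 5  # the k-anonymity API takes only the first 5 hex chars


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords list is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned(text: str) -> Dict[str, Dict[str, int]]:
    """Index the list as prefix -> {suffix: count}.

    Mirrors the range API: a lookup only ever needs the 5-char prefix to fetch
    its candidate suffixes, so the full hash never has to leave the machine.
    """
    index: Dict[str, Dict[str, int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than crash
        digest, count = line.split(":", 1)
        digest = digest.strip().upper()
        if len(digest) != 40:
            continue  # not a SHA-1 hex digest
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = int(count)
    return index


def range_lookup(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """All suffix:count pairs for one prefix, what an online range query returns."""
    return index.get(prefix.upper(), {})


def pwned_count(index: Dict[str, Dict[str, int]], password: str) -> int:
    """How many times the password appears in the breach list (0 = not seen)."""
    digest = sha1_hex(password)
    return range_lookup(index, digest[:PREFIX_LEN]).get(digest[PREFIX_LEN:], 0)


class RetiredPasswords:
    """Set of previously used passwords, kept only as salted PBKDF2 hashes.

    A fixed per-vault salt (assumption for the example) keeps the hash
    deterministic so membership can be tested; the iteration count makes
    brute-forcing a stolen retired list expensive.
    """

    def __init__(self, vault_salt: bytes, iterations: int = 100_000) -> None:
        self._salt = vault_salt
        self._iterations = iterations
        self._hashes: Set[bytes] = set()

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, self._iterations
        )

    def retire(self, password: str) -> None:
        self._hashes.add(self._hash(password))

    def was_used(self, password: str) -> bool:
        return self._hash(password) in self._hashes


def vet_password(
    candidate: str,
    index: Dict[str, Dict[str, int]],
    retired: RetiredPasswords,
    min_length: int = 14,
) -> Tuple[bool, str]:
    """Return (accepted, reason). Breach and reuse checks run before policy."""
    n = pwned_count(index, candidate)
    if n:
        return False, f"appears {n} times in the breach list"
    if retired.was_used(candidate):
        return False, "previously used"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if all(c.isalnum() for c in candidate):
        return False, "contains no special character"
    return True, "ok"


if __name__ == "__main__":
    index = load_pwned(SAMPLE_PWNED)
    retired = RetiredPasswords(b"example-vault-salt")
    retired.retire("correct horse battery staple")
    for cand in ("password", "correct horse battery staple", "Aiv7:kaepoo5Quu"):
        print(f"{cand!r}: {vet_password(cand, index, retired)}")
```

      The real download is far too large to hold in a dictionary; the same prefix index is what a plugin gets by binary-searching the sorted file on disk or by fetching one prefix's range at a time, and in the online variant only that 5-character prefix ever leaves the machine.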
    • #1945825

      wimdepuit
      AskWoody Plus

      Great subject!  I use a pw manager and love it, except when I hate it.  That’s life.  My daughter has a different approach: she just hits “Forgot Password”, gets a new one and she’s in.

      Discuss.

      1 user thanked author for this post.
    • #1947050

      alphacharlie
      AskWoody Plus

      A lot of comments about KeePass, but what about LastPass? No one like that?

      I have been very happy with LastPass for at least 5 years. My wife prefers a paper notebook.

      1 user thanked author for this post.
    • #1948118

      anonymous

      I’ve used RoboForm for many years and find it convenient. I am able to access it on iPhone and iPad when away from home.

    • #1957855

      baggins
      AskWoody Plus

      Soft formula has worked for me for years. At some point, a loved one may need access to your files/websites. You can share a file of your passwords with them if you are unable to provide the info they need. Gives you the flexibility necessary for different password protocols (characters are not universal). Passwords are a necessary pain and, at the end of the day, ultimately are effective only if everybody is honest.

    • #1976194

      Raymond41
      AskWoody Plus

      I have just read this debate with interest.

      Started using password managers with RoboForm (paid), but when they changed it and wanted more money I then tried, over the years, a number of different managers. Probably the best of the lot was LastPass, which I used for a number of years until it became a bit of a problem.

      I have a problem with buying software that is ‘Rental’, so am now using Bitwarden which I find is excellent.

      Ray

      1 user thanked author for this post.
