# Password Managers



## dfw_pilot

_I wrote this elsewhere but wanted to post it here at TLF. It dovetails with Ware's post about World Password Day._

*Password Managers*

I want to give a shout out to using a password manager. Ye olde days of using junk passwords like "qeadzcwrsfxv1331" and "dadof3g8kids" just aren't going to cut it in today's online world, especially now that hackers use computers that can brute force guesses at 8 billion guesses per second. (Those two passwords mentioned were cracked in a matter of minutes.)

*Strong Passwords*

A few years ago, I would have thought that dadof3g8kids would have been just fine. However, with today's cracking programs like Hashcat, the assault is on. Crackers today have lots of weapons, like dictionary lists, rainbow tables, and more importantly, millions of cracked passwords to make better guesses. People who use their own simple systems like a decent base password and then add something to the front, like adding amzn in front of [email protected] for their Amazon password are tempting fate. Worse, if Amazon sends out a notice that a password change is required, what will the new one be? "[email protected]"? Good luck trying to remember that.

On the front end, most web sites will only allow a few login attempts before a user is locked out. These programs that make billions of guesses per second are not working on the front end. They are attacking the password file that was stolen from a web site (like LinkedIn, Home Depot, Target, RockYou) and then bombard it with guesses. Ars Technica got a hold of a password file that had 16,000 passwords in it, and even though it was hashed with MD5, three experts were able to grab most of the passwords in less than a day. One was able to get 90% of them in less than 24 hours.

My unsolicited advice is to spend a few hours and get set up with a password manager, to take your passwords from "letmein3" to: "2PcaP[Hhxhy8f#wTYQkWRe43Gt8". With a password manager, you only have to remember your one, master password to open the system, and then it stores, saves, and automatically fills in your long, computer generated, RANDOM passwords into your browser when needed. I don't know my TLF, Gmail, Amazon, Apple, Chase, or Wells Fargo passwords (well, I could look them up in the program); I just know my master password.

*Defense*

Using a password manager will help defend against three big threats today. 1) Password Reuse across multiple sites, 2) Generating strong passwords, and 3) Keeping passwords safe and organized.

_Password reuse_ is probably the biggest problem people get into with passwords. They use a so-so password when they sign up for an account at CuteKittenVideos.com and then use the same password at Gmail or Amazon. The web admins at the kitten site don't take security too seriously and only hash (obscure) the passwords with something like MD5 or SHA1, which are outdated algorithms to keep passwords hidden from plain text. When that password file gets stolen, all the cracked passwords get added to the list of known passwords and hackers go to town on other sites using the same credentials. Do yourself a huge favor and never use the same password across any site. You are asking for trouble if you do. A password manager will help with this.

_Strong Passwords_ are hard to remember and even harder for humans to think of. We are creatures that are anything but random and do things like add capitalization to the first letter in a password and add numbers and symbols to the end of our passwords. Or, we add numbers to replace letters and use common words placed together in logical order (so we can remember it). We end up with junk passwords like "n3xtb1gth1ng" or "1368555av" that get cracked in a matter of minutes when data from a site is stolen. A password manager will prevent this, too. Generating a strong password is a breeze when using a manager.

_Safe and organized_, complicated passwords need to be handled with care. They need to be easily accessible, and synced across our devices. The more seamlessly they are integrated into our daily flow, the more likely they will be used. Strong passwords are useless if they aren't put to use because they are in a complicated system that doesn't work. Password managers will solve this.

*Recommendation*

I like and use 1Password but I know a lot of people like LastPass as well. Those would be my two recommendations as a place to start. Both work cross platform and cross device. Both also have options to access your data if you are away from your phone/computer and need to log into your bank, for example.

*Master Password*

The Achilles heel of a manager would be the master password you select to secure it. If you read nothing else, read THIS on how to make a secure password. I use Diceware because it's simple, random, easy to remember, and combines the ideas that link talks about. You roll a die five times and get a number, like 21114, which corresponds to a word on the Diceware list as: climb. Do that several times and you'll have four or five truly random words that can be separated by spaces that make a very secure password that is easy to remember. "climb hull fjord wailful harpoon". Understanding this stuff is more about math than intuition, and increased security comes from adding _entropy_ to your password, not more characters. Adding a fifth word to a four-word Diceware password adds much more entropy to a password than a few characters like %$#.

Today's encryption for protecting passwords in password managers is stunningly good, like AES 128 and AES 256. With a strong master password with AES 256 encryption and all of today's computing power combined, it would take around 6,000 times *the age of the Universe* to brute force into your manager. Software wise, you are safe. At this point, if a three letter government agency wants your data, a hammer to your family's heads is faster and easier, but the point is the encryption, for now, is good. For hackers, it's much easier to simply ask you for your password than try to brute force attack their way into your system. Don't fall for phishing scams or leave your password manager unlocked while away from your computer. Certainly don't click on links from your e-mail account; go to the source website and log in from there.

*MFA*

I want to put a word out on securing your e-mail, especially with MFA (Multi Factor Authentication). You can read here about Matt Honan's epic hack where he lost years worth of family pictures and lots of his digital life, all because he didn't use MFA (he was and is a password manager user). If you secure any password at all with a manager, please do yourself a huge favor and protect your e-mail password. I would argue that it's almost better to protect your (Gmail) account more than your bank account. Why? Because so many of your online accounts, banks or otherwise, use your e-mail in terrible password recovery methods. If you lose access to your e-mail via hacking, the attacker can reset almost anything else in your digital life, and then you are completely hosed. A strong password is a great step, but combined with MFA it's even better.

Gmail, and others, offer MFA where you need two things (the multi part) to log in: something you have, and something you know. The something you know is your password. The something you have would be a token with a code on it. This would be on your phone with the TOTP protocol, like Google Authenticator, or built into programs like 1Password, or a text message code. You are probably familiar with TOTP because that's what runs the six digit codes on the little tokens you get from a bank. With MFA enabled on your account, even if someone hacks your password, they don't have the "something you have": the TOTP code on your phone, or the text message that is sent to your phone. So, when logging in, you are asked for your password and your code and you are ahead of 90% of everyone else in securing your account. In the case of Gmail and probably others, it only asks for your code when you log in from an untrusted computer (you aren't in Romania today?) or every 30 days. The inconvenience factor is tiny, but the payoffs are huge. MFA truly works and is trusted by banks: think debit card plus PIN. The PIN is only 4 digits, but without both the card and the PIN, your money is safe. Here is a nice list of sites that use MFA to secure their access.

*Tip*

Finally, here is a (semi)pro tip on those stupid account security questions. Most of the answers to these questions about you can be found online. Your mother's maiden name, high school mascot, first child's name, etc. are terrible questions. With a password manager, the answers to all these questions for me are gibberish. We honeymooned in KDhRJWBbWmvGhoKiXhFY and my first car was an EoRBNemksMUZbckyxpyn. Password managers make this a snap and easily prevent someone from trying a reset based on simple information found on Google. Plus, it saves me trying to remember the inane answer of my favorite restaurant: was it Jimmy's, jimmies, Jimmy . . . crap, I'm locked out.

*Links*

For further reading, information, and education:

Passwords under assault

Crackers make minced meat out of your passwords

Password Managers
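The Diceware and entropy arithmetic from the post above, worked through in code. This is an added example, not code from the thread or from the Diceware project: the five sample words and the 8-billion-guesses-per-second rate come from the post, while the tiny word list, the `roll_to_index` and `years_to_brute_force` helpers, and the "1,000 common suffix patterns" figure are my own constructions for illustration.

```python
# Added example: Diceware passphrase construction and the entropy arithmetic
# behind "add a word, not a few symbols".  Not code from the thread or from
# the Diceware project.
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # five dice give 7,776 equally likely words
GUESSES_PER_SECOND = 8e9      # the "8 billion guesses per second" rate quoted in the post

# Constructed stand-in for the real 7,776-entry list: just the five words the
# post uses, keyed by a dice roll.  "21114" -> "climb" is the post's own
# example; the other four rolls are made up here.
SAMPLE_WORDS = {
    "21114": "climb", "34255": "hull", "25536": "fjord",
    "66114": "wailful", "32531": "harpoon",
}


def roll_to_index(roll: str) -> int:
    """Map a 5-digit dice roll (digits 1-6) to a list position 0..7775.
    A roll is a base-6 number whose digits are offset by one."""
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError("a Diceware roll is five digits in the range 1-6")
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index


def roll_five_dice() -> str:
    """Five dice from the OS CSPRNG, for when physical dice are not handy."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(word_list: dict, n_words: int) -> str:
    """Pick n_words uniformly and independently from word_list, joined by spaces."""
    rolls = list(word_list)
    return " ".join(word_list[secrets.choice(rolls)] for _ in range(n_words))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def habitual_suffix_bits(patterns_tried: int) -> float:
    """Upper bound on what a predictable suffix like '%$#' adds when it is one of
    `patterns_tried` suffixes that a cracking rule set simply enumerates."""
    return math.log2(patterns_tried)


def years_to_brute_force(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: half the keyspace at the given guess rate."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("roll:", roll_five_dice(), "passphrase:", diceware_passphrase(SAMPLE_WORDS, 5))
    for words in (4, 5):
        bits = entropy_bits(DICEWARE_LIST_SIZE, words)
        print(f"{words} words: {bits:.1f} bits, ~{years_to_brute_force(bits):.3g} years at 8e9 guesses/s")
    print(f"one extra word adds {math.log2(DICEWARE_LIST_SIZE):.1f} bits; a suffix drawn from "
          f"1,000 common patterns adds at most {habitual_suffix_bits(1000):.1f} bits")
```

Four words come out at about 51.7 bits and five at about 64.6; at the post's 8 billion guesses per second against a fast hash such as MD5 that is roughly 2.6 days versus about 56 years, which is the whole argument for the fifth word. A password manager's slow, salted key derivation cuts the attacker's guess rate by many orders of magnitude, so the numbers for a vault are far better than this raw arithmetic; the arithmetic is what applies when a site stores the password with a fast hash.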


----------



## pennstater2005

@dfw_pilot Which one would be easier to access when away from your computer or phone? I find that happens to me a fair amount.


----------



## dfw_pilot

1Password has a Dropbox option where you can login to your Dropbox account and access your passwords that way.

I think LastPass is web based, so it might be easier but @Ware could speak to that because he uses it.

Forgot to mention that 1Password also has a subscription plan that is accessible via the web. There are also other managers that are meant to go on a USB (or hack one yourself) that you could carry with you.


----------



## Ware

Yes, LastPass is web based. I have only used it on my own/work computers, but I'm pretty sure you could log into your "Vault" from any computer. On my computers I use their browser extensions that let you autofill the username/password fields...


----------



## pennstater2005

dfw_pilot said:


> 1Password has a Dropbox option where you can login to your Dropbox account and access your passwords that way.
> 
> I think LastPass is web based, so it might be easier but @Ware could speak to that because he uses it.
> 
> Forgot to mention that 1Password also has a subscription plan that is accessible via the web. There are also other managers that are meant to go on a USB (or hack one yourself) that you could carry with you.


I like the Dropbox option. I need to get into one of these password managers. I do use *similar* passwords for multiple websites which I shouldn't be doing. Safari has its own password manager that prompts me every once in a while to use it. I'm not sure how good it would be. And, again, if I was on anything but one of my connected Apple devices I wouldn't be able to login.


----------



## samjonester

I use lastpass. It's got mobile support, browser extensions, and a website that you can log in on any machine with. 1password is a very strong choice as well. Just pick one and use it. You can't go wrong.

Outside of storing passwords, password managers make it super easy to generate strong passwords. This is more important than storing them in a vault IMO.

Your bank account is only as secure as the random junk site where you used the same login credentials. NEVER use the same credentials for multiple sites, because it's a complete crapshoot that every site you visit securely stores your credentials.

I'm a software consultant, so I know just how terrible security can be when people are allowed to make decisions that let them "go faster".


----------



## pennstater2005

I need to do this. It seems a bit overwhelming. Honestly, I tried LastPass once and couldn't figure it out for mobile and ended up just losing the $12 a year or whatever it was.


----------



## Richard Slater

I personally use KeePass formatted databases and various clients for iPhone, Android, Windows and Mac.

My rationale for doing this, much like simple origami, is two-fold:

1) KeePass gives me access to brute force resilient memory-hard algorithms such as Argon2.
2) I have many clients, and thus an obligation to maintain a security boundary between clients.

I also heavily use my YubiKey for MFA as it allows the cryptographic material to be stored away from my phone, it's physically attached to my keys.
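What "memory-hard" buys you in the post above, shown in code. This is an added example, not code from the thread or from KeePass: the post names Argon2, which Python's standard library does not ship, so scrypt (also memory-hard, via `hashlib.scrypt`) stands in to show the same property. The salt, passphrase, key-check construction and cost parameters are assumptions made for the example.

```python
# Added example: deriving a vault key from a master passphrase with a memory-hard
# KDF (scrypt standing in for Argon2).  Not KeePass code and not from the thread.
import hashlib
import hmac
import os
from typing import Optional

# Illustrative cost assumption: n=2**14, r=8 makes each derivation touch about
# 128*r*n bytes = 16 MiB of RAM, so an attacker cannot run thousands of guesses
# in parallel on a GPU the way they can with MD5 or SHA-1.  Raise n for a real
# vault; the point is that every guess costs memory, not just CPU.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32                        # 256-bit key, e.g. for AES-256 over the vault body
CHECK_TAG = b"vault-key-check"      # constant whose HMAC lets us test a passphrase


def memory_cost_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Approximate RAM an attacker must spend per guess: 128 * r * n bytes."""
    return 128 * r * n


def derive_vault_key(passphrase: str, salt: bytes,
                     n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bytes:
    """Stretch the master passphrase into a fixed-size key.  Same inputs -> same key."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)


def create_vault_header(passphrase: str) -> dict:
    """What a vault file stores: salt, cost parameters and a key-check value.
    Neither the passphrase nor the derived key is ever written down."""
    salt = os.urandom(16)
    key = derive_vault_key(passphrase, salt)
    check = hmac.new(key, CHECK_TAG, hashlib.sha256).digest()
    return {"salt": salt, "check": check, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def unlock_vault(passphrase: str, header: dict) -> Optional[bytes]:
    """Re-derive the key from the stored parameters and compare the check value in
    constant time.  Returns the key on success, None for a wrong passphrase."""
    key = derive_vault_key(passphrase, header["salt"], header["n"], header["r"], header["p"])
    expected = hmac.new(key, CHECK_TAG, hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["check"]) else None


if __name__ == "__main__":
    header = create_vault_header("climb hull fjord wailful harpoon")
    print("per-guess memory:", memory_cost_bytes() // (1024 * 1024), "MiB")
    print("right passphrase unlocks:", unlock_vault("climb hull fjord wailful harpoon", header) is not None)
    print("wrong passphrase unlocks:", unlock_vault("climb hull fjord wailful", header) is not None)
```

The header is the only thing an attacker who steals the vault file gets, and every guess against it costs a full derivation at the stored cost parameters; that is the "brute force resilient" property, and the same reasoning applies to a site storing login passwords, which is why MD5 or SHA-1 alone is not enough.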


----------



## Ware

pennstater2005 said:


> ...I tried LastPass once and couldn't figure it out for mobile and ended up just losing the $12 a year or whatever it was.


Mobile use was the most difficult part of my transition to LastPass. It was a little cumbersome to exit whatever browser/app I was using to go get the password I needed from the LastPass app, but then I figured out they also have an extension for the mobile versions of Chrome and Safari. With Apple Touch ID enabled it works pretty well.


----------



## pennstater2005

Ware said:


> pennstater2005 said:
>
> > ...I tried LastPass once and couldn't figure it out for mobile and ended up just losing the $12 a year or whatever it was.
>
> Mobile use was the most difficult part of my transition to LastPass. It was a little cumbersome to exit whatever browser/app I was using to go get the password I needed from the LastPass app, but then I figured out they also have an extension for the mobile versions of Chrome and Safari. With Apple Touch ID enabled it works pretty well.

Thanks! I'll have to watch that later. I need to use a password manager. I have a fair amount of sensitive information on various websites and I have poor password protection currently.


----------



## jonthepain

I've been using lastpass for a few years now. It's ok. I'd look around for a new one, but don't really have time to research and learn a new app

Certainly a whole hell of a lot better than no pword manager at all.

One plus is that I've had my 21 yr old memorize my master password, so if something happens to me, they can find all of my financial accounts etc and log in to them effortlessly.


----------



## Ware

jonthepain said:


> One plus is that I've had my 21 yr old memorize my master password, so if something happens to me, they can find all of my financial accounts etc and log in to them effortlessly.


Another nice feature LastPass offers is they allow you to set up "People I Trust" that can access the account in the event of an emergency. When a trusted contact requests emergency access to your vault, they have to wait for the period of time you specify before being allowed access. During that time window, you can decline their request to access your vault. The wait time options are:

Immediately; 3, 6, 12, 24, or 48 hours; or 3, 7, 14, 21, or 30 days.

They also have a LastPass Family option where you can set up multiple users and share passwords for common accounts.


----------



## jonthepain

didn't know that, thx


----------



## IaHawk

I use Lastpass but you can't go wrong with 1Password either. What you need to focus on is making sure you have a unique password for each account AND, most importantly, set up MFA when possible. I work for an IT consulting firm and the number of account compromises we have seen this year due to users getting their credentials phished (entered their username/password into a fake website) is skyrocketing. If they would have had MFA set up, the attackers would not have been able to access their account.

Just take a Saturday morning, get a cup of coffee and spend a few hours on it. You will feel so much better! And not trying to hijack a thread but I do the same for backups! I still have an external HD I backup to with Time Machine but I also use a cloud backup service... backblaze.com.


----------



## Colonel K0rn

Ware said:


> pennstater2005 said:
>
> > ...I tried LastPass once and couldn't figure it out for mobile and ended up just losing the $12 a year or whatever it was.
>
> Mobile use was the most difficult part of my transition to LastPass. It was a little cumbersome to exit whatever browser/app I was using to go get the password I needed from the LastPass app, but then I figured out they also have an extension for the mobile versions of Chrome and Safari. With Apple Touch ID enabled it works pretty well.

Thank you for posting this. The browser in the LastPass iOS app sucks, so I'm so glad that you posted this.

On an aside, I was actually talking to Ware about the fact that I was glad that he and @dfw_pilot made the thread a couple of months ago. I switched over, and it does take a while to add everything to LastPass, but feel much better knowing that I have a lot more of my accounts switched over (all the important ones).

I received an email 12 days ago from My Heritage where I had done some genealogy research for my family, and I created an account there last year. There was a breach in their security where over 92 MILLION user email addresses and hashed passwords were found offsite... not a small breach. But I was glad that I had already taken steps to secure my logins.

That being said, it's not a matter of "if" you'll have an account compromised, but "when". Take precautions.


----------



## Noclssgt

I too have been using lastpass for a few years. I also use Duo for 2FA to keep the account safe.
Honestly, I have no idea what my passwords are because I rotate them out and have lastpass create new passwords for me (usually 15-18 characters). I started using it for creating VPN tunnel preshared keys as well...which makes it fun when the other side wants to exchange the key over the phone, l


----------



## dfw_pilot

Bumping this thread back up to share some fraud incidents I've had the past few days.

I'm not sure I'm out of the woods yet. It started with PayPal alerting me of a fraudulent expense. Then I noticed a large charge to my credit card with Amazon. I tried to log into my Amazon account, and I couldn't because the password _had been changed!_ PayPal, Amazon, and Chase are all investigating while I get a new credit card, and Chase has notified all three credit bureaus.

I use a password manager, and I have two-factor authentication turned on for PayPal, Amazon, Gmail, and Chase uses their own two-factor system. The point here is to be extra vigilant, even when using strong passwords and multi-factor authentication, like TOTP.

Then I noticed that my Gmail account had been accessed. The sneaky hacker somehow *gained access to my Gmail* account. Even with a strong password and 2FA, they got in. What they did was set up several filters. They set these filters up to delete from my inbox anything from PayPal, Amazon, Target, and a few other places. This prevented me from immediately seeing any activity from those vendors. I noticed these filters, scanned my trash, and saw a bunch of unread e-mail in my trash from those companies. I feel violated. Here's a picture of my Google history inside my Gmail account that wasn't me. Look at what they were searching for:










I don't share my passwords or click links in e-mail to get to sites like Gmail or Amazon, and I certainly don't enter my one time password (TOTP) into forms except the site I'm logging into. I travel a lot, and I wonder if I was exposed to a Man-In-The-Middle attack (MITM) at some point. Possibly a hotel or Starbucks WiFi? I'm still not sure. However, because I use a password manager, it was effortless to change passwords. I hope that's the end of it, but we'll see. I'm on pins and needles now. Every morning I wake up I wonder if I'll have more e-mail alerting me to account access or fraudulent spending.

So be careful out there, and check your spam/trash/filters in your e-mail account regularly. Change your passwords regularly, even if you use a password manager with strong passwords. This all hammers home the idea that your e-mail account needs to be as safe or safer than your bank account, because gaining access to that allows hackers to do a lot of damage across lots of accounts.

Finally, I'm waiting to hear from Amazon as to how my account password was changed. It's very possible that with access to my e-mail, it was changed easily. It's also possible the hacker simply called them on the phone and sounded legit. In the end, we do what we can, and trust technology and corporate policy to keep us safe. Beyond that, there isn't much else to do.
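The check the post above recommends (look at your filters and your trash for mail that is being hidden), as an added example that is not part of the post. The script audits an exported Gmail filter list for filters that trash, archive, mark read or forward mail, and ranks highest the ones that hide mail from the vendors named in the post. The XML is constructed to follow the Atom `apps:property` layout of Gmail's filter export as I understand it, which is an assumption, and every address in it is made up.

```python
# Added example: audit an exported Gmail filter list for filters that hide or
# forward mail, the pattern described in the post.  Not code from the thread.
# SAMPLE_EXPORT is constructed; its layout follows Gmail's filter export as I
# understand it (assumption) and its addresses are invented.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

WATCHED_SENDERS = ("paypal", "amazon", "target", "chase")          # vendors named in the post
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")  # actions that keep mail out of sight
MATCH_FIELDS = ("from", "to", "subject", "hasTheWord")            # filter criteria fields

SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/><title>Mail Filter</title>
    <apps:property name='from' value='service@paypal.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='order OR receipt'/>
    <apps:property name='forwardTo' value='someone@forward.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/><title>Mail Filter</title>
    <apps:property name='from' value='news@gardening-newsletter.example'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/><title>Mail Filter</title>
    <apps:property name='from' value='alerts@chase.example'/>
    <apps:property name='label' value='Bank'/>
  </entry>
</feed>"""


def parse_filters(xml_text: str) -> list:
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
            for entry in root.findall(ATOM + "entry")]


def audit_filters(filters: list) -> list:
    """Flag filters that forward mail or hide it; hiding a watched vendor is 'high'."""
    findings = []
    for f in filters:
        criteria = " ".join(f.get(k, "") for k in MATCH_FIELDS).strip().lower()
        hiding = [a for a in HIDING_ACTIONS if f.get(a) == "true"]
        if f.get("forwardTo"):
            findings.append({"severity": "high", "criteria": criteria,
                             "reason": "forwards mail to " + f["forwardTo"]})
        if hiding and any(s in criteria for s in WATCHED_SENDERS):
            findings.append({"severity": "high", "criteria": criteria,
                             "reason": "hides mail from watched sender (" + ", ".join(hiding) + ")"})
        elif hiding:
            findings.append({"severity": "review", "criteria": criteria,
                             "reason": "hides mail (" + ", ".join(hiding) + ")"})
    return findings


if __name__ == "__main__":
    for finding in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"[{finding['severity']}] {finding['reason']}: {finding['criteria']!r}")
```

On a real account you would point `parse_filters` at the file Gmail's filter settings let you export, and a filter only labelling bank mail (the last entry) should produce no finding while a trash rule on a payment provider should come out on top. Forwarding rules are flagged regardless of sender, since a forward is how someone keeps reading your mail after you change the password.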


----------



## pennstater2005

@dfw_pilot That's pretty scary.


----------



## g-man

Interesting.

https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/


----------



## dfw_pilot

That _is_ interesting. I'm going to look into using a USB key on my travel laptop. My "hack" occurred when I was asleep, but I have had a program that checked my Gmail each minute. I've since disabled it.


----------



## Colonel K0rn

Wow @dfw_pilot, sorry to hear that happened to you. I do have to say that because of the post you guys did earlier this year about password managers, I made the shift to LastPass, and it's made my life much easier. I'm glad that I have it, and I rest more easily knowing that I have more security than I did.

What was really an eye-opener was when I got my father and mother set up for LastPass. My dad didn't understand the value of it, and when I showed him how many passwords were stored on his laptop in Chrome, he was surprised. What was really shocking is when I said, "Dad, why in the hell would you use the same password with slight variations for 23 other accounts? Do I *really* need to point out how foolish it is to share the same password for your main bank account and your Chick-Fil-A rewards app and your King Soopers discount card?" :shock: "Remember how panicked you were when you left your laptop at security in DIA when you flew here to visit last year?"

He understood why he needed it when I said that. :lol:


----------



## dfw_pilot

:thumbup:

Very true - password reuse gets a lot of people in trouble.


----------



## Delmarva Keith

Then at the ramparts, the watchmen let them in. I had a credit card hacked when the call center was bamboozled into changing the email and password by some caller that knew just enough about me to trick them with some sob story. I have since set up a "magic word" with them where they say they won't talk to a caller who doesn't know that word. They already screwed that up too (I called back another time to see what would happen and they didn't ask the magic word).

I think a huge percentage of the risk is created by the companies themselves. It's not helpful to have impenetrable passwords when the companies will allow access or recovery with a protocol (or lack thereof) that includes human factors risk.

I use two factor whenever it's offered but not enough offer it.


----------



## dfw_pilot

Delmarva Keith said:


> I think a huge percentage of the risk is created by the companies themselves.


This. I too use a password manager and 2FA where available, but if social engineering gets hackers into the company side, it's all for nothing. I have 2FA on my Amazon account, but if my e-mail is hacked, the password is changeable in seconds.

I have since gone to using a hardware token for Gmail logins, without a TOTP backup, only printed codes.


----------



## dfw_pilot

Facebook passwords visible to employees by accident. I could have had lots of fun with this.


----------



## dfw_pilot

https://youtu.be/OFN3YvueWdk


----------



## Ware

Bumping this discussion. A new year is a great time to get serious about password management. :thumbup:


----------



## Teej

Ware said:


> Bumping this discussion. A new year is a great time to get serious about password management. :thumbup:


Agreed! And generating new passwords if yours have been in use for a while.


----------



## daniel3507

I've been pretty happy with LastPass. Using their password generator makes it easy to get a complex password and having LastPass on all devices makes it super simple to use.


----------



## tommyboy

X2 on Lastpass. Although it has been purchased by a larger company. So will have to keep my eyes and ears wide open. So far so good.


----------



## jeffjunstrom

Just found this thread, and am definitely intrigued, as I'm guilty of all the aforementioned password sins. Two questions: 1) any follow up on what the "best" one is, or are the top ones all really good and just pick one?, and 2) what about devices other than computer/tablet/phones...i.e., entering my Netflix password on my TV, etc.? For those, would I have to login into the password manager and enter the random password? And what happens when it changes?


----------



## dfw_pilot

1) I don't think there is a best. You need to see what your preferences are, threat level is, tolerance to dealing with devices, etc. KeePassXC is great for Linux. Some people like to have information synced across devices, others don't want that security threat. YMMV. Between KeePassXC, LastPass, and 1Password, I don't think you can go wrong. I'm happy with 1Password, FWIW.

2) For devices that aren't connected to the password manager/platform, you'll want to have a strong random password, but that isn't too crazy to type in. IE, for your Netflix password that must be typed in manually, choose something like "xpH8_VUbfew6dRm" not: "eYL]J]qNCJib6XZoq2}iBVpdhCx9XrEPmTvaqHUC"

ETA: When your password changes, you must update devices with the new password. So, make use of your password manager to save a new password for Netflix. Log into Netflix via desktop with your old weak password and then update your login with the new stronger password. Then log into each Netflix device with your new stronger password.


----------



## jeffjunstrom

dfw_pilot said:


> 2) For devices that aren't connected to the password manager/platform, you'll want to have a strong random password, but that isn't too crazy to type in. IE, for your Netflix password that must be typed in manually, choose something like "xpH8_VUbfew6dRm" not: "eYL]J]qNCJib6XZoq2}iBVpdhCx9XrEPmTvaqHUC"


But what happens when the login/service has both a web based application and a non-device application, like Netflix, Comcast, etc.? I can login to Netflix on my phone, tablet, computer, and TV. Does that affect anything? Or once the password is set by the Password Manager, I won't have to change it (unless/until prompted by the service)?


----------



## dfw_pilot

Wherever you view Netflix (Netflix Comcast?), I would assume you'd need to log in so Netflix knows who you are. Wherever that login occurs is where you'd need to type in your new Netflix account password. If the device, like a TV, stores an old password, it will probably lock you out and ask for your new password. In that case, you type in the new password that you've updated first via a desktop computer at Netflix.com. But, I may not be following your question correctly.


----------



## jeffjunstrom

dfw_pilot said:


> Wherever you view Netflix (Netflix Comcast?), I would assume you'd need to log in so Netflix knows who you are. Where ever that login occurs is where you'd need to type in your new Netflix account password. If the device, like a TV, stores an old password, it will probably lock you out and ask for your new password. In that case, you type in the new password that you've updated first via a desktop computer at Netflix.com. But, I may not be following your question correctly.


No, I think you've got it. I guess I was confusing myself. I was under the impression that the Manager not only created and kept but also routinely changed your passwords at these sites. My concern was that the password would be changed for my login at Netflix.com, and I'd have to update it again on my TV, where character input is less than ideal.


----------



## dfw_pilot

Yes, you got it. Password managers _store_ the passwords. On most desktop and mobile phones, they can also auto-submit them. However, they do not change the passwords anywhere. That's something the user needs to do. Slowly, methodically, and carefully. It will take some time to go through all your accounts (I have nearly 500 logins), but over time, you'll get there, and be much safer for it. :thumbup:


----------



## Dkrem

+1 to Lastpass, I've been using it for a couple years now managing 350+ sets of credentials for home and work. It has been recommended by every IT security person I have asked.


----------



## Ben S

I use Lastpass as well and really like it. Also please turn on two-factor authentication on all accounts that support it. Even if you just let your browser save your passwords, it's better than nothing as long as each password is 100% unique. Chrome now has a native password generator. Here's some more nerdy login stuff:

Perfect Passwords

A post about the future of login

An audio follow up to the above


----------



## kds

+1 for 1Password. I've been using it for about 6 years with no issues.


----------



## ENC_Lawn

@ware @dfw_pilot So I have read the above but am still a little confused.

Do I understand the Cliff Notes?

You pay for a password manager site.

You create 1 strong unique password for that site...and then they manage your passwords for all of your other sites you visit?

I am guessing they are constantly changing these passwords for the other sites...or they just create a super strong password from the beginning.

Thanks


----------



## Ware

@ENC_Lawn

Yes, I use LastPass. The only password I have to remember is my master passphrase that I use to get into LastPass. Inside my LastPass "Vault" are all my passwords for various sites, organized in folders by category. The folders help keep things organized, but you don't have to assign them to a folder.



I use the LastPass browser extension to help fill passwords when I visit a site. For example, when I am logged in to the LastPass browser extension (using my master passphrase) and visit the Ace Hardware website, the browser extension recognizes that I have a password stored for acehardware.com and gives me an option to fill the stored username and password. Side note here - you can have multiple usernames/passwords stored for the same site.



LastPass doesn't change the passwords for the sites you have stored, but they do have a tool to help you generate secure passwords. You basically tell it how long it should be and what types of characters should be used. Once you generate a secure password, you can fill it in the password field of the site you're on, or copy it to your clipboard. As you can see, the secure password is not something you would be able to remember, and you don't have to.



Another nice feature is if I'm on a site and change a password, the LastPass browser extension asks me if I want to update the stored password for that site's stored username/password combo - so you don't have to worry about copying it over, etc.

All these screenshots are from the desktop, but it works similarly for mobile devices. I'll post that sequence from my phone in a bit.


----------



## Ware

This is what it looks like when I go to log in to the same site on my iPhone. When I am prompted for my username and password, I tap Passwords above the keyboard.



It prompts me for biometric login to LastPass.



Then it finds the username/password combo(s) I have stored in my LastPass vault for the URL I'm at.



From there I tap my selection and it autofills into the site for login.


----------



## Ware

@ENC_Lawn that was a quick and dirty demo. Let me know if you have additional questions.


----------



## Ware

I know it has been mentioned before, but it's worth mentioning again - the real beauty in a password manager is you don't have to remember any of your passwords and all of your passwords can be unique. So if acehardware.com has a data breach, I don't have to worry about the same email/username and password combo being used anywhere else (like my bank).

The security is one thing, but not having to remember individual passwords anymore is truly life changing. :thumbup:


----------



## pennstater2005

I finally got onboard and started using google password manager. I'm already completely into their platform so it was a very easy transition.


----------



## ENC_Lawn

@Ware Awesome write-up and thank you!

Is there any website you wouldn't recommend for a password manager site?

Such as banking sites.

It's probably a dumb question...but giving a password manager my banking user / id....just makes me "I guess I am uneducated on the password manager topic" a little nervous.

However, I know you, like a lot of TLF forum members, do your homework / research on any product.

I guess long story short...is there any reason not to use a password manager for banking sites...etc?


----------



## Ware

@ENC_Lawn I suppose with anything there is risk, but for me the benefits of using a reputable password manager outweigh the risks of the alternatives (weak passwords, reusing passwords, etc.). Strong, unique passwords combined with multi-factor authentication (which most financial institutions use now) should be pretty secure.


----------



## ENC_Lawn

Ware said:


> @ENC_Lawn I suppose with anything there is risk, but for me the benefits of using a reputable password manager outweigh the risks of the alternatives (weak passwords, reusing passwords, etc.). Strong, unique passwords combined with multi-factor authentication (which most financial institutions use now) should be pretty secure.


:thumbup:


----------



## LAG Gamecock

I started using LastPass at Christmas time when it was offered through work. I found I had a bad habit of reusing passwords over and over. Now I have LastPass generate strong passwords and it keeps track of them. The biggest pain has just been updating all my passwords to all the different sites I go to. It has been easy to use from computer to mobile device.


----------



## RubyFired22

I prefer open source products. My favorite is Bitwarden.
Pretty sure LastPass is proprietary.


----------



## Dkrem

Yep, I love LastPass. It also supports import and export functions for getting started using it or saving all your stuff for archival or printed/memory stick in a safety box type storage.


----------



## ionicatoms

Guys,

After many years, I gave up LastPass today. Found a decent criticism of it that I thought you might find useful.




> I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people jump ship simply because they suffered a breach. Even more are questioning why I recommend #Bitwarden and #1Password, what advantages they hold over LastPass, and why would I dare recommend yet another cloud-based password manager (because obviously the problem is the entire #cloud, not a particular company.)
> So, here are my responses to all of these concerns!
> Let me start by saying I used to support LastPass. I recommended it for years and defended it publicly in the media. If you search Google for "jeremi gosney" + "lastpass" you'll find hundreds of articles where I've defended and/or pimped LastPass (including in Consumer Reports magazine). I defended it even in the face of vulnerabilities and breaches, because it had superior UX and still seemed like the best option for the masses despite its glaring flaws. And it still has a somewhat special place in my heart, being the password manager that actually turned me on to password managers. It set the bar for what I required from a password manager, and for a while it was unrivaled.
> But things change, and in recent years I found myself unable to defend LastPass. I can't recall if there was a particular straw that broke the camel's back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass:
> 
> - LastPass's claim of "zero knowledge" is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with. Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn't do anything - it still phones home to LastPass every time you authenticate somewhere. Moreover, nearly everything in your LastPass vault is unencrypted. I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted. The only thing that would be worse is if...
> - LastPass uses shit #encryption (or "encraption", as @sc00bz calls it). Padding oracle vulnerabilities, use of ECB mode (leaks information about password length and which passwords in the vault are similar/the same. recently switched to unauthenticated CBC, which isn't much better, plus old entries will still be encrypted with ECB mode), vault key uses AES256 but key is derived from only 128 bits of entropy, encryption key leaked through webui, silent KDF downgrade, KDF hash leaked in log files, they even roll their own version of AES - they essentially commit every "crypto 101" sin. All of these are trivial to identify (and fix!) by anyone with even basic familiarity with cryptography, and it's frankly appalling that an alleged security company whose product hinges on cryptography would have such glaring errors. The only thing that would be worse is if...
> - LastPass has terrible secrets management. Your vault encryption key always resident in memory and never wiped, and not only that, but the entire vault is decrypted once and stored entirely in memory. If that wasn't enough, the vault recovery key and dOTP are stored on each device in plain text and can be read without root/admin access, rendering the master password rather useless. The only thing that would be worse is if...
> - LastPass's browser extensions are garbage. Just pure, unadulterated garbage. Tavis Ormandy went on a hunting spree a few years back and found just about every possible bug -- including credential theft and RCE -- present in LastPass's browser extensions. They also render your browser's sandbox mostly ineffective. Again, for an alleged security company, the sheer amount of high and critical severity bugs was beyond unconscionable. All easy to identify, all easy to fix. Their presence can only be explained by apathy and negligence. The only thing that would be worse is if...
> - LastPass's API is also garbage. Server-can-attack-client vulns (server can request encryption key from the client, server can instruct client to inject any javascript it wants on every web page, including code to steal plaintext credentials), JWT issues, HTTP verb confusion, account recovery links can be easily forged, the list goes on. Most of these are possibly low-risk, except in the event that LastPass loses control of its servers. The only thing that would be worse is if...
> - LastPass has suffered 7 major #security breaches (malicious actors active on the internal network) in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7. So all those "this is only an issue if LastPass loses control of its servers" vulns are actually pretty damn plausible. The only thing that would be worse is if...
> - LastPass has a history of ignoring security researchers and vuln reports, and does not participate in the infosec community nor the password cracking community. Vuln reports go unacknowledged and unresolved for months, if not years, if not ever. For a while, they even had an incorrect contact listed for their security team. Bugcrowd fields vulns for them now, and most if not all vuln reports are handled directly by Bugcrowd and not by LastPass. If you try to report a vulnerability to LastPass support, they will pretend they do not understand and will not escalate your ticket to the security team. Now, Tavis Ormandy has praised LastPass for their rapid response to vuln reports, but I have a feeling this is simply because it's Tavis / Project Zero reporting them as this is not the experience that most researchers have had.
> You see, I'm not simply recommending that users bail on LastPass because of this latest breach. I'm recommending you run as far away as possible from LastPass due to its long history of incompetence, apathy, and negligence. It's abundantly clear that they do not care about their own security, and much less about your security.
> So, why do I recommend Bitwarden and 1Password? It's quite simple:
> 
> I personally know the people who architect 1Password and I can attest that not only are they extremely competent and very talented, but they also actively engage with the password cracking community and have a deep, _deep_ desire to do everything in the most correct manner possible. Do they still get some things wrong? Sure. But they strive for continuous improvement and sincerely care about security. Also, their secret key feature ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable.
> Bitwarden is 100% open source. I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall Bitwarden is a solid product. I also prefer Bitwarden's UX. I've also considered crowdfunding a formal audit of Bitwarden, much in the way the Open Crypto Audit Project raised the funds to properly audit TrueCrypt. The community would greatly benefit from this.
> Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should _start_ with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
> I hope this clarifies things! As always, if you found this useful, please boost for reach and give me a follow for more password insights!
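An added example to make the encryption point in the quoted post concrete (this is illustrative Go code written for this thread, not code from the quoted post, LastPass, Bitwarden or 1Password; the key, the sample password and the zero-padding are constructed for the demo). It encrypts the same vault field twice with ECB and twice with AES-GCM: ECB gives byte-identical output, so anyone holding a copy of the vault can see which entries share a password without decrypting anything, while an authenticated mode with a fresh nonce does not repeat and also refuses a tampered ciphertext, which unauthenticated ECB/CBC cannot do.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ecbEncrypt encrypts pt (a multiple of 16 bytes) block by block with no
// chaining and no nonce: the ECB mode the quoted post criticises.
func ecbEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// gcmEncrypt is AES-GCM (authenticated encryption) with a fresh random nonce
// on every call; the nonce is prepended so gcmDecrypt can find it.
func gcmEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...)
}

// gcmDecrypt returns an error if the blob was modified or the key is wrong.
func gcmDecrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// pad16 zero-pads to the AES block size. Toy padding for the demo only; ECB
// needs some padding scheme, GCM needs none.
func pad16(s string) []byte {
	b := []byte(s)
	for len(b)%aes.BlockSize != 0 {
		b = append(b, 0)
	}
	return b
}

// CiphertextsMatch reports whether encrypting the same password twice under
// encrypt yields identical bytes, i.e. whether a vault thief can link entries
// that share a password without decrypting anything.
func CiphertextsMatch(encrypt func(key, pt []byte) []byte, key []byte, pw string) bool {
	return bytes.Equal(encrypt(key, pad16(pw)), encrypt(key, pad16(pw)))
}

// TamperDetected flips one byte of a GCM ciphertext and reports whether
// decryption refuses it (it should; ECB and unauthenticated CBC would not).
func TamperDetected(key []byte, pw string) bool {
	blob := gcmEncrypt(key, pad16(pw))
	blob[len(blob)-1] ^= 0x01
	_, err := gcmDecrypt(key, blob)
	return err != nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real vault key comes out of the KDF
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pw := "correct horse battery staple" // constructed sample vault entry
	fmt.Println("ECB: same password, same ciphertext?", CiphertextsMatch(ecbEncrypt, key, pw))
	fmt.Println("GCM: same password, same ciphertext?", CiphertextsMatch(gcmEncrypt, key, pw))
	fmt.Println("GCM: tampered ciphertext rejected?", TamperDetected(key, pw))
}
```

The first line prints true and the other two print false and true respectively, which is exactly the difference between "a lockbox" and "a vault" that the quoted post draws: with a deterministic, unauthenticated mode the file itself gives away structure even before anyone tries to crack the master password.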


----------



## g-man

ionicatoms said:


> Guys,
> 
> After many years, I gave up LastPass today. Found a decent criticism of it that I thought you might find useful.


I would like to add that I would not use the Google or Microsoft password manager. While I do think it is better than nothing, I feel that there are risks with all your eggs in one basket. Bitwarden is free and open source.


Lastly, checking your email here is pretty interesting: https://haveibeenpwned.com/


----------

