Brian Enos's Forums... Maku mozo!

Talk to me about password managers, given the USPSA hack



So, the USPSA hack has got me thinking about password managers. What I know can be written in large print on a pinhead.

Apple offers a built-in password manager. Companies like LastPass offer a service -- they'll even generate strong passwords for your log-ins and store them securely in their software, allegedly encrypted and decrypted automatically and never sent in the clear.....

Should we all be using something like that to ensure that we have unique passwords everywhere?

Educate me -- please.....


Apple has a built in password manager?

KeyChain

It stores your passwords and has a series of password generators based on varying criteria.

I've been using it for a while and I plan to use it more extensively in future.

Edited by BritinUSA

KeePass http://keepass.info/download.html

available for free on Windows, Linux, Android

also available for Mac / iStuff, might cost money in the Apple Garden, I dunno

also available on blackberry, palm pilots, etc

so you can have one encrypted database which holds all your usernames / passwords, and share it everywhere with whatever sync software you use (I'd recommend SpiderOak's Hive service as it's free, runs on everything and is generally awesome).

I have my keepass db in my spideroak hive, so when I add a new password for some new site, no matter which device I'm using, every other device will get in sync with that new addition (because all those devices are running spideroak's hive, too, and the same keepass file works across all your devices).

Two pieces of free software and you're gtg everywhere. You can replace all the passwords you juggle with one (hopefully very complicated) password to secure Keepass.

Of course it has all the standard password keeping features, and then some, but remains very easy to use.

Edited by ummm

I used Keychain for a little while but now I use a program called Keeper. It works on EVERYTHING I use: PC, Mac, iPhone, Kindle, etc. It generates strong passwords and is easy enough to use that my wife finally shredded the sheet she had printed with all of the account passwords on it.


I just have everything written down as well. I am just not computer savvy enough to fool with this. I would probably end up sending all of my passwords to the cloud or every person on the planet with the touch of a button. Or I would forget the password to get to my passwords and then be royally screwed.


You all have gun safes, right? Turns out a notebook might fit in it. Also turns out you can encode your own passwords in that book in case anyone gets access to it, with a pattern like "always go up 3 letters on the 3rd letter and 3 down on the 6th".


Apple has a built in password manager?

KeyChain

It stores your passwords and has a series of password generators based on varying criteria.

I've been using it for a while and I plan to use it more extensively in future.

I see that it will sync on all devices, is that via the Cloud or just on my wireless network?


I see that it will sync on all devices, is that via the Cloud or just on my wireless network?

I think it's through the iCloud service, and when you set it up you define each device that you want to access the data. There are more details at the Apple Support page: HERE

Yes, it is the cloud. Set up is simple.


KeePass is a good little program (and free and can generate some hugely complex passwords) but it can be a bit tough to integrate to automatically log you in.

A lot of security experts recommend changing your password on a regular basis, but that leads to people forgetting what's what and they end up writing things down or using simple passwords.

Not all logins allow all the keyboard characters, and may require some particular things.

One "simple" trick is to use a simple combination (you can remember) of letters used in both lower and upper and interspersed with numbers and special characters. For example: d1v2c3D!V@C# All this is is DVC mixed with 123 lower case then shifted.

If you can create something like this then you can use that along with some other thing specific to the site. For example, if your bank is Acme Bank and Trust, then AcMe_d1v2c3D!V@C#

Of course, one of the biggest problems with something like this is that if you are using a tablet or phone, then shifted numbers don't exist and you have to remember what their special character equals are.


I am thinking that those apps and programs would be a very target rich environment for a hacker.

Sort of, but generally it's exactly the opposite. It's like saying, "I bet Fort Knox is a target for every criminal in America"...

The "sort of" part comes because sometimes the surrounding infrastructure is easily targeted (like the idiocy which led to the celebrities having their nude photos leaked from iCloud recently), but that's usually because of stupid human decisions, as it was in that case.

The stuff you see in the movies where there's always a person who can crack any secure system is purest fiction.

Edited by ummm

Pick a phrase that you can remember easily and involves some numbers but is totally unrelated to anything you do on the internet. Use the first letter of each word and the numbers.

Example: My 3 kids have watched Star Wars 17 times this year. = M3khwST17tty

I don't trust password managers. The manager can be hacked and then they have ALL your passwords.

Edited by Dranoel

The manager can be hacked and then they have ALL your passwords.

Back up this claim, please, or do you mean "can be" as in "cannot be proven to be impossible" ?

Edited by ummm

Pick a phrase that you can remember easily and involves some numbers but is totally unrelated to anything you do on the internet. Use the first letter of each word and the numbers.

Example: My 3 kids have watched Star Wars 17 times this year. = M3khwST17tty

I don't trust password managers. The manager can be hacked and then they have ALL your passwords.

I don't understand how this would help. If you have 10 accounts that need a password, it appears to me that what you are suggesting, all 10 accounts would have the same password then.

I thought the point was to have unique passwords for each account.

I also do not trust password managers. It is only a matter of time before the password managers will become the next victim.


I don't trust password managers. The manager can be hacked and then they have ALL your passwords.

I don't know the specifics but your passwords are stored in an encrypted format so that if your password manager was hacked in the cloud the hacker would see the clear text password.
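What "stored in an encrypted format" means for the encrypted-database-plus-sync setup and the cloud managers discussed in this thread, as an added sketch that is not part of any post and is not KeePass's or any vendor's actual file format. The HMAC-SHA256 keystream is a standard-library stand-in for a real cipher such as AES, and the round count, site names and master password are constructed for the example.

```python
import hashlib, hmac, json, secrets

KDF_ROUNDS = 200_000  # assumed work factor for this sketch
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"

def _keys(master: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ROUNDS, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: stand-in for AES or ChaCha20."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master: str, entries: dict) -> bytes:
    """Return the opaque blob that a sync service or cloud vault would hold."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(master, salt)
    plain = json.dumps(entries).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    body = salt + nonce + cipher
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(master: str, blob: bytes) -> dict:
    """Decrypt the blob; a wrong master password or tampering raises ValueError."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, cipher = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(master, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or modified vault")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)

def new_site_password(length: int = 20) -> str:
    """A unique random password per site, as a manager's generator produces."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

# Constructed sample vault: two sites, two unrelated passwords.
VAULT = {"uspsa.example": new_site_password(), "bank.example": new_site_password()}
BLOB = seal("correct horse battery staple", VAULT)
```

Someone who copies `BLOB` from the sync service still has to guess the master password, and each guess costs `KDF_ROUNDS` hash iterations, which is why the strength of that one password matters so much.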


One "simple" trick is to use a simple combination (you can remember) of letters used in both lower and upper and interspersed with numbers and special characters. For example: d1v2c3D!V@C# All this is is DVC mixed with 123 lower case then shifted.

If you can create something like this then you can use that along with some other thing specific to the site. For example, if your bank is Acme Bank and Trust, then AcMe_d1v2c3D!V@C#

I already do something similar to this and in general I would say it works well. Usually the websites list my password as "strong" but I still find myself forgetting part of the "code" and having to reset passwords more frequently than I like.

Some sort of safe password encryptor and generator is something that interests me.... I just don't know who to trust. I don't mind paying for this app, but I don't want a subscription service.


The manager can be hacked and then they have ALL your passwords.

Back up this claim, please, or do you mean "can be" as in "cannot be proven to be impossible" ?

hi Ummm,

semantics is a fun game. I play with meanings a lot.

I have a logic puzzle for you...

which is better for security?

knowing you are 'safe'

or

looking for better securities?

if insanity is left aside,

all crime is a risk vs profit evaluation.

So cracking a secure system is not a question of 'impossible'

it is more of a question of 'why try...'

BTW, "because it is there" is about where insanity starts....

miranda


I just have everything written down as well. I am just not computer savvy enough to fool with this. I would probably end up sending all of my passwords to the cloud or every person on the planet with the touch of a button. Or I would forget the password to get to my passwords and then be royally screwed.

Writing them down seems more secure to me than having them stored somewhere online.
