SIGforum
Who here uses a password manager? Password manager OneLogin hacked.

This topic can be found at:
https://sigforum.com/eve/forums/a/tpc/f/320601935/m/8230031524

August 31, 2017, 04:33 PM
downtownv
Who here uses a password manager? Password manager OneLogin hacked.
quote:
Originally posted by ensigmatic:
The problem with many of these password managers is they force you to keep a copy of your password store on their servers. Two problems: If they close their doors (as happened with one such password management app): You're screwed. Secondly: Yes, your password store is encrypted, but, because that's explicitly what they're storing it's readily-identifiable as a password store and thus a high-value target.

If a bad guy gets a copy of your password store they have all the time in the world to begin attacking it. Even home-brew purpose-built "cracking farms" (multiple computers running multiple graphics cards each--the GPUs of which are very good for this purpose) can brute-force even the strongest encryption in a surprisingly short amount of time.


Logmeonce gives you the option to store on YOUR computer Not the cloud.


_________________________
https://www.facebook.com/reel/2177215486049695
August 31, 2017, 04:46 PM
steve495
I'm using LastPass. The interface is not always perfect and it's a bit "in your way" sometimes, but it works well in my opinion.


Steve


Small Business Website Design & Maintenance - https://spidercreations.net | OpSpec Training - https://opspectraining.com | Grayguns - https://grayguns.com

Evil exists. You can not negotiate with, bribe or placate evil. You're not going to be able to have it sit down with Dr. Phil for an anger management session either.
August 31, 2017, 04:55 PM
smschulz
Many of my IT clients solve the problem by just taping their password to their monitor. Eek
August 31, 2017, 06:58 PM
maladat
quote:
Originally posted by ensigmatic:
The problem with many of these password managers is they force you to keep a copy of your password store on their servers. Two problems: If they close their doors (as happened with one such password management app): You're screwed. Secondly: Yes, your password store is encrypted, but, because that's explicitly what they're storing it's readily-identifiable as a password store and thus a high-value target.

If a bad guy gets a copy of your password store they have all the time in the world to begin attacking it. Even home-brew purpose-built "cracking farms" (multiple computers running multiple graphics cards each--the GPUs of which are very good for this purpose) can brute-force even the strongest encryption in a surprisingly short amount of time.


Dashlane uses AES-256.

The best algorithm currently known for breaking AES takes, on average, 1/4 the time of brute forcing it.

So how long would that take?

http://www.eetimes.com/document.asp?doc_id=1279619

Here's a 2012 article where they conservatively estimated that 128-bit AES would take the then-fastest supercomputing cluster in the world about 1 billion billion years to brute force.

Using the best exploit currently known, we could get that down to 250 million billion years.

256-bit AES is 2^128 times harder to crack than 128-bit AES.

That's about 300000000000000000000000000000000000000 times harder.

That is far from a "surprisingly short amount of time," at least as long as you use a reasonably secure password. If your password is "password" or "dog123" or something, all bets are off.

AES could always be cracked tomorrow, of course, but there are very strong mathematical arguments that there shouldn't be a significant exploit.
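A rough calculator for the brute-force argument in this post, added here as an example and not code from the thread or from any password manager vendor. The guess rate, the KDF iteration count and the "one hash costs about one key trial" simplification are assumptions, not figures from the thread or the linked article.

```python
# Added example, not from the SIGforum thread or any vendor. It puts numbers
# on the post's argument: exhausting an AES keyspace is hopeless, so whoever
# steals a vault goes after the master password instead. Guess rates,
# alphabets and the KDF cost are constructed assumptions.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_exhaust(bits, guesses_per_second, speedup=1.0):
    """Years needed to try every key of a `bits`-bit keyspace at a given rate.

    `speedup` models a cryptanalytic shortcut; the post cites one that cuts
    AES brute force to roughly a quarter of the work (speedup=4).
    """
    return 2.0 ** bits / speedup / guesses_per_second / SECONDS_PER_YEAR


def password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def effective_bits(key_bits, password_bits, kdf_iterations):
    """Work facing an attacker who holds a stolen vault, expressed in bits.

    Two doors: the raw AES key, or the master password fed through the vault's
    key-derivation function. Each password guess costs `kdf_iterations` hash
    computations, adding log2(kdf_iterations) bits of work to that door
    (assumption: one hash ~ one key trial). The attacker takes the cheaper door.
    """
    return min(key_bits, password_bits + math.log2(kdf_iterations))


def compare(password_bits, kdf_iterations=100_000, rate=1e12):
    """Years to exhaust the raw AES-256 key vs. the password door, at a
    constructed rate of `rate` operations per second (a generous GPU farm)."""
    raw = years_to_exhaust(256, rate)
    pw = years_to_exhaust(effective_bits(256, password_bits, kdf_iterations), rate)
    return raw, pw


if __name__ == "__main__":
    weak = password_entropy_bits(36, 6)     # "dog123"-class: 6 chars, a-z plus digits
    strong = password_entropy_bits(94, 20)  # 20 random printable ASCII characters
    for label, bits in (("weak master password", weak), ("strong master password", strong)):
        raw, pw = compare(bits)
        print(f"{label}: raw AES-256 door {raw:.3g} years, password door {pw:.3g} years")
```

The weak case falls to minutes at the assumed rate while the raw key stays out of reach by dozens of orders of magnitude, which is the point the post makes about "all bets are off".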
August 02, 2021, 04:59 PM
Pipe Smoker
quote:
Originally posted by r0gue:
Yeah, there are a bunch of them out there now. My preference is LastPass with 2 factor auth.
<snip>

CNET reports some vulnerabilities in LastPass:

“No, LastPass isn't flawless: A vulnerability privately reported in September 2019 was a scary flaw that could potentially compromise passwords. But the company patched it before it was known to be exploited in the wild. It was one of several vulnerabilities that have been discovered in LastPass over the years.

More recently, however, privacy concerns emerged around LastPass's Android app when a privacy advocacy project discovered seven web trackers within the mobile app.

In light of these privacy concerns and LastPass's new restrictions on its free-tier service, we're currently in the process of reevaluating LastPass's rank in our list of top password managers. Read our LastPass review”

https://www.google.com/amp/s/w...st-password-manager/



Serious about crackers.
August 02, 2021, 06:23 PM
WaterburyBob
I used Last Pass years ago - but then they got hacked. Since then I use note cards and store them in my safe.
Certainly not perfect, but they will never be read by hackers.



"If Gun Control worked, Chicago would look like Mayberry, not Thunderdome" - Cam Edwards
August 03, 2021, 06:54 AM
henryaz
 
I've been using 1Password on my Mac for many years now. I use the stand-alone version, not the newer web version, so my encrypted vault is stored locally. I have it on 2 Macs and my iPhone. The master vault is on one Mac, and the other two devices sync with that. Syncing is done on the local network, with no cloud involvement at all.



When in doubt, mumble
August 03, 2021, 07:57 AM
mark123
Bitwarden with a self-hosted setup is where I'm moving from iOS keychain.
August 03, 2021, 09:07 AM
Pyker
What's the scoop on the iPhone native password manager?
August 03, 2021, 09:19 AM
V-Tail
quote:
Originally posted by henryaz:
 
I've been using 1Password on my Mac for many years now. I use the stand-alone version, not the newer web version, so my encrypted vault is stored locally. I have it on 2 Macs and my iPhone. The master vault is on one Mac, and the other two devices sync with that. Syncing is done on the local network, with no cloud involvement at all.
I have a "how to" question about this. I too, use the non-web version on two Macs, one at home and one in my office at the hangar, and also in an iPhone.

Right now, everything is synced through the cloud, Dropbox if I remember correctly, or might be iCloud.

Here's my question: If I wanted to take the cloud out of the picture, but still keep the two Macs (in different locations) synced, could I make the iPhone version the "master" and have the Mac desktop installations of 1Password sync automatically whenever the iPhone connects to the local network? If so, how to set this up?



הרחפת שלי מלאה בצלופחים
August 03, 2021, 09:26 AM
ensigmatic
If everything's sync'd via iCloud, I really wouldn't worry about it. The keychain, itself, is encrypted, then the data is again encrypted in iCloud storage.

In such a case the odds against anybody ever getting what's in your keyring are astronomically high.



"America is at that awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
August 03, 2021, 09:34 AM
Pipe Smoker
quote:
Originally posted by ensigmatic:
If everything's sync'd via iCloud, I really wouldn't worry about it. The keychain, itself, is encrypted, then the data is again encrypted in iCloud storage.

In such a case the odds of anybody ever getting what's in your keyring are astronomically high.

Maybe:
In such a case the odds against anybody ever getting what's in your keyring are astronomically high.



Serious about crackers.
August 03, 2021, 09:37 AM
ensigmatic
quote:
Originally posted by Pipe Smoker:
Maybe:
In such a case the odds against anybody ever getting what's in your keyring are astronomically high.

Yes. Corrected. Thanks!



"America is at that awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
August 03, 2021, 09:40 AM
NavyGuy
quote:
Originally posted by ensigmatic:
If they close their doors (as happened with one such password management app): You're screwed.


Not so with Dashlane (and probably most of the others). You can occasionally download a list of all of your stored passwords. Print it out, or make a digital copy; in either case it's then up to you to secure the downloaded list. Safe? Off site? In your wife's bra drawer?



Men fight for liberty and win it with hard knocks. Their children, brought up easy, let it slip away again, poor fools. And their grandchildren are once more slaves.

-D.H. Lawrence
August 03, 2021, 10:03 AM
Rey HRH
quote:
Originally posted by ravens1775:
quote:
Originally posted by V-Tail:
1Password


Same here. I like it. I only use local storage for the password vault.


I use 1Password also after some studying up on the topic. I used to have a list of sites with passwords, but the passwords were in code. But reusing passwords was easy. When I started using a password manager, it was like the feeling you get after years of regularly hitting your shin against the table - it felt like such a relief. I have 257 individual passwords / logins.

For website logins that I want to keep especially secure, I learned one trick. When you record a new password or change to a new password, save the password to your password manager but before saving to the actual site, add another string of characters that you memorize.

That way, even if the password in the password manager is decrypted, it still won't work because it doesn't have the second part which you only memorize.



"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
August 03, 2021, 10:24 AM
nhracecraft
I am my own 'Password Manager', and I'm unhackable....100% secure! Wink


____________________________________________________________

If Some is Good, and More is Better.....then Too Much, is Just Enough !!
Trump 47....Make America Great Again!
"May Almighty God bless the United States of America" - parabellum 7/26/20
Live Free or Die!
August 03, 2021, 10:43 AM
cyanide357
Bitwarden is a good option. It's open source and the host option is affordable ($10/year if you need functionality beyond the free tier).

You can also self host an instance if you are so inclined.
August 03, 2021, 10:55 AM
JimTheo
I use KeePass and sync iPhones, MacBook Pro, Windows 10 and wife's iPhone by using Dropbox as the master repository. The database is encrypted so is OK on Dropbox; no website has my stuff to get hacked. Pretty basic but effective and cheap. Open source. I did donate as it is only fair.
https://keepass.info/



I should be tall and rich too; That ain't gonna happen either
August 03, 2021, 10:56 AM
architect
quote:
Originally posted by nhracecraft:
I am my own 'Password Manager', and I'm unhackable....100% secure! Wink
It is tempting to think so, but it is hard, if not impossible, to reconcile that approach with the need to maintain a different password, of sufficient variability and complexity, for each use case/login. Very few people have that good a memory.

Even then you are vulnerable to "false flag" attacks, e.g. a website that masquerades as another prompting you to enter a password that has value on the forged site.

So the truth is that you can be "hacked" through social engineering and other methods. Mitnick's "The Art of Deception" provides many examples of how this might occur.

Trusting one's integrity, intellect, and abilities has proven flawed for many many people. It may be wiser to acknowledge one's own limitations, and use a tool, like a password vault, to help overcome them.

So as to not veer too far off the topic, the password vault I have found that best fits my use profile is called "b-folders." It does not save to the cloud by default, and uses device-to-device syncing. Its biggest shortcoming is that it isn't available for iOS. I also use the Apple Keychain on macOS and iOS.
August 03, 2021, 11:25 AM
NavyGuy
quote:
Originally posted by architect:
quote:
Originally posted by nhracecraft:
I am my own 'Password Manager', and I'm unhackable....100% secure! Wink
It is tempting to think so, but it is hard, if not impossible, to reconcile that approach with the need to maintain a different password, of sufficient variability and complexity, for each use case/login. Very few people have that good a memory.

Even then you are vulnerable to "false flag" attacks, e.g. a website that masquerades as another prompting you to enter a password that has value on the forged site.

So the truth is that you can be "hacked" through social engineering and other methods. Mitnick's "The Art of Deception" provides many examples of how this might occur.

Trusting one's integrity, intellect, and abilities has proven flawed for many many people. It may be wiser to acknowledge one's own limitations, and use a tool, like a password vault, to help overcome them.

So as to not veer too far off the topic, the password vault I have found that best fits my use profile is called "b-folders." It does not save to the cloud by default, and uses device-to-device syncing. Its biggest shortcoming is that it isn't available for iOS. I also use the Apple Keychain on macOS and iOS.


In addition, I use Dashlane's password generator and use the longest password allowable by the particular site, with upper and lower case letters, numbers and symbols. Hand typing these is very tedious.



Men fight for liberty and win it with hard knocks. Their children, brought up easy, let it slip away again, poor fools. And their grandchildren are once more slaves.

-D.H. Lawrence