Password Security Catch-All Thread

DanB wrote:
NSMike wrote:

On iOS I've used MiniKeePass, and KeePassDroid on Android.

I use KyPass on iOS, it's good.

I will have to look into those iOS options. Thanks to both of you!

This story about someone getting their 2-Factor-enabled Google account hacked via the cellphone number is a bit disturbing.

Gremlin wrote:

This story about someone getting their 2-Factor-enabled Google account hacked via the cellphone number is a bit disturbing.

Yeah, the problem there is that it wasn't two separate factors. An SMS auth factor and password reset by phone end up boiling both factors down to just one: having control of your phone number.

Takeaways:
* don't use SMS as an auth factor. It is incredibly vulnerable to a targeted attack. This attack would have been defeated by an OTP-based second factor.
* consider taking your phone off of your Google accounts. Google pesters you to add it in for password recovery, but as this case shows, that is a definite weak point in the password factor.
* more generally, if you're using multi-factor authentication, make sure they're really separate factors. Password seems separate from SMS at first until the idea of resetting password by phone is taken into account. Unfortunately, this can be non-obvious.
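The "are they really separate factors" question from that reply can be checked mechanically instead of by intuition. The following Python is an added illustration, not code from anyone in this thread: it models an account's login and recovery paths as AND/OR requirements over the primitives an attacker would have to control (a known password, a hijacked phone number, a TOTP secret on a device) and computes the minimal "cut sets", i.e. the smallest collections of primitives that are enough to get in. The account model itself (which recovery paths exist, what each factor depends on) is a constructed assumption, not a description of any particular provider.

```python
from itertools import product

# Requirements are kept in disjunctive normal form: a list of frozensets of
# primitives, where controlling every primitive in any one frozenset is
# enough to satisfy the requirement.

def _minimal(cutsets):
    """Keep only minimal sets: drop any set that strictly contains another."""
    sets = {frozenset(s) for s in cutsets}
    keep = [s for s in sets if not any(o < s for o in sets)]
    return sorted(keep, key=lambda s: (len(s), sorted(s)))

def need(primitive):
    """Requirement satisfied only by controlling this single primitive."""
    return [frozenset([primitive])]

def any_of(*alternatives):
    """OR: any alternative path is enough (e.g. know the password OR reset it)."""
    return _minimal(s for alt in alternatives for s in alt)

def all_of(*requirements):
    """AND: every requirement must hold (e.g. password AND second factor)."""
    combined = [frozenset()]
    for req in requirements:
        combined = [a | b for a, b in product(combined, req)]
    return _minimal(combined)

def takeover_cutsets(second_factor, phone_recovery):
    """Minimal sets of primitives that let an attacker log in to the modelled account.

    second_factor: "none", "sms" or "totp" (constructed model, not a real provider).
    phone_recovery: True if the password can be reset via a code sent to the phone.
    """
    phone = need("phone-number")
    password = need("password")
    if phone_recovery:
        # The password factor is satisfied by knowing the password OR by
        # owning the phone number that the reset code is sent to.
        password = any_of(password, phone)
    factors = {
        "none": [frozenset()],        # no second factor at all
        "sms": phone,                 # SMS code goes to that same phone number
        "totp": need("totp-secret"),  # secret lives on a device, not on a number
    }
    return all_of(password, factors[second_factor])

def effective_factors(second_factor, phone_recovery):
    """Smallest number of distinct things an attacker must control to get in."""
    return min(len(s) for s in takeover_cutsets(second_factor, phone_recovery))

if __name__ == "__main__":
    for sf in ("none", "sms", "totp"):
        for rec in (False, True):
            sets = takeover_cutsets(sf, rec)
            print(f"{sf:5} phone_recovery={rec!s:5} effective factors="
                  f"{effective_factors(sf, rec)} cut sets={[sorted(s) for s in sets]}")
```

Running it shows the collapse the reply describes: with SMS as the second factor and phone-based password reset enabled, the only minimal cut set is `{phone-number}`, so the "two" factors are worth one. Swapping the second factor for a TOTP secret keeps every cut set at two primitives even with phone recovery left on, which is why the recovery path, not just the login form, has to be in the picture when you count factors.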

Yeah, hardware tokens, like Blizzard's Authenticator, are safer. They're less convenient, of course, but most software tokens are intimately married to a phone, and that phone is intertwined with a phone number and SMS, and is susceptible to attack from multiple different angles.

Physical tokens, ones that have no networking, are quite difficult (though not impossible) to exploit remotely.

So, I used to do pretty great just remembering all my passwords. I never had issues jumping from one thing to another and just typing them all in.

Over time though, I seem to be losing some of that and it seems like with every year I end up doing password recovery just a little more often.

Are LastPass/KeePass still the generally preferred solutions for this on desktops? How do they even work? I've never needed one before, so I've never paid any attention to it.

The last couple pages seem to err toward KeePass. Just curious what has changed recently, if anything.

I'm still very happy with LastPass. It is a browser plugin that remembers your passwords, generates new passwords and recommends improved passwords for your sites. You can copy passwords for non-browser uses like game clients, etc.

If you pay for it you can use it on mobile devices as well. The free version works fine on your PC though. You can also get it in a bundle with Xmarks, which I like.

It's fairly simple to use, unless a site is unconventional somehow. I've had ones with different domain names that confuse issues, but it's easy to figure out.

I've been perfectly happy with KeePass; I vastly prefer open-source for my security solutions. But keep in mind that I'm primarily operating from one desktop. If you need a mobile/roaming solution, Lastpass is somewhat better.

I'm still using LastPass after all these years.

+1 more to LastPass and its mobile app.

I've actually switched from LastPass to 1Password. I like using the software a lot more than the web-based UI because it's a lot cleaner and easier to organize things.

I was using LastPass for 3 years and made the switch. It's personal preference really, since they all do the same thing.

I've been switching over to LastPass and am loving it. At first I really didn't like having all my passwords stored with some service, but after reading about their security and how it works I'm comfortable using it for everything now. I do use the two-factor authentication with it through the Google Authenticator app on my phone for added security.

Personally, I just don't think storing your passwords on any cloud service is a good idea. You have only their word that they can't decrypt your files -- and the government, at the very least, can require them to lie to you.

KeePass is totally doable on mobile. I've used Dropbox to keep my password database in sync with all of my devices, and each device I've used (iOS and Android) has a viable KeePass app.

It's probably not as convenient as LastPass, but I think that sacrificing that convenience adds to the security of the solution. It being slightly less convenient for me makes it dramatically less convenient for a thief.

Malor wrote:

Personally, I just don't think storing your passwords on any cloud service is a good idea. You have only their word that they can't decrypt your files -- and the government, at the very least, can require them to lie to you.

Hence why I use KeePass.

NSMike wrote:

KeePass is totally doable on mobile. I've used Dropbox to keep my password database in sync with all of my devices, and each device I've used (iOS and Android) has a viable KeePass app.

It's probably not as convenient as LastPass, but I think that sacrificing that convenience adds to the security of the solution. It being slightly less convenient for me makes it dramatically less convenient for a thief.

Yeah, I should have mentioned that: there are mobile apps for it (though you have to trust the app maker and Dropbox (and maybe Apple) a bit).

RoboForm is also one and they have standalone and mobile versions.

But I just use KeePass because I don't need any passwords for anything while at work, and I use my phone like a feature phone, not a smart one.

NSMike wrote:

KeePass is totally doable on mobile. I've used Dropbox to keep my password database in sync with all of my devices, and each device I've used (iOS and Android) has a viable KeePass app.

It's probably not as convenient as LastPass, but I think that sacrificing that convenience adds to the security of the solution. It being slightly less convenient for me makes it dramatically less convenient for a thief.

Can I just use a USB drive or something of that nature for that instead of dropbox?

If that's easy to set up, it sounds like KeePass will end up being my choice.

Zero interest in a mobile app.

I'm not sure if there is a portable version of the application that you can put on a USB stick, but it sounds like such a likely use case that I'd bet there is, or that it's already portable.

Thin_J wrote:
NSMike wrote:

KeePass is totally doable on mobile. I've used Dropbox to keep my password database in sync with all of my devices, and each device I've used (iOS and Android) has a viable KeePass app.

It's probably not as convenient as LastPass, but I think that sacrificing that convenience adds to the security of the solution. It being slightly less convenient for me makes it dramatically less convenient for a thief.

Can I just use a USB drive or something of that nature for that instead of dropbox?

If that's easy to set up, it sounds like KeePass will end up being my choice.

Zero interest in a mobile app.

KeePass is designed to be portable without installation. You can carry it around on a USB stick together with a copy of your database, and it works and doesn't leave anything behind.

KeePass is indeed portable and can run off a USB stick. It can also be set up to use a password, a key file, and a particular Windows user account as authentication factors, if you want to go that route.
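To show what "password, key file and user account as factors" buys you when the database is carried around on a USB stick, here is an added Python sketch of a composite key. It is not KeePass's code: the construction (hash each component, then hash the concatenation) is modelled on the general composite-key idea, and the key-file parsing rules and the stand-in for a per-user OS secret are simplifications stated as assumptions.

```python
import hashlib
import secrets

def password_component(password: str) -> bytes:
    """A password contributes the SHA-256 of its UTF-8 bytes."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def keyfile_component(data: bytes) -> bytes:
    """Reduce key-file contents to 32 bytes.

    Assumed, simplified rules: a 32-byte file is used as-is, a 64-character
    hex file is decoded, anything else is hashed. Real managers also parse
    structured key-file formats; that is not reproduced here.
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()

def composite_key(password=None, keyfile=None, account_secret=None) -> bytes:
    """Combine whichever components are present into one 32-byte key.

    Every supplied component is hashed into the result, so a database locked
    with password + key file cannot be opened with only one of them.
    account_secret stands in for a per-user OS secret (the Windows user
    account factor); here it is just bytes the caller supplies (assumption).
    """
    parts = []
    if password is not None:
        parts.append(password_component(password))
    if keyfile is not None:
        parts.append(keyfile_component(keyfile))
    if account_secret is not None:
        parts.append(hashlib.sha256(account_secret).digest())
    if not parts:
        raise ValueError("at least one key component is required")
    return hashlib.sha256(b"".join(parts)).digest()

def new_keyfile() -> bytes:
    """Generate a fresh 32-byte random key file; keep it apart from the database."""
    return secrets.token_bytes(32)

def every_component_required(**components) -> bool:
    """True if dropping any one of the supplied components changes the key."""
    present = {k: v for k, v in components.items() if v is not None}
    if len(present) < 2:
        return False  # one component on its own is not "required alongside" anything
    full = composite_key(**present)
    for name in present:
        reduced = {k: v for k, v in present.items() if k != name}
        if composite_key(**reduced) == full:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample inputs: a throwaway password and a generated key file.
    kf = new_keyfile()
    print("composite key:", composite_key("correct horse", kf).hex())
    print("both needed:", every_component_required(password="correct horse", keyfile=kf))
```

The slow key transformation a real manager applies after this step (to make brute force expensive) is left out; the point here is only that the components are hashed together, so someone who picks up a lost USB stick holding the database and the key file still lacks the password component, and someone who phishes the password still lacks the key file.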

Malor wrote:

You have only their word that they can't decrypt your files

That's not exactly true, at least in the case of LastPass. Since the browser extension is 100% JavaScript, the code is completely open for you to see exactly what it does.

Granted, you and I aren't likely in a position to do a worthwhile audit of the LP code, but others are, and have.

The big concern would be a malicious update pushed out and used before anyone audits it. But it's not something they would really be able to do without eventually being discovered and bringing their company to an instant end. (Since you're downloading the extension as published in your browser's extension repository, they wouldn't likely be able to target you with a specifically crafted download.)

But I sure would like the idea of more transparent auditing. Apparently, they have ongoing 3rd party auditors that produce nightly reports, which get sent out to enterprise customers that have signed an NDA.

There is definitely a degree of trust in LastPass required, but it's not the case that the system is completely opaque and you have nothing but their word to go on.

Malor wrote:

Personally, I just don't think storing your passwords on any cloud service is a good idea. You have only their word that they can't decrypt your files -- and the government, at the very least, can require them to lie to you.

That's not assuming the services you use don't already give the .gov backdoor access to everything. Which we know they do.

wanderingtaoist wrote:

KeePass is designed to be portable without installation. You can carry it around on a USB stick together with a copy of your database, and it works and doesn't leave anything behind.

Sounds perfect

Thanks to everyone for the responses and help. I'm not exactly excited about the process of actually getting it all set up but I think it'll be worthwhile once I do.

*Oof. Yeah. Changing aaaaaaaaaaaall these passwords is a nightmare. But I do kinda feel better already even only having done my email and every account in any way attached to my finances.

Thin_J wrote:

*Oof. Yeah. Changing aaaaaaaaaaaall these passwords is a nightmare. But I do kinda feel better already even only having done my email and every account in any way attached to my finances.

That's the way I did it, and how I sell it to other people: critical stuff and anything money-related immediately, everything else the next time you use each account. That makes The Big Switch a lot more palatable.

It'll be worth it once you need to find your password again for that one obscure site you signed up for three years ago.

Figured this was the place to post.

I had my credit card info stolen and used fraudulently, so I'm preparing to update all my passwords as a hyper-paranoid response (many of these passwords are probably hard to crack but very old, hence I think it's time for a wholesale update). Here's the thing: I have some passwords in use across numerous devices, OSes and browsers. The biggest concern to me is my Gmail accounts, which are linked to my Android smartphone; if I can't get back into those, I'm hosed. I'd like to move to a password manager, one which works on Windows, Linux and Android (and Firefox and Chrome) and can auto-create super-secure passwords where applicable, but I also think I should update things like work account logins. I'll admit I feel very nervous about having all of my password information in one place; it feels like it's easier to snag all at once that way. I have a decent memory, so my issue with changing passwords is trying to get the new ones to replace the old ones in my mind. Personally, I've found that muscle memory seems to be very helpful in that regard: if I have to type a new password many, many times shortly after I change it, it's easier to remember. If I change it and then don't use it, even for a day or two, it's extremely hard to remember.

TL;DR: I'm fishing for suggestions on moving to a password manager that will work on my home computers (Windows), work computers (Linux), my smartphone (Android), and all the web browsers in between (mainly Firefox, but also Chrome on occasion), preferably one which can auto-generate and auto-fill passwords, but if I change my Gmail password, I have to be able to update it on my smartphone without any kind of circular logic/dependence. I have two-factor set up to my smartphone on at least Gmail and Dropbox for extra security (SMS two-factor, so still vulnerable to some extent). I like my system for manually generating passwords, but it's an exhausting process, so any convenience that fellow Goodjers can share with me is greatly appreciated.

LastPass. Ticks all your boxes: multiple OSes, multiple browsers, mobile app, auto-generate and auto-fill (and auto-login), uses two-factor authentication itself (Google Authenticator), and all your passwords are kept safe.

Sorry to hear about the theft. Hope it gets resolved soon.

LastPass. The $12 for the mobile/premium account is well worth it.

clover wrote:

LastPass. The $12 for the mobile/premium account is well worth it.

100% agreed. $12/year is a pittance for the convenience & additional security... not to mention all of the brainspace that's been freed up by not having to remember which password goes with which website.

I think LastPass also added a function to automagically change your password for you in the background for some services.

I am surprised not many people around here are using 1Password. I actually switched over from LastPass and like the experience better. At the end of the day, however, they do the same thing.