Password Security Catch-All Thread [2015-06-16: Update your LastPass master password]

Any opinions on LastPass vs 1Password? I'm looking for something to make us more secure, that'll also hopefully be very easy for my wife to learn and use, so I'm leaning towards paying for 1Password, but haven't seen much about it in this thread.

I use LastPass, and I have my wife using 1Password.

I have to say, I went with 1Password because I thought my wife would find it easier, but now I'm not so sure she wouldn't have been better off with LastPass. That 1Password is a separate app (which ties into the browser with extensions, yes, but unlocking the vault happens in the app window) has not gone over particularly well. LastPass is much more seamless if your intended use is all about managing Internet passwords from your browser.

I need to get my parents set up with one of these too, and now I'm starting to lean to LastPass, whereas before I was sure I was just going to get 1Password for them.

Do any of these have options to work with non browser apps, ala Steam, Impulse, or MMOs? It would be nice to lock down those accounts with random strong passwords.

Tigerbill wrote:

Do any of these have options to work with non browser apps, ala Steam, Impulse, or MMOs? It would be nice to lock down those accounts with random strong passwords.

Well, you can put anything you like into you lastpass vault and get it out via the browser app or the website itself. By no means integrated but at least available wherever you are.

DanB wrote:
Tigerbill wrote:

Do any of these have options to work with non browser apps, ala Steam, Impulse, or MMOs? It would be nice to lock down those accounts with random strong passwords.

Well, you can put anything you like into you lastpass vault and get it out via the browser app or the website itself. By no means integrated but at least available wherever you are.

True but I'm lazy. Would be nice of they had plugins for that kind of thing.

Tigerbill wrote:

Do any of these have options to work with non browser apps, ala Steam, Impulse, or MMOs? It would be nice to lock down those accounts with random strong passwords.

I believe that LastPass has an app that you can get (if you pay for it) that will work with non-browser stuff.

It doesn't seem that KeePass has its own official iPhone app. So out of the choices of MiniKeePass, iKeePass, MyKeePass, and KyPass, which is best?

I'm still struggling to understand how to make a password manager work for me.

I have an android phone, a windows 7 machine at home, an iPad, and a windows XP machine at work. At work, I can not access online storage sites (such as Dropbox). Sometimes I take my work laptop into secure facilities that will not allow cell phones and USB drives inside.

How do I actually go about using a password manager amongst all of these devices? It looks to me (with my limited understanding - thus the question) that I would have to do a LOT of manual transferring to make this work, which kind of defeats the "ease-of-use" of using a password manager, right? I'd have to do something like:

- install KeePass on my work laptop.
- install KeePass on my home machine, or use a USB stick.
- install KeePass app on phone
- install KeePass app on iPad.

put all passwords in db, host on DropBox (then it is available from home machine, phone, and iPad). Before going to work, refresh a copy to USB drive, take to work, install to local work copy. If I make changes at work, copy back to USB drive, take home, upload to DropBox.

Is that what I'm looking at here?

Basically, yes. There is a bit of manual syncing involved. Unless you're changing your passwords very often, or signing up for things a whole lot, though, it's really not that much of an inconvenience.

Khoram wrote:

I'm still struggling to understand how to make a password manager work for me.

I have an android phone, a windows 7 machine at home, an iPad, and a windows XP machine at work. At work, I can not access online storage sites (such as Dropbox). Sometimes I take my work laptop into secure facilities that will not allow cell phones and USB drives inside.

How do I actually go about using a password manager amongst all of these devices? It looks to me (with my limited understanding - thus the question) that I would have to do a LOT of manual transferring to make this work, which kind of defeats the "ease-of-use" of using a password manager, right? I'd have to do something like:

- install KeePass on my work laptop.
- install KeePass on my home machine, or use a USB stick.
- install KeePass app on phone
- install KeePass app on iPad.

put all passwords in db, host on DropBox (then it is available from home machine, phone, and iPad). Before going to work, refresh a copy to USB drive, take to work, install to local work copy. If I make changes at work, copy back to USB drive, take home, upload to DropBox.

Is that what I'm looking at here?

I have a usb stick on my keyring, it has by password database and the executables for KeepassX for Mac, Win and linux on it. That way I don't install them anywhere and I just run them straight from the USB stick. I do have to remember to occasionally, backup the password database manually.

Wouldn't really help you with syncing to the phone or ipad. As there is a keepass for android so I suppose I could ditch the usb stick and put everything on my phone's SD card.

Hmm ok, thanks for the clarification. I think I can make something like that work.

Quintin_Stone wrote:

It doesn't seem that KeePass has its own official iPhone app. So out of the choices of MiniKeePass, iKeePass, MyKeePass, and KyPass, which is best?

Anyone?

Quintin_Stone wrote:
Quintin_Stone wrote:

It doesn't seem that KeePass has its own official iPhone app. So out of the choices of MiniKeePass, iKeePass, MyKeePass, and KyPass, which is best?

Anyone?

No idea, quickly looking at the feature set iKeePass and KyPass appear to have native dropbox support so that's probably puts them ahead of the competition

Zappos.com password hashes possibly compromised.

Zappos announcement wrote:

We also recommend that you change your password on any other web site where you use the same or a similar password.

Better yet, never do this.

Khoram wrote:

I'm still struggling to understand how to make a password manager work for me.

I have an android phone, a windows 7 machine at home, an iPad, and a windows XP machine at work. At work, I can not access online storage sites (such as Dropbox). Sometimes I take my work laptop into secure facilities that will not allow cell phones and USB drives inside.

How do I actually go about using a password manager amongst all of these devices? It looks to me (with my limited understanding - thus the question) that I would have to do a LOT of manual transferring to make this work, which kind of defeats the "ease-of-use" of using a password manager, right? I'd have to do something like:

- install KeePass on my work laptop.
- install KeePass on my home machine, or use a USB stick.
- install KeePass app on phone
- install KeePass app on iPad.

put all passwords in db, host on DropBox (then it is available from home machine, phone, and iPad). Before going to work, refresh a copy to USB drive, take to work, install to local work copy. If I make changes at work, copy back to USB drive, take home, upload to DropBox.

Is that what I'm looking at here?

I point KeePass to my Dropbox\KeePass directory on my PCs so any changes there automatically sync. Then I use DropSync on my Android phone to automatically sync there. That way you can avoid the transfer to USB stick.

That doesn't solve his work machine problem, does it?

Sorry, I made the assumption that if he can plug a USB drive in at work he would also be able to just plug in his Android device and copy over the always up to date copy as needed.

Seeing as it's a work laptop, I guess one of the things he'll have to accept is limits to personal usage. Unless his passwords are regularly changing I wouldn't see it as a massive problem.

IMAGE(http://cache.gawkerassets.com/assets/images/17/2012/01/09c4f2162f6a3f9cd9f55d091f48b615.jpg)

Good info or not, that poster is ugly and poorly laid out. Information doesn't matter if nobody actually reads it because they can't parse your color scheme, lame font, and poor flow.

Great effort, terrible execution.

I've been using LastPass for a few months. It's great so far. One annoyance, that has nothing to do with LastPass, is that sites don't tell you their password policy until after you do something wrong. Maybe they'll say no special characters, but they don't say how many characters. Or if there is a limit, and you go past it, they truncate it, but LastPass saves the original version.

McChuck wrote:

I've been using LastPass for a few months. It's great so far. One annoyance, that has nothing to do with LastPass, is that sites don't tell you their password policy until after you do something wrong. Maybe they'll say no special characters, but they don't say how many characters. Or if there is a limit, and you go past it, they truncate it, but LastPass saves the original version.

The most annoying are sites that a) don't take special characters b) don't tell you and c) accept password changes that include special characters. So once you've diligently randomised all your passwords you can't log in to them. I found at least 6 sites like that when I switched to keypass

McChuck wrote:

I've been using LastPass for a few months. It's great so far. One annoyance, that has nothing to do with LastPass, is that sites don't tell you their password policy until after you do something wrong. Maybe they'll say no special characters, but they don't say how many characters. Or if there is a limit, and you go past it, they truncate it, but LastPass saves the original version.

Every time I run into a site like this, I reevaluate if it's a site that I really need to use or not.

Unfortunately, oftentimes, there's no easy replacement (I've got no choice but Microsoft's live.com account if I want to play Xbox Live), so I'm stuck playing the password neuter game. But I avoid it as much as possible.

Password length limitations in general is an indication that someone is doing something very wrong.

*Legion* wrote:
McChuck wrote:

I've been using LastPass for a few months. It's great so far. One annoyance, that has nothing to do with LastPass, is that sites don't tell you their password policy until after you do something wrong. Maybe they'll say no special characters, but they don't say how many characters. Or if there is a limit, and you go past it, they truncate it, but LastPass saves the original version.

Every time I run into a site like this, I reevaluate if it's a site that I really need to use or not.

Unfortunately, oftentimes, there's no easy replacement (I've got no choice but Microsoft's live.com account if I want to play Xbox Live), so I'm stuck playing the password neuter game. But I avoid it as much as possible.

Password length limitations in general is an indication that someone is doing something very wrong.

Same with password character limitations. The bank I use for my company only lets you use 8-10 characters, alphanumeric only. Bobby Tables horrifies them, I guess.

When I was a child (27 or so) I wrote a web app for a company that prevented quotes in names and passwords as a way to prevent SQL Injection. I got a lot of complaints from Irish people. Today I am horrified at the cheap tactic I employed. If I ever invent a time machine, after racing to the opening day of the Patent Office to file U.S. Patent Number 1, I will go to this day in my own history and smack myself.

Ugh.

Rather than use Last Pass or something like that, I ended up going with a USB stick and encryption with TrueCrypt (along with encrypted file backups on my desktop and laptop). It's worked very well, and I have it set up so I can just plug my USB stick into my laptop, desktop, or work computer, hit ctrl+alt+] to mount the USB and backup volume at the same time after entering in my password or ctrl+alt+[ to dismount the volumes when I'm done on the computer. It's nice to be able to make passwords that I don't have to remember.

Well, that might have been the only way to do it at the time, Mixolyde. They didn't come up with parameterized queries until kinda recently, right? Like, post-2000 sometime?

Malor wrote:

Well, that might have been the only way to do it at the time, Mixolyde. They didn't come up with parameterized queries until kinda recently, right? Like, post-2000 sometime?

Even without parameterized values, you can escape single quotes in most DBs.

Parameterized queries: If by "post-2000" you mean "mid-1980s at the latest" (SQL-86 had them), then sure. T_T;;; (Looking at a paper on INGRES from 1976, though, I'm pretty sure they go at least as far back as 1974.)

Ah, okay, maybe it was just the idea of using them for web security that didn't get into common knowledge until somewhat more recently. Or maybe I just never knew about it, because I wasn't working on that stuff myself.