For the longest time, I didn't see the point in getting a password manager. It just seemed like one more place to have your passwords stolen, except this time, it would be ALL your passwords instead of one at a time. When I read about the data breach at LastPass, I thought I was right.
However, now my logins are getting unwieldy. I'm doing more things on the internet, each with a new login. I'm beginning to lose track of them all. Most of them are pretty inconsequential, so I'm more willing to put those logins into something like a password manager.
I read this post, but it was written a while ago. Anyone have any recommendations for a specific password manager or just about password managers in general?
As an alternative to a password manager, have you considered making a unique login for each website based on some algorithm? Most of my logins share a pattern, but they are unique, and they don't contain any part of the website's name, though I do use the name to generate the password. This way, I can remember all my passwords without a manager, but they are all unique, contain several symbols, and are long.
That's actually a good idea; even using a letter in the website's name will probably work fine. Do you think the systematic crackers are thorough enough to crunch through the extra combinations that allows for? I would think there were enough easy targets that it would just keep things simple. Or say something a little more complicated, like if my password is ABC123 for hubski it might be ABC123K (iterate the first letter of the website by 3 as the last letter). If the pattern gets too complicated you have issues solving it in a quick period of time. You could for example add 'h' onto all the letters of your password, but then you would have to do more letter math, and that's kind of slow and annoying.
I saw an algorithm suggestion manager at reddit recently. I thought it looked interesting. But I also thought that if someone could make a list like that, then it could also be easy for a computer to go through that list pretty easily. The obstacle I face with algorithms is that they have to be clever enough that other people won't have thought of them or they'll be easy to crack. I'm not that confident in my ability to outsmart people who are trying to crack passwords all day. On the other hand, if it's super clever, would it be easy to remember? Thanks for the suggestion. I'm glad it's working for you. Maybe if I learn more about it, I'll feel more comfortable with it.
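The exchange above is about deriving a distinct password for each site from one memorised secret, and the worry that a mental pattern (append a letter, shift by 3) is guessable. The block below is an added example, not code from anyone in the thread: it keeps the "one secret, many derived passwords" idea but swaps the mental pattern for a real key-derivation function (PBKDF2-HMAC-SHA256), so the output reveals nothing about the site name or the master secret, and a rotation counter lets one site's password be changed without touching the others. The master secret, site labels and alphabet are constructed values.

```python
import hashlib

# Constructed example values (not real credentials). A user would memorise one
# long MASTER_SECRET and never write it down; everything else is derived.
MASTER_SECRET = "hypothetical master secret, long and memorised"

# Characters allowed in generated passwords: letters, digits and a few symbols.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "!#$%&*+-=?@^_"
)


def normalise_site(site: str) -> str:
    """Canonicalise the site label so 'Hubski.com ' and 'hubski.com' derive the same password."""
    return site.strip().lower()


def bytes_to_password(raw: bytes, length: int) -> str:
    """Map KDF output onto ALPHABET with rejection sampling (no modulo bias)."""
    limit = 256 - (256 % len(ALPHABET))  # highest byte value that maps evenly
    out = []
    for b in raw:
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
        if len(out) == length:
            break
    if len(out) < length:  # essentially impossible with 4x oversampling, but fail loudly
        raise ValueError("not enough KDF output")
    return "".join(out)


def derive_site_password(master: str, site: str, counter: int = 1,
                         length: int = 20, iterations: int = 200_000) -> str:
    """Deterministically derive a per-site password from the master secret.

    The site name and counter go into the salt, so each (site, counter) pair yields
    an unrelated pseudorandom string; the site name never appears in the output.
    """
    salt = f"site-pw/v1/{normalise_site(site)}/{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=length * 4)
    return bytes_to_password(raw, length)


if __name__ == "__main__":
    for site in ("hubski.com", "example.org"):
        print(site, derive_site_password(MASTER_SECRET, site))
    # Rotating one site's password: bump its counter, the others are unaffected.
    print("hubski.com v2", derive_site_password(MASTER_SECRET, "hubski.com", counter=2))
```

The caveat that the discussion raises still applies to this version: anyone who obtains the master secret and knows the scheme can regenerate every password, and a site that forces a particular length or symbol set needs its own exception that you then have to remember. Those two limits are exactly what a password manager's random, independently stored entries avoid.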
To reiterate the earlier recommendations, use KeePass or KeePassX. They're open source, so you (or anyone) can audit the code to see how it works. Your password database is stored entirely on your own computer, so you are not trusting any online service to not get hacked. They also have a great password generator built in, so you don't even have to think about making new passwords for each site.
I use Keepass (the original). It's cross-platform, can automate logins (just have the web page up and hit CTRL+V in Keepass), and stores an encrypted file that's easy to back up. Plus it's all local, so you're not trusting someone else with your passwords.
Ditto on Keepass. If, like me, you want to synchronize your password database across multiple machines using some sort of online file sharing service (Dropbox, etc.), I recommend encrypting the database with both a password and a key file. Copy the key file between machines with a flash drive--don't put it on the internet or send it via email. That way if your encrypted database gets leaked by your file sharing service, the attacker would need to brute-force both your password and the key file.
KeePassX

I'll just say one thing that is important to remember with password managers in general: use a really hard password, since you are putting all the eggs in one basket.
- No less than 8 characters.
- Avoid common substitutions (0 instead of o, 1 instead of l, underscore instead of space etc).
Recently Numberphile made a longer episode showcasing password cracking and typical strategies behind identifying weaknesses in passwords by using lists of leaked / cracked ones.
EDIT: I meant this video, just copied the wrong address: but both are on topic and pretty cool.
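The two rules just given (a minimum length, and no "0 for o" style substitutions) are the kind of thing a master-password policy check can enforce before a vault is created. The block below is an added example, not from the thread or any password manager: it undoes the common substitutions, strips a trailing digit/symbol suffix (another rule cracking tools apply to leaked lists), and compares the result against a small leaked-password list. The list and the test passwords are constructed; a real check would use a full breach corpus or a k-anonymity lookup.

```python
import re

# Common character substitutions that cracking rules undo in one pass.
SUBSTITUTIONS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "_": " ",
}

# Constructed stand-in for a leaked-password list (a real one has millions of entries).
LEAKED = {"password", "letmein", "dragon", "sunshine", "hubski rocks"}


def normalise(pw: str) -> str:
    """Lower-case and undo common substitutions, as a cracking rule would."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in pw.lower())


def check_password(pw: str, min_len: int = 8, leaked=LEAKED) -> list[str]:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    base = normalise(pw)
    if base in leaked:
        problems.append(
            f"matches leaked password '{base}' after undoing common substitutions")
    # Trailing digits/symbols are the next thing a rule set peels off.
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if stripped != base and stripped in leaked:
        problems.append(f"'{base}' is leaked word '{stripped}' plus a suffix")
    return problems


if __name__ == "__main__":
    for candidate in ("P@55w0rd", "Dr4g0n!", "hubski_r0cks", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Note what the check does not measure: "correct horse battery staple" passes because it is long and not in the list, which is the point of the four-word advice further down the thread. Length beats cleverness once substitutions are treated as free.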
Thanks for sharing the video. I've seen most of the stuff he's been saying. It was nice to have it all in one place. His advice on the four word password was novel. I've never heard that before. His take on passwords being around for a while since there would have to be a way to authenticate if the Google algorithm didn't work to authorize access to the system, gave me more information. I wondered what would happen if the system failed to authenticate your movements.
Probably the same thing that happens after you change your password. Send you an email and if you have some extra level of authentication it would also require it as additional confirmation. I would not be surprised if it would also revoke all active logins. In general, it feels like a pain in the ass to jump all the hoops because your phone moved in a weird way. Just imagine, you ride on a bus or in a car, sudden deceleration happens and you get logged out because their authentication system interprets it as "Someone tried to wrestle the phone out of your hand! WOOP! WOOP! Increasing security measures!" or something like that ;P. Regarding videos, sorry if it seemed patronising to you (and it was not my intention). I've shared the videos mainly because seeing how quickly you can crack passwords and what makes it harder speaks to me much more than reading some article, oftentimes filled with unintuitive numbers. Example: Think fast! Your password will take 18500 hours to break. How many years is that? About two years and forty days. One year is 8760 hours.
I don't know how many the other free password managers allow, but based on their webpage, TrueKey only allows 15 for free. That doesn't sound like much to me. I don't want to have to upgrade if I have more than 15 passwords to manage. Thanks for sharing. Do you like TrueKey?
I was about to start using it because my new laptop has it preinstalled, but I don't have any close recommendations. I was expecting to get some info from here. It claims to have good security levels, using AES-256 encryption and local data storage as well as a nice privacy policy, but still I don't know if I should start using it.
https://www.troyhunt.com/logmein-now-owns-lastpass-heres-how-to/ Take a read of that.
I'm not exactly sure what I'm supposed to be getting out of that. The author shows his audience how to migrate from LastPass to 1Password. He doesn't explain why 1Password is better except that LastPass got merged with a company that got a hit on its reputation for advertising free forever but then needing to move to a premium model later. Are you recommending 1Password? Why is it superior to the other password managers?
I like Dashlane a lot, but I find every 3 months or so it just stops working for me for a while. Either the browser extension stops working (current problem), or it won't open the application outside of the browser extension, or something else. So I recommend it, but with reservations.
I use LastPass but I don't keep anything super crazy sensitive in it, like private keys or bank or my main gmail. We went with it because their enterprise version allows you to share folders between people, which is super helpful when you have a ton of clients and all team members need stuff like hosting, social media, ftp, etc. It's super handy. However...yeah...if you're looking for the most secure thing ever LastPass probably isn't going to be it.