[Closed] 770 Million email address/pw cache found - switching to LastPass etc pros/cons

Posts: 251
Full Member
Topic starter
 

I've always steered clear of a service like LastPass etc - having all your passwords in one place feels like an invitation for disaster if it's breached. Having said that I have a pw protected Excel sheet with a load of them on that I store locally (and backup).

So after this:

https://www.theguardian.com/technology/2019/jan/17/breached-data-largest-collection-ever-seen-email-password-hacking

should I switch to a password management service? Or more importantly why should I not?


 
Posted : 17/01/2019 11:20 am
 DezB
Posts: 54367
Free Member
 

Google manages mine. Hope Collection #1 doesn't = Google!

The rest are just a thumb print away on my phone... if someone has my thumb I've got more things to worry about than passwords...


 
Posted : 17/01/2019 11:31 am
 Drac
Posts: 50352
 

Apple looks after mine which requires a fingerprint to access.


 
Posted : 17/01/2019 11:34 am
Posts: 3427
Full Member
 

I was basically the same as you until around Nov last year. I spoke with a friend-of-a-friend who works in IT security and he was able to convince me that my worries about LastPass (single point of failure, etc.) were unfounded. He rated their encryption and security practices highly (not sure what he knows more than any other man-on-the-street).

Long and short of it is that the number of sites that need an account now is so huge that I was struggling to maintain any sensible list of them and was forever performing password resets, so I've been using LastPass and I now find it invaluable.

I still have the nagging doubt about it though...


 
Posted : 17/01/2019 11:34 am
Posts: 9201
Full Member
 

Watching this with interest.


 
Posted : 17/01/2019 11:37 am
Posts: 8771
Full Member
 

We use Lastpass at work, and I use it for bits and pieces.

Cracking Lastpass must be on the hackers' agenda.


 
Posted : 17/01/2019 11:43 am
Posts: 0
Free Member
 

Cracking Lastpass must be on the hackers' agenda

How do you know that Lastpass isn't the hackers?


 
Posted : 17/01/2019 11:46 am
Posts: 1156
Free Member
 

I use Keepass at work.
No password to get into it - it requires a file stored elsewhere on the network.

So passwords stored on one server, file on another (in my own personal cloud drive). If you don't have access to both drives, you don't get in.

So in a home situation, store the passwords in a file on the C drive, then the access file on a USB stick (or two!) that only you have access to.


 
Posted : 17/01/2019 11:52 am
Posts: 3427
Full Member
 

Cracking Lastpass must be on the hackers' agenda

How do you know that Lastpass isn’t the hackers?

Both of these were (are?) among my concerns.

To put it in context the friend-of-a-friend I mentioned happily uses/recommends/trusts LastPass, but won't use WhatsApp as he doesn't trust their encryption and potential for back-doors.


 
Posted : 17/01/2019 11:54 am
Posts: 251
Full Member
Topic starter
 

Apple looks after mine

The rest are just a thumb print away on my phone

But surely the actual pw's are in some unknowable (and hackable given enough resources/luck) cloud as well as on your phone?

verses - thanks, will have a look.

petec - cheers, I was looking for an 'away from my desk' solution really.


 
Posted : 17/01/2019 11:57 am
Posts: 0
Full Member
 

Apple looks after mine which requires a fingerprint to access.

Apple look after mine, except it’s my Face.

If someone nicks my Face, I suspect all they’ll find are my passwords to PronHub or STW.

🤣


 
Posted : 17/01/2019 11:59 am
 Drac
Posts: 50352
 

But surely the actual pw’s are in some unknowable (and hackable given enough resources/luck) cloud as well as on your phone?

Of course they are; it'll take a lot of luck to hack Apple.


 
Posted : 17/01/2019 12:00 pm
Posts: 1156
Free Member
 

You can set up Keepass to use a normal password to get in, or a single user, or a file,

or a combination of all three.


 
Posted : 17/01/2019 12:02 pm
Posts: 0
Free Member
 

Keepass gives you the option of storing/backing up the file anywhere you like rather than looking after it for you.

It's more hassle, but not having a central store to be broken into is a good thing. Even if someone cracks Keepass, they'd need access to my password file before it mattered to me.


 
Posted : 17/01/2019 12:06 pm
Posts: 4324
Full Member
 

Google looks after most of mine and does a much better job than me at remembering them.

I had to log on manually to my bank account when I changed my phone, it took me about 3 hours before I managed to do it.


 
Posted : 17/01/2019 12:11 pm
Posts: 0
Free Member
 

I use Password Safe. It just stores the passwords in a file, so you can store it where you like, with a password required to open it. Also an Android version, that works with fingerprint login. You can manually copy the file from the PC to Android, or sync it with a cloud service if you want.

Or it has options for 2-factor authentication, with a Yubikey.


 
Posted : 17/01/2019 12:12 pm
Posts: 1879
Full Member
 

Using two-factor would help address the concern around 'what if LastPass gets hacked?'. I've used it for a while, happy with the convenience vs. security balance. Was describing it to my Dad, he's not interested - sticking with his easily guessable password that's the same for everything.

https://lifehacker.com/is-lastpass-secure-what-happens-if-it-gets-hacked-1555511389


 
Posted : 17/01/2019 12:15 pm
Posts: 0
Free Member
 

Interesting. Just checked my common email addresses on https://haveibeenpwned.com/
Of the email addresses I commonly use:
- my most common address - 6 breaches
- second - 4
- third - 3

Both my Skype and Spotify have been hacked in the last couple of months - both were using my most common address and hadn't been updated in any of my security sweeps as I didn't realise (I log into them with a user id rather than the email address, but you can use either....)

Lastpass user here. Apple is fine but Lastpass means you can store the additional data for your bank etc and text/notes.


 
Posted : 17/01/2019 12:19 pm
Posts: 251
Full Member
Topic starter
 

Using two-factor would help address the concern around ‘what if LastPass gets hacked?

I think 2FA on non-trusted devices would put my mind at rest, thanks - I'll have a further look.


 
Posted : 17/01/2019 12:21 pm
Posts: 3991
Full Member
 

Use LastPass with 2FA. Also have 2FA on Google, Microsoft and banking. So, for anything important, even if LastPass is compromised all people will get access to is things like my STW login.


 
Posted : 17/01/2019 12:23 pm
Posts: 1879
Full Member
 

...I think 2FA on non-trusted devices would put my mind at rest, thanks – I’ll have a further look...

It uses it everywhere I think regardless, you just have an option to remember me (i.e. stay authenticated) for a number of days on a trusted device.


 
Posted : 17/01/2019 12:24 pm
 kcr
Posts: 2949
Free Member
 

I use Keepass with the password file stored on Google docs. That means it is backed up and synced to my phone and computers, so I can access and update one password list on any device. I also save some of the less critical passwords in Google's browser password management system, for convenience.

One of my old passwords that I used for lots of non critical websites is included in the latest hacked data, but it's come up before, so I think it was stolen a long time ago and had been floating around since then. If you go to the "have I been pwned" site there's a tool where you can check if your password text has ever been included in a breach. If you use a common password, that doesn't prove your specific account details have been stolen, but it might encourage you to set a new password just in case.

I think the best security measure is to use two factor authentication wherever possible. Google, PayPal and lots of banks offer this now. That way, even if your password is breached, your account can't be accessed without also getting hold of the other security factor, typically your phone.


 
Posted : 17/01/2019 12:31 pm
Posts: 0
Free Member
 

If I was going to use a password manager, I'd be choosing an open source one. Lastpass is not open source, so wouldn't be on my list. Keepass would be my choice.


 
Posted : 17/01/2019 12:35 pm
 Ewan
Posts: 4336
Free Member
 

I used to be a sceptic about password managers, but now use LastPass with 2FA.

My logic was, yes in theory LastPass could be hacked but....
- It's their business - if they suffered a breach it would be the end of them. A very strong incentive to not be rubbish.
- They publish their security measures, and are generally well regarded.
- They'd not do anything schoolboy such as storing things in plain text, so as long as I use their 2FA it should be ok.
- I don't store my email account password in it, which also has a long pass phrase and 2FA via Google, so in theory if there was a breach I could do damage limitation.

The biggest factor was that it is massively more likely that I'll be hacked due to me recycling my three easy to remember passwords than because LastPass got hacked.


 
Posted : 17/01/2019 12:40 pm
Posts: 1879
Full Member
 

One other thing that password managers help with is making things accessible to the family if something happens to you. If you fall under the bus tomorrow, who's confident their family would have access to what they need to sort stuff, get family photos etc?


 
Posted : 17/01/2019 12:46 pm
Posts: 5807
Free Member
 

I use Lastpass with 2FA. They store salted hashes of your passwords, and never your master password. It's safer than most alternatives. Fingerprints are convenient on devices but on mine they're enabled after boot by a PIN so I'd surmise that they rank lower than a PIN for security. I use 2FA where available on logins like Ebay, Paypal, Amazon etc, and I'm tempted to get a Yubikey.
Security is always a trade-off with convenience and usability, but my thinking is you don't have to outrun the bear, and if anyone really wants your stuff in particular there's always the $10 wrench approach.


 
Posted : 17/01/2019 12:52 pm
Posts: 0
Free Member
 

We use LastPass in work and recommended it to clients.

My 2p:

It's a good tool for the security conscious, but it's a bit of a work prevention tool / PITA for users who can't be arsed with security.

It relies on a master password of course; once past that you can enter your existing ones, or better still it will auto generate the sort of password that's all but unhackable. Great, but it becomes a bit of a ballache with multiple devices, and if you don't, can't or won't remember your master password / enter it every time you log into your PC it's a sod.

Its biggest failings are it's not very user friendly. I don't mean it doesn't work, it does - to a point. A few sites don't like it (or it, they) for some reason, so for example my ESET portal will tell me my password is wrong if Lastpass enters it, but not if I type it. And of course the stuff you want to be secure, like your online banking, will already have 2FA, biometrics or at least passwords that only require you to enter certain characters - none of which LP can do.

I'm absolutely certain they could make it far more user friendly, but in doing so they'd highlight the fact that other options are probably better. The biometric based Apple service, which is free to Apple device users, is great; it can't auto-launch a site like LP can on a PC of course, but it's more secure, because it's more user friendly. LP seems awkward for people who don't want to use it because in some circumstances it is, so they'll do their best to circumvent it - auto remembered passwords in browsers, master passwords on sticky labels on monitors, or just allowing LP to remember the password for you. All of which greatly reduce its effectiveness.

I think it appeals to IT Managers who are only thinking about being IT Managers and not the various roles of the people they're trying to support. It's a great tool for doing away with the dangerous "one password for everything", but for me it's 'faster horses' when we should be looking at biometrics or 2FA, or ideally both.


 
Posted : 17/01/2019 12:52 pm
Posts: 0
Free Member
 

if they suffered a breach it would be the end of them. A very strong incentive to not be rubbish.

Hmmm.... you sure about that?


 
Posted : 17/01/2019 12:54 pm
Posts: 7076
Full Member
 

There's now an automated service being operated for breaking 2FA. You get tricked into visiting a fake website, and then it asks you to do the 2FA dance, and feeds your responses into the real 2FA website in real time.

I put my important passwords into a GPG-encrypted file and use pwgen to generate them.


 
Posted : 17/01/2019 12:57 pm
Posts: 41642
Free Member
 

I use LastPass. As others said, it's their business to keep things secure.

USB drives and Google docs surely just leaves you vulnerable to a physical break in at home?

The only downside is the 2fa when you don't have great reception. E.g. I want to log onto something on a PC because there isn't reception or wifi, it then sends the authentication to my phone's e-mail, which I can't then access.


 
Posted : 17/01/2019 12:58 pm
Posts: 17366
Full Member
 

I have an algorithm for creating passwords.

That's all I have to remember.

For financial stuff I beef it up a bit.


 
Posted : 17/01/2019 1:04 pm
Posts: 0
Free Member
 

Lastpass et al. use 256 AES encryption to keep your passwords safe. They get encrypted before they leave your device for the Lastpass servers. This is the safest encryption in use today and as yet has never been broken (although that day is getting closer).

I would trust my passwords here over any other method including written in a little notebook hidden in my locked house.


 
Posted : 17/01/2019 1:07 pm
Posts: 10333
Full Member
 

How do you pronounce this 'word'? pwned


 
Posted : 17/01/2019 1:09 pm
Posts: 3427
Full Member
 

How do you pronounce this ‘word’? pwned

"Owned" as in, "with bombers". With a "P" sound at the start.


 
Posted : 17/01/2019 1:17 pm
Posts: 13594
Free Member
 

I'm old school, all written in blood on a piece of vellum stored in the family vault.


 
Posted : 17/01/2019 1:20 pm
Posts: 13594
Free Member
 

Lastpass et al. use 256 AES encryption to keep your passwords safe. They get encrypted before they leave your device for the Lastpass servers. This is the safest encryption in use today and as yet has never been broken (although that day is getting closer).

Although the most likely route of access would be keylogger / phishing attack where they get your password / private key from you direct...


 
Posted : 17/01/2019 1:21 pm
Posts: 0
Free Member
 

Password manager with 2fa.

Or

Encrypted (pgp) file stored locally with a password generator.

I am not sure I would trust Excel's password protection.

As to the question about what happens if they hack your password manager - well, they shouldn't be storing your passwords unencrypted and shouldn't know the key.

AFAIK iCloud Keychain works this way: passwords are encrypted in the cloud and the key is tied to your device. So they need to hack the cloud, steal your device and get your fingerprint/face.

Of course they could break the encryption but that is very very unlikely.

And that is why governments asking for back doors to encryption is bad. If that gets out everything has gone to shit.


 
Posted : 17/01/2019 1:35 pm
 kcr
Posts: 2949
Free Member
 

USB drives and Google docs surely just leaves you vulnerable to a physical break in at home?

Sorry, I meant that I store and sync the Keepass file on Google Drive, not that the passwords are in Google Docs. The Keepass file is encrypted, so even if someone manages to steal it, it cannot be accessed without the master password and a key file from my devices. So the attacker needs the Keepass file, the password and the correct key file. To get into Google Drive, the attacker would need to bypass 2FA.

2FA can be breached by man in the middle attacks, but that's not a straightforward process, so 2FA is still a lot better than just using a password.


 
Posted : 17/01/2019 2:04 pm
Posts: 2880
Full Member
 

Right I've just had a look at that "Have I been..." website and it is showing that my (Main) email address is part of the Collection#1 batch.

What are the next steps? Is it just change the email password or do I....?

Ta


 
Posted : 17/01/2019 2:14 pm
Posts: 0
Free Member
 

Lastpass and enable 2FA on everything.

Right I’ve just had a look at that “Have I been…” website and it is showing that my (Main) email address is part of the Collection#1 batch.

That will have 'unverified' on it most likely as they've not processed the data yet. They are just responding with that to every request.

2FA can be breached by man in the middle attacks, but that’s not a straightforward process, so 2FA is still a lot better than just using a password.

Did you read that on Google? Man in the middle is very complex to do to people; I work for a company that sells companies software to do it for their enterprises. 2FA is very weak on its own: SMS hijack, email servers not using encrypted mail, or maybe just a bad admin of a mail server or mail relay passing on the 2FA emails.
The security around it is that most of the 2FA tokens are time limited so the attack time is very narrow.


 
Posted : 17/01/2019 2:14 pm
Posts: 1908
Full Member
 

Lastpass user - after recommendation from guys working in cybersecurity on Malvern Science Park (so ex QinetiQ/GCHQ types). Lastpass don't store the key for the AES256 encryption - that stays on your device and, as mentioned, the password is hashed and salted. Certainly a lot better than "memorable" and therefore replicated passwords that I'd otherwise use. Trots off to switch on 2FA......


 
Posted : 17/01/2019 2:22 pm
Posts: 2880
Full Member
 

Unverified - that's good. I've changed my password just in case to the super secret "def4ult"; no one had better notify any scammers or naughty boys & girls.


 
Posted : 17/01/2019 2:22 pm
Posts: 1724
Full Member
 

What are the next steps? Is it just change the email password or do I….?

I believe all it means is that an account that uses your email as a username is in the hack with an associated password.

It doesn't mean the password is the one for that email account itself, unless you use the same password for everything including the email account.


 
Posted : 17/01/2019 3:55 pm
 kcr
Posts: 2949
Free Member
 

Did you read that on google? Man in the middle is very complex to do to people

"Not a straightforward process" means pretty much the same thing as "very complex" to me...

I work for a company that sells companies software to do it for their enterprises. 2FA is very weak on its own, SMS hijack, email servers not using encrypted mail or maybe just a bad admin of a mail server or mail relay passing on the 2FA emails.
The security around it is that most of the 2FA tokens are time limited so the attack time is very narrow.

2FA by email (rather than phone or token) doesn't sound particularly secure, because an attacker could typically access the email via a stolen password. Maybe not so bad in a corporate network?
2FA tokens have to be time limited by their very nature, or they would just be another static password that could be stolen and reused, and it wouldn't be 2FA.
I'd still say the same thing. 2FA is much better than just using a password on its own.


 
Posted : 17/01/2019 4:00 pm