Password managers

lazybloke · 2024-09-27T21:57:31+0100

All you have to do is remember one pass-phrase and a rule of how to combine it with the website name in a non-obvious way that generates a password that is unique for each site.
Append non-alphanumeric and year/month characters to meet complexity requirements and to cater for occasional password changes, and you're done; no need to write down any passwords.

dicko · 2024-09-27T22:03:38+0100

I updated to iOS 18 and I find a password App has appeared in my App Library. Delving into it all my saved passwords are there. I downloaded the Tesla App and it created a password for me it’s so complicated it’s probably un breakable.

si_c · 2024-09-27T22:05:32+0100

I use lastpass, and have done so for upwards of 10 years and due to wanting to use it on mobile devices I pay for the annual premium subscription. You can as @lazybloke says above keep track of something which you recombine based on rules, but honestly, that's a pain to keep track of after you get to several hundred passwords.

I only know my lastpass password, which is 20+ characters long and a mix of upper/lowercase/numbers/characters chosen at random and then memorised. All my other passwords are generated by lastpass, and I don't know them. There are some legacy sites which use different passwords that pre-date my usage of a password manager and I have my primary email account passwords memorised as well in case of difficulty.

It really doesn't matter which password manager you choose out of the mainstream ones, they all work well and you primarily want the ability to export your passwords if you need to.

richardfm · 2024-09-27T22:10:22+0100

Bitwarden is free for personal use and works across multiple devices.
It generates passwords or passphrases if that's what you want, without having to use Roboform or any third party application.
It recognises sites and applications that you have used it to store credentials for and enters them automatically.

Alex321 · 2024-09-28T00:03:13+0100

stephec said:
Forgive me for being a bit paranoid, but does that mean that a third party has your log in details for all your password protected locations, or is there some kind of safeguard where the third party can't access your accounts without authorisation from you?

The reputable ones such as lastpass or roboform store your data in encrypted form, and cannot decrypt it without your master password (which is also encrypted of course).

When you change your master password, it takes a few seconds while they re-encrypt all your data. For this reason, you have to be very careful not to lose your master password, as you can't just create a new one using a "forgot password?" link.

HMS_Dave · 2024-09-28T00:20:59+0100

I don't use any. My password is always password123. That way i can easily remember it.

Tenkaykev · 2024-09-28T00:32:13+0100

I

FrankCrank · 2024-09-28T03:29:48+0100

One of my jobs during my IT days was as a systems security analyst. A regular chore was setting up new userid's and passwords. We'd have a theme running on any particular day, and this particular day it was animals. So, an email was sent to a new user, with a new userid, and an initial password of hippo. A while later the new user's supervisor rang to complain. Apparently, the new user was a fairly large lady, and thought this was done on purpose. We eventually managed to explain that it was totally random.

Debade · 2024-09-28T10:38:44+0100

for those that use a notebook, still might need it for their password manager. However, you will only need one password. You can/should create a very complicated PW using 20 keys of mostly non repeating letters, numbers and symbols for the PW that allows entry to your PW manager. If you like, which is not a bad idea, change that every so often.

Then, your password manager will select a long random and different password for every site, and remember it for you. You can also change that password as often as you and the site allow.

But don’t stop there. You should set up 2 factor ID. So if your PW is compromised, the hacker will need to also have access to your second login. In some cases it is on another app or its finger print/Face ID. It can also be a code texted to you which should be your last choice. Pick a method where you control it.

If something should happen to you, your single PW can be accessed by a trusted family member or friend. Your info is in one place, it could include notes and instructions

I think there are differences of PW managers and some have been compromised but as far as I know, the tools of PW managers ALONG with the best two factor login tools are currently the safest approach.

tom73 · 2024-09-28T10:53:27+0100

dicko said:
I updated to iOS 18 and I find a password App has appeared in my App Library. Delving into it all my saved passwords are there. I downloaded the Tesla App and it created a password for me it’s so complicated it’s probably un breakable.

It's exactly the same as keychain Apple just moved it into an App to make it easy to use when not on Apple devices.

presta · 2024-09-28T14:43:00+0100

twentysix by twentyfive said:
I keep mine in a little notebook. Some of the web sites passwords are remembered on my PC (which I have allowed) but these are for web sites which I'm not overly concerned about. Banking etc is all paper and pen only.

I use a notebook/browser for the trivial stuff, and have banking etc well hidden elsewhere.

Freeweel said:
_59jS?k(&£t.c0

How did you find that?!

Freeweel said:
That's why you shouldn't use the same password across multiple accounts. Which, with a password manager, you don't.

What's the difference between one password for every account and one password for a manager that accesses every account?

Tenkaykev said:
View attachment 747129

I don't understand why any login page would allow 2^28 guesses at 1000 guesses/sec. All it takes is an upper limit and a delay.

Debade said:
In some cases it is on another app or its finger print

See Bruce Schneier's website for fingerprint security. There are 5 million people in America whose fingerprints were compromised when a government computer system got hacked. I don't know if they've managed to change their fingerprints.
Companies can be surprisingly stupid with passwords, I was once on the phone to a call centre when the operator said "Ooh, that's a very secure password you've got there!". Well, it was until the company put it all over their telephonists' screens....

Ming the Merciless · 2024-09-28T14:48:56+0100

Alex321 said:
The reputable ones such as lastpass or roboform store your data in encrypted form, and cannot decrypt it without your master password (which is also encrypted of course).

What key is used to encrypt the master password and where is that stored?

november4 · 2024-09-28T15:29:14+0100

I also used lastpass for about a decade, but changed last year to Dashlane, prefer it, but more or less the same and I forget what made me change, maybe pricing, but they were one of few companies that let me do free trial, and to import an export from lastpass.......some don't so thats a barrier to change

Only having to remember one masterpassword is a must have these days

Freeweel · 2024-09-28T15:32:45+0100

If you're genuinely interested in this stuff, you kind of need to do some google research or an appropriate degree; it's complicated!!

A quick lay guide to how encryption works here : the complexity and detail of the algorithms are probably something you'd want a mathematical doctorate before you get into.

As for why one password for your password manager is better than one password across all accounts. In brief...

Scenario one. Set up your manager with a strong password as per uk's national cyber security centre recommendations: three random words, like giraffetrampolinehedges. You'll be able to remember that: the cartoon pasted above is a good example. Plus, you'll almost certainly be required to implement two factor authentication, also previously mentioned. This means your master password is about as secure as it gets.

Scenario two. You use giraffetrampolinehedges as your password everywhere, from Amazon to Meta to the company you once bought a cycle top from. And one of them is either careless with your credential data (see the note about Meta, above) or (more often);you get sent a scam email which asks you to log onto a fake webpage, where you give away your password for free. Either way, your password is now compromised, and you probably don't even know. These passwords get sold for pennies en masse. I buy your details, and try the same credentials on your amazon account, to which you've added all your credit card details, and like most people you haven't turned on two factor authentication. Then I try a few other common accounts and get shopping in earnest. And if you've put the same password on your email too, you're stuffed.

It's a shame none of us gets taught this stuff at school but you can get good advice at www.ncsc.gov.uk to protect yourself. In the interim, think about a password manager.

Declaration of interest: my last role was in cyber security. It wasn't, however, working for a password management company.

Password managers

lazybloke

Considering a new username

dicko

Guru

si_c

Guru

richardfm

Veteran

Alex321

Guru

HMS_Dave

Grand Old Lady

Tenkaykev

Guru

FrankCrank

Old layabout

Debade

Über Member

tom73

Guru

presta

Guru

Ming the Merciless

There is no mercy

november4

Well-Known Member

Freeweel

Regular