Password managers

dutchfire

So I've been reading a lot of articles suggesting people use password managers. Can someone here explain how they work (practically, not cryptographically), which one is good, how it works if I use multiple devices (some of the them 'public computers')?
 
I like LastPass, personally; the browser integration's pretty damn good.

Anyways, how it works is you sign up and put in a password, and this master password is used to lock everything up, so pick a good one and don't forget it. Then you save passwords to it, and it's encrypted before they send anything to the server. It also helps you generate passwords and stuff.

Then when you go to a login form, it'll give you an option to fill it in automatically. Also, if you have multiple logins (e.g. throwaway email addresses) it'll give you a choice of which to login with.

You can login to LastPass from any computer, so long as you've got the master password. You can also get a copy of Firefox Portable and install it into that.

Another one you may want to look into, if you don't like LastPass, is KeePass, which is open-source. Don't think the browser integration's as good though. There's a portable version available on PortableApps so you can stick it on a USB drive and take it with you.

These two were also in my bookmarks. I haven't had a chance to test them, so use at own risk:
http://www.roadkil.net/program.php/P21/Password Store
http://www.cherbox.net/




Password managers are helpful because you can use many different passwords without getting them mixed up in your head or forgetting them. I started using LastPass after my accident, because my memory is shot and I have trouble remembering things.
 
So how do we know that LastPass's database won't get dumped?

That's my worry - and also why I try and use different passwords on every site. For that matter, if I can't remember the password on the first try I just use the 'reset password' function. It's really time consuming, but I know there's just about no way I'm going to remember the password anyway.
 
As I mentioned in #fiftychat, I use Keepass, and don't particularly care about accessing my passwords on devices that aren't mine. (If I really need to, I can use my phone to get the password.)

LastPass is my standard recommendation for people, for the easier browser integration and lack of needing to manage password database files.


You don't know it won't get dumped, but all indications are that they're fairly good about security - meaning that the passwords are all hashed and salted, so if they do get dumped, the only way for someone to figure out the actual password is to brute-force combination attempts against the hashed password. Now, in general, for password dumps, this is a fairly large problem still, since you can brute-force a big proportion of poor passwords easily. (i.e. check if every hash on a 10k password dump is the password "letmein1", and you'll probably get a hundred hits or so.) However, presumably you're using randomly generated passwords with LastPass, and trying every 16-character random password hash will take a long time, so changing all your passwords would still be advised in the event of a dump, but you shouldn't have to worry about your passwords getting out before you change them.
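The argument in the post above, worked through as an added example that is not from this thread: a constructed 10k-row dump where every 100th user picked "letmein1", checked once without per-user salts and once with them, plus the size of the 16-character keyspace a manager-generated password lives in. The dump, the salt layout and the use of plain SHA-256 are assumptions for illustration (real systems should use a slow, salted password hash such as bcrypt or Argon2).

```python
import hashlib
import random
import string

# Constructed sample dump, seeded so the result is reproducible.
# Every 100th user chose the weak password from the post; everyone
# else got a random 16-character password like a manager generates.
WEAK = "letmein1"
ALPHABET = string.ascii_letters + string.digits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_dump(n: int = 10_000, seed: int = 1) -> list:
    rng = random.Random(seed)
    users = []
    for i in range(n):
        pw = WEAK if i % 100 == 0 else "".join(rng.choices(ALPHABET, k=16))
        salt = rng.randbytes(16)  # per-user random salt (constructed)
        users.append({
            "unsalted": sha256_hex(pw.encode()),
            "salt": salt,
            "salted": sha256_hex(salt + pw.encode()),
        })
    return users


def check_candidate_unsalted(dump, candidate):
    """Without salts one hash of the candidate is compared against every
    row, so a single hash operation tests all users at once."""
    h = sha256_hex(candidate.encode())
    hits = sum(1 for u in dump if u["unsalted"] == h)
    return hits, 1  # (matching users, hash operations needed)


def check_candidate_salted(dump, candidate):
    """With per-user salts the candidate must be rehashed with each user's
    salt, so the cost of one guess scales with the number of rows."""
    hits = 0
    for u in dump:
        if sha256_hex(u["salt"] + candidate.encode()) == u["salted"]:
            hits += 1
    return hits, len(dump)


def random_password_keyspace(length: int = 16) -> int:
    """Number of distinct passwords a 16-char alphanumeric generator can emit."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    dump = build_dump()
    print(check_candidate_unsalted(dump, WEAK))   # (100, 1)
    print(check_candidate_salted(dump, WEAK))     # (100, 10000)
    print(f"{random_password_keyspace():.2e}")    # 4.77e+28
```

Salting does not hide the hundred weak passwords, it only makes each guess cost one hash per user; the random passwords are protected by the keyspace, not by the hash.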
 
Well, the LastPass .... thing is encrypted before it even leaves your computer, so there's a good thing there. If you're paranoid, you can use something local, like the KeePass I mentioned.

Also, XKCD has a pretty decent piece of advice:



Actually, a while ago (I think two years? I'd have to check my emails) something happened and LastPass sent an email to everyone and made them change their master password, even though good chances were that nothing actually happened. They're pretty tight with security.
 
Okay, I've considered some more.

I've got a couple of passwords that I need to login to machines (e.g. university network). These can't be put in a manager, since I need to type them before I login to any computer.

I've got a couple of logins that I don't particularly care about (burn e-mail accounts, last.fm, CFC and other sites I wouldn't really mind if someone hacked them). I suppose putting them in a password manager might be easier though.

That leaves a couple of things (primary e-mail accounts, dropbox) for which this will be useful, so I think I'm going to try it out.

Question: Does Lastpass also work well for Skype accounts and other passwords where you type the password not in your browser, but in a separate application?
 
Primary email account is probably something you shouldn't use a password manager for. I've got four passwords memorized: Keepass database, work computer, MS account, Google account. You should use two-factor authentication for your accounts where you memorize the password.

LastPass won't be integrated into non-browser apps, you'll have to copy/paste the password into those. Skype you should probably merge to your MS account and just use your MS account to login.
 
I think LastPass has an option to copy the pass to the clipboard, and it clears after a minute or two. (Though I use LastPass Pocket, which is a small application that lets you access the thing without using a browser.) I usually tend to overwrite the clipboard with a random url anyways.

Quick question while we're on this -- Every month or so, I export my lastpass passwords as csv. Currently I stick them inside a TrueCrypt file, but is there a better way to handle this?
 
Well, more organized, really.

Never realized I could import CSVs with KeePass. I think I will do that. Thank you.
 
I haven't used LastPass, but KeePass will work for anything that you can paste text into. So, for Skype, you'd copy the password in KeePass, and paste it into the password field in Skype, and you're set. By default it also clears the clipboard after IIRC 12 seconds, so you'd have 12 seconds to paste it or you'd have to copy it again. This is so if you don't copy something else later, someone can't just paste your password into Notepad 6 hours later.

I use KeePass, and like Zelig I don't particularly care about accessing all my passwords on devices that aren't mine. But this is also why I don't recommend it for things like your primary e-mail that you may need to access occasionally when on the run. So I have a separate, memorized password for GMail, and can access it wherever if I need to look something up. My CFC password is in KeePass; I can't log in to CFC from any old computer, but there's never been any time when I've actually needed to log into CFC in a time-sensitive manner, either.

If I did want to access CFC and stuff everywhere, I could either (1) use LastPass, (2) have it on a flash drive or something like that, or (3) GMail it [or similar] to myself. All of these are slightly less secure, assuming your master password is strong. Probably not an issue as long as you don't run WikiLeaks or something like that, though.

Overall, I'd highly recommend trying one. Instead of having 2-3 primary passwords as before and having to guess which one I used, and often using password recovery, I just copy-paste the unique password for the site I want to log into. It's both faster and more secure. I use the username storing ability, too, saving more headaches from "forgotten username" forms, and also use it as a convenient place to store, for example, frequent flyer numbers.
 
I, like others, use KeePass, but like Zelig usually recommend LastPass for easier browser integration and general ease of use. I have 3 memorised passwords, my work, my primary email, and my KeePass masterkey. KeePass has an option to automatically lock your p/w database after X minutes of inactivity, or after X minutes without looking at it, or whatever, so I don't have to manually lock it myself. This is nice.

I wouldn't say that KeePass is better security-wise, as I'm no expert, but the fact that it is much simpler is appealing to me, as there is less that could go wrong.

Similar to the other guys, I don't have a need to log in to computers that aren't mine. I always have my phone, which (a) has the KeePass database (sync'd via dropbox) on it, and (b) has the entire internet on it anyway.
 
I'm looking into LastPass and KeePass right now… not sure which is going to work best for me and my wife. One of our perpetual issues is that we can never remember our various Apple passwords - each Apple device has a separate password, and there are 3 AppleIDs between us (we were young and stupid - DON'T JUDGE US!!) - and Apple demands that you reset your password if you get it wrong twice in a row. Nazis. Nazis through and through :lol:

I'm a little confused about why/how/if people use BOTH KP and LP together - isn't that just sort of confusing? Or am I being my usual daft self?

ArsTechnica has done a few really fascinating articles on password stuff. I won't quote them, as there's nothing exactly pertinent to the topic here. But if you're curious about the technical aspects of hashing, salting, and why it's a big deal when Gawker or Sony get their password databases dumped, you'll need to read these:


http://arstechnica.com/security/2012/08/passwords-under-assault/4/
details the big picture of password insecurity, and how each breach can lead to further breaches of careless web services, and how that can wind up messing with your bank account

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
a diary of a guy who spends a weekend learning how to crack passwords. In a few hours. With freeware. On his pedestrian laptop.
 
I don't think anyone here really uses both LastPass and KeePass.

Yes, Arstechnica is excellent.

I'm not really sure why the AppleID thing is much of a problem? Close the extra one so you have one AppleID each, and don't share. Memorize the passwords to your devices (which should be diceware passwords for PCs, PINs for mobile devices); the AppleID you don't really need to memorize, I don't think you ever need it unless you're buying stuff in the Apple store?

Apple devices are junky at KeePass anyway, I'd recommend LastPass for Apple users.
 
I have fallen into the habit of using both LastPass and KeePass on my PC. LastPass handles all my browser passwords, whereas KeePass stores passwords for non-browser clients such as Skype.

I really like LastPass on browsers because it gives you the ability to sign up and log into a new site in 10 seconds or so. Sure, on some sites you could use Twitter or FB to log in, but I don't like making the task of tracking my activity any easier than necessary. I have heard some scary testimonies from people who played online games and made enemies who tracked them down in real life using their social media profiles.
 
Ahh - KeePass for, say, AppleID and LastPass for forums and such - That makes sense.
 
Mmm I don't see the sense in that really. Why not just use LastPass for both?
 