MSE guide discussion - 60 seconds on password managers

Former_MSE_Nick
Former_MSE_Nick Posts: 463 Forumite
I've been Money Tipped!
edited 15 November 2016 at 11:56AM in Techie Stuff

Hi all,

We've written a new guide to Password Managers and we'd love your feedback.



Thanks,

MSE Nick

Comments

  • Google asks each time if I want them to store my password and I tick Yes, so is this secure or do I need to use one of your methods?
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    Google asks each time if I want them to store my password and I tick Yes, so is this secure or do I need to use one of your methods?

    It is secure "ish", the password is stored as a hash in the computer rather than plain text.
    These can be cracked, however, by someone who knows what they are doing.
  • bsod
    bsod Posts: 1,225 Forumite
    edited 21 November 2016 at 3:39PM
    "should I write my passwords down? Generally speaking, this isn't a good idea"

    Really?

    But copying them to the clipboard, installing and entering them into browser storage or extension or phone app, or handing them over to a far away company/server/country/government, then paying them in the hope they are competent/honest/secure is?

    Password managers are a target, they have been hacked or had weaknesses or privacy concerns exposed in the past, and most likely will continue to do so, but no mention of that in your article which instead just names some of them and gives them free publicity.

    Ink and brain can't be hacked, both available with no monthly charge or adverts, terms and conditions apply.

    A more succinct article would be:

    6 seconds on password management:

    Note the passwords down IN CODE somewhere safe and convenient, make them lengthy, mix/slot in some numbers mid-word/phrase, and don't choose anything obvious like offspring/pet names, football teams, or birthdays

    Forget complicated password schemes and strange characters, because they are no more secure, and you will undoubtedly forget them or !!!! them up once you get to more than three
    Don't you dare criticise what you cannot understand
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    Password managers in general are useless imho.

    You don't need different passwords for everything, you should only need 3 "tiers" of password.

    Tier 3 - Used for anything and everything that wants you to create an account these days.
    You don't care if this one gets out as it doesn't access anything important.

    Tier 2 - Used for stuff like email etc. This password is private and it would hurt a bit if it got out, but wouldn't cause you any financial loss.

    Tier 1 - Use this one for your bank, PayPal etc. Stuff like that.
    Make it super complicated and hard to guess. Only use it for banks and things like that. These places are unlikely to get hacked - and if they do then a password manager would have been no use anyway.

    In short, if you use the same password for Facebook as you do for your online banking, then you don't deserve to have money in your bank.
  • anotheruser
    anotheruser Posts: 3,485 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper I've been Money Tipped!
    edited 21 November 2016 at 2:20PM
    Why password managers exist I don't know.
    Surely it's these programs that hackers/whatever you want to call them would target?

    I use an unsecured notepad document, named something "normal" for a computer, in a less obvious place than "My Documents"... it's worked so far.


    Alternatively, set levels:

    One level is forums, I don't mind if my password gets stolen; I'll just register a new account. I use the same one for many sites, however I secure a little by using a different username - so it's not like the "hacker" can trace me around the net.

    Email is another level. Those passwords (for the two main emails I use) are the same, but very secure. Passwords for other emails I use are less secure as they are as good as throw-away addresses anyway.

    Banking is another level; usually the same password, but they have good security anyway (i.e., pick random letters from a different password).


    So I break all the rules, but it works for me.


    Here's some fun: howsecureismypassword.net. Some people might say "I would never type my password into a random website" - the website doesn't know what website the password is for so get off your high horse and see how secure it is.

    My least secure says: 200 milliseconds
    My medium-secure says: 16 hours
    My most secure says: 3000 years

    EDIT: Ha ha, person above me says about levels too!
  • John_Gray
    John_Gray Posts: 5,837 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    I use an unsecured notepad document
    Even better would be an encrypted text document which is actually a .EXE file but opens out to a notepad-like editor with your now decrypted text therein. I use LockNote. Rename it to any filename.EXE you like! (You still have to choose a password, of course...)
  • S0litaire
    S0litaire Posts: 3,535 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    A good rule is:

    If the site offers 2FA, turn it on!

    YES, it can be a pain to grab your mobile to get that text message, but in the long run it's a lot more secure.

    Also, if really paranoid, look into getting something like the "Yubico" USB keys.

    I've got a couple of the basic "blue" FIDO 2FA keys.

    Google had an offer a while back, 3/4 off.

    Instead of Google sending out a text message you plug this into the machine and tap the button. That then authenticates you. (Integration only works with Chrome browsers at the moment.) It's a bit more secure. You can get more advanced versions that link directly into LastPass and do multiple types of logins.
    Laters

    Sol

    "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    Looks like I'm going to be OK for a while ...


    Capture.jpg
  • Jivesinger
    Jivesinger Posts: 1,221 Forumite
    Ninth Anniversary Combo Breaker
    AndyPix wrote: »
    Looks like I'm going to be OK for a while ...
    Capture.jpg
    I imagine that's on the basis that computers aren't getting any more powerful in that time - which is perhaps unlikely. Still, it seems like a decent password...

    To those who organise their passwords in 'tiers', I would suggest that their main email accounts are given the highest priority, the same as the ones for banking etc.

    There's a lot of information which can be gleaned from your email account, and also any other account which has a password reset feature will be using your email address. Other services may use email in similar ways to 'prove' it is you they are dealing with.
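
    The point about hardware growth raised in the post above, worked through as an added example (not part of any forum post and not how any password-checking site computes its figures): it compares the time to exhaust a password keyspace at a fixed guess rate with the time when the attacker's rate doubles periodically. The starting rate of 10^10 guesses per second, the two-year doubling period and the sample password shapes are assumptions chosen for illustration, and the model covers exhaustive search only.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed values for illustration only (not taken from the thread).
ASSUMED_RATE_PER_SEC = 1e10     # attacker guesses per second today
ASSUMED_DOUBLING_YEARS = 2.0    # attacker speed doubles every 2 years


def keyspace(length, alphabet_size):
    """Number of candidate passwords of a given length over an alphabet."""
    return alphabet_size ** length


def years_constant_rate(guesses, rate_per_sec=ASSUMED_RATE_PER_SEC):
    """Worst-case years to try every candidate at a fixed guess rate."""
    return guesses / rate_per_sec / SECONDS_PER_YEAR


def years_growing_rate(guesses, rate_per_sec=ASSUMED_RATE_PER_SEC,
                       doubling_years=ASSUMED_DOUBLING_YEARS):
    """Worst-case years when the guess rate doubles every `doubling_years`.

    rate(t) = r0 * 2**(t/d), so the guesses made by time t are
    r0 * d / ln(2) * (2**(t/d) - 1). Solving for t gives the formula below.
    """
    r0 = rate_per_sec * SECONDS_PER_YEAR          # guesses per year at t = 0
    ratio = guesses * math.log(2) / (r0 * doubling_years)
    return doubling_years * math.log2(1 + ratio)


def compare(length, alphabet_size):
    """Return (fixed-rate years, growing-rate years) for one password shape."""
    n = keyspace(length, alphabet_size)
    return years_constant_rate(n), years_growing_rate(n)


if __name__ == "__main__":
    # Constructed password shapes: (label, length, alphabet size).
    shapes = [("8 lowercase letters", 8, 26),
              ("12 letters and digits", 12, 62),
              ("16 letters and digits", 16, 62)]
    for label, length, alphabet in shapes:
        fixed, growing = compare(length, alphabet)
        print(f"{label:24s} fixed: {fixed:12.3g} y   growing: {growing:8.3g} y")
    # Exhaustive search is an upper bound: dictionary words, names and
    # reused passwords fall far sooner than these figures suggest.
```

    Under these assumptions a figure in the thousands of years at a fixed rate shrinks to a few decades once attacker speed is allowed to grow, while short passwords fall in seconds either way.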
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    Ha, there's no way I'm giving Google my banking password.
This discussion has been closed.