Password Managers and Banking?

Comments

  • Bobblehat
    Bobblehat Posts: 978 Forumite
    Eighth Anniversary 500 Posts I've been Money Tipped! Name Dropper
    Just to be clear and qualify ….. how naïve I may have been in thinking JUST a PM would do the trick :/
    One thing that might simplify my needs … I don't do apps, as I don't use a smartphone, in fact I only infrequently use a mobile phone, but I do own a simple one for the odd occasion I need one. 

    (I think I heard a distant murmur of  ..... Luddite!)
  • Prism
    Prism Posts: 3,852 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    Another thing to keep in mind is that you should be able to tell someone your password (or they steal it) and that still wouldn't help them get full access to your account. 2FA with a mobile phone is the minimum level of security you want, ideally a smart phone based app.
  • Bobblehat
    Bobblehat Posts: 978 Forumite
    Eighth Anniversary 500 Posts I've been Money Tipped! Name Dropper
    Prism said:
    Another thing to keep in mind is that you should be able to tell someone your password (or they steal it) and that still wouldn't help them get full access to your account. 2FA with a mobile phone is the minimum level of security you want, ideally a smart phone based app.
    Difficult if I don't own a smart phone! Maybe?
  • Prism
    Prism Posts: 3,852 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    Bobblehat said:
    Prism said:
    Another thing to keep in mind is that you should be able to tell someone your password (or they steal it) and that still wouldn't help them get full access to your account. 2FA with a mobile phone is the minimum level of security you want, ideally a smart phone based app.
    Difficult if I don't own a smart phone! Maybe?
    Indeed. It's getting to the point that a regular mobile is a requirement but a smartphone is the more secure option going forward.
  • BurningSnowman
    BurningSnowman Posts: 54 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    edited 20 May 2020 at 8:33AM
    Sorry for resurrecting an old-ish thread. I'm here and thinking about this both because of the Easyjet breach in today's email (where I signed up so long ago I was using a shared, weak, already-leaked password – now changed!), and because version 2 of my simple deterministic password mobile app was approved for Android+iOS app stores since the weekend :)
    I'm belatedly throwing that in the ring because I've not seen anyone specifically write about this strategy. It's not a new idea – the specific protocol/set of conventions I used/followed has been about and in browser extensions etc. since at least 2007. The idea is to not have a central server or store generated passwords anywhere, by using irreversible "hashes" from a consistent starting point (your master password, the site's domain name and some preferences) to always reach the same end point (your totally secure post-breach-announcement easyjet.com password). So nothing to get hacked as you have not shared any part of your credentials with a third party server, which might be attractive for banking. When EasyJet next reveal a breach, your other passwords are also not impacted.
    I wrote about some of the benefits (in my view) in a possibly too detailed blog. But I would just urge keeping it in mind as an option. The post also mentions that LastPass actually doesn't have the best track record, though I'm certainly not a hard opponent of central password managers generally. I will sometimes choose to save passwords with one if I need easy sharing (basically impossible with the deterministic approach), if they're not that critical, or if I'm too lazy to vary my normal deterministic rules to fit a site's criteria.
    The other caveat to remember is that if you forget your preferences (these are safe to save anywhere) and lose your device, or you forget your master password, you cannot recover your passwords. Both a strength and an important limitation.
    There are browser extensions which are not my doing following this protocol. I mostly use a port of PasswordMaker X on Firefox but there are numerous options listed on the (perhaps outdated) https://passwordmaker.org/
    v2 of the mobile app now lets you set up profiles so you can do things like always add a number, or always leave out symbols, to meet certain sites' requirements while choosing your "best" defaults for those without silly limits. Again, this is not groundbreaking and is standard in lots of good browser extensions, but I couldn't find a still-maintained mobile app offering the same. It's free and open source with more info at https://passwordmaker.webful.uk/ – and it would be great to get any feedback. I can make a web build too if it would help anyone vs. the existing extensions.
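
The deterministic approach described in the post above, as an added example; it is not the poster's app code and not the PasswordMaker algorithm. The profile fields, the `counter` rotation field, the symbol set and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Hypothetical "preferences" profiles (safe to store anywhere, per the post).
DEFAULT = {"length": 16, "symbols": True, "require_digit": False, "counter": 1}
FUSSY_SITE = {"length": 12, "symbols": False, "require_digit": True, "counter": 1}
SYMBOLS = "!#$%&*+-=?@^_"

def _expand(seed, profile, attempt):
    """Map an HMAC-SHA256 keystream onto the profile's alphabet."""
    alphabet = string.ascii_letters + string.digits
    if profile["symbols"]:
        alphabet += SYMBOLS
    # Rejection sampling: drop bytes that would bias the modulo.
    limit = 256 - (256 % len(alphabet))
    label = "{length}:{symbols}:{require_digit}:{counter}".format(**profile)
    out, block = [], 0
    while len(out) < profile["length"]:
        msg = f"{label}:{attempt}:{block}".encode()
        for b in hmac.new(seed, msg, hashlib.sha256).digest():
            if b < limit and len(out) < profile["length"]:
                out.append(alphabet[b % len(alphabet)])
        block += 1
    return "".join(out)

def derive_password(master, domain, profile):
    """Same master + domain + profile always yields the same password."""
    # Slow KDF so one leaked site password is costly to brute-force back
    # to the master password; the domain acts as the salt.
    seed = hashlib.pbkdf2_hmac("sha256", master.encode(),
                               domain.lower().encode(), 200_000)
    attempt = 0
    while True:
        password = _expand(seed, profile, attempt)
        if not profile["require_digit"] or any(c.isdigit() for c in password):
            return password
        attempt += 1  # deterministic retry until the site rule is met

if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    print(derive_password(master, "easyjet.com", DEFAULT))
    print(derive_password(master, "easyjet.com", FUSSY_SITE))
    # After a breach notice, bump the counter to get a fresh password.
    print(derive_password(master, "easyjet.com", {**DEFAULT, "counter": 2}))
```

Any change to the profile, including the counter, changes the output, which is why losing the preferences has the recovery cost the post mentions.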