
Password Problems


Comments

  • JohnWinder
    JohnWinder Posts: 1,862 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    That is quite a 'secure' solution but cumbersome (which reduces effective security as it impacts usability and so availability):

    A modified version is an offline encrypted file (encryption password in your AutoReply mail account), that contains only the master password. So that file only needs updating when the master password changes (much less often). 2FA still protects the live data.

    Yes, it is. And NICE modification.

    as long as...There is no copy of the unencrypted version of the file left on the computer (FYI some malware can search for deleted files).

    Yes. So, command line removal method rather than to the trash bin, such as '-rm (drag file here)'. That makes it un-findable I think.
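    Added illustration (not from any poster in this thread) of why the deleted-file point above matters: a plain rm/unlink only drops the directory entry, so the function below overwrites the bytes in place before unlinking, and its docstring carries the caveat a practitioner would add. The file path and the secret it holds are constructed placeholders.

```python
import os
import secrets
import tempfile


def overwrite_then_unlink(path: str, passes: int = 1) -> int:
    """Overwrite a file's contents in place, then unlink it.

    Returns the number of bytes overwritten per pass. Plain rm/unlink only
    removes the directory entry; the data blocks stay on disk until reused,
    which is exactly what file-recovery tooling relies on.
    Caveat: on SSDs, copy-on-write or journaling filesystems and cloud-synced
    folders an in-place overwrite is NOT guaranteed to hit the original
    blocks, so the robust mitigation is to never write the plaintext to
    persistent storage in the first place (keep it in memory or on a tmpfs).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite through the page cache
    os.unlink(path)
    return size


def demo():
    """Constructed sample: a throwaway file holding a placeholder secret."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"MASTER-PASSWORD-PLACEHOLDER\n")
    overwritten = overwrite_then_unlink(path)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```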

  • RobM99
    RobM99 Posts: 2,699 Forumite
    Eighth Anniversary 1,000 Posts Photogenic Name Dropper
    400ixl said:
    RobM99 said:
    Writing down a password in code any good? 
    e.g. "Terry's house number, Dad's car reg" with a special character if needed.
    It'd be tough to guess 45JZT% for example!
    That is too short and could be brute-force attacked. You really need to be at a minimum of 12 characters and every site should be unique, else if one site gets hacked then they have your password for all sites using that password.


    You missed "e.g." It was only a suggestion.
    Now a gainfully employed bassist again - WooHoo!
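    Added example, not from anyone in the thread: a small Python estimator of the brute-force search space behind the length argument above. It sizes the alphabet from the character classes present and converts that to an expected crack time at an assumed offline guess rate, so "45JZT%" can be compared with a 12-character password drawn from the same classes. The 1e11 guesses/s figure is an assumption for a fast, unsalted hash; slow KDFs and online rate limits make the same password far more expensive.

```python
import math
import string

# Character classes used to size the search space. This is the classic
# "classes present x length" model: an upper bound on brute-force work,
# not a measure of how guessable a human pattern (house number + car
# registration) really is to a dictionary or rule-based attack.
_CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)


def keyspace_bits(password: str) -> float:
    """log2 of the search space implied by the classes present."""
    chars = set(password)
    alphabet = sum(len(m) for _, m in _CLASSES if chars & m)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def expected_crack_years(password: str, guesses_per_second: float = 1e11) -> float:
    """Expected time to hit the password (half the keyspace) at the given rate.

    guesses_per_second is an assumed offline figure; adjust it for the hash
    or KDF actually protecting the credential.
    """
    expected_guesses = 2 ** (keyspace_bits(password) - 1)
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("45JZT%", "45JZT%45JZT%"):
        print(pw, round(keyspace_bits(pw), 1), "bits,",
              expected_crack_years(pw), "years")
```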
  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    A decent password manager has pretty much everything discussed here covered.

    They allow you to store your encrypted database on the web or locally, they support export, they support 2FA (software & hardware), they support passwordless login through hardware dongles or FIDO, they support API access, they have master password recovery methods (e.g. recovery codes), they support emergency access features.

    I haven't seen any hack here that isn't a scenario that isn't already covered by the top password managers (e.g. Bitwarden). No need to do anything outside of this as you are more likely to make a mistake and do something insecure than using their option which is often open source and scrutinised by security experts.

    As for complex passwords not being recommended, that was for users who are not using things like password managers where they are then forced to write them down which is insecure. Where they are not written down then they are still the recommendation from the likes of NIST. Complex phrases are the next best thing but they still need to be multiple phrases of a decent length.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    400ixl said:
    A decent password manager has pretty much everything discussed here covered.

    They allow you to store your encrypted database on the web or locally, they support export, they support 2FA (software & hardware), they support passwordless login through hardware dongles or FIDO, they support API access, they have master password recovery methods (e.g. recovery codes), they support emergency access features.

    I haven't seen any hack here that isn't a scenario that isn't already covered by the top password managers (e.g. Bitwarden). No need to do anything outside of this as you are more likely to make a mistake and do something insecure than using their option which is often open source and scrutinised by security experts.

    As for complex passwords not being recommended, that was for users who are not using things like password managers where they are then forced to write them down which is insecure. Where they are not written down then they are still the recommendation from the likes of NIST. Complex phrases are the next best thing but they still need to be multiple phrases of a decent length.
    I completely agree that using a password manager is the best solution for virtually all users.
    The discussion of complexity vs length vs memorability is moot for anything within the manager.

    This was just a more general digression about security around password managers.

    master password recovery methods (e.g. recovery codes),

    Do you have any details of master password recovery codes, as that is not something I am aware of (apart from for the 2FA side)? It goes against the claim that password manager providers have no access to your master password or data.

    Finally, I am not aware of any free versions of password managers that include emergency access.
    However, IMO that feature alone is worth paying for.

  • JohnWinder
    JohnWinder Posts: 1,862 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    400ixl said:
    A decent password manager has pretty much everything discussed here covered.

    .... have master password recovery methods (e.g. recovery codes), they support emergency access features.

    .... by the top password managers (e.g. Bitwarden).
    ...except the above email strategy to get at your forgotten master PW. Yes, Bitwarden has emergency access if there's someone you trust while you're in intensive care for a fortnight on a ventilator with COVID, otherwise you can use the email trick. And Bitwarden doesn't have recovery codes:

    'Bitwarden has no knowledge of, way to retrieve, or way to reset your master password. There are, however, a few steps you can take to try to regain access to your vault:

    1. Try logging in on another device.

    2. Get a master password hint. If you have one setup, a hint will be emailed to your inbox. If you don't have a hint setup, you'll get an email reporting this.

    3. If you have emergency access enabled, contact your trusted emergency contact to regain Read or Takeover access to your vault.

    4. If your Organization uses admin password reset, reach out to your administrator to reset your master password.

    If none of these options get you access to your vault, you will need to delete your account and start a new one:'

  • Prism
    Prism Posts: 3,847 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    400ixl said:
    As for complex passwords not being recommended, that was for users who are not using things like password managers where they are then forced to write them down which is insecure. Where they are not written down then they are still the recommendation from the likes of NIST. Complex phrases are the next best thing but they still need to be multiple phrases of a decent length.
    Complex/long passwords are good. It's forced password complexity rules by the site/company that are not. So you might have a password that you are happy with but it doesn't meet the upper/lower/symbol/numeric requirements of the site - so you therefore change the password to meet those requirements, but there is no evidence that it makes the password any more secure than your own choice.

    Password managers and education are the best options.
