
Online password managers... beware?


Comments

  • TMSG
    TMSG Posts: 233 Forumite
    Fourth Anniversary 100 Posts Name Dropper
    @NorthYorkie Yeah, I've tried that but whatever I did I couldn't get the darned thing to give me my 2FA/MFA TOTP codes.
    Speaking of which I second what @Vitor has said. Activate MFA for everything that's important (or even better everything that offers it) and try to keep away from SMS-based methods. One of my banks uses this and I'm pestering them to change this, so far without success :disappointed:
  • Frozen_up_north
    Frozen_up_north Posts: 2,854 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    Be good if you could have a word with the 90% of banks and BSs I log into that still insist on 2FA via SMS.
    It is really odd the number that still use SMS, which has long been regarded as not particularly secure.

  • B0bbyEwing
    B0bbyEwing Posts: 1,631 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Hmm. Seeing have you thought of doing this doing that & the other. 

    Isn't there risk with everything?

    Just need to choose which risk you're most comfortable with & go with that.
  • MyRealNameToo
    MyRealNameToo Posts: 917 Forumite
    500 Posts Name Dropper
    Isn't there risk with everything?

    Just need to choose which risk you're most comfortable with & go with that.
    There is but there is also a balance between risk and convenience. You could come up with a highly convoluted scheme combining both digital and physical distributed storage that reduces the risk further but you require a few days planning each time you want to access a password and it can only be done when the bank has a time slot for you to visit your safety deposit box etc so not so useful when your card has just been declined in Tesco and you need to check your balance to see why. 
  • dosh37
    dosh37 Posts: 496 Forumite
    Part of the Furniture 100 Posts Photogenic Name Dropper
    I know someone who uses a password manager but he adds a fixed substring to his passwords before they are used. The substring is kept in his head and not written down.
    That way, if the main 'password manager' password is ever compromised, it is less likely that the real passwords can be guessed even when they are revealed.
    The substring doesn't need to be added to the beginning or end of the passwords - it could be inserted anywhere as long as you remember where.
    The more characters and more obscure the substring the better but it takes longer to enter.

  • Vitor
    Vitor Posts: 721 Forumite
    500 Posts First Anniversary Photogenic Name Dropper
    edited Today at 10:37AM
    but it takes longer to enter -

    Kind of loses the benefit of auto-fill in password managers; if the password always contains something you remember, might as well revert to formulaic passwords such as first and last two letters of the website's domain plus the secret string. 

    NB the vulnerability in the OP's post doesn't affect password managers built into the web-browser itself, such as Edge.