  • FIRST POST
    • Former MSE Nick
    • By Former MSE Nick 7th Nov 16, 3:17 PM
    • 254Posts
    • 78Thanks
    Former MSE Nick
    MSE guide discussion - 60 seconds on password managers
    • #1
    • 7th Nov 16, 3:17 PM


    Hi all,

    We've written a new guide to Password Managers and we'd love your feedback.



    Thanks,

    MSE Nick
    Last edited by Former MSE Nick; 15-11-2016 at 10:56 AM.
    • Fitzmichael
    • By Fitzmichael 21st Nov 16, 12:32 PM
    • 127 Posts
    • 57 Thanks
    Fitzmichael
    • #2
    • 21st Nov 16, 12:32 PM
    Google asks each time if I want them to store my password and I tick Yes, so is this secure or do I need to use one of your methods.
    • AndyPix
    • By AndyPix 21st Nov 16, 12:50 PM
    • 3,965 Posts
    • 3,338 Thanks
    AndyPix
    • #3
    • 21st Nov 16, 12:50 PM
    Google asks each time if I want them to store my password and I tick Yes, so is this secure or do I need to use one of your methods.
    Originally posted by Fitzmichael

    It is secure "ish", the password is stored as a hash in the computer rather than plain text.
    These can be cracked, however, by someone who knows what they are doing.
    Running with scissors since 1978
    • bsod
    • By bsod 21st Nov 16, 12:55 PM
    • 1,222 Posts
    • 736 Thanks
    bsod
    • #4
    • 21st Nov 16, 12:55 PM
    "should I write my passwords down? Generally speaking, this isn't a good idea"

    Really?

    but copying them to the clipboard, installing and entering them into browser storage or extension or phone app, or handing them over to a far away company/server/country/government, then paying them in the hope they are competent/honest/secure is?

    Password managers are a target, they have been hacked or had weaknesses or privacy concerns exposed in the past, and most likely will continue to do so, but no mention of that in your article which instead just names some of them and gives them free publicity.

    Ink and brain can't be hacked, both available with no monthly charge or adverts, terms and conditions apply.

    A more succinct article would be:

    6 seconds on password management:

    Note the passwords down IN CODE somewhere safe and convenient, make them lengthy, mix/slot in some numbers mid-word/phrase, and don't choose anything obvious like offspring/pet names, football teams, or birthdays

    Forget complicated password schemes and strange characters, because they are no more secure, and you will undoubtedly forget them or !!!! them up once you get to more than three
    Last edited by bsod; 21-11-2016 at 2:39 PM.
    Don't you dare criticise what you cannot understand
    • AndyPix
    • By AndyPix 21st Nov 16, 1:03 PM
    • 3,965 Posts
    • 3,338 Thanks
    AndyPix
    • #5
    • 21st Nov 16, 1:03 PM
    Password managers in general are useless imho.

    You don't need different passwords for everything, you should only need 3 "tiers" of password.

    tier 3 - Used for anything and everything that wants you to create an account these days.
    You don't care if this one gets out as it doesn't access anything important.

    tier 2 - Used for stuff like email etc. This password is private and it would hurt a bit if it got out, but wouldn't cause you any financial loss.

    tier 1 - Use this one for your bank, PayPal etc. Stuff like that.
    Make it super complicated and hard to guess. Only use it for banks and things like that. These places are unlikely to get hacked - and if they do then a password manager would have been no use anyway.

    In short, if you use the same password for Facebook as you do for your online banking, then you don't deserve to have money in your bank.
    Running with scissors since 1978
    • anotheruser
    • By anotheruser 21st Nov 16, 1:14 PM
    • 2,641 Posts
    • 1,552 Thanks
    anotheruser
    • #6
    • 21st Nov 16, 1:14 PM
    Why password managers exist I don't know.
    Surely it's these programs that hackers/whatever you want to call them would target?

    I use an unsecured notepad document, named something "normal" for a computer, in a less obvious place than "My Documents"... it's worked so far.


    Alternatively, set levels:

    One level is forums, I don't mind if my password gets stolen; I'll just register a new account. I use the same one for many sites, however I secure a little by using a different username - so it's not like the "hacker" can trace me around the net.

    Emails is another level. Those passwords (for the two main emails I use) are the same, but very secure. Passwords for other emails I use are less secure as they are as good as throw-away addresses anyway.

    Banking is another level; usually the same password, but they have good security anyway (i.e. pick random letters from a different password).


    So I break all the rules, but it works for me.


    Here's some fun: howsecureismypassword.net. Some people might say "I would never type my password into a random website" - the website doesn't know what website the password is for so get off your high horse and see how secure it is.

    My least secure says: 200 milliseconds
    My medium-secure says: 16 hours
    My most secure says: 3000 years

    EDIT: Ha ha, person above me says about levels too!
    Last edited by anotheruser; 21-11-2016 at 1:20 PM.
    • John Gray
    • By John Gray 21st Nov 16, 1:23 PM
    • 5,299 Posts
    • 3,110 Thanks
    John Gray
    • #7
    • 21st Nov 16, 1:23 PM
    I use an unsecured notepad document
    Originally posted by anotheruser
    Even better would be an encrypted text document which is actually a .EXE file but opens out to a notepad-like editor with your now decrypted text therein. I use LockNote. Rename it to any filename.EXE you like! (You still have to choose a password, of course...)
    • S0litaire
    • By S0litaire 21st Nov 16, 1:37 PM
    • 3,468 Posts
    • 2,190 Thanks
    S0litaire
    • #8
    • 21st Nov 16, 1:37 PM
    A good rule is:

    If the site offers 2FA, turn it on!

    YES, it can be a pain to grab your mobile to get that text message, but in the long run it's a lot more secure.

    Also, if really paranoid, look into getting something like the "Yubico" USB keys.

    I've got a couple of the basic "blue" FIDO 2FA keys.

    Google had an offer a while back, 3/4 off.

    Instead of Google sending out a text message you plug this into the machine and tap the button. That then authenticates you. (Integration only works with Chrome browsers at the moment). It's a bit more secure. You can get more advanced versions that link directly into LastPass and do multiple types of logins.
    Laters

    Sol

    "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    • AndyPix
    • By AndyPix 21st Nov 16, 1:59 PM
    • 3,965 Posts
    • 3,338 Thanks
    AndyPix
    • #9
    • 21st Nov 16, 1:59 PM
    Looks like I'm going to be OK for a while ...


    Running with scissors since 1978
    • Jivesinger
    • By Jivesinger 21st Nov 16, 3:08 PM
    • 1,215 Posts
    • 736 Thanks
    Jivesinger
    Looks like I'm going to be OK for a while ...
    Originally posted by AndyPix
    I imagine that's on the basis that computers aren't getting any more powerful in that time - which is perhaps unlikely. Still, it seems like a decent password...

    To those who organise their passwords in 'tiers', I would suggest that their main email accounts are given the highest priority, the same as the ones for banking etc.

    There's a lot of information which can be gleaned from your email account, and also any other account which has a password reset feature will be using your email address. Other services may use email in similar ways to 'prove' it is you they are dealing with.
    • AndyPix
    • By AndyPix 21st Nov 16, 3:12 PM
    • 3,965 Posts
    • 3,338 Thanks
    AndyPix
    Ha, there's no way I'm giving Google my banking password
    Running with scissors since 1978
    • securityguy
    • By securityguy 21st Nov 16, 3:20 PM
    • 2,414 Posts
    • 3,682 Thanks
    securityguy
    "It is secure "ish", the password is stored as a hash in the computer rather than plain text."

    Really? Could you explain how you think that works? If the local computer stores a hash of the password, how would it supply the original to the website that is being authenticated to?

    Local password safes are just a special case of password managers: they store an encrypted version of the password, not hashed.
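The distinction drawn in the post above, as an added example that is not code from any poster or from a real password manager: a hash can only confirm a guess, while a vault entry must decrypt back to the original so it can be sent to the site. The function names are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (illustrative value)

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way digest: what a verifier stores. The password cannot be read back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _derive_keys(master: str, salt: bytes):
    """Stretch the master password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher (assumption: a real vault would use AES-GCM or similar)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def vault_encrypt(master: str, site_password: str) -> bytes:
    """Reversible storage: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = site_password.encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag

def vault_decrypt(master: str, blob: bytes) -> str:
    """Recover the original password, which a hash could never do."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault entry")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()

if __name__ == "__main__":
    blob = vault_encrypt("constructed-master-pw", "constructed-site-pw")  # constructed samples
    print(vault_decrypt("constructed-master-pw", blob))
```

The stored hash protects a verifier's database; the encrypted entry is only as strong as the master password and the work factor used to stretch it.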
    • Jivesinger
    • By Jivesinger 21st Nov 16, 3:24 PM
    • 1,215 Posts
    • 736 Thanks
    Jivesinger
    Ha, there's no way I'm giving Google my banking password
    Originally posted by AndyPix
    No but if someone rings your bank pretending to be you and saying they've forgotten the password, how are they going to contact you?

    And if the attacker has already used your email account to get a password reset with your mobile provider, and requested a replacement SIM for your mobile beforehand, you could be in trouble.

    It won't work with everyone, and perhaps you personally have other ways to prevent this sort of scenario, but generally someone who knows your email password can cause a lot of trouble.
    • AndyPix
    • By AndyPix 21st Nov 16, 3:30 PM
    • 3,965 Posts
    • 3,338 Thanks
    AndyPix
    "It is secure "ish", the password is stored as a hash in the computer rather than plain text."

    Really? Could you explain how you think that works? If the local computer stores a hash of the password, how would it supply the original to the website that is being authenticated to?

    Local password safes are just a special case of password managers: they store an encrypted version of the password, not hashed.
    Originally posted by securityguy

    Yeah sorry, I'm quite busy here ...

    I was referring to the Windows passwords which are stored in the SAM registry hive (system32\config\sam). Hashed using LM or NTLM
    Running with scissors since 1978
    • AndyPix
    • By AndyPix 21st Nov 16, 3:33 PM
    • 3,965 Posts
    • 3,338 Thanks
    AndyPix
    No but if someone rings your bank pretending to be you and saying they've forgotten the password, how are they going to contact you?
    Originally posted by Jivesinger

    I would hope that the last thing they would do would be to email me a new password!!
    I would expect a letter in the post with a scratch-off thing
    Running with scissors since 1978
    • securityguy
    • By securityguy 21st Nov 16, 3:35 PM
    • 2,414 Posts
    • 3,682 Thanks
    securityguy
    I was referring to the Windows passwords which are stored in the SAM registry hive (system32\config\sam). Hashed using LM or NTLM
    Originally posted by AndyPix
    That's right. And that relates to storing website passwords how...?
    • jack_pott
    • By jack_pott 21st Nov 16, 3:46 PM
    • 4,691 Posts
    • 6,064 Thanks
    jack_pott
    6 seconds on password management:

    Note the passwords down IN CODE somewhere safe and convenient, make them lengthy, mix/slot in some numbers mid-word/phrase, and don't choose anything obvious like offspring/pet names, football teams, or birthdays

    Forget complicated password schemes and strange characters, because they are no more secure, and you will undoubtedly forget them or !!!! them up once you get to more than three
    Originally posted by bsod
    ...and then don't use it for PlusNet. When I was on the phone to them the operator said "ooh, that's a really secure password you've got there!"

    Well, yes, it was until your system plastered it all over your screen.
    • AndyPix
    • By AndyPix 21st Nov 16, 3:47 PM
    • 3,965 Posts
    • 3,338 Thanks
    AndyPix
    It doesn't - as I said, I have my hands full and was skim reading.

    My humble apologies
    Running with scissors since 1978
    • Fightsback
    • By Fightsback 21st Nov 16, 4:05 PM
    • 2,475 Posts
    • 1,442 Thanks
    Fightsback

    My least secure says: 200 milliseconds
    My medium-secure says: 16 hours
    My most secure says: 3000 years

    EDIT: Ha ha, person above me says about levels too!
    Originally posted by anotheruser
    For now, until quantum computers.
    Science isn't exact, it's only confidence within limits.
    • rmg1
    • By rmg1 21st Nov 16, 4:38 PM
    • 2,950 Posts
    • 768 Thanks
    rmg1
    Just checked my main passwords I use for various things.
    The slowest was 34,000 years so I think I'm reasonably safe.

    I agree that brain and (potentially) ink are best (but I've never written a password down in my life!).
    Flagellation, necrophilia and bestiality - Am I flogging a dead horse?

    Any posts are my opinion and only that. Please read at your own risk.