anyone use a password manager?

You’re fooling yourself if you think a corporate program is safer, more secure. Look at all the different high profile accounts that have been hacked.

Having said that, us small fry probably will never be hacked.
On my iCrap I use a free password manager called “ Tiny Password manager “ It uses a code and/or fingerprint to access your saved passwords.
Only drawback is the free version has to be entered manually for your iphone and/or iPad individually.
I don’t know if it’s available for Android.

I beg to differ.

I hate cliches but the one that comes to mind from the last decade is, "boiling the ocean."

As a person who has to work day in, day out, now 60% in the office, I can't possibly be aware of every single thing that exists in the world. So if corporations have a practice in place of securing information, I have to think to myself, is it better than a notebook like in the 90's with all my password's written down?

I saw the one where if you cut off a person's finger, it measure's the temp so the fingerprint is still rendered useless, but that was in the movies.

These days I mean just ordinary things require certificates and a chain and root intermediate and user ones that can be deleted and revoked and unexportable. I don't need to understand them lol if I spent my time doing so I'd be fired for not doing my own job.

my .02

p.s. what I'm talking about above, is simply loggin into a corp VPN.

The old days there was a fob with an ever changing number that had to be entered.

Today, there's pre auth. You can't even get to a login without the said device having root and intermediate certs. Then, on top of that, a Certificate Authority has to recognize the user, issue a user cert, before the user even can now login to the VPN. This has to be better than a post it with a password lol and again I don't need to understand it beyond that because I'm not an InfoSec person...

I use the pw manager in the browser. I would not trust a cloud based pw manager. That said, devices such as tablets and phones have no business going to money related websites IMO.

I’m older than dirt and have written a lot of code, maintained a lot of code, and lived with commercial code and associated maintenance. I don’t trust when I have that option.

I have no experience with password managers. Do they provide a clear text file for backup/restore? Besides Windows and Android do any run on Linux which I use more than any other OS?

Do the authors have the wherewithal to protect their product on their servers and on your devices?

I use a spreadsheet with about a dozen tabs and sometimes >100 entries per tab. It keeps the login URL, user-id or email address, password (sometimes the last few passwords), and the query/response pairs that some sites require.

Note: I haven’t written any code worth talking about this century. If I’ve made any assumptions that I should reconsider I’d like to hear.

Used it for years. Works on all computers you wish to have it on and your smartphone. The other great thing about it is if you get a spoof email that directs you to a phoney site made to look like another well known one roboform will not show option to input password. I'm pretty good about not falling for bad actor sites but this is an added feature.

I switched over to Bitwarden just about 2 years ago now. Unhappy with Google Password management, since Chrome and all Google apps are all under just one Google password protecting your account, I wanted some additional Risk Management security for my passwords. Prudence says saving the "keys to the kingdom" with just one service provider is foolish for security purposes. Breach once, access to all!

Reviewed all of the bigger players, but settled on Bitwarden Premium ($10/year with 1 GB of protected file storage) for two reason. 1) Open source applications where programming cryptographers have sifted through their code to find exploits and report what they found to Bitwarden and 2) HIPPA compliant.

What I like, browser plug-in allows for only 5 wrong pin # entries, enter the 6th time and you need to use your master password, so make it as strong as possible - the only one you really need to remember. I tried it once and sure enough, it just works.

The passwords are synced back to my Bitwarden account, 256 bit AES encryption backed up to MS AZURE cloud server, accessible on all of my devices and only you know the password to decrypt your passwords for Bitwarden.

Lose/forget your master password, you are in real trouble.

Cross OS apps, web access and plug-ins are available. I run mine on Windows, Linux, iOS, Android 13, Chrome, Firefox and Edge, all work without a hiccup.

The choice is yours. Any password manager, outside of your browser password manager is a smart choice to increase the security of your on-line accounts and web sites. Check them all out.

2-step authentication is the next point to enact, but that is off topic at this time in this discussion.

Check out bitwarden.

I use it mainly on chrome as an extension and on mobile devices.

Source code is available for those capable of reviewing it. Supposedly it has been audited.

I'm hazy on the details, but the free version is quite capable. They claim you can even run your own instance on a personal server if you want. The paid version allows the use of hardware tokens.

There are few other password managers but you have to evaluate the degree of security and the convenience. I'm aware of a program called Keypass which stores your password in an encrypted file LOCALLY. To make it work on a mobile device, people sync it on a service such as dropbox.

Programs like Bitwarden and Lastpass also stores everything encrypted but have some added conveniences of recognizing web pages and apps and automatically filling in the correct username/password. Supposedly, only encrypted files are stored on their servers.

I'm not a security expert but I make it a point to use randomly generated passwords. The use of login/password is ubiquitous. I don't know about you, but I'm at the point where I can't keep track of which services I have used, say 4 years ago which isn't even that long of a time.

There is a slight inconvenience when the device/chrome doesn't recognize the application or website for the login prompt, but I think its worth it.

HIGHLY recommend a password manager to everyone. It takes some time (say a week) to start using it and then get used to it. Its one of the few things I feel strongly about... and nobody listens, just one of those things I guess.

I take a picture of my password list and store it in a password protected folder on my iPhone. That way, both the phone and file folder passwords have to be breached for a hacker to gain access.

I use Password Safe (on Windows) and have for years. One of the things I like about it is the encrypted password file is totally local as opposed to being resident in the cloud. It is also free. Once a month I back up the My Documents folder so I keep the PW file in that folder. There is also an app called PwSafe that offers full compatibility with the Password Safe file, and again it keeps the file on the device, not the cloud. That I keep on multiple iPads (mine and the wife’s). When I make significant changes to the “master”, the Windows machine, I email the file to myself and my wife, then store it in an appropriate place on the iPads.

Link https://pwsafe.org/

I’ll post the PwSafe later when I get hands on my iPad. ADDED LINK https://apps.apple.com/us/app/pwsafe-2-password-safe/id93892...

The version for an iPad might be a one-time $2.99.

The pwsafe website said: "... Designed by renowned security technologist Bruce Schneier ...". That's quite a credential.

I have been using it for 10+ years and swear by it.

If you are concerned about security, read https://www.schneier.com/academic/passsafe/.

Another vote for Bitwarden. Been using for a couple years now.

a couple names came up...I will check them out.

Have not asked our security team yet about what happened. Very glad my wife never set hers up. It seems mine is intact, but I would need to pay for family or premium.

As an example, I have two pensions and a bond account. I log in every 5-10 years, how would I ever find a spreadsheet or post it with the info?

The only time I ever check the pensions is when they offer to buy them out. Of course I don't go for it. Hint: Neither is anywhere near $6,200/mo. I read that is the "only" time one should ever consider a buyout. For those who have a high monthly amount, and if they suspect their employer is going out of business. Otherwise they're offering pennies on the dollar to rid themselves of an annuity where they have an obligation.

On my computers I use a very old password manager program called (drumroll please....) Password Manager. It's simple, clean, and easy. It hasn't been available for quite some time so not likely anybody will target it.

On my Android phone I use a program called aWallet. Works well and allows me fingerprint authentication.

It's important to think about whether, and how, you want to sync your passwords across your devices (phone, tablet, computers, etc.)

Personally I don't like syncing passwords in the cloud. To me, they're vulnerable there, particularly for financial accounts. I know, cloud-stored passwords are encrypted six-ways-to-Sunday, but there have been cloud storage breaches for at least some password managers, repeatedly. So I don't trust cloud storage and syncing of passwords or financial documents and prefer to sync locally. This means that my devices use my wifi router to talk to each other at home, so that when I create or change a password or save a financial document, it gets passed around under my direction to my other devices. Of course, if you do choose local-only syncing, you do need a really good, reliable system of backing up your passwords including off-site storage, so that fire, whatever, doesn't lock you out of all your accounts. If you're not good about backing up, it's probably better to sync passwords from the cloud.

If you want to do local syncing of passwords, one of the best password managers to use is Sticky Password. https://www.stickypassword.com/free-password-manager-vs-prem...

You can have a free account with Sticky Password with no syncing. That means you would have to manually type each new or changed password once into each device, which I do not recommend for people with multiple phone, tablet, and computer devices. The problem with manually typing in each password is that it discourages the use of deep, complex, random passwords unique to each login account you use--for example:
2Yw|PHm3LIav6?Jml8YD}axJ
You want the password manager to generate random, deep, complex passwords like that which would be a pain in the butt to type, and you want them to be unique to each website. So you want to sync these across your devices, and you want the password manager to create and manage the chore of remembering, entering, and syncing them across devices.

If you get a non-free premium account from Sticky Password (at $30 a year, or $200 lifetime but currently on sale for $100), you can sync all your devices either in the cloud with them and/or locally as you choose.

I think the local syncing is where Sticky Password stands out. I don't know that it's as good as other better-known password managers if you only want to sync in the cloud, which is where most all of them do it.

I have been using Lastpass for FREE for MANY years now. Yes, hackers have tried, but have not been successful.

I have been using Lastpass FREE for many years now. Hackers have tried, but have not been successful. You should be able to open your own free account and transfer your data to it. Or download the data to a CSV file then upload to your new account.
It only cost - I think now $24./yr if you want more options like mobile use. My wife has her account and I have mine. I can't sync accounts, but I can transfer passwords 1 at a time as needed. Mobile might be nice, but I have managed so far.

Roboform.

https://www.roboform.com/key-features

I also use PasswordSafe to keep track of all my passwords, just in case something goes wrong with the browser. It's a great (free, open source) product for Windoze and Linux: https://pwsafe.org/

Ditto on Password Safe as a PC-based backup. I use LastPass Free on the computers. I try very hard not to do much, especially with passwords or finances, on my smartphone. The smartphone will, however, unlock my car and start the engine which is my backup in case my fob is lost/died or has a weak battery when I'm not near home and the backup fob.

Interesting, it was in fact one year that went by, and so the features were lost. I asked our infosec team about it, and they said they do not recall any co-wide email promoting it hahahahahahahaha

Turns out LastPass must have popped up in the corporate version saying a benefit is free for home.

At any rate, I deactivated, then reactivated, and now I see, it's good for a year again. So I can use mobile and the web extension. I have so many obscure accounts saved that as mentioned I may login every 5-10 years. Again, I feel if the corp is going to pay for it, it must be ok.

Fortunately no problems at the consumer level.

https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-...

Keepass is open source, free, has great encryption.

This is what we use. Use it on both Windows and our Android phones (KeePassDroid) and tablets. Database is local on each device so I have to manually copy revised db to each device when there are changes. Minor amount of maintenance for a good free product.

Easy to use and has been solid as far I we know

I've absolutely no faith in password managers.

I suspect one of these days one or more of the modules in them could be somehow replaced and have all your passwords sent out into the either to parts unknown.

My passwords are stored in a box, in a 5,000 lb fire & water proof safe having an 7 digit turn and 3 position handle to open it.

Nothing on any electronic device is ever safe

Check some reviews, not user friendly, but it is free. See https://www.pcmag.com/reviews/keepass-234

B Badass, I agree with you about keeping data safe, but memorizing many, many strong pw's, at least for me, is too daunting a task to even consider. And having to run to a 5,000 pound safe every time I need a pw is likewise impractical, again speaking for myself. I've used LastPass for several years and am willing to trade security for convenience until that decision bites me in the ass. Then maybe I'll reconsider my position.

Phil

everything seen in the movies.

Take phone conversations.

How do you know someone can't listen to your conversation?

In the old days, physical access was needed as it traveled over a pair of wires.

How about today?

Say you're a big wig at a co. is your voicemail secure such that only you can access it? How about your computer?

I agree with many that practicality has to come into play.

But, I see the other side too. I myself was unaware that cars had black boxes. None of mine do--newest is 2011.

I go all the way back to not boiling the ocean, it's gonna boil already as things are going.

In my case, it came down to going into the corp LastPass, deleting my personal families link, then re-adding it. Now all the features were back and I did see a 1 year expiration. I would think if they truly wanted to collect the $4/mo, they would make this action not possible. It never says it's a trial. But then again there is a 1 year expiration--sort of inconsistent.

So called "black boxes" (proper name Event Data Recorder or EDR) have been in some of the major American car brands, like Buick, Chevy and Cadillac, since about 1994. What they recorded in those days however is a far cry from what is recorded today!

The National Highway Traffic Safety Administration has been using them to collect car accident data since early in the 2000s. If your car is from 2013 or later, you are almost guaranteed to have a black box. Less than 5 percent of new cars came without one in 2013, and they are mandated in all new vehicles since 2014.

A list of cars that have EDR's can be found at https://rimkus.com/media/pdfs/Event-Data-Recorder-Vehicle-Li...

It's hard to strike the balance between security and convenience for oneself let alone a group (family, teams, small businesses, large corporations)

But I think the encrypted passwords stored online is a reasonable solution. Even if someone steals the encrypted password files, they will still have to be motivated enough to want to crack it.

Like if they are motivated enough to lift your 5000 lbs safe, they will still have to crack it open.

All of this assumes that nobody is pointing a gun to our heads.

Been using RoboForm for years and years. Can’t remember not having it. Works on my android, iPhone, iPad, computer and chrome book. Always sync’d, always up to date.

To my surprise, our 2006 and our 2011 are in fact on that list! lol

2007 is not.

Very interesting. Thanks!

p.s. I would assume velocity would be a basic event that's recorded?

I imagine my '22 stinger records LOTS more info than a car from 2007. Not to mention, car comes factory equipped with a LTE modem. My money says car is reporting back to the mothership periodically or under certain conditions. I never did activate the kia uvo service, but there's no easy way to disconnect or disable the lte module.

I still don't care for and will never use a cloud password service, but this vid may be of interest to those who use lastpass.

https://www.youtube.com/watch?v=8vIq2Gc6SSE

I have this nifty piece of paper with all my usernames and passwords that I keep under my keyboard.

My wife and I dined last night with a couple that did something similar. Unfortunately, while on a 2-week vacation, they kept on putting pictures somewhere (Twitter, TicTok or other media I’m not familiar with) for friends and family. When they returned their home had been broken into, the computer and password sheet stolen, and their checking account had $7000 removed. For those that aren’t aware most smartphones have very detailed location info imbedded in the images. So a backyard picture from July 4th can yield your home address and your vacation pictures can yield where you have been.

I would suspect, but don’t know for sure, that the odds of having your home broken into is higher than the odds of your password being cracked when using a good password manager with a good “master password. So if you use a cheat don’t keep it near your computer. Stash it somewhere where thieves are not likely to go; perhaps something like a book in a bookcase.

Bitwarden! Open source (better for security audits) and available on most platforms.

I switched from LastPass some time ago.

My mom has a 2 car garage not locked and no opener. She leaves an overturned plastic cup with a spare key on a shelf. I asked her not to do so but she scolded me like I'm in 5th grade.

My wife's relatives live in metro NY and never lock their house. Their logic? Homes are 1.6 mil around us and we have an original one that's 1/3 the value. Nobody would choose our house to break into.

In both the above cases, the people are pretty high IQ. Interesting, huh? Knock on wood nothing has happened in 30 years...

I, too, use Sticky Password. It works well on my Windows and Android devices. Like other posts, there is no way I could key long, complex passwords with upper case, lower case, numbers, and special characters.

I keep Bluetooth & GPS off except when I want them on. I'm too lazy to do that for Wi-Fi though.

Some phones use triangulation from towers to determine an position approximate position.

Funny thing the other day, a college classmate sent a picture of two guys from our class, not seen recently by many (we graduated in 1965). The idea was to guess who they were because they very obviously had changed in 57 years. The two guys were standing on the street opposite a restaurant on Long Island but the restaurant could not be seen in the picture. In short order I responded that I did not know who they were, but they likely just had lunch at "so-n-so" restaurant. Google had identified the latitude and longitude as the restaurant. Further info said the time was 2 PM. Everything imbedded in the image metadata.

I did that until I had way too many places I visit needing a password and a lot of those are asking to change them on a regular basis, Roboform does the work for me now.

I understand that a tracker may do that. Out of ignorance I'd think that that is far fetched for the camera app to do that.

Having read about the sophistication of Pixel and Iphone cameras maybe a couple of dozen lines of code to do this isnt far fetched.

Lots of stuff going on in that iPhone to determine its position. See https://www.engadget.com/2011-04-27-iphone-101-location-data.... Scroll down to read content on how to disable the feature on an app by app basis, or disable on the entire phone.

On an iPhone, it actually is quite easy to see the metadata related to an image. The metadata includes the device model and photo settings as well as the date/time and latitude/longitude. If this is acquired by GPS, as it would likely be if you are outdoors, it is accurate down to a few feet.

On iOS 15 or later

1. Go to the Photos app.
2. Open the image for which you want to see the metadata.
3. Tap the i icon at the bottom or simply swipe up the image.

This will reveal details about where the photo was taken, the camera settings, etc. Some of the data shown can be changed by tapping on Adjust, then Save as you exit.

With iOS 14 or earlier, somewhat complicated.

Not sure how it is done on an Android device.

After seeing some of the posts it got me interested in installing a password manager. Trying out LastPass and like the features so far. https://www.lastpass.com/

I have been using the 1Password family plan. Makes it easy to setup password sharing for different family members.

I religiously use a different password for each web site. I keep the passwords in an Excel file on a flash drive that is on a lanyard around my neck, and on a backup flash drive kept in a locked desk at work, which happens to be at an aerospace company with 24/7 security guards.

For me, this has the advantages of being able to use long passwords that can be copied and pasted as needed, just by plugging in the flash drive, and of no worries about forgetting a master password. When the flash drive is not plugged in, there is no password data on my computer, and I flush the cache frequently when online.

- Tom -

They let you put an external USB storage device into your work machine?

I was only allowed to insert USB devices that That were issued by the company!

Company I used to work for also required "only company provided" usb storage devices, but additionally required that writable media be encrypted (even CD/DVDs). Any unencrypted usb stick or hard drive inserted into the computer was automatically encrypted!
Mark