anyone use a password manager?

For a healthcare and an employee in marketing lost a USB with all members' personal data. What I found interesting was how long the cover-up was until the co could determine the penalties that were going to be assessed.

I'm not positive but flash forward 14 years, I don't think most people can plug into the USB ports on their laptops.

Interestingly in my career I have never not been a local admin on my own computer. I lost my laptop in the airport in Toronto a few years ago and if you can believe it at the time, our drives were not encrypted. Also, it was found within 36 hours and returned to me in a week. When I got it back, it was still powered on and asleep.

I once lost a USB with my tax return and I flipped out doing a credit freeze and considering those services. It was a false alarm and I found the USB at home 2 days later, but the freeze etc had lasting effects. Could not obtain credit, etc.

Don't understand the comment "I don't think most people can plug into the USB ports on their laptops". I use both of my USB ports on my laptop, one for my mouse and one for my two external drives.

Google has a built in password manager that can work in a Windows, Mac or Android environment. A discussion of the product can be found at https://www.pcmag.com/how-to/how-to-master-google-password-m....

I had posted earlier about looking at LanePass password manager looking good. After some trail and error and checking out other PW managers I came across Avira at https://www.avira.com/en/password-manager . This works well and is very easy to use. Has all the features needed for free including sync across all devices. Has a extension for my Brave Browser as well as others. I thing my hunt is over.

I tried the built in PW manager for Brave and Chrome and didn't feel that safe using them.

A good review of the Avira product can be found at https://www.safetydetectives.com/best-password-managers/avir....

The one thing that I didn't like about about Avira is the same thing I didn't like about many password managers, that being cloud storage as opposed to local storage.

You have the option to turn it off in the settings. Drawback is you lose the syn across devices. I guess once you get all the passwords set up on all devices you could then turn it off and turn back on as needed. I am really impressed with the features and ease of use.

"When ON, your data is stored in an encrypted format on Avira servers. This allows you to access your data from multiple devices".

"When OFF, your data is stored and accessible only locally. There is no sync between devices and your data is lost in case you lose your device".

Been using it for more than 20 years.

Never had an issue outside of their dropping their "To Go" versions (portable on a USB stick).

Devices are locked down. I know for a fact employees cannot save to the local drives nor install any software, and believe the USB ports do not work either.

If one considers tablets that are locked down using a MDM, the employee cannot do anything on them, other than run the apps on the profile.

A user who cannot save anything locally, it could be argued they have no need to be bringing things up via USB, it's a risk.

an app called Password Wallet for 10+ years without issue and there are no on-going fees.

See: https://www.selznick.com/products/passwordwallet/

The company that I had worked for had instructions about software and USB's BUT, we needed to install/upgrade software based on equipment we serviced.
I did run across a company where they had our equipment and we serviced it. The time to service it exponentially increased because we couldn't run the programs we required from the USB. All of what we needed had to go on their server. Then an IT person had to stand next to us and Copy down the required software. He also had to be there while we serviced it. The paranoia was unbelievable and created a problem for us and them.

One of our federal government agencies!

I'm all to well aware if idiotic stunts like that.

I'd need a memory dump when a program failed. Those agencies would "sanitize" the dump either electronically or physically in paper before I'd get it. Sometimes they'd "sanitize" the area I'd need to see.. .

Wunderful

I have been using the Google manager. I am thinking of using a proprietary PAW managere but don't want to pay for something I get for free. There are also the issues with what happens when the subscription ends and getting access to your passwords.

The free version of Avira browser extension has great features and very user friendly.https://www.avira.com/en/password-manager. Video https://youtu.be/e-5o2bYAcZM

FYI, there are USB sticks that will literally destroy your computer by zapping the USB port with a high voltage when the stick is inserted. So, if given a stick, unless you are very sure about it, DO NOT insert it into anything.

I was referring to how I handle passwords on my personal computer. I keep a backup flash drive in my desk at work, but that is to prevent loss of all my passwords if the primary flash drive goes belly-up.

Keeping it at work provides storage in a different location that is quite secure.

- Tom -

With USB drives and memory cards it is good to know your source. I would suspect that USB sticks, like SD cards are considered as fungible by some retailers, Amazon being one of them. Fungible assets simplify the exchange and trade processes, as fungibility implies equal value between the assets.

It is my understanding by a neighbor, a Best Buy regional manager, that Amazon sells the same product from many vendors, and the ordering system handles the sale. So let's say I give Amazon 100 counterfeit copies of a brand XYZ 128 GB SD flash drive to sell for me. Amazon also buys direct from the importer 100 copies of the genuine brand XYZ 128 GB flash drive for sell under the conditions “filled and shipped by Amazon”. All the flash drives labeled as brand XYZ, including the counterfeit ones, are placed in the same stock bin and the computer simply handles who made the purchase and a robot (most likely) draws the card from the bin. But in this example you have a 50/50 chance of getting a counterfeit card.

Amazon regards the products as fungible, meaning that a flash drive made by brand xyz is the same regardless of who is selling or providing it. Further, if a warehouse in Brooklyn runs out of stock of the brand XYZ 128 GB flash drive, the order may be filled from a warehouse in Harrisburg PA regardless of who has supplied the cards in any given bin.

Best Buy buys flash drives direct from the importer, probably thousands at a time, and then distributes them down the chain to the individual stores. There isn’t any middle person, the delivery process is direct from importer, to corporate level, to retail store. I would suspect you would find a similar scenario in a store like Staples.

Yes, Best Buy might be slightly more expensive; that $20 stick on Amazon might be $25 but it comes with some level of assurance that you are getting a genuine product. In addition, Best Buy has a price match policy that will match Amazon products that are shown to be filled and shipped by Amazon.

^^Product comingling. I hate that.

I get that logic, but not everyone shares that point of view.

Wife routinely tells me I'm too lax about home security. She wants me to make sure the doors and windows are locked, especially the balcony.

Why balcony? I've asked. We live on the 4th floor.

"Because someone might come in."

"For what? And where would they come from" I would ask.

"I don't know." She would say.

"I don't know either." I would respond. "I don't think people with skills like Batman, hopping building to building, climbing down balconies (no steps/fire escape here) would want ANYTHING is this home."

Then I'd get another 10 minutes of how I am not concerned about my family's safety.

And this goes on month after month.

…an update to 2.52 was just announced. The details are to be found at https://www.ghacks.net/2022/09/10/password-manager-keepass-2....

You are fooling yourself if sharing ALL you passwords with a third party is smart idea:

https://www.bleepingcomputer.com/news/security/lastpass-says...

If you have Lastpass all your passwords might be known and/or being sold. No joke. Obviously press release states there was no accessing of any customer data or encrypted password vaults. But would you trust they uncovered all the hackers actions when their own security was compromised.

Over 33 million people and 100,000 businesses just means the business is a gold mine for hacking. It certainly does not even mean the business uses basic security practices.

I use Crude Locker on my cell phone. I use dscrypt on my laptop.

I misspoke about no USB as I can plug in a headset...but ditto with you on a USB flash drive.

Those are so dangerous, as mentioned, a person losing member info on one unencrypted when I worked for a HMO, that's unreported in the news and very bad.

Longtime KeePass user, never any issues. Also comes in many flavors and is cross-platform. Many flavors will allow sync via web/cloud services but that's just an option.
https://keepass.info/

thanks for the information. I will try it.

When I said earlier I use a "very old" password manager I failed to mention that it was made for Windows 95. Still works great and I see no reason to change. I installed it on my wife's laptop as well and, since it's sooooooooooooooo old, I have n(o compunction about using a crack to "register" it to her name as well. The devs went away a very long time ago.)

My criteria is as follows:

1. Must be Portable (No installation is needed)
2. Is not in the cloud, must be local
3. Can be put on a thumb Drive
4. Free
5. No Ads
6. easy to use

Any ideas?

The free version of Avira browser extension has great features and very user friendly. https://www.avira.com/en/password-manager. Video https://youtu.be/e-5o2bYAcZM .You have the option to turn off the cloud and save passwords to computer or thumb drive.

https://keepass.info/

See https://www.pcworld.com/article/1339204/why-i-switched-to-bi...

I use PasswordSafe on a USB drive, but as an extra layer of protection, I also use Veracrypt (www.veracrypt.fr). Veracrypt encrypts a file, or disk, that becomes a volume when mounted with the correct password. Inside the volume is my encrypted password file, but any file can be put there.

Both PasswordSafe and VeraCrypt can be installed on a computer or USB drive , (portable mode).

Open VeraCrypt, click HELP and then open Beginner's Tutorial which will aid in building the encrypted container for the USB drive.

On my USB, I start VeraCrypt, selecting the encrypted "file/volume" choosing an available drive letter and the password file becomes available once the correct password is entered. I then start PasswordSafe selecting the password file.

VeraCrypt allows you to save the mounted volume as a favorite, and PasswordSafe can be configure to automatically , log into a website.

It it really that safe?

https://www.bleepingcomputer.com/news/security/lastpass-says...

One of the reasons I don’t like cloud based password managers. Supposedly passwords are safe,

LastPass got hacked again, but they reiterated it's not possible to steal passwords. I think we need to think about practicality as a factor.

What are the odds everyone here has a amazon, large bank, warehouse club, etc. account, with lots of info? Why trust those folks, they're always targeted and the basis of phishing, smishing, etc.?

You can always do what my wife does, and that is to keep all her passwords in a notebook. She was visibly upset when that notebook was misplaced a couple of months ago.

Do you remember I mentioned her aunt, does not lock her door to this day, in metro NYC? It makes absolutely no sense. The reasoning is that noone has ever broken in since they lived there in 1994, and the houses near them are all 1.5 mil+, and their house is only 1300 sq ft. Why would anyone want to go inside and steal anything?

There is never a problem until there is one.

It is todays world.

I have used Lastpass FREE for a VERY long time. Since it is just me and my wife, I have no need for the paid features, EXCEPT at one time mobile use was also free. However, there is a new one called Bit Warden. It started out with some operations that were not quite up to Lastpass. It is getting better, but its primary "better" feature now is I can use it on my mobile devices. Maybe that will go away to the paid version in the future as LP did, but for now.....
If you don't need the other features of LP, go for the free version, or try out BW.

yes it's called a notepad

That we get it free through work, the "family." My wife prefers a notebook, and as mentioned, she became very agitated when she couldn't find it.

The oddity is it seems as I found out, after 1 year, they want money. So I simply clicked deactivate, and reactivate, and free again. The only difference I notice is that I can access it on phones and computer, whereas for free, just one device, not a big deal.

I have been using Avira password manager for over a month now with no problems. You can sync it to your other devices if you desire. You have the option to go into settings and disable the cloud. Very user friendly see https://www.avira.com/en/password-manager. Video https://youtu.be/e-5o2bYAcZM

Have used Roboform for a number of years. It is a paid service but it always has sales that make it very very cheap. Has not let me down yet. Cannot convince my wife to use a password manager. She wants to write everything down and put it in a drawer.

That's odd. I've used LastPass for several years and am not paying for it. Every so often a message pops up asking for a donation but it's not required for continued use of LastPass. To be fair, I use LP on exactly one laptop and no other device of any kind, so maybe that makes a difference.

Phil

^^^^THIS^^^^

You’ve said the key words, “exactly one laptop.” Since March 16, 2021 LastPass Free will include access on one device type only. There are some features that are available in the paid version however; see https://www.lastpass.com/pricing/lastpass-premium-vs-free for a comparison.

See https://www.bleepingcomputer.com/news/security/lastpass-hack...

What the hackers can do with the info remains to be seen but if I had a LastPass account I would be changing my master password to something very strong.

Kind of like locking the barn door after the cows have gotten out. If they got your info, it's with your older weak master password. This is where I'm at. I haven't used LastPass for years, but I found out by trying today that yes I do still have an account and the master password is not 12 characters. Oh Boy!

Read the content at https://www.androidpolice.com/lastpass-vaults-leaked-after-a....

The hackers got the vaults and that is encrypted and there isn’t any way to get into them in theory. But that is dependent on just how strong the master password is. Hence the reason why you should change it ASAP and make it very strong.

And a password that's very strong should be at least 16 characters if not more, and it should use upper-case letters, lower-case letters, numbers, and punctuation and spaces. Not just some of these; one or more of each these! It should look like gibberish.

So for each website password, it's good strategy to let the password manager such as LastPass generate and remember a random strong password. For the strong password you use to unlock your password manager and be able to use your saved passwords, that's not a great idea, because you're not going to remember the random strong password, and you have to be able to type it easily. You shouldn't write it down somewhere, particularly where someone could find it by your computer. You have to be able to memorize it.

One good strategy to use for a secure master password is to take a favorite line or three of dialogue or lyrics from a favorite movie, show, or song, or something else you can easily and accurately remember that is at least 16 words long. Then take the first letter of each word. Some letters you can convert to numbers; for example, change the letter I to the number 1 and the letter O to the number 0. Add punctuation where it normally falls, and add a space somewhere you can remember. Use upper- and lower-case letters where they would normally fall in the quote, or have a specific sequence where you apply them. Practice typing it a few times while you speak the quote aloud, then use it daily, and you'll get it, remember it, and get faster at typing it. To anyone else, it will still look like gibberish and be very hard for hackers to stumble into.

For example... what's this well-known song lyric forming this strong secure password:
Y,amTssfa; nilaTth2s. 01biY.
(You could just do the first two parts of this, but longer is always safer, as long as you can remember it and type it quickly and accurately.)

Answer, Paul McCartney singing: "Yesterday, all my troubles seemed so far away; now it looks as though there here to stay. Oh I believe in Yesterday." (The T's are capitalized because I decided to capitalize the fifth character of each line.) Even if somebody thinks to try that lyric, they won't know your system for encoding it, which would likely be different from someone else's system.

Firefox has a handy password generator.

Here's a sample one for some site - Ty#A3C$Rei9!mNM0v@Zzi9!D2zP( . Good luck trying to hack that.... Or remember it.

So does Vivaldi.

To the guy recommending passwords be at least 16 characters, your chosen length is a matter of opinion. I personally use 12, though I generally do not use punctuation. Regardless, mine still would take longer than the current age of the universe to crack using brute force.

I stumbled apon this LastPass discussion in Mastodon and do not know the author. Someone here might find it interesting.

https://sfba.social/@epixoip@infosec.exchange/10958504975948...

Other than convenience what other benefit is there to cloud password stores?