Anyone use a password manager?


Because our work uses LastPass, we got an offer to use it at home for free (separate family account).

Well, I just discovered it's expired!

Kind of scary. I don't think I have to pay $4/mo for my passwords, because that would not make sense. I can still log in, but it says expired.

I'll find out what's going on tomorrow.

It's been very convenient, and I figured since it's a corporate product, it must be secure.


none

zx1100e1 wrote:

Other than convenience what other benefit is there to cloud password stores?

None other. But I currently have 73 user logins and passwords; what is a practical way to manage them? Maybe use something easily remembered and the same for all 73, jimmy1, or get fancy, jimmy 987? lol

With the latest LastPass hack, it seems hackers are getting better and stealing more info with each successful go.

Still, it seems the key to the LastPass kingdom is one's master password. LastPass doesn't know it, doesn't have it; only the client does. It's the only way to decrypt the stolen information.

So as a precaution, I've updated mine to a strong password that even I don't know. So if a hacker were to put a gun to my head and ask me to speak my master password, I could confidently and truthfully say "I don't know it" as the bullet is fired.

It was generated by Apple passwords, and that's the only place it exists.

What is “Apple passwords”?

Are you referring to iCloud Keychain?

--
John from PA

cloud password stores

Well, the fact that it's convenient means you don't have to remember each login/password combination, so each place you need to log into can have a different username and password combination.

I think that's a crucial point in the password-based world we live in.

Now maybe someone might steal your entire password vault because it's in the cloud... but that's why you have to choose wisely and find a provider that can secure their system.

Security and convenience are often opposite ends of the spectrum. In this case, I would argue that the convenience of storing passwords in the cloud enables better security... until someone cracks your vault.

I believe

John from PA wrote:

Are you referring to iCloud Keychain?

That is it, as it has AutoFill Passwords toggled on, and it generated a strong password into the LastPass login screen when I was at the screen to enter a new master password.

Again, I learned long ago that rather than trying to defeat encryption, it makes more sense to simply obtain a password. A sticky note on the monitor, the notebook that has them all handwritten in it, or, more practically, phishing or smishing. It's not practical to randomly guess, even with a computer, other than simple passwords like jimmy1, Jimmy1, etc.

Does anyone remember the days of the bank safety deposit box (do they even exist? I've never had one; my parents did), where 2 keys were needed to open the drawer? Encryption is a little more than that. I believe what one often misses with LastPass is that they don't know your master password; the decryption, from what I understand, is done on the client side. So hackers need it, and sure, they can send a bogus email to get it. But they can't physically steal it from LastPass, since it was designed that way. They refer to their architecture as Zero Knowledge.

Funny, used to hear the term "no knowledge" in NYC whenever a public servant did something against policy lol

Only time will tell…

John, you are correct about the encryption being done at the local level; quoting the LastPass people, “Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass.” But those same people are the ones that just weeks ago, said there wasn’t any way for a hacker to access customer vaults.

--
John from PA
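The client-side model discussed above (the vault key comes from the master password, LastPass never has it, and the quoted line "encrypted and decrypted at the device level"), as an added example that is not part of this thread and is not LastPass's own code. It uses only Python's standard library, derives the vault key with PBKDF2, and shows what the server (or whoever steals its database) actually holds and why the only way in from there is to guess the master password. HMAC-SHA256 in counter mode is a stand-in for the real product's AES so there is no third-party dependency; the master passwords, vault contents, iteration count and word list are all constructed.

```python
"""Client-side ("zero-knowledge") vault model, stdlib only.

The key that unlocks the vault is derived from the master password on the
client.  The server stores salt, iteration count, nonce, ciphertext and tag,
and nothing else, so whoever steals its database still has to guess the
master password offline.  HMAC-SHA256 in counter mode stands in for the
real product's AES so the example has no third-party dependency; the
encrypt-then-MAC layout is the standard one.  All passwords, vault contents
and the iteration count are constructed for illustration.
"""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumption for the demo; production clients use more


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks, concatenated and truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, vault: dict,
                  iterations: int = ITERATIONS) -> dict:
    """Runs on the client.  The returned dict is everything the server sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(vault).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iterations": iterations, "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict):
    """Return the vault, or None if the password is wrong or the blob was altered."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    key = derive_key(master_password, salt, blob["iterations"])
    enc_key, mac_key = key[:32], key[32:]
    expected_tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, bytes.fromhex(blob["tag"])):
        return None  # wrong master password or tampered blob: indistinguishable
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def offline_guess(blob: dict, candidates):
    """What a thief does with the stolen blob: pay the PBKDF2 cost once per candidate."""
    for candidate in candidates:
        if decrypt_vault(candidate, blob) is not None:
            return candidate
    return None


if __name__ == "__main__":
    vault = {"bank": "correct horse battery staple", "email": "Tr0ub4dor&3"}  # constructed
    wordlist = ["password", "Jimmy1", "jimmy987", "jimmy1"]                  # constructed
    weak_blob = encrypt_vault("jimmy1", vault)
    strong_blob = encrypt_vault("Vq7#pL2mXz9!aR4wNc8d", vault)  # constructed, generator-style
    print("server-side view of the weak vault:", weak_blob)
    print("weak master password recovered:", offline_guess(weak_blob, wordlist))
    print("strong master password recovered:", offline_guess(strong_blob, wordlist))
```

Two things the run makes concrete: nothing in the stored blob lets the server (or the thief) recover a password without a candidate to try, and each candidate costs a full PBKDF2 run, so the iteration count is what makes a long word list expensive. A master password that appears in a word list, like jimmy1, falls on the first pass; one that does not is out of reach of this attack entirely.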

if you didn't

If YOU used a master password shorter than the 12 characters LP suggests, then your data might be more vulnerable to brute-force password guessing. That would allow access to the rest of your passwords.
So again, the LP system is probably about as secure as you are going to get. Perfect? NOTHING IS. But the most vulnerable part of it is YOU.

So what are your options? Most secure, don't use the internet.
Least secure, write them down, use the same password.

again

trying to inject practicality.

There are songs written about people who, when they hear a knock on their door, stay very quiet and hope the entity knocking goes away. This is very safe.

I have 73 usernames and logins, and I'm a nobody. If I were to call Goldman Sachs and ask for just a little investment advice, they'd say get your info on CNBC or CNN 3 months late just like everyone else except our clients lol

My company uses LastPass. They're not the biggest company in the world, but they do have 18,000 employees. That was my reasoning for deciding to get something going with managing these passwords other than a notebook. Or a local app.

I've even seen people say, don't get XM radio, they'll automatically charge you because you gave them your CC! For these extremists, yes, I don't think online is a good idea, best to do things locally.

For the rest of us, unfortunately, we have to compromise. We cannot boil the ocean. My .02.

Alerts and 2FA

ruggb wrote:

...
So again, the LP system is probably about as secure as you are going to get. Perfect? NOTHING IS. But the most vulnerable part of it is YOU.

So what are your options? Most secure, don't use the internet.
Least secure, write them down, use the same password.

As I think I wrote earlier, besides preventing access to your accounts, you can set activity alerts that are texted or emailed to you that let you know there was activity on your account, and if you didn't initiate the activity, you can prevent further transactions on the account and change your other accounts passwords. You can also add 2FA to accounts that offer it meaning that even with a username and password, bad actors won't gain access to your accounts without knowing even more about you.

Interesting, a competitor says $100 might get you in

A competitor to LastPass says that in many cases $100 can get you into a user’s vault. LastPass likes to say a million years or something similar, but that is for a 12-position randomly generated password. But many people don’t use such a password; they may use something like a pass phrase. Something like “the phillies lost the series in 2022” may be significant to an individual, but becomes easier to crack.

The link to the content is at https://www.iclarified.com/88686/lastpass-passwords-are-crac....

--
John from PA
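A way to put numbers on the $100 claim above, added here as an illustration and not taken from LastPass, 1Password or the linked article: the expected cracking cost falls out of two quantities, the size of the password space and the PBKDF2 iteration count, and the functions below combine them under an assumed hash throughput and GPU-rental price. The "memorable sentence" model (a few slots such as team, verb, event and year) is a rough stand-in for how a cracking rig would generate phrases like the one quoted; the slot sizes, the 2e9 HMAC/s rate and the $1 per GPU-hour figure are all assumptions, not measured or vendor numbers.

```python
"""Cost of guessing a stolen vault's master password offline.

Two knobs decide whether a thief's budget suffices: how many guesses the
password space forces (entropy) and how much each guess costs (the PBKDF2
iteration count).  The throughput and price figures below are assumptions
for illustration, not measured or vendor numbers, and the "memorable
sentence" model is a deliberately rough guess at how an attacker would
generate phrases like "the phillies lost the series in 2022".
"""
import math
from dataclasses import dataclass

HMAC_PER_SEC = 2e9      # assumption: HMAC-SHA256 evaluations per second on one GPU
USD_PER_GPU_HOUR = 1.0  # assumption: rented-GPU price


@dataclass
class Policy:
    name: str
    keyspace: float  # number of equally likely master passwords under this policy


def random_chars(length: int, alphabet: int = 95) -> Policy:
    """Generator output, e.g. 12 printable ASCII characters."""
    return Policy(f"{length} random printable chars", float(alphabet) ** length)


def memorable_sentence(slots) -> Policy:
    """Phrase assembled from slots given as (slot name, number of choices)."""
    space = 1.0
    for _, choices in slots:
        space *= choices
    return Policy("memorable sentence " + "+".join(n for n, _ in slots), space)


def bits(keyspace: float) -> float:
    return math.log2(keyspace)


def seconds_to_crack(keyspace, iterations, hmac_per_sec=HMAC_PER_SEC):
    """Expected time: half the keyspace at (rate / iterations) guesses per second."""
    guesses_per_sec = hmac_per_sec / iterations
    return (keyspace / 2) / guesses_per_sec


def dollars_to_crack(keyspace, iterations, hmac_per_sec=HMAC_PER_SEC,
                     usd_per_hour=USD_PER_GPU_HOUR):
    return seconds_to_crack(keyspace, iterations, hmac_per_sec) / 3600 * usd_per_hour


def iterations_for_budget(keyspace, budget_usd, hmac_per_sec=HMAC_PER_SEC,
                          usd_per_hour=USD_PER_GPU_HOUR):
    """Iteration count at which the expected cracking cost reaches budget_usd."""
    return budget_usd * 3600 * hmac_per_sec * 2 / (usd_per_hour * keyspace)


def compare(policies, iteration_counts):
    """Rows of (policy, iterations, bits of entropy, expected cost in USD)."""
    rows = []
    for p in policies:
        for it in iteration_counts:
            rows.append((p.name, it, round(bits(p.keyspace), 1),
                         dollars_to_crack(p.keyspace, it)))
    return rows


if __name__ == "__main__":
    # Slot sizes are assumptions: team, verb, event, year, and spelling/spacing variants.
    sentence = memorable_sentence([("team", 30), ("verb", 20), ("event", 20),
                                   ("year", 50), ("spelling", 8)])
    # 5,000 and 600,000 are assumed "low" and "high" iteration counts for comparison.
    for name, it, b, usd in compare([random_chars(12), sentence], [5_000, 600_000]):
        print(f"{name:55s} {it:>7d} iterations  {b:5.1f} bits  ${usd:,.2f}")
    needed = iterations_for_budget(sentence.keyspace, 100_000)
    print(f"iterations needed before the sentence costs $100,000: {needed:,.0f}")
```

The output shows the asymmetry the thread is circling: raising the iteration count multiplies the cost of every policy by the same factor, so it helps a random 12-character password that was already out of reach and barely moves a 22-bit sentence, which stays under a dollar at any iteration count a client could tolerate. The entropy term is the one a user controls.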

In my mind

John from PA wrote:

A competitor to LastPass says that in many cases $100 can get you into a user’s vault. LastPass likes to say a million years or something similar, but that is for a 12-position randomly generated password. But many people don’t use such a password; they may use something like a pass phrase. Something like “the phillies lost the series in 2022” may be significant to an individual, but becomes easier to crack.

The link to the content is at https://www.iclarified.com/88686/lastpass-passwords-are-crackable-for-100-says-rival-1password.

I am on the right track, when even I don't know my LastPass master password. If I don't know it, it can't have been something like "Davey1" or "Flyers4EV3R!"

I liken this topic to walking into a casino and you can see the roulette wheel's previous 25 results (because this obviously helps to determine what the next spin will result in). lol

What if a super computer has an algorithm to determine what strong passwords Apple is likely to come up with, then apply it to LastPass, all in one shot, and, charge only $19.95 plus shipping and handling to do so? (this price is only for the first 100 callers, then it goes up to $24.95)

Well, at this point, I'd probably say, I did as much as I possibly could to try to manage 73+ user logins, and they still got me, so I did my reasonable best. Sometimes, we do lose, we don't always win. But other times, we're boiling the ocean...

What happens if...

johnnatash4 wrote:

I am on the right track, when even I don't know my LastPass master password. If I don't know it, it can't have been something like "Davey1" or "Flyers4EV3R!"

If you don't know the master password, and supposedly LastPass doesn't know it either, what happens if the LastPass server crashes or is hacked by ransomware?

At least with my product, no passwords are resident in the cloud. They are only present on my laptop and a few other devices. Backups, which include the encrypted database, are made monthly. If any of the three devices crashes, then I can access my vault using the copy on either of the other two devices. If I get a new laptop, I simply install the utility and copy the vault over from a device or a previous backup.

--
John from PA

Password manager

All of the password managers I checked out had the export/import function. So you can export all your passwords to a file anytime you feel it is necessary. Avira saves as a CSV file. It doesn't make any difference whether it is in the cloud or saved onto the computer. I update my passwords to a USB drive in case the password manager site goes down or the computer fails.

--
Charlie. Nuvi 265 WT and Nuvi 2597 LMT. MapFactor Navigator - Offline Maps & GPS.