Ask Slashdot: Should You Use Password Managers?
2017-03-08
New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do?
Should You Use Password Managers? (Score:1)
Yes.
Re: (Score:2)
Ian Betteridge's head just exploded.
Re:Should You Use Password Managers? (Score:4, Funny)
Some day I hope to see a submission with the headline: "Is Ian Betteridge's Law of Headlines Real ?". Sure, it might break the universe, but it's a risk we should be willing to take in the pursuit of truth.
Re: (Score:2, Interesting)
Why is lastpass a piece of crap, exactly?
Re: (Score:2)
+1 for 1Password.
I don't have strong enough words to endorse their Watchtower service, which tracks recent breaches, affected sites, and warns you about it so you can change your passwords on affected sites. It also reports about duplicate passwords used multiple places, last time they were changed, etc. That functionality of 1Password alone is worth the cost, especially if you have hundreds or thousands of passwords.
You can store your key database in multiple different places, you just have to choose the o
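As an added illustration (editor's example, not the poster's or 1Password's code) of the Watchtower-style checks described above: a small audit over a constructed vault that flags passwords reused across sites, passwords that have not been changed within a year, and entries for sites on a breach list. The vault entries, the breach list and the cut-off date are all constructed for the demo.

```python
from collections import defaultdict
from datetime import date

# Constructed sample entries: (site, password, date the password was last changed).
SAMPLE_VAULT = [
    ("mail.example", "hunter2", date(2015, 1, 10)),
    ("shop.example", "hunter2", date(2016, 6, 1)),
    ("bank.example", "vR9#mT4w!z", date(2017, 2, 1)),
    ("forum.example", "qwerty", date(2014, 3, 3)),
]
# Constructed stand-in for a breach feed: sites known to have leaked credentials.
BREACHED_SITES = {"forum.example"}
# Constructed "today" so the output is stable.
TODAY = date(2017, 3, 8)


def audit(vault, breached, today, max_age_days=365):
    """Return {site: [issues]} for every entry that needs attention."""
    # Index sites by password so reuse is found in one pass.
    sites_by_password = defaultdict(list)
    for site, password, _ in vault:
        sites_by_password[password].append(site)

    findings = defaultdict(list)
    for site, password, changed in vault:
        others = [s for s in sites_by_password[password] if s != site]
        if others:
            findings[site].append("reused on " + ", ".join(sorted(others)))
        age = (today - changed).days
        if age > max_age_days:
            findings[site].append(f"unchanged for {age} days")
        if site in breached:
            findings[site].append("site breached: change this password")
    return dict(findings)


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_VAULT, BREACHED_SITES, TODAY)


if __name__ == "__main__":
    for site, issues in sorted(run_audit().items()):
        print(site)
        for issue in issues:
            print("  -", issue)
```

The reuse check is the one worth copying: a single leaked password that also unlocks a second site is the failure mode the whole thread is about, and a manager can spot it mechanically where a human cannot.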
Re: (Score:2)
+1 for 1Password.
I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.
I'm switching to LastPass.
Re: (Score:2)
Hey, that's my Password (1Password) it satisfies all the usual criteria upper/lowercase letters, including a # and length => 8 char.
(j/k of course)
Re: (Score:2)
> Lastpass is a piece of crap.
And that's the end of the rant? Aww.
I continue to recommend Lastpass. 1Password (for 70$), not at all.
keepass (Score:1)
http://keepass.info/
Re: (Score:3)
I also vote for KeePass. It's very nice and very extensible.
Re: (Score:2)
KeepAss keeps your ass secure.
Re: (Score:2)
That was my thought exactly!
Re: (Score:1)
I use Keepass on my desktop(s) and Keepass Touch on my iPhone, since I can securely upload the desktop databases to the phone.
1Password (Score:2)
I have been using 1Password for the past few years and since I keep everything local to either my Mac or iPhone (using WiFi to sync) the only way I'll get hacked is if the attacker is already in my local network and if that's the case I'm already screwed. The data files have a master password that I have to remember, but it's much easier to remember 1 password and not hundreds, especially when different email accounts are also used. Is there a 100% secure system out there for passwords? Yes, but I'm sure a
Re:1Password (Score:4, Funny)
> Yes, but I'm sure a photogenic memory is super uncommon.
But my god are they beautiful to look at.
Re: (Score:2)
Re: Encrypted File, Encrypted USB (Score:1)
You had better use something in addition to that USB drive. One good static discharge and you're toast.
Use cloud storage like Google Drive or Dropbox and Keepass. It's encrypted, located locally and backed up to the cloud. Been working that way for years without any problems.
Keypass for me (Score:2)
KeePass (Score:1)
I don't trust cloud-based password managers. Use KeePass and encrypt your keyfile with a really strong password. If you want to access your keyfile from multiple devices, sync it to the cloud with box/dropbox/gdrive/etc. Even if the keyfile is stolen, it'd be very difficult to compromise if you use a strong password.
There's several options. (Score:2)
There's several options.
(1) Don't use a lot of password protected services; that way: less to remember.
(2) Live with being occasionally hacked.
(3) The Bratva solution: someone hacks you, send someone to shoot them in the head.
I don't know about you, but I'm kind of partial to #1, with #3 being a close second. I don't particularly like #2.
Re: (Score:3)
With every fucking site on the Internet now requiring you to have an account to even take a look at stuff (MassDrop, looking at ya), #1 is a no-go.
#2 is actually a valid option if you split your accounts into 3 main types:
- accounts essential to my well-being (mail, bank, etc) which mandate complex, unique, memorized passwords + 2-step authentication;
- accounts which are important but not essential (e.g. Steam), which mandate unique passwords with 2-factor auth but can be kept in a password manager;
- finall
Re: (Score:2)
4: Use password recovery.
Most sites allow you to reset passwords through a link sent through e-mail. Note: This is also why you should never register at a site using an e-mail provider you can't trust. Else whoever controls your e-mail can also reset all your passwords.
5: Remember them.
Buy and read a book on mnemonics. It's not wizardry to remember a few dozen different long passwords.
Use a password manager, don't store online (Score:4, Insightful)
Re: (Score:2)
+1. Second advice: don't use password managers with custom formats or custom encryption. My recommendation is Pass [passwordstore.org], with simple GPG encrypted files. Add the GUI of your choice over it.
Use a Local Not a Remote Passwords Manager (Score:5, Insightful)
Some password managers rely on remote servers or the cloud to store your password. That is risky for two reasons. (1) A service holding passwords for many users is a more likely target for hackers than your own individual computer. (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.
You should choose a password manager application that is installed within your computer and does not rely on you having an Internet connection. The application should use a master password -- actually a master pass-phrase -- to encrypt the individual passwords. That master pass-phrase itself is not stored anywhere. Instead, if it is entered incorrectly, it fails to decrypt any passwords. By "pass-phrase", I mean a longer expression containing blanks, punctuation, etc.
Note that Mozilla-based applications have internal password managers that reflect my second paragraph above.
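As an added illustration of the second paragraph above (editor's example, not the poster's code and not any real manager's file format): a tiny local vault where a master pass-phrase is run through a memory-hard KDF to derive an encryption key and an authentication key, the entries are encrypted-then-MACed, and the pass-phrase itself is never written anywhere. Opening the vault with the wrong pass-phrase simply fails the authentication check. The cipher here is HMAC-SHA256 in counter mode so the block runs on the standard library alone; a real tool would use a vetted AEAD such as AES-GCM, and the entries and pass-phrase are constructed demo values.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo data (not anyone's real credentials).
MASTER = "correct horse, battery staple: 1 long pass-phrase"
SAMPLE_ENTRIES = {"mail.example": "Xk7!pLq2", "bank.example": "vR9#mT4w"}


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so guessing pass-phrases against a stolen vault file is slow.
    # 64 bytes out: the first half encrypts, the second half authenticates.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only keystream; a production tool would use a
    # vetted AEAD (AES-GCM, ChaCha20-Poly1305) rather than this hand-built construction.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(passphrase: str, entries: dict) -> dict:
    """Encrypt the entries; the pass-phrase itself is never stored in the output."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the reader will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(passphrase: str, vault: dict) -> Optional[dict]:
    """Return the entries, or None if the pass-phrase is wrong or the file was tampered with."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # A wrong pass-phrase derives a wrong MAC key; there is no stored copy to compare
        # the pass-phrase against, the decryption just fails.
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    vault = seal(MASTER, SAMPLE_ENTRIES)
    print(open_vault(MASTER, vault))
    print(open_vault("not the pass-phrase", vault))
```

Two properties worth checking in whatever manager you actually pick: the on-disk file must be authenticated (a flipped byte should be refused, not silently decrypted to garbage), and the KDF must be slow and memory-hard, since an attacker who copies the file can try pass-phrases offline at full speed.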
Pick a pattern for your passwords (Score:2)
say like the site's name and select the letters and add in numbers. I use a couple different patterns depending on the type of site. That way I can remember 10's of passwords. 99% of the time it ends up nowhere near a dictionary word and they are all 8+ characters long.
Re: (Score:2)
I too use a password algorithm. You don't want to use letters in the site itself. You want to transform them so it's difficult to figure out the algorithm by looking at the passwords. Ideally someone would need to steal a bunch (like 8 or more) of your passwords and then spend a lot of time trying to reverse engineer them.
You can still use a password manager, just don't store the password. Store the algorithm ("First Algorithm"
.. "2015 Version" "Blue Algorithm" ... just make sure the name does NOT relate t
Hide it in plain sight. (Score:2)
Use firefox master password with mozilla sync (Score:2)
Yes. I recommend Firefox's password manager which can encrypt passwords stored in your browser with a master password. Then add to that Mozilla's sync feature to store an encrypted copy of your passwords on Mozilla's server. They are stored encrypted and cannot be recovered without the sync password and e-mail access. If you don't trust Mozilla's server, despite the passwords being encrypted, they provide the open source software so you can run your own server to sync your encrypted passwords to.
If someone
KeePass + Syncthing here (Score:2)
The issues with KeePass generally is synchronization of your password database. You can put it into a USB stick and it gets out of sync, or you can put it up in the cloud, but then it's sort of out of your control.
I use KeePass for my password database and then Syncthing to sync it on all my devices. It's light enough to work on a Raspberry Pi, so it's easy to set up a Syncthing cluster. Resilio (previously known as BitTorrent Sync) works too, but I've never tried it personally.
The result is an Open Source
LastPass (Score:2)
I've been using LastPass for years. I tried pwsafe (nice, but at the time, didn't support Mac well) and KeePass (which I didn't like for reasons that I don't quite recall now; ended up moving back to pwsafe) before I switched to LastPass.
The deciding factors were (1) LastPass Premium works on Android. (And, now, you don't need Premium; the free version also works on Android.) (2) Syncs password changes across all devices, and (3) Professional Paranoid Steve Gibson gave it his seal of approval.
Some of the
Better off with paper in wallet. (Score:1)
Just keep a tiny address book in your wallet.
Any important passwords you keep there.
The unimportant stuff can use a common password.
Pass (Score:2)
I like this solution, probably a little too un-'user friendly' for most though.
https://www.passwordstore.org/ [passwordstore.org]
Good use for an old PDA (Score:2)
Save hints (Score:2)
For any normal person (not rich, famous, or powerful), just storing hints in a document is good enough. Something like:
EBay kxxxxbxxxx3xxx
Where the mask character x is not precisely replacing characters.
It's enough to remind me, but not enough to aid a casual attacker.
"pass" (aka passwordstore.org) (Score:2)
In as tech, Linux, and retro community as Slashdot, I give a particular shout to "pass" (passwordstore.org). Takes a little time to realize how simply powerful it is. And, it's literally nothing but GPG, Git, and a long but easy-to-read Bash script. Also, works really, really well for a team that needs a secrets vault. Back when we did that with KeePass, we'd always get out of sync. Now? It's a git-merge, just like the code.
Want more advanced security than that? My teams' GPG keys (and SSH keys for G
SuperGenPass (Score:2)
https://chriszarate.github.io/... [github.io]
SuperGenPass is a different kind of password solution. Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit.
SuperGenPass is a bookmarklet and runs right in your Web browser. It never stores or transmits your passwords, so it’s ideal for use on multiple and public computers. It
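As an added illustration (editor's example, not SuperGenPass's own algorithm and not the "pattern" poster's scheme) of the idea shared by this post and the "pick a pattern" thread above, deriving each site's password from one memorised master rather than storing anything: a per-site derivation using PBKDF2-HMAC-SHA256, with the domain normalised and a rotation counter bound into the salt so a single leaked site password can be replaced without changing the master. Unlike a hand-made letter pattern, nothing about the master or the other sites' passwords can be read back from one output. The master value and domains are constructed demo inputs.

```python
import base64
import hashlib

# Constructed demo values (not anyone's real master password).
MASTER = "one strong master passphrase, memorised"
ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def site_password(master: str, domain: str, counter: int = 1, length: int = 20) -> str:
    """Derive a per-site password from the master; same inputs always give the same output."""
    # Normalise the domain so "Example.com" and "example.com" agree, and bind the
    # rotation counter into the salt so one site's password can be re-issued on its own.
    salt = f"{domain.strip().lower()}|{counter}".encode("utf-8")
    # A slow KDF: someone holding one derived password still cannot cheaply guess the master.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, 200_000, dklen=32)
    # urlsafe base64 keeps letters, digits, '-' and '_'; trim to the site's length limit.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    for domain in ("mail.example", "bank.example"):
        print(domain, site_password(MASTER, domain))
    # Rotating one site after a breach: bump its counter, the others are untouched.
    print("bank.example v2", site_password(MASTER, "bank.example", counter=2))
```

The trade-offs this design carries, and which the stored-vault approach does not: you have to remember which counter each site is on (in practice that is a tiny, non-secret list), sites with odd composition rules need per-site overrides, and because everything hangs off the master, changing it means re-setting every account.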
Yes and no... (Score:2)
I use a password manager that has Windows, Linux, Android and iOS clients. They all use the same encrypted data file that I keep on my Dropbox. I keep my day to day non-user critical account passwords in there so I can access them easily and quickly no matter where I find myself. But I don't put the important passwords (financial accounts and the like) in there, I just remember them.
But the PRIMARY thing you can do to keep yourself safe is to "DON'T use the same password on multiple sites!" Never, EVER u
Haha, no (Score:2)
Haha, no. For the same reason you don't keep all your valuables in one safe.
Should you drink water to stay alive? (Score:2)
I mean, you can probably live without for a while...
password safe (Score:2)
Use a manager, use 2fa (Score:2)
I use LastPass just fine, because every site where getting my login details would hurt, I use 2fa: Microsoft, my bank, PayPal, LastPass, Google, etc. Sure I'm picking up my phone once in a while but it's a good balance between secure and convenient. Far less secure are card details; mine got compromised recently but was detected and reversed almost immediately. Which is why I use PayPal whenever possible.