Passwords and Internet security

In this day and age we are now expected to have many user accounts and passwords for ever increasing sites be they different real estates, banks, US counties, Aust councils, etc etc

How are folks managing the plethora of accounts? I know that some time ago @Simon Hampel posted some comments about an off line program which managed all his accounts via one master password.

Just looked at 2 different online offerings which seem to have similar criteria but it would seem you need to trust some nebulous company who could disappear tomorrow leaving you in a gigantic hole.

The 2 online sites are :
#1 Password Manager & Vault App, Enterprise SSO & MFA | LastPass
Never forget another password | Dashlane

So how are you managing your user account / password nightmare?

 

I have password fatigue. It's crazy the variations, upper and lower case, digits numbers and characters.

 

I've been trying out Lastpass and 1Password to work out which is most usable for the family.

(@Simon Hampel - not as hardcore as having my own repository yet though).

I much prefer 1Password's security model but find it a little unreliable particularly on mobile. Lastpass has been pretty easy to use.

Dashlane, Lastpass and 1Password are all mainstream. Try out which one works for you.

P.S. I wouldn't recommend putting really critical passwords in the tool or those where your could expose yourself to liability in terms/conditions - like banking or main email account. For everything else it is great!

 

I also use 1 password

 

If you can't trust it for these things, you're back at square one.

 

Another very happy 1Password user here. Everything is in there. Works really well on iOS.

 

Read the terms and conditions of your internet banking carefully. Password managers are good but are vulnerable to compromise (think malware) like anything.

Not really, they are really convenient and good for most sites. However, by their very nature they are a big target. If you leave your main email account out, then at least you can reset the passwords if the password manager was compromised. If you have a few layers of security then it reduces the risk should one be compromised.

I'll go back to worrying that I'm being followed ....

 

Two factor authentication Always as a minimum. The days of a single password are over. Do not rely on single password unless absolutely necessary. A password vault will store your password and allow you to use something else but still sends a single authentication. Two factor is setup on the other side of the authentication not your side.
If you must use a single password ignore all the upper/lower/number/character stuff and just use a sentence as long as it is 12 or more its good. “ilikeapplesinmay” you can change to “ilikeapplesinjune” and continue for each month changing every month. Remember this will protect you from brute force attacks but not leaks/compromises that commonly use “pass-the-hash” and never require the attacker to decrypt the password. You must change at least monthly.

 

Personally, I'm not comfortable being in breach of the T&Cs but each to their own.

 

I am using keepass and store password file in USB drive. Drawback is if u cant access your USB, u cant access your passwords. Also you cant access it on mobile as they have not released authorised app. There are some unauthorised apps but i wouldn't trust them. I guess thats the inconvenience you have to go through if you do not want to put your password in someone's online servers and do jot want to pay as keepass is free.

 

Its important that you understand that password managers and vaults do not increase security. It is far more likely your password is compromised by the system you use it to access and not by your device. This is because the system is a higher value target (thousand of users compromised in lieu of just you). Forget them. Use simple passwords at 12 or more characters changing them monthly and use two factor authentication (2FA) at all possible times. 2FA protects you from someone else losing control of the hashed version of your password.

 

Microsoft released their public preview for FIDO2 - hardware security keys in the last few days. Their view on the world is passwordless.

 

Yes, but what password managers do is make it manageable to have unique passwords for every login. So when your password is compromised it is only one account that is affected, not a whole bunch of accounts for which you have used the same password.

 

Pretty happy with Lastpass, here.
Not sure if the other mobs have it, but I like the emergency sharing option. My partner and I have given each other access if we require it i.e. one of us gets incapacitated.
We're slowly filling out our respective "What to do in the event of death" type notes. i.e. which social media accounts exist and need closing, funeral arrangements, etc.

 

2FA through either a hard key, device, txt/email or token makes it irrelevant. They are a requirement of the past.