Password Apps, Good or Bad ?

[phlegethon]

Your passwords could be stored in a Chinese datacenter, and you wouldn't know it.

I also wouldn't care. If the Chinese government starts buying stuff with my Amazon account, I will find out soon enough and my credit card will not charge me. If they start reading my email, I think they will fall asleep pretty soon from wading through spam. Again, if you are really worried about state-level entities reading your electronic communication, then yes maybe password managers are a bad idea, but then again probably electronic communication might not be ideal either.

I am fine with having my credit card stored in the cloud. Every year or so one will get stolen, probably not from that but more likely from unscrupulous employees at companies, and they get reissued and it's just a minor inconvenience.

 

[phlegethon]

The auto sync does not always work,

I use it too, it's lacking in staying on top of things, and several times lately with all the changes to iOS it falls down

Unfortunately this is true, Apple has been pretty bad about fixing noncrashing bugs lately, and frankly computers seem to have gotten too complex to work very well in general. But for me I think the inconvenience of using a third party password manager would outweigh the benefits. I've always heard good things about 1Password though.

 

[Gunfighter14e2]

My brain is not working as it used too

Luckily It's be nice to Frank Friday, otherwise,...well you know.

 

[Lowlight]

Luckily It's be nice to Frank Friday, otherwise,...well you know.

The trolls on YT missed the message, I had to delete about a dozen troll accounts today

Lots of proxies over the last few days, we had a weird rush of signups here recently '

Then Panama spent the entire night trying to hack my WP side of the site. I Had a dozen notices of failed hack attempts.

Next time put the word out earlier in the week

 

[x_789]

Large company I work for allows Keepass. I been in IT for 20+ years and haven't found an issue with it. Use it at work and at home.

 

[Gunfighter14e2]

Next time put the word out earlier in the week

As the sight gets larger, an as we get older, it only gets worse. Trust me, old age sucks,...

 

[BytorJr]

I use Enpass which works ok but they totally screwed up a few months ago on an update. The advantage is that it can be on your own cloud, no cloud, stick or wherever.

The default passwords are now like 45 characters which a lot of companies don’t support including banks.

Sometimes it has problems syncing and getting backups to retrieve missingor trashed passwords is a pita

The BIGGEST issue I have is I tried to change to 1password and enpass writes out in a proprietary text document. Some folks have written Python scripts to convert but is not ideal and can fail.

 

[EddieNFL]

It's great that they're telling you how great they are, and that they're so great that they can fix an exploit before the exploit is even created/detected/used by nefarious not-so-greats.

Live long and prosper. Myself, I'll do things slightly differently.

I don't own a cell-phone, and I'm PROUD of that fact. Mankind has lived for eons and eons without it/them, and now all-the-sudden people can't even do their own breathing or blinking without being told to by their thumbs......

Beyond sad.

So, your advice is based on not owning a cellphone?

You don't drive, do you?

 

[308220]

I dont use ANY password apps or cloud services. I own 3 businesses, all internet related. I have to have 6-8 passwords for each entity across multiple websites. Because they each provide a different service to me.

I never use the same password twice. All my passwords are long. With numbers, upper/lower case letters and multiple characters. I also use 2 step authentication on a few sites. I NEVER allow a browser to save my passwords to my business related logins.

I keep a list on notepad (IOS) of all my passwords and a hardcopy locked away in a safe place if I were ever to lose my phone. Or it gets stolen. Also, use a passcode on your phone. 6 digit. No facial or fingerprint shit.

Ive never been cracked. I would NOT keep sensitive passwords on an Android, app or browser. No way.

Also, keep your PC up to date on firewall/virus protection. Clear your cache (CCleaner). And never open/download suspicious shit. You wont have any issues.

 

[MarinePMI]

Personally, I'd listen to hic28's comments, he deals with IT security in his day job.

A lot of these password managers are relatively secure, but just like a gun safe, they won't stop someone who is determined to get it, and has the resources to do it. Use them for what they are; a way to secure stuff from the vast majority of low level, flunky hackers. That being said, speaking from the other side of the green door...nothing is completely secure, nothing. You just have to weigh the risks and the ease of use against the inconveniences and PITA it is to reset forgotten passwords.

While Frank is popular, and can be a bit of a firebrand at times (intended as a compliment), I'd doubt he'd attract a trained cyber team to go after his shit...

 

[Sean the Nailer]

So, your advice is based on not owning a cellphone?

You don't drive, do you?

I've enough friends who do have cellphones, and also have learned of enough who have been hacked/ripped off, to know better.

Yes, I do drive. No, I don't free-dive. The title of the thread is/was called "password apps good or bad" I guess that's only for people who're allowed to have an opinion.

Be sure to let us all know who's allowed.

 

[EddieNFL]

I've enough friends who do have cellphones, and also have learned of enough who have been hacked/ripped off, to know better.

Yes, I do drive. No, I don't free-dive. The title of the thread is/was called "password apps good or bad" I guess that's only for people who're allowed to have an opinion.

Be sure to let us all know who's allowed.

So...heard it from a friend? Sounds awfully familiar. I know lots of pilots. I don't give advice about flying.

Everyone is allowed an opinion. Everyone is allowed to question opinions.

 

[OldSalty]

A metaphore comes to mind. Something about eggs...and a basket.

 

[TheMammoth]

gotta clarify that “using cell phones” is sms (text message) and yes, that is garbage

but using duo, MS Authenticator or google Authenticator is pretty safe

This.

A quick google.search points you to all the reading you need. Your gonna do what you want. I'm just telling you your phone and all the apps on it arent as secure as you think. Thats all.

Has Your iPhone Been Hacked? Google Reveals Massive Malware Attack

Prior to a February update, visiting specific sites on your iPhone could have sent your passwords, chat history and location data to unknown hackers.

www.newsweek.com

You keep posting things that are not only generally unrelated, but also misleading or outright contradictory. Listen to Frank.

I work in this space - deeply.

Security in this scenario comes down to a few items:

1. Good security cannot be had when you use weak passwords on sites
2. Or Reuse passwords.
3. It is more likely for a major site to be the source of authentication compromise, which then trickles down to mass compromise due to reuse.

Password management allows you to set very strong passwords and eliminate re-use.

Tips:
1. Pick a large one. Like lastpass which is very good.
2. Use 2FA with the password manager. IOS FaceID is very good for this.
3. Use unique and randomly generated passwords on each site limiting the points of failure to the password manager.
4. Back up the data to prevent loss.

When proper measures are taken, password management can result in an overall growth in security posture and not a failure.

Realize however that every major government has comprehensive access to these sites, either through legal channels or through zero-day exploitation.

BUT - they can attack a child site like amazon the same exact way anyway and get access.

This is basically one of the only posts here where someone finally understands what they're talking about and is staying on topic lol. If everyone here followed this advice most compromises would vanish.

Thank you.



For everyone else, please keep in mind that YOU failing is where almost all non-source compromises happen.

Stop being a dumb ass and clicking on random shit. Stop opening and clicking on emails you do not know the source of. Stop falling for phishing scams. Stop watching scuzzy porn sites on your phone. Stop using one email for everything you do.

TFA that doesn't use SMS. Multiple segregated and use-specific email addresses. Random NEVER reused passwords. Temporary credit card numbers. etc should all be BASELINE.

The password manager in combination with base level security and privacy measures on your part will result in a net-gain in security.

 

[padom]

This.


You keep posting things that are not only generally unrelated, but also misleading or outright contradictory. Listen to Frank.



This is basically one of the only posts here where someone finally understands what they're talking about and is staying on topic lol. If everyone here followed this advice most compromises would vanish.

Thank you.



For everyone else, please keep in mind that YOU failing is where almost all non-source compromises happen.

Stop being a dumb ass and clicking on random shit. Stop opening and clicking on emails you do not know the source of. Stop falling for phishing scams. Stop watching scuzzy porn sites on your phone. Stop using one email for everything you do.

TFA that doesn't use SMS. Multiple segregated and use-specific email addresses. Random NEVER reused passwords. Temporary credit card numbers. etc should all be BASELINE.

The password manager in combination with base level security and privacy measures on your part will result in a net-gain in security.

LMFAO. You sit here and tell me idk what Im talking about and Im posting unrelated shit...then you go ahead and say the EXACT same thing Ive been saying. Its not about the password manager, they work, they do their job. Thats not how your phone gets compromised...Click on phishing emails, links, visiting shady sites, those are all how your phone, tablet, pc, get compromised along with everything on it... Simple best practices are how you prevent this shit. I dont store anything I dont want to risk getting compromised on my phone. Has worked great. You can do what you want. I have 20+ years experience in the IT industry...I know a little bit

 

[TheMammoth]

LMFAO. You sit here and tell me idk what Im talking about and Im posting unrelated shit...then you go ahead and say the EXACT same thing Ive been saying. Its not about the password manager, they work, they do their job. Thats not how your phone gets compromised...Click on phishing emails, links, visiting shady sites, those are all how your phone, tablet, pc, get compromised along with everything on it...

You posted links implying that a password manager is compromised by a key logger when the only thing at the time was being discussed was the security of the manager itself. That's blatantly misleading, intercepting keystrokes and field insertion are vastly different attacks.

Anyone who isn't a retard knows these things and you kept responding to the person who asked the original question when I think it's pretty clear he knows more than the average person about keeping things on lock down.


But you are right I posted a bunch of baseline shit for idiots since the thread has gone off the rails and that didn't help keep it on track.

I have yet to see anything in this thread to dissuade anyone interested in maintaining peak personal security from using a manager.

 

[padom]

You posted links implying that a password manager is compromised by a key logger when the only thing at the time was being discussed was the security of the manager itself. That's blatantly misleading, intercepting keystrokes and field insertion are vastly different attacks.

Anyone who isn't a retard knows these things and you kept responding to the person who asked the original question when I think it's pretty clear he knows more than the average person about keeping things on lock down.


But you are right I posted a bunch of baseline shit for idiots since the thread has gone off the rails and that didn't help keep it on track.

I have yet to see anything in this thread to dissuade anyone interested in maintaining peak personal security from using a manager.

Are you coming to Frank's rescue? Frank's a big boy, Frank said what he had to say to me and made it clear he wanted to keep the convo on track strictly about the password manager software itself.

I didnt know he needed you to come in to his rescue and regurgitate what he already said.

 

[antithesis]

Large company I work for allows Keepass. I been in IT for 20+ years and haven't found an issue with it. Use it at work and at home.

Keepass is the bomb for personal passwords, especially those that are for highly sensitive accounts, but you need to have the mother of all passwords or a hardware encryption device like a yubico to protect the database. The mobile version is rather difficult to use, and nothing syncs without moving files + a manual import.

Pleasant Password Server is a network app that was built on top of Keepass. It is essentially a private, although typically corporate, form of online password servers.

When available, the best option is to use a Microsoft, Google, or your Amazon account setup with MFA to login to a site. MS and Google are doing well with their authentication apps to really cut down on password usage. I assume Amazon will follow. MS is ahead of the game as you can now use push notifications which only requires you to tap Accept on the phone when logging into something.

After that it really comes down to who you want to trust. For non-critical sites you can use pretty much anything, including auto-sync services from Google or TrendMicro, and online storage services such as Lastpass. For financial stuff, MFA is a must IMO and if it is not available there is no way I am putting the creds on someones cloud instance. Sure they are secure and someone is watching, but when the inevitable happens you won't be notified that it happened until months later. Even a good remembered password plus MFA (authenticator app or hardware token, not SMS or email pin) is better than some badass password.

As far as leetspeak, that shit is old and over with. Crackers have been incorporating the substitute characters for years. The best passwords are phrases (partial or full sentences with punctuation and proper camel case) that are corny (hard to guess) but mean something to you (easy for you to remember).

 

[TheMammoth]

It appears you got overruled, doofus.

 

[rob.sfo]

I’ve used LastPass for like a decade. Love it. I accept the compromises.

But I also use two-factor authentication for any important logins.

 

[Greg Langelius *]

I make a concerted effort never to post my OpSys, System protection, pictures, or any data encryption nomenclature on the web; knowing that none of these practices constitute an even rudimentary form of protection.

I recognize that I, myself, am the most likely cause of my own data breach.

Think about this; if I can access my own data store, the encryption has already been solved at least once, and probably more times in one day than I can write in consecutive 1's in the span of 20 breaths. ...Or 2's... Talk about a Googleplex of cycles over decades of time being required to crack encryption ignores one simple fact. Next year, and the year after, everything gets orders of magnitude faster and cheaper to crack. As long as there's data processing, this simple fact remains.

Should I drop a name? NSA...?

When I started in the data communications business, 120 baud was the fastest available rate of data transfer, and required a dialup phone line.

Greg

 

[_Windrider_]

Getting tired of dealing with passwords across multiple platforms where sometimes the phone remembers my stored web passwords, some times there is no stored password, and having to deal with passwords

Who uses the Password management apps

Dashlane
1Password

Which do you recommend if any at all?

I use eWallet. Syncs across all platforms and you can open a browser in the app that auto fills the PW for you.

 

[Crang]

I’ve used LastPass for like a decade. Love it. I accept the compromises.

But I also use two-factor authentication for any important logins.

Same here.