Password manager question

Artimas (joined Dec 10, 2013; New Jersey)
I have been looking at the popular password managers like LastPass, Dashlane, and Password1.
The websites haven't helped me figure out whether my wife and I both need separate accounts or we can share one. Many, but not all, of the sites we visit are the same, with the same password. We would sync across 4 devices between us.

Any recommendations? We use mac and iOS.

On another front, what's a good way to develop a strong but easy to remember master password for these apps?

Thanks.
 
I’ve always just used my brain. If that fails me, then a pen and notepad work well. YMMV
 
I use LastPass on MacOS (High Sierra). I don't really trust it either -- I let it generate passwords, which I then save in a file just in case, as sometimes happens, it fails to correctly fill in the password field.

The master password has to be something you can remember - so it is typically simpler, closer to common language (and therefore less secure) than the random strings the manager generates. So there is definitely a tradeoff. If you can think of a phrase that is not commonly used but that you know well, that's probably a good compromise, particularly if you replace some of the letters with digits or other special characters.
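To put numbers on the tradeoff this post describes (a memorable phrase versus the random strings a manager generates), here is an added example, not code from the post or from any of the products named in the thread. It generates a Diceware-style passphrase with the OS CSPRNG and compares entropy figures; the word list embedded below is a constructed sample, the 7776-word list size is the standard Diceware/EFF size, and the 1e10 guesses-per-second figure and the "attacker knows the base phrase" model behind `substitution_bits` are assumptions stated in the code.

```python
import math
import secrets

# Constructed sample word list (illustration only). A real Diceware or EFF
# long list has 7776 words, which is what the entropy figures below assume.
SAMPLE_WORDS = (
    "aileron alpha bravo cirrus cockpit compass cumulus delta echo flaps "
    "foxtrot glide hangar holding knots lift mach magneto nimbus pattern "
    "pitot rudder runway squawk stall tango taxi throttle trim vector "
    "yoke zulu"
).split()
DICEWARE_LIST_SIZE = 7776


def passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick n_words uniformly at random using the OS CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def random_string_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a manager-generated string over alphabet_size printable characters."""
    return length * math.log2(alphabet_size)


def substitution_bits(n_substitutable: int) -> float:
    """Upper bound on what 'a->4, i->1, o->0' style swaps add when the attacker
    already knows (or has guessed) the base phrase and tries every on/off
    combination of the substitutable letters: at most one bit per letter.
    Assumption: that attacker model; against a pure dictionary guess the phrase
    itself still has to be found first."""
    return float(n_substitutable)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace.
    Assumption: an offline attack at the given rate against the vault."""
    return (2.0 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("sample passphrase:", passphrase(6))
    for label, bits in [
        ("6 Diceware words", passphrase_bits(6)),
        ("12-char random string", random_string_bits(12)),
        ("20-char random string", random_string_bits(20)),
        ("known phrase + 5 letter swaps", substitution_bits(5)),
    ]:
        print(f"{label:32s} {bits:6.1f} bits  "
              f"{expected_crack_years(bits, 1e10):.3g} years at 1e10 guesses/s")
```

A six-word passphrase from a 7776-word list lands close to a 12-character random string; both are far above what letter substitutions alone contribute if the underlying phrase is guessable, so the words themselves should carry the randomness.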
 
[reply consisting of an image: password_strength.png]
 
I use LastPass; for the master password, use a phrase like IPassedCheckR1de&1FlyWhen1cAn!


 
I wonder how many have them on their computer in a file. So all that's needed is one hack into someone's computer and a bonanza of passwords becomes available to them.
 
How many devices does the average person use, and how many websites need pw's?
I am a low-use computer person and have 7 devices that I can think of offhand which I use and ~200 pw'd websites.
None of the devices share usernames and passwords (I don't have an online manager).
So every time a website thinks it's time to change pw's, it is a significant effort (logging on and inserting the new pw on each device, telling the browser to remember it) and a frustration ('cannot get website to accept new pw on device #5', or forget the pw, or get it accepted but not remembered by the browser, etc. etc.)
 
Lastpass has gone a bit downhill and become more arrogant since they were bought by LogMeIn. They do offer a family plan. They will not stay logged in across Firefox's private Windows. If you want to make it easier to use, you have to trade privacy.

Either way, get one that allows 2-factor authorization. Several options for the second factor, but it makes you much more secure on a mobile device.
 

Having the browser remember passwords is not a good idea; retrieving that password is child’s play.


 
I use Dashlane and 2-factor authentication. Never had a problem.
 
We use keepass at work.
It is pretty solid and it is local.
 
1Password is quite good for those in the Apple ecosystem. Especially nice for those with a 2016+ MacBook Pro who can use Touch ID on the Mac.
 
Having the browser remember passwords is not a good idea; retrieving that password is child’s play.
So I've heard.
Show me, children. Your challenge is to go ahead and get my POA password, then post as me.
 
I don’t really trust any of them fully, but I also don’t want to use the same password everywhere. So I use one.

I’m a 1Password user. Works on both Mac and Windows. Integrates well with browsers and doesn’t seem picky about which browser. They all work.

It DEFINITELY had a major security problem a few years back. I liked their response to it and the quickness of the fix.

Here’s the deal on it though. I do NOT use their cloud based thing they came out with. Or their family thing. Or their team thing.

I use a single Dropbox account that’s dedicated to that job. All it does is hold the encrypted files from 1Password. That’s it. It’s linked to all the machines that need to do 1Password stuff, and that means I don’t use Dropbox for other storage.

You could. I just don’t like to mix. No reasons other than my own. I use other things for cloud file storage.

That setup “feels” the best to me. I have a VERY small number of passwords that simply will never ever be in a password manager EVER and are only in my head. You have to choose if you need some of those or not on your own.

With two-factor being prevalent and available these days, tools like 1Password only handle one half of that. I like that for the sites that are important but not enough to memorize the password and never put it in the manager. And also for work stuff. We require it for the most part, across the board for things.

Downsides on TFA. If you’re using a number generator app on a mobile device, it’s (a) a problem if your device battery dies, and (b) there are way too many attack targets for a smartphone. But... it’s better than not doing it.

And the hardware based PIN generators in the past from some really big names in security, have had mathematical flaws that made them vulnerable. The biggest and most egregious was RSA’s keyfob tokens that were busted but they never recalled them, didn’t offer money back, nothing. Just “buy new ones” from them. Scum suckers.

At the end of the day, there’s going to be holes in all of these. Look at the patches and the quality of software now that we’re into the “daily patch” IT lifecycle and you’ll see it’s not getting better.

But that also means most of these websites also have awful code and are going to get hacked. So your password won’t even be needed. Hahahaha.

Perhaps a bit of a fatalistic view, but I see the sausage being made. It ain’t good. And we have a generation of “security” experts now who’ve never seen code. Let alone low level machine code. They don’t really understand what the machines are actually doing anymore. Which has made some of the hardware exploits that look at remnants of what’s in memory and what not, really impressive. The recent processor based exploits are brilliant. And still not properly fixed by Intel. Starting to doubt they’ll ever figure it out. They haven’t released working microcode that doesn’t screw up the hardware behavior yet. It’s been almost two months and they were notified long before this one went public.
 
Like a few others, I use LastPass as well. However, I've noticed a few sites that seem to block LastPass from working. Chase and Capital One are the ones that come immediately to mind. Not sure why they're doing that.
 
Yes, I like the ability to just use long mixed-case words without symbols or numbers. I tend to use famous names of significance to me.
 
Do they actually block it, or do they just not allow certain characters that LP wants to use? The character set is somewhat configurable, and you can always generate passwords one after the other until you get one that doesn't have the forbidden characters.
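The "keep generating until nothing forbidden shows up" approach in this reply can be done more directly by removing the forbidden characters from the alphabet before drawing, and the cost of doing so can be measured. The following is an added example, not LastPass's generator or any code from the thread; the policy classes (lower, upper, digit, punctuation), the 94-character base alphabet and the sample forbidden set `&<>"'` are assumptions for illustration.

```python
import math
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def meets_policy(pw: str, allowed: str) -> bool:
    """Require at least one character from each class the site still allows.
    A class the site forbids entirely (no digits, say) is simply skipped."""
    for cls in CLASSES:
        if any(c in allowed for c in cls) and not any(c in cls for c in pw):
            return False
    return True


def generate(length: int = 20, forbidden: str = "", alphabet: str = FULL_ALPHABET,
             max_tries: int = 1000) -> str:
    """Drop the site's forbidden characters from the alphabet up front, then draw
    uniformly with the OS CSPRNG and keep the first draw that meets the policy."""
    allowed = "".join(c for c in alphabet if c not in forbidden)
    if len(allowed) < 2:
        raise ValueError("alphabet too small after removing forbidden characters")
    for _ in range(max_tries):
        pw = "".join(secrets.choice(allowed) for _ in range(length))
        if meets_policy(pw, allowed):
            return pw
    raise RuntimeError("could not satisfy the class policy; length too short?")


def entropy_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)


def entropy_cost_bits(length: int, forbidden: str, alphabet: str = FULL_ALPHABET) -> float:
    """Bits lost by shrinking the alphabet, compared with the full set."""
    allowed_n = len(set(alphabet) - set(forbidden))
    return entropy_bits(length, len(alphabet)) - entropy_bits(length, allowed_n)


def regenerate_until_clean(length: int, forbidden: str, alphabet: str = FULL_ALPHABET,
                           max_tries: int = 10_000):
    """The reply's approach: draw from the full alphabet and reject any password
    containing a forbidden character. Rejection sampling yields the same uniform
    distribution as shrinking the alphabet; this also reports how many draws it took."""
    for tries in range(1, max_tries + 1):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not any(c in forbidden for c in pw):
            return pw, tries
    raise RuntimeError("no clean draw within max_tries")


if __name__ == "__main__":
    banned = "&<>\"'"  # constructed example of a site's forbidden characters
    print(generate(16, forbidden=banned))
    print(f"{entropy_cost_bits(16, banned):.2f} bits lost by banning {banned!r} at length 16")
    pw, tries = regenerate_until_clean(16, banned)
    print(f"rejection sampling needed {tries} draw(s): {pw}")
```

Forbidding a handful of characters costs only about a bit at length 16, so the cheaper fix for a picky site is to lengthen the password rather than fight the character set; what matters more is that the draw comes from `secrets` and not from `random`.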
 
Nate, 1Password has supported 2FA for a long time now. Go edit on any resource and there is a one time password option that will bring up a little dialog that can scan a 2FA QR code.

Is it smart to have your 2FA in your 1Password? Eh, not really, but it’s sure convenient.
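What the manager actually stores when it scans that QR code, and why keeping it in the same vault is "not really" a second factor, as an added example (not 1Password's code or anything from the thread): the QR code carries an otpauth:// URI with the base32 seed, and whoever holds the seed computes every future code. The example parses such a URI, implements TOTP per RFC 6238 (HOTP per RFC 4226) from the standard library, and verifies a code with a clock-skew window. `EXAMPLE_URI` and its `JBSWY3DPEHPK3PXP` seed are constructed demo values; `RFC_SECRET` is the RFC 6238 Appendix B test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, period: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, int(for_time) // period, digits, digest)


def verify_totp(secret: bytes, code: str, for_time=None, window: int = 1,
                period: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    for clock skew, comparing in constant time. Assumption: replay of an
    already-used code inside the window is handled by separate bookkeeping."""
    if for_time is None:
        for_time = int(time.time())
    ok = False
    for step in range(-window, window + 1):
        candidate = totp(secret, for_time + step * period, period, digits)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth:// key URI that a TOTP enrollment QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper().replace(" ", "")
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # tolerate missing padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": secret,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


# Constructed demo URI; JBSWY3DPEHPK3PXP is a widely used example seed, not a real account.
EXAMPLE_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    entry = parse_otpauth(EXAMPLE_URI)
    print(entry["label"], "current code:",
          totp(entry["secret"], period=entry["period"], digits=entry["digits"]))
    print("RFC 6238 vector at t=59:", totp(RFC_SECRET, 59, digits=8))  # 94287082
```

The seed is the whole second factor: a stolen vault that contains both the password and the otpauth seed lets the thief run `totp()` just as the phone does, which is the "not really" in the post. Keeping the seed in a separate authenticator (or a hardware key) means the vault alone is not enough.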
 

That’s probably why I never noticed it. I don’t want them in there. :)
 
My passwords are saved in an Excel file to an internal storage hard drive in my computer. That drive is password protected and the password to the drive is heavily encrypted. I have never had a problem with anyone stealing one of my passwords. I wouldn't want to put my passwords in the cloud.
 
Agreed, and that's one of the reasons I don't use LP's cloud-based service. Though the chances of their getting hacked may be minuscule, it's an additional bit of peace of mind that I like. My password file isn't itself password-protected, but it's readable only by root and the chances of someone gaining root access on my home computer are close to zero, given that no one else has physical access to it and my router does not forward any requests to it from any port.
 
Liz,

I do business with a local shop when I can't handle a problem. They know I am both a backup freak and very security conscious. The owner of the shop said I had all my ducks in a row.
 

It appears they actually block it. LastPass hasn't generated any passwords for me. It's still using the ones I've had for years. Somehow the sites are preventing LastPass (and the browser) from populating the fields. There's also some other sites where the fields won't autopopulate, and I have to manually select it.
 
That's a bummer. I have yet to encounter any sites that actually block it. :(
 