[NA]Password managers

Discussion in 'Technical Corner' started by Let'sgoflying!, Oct 23, 2021.

  1. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    18,724
    Location:
    west Texas

    Display name:
    Dave Taylor
    It's time. Small biz use and personal use.

    Who is good now?

    Price is important but ease of use is even more so.

    When I start using one of these, will the first 2 weeks be hell while I tell it all my site passwords? Or does it automatically pull those somehow?

    I found this thread from 8 mo ago.
     
  2. Piperonca

    Piperonca Line Up and Wait PoA Supporter

    Joined:
    Jun 11, 2015
    Messages:
    524

    Display name:
    Piperonca
    Let'sgoflying! and murphey like this.
  3. murphey

    murphey Touchdown! Greaser! PoA Supporter

    Joined:
    Aug 21, 2008
    Messages:
    10,515
    Location:
    Colorado

    Display name:
    murphey
Our security boss also likes and uses 1Password
     
    Let'sgoflying! likes this.
  4. jrhillma

    jrhillma Filing Flight Plan

    Joined:
    Dec 28, 2018
    Messages:
    6

    Display name:
    jrhillma
I used to use 1Password but switched a couple of years ago to Keeper. Can't remember why. Both work. It won't be hell putting your username/password in whichever vault you choose. I'd characterize it more as tedious and mildly aggravating. Second @Piperonca's suggestion on plain language. I use a slightly modified approach to what you see in the XKCD strip.
     
    Let'sgoflying! likes this.
  5. Albany Tom

    Albany Tom Line Up and Wait PoA Supporter

    Joined:
    Jul 23, 2021
    Messages:
    805

    Display name:
    Albany Tom
    For small business bank accounts, you really need to be using 2 factor authentication. I know that's separate to the password issue. Last I knew, FDIC protection does not apply to commercial accounts.
     
    Piperonca and Let'sgoflying! like this.
  6. Grant.Baker

    Grant.Baker Filing Flight Plan

    Joined:
    Aug 6, 2018
    Messages:
    12

    Display name:
    Grant.Baker
    I use LastPass. I’ve found it pretty simple to use.
     
    FormerHangie and Let'sgoflying! like this.
  7. Brad W

    Brad W Line Up and Wait

    Joined:
    Nov 19, 2019
    Messages:
    761

    Display name:
    BLW2
    I used to use 1password, but switched to lastpass when I moved away from apple.
    I like lastpass, but I haven't shopped this topic lately so I don't know what's considered the best these days....
     
    Grant.Baker likes this.
  8. t3chiman

    t3chiman Pre-Flight PoA Supporter

    Joined:
    May 18, 2017
    Messages:
    44

    Display name:
    t3chiman
    Bitwarden paid version, with Yubikey as "something you have" to protect your password manager, and for 2 Factor Authorization on whatever individual accounts allow it.
     
  9. Kenny Phillips

    Kenny Phillips En-Route

    Joined:
    Jul 29, 2018
    Messages:
    4,320

    Display name:
    Kenny Phillips
    I used to shy away from password managers, but now all of my important accounts have multi-factor security (mostly a phone ping) so I may start using one.
     
  10. Everskyward

    Everskyward Experimenter PoA Supporter

    Joined:
    Mar 19, 2005
    Messages:
    33,319

    Display name:
    Everskyward
    I use 1Password. Got sick of keeping lists.
     
  11. c177tx

    c177tx Pre-Flight

    Joined:
    Sep 12, 2013
    Messages:
    89
    Location:
    Georgetown, Texas

    Display name:
    GWM
I use 3M Post-it notes, and post them around my display screen
     
  12. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    18,724
    Location:
    west Texas

    Display name:
    Dave Taylor
    That might be the best solution.
    Post a photo so I can get the idea?
     
    JoshN, Flocker, c177tx and 1 other person like this.
  13. DaleB

    DaleB Final Approach

    Joined:
    Aug 24, 2011
    Messages:
    5,187
    Location:
    Omaha, NE

    Display name:
    DaleB
    It would be great if so many sites/systems didn’t actively prevent it. Nearly all require the inclusion of numbers and special characters (which I don’t object to), and many will reject passwords that contain plaintext words no matter what else you have in them.
     
    Piperonca likes this.
  14. wsuffa

    wsuffa Touchdown! Greaser!

    Joined:
    Feb 22, 2005
    Messages:
    23,728
    Location:
    DC Suburbs

    Display name:
    Bill S.
I dumped LastPass after about 5 years when they got sold to LogMeIn, raised prices, were less supportive, and had buggy releases. Settled on Keeper after trying others. Dashlane is quite good, but very expensive. None are perfect, and none can auto fill/auto save all logins because some website and app designers do different things and the password managers can't identify which field is which.

    That said, I wouldn't try to go without a PM these days.
     
    sarangan likes this.
  15. Piperonca

    Piperonca Line Up and Wait PoA Supporter

    Joined:
    Jun 11, 2015
    Messages:
    524

    Display name:
    Piperonca
    I have my own easy to remember mental algorithm to satisfy those, ranging from brief to lengthy, depending on the criticality of the site. Sometimes use Dr. Seuss words or make up new ones not in any dictionary. Length is good. What can be aggravating is that some will not let you use blank spaces either. And will limit the number of characters to eight or ten, for example.

    One thing I like about 1Password is that its main password can be a pass-phrase. Love that. And I have never written mine down.

    Last but not least, there's Travel Mode: https://support.1password.com/travel-mode/
     
  16. Everskyward

    Everskyward Experimenter PoA Supporter

    Joined:
    Mar 19, 2005
    Messages:
    33,319

    Display name:
    Everskyward
    That might work if the only place you need to sign in is on one computer. What do you do about accounts on your phone, tablet, etc.?
     
  17. dmspilot

    dmspilot En-Route

    Joined:
    Oct 20, 2006
    Messages:
    4,675

    Display name:
The purpose of FDIC protection is to prevent bank runs, so it shouldn't matter what type of account (investment banking excluded, which is quite different from deposit & loan banking).
     
  18. Sac Arrow

    Sac Arrow Touchdown! Greaser!

    Joined:
    May 11, 2010
    Messages:
    18,296
    Location:
    Oakland, CA

    Display name:
    Bro do you even lift
    I think it would be a disaster if an online password manager was hacked. No siree Bob for the Sac.
     
  19. Piperonca

    Piperonca Line Up and Wait PoA Supporter

    Joined:
    Jun 11, 2015
    Messages:
    524

    Display name:
    Piperonca
  20. AKBill

    AKBill En-Route

    Joined:
    Nov 29, 2014
    Messages:
    3,486
    Location:
    Juneau, AK

    Display name:
    AKBill
I use an Excel spreadsheet. I try to keep the passwords close to the same but every account asks for something a little different.
     
  21. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    18,724
    Location:
    west Texas

    Display name:
    Dave Taylor
    Good God, did you understand all that? I don't claim superior intellect but 'Master Password (MP) of 4 words, from a Password Generator which only happens on your device' is somehow protected from hacking (ie no one can ever access your computer?) has me stumped.
"The MP is the only thing you need to remember" but then it immediately tells of the Secret Key (SK) you will need. Somehow this is also produced only on your device and it is immune to hacking.
    And I presume to access your password-associated data, you need to submit the MP or SK online (how else can they free up your info) but it will be secure from theft, even if you do so.

    "1Password uses industry-standard 256-bit AES encryption, derived from your Master Password and Secret Key along with a random number generator."

I have no idea what this means. Sounds like a third password if it is generating something from the MP and SK and the "RNG" noted. Impossibly confusing.

    It does sound like you would need to enter two huge passwords (the MP and SK) every time in order to access your websites if you use 1Password, no? (why/how not?)
     
  22. Piperonca

    Piperonca Line Up and Wait PoA Supporter

    Joined:
    Jun 11, 2015
    Messages:
    524

    Display name:
    Piperonca
    Negatory...I confess to not understanding much of it myself. I do some reading on the subject to try, but with limited success. All I know is the automatic transmission works on my truck, and user reports say brand L is better than brand H. I can drive a stick, too, but those aren't commonly sold anymore.

I have my iPhone set with Face ID to allow me to cut/paste a different password generated on the phone. I tap that and see my passwords. No entry involved, just a couple keystrokes. Auto handier than the stick.

    All I can recommend is the free trial. I went through Keepass, Keeper, and a few others to eventually stop at 1Password. YMMV.

    Edit: They have good user support, and could probably explain the methodology much better than me.
     
    Last edited: Oct 24, 2021
    Let'sgoflying! likes this.
  23. asicer

    asicer Final Approach PoA Supporter

    Joined:
    Jan 1, 2015
    Messages:
    7,120

    Display name:
    asicer
    Put a screenshot of your passwords on your lock screen. Don't forget to include your lock screen passcode, though.
     
  24. Grant.Baker

    Grant.Baker Filing Flight Plan

    Joined:
    Aug 6, 2018
    Messages:
    12

    Display name:
    Grant.Baker
    Your master password is all you have to remember. That is combined with the secret key (which you don't need to know, it's stored on your devices) and a random number generator to generate a 256-bit code. That code is what's sent across the internet and what's stored on their server along with your encrypted data. This prevents somebody from intercepting your data along the way and seeing your password. So an attacker would need to have access to one of your devices to get the secret key and they would need to get or guess your master password.

    The reason (or at least a couple reasons) for a long, unique password is to protect against "dictionary" or "brute force" attacks. A dictionary attack is where the attacker's computer system goes through a "dictionary", which could include a database of previously hacked passwords, and tries each word as the password. That's why commonly substituted letters/numbers are ineffective here. For example, they would build their list to substitute zero for letter o/O in every word when they build their dictionary. A brute force attack is similar, except it uses every combination of characters from all alphabets. In a brute force attack, each character increases the difficulty of cracking the password exponentially.

    Disclaimer: I have some web development experience and have read up on security/encryption, but I'm not a security expert.
     
    Let'sgoflying! and Piperonca like this.
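To put the two ideas in this post into something you can run, here is an added Python sketch (example code written for this thread, not code from 1Password or from anyone in the discussion). It is a simplified model, not 1Password's real protocol: the word list, the substitution table, the sample passwords and the secret-key strings are all constructed for the example. It shows why "0 for o" substitutions do not beat a dictionary attack, how each extra character multiplies the brute-force cost, and how a master password and a device-held secret key can both feed into a single 256-bit key.

```python
import hashlib
import hmac
import math
import os

# Constructed stand-in for an attacker's "dictionary" of leaked and common
# passwords. A real one has hundreds of millions of entries.
COMMON_WORDS = {"password", "sunshine", "letmein", "dragon", "cessna"}

# The letter/number swaps an attacker bakes into the dictionary anyway
# (zero for o, 3 for e, @ for a, ...), so they add no real strength.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Undo the usual tricks: case, trailing digits/symbols, leet swaps."""
    stripped = candidate.lower().rstrip("0123456789!@#$%^&*")
    return stripped.translate(LEET_MAP)


def is_dictionary_word(candidate: str) -> bool:
    """True if the password is one of COMMON_WORDS once the tricks are undone."""
    return normalize(candidate) in COMMON_WORDS


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Exhaustive-search work in bits: each extra character multiplies the
    search space by alphabet_size, which log2 turns into a constant +bits."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, secret_key: str, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Toy two-secret key derivation (hypothetical, not 1Password's scheme):
    stretch the master password with PBKDF2 over a random salt, then mix in
    the device-held secret key with HMAC. Result is a 256-bit (32-byte) key,
    so guessing the master password alone is not enough to rebuild it."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                    iterations, dklen=32)
    return hmac.new(secret_key.encode(), stretched, hashlib.sha256).digest()


if __name__ == "__main__":
    for pw in ["P@55w0rd!", "Dragon123", "correct horse battery staple"]:
        print(f"{pw!r:34} dictionary hit: {is_dictionary_word(pw)}")
    for n in (8, 12, 16):
        print(f"{n} chars from 62 symbols: {brute_force_bits(n, 62):.1f} bits")
    salt = os.urandom(16)  # the "random number generator" part
    k1 = derive_vault_key("blue sky fuel check", "EXAMPLE-SECRET-KEY", salt)
    k2 = derive_vault_key("blue sky fuel check", "SOME-OTHER-KEY", salt)
    print("same master password, different secret key, keys match:", k1 == k2)
```

Running it shows "P@55w0rd!" and "Dragon123" collapsing to dictionary words, 8 characters from a 62-symbol alphabet costing about 48 bits of search versus about 71 bits for 12, and the derived key changing completely when only the secret key differs.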
  25. Everskyward

    Everskyward Experimenter PoA Supporter

    Joined:
    Mar 19, 2005
    Messages:
    33,319

    Display name:
    Everskyward
    I have way too many passwords for that. 1Password is so much easier.
     
  26. Everskyward

    Everskyward Experimenter PoA Supporter

    Joined:
    Mar 19, 2005
    Messages:
    33,319

    Display name:
    Everskyward
    You only need to know your Master Password. It will fill in the site password (or you can use copy/paste). If you log in to 1PW using the Master Password, you can find the secret key. I think I have only used the secret key in order to set up the app on other devices. It's not that complicated to use. You also don't *need* to use it to log in to your sites. If you remember the password for the site, you can type it in yourself.
     
    Let'sgoflying! and Piperonca like this.
  27. Piperonca

    Piperonca Line Up and Wait PoA Supporter

    Joined:
    Jun 11, 2015
    Messages:
    524

    Display name:
    Piperonca
    To save time I allow 1PW to autofill the master password with facial recognition, so two taps and I'm in, as described earlier. From there I can copy/pasta or just enter a password on the site where it's needed once my memory is temporarily refreshed. 1PW will do much more, but I want to keep the whole thing simple.
     
    Let'sgoflying! and Everskyward like this.
  28. Albany Tom

    Albany Tom Line Up and Wait PoA Supporter

    Joined:
    Jul 23, 2021
    Messages:
    805

    Display name:
    Albany Tom
FDIC does a couple of things, one as you mentioned is to protect consumers from bank failure, and that's specifically what the insurance does. But another thing they do is create federal banking regulations as part of their oversight function. Those regulations force banks to hold consumers harmless from a variety of bad activities, including unauthorized electronic funds transfers. Quite a few years ago, a school district in this area had fraudulent activity occur on one of their bank deposit accounts. The ruling at the time was that the bank was NOT liable to reimburse the school district for that activity, because the account was government, not consumer. NY senator or congressman Schumer at the time promised to try to have FDIC change those regulations to protect businesses and governments as well as individuals. No idea if that has been done. The advice at the time was to ensure that any corporate accounts had a block on any foreign funds transfers, and that businesses use corporate credit, rather than debit cards, issued with banks that would provide their company with fraud protection. Unlike with consumer accounts, it was not a given that you'd have it.

    I'm a computer guy, not banking guy, but a starter to FDIC's interpretation of their regs is here: https://www.fdic.gov/regulations/laws/rules/6500-580.html

    It reads worse than FAA docs, in terms of clarity.
     
    Let'sgoflying! likes this.
  29. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    18,724
    Location:
    west Texas

    Display name:
    Dave Taylor
    I just got 1Password. (I didn't. Probably this week. But for learning purposes...)

    Now I want to log on to...mmm POA.
    Right now, my devices all remember my PWs and I don't have to actually log in, POA pops to the unread messages.
    So, what is the new process going to be? What steps, how many steps.

    What is the shortest MP I can have?
     
  30. c177tx

    c177tx Pre-Flight

    Joined:
    Sep 12, 2013
    Messages:
    89
    Location:
    Georgetown, Texas

    Display name:
    GWM
    Well my rotary phone sits next to my computer screen, and I use a number 2 pencil on my Big Chief tablet.
     
    Everskyward likes this.
  31. Everskyward

    Everskyward Experimenter PoA Supporter

    Joined:
    Mar 19, 2005
    Messages:
    33,319

    Display name:
    Everskyward
    If your device automatically logs in to POA, etc, it still will. 1PW will offer to save it, but you really only need it if you log out, change browsers, or computers, so that the automatic log in fails.
     
    Let'sgoflying! likes this.
  32. JOhnH

    JOhnH Touchdown! Greaser!

    Joined:
    May 20, 2009
    Messages:
    13,007
    Location:
    Florida

    Display name:
    Right Seater
    That's what my boss used to do. But some evil individual taught him a lesson.
    I have no idea who that evil individual was.
     
  33. AggieMike88

    AggieMike88 Touchdown! Greaser!

    Joined:
    Jan 13, 2010
    Messages:
    19,777
    Location:
    Denton, TX

    Display name:
    The original "I don't know it all" of aviation.
    Reminds me of my first computer…

    Eventually I had to replace the monitor because couldn’t see the word processing screen through all the white out.
     
    c177tx likes this.
  34. Brad W

    Brad W Line Up and Wait

    Joined:
    Nov 19, 2019
    Messages:
    761

    Display name:
    BLW2
    it's been too long for me to comment about 1password's current functions
    but I can comment about LastPass as a parallel....
    your browser would continue to remember the password as it does now
    but the option that's considered to be better practice is to have your browser forget the password (well and probably even change it since the one remembered is not secure...)
    then
    the browser has a lastpass extension running
    and when you use it to fill the passwords for the web site, it will relate the password to that web site URL. This is all done within the encrypted password manager....
Then the next time you open that URL, LastPass, assuming you have it unlocked using your master password, will autofill user name and password.
    You can even use tools to generate new passwords, fill in forms such as "me"...it'll fill in typical forms such as name, address, phone number, etc...
    and you can store a payment card to autofill payments when you buy stuff.
Occasionally, a web site is formatted in an odd way and the autofill might fill the username but not the password automatically, for example. In that case you can simply click on the extension and there's a tool to copy the password for that site.... you don't actually even see the password unless you want to...then you can manually paste it in....

    Same thing when you use your phone...or another computer...it's nearly seamless. Really works well
     
  35. Rushie

    Rushie En-Route

    Joined:
    Jun 21, 2006
    Messages:
    2,755

    Display name:
    Rushie
    I still use KeePass. I guess I’m happy with it. It works. Any reason I shouldn’t trust it?
     
  36. TrueCourse

    TrueCourse Pre-takeoff checklist

    Joined:
    Dec 10, 2019
    Messages:
    338

    Display name:
    TrueCourse
    When I was searching for my first password manager (way later than I should have) there was an article discussing the freebies vs the pay for service choices and I became convinced I was better off paying. I didn’t save the article otherwise I’d note it here. After many years of keeping a master sheet printed somewhere or reading off my “notes” for passwords I finally gave in. Couldn’t be happier and after reading how the whole system works (Keeper) I think it’s safe enough.
     
    Let'sgoflying! likes this.
  37. Leyrah

    Leyrah Filing Flight Plan

    Joined:
    Oct 17, 2021
    Messages:
    4

    Display name:
    Leyrah
    I'm a software engineer and a security researcher by trade. I use 1password. They have published papers about how their application works and I can assure you, as a professional who does this for a living, that it is extremely secure.
    If any of you are interested in details regarding implementation or why/how it's secure feel free to ask.

One bonus point about 1Password is that they allow password sharing. This is important for me since my wife and I share passwords for some sites (such as bank, credit card, Amazon etc.) and from what I tried, other password managers either do not support it or do it poorly.
    Migrating to a password manager may sound like a hassle but once you set it up you kinda forget it's there since it effectively logs you in for all websites.
     
  38. Brad W

    Brad W Line Up and Wait

    Joined:
    Nov 19, 2019
    Messages:
    761

    Display name:
    BLW2
    Lastpass shares very well. Even has a family package option.
    A while back when I switched from 1password, that one was more in line with apple, while lastpass was more android/PC oriented....or at least that was my understanding. I don't know if that's still the case. Functionally they seem to be very similar.