Password manager question

Discussion in 'Hangar Talk' started by Artimas, Mar 3, 2018.

  1. Artimas

    Artimas Pre-takeoff checklist

    Joined:
    Dec 10, 2013
    Messages:
    185
    Location:
    New Jersey
    Display name:
    Artimas
    I have been looking at the popular password managers like Lastpass, Dashlane, and Password1.
    The websites haven't helped me figure out if my wife and I both need separate accounts or if we can share one. Many, but not all, of the sites we visit are the same with the same password. We would sync across 4 devices between us.

    Any recommendations? We use mac and iOS.

    On another front, what's a good way to develop a strong but easy to remember master password for these apps?

    Thanks.
     
  2. Sac Arrow

    Sac Arrow Touchdown! Greaser!

    Joined:
    May 11, 2010
    Messages:
    16,176
    Location:
    Oakland, CA
    Display name:
    Full Send Mode
    I don't trust online password managers.
     
    Norman, Hank S and nauga like this.
  3. Ryanb

    Ryanb Touchdown! Greaser! PoA Supporter

    Joined:
    Jul 21, 2010
    Messages:
    10,211
    Location:
    Tennessee
    Display name:
    Ryan
    I’ve always just used my brain. If that fails me, then a pen and notepad work well. YMMV
     
  4. azure

    azure Final Approach

    Joined:
    Apr 2, 2005
    Messages:
    8,004
    Location:
    Varmint Country
    Display name:
    azure
    I use LastPass on MacOS (High Sierra). I don't really trust it either -- I let it generate passwords, which I then save in a file just in case, as sometimes happens, it fails to correctly fill in the password field.

    The master password has to be something you can remember - so it is typically simpler, closer to common language (and therefore less secure) than the random strings the manager generates. So there is definitely a tradeoff. If you can think of a phrase that is not commonly used but that you know well, that's probably a good compromise, particularly if you replace some of the letters with digits or other special characters.
     
    overdrive148 likes this.
  5. overdrive148

    overdrive148 En-Route

    Joined:
    Apr 17, 2013
    Messages:
    3,572
    Location:
    San Antonio TX
    Display name:
    overdrive148
    [​IMG]
     
  6. WannFly

    WannFly En-Route

    Joined:
    Nov 28, 2016
    Messages:
    4,483
    Location:
    KFAR
    Display name:
    Priyo
    I use LastPass, for master password use a phrase like IPassedCheckR1de&1FlyWhen1cAn!


     
  7. kgruber

    kgruber En-Route

    Joined:
    Jan 3, 2007
    Messages:
    3,957
    Location:
    M94 Desert Aire Regional Airport
    Display name:
    Skywag
    I just keep them in a text file.
     
  8. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,252
    Display name:
    asicer
    Diceware.

    https://en.wikipedia.org/wiki/Diceware

    Personally, 44 bits of entropy is not enough for me. I prefer at least 90 bits.
     
  9. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,001
    Location:
    west Texas
    Display name:
    Dave Taylor
    I wonder how many have them on their computer in a file. So all that is needed is one hack into someone's computer and a bonanza of passwords becomes available to them.
     
  10. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,001
    Location:
    west Texas
    Display name:
    Dave Taylor
    How many devices does the average person use, and how many websites need pw's?
    I am a low-use computer person and have 7 devices that I can think of offhand which I use and ~200 pw'd websites.
    None of the devices share usernames and passwords (I don't have an online manager).
    So every time a website thinks it's time to change pw's it is a significant effort (logging on and inserting the new pw on each device, telling browser to remember it) and frustration ('cannot get website to accept new pw on device #5', or forget the pw, or get it accepted but not remembered by the browser etc etc)
     
  11. wsuffa

    wsuffa Touchdown! Greaser!

    Joined:
    Feb 22, 2005
    Messages:
    22,169
    Location:
    DC Suburbs
    Display name:
    Bill S.
    Lastpass has gone a bit downhill and become more arrogant since they were bought by LogMeIn. They do offer a family plan. They will not stay logged in across Firefox's private Windows. If you want to make it easier to use, you have to trade privacy.

    Either way, get one that allows 2factor authorization. Several options for the second factor, but it makes you much more secure on a mobile device.
     
  12. WannFly

    WannFly En-Route

    Joined:
    Nov 28, 2016
    Messages:
    4,483
    Location:
    KFAR
    Display name:
    Priyo
    Having browser remember password is not a good idea, receiving that password is a child’s play


     
  13. EminiTrader

    EminiTrader Cleared for Takeoff

    Joined:
    Jun 15, 2013
    Messages:
    1,059
    Location:
    JAX
    Display name:
    Emini Trader
    I use dashlane and 2 factor authentication. Never had a problem.
     
  14. SixPapaCharlie

    SixPapaCharlie May the force be with you

    Joined:
    Aug 8, 2013
    Messages:
    14,080
    Location:
    North Texas
    Display name:
    6PC
    We use keepass at work.
    It is pretty solid and it is local.
     
  15. eetrojan

    eetrojan Pattern Altitude

    Joined:
    Jan 19, 2012
    Messages:
    1,527
    Location:
    Orange County, CA
    Display name:
    eetrojan
    And free.
     
  16. AKiss20

    AKiss20 Pre-Flight

    Joined:
    May 31, 2015
    Messages:
    93
    Location:
    Cambridge, MA
    Display name:
    AKiss20
    1Password is quite good for those in the Apple ecosystem. Especially nice for those with a 2016+ MacBook Pro and can use touchid on the Mac.
     
  17. CC268

    CC268 Final Approach

    Joined:
    Nov 4, 2015
    Messages:
    5,524
    Display name:
    CC268
    I use LastPass
     
  18. overdrive148

    overdrive148 En-Route

    Joined:
    Apr 17, 2013
    Messages:
    3,572
    Location:
    San Antonio TX
    Display name:
    overdrive148
    What's your kind of password in comparison?
     
  19. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    17,001
    Location:
    west Texas
    Display name:
    Dave Taylor
    So I've heard.
    Show me, children. Your challenge is to go ahead and get my POA password, then post as me.
     
    Last edited: Mar 4, 2018
  20. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    50,403
    Location:
    Denver, CO
    Display name:
    DenverPilot
    I don’t really trust any of them fully, but I also don’t want to use the same password everywhere. So I use one.

    I’m a 1Password user. Works on both Mac and Windows. Integrates well with browsers and doesn’t seem picky about which browser. They all work.

    DEFINITELY had a major security problem a few years back. I liked their response to it and quickness of fix.

    Here’s the deal on it though. I do NOT use their cloud based thing they came out with. Or their family thing. Or their team thing.

    I use a single Dropbox account that’s dedicated to that job. That’s all it does is hold the encrypted files from 1Password. That’s it. It’s linked to all the machines that need to do 1Password stuff, and that means I don’t use Dropbox for other storage.

    You could. I just don’t like to mix. No reasons other than my own. I use other things for cloud file storage.

    That setup “feels” the best to me. I have a VERY small number of passwords that simply will never ever be in a password manager EVER and are only in my head. You have to choose if you need some of those or not on your own.

    With two-factor being prevalent and available these days, tools like 1Password only handle one half of that. I like that for the sites that are important but not enough to memorize the password and never put it in the manager. And also for work stuff. We require it for the most part, across the board for things.

    Downsides on TFA. If you’re using a number generator app on a mobile device, it’s a) A problem if your device battery dies. B) There’s way too many attack targets for a smartphone. But... it’s better than not doing it.

    And the hardware based PIN generators in the past from some really big names in security, have had mathematical flaws that made them vulnerable. The biggest and most egregious was RSA’s keyfob tokens that were busted but they never recalled them, didn’t offer money back, nothing. Just “buy new ones” from them. Scum suckers.

    At the end of the day, there’s going to be holes in all of these. Look at the patches and the quality of software now that we’re into the “daily patch” IT lifecycle and you’ll see it’s not getting better.

    But that also means most of these websites also have awful code and are going to get hacked. So your password won’t even be needed. Hahahaha.

    Perhaps a bit of a fatalistic view, but I see the sausage being made. It ain’t good. And we have a generation of “security” experts now who’ve never seen code. Let alone low level machine code. They don’t really understand what the machines are actually doing anymore. Which has made some of the hardware exploits that look at remnants of what’s in memory and what not, really impressive. The recent processor based exploits are brilliant. And still not properly fixed by Intel. Starting to doubt they’ll ever figure it out. They haven’t released working microcode that doesn’t screw up the hardware behavior yet. It’s been almost two months and they were notified long before this one went public.
     
  21. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,252
    Display name:
    asicer
    Diceware. 7+ words (90+ bits).
     
    overdrive148 likes this.
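
The arithmetic behind the Diceware figures quoted in this thread (44 bits, 90 bits, 7+ words), as an added example that is not part of the original posts. It assumes the standard Diceware setup of five dice per word and a 7776-entry list; all function names are hypothetical.

```python
import math
import secrets

DICE_PER_WORD = 5                 # classic Diceware: five six-sided dice per word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries, keyed 11111..66666


def bits_per_word(list_size=LIST_SIZE):
    """Entropy of one word, valid only if the word is picked uniformly at random."""
    return math.log2(list_size)


def words_needed(target_bits, list_size=LIST_SIZE):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def chars_needed(target_bits, alphabet=94):
    """Random printable-ASCII characters needed for the same strength."""
    return math.ceil(target_bits / math.log2(alphabet))


def roll_word_key():
    """One word's dice key such as '41536', drawn from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key):
    """0-based position of a dice key in a list sorted 11111..66666 (base-6 value)."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def passphrase(n_words, wordlist=None):
    """Return dice keys to look up by hand, or words if a full list is supplied."""
    keys = [roll_word_key() for _ in range(n_words)]
    if wordlist is None:
        return keys
    if len(wordlist) != LIST_SIZE:
        raise ValueError("wordlist must have exactly 7776 entries")
    return [wordlist[key_to_index(k)] for k in keys]


if __name__ == "__main__":
    for target in (44, 90):
        n = words_needed(target)
        print(f"{target} bits: {n} words ({n * bits_per_word():.1f} bits), "
              f"or {chars_needed(target)} random characters")
    print("dice keys for a 7-word phrase:", " ".join(passphrase(7)))
```

The bit counts only hold when every word comes from the dice or a CSPRNG; a phrase chosen by a person has no such guarantee.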
  22. Anymouse

    Anymouse En-Route

    Joined:
    Jul 30, 2007
    Messages:
    3,164
    Location:
    Clinton, AR (Sometimes)
    Display name:
    Total Stud Bush Pilot
    Like a few others, I use LastPass as well. However, I've noticed a few sites that seem to block LastPass from working. Chase and Capital One are the ones that come immediately to mind. Not sure why they're doing that.
     
  23. flyingron

    flyingron Touchdown! Greaser!

    Joined:
    Jul 31, 2007
    Messages:
    17,061
    Location:
    Catawba, NC
    Display name:
    FlyingRon
    Yes, I like the ability to just use long mixed case words without symbols or numbers. I tend to use famous names of significance to me.
     
  24. azure

    azure Final Approach

    Joined:
    Apr 2, 2005
    Messages:
    8,004
    Location:
    Varmint Country
    Display name:
    azure
    Do they actually block it, or do they just not allow certain characters that LP wants to use? The character set is somewhat configurable, and you can always generate passwords one after the other until you get one that doesn't have the forbidden characters.
     
  25. jesse

    jesse Administrator Management Council Member

    Joined:
    Oct 2, 2005
    Messages:
    15,749
    Location:
    Lincoln, NE
    Display name:
    Jesse
    Nate, 1Password has supported 2FA for a long time now. Go edit on any resource and there is a one time password option that will bring up a little dialog that can scan a 2FA QR code.

    Is it smart to have your 2FA in your 1Password? Eh, not really, but it’s sure convenient.
     
  26. denverpilot

    denverpilot Tied Down

    Joined:
    Nov 8, 2009
    Messages:
    50,403
    Location:
    Denver, CO
    Display name:
    DenverPilot
    That’s probably why I never noticed it. I don’t want them in there. :)
     
  27. Norman

    Norman En-Route Gone West

    Joined:
    May 3, 2013
    Messages:
    4,861
    Location:
    cone of confusion
    Display name:
    KPTK
    My passwords are saved in an Excel file to an internal storage hard drive in my computer. That drive is password protected and the password to the drive is heavily encrypted. I have never had a problem with anyone stealing one of my passwords. I wouldn't want to put my passwords in the cloud.
     
    azure likes this.
  28. azure

    azure Final Approach

    Joined:
    Apr 2, 2005
    Messages:
    8,004
    Location:
    Varmint Country
    Display name:
    azure
    Agreed, and that's one of the reasons I don't use LP's cloud-based service. Though the chances of their getting hacked may be minuscule, it's an additional bit of peace of mind that I like. My password file isn't itself password-protected, but it's readable only by root and the chances of someone gaining root access on my home computer are close to zero, given that no one else has physical access to it and my router does not forward any requests to it from any port.
     
    Norman likes this.
  29. Norman

    Norman En-Route Gone West

    Joined:
    May 3, 2013
    Messages:
    4,861
    Location:
    cone of confusion
    Display name:
    KPTK
    Liz,

    I do business with a local shop when I can't handle a problem. They know I am both a backup freak and very security conscious. The owner of the shop said I had all my ducks in a row.
     
  30. Anymouse

    Anymouse En-Route

    Joined:
    Jul 30, 2007
    Messages:
    3,164
    Location:
    Clinton, AR (Sometimes)
    Display name:
    Total Stud Bush Pilot
    It appears they actually block it. LastPass hasn't generated any passwords for me. It's still using the ones I've had for years. Somehow the sites are preventing LastPass (and the browser) from populating the fields. There's also some other sites where the fields won't autopopulate, and I have to manually select it.
     
  31. azure

    azure Final Approach

    Joined:
    Apr 2, 2005
    Messages:
    8,004
    Location:
    Varmint Country
    Display name:
    azure
    That's a bummer. I have yet to encounter any sites that actually block it. :(
     
  32. Anymouse

    Anymouse En-Route

    Joined:
    Jul 30, 2007
    Messages:
    3,164
    Location:
    Clinton, AR (Sometimes)
    Display name:
    Total Stud Bush Pilot
    The Chase issue is documented on their site. Didn't bother to look up the other stuff.
     
  33. azure

    azure Final Approach

    Joined:
    Apr 2, 2005
    Messages:
    8,004
    Location:
    Varmint Country
    Display name:
    azure
    Ah. I don't have a Chase account.