Any thoughts on using password managers?

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
So, I'm going through my usual panic again...you know...when some company or forum sends you THAT email...the one that says, "oh, so sorry...we just realized we were hacked...about 6 months ago and some or all of your personal data, email, user name, hashed passwords etc. etc. appear to have been taken and no doubt shared on the dark web...Soo, you may want to change your password and check your credit report".

Ugh.

My question here is has anyone used a password manager app before, (like LastPass, LogmeOnce, PasswordBoss, Keeper etc., etc. ) or even just letting iMac (desktop or their cloud passkey storage) or even Chrome to keep all your passwords "safe" in one place?

Are these a good idea or are they just a treasure trove for hackers to get ALL your ID\PWs in one place if they hack and crack one master password for your password manager account?

If they ARE a good idea, why?
And then any recommendations, (I have a PC, MAC, android devices, so would need something totally cross platform.)

Since these work with web based sites, would they work for security camera direct GUI log ins as well?

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
I use lastpass on PC, macbook and android phone.
You just need to make and remember one hard password, for lastpass.

Lastpass creates passwords for your other accounts, and they are basically unbreakable.
I just asked lastpass for a 12 char password, and this is what I got: jtHg9Sz*%$hE
You can turn off special characters if required.

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
get your self some U2F keys: Amazon.com: FIDO U2F Security Key: Computers & Accessories

and at least secure your email with it, since once you're into your email everything else is compromised.. I got one for me and my wife, then I bought us some cheap ones, associated them as backup and put them in our safety deposit box in case the main ones ever get lost/stolen/destroyed.

Wish my banks would start using the damn things.. I got one of the higher end Yubi keys that have a PGP key and use that to encrypt a file on my owncloud storage that has all the rest of my credentials...

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
KeePass for general password storage is great, but RoboForm permits handling a full form's field content (not only remembering a password field). I use it a lot when I need to test my web development and need to fill forms with tons of fields; KeePass can also fill form fields, but this function is not as easy to set up as RoboForm, which was created for such a purpose.

Avoid any browser password storage feature, NEVER click "remember my password" those passwords can easily be recovered.

And by the way, for all people using an OpenVPN server to reach their home/business network, you can easily add a Google Authenticator OTP layer (and it will never communicate with any Google server; "Google Authenticator" is only the name of the OTP system).

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
And by the way, for all people using an OpenVPN server to reach their home/business network, you can easily add a Google Authenticator OTP layer (and it will never communicate with any Google server; "Google Authenticator" is only the name of the OTP system).
Can you give a little more information?
Guess I could google it :)

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
Can you give a little more information?
Guess I could google it :)
In two words, you install the GA (Google Authenticator) libs on your server, set a new pam.d for it, change openvpn.conf to activate the GA plugin, generate the OTP secret key through the GA command line for each user account, then you install the GA "client" on your smartphone or PC, create a profile using this secret OTP key and that's it, you now have a one-time password regenerated every 30 seconds. Take care your server is time-synchronized as timing is very important.
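The 30-second code that the phone app and the server agree on is the TOTP algorithm of RFC 6238 (HMAC-SHA1 over a time counter, as in RFC 4226 HOTP). The following is an added example, not code from the post or from the google-authenticator project, that shows why Dodutils' time-sync remark matters: the server only accepts the code for the current 30-second step and one step either side, so a clock that drifts further than that rejects every login. The secret EXAMPLE_SECRET_B32 is constructed; the RFC_TEST_SECRET_B32 key is the published test-vector key from the RFCs, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code, the Google Authenticator default
DIGITS = 6       # the 6-digit codes the phone app shows

# Constructed secret in the base32 form the setup tool prints for you to type
# into the phone app (not a real user's key).
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"
# Published RFC 4226 / RFC 6238 test-vector key ("12345678901234567890" in base32).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret_b32: str, at_time: Optional[int] = None, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch.
    This is what the phone app computes from its own clock."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret_b32, at_time // step)


def verify_totp(secret_b32: str, submitted: str,
                at_time: Optional[int] = None, skew_steps: int = 1) -> bool:
    """What the server-side check does: accept the code for the current step and
    skew_steps steps either side, so phone and server may drift by up to 30 s.
    Beyond that every login fails, hence the need for a time-synchronized server.
    (A production module also records the last counter it accepted so a code
    captured in transit cannot be reused inside the window.)"""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print("current code:", code, "accepted:", verify_totp(EXAMPLE_SECRET_B32, code, now))
    # A server 2 minutes off rejects the same code:
    print("accepted with 120 s drift:", verify_totp(EXAMPLE_SECRET_B32, code, now + 120))
```

The comparison uses hmac.compare_digest rather than == so the check takes the same time whether the first or last digit differs; the test-vector key lets you confirm the output against the tables in RFC 6238 (for example 59 seconds after the epoch gives 287082).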

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
if you're going through all that trouble you might as well just create your own Certificate Authority and start handing out certs. I use x509 (client cert) auth for my WiFi, VPN and Home Automation portal.. no passwords are even required, each device gets its own cert and I can just revoke that device from the network if it gets lost/stolen/damaged/etc.

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
I think things like Google authenticator, x509 are a bit over my head currently. I have never heard of U2F keys. Just looked at that link and it looks interesting but how would I use it say with my phone or tablet remote when needing to sign into anything?
Looks like you have to have a USB port. If USB ports are locked out (like at my office, for example), I would not be able to, say, sign into my bank account, right?

So are Passcode manager apps just a bad idea in general? Can they be hacked just like any other company's database? and then you lose basically all your ID\PW or other information all in one attack?

(The U2F link mentioned you could also use IT for passcode managers??)

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
the higher end ones have NFC, which would work w/ Android phones and tablets... Apple guys are SOL since you don't get NFC.

and yeah they can be used with password managers, I believe LastPass works with U2F.. you can also get tokens that have a display and will generate you a one-time password if you're unable to plug the token in.

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
So it looks like a U2F key is just a 2nd level additional hardware based password, is that basically correct?
From their web site it looks like yubikey (or any other U2F device?) is very limited to just a handful of sites where you could use it, like Gmail or Dropbox or just a few others...plus then you have to register or otherwise communicate with each site to arrange to use it?

Because: "A YubiKey is a small device that you register with a service or site that supports two-factor authentication. Two-factor authentication means that each time you log in, the service will request proof that you have your YubiKey in addition to your regular username and password."

I was thinking it would work like an app based password manager for any site.
Other than just for my Gmail account as @nayr suggested, or securing my personal computer login or the login of a PW manager I do not really see it fitting my needs.

I really like the OTP concept though, like we use at the office for remote VPN.
It looks like I could use a U2F key with OTP in conjunction with say, LastPass password manager.
LastPass and YubiKey for Individuals | Yubico


I assume that would make your passwords or whatever info is in LastPass completely unbreakable or darn near to it, yes?!


But is this overkill...Are password manager apps like those discussed actually a pretty safe bet or not?

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
I don't have any trust in password managers: LastPass hacked; security compromised for good

I store them using open source crypto tools into a local file that I keep in house, if I need my randomly generated 25 character work password and I'm away.. then I VPN in, grab the file, then decrypt it.. Work's password complexity requirements are so stringent it often takes me a few attempts at generating a RANDOM password to meet all the requirements.. I generate passwords with the linux CLI tool pwgen

Your email account is the keys to your kingdom, get into that and you can reset the passwords on everything else.. you definitely need 2-factor auth for your email, for this site? fuck it, it's got a random password that my browser remembers.. if it's compromised, oh well.. it's just a forum w/ nothing dangerous within reach... if it's my bank/gmail or anything otherwise critical, I jump through a bunch of hoops because it's not supposed to be easy to get into.
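Two things in this thread come down to the same piece of code: randytsuch's manager handing out a 12-character password like jtHg9Sz*%$hE (with specials switchable off), and nayr's pwgen loop that takes "a few attempts" before a random 25-character password satisfies a strict complexity policy. The example below is added here and is not LastPass, pwgen or either poster's code; WORK_POLICY is a constructed stand-in for a workplace policy, the SPECIAL set is an assumption, and the function names are this example's own. It draws from the OS CSPRNG, reports the entropy of what it made, and regenerates until the policy is met rather than patching characters in afterwards, which would skew the distribution.

```python
import math
import secrets
import string

# Character classes a password manager or a tool like pwgen draws from.
# Specials can be switched off for sites that reject them.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGIT = string.digits
SPECIAL = "!@#$%^&*"   # assumed symbol set; managers let you pick which are allowed

# Constructed stand-in for a "stringent" workplace policy (hypothetical, not any
# real employer's rules): minimum count per class, and no character repeated
# more than max_run times in a row.
WORK_POLICY = {"upper": 2, "lower": 2, "digit": 2, "special": 1, "max_run": 2}


def alphabet(specials: bool = True) -> str:
    return LOWER + UPPER + DIGIT + (SPECIAL if specials else "")


def generate(length: int = 12, specials: bool = True) -> str:
    """Draw every character from the OS CSPRNG via secrets (never random.choice,
    whose Mersenne Twister output is predictable once a few values are seen)."""
    chars = alphabet(specials)
    return "".join(secrets.choice(chars) for _ in range(length))


def entropy_bits(length: int, specials: bool = True) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet size).
    12 chars over 70 symbols is about 74 bits; 25 chars is about 153."""
    return length * math.log2(len(alphabet(specials)))


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character ("aaab" -> 3)."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def meets_policy(pw: str, policy: dict) -> bool:
    """Check per-class minimums and the repeated-character limit."""
    counts = {
        "upper": sum(c in UPPER for c in pw),
        "lower": sum(c in LOWER for c in pw),
        "digit": sum(c in DIGIT for c in pw),
        "special": sum(c in SPECIAL for c in pw),
    }
    if any(counts[k] < policy.get(k, 0) for k in counts):
        return False
    return longest_run(pw) <= policy.get("max_run", len(pw))


def generate_compliant(length: int, policy: dict,
                       specials: bool = True, attempts: int = 1000) -> str:
    """Rejection sampling: regenerate until a random password satisfies the policy.
    The result stays uniform over compliant passwords, which inserting a digit
    into a failing candidate would not."""
    for _ in range(attempts):
        pw = generate(length, specials)
        if meets_policy(pw, policy):
            return pw
    raise RuntimeError("policy cannot be met at this length")


if __name__ == "__main__":
    pw = generate_compliant(25, WORK_POLICY)
    print(pw, f"~{entropy_bits(25):.0f} bits")
    print(generate(12, specials=False), f"~{entropy_bits(12, False):.0f} bits")
```

Note that a policy only ever removes candidates from the space, so the entropy figure is a ceiling: a 12-character password forced to contain at least one symbol has slightly fewer than 74 bits, which is one reason length buys more than character-class rules do.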

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
Seems like lastpass would be safe with 2 factor authorization, which you can easily do with your phone. Going to look some more into 2fa now. lastpass has a bunch of options, I'm sure all the good password programs do.

If I was smarter, I would do what nayr does, but I don't think I can come up with something safe by myself.

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
Your email account is the keys to your kingdom, get into that and you can reset the passwords on everything else..
I did not get this for a sec...then realized I assume you mean that basically every site will use your email to send you password reset links...so yeah, I'd not really thought about that for a directed hack!
I'm in the process of starting new email accounts anyway, mostly because the spam has gotten out of control, but a clean start + U2F key seems like a good idea.
Do these U2F keys require a pw to use or if someone steals it and maybe knows my email address could they use it to get in?

Is gmail any more "secure" than using yahoo or some other less popular email option?

Where would I find an OTP token with display for personal use? (I googled but only came up with business class server implementation stuff.)
That seems like

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,424
Reaction score
3,659
Is gmail any more "secure" than using yahoo or some other less popular email option?

Where would I find an OTP token with display for personal use? (I googled but only came up with business class server implementation stuff.)
That seems like
Yes. Yahoo mail is pretty much one of the least secure options out there. They're trying to make it better but they can't filter spam for shit either.
Now don't go deleting your old account, keep it secure and protect it should you need for password resets on other accounts you've forgotten about.

Google Authenticator / Authy are the free otp type options. U2F is better.

Yes you should use a password manager, more importantly generate random unique passwords for each site.

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
So my wife brought up a point that could kill using a PW manager for us since we both have \ use the same banking sites and thus use the one ID\PWs for each account.
PW managers work great it would seem for home computers and your personal devices...but she does a lot of stuff like banking, paying credit cards, using Amazon or Paypal at the office for example. We do not have the ability to access USB drives, (they are locked down) nor the ability to install programs or apps on office computers.
Since PW managers such as LastPass require you to load web browser plug-ins, and U2F keys require a USB connection, how would we be able to sign into any such accounts from the office (or for that matter, say, from a public computer like at the library or hotel if necessary, although not a recommended practice I know)?

It seems using a PW manager would effectively lock me out of using it at all from the office or from a computer or mobile device I do not own.

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
It seems using a PW manager would effectively lock me out of using it at all from the office or from a computer or mobile device I do not own.
and that's not necessarily a bad thing.. corporate networks are known to have a lot of spyware tools installed by IT, are often ravaged by hackers/malware, and are far more likely to be targeted for social engineering than your home.

Generally it's not advisable to access financial accounts from a computer or mobile device you do not own and administer yourself.

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
When I first got my new work computer, I didn't have admin rights, and lastpass still worked. IT installed chrome for me, and lastpass was already installed as a chrome plug in, so maybe that's why it worked. I don't think my wife had admin rights either, and she has lastpass working on her work pc. You and your wife could try, and see what happens.

You don't have to use a special USB key with lastpass, or other password programs. They just make it safer, because you need the account login name, password, and USB key to log in. But you could use Google Authenticator (GA) or something similar instead of the USB key.

With GA, you will get a 6 digit code on your phone. You need the login name, PW and this code to log in. This will work for email too, to make your email more secure. The USB key or GA (or similar) are options for lastpass and logging into google.

Randy

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
Interesting. maybe plug-ins are allowed\blocked as an app install.
I think I'll test out the LP and Chrome plugin on a computer at the office to see if it works.

I totally agree...but try telling the wife...she's the one who has been using the same ID and PW on all her and our shared sites, so I'm trying to come up with a good solution overall.
I get that there is not always time to do this stuff at home in the a.m. or p.m. after work though. I'm sure lots of people risk doing banking and shopping at the office. Risky, but she won't change that habit...too stubborn.


She'd never go for the "extra work" of the U2F key thing and maybe not even GA 2nd level auth. Her laziness in this area to not want to be hassled seems to override her security concern.
I love her go-to excuse for everything..."well, it's never happened before so why should I do X....?"
How do you try to have a logical discussion when you get that response, ha-ha?

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
Using lastpass, and different random passwords for every site, is really no extra work, so hopefully you can at least get her to do that, and it's WAY better than using the same password for all accounts.

Maybe baby steps, start with lastpass (or something else if you prefer), and after she gets used to that see if she will go for GA. Also, lastpass makes an authenticator which they claim is easy to use.

Or get a more secure wife :):)