Cable Forum

Cable Forum (https://www.cableforum.uk/board/index.php)
-   Internet Discussion (https://www.cableforum.uk/board/forumdisplay.php?f=25)
-   -   Password managers. (https://www.cableforum.uk/board/showthread.php?t=33705223)

RichardCoulter 03-08-2017 16:06

Password managers.
 
After watching something about internet security, they advised upon getting a password manager.

How safe are these?

Is there any evidence of unscrupulous people using these in order to obtain passwords?

Can anyone recommend a good one?

What if the password manager itself gets hacked?

Thanks.

Paul 03-08-2017 18:13

Re: Password managers.
 
I have been testing "Lastpass" for a couple of months, it seems to work ok.

pip08456 03-08-2017 18:50

Re: Password managers.
 
Quote:

Originally Posted by Paul M (Post 35910644)
I have been testing "Lastpass" for a couple of months, it seems to work ok.

I've been using LastPass for a few years now. They got hacked a couple of years ago but due to the encryption no-one's passwords were compromised.

All in all very happy with it.

Onramp 03-08-2017 18:51

I would never trust any password manager.

RichardCoulter 03-08-2017 19:27

Re: Password managers.
 
Thanks for the replies everyone.

Why wouldn't you trust them Infamous, have you had a bad experience with one?

progers 03-08-2017 21:01

Re: Password managers.
 
A lot of password managers store your details on a web server, although they might be encrypted, passwords can still be broken using brute force dictionary methods.

I use Steganos Password Manager which saves the files to your PC which, IMHO, makes it inherently safer

Onramp 04-08-2017 00:03

Something feels wrong about providing someone else with your passwords. It is a centralized, externally-managed, more-humans-involved-than-just-you point of failure, which if not accidentally mishandled, could otherwise be deliberately misused.

SnoopZ 04-08-2017 01:15

Re: Password managers.
 
Last Pass is awesome, i use it on a PC.

RichardCoulter 04-08-2017 13:09

Re: Password managers.
 
Quote:

Originally Posted by RichardCoulter (Post 35910669)
Thanks for the replies everyone.

Why wouldn't you trust them Onramp, have you had a bad experience with one?

Corrected (spellcheck).

v0id 04-08-2017 14:32

Re: Password managers.
 
Quote:

Originally Posted by SnoopZ (Post 35910725)
Last Pass is awesome, i use it on a PC.

I use it on both PC and mobile, since you no longer need premium to do so

Hom3r 04-08-2017 14:37

Re: Password managers.
 
I use lastpass on my mobile, which requires my fingerprint.

TBH in your own home you could just write them down

Paul 04-08-2017 19:27

Re: Password managers.
 
Quote:

Originally Posted by Hom3r (Post 35910775)
TBH in your own home you could just write them down

Lastpass auto fills them, and auto logs you in.

Qtx 05-08-2017 17:30

Re: Password managers.
 
Quote:

Originally Posted by pip08456 (Post 35910654)
I've been using LastPass for a few years now. They got hacked a couple of years ago but due to the encryption no-one's passwords were compromised.



They got hacked at one point and encrypted passwords stolen. That was probably less of an issue than:

1) the problems with their browser extensions (which fill in the passwords for you) that actually meant anyone running a website could completely pwn your computer. Remote code execution.

2) again an extension/addon issue which allowed any website to read your unencrypted password for any site they wanted. Basically it tricked the addon into thinking you were on the site the password was for.

Both extremely bad issues and as with ANY software, it's unknown if there are other issues waiting to be found.

In reply to original poster....TL;DR Use LastPass or KeePass2/KeePassX. LastPass has the prettiest interface and less hassle auto password entry. KeePass has not such a great interface and the way it inputs passwords is a bit of a hack on Windows if I remember rightly. Might not be everyone's cup of tea. KeePass you can keep locally off the cloud if you want, or sync to something like Dropbox, or manually if you want to use the passwords elsewhere too. Ignore 1Password.

At least having different passwords for different sites is a good start but you should let the password manager generate a secure password for you.
I'm paranoid through 'being involved in security' and having penetrated enough systems and decrypted enough databases, which has scared me enough to never want to store anything on the cloud, so I would never use LastPass, but for the average person it's an OK choice. I would recommend it to family as an easy choice, if I had not set them up with other options.

Saying all that about LastPass...the other password managers, especially ones where your passwords are stored locally on your computer, have another issue. Once you enter your master password to decrypt your password database, the decrypted passwords are in memory. Even though some try to make it difficult to just read the passwords straight from memory, it can be done and there are public/private tools to do so.

You already need to be infected by something to do that though. Whereas RATs or traditional malware may have keyloggers or read your browser when you log in to get passwords for the sites you visit, having a password manager open could potentially mean someone could read the memory and get ALL your passwords, even for sites you have not visited since infection. The chances of this happening are slim. Unless you are a journalist or something that the NSA/GCHQs of the world are targeting, you shouldn't really worry. A determined hacker targeting you for whatever reason, who is aware enough to read the processes, spot the password manager and then know about the tools to read the memory, is possible but again slim.

There is more of a chance that the sites you visit will get compromised and your username/passwords stolen from those, than your password manager.

Matthew 06-08-2017 06:41

Re: Password managers.
 
I use LastPass and even bought the next one up so I can use it with the app on my mobile. Yes there is some risk with it all but it's mainly forums and other non-important sites I have on there; all the important ones either have a different password I know, or I use 2 factor like I do to even access my LastPass.

heero_yuy 06-08-2017 09:24

Re: Password managers.
 
I use the manager that's built into Firefox. The passwords are stored locally and can be protected with a master password.

I've not heard that it's ever been compromised but anything is possible.

Damien 07-08-2017 09:54

Re: Password managers.
 
Quote:

Originally Posted by Qtx (Post 35910933)
There is more of a chance that the sites you visit will get compromised and your username/passwords stolen from those, than your password manager.

I think this is the critical point. Nothing is 100% secure but you shouldn't let perfect be the enemy of good. Most people are not the target of sophisticated attacks and you're orders of magnitude more likely to have accounts compromised by using a shared password across sites than by having someone hack a password manager and then bother trying to break the encryption on your stored password set. Most password managers encrypt your data with your master password.

Most of these 'hackers' are script kiddies buying data breaches in bulk and automating e-mail/password combinations against a multitude of sites. They deal in volume with each credential worth less than a penny. They don't have the time or will to concentrate on any specific person. Having a unique password and enabling 2 factor will prevent 99% of the risk.

Even keeping them on a notepad in the home is good.
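The two points above (progers: an encrypted vault on a server can still be attacked by guessing; Damien: the vault is encrypted with your master password) reduce to the same thing: whoever holds a copy of the vault can only try master passwords, and each try costs one full key derivation. The following added example is not from the thread or from any of the products named in it; it is a self-contained illustration with assumed parameters (PBKDF2 with 200,000 iterations, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC) showing that a stolen vault yields nothing without the master password, and that a wrong password is rejected by the authentication tag rather than producing garbage.

```python
import hashlib
import hmac
import json
import secrets

# Assumed work factor for this illustration: every guess at the master
# password has to pay this many PBKDF2 iterations (not any product's real value).
KDF_ITERATIONS = 200_000
KEY_LEN = 32


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=2 * KEY_LEN
    )
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream so the example
    needs no third-party cipher library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt a {site: password} dict under a key derived from the master password.
    Fresh random salt and nonce per vault; the tag covers everything the
    decryptor trusts (salt, nonce, ciphertext)."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "iterations": iterations,
        "ct": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Re-derive the keys and verify the tag before touching the ciphertext.
    A wrong master password yields a different MAC key, so the tag check fails."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext.decode("utf-8"))


def unlock_or_none(master_password: str, blob: dict):
    """Convenience wrapper: the decrypted entries, or None if the password is wrong."""
    try:
        return decrypt_vault(master_password, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample vault; the site names and passwords are made up.
    vault = encrypt_vault("correct horse battery", {"forum.example": "x9!Qm2#vL"})
    print("stolen copy contains only:", {k: v[:12] + "..." if isinstance(v, str) else v for k, v in vault.items()})
    print("wrong password ->", unlock_or_none("password1", vault))
    print("right password ->", unlock_or_none("correct horse battery", vault))
```

The salt stops a precomputed table from serving every user at once, and the iteration count sets the price of each guess; neither helps if the master password itself is a dictionary word, which is why the master password is the one credential that has to be strong and unique.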

tweetiepooh 07-08-2017 12:03

Re: Password managers.
 
I use LastPass and pay for Premium. I can use the same tool on Windows, Linux, Android. I install, log in and all my passwords are available. Nice and easy. I can also "share" logins but keep the password secure - so I have set up Dropbox for each of the kids, then shared the password securely with them and set up the client on their PCs.

LastPass can auto-change the password on some sites making that task a little easier, and you can generate an OTP pad so you can get into your account should you forget your password. For some devices it can store a key on the device so you can use that device to access your account if you forget the password. It supports some 2FA mechanisms. You can also store secure notes. Another good feature is you can force master password entry for some records.

I don't know what my password is for many sites now, it's a random string of letters, numbers, symbols as long as the site will allow.

I do NOT keep my bank login in there though. And that also has a card reader and response mechanism to do things once logged in anyway.

Qtx 09-08-2017 16:03

Re: Password managers.
 
Quote:

Originally Posted by Damien (Post 35911180)
Most of these 'hackers' are script kiddies buying data breaches in bulk and automating e-mail/password combinations against a multitude of sites. They deal in volume with each credential worth less than a penny. They don't have the time or will to concentrate on any specific person. Having a unique password and enabling 2 factor will prevent 99% of the risk.

Even keeping them on a notepad in the home is good.

First, if you do keep passwords in notepad, please don't call the file passwords.txt . Lots of malware automatically look for such filenames.


2 factor was completely bypassed with LastPass due to a bug/implementation error. There are lots of cases of 2FA being bypassed even with Google services. Then there is the difference between an auth app and an SMS message as the mobile phone system allows anyone to use the SS7 protocol to intercept the SMS 2 factor messages of any number. I say anyone but you need a connection to the phone system or a VOIP account somewhere that allows it or has a badly configured system, of which there are a few out there.


As for LastPass, the 2 factor auth issue was fixed in February:


Quote:

LastPass has patched a severe vulnerability in their password manager that allowed attackers to bypass the company's two-factor authentication (2FA) system.
According to Martin Vigo, founder of Triskel Security and the security researcher who discovered this flaw, the vulnerability can only be exploited when an attacker has already compromised the user's LastPass master password.
While this sounds like a non-issue, it is not. The main purpose why 2FA was invented to begin with was to act as a second layer of protection just for these cases, where the attacker has managed to guess or get hold of the user's password.
This means Vigo's attack could have been used to nullify LastPass 2FA altogether, stripping away this second layer of protection.
LastPass used user password to derive QR code URLs

According to Vigo's technical write-up, the entire issue at the heart of this vulnerability was the fact that LastPass was storing the 2FA secret seed [in the form of a QR code] under an URL that was derived from the user's password.
This meant that the attacker only had to compute and retrieve this QR code, stored under a local URL, and he would have been able to determine the 2FA secondary code and access the user's LastPass password trove.
In a bug report filed with LastPass, Vigo detailed a successful attack he performed locally:
- Attacker lures user on any website vulnerable to an XSS (cross-site scripting) bug
- Because the attacker can derive the QR code URL from the user's existing password, he uses the XSS attack to load and save the QR code image
- Attacker scans QR code with Google Authenticator, which LastPass uses for 2FA operations
- Attacker gets the 2FA code and accesses the user's account

madukes1 pimp frame02250 alezam5 stanleyboo23 < when a person is forced to use a number in their password. Now a capital letter is often forced....just capitalise the first letter and re-use. This often repeated bad habit is what password managers stop when they create passwords for you, rather than you storing your own thought up passwords.
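Qtx's closing point, and tweetiepooh's earlier one about random strings "as long as the site will allow", is what a generator inside a password manager actually does for you. The following added example is not from the thread or from any named product: it draws every character from the operating system's CSPRNG (Python's `secrets` module), honours a per-site allowed character set, guarantees at least one character from each required class without leaving those characters in predictable positions, and reports the resulting entropy in bits. The dictionary size and suffix count used in `pattern_password_bits` are assumed figures for comparing against the "capitalise the first letter and add a number" habit, not measured values.

```python
import math
import secrets
import string

# Character classes a site policy may require or forbid.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}


def alphabet_for(classes, excluded: str = "") -> str:
    """The characters a site allows: the requested classes minus any it forbids."""
    return "".join(c for name in classes for c in CLASSES[name] if c not in excluded)


def generate_password(length: int = 20, classes=("lower", "upper", "digit", "symbol"), excluded: str = "") -> str:
    """Random password from a CSPRNG with at least one character per requested class."""
    pools = [alphabet_for((name,), excluded) for name in classes]
    if any(not pool for pool in pools):
        raise ValueError("a requested class has no characters left after exclusions")
    if length < len(pools):
        raise ValueError("length too short to cover every requested class")
    chars = [secrets.choice(pool) for pool in pools]            # one per class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the class-guaranteed
    # characters do not sit at fixed positions (e.g. always a digit last).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, classes, excluded: str = "") -> bool:
    """Check that every character is allowed and every requested class is present."""
    allowed = set(alphabet_for(classes, excluded))
    if any(c not in allowed for c in password):
        return False
    return all(any(c in CLASSES[name] for c in password) for name in classes)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def pattern_password_bits(dictionary_size: int = 20_000, suffix_choices: int = 100) -> float:
    """Rough entropy of 'Capitalised word + a number', under the assumed
    dictionary size and number of likely suffixes (two digits or a year)."""
    return math.log2(dictionary_size * suffix_choices)


if __name__ == "__main__":
    site_allows = ("lower", "upper", "digit", "symbol")
    pw = generate_password(20, site_allows)
    print(pw, "->", round(entropy_bits(len(alphabet_for(site_allows)), 20), 1), "bits")
    # A site that forbids symbols and look-alike characters.
    strict = ("lower", "upper", "digit")
    pw2 = generate_password(16, strict, excluded="0O1lI")
    print(pw2, "->", round(entropy_bits(len(alphabet_for(strict, "0O1lI")), 16), 1), "bits")
    print("word+number habit ->", round(pattern_password_bits(), 1), "bits (assumed figures)")
```

Twenty characters from a 90-symbol alphabet is about 130 bits; the word-plus-number habit is around 21 bits under the assumed figures, which is why cracking wordlists are built from exactly those patterns and why a generated, per-site password is the habit worth keeping.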

