
Do you use a password manager?


JTMac


I just started using a password manager, and it's the best quality of life decision I've made in years.  I'm saying this to try to convince you to do the same.

After years of managing passwords in my head, I reached my frustration limit trying to work a "system" of being able to support a unique password on each site.  And you should have a unique password on every site unless you want one security breach to give someone access to the rest of your life.

Now I have one master password that I use and the manager takes care of the rest.  Every login I use has its own strong, unique, unguessable password.  I'm no longer frustrated because some site with its own special-snowflake password requirements trips me up.  I no longer have any concerns about someone guessing my system of cooking up passwords, because there isn't one.

"But what if someone steals your master password?"  They'll need more than the password to get my stuff.  I use two factor authentication, so it requires an approved device with its own password to cough up the key.

"But what if someone takes the data from the password manager's servers?"  It's encrypted on your side, so they can't decrypt it without your password.  Maybe we should worry after another 50 years of quantum computing advancement, but for now we're good.

It's awesome.  You should get in on this.  It's free!

LastPass is the common favorite.  https://www.lastpass.com/
Its killer feature, in my opinion, is the automatic password changing tool.  It saves a lot of clicking when it comes to changing your passwords everywhere you have them.

Bitwarden is what I'm using.  https://bitwarden.com/
My preference for Bitwarden is based on the software being published under a free license and support for a wider variety of browsers.

If you can't decide, pick one!  You can always import your stuff to another manager.  Do it and life will be better.

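The "encrypted on your side" point in the post above is worth seeing in code. The following is an added illustration, not code from LastPass or Bitwarden: real products use AES-256 and their own key-derivation parameters, and the cipher here (HMAC-SHA256 in counter mode plus an HMAC tag) stands in for AES so the example runs on the Python standard library alone. The iteration count, the e-mail address, the sample vault and the master password are all made up. What it shows is the design point: the server receives a login hash and a ciphertext, neither of which decrypts the vault, so someone who takes the server's data is left running the full key-derivation cost once per guess at the master password.

```python
"""Simplified model of client-side vault encryption.  Added example,
not LastPass or Bitwarden code; the HMAC-based cipher stands in for
AES-256 so the file needs only the standard library."""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 200_000  # assumption for the demo; products tune this


def derive_keys(master_password: str, email: str) -> tuple:
    """Client side.  Stretch the master password into two unrelated keys:
    vault_key (never leaves the device) and auth_key (sent to the server
    to log in).  Knowing one tells you nothing about the other."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        KDF_ITERATIONS, dklen=32)
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-login", hashlib.sha256).digest()
    return vault_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate keys split off vault_key.
    Output layout: nonce (16) || ciphertext || tag (32)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(master_password: str, email: str, vault: bytes) -> dict:
    """Everything the server ever receives.  The server hashes auth_key
    once more before storing it, so a database dump is not a login token."""
    vault_key, auth_key = derive_keys(master_password, email)
    return {
        "email": email,
        "auth_hash": hashlib.sha256(auth_key).digest(),
        "vault_blob": encrypt_vault(vault_key, vault),
    }


def try_unlock(server_record: dict, candidate_password: str) -> Optional[bytes]:
    """What a thief holding the server's database must do for every guess:
    pay the full KDF cost, then learn whether the guess was right.  It is
    also exactly what the legitimate client does with the real password."""
    vault_key, auth_key = derive_keys(candidate_password, server_record["email"])
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), server_record["auth_hash"]):
        return None
    return decrypt_vault(vault_key, server_record["vault_blob"])


if __name__ == "__main__":
    # Constructed sample vault and credentials; not anyone's real data.
    vault = b"shop.example: alice / 7Gq!pz; bank.example: alice / wR4&ks"
    record = enroll("correct horse battery staple", "alice@example.com", vault)
    print("plaintext visible to server:", vault in record["vault_blob"])
    print("wrong password unlocks:", try_unlock(record, "password123") is not None)
    print("right password unlocks:", try_unlock(record, "correct horse battery staple") == vault)
```

The weak link this leaves is the master password itself: the KDF only multiplies the cost of each guess, so a short or reused master password is still what decides whether a stolen server copy can be opened.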

40 minutes ago, Presguy said:

No, I don't yet, but I think you may have pushed me over the edge.

I try to use unique passwords, but, as you say, the system quickly becomes too much.

I partially use the Chrome password manager, but I know that's a poor idea for a number of reasons. I had been putting off switching to a password manager because of how long it would take to set up - but I didn't know that LastPass offers a migration tool.

Even better, both of these are capable of detecting (most) site logins.  So no actual setup time is needed until you get to the point of actually changing the passwords.


I've got too many passwords to be a key to very sensitive access points, both for business and personal items. No way in hell will I trust a 3rd party software with all that.

All my passwords are saved in an encrypted xls file.  I copy & paste every single one when needed.  All my passwords are random, very long and include no words.

One huge key element to successful IT security is decentralization.  A password manager is the exact opposite.


1 hour ago, crockett said:

I've got too many passwords to be a key to very sensitive access points, both for business and personal items. No way in hell will I trust a 3rd party software with all that.

All my passwords are saved in an encrypted xls file.  I copy & paste every single one when needed.  All my passwords are random, very long and include no words.

One huge key element to successful IT security is decentralization.  A password manager is the exact opposite.

I can understand the paranoia about including third party hosting into the mix.  Third party software, well, you're trusting Excel to do that.  And I assume your hosting/backup solutions are air-tight...  And does Excel support hiding all fields until the password is displayed?  Does it do 2FA?  Passing through the clipboard is another vector...

Considering that I need to have passwords available at more times than when I'm sitting at my PC, I'm not too concerned with AES 256 bit encrypted data being hosted by a security-minded company.  Because short of a USB stick in a safe in the basement, I don't have time to do better after work.  But if you have more strict requirements, you could at least use something like KeePassX, which is local-storage only and is open source.  Compile it yourself if you don't trust anyone. 

Bitwarden also has a self-hosting option.


I write them on the backs of business cards.  I have very few;  don't do much online.  I put them in a metal business card case and throw it on a shelf with a bunch of other junk.

Work passwords usually get pasted into bookmark descriptions.  I have absolutely no personal information on my work laptop.  I don't ever even surf the web on my work laptop.


No.  I use an algorithm that gives me a unique password for every site, and is easy for me to remember.  Here is an oversimplified version... start with your initials in lowercase, then a date important to you, then the last three letters of the site name in CAPS, then your favorite sign.  Every password will be different because it includes the 3 letters from the site name, but you won't have any trouble remembering them all.  Mine is more complicated, but just as easy to remember for me.

I hate that two factor authorization thing, because my phone is generally not on the same floor as my computer.  It's a pain to find the darn thing most days...

Edited by Mrs.Cicero
missing "not"

2 hours ago, Mrs.Cicero said:

No.  I use an algorithm that gives me a unique password for every site, and is easy for me to remember.  Here is an oversimplified version... start with your initials in lowercase, then a date important to you, then the last three letters of the site name in CAPS, then your favorite sign.  Every password will be different because it includes the 3 letters from the site name, but you won't have any trouble remembering them all.  Mine is more complicated, but just as easy to remember for me.

I hate that two factor authorization thing, because my phone is generally on the same floor as my computer.  It's a pain to find the darn thing most days...

This is what I was doing before.  Not the exact system, but in principle.  It looked like gibberish to someone who wasn't aware.

But I still ended up having collisions between websites, and had to have special exceptions.  And certain websites have their own, unique password requirements.  This site wants mixed case, that site wants numbers and a special character.  So I adjusted my system...  but this other site doesn't like those special characters, and another wants at least two...  and I still had collisions. 

It was a problem that scaled up with the number of sites I use.  And the risk also remained that if there were a security breach involving passwords on more than one site that I used, then my system could be derived.

It's a problem I'm happy to be free of.

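To make the two problems in the reply above concrete, here is the "oversimplified version" of the scheme quoted from Mrs.Cicero, run against a handful of sites. This is an added example, not the poster's actual algorithm, and the initials, date and sign below are made up. It shows the collision JTMac describes (two site names that end in the same three letters get the identical password) and the derivation risk (two passwords leaked by unrelated breaches are enough to recover the fixed parts of the scheme and predict the password for a site that was never breached). The attacker-side routine is general: it works for any fixed-prefix, site-token, fixed-suffix scheme, not just this one.

```python
"""The remember-an-algorithm scheme quoted in the thread, with the two
failure modes raised in reply: collisions and derivation from leaks.
Added example; the victim profile is constructed, not anyone's data."""

# Constructed victim profile (assumption: nobody's real details).
INITIALS = "jt"
DATE = "01011970"
SIGN = "$"


def site_token(site: str, length: int = 3) -> str:
    """The per-site part: last `length` letters of the site name, upper-cased."""
    name = site.split(".")[0]          # drop the TLD: "amazon.com" -> "amazon"
    return name[-length:].upper()


def scheme_password(site: str) -> str:
    """Initials in lowercase + memorable date + site token + favourite sign."""
    return INITIALS.lower() + DATE + site_token(site) + SIGN


def find_collisions(sites: list) -> dict:
    """Problem 1: different sites that end up with the identical password."""
    by_password = {}
    for site in sites:
        by_password.setdefault(scheme_password(site), []).append(site)
    return {pw: hits for pw, hits in by_password.items() if len(hits) > 1}


def _common_prefix(strings: list) -> str:
    prefix = strings[0]
    for s in strings[1:]:
        i = 0
        while i < min(len(prefix), len(s)) and prefix[i] == s[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


def infer_template(leaks: dict):
    """Problem 2, attacker side.  From passwords leaked by two or more
    unrelated breaches, split each into fixed prefix, per-site token and
    fixed suffix, and check that the token is the site name's tail.
    Returns (prefix, token_length, suffix), or None when the leaks do not
    fit that shape: a single leak, or leaks whose tokens are identical so
    the fixed parts cannot be separated from the variable part."""
    passwords = list(leaks.values())
    prefix = _common_prefix(passwords)
    suffix = _common_prefix([p[::-1] for p in passwords])[::-1]
    lengths = {len(p) - len(prefix) - len(suffix) for p in passwords}
    if len(lengths) != 1:
        return None
    token_len = lengths.pop()
    if token_len <= 0:
        return None
    for site, pw in leaks.items():
        if pw[len(prefix):len(pw) - len(suffix)] != site_token(site, token_len):
            return None
    return prefix, token_len, suffix


def predict_password(template: tuple, site: str) -> str:
    """Attacker side: the password for a site that has never been breached."""
    prefix, token_len, suffix = template
    return prefix + site_token(site, token_len) + suffix


if __name__ == "__main__":
    sites = ["amazon.com", "verizon.com", "facebook.com", "github.com"]
    print("collisions:", find_collisions(sites))
    # Two breaches at unrelated sites expose two passwords ...
    leaks = {"amazon.com": scheme_password("amazon.com"),
             "facebook.com": scheme_password("facebook.com")}
    template = infer_template(leaks)
    # ... which is enough to log in at a third site that was never breached.
    guess = predict_password(template, "github.com")
    print("predicted github password:", guess, "correct:", guess == scheme_password("github.com"))
```

The "mine is more complicated" defence only changes the constants: as long as the per-site part is computed from the site name by a fixed rule, two leaked passwords still reveal the rule, and the collision problem does not depend on the complexity of the fixed parts at all.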

3 hours ago, Mrs.Cicero said:

I hate that two factor authorization thing, because my phone is generally on the same floor as my computer.  It's a pain to find the darn thing most days...

Two-factor authentication can be a pain, but it doesn't have to be.  Many 2FA systems use email or SMS, and those can be available on both the phone and PC (my SMS is via Google Voice, but there are other options).  Since those require the only password I don't keep in my password manager and can only be accessed via a device I've already approved via 2FA previously, it's not a total security hole.

If you use something like Google Authenticator/Duo/FreeOTP, I'd recommend Authy to make things easier.  It will work everywhere those will and they also have options for authorizing more than just a single device and a desktop app.  It's not quite as secure as having a 2FA device in a safe, but if you've protected it with its own unique password then it's still a pretty good option.


A couple of our guys at work used to be very much against things like that, since we're in IT and they're our heavier security guys, but eventually they started looking at using KeePass and they've been using it ever since.  I just manage our desktop and infrastructure teams and have been working that side for over 15 years, but I'm not security savvy like they are, so I can't say if KeePass or one of the others listed is better.  I do trust their judgement on this, especially since we have so many different systems and passwords lol!
