I know there are a number of apps to store passwords in etc. but for me, most of them seem Over the top? Any decent apps someone can recommend or any lockable note keeping apps anyone can recommend etc?
Any PW making hints anyone can suggest. Ideally, I'd like it to be something on my phone, because usually I keep my phone with me everywhere I go.
I tried Google keep, but couldn't find a way to lock a particular note.
Thanks
thank you
You're welcome.
hunter2
trustno1
That was my password for years. Good old Mulder.
Hey guys Jagex blocks your password try it for yourself ***********
Also trimming armour!!!
Oh wow my password's ********** too, what are the odds
keepass on computer.
keepdroid on phone.
password file stored on Google Drive.
Yep exactly the same here
Exactly, although I use Dropbox to share the files. But same deal.
Have separate password files for personal stuff, work stuff specific to me, and shared work stuff.
Ditto
Can it autofill logins on websites?
You don't want that feature. The security risk isn't worth the tradeoff. https://www.schneier.com/blog/archives/2014/09/security_of_p…
So how's it work? Is it like a spreadsheet you search through and copy paste each time? Seems a bit cumbersome
Use google drive spreadsheet to store my passwords. If my password is china7, i usually put something like csdsf7 and i know what the random characters mean.
@LightningMcQueen: I tried to login into ozbargain as LightningMcQueen, password is china7, doesnt seems to work. Any idea?
Yes, sort of it can and it does not require any chrome extensions.
Choose the password in Keepass and click Ctrl-V. It will automatically enter the username and password into the website window.
So, it not automatic; but it does fill in the login details.
Thanks will look into setting this up, what about for android?
I store mine on my own nextcloud server
lastpass.
but its hard to remember my lastpass password :(
Ditto to LastPass.
I tried the Keepass, Keydroid, storing the encrypted blob on Google Drive combo and disliked it greatly.
LastPass just works everywhere, Keypass/Keydroid needs far more hands on in both setup and usage.
For some pseudo-security you could just "salt" a password generated by a "rule" with a random sequence that you remember.
You're still screwed if your rule is too easy to identify though and some lame-ass site gets hacked with your password in plaintext.
So use a Password Manager for mundane stuff to crank out and automatically fill a long, complex and random sequence, turn on 2FA for as many places as possible (make sure your phone is properly locked with at least a longish PIN, not an easily guessed pattern lock or worse just a swipe to unlock) and keep your most valuable passwords complex and memorised (ie memorise your primary email account password so that even if your Password Manager gets hacked, you at least haven't lost that key piece of electronic identification..)
The biggest downside put against Password Managers is that "everything is in one basket", but that argument only applies if you choose to keep everything in that basket. I prefer to think of it as a way to manage the cruft, thereby allowing my brain to manage the important stuff.
KeepShare is the most user-friendly KeePass compatible app IMO.
My issue with lastpass is that the passwords are over the network. What guarantee that lastpass is safe? It was hacked in 2016 and another major vulnerability was discovered in 2017 (http://www.pcworld.com/article/3185731/security/lastpass-is-…)
Does not give me much confidence that they can keep my passwords to everything safe.
The place where I work just bought a unlimited license for everyone so I can say with confidence they must be doing something right!
Lastpass don't store passwords…
They store encrypted blobs of passwords.
A hacker might get access to those but will have a very hard time brute forcing the 2000 odd rounds of encryption against my very long, complex and semi-randomised password.
Their time is far better spent hacking Adobe for instance to access their plaintext database of usernames and passwords.
My Adobe password was caught up in that hack, but thanks to Lastpass it was a randomised sequence unique to Adobe.
How is this different to storing your KeePass file on GDrive? What guarantee do you have that KP is secure? http://keepass.info/help/kb/sec_issues.html
Unless you have actually verified the source code is secure yourself you're still taking someone else's word for it, just as with LP.
LastPass performs all encryption/decryption client side, so as stated above, all that's stored on their server are blobs.
So with one method, you upload all your encrypted passwords to a server somewhere.
With the other method, you end up uploading all your encrypted passwords to a server somewhere…
To be fair Lastpass is WAY more of a honeypot for hackers than a personal Google Drive account, but even so, I still don't really think it's all that desirable to hack, cause the "loot" requires substantially more hacking to be remotely useful.
@scubacoles: Yeah fair comment.
As you say though, much easier ways to get passwords…
As far as I'm concerned, I'm not trying to stop anyone using KP, or to talk anyone into LP, but just use a password manager already!
KeePass source code was audited - yes, its not me doing it but better than nobody! Reference: https://www.ghacks.net/2016/11/22/keepass-audit-no-critical-…
Also, Lastpass doubled the cost of their Premium version this month :(
AS @therog1 says though, "just use a password manager" - the risk of not using a password manager (and falling into the habit of using simple passwords and/or re-using passwords) is far higher than the risk of your password manager being breached.
If you are super concerned and want to make your password manager harder to breach, invest in a YubiKey, set it up and use that to secure your password manager (both KeePass and LastPass work with YubiKey) https://www.yubico.com/products/yubikey-hardware/
@therog1: Ask PlayStation users a few years back where not paying for a service which uses your sensitive data gets you.
But to continue the trend:
…50c a week
7c a day…
Agreed, I don't trust any 3rd party to store my passwords.
I keep my passwords in a paper book, except my financial/important ones. Those I just remember, there's not tooo many.
I keep my passwords in a paper book, except my financial/important ones. Those I just remember, there's not tooo many.
I'm sorry, don't mean to be rude, but storing in an easily accessible paper book is patently worse.
…except my financial/important ones. Those I just remember, there's not tooo many.
These need to be complex and be changed periodically.
I'd highly recommend a password manager (especially for you). If you don't want to trust third-party cloud solutions, just get KeePass.
Patently worse? Sorry, I must strongly disagree.
What is the attack vector I'm exposing my self to? Remember, these are my non financial, non important passwords.
Store electronically:
Now, let's compare that to my book.
So, someone wants my ozbargain password, they need to break into my house, find my book, understand what my scrawls mean and then profit!!!
Sorry, that's a fanciful scenario - why would someone break and enter my house for some useless passwords? If they're going to that extent, they will just grab me and force my passwords out of me!
And your "especially for you" is very arrogant - totally not needed. Especially as you seem to be a bit naive on practical attack vectors and password management.
My book works 100% of the time - never fails, does not open me up to any remote exploits and is fool proof.
I get you feel safe with KeePass, but you know, I bet there's a vast number of hackers working to break KeePass encryption, I'll also bet there are no hackers working on breaking and entering my house to get my stash of junk passwords.
Each to his own, but perhaps think a little before you attempt to chastise someone who does something different to you - especially when your opinion is likely flawed and not thought through.
By the time a hacker has remote access to your machine, it really doesn't matter what method you use, you're still screwed cause a hacker will be able to see EVERYTHING that you access and have historically accessed.
Third Party storage hacking is a potential issue, but they store encrypted parcels of passwords, they don't actually store passwords directly (if they do, don't use them). Some simplified info here https://lastpass.com/support.php?cmd=showfaq&id=6926
There are advantages and disadvantages to all methods;
Paper storage is perfectly fine provided your password generation is long, complex and random - this is the key point to passwords.. Keep it long (ie more than 10 characters and ideally more than 20), complex (ie all characters available) and random (no decipherable or decodable words) - this is patently difficult to maintain for a human, and most of us will tend to slip back to shorter passwords if we have to manually type them in and probably using "words".
Paper works 100% of the time you have your book within reach.. but you're stuffed if you are out and need to recall a password.
If the book works for you, then great.
This article really opened my eyes to the world of password cracking.
https://arstechnica.com/information-technology/2013/03/how-i…
@scubacoles: Absolutely. I'm not new to this, I'm an old software engineer. I do use long and complex passwords, that's why I write them all in my book. Simple ones I could just remember.
By the time a hacker has remote access to your machine, it really doesn't matter what method you use, you're still screwed cause a hacker will be able to see EVERYTHING that you access and have historically accessed.
Totally agree, likewise, if someone had access to my physical book they'd just take my machine/hdd and have everything also. Hacks/crimes that require physical access are vastly different from the run-of-the-mill internet connected attacks that happen every day. I'm a target for online hacks, I doubt I'm a target for a physical intrusion targeting my password book (I'm not important enough).
I'm certainly not saying not to use electronic storage of passwords (even though that doesn't work for me), but I am saying that a book is a very valid approach for some people.
Sure. Re-reading my comment, it may have been worded a bit too harshly. My apologies.
A worthy hacker could compromise my machine remotely and steal my passwords.
Definitely a possibility. Meaning you have some form of malware running that is either pulling creds from memory or logging keystrokes.
A third party password storage company could be compromised and expose all of my passwords.
Unlikely. The passwords are decrypted client side. The cloud solution stores the encrypted blob, so even if an attacker manages to retrieve the encrypted blobs, it is highly unlikely that it could be decrypted unless a really awful master password is used.
Using a 3rd party tool like KeePass is still open to being compromised remotely.
If the computer being used is compromised, then yes (although there are protections to limit that; e.g. sandboxed processes, overwriting memory structures holding the password etc).
Now your comments regarding the book:
Need access to my house
Need to actually find my password book
Need to then decipher what my scrawls are.
Assuming you never take the book out of the house and therefore it is not at an elevated risk of theft/loss. If you machine is compromised, they can still get a hold of your passwords as you key them in (and as they reside in memory). Moreover, I've found that when users have to manually key in passwords, the complexity suffers. This could result in yourself gravitating towards easier to key in passwords (for instance, keying numbers and symbols that are in closed proximity, avoiding too many case changes etc).
Security is based on three fundamental pillars: confidentiality, integrity and availability. IMHO, availability and integrity are incredibly hard to ensure for the password notebook. An errant cup of coffee could render the contents of your notebook unreadable. Alternately, a natural disaster or house fire could damage the contents of the notebook rendering everything unusable.
Sorry, that's a fanciful scenario - why would someone break and enter my house for some useless passwords? If they're going to that extent, they will just grab me and force my passwords out of me!
:D Definitely. As they say in my business, the best password cracker is a lead pipe to the kneecap.
And your "especially for you" is very arrogant - totally not needed
Again, I think it was a poor choice of wording and for that you have my apologies.
Especially as you seem to be a bit naive on practical attack vectors and password management.
I'd hope not, as this is my bread and butter. I've had great success in pilfering written passwords as well as remotely during certain types of engagements. :)
I get you feel safe with KeePass, but you know, I bet there's a vast number of hackers working to break KeePass encryption, I'll also bet there are no hackers working on breaking and entering my house to get my stash of junk passwords.
Keepass uses twofish and AES. Both are encryption algorithms that I'm intimately familiar with, I trust the math (until I learn otherwise). The efforts of the security community would be to find flaws in the implementation and find weaknesses (not in the algorithms themselves). I could counter your comment by saying that there are no hackers working on compromising your instance of keepass. :)
You mention your book contains only junk passwords and that all the important stuff is in your head. I reckon a password manager (whatever you choose) would be really helpful managing both sets of passwords. I do not want to regurgitate what I wrote before (elsewhere in this thread), but the "remembering" passwords technique is prone to issues.
A simple yet elegant solution for the paranoid:
Dropbox/cloud based solution containing the encrypted blob. This gets sync'd across multiple devices.
Local Password Manager using the encrypted blob.
Alternate (if you don't trust cloud based solutions, want mobility):
Encrypted container (using veracrypt/filevault/bitlocker to go) containing the encrypted DB as well as portable exe for the password manager. This is in the event you don't trust the password manager's implementation of the crypto algorithms.
Keep the container backed up regularly, and you're sweet. :)
As you said, to each their own. So if this sounds too onerous/impractical then so be it.
Sure. Re-reading my comment, it may have been worded a bit too harshly. My apologies.
Np.
Unlikely. The passwords are decrypted client side. The cloud solution stores the encrypted blob, so even if an attacker manages to retrieve the encrypted blobs, it is highly unlikely that it could be decrypted unless a really awful master password is used.
Agree, but I'll add one word: "Yet", everything is secure until the flaws are found (if they exist) or compromised in some manner that's unexpected as you're aware (no sarcasm there - sounds like you work in the security field). I can think of a number of encryption techniques that were considered secure in the past that are no longer. I also get that were smarter now, but for me that just means less chance of the same happening again, but not no chance. Time will tell.
Security is based on three fundamental pillars: confidentiality, integrity and availability. IMHO, availability and integrity are incredibly hard to ensure for the password notebook. An errant cup of coffee could render the contents of your notebook unreadable. Alternately, a natural disaster or house fire could damage the contents of the notebook rendering everything unusable.
That is very true. But all passwords in this book could be recovered via a password recovery process (hence why I don't keep my important passwords in the book - eg email ). I'll rely on that should such an even occur - but yes it is the greatest weakness in my method.
I'd hope not, as this is my bread and butter. I've had great success in pilfering written passwords as well as remotely during certain types of engagements. :)
Likewise, apologies - I misinterpreted your mood and intent. I'm ok with the fact my friends/family could get passwords from my password book - but IMO, my problem is not the passwords, it's the friends.. Maybe not a great strategy, but for myself the consequences are limited.
Keepass uses twofish and AES. Both are encryption algorithms that I'm intimately familiar with, I trust the math (until I learn otherwise). The efforts of the security community would be to find flaws in the implementation and find weaknesses (not in the algorithms themselves). I could counter your comment by saying that there are no hackers working on compromising your instance of keepass. :)
If the underlying encryption (or implementation of or possible incorrect use of) is ever compromised, then my instance is equally as vulnerable as any :) though I do recognise this is a reasonably unlikely event for keepass, but I personally have not inspected the code, so all bets are off(even though I could check - but now I'm just pretending that I could spot a security vulnerability in their software :) )
You mention your book contains only junk passwords and that all the important stuff is in your head. I reckon a password manager (whatever you choose) would be really helpful managing both sets of passwords. I do not want to regurgitate what I wrote before (elsewhere in this thread), but the "remembering" passwords technique is prone to issues.
I concede that most of what I'm saying is purely academic since the security of my 'junk' passwords is reasonably low priority and I may in fact employ something like KeyPass since as I say, I'm not that fussed about them! But I'd prefer to avoid putting anything like financial,email,etc passwords online anywhere (even my own machine - which is online). Obviously I need to enter the passwords to enter the sites, this I can't avoid. FWIW, I never use any Windows/Android/Etc machines to do anything financial or important. For this I rely on my Linux boxes (my main machine or laptop) for that added feeling of security :) Even my wife has a dual boot to linux just for banking (yes she hates me now too).
I might even consider using something like KeePass for my junk passwords, I have no real reason no to (after all, they're not important passwords) - it'd be a convenience thing for myself. But, that's more work than just using my book (for now)..
Side note, KeePass in SourceForge - ouch, I'm not keen to touch anything in SourceForge, seems to be a pit of malware churning Trojanware these days.
Apologies if my previous reply was emotionally driven, you appear to be pragmatic and intelligent despite my "naive" comment :)
All good mate. Thank you very much for explaining your perspective. I may have been a bit too hasty in my initial response. :)
It's all a matter of balancing security(/paranoia) vs pragmatism. Sometimes my cohort's paranoia and "opsec" tends to colour our worldview.
FWIW, for real security for stuff I really care about (e.g. backup private keys to hardware crypto wallets, master passwords and OTP seed files) I have printed them out and stashed them in an actual vault. :) So I will concede, what works well, works well. :)
These need to be…changed periodically.
NO. NO. NO.
Changing a password that has not been compromised is the most pointless thing you can do.
Changing a password that has not been compromised is the most pointless thing you can do.
Absolutely. Agree completely. No arguments there.
However, the reason why this is a recommended practice is because, in most cases, one doesn't know that their credentials have not been compromised with absolute certainty.
Not all websites/online services follow responsible breach disclosure at all times.
Some websites/online services may not even know that they've been popped… or when they've been popped.
Folks reuse fragments of their passwords elsewhere (or the actual scheme employed to "think up" password) which makes it easier for attackers to break into individual accounts if their can start building up identity/profiles. Let me explain with a very rudimentary example: if someone uses colour+year of birth as a scheme and Red1954 gets compromised, there is a non-trivial likelihood that Black1954 may also be used elsewhere.
A service doesn't necessarily need to be popped for your credentials to be compromised. There is always the likelihood that credentials can be stolen through client-side attacks.
That said, its a matter of personal risk management, for most things its not a hard and fast requirement. If there is a compromise, if you feel the impact doesn't warrant the overhead of periodic password changes, that's fine. I must admit I have heaps that I don't change frequently (or at all since signup /nervous laugh).
For important creds though, it is imperative to change passwords periodically, whether they have been "publicly" compromised or not. Hope that makes sense.
@lonix: Oh, not so fast. I'm a right nutter, there's 6 decoys, 1 external door monitored by 4 battery backed up IP cameras (video streamed off site via 4G).
Then there's the dog and a laser based intruder detection system and my WIFE you must get past.
If you manage that and manage to get past my crazy kids. Then hell, the book's yours!!!
The vulnerability was for the browser extension specifically.
I look at the internet in general in a different point of view. Assume that everything on the internet can be breached and accessed. So the question is that if the hackers have access to the data:
1) can the hackers read it? ie. is everything in plain text
2) how long might it take them to read it? ie. their encryption method is really bad. if it takes the hackers only days to read the stuff then you should worry, but if it might take them 2 years (to brute-force or the computer hardware speed to catch up) i wouldnt worry too much, you have 2 years to change every password
3) has the website told us about the breach reasonably quickly? ie. dont wait for 2 years to tell us like PSN
4) what was their response to the breach? ie. "we know whats wrong, nothing was accessed, we patch the computers, but we are making you change the password anyway " = good, "we havnt figure out whats wrong, goodbye" = bad
There are a few options that you can do to make it safer, make up a very long master password and change the number of rounds of password Iterations. its takes longer to access everything, but it will take longer to brute force as well.
tl;dr: the company response is important, there are other ways to make your own account safer.
as scubacoles stated. LastPass does not store your actual passwords, they store what is called a password hash. This value is a checksum value of what your password is, when you type in your correct password it checks they're both the same hash and carries on. This is also how things like Touch ID work on iPhone, they store a hash of your thumbprint, not your actual thumbprint.
tattooed on inside of eye lids
On a PC, Password Gorilla
On an android smartphone, PasswordSafe
I'm the same. Deal breaker for me is that you can't run the 1Password browser extension on a PC without the desktop application installed. I need a password manager I can use at home, work and on my phone —> LastPass.
Last pass is good
Lots of finicky features tho
I don't. All my passwords are dynamic based on the context.
LastPass.
P@ssw0rd1 for everything….easy & Strong…so no need any third-party tool.
No.. Its P@ssw0rd1!
Oh…crap.. I was locked out from my account.
I use hunter2
give my passwords to bikies
<insert pic of guy tapping his temple>
Sticky note on my monitor
under my bed
My easy solution is my memory banks (Brain)
It seems bizarre to me that people can't remember their passwords at sites..
(yes I use a different password for every site)..
Also choose to remember things like credit card number, tfn, super and bank numbers.. Just makes life a lot easier if you remember things..
Somehow I've memorised a lot of my passwords. Even encryption keys! Just don't expect me to remember someone's birthday.
i write it down, and stick piece of paper in a safeplace jocks
Umm i remember them.
EnPass. Used to be LastPass. But recently changed as I dislike the idea that it is stored in LastPass cloud encrypted using the LastPass password.
now as I use Enpass with Google drive, I know exactly where my password file is.
This is the same as kind of Keypass/Keypassdroid, which I used before lastpass, but supports features such as the fingerprint on my phone. Plus the app, browser plugins and the program are a bit user-friendly than keypass. Didn't use it recently though, maybe it's better now.
+1 for Enpass. You just need to buy a lifetime licence for each phone device, which is cheaper to other password managers charge the service annually! Enpass also has cross platform support (Windows, Ubuntu) and browser plugin which is really convenient.
I use safeincloud, desktop app is free, Android app is $5. I use it for everything - used any cloud storage you want to sync.
I use 1Password but don't like how you have to pay for it on the Mac. I see EnPass is free on all devices. So all your passwords are saved in an encrypted file on Google Drive?
Yep, the file is encrypted with AES-256 using your master password. You get the option to sync with Dropbox, Google Drive, OnceDrive, Box, WebDAV/ownCloud, or just a folder (E.g. Samba/Windows share).
Cool cheers, so hard to decide when there are a few good options now!!! Lastpass seems to be the most popular…
must be old school i keep all my passwords in my brain
Try harder ASIS!!! I'm not giving it up that easy!
Did you mean: ASIO or ISIS?
OMG worst typo ever….. I'll just go over there ———————> and hide!
ASOS? Get some cheap clothes?
In my head
Its super secure. Written on a post it note stuck to my monitor.
In my brain
Cloud
I write it all down.
I have to. I can't remember them all.
msecure
Pen and paper.
1Password for sure. Has an app for every platform as well as plugins for all browsers. Been using it for years and wouldn’t use anything else.
Nope.. no Linux support.
As a customer support person for AgileBits (makers of 1Password) I've a vested interest for sure, but if lack of Linux support is all that's holding you back you might want to check out what's coming… https://discussions.agilebits.com/discussion/79940/a-present… 🎁
My home use OS is Ubuntu and has been for 10 years, so yeah, Linux support is pretty important to me.
LastPass has fulfilled my requirements across all platforms I use (Linux, Windows, Android and iOS) for more than 5 years now… While it's great that you're expanding platform support, I'm not at all interested in entering a beta program when I'm otherwise not invested in the product.
In reality the only thing that might make me jump is;
1) after the Linux Beta program has finished
2) if/when your Android Client surpasses that of LastPass - I see in the new features list that you've finally added the App-Fill feature that's been in LastPass for the entire time I've used it! AND
3) if you support Google Play Billing so I can charge the service to my Telstra Credit and essentially get it for free - like I currently do for LastPass.
@scubacoles: Hey, thanks for the feedback! I can understand reluctance to switch seeing as you're already getting all you need from LastPass – and any password manager is better than none! Still, I'll pass your feedback on, and we'll keep working at improving 1Password… maybe we'll be able to knock off your list yet!
Thats they said with ashley madison but look how that went.
I basically use the same password for everything.
Easy to remember!
Password1
My password is **********
Yes i would like to know about what other people use as password helper etc
thank you