  1. #1
    Star Lounger
    Join Date
    Dec 2009
    Location
    Toronto
    Posts
    81
    Thanks
    6
    Thanked 2 Times in 2 Posts

    Password managers can let you down

    I've long been puzzled by the enthusiasm many people have for password managers such as LastPass, which is my choice. Every once in a while I come across a situation in which I breathe a great sigh of relief knowing that I didn't commit myself completely to a password manager. A few minutes ago is an example. I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn't recognize the new logon screen and fails to enter anything. After entering my ID manually, the screen is redrawn and asks for my password. Again, LastPass fails to enter anything. I am happy that I have used a low-level password there that I can remember easily. If I had used one more difficult to remember or, heaven forbid, allowed LastPass to create one for me, something truly random-looking, I would be totally at the mercy of LastPass. At this stage, I could go to my "vault" on the LastPass site and look up the password. But if something happened to LastPass or its site, I would be barred from Syncplicity forever.

    I think passwords are a terrible measure for security. If you get too fancy with them in an effort to achieve ultimate security, you put yourself at risk of losing access to your data. If you use simple passwords, or re-use the same one at multiple sites, you put yourself at risk of being hacked.

  3. #2
    3 Star Lounger
    Join Date
    Dec 2009
    Posts
    287
    Thanks
    15
    Thanked 65 Times in 55 Posts
    David, You made a very good point so I thought I would check. I disabled my router but could still get my passwords in LastPass using Google Chrome. I guess this means they are stored locally and synced.

    However, I too share your concerns so keep an encrypted backup in MiniKeePass on my phone. A little bit of a pain to keep MiniKeePass updated but not as much as being locked out whilst I'm away from PC.

  4. #3
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    4,743
    Thanks
    67
    Thanked 544 Times in 492 Posts
    Actually, hacking individual passwords is a low occurrence event compared to data breaches like the recent Target, Macy's situation. Now Sears is investigating a similar data breach. I've never read of a case where an individual password was hacked online. I've quit obsessing about strong passwords and just try to ensure they are different on the sites I really care about - mainly financial.

    Jerry

  5. #4
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,616
    Thanks
    7
    Thanked 231 Times in 219 Posts
    This is one reason for not using an on-line, automated login, password manager. I use a local manager that only enters credentials when I ask it to. I can store the database anywhere I want - I have several copies - and it will run on any device I want to use. I can even load the manager software on a PC I've never used and access my database in the cloud, or on a USB stick.

    cheers, Paul

  6. #5
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Pittsford,NY
    Posts
    705
    Thanks
    309
    Thanked 25 Times in 19 Posts
    Paul:
    Which one do you use, out of curiosity?
    Dick

  7. #6
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,273
    Thanks
    130
    Thanked 1,153 Times in 1,062 Posts
    Quote Originally Posted by DavidToronto View Post
    I've long been puzzled by the enthusiasm many people have for password managers such as LastPass, which is my choice. Every once in a while I come across a situation in which I breathe a great sigh of relief knowing that I didn't commit myself completely to a password manager. A few minutes ago is an example. I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn't recognize the new logon screen and fails to enter anything. After entering my ID manually, the screen is redrawn and asks for my password. Again, LastPass fails to enter anything. I am happy that I have used a low-level password there that I can remember easily. If I had used one more difficult to remember or, heaven forbid, allowed LastPass to create one for me, something truly random-looking, I would be totally at the mercy of LastPass. At this stage, I could go to my "vault" on the LastPass site and look up the password. But if something happened to LastPass or its site, I would be barred from Syncplicity forever.

    I think passwords are a terrible measure for security. If you get too fancy with them in an effort to achieve ultimate security, you put yourself at risk of losing access to your data. If you use simple passwords, or re-use the same one at multiple sites, you put yourself at risk of being hacked.
    Are you aware that you can use the LastPass browser add-on, browse the sites list, choose a site, right click it and then have several options to access the password (and the username):

    1. use the option to copy the password and then paste it wherever you need.
    2. choose edit, to edit the login details, which allows you to change the password or simply view it, by clicking the icon that mimics an eye.

    If you have a problem with a site, like the one you reported here, the LastPass add-on has the site at the bottom of its dialog, so you just have to click it to access the Edit, Copy Username and Copy Password options. You can use any of them to gain easy access to your login data.

    So, I am sorry, I can't agree with your comment at all. Maybe you didn't know about these options, but they are there and they aren't really that hard to find. LastPass allows you to use it in multiple ways, from a completely automated login scenario to a totally manual situation, with other options in between - such as the option to copy username and copy password, that you can then paste wherever you need.

    I have yet to find a situation where LastPass has failed me, and this includes using the mobile version to access some websites from my phone. Sometimes on the phone, where there is no browser add-on, I just open the app, use the option to copy the password and just paste it, to login to a website. Now I always use complex passwords and don't even bother trying to remember any password, any longer. I know I can access it whenever needed, be that through the browser add-on, LastPass website or on the phone.
    Rui
    -------
    R4

  8. #7
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,273
    Thanks
    130
    Thanked 1,153 Times in 1,062 Posts
    Quote Originally Posted by Rick Corbett View Post
    David, You made a very good point so I thought I would check. I disabled my router but could still get my passwords in LastPass using Google Chrome. I guess this means they are stored locally and synced.

    However, I too share your concerns so keep an encrypted backup in MiniKeePass on my phone. A little bit of a pain to keep MiniKeePass updated but not as much as being locked out whilst I'm away from PC.
    If you agree to pay $1 / month, you have access to the mobile version of LastPass, which allows access to everything in your LastPass vault.
    Rui
    -------
    R4

  9. The Following User Says Thank You to ruirib For This Useful Post:

    Rick Corbett (2014-03-01)

  10. #8
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,616
    Thanks
    7
    Thanked 231 Times in 219 Posts
    I use KeePass, which is open source. It doesn't automatically add entries to the database or automatically fill them in, but it's secure, reliable and portable.

    cheers, Paul

  11. The Following User Says Thank You to Paul T For This Useful Post:

    Dick-Y (2014-03-02)

  12. #9
    Star Lounger
    Join Date
    Dec 2009
    Location
    Toronto
    Posts
    81
    Thanks
    6
    Thanked 2 Times in 2 Posts
    Yes, I did realize that I can go to my LastPass online "vault" and get the password there, then go back to the webpage and enter it manually. In fact, that's what I did. But at that point I began to worry about the next possibility. What if something happened to LastPass and I'd used an impossible-to-remember password? I'd be locked out permanently. Maybe I'll look into the suggestion above of a local password manager.

  13. #10
    Star Lounger
    Join Date
    Dec 2009
    Location
    Toronto
    Posts
    81
    Thanks
    6
    Thanked 2 Times in 2 Posts
    Judging from the number of times my friends have had their email accounts taken over by spammers, I'd say password breaking is extremely common.

    Yes, I agree that serious sites need passwords that are more complicated than everyday passwords.

  14. The Following User Says Thank You to DavidToronto For This Useful Post:

    Strawboss (2014-03-06)

  15. #11
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,273
    Thanks
    130
    Thanked 1,153 Times in 1,062 Posts
    Quote Originally Posted by DavidToronto View Post
    Yes, I did realize that I can go to my LastPass online "vault" and get the password there, then go back to the webpage and enter it manually. In fact, that's what I did. But at that point I began to worry about the next possibility. What if something happened to LastPass and I'd used an impossible-to-remember password? I'd be locked out permanently. Maybe I'll look into the suggestion above of a local password manager.
    No, it's not like that. If you are on the site, LastPass allows you immediate access to your details, they are accessible through the list at the bottom of the browser add-on dialog, no need to go to any vault.
    Also, LastPass add-ons keep local encrypted copies of your passwords, so you don't even need internet access either to log in to LastPass or to access passwords from the list. Plus, LastPass allows you to export all your passwords, to CSV format (not advised, unless you then encrypt it yourself) or to an encrypted file, which you can then import again, to LastPass, in case you need to.

    In Windows 8, there is a LastPass app that, again, if used before, will keep a local encrypted copy of your data and that will work without internet access, so in the event of LastPass being down, would allow you access to anything you need.

    The problem with password managing is pretty similar to the problem of backups. Should you keep only local backups? Should the cloud be used? Wouldn't it be better to use both? Can a cloud outage be overcome?

    All these questions can be answered and have been answered by LastPass's features. My appreciation for LastPass results from all these possibilities having been covered - there are local copies of your data, which is kept encrypted and no data travels to the server without encryption. The fact that you add the cloud, means that even if your computer has issues, or you are away from your computer, you will have a copy of your data safely accessible, either through a safe computer or a smartphone app. You can also activate two-factor authentication, providing an additional measure of security.
    The fact that all the apps (both browser extensions and local apps, such as in Windows 8) work even without Internet access, offers the guarantee that even a cloud outage can be overcome. Finally, you can have copies of all your data exported, which is really the final guarantee.

    LastPass is clearly a well thought-out product and the fact that you may not have asked all these questions before doesn't mean others haven't asked them, starting with LastPass itself.

    To finish this, I will add that I don't know of a website that doesn't allow you to reset a password, which adds yet another solution if things go horribly wrong.

    Now do your own check and ask yourself if your (or any) local password manager offers all these guarantees.
    Rui
    -------
    R4

  16. The Following 2 Users Say Thank You to ruirib For This Useful Post:

    aczer (2014-03-17),Strawboss (2014-03-06)

  17. #12
    2 Star Lounger
    Join Date
    Jan 2011
    Posts
    198
    Thanks
    21
    Thanked 2 Times in 2 Posts
    The best password manager is your brain! Create a password that means something to you in the context of the site, and use that to remember the password. Say you are on your banking site - try something obscure like bUtchsUn1890 - Butch and Sundance 1890....... this is the second month, so the second letter of the two words are uppercase..... and then change each month! No hacker will try to get that, and it will be easy to "re-generate" your password using a system of working out where you are and what your password should be.

    What I am trying to indicate is that you don't need to necessarily remember your password (but that works too!) you just need to remember the system - much easier to remember, and it will be far more effective because you can build in automatic changes.....

  18. The Following User Says Thank You to Photorer For This Useful Post:

    DavidToronto (2014-03-06)

  19. #13
    Star Lounger
    Join Date
    Jan 2001
    Location
    Osaka, Japan
    Posts
    60
    Thanks
    2
    Thanked 3 Times in 2 Posts
    Quote Originally Posted by DavidToronto View Post
    I went to log on to Syncplicity. Normally LastPass would enter my ID and password automatically. However, suddenly, Syncplicity changed their logon screen. Now it asks only for my ID on a first screen. LastPass doesn't recognize the new logon screen and fails to enter anything.
    LastPass sometimes doesn't recognize new login screens. That's when you need to re-train it for the site. Next time use the Save All Entered Data option (video explanation at the bottom).

  20. #14
    Lounger
    Join Date
    Dec 2009
    Location
    Liphook, Hampshire,UK
    Posts
    28
    Thanks
    4
    Thanked 2 Times in 2 Posts
    Password manager or system? Either is good provided you learn how to use it. I have spent the last ten years trying to educate our local seniors computer club to stop putting passwords on post-it notes by the side of their computers and to stop using the same password for everything. It is very clear to me that the biggest vulnerability in most computer systems is the user. There are many free password managers; use one and learn to use it effectively and make sure that you have backups of the database. I use KeePass and it works for me on Windows PCs and laptops as well as Android Phone and Tablet and on my Linux systems. I haven't tried it but I believe it has unofficial support on OSX, iOS, Blackberry and Palm OS. So it doesn't matter what combination of devices you have, you can use the same database. I automatically keep two cloud based copies and three local backup copies to keep me feeling comfortable with what has become an essential tool. http://keepass.info
    Expert help is less costly than inexpert help

  21. #15
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,273
    Thanks
    130
    Thanked 1,153 Times in 1,062 Posts
    Quote Originally Posted by Photorer View Post
    The best password manager is your brain! Create a password that means something to you in the context of the site, and use that to remember the password. Say you are on your banking site - try something obscure like bUtchsUn1890 - Butch and Sundance 1890....... this is the second month, so the second letter of the two words are uppercase..... and then change each month! No hacker will try to get that, and it will be easy to "re-generate" your password using a system of working out where you are and what your password should be.

    What I am trying to indicate is that you don't need to necessarily remember your password (but that works too!) you just need to remember the system - much easier to remember, and it will be far more effective because you can build in automatic changes.....
    That only works if you have a few websites. Have more than a few and the specificity of each will be hard to remember. I know because that's the way I did it before. Once I moved to LastPass, things became a lot easier. Not only was remembering them no longer needed, but the actual passwords used could be longer and more complex and actually unique, since you no longer depend on a "generation algorithm".
    Rui
    -------
    R4
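
The monthly "generation algorithm" discussed in posts #12 and #15, written out as an added example (not part of any post in this thread) so its rotation can be compared with a manager-generated random password. The function names are hypothetical, and wrapping the letter position around for words shorter than the month number is an assumption the posts do not state.

```python
import math
import secrets
import string


def scheme_password(words, year, month):
    """Uppercase the month-th letter of each word, then append the year.

    Assumption: when a word is shorter than the month number, the
    position wraps around to the start of the word.
    """
    parts = []
    for word in words:
        word = word.lower()
        i = (month - 1) % len(word)
        parts.append(word[:i] + word[i].upper() + word[i + 1:])
    return "".join(parts) + str(year)


def yearly_passwords(words, year):
    """All twelve passwords the scheme produces in one year."""
    return [scheme_password(words, year, m) for m in range(1, 13)]


def rotation_bits(words, year):
    """Uncertainty (in bits) the monthly change adds once the base
    phrase is known, e.g. after one month's password has leaked."""
    distinct = set(yearly_passwords(words, year))
    return math.log2(len(distinct))


def random_password(length=12):
    """What a password manager's generator does: independent random
    characters, here drawn from letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bits(length=12, alphabet_size=62):
    """Entropy (in bits) of a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    words, year = ["butch", "sun"], 1890  # the example from post #12
    for month, pw in enumerate(yearly_passwords(words, year), start=1):
        print(f"month {month:2d}: {pw}")
    print(f"rotation adds {rotation_bits(words, year):.1f} bits")
    print(f"random 12-char password: {random_bits():.1f} bits,"
          f" e.g. {random_password()}")
```

The twelve monthly variants share one base phrase, so the rotation contributes under four bits, while a 12-character random password carries about 71 bits and nothing about one site's password predicts another's.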
