  1. #1 | 5 Star Lounger | Join Date: Dec 2009 | Location: Delaware, US | Posts: 1,172 | Thanks: 19 | Thanked 99 Times in 88 Posts

    The Password Manager Conundrum

    Thinking out loud here... Please read to the end because I ramble.

    It's generally accepted that long, complex passwords that are different for each thing are the best protection against having your accounts stolen. I have issues with that notion, but let's just assume that it's correct for the sake of this thread. The question is then, what does a good password manager need to be able to do?

    --First off, it needs to be relatively easy to use. If it's hard to use, people will abandon it quickly.
    --Keep your passwords secure
    --Generate complex random passwords
    --Interface with a variety of different browsers and web sites

    For a long while, that was pretty much the limit. But we now have multiple devices and it's pretty pointless trying to have a complex password if you have to remember it and type it in on your smart phone. So now we have additional criteria...

    --Work equally well on multiple devices
    --Sync passwords across devices

    But wait, there's more...
    --We now have cloud services that maintain their own passwords so a manager has to be able to cope with them.
    --We now have Apps that work independently of a browser and may have credentials
    --Our TVs and set-top boxes like Roku can access the web and need credentials
    --The so-called Internet of Things has moved connectivity and credentials to a huge selection of devices (potentially including credentials to your network router)

    Users are being forced into using easy to remember passwords for things because no password manager made can deal with everything. As far as I can see, we have come full circle. We are now dependent on the software we give our passwords to in order to protect them.

    Please tell me what I am missing here.
    Graham Smith
    DataSmith, Delaware
    "For every expert there is an equal and opposite expert.", Arthur C. Clarke (1917 - 2008)

  2. #2 | access-mdb (WS Lounge VIP) | Join Date: Dec 2009 | Location: Oxfordshire, UK | Posts: 1,726 | Thanks: 147 | Thanked 156 Times in 149 Posts

    Interesting thoughts. I use a password manager (PM) which I find easy to use, and it can generate random passwords for me. But it's not free on Android. One that is free on Android is one I've never liked, so I have a problem there. But that might be solved by the fact I only have to enter passwords once on each device and they (like the PM) are protected by one password/pin/gesture/whatever.

    TVs etc. again would be permanently logged in - and in any case, most router passwords (in my experience) are quite secure, so that might not be as problematical as you think.

    But as more and more devices need passwords, I think you're right; PMs will need to become more sophisticated. It's already a case that some websites aren't conducive to using PMs on them easily.

    Scammers and phishers have a lot to answer for.
    Talk is cheap because supply exceeds demand

  3. #3 | WS Lounge VIP | Join Date: Dec 2009 | Location: Earth | Posts: 8,199 | Thanks: 48 | Thanked 987 Times in 917 Posts

    I use KeePass on the PC and KeePass2Android on Android. No issue with using complex passwords or syncing for me - although entering the master password on the Android can be slow.

    cheers, Paul

  4. #4 | Administrator | Join Date: Jun 2010 | Location: Portugal | Posts: 12,519 | Thanks: 152 | Thanked 1,398 Times in 1,221 Posts

    The ubiquity of internet access does pose those issues that you mention. It seems to me that the most delicate situation happens with websites or internet-enabled apps, which you need to be able to handle either through a browser or an app, in mobile or desktop versions.

    Truth is, password managers are quite good for handling web access, and not quite so good at handling app access, especially in mobile. I think the need for a password manager cannot be disputed, so you really need to find one that makes it easier to access your passwords in your most used devices. I have one that works for me both in mobile (Windows Phone, Windows 10 Mobile, Android) and also with websites. I keep other information there, as well, through secure notes, so it can provide mechanisms to store everything you need, even if in some devices, the effort for password retrieval could be improved upon.

    About smart TVs and all of that, I haven't felt the need to use them for internet access, but obviously the UI is much worse than everywhere else. Not yet a problem for me, but I guess things will be easier when password manager vendors offer support for all those platforms. Until then, things aren't going to be that easy...
    Rui
    -------
    R4

  5. #5 | 5 Star Lounger | Join Date: Oct 2013 | Location: Phoenix, AZ | Posts: 926 | Thanks: 554 | Thanked 137 Times in 128 Posts

    You are correct. I use PasswordSafe. But I use an easy dispo password on any account I don't care too much about if it gets hacked. A complicated, randomly generated password for anything that accesses financial transactions. But devices that don't use a keyboard really cramp entering a long random password and make using shorter, simpler passwords preferred. Back to the same rules that pretty much guided password use that we have always created. Easy rather than secure.

  6. #6 | jwitalka (Super Moderator) | Join Date: Dec 2009 | Location: Minnesota | Posts: 6,797 | Thanks: 117 | Thanked 799 Times in 720 Posts

    The most complex password in the world will not help if a site you visit is hacked and their password database is stolen. This is a much more common event for the home user than a hacker cracking an individual password. I have quit obsessing about secure passwords and just make sure I use different passwords on all my financial and email accounts. This is so that if one password is stolen, it won't work on other important sites.

    Jerry

  7. #7 | 4 Star Lounger | Join Date: Jan 2010 | Location: Fort McMurray, Alberta, Canada | Posts: 565 | Thanks: 51 | Thanked 68 Times in 66 Posts

    "...their password database is stolen."
    This is why unencrypted password files/databases are a huge no-no. It's already bad if the hackers have entered the network and gained some type of file system access. However, if the data is encrypted, the hackers still have to break the encryption scheme. A decent encryption scheme can still make life very difficult for these criminals. And there's no acceptable reason why shoddy encryption schemes ought to be used.
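Post #7 makes the point that a stolen password database should not hand the attacker the passwords. In practice the usual protection on the server side is not reversible encryption but a salted, deliberately slow one-way hash per account, so that a dump of the table yields neither the passwords nor even which users share one. The Python below is an added example written for this page, not code from the forum or from any product named in the thread; the record format, the function names and the sample accounts are assumptions, and the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example for this page: storing account passwords as salted, slow,
# one-way hashes (PBKDF2-HMAC-SHA256) so a stolen table does not contain the
# passwords themselves. Record format and function names are assumptions.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_user_table(plaintext_passwords: Dict[str, str]) -> Dict[str, str]:
    """Turn {user: password} into {user: record}; the record is all a site stores."""
    return {user: hash_password(pw) for user, pw in plaintext_passwords.items()}


def table_leaks_plaintext(table: Dict[str, str], passwords: Dict[str, str]) -> bool:
    """True if any stored record contains that user's actual password verbatim."""
    return any(passwords[user] in record for user, record in table.items())


def shared_password_visible(table: Dict[str, str]) -> bool:
    """True if two users with the same password end up with identical records."""
    records = list(table.values())
    return len(records) != len(set(records))


# Constructed sample accounts (made-up names and passwords, nobody's real credentials).
SAMPLE_PASSWORDS = {
    "alice": "correct horse battery staple",
    "bob": "Summer2015!",
    "carol": "Summer2015!",  # same password as bob
}

if __name__ == "__main__":
    table = build_user_table(SAMPLE_PASSWORDS)
    for user, record in table.items():
        print(user, record)
    print("plaintext visible in dump:", table_leaks_plaintext(table, SAMPLE_PASSWORDS))
    print("shared password visible:", shared_password_visible(table))
    print("bob logs in:", verify_password("Summer2015!", table["bob"]))
    print("wrong password:", verify_password("summer2015!", table["bob"]))
```

The per-record salt is what keeps bob and carol's identical password from producing identical records, and the iteration count is what makes offline guessing against a stolen table slow; a fast unsalted hash such as plain SHA-256 gives neither property.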

  8. #8 | 5 Star Lounger | Join Date: Dec 2009 | Location: Delaware, US | Posts: 1,172 | Thanks: 19 | Thanked 99 Times in 88 Posts

    Quote Originally Posted by jwitalka:
        The most complex password in the world will not help if a site you visit is hacked and their password database is stolen.
    This is one of the issues I have with password security, but it's part of a much larger discussion about security in general so I'm letting it go for now.

    The reason I brought this up is a few things I noticed recently. Windows has a password manager, as does Firefox. Thunderbird stores my email credentials. OneDrive and OneNote store my MS Cloud id. Etc, etc, etc. I can relegate some of that to a central password manager but some things are far less easy to deal with.

    Then there is my Android phone and my iPad and they both store stuff. I have a banking app on my iPad that is easier to use and more convenient than the web interface, so even if I use a password manager, it would have to be able to deal with separate apps (other than browsers).

    This is turning into one of those "death of a thousand paper cuts" sort of things. The sheer number and diversity of things that want credentials and store credentials has become its own problem. I'm relatively certain that letting Firefox store credentials isn't safe because it's a single file that's relatively easy to steal and decrypt. But it's so convenient that it's tough to say no when it asks if I want to save the password.

    What I'm thinking is that the best solution would be to use a general purpose, simple password for most stuff but use something more complicated for financial related credentials. That would limit the number of complicated passwords needed.
    Graham Smith
    DataSmith, Delaware
    "For every expert there is an equal and opposite expert.", Arthur C. Clarke (1917 - 2008)

  9. #9 | access-mdb (WS Lounge VIP) | Join Date: Dec 2009 | Location: Oxfordshire, UK | Posts: 1,726 | Thanks: 147 | Thanked 156 Times in 149 Posts

    I just wonder....

    A number of people have suggested having the same simple password for most sites, and only more complex ones for important stuff like banks (just as Graham has suggested). They couldn't care less about losing those sites. However, let's say that a hacker gets hold of your simple password, and eventually finds and logs in to your 'unimportant' websites. Is it not possible that they could garner enough information about you that identity theft could become easier?

    I've just Googled a Windows Secrets username (not saying whose) and quite a lot of sites have come up. Not to say that it's all the same person, but if most have the same password, the bad guy could find out a lot of information as none of us is able to remember what info we gave any particular website. So he could get your mother's maiden name from one site, first school attended from another etc. etc.

    Just a thought...
    Talk is cheap because supply exceeds demand
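Posts #1, #6, #8 and #9 between them describe two jobs a password manager should do for its user: generate random passwords, so no site needs a human-memorable one, and keep them unique, so that a breach at one "unimportant" site cannot be replayed at the others. The Python below is an added example for this page, not the code of KeePass, PasswordSafe or any other product named in the thread; the vault is a constructed sample dictionary, and the function names and the minimum length are assumptions.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Added example for this page: random password generation plus a reuse audit
# over a password-manager vault. Names, minimum length and the sample vault
# are assumptions, not anything from the thread or from a real product.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_LENGTH = 16


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG (secrets, not random)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group vault entries by password; keep only passwords used by more than one site."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def blast_radius(vault: Dict[str, str], breached_site: str) -> List[str]:
    """Other entries that fall if the password stored for breached_site leaks."""
    leaked = vault[breached_site]
    return sorted(s for s, pw in vault.items() if pw == leaked and s != breached_site)


def rotate_reused(vault: Dict[str, str]) -> Dict[str, str]:
    """Copy of the vault with every reused password replaced by a fresh random one."""
    fixed = dict(vault)
    for sites in find_reuse(vault).values():
        for site in sites:
            fixed[site] = generate_password()
    return fixed


# Constructed sample vault (made-up sites and passwords, nobody's real credentials).
SAMPLE_VAULT = {
    "forum.example": "Summer2015!",
    "recipes.example": "Summer2015!",
    "shop.example": "Summer2015!",
    "bank.example": "R7$wq!Lp9&zK2#vM4xTd",
    "mail.example": "hG3@kN8%bQ1^sW6*eY5z",
}

if __name__ == "__main__":
    print("reused:", find_reuse(SAMPLE_VAULT))
    print("if forum.example is breached, also exposed:",
          blast_radius(SAMPLE_VAULT, "forum.example"))
    fixed = rotate_reused(SAMPLE_VAULT)
    print("after rotation, reused:", find_reuse(fixed))
    print(f"a fresh 20-character password has about {entropy_bits(20):.0f} bits")
```

The "one simple password for everything unimportant" plan from post #8 shows up in `blast_radius` as three sites falling together; `rotate_reused` is the manager-side fix, and once every entry is random the per-device typing burden post #5 describes is the remaining cost rather than the password strength.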

  10. #10 | 5 Star Lounger | Join Date: Dec 2009 | Location: Delaware, US | Posts: 1,172 | Thanks: 19 | Thanked 99 Times in 88 Posts

    Quote Originally Posted by access-mdb:
        So he could get your mother's maiden name from one site, first school attended from another etc. etc.
    Possible, but unless some stalker decides to single me out, it seems a bit unlikely. Besides, web sites are already doing a lot of things like this. Amazon ads on Facebook know what I have looked at and purchased and hit me with targeted ads. Tracking cookies can tell one merchant what you were just looking at on a different web site and how much the price was there so that they can give you a price that's a bit lower. (I've seen this in action when someone sent me a link to a product and it was a higher price for me than they were looking at).

    Even if you use a different name for every web site, your IP address still tells them who you are. So if you are going to use a bunch of different names, you better also use a proxy client.
    Graham Smith
    DataSmith, Delaware
    "For every expert there is an equal and opposite expert.", Arthur C. Clarke (1917 - 2008)
