Why use a password manager?

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Why use a password manager?

#1 Post by webfork »

Ars just did a story about how anything but very high quality passwords may not be good enough. I'd been fighting the whole password managers thing because I've already got a system for difficult passwords, but they're definitely not as good as this article is recommending (along the lines of "WVGw.ZUT2bfLHR")

I always thought OpenID would take off to help fix this, so that, if you're going to remember a really hard password, you only have to remember one. Unfortunately, more services are using Facebook/Google sign-ins, which I avoid.

Edit: Note that this might fall into a category where you can never really gain actual security, but that's part of why I wanted to bring it up here; I'm trying to find out if anyone actually uses password managers + super hard passwords, or if that's a rarity.

freakazoid
Posts: 1212
Joined: Wed Jul 18, 2007 5:45 pm

Re: Why use a password manager?

#2 Post by freakazoid »

I came across that same article as well, webfork.

I've also skipped on using password managers, but that article gives a good reason why you should use one. Also the concept of passphrases is new to me and I'm definitely going to use the Diceware method.
Last edited by freakazoid on Sat Jun 08, 2013 8:49 pm, edited 1 time in total.
is it stealth? ;)
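
The Diceware approach mentioned in this thread, as an added example (not code from any poster or from the Diceware project): words and characters are drawn with a CSPRNG, and the entropy figures apply only to such random draws. The 16-word list is constructed for the demo, and the 94-symbol alphabet is an assumption.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the block runs offline; a real Diceware
# list has 6**5 = 7776 words (one word per roll of five dice).
SAMPLE_WORDS = ["anvil", "bison", "cedar", "dune", "ember", "fjord", "gravel",
                "heron", "inlet", "juniper", "kelp", "lumen", "moss", "nickel",
                "otter", "pylon"]
DICEWARE_SIZE = 6 ** 5
# Assumed alphabet for random passwords: the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase(words, count, sep=" "):
    """Draw `count` words independently and uniformly using the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length, alphabet=ALPHABET):
    """Random password that fills a site's maximum length."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent uniform draws from `choices`.

    Only valid when a random source made the picks; a phrase a person chose,
    or one copied from a published example, has no such guarantee.
    """
    return picks * math.log2(choices)


def words_needed(target_bits, list_size=DICEWARE_SIZE):
    """Smallest number of random words reaching at least `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS, 6), "(sample list, demo only)")
    print(random_password(26))
    print(f"6 Diceware words: {entropy_bits(DICEWARE_SIZE, 6):.1f} bits")
    for n in (14, 26):
        bits = entropy_bits(len(ALPHABET), n)
        print(f"{n} random chars: {bits:.1f} bits = {words_needed(bits)} words")
```

With a full 7776-word list, swap `SAMPLE_WORDS` for the loaded list; the sample list gives only 4 bits per word and is for demonstration.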

joby_toss
Posts: 2970
Joined: Sat Feb 09, 2008 9:57 am
Location: Romania

Re: Why use a password manager?

#3 Post by joby_toss »

I'm using a password manager. It contains not so hard to remember passwords, but many different ones, so I really need it. Its database (master) password is simple, though, so I can easily remember it. I should note that I'm not hiding anything from NSA, CIA etc. They don't scare me. But if my wife would find access to some of my accounts...oh, boy!

Craunch
Posts: 54
Joined: Tue Jul 03, 2012 5:27 am
Location: UK

Re: Why use a password manager?

#4 Post by Craunch »

There is a passphrase generator available for Keepass2 listed on the plugins section of the keepass website. It's called Readable Passphrase Generator and is downloadable from the Readable Passphrase Generator website.

Edited to add url.

SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Why use a password manager?

#5 Post by SYSTEM »

I use Password Safe, and all my passwords are randomly generated.

Andrew Lee
Posts: 3052
Joined: Sat Feb 04, 2006 9:19 am

Re: Why use a password manager?

#6 Post by Andrew Lee »

This is a really big problem and is getting messier by the day.

I too use a password manager, but it is far from ideal. The password manager runs from my PC, and it is really inconvenient when I need a password on my mobile or laptop.

Not sure how readable passphrases help, since you are supposed to use different passwords on different sites, and I am subscribed one way or another to hundreds of them! (forums, ecommerce, social networking etc.). And some sites force you to change the password for one reason or another, so it won't be possible to remember them, and we are back to password managers again.

The prominent solution for cross-platform password manager now is LastPass, but even that is non-ideal (not after the demise of Google Reader!).

The world really screams for a solution on this issue, but there's no light at the end of this tunnel yet...

Mike.S.G.
Posts: 79
Joined: Mon Nov 26, 2012 6:58 pm

Re: Why use a password manager?

#7 Post by Mike.S.G. »

All you can do is be proactive, use every character a site offers, change it periodically, check regularly for breaches. If it's 26 max characters, generate a 26 character password. eYEaaMso0kule is not very creative seeing the sophistication (and horsepower) used to crack em - pretty amazing.

I have to use a password manager for the drag&drop otherwise I could never remember them.

We are part of the problem, I don't think we want to be too put-out, but we like to complain when we get hit. I wouldn't mind a multi-step process if it was worth the effort.

This is our modern world, cracking passwords is one issue. There are those staunch political types who like to intimidate those on the political opposite side of a matter - same-sex marriage, pot, immigration ..., they find names, addresses, of the opposition and post the info online for the crazies who show up in your front yard, or at your place of business - threaten, intimidate, trouble make.

There will always be victimizers and victims. I guess you have to ask yourself, what lengths are you willing to go to protect yourself, or someone you love...?

Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Why use a password manager?

#8 Post by Midas »

webfork wrote: I'm trying to find out if anyone actually uses password managers + super hard passwords, or if that's a rarity.
I use a password manager: it's Keepass, because it's multi-platform and has a single file database that I can easily synchronize via Dropbox or any such webservice; no super hard passwords, though -- too much hassle and not easily replicable by hand. OTOH, I use a keyfile as master password, so no dice without possession of that file... now which of the 1 432 765 files on my rig is the right one? ;)

I had the same high hopes about OpenID and am truly saddened by its failure... :(

guinness
Posts: 4118
Joined: Mon Aug 27, 2007 2:00 am

Re: Why use a password manager?

#9 Post by guinness »

Maybe it will take off?!

TenaciousD
Posts: 48
Joined: Thu Nov 15, 2012 11:38 pm

Re: Why use a password manager?

#10 Post by TenaciousD »

I loved that article from Ars Technica :D

But I also use a standalone PC based Password manager like KeePass. But I'm beginning to think that an online solution like Last Pass might be the best option. I heard Last Pass is one of the best methods of dealing with storing passwords plus it works on multiple computers and there's even a free version of it! I really feel that LastPass is the way of the future although I'm not going to them just yet. Last Pass

One more thing: we really need to start getting serious about creating and using strong passwords.

Did you notice that the hackers even kept the correcthorsebatterystaple in their dictionary! That means people who thought that they could just use that will get pwned big time! Plus adding cool combinations like dogmonkeygirl is just as vulnerable because they can use a combination attack to get the password; as a well known security researcher has said, it's the death of clever! You now need to create long and randomized passwords to be truly secure, and let's not forget 2 factor authentication!

Image

NickR
Posts: 105
Joined: Thu Aug 26, 2010 6:37 am

Re: Why use a password manager?

#11 Post by NickR »

The Image above should be credited to the brilliant XKCD site
http://xkcd.com/936/

romulous
Posts: 76
Joined: Fri Feb 25, 2011 5:51 pm

Re: Why use a password manager?

#12 Post by romulous »

Midas wrote:OTOH, I use a keyfile as master password, so no dice without possession of that file... now which of the 1 432 765 files on my rig is the right one? ;)
I thought the path to the keyfile was listed in KeePass.config.xml - is that not actually the case on your installation? It is with my v2.22 installation - KeePass also shows the keyfile in the keyfield field drop-down when you run KeePass itself. The config file is an XML file, so open it with a text editor and search for the name of your keyfile to check it (just make sure you open the right config file, if you run Vista onwards with UAC enabled, you may find 2 config files on your system, the first one being a small file with one single line which simply points to the location of the real config file).

Of interest as well, the below is from the keyfile section of the KeePass documentation, stating why keeping the keyfile location a secret is not really too important:
Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn't increase security at all, because it's very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.
(http://keepass.info/help/base/keys.html)

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: Why use a password manager?

#13 Post by carbonize »

This is interesting if slightly pointless.

https://www.grc.com/haystack.htm

Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Why use a password manager?

#14 Post by Midas »

romulous wrote:I thought the path to the keyfile was listed in KeePass.config.xml - is that not actually the case on your installation? It is with my v2.22 installation - KeePass also shows the keyfile in the keyfield field drop-down when you run KeePass itself.
My KeePass is a portable v1.23 (no DotNET dependency), which keeps settings in a 'keepass.ini' alongside the main executable, and the only path mention in there is the "KeeLastDir=" key -- defaulting to Keepass own folder. In any case, better keep that keyfile out of there...
http://keepass.info/help/base/keys.html author wrote:Location. The point of a key file is that you have something to authenticate with (in contrast to master passwords, where you know something), for example a file on a USB stick. The key file content (i.e. the key data contained within the key file) needs to be kept secret. The point is not to keep the location of the key file secret — selecting a file out of thousands existing on your hard disk basically doesn't increase security at all, because it's very easy for malware/attackers to find out the correct file (for example by observing the last access times of files, the recently used files list of Windows, malware scanner logs, etc.). Trying to keep the key file location secret is security by obscurity, i.e. not really effective.
Quite right, I'm afraid. But then, password managers and such are only weak countermeasures for a determined foe; given enough resources, he won't even have to bruteforce your system (or yourself, for that matter); all he needs is access to TEMPEST type monitoring... :(

(see also http://en.wikipedia.org/wiki/Computer_s ... a_distance)

BTW, I earnestly recommend people watch the late Tony Scott's "Enemy of the State" for an entertaining primer on digital surveillance -- nearly everything that movie shows related to the field is real... :!:

romulous
Posts: 76
Joined: Fri Feb 25, 2011 5:51 pm

Re: Why use a password manager?

#15 Post by romulous »

Midas wrote:My KeePass is a portable v1.23 (no DotNET dependency), which keeps settings in a 'keepass.ini' alongside the main executable, and the only path mention in there is the "KeeLastDir=" key -- defaulting to Keepass own folder. In any case, better keep that keyfile out of there...
Oops, yes - I am using the non-portable version, and of v2.x. I completely forgot about the portable version of 1.x - it should have been obvious I suppose, considering the forums I was posting in! :mrgreen:
