 |
|
05-10-2016, 11:27
|
#81
|
Trusted User
Join Date: Apr 2002
Location: Loughborough
Posts: 19,192
Thanks: 293
Thanked 4,688 Times in 2,067 Posts
|
Quote:
Originally Posted by driver8
And the rather worrying: Pwned Websites - see if your email address or user name is featured in online lists, publicly dumped and readily available.
|
Nice link! There are 22 email addresses compromised on my domain (I am the only user of it) including one in the Ashley Madison breach. I don't recall having an account there!!
|
|
|
05-10-2016, 11:31
|
#82
|
Diagnosed Mail Reader
Join Date: Apr 2003
Location: Mansfield, near Sherwood Forest
Posts: 6,051
Thanks: 592
Thanked 283 Times in 120 Posts
|
I still don't trust LastPass and KeePass as if your master password is compromised, and in the case of KeePass if someone has physical access to your computer or machine is compromised, then you could be in the crap. I have a formula for normal websites, and one for Financial and sensitive information. Every site has a unique password, as well as I have separate passwords for work, as if they get compromised, can cause me a lot of work.
|
|
|
05-10-2016, 13:30
|
#83
|
diska diska diska
Join Date: Jan 2001
Location: London
Posts: 1,326
Thanks: 22
Thanked 22 Times in 21 Posts
|
I finally moved everything to 1Password this year and regenerated unique passwords for all sites I was aware of that I've created. It was a ballache to do but I'm happier knowing that the impact is much lower as breaches become more common.
The biggest drive to this was iOS 8 (or 9?) finally allowed the use of 1Password in Safari as an extension to reference/generate passwords and use TouchID to unlock. Such a time saver.
|
|
|
05-10-2016, 13:32
|
#84
|
Xbox Live tag: wargame
Join Date: Oct 2002
Location: London
Posts: 10,946
Thanks: 153
Thanked 305 Times in 221 Posts
|
Quote:
Originally Posted by leemel
I still don't trust LastPass and KeePass as if your master password is compromised, and in the case of KeePass if someone has physical access to your computer or machine is compromised, then you could be in the crap. I have a formula for normal websites, and one for Financial and sensitive information. Every site has a unique password, as well as I have separate passwords for work, as if they get compromised, can cause me a lot of work.
|
Unless someone has your device they can't do much with your master password, if you try to configure it with a new device it needs to be activated and authorised by you. You could take it a step further and enable two factor authentication.
|
|
|
05-10-2016, 14:23
|
#85
|
XBL - AnthonyS UK
Join Date: Jul 2000
Location: Alton, Hants
Posts: 3,476
Thanks: 9
Thanked 184 Times in 176 Posts
|
Quote:
Originally Posted by zantarous
Unless someone has your device they can't do much with your master password, if you try to configure it with a new device it needs to be activated and authorised by you. You could take it a step further and enable two factor authentication.
|
It is so easy to add 2-factor it really should be on by default.
I use either Google Authenticator or a Yubikey.
|
|
|
05-10-2016, 14:25
|
#86
|
Xbox Live tag: wargame
Join Date: Oct 2002
Location: London
Posts: 10,946
Thanks: 153
Thanked 305 Times in 221 Posts
|
I need to look at that as I tried to enable the LastPass 2 factor app but ran into an issue. Will look at the Google one.
|
|
|
05-10-2016, 15:44
|
#87
|
Dazed and confused
Join Date: Aug 2004
Location: By the seaside
Posts: 12,240
Thanks: 757
Thanked 361 Times in 268 Posts
|
Quote:
Originally Posted by peg20
KeePass has android and iphone apps. I keep my KeePass encrypted in BoxCryptor and then inside DropBox (again, both free for non-commercial use and available on android and iphone). So then I have access to my passwords wherever I go.
Hope this helps
|
I do similar. I keep my KeePass DB in a Dropbox folder so it's replicated across my computers, and then use Kypass pointing to Dropbox to access it on my iPhone and iPad.
I like KeePass as the DB is always on my computer (and backed up) so regardless of any issues with connection or an online service I know I can always get access to it, and as I use it for all my banking (all the questions, codes, memorable stuff plus photos of number keycards for those that need them) I feel happier having the info there than in a notepad or keeping the letters like a lot of people do.
The way I figure it is someone would need to work out the password on my computers plus the long and unique master password I use for KeePass, or they'd need to hack or guess my Dropbox password plus my KeePass master password to access it all.
The weak link at the moment is probably having fingerprint allow open it on my iPhone, but I guess that's me being lazy in getting fed up tapping in that long password.
|
|
|
08-11-2016, 07:21
|
#88
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,950
Thanks: 2,735
Thanked 2,860 Times in 1,254 Posts
|
LastPass is now free on mobile (as well as desktop) -
EDIT - I thought it (almost) seemed too good to be true. Whilst the app is free on all devices, it's of most benefit to phone users who don't browse via mac/windows, as syncing is a premium feature (a reasonable $1/month which I'll probably stump up for). [Catch]
Plus, importing existing passwords from Chrome seems a real pain that I'm currently going through (instructions).
Last edited by driver8; 08-11-2016 at 08:01.
|
|
|
23-12-2016, 15:09
|
#89
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,950
Thanks: 2,735
Thanked 2,860 Times in 1,254 Posts
|
|
|
|
23-12-2016, 16:11
|
#90
|
Old-gold and black member
Join Date: Jan 2001
Location: Molineux
Posts: 17,095
Thanks: 501
Thanked 1,711 Times in 591 Posts
|
I disagree about using the first letters of phrases to generate random passwords.
If you use a random phrase which is personal to you, substitute in certain letters for symbols and numbers, and also add in the site name at the start of the password so that it changes for each site, then I don't see how any brute force attempt can possibly guess it.
For instance I suggested this method to a fellow Wolves fan with the example phrase of "Matt Doherty has been making a hash of defending at Wolves since 2003". That makes the password (say for PayPal) - paypalMDhma#od@Ws2003
What computer could ever guess that correctly?
I use this method for all my passwords nowadays. The bit after the site name stays the same all the time but it's such a random phrase that any computer couldn't possibly randomly guess it.
|
|
|
25-12-2016, 23:26
|
#91
|
Stock Photographer
Join Date: Mar 2001
Location: Back in the bloody UK!
Posts: 3,623
Thanks: 224
Thanked 37 Times in 30 Posts
|
Quote:
Originally Posted by The Bear
For instance I suggested this method to a fellow Wolves fan with the example phrase of "Matt Doherty has been making a hash of defending at Wolves since 2003". That makes the password (say for PayPal) - paypalMDhma#od@Ws2003
What computer could ever guess that correctly?
|
You won't either, you're missing a letter!
Dave
|
|
|
25-12-2016, 23:32
|
#92
|
Old-gold and black member
Join Date: Jan 2001
Location: Molineux
Posts: 17,095
Thanks: 501
Thanked 1,711 Times in 591 Posts
|
Oh yeah. I meant "made".
|
|
|
26-12-2016, 08:49
|
#93
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,484
Thanks: 613
Thanked 1,812 Times in 631 Posts
|
But if (in your example) PayPal gets hacked and the passwords identified, all I have to do is change 'PayPal' to 'Tesco' and I've broken into your Tesco account. Change it to 'Gmail' and I've broken into your email account.
Oh and yes, some sites DO still store passwords as plain text, while others use such crude encryption, eg, base 64, so it's easy to decode your password.
So yes, the same passwords across different sites is a bad idea.
Also, annoyingly, many sites don't like your password (or algorithm) as they don't accept hashes, more than 12 characters, or capital letters.
Last edited by Chris Locke; 26-12-2016 at 08:52.
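
The weakness described in the post above can be checked against your own vault. The following is an added example, not part of any post in this thread: it flags entries whose passwords collapse to the same core once the site name is removed, using the thread's PayPal example plus constructed sample entries (the function names and sample data are assumptions).

```python
import re
from collections import defaultdict

# Constructed sample vault entries (site label, password); not real credentials.
# The first entry is the example from the thread, the rest are made up.
SAMPLE_VAULT = [
    ("PayPal", "paypalMDhma#od@Ws2003"),
    ("Tesco", "tescoMDhma#od@Ws2003"),
    ("Gmail", "MDhma#od@Ws2003Gmail"),
    ("Forum", "k9$Tq!vR2m#Lx8wZ"),
    ("Bank", "Yp4&nC7^eH1@sD6u"),
]

def strip_site(site, password):
    """Remove the site label (case-insensitive) from the password, if present."""
    token = re.sub(r"[^a-z0-9]", "", site.lower())
    if not token:
        return password
    return re.sub(re.escape(token), "", password, flags=re.IGNORECASE)

def find_derived_passwords(vault, min_core=6):
    """Group sites whose passwords reduce to the same core without the site label.

    Returns {core: [sites]} for every core shared by two or more sites.
    Anyone who sees one such password can reconstruct the others.
    """
    by_core = defaultdict(list)
    for site, password in vault:
        core = strip_site(site, password)
        if len(core) >= min_core:  # ignore leftovers too short to be a shared secret
            by_core[core].append(site)
    return {core: sites for core, sites in by_core.items() if len(sites) > 1}

if __name__ == "__main__":
    # Report only the affected sites, never the shared secret itself.
    for sites in find_derived_passwords(SAMPLE_VAULT).values():
        print(f"{len(sites)} sites share one core secret: {', '.join(sites)}")
```

Entries it reports are the ones to replace first with independently generated passwords.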
|
|
|
26-12-2016, 14:34
|
#94
|
Old-gold and black member
Join Date: Jan 2001
Location: Molineux
Posts: 17,095
Thanks: 501
Thanked 1,711 Times in 591 Posts
|
Yeah maximum number of characters has been a problem on one or two sites.
|
|
|
05-01-2017, 19:30
|
#95
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,950
Thanks: 2,735
Thanked 2,860 Times in 1,254 Posts
|
Passwords are like underwear:
change them often,
keep them private,
don't share them…
|
|
|
06-01-2017, 09:39
|
#96
|
Trusted User
Join Date: Oct 2005
Location: Schottland
Posts: 5,355
Thanks: 306
Thanked 125 Times in 101 Posts
|
I've started using 1Password as well to store them and generate new unique passwords for sites. Works very well with TouchID on the iPhone and now the Mac laptops too.
|
|
|
06-01-2017, 11:07
|
#97
|
Making a 1% improvement
Join Date: Sep 2000
Location: Essex, UK
Posts: 7,484
Thanks: 613
Thanked 1,812 Times in 631 Posts
|
Quote:
Originally Posted by driver8
Passwords are like underwear:
|
use them and then turn them inside out?
|
|
|
06-01-2017, 11:28
|
#98
|
Dazed and confused
Join Date: Aug 2004
Location: By the seaside
Posts: 12,240
Thanks: 757
Thanked 361 Times in 268 Posts
|
And back to front
|
|
|
09-01-2017, 11:55
|
#99
|
Rurouni
Join Date: May 2001
Location: Farnborough
Posts: 6,080
Thanks: 1,613
Thanked 1,088 Times in 465 Posts
|
I've recently taken the plunge and set up KeePass so I have unique passwords for all the different sites. Seems to be working well for me.
|
|
|
12-03-2017, 06:59
|
#100
|
M0D2.0 (trainee)
Join Date: Jan 2003
Location: Malé, Maldives
Posts: 11,950
Thanks: 2,735
Thanked 2,860 Times in 1,254 Posts
|
Interesting article and subsequent discussion here, at codinghorror.com -
Password Rules are BS
(I needed to use a link shortener cos of the URL sweary).
|
|
|
All times are GMT.
|
|