LastPass

[KGIII]

What are you going to do if your house burns down or do you keep that notebook in a safe?

Hit the "Forgot Password" link. If need be, answer the security questions, and generate a new password.

"Forgot Password" is my password manager!

 

[Condobloke]

I have started a fresh topic HERE about BitWarden

 

[stan]

Hit the "Forgot Password" link. If need be, answer the security questions, and generate a new password.

"Forgot Password" is my password manager!

Hmmmm, that would not help me. My mother's maiden name is Rd8Hn#7y. My high school city is 97GrU3W$. And my childhood best friend is Cwp4Mz8d. No, I don't even trust my childhood best friend!

This follows advice from Electronic Frontier Foundation (EFF). So keeping a good up-to-date backup of my password manager is very important. Exporting the vault to .csv and printing a hardcopy to store in a safe, or safe deposit box, isn't a bad idea either. There are no perfect solutions, and everyone has a different level of comfort between security versus convenience. I try to lean toward security.

 

[KGIII]

The answers I give to those recovery questions aren't real answers - but they're consistent answers.

So, knowing my mother's maiden name, my first pet's name, or my first car won't actually help you.

 

[SeanK]

What are you going to do if your house burns down or do you keep that notebook in a safe?

If my house burns down my laptop goes with it. Do I keep it on line in a cloud scenario instead and risk it being hacked by fraudsters?

No silver bullet friends.....

 

[Condobloke]

The stumbling block, it would appear, is the cloud. It is not trusted.
“But what exactly is the cloud? Simply put, the cloud is the Internet—more specifically, it's all of the things you can access remotely over the Internet. When something is in the cloud, it means it's stored on Internet servers instead of your computer's hard drive.”

So, we use the cloud with just about every mouse click....we are using it now to exchange comments etc here
We use it every time we receive an email, search for anything at all regardless of which search engine we use......it is the internet

But when it comes to our passwords.....no way !....trust goes out the window !!

what if those who doubt the security of the cloud were to use 2FA.....two factor authorisation ?...a text can be received or an ‘authoriser’ can be used. Google has one.....or “Authy”....Yubikey etc etc....all are simple and quite easy to set up. They work across devices.....pc and mobile (cell) phone etc
@stan said somewhere to print the .csv file from your password manager, and store that in a safe. Sage advice indeed !

It is imperative to note that with BitWarden, the information that leaves your pc/mobile or cell phone, is ENCRYPTED .....BEFORE IT LEAVES THE DEVICE .

Food for thought.

 

[KGIII]

You can also personally encrypt things before they leave your device.

You can also compress stuff into a .zip and encrypt it at the same time.

 

[Condobloke]

Lol.....that didn’t take much thought David !....wouldn’t you like the warm tingly feeling of a pword manager doing it for you ??

 

[KGIII]

wouldn’t you like the warm tingly feeling of a pword manager doing it for you ??

LOL Not really, no...

As I mentioned in the other thread, I use 'reset password' as my password manager. I also don't do much in the way of banking on my computer, so I'm not too worried there. I do have PayPal, but that's attached to an account that I only put money into it when I want to. If I don't visit a site regularly, there's no chance I'll remember the password and I'll just reset it.

My email passwords are all committed to memory. (I'm kinda pleased to be able to say that. I'm old and I have a dozen email addresses!) Though, frankly, my email client keeps those memorized if I should happen to forget.

I used the 'reset password' today, actually. I had to get into Amazon. I reset the password to a long string of gibberish, copied and pasted it to login, and promptly forgot it. When I want to use Amazon again, the browser might remember it for me. If not, I'll just reset it again.

I also don't let my browser sync my passwords. I have a copy of my ~/ directory. When I need to, I just move my config files to another computer, open the browser anew, unlock the profile, and there are all my passwords, bookmarks, browser history, cookies, etc...

On the other hand, my drive is encrypted and I don't really need to worry about physical security. As I've said before, if you can get past my encrypted drive, the last thing I'm worried about is you accessing my Amazon wishlist.

 

[LorenDB]

But what exactly is the cloud?

There is no cloud... it's just somebody else's computer!

 

[stan]

It is imperative to note that with BitWarden, the information that leaves your pc/mobile or cell phone, is ENCRYPTED .....BEFORE IT LEAVES THE DEVICE .

Someone can correct me if I am mistaken. The BitWarden encryption importance "leaving the device" is about syncing to other devices, right? When you log in to your bank, via any password manager, your passwords are sent in plain text... or else your bank would not be able to decrypt it. Your real point of trust then is the pipe, the https connection, that secures your plain text password between you and your bank. The password manager's encryption "on the device" is simply a padlock to protect it if someone steals your phone/computer or is somehow able to retrieve it from your cloud storage server (hack). No one is immune from hacks... ask Chase Bank, Equifax, et al.

Your browser is your weak link, in my opinion. It is your gateway to everything. It has flaws and needs constant patching in it's attempt to remain secure for you. It is a prime target for adversaries who would exploit it's vulnerabilities. It is for these reasons that I never use the browser to store any passwords, ever. It is for these reasons that I would not want my password manager to interface with my browser in any way... in spite of the "convenience" that might offer. More convenience usually means less security, in one way or another, in ways you may not think of or suspect.

I don't use "banking apps" on my phone... not trusting either the phone itself, the phone's browser, or the app. I just have no need for that "convenience" that would justify the risks. Similary, I won't use Google Pay, or Apple Pay, or any other near-field communication (NFC) to move money with my phone.

I've read absolute horror stories of the after effects of identity theft. One of the strongest protections (here in the US) is to "freeze" your credit report with all the major credit bureaus. I did this many years ago, and I check occasionally that these reports remain frozen. That means it is very inconvenient when I actually do want to open a new credit account. Less convenient is more secure, following what I've already said.

I do online banking and bill pay from my computer, so these concerns are very real and immediate. I use KeePass with locally stored database (and backups) and extremely long secure passwords for important stuff. As @KGIII mentioned above, I have a script to compress and encrypt my KeePass vault (and a few other important files) and store it on a personal web server, not Dropbox or Google Drive. That process puts a 2nd padlock on the password data for the online backup.

And then I wonder.... is that enough?

For some folks, it is way too much. Some folks may even use more stringent methods than me. We all have different levels of comfort. We all have different levels of knowledge too... maybe some of these things have never occurred to you. But our computer security is up to us, and we all have different ideas, and needs, and solutions. Good luck!

 

[KGIII]

As @KGIII mentioned above, I have a script to compress and encrypt my KeePass vault (and a few other important files) and store it on a personal web server, not Dropbox or Google Drive.

I trust it when *I* encrypted it.

I have less trust when someone says *they* encrypted it before uploading it - and I can't even verify that it was encrypted prior to being uploaded.

I also have other-worldly quantities of disk space available online. But, properly encrypted *on your end*, you could upload said file most anywhere - including places like bayfiles.

 

[mrcrossroads]

After LastPass's dick move I switched to BitWarden premium. Loving it. Wish I had switched sooner.