My first foray into password management

For Internet users, the week of April 6 was undoubtedly one of the most annoying and harrowing in recent history. OpenSSL’s Heartbleed bug was simultaneously patched and publicized on April 7, and over the next few days, we learned that our login credentials for a great many websites had potentially been compromised. Google, Yahoo, Facebook, Dropbox, and numerous others were all affected. What followed was a mass password resetting effort the likes of which the web has probably never seen.

For me, the Heartbleed fiasco instigated a change of approach. Until those dark April days, I’d been using a mish-mash of alphanumeric passwords and passphrases, all stored safely in my noggin. I wasn’t nearly as diligent as I ought to have been about freshening them up, but that never got me into trouble. I made sure to use long, difficult-to-crack passwords with double-digit character counts, and I tried not to use the same ones for different services.

That all fell apart when I was faced with the daunting task of conjuring up—and then memorizing—a cornucopia of new passwords for a large and growing list of services. My friends and colleagues suggested password-management software, and I could think of no better alternative.

So, over a period of a few hours on the evening of April 10, I tried and subsequently discarded several of the most popular password-management tools available—until, like Prince Charming with the glass slipper, I came upon The One.

  • It started with LastPass, a well-reviewed and highly recommended solution. I tried it, uninstalled it, tried it again, and uninstalled it again, so overpowering was my revulsion. My mind has forever censored the specifics of that gruesome experience, but I’m still haunted by flashbacks of hideous user-interface design and confusing configuration panels. LastPass is probably fine once you get to know it (why else would everyone be recommending it?), but I had neither the time nor the inclination for a third date. Shudder.
  • Next was 1Password, a popular alternative to LastPass. I didn’t mind the interface as much, but the Windows application still felt a little clunky, and I was put off by the pricing structure. 1Password charges $69.99 for a Mac and Windows cross-platform license, and that fee doesn’t include subsequent upgrades. I may lead a glamorous and exciting life as a writer for a computer hardware review website, but I’m not made of money. Next!
  • KeePass is a favorite of one of my most technologically gifted friends. It’s the only free, open-source offering of the bunch, but it also turned out to be the highest-maintenance one. KeePass has no built-in cloud synchronization feature and no built-in browser extensions. What it does have is a dizzying array of customization options and an extensive supporting cast of third-party tools. The best word to characterize KeePass is probably “linuxy.” Hard-core nerds might love it, but those of us trying to find an easy-to-use password manager late on a Thursday evening probably won’t.
  • Finally, there was Dashlane—on whose proverbial foot, after a little pushing and twisting, the glass slipper popped at last. Dashlane doesn’t appear to be as popular as the others, but it was recommended by David Pogue in the New York Times. I found it to be the cleanest, lowest-effort solution of the bunch. It imported all my saved passwords from Chrome, presented me with an elegant and uncluttered interface, and surprised me with a slick and solid iOS app. Dashlane costs $29.99 a year for a Premium subscription that covers Windows, OS X, iOS, Android, cloud synchronization, web access, and support for two-factor authentication for the master login.

Dashlane’s browser extension can be a little overbearing, and I found it to make mistakes on occasion. A couple of times, it offered to generate a new password… and then promptly saved the old one, leading to a few minutes wasted waiting for “I forgot my password!” e-mails. There’s an easy workaround, though: manually generate a password via the extension’s menu, and keep that password in the clipboard until you’re sure the right credentials have been saved. Easy enough.

That little kink aside, I really can’t complain. For a guy or gal with limited time and a lot of passwords to change, Dashlane does a pretty great job. It even saves payment information and addresses for online shopping, although I haven’t set that up yet. Maybe I never will. I like the idea of not keeping all my eggs in one basket.

So anyway, that was my experience as a wide-eyed and quivering newcomer to the password management scene. I feel a heck of a lot better now, with a bunch of gibberish passwords that I can change at the drop of a hat, all without aggravation or memorization coming into the picture. I can access those passwords from any one of my computers (or my phone), and even if someone cracks my master password, two-factor authentication will leap to the rescue with its ever-changing six-digit codes. I’ve never been safer.

Unfortunately, none of that really helps the average user. It doesn’t help mom or pop or grandma, or that struggling small business owner you see in political ads.

My biggest takeaway from this experience is that passwords suck. They didn’t suck so much back in the prehistoric days of the 1990s, when you only needed a handful of them. But today, with every little site on the web requiring its own login credentials, there’s just no way for John K. Average-Smith to make sense of it. I imagine old Johnny has been using “fido777” as his only password for the past half-decade, and someone in Iran is using his credit card details to buy enriched uranium as we speak.

We need something better. I think some manner of biometric authentication is probably the way to go. A lot of laptops—and now phones—have fingerprint sensors built in. If those become more widespread, and their security can be guaranteed, then I wouldn’t mind having to swipe my finger to log into Facebook or Gmail. It’d certainly beat fido777… or coughing up $29.99 a year for Dashlane.

Comments closed
    • DarkUltra
    • 5 years ago

    I’ll stick with LastPass because of these shortcomings with Dashlane:

    – no autologin
    – no Opera support (has a workaround that kinda works: https://getsatisfaction.com/dashlane/topics/dashlane_works_with_chrome_based_browsers)
    – no remembering the master password without a PIN lock requirement on Android
    – must use one capital letter and one number in the master password (yes, you can create good passwords which are easy to type without those: http://xkcd.com/936/)
    – no auto-fill support on Android, must copy login and password manually

    • Mightyflapjack
    • 5 years ago

    Cryptic passwords are over-rated.

    People who want their passwords to be things like “a&Vb3x0!” are making their lives more difficult when a password “mycatmakesmeveryangrymostdays” is much stronger and far easier to remember.

      • nafhan
      • 5 years ago

      So, you have 20+ phrases like that and you remember which website each one goes with? If so, good for you. If not, you should be using password management software.

      • dmjifn
      • 5 years ago

      I use cryptic passwords for work (initialisms specifically) and I have to concede that they are probably overrated. I think that Ars article someone linked says that. Of course, it also says your passphrase is also not strong anymore either.

      But long random passwords? “TCd>S;3G!1Fd3kFcvLJ]Tz2Lh{“Ea” may still be a strong password for a while yet. Assuming, you know, no Heartbleed.
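Mightyflapjack’s claim above, and dmjifn’s reply about long random passwords, can be checked with a quick estimate of how many guesses an attacker needs under different assumptions. The following Python is an added example, not code from the original post or from any commenter; it scores the two passwords quoted in the thread under a character-class model and under a dictionary-words model (the weakest case for the passphrase, where the attacker knows it is common words run together). The 10,000-word dictionary and the 10 billion guesses per second are assumptions for illustration, not measured figures.

```python
import math

# Constructed sample inputs, lifted from the comment thread.
CRYPTIC = "a&Vb3x0!"
PASSPHRASE_WORDS = ["my", "cat", "makes", "me", "very", "angry", "most", "days"]
PASSPHRASE = "".join(PASSPHRASE_WORDS)

# Assumed attacker capability for the time estimates: 10 billion guesses per second
# against a fast unsalted hash (an assumption for illustration, not a measured figure).
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover to brute-force this password character by character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # the remaining printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker knows only the length and the character classes used."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy if the attacker knows the password is `num_words` words from a known dictionary."""
    return num_words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a space of 2**bits guesses."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare(cryptic: str, words: list, dictionary_size: int = 10_000) -> dict:
    """Score the cryptic password and the passphrase, including the model that favours the attacker most."""
    phrase = "".join(words)
    return {
        "cryptic_bits": brute_force_bits(cryptic),
        "passphrase_bits_if_chars": brute_force_bits(phrase),
        # Weakest case for the passphrase: attacker knows it is dictionary words joined together.
        "passphrase_bits_if_words": passphrase_bits(len(words), dictionary_size),
    }


if __name__ == "__main__":
    for name, bits in compare(CRYPTIC, PASSPHRASE_WORDS).items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```

Under these assumptions the eight-character cryptic password sits near 53 bits and falls in days, while the passphrase still exceeds 100 bits even when the attacker is granted the dictionary model; the estimate is only as good as the assumed dictionary, so a phrase built from a famous quotation or a sentence already in a leaked corpus scores far lower than this model suggests.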

        • Brok
        • 5 years ago

        If something similar to Heartbleed was to happen again, password managers can be quite helpful when changing passwords in a hurry. Not essential obviously, but helpful.

    • itachi
    • 5 years ago

    Have you heard about roboform ? mh, I always wonder, how can I trust a company with all my passwords though…

    But I’d say it’s only necessary to use a complicated password like numbers, letters, and capital letters, for your accounts that really need security.. like steam account, battle.net login, main email login… the rest, for instance this website, do I really need an uncrackable password for it ? mmh I don’t think so ! lol

    And you make it sound like the Iranian government needs hacked credit cards to purchase their Uranium, no sir they can buy it legally.. uh.

    • jessterman21
    • 5 years ago

    Believe it or not, I have been using variations of the same passphrase for nearly everything (except those God-forsaken apps that require 6 characters only, including a number) for 14 years. I’ve added complexity since then, and I routinely change the numbers (sequentially) in it, but the only two times I’ve been cracked were for webmail accounts.

    • tom_in_mn
    • 5 years ago

    While the scope of Heartbleed was large, I’ve yet to see anyone show it was exploited. All the big compromises, such as Target, were found by analysis of the CC info available for sale on-line. If people had been finding unexplained CC info from something of the scale that supposedly HeartBleed had then they would have been looking for the source and would have immediately had confirmation of it being exploited.

    The initial number of servers quoted as being affected was all Apache servers, but that was only if they had been updated to the broken version of OpenSSL. Ours at work were not, for example.

    That said, I got more paranoid about my security because of it as well.

    • El Burro
    • 5 years ago

    I also use lastpass. Love it

    • End0game
    • 5 years ago

    Am I the only one who still uses their noggin for all their passwords?

      • dmjifn
      • 5 years ago

      Oh, heck no! My wife does that too. She uses “<name of former pet><significant number like street address or year>”… with as many as 10 characters! But that’s only because she has a secret wish to make us both victims of identity theft, bank account theft, and fraud.

      • Krogoth
      • 5 years ago

      I’m one of them.

      I never understood passwords. They aren’t really a secure way of preventing access. They are just simple door locks; they keep honest people honest. They are woefully ineffective against somebody determined to circumvent your security.

        • dmjifn
        • 5 years ago

        It sounds like you’re mixed up here. In terms of the greater security arms race, passwords may be becoming obsolete rapidly. There is a middle ground between “honest people” and “criminals with ultimate will and means”, embodying various degrees of laziness, opportunism, purpose, knowledge, etc. Locks will stop most vandals, nosy family and neighbors, car door checkers, thugs looking for an easy mark. Self defense classes are going to teach you (among other things) to dress right, act right, stay in lit and public areas, etc. Saying you’re not going to bother taking these basic safety precautions and staying out of bad neighborhoods because “it’s all woefully ineffective against someone really determined to mug me specifically” is just goofy, dude. Get as good a password system as you can manage. You aren’t fighting the theoretical security arms race here. You’re just being diligent.

    • security_maniac
    • 5 years ago

    First of all … very nice post.

    Secondly, I admire that you tried 4 different password managers. I’d probably stay with the first or second one.

    It is good that there are a lot of PS managers on the market; at least everyone can choose.

    I tried LastPass, but I chose Sticky Password (http://www.stickypassword.com/), because the database with passwords is on my drive, not in the cloud.

    • Whispre
    • 5 years ago

    I have used RoboForm for years… Can’t understand how people live without it or something like it.

    • snakyjake
    • 5 years ago

    Why would anyone pay for Dashlane, when you can get LastPass for free? Plus LastPass Premium is cheaper if you want to use it on a mobile device.

    • snakyjake
    • 5 years ago

    Another reason why I want browser integration: It prevents me from entering my password on a phishing site. LastPass will look at the browser’s URL, match the URL with what I stored in LastPass, then suggest or auto populate the login credentials.
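The URL matching snakyjake describes is the part of a browser extension that does the anti-phishing work, and the details of the comparison matter: a substring match would accept a host that merely contains the saved site’s name. This added Python example (not LastPass’s code, and no claim about how LastPass implements it) shows an origin comparison a manager could make before offering credentials: same scheme, same port, and a host that is either the saved host or a subdomain of it on a label boundary, with Unicode hosts normalised to their IDNA form so look-alike names cannot compare equal. The domain names are constructed placeholders in the reserved .example TLD.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalized_origin(url: str):
    """Reduce a URL to (scheme, host, port). urlsplit already drops any userinfo
    ("user@host") and lower-cases the host; we also strip a trailing dot and convert
    the host to its IDNA/punycode form so Unicode look-alikes never equal ASCII names."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    host = host.encode("idna").decode("ascii")
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def should_autofill(stored_url: str, current_url: str, allow_subdomains: bool = True) -> bool:
    """Decide whether credentials saved for stored_url may be offered on current_url."""
    s_scheme, s_host, s_port = normalized_origin(stored_url)
    c_scheme, c_host, c_port = normalized_origin(current_url)
    if not s_host or not c_host:
        return False
    if c_scheme != s_scheme or c_port != s_port:  # also refuses an https -> http downgrade
        return False
    if c_host == s_host:
        return True
    # Subdomain match only on a label boundary: "login.bank.example" passes,
    # "bank.example.evil.example" and "notbank.example" do not.
    return allow_subdomains and c_host.endswith("." + s_host)


if __name__ == "__main__":
    saved = "https://bank.example/login"  # constructed placeholder, not a real site
    for candidate in ("https://login.bank.example/", "https://bank.example.evil.example/",
                      "http://bank.example/login", "https://bank.example@evil.example/"):
        print(f"{candidate:45s} -> {should_autofill(saved, candidate)}")
```

Whether subdomains should match at all is a policy choice; a manager that stores credentials per exact host (allow_subdomains=False) is stricter and simply prompts the user more often.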

    • zenbi
    • 5 years ago

    Fingerprints are not passwords!

    Authentication involves two things: something you have and something you know. Fingerprints (and usernames) are something you have. Passwords and shared secrets are something you know.

    • Freon
    • 5 years ago

    I’m completely sold on LastPass. It’s very convenient, and while nothing is perfectly secure, I think their security is fairly solid overall. I’d much rather pay someone for the utility than use a freeware solution, or have to use yet another third party service to keep my keyfile.

    The mobile app is really nice. Putting my master password in is a bit tough on a mobile device regardless, but from there it does a decent job entering my passwords.

    Feature and security wise it is very good, and I guess we’ll just have to disagree on interface. I never seem to agree with Cyril’s opinions regardless, so no big surprise. 😉

      • llisandro
      • 5 years ago

      Yeah, Heartbleed was the push I needed to migrate to a pw manager, and I went with LastPass. Took a bit of time to get set up, but I didn’t encounter any of the problems Cyril had, either. I was able to export everything from Chrome and Firefox no problem. Ditto on the mobile app: works great, and I’m using it with 2-factor authentication via an NFC-enabled Yubikey, and that works great on my Nexus 4 as well. Upping the ante to 2-factor was ~2 clicks more work than setting up LastPass; definitely recommended. Stick the flash drive into your machine when you use it, use NFC to do the same thing on your phone.

      I picked LastPass over KeePass mostly because of the Dropbox thing: its big claim is that it’s better because you’re storing your keys locally, but in practice everybody puts them on Dropbox anyway. I figured it’d make less sense for a hacker to target a LastPass server that stores nothing but 256-bit AES salted hashes (using perfect forward secrecy, that you’re going to change the second a breach happens) than Dropbox, which they know people also store unencrypted sensitive information on. And I can never forget that whole, “oops, we clicked a box and ‘turned off’ all of your passwords so anyone can access your Dropbox account if they know your username” fiasco that happened a couple years back. It was kind of reassuring that LastPass was using OpenSSL and yet they didn’t lose data, because of how they layer security (detailed on their blog).

      Also, FYI, LastPass offers a discount if you have an .edu email account- it was $12 for 18mos (6 mos free), if you want the mobile app.

      Edited: typo

      • BoilerGamer
      • 5 years ago

      Love lastpass since day 1 and the UI is fine with me.

    • cobalt
    • 5 years ago

    I’m not sure I understand what you’re referring to when you say “dizzying array of customization options and an extensive supporting cast of third-party tools” for KeePass.

    There are a number of things in the GUI I don’t use — things like password expiration, triggers, and plugins, but I’ve literally never had a desire for them and their presence isn’t particularly confusing. Otherwise, you create passwords, group them, and so on, and I think the interface is fairly basic.

    And the “supporting cast of third-party tools”, I’m not sure what you mean. You don’t need any supporting tools or apps. There’s one main program that runs just about everywhere. And the app for the major mobile OSes is separate. Maybe because it’s open source, people are making competing/compatible apps that clutter the marketplace?

    Granted, it’s maybe not the most polished thing ever, but I’ve found it straightforward. The only complaint I have is that unless it’s changed, their built-in selection of pre-chosen password styles is bizarre — 40, 128, and 256 bit hex keys and a random MAC address. No option for “8 digit upper/lower/digits” or “12 lowercase”. Of course, it’s trivial to do that yourself, but if they have built-in styles, they might as well make them useful!

    • Noigel
    • 5 years ago

    I use and endorse Password Depot. I wrote this recently about it somewhere else:

    ===========================

    Why I like Password Depot:

    1. I need an encrypted file that I control, be it on a local server or personal cloud (Dropbox). I do not want my data living in a system remotely where I don’t have access and I don’t know it’s nature or form. I am making the decision to trust Password Depot’s file encryption and to also trust Dropbox for storage (some people think that placing even this much trust in 3rd parties is too much.)

    2. I need integration across all my devices… computers, iPad, etc., even though I’m hosting my own encrypted file. This is why I like that Password Depot is integrated with Dropbox. The program also has a USB installation method… so I can have the program on any Windows-based system I choose to use without installing it. Password Depot does not have a Mac client (boo!) this may be a deal breaker for some people.

    3. I need to manage passwords for local programs too. I’ve seen Password Managers that only input logins and passwords into browser-based systems. Forget that! I need to be able to throw logins and passwords into any box I put the focus on. The only areas where I’ve seen Password Depot unable to input passwords is the initial Windows login and within MS Remote Desktop windows. The program doesn’t like to drop passwords into remote sessions… the way it does the password drop may be encrypted… it doesn’t appear to act like a simple copy and paste… I’ve also seen it get cranky on occasion where it thinks it could be putting the password into some sort of compromised position. It doesn’t happen often and I’m glad there is background logic trying to catch other programs from snooping.

    4. I need a system that generates complex passwords but has some flexibility with this too.
    a. Asks how many characters needed
    b. Will exclude consecutive identical chars
    c. Will use at least one char from each group (upper, lower, number, special, custom)
    d. Will exclude similar-looking characters (O vs 0, I vs 1, etc.)
    e. Will exclude common dictionary words

    5. Because I host a file… I need a backup scheme. In my opinion Password Depot hasn’t yet made file backups with DropBox seamless… I have to manually kick off the process but I may have it configured wrong.

    6. I want a system that can include all the other “biasing” information surrounding the password too… it’s not just a password… it’s a cluster of various private and sometimes public information. For instance, let’s take a DSL account for example… you will likely need to keep up with:
    a. login name
    b. login password
    c. security question 1*
    d. security question 2*
    e. security question 3*
    f. security answer 1*
    g. security answer 2*
    h. security answer 3*
    i. the website URL
    j. an account number
    k. actual phone line’s number

    *I select random questions so I would need to keep up with them too as well as the answers. My answers are NOT my real answers, they are complex, scrambled passwords too. People can find out your first pet, first car, where you went to elementary school… people spend so much time making complex passwords and then one of their security answers is “blue” to a security question about their favorite color…

    7. For Windows, and being a local install, I need a SMALL launcher that is super-imposed on top of any other windows and that doesn’t hide when I move focus to the actual program requesting the login and password info. Also nice if it can launch specific websites for you.

    ===========================

    Note that some people are more extreme on the security aspect than I am… they don’t trust 3rd party encryption at all. Some don’t trust any closed-source programs (i.e. commercial) and will only use open-source “code in plain sight” programs. Guess it really depends on how safe you really want to be.

    • MetricT
    • 5 years ago

    KeePass + Dropbox works great for me. It works on Windows, OS X, Linux, IOS, Android, probably elsewhere.

      • Kurotetsu
      • 5 years ago

      How did you get KeePass working on Android?

        • Firestarter
        • 5 years ago

        KeePassDroid: https://play.google.com/store/apps/details?id=com.android.keepass

          • mark84
          • 5 years ago

          This. KeePass on your PC synced to your Google Drive account. Easy peasy.

          KeePass is one of the few decent password managers where you the user have full control over your database.
          All the other services, you need to rely on their security measures. I’m sure their sites are the biggest honey pots for hackers out there. Literal goldmine.

        • Godel
        • 5 years ago

        I believe KeePassX works on Android.

      • GokieKS
      • 5 years ago

      Saying that KeePass works great on OS X, Linux, and Android is a major stretch, and even on iOS it’s probably overstating it. On Windows it does work very well, but trying to use it across multiple platforms is a giant pain. I previously used it, and the state of clients on every OS except Windows leaves a lot to be desired, and eventually I just gave up on it and switched to Dashlane. It still has quirks (OS X and Windows Chrome extensions are different versions, the UI between the two is almost but not exactly the same, etc.), but in usability across multiple platforms, it’s leagues ahead of KeePass.

      • CreoleLakerFan
      • 5 years ago

      This is what I use … it’s perfect!

      • LoneWolf15
      • 5 years ago

      Similar here. KeePass + Google Drive.

    • Shambles
    • 5 years ago

    I am confused. A one time $70 fee is unbearable yet a $30/year fee on a service that you’ll undoubtedly have to manually transfer over to a different utility once you realize you’ve spent more on your password manager than you have on your entire Windows license is all good?

    Am I missing something?

    (I like to use KeePass and have it stored on my dropbox account that all my devices have access to.)

      • Cyril
      • 5 years ago

      It’s not a one-time $70 fee, though. It’s $70 for the current version, plus whatever they decide to charge for major new releases.

      And I spend more on a lot of things than I did on my Windows license. Doesn’t mean I shouldn’t. 😉

        • Shambles
        • 5 years ago

        It’s like buying winzip. You buy it once and use the same version for 20 years because it does a simple task and it works. I would think an entire operating system would be worth considerably more than what is essentially putting an .xls inside a truecrypt container.

        (Haha yes I know, as if anyone would pay for a zip utility)

    • sweatshopking
    • 5 years ago

    I haven’t changed a password since heartbleed. probably not going to bother. I don’t have any “real” accounts anywhere. just stuff like here, and a few others that aren’t linked to real me. my wife has a bunch, and she updated her passwords, BUT I LOVE BEING A MAN CHILD.
    as for password managers, Opera 12 has it right. i’ll be using that badboy FOREVER. the chrome version is garbage, and given the thrashing they’re enduring on facebook and twitter, it looks like i’m not the only one advocating a return to the older engine and setup. opera 12 was the best browser ever made.

      • El Burro
      • 5 years ago

      Don’t you have any accounts at a banking site? What about insurance? I don’t understand not having any “real” accounts.

        • sweatshopking
        • 5 years ago

        No. My wife does.

    • superjawes
    • 5 years ago

    I think the better solution that we are generally moving to is the social networking login. Yes, that presents other issues, and yes, I know that not everyone likes the social networking.

    However…logging in with Facebook to a service I might use once or twice a year is much easier than creating a new account and having to remember or store new login information.

    The big flaw with this is that if your profile is compromised, then everything is compromised, but I think that can be solved with some extra protections in authentication, like authenticators with pseudorandom number generation. That should make it harder to break to begin with, but easier to recover if it is broken.

    • TardOnPC
    • 5 years ago

    lol @ LastPass.
    I went to their site, downloaded for Mac, created an account and their app got stuck on the creation screen. No extensions were installed on any browser. I received their welcome email though. I tried to log in to their site and I got an “Invalid Password.” Account Recovery fails and tells me to try a browser with the extension installed. I manually added it to Firefox and once again “Invalid Password.” Great job LastPass.

      • Shambles
      • 5 years ago

      It’s so secure even you can’t access it!

    • Shouefref
    • 5 years ago

    My passwords are a random series of letters and figures, using small caps and capitals, and putting in punctuation and other symbols if possible. Learning them by heart is impossible.
    But I do not use password managers and certainly not password managers in the cloud.
    Manage your passwords in the cloud? Thus avoiding the dangers of the cloud by using the cloud????

      • MrJP
      • 5 years ago

      If you can’t learn them by heart, and you don’t use a password manager, how are you remembering them?

        • hbarnwheeler
        • 5 years ago

        NotMyPasswords.txt

        • sweatshopking
        • 5 years ago

        I email them to him when he needs them under the subject “terrorism”. that’s the most secure way.

    • Dr_b_
    • 5 years ago

    KeePass, because you don’t want to store your passwords in the cloud.

    • Big Jon
    • 5 years ago

    Keep your system clean and do not install those dysfunctional Password Managers. Just stay with a strong Mozilla Firefox “Mistress” Password. When using a master password, the data is encrypted using Triple DES Encryption in CBC mode. You can even increase security by enabling FIPS:

    http://blackhole01.wordpress.com/pc-xtrm/pins-and-passwords/

      • sbhall52
      • 5 years ago

      What’s wrong is that time after time, both Firefox’s and Chrome’s password managers have been shown to be insecure. (I don’t think either of them keep plaintext passwords anymore, though, which is quite an improvement.)

        • yogibbear
        • 5 years ago

        I have noticed Chrome pining in the mirror wondering if she chose the right colour for her autumn hair.

        • Freon
        • 5 years ago

        That’s my conclusion as well.

        Also, at least last time I used them, there was no random password generation, and I wouldn’t want more third party freeware generators. That’s an essential feature, as is portability across devices and systems. Almost all my passwords are now some crazy long random key, with about as much upper/lower, number/letter, special characters, and length as the website will allow.

          • Brok
          • 5 years ago

          I’d like to know where you took the above “surely” from. Any article on the subject?

          LastPass is extremely difficult to crack, as long as you have chosen a master password with appropriate difficulty. Your master password is not directly used as a ciphertext key, it first goes through 5000 iterations (which can be easily incremented, according to CPU power you have at hand) of SHA256, significantly slowing down any brute force attack.
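What Brok describes above is key stretching: the master password is fed through an iterated function so that every guess costs the attacker the same multiple of work, while the legitimate user pays it once per login. The following is an added example, not LastPass’s code and no claim about its internals, using PBKDF2-HMAC-SHA256 from Python’s standard library with the 5,000 iterations named in the comment as the starting count. It also shows why the iteration count is stored next to the salt: a record can then be re-derived with a higher count at the next successful login (“easily incremented”) without resetting anyone’s password. The layout in which the service stores a hash of the derived key as a verifier, rather than the key itself, is an assumption for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for the illustration: the 5,000 iterations named in the comment as the
# starting point; KEY_LENGTH gives a 256-bit derived key.
DEFAULT_ITERATIONS = 5_000
KEY_LENGTH = 32


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: `iterations` chained HMACs, so each guess costs the attacker that many."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LENGTH)


def new_record(master_password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """What a service would store: a fresh random salt, the iteration count used, and a verifier.
    The verifier is a hash of the derived key, so the stored record cannot itself unlock a vault."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": hashlib.sha256(key).digest()}


def verify(record: dict, master_password: str) -> bool:
    """Re-derive with the stored salt and count, then compare in constant time."""
    key = derive_key(master_password, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def upgrade_if_weak(record: dict, master_password: str, target_iterations: int) -> dict:
    """At login, when the password is briefly available, re-derive with a higher count.
    Storing the count per record is what makes this incremental raise possible."""
    if record["iterations"] >= target_iterations or not verify(record, master_password):
        return record
    return new_record(master_password, target_iterations)


def relative_attacker_cost(old_iterations: int, new_iterations: int) -> float:
    """Brute-force cost scales linearly with the iteration count."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    rec = new_record("constructed demo master password")  # constructed value, not a real credential
    print("stored iterations:", rec["iterations"], "verifies:", verify(rec, "constructed demo master password"))
    rec = upgrade_if_weak(rec, "constructed demo master password", 100_000)
    print("after upgrade:", rec["iterations"], "cost x", relative_attacker_cost(5_000, 100_000))
```

Raising the count from 5,000 to 100,000 makes each offline guess twenty times more expensive; the salt is what stops one precomputed table from serving every account. A memory-hard function such as scrypt or Argon2 would be the modern choice, but the mechanics of storing and raising the work factor are the same.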

      • malicious
      • 5 years ago

      Security-conscious sites often don’t allow browsers to auto-populate user name and password fields. The financial institutions I use are this way and those are the passwords one would want to be the longest and most complex which also makes them the most difficult to recall without software help.

      • Firestarter
      • 5 years ago

      Install? You don’t have to install Keepass to use it, you can just use a portable version on a USB-stick if you so desire.

      http://blackhole01.wordpress.com/pc-xtrm/pins-and-passwords/

    • Usacomp2k3
    • 5 years ago

    I’m sad that something like OpenID hasn’t gotten further.

      • jmke
      • 5 years ago

      “A notable security vulnerability has been discovered which impacts both OAuth and OpenID” (http://it.slashdot.org/story/14/05/02/2015227/nasty-security-flaw-in-oauth-openid). OpenID doesn’t solve this issue, at all. You have one password for a lot of sites/logins...

    • spuppy
    • 5 years ago

    Can’t you use something like Dropbox or Google Drive to sync different versions of KeePass?

    I have sort of been looking into this too, and a free solution seems the best to me

      • Spittie
      • 5 years ago

      Yes, you can just save the .kdbx file in your dropbox/drive/whatever folder.

        • cobalt
        • 5 years ago

        Plus, when you start KeePass it opens the last database you’d opened, so it’s not like you need to hunt around and find that file. Just launch KeePass.

      • Kurotetsu
      • 5 years ago

      That’s exactly what I do (KeePass in Dropbox). Works great for me.

    • Spittie
    • 5 years ago

    “We need something better. I think some manner of biometric authentication is probably the way to go. A lot of laptops—and now phones—have fingerprint sensors built in.”

    Like others, I’m not sure about that. This technology is still not as good for that (and now you can even pay with PayPal on Samsung’s phone with it!), it’s also something unique that one might not want to share.

    My hypothetical vision includes certificates (like SSH), some kind of trusted hardware where one can store them, short-life certificates (1 month or less) and a way for your certificate manager to ask you “hey, your certificate has expired, want to renew it?”. Oh yes, it would automagically contact the site and regenerate without needing any user input. This with a different certificate for every site.

    Actually, I’d be happy already with only the last point applied to my password manager. Changing passwords every once in a while is a pita, and having a simple way to do so would make me change/improve my password way more often.

    “For Internet users, the week of April 6 was undoubtedly one of the most annoying and harrowing in recent history.”

    This was my birthday, I’m not sure if I should feel offended...

    • Rübenschwein
    • 5 years ago

    Ha, I’ve been there years ago.

    I still am very happy with my ‘Password Safe’, see http://passwordsafe.sourceforge.net/. Old school, straightforward, simple, open source and the first version was written by Bruce Schneier himself.

    The only features of a password manager one should have to use are:
    1) Open DB
    2) Browse to URL
    3) Autotype
    and the occasional
    4) New Entry with random password

    The GUI sometimes has some quirks, but it has always served me well. Tried some of the others and the apparent ‘feature overload’ of, e.g., KeePass, just annoyed me. There is no fancy cloud support but all you need to synchronize is one file; Dropbox or Google Drive or what-have-you will sort it out. There are portable clients for USB sticks or the occasional load on another PC, as well. There are not many import features, like from one’s browser, OK. But what it does, it does well. The only passwords I memorize are those for my various safes.

    Regarding the choice of passwords see my usual recommendation: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html.

    Regarding biometrics, e.g., fingerprints or iris patterns, although seemingly handy they certainly are no perfect solution. How do you change your fingerprint, once compromised? OK, most of us will have 10 tries. Also, these systems are quite loosely calibrated so as to allow few false negatives; this again makes them accept forgeries more easily.

      • malicious
      • 5 years ago

      I used to rely on Password Safe and would recommend it to anyone who uses only Windows as a free, no-frills program that covers all the essentials. The lack of ports for other platforms is a shame. I switched to KeePass because it’s also free and runs on Linux and Mac OS.

        • Rübenschwein
        • 5 years ago

        there seems to be a Linux port in progress: [url<]http://sourceforge.net/projects/passwordsafe/files/Linux-BETA/[/url<]

    • allreadydead
    • 5 years ago

    I’m really very uncomfortable about using my fingerprint or any kind of biometric for web authentication. What if the access got compromised by malicious users or governments? We know that the NSA, CIA and god knows what other countries' intelligence agencies track even normal users over web/cellular lines. The NSA and CIA didn’t even bother to deny accusations of mass intel gathering from everyone without the necessary court orders/permits.
    If you ask me now, I’m more afraid of reckless governments than a script kiddie who happens to have a black baseball hat. And I doubt those apps are the answer.

    • Disco
    • 5 years ago

    I’m not sure where I stand regarding passwords. I know that it’s always recommended to mix up the letters (lower and capitalized) and throw in some numbers. This is pretty much what I’ve done since my first email account in 1st year university (1989?). I still use that first password I was given for some sites – it was random junk and I just memorized it.

    But I’ve been told that a simple statement can be even more effective (and much easier to memorize) than the random stuff. Using ‘Iturned43inapril’ is not something that is going to be easily cracked, or you could use ‘1lovenetflix’ for Netflix, and just change out netflix for whatever other service you are using, then each one is different but easy to remember.

    I don’t know. I haven’t actually gotten around to changing my passwords since HeartBleed. I’ve been meaning to, and I’ll get to it. This was going to be my approach. What do you experts think?

      • Spittie
      • 5 years ago

      To be honest, it’s pretty bad. ‘1lovenetflix’ is just a passphrase with 3 words, and of those words, for one you use a very common substitution (I -> 1), one is probably among the top 10 common words in English, and the other one is the service you’re using. A dictionary attack is going to pick it up pretty soon.

      The problem with passphrases is that sure, English has between 400.000 and 600.000 words (according to Wikipedia at least), but your average English speaker (same for every language) probably doesn’t know 10% of those. Which in turn decreases the security by a lot (compare 600.000^3 with 60.000^3). So if you’re using a passphrase, use obscure words, use substitutions that aren’t totally obvious (and mix them with no substitutions); bonus if you speak two or more languages and put words from both in there. Also avoid using the site name, that’s just giving one word to the attacker. Or if you do, then put a lot of other stuff in it.

      Your first one is probably a bit more secure, but still probably easily cracked by a dictionary attack, and easily crackable by social engineering (or, considering how much information people put up on the internet, a quick trip to Facebook).

      Sure, those are miles better than the usual ‘password’, ‘123456’ or ‘monkey’, but you can get much better passwords. And for much less effort if you use a password manager.
      My suggestion is Keepass 🙂 Free as in freedom and in beer, and has a client for everything. Copying the DB is not much of a hassle imho (compared to having to remember passwords), and there are a couple of nice plugins for Firefox and Chrome.

      Join the 30+ char alphanumeric passwords club 🙂
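Spittie's arithmetic above (600.000^3 versus 60.000^3, and the three weak "words" of ‘1lovenetflix’) expressed as bits of entropy, together with the CSPRNG-based generation that a password manager does for you. This is an added Python example, not code from the thread or from any password manager named in it; the vocabulary sizes are the ones quoted in the comment, and the pool sizes for the structured password and the guess rate are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Vocabulary sizes quoted in the comment above: a full English dictionary of
# roughly 600,000 words versus the 60,000 or so a typical speaker actually knows.
FULL_DICTIONARY = 600_000
TYPICAL_VOCABULARY = 60_000
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def passphrase_bits(vocabulary_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return word_count * math.log2(vocabulary_size)


def charset_bits(charset_size: int, length: int) -> float:
    """Entropy of a password of independent, uniformly random symbols."""
    return length * math.log2(charset_size)


def structured_bits(pool_sizes) -> float:
    """Entropy of a password built from parts each drawn from a small pool.

    Spittie's reading of '1lovenetflix': a common substitution (assume 2 ways
    to write 'I'), a top-10 word (10 choices) and the site name (1 choice).
    The pool sizes are constructed assumptions, not measurements.
    """
    return sum(math.log2(n) for n in pool_sizes)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a given entropy."""
    return 2.0 ** bits / guesses_per_second


def generate_password(length: int = 30, alphabet: str = ALPHANUMERIC) -> str:
    """Random password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, word_count: int = 6, sep: str = " ") -> str:
    """Random passphrase; its entropy is passphrase_bits(len(wordlist), word_count)."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # Constructed guess rate for a fast hash on an offline rig; order of magnitude only.
    rate = 1e10
    for label, bits in [
        ("3 words, full dictionary", passphrase_bits(FULL_DICTIONARY, 3)),
        ("3 words, typical vocabulary", passphrase_bits(TYPICAL_VOCABULARY, 3)),
        ("'1lovenetflix' as Spittie models it", structured_bits([2, 10, 1])),
        ("30 random alphanumeric chars", charset_bits(len(ALPHANUMERIC), 30)),
    ]:
        years = seconds_to_exhaust(bits, rate) / (365 * 24 * 3600)
        print(f"{label:38s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0e} guesses/s")
    print("example generated password:", generate_password())
```

The point the numbers make is the one in the comment: dropping from the full dictionary to a working vocabulary costs about ten bits over three words, a password assembled from a substitution, a common word and the site name carries only a handful of bits, and a 30-character random string from a manager sits far beyond anything a guessing campaign can exhaust.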

        • Disco
        • 5 years ago

        I’ll take a look at Keepass…

        • jihadjoe
        • 5 years ago

        L337$P3@|< 70 7|-|3 r3$(U3! /\/\4|\| 1 |<|\|3\/\/ 7|-|0$3 d4’/$ (|-|4771|\|9 1|\| QU4|<3 \/\/0ULD b3 900D Ph0r $0/\/\37|-|1|\|9 3\/3|\|7U4LL’/.

      • Rübenschwein
      • 5 years ago

      My usual recommendation on choosing passwords: [url<]https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html[/url<].

      • oldDummy
      • 5 years ago

      meh.
      If it makes you feel secure; do as you must.
      The Internet is not a secure place, that is the bottom line.
      Liken it to a locked door on a tent; it will keep kids and those not determined honest.
      Recent history reminds/reinforces us about this.

      • hbarnwheeler
      • 5 years ago

      Those passwords would be [url=http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/2/<]pretty trivial to crack these days.[/url<]

        • Disco
        • 5 years ago

        OK. I read this and it makes me even less inclined to bother, since everything will be cracked soon enough anyway? 🙂

          • cobalt
          • 5 years ago

          You’re drawing the wrong conclusion. 🙂 It’s certainly possible to create passwords which can’t be cracked, but it requires actual randomness.

          What you should take away from this is mostly that you can’t create good passwords yourself using your brain alone, because you will use patterns that are easy to predict. Phrases using English grammar cut down the possibilities too dramatically, and simple substitutions (like 1 for the letter I) are so phenomenally common that it doesn’t add much randomness.

          In other words, things you can come up with yourself and that you think are easy to remember turn out to be predictable.

          The answer is to use a password manager and use its built-in password generators to create TRULY random passwords — and because you’re using a password manager, that means you don’t have to remember them.

      • Disco
      • 5 years ago

      Hi guys. I appreciate all your input. Thanks! I was away from the computer today and wasn’t able to respond earlier.

      I realize that the passwords would be ‘trivial’ to crack. But how many passwords are actually cracked? Aren’t they more typically stolen as text files once a system is hacked? So it doesn’t really matter how many characters your passwords are, unless you think you are going to get individual attention from some individual who is actively trying to access YOUR account, or break into your phone etc.

      What I hear in the news is always the hacking of the systems holding the usernames and passwords. Such as Sony last year. Not necessarily the individual accounts. And that’s usually more the result of responding to phishing bait (which I don’t).

      I’m not trying to argue against having secure passwords. I’m just wondering if it really matters how ‘secure’ the actual password is? At least have different passwords for different accounts.

      Am I totally wrong?

        • cobalt
        • 5 years ago

        Well, you’re wrong in the majority of cases. It’s highly unusual for a site to store the actual passwords.

        What actually happens in most cases is that the passwords themselves are never stored on the systems. A one-way HASH of the password is stored there, so when thieves break in, what they get is a big file of usernames and password hashes. They don’t immediately get any passwords.

        So then, offline and with all the time and computing power they want, they try to find passwords that match those hashes. They’ll start simple, with shorter combinations like just letters and numbers, and that’ll get them, say, passwords for half the accounts. Then they use more complex guesses, adding phrases and substitutions, which takes longer, but then they get another percentage. Once they’ve reverse engineered a bunch of passwords, they can use them to log in directly or sell them on the black market.

        But good passwords can’t be cracked in any feasible amount of time, unless maybe you’re being singled out by someone with millions of dollars of computing resources. So yes, it’s still very important to have good passwords, because it means that an unknown data breach will leave you secure, and that even a known data breach will give you enough time to change your password before someone can crack it. (And yes, have different passwords on different sites to contain any breach.)

        There are lots of good articles out there, e.g. on Ars Technica about the details. They’re well written and pretty informative. I think some, like this, have been mentioned by other posters:
        [url<]http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/[/url<]
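cobalt's description of what a breached site actually leaks, and of the cheap first guessing pass, as an added Python example (not code from the thread or from any site or product named in it). Records are stored as salted PBKDF2-SHA256 hashes, verification recomputes the hash from the record's own salt and work factor, and a defender-side audit flags accounts whose password appears on a short known-bad list, which is the class of password that first pass recovers. The usernames, passwords, list and iteration count are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor: a constructed choice for this example; real deployments tune it
# so that a single verification costs a noticeable fraction of a second.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a stored record of the form 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot cover every account.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and work factor."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations), dklen=len(expected))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def weak_accounts(records: Dict[str, str], common_passwords: List[str]) -> List[str]:
    """Defender-side audit: which accounts use a password from a known-bad list?

    This is the cheap first pass cobalt describes. Each guess costs a full
    PBKDF2 run, which is what buys users time after a breach; a strong random
    password never appears on such a list and is not recovered by it.
    """
    flagged = []
    for user, record in records.items():
        if any(verify_password(guess, record) for guess in common_passwords):
            flagged.append(user)
    return sorted(flagged)


# Constructed sample data: the weak choices are the ones quoted in this thread,
# the strong one is the kind of 30-character value a password manager generates.
COMMON_PASSWORDS = ["password", "123456", "monkey", "1lovenetflix"]
SAMPLE_RECORDS = {
    "alice": hash_password("monkey"),
    "bob": hash_password("1lovenetflix"),
    "carol": hash_password("xQ7vR2mL9pT4wN8kJ3hF6dS1gB5zC0"),
}

if __name__ == "__main__":
    # What a thief gets from the server: the record, never the password.
    print("stored record for alice:", SAMPLE_RECORDS["alice"])
    print("accounts with a common password:",
          weak_accounts(SAMPLE_RECORDS, COMMON_PASSWORDS))
```

Running the audit flags alice and bob but not carol, which is the whole argument of the comment: the breach hands over the same file for everyone, and only the password's own strength decides whether the hash turns back into a login before the user has changed it.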

          • Disco
          • 5 years ago

          Ok. That makes sense now. Thanks for all that information. I appreciate it. I will make my passwords better (and no, I’ve never used ‘ilovenetflix’ for a Netflix account – just creating a simple example).

          thanks again.

          dave

    • Ninjitsu
    • 5 years ago

    Multiple game clients are compounding the issue as well.

    • Firestarter
    • 5 years ago

    I’m a little surprised by your opinion of Keepass, I find the basic use case of opening the database, storing a password and retrieving it again to be quick, easy and painless. Granted, it doesn’t come with any browser integration out of the box, but you can install plugins for that if you wish. I use mine without and just copy/paste passwords when necessary. As for cloud storage, you can choose your own. Install the appropriate programs/apps on the devices that you use and have them autosync the file, and you’re done.

      • atari030
      • 5 years ago

      I’m not surprised by Cyril’s opinion of it at all given that’s going to be the same position most people would take regarding KeePass user friendliness. It’s not a tool most people would immediately be able to embrace.

      However, I agree with you on all other points and am of the same mind as you when it comes to how I employ a password manager and interact with it.

      I would say, as a general comment regarding cloud storage and password data stores, throwing that beast out there would be akin to storing your most important hashed password on a multitude of servers that are internet accessible. It’s just asking for trouble and something I personally would avoid like the plague unless I had no other alternative.

        • Firestarter
        • 5 years ago

        [quote<]It's just asking for trouble[/quote<] I agree, it's a major security hole. But the same goes for the password services that Cyril mentioned (Dashlane and Lastpass, I don't know about 1Password): you're still storing your passwords on a server which might be just as secure or insecure as a Dropbox server, there's no way for you to know or find out. I would just rather pick and choose my own hosting solution and not be dependent on its survival. Dropbox could explode tomorrow for all I care, all I have to do is change my passwords (assuming some hacker has downloaded my Keepass file) and look for another cloud hoster.

      • CreoleLakerFan
      • 5 years ago

      Or, as mentioned elsewhere, just store your .kdbx file in Dropbox or GoogleDrive and don’t bother with any of the autosyncing plugins.

        • floodo1
        • 5 years ago

        KeePass + KeePassX + simple passwords for simple sites that I use on my phone.

        It’s not hard for me to sync across machines because my passwords are strong and change infrequently. When they do change, I just manually move it around.

      • squeeb
      • 5 years ago

      KeePass is amazing. Been using it for years

    • NovusBogus
    • 5 years ago

    That reminds me, I still need to change some passwords. I use a tiered strategy where sites with a tangible personal security risk (i.e. banks and a few ecommerce sites that demand a credit card on file) have unique variations of a strong and occasionally changed base password and accounts on blogs, forums, etc. that don’t even have my real name get a simple one that rarely if ever changes–though for this one I’m trying to make an exception. It may make infosec heads asplode but frankly I’m just not worried if some troll accounts get compromised.

    My thought on password management tools is that an offline solution like KeePass is okay but anything that talks to a website is actually exposing you to additional risk by adding another point of failure.

      • wujj123456
      • 5 years ago

      Totally agree with the web part. How does LastPass/1Password sync your password with servers? Use HTTPS and two-way encryption to send new passwords individually? That’s asking for interception right there. They operate at scale, and I doubt they will encrypt the entire database and send it over and over again to the server. However, that’s the only right way to do it. Security has always been the enemy of efficiency.

      Offline password manager solutions with Dropbox or another cloud service don’t have the problem. Every bit that goes to/from the cloud will already be in its final state, with strong encryption in place. I used to use PyCrypto to implement the LastPass algorithm myself. Since KeePass is much better, I switched over.

        • credible
        • 5 years ago

        For something like LastPass I could very well see them encrypting it both ways; it is only passwords, and I am sure that even the largest group of passwords has got to be quite tiny in this age of 3TB drives.

        • ApockofFork
        • 5 years ago

        I believe lastpass/1pass encrypt everything locally and then sync it over the cloud. It is only ever decrypted locally with your master password. This solves the issue of man-in-the-middle type attacks.

        Feel free to correct me if I’m wrong!

    • christos_thski
    • 5 years ago

    Here is where a “touch id” equivalent for the PC would be sorely appreciated. Plug the fingerprint reader into your USB port and go.

    • ShadowEyez
    • 5 years ago

    First post, wow…

    Good article Cyril, though I admit I’m a little surprised that an experienced tech writer is just getting into password management beyond “putting them in the noggin”.

    And you’re right that passwords suck, and that we have to have so many of them. But I disagree with you on one point: biometric security that can be guaranteed is not a goal we should strive for. First off, the only guarantee in the tech security realm is that whatever lock you make, eventually it will be broken.
    But besides the snide remark, bio security doesn’t seem likely to be the panacea everyone hopes for. You only have one unique eye/iris pattern and one unique fingerprint. And when those are digitized and stored in a database that gets stolen or hacked into (and given our general ability to secure networks and databases, it’s only a matter of when, not if) then what? If you think it’s hard to change a password, try changing a fingerprint or iris pattern… The devil’s in the details…

      • xand
      • 5 years ago

      I doubt that the entire fingerprint or iris pattern is actually stored in any current implementation.

        • Ninjitsu
        • 5 years ago

        Makes more sense to store a salted hash…

          • sjl
          • 5 years ago

          All well and good, but the fundamental point remains: you can’t change your iris pattern, nor your fingerprints. It takes only one break in your security, and – with that sort of system – you’re utterly hosed.

          Passwords suck royally; the reason they’ve hung around for so long is because there isn’t really much alternative.

          Me? As a sysadmin, I have well over 200 passwords I need to keep tabs on for my job. I use Password Safe to manage them; apart from the fact that there isn’t an ssh client (nor RDP client, for that matter) that integrates with it, it works well enough for my needs. I use 1Password for my personal stuff.

    • UnfriendlyFire
    • 5 years ago

    “A lot of laptops—and now phones—have fingerprint sensors built in. If those become more widespread, and their security can be guaranteed,”

    Mythbusters defeated such a fingerprint biometric system a few years ago,

    And I do believe they were not the last ones to do it.

      • Firestarter
      • 5 years ago

      those built into the iPhone 5S and Samsung Galaxy S5 were also hacked

      • DPete27
      • 5 years ago

      I might as well go writing my password/s on post-it notes and throwing them everywhere.

        • Vhalidictes
        • 5 years ago

        If you’re using Post-It Notes, then you’re essentially using a non-software version of KeePass.

        I don’t understand the KeePass hate; copy password paste password, it’s both easy and convenient.

          • hbarnwheeler
          • 5 years ago

          Copying/Pasting a password every time you need one is convenient?

          Would you like to buy my butter churn?

            • Firestarter
            • 5 years ago

            I don’t know about you, but I don’t need passwords that often. You can still use the “remember me” function on websites, storing a login cookie is a lot more secure than a non-secure password!

            That and I don’t really trust browser plugins to not accidentally leak my passwords. Copy/paste is a bit of separation between the online world and your offline storage. It’s a trade-off between security and convenience, and if you so wish you can make a different trade-off by installing a Keepass browser plugin.

      • Freon
      • 5 years ago

      Can’t recall who wrote it, but someone had coined the problem as, “fingerprints are usernames, not passwords”. I think I agree. You can’t change your fingerprint if it becomes known or copied.

      • humannn
      • 5 years ago

      Mythbusters did it, but only through great effort, the first step of which was obtaining an actual fingerprint from the victim. I’m not saying that’s impossible to do, but for that amount of work, I suspect only high-value targets need worry at the moment. It’s much more efficient to access a server and get 100,000 passwords in one shot than to slave away for days in the workshop to get just one.
