Password managers.

RichardCoulter · 03-08-2017, 17:06

After watching something about internet security, they advised upon getting a password manager.

How safe are these?

Is there any evidence of unscrupulous people using these in order to obtain passwords?

Can anyone recommend a good one?

What if the password manager itself gets hacked?

Thanks.

**Paul** · 03-08-2017, 19:13

I have been testing "Lastpass" for a couple of months, it seems to work ok.

pip08456 · 03-08-2017, 19:50

Quote:

Originally Posted by Paul M

I have been testing "Lastpass" for a couple of months, it seems to work ok.

I've been using LastPass for a few years now. They got hacked a couple of years ago but due the the encription no-ones passwords were comprimised.

All in all very happy with it.

Onramp · 03-08-2017, 19:51

I would never trust any password manager.

RichardCoulter · 03-08-2017, 20:27

Thanks for the replies everyone.

Why wouldn't you trust them Infamous, have you had a bad experience with one?

progers · 03-08-2017, 22:01

A lot of password managers store your details on a web server, although they might be encrypted, passwords can still be broken using brute force dictionary methods.

I use Steganos Password Manager which saves the files to your PC which, IMHO, makes it inherently safer

Onramp · 04-08-2017, 01:03

Something feels wrong about providing someone else with your passwords. It is a centralized, externally-managed, more-humans-involved-than-just-you point of failure, which if not accidentally mishandled, could otherwise be deliberately misused.

SnoopZ · 04-08-2017, 02:15

Last Pass is awesome, i use it on a PC.

RichardCoulter · 04-08-2017, 14:09

Quote:

Originally Posted by RichardCoulter

Thanks for the replies everyone.

Why wouldn't you trust them Onramp, have you had a bad experience with one?

Corrected (spellcheck).

v0id · 04-08-2017, 15:32

Quote:

Originally Posted by SnoopZ

Last Pass is awesome, i use it on a PC.

I use it on both PC and mobile, since you no longer need premium to do so

Hom3r · 04-08-2017, 15:37

I use lastpass on my mobile, which requires my fingerprint.

TBH in your own home you could just write them down

**Paul** · 04-08-2017, 20:27

Quote:

Originally Posted by Hom3r

TBH in your own home you could just write them down

Lastpass auto fills them, and auto logs you in.

Qtx · 05-08-2017, 18:30

Quote:

Originally Posted by pip08456

I've been using LastPass for a few years now. They got hacked a couple of years ago but due the the encription no-ones passwords were comprimised.

They got hacked at one point and encrypted passwords stolen. That was probably less of an issue than:

1) the problems with their browser extensions (which fill in the passwords for you) that actually meant anyone running a website could completely pwn your computer. Remote code execution.

2) again an extension/addon issue which allowed any website to read your unencrypted password for any site they wanted. Basically it tricked the addon in to thinking you was on the site the password was for.

Both extremely bad issues and as with ANY software, it's unknown if there are other issues waiting to be found.

In reply to original poster....TL;DR Use Lastpass or Keepass2/KeepassX. Lastpass has prettiest interface and less hassle auto password entry. Keepass has not such a great interface and the way it inputs passwords is a bit of a hack on windows if I remember rightly. might not be everyones cup of tea. Keepass you can keep locally off the cloud if you want or sync to something like dropbox or manually if you want to use the passwords elsewhere too. Ignore 1Password.

At least having different passwords for different sites is a good start but you should let the password manager generate a secure password for you.
I'm paranoid through 'being involved in security' and penetrated enough systems and decrypted enough databases which has scared me enough to never want to store anything on the cloud, so would never use Lastpass, but for the average person it's an ok choice. I would recommend it to family as an easy choice, if I had not set them up other options.

Saying all that about LastPass...the other password managers, especially ones where your passwords are stored locally on your computer have another issues. Once you enter your master password to decrypt your password database, the decrypted passwords are in memory. Even though some try and make it difficult to just read the passwords straight from memory, it can be done and there are public/private tools to do so.

You already need to be infected by something to do that though. Whereas RAT's or traditional malware may have keyloggers or read your browser when you login to get passwords for the sites you visit, having a password manager open could potentially mean someone could read the memory and get ALL your passwords, even for sites you have not visited since infection. The chances of this happening are slim. Unless you are a journalist or something that the NSA/GCHQ's of the world are targeting, you shouldn't really worry. A determined hacker targeting you for whatever reason and is aware enough to read the process's, spot the password manager and then know about the tools to read the memory, is possible but again slim.

There is more of a chance that the sites you visit will get compromised and your username/passwords stolen from those, than your password manager.

Matthew · 06-08-2017, 07:41

I use Last Pass and even bought the next one up so I can use it with the app on my mobile. Yes there is some risk with it all but its mainly forums and other none important sites I have on there, all the important ones either have a different password I know or I use 2 factor like I do to even access my last pass.

heero_yuy · 06-08-2017, 10:24

I use the manager that's built into Firefox. The passwords are stored locally and can be protected with a master password.

I've not heard that it's ever been compromised but anything is possible.