Password managers

[Ken W]

Quote:

Originally Posted by Paul

If you have a good password to start with, 2FA is just a waste of your time.

What is 2FA?

Quote:

Originally Posted by Ken W

What is 2FA?

Two Factor Authentication

https://www.csoonline.com/article/32...-it-works.html

[SnoopZ]

Quote:

Originally Posted by Ken W

What is 2FA?

What Hugh said.

Basically when I log in to last pass on my browser I get a popup on my phone that I can either authenticate with my finger print, if the mobile/tablet doesn't have a fingerprint reader it then gives me a code to enter on the browser, then all sites will log in with their relevant passwords when they're visited.

Basically I never need to remember my site passwords and they're all like dud5#6gkse@#%2 etc, you only need to remember the Lastpass master password.

[progers]

I use Keeper Password Manager, done so for two years now, tried all the popular ones like Lastpass and this is tops

[tweetiepooh]

Another thumbs up for LastPass. One feature I use is to share passwords with other users (children) but prevent them from seeing the password so they can login to sites but can't then share or play too much. I also generate a one time password sheet for each account and print that out incase master passwords are forgotten but I generally keep copies in my "vault".
LastPass (and others) can also fill in forms for you, I have a basic info one setup with name, address etc. It can save you time on some sites.
I use LastPass on Windows, Linux, iOS (iPhone) and mostly on Android. On computers it's the first thing I add to browsers as I need it to login to other sites to get other plugins working.
I don't have my main banking login in there and some sites require master password entry to get information.

[idi banashapan]

Quote:

Originally Posted by Paul

If you have a good password to start with, 2FA is just a waste of your time.

Any password can be cracked given enough time and people are still silly enough to fall for phishing emails where they will freely give away their passwords believing fake websites to be legit, or requests for credentials to be genuine. With a rise in distirbuted cracking of passwords like fitcrack, thousands of machines could be working on your password at the same time. I mean, there's even freely available code on Github to add to websites that utilise visitor's web browser CPU time to work on passwords whilst they visit a website. There are so many free and very easily obtainable packages out there to harvest or payload in order to gain passwords with you even knowing about it. Consider Kali for example, and the enormous array of abilities that package has, and it's all free.

2FA requires something you know (password) AND something you have (rotating code / smart card / et cetera). This means either one is absolutely useless without the other. If someone loses their password for any reason to someone outside of themselves, that 3rd party still cannot access the account. If the 3rd party steals your smartcard or gains access to your authenticator application, it means nothing without your known account credentials.

If it were a waste of time, people and businesses across the globe wouldn't bother implementing it. There is no doubt 2FA would have saved businesses millions, if not billions, of pounds over the years through fraud and cryptolocking attacks. Social engineering is rife and people are always the weakest link. Regardless of how 'safe' you think you password is, or how clever you think you are, a password by itself will never be as secure as one used in conjunction with 2FA.

Security is the leading concern and factor in the IT industry right now being driven forward and pushed. Think GDPR, ISO27001, CyberSecurity implementations and so on.

howsecureismypassword.net and other such sites are great for filling people with a false sense of security because a 'long' password looks like it will take so long to crack it will forever be safe. but;

1) I refer to my point on social engineering - people are so inquisitive, they put their actual passwords into these sites to see how long it might take to crack - they have just typed in their password! Who knows what such sites are doing with that data? Match that to an IP and cross reference a leaked access database from an infrastructure such as Google, Apple, MS, Facebook or whoever and the opportunity is there to match that IP to a user account name and then the password from that password checking site.

2) those sites give you an idea how long a basic desktop computer by itself might take to crack a password. they do not take into account GPU-based algorythm password cracking or the aformentioned distributed password cracking techniques. ANY everyday password could potentially be broken within hours depending on the methods employed.

Your passwords are most likely safe purely because you, as an individual, are not worth enough to waste time on it for another individual to target you directly. But when it's all being done automatically by machines, there's absolutely no favourtism at play and you are as vulnerable as the next guy or company.


If you have the option to use 2FA, use it. It's very quick to set up and very easy to use. And is WAY more secure than any password alone.

Totally agree - it’s very easy, and places like PayPal just sends an authentication code to your mobile (at no cost to you), which you then enter.

It takes around 30 seconds.

You can agree all you want, I dont.

... and yes, I find this sending of codes that banks now do, very very irritating, and a waste of my time.

[idi banashapan]

Quote:

Originally Posted by Paul

You can agree all you want, I dont.

... and yes, I find this sending of codes that banks now do, very very irritating, and a waste of my time.

You don’t have to agree. But facts remain facts. They don’t rely on what people believe in, agree with, have faith in, what they feel about something or what they think is ‘true’.

2FA / MFA is far safer than any password alone. Whatever your password is, if you add 2FA to it, your account will be far more secure.

Building a 20ft high, 2ft thick concrete wall, with barbed wire on top all around my house will make it safer and more secure from burglers, that still doesnt make it necessary, or not a waste of time/money doing so.

[idi banashapan]

2FA is free and keeps safe your accounts, which in turn reduces the risk of identity fraud, theft from online resources and protects those who may be listed as contacts or associates in those accounts.

For example, if your email account is compromised, someone could send your friends and family phishing emails from your account and defraud them of money or belongings. In turn, their accounts could also be compromised and so the cycle continues as it has been for many many years. By not using 2FA, these criminals will continue to prosper and people you know will continue to lose out. Not protecting yourself online actually goes a long way to not protecting others.

A 20ft high, 2ft thick concrete wall with barbed wire is absolutely necessary if you have something to protect and keep safe. A prison needs these things in order to keep the contents in and the public safe. Same thought process applies to 2FA - it keeps your contents safe and protects other people from being the next step after your accounts are compromised.

If everyone used 2FA, there would be a huge reduction is scam emails, phishing and fraud. Not using it is doing nothing more than enabling the people that commit these crimes because you’ve made their goals not only possible, but on the whole, pretty easy.

Facts remain facts, no matter what analogy you try to use against them

If this ... If that ... If the other.

Quote:

Originally Posted by idi banashapan

A 20ft high, 2ft thick concrete wall with barbed wire is absolutely necessary if you have something to protect and keep safe.

No, it isnt.

Quote:

Originally Posted by idi banashapan

If everyone used 2FA, there would be a huge reduction is scam emails, phishing

Speculation, not a fact.
Banks and now Paypal force annoying 2FA on me, do I get less/no spam emails trying to phish my login ? (The answer is No).

It would be more secure not to have online banking at all.
Just becasue something is more secure does not make it necessary.

[idi banashapan]

Quote:

Originally Posted by Paul

No, it isnt.

If you value it enough, it is. The protection needs to be proportionate. Your identity in this day and age (online) should be valued. If not for your own sake and protection, then for that of others. World famous art museums will be better protected than your local corner shop. Why? because the content is more valuable. The protection for both will be proportionate to what is being protected.

2FA is free, quick and simple. I'm not sure I completely understand why you are so against it if it is there for your own benefit at no cost to you. I'd like to understand as I might be able to help you here.

Quote:

Originally Posted by Paul

Speculation, not a fact.
Banks and now Paypal force annoying 2FA on me, do I get less/no spam emails trying to phish my login ? (The answer is No).

Correct - there is no reduction in these at this time because not everyone is using 2FA (as per yourself and many others). This means the shotgunning tactics used by scammers via email will still hit a large number of people (which doesn't even need to be a high proportion of those using a service to be a lot of people), whom are still susceptible and open to falling foul of their efforts to gain access to their accounts. If you read again what I wrote, I did stipulate if everyone used 2FA, there would be a reduction. If there was zero chance of being able to compromise an account with a password alone, there would be no point in trying to get people's password.

Using your home protection analogy, if the house was completely empty (and we remove any desire for the property itself), then there would be no point in spending time on protecting it. But placing little or no value on your own identity, accounts and anything that is associated to that is not sensible thing. People can easily profit at your expense by using you or your identity as a product or catalyst to gain further assets for themselves.

Quote:

Originally Posted by Paul

It would be more secure not to have online banking at all.
Just becasue something is more secure does not make it necessary.

If we go back to your analogy about a 20ft wall around your house to protect it, well if you don't want to be burgled, don't live in a building. now that comment seems a little ridiculous because, well... it is. much like your comment about not banking online.

Banking online, like it or not, is here and it is here to stay. it is one of the reasons 2FA / MFA came into existence - to protect it. and it does a bloody good job of it. Remember, it means you need to know something AND have something in your possession to then access your account. So like it or not, 2FA is also here to stay, and that is a good thing. It means we as people, our accounts, identities and our assets are more protected than otherwise they would be.

I hope that all makes sense - forgive me if it doesn't, I will be happy to explain again in other ways.

The bottom line is that no matter what you think of it, 2FA is crucial in this day and age for the information that can be accessed online. It really is that simple. Without 2FA, a lot of systems and service available to us simply would not be able to exist in the form they do presently without a legitimate risk of losing an awful lot - be that information, fiscal assets or whatever. It's because people and companies have lost so much on the past that 2FA came about and it's a very good thing it did.

2FA is not your enemy. it's not going to give away your secrets or sell you out to third parties. That's the job of Facebook et al. 2FA is solely there to protect those individuals and groups that use it. Right now, it is not compulsory to do so. But it may be in the future - it prevents a lot of insurance pay outs because nothing gets stolen in the first place when it is employed. And as we all know, the fiscal world tends to dictate quite a lot, the nature of development within technology.

You should be a salesman.

You can post long arguments all day if you want, but you wont change my opinion.

Its an unnecessary pain I dont need, and a waste of my time, having to dig out a bloody phone everytime I wont to login to something (and just to rub it in, get timed out after a few minutes).

You are obviously one of those who thinks everyone lives their life tied to a smart phone.

I dont (nor do I even have one).

Im not going to waste any more time on it, you think its great, I dont.

This topic is about Password Managers, so back to the subject.

[Ken W]

Must say that I thanks for the password managers suggestions was very helpful