Password Managers...

RD Mercer said:

I have some friends that won’t even use online banking, because they are worried about it.

Click to expand...

Even if you have no online exposure, there have still been a lot of companies, public utilities, and even government agencies that were hacked or had ransomware attacks. Your bank could be attacked and even if they are "backed up", it could still cause a disruption. Anything is possible and may or not be likely, but the posts in this thread are very helpful for us to assess our own needs.

One thing brought up was that most people are fairly careful with their financial passwords but sometimes not as careful with others. It is just as important to protect your email password as it could be used to reset many passwords.

Hollywood said:

Your bank could be attacked and even if they are "backed up", it could still cause a disruption.

Click to expand...

Not to mention that with an online account, the user can quickly check all info and even receive notifications. Without an account, he is oblivious to what is going on and by the time he checks at the bank or receives a written notification, his account can be empty.

TairikuOkami said:

Not to mention that with an online account, the user can quickly check all info and even receive notifications. Without an account, he is oblivious to what is going on and by the time he checks at the bank or receives a written notification, his account can be empty.

Click to expand...

I agree. Online has more advantages then possible fraud. I am fairly careful with my computer but I hope that if there was a widespread vulnerability I would hear about it and maybe it be patched before I was a victim. ....hopefully :)

RD Mercer said:

I have some friends that won’t even use online/phone app banking, because they are worried about it. I use both, because if there’s a withdrawal over $25, or credit card charges over $25.00 my bank shoots me a text immediately. Whereas if you don’t bank online, you have to depend on your bank to call you, or wait till you get your next statement at the end of the month to see if anyone is hacked your account.

Click to expand...

I have my credit cards setup the same way.

Devlin1888 said:

Im no one and im really not that exciting :) Who wants my crap xD

Click to expand...

Most people are like that. Yet they still have contributions to make and corporations, hackers and intelligence love it.

The-Hive said:

I think it is quite easy to get paranoid about security I got a good enough for me system without going overboard

Click to expand...

It is also quite easy to call precautions as paranoia, and taking those isn't going overboard. There are ample examples of how corporations have abused the data they have collected with absolute zero respect for people's privacy.

Corporations care only for their profitability and follow certain practices only to comply with law, and not to respect user privacy. A classic example in recent times is Johnson & Johnson. This company was fully aware of the risks that their products carried, yet they continued selling them despite the fact that the target market primarily comprised babies. What kind of an evil company is that?

This isn't the 1st company in history to do that. There is enough documentation on how tobacco companies did a similar thing (they still do) despite their internal documents clearly pointing towards the health risks their products presented. Not everyone who smokes gets cancer. But would you call someone advising against smoking as paranoid? Or those advising against smoking as going overboard?

markw51 said:

Which banks force you to change passwords? Here in the UK the banks I use certainly don't force me to change passwords, they don't even suggest I change them after a certain period of time!! I guess a password, ID number, memorable phrase and biometric login is good enough for them...

Click to expand...

The banks you use or even the entire banking system in the UK is just a fraction of the global banking industry. So it is neither a representative sample nor a benchmark for others to follow. To think that the methods adopted by these banks can be extrapolated to the whole banking industry is another example of a blind assumption.

Fortitude said:

What changed your mind?

Keepass 2 is perfectly fine for my needs. I don't want to be paranoid. Otherwise I would question whether my browser is spying on me, whether my ISP is listening in, whether the end to end encryption is what it's said to be, whether a hacker at the other end is reading my password etc. etc.

Click to expand...

You would be better placed for your own safety if you do than assuming they are all as safe as they claim to be.

Somehow I doubt that a password manager will help with login security and covid I use it only for the former :)

I use a password manager, specifically LastPass. I have the family plan and everybody (wife, son, daughter) is using it. I'm quite comfortable with it as they don't actually store my password, but rather they store a hash of the password that requires my email address an my master password to decrypt it and that happens locally on my machine.

Biggest advantage here for me, is that wife and I can have emergency access to either others valuts, so in the event that something happens to either one of us, we have a fighting chance of dealing with shutting down accounts, bills, credit cards, etc....Just one less thing to have to fight when you have lost a spouse.

We let it generate secure passwords for site, so honestly I don't really know what any of my password are anymore And I try to use MFA in as many places as I possibly can.

@pparks1 That is all good, but LastPass or most other password managers have an online account for you in their system. You supply your userid and master password (the same one used for local access) to get into that site. This is one method of getting into your vault.

Any competent online system will have your password stored in encrypted/hashed format that makes them "virtually" impossible to decrypted. There have been reports of incompetent system, even some large organizations, storing passwords in plain text, but I have never heard of a password manager doing this. I am comfortable with my master password being stored on their system.

Quandary said:

@pparks1 That is all good, but LastPass or most other password managers have an online account for you in their system. You supply your userid and master password (the same one used for local access) to get into that site. This is one method of getting into your vault.

Any competent online system will have your password stored in encrypted/hashed format that makes them "virtually" impossible to decrypted. There have been reports of incompetent system, even some large organizations, storing passwords in plain text, but I have never heard of a password manager doing this. I am comfortable with my master password being stored on their system.

Click to expand...

Of course, lastpass has an account for me on their system. Let's say my username is bob@bobross.com. And my password is happylittlebushes^gr3@t. When I setup an account with lastpass.com, I enter in the email that I want to use, and I enter in that password above as my master password. Locally on my computer, the email address, along with the master password are used to generate an authentication hash which is what gets sent to LastPass. So, in my example, my authentication hash might be ( rew8-qr-13refw0a78-32i09r-0fdsa jsakhpiqfhk;jgt42eh98fdsIOd;hf3213#9289redsFui92u4395riadsckdlfjasdfpsdF).

So, a nefarious hacker breaks into the systems at LastPass and they find an account for bob@bobross.com. Bingo, now let's grab his master password and we will know all of his painting secrets. Well, last pass doesn't store his password, the only thing you are going to find is the following hash , rew8-qr-13refw0a78-32i09r-0fdsa jsakhpiqfhk;jgt42eh98fdsIOd;hf3213#9289redsFui92u4395riadsckdlfjasdfpsdF. That hash isn't going to work at the logon prompt.

The only thing that LastPass is storing is encrypted data. They don't have the encryption keys used to encrypt or decrypt your data. Those are only used locally on your computer.

The bigger threat would be somebody hacking into your laptop and installing a key logger or taking over your webcam to record the keystrokes of your email address and your master password. These are the people who may gain access to your vault.

If you want to test the system, have somebody change your lastpass master password to something you don't know. Then call LastPass and beg and plead with them to change your password on your site so that you can get your data back. If you find somebody who can do it, let us know.

LastPass have had a few security incidents over the years...

pparks1 said:

The only thing that LastPass is storing is encrypted data. They don't have the encryption keys used to encrypt or decrypt your data. Those are only used locally on your computer.

Click to expand...

If everything is done locally, can you explain how the same master password works on multiple devices?

pparks1 said:

The bigger threat would be somebody hacking into your laptop and installing a key logger or taking over your webcam to record the keystrokes of your email address and your master password. These are the people who may gain access to your vault.

Click to expand...

How can the webcam capture keystrokes? During normal use of any laptop, the keyboard is never within the field of view of that camera.

pparks1 said:

If you want to test the system, have somebody change your lastpass master password to something you don't know. Then call LastPass and beg and plead with them to change your password on your site so that you can get your data back. If you find somebody who can do it, let us know.

Click to expand...

That doesn't mean much. It could just be a policy decision.

TheMystic said:

If everything is done locally, can you explain how the same master password works on multiple devices?

How can the webcam capture keystrokes? During normal use of any laptop, the keyboard is never within the field of view of that camera.

That doesn't mean much. It could just be a policy decision.

Click to expand...

Sure, when you visit the website, you are given the page and the method used for hashing your username and your master password is defined. You enter both pieces of information, it runs it through the hashing algorithm and the current answer will be derived. That hash is then sent via SSL to last pass who then verifies your hash against what they have stored for you. If the authentication hashes match, they assume you are who you say you are and they present you the data they have (encrypted) and when it gets to your local machine, with your decryption keys you are able to see it, use it and modify it. When done, it's re-encrypted and then sent back to Last Pass in an ecnrypted state.

Webcam was just a crazy example what people should worry more about. Most webcams won't show the keyboard. But a stand alone webcam on top of a monitor pointed at a strange angle, could.

It's not a policy decision. They could set your password to whatever they wanted. But YOU would have to get lucky enough to pick a username and a master password that hashed corrected to be the exact value they entered for it to work. Good luck.

trevo said:

LastPass have had a few security incidents over the years...

LastPass users warned their master passwords are compromised

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

www.bleepingcomputer.com

Click to expand...

That is what was reported, but do you have an explanation on how (not just speculation)? It is not clear from the posting where the point of failure was.

pparks1 said:

Of course, lastpass has an account for me on their system. <snip>

Click to expand...

That is exactly what I was saying, just a shorted version. :)

Quandary said:

That is what was reported, but do you have an explanation on how (not just speculation)? It is not clear from the posting where the point of failure was.

Click to expand...

No I don't, I'm no expert...my point in posting was so that any LastPass users who were unaware of the several security incidents could investigate for themselves.
As I posted earlier, Keepass offline is my password solution.

pparks1 said:

If you want to test the system, have somebody change your lastpass master password to something you don't know. Then call LastPass and beg and plead with them to change your password on your site so that you can get your data back. If you find somebody who can do it, let us know.

Click to expand...

I would think that they would tell you that you have to go online and click on the I forgot my password and enter the info asked for. They also might be able to give you a temporary password by asking for your username, email address and if provided, answers to your security questions. I had to go through something like that when my cellular phone account got hacked.

Winuser said:

I would think that they would tell you that you have to go online and click on the I forgot my password and enter the info asked for. They also might be able to give you a temporary password by asking for your username, email address and if provided, answers to your security questions. I had to go through something like that when my cellular phone account got hacked.

Click to expand...

According to what he says and what Lastpass website claims, there is no way to recover the vault if you forget the master password. It doesn't work like how your email works.