Talk to me about password managers


  • Discourse touched me in a no-no place

    So I guess I should be a grown up adult and probably not use the same set of 3 passwords for every damned thing.

    What password management tool doesn't suck shit?


  • mod

    @Weng I like LastPass. It's got good browser extensions and an Android app that make it so I rarely have to think about pros or cons of password management. I used KeePass until I moved to a new phone and it broke my password file, which is when I realized I never want to worry about where my password file is kept, what format it's in, or how it's persisted into the cloud exactly. So that's my use case.

    If your use case is more "Doesn't trust cloud storage", use KeePass instead.


  • Winner of the 2016 Presidential Election

    @Weng KeePass is pretty good, and it works on Android as well. It also lets you store encrypted additional fields, so you can store extras like the answers to "security" questions.

    The (encrypted) backing database is a file somewhere you specify, so it's up to you to manage backup and distribution.


  • mod

    @Dreikin said in Talk to me about password managers:

    It also lets you store encrypted additional fields

    LastPass has this as well. And things like "secure notes", which are unrelated to any given site, and server passwords and private keys.



  • I'm not convinced password managers add much security over 2FA, or that the added security outweighs not actually knowing my passwords. Can someone set me straight?


  • Winner of the 2016 Presidential Election

    @LB_ said in Talk to me about password managers:

    I'm not convinced password managers add much security over 2FA, or that the added security outweighs not actually knowing my passwords. Can someone set me straight?

    The best reason is that it makes it a lot easier to use different passwords on different sites (many of which won't offer 2FA), thus giving you some protection from having your Tumblr/MySpace/LinkedIn password used to drain your bank account via PayPal via TeamViewer, for example.


  • Discourse touched me in a no-no place

    @LB_ Given virtually 100% of everything I touch doesn't support 2FA (and 90% of it doesn't even support pretend-2FA), relying on 2FA is a bad idea.



  • @Dreikin LinkedIn and PayPal both support 2FA though.

    @Weng I agree it would be a good idea to use strong passwords (via password manager) for accounts without 2FA, but I don't have any such accounts worth the effort.


  • :belt_onion:

    I remain a fan of Password Safe - its autotype feature works with pretty much any non-admin program and there are currently no 2 major versions around like with KeePass, making database compatibility a non-concern.


  • Winner of the 2016 Presidential Election

    @LB_ said in Talk to me about password managers:

    but I don't have any such accounts worth the effort.

    This brings to mind another benefit: if an account is compromised, you know which ones you need to change.


  • area_pol

    @LB_ They protect you against forgetting the passwords.



  • @Adynathos But they create the possibility of losing all passwords at once.



  • @Weng I like KeePass, with the authoritative copy of the password database kept on Dropbox.

    I like this arrangement because Dropbox sprays copies of everything it syncs onto every device I connect to it, as well as doing its own versioning; so I get all the benefit of a cloud-managed database plus the knowledge that even if Dropbox went tits-up tomorrow, I'd still have access to multiple copies of my password database.

    I also have an Elago Nano μSD card reader attached to my car keys, containing a μSD card with (among other things) a copy of my password DB and the portable KeePass executable required to open it. That one's not super-important to keep up to date - as long as it has my current Dropbox password, I can bootstrap from it.

    There are KeePass ports available for both Android and iOS. KeePassDroid and the Android Dropbox client integrate nicely once you're past the initial fiddliness of finding where Dropbox's local cache lives in the Android filesystem.

    I use KeePass 1.x because it (and its ports) are smaller and launch faster than the .Net-based 2.x on every platform I use, and I have never felt any need for any of the extensive plugin features that 2.x supports. The developer has said explicitly that 2.x is an alternative to 1.x but does not in any way supersede it, and so far his history of update releases tends to support that claim.

    KeePass is at least as much a bookmarks manager as a password store for me. Without needing any browser extensions installed, you can double-click on a URL in its database view and it will open that web page in your default browser.

    I also don't bother with any of the various extensions that are available to integrate KeePass into the browsers' native password storage facilities. For me, the workflow of double-click a URL in KeePass, then do whatever clickery the site's login page needs to prepare for credentials to be typed into it, then Alt-Tab Ctrl-V is plenty smooth enough.

    KeePass has a global hotkey feature that theoretically lets you skip the Alt-Tab keystroke. I've never bothered setting it.

    I like KeePass's templating feature for password generation, which is a feature I miss when I'm using the db-compatible KeePassX on non-Windows boxes.

    It might not be the slickest-looking, most-tightly-integrated password manager in existence, but it certainly sucks no shit. Like any of these tools, the first few weeks of using it will require you to grit your teeth and push through the annoyance of the unfamiliar workflow, but once you've got more than a few tens of sets of credentials saved in it you'll wonder why adopting it took you so long.



  • @Yamikuronue said in Talk to me about password managers:

    @Dreikin said in Talk to me about password managers:

    It also lets you store encrypted additional fields

    LastPass has this as well. And things like "secure notes", which are unrelated to any given site, and server passwords and private keys.

    Forgot to mention: as well as free-form text notes (good for stuff like credit card details), KeePass lets you attach a file to a password entry, so you can use it for completely general purpose encrypted storage of anything. Not sure about the performance on large files. KeePass 1.x allows only one attachment per entry - not sure if this restriction is lifted in KeePass 2.x but the only time it ever bothered me I just attached a 7z archive (password protected of course, using the KeePass entry it's attached to to store its password).



  • @LB_ said in Talk to me about password managers:

    I'm not convinced password managers add much security over 2FA, or that the added security outweighs not actually knowing my passwords. Can someone set me straight?

    I'm not convinced 2FA adds much security over password managers, or that the added security outweighs needing to fiddle with an extra device on every logon. Can someone set me straight?

    Seriously though: not knowing your passwords is a feature, not a bug. In 2016, fitting more than one secure-enough password into a human brain involves working way too hard. Just take the three passwords you're currently using for everything, jam them together endwise, and use the result as a KeePass master password.



  • @LB_ said in Talk to me about password managers:

    I don't have any such accounts worth the effort.

    I used to think that way as well, before I started using a password manager. Now that I do, I have absolutely no reason at all to use a weak password anywhere ever - and that feels oddly satisfying.


  • Winner of the 2016 Presidential Election

    @flabdablet said in Talk to me about password managers:

    KeePass 1.x

    My father, who used v1 as well, recently encountered weird encoding issues with passwords copied from KeePass on Windows 10. v2 didn't exhibit those issues. Therefore, I'd recommend everyone to use Keepass 2.x.



  • @Dreikin said in Talk to me about password managers:

    if an account is compromised, you know which ones you need to change.

    And when my credit card expires, I just look in the "Has CC details" folder inside my KeePass to know exactly which organizations need those details updated.

    There's also a password expiry date reminder feature. I haven't used it myself, but it's there for those whose orgs are anal about that kind of thing.



  • @anonymous234 said in Talk to me about password managers:

    they create the possibility of losing all passwords at once.

    Yes they do. And that would hurt. It would hurt me a great deal, because I don't even know my email passwords; if I lose all copies of my KeePass database file, I'm boned.

    That's why I have many tens of copies scattered all over a whole bunch of disparate devices, only some of which are synced to Dropbox.


  • Winner of the 2016 Presidential Election

    @flabdablet said in Talk to me about password managers:

    @Dreikin said in Talk to me about password managers:

    if an account is compromised, you know which ones you need to change.

    And when my credit card expires, I just look in the "Has CC details" folder inside my KeePass to know exactly which organizations need those details updated.

    There's also a password expiry date reminder feature. I haven't used it myself, but it's there for those whose orgs are anal about that kind of thing.

    I'll have to remember to start doing that. It also reminds me of one not-quite-obvious use I have for KeePass: storing software keys. After all, they are a sort of password.



  • @asdf said in Talk to me about password managers:

    I'd recommend everyone to use Keepass 2.x.

    The non-Windows KeePassX project has recently released a version compatible with KeePass 2.x databases, as have most of the phone-based ports, so there's probably no downside to taking that advice at this point. KeePass 2.x will import a 1.x database, and if I do ever run into trouble with Windows 10 I expect switching would be almost painless.



  • @Dreikin said in Talk to me about password managers:

    storing software keys. After all, they are a sort of password.

    Using the URL field to store the download path for the installer executable works nicely too.



  • @flabdablet Wouldn't it make sense to use the same password for KeePass and for a single secure email account that all other services depend on? I mean they're both "root nodes" that all other accounts depend on so there's not much of a difference, and the probability of Google leaking your password is basically zero so there's not much risk that way.


  • :belt_onion:

    @flabdablet said in Talk to me about password managers:

    I used to think that way as well, before I started using a password manager. Now that I do, I have absolutely no reason at all to use a weak password anywhere ever - and that feels oddly satisfying.

    Until you meet one of those sites with a weak password policy due to FUBAR requirements.

    :trolleybus:


  • Winner of the 2016 Presidential Election

    @anonymous234 said in Talk to me about password managers:

    @flabdablet Wouldn't it make sense to use the same password for KeePass and for a single secure email account that all other services depend on? I mean they're both "root nodes" that all other accounts depend on so there's not much of a difference, and the probability of Google leaking your password is basically zero so there's not much risk that way.

    That's what I do. LastPass and my primary Gmail account use the same password, which also is the only one I remember. Everything else is in LastPass.


  • Winner of the 2016 Presidential Election

    Also +1 for LastPass


  • Winner of the 2016 Presidential Election

    @anonymous234 said in Talk to me about password managers:

    same password for KeePass and for a single secure email account that all other services depend on

    I wouldn't do that, since one of the passwords is sent to a third party over the internet and may be intercepted/leaked if there are security issues or if new 0-days are found. You should remember two different passwords, one of which you only use locally for your password database.



  • @asdf said in Talk to me about password managers:

    @anonymous234 said in Talk to me about password managers:

    same password for KeePass and for a single secure email account that all other services depend on

    I wouldn't do that, since one of the passwords is sent to a third party over the internet and may be intercepted/leaked if there are security issues or if new 0-days are found. You should remember two different passwords, one of which you only use locally for your password database.

    If there's a vulnerability in TLS that causes my email password to be grabbed by hackers, what makes you think that:

    • They will have access to my password database which is local and not accessible over the internet
    • They won't have access to all the other passwords sent over TLS


  • @flabdablet said in Talk to me about password managers:

    Just take the three passwords you're currently using for everything, jam them together endwise, and use the result as a KeePass master password.

    Noooo......

    You know what's coming.

    Diceware!

    True RNG implemented in common hardware! Remember long, secure passwords with ease!

    Err.. site looks broken right now, check back later.



  • @ben_lubar said in Talk to me about password managers:

    vulnerability in TLS

    Are we talking about that? I thought we were talking about Google's servers being cracked or there being an inside job, both of which seem more likely to me. Anyway:

    @ben_lubar said in Talk to me about password managers:

    They will have access to my password database

    Only if the TLS vulnerability allows local code execution on the client, which while unlikely isn't unpossible.

    @ben_lubar said in Talk to me about password managers:

    They won't have access to all the other passwords sent over TLS

    They will have potential access only to those passwords you send over vulnerable channels during the window of vulnerability, while the rest of your passwords remain safe.



  • @another_sam said in Talk to me about password managers:

    Google's servers being cracked or there being an inside job

    If Google wanted to turn Chrome into a keylogger/password sniffer, they could definitely steal all my passwords. I just have to trust that Google won't do that. If Google does something evil or one of the many centralized code repository hosts disappears, the whole world comes tumbling down.



  • @flabdablet said in Talk to me about password managers:

    The non-Windows KeePassX project

    Huh? Why does it have a Windows binary download then?




  • Bad wording on my part. KeePassX has long been the most prominent of the KeePass clones for non-Windows environments. And yes there's a Windows build available, but if I recall correctly the KeePassX dev suggests using KeePass instead on that platform.

    I haven't used KeePassX 2 yet, so I can't speak to the quality of its Windows version, but I would be surprised to find that it's as good as KeePass 2.x.

    KeePass 2.x is a .Net application and it works on Mono, so you can run it on non-Windows platforms. I was completely unimpressed by the experience when I took it for a test drive on Linux; like anything Mono that includes a file picker, it feels really fish-out-of-water away from Windows. Plus .Net and Mono are both huge runtimes and apps that use them are obnoxiously slow to launch.


  • :belt_onion:

    I use 1Password. Maybe I have more money than sense, but it does the job for me. Syncs using Dropbox (my only use of such). MacOS with an Android fallback, did Windows before I gave up on using Windows.



  • @anonymous234 said in Talk to me about password managers:

    Wouldn't it make sense to use the same password for KeePass and for a single secure email account that all other services depend on?

    Not really, for me. I have so many passwords saved in my KeePass that remembering what I have passwords for would fail without it; total loss of my KeePass db is therefore unacceptable and I go to some lengths to prevent it. Given that I can be reasonably confident that I never will experience total KeePass db loss, privileging one particular email account above others doesn't really appeal.



  • @Weng One more cute KeePass feature I forgot to mention: it's not inherently tied to the Web. The URLs you store in it can use cmd:// as a pseudo-protocol, giving KeePass the ability to launch literally anything else with a double-click. You can put {USERNAME} and {PASSWORD} placeholders inside the command lines, or use the same auto-type feature you'd use with a browser to enter credentials into whatever you launch. Handy for launching RDP sessions, chess clients etc.


  • mod

    @flabdablet said in Talk to me about password managers:

    KeePass the ability to launch literally anything else with a double-click

    LastPass has a desktop app that supposedly can fill desktop applications, but it's been hit-or-miss for me. So that's a point in KeePass' favor.


  • Winner of the 2016 Presidential Election

    I've just started using KeePass, since the last discussion about it on here. I have the database backed up on OneDrive, and downloaded on my computer, phone and tablet.

    I should have installed the app on my tablet before generating a new Google password. I now have to get around to getting the password off another device and typing it in so I can get to the Play Store.


  • mod

    @Jaloopa I don't keep my google password in LastPass and...... I can never change it again. It's too damn painful trying to figure out how to synchronize password changes when I have 2FA and the second factor is an Android phone authenticated by the same password I just changed.



  • @Jaloopa For generating mail account passwords that you might need to type on a touchscreen keyboard at some point (like the Dropbox or Onedrive password you'd need to bootstrap KeePass on a new device), have a look at KeePass's password generation templates feature. If you tell it to use pattern-based generation, make the pattern lllll.lllll.lllll.lllll.lllll (those are lowercase ells, short for "letter") and save that as a template called "touchscreen friendly", it makes passwords like fxwze.afqsy.nslio.dfezp.zvuzf that are hella strong but super easy to transcribe.
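    As an added illustration of the two generation schemes mentioned in this thread (the Diceware passphrases suggested earlier and the KeePass pattern template "lllll.lllll.lllll.lllll.lllll" above), here is a small Python generator that is not KeePass's or Diceware's own code. It assumes a reduced pattern syntax (only "l" for lowercase letter, "d" for digit and literal separators), uses a constructed eight-word stand-in for a real Diceware list (which has 7776 words), and reports the entropy of each scheme so the "hella strong" claim can be checked rather than taken on faith.

```python
"""Added example, not KeePass's or Diceware's code: generate transcribable
passwords two ways and compute how much entropy each scheme carries.

Assumptions: pattern syntax is reduced to 'l' (lowercase letter), 'd' (digit)
and literal characters; SAMPLE_WORDS is a constructed stand-in for a real
Diceware list, which has 6**5 = 7776 words."""
import math
import secrets
import string
from typing import Sequence

LOWER = string.ascii_lowercase
DIGITS = string.digits

# The template quoted in the thread: five groups of five lowercase letters.
TOUCHSCREEN_PATTERN = "lllll.lllll.lllll.lllll.lllll"

# Constructed stand-in word list (a real Diceware list has 7776 entries).
SAMPLE_WORDS = ["apple", "brick", "cloud", "dwarf", "eagle", "flint", "grape", "harp"]
DICEWARE_LIST_SIZE = 6 ** 5


def pattern_password(pattern: str = TOUCHSCREEN_PATTERN) -> str:
    """Expand a KeePass-style pattern with a CSPRNG: 'l' -> random lowercase
    letter, 'd' -> random digit, anything else copied literally."""
    out = []
    for ch in pattern:
        if ch == "l":
            out.append(secrets.choice(LOWER))
        elif ch == "d":
            out.append(secrets.choice(DIGITS))
        else:
            out.append(ch)  # literal separator such as '.'
    return "".join(out)


def pattern_entropy_bits(pattern: str = TOUCHSCREEN_PATTERN) -> float:
    """Entropy is the sum over random positions of log2(alphabet size);
    literal characters contribute nothing because they are fixed."""
    bits = 0.0
    for ch in pattern:
        if ch == "l":
            bits += math.log2(len(LOWER))
        elif ch == "d":
            bits += math.log2(len(DIGITS))
    return bits


def diceware_passphrase(words: Sequence[str], n_words: int) -> str:
    """Pick n_words uniformly at random from the list (secrets.choice replaces
    physical dice; the selection is uniform either way)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def diceware_entropy_bits(list_size: int, n_words: int) -> float:
    """Each word is one of list_size equally likely choices."""
    return n_words * math.log2(list_size)


def meets_bar(bits: float, minimum_bits: float = 80.0) -> bool:
    """Simple policy check: does the scheme clear a chosen entropy floor?"""
    return bits >= minimum_bits


if __name__ == "__main__":
    print(pattern_password(), f"{pattern_entropy_bits():.1f} bits")
    print(diceware_passphrase(SAMPLE_WORDS, 6),
          f"{diceware_entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits with a full list")
```

    The point of reporting entropy rather than length: the 29-character pattern above carries 25 random letters, so its strength comes from 25 * log2(26) bits, and a six-word Diceware phrase from a full 7776-word list lands in the same region. Either comfortably exceeds what a three-passwords-jammed-together master password gives you, and both are far easier to type on a phone or TV remote than a random string of mixed symbols.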


  • Winner of the 2016 Presidential Election

    @Yamikuronue said in Talk to me about password managers:

    It's too damn painful trying to figure out how to synchronize password changes when I have 2FA and the second factor is an Android phone authenticated by the same password I just changed

    QFT. I kept getting "sorry, an error has occurred, please try again later" after entering the Authenticator code and sometimes after entering the password. I ended up getting it sent via SMS (second try. First time also gave me "an error has occurred").

    @flabdablet said in Talk to me about password managers:

    passwords that you might need to type on a touchscreen keyboard at some point

    Or a smart TV. I'd just changed my Netflix password after getting an email saying there had been suspicious activity, so just loaded that in rather than generating one. It should be pretty secure and it is unique



  • My biggest concern with security is untrusted devices. Any public computer you use might have keyloggers or other types of spyware. So plugging your password file and typing your master password in there is not a good idea.

    I was thinking I could get around that by keeping the password manager on my (assumed to be secure) smartphone and transcribing the passwords by hand. Maybe passphrases would be easier to type? Or purely numeric sequences so I can type them in the numeric keypad?


    Then I started thinking about whether I should split my passwords in two files so if one gets leaked the other one will still be fine. But I realized that most people just go through life just fine using Password123 for everything, so by using a password manager I'll be an order of magnitude more secure than average, which is good enough.


  • Discourse touched me in a no-no place

    @anonymous234 said in Talk to me about password managers:

    Any public computer you use might have keyloggers or other types of spyware.

    So don't use those computers? Problem solved.



  • @anonymous234 said in Talk to me about password managers:

    Any public computer you use might have keyloggers or other types of spyware. So plugging your password file and typing your master password in logging into anything by any means whatsoever there is not a good idea.



  • @Yamikuronue said in Talk to me about password managers:

    It's too damn painful trying to figure out how to synchronize password changes when I have 2FA and the second factor is an Android phone authenticated by the same password I just changed.

    It just pops up an error notification that you tap to sign in again, and you can switch between the sign-in flow and the authenticator app of your choice to complete the sign-in. It is a bit awkward but it works perfectly fine in my experience, and I've done this for multiple mobile apps. (Though if you ever want to use a Chromebook like @ben_lubar and me, I recommend using a password you remember).

    @Jaloopa said in Talk to me about password managers:

    QFT.

    I guess not all Android devices are created equal :\

    @anonymous234 said in Talk to me about password managers:

    So plugging your password file and typing your master password in there is not a good idea.

    Indeed. 2FA doesn't really have this problem, though - in fact I believe Gabe Newell was so confident in Steam's 2FA that he gave out his username and password (which I would never do myself, of course).


    The one thing that would suddenly get me to start using a password manager no-questions-asked would be support for 2FA as part of the decryption process, but I don't really see how that can happen. I guess you could use a U2F like a YubiKey, but you are supposed to have two so that one acts as a backup if you lose your primary and that wouldn't really work for encryption+decryption.


  • mod

    @LB_ said in Talk to me about password managers:

    It is a bit awkward but it works perfectly fine in my experience, and I've done this for multiple mobile apps.

    I saw that popup you mentioned, but it took me hours to get the damn thing working last time I changed my password. My phone told me it needed my new password, but I couldn't put it in because of the 2FA. It was super annoying. I've got a Moto X, though, I'm sure it works better on the Nexus >.>



  • @LB_ said in Talk to me about password managers:

    The one thing that would suddenly get me to start using a password manager no-questions-asked would be support for 2FA as part of the decryption process, but I don't really see how that can happen.

    KeePass can do that. The thing you know is your master password, and the thing you have is some portable medium (preferably not one containing your KeePass db itself) containing a key file. The key file can be anything at all; a short text file containing a GUID would be a good choice.

    When you set up the encryption for your password database (which you can do on creation, or any time you have it open) you can specify access via password, or via key file, or via both. It can't do "via either", but you can work around that using an intermediate KeePass database.
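    To make the "password AND key file" point concrete, here is an added Python sketch of how two factors can be folded into a single composite key so that neither one alone opens the store. It is illustrative only, not KeePass's key schedule or file format (the real hashing of key files, the KDF and its parameters all differ); the ToyVault class, the 100,000 PBKDF2 iterations and the HMAC verifier are assumptions made for the example.

```python
"""Added example, not KeePass's code or format: combine a master password
and a key file into one composite key, then show that unlocking needs both.

Assumptions: composite = SHA-256(SHA-256(password) || SHA-256(keyfile)),
PBKDF2-HMAC-SHA256 with 100,000 iterations, and an HMAC verifier standing in
for a real encrypted database header. KeePass's actual construction differs."""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def make_key_file() -> bytes:
    """The key file can be anything; here it is 32 random bytes, which is
    about what a text file holding a GUID gives you in practice."""
    return secrets.token_bytes(32)


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Hash each present factor separately, then hash the concatenation.
    Omitting a factor changes the input, hence the key (assumed layout)."""
    if password is None and key_file is None:
        raise ValueError("at least one factor is required")
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def derive_db_key(composite: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow the composite key down with a salted KDF before use."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations)


class ToyVault:
    """Stand-in for an encrypted database: keeps a salt and an HMAC verifier,
    and unlocks only when the recomputed key reproduces that verifier."""

    def __init__(self, password: Optional[str], key_file: Optional[bytes]):
        self.salt = os.urandom(16)
        key = derive_db_key(composite_key(password, key_file), self.salt)
        self.verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()

    def unlock(self, password: Optional[str], key_file: Optional[bytes]) -> bool:
        try:
            key = derive_db_key(composite_key(password, key_file), self.salt)
        except ValueError:
            return False
        candidate = hmac.new(key, b"verifier", hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self.verifier)


if __name__ == "__main__":
    kf = make_key_file()
    vault = ToyVault("correct horse", kf)
    print("both factors:", vault.unlock("correct horse", kf))
    print("password only:", vault.unlock("correct horse", None))
    print("key file only:", vault.unlock(None, kf))
```

    Because the key file is hashed into the composite key, a copy of the database plus the master password is useless without the file, which is the behaviour the post describes. It also shows why there is no built-in "either" mode: the stored verifier corresponds to exactly one composite, so an either-or arrangement has to be built on top, as the post suggests, with an intermediate database whose own key is one factor and whose contents hold the other.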



  • @flabdablet I've heard about that, but that's not 2FA, that's just a second password. Can't it be copied, potentially without my knowledge? In fact if I want to avoid losing it I would have to copy it. I don't really find it feasible to have the benefits of both 2FA and encryption without a third-party service in the middle. (I'm not against storing my encrypted data with some provider like LastPass).

    In fact, it looks like LastPass supports 2FA and U2F. I'll have to do some reading...

    EDIT: Turns out U2F is not supported because they are waiting for more browsers than just Chrome to support it. So, only OTP is supported.



  • @LB_ said in Talk to me about password managers:

    Can't it be copied, potentially without my knowledge? In fact if I want to avoid losing it I would have to copy it.

    Nothing stopping you from keeping your key file on storage that is itself encrypted.

    If you want to be a :pendant: about it, any lossproof thing-you-have is equivalent to a second password, since it ultimately reduces to a thing-you-know (i.e. where to find a replacement).



    @Weng The only one I've ever used was KeePass, and only because it's on our default install at work, and I only use it for one password and the only reason it's there is because my boss was looking over my shoulder when I was setting up the VPN connection that required that password.

    KeePass indeed sucks shit.

