Are password managers really safe?
 

I’m skeptical. Should I really put my whole financial life in the hands of Lastpass or one of the others? What if they get hacked? I’d like easier on-line security, but I don’t like the idea of handing the keys over to someone else.

look at keepass. program runs local, but the file'o passwords, you can keep on for example a usb stick. if super paranoid, you can encrypt the usb stick ala veracrypt et al. have two sticks to prevent possble loss or failure. walla.

Esel Mann is on point. I wouldn't store my passwords "online".
I store mine in an app that runs locally. (I only use LINUX Mint at home)

But I've always wondered: What happens to your password when you use it to get into your account on a web page?
- And how are "they" storing your password and details?

As it turns out I was right to be paranoid. Massive data hacks are very common.

I use and recommend Dashlane (for iOS)

You mean that post it note with all my passwords is not a good idea?

That's probably better than what a lot of online vendors are using to secure their data. lol ;)

This...

Can you dumb this down for us dummies..?
I assume that's what Mr Mann did but would love further clarity if possible..

I moved from Lastpass to Bitwarden.

You can self host.

if you are not using 2F everywhere you can then you are just asking for trouble whether you use a password manager or not

I write the password on the underside of my desk.

Password managers that save a local file are password protected and allow you to store usernames, passwords and URL in a local file. The nice thing is you can cut and paste the username and passwords into websites, etc. So you never have to see the password.
They can also generate passwords for you.

I like Keepass but there a several others that are free and local.

Years ago I used an Excel spreadsheet with "password to open" set to store passwords etc.

Never had an issue.

I have a "system" and just memorize them. Though my memory is "sharp", it's really not that difficult imo. Though it's also imbedded in other characters in the PW, if you don't know the serial # from my bycycle I had over 50 years ago .... good luck ;).

That's just one example fwiw.... make a longish sentence that meets all the "PW criteria", and is easy to remember if that helps.

I used dynamic PWs back in my latter corporate daze (FOB changed it every minute), for system access, so I'm not lax about security.... I've never written one down, nor stored them .... anywhere.

I have a Reynolds Wrap cap too :D

I'll move as well.

And, I know this means I already have issues, but what is 2F?

TIA.

In a word, no.

Seems to me like asking the used car salesman what the car on his lot is really worth.

Doesn't everyone use their pet's name + 123? That's why you never answer facebook polls/questions. They are all geared to pry data.

I got an email from Amazon over the weekend, they stopped a login from IP in Taiwan on a rarely used account of mine. Said they had the password. I suspect it was a breach from a different account.

I’m guessing it’s when you enter a password and they send you a text with a one-time PIN. .

Whatever password manager you use, do your survivors a favor, write down what it is, and how to get into it, and put that in a safe, or big box of financials documents.

My nephew recently died unexpectedly at 34 years old. He has a full business, and the many accounts of a web based guru. His parents still can't get into his phone or many of the accounts. His bitcoins may be lost forever.

^^^^ Good advice Glen. I haven't finished doing this, among some other things. All the pertinent info, docs, etc. will be in my safe .... that no one knows the combination (right now). Worst case .... a locksmith would be called... and "they" know that's the current plan. I will fix that too.

Ducks .... still not in a row ... not yet :D.

Worked great until I named my dawg Password :D

Like Patrick said, it’s a rolling 6 digit code that is sent to your phone via text or you can use an authenticator app which is what i do.

I use Authy, when i need to access one of my accounts you do the user/pass then the site prompts for the code.

Pull up the account from my phone or watch and enter the code which refreshes every 30 seconds.

Thanks. I have got to get more up to speed on this stuff.

Lastpass has a delegate feature.

You assign an individual as your delegate and initially they have no access.

If something happens to you the delegate can request access.

If you do not acknowledge the request within a preset timeframe, 24, 48 hours the delegate is granted access.

When you say 2FA, make sure it is a good method. Some methods are easier to hack than the passwords which makes 2FA worthless.

Pretty sure at every level of technology with computers we've been told 'do this and it will keep you safe'. And thus far at every level of technology with computers that assurance has proven false. I guess now it's 'oh we goofed last time but NOW we have it right!'.

Sure.

My pet peeve with entering passwords is they all seem to think I have someone looking over my shoulder, so I just see ********* or dot or some useless information. Just show me what I type!

I have no one behind me, around me or near me when I enter the password. And some of them are long and complex for secure sites.

A password manager that fill in the blanks might well be the simplest solution.

+1 on that. It's really frustrating.

Shoulder surfers are like the guys with mirrors on their flip flops at the YMCA mens locker room. They are very real. So while the line of '*'s is a pain, it exists for a real reason. There are even folks out there that try to video you typing on your keyboard! That being said, many (not all) have an "eye" icon next to the box where you enter the password to permit you to see it for that one time when the coast is clear.

I still use a notebook here at home and since I rarely travel with a laptop I don't need to have it with me outside of the house.

So check out KeePassX: https://www.keepassx.org/ this will give you a good idea as to what it is about.
Cliff notes summary: It is a password manager program. It is used to access a file (database) which has all of one's passwords. The file is encrypted. The nicety is the file can be local (as in not up on the cloud) to you. For example, one could have the file on a USB stick. You can even put the password manager program as well on the USB stick. This way it is portable. Which is nice if for example you have a PC at home and say a laptop when you travel. Now the encryption on the file is very good, but only as good as one's choice of master password which is used to access the file.

These programs typically also have for each entry, an area for you to add additional notes. This additional notes feature is a MUST! The reason why is most sites in addition to your password force you to create 3 challenge questions/answers. With the additional notes feature you can (a) store the 3 challenge questions/answers, (b) create answers which are completely unrelated to the question. Said answers make it next to impossible for someone to figure out but also next to impossible to remember unless it is jotted down somewhere.

The mention for an identical second USB stick is simply for back up purposes because if for some reason a USB stick becomes unusable (which does happen) or becomes lost/stolen, the back-up will at least give you the ability to start over.

The mention for Veracrypt (or similar) is to add a second layer of security. Said program is used to encrypt entire USB sticks or even hard drives. That way if the USB stick is lost/stolen, it will be more difficult to get at whatever is on the USB stick. Like the password manager program a single master password is used to access the encrypted USB stick. So protection is only as good as one's choice of master password.

Thanks for that!

I have one more question. What is I need to access my passwords to use on with my iPhone?

Are you asking what applestore downloadable app to use with an iphone that is a password manager program?

If so, take a look see at https://keepassium.com/

Cursory look it appears to be KeepassXish but for iphones/tablets.