Password vaults are your most secure solution.
Some believe using password managers presents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.
Not so technically, I strongly believe they are misguided.
Using a good password manager is significantly safer than any other alternative.
Good security demands that you have a unique, strong password for every site or service, ideally kept only in your head. Without a password manager to aid you, you’ll likely need to make a tradeoff that compromises your security. There’s no such thing as perfect security, but using a password manager ensures you’re as secure as possible without needing to make those tradeoffs.
Security best practices
Password security demands that you:
- Have good, strong passwords (long and complex).
- Keep them nowhere but in your head (memorable).
- Use a different password on every site or service (unique).
Yes, indeed, that would be ideal.
Without using a password manager, it’s also completely impractical.
Those requirements simply can’t all be met at the same time. At least one, if not two, will be compromised without the aid of a password vault.
Without a password manager
Without a password manager, you’ll compromise your security in some way.
- You’ll choose a less secure, easy-to-remember password (short and/or not complex).
- You’ll use the same password at multiple sites (not unique).
- You’ll save the password using technology that is not secure (not memorable).
Any one of those can significantly compromise your security.
With a password manager
Password managers make best practices trivially easy. Using a password manager allows you to:
- Generate and use secure, complex, and appropriately long passwords.
- Avoid the need to remember passwords yourself.
- Use different passwords on different sites.
These are things people don’t do unless they have a tool in place to help them. Password managers are specifically designed to securely do exactly that.
Most password managers add several features that make improved security even more convenient. They can:
- Synchronize your information across multiple devices.
- Be used on mobile devices.
- Automatically fill in not just passwords, but common web forms.
- Securely store other information of many types.
And they do all of that with more security than almost all alternatives.
If you’re compromised, you’re compromised
It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer. For example, while I’m logged into my password manager, all the information could technically be available to software running on my machine — good software or bad.
That’s a serious concern, and not to be taken lightly.
But it’s a concern that exists regardless of whether you use a password manager or not. All bets are off if a keylogger captures what you enter when you log in to your bank account.
Avoiding a password manager doesn’t increase your security one whit.
But are password managers safe?
Yes. Password managers are safer than any practical alternative.
There are no absolutes — that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware, all bets are off, no matter what technique(s) you use.
Password managers are the safest way to keep a record of your online account information, but they are no safer than:
- The master password you use to access the password manager.
- Your own ability to use your computer safely.
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
What I do
I keep my machines secure by doing the things you hear over and over: keeping software up to date, running scans regularly, avoiding malicious websites and downloads, not falling for phishing, and so on.
I now use 1Password to manage all my passwords and additional security information.
I use Google Authenticator, a form of two-factor authentication, to access my 1Password vault. You can’t get into my 1Password account even if you know my master password. To get access, you need both my master password and my mobile phone.
I have 1Password automatically log out after some amount of time on any device which I’m not 100% certain won’t get stolen or accessed without my permission.
I keep my master password secure and complex.
I back up my 1Password vault regularly.
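The two-factor gate described above, as an added illustration that is not code from the article or from 1Password: a vault service accepts a login only when both the master password and a time-based code from an authenticator app (Google Authenticator implements RFC 6238 TOTP) check out. The function names, the PBKDF2 parameters, the sample password and salt are all constructed for this example; the TOTP secret is the RFC's own test-vector secret.

```python
"""Added example: master password + TOTP, both required.  Not the article's
or any vendor's code; verify_login, DEMO_* values and the KDF settings are
illustrative assumptions."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference secret, shown in the base32 form an authenticator app
# would be enrolled with (computed here rather than hard-coded).
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(DEMO_SECRET).decode()


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps display secrets as base32, often with spaces and
    without padding; normalise and decode."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped '=' padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock
    drift between phone and server.  Constant-time comparison so a partial
    match cannot be detected through timing."""
    if not (code.isdigit() and len(code) == 6):
        return False
    return any(
        hmac.compare_digest(totp(secret, at_time + d * step, step), code)
        for d in range(-window, window + 1)
    )


# Constructed sample master-password record: the service stores a salt and a
# slow hash, never the password itself.  Iteration count is illustrative.
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_MASTER_PASSWORD = "correct horse battery staple"  # constructed sample


def hash_master_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


DEMO_PASSWORD_HASH = hash_master_password(DEMO_MASTER_PASSWORD, DEMO_SALT)


def verify_login(password: str, code: str, at_time: int) -> bool:
    """Both factors must pass: the master password alone is not enough, and
    the phone alone is not enough.  Both are evaluated regardless, so the
    failure does not reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(hash_master_password(password, DEMO_SALT),
                                DEMO_PASSWORD_HASH)
    otp_ok = verify_totp(DEMO_SECRET, code, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code_now = totp(DEMO_SECRET, now)
    print("current demo code:", code_now)
    print("both factors:", verify_login(DEMO_MASTER_PASSWORD, code_now, now))
    print("password only:", verify_login(DEMO_MASTER_PASSWORD, "000000", now))
```

The TOTP gate protects the login to the service; it does nothing for a vault file that has already been copied off the machine, which is why the master password itself still has to be strong.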
I’m not going to claim it’s impossible for anything bad to happen — that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs, and absolutely convinced that using 1Password (or any reputable password manager) keeps me as safe as possible, and safer than not using one at all.
Let’s face it: even doing business offline has risks and trade-offs.
I totally agree! I used Roboform but I find LastPass to be superior in many ways. Not least of which is that it is easily available to me on any platform.
I am so reliant on it that it now contains all the info required In Case of Emergency (ICE). My dependants have half the password each so that should anything happen to me they can gain access to my LastPass account in which they will see not only my passwords but instructions on how to deal with other matters.
I highly recommend this. The free version of LastPass is all you really need but please consider supporting them by upgrading to the Pro version for $1 a month. I do.
Computers are supposed to be fast but when it comes to security, well, it comes first.
I use an old program from PC Mag called Password Prompter. It stores your data encoded.
I never let my browser “Remember Me”
I can copy my User name and password from Prompter and paste them into the site page to log in.
No password data is stored where it can be hacked easily. Takes a little more time but it’s worth it.
You must log into Prompter to open it. It stores any special instructions or notes you care to remember for each site along with the site url.
Letting your browser remember you isn’t a security risk as long as you are on your own computer which is reasonably secured. “Remember me” keeps a cookie (a tiny text file which tells the website you are still logged in) on your computer and nowhere else so that when you return to the site it reads the cookie and knows you’re logged in. If you have kids, especially teens, in your house and you don’t lock the screen (Windows Key + L) all bets are off. I’ve seen some Facebook posts on friends’ timelines which prove my point :-) .
I’ve used Firefox for years but just recently realized that a password manager is now built into the browser, Lockwise! I was surprised, and perplexed, to discover this, since it has been my understanding for a long time that it is unsafe to store passwords in the browser. Is this Lockwise password manager safe?! Or is it safe only if no-one else has access to this computer (e.g., my laptop which no-one else ever uses)? It seems to me that Lockwise would NOT be safe on, say, a family computer that the whole family is using. Or am I missing something here?? Thanks for any enlightenment on this question you can provide.
My sense is that Lockwise is as safe as any password manager.
I do generally discourage letting the browser save passwords, though, and recommend using a dedicated tool: https://askleo.com/browser-remember-passwords/
Never trust any software or any companies with your user IDs and passwords.
Once they know your secrets, they can access them without you knowing it and possibly steal your identity and your money.
Stay Away from this SCAM!
LastPass encrypts passwords with the master password which you set. They cannot decrypt the file themselves. LastPass, KeePass, and DashLane are all open source so they can be verified as not having any back doors.
I have used Dashlane for a number of years. I love it although I’m confused with the new web app. I guess that’s what it’s called. Hope to get it figured out when the covid slowdowns allow more people back to work.
I’ve always used KeePass. And I agree with some that it’s a bit clunky. But it’s better than nothing.
And it worked fine for me, until… I had a stroke.
Some time August/September 2020. At least 200 passwords inaccessible. Poof!
It’s now late January 2021. I still can’t recall my master password. Bugger!
But I’m glad that nobody else can access them either.
Very sorry to hear about the health issue. For everyone else: this is one of the reasons I recommend backing up your password vault in an unencrypted form (plain text or CSV export kinda thing), and then securing it some other way (like a safe).
HOPE YOU HAVE A GOOD MEMORY.
I have used KeePass for the last few years – free, easy, convenient and safe. I can strongly recommend it.
This highlights an issue which seems less commonly discussed. KeePass runs entirely locally. Nobody is going to try to steal data from your individual machine, but might well go after data in the cloud, or alternatively intercept communications between you and the cloud storage. (Keyloggers are one example of such interception.) KeePass itself is frustratingly clumsy, but the addition of one of the plugins to automate the transfer of data from KeePass to the browser (e.g. KeeForm) makes it very efficient. (And it is free, open source, high security encryption, etc.) What it does NOT do is permit common use of the stored passwords by multiple machines. (This is not a problem for me – I am a Luddite and don’t even own a cell phone.)
Unless you want it to. You can *choose* to store your database in the cloud, if you wish, and access it from anywhere. I am a fan of KeePass, and I think that it is good that it has the flexibility to store your database either locally or online.
The reason banks don’t allow password managers is not technical – they can and do hire top tech brains – but legal – they can and do hire top legal brains too. If they take certain preventive measures they shift the responsibilities to the customer. The customer is supposed to keep the password safe, isn’t it?
Basically they want only customer entered inputs at the website (or the app); not any software accessed. Having deep pockets, they can be deemed responsible if they don’t have such usage restrictions.
Technology may solve our problems but legal system can and will prevent it from being used. You will be surprised how much of our life is governed by legal system lurking hidden behind us.
Leo, you sound like a candidate to join my one-man crusade against expiring passwords. No computer security measure could be more irritating. Password expiration policies only reduce security for many of the same reasons as not allowing password managers.
I agree 100%! Nothing annoys me more in the whole “password realm” than a website’s demand that I change my password every “x” number of days.
I’ll add my vote. I have one on-line acct that requires periodic password changes, and it’s annoying as all get out. I wonder if this doesn’t have some relation to Rachael’s post (above) about legal vs. technical. We’re told that changing passwords regularly is more secure, so perhaps sites cover their -um- behinds by requiring it.
Demands for frequent password changes are a real pain but they are also a defense against your credentials being used against you. There are several scenarios.
1) You have no control (& generally no knowledge) of how a site saves your credentials. There are numerous cases where sites have been hacked and large volumes of credentials accessed. Over time these become more widely available (the hackers use them, then they sell them). Even where there is good encryption on the site, secure passwords can be recreated from their hashed & salted forms. A strong password in 2012 no longer looks quite as strong 4 years later.
3) The increasing prevalence of surveillance cameras at work & in public locations makes it easier for someone to shoulder surf & capture your password.
4) Similarly the odds of someone who spends a lot of time in your company working out what password you are using increase over time with repeated use.
All of these can be mitigated (but not eliminated) by not using the same password over multiple sites.
1. That is more an argument for having a different password for each login. A careless website where you need to change your password frequently would be almost as dangerous if you regularly change passwords.
3. That’s an argument never to type a non-work related password at work as they might use a key logger. If they don’t use your password before you change it, it might give some protection.
4. I don’t understand what you mean by “working out what password you use.”
Can I join too? Social Security demands changing your account password every six months. So irritating. I only go to the site once a year to check my balance. I couldn’t even get in this year so just said to heck with it.
Thanks, Leo, for mentioning that Google Authenticator works on Last Pass. Off to add two-factor to my Last Pass account.
Me too. (Not the # version.) Soc Sec Admin requiring password chg every 6 months when *lots* of folks log on once per year is just silly. Not too long ago, SSA required users have a cell phone to receive a text in order to log on. That didn’t last long.
I have been watching the debate concerning password managers. I know the idea is nice because it make it easier to manage 30 different passwords. I also agree somewhat with the bank.
But ultimately the fact is strong passwords do not replace the need for other effective security controls. These banks need to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will help their customers by implementing some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite for any system that wants to promote itself as being secure. With this, if they were to try to use the “stolen” password and don’t have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account. This is one of the biggest problems with internet security: people are still encouraged to rely on their password as if it were all that is needed.
In European countries, Banks use a 2 factor authentication system called the PIN and TAN system. A TAN is a Transaction Authorization Number, a one time password to complete a transaction. Under the older PIN/TAN system, the bank would send you a list of 100 TANs and upon entering the information, the website asks for a specific random TAN from the list. In order to do away with a printed list which could be a weak link in the operation, many banks are switching to sending a text to your phone or using a TAN calculator. This calculates your TAN when you insert your bank card and enter a challenge code and your card PIN.
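The indexed TAN list described in the comment above, as an added example that is not taken from the comment or from any bank's implementation: the customer holds a printed sheet of numbered one-time codes, the bank asks for a specific position, and each code is accepted once. Class and function names, the hashing of stored TANs and the lockout threshold are assumptions made for this illustration.

```python
"""Added example of the printed PIN/TAN list flow (constructed; not any
bank's code).  The bank side keeps only salted hashes of the TANs, the
position it asked for, and a used-set, so a TAN cannot be replayed or
answered out of turn."""
import hashlib
import hmac
import secrets
from typing import List, Optional


def make_tan_sheet(count: int = 100, digits: int = 6) -> List[str]:
    """Customer's printed sheet: TAN positions 1..count, each a random
    fixed-length digit string (the index in this list is position - 1)."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


class TanVerifier:
    """Bank side of the protocol for one customer's sheet."""

    def __init__(self, sheet: List[str], max_failures: int = 3):
        self._salt = secrets.token_bytes(16)
        self._hashes = [self._digest(t) for t in sheet]  # never the TANs
        self._used = set()          # 0-based indexes already consumed
        self._pending: Optional[int] = None  # index of the open challenge
        self._failures = 0
        self._max_failures = max_failures
        self.locked = False

    def _digest(self, tan: str) -> bytes:
        return hmac.new(self._salt, tan.encode(), hashlib.sha256).digest()

    def remaining(self) -> int:
        return len(self._hashes) - len(self._used)

    def challenge(self) -> Optional[int]:
        """Pick a random, not-yet-used position (1-based) and ask for it.
        Returns None when the list is exhausted or the account is locked."""
        if self.locked:
            return None
        unused = [i for i in range(len(self._hashes)) if i not in self._used]
        if not unused:
            return None
        self._pending = secrets.choice(unused)
        return self._pending + 1

    def confirm(self, position: int, tan: str) -> bool:
        """Accept the TAN only for the position currently asked for.
        A correct TAN for a different position is refused, a consumed TAN
        is refused, and repeated wrong answers lock the list."""
        if self.locked or self._pending is None or position - 1 != self._pending:
            return False
        ok = hmac.compare_digest(self._digest(tan), self._hashes[self._pending])
        if ok:
            self._used.add(self._pending)
            self._pending = None      # challenge consumed: no replay
            self._failures = 0
        else:
            self._failures += 1
            if self._failures >= self._max_failures:
                self.locked = True
        return ok


if __name__ == "__main__":
    sheet = make_tan_sheet()          # what the customer receives by post
    bank = TanVerifier(sheet)         # what the bank keeps
    pos = bank.challenge()
    print(f"bank asks for TAN #{pos}")
    print("customer answers correctly:", bank.confirm(pos, sheet[pos - 1]))
    print("same TAN again (replay):", bank.confirm(pos, sheet[pos - 1]))
    print("TANs left on the sheet:", bank.remaining())
```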
So if our wonderful “copy-me” litigation avoidance system is behind this “conspiracy” how long will it be before all major web destinations adopt the “no robo login manager” policy? (I wonder if somebody has a patent on the technology to make robo-managers not work…)
But the thing that absolutely infuriates me is when I forget a password and the site (some, not all) helpfully sends it back to me – in plaintext email! Have they not heard of (decades old) one way encryption? This is even worse than robo-managers because the user has no control over security management on the other end of the wire to these sites. How many times have major breaches happened to large companies/websites? I would love to publish a list of these sites and embarrass the heck out of them but then that would be compromising security too. This factor alone makes using the same password at more than one site an absolute no-no. So, Leo, I am all for best security practices by everyone but there are some outfits that are a few brains short of a full kindergarten, tech, legal or otherwise, and there is not much we can do about that.
I happen to use KeePassX as my password manager. I simply copy-and-paste my passphrase into the login form field. My bank is none-the-wiser.
I have set my bank [B of A] online banking features to NEVER allow a withdraw, transfer, or check unless I have previously approved it. So, a hacker could send a check to my previously approved list, like the phone company or PG&E. I doubt they would do that.
If I want to send money elsewhere, a new place, I have to create a new payee or transfer, and then I must use my SafeKey card that generates a new code number via algorithm. I enter that number into the bank info and the money moves.
I keep that SafeKey at home.
I also use a jumbled up set of letters for my user name, and a 16 number/symbol/letter password. All my credit cards are set to notify me if used for over $100.
Am I perfectly safe? Of course not, but no key logger could enter my bank info without the SafeKey card that is kept at home.
And passwords are encrypted with TrueCrypt.
I am an expert in bank regulations and security. All banks must comply with a significant set of internet banking security regulations. Included in them are mandatory specific multi-factor authentication procedures which are designed to ensure that only a real person sitting at a pre-authorized computer can access customer accounts. These specifications require that the authentication procedure eliminates the possibility of automatic sign-ons to the furthest extent of current technological means. Because of this and other specific Ebanking regulations, the banks have no choice but to inconvenience their customers in order to make the government happy. Can you imagine how much it costs the bank just to have customer service staff available 24/7 to deal with this kind of problems? And if someone does get in and steal your money the bank is usually liable. There is simply no legal way to make it easier for the customers. We bank operations professionals sure wish there was. Investment banks may not be appropriately regulated, but bank operations and security have been and still are. If you don’t like it, remember November 6!
Thank you! Always great to hear from someone who knows the reason behind the annoyance.
A big problem with pw managers is that you have all of your eggs in one basket. If your pw manager pw is compromised, then all of your assets are compromised
Another method is to use “Your Password Card”. Link is: http://www.passwordcard.org/en
10-Jul-2012
A great idea. But rather than using symbols for the columns, I have found it easier simply to use alpha characters from A to Z, splitting them into groups of three – ABC DEF HIJ … etc. and using a Courier font.
OOps… ABC DEF GHI :o)
Re Roboform and the safety issues using it: a couple of years ago I was using Roboform. I had the passwords for 4 bank accounts and maybe 40 online sportsbooks (all with money in them) stored there.
One morning I opened up my inbox and there was a message from a guy named {removed} (@yahoo7.com). He said to me, “I am a security expert, your master password at Roboform is {removed},” and it was.
He claimed it and all of the P/Ws at Roboform were “in the background” and anyone could see them.
I immediately closed my Roboform account. This guy, a very honest man, did not touch one cent of my money nor did he ever try and sell me anything.
Roboform told me “he is a keylogger”, apparently either one who is only practicing or an honest one, because he did not touch any of my money, so why bother being a keylogger, and he had access to everything I had.
No more Roboform for me, thank you. Regards, Don Rees
Don Rees, you got somehow infected with a keylogger; it is not the fault of Roboform. As soon as you typed your password into Roboform he could read it. Run several free anti malware programs to get rid of it.
I use what I think is an even more secure method. I use strong passwords, different ones for each account, and keep cryptic notes to myself that will help me (and me alone) to reconstruct what my passwords are if I forget them, which I do often. Yes, it’s a bit of a pain having to go look up my hints to remind myself of what my password is every time I want to log onto a bank account or other online account, but I’d rather have to go through that than have it easily hackable. I *never* write my passwords down in plain text anywhere. Also, I always open a brand new browser window (not just a new tab) whenever I want to log onto a financial account, and I log off immediately and close the window afterwards, so that no other websites I happen to be connected to at the time could know what my bank URL is. I also practice all the safe computing practices Leo mentioned, so I’m pretty much not vulnerable to key loggers. I also reconcile all my financial accounts regularly against my own records (I don’t trust downloading the transactions from the bank website) so I’ll catch any fraudulent activity (or bank error) and be able to report it.
Leo is right that it is better to have a password manager like Roboform than rely on common sense!
Roboform does not in my environment let me into on line banking, it lets me access the entry to the account but I still have to enter the password for my account which changes every day.
Moreover a big added facility with Roboform is that you can carry access to your passwords with you on a memory stick and you have only to remember the master password which can be sixteen characters long
I use KeePassX to generate my various passwords.
How does KeyPassX compare to Roboform and/or Last Pass? Should I consider dropping KeyPassX and move over to either of the alternatives, or am I in good shape with what I have? Up to the present I’ve had no problem with KeyPassX. Thanks for your anticipated response.
10-Jul-2012
AOL has just offered its “Premium” paying members a bunch of free services. One is a password protecting software like Roboform and Lastpass. It is called “AOL OnePoint”. AOL has been hacked before, so I don’t know if I can be confident about this service. They don’t give info as to who is behind the software … and what experience they have. Help on this?
I have been using RoboForm for many years and have never had a problem. RoboForm generates very secure passwords and also enables one-click logging in to all your secure web sites. It’s invaluable, especially if you have a memory like mine. I recommend it to all my friends.
In the UK banks have a variety of methods of logging on. My bank uses a client number as the first part, then a variation on a password, and last, a variation on a really long user invented word.
So every time a user logs on they are asked for entirely different variations of parts 2 and 3.
So using LastPass doesn’t work because we have no idea what we will be asked when we log on.
For everything else I use LastPass based on Steve Gibson’s recommendations and Leo’s suggestions.
In conjunction with Speed Dial this is a cool way to automate and manage accounts. Speed Dial allows you to set up unlimited webpages listing sites anyway you want to categorize them. You click on the pointer and Last Pass logs you in. Roboform ticked me off after they tried charging me more money to upgrade to their Windows 7 version. I had paid for a lifetime subscription.
Most banks or financial institutions use an electronic key, without which you cannot access your bank account.
11-Jul-2012
Horse Puckey! I have a file folder which contains my (more than 50) passwords. I keep it physically secure. When I log on to a site, I type my password. Oh, I also use Linux, so I’m safe these days.
“Oh, I also use Linux, so I’m safe these days.”
LOL. Good luck with that. I don’t know why you Linux users think your systems are not subject to malware attacks. It’s an ignorant assumption and it’s a false assumption.
Norton now has a password toolbar that works very good. Identity Safe. It’s less buggy than Lastpass.
I’ve been using Roboform for over 6 years and I feel very safe using it. Especially the new Everywhere service. You can read more on the safety of it here (I found this on their web site): http://www.roboform.com/everywhere/security.
Work requires that I have different passwords for the various things that I access (Windows logon, mainframe logon, Compensation website, encryption software, etc.). And work forces you to change your passwords every 90 days and repeating previous passwords does not work, nor does it work if the password is too similar. Passwords must be strong passwords. And writing down your passwords is a no-no.
A couple years ago, I came up with a “formula” that fit the password requirements. Every 90 days I can use the “formula” again to come up with the new set of passwords for the various systems. All I really have to remember is the “formula.” I can always figure out my password if I forget what it is.
I and the rest of my household use LastPass, each with our own YubiKey second-factor security. Works like a dream. Very impressed with the service and there’s an Android app too, as well as an add-on for the Dolphin browser.
Roboform is slowly finding ways around those institutions which try to prevent its use. I only have one problem account, and it works with IE, but not Firefox. No problem, since I only access it once or twice a month.
I have one user name and password which I have been using since 1978 when I had a Department of Energy network account. It exists on literally hundreds of places, but all are in the “Don’t Care” category. The simplicity of always knowing what it is far outweighs the possible problems of compromise. The few accounts which matter, such as banks, email accounts, and a few professional sites, are all long, complicated, and different.
I’ve used Roboform for years. Main reason I began using it was to protect against KEYLOGGERS. I use Viper Anti-virus. Great combination!
I strongly support Leo’s recommendation to use Roboform as a password manager. I just add that as it is so secure make sure you backup the Roboform data on an external disk in case you have a crash. If you do not do this a crash may cause loss of all password information which can be a serious problem
I have to agree with Tregonsee . I got the idea from the book, Lord of the Rings. In the fortress, there were “lesser passwords” that were taught to everyone. Then, there were stronger passwords for more important stuff and more important people.
Regarding banks and security… FIRST: When the banks get THEIR act together, then I might head their messages! They are not much better than the Feds when it comes to IT geniuses! I had a young friend who told me that they would practice on government accounts, then see how they could do with banks…he just smiled! Many have little old ladies in combat boots that have been around since WWII. I belong to Boeing Credit Union, I use Last Pass and have since they started. When I go to the BECU site, another pop-up window shows and Last Pass just jumps right in and posts the info…no hassles, no problems! It drives me crazy when service organizations (banks??) always “TELL YOU WHAT YOU CAN’T DO BUT NOT WHAT YOU CAN DO!”
I have had RoboForm 6 for several years. It is about 95% efficient. Sometimes it drops the password entry box for a site. When using it always use the “Virtual” key pad for the Master password and not your regular keyboard. This adds another layer of protection.
I have used Dashlane as my password manager for the past 2 years and I love the way it works and its features. Using a password manager trained me to use a different password for each site and also to be more creative in forming passwords.
How does one extend the generated passwords to beyond eight characters in LastPass? I would like to have some be 16 characters and my bank accounts be 24 characters. I’ve searched in LastPass and just not finding the answer to my question. Thanks Leo!
Tick the ‘Show advanced options’ check box. An option to set the length will appear.
I have been using “Last Pass” for a few months. I haven’t allowed it to re-generate all of my old passwords yet though. I am concerned that if in the future I should decide to stop using it, or they go out of business, how would I gain access to all the sites that it auto generated passwords for?
Even if the LastPass site goes down, you’d still have the passwords stored on your hard drive which would still work with the LastPass plugins. To be sure you should back up your LastPass passwords.
http://askleo.com/what-happens-when-applications-die/
http://askleo.com/how-do-i-back-up-lastpass/
I didn’t know that the Lastpass passwords were on my hard drive. Where would I find them?
To download them and print them, click on the LastPass icon and select Tools from the pulldown. In the next pulldown choose Advanced Tools. Then in the next pulldown choose Export, where you can choose the format you want to save it to. (The original Ask Leo! article on backing up LastPass skipped the step of choosing Advanced Options. It appears LastPass changed the menu since the article was written.)
I think I found my problem. I only have the free version of Lastpass and haven’t upgraded to the premium. With what I have, when I sign into the Lastpass site I get my vault and there are no tool bars like you are describing to download anything. Thanks for your help.
I found the locations listed on the LastPass support site, “Where is my data stored on my computer?” https://lastpass.com/support.php?cmd=showfaq&id=425&questiondefault=where%20is%20the%20
It’s not found in a tool bar. If you click the LastPass icon in your browser, the Tools option should appear in the pulldown menu. As I understand it, the only difference in the free version is that it doesn’t synchronize your passwords with your phone and tablets. See this article for screenshots showing how to access this feature. http://askleo.com/how-do-i-back-up-lastpass/
A way to add security to a password manager is to store only partial passwords. For example, say you have a password of 25 random characters and the word rough. Have the password manager save the 25 random characters and add the word rough to the end once the password manager has filled out the password field. The last characters are easy to remember and you will not have recorded your entire password anywhere.
This is cute. Simple to execute for an added security. Thanks Daniel.
I’d just like to stress Leo’s point “I have LastPass automatically log out after some amount of time…” I highly suggest all LastPass user’s configure that setting (Preferences, General, Security). I use LastPass at work, as well as home. I don’t want some sysadmin remote connecting to my PC when I’m not around and finding LastPass wide open. I have it log off after 30 minutes of non-use.
Here is a good page listing several LastPass security measures you may want to consider, including those mentioned by Leo above: http://www.howtogeek.com/121267/11-ways-to-make-your-lastpass-account-even-more-secure/
Worried about some ‘sysadmin’ finding your LastPass passwords or some other file while you’re away for a period of time?
DISCONNECT THE LINE. You won’t forget about it.
I’m irritated by the few sites which don’t allow entering passwords by copying and pasting. I suppose this is done to prevent automated hacking attempts, but in my opinion, it has the opposite effect : in practice, forcing users to enter passwords manually limits their length and complexity. Therefore it decreases security.
Besides, I’m sure most sites are programmed to reject log-in attempts if a single user makes too many of them in a short while. At least, I hope so…
I use KeePass, which is supposed to protect you even against keyloggers, since it can scramble the password before entering it. It is also very useful to store any amount of various identification data, such as social security numbers, software licence numbers, etc.
All you have to do, then, is make sure that you have multiple, up-to-date backups of your password database in various places.
I would simply caution you that no password manager can protect you against all keyloggers. The simple ones, sure, but a relatively sophisticated one can capture the password as it’s passed to the web site.
Leo, maybe I missed something, but are you saying that a keylogger could capture a complete password even if it’s entered to a site’s login page via a keystroke or two entered into the pw manager? That seems to go way beyond the scope of keylogger to me.
The only safe way to think about any type of malware, keylogger included, is that once a hacker has control of your computer they can do anything. What we want to do is everything in our power to prevent malware and hackers. There is not much value in devising strategies to manage malware and hackers who have control of your machine.
EXACTLY. Calling something a “key logger” doesn’t restrict what it can do. A keylogger is MALWARE and once on your system malware can do anything.
After reading all of the above I have a question: When a password is generated by a password manager, can I see what the password is after it has been generated?
Depends on the password manager. Most have a “reveal” option, or a way to see it. LastPass’s is displayed for you so you can even copy/paste it if you like.
It’s worth mentioning, what LastPass (or indeed any PW manager) calls “2FA” actually isn’t 2FA at all.
Two-factor authentication is simply not possible in this context. If your data/backups & master keys are stolen, “2FA” won’t help you.
I don’t understand this statement. Could you elaborate?
So, what happens when your hard disk develops bad sectors over the password data or your password manager itself? Can you still access your “more than 30 accounts all over the internet” after the manager is dead?
That’s why Leo harps so much on backing up.
https://askleo.com/how-do-i-back-up-lastpass/
https://askleo.com/lets-get-people-back/
Many password managers store their information on servers as well – LastPass for example. So you’ll have lost nothing.
Since I discovered password managers as a more secure anti-crack protection of my accounts (not so long ago), I used to use RoboForm.
But yesterday, after thinking about differences between proprietary password managers and open-source ones, a question entered my mind:
“How do I know that proprietary software doesn’t see all the data I’ve entrusted to it, without having to use any master password or such?”
Truly, it is a fact – there is NO way to know if proprietary software (such as RoboForm, LastPass and others) doesn’t see your passwords/data (it certainly can), no way to say if it doesn’t just copy your whole database to their server, maybe even in open view – without any master password or such, and therefore you just cannot know if your data is actually safe from crackers (the ones people usually call “hackers”), from the RoboForm guys themselves, the NSA and so on.
On the other hand, open-source software shows you exactly what that software is doing with your data and therefore, through a community of people who are able to read the code and determine that it doesn’t do any hidden/strange activity with your data, you can be more confident that your data is in fact safe. Therefore solutions like KeePass are the most reliable and trustworthy, although maybe (I don’t know for sure, as I have yet to start using it) KeePass is less convenient to use, and indeed has a somewhat “uglier” design/user interface and, again maybe, is less integrated into different operating systems/different computing devices/different web browsers.
LastPass data is encrypted on your computer using LastPass, and only the encrypted passwords are uploaded to LastPass servers. Steve Gibson, a trusted friend of Leo Notenboom, has extensively tested the security features of LastPass. This video is very long, but you can skip to about minute 53 where he reviews the security of LastPass.
http://twit.tv/show/security-now/256
While Steve and I have crossed paths ever so slightly, I’m not sure “friend” is the right word. But I do trust his analysis of LastPass, and it factored heavily into my adopting it.
I have a small TrueCrypt volume that has a *.txt file with all my info. It’s almost always unmounted. When I need access to my info, I mount it, use the info and then unmount it again. Isn’t this safer than using a password manager?
Also, if TrueCrypt fails, my volume is still accessible by reinstalling TrueCrypt, but if a password manager fails, won’t you lose all your data?
It’s as safe, but in my opinion no safer and somewhat more inconvenient.
Depends on what you mean by “fail”, but I don’t see a likely scenario where a simple failure would cause you to lose everything. I do recommend backing up the contents of your password manager periodically – just as I recommend backing up the contents of TrueCrypt volumes. :-)
Alright! Thank you very much for your answer! I’ll probably start using one of these heheh.
Take care!
If you are really looking for a password manager that works on all browsers running on any device (including mobile phones, tablets, computers, etc.), take a look at “Intuitive Password”. I use it all the time and it’s very convenient.
As far as “security” goes, how can you tell (or how do you know) that the author of the software does not use any hidden tactics to secretly collect the data you enter into the password manager, thereby having access to all of your passwords?
LastPass encrypts the data on your computer and only the encrypted passwords are uploaded to their servers. Since you can’t see how this is done, it ultimately comes down to whether you trust that they are doing what they say. They are considering releasing the source code in light of the NSA revelations.
https://blog.lastpass.com/2013/09/lastpass-and-nsa-controversy.html/
Actually Steve Gibson of Security Now did a breakdown of LastPass a few years ago and confirmed the quality of the encryption and the code that’s running on your PC. That gives me a very high degree of confidence.
What makes me nervous about the likes of LastPass is the increasingly frequent reports that some very well known and, you would think, very secure sites are hacked these days. How certain are you that these sites are immune to attack? Reading through your earlier comments, the big weakness of us users is our habit of using very easy to breach simple passwords or the same one many times. For this reason, I can see the argument that a password manager would be a whole lot safer. In my case I am at home, no one sits at my desktop but me, and I have a book full of such information to which no one else has access. Admittedly, a burglar might. There are no duplicates and I am slowly making existing passwords more complex. At present, I can look up or share a password if I wish with a trusted person, and if my desktop goes down (and they do), I can still get to my sites using another machine.
At heart I suppose I do not trust the storage of information in the hands of others. This is all about the expansion of “Cloud” computing. Free it may be now but I simply do not see such facilities remaining free for long before a fee will be demanded for keeping our data “safe”.
If someone manages to break into the LastPass server, all they could get is a massive block of encrypted data.
LastPass doesn’t know your master pass phrase. Only encrypted data ever travels between your device and the server; it is encrypted and decrypted only locally.
Yeah, but…..
While LastPass has never actually exposed (unencrypted) user passwords, the company’s systems have been compromised more than once, with email addresses, cryptographic salts and hashed passwords being stolen. Next time – and there *will* be a next time: these databases are the Holy Grail for cybercriminals – it could be much worse.
The simple fact is that nothing is 100% secure. Remember the bookmarklet bug that would have enabled a malicious site to extract logins for other sites from LastPass without the users’ knowledge? Or how about the OTP bug, which could have had absolutely devastating consequences had it been exploited in conjunction with the user details extracted in the previously mentioned breaches? And it’s pretty much a given that other bugs will be discovered down the road. How critical will those bugs be? Your guess is as good as mine…..
As an aside, it’s also worth noting that using a password manager could possibly be in contravention of your bank’s terms of service – meaning that, were somebody to gain unauthorized access to your account and misappropriate funds, you could experience problems getting those funds reimbursed.
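To make concrete what the two comments above are arguing about (the claim that only encrypted data and a derived value ever reach the server, and the observation that a breach still yields salts and hashed passwords), here is an added example modelling that kind of client-side design in Python. It is not LastPass’s code or any vendor’s real implementation; the function names, the iteration counts and the use of the e-mail address as salt are assumptions chosen to illustrate the idea. The master password is stretched locally into a vault key, one more one-way step produces the value sent at login, and the server stores only a salted hash of that value.

```python
"""Constructed model of a client-side-encrypted vault login (added example).

Shows why a stolen server database yields only salts and hashes, not the
master password or the vault key. Constants and function names are
assumptions for illustration, not any vendor's real implementation.
"""
import hashlib
import hmac
import os

# Demo iteration count; a real client would use far more rounds
# (assumption: a six-figure count or better).
DEMO_ITERATIONS = 1_000


def derive_vault_key(master_password: str, email: str,
                     iterations: int = DEMO_ITERATIONS) -> bytes:
    """Client side only: the key that would encrypt the vault.

    The e-mail address is used as the salt so two users with the same
    master password still get different keys. This value never leaves
    the device.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: the value actually sent to the server at login.

    One more one-way step on top of the vault key, so the server can
    check identity without ever learning the vault key or the password.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1)


def server_enroll(login_hash: bytes,
                  iterations: int = DEMO_ITERATIONS) -> dict:
    """Server side: store a salted, stretched hash of the login hash.

    This record, plus the e-mail address, is what a breach of the server
    database exposes: a salt and a hash, which an attacker must still
    brute-force offline against the full derivation chain.
    """
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, iterations)
    return {"salt": salt, "hash": stored, "iterations": iterations}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash,
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def client_login(master_password: str, email: str, record: dict,
                 iterations: int = DEMO_ITERATIONS) -> bool:
    """Full round trip: derive locally, send only the login hash."""
    vault_key = derive_vault_key(master_password, email, iterations)
    login_hash = derive_login_hash(vault_key, master_password)
    # Only login_hash crosses the network; vault_key stays on the device.
    return server_verify(record, login_hash)


if __name__ == "__main__":
    # Constructed sample credentials.
    email, master = "user@example.com", "correct horse battery staple"
    key = derive_vault_key(master, email)
    record = server_enroll(derive_login_hash(key, master))
    print("server record:", record["salt"].hex(), record["hash"].hex())
    print("login with right password:", client_login(master, email, record))
    print("login with wrong password:", client_login("wrong", email, record))
```

The point of the extra derivation step is that the server-side record is two one-way functions away from the vault key: someone who steals the database has to guess master passwords and run the whole chain for each guess, which is why the iteration count on both sides is what sets the cost of the “next time” the comment above anticipates.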
Nearly all of these password managers state that they cannot decrypt or view your passwords or other data. However, I don’t know of any way to verify that. Might they indeed have a master key or backdoor that would allow them to do so? With all of the international cyber espionage and hacking, couldn’t these tools be used as a great Trojan horse to collect valuable data? All of the online credentials could be used to create a great deal of chaos in another country when desired.
Has anyone researched, pursued or reported on this potential risk??
Steve Gibson of grc.com did an extensive analysis of LastPass some years ago.
Agreed 100%. I either have to write down all my passwords to have unique passwords or use the same or similar password. There are just too many to remember unique passwords. A password manager, if it is properly used, is safer than the alternatives.
Of course it would also be easier to remember unique passwords, if there was a standard password protocol. I have some passwords that must be 8 characters. I have some passwords that can be as long as I want. I have some passwords that only allow letters and numbers. I have some passwords that require a special character.
Thank you for a very interesting article.
It made me wonder if I could not add to the security by simply adding a few easily remembered characters to the password stored in LastPass each time I need to enter a password?
These characters would then not need to be unique as such, but could, to a certain degree, be varied a little, based on the site I’m logging into?
Comments would be very much appreciated.
I use a password manager simply for its form-filling capabilities and convenience, but do not permit it to store sensitive passwords for sensitive accounts such as banking (see my comment above for reasons). For sensitive accounts, I simply use an easily remembered passphrase ($tupidOldRay99, say) and then modify it on a per-site basis ($tupidOldRay99Bank, for example).
Software fails. When my password manager fails, I’m unable to log on to any site on the Internet!
I use a password manager that is capable of storing the encrypted passwords on a stick drive. If the stick drive is not attached to my PC, no access to passwords is possible, even if a hacker obtains the 16-character pass phrase that is needed to open the password manager. Of course, always back up your encrypted password file – somewhere other than on your computer!
Any chance that a password manager is in fact spyware capable of stealing stored passwords whenever there is an internet connection?
Of course. That’s why you only download and install trusted password managers with a good reputation, and only download them from their official sources.
My suggestion is to use a good password manager but store only half of every password in it, so by seeing the half password from the password manager you should be able to recollect the other half from your memory and then enter it in the website to log in. By doing this, even if your password manager is compromised you will lose nothing but incomplete passwords which won’t work. I follow the same thing.
That is stifling your password manager’s ability to be secure and useful. A good password manager, like LastPass, makes it very easy to store and change passwords over time. When you are logged in to LastPass it will autofill password fields, and even help generate secure passwords. It can also be used across multiple devices so you always have secure access to your difficult passwords. Since it’s important to have different passwords on different accounts it’s far better to allow your password manager to do the job it is well suited to do.
LastPass automatically saves your passwords. I don’t believe there’s any practical way to make it store a partial password. If there is any workaround to do it by editing the password field, it seems it would be easier to have an encrypted list you can copy and paste from.
Where do I ask a simple question???? Such as: If I give permission for a supposed friend to assist me in correcting a supposed problem with my computer… what access have I given him/her to data on/from my computer??? Can he/she go into my personal files and access personal data… or are the clearances I gave them constricted to repairs to my computer??? On a general basis.
Thank you from a late computer bloomer?
Rae
You can ask a question by subscribing to the Ask Leo! newsletter. There is a place to sign up on the home page.
And yes, if you have a friend or a technician help you with your computer you need to be able to trust them. There are many problems that they cannot fix unless they have full access. Trying to limit their access will limit their ability to help. Never allow a stranger over the phone to remote access your computer. My personal recommendation is to find a real-live, local person whom you can look in the eye!
Here is a good article with some possible solutions: https://askleo.com/how_do_i_secure_a_hard_drive_before_sending_it_in_for_repair/
Depends on HOW you give him access, but generally the answer is: anyone with access to your computer can access everything on it.
My LastPass seems to log out after a certain amount of time. Not sure at the moment if that is something I set or can control. When it is logged out, it cannot automatically sign in to any website, and needs the Master Password to be entered again. I’m thinking of improving my “best practice” by deliberately logging out of LastPass if I will be away from my computer.
Further to that, there are options for how LastPass accesses different sites. The more sensitive sites such as those relating to finance can be set to require a Password Re-prompt even though LastPass was already switched on. Attempting to access my bank I get “Your current settings require you to enter your LastPass password to complete this action.” My other bank previously did not allow me to use LastPass but now with their website upgrade I can.
LastPass allows you to change that setting:
Click on the LastPass icon, select Preferences, and on the next screen you’ll see:
Uncheck the second box, and it will stop that from happening.
The setting for re-entering your password before logging on is also something you can change. Click on the LastPass icon and select Show Matching Sites, click on the account name in the flyout menu (there may be more than one if you have alternate logins for that website). Next click Edit. Uncheck Require password reprompt. In Chrome, instead of clicking on the account name from the first flyout menu, click the wrench (spanner for those across the puddle) icon next to the account name.
Thanks Mark, but I wasn’t wanting to undo those restrictions. I was suggesting they can be used even more for blocking access if someone else somehow gets on to my computer.
I didn’t catch that when I read your comment, but they can also be used in reverse to protect your passwords by automatically logging off. I have a short idle time before logging off on my work laptop, and a longer idle time on my home computer.
I am looking for an answer to this question. Suppose there is a keylogger which gets installed on my machine (which is not a remote possibility). Now, if I am getting this right, it can deduce my master password for the password manager I am using. If that happens, am I vulnerable? If yes, then I think it is more unsafe to use a password manager, rather than writing down something from which you can deduce your password (partial information, in codes, which only you can decipher).
It would be helpful to change your thinking around a bit. The best strategy is to avoid the keylogger rather than plan for the keylogger as if it is inevitable. Writing passwords on paper can be a good solution if your computer is in a safe location, if you are very organized, and if you never travel. I’ve seen lots of people who write down passwords in such a way that it is completely useless. Often a password is not changed for years, and the paper lost or forgotten. Or it can be changed online and the change not noted. Or any number of things.
Here’s Leo’s best article on being safe on the internet: https://askleo.com/internet_safety_7_steps_to_keeping_your_computer_safe_on_the_internet/
A keylogger would capture your passwords when typed in. All your passwords. So avoiding a password manager is kinda silly, since the keylogger would instead capture all the other passwords you type in instead. The thing to avoid is the keylogger. My position remains that a password manager is far safer, as it allows you to use more different, stronger passwords that protect you from a variety of other threats. Avoid malware, avoid the keyloggers.
Hi
Is LastPass easy to use, user-friendly? What is your opinion on RoboForm 8?
I tried using KeePass so as not to have to store my passwords online (I am absolutely terrified at the idea of storing passwords online – especially bank accounts and credit cards) but I found it to be a pain to use. Not user-friendly at all (my opinion only).
Thanks
Hey Leo, do you use LastPass to enter your email as well? Since the Google Authenticator is connected to Gmail, right, and if we use LastPass to log in to Gmail, isn’t that a loop?
For example: if I already use LastPass and Google Authenticator, and somehow I got both logged out. When I want to log in to my LastPass, it asks me for the Google Authenticator code. When I want to check my Google Authenticator, I already set that LastPass will auto-fill it, which in this case it will not, because it has not logged in to LastPass, and I can’t possibly tell those scrambled gibberish words that LastPass made for my Gmail password.
I’m a little confused by the scenario you describe. I DO use the Google Authenticator (in the form of Authy, but same thing) for both Gmail and Lastpass. Works fine. No loops that I’ve encountered.
Login to LastPass: need password, prompted for second factor, which I enter after looking at the authenticator app.
Login to Gmail: LastPass enters email and password, I’m then prompted for second factor, which I enter after looking at the authenticator app.
Just wondering if LastPass was still your preferred password manager.
It is indeed. Use it every day. :-)
Programs like LastPass are great until your master password mysteriously gets changed. Then you are screwed! I had used them for months. I had my master password written down in a safe place in my office. Then one day it simply ceased to work. I had LastPass set to change all my passwords on a regular basis so I didn’t even know what these new passwords were! It was a disaster! I had to go in and close / cancel / or modify HUNDREDS of accounts that I no longer had access to because of this mess. Banks, emails, places I shop on line – my entire digital life got upended. LastPass never could explain how my master password got changed. I know I certainly didn’t do it!
You should have your LastPass passwords backed up so you can recover if something like that happens.
How Do I Back Up LastPass?
Recovering the passwords might be a pain but it’s much less painful than losing all your passwords.
So what happens if Last Pass (or whoever) goes belly up? It is no longer available and neither are all your carefully crafted passwords…
I live alone and am the only user of my machine. I keep my passwords in a small notebook where my relatives in the area know where to look if I’m no longer around. Much safer, I believe, than depending on some “in the cloud” program to always be available for me to check on passwords…
The passwords are on your computer and the program should still be working even if there is no LastPass. You can use LastPass without being connected to the web.
You can also backup your passwords.
Two things: 1) the software will continue to work, and 2) regardless of which password manager you use, you should be backing up your vault. Here’s how in LastPass: https://askleo.com/how-do-i-back-up-lastpass/
I keep my passwords in an Excel file that is on a flash drive and is password protected. Each PW is different and long. I have a system for sequential PW assignment but will not reveal it here. With just a bit of imagination, you can do the same. Columns: category (so I can group banks, credit cards, email, etc.), date PW last changed, website name, URL, user ID, PW, notes. I also keep down-level files as sometimes a PW change seems to take but doesn’t.
I am now managing over 300 passwords and it has worked for me for years. You do have to be an organized type of person to do this, though!
Do you have a backup copy of that file? If it’s just on one flash drive, there is a high risk of loss or file damage.
Herb’s password management is fine, but I have to question the sanity of 300 passwords. Is that for 300 websites? If security is really a concern, then one needs to consider that increased exposure will increase the risk (probability) of being victimized. Much like this virus thing.
If all the passwords are unique, I don’t see how the number of websites you have accounts with would create any additional security problems. Perhaps you can explain how that might work.
The issue is the fundamental concept of increased probability of coming across a site, that you implicitly trust, which might somehow compromise you. This risk is higher than the typical web surfing without accounts because by having created accounts you believe that these sites are secure and trustworthy. You become less wary of clicking on links or downloading stuff. That’s especially true if most of the sites are social interaction websites or sites that promise you free stuff if you create an account. The compromise doesn’t have to be a loss of password, but increased probability of identity theft, being ripped off, being hacked, downloading bad stuff, or if someone is really worried about being tracked for web surfing habits, then that. Again, this is not about passwords or the method of managing passwords. It’s about analyzing why someone needs to create an account on just about every site they visit. Simply, by that very act, the person is being socially manipulated.
Like I’m manipulated to pay money for gum at a convenience store? Sorry, I don’t see it that way. People can always (ALWAYS) say no. I do agree that they should say no more often, or at least put more thought into the decision.
It does increase what one might call the “attack surface”. More opportunities for compromise at those sites that do security poorly. The ramifications depend on how you’re using those sites and could range from none to significant.
If this works for him then it’s OK. Most folks will do what makes them feel comfortable, the SWAN effect (sleep well at night). I use a system that I believe is secure to my way of thinking: old school paper and pencil, with passwords encoded using a complex scheme, and 2FA; I’m sure other folks use a P&P method too. It’s protected from burglary & fire*, handwritten backups stored away from the house, PW decoding handwritten and safely stored elsewhere. This is my SWAN method. Cumbersome, yes. Slow, yes. But it works for me. I read the comments seeking weaknesses in my own methods, alternative solutions, and knowledge. I’ve read a couple of things here about PW managers that I didn’t know; I’ll investigate, might even take LastPass for a spin since it’s Leo’s recommendation. [* Most household safes, including gun safes, are not completely fire proof or fire resistant. They are rated for a maximum inside temperature given the outside temperature over a time period, usually one hour; e.g. “Class 350 1-hour” means that the temperature inside the safe will not go higher than 350°F (52°C) for at least 1 hour while exposed to external temperatures of over 1700°F (926°C). I also use ‘fire boxes’ to store paperwork and certain valuables inside my gun safes; they provide additional buffers for both time & temp.]
I have followed Ask.Leo for many years and am convinced of the virtues of a password manager. One thing makes me apprehensive… using LastPass where my wife and I share access to many sites together. In some shared sites we use the same credentials. In some shared sites we have separate credentials. I’d enjoy seeing how to use LastPass in this scenario. Can it be done without one person interfering with the other’s LastPass settings? I hesitate to even try LastPass until I can resolve this aspect.
I can’t see how this is a problem. As long as you each have your own LastPass account, the saved credentials remain independent on each account. LastPass is simply a database of the login credentials which stores and enters the credentials. It has no other interaction with the site it stores the credentials of.
My wife has her own LastPass account. I use the “sharing” feature of LastPass to share credentials for accounts where we have a single login between us. Everything else is separate.
If you suffered a traumatic brain injury (or death) would your loved ones be locked out of your online life? Not wonderful if most of your assets are in bitcoins.
Maybe this calls for a new standard clause in wills: credentials for logging on to important web sites such as your broker, your online banking, important memberships.
I use a different password for each website and store all on a password protected flash drive in spreadsheet form. (backed up of course!) I am able to categorize important websites such as financial ones and included notes of importance.
I generate sequential passwords that are word-like but are not words. I find them easier to handle. For example, compare Fawteltem*55 or sigrenrepA-3 to Fghypnrxf@63. This is easily done by the arrangement of consonants and vowels. So being as words and sequences are not repeated, password cracking programs are not going to find my passwords any easier to break than those that are totally random.
I see that I made a nearly identical post here a year ago and have not kept up so as to respond to the questions. Hopefully, this last post will clear up the questions.
I do try to avoid having to register every place I go, but this is not always a matter of choice.
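A way to put numbers on two ideas from this thread, the word-like consonant/vowel passwords Herb describes and the earlier suggestion of keeping only part of each password in the vault and remembering the rest: the following is an added example in Python, not code from the thread or from any password manager. It counts how many strings a character-class template can produce and converts that to bits of entropy; the class sizes (21 consonants, 5 vowels, 32 symbols, and so on) and the guessing rate used for the time estimate are assumptions stated in the code.

```python
"""Password keyspace calculator (added example, not from the thread).

Compares a fully random string with a pronounceable consonant/vowel
pattern, and shows what a memorised suffix alone is worth if the part
stored in a vault were exposed. Character-class sizes are assumptions.
"""
import math

# Assumed character classes; the sizes are what the calculation depends on.
CLASSES = {
    "C": 21,   # consonant (b c d f g h j k l m n p q r s t v w x y z)
    "V": 5,    # vowel (a e i o u)
    "l": 26,   # any lowercase letter
    "L": 52,   # any letter, either case
    "D": 10,   # digit
    "#": 32,   # printable ASCII symbol/punctuation, space excluded
    "A": 94,   # any printable ASCII character
}


def template_keyspace(template: str) -> int:
    """Number of distinct strings a template such as 'CVCCVC#DD' can produce."""
    total = 1
    for symbol in template:
        if symbol not in CLASSES:
            raise ValueError(f"unknown character class {symbol!r}")
        total *= CLASSES[symbol]
    return total


def entropy_bits(template: str) -> float:
    """log2 of the keyspace: the entropy if every string is equally likely."""
    return math.log2(template_keyspace(template))


def worst_case_seconds(template: str, guesses_per_second: float) -> float:
    """Seconds needed to try every string at an assumed guessing rate."""
    return template_keyspace(template) / guesses_per_second


def compare(templates, guesses_per_second: float = 1e9):
    """Return (name, template, bits rounded to 0.1, hours to exhaust) rows."""
    rows = []
    for name, template in templates:
        rows.append((name, template, round(entropy_bits(template), 1),
                     worst_case_seconds(template, guesses_per_second) / 3600))
    return rows


if __name__ == "__main__":
    # 1e9 guesses/s is an assumed offline rate, chosen only for scale;
    # the templates mirror the constructed examples in the comment above
    # (case is ignored for the pronounceable pattern).
    for name, tmpl, bits, hours in compare([
        ("pronounceable, like Fawteltem*55", "CVCCVCCVC#DD"),
        ("random letters, like Fghypnrxf@63", "LLLLLLLLL#DD"),
        ("random printable, 12 characters", "A" * 12),
        ("memorised suffix only, 5 lowercase", "lllll"),
    ]):
        print(f"{name:36} {tmpl:14} {bits:6.1f} bits  {hours:14.1f} h to exhaust")
```

The comparison shows where the entropy goes: fixing which positions are consonants and which are vowels shrinks the keyspace well below that of nine unrestricted letters, and a short memorised suffix on its own is a small space, so the partial-password idea only buys as much as the length and randomness of the part that is never written down.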
Is there a way to set up an email notification when this thread is updated?
It depends what you mean by this thread. We don’t send out email notifications for new comments but you can get notified whenever a new article is published or an article is updated. https://askleo.com/new-article-notification-by-email/
or sign up for the Confident Computing Newsletter, which notifies you of all articles published and updated the previous week. https://newsletter.askleo.com/
Unfortunately not. I tried something some time ago, and it caused WAY more problems than it solved. Sorry.