Some believe using password managers represents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.
Not-so-technically, I strongly believe they are seriously misguided.
Using a password manager is significantly safer than the alternatives.
Security best practices
Without using a password manager, the idea is that you:
- Choose long, complex passwords that are hard to guess.
- Use a different password on every site.
- Remember every one of them without writing them down.
Yes, that would be ideal.
It’s also impractical for most.
Those requirements cannot all be met at the same time. At least one of them will be compromised.
Without a password manager
Without a password manager, most people compromise their security somehow.
- They’ll choose a less secure, easy to remember password (short and/or not complex).
- They’ll use the same password at multiple sites (not unique).
- They’ll write the password down or save it somewhere insecure, such as a plain text file or a sticky note (not memorable).
Any one of those decreases your security significantly.
Avoiding technology specifically designed to keep passwords secure doesn’t make you safer. Factor in human nature and it decreases security significantly.
With a password manager
Password managers make best practices trivial. Using a password manager allows you to:
- Generate and use secure, complex, and appropriately long passwords.
- Never need to remember passwords yourself.
- Use different passwords on different sites.
These are things people don’t do unless they have a tool in place to help them.
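As an added example (this is not code from the original article or from any password manager), here is what the first and third items above amount to in practice, plus a check for the reuse the second item forbids: each character is drawn uniformly from the OS CSPRNG, the strength is computed as bits of entropy from length and alphabet size, and a constructed sample vault is scanned for passwords shared between sites.

```python
import math
import secrets
import string

# Default alphabet: the 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using the OS CSPRNG.
    secrets.choice, not random.choice: the `random` module is predictable."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    This is what 'appropriately long' means: 16 characters from the 94-symbol
    alphabet is about 105 bits, well beyond any offline guessing budget."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a uniform draw from `alphabet_size` symbols
    reaches `target_bits` of entropy (e.g. digits-only PINs need to be long)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def reused_passwords(vault: dict) -> dict:
    """Return {password: [sites, ...]} for every password stored for more than
    one site. `vault` maps site -> password, the shape a manager's export has."""
    by_password: dict = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for n in (8, 12, 16, 24):
        bits = entropy_bits(n, len(ALPHABET))
        print(f"{n:2d} chars from {len(ALPHABET)} symbols: {bits:6.1f} bits  e.g. {generate_password(n)}")
    print("length needed for 128 bits using digits only:", length_for_bits(128, 10))
    # Constructed sample vault (not real credentials): one password is shared by two sites.
    sample_vault = {
        "bank.example": generate_password(24),
        "mail.example": "Summer2012!",
        "forum.example": "Summer2012!",
    }
    print("reused:", reused_passwords(sample_vault))
```

The site names and the sample vault are made up for the demonstration. Note that the generator deliberately does not force "at least one digit, one symbol" rules; a uniform draw is already stronger than the per-class rules sites impose, and such rules only shrink the space of possible passwords.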
Most password managers add several features that make improved security even more convenient. They can:
- Synchronize your information across multiple computers.
- Be used on mobile devices.
- Automatically fill in not just passwords, but common web forms.
- Store arbitrary notes.
All with more security than almost all alternatives.
If you’re compromised, you’re compromised
It is true that if your computer is compromised, all bets are off. Malware could gain access to whatever it is you have stored on the computer.
For example, while I’m logged into LastPass, all the information is technically available to software running on my machine – good software or bad.
That’s a serious concern, and not to be taken lightly.
But it’s a concern that exists regardless of whether you use a password manager or not. All bets are off if a keylogger captures what you enter when you log in to your bank account.
Avoiding a password manager doesn’t increase your security one whit. In fact, I’d wager there’s more malicious software out there waiting to see what you type in than there is targeted at stealing the contents of your password manager.
There’s just no substitute for keeping your machine secure to begin with.
But are password managers safe?
Yes. Password managers are safer than any practical alternative.
There are no absolutes – that, too, is a practical reality. There is no such thing as absolute security. As I said earlier, if you fall victim to malware, all bets are off, no matter what technique you use.
Password managers are the safest way to keep a record of your online account information, but they are no safer than:
- The master password you use to access the password manager.
- Your own ability to use your computer safely.
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
What I do
I keep my machine(s) secure by doing the traditional things that you hear over and over: keeping software up-to-date, running up-to-date scans, avoiding malicious websites and downloads, not falling for phishing, and so on and so on.
I use LastPass as my password manager to manage all my passwords and additional security information.
I use Google Authenticator, which generates time-based one-time codes on my phone, as a second factor for my LastPass vault. You can’t get in to my LastPass account even if you know my master password. To get access you need both my master password and my mobile phone.
I have LastPass automatically log out after some amount of time on any device which I’m not 100% certain won’t get stolen or accessed without my permission.
I keep my master password secure and complex.
I’m not going to claim it’s impossible for anything to happen – that’d be a foolish claim. I am, however, very satisfied with the risks and trade-offs.
Let’s face it, even doing business off-line has risks and trade-offs.
PC Resolver
I totally agree! I used RoboForm but I find LastPass to be superior in many ways. Not least of which is that it is easily available to me on any platform.
I am so reliant on it that it now contains all the info required in case of emergency (ICE). My dependants have half the password each, so that should anything happen to me they can gain access to my LastPass account, in which they will see not only my passwords but instructions on how to deal with other matters.
I highly recommend this. The free version of LastPass is all you really need but please consider supporting them by upgrading to the Pro version for $1 a month. I do.
Howard Miller
Computers are supposed to be fast but when it comes to security, well, it comes first.
I use an old program from PC Mag called Password Prompter. It stores your data encoded.
I never let my browser “Remember Me”
I can copy my User name and password from Prompter and paste them into the site page to log in.
No password data is stored where it can be hacked easily. Takes a little more time but it’s worth it.
You must log into Prompter to open it. It stores any special instructions or notes you care to remember for each site along with the site url.
Dave Smithson
I have used KeePass for the last few years – free, easy, convenient and safe. I can strongly recommend it.
Rachael Morris
The reason banks don’t allow password managers is not technical – they can and do hire top tech brains – but legal – they can and do hire top legal brains too. If they take certain preventive measures they shift the responsibilities to the customer. The customer is supposed to keep the password safe, isn’t it?
Basically they want only customer entered inputs at the website (or the app); not any software accessed. Having deep pockets, they can be deemed responsible if they don’t have such usage restrictions.
Technology may solve our problems but legal system can and will prevent it from being used. You will be surprised how much of our life is governed by legal system lurking hidden behind us.
Billy Bob
Leo, you sound like a candidate to join my one-man crusade against expiring passwords. No computer security measure could be more irritating. Password expiration policies only reduce security for many of the same reasons as not allowing password managers.
Andrea (Team Leo)
I agree 100%! Nothing annoys me more in the whole “password realm” than a website’s demand that I change my password every “x” number of days.
Dan O
I’ll add my vote. I have one on-line acct that requires periodic password changes, and it’s annoying as all get out. I wonder if this doesn’t have some relation to Rachael’s post (above) about legal vs. technical. We’re told that changing passwords regularly is more secure, so perhaps sites cover their -um- behinds by requiring it.
Dave Hart
Demands for frequent password changes are a real pain but they are also a defense against your credentials being used against you. There are several scenarios.
1) You have no control (& generally no knowledge) of how a site saves your credentials. There are numerous cases where sites have been hacked and large volumes of credentials accessed. Over time these become more widely available (the hackers use them, then they sell them). Even where there is good encryption on the site, secure passwords can be recreated from their hashed & salted forms. A strong password in 2012 no longer looks quite as strong 4 years later.
3) Increasing prevalence of surveillance cameras at work & in public locations make it easier for someone to shoulder surf & capture your password.
4) Similarly the odds of someone who spends a lot of time in your company working out what password you are using increase over time with repeated use.
All of these can be mitigated (but not eliminated) by not using the same password over multiple sites.
Mark Jacobs (Team Leo)
1. That is more an argument for having a different password for each login. A careless website where you need to change your password frequently would be almost as dangerous if you regularly change passwords.
3. That’s an argument never to type a non-work related password at work as they might use a key logger. If they don’t use your password before you change it, it might give some protection.
4. I don’t understand what you mean by “working out what password you use.”
Marie
Can I join too? Social Security demands changing your account password every six months. So irritating. I only go to the site once a year to check my balance. I couldn’t even get in this year so just said to heck with it.
Thanks, Leo, for mentioning that Google Authenticator works on Last Pass. Off to add two-factor to my Last Pass account.
Salvador
I have been watching the debate concerning password managers. I know the idea is nice because it make it easier to manage 30 different passwords. I also agree somewhat with the bank.
But ultimately the fact is strong passwords do not replace the need for other effective security controls. These banks need to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will help their customers by implementing some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite for any system that wants to promote itself as being secure. With this, if they were to try to use the “stolen” password and don’t have your phone, nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account. This is one of the biggest problems with internet security: people are still encouraged to rely on their password as if it were all that is needed.
Mark Jacobs
In many, if not all European countries, Banks use a 2 factor authentication system called the PIN and TAN system. A TAN is a Transaction Authorization Number, a one time password to complete a transaction. Under the older PIN/TAN system, the bank would send you a list of 100 TANs and upon entering the information, the website asks for a specific random TAN from the list. In order to do away with a printed list which could be a weak link in the operation, many banks are switching to sending a text to your phone or using a TAN calculator. This calculates your TAN when you insert your bank card and enter a challenge code and your card PIN.
Jeff Niemuth
So if our wonderful “copy-me” litigation avoidance system is behind this “conspiracy” how long will it be before all major web destinations adopt the “no robo login manager” policy? (I wonder if somebody has a patent on the technology to make robo-managers not work…)
But the thing that absolutely infuriates me is when I forget a password and the site (some, not all) helpfully sends it back to me – in plaintext email! Have they not heard of (decades old) one way encryption? This is even worse than robo-managers because the user has no control over security management on the other end of the wire to these sites. How many times have major breaches happened to large companies/websites? I would love to publish a list of these sites and embarrass the heck out of them, but then that would be compromising security too. This factor alone makes using the same password at more than one site an absolute no-no. So, Leo, I am all for best security practices by everyone, but some outfits are a few brains short of a full kindergarten, tech, legal or otherwise, and there is not much we can do about that.
Tom R.
I happen to use KeePassX as my password manager. I simply copy-and-paste my passphrase into the login form field. My bank is none-the-wiser.
bob price
I have set my bank [B of A] online banking features to NEVER allow a withdrawal, transfer, or check unless I have previously approved it. So, a hacker could send a check to my previously approved list, like the phone company or PG&E. I doubt they would do that.
If I want to send money elsewhere, a new place, I have to create a new payee or transfer, and then I must use my SafeKey card that generates a new code number via algorithm. I enter that number into the bank info and the money moves.
I keep that SafeKey at home.
I also use a jumbled up set of letters for my user name, and a 16-character number/symbol/letter password. All my credit cards are set to notify me if used for over $100.
Am I perfectly safe? Of course not, but no key logger could enter my bank info without the SafeKey card that is kept at home.
And passwords are encrypted with TrueCrypt.
Neil Copeland
I am an expert in bank regulations and security. All banks must comply with a significant set of internet banking security regulations. Included in them are mandatory specific multi-factor authentication procedures which are designed to ensure that only a real person sitting at a pre-authorized computer can access customer accounts. These specifications require that the authentication procedure eliminates the possibility of automatic sign-ons to the furthest extent of current technological means. Because of this and other specific Ebanking regulations, the banks have no choice but to inconvenience their customers in order to make the government happy. Can you imagine how much it costs the bank just to have customer service staff available 24/7 to deal with this kind of problem? And if someone does get in and steal your money the bank is usually liable. There is simply no legal way to make it easier for the customers. We bank operations professionals sure wish there was. Investment banks may not be appropriately regulated, but bank operations and security have been and still are. If you don’t like it, remember November 6!
Marie
Thank you! Always great to hear from someone who knows the reason behind the annoyance.
Al Kubeluis
A big problem with pw managers is that you have all of your eggs in one basket. If your pw manager pw is compromised, then all of your assets are compromised.
RE Barwick
Another method is to use “Your Password Card”. Link is: http://www.passwordcard.org/en
10-Jul-2012
Jim Bedford
A great idea. But rather than using symbols for the columns, I have found it easier simply to use alpha characters from A to Z, splitting them into groups of three – ABC DEF HIJ … etc. and using a Courier font.
Jim Bedford
OOps… ABC DEF GHI :o)
don rees
Re RoboForm and the safety issues using it: a couple of years ago I was using RoboForm. I had the passwords for 4 bank accounts and maybe 40 online sportsbooks (all with money in them) stored there.
One morning I opened up my inbox and there was a message from a guy named {removed} (@yahoo7.com). He said to me, “I am a security expert, your master password at RoboForm is {removed},” and it was.
He claimed it and all of the P/Ws at RoboForm were “in the background” and anyone could see them.
I immediately closed my RoboForm account. This guy, a very honest man, did not touch one cent of my money nor did he ever try and sell me anything.
RoboForm told me “he is a keylogger”, apparently either one who is only practicing or an honest one, because he did not touch any of my money, so why bother being a keylogger when he had access to everything I had.
No more RoboForm for me, thank you. Regards, Don Rees
Siegfried
Don Rees, you somehow got infected with a keylogger; it is not the fault of RoboForm. As soon as you typed your password into RoboForm he could read it. Run several free anti-malware programs to get rid of it.
Rosie Perera
I use what I think is an even more secure method. I use strong passwords, different ones for each account, and keep cryptic notes to myself that will help me (and me alone) to reconstruct what my passwords are if I forget them, which I do often. Yes, it’s a bit of a pain having to go look up my hints to remind myself of what my password is every time I want to log onto a bank account or other online account, but I’d rather have to go through that than have it easily hackable. I *never* write my passwords down in plain text anywhere. Also, I always open a brand new browser window (not just a new tab) whenever I want to log onto a financial account, and I log off immediately and close the window afterwards, so that no other websites I happen to be connected to at the time could know what my bank URL is. I also practice all the safe computing practices Leo mentioned, so I’m pretty much not vulnerable to key loggers. I also reconcile all my financial accounts regularly against my own records (I don’t trust downloading the transactions from the bank website) so I’ll catch any fraudulent activity (or bank error) and be able to report it.
John Butler
Leo is right that it is better to have a password manager like Roboform than rely on common sense!
Roboform does not, in my environment, let me into online banking; it lets me access the entry to the account but I still have to enter the password for my account, which changes every day.
Moreover, a big added facility with Roboform is that you can carry access to your passwords with you on a memory stick, and you have only to remember the master password, which can be sixteen characters long.
Don Bell
I use KeePassX to generate my various passwords.
How does KeePassX compare to Roboform and/or Last Pass? Should I consider dropping KeePassX and moving over to either of the alternatives, or am I in good shape with what I have? Up to the present I’ve had no problem with KeePassX. Thanks for your anticipated response.
10-Jul-2012
Charles
AOL has just offered its “Premium” paying members a bunch of free services. One is a password protecting software like Roboform and Lastpass. It is called “AOL OnePoint”. AOL has been hacked before, so I don’t know if I can be confident about this service. They don’t give info as to who is behind the software … and what experience they have. Help on this?
Lou Maule-Cole
I have been using RoboForm for many years and have never had a problem. RoboForm generates very secure passwords and also enables one-click logging in to all your secure web sites. It’s invaluable, especially if you have a memory like mine. I recommend it to all my friends.
Pete Miles
In the UK banks have a variety of methods of logging on. My bank uses a client number as the first part, then a variation on a password, and last, a variation on a really long user-invented word.
So every time a user logs on they are asked for entirely different variations of parts 2 and 3.
So using LastPass doesn’t work because we have no idea what we will be asked when we log on.
For everything else I use LastPass based on Steve Gibson’s recommendations and Leo’s suggestions.
donotreadonme
In conjunction with Speed Dial this is a cool way to automate and manage accounts. Speed Dial allows you to set up unlimited webpages listing sites anyway you want to categorize them. You click on the pointer and Last Pass logs you in. Roboform ticked me off after they tried charging me more money to upgrade to their Windows 7 version. I had paid for a lifetime subscription.
bob
Most banks or financial institutions use an electronic key, without which you cannot access your bank account.
11-Jul-2012
Gord Campbell
Horse Puckey! I have a file folder which contains my (more than 50) passwords. I keep it physically secure. When I log on to a site, I type my password. Oh, I also use Linux, so I’m safe these days.
C. B.
“Oh, I also use Linux, so I’m safe these days.”
LOL. Good luck with that. I don’t know why you Linux users think your systems are not subject to malware attacks. It’s an ignorant assumption and it’s a false assumption.
Kenny Driver
Norton now has a password toolbar that works very well: Identity Safe. It’s less buggy than Lastpass.
Maraiah MLynn
I’ve been using RoboForm for over 6 years and I feel very safe using it. Especially the new Everywhere service. You can read more on the safety of it here (I found this on their web site): http://www.roboform.com/everywhere/security.
James
Work requires that I have different passwords for the various things that I access (Windows logon, mainframe logon, Compensation website, encryption software, etc.). And work forces you to change your passwords every 90 days and repeating previous passwords does not work, nor does it work if the password is too similar. Passwords must be strong passwords. And writing down your passwords is a no-no.
A couple years ago, I came up with a “formula” that fit the password requirements. Every 90 days I can use the “formula” again to come up with the new set of passwords for the various systems. All I really have to remember is the “formula.” I can always figure out my password if I forget what it is.
ThomasGC
I and the rest of my household use LastPass, each with our own YubiKey second-factor security. Works like a dream. Very impressed with the service, and there’s an Android app too, as well as an add-on for the Dolphin browser.
Tregonsee
Roboform is slowly finding ways around those institutions which try to prevent its use. I only have one problem account, and it works with IE, but not Firefox. No problem, since I only access it once or twice a month.
I have one user name and password which I have been using since 1978 when I had a Department of Energy network account. It exists on literally hundreds of places, but all are in the “Don’t Care” category. The simplicity of always knowing what it is far outweighs the possible problems of compromise. The few accounts which matter, such as banks, email accounts, and a few professional sites, are all long, complicated, and different.
Byron
I’ve used Roboform for years. Main reason I began using it was to protect against KEYLOGGERS. I use Viper Anti-virus. Great combination!
John Butler
I strongly support Leo’s recommendation to use Roboform as a password manager. I just add that as it is so secure, make sure you back up the Roboform data on an external disk in case you have a crash. If you do not do this a crash may cause loss of all password information, which can be a serious problem.
Jerome Bush
I have to agree with Tregonsee . I got the idea from the book, Lord of the Rings. In the fortress, there were “lesser passwords” that were taught to everyone. Then, there were stronger passwords for more important stuff and more important people.
Ed Boyd
Regarding banks and security… FIRST: When the banks get THEIR act together, then I might heed their messages! They are not much better than the Feds when it comes to IT geniuses! I had a young friend who told me that they would practice on government accounts, then see how they could do with banks…he just smiled! Many have little old ladies in combat boots that have been around since WWII. I belong to Boeing Credit Union, I use Last Pass and have since they started. When I go to the BECU site, another pop-up window shows and Last Pass just jumps right in and posts the info…no hassles, no problems! It drives me crazy when service organizations (banks??) always “TELL YOU WHAT YOU CAN’T DO BUT NOT WHAT YOU CAN DO!”
HARVEY MELTZER
I have had RoboForm 6 for several years. It is about 95% efficient. Sometimes it drops the password entry box for a site. When using it always use the “Virtual” key pad for the Master password and not your regular keyboard. This adds another layer of protection.
Joseph Schiavone
I have used Dashlane as my password manager for the past 2 years and I love the way it works and its features. Using a password manager trained me to use a different password for each site and also to be more creative in forming passwords.
Gil
How does one extend the generated passwords to beyond eight characters in LastPass? I would like to have some be 16 characters and my bank accounts be 24 characters. I’ve searched in LastPass and just not finding the answer to my question. Thanks Leo!
Mark Jacobs
Tick the ‘Show advanced options’ check box. An option to set the length will appear.
FBTOOL
I have been using “Last Pass” for a few months. I haven’t allowed it to re-generate all of my old passwords yet though. I am concerned that if in the future I should decide to stop using it or they go out of business, how would I gain access to all the sites that it auto-generated passwords for?
Mark Jacobs
Even if the LastPass site goes down, you’d still have the passwords stored on your hard drive which would still work with the LastPass plugins. To be sure you should back up your LastPass passwords.
http://askleo.com/what-happens-when-applications-die/
http://askleo.com/how-do-i-back-up-lastpass/
duane
I didn’t know that the Lastpass passwords were on my hard drive. Where would I find them?
Mark Jacobs
To download them and print them, click on the LastPass icon and select Tools from the pulldown. In the next pulldown choose Advanced Tools. Then in the next pulldown choose Export, where you can choose the format you want to save it to. (The original Ask Leo! article on backing up LastPass skipped the step of choosing Advanced Options. It appears LastPass changed the menu since the article was written.)
duane
I think I found my problem. I only have the free version of Lastpass and haven’t upgraded to the premium. With what I have, when I sign into the Lastpass site I get my vault and there are no tool bars like you are describing to download anything. Thanks for your help.
Leo
I found the locations listed on the LastPass support site, “Where is my data stored on my computer?” https://lastpass.com/support.php?cmd=showfaq&id=425&questiondefault=where%20is%20the%20
Mark Jacobs
It’s not found in a tool bar. If you click the LastPass icon in your browser, the Tools option should appear in the pulldown menu. As I understand it, the only difference in the free version is that it doesn’t synchronize your passwords with your phone and tablets. See this article for screenshots showing how to access this feature. http://askleo.com/how-do-i-back-up-lastpass/
Daniel Ullman
A way to add security to a password manager is to store only partial passwords. For example, say you have a password of 25 random characters and the word rough. Have the password manager save the 25 random characters and add the word rough to the end once the password manager has filled out the password field. The last characters are easy to remember and you will not have recorded your entire password anywhere.
SGKris
This is cute. Simple to execute for an added security. Thanks Daniel.
Reid
I’d just like to stress Leo’s point “I have LastPass automatically log out after some amount of time…” I highly suggest all LastPass users configure that setting (Preferences, General, Security). I use LastPass at work, as well as home. I don’t want some sysadmin remote connecting to my PC when I’m not around and finding LastPass wide open. I have it log off after 30 minutes of non-use.
Here is a good page listing several LastPass security measures you may want to consider, including those mentioned by Leo above: http://www.howtogeek.com/121267/11-ways-to-make-your-lastpass-account-even-more-secure/
Steven
Worried about some ‘sysadmin’ finding your LastPass passwords or some other file while you’re away for a period of time?
DISCONNECT THE LINE. You won’t forget about it.
Clairvaux
I’m irritated by the few sites which don’t allow entering passwords by copying and pasting. I suppose this is done to prevent automated hacking attempts, but in my opinion, it has the opposite effect: in practice, forcing users to enter passwords manually limits their length and complexity. Therefore it decreases security.
Besides, I’m sure most sites are programmed to reject log-in attempts if a single user makes too many of them in a short while. At least, I hope so…
I use KeePass, which is supposed to protect you even against keyloggers, since it can scramble the password before entering it. It is also very useful to store any amount of various identification data, such as social security numbers, software licence numbers, etc.
All you have to do, then, is make sure that you have multiple, up-to-date backups of your password database in various places.
Leo
I would simply caution you that no password manager can protect you against all keyloggers. The simple ones, sure, but a relatively sophisticated one can capture the password as it’s passed to the web site.
Dan O
Leo, maybe I missed something, but are you saying that a keylogger could capture a complete password even if it’s entered to a site’s login page via a keystroke or two entered into the pw manager? That seems to go way beyond the scope of keylogger to me.
Connie (Team Leo)
The only safe way to think about any type of malware, keylogger included, is that once a hacker has control of your computer they can do anything. What we want to do is everything in our power to prevent malware and hackers. There is not much value in devising strategies to manage malware and hackers who have control of your machine.
Leo
EXACTLY. Calling something a “key logger” doesn’t restrict what it can do. A keylogger is MALWARE and once on your system malware can do anything.
L L E
After reading all of the above I have a question: When a password is generated by a password manager, can I see what the password is after it has been generated?
Leo
Depends on the password manager. Most have a “reveal” option, or a way to see it. LastPass’s is displayed for you so you can even copy/paste it if you like.
Paul Moore
It’s worth mentioning, what LastPass (or indeed any PW manager) calls “2FA” actually isn’t 2FA at all.
Two-factor authentication is simply not possible in this context. If your data/backups & master keys are stolen, “2FA” won’t help you.
Leo
I don’t understand this statement. Could you elaborate?
Sinisa
So, what happens when your hard disk develops bad sectors over the password data or your password manager itself? Can you still access your “more than 30 accounts all over the internet” after the manager is dead?
Mark Jacobs
That’s why Leo harps so much on backing up.
https://askleo.com/how-do-i-back-up-lastpass/
https://askleo.com/lets-get-people-back/
Leo
Many password managers store their information on servers as well – LastPass for example. So you’ll have lost nothing.
Maxim
Since I discovered password managers as a more secure anti-crack protection for my accounts (not so long ago), I have been using RoboForm.
But yesterday, after thinking about the differences between proprietary password managers and open-source ones, a question entered my mind:
“How do I know that proprietary software doesn’t see all the data I’ve entrusted to it, without having to use any master password or such?”
Truly, it is a fact – there is NO way to know whether proprietary software (such as RoboForm, LastPass and others) doesn’t see your passwords/data (it certainly can), no way to say whether it doesn’t just copy your whole database to their server, maybe even in open view – without any master password or such, and therefore you just cannot know whether your data is actually safe from crackers (the ones people tend to call “hackers”), from the RoboForm guys themselves, the NSA and so on.
On the other hand, open-source software shows you exactly what that software is doing with your data and therefore, through a community of people who are able to read the code and determine that it doesn’t do any hidden/strange activity with your data, you can be more confident that your data is in fact safe. Therefore solutions like KeePass are the most reliable and trustworthy, although maybe (I don’t know for sure, as I have yet to start using it) KeePass is less convenient to use, and indeed has a somewhat “uglier” design/user interface and, again maybe, is less integrated into different operating systems/different computing devices/different web browsers.
Mark Jacobs
LastPass data is encrypted on your computer using LastPass, and only the encrypted passwords are uploaded to LastPass servers. Steve Gibson, a trusted friend of Leo Notenboom, has extensively tested the security features of LastPass. This video is very long, but you can skip to about minute 53 where he reviews the security of LastPass.
http://twit.tv/show/security-now/256
Leo
While Steve and I have crossed paths ever so slightly, I’m not sure “friend” is the right word. But I do trust his analysis of LastPass, and it factored heavily into my adopting it.
euheide
I have a small Truecrypt volume that has a *.txt file with all my info. It’s almost always unmounted. When I need access to my info, I mount it, use the info and then unmount it again. Isn’t this safer than using a password manager?
Also, if Truecrypt fails, my volume is still accessible by reinstalling Truecrypt but, if a password manager fails, won’t you lose all your data?
Leo
It’s as safe, but in my opinion no safer and somewhat more inconvenient.
Depends on what you mean by “fail”, but I don’t see a likely scenario where a simple failure would cause you to lose everything. I do recommend backing up the contents of your password manager periodically – just as I recommend backing up the contents of TrueCrypt volumes. 🙂
euheide
Alright! Thank you very much for your answer! I’ll probably start using one of these heheh.
Take care!
Caroline
If you are really looking for a password manager that works on all browsers running on any device (including mobile phones, tablets, computers, etc), take a look at “Intuitive Password”. I use it all the time and it’s very convenient.
Ted
As far as “security” goes, how can you tell (or how do you know) that the author of the software does not use any hidden tactics to secretly collect the data you enter into the password manager, thereby having access to all of your passwords?
Mark Jacobs
LastPass encrypts the data on your computer and only the encrypted passwords are uploaded to their servers. Since you can’t see how this is done, it ultimately comes down to whether you trust that they are doing what they say. They are considering releasing the source code in light of the NSA revelations.
https://blog.lastpass.com/2013/09/lastpass-and-nsa-controversy.html/
Leo
Actually Steve Gibson of Security Now did a breakdown of LastPass a few years ago and confirmed the quality of the encryption and the code that’s running on your PC. That gives me a very high degree of confidence.
Mac M
What makes me nervous about the likes of LastPass is the increasingly frequent reports that some very well known and, you would think, very secure sites are hacked these days. How certain are you that these sites are immune to attack? Reading through your earlier comments, the big weakness of us users is our habit of using very easy to breach simple passwords or the same one many times. For this reason, I can see the argument that a password manager would be a whole lot safer. In my case I am at home, no one sits at my desktop but me and I have a book full of such information to which no one else has access. Admittedly, a burglar might. There are no duplicates and I am slowly making existing passwords more complex. At present, I can look up or share a password if I wish with a trusted person and if my desktop goes down (and they do), I can still get to my sites using another machine.
At heart I suppose I do not trust the storage of information in the hands of others. This is all about the expansion of “Cloud” computing. Free it may be now but I simply do not see such facilities remaining free for long before a fee will be demanded for keeping our data “safe”.
Alain
If someone manages to break into the LastPass server, all they could get is a massive block of encrypted data.
LastPass doesn’t know your master pass phrase. Only encrypted data ever travels between your device and the server; it is encrypted and decrypted only locally.
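A simplified, runnable model of the design this comment describes (and the question Ted raised above about whether the vendor can read your data), added here as an illustration rather than LastPass’s actual code: the vault key is derived from the master password on the client, the server receives only a one-way login hash plus ciphertext, and a full dump of the server’s storage is checked for any secret. HMAC-SHA256 in counter mode stands in for AES so only the standard library is needed; the round counts, e-mail and sample entries are constructed.

```python
import hashlib, hmac, json, os

KDF_ROUNDS = 100_000  # client-side PBKDF2 rounds (constructed value, not LastPass's)

def derive_keys(master_password, email):
    """Client side: vault key from the master password; a separate one-way login hash for the server."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), KDF_ROUNDS)
    # One more one-way step: the server can verify login_hash but cannot recover vault_key from it.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash

def _subkeys(vault_key):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES-CTR (assumption for a stdlib-only example).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key, entries):
    """Encrypt-then-MAC on the client; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, plaintext = os.urandom(16), json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def decrypt_vault(vault_key, blob):
    """Verify the tag first, then decrypt; raises ValueError on a wrong key or a tampered blob."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("vault authentication failed")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))))

class Server:
    """Holds only a salted re-hash of the login hash plus the opaque blob; never the master password."""
    def __init__(self):
        self.accounts = {}

    def register(self, email, login_hash, blob):
        salt = os.urandom(16)  # server-side salt, so a stolen table still needs per-account cracking
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, KDF_ROUNDS)
        self.accounts[email] = {"salt": salt, "hash": stored, "blob": blob}

    def fetch(self, email, login_hash):
        acct = self.accounts[email]
        if not hmac.compare_digest(acct["hash"], hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], KDF_ROUNDS)):
            raise PermissionError("login hash mismatch")
        return acct["blob"]

def round_trip(master, email, entries):
    """Register, fetch and decrypt; also report whether a full server dump contains any secret."""
    vault_key, login_hash = derive_keys(master, email)
    server = Server()
    server.register(email, login_hash, encrypt_vault(vault_key, entries))
    recovered = decrypt_vault(vault_key, server.fetch(email, login_hash))
    dump = b"".join(server.accounts[email].values())  # everything a server breach would expose
    leaked = master.encode() in dump or any(v.encode() in dump for v in entries.values())
    return recovered, leaked
```

The model also shows what a breach of such a server yields: per-account salts, hashed login credentials and ciphertext, exactly the kind of material that still has to be attacked offline against the master password.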
Ray Smith
Yeah, but…..
While LastPass has never actually exposed (unencrypted) user passwords, the company’s systems have been compromised more than once, with email addresses, cryptographic salts and hashed passwords being stolen. Next time – and there *will* be a next time: these databases are the Holy Grail for cybercriminals – it could be much worse.
The simple fact is that nothing is 100% secure. Remember the bookmarklet bug that would have enabled a malicious site to extract logins for other sites from LastPass without the users’ knowledge? Or how about the OTP bug, which could have had absolutely devastating consequences had it been exploited in conjunction with the user details extracted in the previously mentioned breaches? And it’s pretty much a given that other bugs will be discovered down the road. How critical will those bugs be? Your guess is as good as mine…..
As an aside, it’s also worth noting that using a password manager could possibly be in contravention of your bank’s terms of service – meaning that, were somebody to gain unauthorized access to your account and misappropriate funds, you could experience problems getting those funds reimbursed.
Yaxman
Nearly all of these password managers state that they cannot decrypt or view your passwords or other data. However, I don’t know of any way to verify that. Might they indeed have a master key or backdoor that would allow them to do so? With all of the international cyber espionage and hacking, couldn’t these tools be used as a great trojan horse to collect valuable data? All of the on-line credentials could be used to create a great deal of chaos in another country when desired.
Has anyone researched, pursued or reported on this potential risk??
Leo
Steve Gibson of grc.com did an extensive analysis of LastPass some years ago.
James B
Agreed 100%. I either have to write-down all my passwords to have unique passwords or use the same or similar password. There are just too many to remember unique passwords. A password manager, if it is properly used, is safer than the alternatives.
Of course it would also be easier to remember unique passwords, if there was a standard password protocol. I have some passwords that must be 8 characters. I have some passwords that can be as long as I want. I have some passwords that only allow letters and numbers. I have some passwords that require a special character.
Ole
Thank you for a very interesting article.
It made me wonder if I could not add to the security by simply adding a few easily remembered characters to the password stored in LastPass, each time I need to enter a password?
These characters would then not need to be unique as such, but could, to a certain degree, be varied a little, based on the site being logged into?
Comments would be very much appreciated.
Ray Smith
I use a password manager simply for its form-filling capabilities and convenience, but do not permit it to store sensitive passwords for sensitive accounts such as banking (see my comment above for reasons). For sensitive accounts, I simply use an easily remembered passphrase ($tupidOldRay99, say) and then modify it on a per-site basis ($tupidOldRay99Bank, for example).
Gordon Campbell
Software fails. When my password manager fails, I’m unable to log on to any site on the Internet!
Betty C
I use a password manager that is capable of storing the encrypted passwords on a stick drive. If the stick drive is not attached to my PC, no access to passwords is possible, even if a hacker obtains the 16-character pass phrase that is needed to open the password manager. Of course, always backup your encrypted password file–somewhere other than on your computer!
williamwclee
Any chance that a password manager is in fact spamware capable of stealing stored passwords whenever there is an internet connection?
Leo
Of course. That’s why you only download and install trusted password managers with good reputation, and only download them from their official sources.
ghoststar
My suggestion is to use a good password manager but store only half of every password in it, so by seeing the half password from the password manager you should be able to recollect the other half from your memory and then enter it in the website to login. By doing this, even if your password manager is compromised you will lose nothing but incomplete passwords which won’t work. I follow the same thing.
Connie (Team Leo)
That is stifling your password manager’s ability to be secure and useful. A good password manager, like LastPass, makes it very easy to store and change passwords over time. When you are logged in to LastPass it will autofill password fields, and even help generate secure passwords. It can also be used across multiple devices so you always have secure access to your difficult passwords. Since it’s important to have different passwords on different accounts it’s far better to allow your password manager to do the job it is well suited to do.
Mark Jacobs (Team Leo)
LastPass automatically saves your passwords. I don’t believe there’s any practical way to make it store a partial password. If there is any workaround to do it by editing the password field, it seems it would be easier to have an encrypted list you can copy and paste from.
Rae
Where do I ask a simple question???? Such as: If I give permission for a supposed friend to assist me in correcting a supposed problem with my computer….what is the access that I have given him / her in accessing data on / from my computer??? Can he / she go into my personal files and access personal data…or are the clearances I gave them constricted to repairs to my computer??? On a general basis.
Thank you from a late computer bloomer?
Rae
Connie (Team Leo)
You can ask a question by subscribing to the Ask Leo! newsletter. There is a place to sign up on the home page.
And yes, if you have a friend or a technician help you with your computer you need to be able to trust them. There are many problems that they cannot fix unless they have full access. Trying to limit their access will limit their ability to help. Never allow a stranger over the phone to remote access your computer. My personal recommendation is to find a real-live, local person whom you can look in the eye!
Here is a good article with some possible solutions: https://askleo.com/how_do_i_secure_a_hard_drive_before_sending_it_in_for_repair/
Leo
Depends on HOW you give him access, but generally the answer is: anyone with access to your computer can access everything on it.
Tony
My Last Pass seems to log out after a certain amount of time. Not sure at the moment if that is something I set or can control. When it is logged out, it cannot automatically sign in to any website, and needs the Master Password to be entered again. I’m thinking of improving my “best practice” by deliberately logging out of Last Pass if I will be away from my computer.
Further to that, there are options to how Last Pass accesses different sites. The more sensitive sites such as those relating to finance can be set to require a Password Re-prompt even though Last Pass was already switched on. Attempting to access my bank I get “Your current settings require you to enter your LastPass password to complete this action.” My other bank previously did not allow me to use Last Pass but now with their website upgrade I can.
Mark Jacobs (Team Leo)
LastPass allows you to change that setting:
Click on the LastPass icon, select preferences on the next screen, you’ll see:
Uncheck the second box, and it will stop that from happening.
The setting for re-entering your password before logging on is also something you can change. Click on the LastPass icon and select Show Matching Sites, click on the account name in the flyout menu (there may be more than one if you have alternate logins for that website). Next click Edit. Uncheck Require password reprompt. In Chrome, instead of clicking on the account name from the first flyout menu, click the wrench (spanner for those across the puddle) icon next to the account name.
Tony
Thanks Mark, but I wasn’t wanting to undo those restrictions. I was suggesting they can be used even more for blocking access if someone else somehow gets on to my computer.
Mark Jacobs (Team Leo)
I didn’t catch that when I read your comment, but they can also be used in reverse to protect your passwords by automatically logging off. I have a short idle time before logging off on my work laptop, and a longer idle time on my home computer.
abhay bhatt
I am looking for an answer to this question. Suppose there is a keylogger which gets installed on my machine (which is not a remote possibility). Now, if I am getting this right, it can deduce my master password for the password manager I am using. If that happens, am I vulnerable? If yes, then I think it is more unsafe to use a password manager, rather than writing down something from which you can deduce your password (partial information, in codes, which only you can decipher).
Connie (Team Leo)
It would be helpful to change your thinking around a bit. The best strategy is to avoid the keylogger rather than plan for the keylogger as if it is inevitable. Writing passwords on paper can be a good solution if your computer is in a safe location, if you are very organized, and if you never travel. I’ve seen lots of people who write down passwords in such a way that it is completely useless. Often a password is not changed for years, and the paper lost or forgotten. Or it can be changed online and the change not noted. Or any number of things.
Here’s Leo’s best article on being safe on the internet: https://askleo.com/internet_safety_7_steps_to_keeping_your_computer_safe_on_the_internet/
Leo
A keylogger would capture your passwords when typed in. All your passwords. So avoiding a password manager is kinda silly, since the keylogger would instead capture all the other passwords you type in instead. The thing to avoid is the keylogger. My position remains that a password manager is far safer, as it allows you to use more different stronger passwords that protect you from a variety of other threats. Avoid malware, avoid the keyloggers.
Andre
Hi
Is Lastpass easy to use, user friendly? What is your opinion on Roboform 8?
I tried using KeePass so as not to have to store my passwords online (I am absolutely terrified at the idea of storing passwords online – especially bank accounts and credit cards) but I found it to be a pain to use. Not user friendly at all (my opinion only).
Thanks
sena
Hey Leo, do you use LastPass to enter your email as well? Since Google Authenticator is connected to Gmail, right, and if we use LastPass to log in to Gmail, isn’t that a loop?
For example: if I already use LastPass and Google Authenticator, and somehow I got both logged out. When I want to log in to my LastPass, it asks me for the Google Authenticator code. When I want to check my Google Authenticator, I already set that LastPass will auto-fill it, which in this case will not work, because it has not logged in to LastPass, and I can’t possibly tell those scrambled-gibberish words that LastPass made for my Gmail password.
Leo
I’m a little confused by the scenario you describe. I DO use the Google Authenticator (in the form of Authy, but same thing) for both Gmail and Lastpass. Works fine. No loops that I’ve encountered.
Login to LastPass: need password, prompted for second factor, which I enter after looking at the authenticator app.
Login to Gmail: LastPass enters email and password, I’m then prompted for second factor, which I enter after looking at the authenticator app.