Model Boat Mayhem

Mess Deck: General Section => Chit-Chat => Topic started by: Tug Fanatic on November 17, 2017, 12:02:32 pm

Title: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 17, 2017, 12:02:32 pm: Hopefully I will get an answer from somebody who understands this in a language that I will understand!

Like most people I have literally hundreds of passwords some of which are much more important than others. I do not reuse passwords and most of my passwords are horribly complicated. I do not allow my computer to remember passwords, I have two level passwords on things like my email accounts, I close my browser after using financial passwords & I regularly run virus checker, Malware Bytes & CCleaner. I regularly, often automatically, update my software. I have been recommended to look at Password Managers to sort out the complicated mess and improve security.

But I am concerned. At the moment I have control of my passwords and they are not recorded anywhere that will help anybody else. If someone breaks one then I have a problem but it will not cause problems elsewhere.

If I have a password manager then surely that password manager has everything. I think of hacks like Yahoo and wonder if someone could steal all of my passwords to everywhere in one go. I am also told by my bank etc not to ever share my password with anybody. I have a nasty feeling that they might see a password manager as sharing and thus deny any liability.

How do password mangers cope with those sites that ask for the say the third, fifth & then seventh characters of the password rather than the whole thing?

I am sure that the providers of the password managers have thought of all this & that if it were a problem nobody would recommend their use but I don't understand. As a child I was told don't buy anything you don't understand & that is where I am now.

I have searched the internet & cannot find an understandable explanation of how this works.

Explanation please.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: C-3PO on November 17, 2017, 12:38:02 pm: Not sure if this helps - may give a little detail of one product available - this stores your passwords and more in a secure, cloud-based vault that only you can access (can I hear alarm bells ringing)

https://identitysafe.norton.com/

I think it's fair to say nothing is 100% robust in this context and if that's enough doubt for you don't do it!!

The thought of giving lots of access details to a third party to store for me for free gives me the heebeegeebees

Don't think there is an easy solution for this one - I have a crib sheet in my wallet padded out with lots of noise (random alphanumeric padding and sometimes just word association) - with no direct reference to web site of instituition works for me!

C-3PO
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: derekwarner on November 17, 2017, 12:39:36 pm: This is an interesting question....

However I do not understand why an individual would need....'literally hundreds of passwords' :o

Having said this, I am not prepared to commit my 13 individual account numbers & respective passwords to any supposedly encrypted cloud

I have a copy on a ZIP drive, a copy on my portable Ultrabook, a copy on my Desktop.......the latter 2 of these are backed up to individual external drives .....& the ZIP drive to a mirrored another ZIP drive........and the most used...a paper copy committed to an Excel spread sheet which is about the size of a credit card & double sided & in my wallet

I think it would take a crew from your Bletchley Park a few years to understand my encrypted symbols understand what was what {-)

Derek
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: C-3PO on November 17, 2017, 12:42:43 pm: Nice one Derek! - Looks like so far 2/2 people say use a crib sheet in your wallet - now I am worried - is this what we all do:)

C-3PO
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 17, 2017, 01:50:02 pm: Quote from: C-3PO on November 17, 2017, 12:42:43 pm
Nice one Derek! - Looks like so far 2/2 people say use a crib sheet in your wallet - now I am worried - is this what we all do:)

C-3PO

No it isn't! We all have coping strategies but carrying the info I my wallet is way down my list of desirable solutions however well I think that I have disguised it.

Reading the Norton Identisafe page I agree that it is extremely vague about what "only you can access" means & how they achieve that. Nat at all convincing.

Hundreds of passwords? yes really. I have over 50 passwords that I regard as important and then lots more that are everyday - sorry but my password here falls into that category. It all comes to over 100 passwords & a lot of those are ID (most others start with my email address) & then a password. Several are id + password + keycard or computer number generator. That equates to over 150 things to remember.

As no one who has replied trusts these password managers why do they keep getting recommended.

I am not sure that paying for the service makes it any safer!
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: dougal99 on November 17, 2017, 02:31:54 pm: I keep all my passwords on a computer not connected to the internet and backed up elsewhere (again no internet connection).
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: tigertiger on November 17, 2017, 03:07:44 pm: I read some advice on password security. It was as follows.
Most of the things that require passwords are very low level security, these only need to be simple passwords. Save the few complex harder to remember passwords for access to data that really needs to be kept secure. Email accounts should be secured as they are targeted for identity theft.

With the exception of email. As an individual your home computers are unlikely to be targeted by hackers, as they generally go for commercial systems. Exceptions I have heard of is if people are using commercial network software for home use, as you can be mistaken for a commercial network/target. Home wifi routers are targeted a lot in China as some people think it is cool to freeload other peoples bandwidth (mostly to download/stream movies). I am not sure if this is a problem in other parts of the world.

Regards your original question, there is a lot of advice online from independent expert sources.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: dougal99 on November 17, 2017, 03:25:48 pm: My anti virus tells me that my computer is being maliciously probed several times a day. Keeping your passwords on your computer would seem not to be a good idea if this is true and not just scaremongering on the part of the anti virus provider.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Bob K on November 17, 2017, 03:53:21 pm: Any software company, even very "secure" good names, that offer to store ALL your passwords for is asking for trouble IMHO. It may be less likely that a reputable company may be hacked, but if they do then the nasties have the lot on you - every single file and access point. You also stand the risk of losing the lot if anything happens to that data file.

Keep your passwords on a sheet of paper, locked in a secure cabinet, or a unique text file on a memory stick (with backup of course) uniquely kept elsewhere. Even if your PC goes feet up you still have that remotely stored USB stick.

Better still, remember them - same as your card PIN numbers. Do not write them down at all.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: tigertiger on November 17, 2017, 03:57:34 pm: A few years ago I had lots of messages saying my computer was being tracked. It was a pop up advert for anti malware. In itself a form of malware.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Colin Bishop on November 17, 2017, 04:09:28 pm: I use KeePass: https://keepass.info/

The encrypted files can be copied between my devices.

And yes, I have dozens of the things too, it's almost inevitable these days.

Colin
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Nordlys on November 17, 2017, 04:13:44 pm: Could you honestly remember 20 different passwords even if they were vaguely similar?
You are not supposed to use the same password over and over - this is the problem n'est pas?
But - a solution is needed - interesting discussion.
N.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: tigertiger on November 17, 2017, 04:17:45 pm: Andromeda
Bismark
Cunard
Dreadnought
Enterprise
Frigate
Gunboat
Hermes
etc.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 17, 2017, 04:33:12 pm: TigerTiger
Yes there is a lot of information on the internet but none that I have found is very specific about how it works nor about how it might be compromised. I am not sure how a list of ship related names would help me remember which applied to which account nor that such a list isn't a hackers delight as it narrows down your choices so much.

Just imagine that Photobucket (policy changes) or Yahoo (security issues) were Password Manager organisations.
I don't want a solution where the only thing that knows my passwords is something that I don't understand or where it is all held in the cloud.
Keepass sounds interesting. Perhaps not to protect my life savings but to deal with the vast majority of my passwords which are lower priority.

I have been reviewing all this & I am not sure that I even know all the groups/organisations that I have accounts/passwords registered with. Everything that I have purchased online for years has required me to set up an instantly forgotten account that gets remembered when I next shop with them & am surprised that they know me & ask for my password. Some solution is necessary as the list of pass words grows daily.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Nordlys on November 17, 2017, 04:38:52 pm: I got locked out of my NSI account for 5 days until a new password was activated all because I got something wrong with an ID question once,
N
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 17, 2017, 04:45:45 pm: Quote from: Nordlys on November 17, 2017, 04:38:52 pm
I got locked out of my NSI account for 5 days until a new password was activated all because I got something wrong with an ID question once,
N

Half the world must know my mothers maiden name, the first line of my address, postcode, the name of my first pet, first school & date of birth + plus the other usual questions, by now yet many still think that they need to ask me to help prove who I am. I am sure that this information will have been stolen in one of the data breaches somewhere. Any organisation that uses them hasn't a clue & I suspect is getting a false sense of security by asking for them. I remember reading a suggestion that I should make them up but then that is another list of passwords to remember.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: tigertiger on November 17, 2017, 04:51:59 pm: The ship related names thing was a bit light hearted, but systems like this are useful for all those accounts where security is not important. There are ways to connect passwords with the account, with a little thought.
You are right that there are a lot of companies that want you to register an account, when you purchase (or even before). The result is usually spam, but it can be useful to track your own history, sometimes. But if they are instantly forgotten, well it was probably only important to the companies marketing manager.

Regarding info on line. You did say in your OP that you did not want to get technical. There are reviews/comparisons in online publications that dumb things down for us mere mortals, but do allow us to make a more informed decision; and will give more knowledgeable answers (on the specialist topic of IT security) than you could expect on Mayhem.
As for who will be targeted next, and where the weaknesses in these companies systems are... they won't be advertised and some of the weaknesses won't be exploited until the are discovered. As some of the biggest names in tech have seen recently.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: timgarrod on November 17, 2017, 06:01:53 pm: I use lastpass and it good.

word of warning, they are only as good as the master password(my master password is over 100 characters long)
this is good to check the passwords you use,
https://howsecureismypassword.net/ (https://howsecureismypassword.net/)
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Colin Bishop on November 17, 2017, 06:22:07 pm: There is a more sober aspect to all this. With many of us doing online banking, gas, electricity and water accounts and, managing assets and all sorts of other things just imagine what would happen if you were to fall under the proverbial bus! Very often it is the man who does most of this as he is likely to be more technically savvy (sorry girls) and is also more likely to shuffle off this mortal coil first. Your nearest and dearest could have a dreadful job sorting out your affairs without easy access to all the important passwords. Been there and done that as an Executor.

My Keepass master password is not a long one but it is a family in joke word which my Wife and Daughters will not forget but which is meaningless to anyone else and not guessable. They know how to access it if needs be and I do trust them of course.

My Wife and I have separate bank accounts and ISAs but the accounts are joint accounts to which we both have access to should there be an emergency so money would not be frozen if one of us should fall off the perch.

It is these practicalities that so many people overlook and which can cause so much extra grief and hassle in the event of a bereavement. I know people who do not make wills because they cannot acknowledge that one day there will be a need for them. By not taking action they are making things really difficult for their loved ones at what is already an extremely stressful time. You can't just assume 'that everything will turn out OK regardless', it won't!

Colin
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 17, 2017, 06:30:35 pm: Yes & dying makes it easy. Total disability such as a serious stoke can be much worse as the, extremely expensive & slow, Court of Protection will get involved with every penny for as long as you live unless you have Lasting Power of Attorney.

We have it set up - if you don't I seriously suggest you find out why you might consider it.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: inertia on November 17, 2017, 06:36:18 pm: I use Lasspass like Tim, for the reasons given by Colin.
My network manager guru Huw recommended it, along with a method of setting a master password which isn't over 100 characters long (it's 15).
My bank's system declined my card and they rang me when I tried to buy a guitar case. Said it was an "untypical purchase from a risky trade group".
Bless 'em.
'Nuff said.
DM
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Colin Bishop on November 17, 2017, 06:46:40 pm: Maybe it was the Kalashnikov they thought you were going to put in it Dave.

Colin
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 17, 2017, 07:01:18 pm: Quote from: Inertia on November 17, 2017, 06:36:18 pm
I use Lasspass like Tim, for the reasons given by Colin.
My network manager guru Huw recommended it, along with a method of setting a master password which isn't over 100 characters long (it's 15).
My bank's system declined my card and they rang me when I tried to buy a guitar case. Said it was an "untypical purchase from a risky trade group".
Bless 'em.
'Nuff said.
DM

Is there a way back if Lastpass create problems like Photobucket has managed to do?
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Colin Bishop on November 17, 2017, 07:27:50 pm: Not sure about Lastpass or where it is actually located.

I like Keepass as it is a separate program which sits on each of your devices and you can import and export the master password database between therm. No faffing around with the Cloud etc. when you son't know where the information is being held/sent.

It won't automatically fill in your passwords when you are accessing applications. You need to open it in a separate window and copy or cut and paste or reference the information across depending on the nature of the password. OK, a bit of manual effort but you are in control. Suits me as DM would say.

Colin
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: kinmel on November 17, 2017, 08:28:23 pm: I have 2 "core passwords" - one financial and another for everywhere else, anyone can remember 2 passwords.

Each core is 9 characters long and includes Capitals, lower case, numbers and symbols, in themselves there is no meaning.

To create a password for a particular site, I start with the appropriate core and and add 3 characters into the core from somewhere in it's web address, always using the same method of selection.

For example perhaps on Mayhem I always land on http://www.modelboatmayhem.co.uk/forum/index.php?action=unread (http://www.modelboatmayhem.co.uk/forum/index.php?action=unread) , so might use "first letter", "fifth character" and lst vowel on every site. So with a core of " &Z4_-tT> p" here it would be m&Z4_l-tT>pe. and for http://www.theregister.co.uk/ (http://www.theregister.co.uk/) it would be t&Z4_e-tT>pr

After a while, you create a new password without thinking about it and inputting it is equally automatic, I occasionally visit over 100 sites and each has a unique password and I just remember two 9 character sequences.

Simplicity can be overwhelmingly complex.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: RST on November 17, 2017, 09:15:05 pm: I had aconversation with our IT guy recently because Iwas vetting inundated with requests to use various password keeper programs and I was wondering but not so convinced..........

I do not have a large on-line presence
I am not a facebooker or have any interest in social media
I do not subscribe to things randomly
I do not order from anyone other than trusted sources
I do not give my E-Mail address or phone number out -period
My D.O.B>is strictly confidential
If I HAVE to give a tel no or address from an untrusted source I will spell the details wrong on the form and correct after

...the most important thing for me is I have so many on-line passwords. I am very careful where my personal data goes. I would never trust any 3rd party password saver because I manage my own accounts.

...on the other hand if you want everything 10s quicker, paypal linked to mobile linked to bank card linked to home address linked to facebook. Then I can see why you would want a password program and my IT guy said they should maybe be used but he wasn't quite convinced himself..

........personaly I couldn't think anything worse than handing my passwords over to a 3rd party. It goes against all theprinciples we are supposed to abide by!!??!!!!!!!!!
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: derekwarner on November 17, 2017, 11:33:10 pm: OK....so asked .... https://howsecureismypassword.net/ ..... how secure my General password is :o....

It has 10 key strokes
1 x capitalized letter
7 x lowercase letters
1 x numeral
1 x symbol........

I have MS Office 2010 installed on 2 machines, this password opens MS Excel, which is where my actual passwords reside

Each of the embedded passwords has the same number & type of keystrokes and each displays the same level of security

Why not try this & come back with your score count....

Derek

Result is below %)
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: C-3PO on November 17, 2017, 11:36:51 pm: Is that even a word....

(http://modelboatmayhemimages.co.uk/images/2017/11/17/pw.jpg)
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: dreadnought72 on November 18, 2017, 12:22:19 am: For sites such as this, I use basic passwords (simple names with a few digits chucked in). Easily remembered, though I let Chrome remember them all. There's minimal risk.

More data-secure sites I use "dinghies I have owned" (can't forget things like that: name and sail number, pretty much unguessable. Or "lines from books". I've had more than a few people look at me when I casually type in a thirty-letter password. Easy to recall, very hard to guess.

When my father died a couple of years ago, I found myself in front of his PC, trying to guess his password to unlock/refund his Paypal cash to my Mum's account. It took less than a minute: he was a radio amateur, I knew his call sign. ;)

Bottom line is: IF someone is going to steal info about you, they will do it. Making it slightly harder than the average password means that the 'low hanging fruit' will be picked first. I'd never trust to a password manager, as those systems must be targetted (bigger potential gains) much more often than mere individuals.

Andy
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: furball on November 18, 2017, 07:37:42 am: A bit technical in places, but worth watching.

https://m.youtube.com/watch?v=7U-RbOKanYs (https://m.youtube.com/watch?v=7U-RbOKanYs)

Lance
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 18, 2017, 08:47:50 am: I get the feeling that few of us are really convinced by Password Managers. I cannot really get myself to believe in them but I have decided to use an open source manager to keep my low priority passwords such as the example used here & an alternative private method for those that matter.

This might not be the perfect answer but it will help.

Even though I try not to give out my date of birth, mothers maiden name etc there have been enough corporate/ government data breaches that I am sure this commonly used information is out there about all of us.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 18, 2017, 09:28:47 am: Quote from: furball on November 18, 2017, 07:37:42 am
A bit technical in places, but worth watching.

https://m.youtube.com/watch?v=7U-RbOKanYs (https://m.youtube.com/watch?v=7U-RbOKanYs)

Lance

Wow!!!! The technical bit is easy to gloss over & get the main message.
Most of the password ideas that I have had over the years are rubbish (even though I believed that I was being clever at the time)
! Fortunately my current ideas basically seem to be heading in the right direction.
Everybody should watch the above video
https://m.youtube.com/watch?v=7U-RbOKanYs (https://m.youtube.com/watch?v=7U-RbOKanYs)
& the one that follows it

https://www.youtube.com/watch?v=3NjQ9b3pgIg (https://www.youtube.com/watch?v=3NjQ9b3pgIg)

It will be 20min of your life where I pretty well guarantee most of us will learn a lot.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: kinmel on November 18, 2017, 12:35:48 pm: Quote from: C-3PO on November 17, 2017, 11:36:51 pm
Is that even a word....

(http://modelboatmayhemimages.co.uk/images/2017/11/17/pw.jpg)

Of course these calculators don't actually test the password, that would take all those quinquagintillions of years.

All they do is calculate how many possible combinations there are for that character set and multiply that by the time per calculation.

It is just as likely to find your password on the first result as the last.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 18, 2017, 12:58:53 pm: Quote from: kinmel on November 18, 2017, 12:35:48 pm
Of course these calculators don't actually test the password, that would take all those quinquagintillions of years.

All they do is calculate how many possible combinations there are for that character set and multiply that by the time per calculation.

It is just as likely to find your password on the first result as the last.

Real password cracking is a great deal more sophisticated as you will see if you watch the videos linked above your post. I agree that a simple counter is probably doing nothing more than you suggest.
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: grendel on November 18, 2017, 05:00:37 pm: of course - if I wanted to harvest peoples passwords - the best way would be to create a password how secure website and just get people to input their passwords to my cracking software database - or is that just me being cynical
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: RAAArtyGunner on November 19, 2017, 01:18:41 am: Quote from: grendel on November 18, 2017, 05:00:37 pm
of course - if I wanted to harvest peoples passwords - the best way would be to create a password how secure website and just get people to input their passwords to my cracking software database - or is that just me being cynical

No not much different to offering a free photo hosting service and selling the photos and personal details that you will be given for free {-) {-) {-)

We are warned about falling for scams but completely ignore such warnings when the word free is mentioned, think it is called Greed takes over. Let the buyer beware. %% %% %%
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: C-3PO on November 19, 2017, 09:17:39 am: Quote from: grendel on November 18, 2017, 05:00:37 pm
of course - if I wanted to harvest peoples passwords - the best way would be to create a password how secure website and just get people to input their passwords to my cracking software database - or is that just me being cynical

I think you may be closer than you think with your cynicism. Chances are they captured your IP address which may/may-not add ammunition to a potential hack.

About 15 years ago I formed a new company. Once I had decided on a company name I realised that I should register the domain name(s) before punching the paper work with Companies House. I spent a while on a domain registers website playing with permutations of the company name in their "search" function to see if the domain names I wanted where available. Thinking I would sleep on things and review my thoughts the next day before I committed funds to my new venture I stopped the process. Next day came and to my horror one permutation of my desired domain name had been registered the day before!!

I can only deduce that the output of web page search for available domains was reviewed by someone and where they saw an opportunity they took it. I expected someone to contact me having registered the other domains I wanted (all directly linked to the stolen one) but never got the communication we will sell you the domain for £xxx.

To this day I wonder was this a coincidence or conspiracy. The domain name was pretty abstract so I came to the conclusion it was malicious.

C-3PO
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: Tug Fanatic on November 19, 2017, 10:31:00 am: Quote from: C-3PO on November 19, 2017, 09:17:39 am
I think you may be closer than you think with your cynicism. Chances are they captured your IP address which may/may-not add ammunition to a potential hack......................

C-3PO

Don't IP addresses change frequently for most of us on standard ISP packages?
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: RAAArtyGunner on November 19, 2017, 11:26:13 am: You can test/check your IP address on line just type check my IP address, same as you can do a speed test also on-line.

Interesting, surprising results.

Our forum logs your IP. bottom right of your post. :-))

The other posts show logged so we can't see each others IP only ??????????????????? can. O0 O0
Title: Re: Password Managers - Are They Safe & A Good Idea?
Post by: dreadnought72 on November 19, 2017, 02:26:14 pm: Quote from: C-3PO on November 19, 2017, 09:17:39 am
...Next day came and to my horror one permutation of my desired domain name had been registered the day before!!

I have had this happen to me before and, like you, can't tell whether it's malicious or coincidence. With new website customers I've since purchased 'their' domain name within minutes of checking that it's available.

Andy