Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Should You Use Password Managers?

Posted by BeauHD on from the actions-have-consequences dept.

New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do?

11 of 415 comments (clear)

  1. Should You Use Password Managers? by Anonymous Coward · · Score: 5, Insightful

    Yes.

    1. Re:Should You Use Password Managers? by Aighearach · · Score: 5, Insightful

      While I share the distrust of the browser storage, I also don't trust of the OS or gui system to protect the clipboard.

  2. KeePass by Anonymous Coward · · Score: 2, Insightful

    I don't trust cloud-based password managers. Use KeePass and encrypt your keyfile with a really strong password. If you want to access your keyfile from multiple devices, sync it to the cloud with box/dropbox/gdrive/etc. Even if the keyfile is stolen, it'd be very difficult to compromise if you use a strong password.

  3. Use a password manager, don't store online by slazzy · · Score: 4, Insightful

    Use a password manager = yes. Storing passwords online = no. If you must store in the cloud, use different providers for the encryption as the storage.

    --
    Website Just Down For Me? Find out
  4. Use a Local Not a Remot Passwords Manager by DERoss · · Score: 5, Insightful

    Some password managers rely on remote servers or the cloud to store your password. That is risky for two reasons. (1) A service holding passwords for many users is a more likely target for hackers than your own individual computer. (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.

    You should choose a password manager application that is installed within your computer and does not rely on you having an Internet connection. The application should use a master password -- actually a master pass-phrase -- to encrypt the individual passwords. That master pass-phrase itself is not stored anywhere. Instead, if it is entered incorrectly, it fails to decrypt any passwords. By "pass-phrase", I mean a longer expression containing blanks, punctuation, etc.

    Note that Mozilla-based applications have internal password managers that reflect my second paragraph above.

  5. Re:There's several options. by war4peace · · Score: 4, Insightful

    With every fucking site on the Internet now requiring you to have an account to even take a look at stuff (MassDrop, looking at ya), #1 is a no-go.
    #2 is actually a valid option if you split your accounts into 3 main types:

    - accounts essential to my well-being (mail, bank, etc) which mandate complex, unique, memorized passwords + 2-step authentication;
    - accounts which are important but not essential (e.g. Steam), which mandate unique passwords with 2-factor auth but can be kept in a password manager;
    - finally, crap that nobody gives a fuck if hacked (e.g. Slashdot, niah niah). but seriously, "that odd forum which I had to make an account to ask an once-in-a-decade question and never visited again" fits the bill. Those can have relatively simple, non-unique passwords kept in Chrome's password list. So what if they get hacked?

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  6. Re:Dont use lastpass by SensitiveMale · · Score: 3, Insightful

    +1 for 1Password.

    I would have said the same a month ago, but 1Password is changing their pricing to $36 a year subscription.

    I'm switching to LastPass.

  7. Use a manager, use 2fa by WinstonWolfIT · · Score: 3, Insightful

    I use LastPass just fine, because every site where getting my login details would hurt, I use 2fa: Microsoft, my bank, PayPal, LastPass, Google, etc. Sure I'm picking up my phone once in a while but it's a good balance between secure and convenient. Far less secure are card details; mine got compromised recently but was detected and reversed almost immediately. Which is why I use PayPal whenever possible.

  8. Re:There's several options. by aaarrrgggh · · Score: 3, Insightful

    In terms of execution, I break your three categories into:
    -Memorized passwords with hard-copy password in a book someplace
    -OSX Keychain
    -Passwords saved in browser.

    The OSX keychain is the weakest link unfortunately, although it pretty much requires local access to defeat. I used a Yubikey for a while, but it was just too much of a pain for day-to-day use.

    Ultimately, the weak link is my wife... who does not know how to secure all her passwords properly. When two different people need access to the same information security becomes an order of magnitude more difficult to achieve. I wish bank and brokerage accounts allowed one user "read only" access and the other the right to modify stuff.

  9. Re:PasswordSafe by paulatz · · Score: 5, Insightful

    Except that many websites do not accept very long passwords, and most will require it to contain an upper case letter and/or a number, and may even bitch if you put the upper case at the beginning and the number at the end, at which point you put them somewhere else and you forget the password the moment you press "ok".

    --
    this post contain no useful information, no need to mod it down
  10. Re:PasswordSafe by TheRaven64 · · Score: 4, Insightful

    Second, forget about it all you people with your **genius** schemes for generating unique 8-11 character passwords. Congratulations, you've just been hacked. Look up rainbow tables, people!

    If you have upper- and lower-case letters, numbers, and symbols then each character is one from a set of 80, so a random 8-character password from this set contains 50 bits of entropy (2^50 possible combinations). To store all such passwords in a rainbow table would require 2^54 bytes (8 petabytes) of storage. I doubt that most hackers have that much space.

    A case insensitive 8-character password, in contrast, has just under 38 bits of entropy, so it is quite feasible to compute a rainbow table. Mixing cases alone takes this up to 45 bits, which means that you'll need around half a petabyte for the rainbow table.

    If you're using a salted hash to store the password, then the rainbow table needs to be computed for each salt (and if you're sensible, you'll use a different salt for each password, so you need a different rainbow table per password, not per password db). You're better off brute forcing it than storing the rainbow table. A modern GPU can manage about 20,000,000,000 hashes per second, so can search a 34-bit key space per second. 45 bit of entropy gives you a search space that takes about half an hour of GPU time. 50 bits gives you 18 hours. An 11-character password will give you 69 bits of entropy (and a rainbow table that most filesystems can't store, though ZFS can if you can afford enough disks), and will take about 1,000 years to brute force with a single GPU (though with 10,000 GPUs you can do it in a reasonable amount of time). A 10-character password gives you 63 bits, which takes about 17 GPU years to crack and is still probably beyond the capabilities of anyone other than a nation-state adversary.

    --
    I am TheRaven on Soylent News