Slashdot Mirror


Ask Slashdot: Should You Use Password Managers?

New submitter informaticsDude writes: What do Slashdot users recommend regarding the use of password managers? The recent election underscored the hackability of many personal accounts. One solution is to use different passwords for every digital experience. But, of course, humans are lousy at remembering large numbers of large random strings. Another solution is to use a password manager. However, password managers have been hacked in the past, in which case you lose everything. How do Slashdot users balance the competing risks? What is a person to do?

20 of 415 comments

  1. Should You Use Password Managers? by Anonymous Coward · · Score: 5, Insightful

    Yes.

    1. Re:Should You Use Password Managers? by 93+Escort+Wagon · · Score: 5, Funny

      Ian Betteridge's head just exploded.

      --
      #DeleteChrome
    2. Re:Should You Use Password Managers? by belthize · · Score: 5, Funny

      Some day I hope to see a submission with the headline: "Is Ian Betteridge's Law of Headlines Real?". Sure, it might break the universe, but it's a risk we should be willing to take in the pursuit of truth.

    3. Re:Should You Use Password Managers? by Anonymous Coward · · Score: 5, Informative

      I agree. I use KeePass *without* the browser integration extension. I let my browser store passwords for unimportant things like forums but I always manually copy passwords from my KeePass database for things like email, shopping and banking sites.

    4. Re:Should You Use Password Managers? by Aighearach · · Score: 5, Insightful

      While I share the distrust of the browser storage, I also don't trust the OS or GUI system to protect the clipboard.

  2. keepass by Anonymous Coward · · Score: 5, Informative

    http://keepass.info/

    1. Re:keepass by sexconker · · Score: 5, Informative

      I also vote for KeePass. It's very nice and very extensible.

    2. Re:keepass by war4peace · · Score: 5, Funny

      KeepAss keeps your ass secure.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  3. Re:1Password by Anonymous Coward · · Score: 5, Funny

    > Yes, but I'm sure a photogenic memory is super uncommon.

    But my god are they beautiful to look at.

  4. Keypass for me by Snotnose · · Score: 4, Informative

    Not web nor cloud based. You make a master password, it stores a file on your hard drive containing your encrypted stuff. You can move that file anywhere and, if KeePass is installed, get your passwords on that platform.

  5. There's several options. by tlambert · · Score: 4, Funny

    There's several options.

    (1) Don't use a lot of password protected services; that way: less to remember.

    (2) Live with being occasionally hacked.

    (3) The Bratva solution: someone hacks you, send someone to shoot them in the head.

    I don't know about you, but I'm kind of partial to #1, with #3 being a close second. I don't particularly like #2.

    1. Re:There's several options. by war4peace · · Score: 4, Insightful

      With every fucking site on the Internet now requiring you to have an account to even take a look at stuff (MassDrop, looking at ya), #1 is a no-go.
      #2 is actually a valid option if you split your accounts into 3 main types:

      - accounts essential to my well-being (mail, bank, etc) which mandate complex, unique, memorized passwords + 2-step authentication;
      - accounts which are important but not essential (e.g. Steam), which mandate unique passwords with 2-factor auth but can be kept in a password manager;
      - finally, crap that nobody gives a fuck if hacked (e.g. Slashdot, niah niah). But seriously, "that odd forum which I had to make an account to ask a once-in-a-decade question and never visited again" fits the bill. Those can have relatively simple, non-unique passwords kept in Chrome's password list. So what if they get hacked?

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  6. Use a password manager, don't store online by slazzy · · Score: 4, Insightful

    Use a password manager = yes. Storing passwords online = no. If you must store in the cloud, use different providers for the encryption as the storage.

    --
    Website Just Down For Me? Find out
  7. Use a Local Not a Remote Passwords Manager by DERoss · · Score: 5, Insightful

    Some password managers rely on remote servers or the cloud to store your password. That is risky for two reasons. (1) A service holding passwords for many users is a more likely target for hackers than your own individual computer. (2) If the server or cloud service goes down even temporarily, you are stuck without your passwords.

    You should choose a password manager application that is installed within your computer and does not rely on you having an Internet connection. The application should use a master password -- actually a master pass-phrase -- to encrypt the individual passwords. That master pass-phrase itself is not stored anywhere. Instead, if it is entered incorrectly, it fails to decrypt any passwords. By "pass-phrase", I mean a longer expression containing blanks, punctuation, etc.

    Note that Mozilla-based applications have internal password managers that reflect my second paragraph above.
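The mechanism DERoss describes, a master pass-phrase that is never stored and simply fails to decrypt when entered wrong, looks like this in code. This is an added example, not code from any commenter or from any real password manager: it uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES, and the scrypt parameters, layout and sample vault contents are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Tuple

# scrypt cost parameters: assumed values for this example (16 MiB of memory);
# a real manager tunes these for its platform.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32              # bytes per derived key
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32              # HMAC-SHA256 output


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master pass-phrase into an encryption key and a MAC key.

    The vault on disk holds only the random salt; the pass-phrase itself is
    never written anywhere, and scrypt's memory cost slows offline guessing.
    """
    material = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                              dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_vault(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(passphrase: str, blob: bytes) -> bytes:
    """Check the tag before decrypting anything.

    A wrong pass-phrase derives a wrong MAC key, so the tag comparison fails
    and no plaintext (not even garbage) is released.
    """
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong pass-phrase or corrupted vault")
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def can_unlock(passphrase: str, blob: bytes) -> bool:
    """True only if the pass-phrase authenticates the vault."""
    try:
        unlock_vault(passphrase, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample vault contents.
    entries = b"bank.example: 7Qv!m2pR\nmail.example: xK9#pLw4\n"
    vault = lock_vault("correct horse battery staple", entries)
    print(unlock_vault("correct horse battery staple", vault).decode())
    print("wrong pass-phrase opens vault:", can_unlock("Tr0ub4dor&3", vault))
```

Two design points carry the security argument: the tag is checked before any decryption, so a wrong pass-phrase is rejected outright rather than producing garbage that might leak information, and the only things an attacker who steals the file gets are the salt, nonce, ciphertext and tag, so guessing the pass-phrase offline costs one scrypt call per guess.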

  8. LastPass by Mike+Van+Pelt · · Score: 4, Informative

    I've been using LastPass for years. I tried pwsafe (nice, but at the time, didn't support Mac well) and KeePass (which I didn't like for reasons that I don't quite recall now; ended up moving back to pwsafe) before I switched to LastPass.

    The deciding factors were (1) LastPass Premium works on Android. (And, now, you don't need Premium; the free version also works on Android.) (2) Syncs password changes across all devices, and (3) Professional Paranoid Steve Gibson gave it his seal of approval.

    Some of the others also have a way to sync across all devices now, but I haven't come across any compelling reason to switch. Though LetMeIn may be working on that one.

  9. Re: Standalone hardware by jep77 · · Score: 4, Funny

    This exactly. Taped to the bottom of my keyboard.

  10. PasswordSafe by twitnutttt · · Score: 5, Informative

    I am surprised no one has endorsed PasswordSafe yet! Written originally by Bruce Schneier, open source, and ported to Android which lets me sync my pwd database files between devices via Dropbox. I've been using it for years and plan to continue.

    Since starting to use it on my mobile, I've segregated my database a bit to prevent a total breach in case my phone were compromised. I have my "lower security" internet website passwords that I need on the go in one file. And I have my financial passwords (which also stores account and credit card numbers that I might need in an emergency) in another file. And then on my PC there is a master file that has all these plus a ton of other accounts I've collected over the years but don't see the need to take on the road in my phone. Each database has a different unlock password, and those are all I have to remember.

    1. Re:PasswordSafe by twitnutttt · · Score: 5, Informative

      Having just read through these comments, my forehead hurts from banging it against the wall and I better flesh this explanation out a bit more...

      First of all, I'm amazed NO ONE mentioned the classic xkcd comic on memorized random password security: https://xkcd.com/936/

      Second, forget about it all you people with your **genius** schemes for generating unique 8-11 character passwords. Congratulations, you've just been hacked. Look up rainbow tables, people!

      You are all reinventing square and pentagonal wheels here. It's not working against the threat profile you face, and it's a pain in the ass for you compared to the painless solution that is already out there and explained if you just knew about it...

      OK, so here is the true situation you face if you actually want to be secure:
      1) You have hundreds of passwords to store.
      2) Each one better be 25+ characters of RANDOM data. Otherwise, you face a very realistic threat from brute force / rainbow tables cracking you in trivial amounts of time now or in the near future.
      3) You better not be reusing any of them anywhere, cause, you know, hacking.
            3a) If you use a standard root and "permute" it, you are relatively safer until one of your sites storing it in cleartext gets revealed, and then guess what, literally *everyone* uses the first character or two of the site name, or one or two letters more than the first characters to permute. So if you are ever an actual individual target as opposed to a mass script kiddie attack, you're toast. I know, and you thought you were so clever!

      AND, even if you managed to memorize all this, it's a goddam PAIN IN THE ASS to type these passwords in, especially on phones.

      Here is a solution that is 1) easier to remember, 2) faster to access your websites and login, and 3) order of orders of magnitude more secure:

      Steps:
      1) Generate a SINGLE 6-7 word diceware PASSPHRASE. https://theintercept.com/2015/...
      2) Memorize it. This should take you all of two minutes.
      3) Download passwordsafe or keepass or another trusted OFFLINE password manager. I'm not going to press my personal preferences here. But it should have an automatic password generator feature.
      4) Lock the password manager with your diceware passphrase and start generating 30+ character random, unique passwords for each site you use.

      If you have a good tool (I use passwordsafe), you can store the URL, username, and password and with a combination of 3 hotkeys open any website, and login in under 2 seconds for any of the hundreds of TRULY SECURE passwords you store.

      You can sync the encrypted pwd manager file to your mobile and other devices and access from there with equal security.

      And a passphrase with all lower case letters to unlock your pwd manager is even faster to type on a computer or phone than a single one of these insecure, short, alpha-symbol-numeric jokes people are advocating the genius of here.

      OK. Now you know. So spread the word and forget all this elaborate security theater nonsense.

    2. Re:PasswordSafe by paulatz · · Score: 5, Insightful

      Except that many websites do not accept very long passwords, and most will require it to contain an upper case letter and/or a number, and may even bitch if you put the upper case at the beginning and the number at the end, at which point you put them somewhere else and you forget the password the moment you press "ok".

      --
      this post contain no useful information, no need to mod it down
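Steps 1 and 4 of twitnutttt's procedure (a diceware master pass-phrase, then a long random unique password per site) and paulatz's objection (sites that cap length or demand particular character classes) can both be handled by one small generator. This is an added example, not code from either commenter or from PasswordSafe or KeePass; the word list is a constructed twelve-entry stand-in for the real 7776-word diceware list, and the symbol set and the two site policies are assumptions made for the demo.

```python
import secrets
import string

# Constructed stand-in for the real diceware list (7776 words keyed by five
# dice values "11111".."66666"); only a handful of entries are included here.
DICEWARE_SAMPLE = {
    "11111": "abacus", "11112": "abdomen", "11113": "abide",
    "11114": "abiding", "11115": "ability", "11116": "abject",
    "11121": "ablaze", "11122": "abode", "11123": "abrasive",
    "11124": "abruptly", "11125": "absent", "11126": "absorb",
}

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"          # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def diceware_passphrase(wordlist: dict, n_words: int = 6) -> str:
    """Pick n_words uniformly at random from the list.

    secrets.choice draws from the OS CSPRNG; with the full 7776-word list it
    is equivalent to rolling five dice per word and looking the result up.
    """
    words = list(wordlist.values())
    return " ".join(secrets.choice(words) for _ in range(n_words))


def meets_policy(password: str, policy: dict) -> bool:
    """Does the password satisfy a site's length and character-class rules?"""
    if len(password) > policy.get("max_length", 10 ** 9):
        return False
    if len(password) < policy.get("min_length", 1):
        return False
    return all(any(c in cls for c in password)
               for cls in policy.get("require", ()))


def site_password(policy: dict, preferred_length: int = 32) -> str:
    """Random password of preferred_length, shortened only to the site's cap.

    Rejection sampling: draw uniformly from the whole alphabet and retry until
    the composition rules hold, so the result stays uniform over all compliant
    passwords instead of, say, always putting the digit at the end.
    """
    length = min(preferred_length, policy.get("max_length", preferred_length))
    if length < len(policy.get("require", ())):
        raise ValueError("site cap too short for its own composition rules")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, policy):
            return candidate


# Constructed policies: a permissive default and a picky site of the kind
# paulatz describes (short cap, upper + lower + digit required).
DEFAULT_POLICY = {"require": (string.ascii_uppercase, string.ascii_lowercase,
                              string.digits, SYMBOLS)}
PICKY_SITE = {"max_length": 16, "min_length": 8,
              "require": (string.ascii_uppercase, string.ascii_lowercase,
                          string.digits)}


def unique_passwords(sites, policy: dict = DEFAULT_POLICY) -> dict:
    """One fresh password per site; nothing is ever reused between sites."""
    return {site: site_password(policy) for site in sites}


if __name__ == "__main__":
    print("master pass-phrase:", diceware_passphrase(DICEWARE_SAMPLE))
    for site, pw in unique_passwords(["mail.example", "bank.example"]).items():
        print(site, pw)
    print("picky site:", site_password(PICKY_SITE))
```

The point of keeping the site's cap in a policy object is that the manager, not the user, remembers the shortened form: the password is still random and unique, it is just as long as the site allows, and the "I forgot it the moment I pressed ok" problem disappears because the entry is stored under the site's URL.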
    3. Re:PasswordSafe by TheRaven64 · · Score: 4, Insightful

      > Second, forget about it all you people with your **genius** schemes for generating unique 8-11 character passwords. Congratulations, you've just been hacked. Look up rainbow tables, people!

      If you have upper- and lower-case letters, numbers, and symbols then each character is one from a set of 80, so a random 8-character password from this set contains 50 bits of entropy (2^50 possible combinations). To store all such passwords in a rainbow table would require 2^54 bytes (8 petabytes) of storage. I doubt that most hackers have that much space.

      A case insensitive 8-character password, in contrast, has just under 38 bits of entropy, so it is quite feasible to compute a rainbow table. Mixing cases alone takes this up to 45 bits, which means that you'll need around half a petabyte for the rainbow table.

      If you're using a salted hash to store the password, then the rainbow table needs to be computed for each salt (and if you're sensible, you'll use a different salt for each password, so you need a different rainbow table per password, not per password db). You're better off brute forcing it than storing the rainbow table. A modern GPU can manage about 20,000,000,000 hashes per second, so can search a 34-bit key space per second. 45 bits of entropy gives you a search space that takes about half an hour of GPU time. 50 bits gives you 18 hours. An 11-character password will give you 69 bits of entropy (and a rainbow table that most filesystems can't store, though ZFS can if you can afford enough disks), and will take about 1,000 years to brute force with a single GPU (though with 10,000 GPUs you can do it in a reasonable amount of time). A 10-character password gives you 63 bits, which takes about 17 GPU years to crack and is still probably beyond the capabilities of anyone other than a nation-state adversary.

      --
      I am TheRaven on Soylent News
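TheRaven64's arithmetic is easy to reproduce and extend to the diceware pass-phrase twitnutttt recommends. This is an added calculator, not code from any commenter: it takes the comment's own figures (an 80-character set, 20 billion hashes per second for one GPU) and assumes 16 bytes per rainbow-table entry, which is what turns 2^50 passwords into 2^54 bytes as the comment states; the 7776-word diceware list size is the standard one.

```python
import math

HASHES_PER_SECOND = 2e10       # the comment's figure for one modern GPU
BYTES_PER_TABLE_ENTRY = 16     # assumed: 2^50 passwords -> 2^54 bytes, as in the comment
SECONDS_PER_YEAR = 365.25 * 86400
DICEWARE_WORDS = 7776          # 6^5 entries on the standard diceware list

# Alphabet sizes used in the comment's three cases.
CHARSETS = {
    "lowercase only": 26,
    "mixed case": 52,
    "mixed case + digits + symbols": 80,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def rainbow_table_bytes(bits: float) -> float:
    """Storage to precompute the whole space at BYTES_PER_TABLE_ENTRY each.

    With a distinct salt per stored password this table is useless, since a
    separate one would be needed per salt."""
    return 2 ** bits * BYTES_PER_TABLE_ENTRY


def brute_force_seconds(bits: float, rate: float = HASHES_PER_SECOND) -> float:
    """Worst case: enumerate the whole space at `rate` guesses per second.

    The expected time is half this; the comment uses the full space too."""
    return 2 ** bits / rate


def human_time(seconds: float) -> str:
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(label: str, bits: float, gpus: int = 1) -> str:
    table_pib = rainbow_table_bytes(bits) / 2 ** 50
    crack = human_time(brute_force_seconds(bits) / gpus)
    return (f"{label:38s} {bits:6.1f} bits  table {table_pib:12.3g} PiB  "
            f"crack {crack} on {gpus} GPU(s)")


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 10, 11):
            print(report(f"{length} chars, {name}", entropy_bits(size, length)))
    print(report("11 chars, 80-set, 10,000 GPUs",
                 entropy_bits(80, 11), gpus=10_000))
    for words in (6, 7):
        print(report(f"{words}-word diceware pass-phrase",
                     entropy_bits(DICEWARE_WORDS, words)))
```

Running it confirms the comment's numbers (about 29 minutes for 45 bits, under 16 hours for 50, roughly 935 years for 69 and 15 for 63, all within the comment's rounding) and adds the comparison twitnutttt was making: six lower-case diceware words come to about 77.5 bits, more than an 11-character password from the 80-character set, while being far easier to type.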