Managing passwords - recommendations?


#21

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/


#22

https://team-sik.org/trent_portfolio/password-manager-apps/


#23

Yes, I totally agree that software has defects, including operating systems, the routers we use, etc. A password manager is not perfect, but most of the modern ones seem to be fairly responsive in fixing defects quickly.

I think the type of sites you browse and the type of computers you use also matter, so no one solution is perfect for everyone.

And then, even with a great password, there are sites that simply fail to secure them properly and allow third parties to harvest the databases and crack and publish passwords (or sites that actually store your password in cleartext). It is frustrating. A visit to haveibeenpwned is sometimes also good to see if your email has been published in one of these hacked lists. It is also a good reason not to reuse the same password across multiple sites, or to use a common pattern that is easily transferred from site to site.


#24

Interesting, about 1/3 of my email addresses have been pwned.


#25

I prefer not to store my passwords all in one place, because all it takes is one zero-day to get pwned across the board. A 32-character password is still vulnerable to keyloggers and man-in-the-middle type attacks such as tab-napping attacks.

Rotating your passwords periodically with new unique passwords is the best method.

2FA if available, login notifications enabled, audit your account logs.

For work/teams, KeePass.


#26

I’ve never understood sites like this. Insert your email or password to our database to see if it is breached. If it wasn’t, thank you for your email and password which we will add to our brute force database.


#27

You don’t give them any password. You only give them the email address you’re concerned about and they tell you if they’ve seen it, and optionally send a message to that email if it appears in somebody’s authentication database dump down the road. So if you sign up for some things as rahakasvi@aol.com, you can give them that address and when it shows up in the next Yahoo breach, they’ll tell you that.

It’s just a sort of pastebin-lookup-as-a-service.
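As an added example (not code from any poster in this thread), the following script shows how a breach-lookup service can check a *password* without the password ever leaving your machine, which is the concern raised in #26. It implements the k-anonymity range-query scheme used by the haveibeenpwned Pwned Passwords API: the client hashes the password with SHA-1 and sends only the first 5 hex characters of the hash; the server returns every hash suffix it knows under that prefix, and the client does the final comparison locally. The server response used here is constructed inline (the suffix for "password" is the real SHA-1, the counts and the other suffixes are made up) so the script runs offline; `live_fetch_range` is the optional network path and is not called by default.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Real endpoint of the Pwned Passwords range API (not contacted unless
# live_fetch_range is used). One GET per 5-hex-char SHA-1 prefix.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex (the API's key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the 5 chars that leave the machine and the
    35 chars that never do."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding lines
    (count 0) are kept; they are harmless and the final lookup ignores them."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line, skip rather than crash
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    Only the 5-char prefix is handed to fetch_range; matching happens here."""
    prefix, suffix = split_for_range_query(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


# --- constructed offline stand-in for the server -------------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the
# prefix is 5BAA6. The counts and the neighbouring suffixes below are
# made up for this example; a real response has hundreds of lines.
SAMPLE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "2B2A3C7F4FFF0F6E93C9C2C6A9B1C4D5E6F:0",
    ]),
}

SENT_PREFIXES: List[str] = []  # records what would have gone over the wire


def fake_fetch_range(prefix: str) -> str:
    """Offline server: returns the constructed range body for a prefix."""
    SENT_PREFIXES.append(prefix)
    return SAMPLE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the API (opt-in; needs network). 'Add-Padding'
    asks the server to pad the response so its size does not leak how many
    real suffixes share the prefix."""
    from urllib.request import Request, urlopen
    req = Request(
        PWNED_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "range-query-example", "Add-Padding": "true"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple 2016"]:
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample'}")
    print("prefixes sent:", SENT_PREFIXES)
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; everything else, including the fact that only a 5-character prefix leaves the machine, stays the same. Note this covers password checks only; the email lookup described above is a plain query on the address, as #27 says.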


#28

yeah, can confirm… haveibeenpwned is legit (it was set up by security researchers)


#29

I don’t understand why the “old way” doesn’t work. Most websites that ask for a password aren’t getting any dangerous information about me, and I use asdf1234 or similar throwaway passwords on all these sites. Including this one! (No disrespect intended.)

A lot of it is businesses asking you to set up an account as a condition of them sending you their “whitepaper” (brochure).

Or are you suggesting that there is enough information being saved even on these websites?

I too am curious about the password managers, but wonder if they are themselves vulnerable. Maybe a bad idea keeping all your passwords in one place?


#30

My partner keeps his passwords in a little black book. I kid you not. If our place burns down though, he might be in trouble. :)


#31

This topic was automatically closed 364 days after the last reply. New replies are no longer allowed.