What's your password policy?

imightbewrong

Distinguished Member
In an article from 2018 it showed LastPass had major vulnerabilities in each year of 2014-2017. Similarly Keeper in 2016 and 2017. The list goes on, most of these were white hat attacks but each case mentioned the vendor didn't detect the vulnerability nor the unauthorised access so its plausible that others could have used the same route before the ethical hackers announced the flaws after the vendor had had time to fix.

Yep there have been a few bugs along the way - to my knowledge these have all been related to some corner cases in the browser extension which could allow a malicious website to access a past password under certain conditions.

If you really want to go to extremes you can store a partial password in a password manager - e.g. store a 50 character random string but leave a common part out of it:

[50 random characters] + avf0rums!

then even if your vault is compromised due to the advent of quantum computing or something, your password is still not exposed.

Sure, a password manager is not a requirement - if people can manage dozens or hundreds of strong passwords in their head that is the ultimate security - but many cannot.

The critical security feature is two-factor, which means even a password on its own is of no use.

In any case I'm not sure we are seriously comparing potential exploits in a password manager to entering a non two-factor-secured payment-capable password, such as Amazon, into a shared computer and probably even shared Windows account in a Library?
 

leamspaceman

Distinguished Member
My password policy is ██████████ and ██████████ with ██████████.

Hope that helps...
 

jurassicmark

Active Member
In an article from 2018 it showed LastPass had major vulnerabilities in each year of 2014-2017. Similarly Keeper in 2016 and 2017. The list goes on, most of these were white hat attacks but each case mentioned the vendor didn't detect the vulnerability nor the unauthorised access so its plausible that others could have used the same route before the ethical hackers announced the flaws after the vendor had had time to fix.


If just being careful/sensible was sufficient then there would be no need for password managers. If just being careful isn't sufficient then there is a risk of putting all your details in one place. Yes they'll be more secure than some random e-commerce website that someone has cobbled together using their PHP for Dummies book but they are also more a target.
I don't believe anything is 100% secure but think a password manager is significantly more secure than all other methods that I'm aware of. I know that there have been vulnerabilities exposed but that happens with much software and it gets patched. I'm always hearing that about Windows but I rarely (if ever) hear about hackers exploiting these vulnerabilities in the real world. Likewise with password managers.

How is being careful/sensible sufficient in order to remember over 100 unique and good quality passwords? Other methods may require putting all your eggs in one basket, such as storing your passwords on a laptop or a USB stick. Any storage hardware can fail. I'm not aware of any password manager suddenly going bust and users password vaults becoming inaccessible so I would class that as a minute risk. Even if it did happen then I'm sure someone would be capable of making the data temporarily accessible to allow users to migrate their vault elsewhere.

Password managers have been around for some time but similar to what I said in the first paragraph, I haven't heard about any instances of password vaults being exposed as the result of software vulnerabilities. If that wasn't the case then I wouldn't be endorsing them so much. Using them is infinitely better than using the same password for virtually every site as it just takes one of those sites to be hacked and all those other sites will be at risk. That's what happened last year with Tesco Clubcard account holders.
It wasn't a problem with their security but "a database of stolen usernames and passwords from other platforms had been tried out on its websites, and may have worked in some cases."
 

imightbewrong

Distinguished Member
Even if it did happen then I'm sure someone would be capable of making the data temporarily accessible to allow users to migrate their vault elsewhere.

With LastPass (and no doubt the others) you can do a one-click download of your vault - you can store that encrypted, print it, put it on a USB stick in a safe, whatever. In practice even if LastPass vanished overnight without a backup, it would be nothing more than an inconvenience as all sites have password recovery mechanisms using a two-factor approach.
 

imightbewrong

Distinguished Member
It wasn't a problem with their security but "a database of stolen usernames and passwords from other platforms had been tried out on its websites, and may have worked in some cases."

This is why we never, ever use the same credentials for two sites.
 

BobBob21

Well-known Member
It wasn't a problem with their security but "a database of stolen usernames and passwords from other platforms had been tried out on its websites, and may have worked in some cases."
And what was the possible consequence of that? Someone managed to transfer some clubcard points out into vouchers or something. Access to some extra details about the person possible to aid other scams.

What is the consequence if that same db had been used on password manager sites instead?

The concept is nice but it remains too many eggs in one basket for me.
 

Richardxx

Active Member
I keep all my passwords (all different and random) on a 2 sheets of something called paper that I have lying around from the 20thC. I keep them hidden away amongst lots of other sheets of similar paper. The important (financial ones) have false labels which I remember.

Somehow I could never trust my passwords to a database out there.
 

jurassicmark

Active Member
And what was the possible consequence of that? Someone managed to transfer some clubcard points out into vouchers or something. Access to some extra details about the person possible to aid other scams.

What is the consequence if that same db had been used on password manager sites instead?

The concept is nice but it remains too many eggs in one basket for me.
I don't know the consequences but even if it results in no financial loss, there's the hassle of regaining control of any internet account that gets compromised, as happened with some Tesco Clubcard accounts.

How do you think anyone's master password on their password manager will end up on such a database?

No solution is perfect but a password manager is by far the best solution in my opinion. As another poster recently said, you can download your vault and "store that encrypted, print it, put it on a USB stick in a safe, whatever." That way you won't have all your eggs in one basket but I haven't done that as I believe the risk of losing access to my vault to be tiny.
 

imightbewrong

Distinguished Member
And what was the possible consequence of that? Someone managed to transfer some clubcard points out into vouchers or something. Access to some extra details about the person possible to aid other scams.

What is the consequence if that same db had been used on password manager sites instead?

The concept is nice but it remains too many eggs in one basket for me.

Websites that are hacked are ones that store passwords in un-encrypted, un-salted ways on poor infrastructure - because security is not their business, and you should not give them a password you give to anyone else.
 

BobBob21

Well-known Member
No solution is perfect but a password manager is by far the best solution in my opinion. As another poster recently said, you can download your vault and "store that encrypted, print it, put it on a USB stick in a safe, whatever." That way you won't have all your eggs in one basket but I haven't done that as I believe the risk of losing access to my vault to be tiny.
That way you have all your eggs in one basket and then a second/third basket with copies of your eggs. Be it the hacker that gets into the password manager or the cleaner who stumbles across the printed list etc once in/seen they have all your passwords
 

imightbewrong

Distinguished Member
That way you have all your eggs in one basket and then a second/third basket with copies of your eggs. Be it the hacker that gets into the password manager or the cleaner who stumbles across the printed list etc once in/seen they have all your passwords

If it was a printed list it would need to be well secured - in a safe. Or an encrypted USB.

In any case, storing your passwords offline is largely pointless as they can all be recovered via two-factor.

The main use-cases for offline storage are where they can't be recovered, such as crypto keys. The general recommendation then is to store in a safe a steel plate embossed with your passcode - typically 26 words - and for belt and braces don't put the 26th word on - memorize it.
 

jurassicmark

Active Member
That way you have all your eggs in one basket and then a second/third basket with copies of your eggs. Be it the hacker that gets into the password manager or the cleaner who stumbles across the printed list etc once in/seen they have all your passwords
If you have your eggs in different baskets then you obviously don't have all your eggs in one basket.

If a hacker managed to get access to my encrypted vault then that would be useless to them without my username and master password.

If you decide to make copies of your vault then it just requires a bit of common sense when considering storage. I wouldn't print them off unless I had a safe. I would store the vault in encrypted form on an external disk drive and/or a USB stick and/or Google Drive.
 

BobBob21

Well-known Member
If you have your eggs in different baskets then you obviously don't have all your eggs in one basket.

I think you are considering it from the perspective of what if I lose my USB stick with my password vault on it but I've a printed copy in the safe... then yes from that sense you've spread your risk around losing access if the company folds.

If you think of it from the perspective of if someone gets access to this thing then they'll have every single password I have then putting a printed copy in the sale, another one under the mattress etc doesn't mean your spreading the risk/eggs but duplicating it
 

ChuckMountain

Distinguished Member
And what was the possible consequence of that? Someone managed to transfer some clubcard points out into vouchers or something. Access to some extra details about the person possible to aid other scams.

What is the consequence if that same db had been used on password manager sites instead?

The concept is nice but it remains too many eggs in one basket for me.

It's about assessing the risk, for me that is not as you suggested earlier having a number of reused passwords (or variations on a theme) for sites you don't care about.

Not sure I understand about the same db being used on password manager sites point. The databases that are compromised are not because there is anything inherently wrong with the database but the application that accesses it or the security around it has been done badly.

With a lot of password managers the password is not stored by the company so there is nothing to hack. The vulnerabilities in LastPass came from the browser plug-in. That again is not something new as why do you think Microsoft and others have so many patches. On a compromised machine it doesn't matter how you put the password in it will be nicked. The obvious way round that is 2 factor authentication where a secondary code changes on a regular basis.
 
Last edited:

jurassicmark

Active Member
I think you are considering it from the perspective of what if I lose my USB stick with my password vault on it but I've a printed copy in the safe... then yes from that sense you've spread your risk around losing access if the company folds.

If you think of it from the perspective of if someone gets access to this thing then they'll have every single password I have then putting a printed copy in the sale, another one under the mattress etc doesn't mean your spreading the risk/eggs but duplicating it
No, having all my eggs in one basket is just having one instance of the vault on the password manager's server (they should also use backup servers but I just have one access point). Making just one copy of my vault, whether that's a paper or an electronic copy, means I no longer have all my eggs in one basket.

If a printed copy of a vault is in a safe then it's secure. How secure is dependant on the safe but keeping unwelcome people from accessing its contents is its primary function. Just like my password manager's vault being stored in encrypted form on its server, a USB stick holding a copy of that vault in encrypted form will also be secure. Both vaults are worthless to anyone who gets hold of them without the encryption key (the password). I may technically be duplicating the risk but the risk is practically zero with the encryption option so the overall risk is negligible.
 

KyleS1

Distinguished Member
At the moment I store everything in an encrypted excel sheet that is stored in DropBox. I've never once been "hacked", but a password manager seems like a safer approach, especially as I keep getting notifications that my password was compromised when I log in to various sites. Not sure what that really means as nothing has ever happened. Are they saying that they have been hacked and my details might have been captured or are they telling me that my login information is on a known hacked list?!?
 

jurassicmark

Active Member
At the moment I store everything in an encrypted excel sheet that is stored in DropBox. I've never once been "hacked", but a password manager seems like a safer approach, especially as I keep getting notifications that my password was compromised when I log in to various sites. Not sure what that really means as nothing has ever happened. Are they saying that they have been hacked and my details might have been captured or are they telling me that my login information is on a known hacked list?!?
I don't know for sure but perhaps your login credentials have been found on a stolen password database. This site will show if your email is in a data breach:

This site will indicate how strong your passwords are:

I would strongly advise you to change your passwords on the sites that are giving you that message.

BTW, I think how you store your passwords is reasonable and secure but think a password manager is preferable. I don't think there's any harm in trying them out if you want to see how they work for you. I've only used two different password managers so you may want to see more reviews rather than taking my advice. I used LastPass for over 10 years and only recently moved to Bitwarden due to LastPass introducing a more restrictive free option. I've found Bitwarden a bit easier to use so think that would be a good option for a beginner.
 

imightbewrong

Distinguished Member
The Lastpass browser/app plugins do get a bit confused with some websites, where they have multiple challenge questions.

Also my first-world-problem is that lastpass doesn't automatically fill in the single letters where you have to do 3rd, 7th, 10th letter of a password - you have to break it out in the note to look it up.

But other than that, being able to log into any site on my phone after simply unlocking lastpass with my thumb after it detects there is a credentials form on the page is very convenient.

There is something very liberating about both not knowing any of my passwords, and also knowing they are entirely long strings of gibberish.
 

Kronenguy1664

Active Member
That may sound like a rather official way to describe how you decide what password to use and how to record/remember it when registering on a new website, app, etc. but I think this is more important than many people seem to appreciate.

Security is only as strong as the weakest link so when people use easily guessable/crackable passwords then they shouldn't complain if their accounts are compromised. I think it's reasonable to say that it's not feasible for most internet users to have good quality passwords for all their account logins and remember them all. If you only have a few logins then perhaps you can remember them but not if it's much more than that. I have over 100 logins although I haven't used many of them for ages.

I've heard some people say that they record their logins on paper and others say they use a password-protected file on their device to record them. I think they have flaws but are reasonable methods to record good quality passwords, especially when it seems that many don't really care about security when looking at the most commonly used passwords.

I've used a free password manager for many years which only requires me to remember the master password to access the password vault. I've made sure that the master password is of good quality but it's the only one I have to remember. The password manager securely stores all my login details for exiting sites and it allows me to create passwords for new sites, where I generally make them very long using random letters, numbers and symbols.

What about you?


NOTE: Please don't give any of your live passwords or methods used that could reveal them.

Mine're listed in Notepad so I copy and paste everytime I need to log in.
 

D'@ve

Active Member
Mine're listed in Notepad so I copy and paste everytime I need to log in.

If you do that, make sure you encrypt the notepad file in something such as 7-zip, with a long passphrase you will always remember (and some quirky characters thrown in for good measure). Not perfect but one heck of a lot better than unencrypted!
 

Kronenguy1664

Active Member
You'd better hope nobody steals your laptop as they will have access to all your internet accounts if they find that Notepad document.
My laptop'snever left the bedroom, let alone the house and I have windows tablet with cases with keyboards attached PCs for when I'm out.
 

jurassicmark

Active Member
My laptop'snever left the bedroom, let alone the house and I have windows tablet with cases with keyboards attached PCs for when I'm out.
I obviously hope it doesn't happen to you but there's always the chance of getting burgled. You should at least encrypt the notepad file, as suggested by @D'@ve.
 

The latest video from AVForums

Podcast: Cleer Audio speaker + HiFi Rose Streamer Reviews & Movie/TV Show talk
Subscribe to our YouTube channel

Latest News

Astell&Kern announces AK Solaris X in ear monitors
  • By Andy Bassett
  • Published
Astell&Kern Kann Alpha audio player gets Roon support
  • By Andy Bassett
  • Published
iFi Audio launches the Zen Stream Wi-Fi audio transport
  • By Andy Bassett
  • Published
Ruark R1 Mk4 radio gets summer makeover
  • By Andy Bassett
  • Published
AVForums Podcast: 23rd June 2021
  • By Phil Hinton
  • Published

Full fat HDMI teeshirts

Support AVForums with Patreon

Top Bottom