
Password Security, Anyone Know?

Would you care to share the problems you are unhappy with as well as a comparison between Nord and Proton?
Sure.

First and foremost, say I turn on my computer and want to log in to this website. After booting up, NordPass pops up and wants me to enter my master password, which I do. 12 characters, letters upper and lower case, numbers, special characters. Then I open a browser and come to this website. I go to log in. NordPass won't give me my login unless I enter my master password again. So I do, and I begin the login here. I have enabled two-factor identification on this site, so now I have to go to my email to get a login code. When I go to my email, NordPass requires me to again enter my master password. So by now I have typed my master password three times in a matter of minutes just to log in to a website.

There's a feature in NordPass called Lockout Time or something like that. I have set it for 4 hours, 1 day, and Never. None of these makes any difference. Log in at any website, have to enter the master password. I mean, what's the point? I might as well just type in the password to the website itself and not use NordPass. OK, sure, I only have to memorize one password, but it sure gets tedious. 12 characters... over and over and over.

Another issue is, when I go to log in to a site that uses my email address for a user name, as many do, NordPass will pop up every email user name it contains. I have 4 different email accounts for various uses and the wife has 2. I don't always remember which one I used for each and every site, so I usually wind up trying 2 or 3 before I get in.

And occasionally, at apparently random times, NP pops up and wants me to enter my master password, just to make sure I don't forget, I guess.

And sometimes it seems to randomly create duplicate user name and password entries all on its own. I don't know how or why, but it does seem to complicate things.

I've searched for solutions to all these things but found none. The only thing NP says is it's for security, not convenience, so basically just suck it up.
 
There must be something different in your setup than mine, because I do not have any of those problems. If you would like to compare some settings, PM me and maybe we can make it work better, or not; no obligation.
 
Thanks for that. For now I'm going to continue trying out this ProtonPass (I already had a proton account). If it doesn't pan out, I'll be in touch!
 
Here's a fun story. One day during the COVID lockdowns, we were both at home. We work for a multi-national company and we are "essential," so we were not shut down, but we were working from home much of the time. My wife is pretty far up the food chain in the US branch.

So she's sitting there working at the computer and at about 10:00 AM, boom. No Internet. A few attempts at the usual stuff like power-cycling the router etc. didn't work. I tried to access the router software and I could not. Couldn't log in to the router. So I called the ISP. Surprisingly got what sounded like an English-as-first-language speaker. After a brief description of the problem he says, "You changed your router login about a half hour ago." I said no, I didn't; he said someone did. I said no. He asked, "What's your user name?" I told him. There was a bit of silence as if he was checking something, and he says, "Here's your user name and password." They were both different than what I had set them as and recorded in my notebook about two years prior. What he read me sounded foreign to me, a user name I would never have used and a simple four-digit password. I immediately reset both to complex sequences.

I have been told that that kind of an attack is pretty sophisticated; it likely wasn't a 12-year-old on his school-issued laptop. Most likely an attempt at corporate espionage or hijacking.

Some months later the company WAS hit with a ransomware attack. After a nearly year-long investigation it was said that the person in the company who was the entry point was discovered, but they weren't going to tell us who it was. Nothing was said to me or my wife beyond that, so I figure it wasn't us! I was told it was a simple social engineering e-mail trick...
 
I've been using 1Password for a long time. For the most part I haven't had any issues between several devices. PC, Mac, iOS all connected to one encrypted vault, so if something is added or changed through one device it's all accessible by the other devices. My password for the password manager would be much, much harder (like impossible) to guess or crack than your computer's. I don't trust the browsers.

My co-conspirator's daughter deals with cyber security legal issues and she recommended 1Password also.
 
From what I've seen over the last while since LastPass krapped, Bitwarden seems to be the most recommended one. Using Keeper at the moment, pretty happy with it. Maybe the only annoying thing would be a popup in the corner of the screen to "fill record". I had 3 two-sided sheets of foolscap to change over from LastPass; wasn't bad to do through Keeper.
 
I use a "BOOK". Yes, I have to get up off my arse to get the book, but for security purposes, I see nothing that will surpass this. I, and I alone, have this book.
 
Use the same base password for everything you log into and add several characters to the base password to indicate the website you are on.

Generate the base password from something familiar to you such as a bible verse, poem, saying, etc. Here is an example using 2 Timothy 3:16:

"All Scripture is God-breathed and is useful for teaching, rebuking, correcting and training in righteousness."

Use the first letter of each word from the above and insert the first couple of letters of the site somewhere in the string, but make it the same place each time... it all ends up looking like nonsense if you don't know the base. I also substitute numbers and special characters in a few places:

A$1G&isufgmtrcatir

An 18-character password for 'Gmail' that you can rattle off simply if you know the base bible verse and where you substitute numbers, capital letters, special characters, and where exactly you insert the letters for the site you are on... I put them after the word 'for' from the scripture in this example.

Here is what the password for Accurateshooter.com would look like: A$1G&isufactrcatir

Pretty unlikely that someone could pick out the 'ac' in the middle of that string and associate it with Accurateshooter.com and then apply that same type of substitution elsewhere. Just my $0.02.

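A password manager's reuse audit would flag the two passwords in the post above as variants of one base. This added Python example (not the poster's own, standard library only) runs such a check over a constructed vault that holds the post's two example passwords plus one unrelated random password, and reports the pairs that share most of their characters:

```python
import difflib
from itertools import combinations

# Constructed sample vault. The first two entries are the two passwords the post
# derives from one base; the third is an unrelated, randomly generated password.
SAMPLE_VAULT = {
    "gmail.com": "A$1G&isufgmtrcatir",
    "accurateshooter.com": "A$1G&isufactrcatir",
    "bank.example": "Vp9!xQ2#wLz7@Bn4",
}


def shared_base_ratio(a: str, b: str) -> float:
    """Fraction of the shorter password that lies in substrings common to both.

    difflib's matching blocks recover the long shared base plus the shared tail,
    skipping only the short site-specific insertion in the middle.
    """
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    shared = sum(block.size for block in matcher.get_matching_blocks())
    return shared / min(len(a), len(b))


def find_near_duplicates(vault: dict, threshold: float = 0.75) -> list:
    """Return (site_a, site_b, ratio) for every pair of entries whose passwords
    share at least `threshold` of their characters, i.e. variants of one base."""
    flagged = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault.items(), 2):
        ratio = shared_base_ratio(pw_a, pw_b)
        if ratio >= threshold:
            flagged.append((site_a, site_b, round(ratio, 3)))
    return flagged


if __name__ == "__main__":
    for site_a, site_b, ratio in find_near_duplicates(SAMPLE_VAULT):
        print(f"{site_a} and {site_b} share {ratio:.0%} of their password")
```

The two post-derived passwords share 16 of 18 characters and are flagged; the random one is not flagged against either.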
 
I gave up worrying and keep a list on the laptop. I don't have much to hide - I'm not wealthy, a terrorist, a militant socialist/Biden supporter. I can even remember my bank login, despite being older than the local topography. Hack away, boys - all you will find is some pictures of rifles, ladder tests and my family, good cartoons, anti-socialist memes and really boring correspondence.
 
I use seven different devices and have logins for several hundred sites. An index card is not going to cut it. LOL

I finally broke down and decided to get a password manager. After a bunch of Googling and looking at what various programs had to offer, I settled on NordPass. It is not perfect, actually a bit clunky at times, but it seems to be serviceable.

I needed a program that would work across multiple platforms, including Android, and had a stealth mode so I can use it on work computers.
 
Another vote here for 1Password. I switched over from LastPass after their response to the breach convinced me that they weren't nearly as serious about security as they claimed to be. 1Password came recommended by folks I know and trust in the InfoSec realm: they appear to have done a thorough job in evaluating not just potential threats but also potential failure modes (including physical device failures) and put things in place to address them.

Changing over was easy, and the 1Password phone app seems to be an improvement over LastPass, too. My one complaint is that they don't auto-fill apps on my phone, only websites. The first time I choose to fill the app I can tell it to remember, and it will auto-fill after that; I suspect it may be an account setting somewhere, but it hasn't pissed me off enough to investigate further.

 
Two other considerations: does the company promote third-party audits and publish the results? And what country is the company located in, and does that country agree to US warrants?
 

I'd say that the question that you want to ask isn't so much, "Do they want to hand this over?" but rather, "Do they have the ability to hand that over, independent of their willingness?" Company policy doesn't really matter when your server farms get raided and the feds take possession of a copy (or the regime changes, or company management/policy changes, or...).

Much better to be in a position of, "Company literally doesn't have the thing you're asking for, officer. We couldn't comply even if we wanted to," than to rely on them staying out of reach of a court order.
 
I changed my password here a few days ago. It is a strong password. Additionally, I have no passwords that are used on more than one site. They are all unique, complex and secure.

I had used NordPass for a while, but we (wife and I) had a lot of trouble with it, so I quit using it. So here comes my question.

What's the best way to manage passwords? An easy one for the lay person to use, so she doesn't change her passwords back to her initials and house address and use it for every site :) ?

(I have edited my original post because, well, Too Much Information, I thought.)

My Mac is pretty good about saving my passwords, but if someone gets into my Mac, that person can see them all. Weak link. I have read that 2 or 3 caps, numbers and symbols make it extremely difficult to break your password by random computer power.
 
I'd say that the question that you want to ask isn't so much, "Do they want to hand this over?" but rather, "Do they have the ability to hand that over, independent of their willingness?" Company policy doesn't really matter when your server farms get raided and the feds take possession of a copy (or the regime changes, or company management/policy changes, or...).

Much better to be in a position of, "Company literally doesn't have the thing you're asking for, officer. We couldn't comply even if we wanted to," than to rely on them staying out of reach of a court order.

I agree in part with your statements. The most secure form of encryption is accomplished by a proprietary system and code. Every process has a key; some are known, some are not. If it's known, it doesn't make any difference for those who have resources and are determined. It is more likely than not that the key could be given up by those facing legal jeopardy than by those in a country that has an agreement to divulge. I'm not speaking of the key to encryption, rather the key that processes the key. On the other hand, it is sometimes easier to circumvent the front end requiring the password via a back door. As you know, for example, banking funds are more likely and sometimes easier to be snatched by gaining access behind the password firewall.
 
I suspect LastPass was a lesson to the others in the field; some others may well have made some changes they won't talk about because of it. Anything on the net can be broken into if someone is determined and knowledgeable enough. At the moment, I'm using Keeper; works well enough. But I keep the banking info in a book. Have to watch vendors that keep credit card info when you open an account as well; they are all vulnerable.
 
I have started to keep all my passwords on a jump drive, and a laptop that has no internet access, and a backup on a portable hard drive that is never connected to a computer unless I am updating password data, and then it is only ever hooked to my laptop, which has never experienced the www.

Every time a password changes, or I create one for a new site or account, I back up, which is rare. It has been a PITA getting it figured out, and I hope to be all switched over when time allows.

Additionally, like one of the previous posters said, I have a phrase that I know I won't forget, adding in key numbers and special characters, usually 3 of each, at certain points in the phrase for each different site. Phrase plus additional numbers and characters total >40 characters.

For all my financial site data, I also use two-factor authentication and am moving in that direction on sites that have that option.

YMMV.
 