
Password Security, Anyone Know?

I'm sure most of you know more about password managers than I do. It certainly seems a password manager site is the proverbial honey hole for hackers. Cracking into the site would be like getting the keys to the kingdom. I'd consider a password manager, but I think I'd want one that wasn't in the cloud. It seems better for it to reside in encrypted form on one of my devices. Less accessible to hackers and less of a target. Am I off-base in my thinking?
 
I like Norton Password Manager. You can unlock the PW vault with the app. It generates really strong random passwords. Use two-step verification for bank accounts. Use credit cards for payments (never a debit card).
 
I use a journal book for the handwritten PW. I don't understand the technicalities or risks of cyber science so I just keep it simple. Double factor authentication for all banking and medical stuff. PITA but safe, I think. The journal is about worn out and filled with crossed out and replaced PW.

For those that truly know, how good, safe, is the facial recognition in my two banking apps on my iPhone? - thanks
 
> I'm sure most of you know more about password managers than I do. It certainly seems a password manager site is the proverbial honey hole for hackers. Cracking into the site would be like getting the keys to the kingdom. I'd consider a password manager, but I think I'd want one that wasn't in the cloud. It seems better for it to reside in encrypted form on one of my devices. Less accessible to hackers and less of a target. Am I off-base in my thinking?
Nope. That is very sound thinking that security professionals support. I like to recommend Keepass to folks. If you're a Linux user, pass and pmenu are excellent tools.
 
tl/dr:
1. Password managers are targets, but hardened against attacks and a net-gain in terms of security
2. Defense in depth is your friend when it comes to online security.
3. Biometrics are generally fine, but...

> I'm sure most of you know more about password managers than I do. It certainly seems a password manager site is the proverbial honey hole for hackers. Cracking into the site would be like getting the keys to the kingdom. I'd consider a password manager, but I think I'd want one that wasn't in the cloud. It seems better for it to reside in encrypted form on one of my devices. Less accessible to hackers and less of a target. Am I off-base in my thinking?
You're not wrong: password managers could be appealing targets for hackers (more on that in a minute). But the main threat isn't a password manager being hacked, it's using short, repetitive passwords across sites. Password managers help address that: they generate a true-random password with one click, and also automatically check for re-use across your various accounts. Re. the cloud piece, you're also not wrong that it can increase the threat surface, but if you have multiple devices it also means you can actually keep them in sync. Most of security is a question of prioritizing what's the biggest threat, and for most people a password manager with some degree of cloud connection is the best choice for "improves my security and is also convenient so I actually use it."

Password managers are far from the only piece of staying secure online. Turning on Multi-factor authentication when it's available, turning on login notifications when available, cleaning out old accounts you don't need, etc., are all pieces of the puzzle. The highest priority for most people, though, is improving what passwords you use and a password manager is far and away the easiest way to make that happen. The link here is a nice rundown of things to consider in terms of online security, in rough order of priority: https://synecdochic.dreamwidth.org/804912.html

Re. the honey hole part: good password managers are designed with their being a target in mind. They assume that threat actors will try to hack/crack them, and design their systems to limit what can be done with the data they have, extend the time that it will take to make that data usable at all, and put systems in place to know ASAP that someone is trying to access or has succeeded in accessing their systems. That's part of why you don't hear of them being hacked more than you do.

> I use a journal book for the handwritten PW. I don't understand the technicalities or risks of cyber science so I just keep it simple. Double factor authentication for all banking and medical stuff. PITA but safe, I think. The journal is about worn out and filled with crossed out and replaced PW.

> For those that truly know, how good, safe, is the facial recognition in my two banking apps on my iPhone? - thanks
Facial recognition is usually fine from a "can someone remotely access the app" standpoint...so long as you keep control of your physical device. If someone gets a hold of your phone they could use a picture of you to access it. I love biometric access for the convenience (I usually go with fingerprints, personally), but for banking I always use username/password, even on my phone.

> Nope. That is very sound thinking that security professionals support. I like to recommend Keepass to folks. If you're a Linux user, pass and pmenu are excellent tools.
Really? 'cause all the security professionals I know and work with are strong proponents of password managers that sync securely across devices automatically, through secure cloud connections.
 
This topic can go deep. The implementation of the encryption algorithm matters. If a company doesn’t open source their code, and/or pay third parties to audit and test the implementation, then you have little assurance that it is robust. Keeping your database under your direct control reduces exposure at the cost of convenience.
 
All good password managers would store passwords (and any other data) in their vaults encrypted using the user's master password/key. e.g. Bitwarden uses AES-CBC 256-bit encryption for all the vault data and 1Password uses AES-GCM-256, which is "arguably better". Both of these are practically impossible to decrypt with the current computing power available without your master password.
Oh and the password manager companies also cannot decrypt your data, even if they wanted to.
 
> All good password managers would store passwords (and any other data) in their vaults encrypted using the user's master password/key. e.g. Bitwarden uses AES-CBC 256-bit encryption for all the vault data and 1Password uses AES-GCM-256, which is "arguably better". Both of these are practically impossible to decrypt with the current computing power available without your master password.
> Oh and the password manager companies also cannot decrypt your data, even if they wanted to.
I was careful with my language above and the distinction is important. AES-CBC, etc. are algorithms that can be implemented in a way that is not robust and allows it to be broken or bypassed. It's why on government work, you have to use validated cryptographic modules. Just implementing an AES 256 algorithm yourself or from just any old software isn't good enough.
 
I'm hard pressed to believe bitwarden or 1Password haven't securely configured their respective ciphers. You don't have to believe me, you can read the excruciatingly detailed audits conducted by credible 3rd party organizations.

Audit Reports
Bitwarden - https://bitwarden.com/help/is-bitwarden-audited/
1Password - https://support.1password.com/security-assessments/

@praveen's post is salient pointing out even if info is obtained by bad actors it's reasonable to think it's in a form not useful to them. I had all of my info on LastPass during their breach almost two years ago and to this day I haven't seen suspicious activity on any of my LastPass managed accounts. I can't say the same thing about my credit/debit card.

Systems will get breached but controls can be put in place to ensure the information isn't of use.

Create strong passwords; change banking / investment / insurance / health related passwords often.

btw... bitwarden has a great password / passphrase generator that's free and easy to use; it does not require you to use a password manager. i.e. notebook people will find it useful too.

that's the end of my sermon, you can go on with your life now; thanks for listening!
 
I also benefited very much from the thread and thanks all, I read thru this thread this morning and then opted for 1Password (family edition is about $48/year and allows 5 accounts). It installed easily and in just a couple hours it's running fine with 3 devices all sync'd up. Small tip: to get it to work while browsing you may need to sign in to the browser extension (I'm using Mozilla Firefox), as it'll sign you out each time you log off etc. If you download/install the application to a laptop (vs access on a web browser) then Windows Smile (face ID) will turn 1Password on for you, so that's easiest and avoids re-activating the browser extension each time you log on.

As discussed above by some smart folks, there's no 100% secure solution but this one seems great for me (thanks all). The cloud data is encrypted, and IF ever notified of a compromise then quickly changing your critical passwords (banking etc) shouldn't be too terrible. One source of (slight) risk, but manageable, is that you have to save your access password and even a longer secret key "somewhere", you can't ever forget where you saved them, you may not type them often enough to remember them esp. if using face recognition, practically you can't use a lock box, and on the other hand you can always lose your wallet!

Good luck all and thanks again.