I'm not resisting your suggestion, but trying to understand. I looked at your link and saw nothing there about why copy and pasting a password into a web page logging was unsecured, or not as secure as using a password manager.

Maybe not copy/paste but this:
  • File integrity checks: Even if the file's encrypted, it's not necessarily protected against unauthorized modification. Password Safe implements integrity checks on the file so that an attacker cannot modify it without knowing the master passphrase.
Can you clarify? If there is a good reason to be using a program like this, I'll be happy to. Btw, this product does not appear to have a Mac version. I need cross platform.

The short answer is that it automatically clears the clipboard contents from memory after a very short period of time. With your method you need to do that in some manual way, or else you are at risk of having your password compromised via a simple malicious bit of code that could be embedded in any web page.

There is a Mac version in the app store. I use it on a couple of Macs, iPhone, iPad, my work Windows computer. Everything stays in sync perfectly.
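
The file-integrity point quoted in the post above, as an added example that is not part of the thread and not Password Safe's actual file format: a MAC keyed from the master passphrase detects modification, while a plain checksum can be refreshed by whoever edits the file. The blob layout, function names, PBKDF2 work factor and sample bytes are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN = 16, 32
ITERATIONS = 200_000  # assumed work factor for this sketch

def mac_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the master passphrase into a MAC key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)

def seal(passphrase: str, ciphertext: bytes) -> bytes:
    """Return salt || ciphertext || HMAC-SHA256(salt || ciphertext)."""
    salt = os.urandom(SALT_LEN)
    tag = hmac.new(mac_key(passphrase, salt), salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag

def verify(passphrase: str, blob: bytes) -> bool:
    """True only if the blob is unmodified and the passphrase is right."""
    if len(blob) < SALT_LEN + TAG_LEN:
        return False
    salt, body, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key(passphrase, salt), salt + body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def seal_unkeyed(ciphertext: bytes) -> bytes:
    """Weak variant: a plain SHA-256 checksum that anyone can recompute."""
    return ciphertext + hashlib.sha256(ciphertext).digest()

def verify_unkeyed(blob: bytes) -> bool:
    body, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(body).digest())

def demo() -> dict:
    ciphertext = bytes(range(64))  # constructed stand-in for encrypted vault bytes
    master = "correct horse battery staple"  # constructed passphrase
    modified = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]  # one flipped bit
    sealed = seal(master, ciphertext)
    # Modification without the passphrase: body changed, old tag kept.
    edited = sealed[:SALT_LEN] + modified + sealed[-TAG_LEN:]
    return {
        "keyed_intact": verify(master, sealed),
        "keyed_modified": verify(master, edited),
        "keyed_wrong_passphrase": verify("guess", sealed),
        # Unkeyed checksum: the edited file carries a freshly computed digest.
        "unkeyed_modified": verify_unkeyed(seal_unkeyed(modified)),
    }
```

Only the last result is `True`: the modified file passes the unkeyed check, which is why the integrity check has to depend on the passphrase.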
 
The strength of your password only matters for preventing someone from brute-forcing or guessing it in order to open your file.

But being paranoid myself, I would clarify what I think. When closed/encrypted, your DMG file is safe, as long as no backdoor is implemented in either the encryption algorithm or the file system. That is fine.
But when you "unlock" the DMG and need to open your file, it is opened UNENCRYPTED. That means that, in order to be able to read and edit it, the file system must store it somewhere. How that is implemented, I am not sure. But having secure virtual memory ON and FileVault ON would probably help there.

Another vote for not storing the passwords outside of the password managers is the need to copy-paste your passwords from one application to another, or to type them. It is a huge security risk.

I am a big fan of PGP, and plaintext.
Also, I would ALWAYS use the open source (to prevent eventual backdoors) such as KeePassX or GPGTools, or finally TrueCrypt (audited!).

That is something I did not think of! I did not think about what is being copied into memory that is used for cutting and pasting of information. Are these tools that you mention used in programs like LastPass or 1Password? Or are these a separate set of tools that reside outside of most if not all major password managers?
Why is copy paste a huge risk, bigger than using a password manager that inserts the password at the appropriate time?

This is something I didn't think about also. You have basically copied your password into the area of memory that is used for retrieval of said copied information. How it is managed by the OS once it is copied and then another item is copied, I do not know. But this is a good question and the link has some very interesting items to read about! This would go for any program that you would need to copy and paste items out of a program.
 
1Password is more than just passwords. If I clutch my chest and collapse, it's the one place my grieving widow will find everything: passwords, bank accounts, credit cards, software licenses, auto information (VIN, registration, etc.), receipt information, etc. About the only thing it won't do is scrub my browser history. :)

This is what makes it so worthwhile to have above keychain. Plus you can create shared vaults. I have my router passwords, ID copies, passport copies, security keys, etc. I like that I can choose when to use logins and other info instead of auto filling when I go to a web page.

If you are away from your Mac or iPhone, you can use 1PasswordAnywhere, which has come in handy a couple of times for me.
 
This is what makes it so worthwhile to have above keychain. Plus you can create shared vaults. I have my router passwords, ID copies, passport copies, security keys, etc. I like that I can choose when to use logins and other info instead of auto filling when I go to a web page.

If you are away from your Mac or iPhone, you can use 1PasswordAnywhere, which has come in handy a couple of times for me.

Wasn't aware of the access through Dropbox, thanks for bringing that to my attention!
 
1Password is more than just passwords. If I clutch my chest and collapse, it's the one place my grieving widow will find everything: passwords, bank accounts, credit cards, software licenses, auto information (VIN, registration, etc.), receipt information, etc. About the only thing it won't do is scrub my browser history. :)

That's assuming you gave her your master password, of course. :)

I guess that someone could use my fingerprint to unlock my iPhone and 1Password if they get to me quickly enough. But I probably should consider making my master password available in some other way.
 
I have some questions about security:

1. If somebody got access to your iPhone or the Mac, will they be able to access all the passwords if you use:
a) 1password
b) keychain on Mac OS

2. If somebody got access to the only password to unlock the vault, that person will have access to all the passwords. Am I right?

3. If a hacker can hack into the ipassword app, the hacker can gain access to all the passwords. Am I right? How likely will that be?

4. Can we trust companies that make these password storing apps? If somebody dishonest works for those companies, that person could gather our passwords.
For those of you wanting to buy 1Password, I just noticed it is 50% off today at $24.99.

App Store Link

It seems that the MAC version costs money while the iOS version is free. Am I right? I use iPhone and MacBook Pro (both Mac OS and Windows). Do I need to get both versions Mac and PC versions or just the free iOS version? I suppose I can just install the free iOS version and store all passwords on my iPhone. Why do I still need the MAC and/or Windows version?
 
I have some questions about security:

1. If somebody got access to your iPhone or the Mac, will they be able to access all the passwords if you use:
a) 1password
b) keychain on Mac OS
a. no
b. no, but possible if the keychain has the same password as your account password which is known to the attacker.
2. If somebody got access to the only password to unlock the vault, that person will have access to all the passwords. Am I right?
yes.
3. If a hacker can hack into the ipassword app, the hacker can gain access to all the passwords. Am I right? How likely will that be?
yes.
likely that someone would install a keylogger on your machine.
4. Can we trust companies that make these password storing apps? If somebody dishonest works for those companies, that person could gather our passwords.
no.
 
For those of you wanting to buy 1Password, I just noticed it is 50% off today at $24.99.

App Store Link

Still on sale today. Windows-Mac bundle $35. That may put me over the edge. ;)
Still trying to figure out if this is primarily a convenience issue or a security issue. My understanding is that a single license covers 5 individuals in a family, which is good.

Answer: Are family licenses available?
Your 1Password for Mac and 1Password for Windows licenses can be shared with up to five family members of the same household at no extra cost. That’s six people in total, including you.

But I have 2 computers and my wife has 1. I won't spend $105 for this if it is a single computer license.

Answer:
Let’s use 1Password for Mac as an example to help explain things. If you purchase a single user license of 1Password for Mac, you can install and use 1Password on all your Macs. On iOS, Android, and Windows, however, your 1Password for Mac license does not apply so you need to purchase separate licenses.

Does this work with all sites with a login or are there caveats?
 
a. no
b. no, but possible if the keychain has the same password as your account password which is known to the attacker.

yes.

yes.
likely that someone would install a keylogger on your machine.

no.

So, it is better not to install iPassword on a work computer or let somebody else use my computer. Am I right?
 
1Password doesn't store, hold or access your information. They can get hacked but your information is on your computer and is encrypted.

I am a bit confused. Could you please clarify? Doesn't iPassword store all the password information of various accounts? What information is on the computer and encrypted? Do you mean those iPassword generated passwords?
 
I am a bit confused. Could you please clarify? Doesn't iPassword store all the password information of various accounts? What information is on the computer and encrypted? Do you mean those iPassword generated passwords?

1Password stores the information you request it to store in an encrypted database stored where you tell it to be stored (i.e. on your hard drive). That database is not sent to 1Password. You retain control over it.
 
1Password stores the information you request it to store in an encrypted database stored where you tell it to be stored (i.e. on your hard drive). That database is not sent to 1Password. You retain control over it.

Thanks. Which is the best location to store the encrypted database? Since it is encrypted, do I have to worry about selling my computer to strangers later?
 
Thanks. Which is the best location to store the encrypted database? Since it is encrypted, do I have to worry about selling my computer to strangers later?
It's a file, and you can choose the location. Once you sell the computer, one of the things you will want to do is reformat the drive and reinstall osx. This will remove all personal information and apps. Of course you will want to have a backup of your data prior to reformatting.
 
I like to store everything in one place and use an app called eWallet. I store credit cards, bank account details, passport details, airline frequent flyer details, car details including VIN numbers, passwords, even equipment serial numbers. It is encrypted and there is both an iPhone and an OS X version.
 
It's a file, and you can choose the location. Once you sell the computer, one of the things you will want to do is reformat the drive and reinstall osx. This will remove all personal information and apps. Of course you will want to have a backup of your data prior to reformatting.

Thanks. Is the following procedure good enough to prevent whoever will gain access to my computer from accessing the files?

https://support.apple.com/en-us/HT204904

Somewhere I heard that if I don't do something under something called safe mode, somebody could recover the deleted data.
 
Yes, that article correctly identifies the steps needed to reformat your Mac.

If your storage unit is an SSD, then the data is gone. If you have a hard drive, you can secure erase the drive, but in all likelihood, unless you're talking about the FBI or some hacker group, the steps in that article are more than enough.
 
Hi guys,
Use open source free software KeePass if you want to be assured that no company owns your data. The KeePass database you can sync over Dropbox.

Why bother with Excel documents and such?
Use the correct tool for the correct thing.
 
I didn't read all of your link, but it sounded like the problem with 1password was specifically the 1password.anywhere feature, which you are not required to use at all.

Honestly, there is risk in everything. And, yes, putting all your passwords in one place (even if encrypted) represents a risk to you. However, unless you can memorize dozens and dozens of different strong passwords, I think using a manager that lets you retain full control over your passwords is relatively low risk.
 

No, it's not. The issue with 1Password was not that passwords were being stored as plain text - only the metadata for passwords (the URLs and website names) was. The passwords themselves were encrypted. And AgileBits now provides a way to encrypt the metadata, too. This blog explains it well.

(Incidentally, the post in the tom's guide thread that you cited even stated that it was about the metadata, but began with "1Password was found to be storing your passwords in plain text," which is incorrect.)

Truth is, nothing is perfect. Whether you store your passwords and other sensitive data using a password manager or you keep them in a Post-It note under your desk, there are methods like key logging that can steal them. You just have to be realistic in balancing risk vs. convenience. For me, 1Password offers just the right balance.
 