Storing Passwords?


  1. Posts : 657
    Windows 10 Pro
       #1

    Storing Passwords?


    I have many accounts in many different sites. Read to not use same password on same site for obvious reasons. I have all my usernames/passwords on my computer in a Microsoft Office sheet and also on my USB as well. Obviously if I lose it, that's very bad b/c it has the site and the password in it.


    First off, how does one lock a document? I know when someone sent me an Adobe document, I couldn't open it without entering a password that they told me. So basically whenever I try to open the same document that is saved on computer, it requires the password. Can someone tell me how I would be able to do this for Word documents? I have OpenOffice by the way and not Microsoft Word on this computer.


    Also is there a place to store it online? I heard someone mention KeePass. I downloaded it but not sure how it really works. So basically you only need to remember 1 password right? Then when you access it, you have all the passwords for each site you have on it? How does one even put the password in KeePass? Are you supposed to type it manually or transfer a document to it such as an OpenOffice or Microsoft Word or WordPad or Excel sheet, because I'm not sure how that works. Also is KeePass very safe? Thus if someone hacks your acct, then they would have all the passwords. So would it be a good idea to just put passwords in it but don't put the actual site to it and just recall which password is which site when you see all the passwords if that makes sense?


  2. Posts : 5,642
    Windows 10 Pro (x64)
       #2

    Try LastPass instead. It will not only store your passwords securely, it will store them in an ever accessible cloud for all your computers. But be warned if you forget your master password for LastPass, you lose all your passwords. LastPass cannot recover your data without your master password.

    Oh and you can set up two-factor authentication with LastPass making it even more secure.


  3. Posts : 4,751
    Windows 7 Home Premium 32-Bit - Build 7600 SP1
       #3

    If no one accesses your PC, there is not much to worry about. If they do, you can have the normal password to access your Profile. Even if someone breaks your Profile Password, you can store your list of Website Passwords under three layers of Folders and they will be pretty well hidden. That is what I do.


  4. Posts : 6,741
    W7 Pro x64 SP1 | W10 Pro IP x64 | W8.1 Pro x64 VM | Linux Mint VM
       #4

    logicearth said:
    Try LastPass instead. It will not only store your passwords securely, it will store them in an ever accessible cloud for all your computers. But be warned if you forget your master password for LastPass, you lose all your passwords. LastPass cannot recover your data without your master password.

    Oh and you can set up two-factor authentication with LastPass making it even more secure.
    Can you edit passwords on a regular basis? I use an Excel file at the moment seeing as only I use my PC but that sounds decent.


  5. Posts : 5,642
    Windows 10 Pro (x64)
       #5

    Boozad said:
    Can you edit passwords on a regular basis?
    Of course. Edit and change as much as you want.


  6. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #6

    Password security


    Well it's just my opinion but if software can recover your passwords from files then any user with access to your PC can recover them hidden or not - unless they're encrypted.


    I guess the bottom line is that if you can view/recover passwords using forensics tools then so can malware - potentially - if it manages to sneak onto your system undetected.


  7. Posts : 77
    Windows 7 Pro 64-bit
       #7

    Spend a little time playing with Keepass and I think you can pick it up. I use it with thousands of passwords (I have many clients I maintain) and it works great. It is easily searchable and you can create groups etc to set it up how you like.

    You can get started by importing your current passwords in either CSV or XML formats: File Formats - KeePass


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #8

    paulyjames said:
    ~~~
    First off, how does one lock a document?
    ~~~
    I've never considered this a safe way to store important info, so I've not kept up on how to lock a document. You could encrypt the document using the Operating System or a 3rd party tool, but you are better off using a tool (like KeePass) that was designed for the task at hand. KeePass is a mature product and it takes care of security issues that you and I don't understand.




    paulyjames said:
    ~~~
    Also is there a place to store it online?
    ~~~
    Yes, but keeping it (your document or your KeePass database file) out of the hands of others is now back in your hands. You would need to stay educated on the issues related to cloud storage security.




    paulyjames said:
    ~~~
    ...I heard someone mention KeePass. I downloaded it but not sure how it really works. So basically you only need to remember 1 password right?
    ~~~
    Correct. In its simplest mode of operation, you only need to remember one password.




    paulyjames said:
    ~~~
    ...Then when you access it, you have all the passwords for each site you have on it?
    ~~~
    Correct.




    paulyjames said:
    ~~~
    ...How does one even put the password in KeePass? Are you supposed to type it manually or transfer a document to it such as an OpenOffice or Microsoft Word or WordPad or Excel sheet, because I'm not sure how that works.
    ~~~
    You can type it all in or import your existing info. cyberSAR provided info on importing... but I would consider typing it in and taking this opportunity to change the password for your important accounts. Humans are not very good at picking random passwords. KeePass can create better passwords for you.

    I started using KeePass many years ago and I too found it hard to figure out the first steps to do to get started. For this post, I had a hard time finding a video that stuck with the simple steps of getting started. Most videos dealt with advanced features or using KeePass along with browser plugins.

    See if this video helps you:

    I'm not associated with or recommending the company mentioned in the video.

    In the video she shows right clicking on an entry and selecting various actions from the context menu. You can also open a URL by double clicking on that URL area for the entry of interest. Double clicking does not show up well in a video - so maybe that is why she opted for the slower right-click method. You can also Double click on the password area for an entry and the password will be copied to the Windows clipboard. Then (as shown in the video) you paste it into the browser field of interest.

    There is some risk involved in using the Windows clipboard, so KeePass (by default) clears the clipboard after a few seconds. There is an option to have KeePass clear the clipboard info after one paste operation has occurred, but if your computer is infected with an app that is recording your clipboard operations and your antivirus app has not detected that - then you have bigger problems than how long info stays in the OS clipboard.

    I tend to copy/paste the password first, then copy/paste the user ID. The password is in the clipboard the least amount of time. There are 3rd party apps that pass info to browser fields without using the OS clipboard, but then you have to research and stay informed about any security related issues with those apps.




    paulyjames said:
    ~~~
    ...Also is KeePass very safe?
    ~~~
    A perfectly good question ---- that is hard to answer. I could just say, "Yes, KeePass is safe". But I'm not sure how or why that would satisfy you. I could provide links to papers/blogs/videos about why it is safe, but the info gets deep into terms and concepts that most people would not understand. It is possible to break into a KeePass database and (according to this website) it is possible to do so in a reasonable amount of time using regular computers (not super computers). The info on that website does not disclose how to get into the KeePass database - so I hope that I'm still within the forum's rules.

    I will still use KeePass and accept the slight risk that someone wants into the file.




    paulyjames said:
    ~~~
    ...Thus if someone hacks your acct, then they would have all the passwords. So would it be a good idea to just put passwords in it but don't put the actual site to it and just recall which password is which site when you see all the passwords if that makes sense?
    ~~~
    That sounds like a good plan, but I have too many accounts/websites/things to remember.




    logicearth mentioned LastPass and even with its security flaws/weaknesses, LastPass is still a good option - if you are careful. I've not used LastPass, but I'm not sure that it would work for me. I use KeePass to track info that is not related to the internet. The note section for each KeePass entry is a good place to keep info like the date/name of the person that I spoke to when renewing contracts. I can record order confirmation codes, pricing offers or anything else that I need to.





    Edit: I'll add a note from my experience using software to generate passwords. As shown in the video, you can let KeePass (or LastPass) create passwords for you and they can be long passwords because you don't need to remember them. However, some websites (and applications) will accept the long passwords and silently only use some of the characters. In other words, let's say that you let the software create a password that is 15 characters long. You go to the website's interface for changing passwords and paste in your new 15 character password. Everything appears to have worked. There were no errors during the password change process and the website makes no mention of the number of password characters allowed. But when you test logging on, it fails.

    [I had run into this before with VNC password. The UltraVNC password change interface accepts "long" passwords but only uses the first 8 characters. But when it comes time to actually use the password, the UltraVNC interface accepts more than 8 characters - then fails to authenticate you. Once you know about the 8 character limit, you can simply use the first 8 characters of the password.]

    I figured that the same sort of thing was happening with the website. If I could contact a human and find out the password character limit, I could just change my KeePass info to match that limit. I called, but the human would not tell me the character limit! They would only reset the password. Experimentation determined the limit to be 12 characters... then I closed the account.
    Last edited by UsernameIssues; 25 Oct 2014 at 14:16.
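
The mismatch described in the post above, as an added example that is not part of the original thread: a hypothetical service whose password-change form silently keeps only the first `MAX_LEN` characters while its login form hashes everything typed, next to a stricter form that rejects over-length input. The class and function names, the 8-character limit and the sample password are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 8  # assumed limit, matching the 8-character behaviour in the post
SAMPLE = "Xk7#pQ2vLm9!zR4"  # constructed 15-character generated password


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TruncatingService:
    """Hypothetical service: change form truncates, login form does not."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = b""

    def set_password(self, password: str) -> bool:
        # Silent truncation: only the first MAX_LEN characters are stored.
        self.stored = _hash(password[:MAX_LEN], self.salt)
        return True  # the user sees no error

    def login(self, password: str) -> bool:
        # Hashes everything typed, so the full-length password never matches.
        return hmac.compare_digest(self.stored, _hash(password, self.salt))


class StrictService(TruncatingService):
    """Hardened form: refuse over-length input so the limit is visible."""

    def set_password(self, password: str) -> bool:
        if len(password) > MAX_LEN:
            raise ValueError(f"password exceeds {MAX_LEN} characters")
        return super().set_password(password)


def effective_length(service, password: str):
    """Return how many leading characters of your own password the service
    kept, trying the longest prefix first; None if no prefix logs in."""
    for n in range(len(password), 0, -1):
        if service.login(password[:n]):
            return n
    return None


if __name__ == "__main__":
    svc = TruncatingService()
    svc.set_password(SAMPLE)
    print(svc.login(SAMPLE), effective_length(svc, SAMPLE))
```

On a real account each failed attempt may count toward a lockout, so the practical habit is to test the login once right after setting a generated password and record the working length in the password manager entry.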


  9. Posts : 5,642
    Windows 10 Pro (x64)
       #9

    UsernameIssues said:
    logicearth mentioned LastPass and even with its security flaws/weaknesses..
    I'm curious what flaws and weaknesses are those? If syncing to the cloud is what you are referring to, then no that is not an issue. Even if the LastPass servers are compromised your data is not. Everything is done locally on your machine; all you send to LastPass is an encrypted blob of data. Your password is never even transmitted to LastPass. Thus if you forget your password for any reason, LastPass CANNOT recover your data.

    Now unless you know a way to break AES-256 encryption with PBKDF2 then please tell us. (Outside of brute forcing weak passwords, that is a given.)

    Not to mention with LastPass you can even set up two factor authentication improving security.
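
The model described in the post above (key derived locally, only an encrypted blob leaves the machine), sketched as an added example that is not part of the original thread and not LastPass's code. AES-256 is not in Python's standard library, so an HMAC-SHA256 keystream stands in for it here; the iteration count, function names and sample vault entry are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch
VAULT = b"dropbox.com,alice,Xk7#pQ2vLm9!zR4"  # constructed sample entry


def derive_keys(master_password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 on the client: 32 bytes to encrypt, 32 to authenticate."""
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                            ITERATIONS, dklen=64)
    return k[:32], k[32:]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-256-CTR (not in the standard library):
    # HMAC-SHA256 over nonce||counter used as the keystream.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        stream += block.digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password: str, vault: bytes) -> dict:
    """Encrypt locally; the returned blob is all a sync server would store."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = _xor_stream(enc_key, nonce, vault)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_blob(master_password: str, blob: dict):
    """Return the vault, or None if the password is wrong or the blob changed."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    data = blob["salt"] + blob["nonce"] + blob["ct"]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])
```

Whoever holds only the blob has nothing to work with except guessing master passwords, paying `ITERATIONS` hash rounds per guess, which is why a weak master password remains the exposure the post concedes.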


  10. Posts : 10,485
    W7 Pro SP1 64bit
       #10

    logicearth said:
    UsernameIssues said:
    logicearth mentioned LastPass and even with its security flaws/weaknesses..
    I'm curious what flaws and weaknesses are those? If syncing to the cloud is what you are referring to, then no that is not an issue. Even if the LastPass servers are compromised your data is not. Everything is done locally on your machine; all you send to LastPass is an encrypted blob of data. Your password is never even transmitted to LastPass. Thus if you forget your password for any reason, LastPass CANNOT recover your data.

    Now unless you know a way to break AES-256 encryption with PBKDF2 then please tell us. (Outside of brute forcing weak passwords, that is a given.)

    Not to mention with LastPass you can even set up two factor authentication improving security.
    Google seemed to find articles mentioning several flaws. I did not read about each one to see how likely the flaw is to be exploited (i.e. how many unlikely things must fall into place before an exploit can be successful).

    Here are two old (and hopefully fixed) flaws that I came across:

    Perhaps I'm reading page 8 of this PDF wrong...
    http://devd.me/papers/pwdmgr-usenix14.pdf
    ...but it sounds like every set of credentials could be stolen.

    LastPass Bookmarklet Attack. Figure 4 illustrates how a malicious web application evil.com can steal Alice’s credential for dropbox.com. When Alice visits the attacker’s site evil.com and clicks her LastPass bookmarklet, the attacker uses any of a number of hijack techniques [1, 8] (e.g., Function.toSource) and extracts both h and _LASTPASS_RAND. Then, the attacker imitates Step 6 from Figure 3 (as Step 2 here) by writing a <script> tag with src set to lastpass.com/bml.php?u=dropbox.com and adding the parameters rh (any string of length 64), r (any number), and h (from the bookmarklet).

    The downloaded script, which runs on the attacker’s page, includes all the information needed to decrypt credential for dropbox.com (notably, key_rand_encrypted). Again, the attacker uses the JavaScript hijack technique to extract out the encrypted credential and decrypts them with the _LASTPASS_RAND value stolen earlier. The attacker can repeat the attack to steal all of Alice’s credentials, violating the confidentiality of the credential database.
    Page 9 goes on to talk about a second flaw.

    Here is another take on the two flaws mentioned in that PDF:
    http://blog.lastpass.com/2014/07/a-n...-lastpass.html
    In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs).
    The weakness in LastPass that I mentioned stems from using a web browser as part of password management. That seems like a dangerous app to try and keep so many accounts secure. I'm not the only person to hold that opinion - but I would still suggest that people use LastPass vs. using one weak password everywhere.

    LastPass has to rely on many parts/apps to its security equation. That is harder to pull off than the simpler KeePass model. Here is a flaw that probably was not exploited:
    http://blog.lastpass.com/2014/07/goo...rity-flaw.html



    Can you tell me if LastPass lends itself to keeping passwords for say UltraVNC connections? Would I just create an entry that does not really link to a website? Can LastPass organize entries by folders? Thanks for your time.


 