Password managers vs. Manual password management

WindowRobin

I've been thinking about the use of password managers lately and wondering whether it's worth exploring an alternative.

The problem, as I see it, is with having one master password - I know this is supposed to be kept securely by the developers, but I've heard of several security scares in the last few years. Of course, this is much more secure than simply using the same password everywhere, but if hackers were able to gain access to people's master passwords, surely it would be a goldmine for them and disastrous for everyone else! Even if the master passwords are well protected, this is possible, right?

Back to the alternative... what do you think about the possibility of devising a new unique password each time, writing it down, and physically guarding it? However, this would just be for the accounts you deem most vital, so a password manager could still be used for less important accounts. I know it sounds inconvenient, and I suppose it would only work if you're not prone to losing things, but could it be a viable option?
 

With all the available password manager programs/apps around I often wonder if any of them have any "backdoors" that send your personal info to somewhere. Maybe I'm just paranoid but I keep my passwords list off line and wouldn't consider a password manager program.
 

Exactly, it's always a little disconcerting to have the key to so much sensitive information in one place. I was reading this earlier, mainly to get an idea of what each password manager offers, but then I noticed right the "Residual Risk" heading...:
"Further challenges include a certain dependency on already-prepared data bases as well as the fact that local installations only allow password managers to be used on private computers. Options involving cloud functions are also associated with higher risk."

Seems like a pretty big deal really. Either you go with a locally installed password manager, which sounds far less convenient, or you go for the cloud and risk being the target of a hack. Not ideal! Can someone tell me if I'm missing something here?
 

I'm with fireberd on this..been doing it that way forever!

I personally use Excel, but there are numerous other options.

Lee
 

I use a manual system (in my head), and occasionally written down away from the computer.

I don't trust password managers. I think that they are too easy to hack. All it takes is one accidental keylogger to snag my master password and all of my passwords are compromised.

A pencil and some paper is the best defense.
 

I personally have never had a pencil or paper hacked. When I upgraded to pen; still no hacks.
Maybe I'm just lucky.:D
 

Or you use a good anti-malware on that paper. ;)
 

Paper works for many people. It would not work for me (and many others). In this old post, I mention that I had just under 400 accounts/passwords to keep up with. I checked before making this post and I'm now closer to 300 accounts/passwords.

The KeePass database is electronically searchable - which is the only way that I can find some accounts. A lot of those passwords are related to those that I support. e.g. I use KeePass to generate a unique/long password for TeamViewer access.

One man that I support uses pen/paper to track account credentials.
His list has never been hacked :-)
His home office burned to the ground :-(
His list was in a "fireproof" safe :-)
His list burned up anyway :-(

A woman that I support was near Katrina. She moved far from there and decided to keep important stuff in a small fire/water resistant safe. That is where her paper password list was when a tornado took the roof off of her 3rd story apartment. She never found that safe. If someone else found it (and got it open), they had lots of important info. We tried to change the passwords on her accounts, but she could never be sure that she remembered every account on that list.

While a fire/tornado event is rare, losing the paper list is not that rare among the elderly that I support. Also, my "clients" have told me that they changed the password on an account and failed to write it down or wrote it down wrong or could not read what they wrote. Whatever happened, they could not get in to a particular account. Systems like KeePass create/save the new password and make a backup of the old password. Sometimes, a password change does not go thru and you need to know/try the old password.

The KeePass encrypted database is a local file, but I back it up to an encrypted online storage provider. Yes, an employee of the online storage provider could get to my KeePass file - then spend years attempting to get into the file.

Back doors into apps are hard to keep secret when there are millions of users of that app. People sell such valuable secrets and buyers greedily use the "secret" over and over and over. Once that happens, the secret is out.



The problem, as I see it, is with having one master password - I know this is supposed to be kept securely by the developers, but I've heard...
There is no master password like that to KeePass (unless there is a secret back door). You pick your own master password to unlock your KeePass database*. Yes, a lot is riding on that password - but consider this: most online account passwords can be reset via e-mail. The password to your e-mail account becomes a master password for all of your other accounts. [Which is why I have lots of different/active e-mail accounts.]

*You can have multiple KeePass databases with different master passwords (e.g. not all of your eggs in one basket). Have the name of the shortcut to each database include a tiny (one character) password hint and maybe a hint as to its contents. For example: P9 could be the shortcut name to the KeePass database that holds credit card account info. The P is for plastic. Plastic being slang for credit cards. 9 might not be enough to help you with a master password, but it works for me.
 

I, too, have been using KeePass. The UI could stand some improvement, but it otherwise works well.
 

UsernameIssues

I understand that one method will not suit everybody's needs.
I'm in the belief that most don't have hundreds of needed passwords.
For those that do have that many passwords, pencil and paper would not be my suggestion.

If my house burns down and destroys all my passwords so be it.
It's my fault for not having a second or third copy in other locations.
If my house burns down I will have more to worry about than passwords.
If passwords are stored on a computer, any computer anywhere, they are susceptible to being hacked. If one just reads a few Security Websites it should be enough information to prove that anything on a computer can be hacked.
If one understands that and still chooses to use a Password Manager so be it.

Of course this post is just my thoughts and opinions. YMMV
 

If my house burns down I will have more to worry about than passwords.
As long as you can handle your finances (e.g. manual online bill pay) - you'll be fine. Many people are too tied to their online accounts. You can probably get temporary checks from your bank and pay bills that way. Some young people don't even have checking accounts. Hopefully, they will think about a disaster recovery plan.


Some have advised that it is best to immediately stop* any automated bill payments after a disaster (if you can do so without breach of contract). That lets you re-prioritize the spending of any cash on hand.

*or change to minimum payment levels


I wonder how many online accounts a normal person has to keep up with. A dozen? Of those, how many are important? (e.g. I would not need access to many forums right away.)
 

Silly old me I didn't think of how some people are tied to online payments or automatic payments.
I still pay all my bills with old fashion checks using snail mail.
I still get my bank statements through snail mail.
When I need extra cash I still have to walk in the bank's front door and do a withdrawal with pen and paper.

That is why I believe that one method will not meet every person's needs.
I'm glad to see that WindowRobin is looking into options and asking questions.
Passwords and I.D. numbers are such a big part of today's life, it's a good thing to understand the proper storage and use of them.

***Is it possible to use a Password program from a thumb drive and only plug it in when needed?
That should give some degree of security.
 

Got a super sized DonationCoder newsletter today. One of the links inside was:

Comparative review of password managers - DonationCoder.com

Read Reply #5

I use LastPass (browser plugin). Advantages are using complex passwords to auto login to websites.

RE: LastPass hacks. I've been notified about those twice and both times they stated that the master password was possibly compromised. There's no problem with that as long as the password is changed and was not used for other sites.

For really important passwords (banking, email login etc) - those passwords are stored only in my brain.

Portable: You can try LastPass Pocket. I prefer the browser extension.

https://helpdesk.lastpass.com/lastpass-on-the-go-2/#h2

or KeePass Portable:

Downloads - KeePass

Also I used Dashlane in the past:

https://www.dashlane.com/security

Probably the most secure password manager but can be tricky to configure and needs to be running in the background all the time.
 

I have my own system for passwords.

I have codes that I have made up that act as clues to about 25 different passwords.
For instance, one clue is CH. That stands for "childhood home".
The password for that is a street number, name and town.

I keep the master list of passwords and clues at home.

When I log in to a new site, I add the name of the site to my phone's address book.
Under the notes section, I add the clue for the password.
This way I can look up passwords for any login I need at any time by clue only.
The passwords are never on my phone and the clues have nothing to do with the password (except to me)
My passwords and clues have become quite imaginative over the years and I keep adding to the list.
 

I also don't like the idea of handing over my passwords to someone else to manage.
 

If you're OK with writing down your passwords, then you have almost nothing to lose by moving to a password manager -- and much to gain. The main problem with password managers is you still have to remember a master password, and it obviously needs to be pretty strong.

Writing down passwords means they can be lost, stolen by burglars (who might then use them) or even by people you know and would be intent on harming you, or destroyed by fire. If you're ready to run those risks for individual passwords, then you're ready to run it for a master password. In fact, mix both methods: learn your master password by heart, the way it should theoretically be done for maximum security, write it down several times, and store at least one copy offsite, in a bank safe for instance.

The digital part of your password vault is almost impossible to lose if you do things properly: the database is encrypted, it cannot be hacked if you don't rely on cloud password managers but store it instead locally, and you can (and should) make several copies of it, on different hardware. At least one of those copies should be stored in the cloud (or at least offsite).

It's not as risky as relying on a cloud password manager, provided you do it right by encrypting the file before it leaves your home or office. Which it already is, since any offline password manager worth its salt (pun intended) encrypts its database.

If you want both belt and suspenders, you could even choose an end-to-end encrypted, zero-knowledge cloud provider such as Spider Oak (United States), pCloud (Switzerland), Tresorit (Italy), Team Drive (Germany) or Sync.com (Canada), which, by technical design, cannot look into your files or pass them on, in clear text, to your government. This is in contrast to the big providers such as Google Drive, Microsoft OneDrive or Dropbox, which encrypt your files... but keep the key, and reserve the right to look into them in their EULA. (Of course, they cannot do that if you have, yourself, provided the encryption before using theirs.)

If you want free storage, the only zero-knowledge provider I've found is Sync.com, which offered 5 Gb the last time I checked. More than enough for a password database.
 
