Post by trlove on Jan 6, 2020 10:43:47 GMT -5
Could Dana or someone else write an explanation on the use of password managers? It seems that our world is revolving around logins and passwords and it is getting overwhelming trying to manage these in a file on a thumb drive or on a piece of paper. I understand the concept of having one "Master" password that unlocks a vault for all of the other passwords, but I don't understand how you give access to a login page to access the necessary passwords. It seems to me that if you open up the whole vault to one login page to find the necessary password, you put all of the passwords at risk. It also seems that if the site that holds the key to the vault were hacked, it would expose all of the passwords for all of their clients. You do remember the Experian disaster? Somehow this method doesn't seem too secure, but everything I read says that it is the most secure way of managing your passwords. Can someone go into depth with an explanation of this or maybe suggest a better way of managing the passwords?
Thanks in advance
Tom
Post by steve04 on Jan 6, 2020 11:28:58 GMT -5
I use Lastpass and have for years. It is a browser add-on that fills in the username and password for a site when it notices that you are on that site. It uses encryption when it fills in the username and password so that key loggers cannot see them. When Lastpass is active it can also notice that you are on a new site and when you enter a username it will offer a generated password if you want and then save both the site and the username and password so that next time you go to the site it will fill in the username and password. You can also use Lastpass to automatically go to sites and have it log in for you. Lastpass will also notice if you have changed a password for a given site and update its copy of the password. It also allows you to save encrypted notes. I use these to save those backup questions some sites ask to make sure you are you.
I use another add-on in conjunction with Lastpass called Blur. Blur creates dummy email addresses and forwards any email to your preferred email address. You could just use Blur as a password manager for it does that too. Most sites today want your email either as a username or to get in touch. Blur allows you to have a unique email address/username for each site you join. On Blur's web site (unique to you) it lists all the email addresses you have with them and the ability to turn them off and on. Say for example you have an Amazon account and you don't want their persistent emails about deals you may be interested in. You can turn it off, and Blur will not forward any further emails until you turn it back on. I turn it on when I've made a purchase and want emails pertaining to the status of my order and then turn it back off.
The emails forwarded will be marked as 'Masked' and the site or label you choose will be displayed so that you know who it's from. You can tell if a site has sold your email if you get email from a company that is not what the label says.
If a site gets hacked the hacker will only have the one email (the dummy Blur one).
drcard
Software Review Panel
Posts: 580
Post by drcard on Jan 6, 2020 21:03:08 GMT -5
Hi Tom,
I’ll be happy to explain how password managers work and the security behind them; however, I use password managers in a very limited way.
Password managers are for login pages of web sites. The Password manager has a data base where it stores the user ID and password for different login web pages. Access to the Password manager and its data base is thru a password for the Password manager (this is called the Master password). Web sites that you have to login to will have a login page with a static IP address and boxes to enter the user ID and password to have access to the site. That web site login page’s address, what is entered in the User ID box, and what is entered into the password box is saved into the Password manager data base. When you go to that login page the Password manager will fill in the User ID and password boxes from the data base. Often you have to enter the master password to allow access to the Password manager data base to fill in the boxes. Hence the concept that you have to learn only one password to access all the other passwords.
Your passwords in the Password manager are only as secure as the master password for the Password manager. The Password manager’s data base is usually encrypted so the only way to access the data is thru the master password the data base is encrypted to. The Password manager provides only the User ID and password for a specific page and no web site can access any data in the data base or “see” the master password you enter to access the Password manager’s data base.
That being said, many password managers work with encrypted cloud databases. Also if someone did get your master password, they would have access to all the passwords in that database.
First, not all passwords you have can be handled by a password manager; so, you can’t use a password manager for all your password needs (such as login to Windows, WiFi password, etc.). Second, not all user IDs and passwords require high security. There is no way you are going to remember all the user IDs and passwords, so it needs to be kept somewhere. If you keep all your web site IDs and passwords in a Password manager and the data base becomes corrupted so the master password will not open it, what are you going to do then?
I use a combination approach for my passwords. I have created a Word document that is a multi-column table that is an alphabetical listing for all my passwords. This allows me to store login page address, User ID, password, and security questions with answers. I keep this document on my private external drive that is turned on only when being used. The document is encrypted and password protected (this is my “master” password). No one has physical access to my office and desk except my wife. I print this form and keep it in my desk for quick reference. I use the password manager that comes built into Chrome (my main browser). The Chrome password manager allows you to decide if the manager is to remember the ID and password for a page. If the page is to a web site that poses no identity theft or financial risks (such as this forum) I let Chrome keep track to sign me in later. If the page poses a financial risk, I do not let Chrome store the ID and passwords. I enter them manually (from my list) each time I visit. If you hack Chrome’s password manager, no harm to me. Using Chrome’s password manager saves me a lot of time at many of the daily sites I visit.
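The post above says a password manager hands a login page only the entry saved for that specific page. The sketch below is an added example, not part of the original post and not any real password manager's code, of how such a lookup can be scoped to the page's origin so that look-alike addresses get nothing; the vault contents, host names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample vault, as it might look after being unlocked with the
# master password. Keys are origins: (scheme, host, port).
VAULT = {
    ("https", "bank.example", 443): {"user": "tom", "password": "constructed-pw-1"},
    ("https", "forum.example", 443): {"user": "trlove", "password": "constructed-pw-2"},
}


def origin_of(url):
    """Normalise a page URL to (scheme, host, port); None if it is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    # .hostname drops any "user@" prefix and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])


def credential_for(page_url, vault=VAULT):
    """Return only the entry saved for this page's exact origin, else None."""
    origin = origin_of(page_url)
    if origin is None:
        return None
    # Exact match on scheme, host and port: no substring or suffix matching,
    # so a host that merely contains the saved name does not qualify.
    return vault.get(origin)


if __name__ == "__main__":
    for url in (
        "https://bank.example/login",            # saved origin
        "https://bank.example.evil.test/login",  # look-alike host
        "https://bank.example@evil.test/login",  # real host is evil.test
        "http://bank.example/login",             # unencrypted page
    ):
        entry = credential_for(url)
        print(url, "->", entry["user"] if entry else "nothing filled")
```

Only the first address gets a credential; the other three return nothing, and no page ever receives the rest of the vault.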
Post by trlove on Jan 7, 2020 10:07:15 GMT -5
Thank you Dana for your response. You implement almost the same procedure that I currently use. It is good to know that I am not the only one managing passwords in this manner. I was just curious if there was a better way. I like your idea of putting non-critical passwords under the control of the browser. Can you let me know the steps for starting this procedure? I also use a Chrome browser, but am unfamiliar with the Chrome password manager. Thanks again for your help.
Tom
Post by steve04 on Jan 7, 2020 16:26:56 GMT -5
Just a note for those who are concerned about a password manager being hacked. Lastpass and probably others incorporate two-factor authentication. Once you enter your master password it will ask for additional authentication by sending a code to your phone that you enter in Lastpass or through an app on your phone. Lastpass will not open until this secondary authentication is completed. A hacker would need to also hack your phone.
Post by drcard on Jan 7, 2020 19:33:48 GMT -5
Hi Tom,
Chrome's password manager is called Autofill because it automatically fills the boxes for login. First, let's make sure it's turned on. Open Chrome. Click the three dots icon on the right side of Chrome's tool bar at the top. Select Settings from the drop down list to open the settings page. Under Autofill click the arrow to the right of Passwords to open the password settings. Make sure Offer to save passwords is turned on. Make sure Auto Sign-in is turned on.
While we are here note the Saved Password section. If you have saved any passwords, they will be in the list of saved passwords.
To save a password: At the login page after you enter the user ID and password and click to enter, Chrome will open a box and ask if you want to save the login and password. Clicking yes is how Chrome adds this web page, User ID, and Password to that Saved Passwords list in Chrome settings. The security of Chrome's passwords comes from the user logged on to Windows and only that Windows user will have access to those Chrome Saved Passwords. If you get one wrong, delete and set it up again.
Post by trlove on Jan 8, 2020 10:02:05 GMT -5
Thanks again Dana for another very complete and concise explanation. I think this will make it very easy to set up this procedure.
Tom