
Make sure you have your SS username/passwords stored


SDS


At some point very soon, I will be moving my sites from http: to https:.  I don't know if this will have any ill-effect on browser saved passwords, so make sure you have them in case you get locked out.


Thanks Scott.

 

Personally, I could never go back to not using a password manager.

Try a utility from Nirsoft called WebBrowserPassView. Or log out and go through the password reset procedure.

 

Same. I use 1Password and recommend it to everyone. Unless you are a Rain Man savant, you should be using enough random 16-character passwords that there is no way you could remember them all.

 

I get complaints from the password reset users occasionally that they don't get the emails. So a spam filter along the way filters them out at times. In those cases, I reset it manually, so the user can change it to something new, secure and stored in their password manager.


Add me to the pro password manager list.  I can't think of any good reason why someone wouldn't use one.  You can store 100 character passwords with random mixes of numbers, letters, and special characters and not have to remember any of it.  And you can use a different password for everything, so if your password is hacked somewhere, it's completely useless anywhere else.

 

Speaking of passwords, it's an immediate warning sign when sites limit the length of your password.  It's extraordinarily unlikely that a site that limits you to, say, 12 characters, stores your password in a hashed and salted database since there is no benefit for those databases to limit password length.  That's not even counting the fact that software running on GPUs can check billions of password guesses per second in an offline attack.

Edited by JujuFish

Serious question for those advocating password managers:  what about the risk that the password manager site itself is hacked?  I would think those sites are highly appealing targets for hackers.  If that happens, aren't you at risk of losing everything? 


Serious question for those advocating password managers:  what about the risk that the password manager site itself is hacked?  I would think those sites are highly appealing targets for hackers.  If that happens, aren't you at risk of losing everything? 

 

The theory is that your passwords are encrypted on their end, and your master password is the decryption key which never leaves your computer. The data on the password manager's end is completely useless to anyone that gets their hands on it unless they also have your decryption key.

 

I also use 2 factor authentication with my password manager so even my master password would be useless to an attacker unless they also had my cell phone and fingerprint to unlock the phone and again the app.

Edited by Assquatch

Serious question for those advocating password managers:  what about the risk that the password manager site itself is hacked?  I would think those sites are highly appealing targets for hackers.  If that happens, aren't you at risk of losing everything? 

 

I don't actually store my passwords with a third party. 1Password is a phone app or a desktop app that can keep all data local if you prefer. Obviously, you need to have an appropriate backup in case of hardware failure. The way I think about it is that I trust world experts in security, which is their only job, more than every single place I register with where security may not even be a small concern, let alone their life's mission.


Thanks for the notification!

I don't actually store my passwords with a third party. 1Password is a phone app or a desktop app that can keep all data local if you prefer. Obviously, you need to have an appropriate backup in case of hardware failure. The way I think about it is that I trust world experts in security, which is their only job, more than every single place I register with where security may not even be a small concern, let alone their life's mission.

<waves hand>

What is your password?

-- What is my password?

No. Tell me your password.

-- Tell you my password.

Hmmm. Spell out your password.

-- Y o u r p a s s w o r d

 

Jedis agree: password managers work! :angel:


The theory is that your passwords are encrypted on their end, and your master password is the decryption key which never leaves your computer. The data on the password manager's end is completely useless to anyone that gets their hands on it unless they also have your decryption key.

 

I also use 2 factor authentication with my password manager so even my master password would be useless to an attacker unless they also had my cell phone and fingerprint to unlock the phone and again the app.

 

 

I don't actually store my passwords with a third party. 1Password is a phone app or a desktop app that can keep all data local if you prefer. Obviously, you need to have an appropriate backup in case of hardware failure. The way I think about it is that I trust world experts in security, which is their only job, more than every single place I register with where security may not even be a small concern, let alone their life's mission.

 

I have a lot to learn.

 

Also, Scott, does the warning go for TBD also?  I occasionally check in there.

Edited by Eleven

Password managers are an interesting topic (for me at least). Everyone here has been bringing up good points and bad points. I use a mix of strategies, some born of laziness and bad habits from before managers were a thing, some actual good ones.

 

  • Password managers can get hacked, and have been at least once in recent memory. That's not to say they're not a good idea, but they do carry some risk. Ideally, you would have one that only you have the key to decrypt the data, but even then there are possible issues. SDS is right that security experts are generally good at their job, but these sites become really big targets so they have to be really good.
  • Using a few passwords isn't a great idea, just make sure you know the risks. The primary risk is if one place gets compromised, the first thing someone is going to do is try that password in other places (Gmail, Facebook, banks, etc.). If you're comfortable with the concept that someone may have that password for months or years before the breach is discovered, go for it.

As mentioned, I use a hodge-podge of stuff.

  • I have an app on my Android phone called UPM that is a local password store. I'm trying to get rid of it, since it doesn't scale well past one person (MrsPie needs the passwords for some stuff).
  • I've been using Encryptr as online storage to replace UPM. They make all the right statements about not having any way to decrypt your data, only your password does it and it's done on your device. Android app, PC apps (Windows, Linux, maybe Mac), but no web client. On one hand, that's a nice model as it isn't limited by web browser, but it means I ended up typing passwords from my phone screen into other computers from time to time. It generates a random password but you can enter in whatever you want.
  • For many sites I use supergenpass. The idea is it takes a master password and web site name and generates a repeatable hash from that and you use the hash as your password. The benefit is there's no storage. If you enter the same master and web site, you'll get the same hash value every time. You can't get the master from the hash though so even if someone gets the hash password from one site, it doesn't help them get into anything else. In theory I should be using a few master passwords for levels of security in case there's a weakness in the algorithm, but I'm lazy and really use one for most things. It's nice that it works everywhere, but I have a little concern for the integrity of the algorithms.
  • I have some really old throw-away simple passwords that I use for sites that are low risk (no personal data, like forums and whatnot). I really need to get rid of these.

Realistically, I should settle on something that works with two or more people, uses random passwords, and has some sort of integration with browsers to make it easy. I think my AV subscription includes a password manager, I should really look at that.

 

In a perfect world, all sites would participate in some safe single-sign-on solution, but how that works in the marketplace is tricky. Google and Facebook sign-ins are examples, but people are wary of giving them too much information. The technology to authenticate users across domains has been around in Kerberos since the 80s.

Edited by MattPie
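The stateless "master password + site name" scheme described in the post above (derive a per-site password from a hash, store nothing), written out as an added example. This is constructed illustration code, not supergenpass's own algorithm: the salt prefix, iteration count, alphabet and the simplified host-to-domain reduction are all assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Output alphabet without look-alike characters (0/O, 1/l/I); an assumption of this demo.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
# Key stretching slows offline guessing of the master secret should one
# derived password ever leak from a breached site.
ITERATIONS = 200_000


def site_key(url: str) -> str:
    """Reduce a URL or hostname to its last two labels so that
    https://www.example.com/login and example.com map to the same password.
    Simplification: real registrable-domain logic (public suffix list) is richer."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or url).lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def derive_password(master: str, url: str, length: int = 16) -> str:
    """Deterministic per-site password: same master + same site -> same output,
    different site -> unrelated output, and the one-way KDF means a leaked
    site password does not reveal the master."""
    salt = ("sgp-demo:" + site_key(url)).encode()
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    # Map each byte onto the alphabet (small modulo bias; acceptable for a demo).
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master secret
    for site in ("https://www.example.com/login", "example.com", "https://mail.example.org"):
        print(f"{site:35} -> {derive_password(master, site)}")
```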

I have a lot to learn.

 

Also, Scott, does the warning go for TBD also?  I occasionally check in there.

 

Yes.

 

I have mentioned 1Password and I know most people don't want to make their eyes bleed looking into this stuff, but if you choose a trusted platform like that you are probably ahead of 99% of everyone using the internet. Here is a word about their technology:

 

https://1password.com/security/

 

Store notes, passwords, credit cards, whatever in the app on your phone or desktop.


Wait, is there no password recovery via email for user accounts? Why not just tell users to remember their registered email addresses?

Read four posts down.

 

Regardless, the change has already been made. No login issues from what I can tell.
