Password Manager Security


Viewing 8 posts - 1 through 8 (of 8 total)
  • #30970
    Ed P
    Participant
      @edps
      Forumite Points: 39

      An interesting article which says that all managers are secure when not in use, but Windows APIs reduce their security once they have been opened, IF the attacker can gain access to the device.

      Link

      #30974
      Richard
      Participant
        @sawboman
        Forumite Points: 16

        Yes, I read reviews of the paper, but I did wonder how valuable it would be to the ordinary PC or other device user? The sum total appeared to be that most, perhaps not all, exploitation attacks would require physical access of some kind, so it would be wise to reboot after each use to minimise the risks, or is that an oversimplification?

        I have never had the time or inclination to dabble with password managers so perhaps my level of engagement was reduced. As long as banks insist on devalued security, e.g. no name checking for transfers, carrying out financial work on a device is not something my personal inclinations favour. Others must draw their own personal conclusions.

        #30976
        Ed P
        Participant
          @edps
          Forumite Points: 39

          Generally I think a manager of some form (even if just a notebook) is essential to ensure no re-use of passwords and ensuring sufficient complexity of 14 chars+.

          I’m personally doubtful of cloud-based managers but I recognise others find them of value. The one area of failing for the study was the omission of Android/Linux based processors.

          #30983
          The Duke
          Participant
            @sgb101
            Forumite Points: 5

            I’ve used LastPass for ten plus years. Probably closer to 15. As I recall, when Android launched I had to pony up to the $1pm plan to streamline mobile use via the Dolphin HD LastPass plug-in. The days before a LastPass app, or even Chrome.

            Anyhow, I tell anyone that doesn’t want to use a manager, a notepad is a must, and is probably far safer than a dedicated manager. Even though ten years ago, the current status quo was to tell people to never write them down. Which I always found strange. OK if you work in an office. But for the average person at home, a notepad is probably the best way to go.

             

            #30998
            Bob Williams
            Participant
              @bullstuff2
              Forumite Points: 0

              More than 5 years ago, I created an A5 book of removable, replaceable pages in an anonymous plastic A5 file. Using Text Boxes in Open Office, I made a small template that was update-able and entered all my passwords, site details etc. I also made reference pages, with short Help texts for various PC items, and details of all devices. It’s easy to add new stuff in pencil, wait until there is an appreciable amount of new stuff to add, open the template and renew the text. Changing passwords is much easier this way.

              I join Richard in being wary of using a mobile or tablet for internet banking. Only my desktop and SWMBO’s laptop are used for that.

              When the Thought Police arrive at your door, think -
              I'm out.

              #31003
              The Duke
              Participant
                @sgb101
                Forumite Points: 5

                On the opposite, I won’t use banking on a PC. I don’t trust Windows. I always use the official app. That way it ain’t my fault if something goes wrong.

                One thing I do have set up is when I open my banking app my VPN auto engages, for extra security. I’ve had my banking/eBay/Amazon etc… all set up that way since pre ‘Firesheep’ time. Even though that was really directed at laptop users on public WiFi.

                So basically don’t use public WiFi and you’re fine.

                But for probably over ten years I’ve not opened my bank on a PC browser. Just use the app the bank provides. If it’s compromised it’s their issue.

                Though the biggest way of losing money is from telephone payments, you’re putting all your trust into the hands of the underpaid kid on the other end. I personally like websites that accept PayPal or Android Pay. As then the site gets zero critical info. And both are just a fingerprint scan to make the transaction. No looking for my wallet and inputting details by hand. Just a simple pick Android Pay, and fingerprint scan to say yes.

                #31004
                Dave Rice
                Participant
                  @ricedg
                  Forumite Points: 7

                  I don’t use a password manager app, I have a file tucked away on an encrypted share on my server. I can get to that from my mobile if needs be. For anything important I have 2FA set up that needs my phone.

                  I agree with Steve, the bank’s app is my preferred way of doing things, but for new payees I have to use the PC. I have an OpenVPN server out in the cloud (terminates in London) and use that mostly from the phone.

                  I’ll repeat my offer that if anyone wants to use it you’re more than welcome. Just PM me and I’ll send you the config file.

                  #31068
                  keith with the teef
                  Participant
                    @thinktank
                    Forumite Points: 0

                    Got to get me a password manager. Don’t let your web browser have them. 🙂
