Alert Using a Password app to manage passwords

[Joe Hogan]

Recently I switched the App I use to manage passwords to a more robust App, 1Password, to help me remember the 100s if not thousands of credentials I use on the internet.

Recently I received a Spam email threatening dastardly actions if I didn't pay thousands of dollars. Needless to say this got my attention. The email did contain a Password I have used in the past.

Apparently one of the sites I have visited, appears it was a Used Car website, has been hacked and the hackers, I later found out, had posted the credentials on some Dark Net board for hackers.

Soon my inbox was filled with threatening emails claiming they had hacked my computer, installed keyboard loggers, etc. and got this password.

Luckily for me, I recognized it as a password I use for generic non essential sites. Luckily for me it was seldom repeated so damage was limited.

That said, it prompted me to systematically replace any duplicated general purpose passwords I employ repeatedly.

Now all my passwords are unique, so if a site is hacked, all they get is what ever personal data is stored, in the worse case.

Any internet sites that accept 2 factor authorizations, I use. All of my financial and medical websites are 2 factor. Yes, it Is more cumbersome.

But if you get an unexpected 2 factor request, that is an early warning sign someone is attempting to access your data.

Had this hack been one that was more serious, or had they got lucky and got a commonly reused password, it could have been very damaging.....

BTW, do not ever respond to an email like this. The act responding can provide lots data to a good hacker. Do not click Links, as we all know, they can contain all sorts of malware. QR codes, bar codes, all those types of links can contain malware.

It is such a shame that many talented folks focus on stealing and damage rather than to be productive members of society...

Luckily no damage

 

[redbaron]

I use KeePass, and synchronize it between all my devices. Keepass is free, open source, and works on all devices.

1password is the best commercial product I have seen.

No matter what product you use, use something.
No password should be duplicated between sites.
No username should be duplicated between sites.

Also...make sure your attorney, life partner, child, or best friend has a copy and access to this file in case you become incapacitated and loved ones need access.

 

[CaptainGizmo]

1Password is insanely imperative for living. I've signed up for my whole Family.
And, I have many friends who've told me they just can't imagine living without it, now.
It is without a DOUBT, the best utility I've paid for, and one of the most important things I've done to keep over 400 logins separate and secure.

 

[RKins]

Sounds like a ton of work, changing passwords on all the sites you frequent or have frequented. I understand the intent but I have hundreds and hundreds ....

 

[tetranz]

Bitwarden is very good too and is open source.

 

[redbaron]

Sounds like a ton of work, changing passwords on all the sites you frequent or have frequented. I understand the intent but I have hundreds and hundreds ....

For most sites, you should do it as you use them, not as a specific task. Change all financial and medical as a specific task

 

[RKins]

Do you let your OS memorize the new password? Or do you enter the 20 character p/w manually. Do these pw minders auto enter when they see the same site that is in the db?

Edit: I never let my OS remember anything important like banking, SSA, retirement accounts credentials.

Edit: I do see on KeePass you can click the URL at the bottom and "auto type" and it will fill in everything for you once at the site. Nice.
Another question, on KeePass do you just copy the db from the master location to another device. Can you copy it to a thumbdrive and install KeePass on a laptop and have the laptop look for the USB drive?

 

[Joe Hogan]

The App used , 1Password, suggests a random set of 20 characters, a combination of alpha, both Cap and small case, numbers and special characters.
If you accept, it is entered in both fields, Password field and Confirmation field on most websites.
Some websites are not as advanced and you have to fiddle around some. Typically, if there is an issue, copy the password the App is suggesting, then paste into the Confirmation field manually, You get reasonably quick at this after a few iterations.
Then you should indicate to App to save the credentials in the App, if you so choose.

The process is painless after a few passwords.

 

[CaptainGizmo]

Sounds like a ton of work, changing passwords on all the sites you frequent or have frequented. I understand the intent but I have hundreds and hundreds ....

If you think having unique and secure password is a lot of work, then you’ve probably not had any of your sites, data, or identity hacked.

Point being, it’s just like routine maintenance on your cars and RV. Neglect to do it, and you WILL pay the price.

Last week, I spent hours and hours helping an old friend unscrew his entire online life from being hacked because of one stupid move. He got sucked into a Phish, gave out his password…which was “only one”, and his whole house of cards came tumbling down. Social media, bank accounts, email, even phone numbers all had to be changed.

So, if you do ANYTHING online, I could sell 1Password to anyone, doesn’t matter who. I have over 400 logins. Just changed one last night and let 1Password do all the work. It didn’t take a single minute to do.

Think about it. And trust those who have paid the price; realizing that the consequences are an unreal amount of stress, time, and work to get your online life back to normal…if at all.

 

[RKins]

You're right, I haven't been hacked.

 

[Joe Hogan]

According to this using simple math, once you get above 12-13 truly random characters brute force cracking is extremely difficult. The number of iterations is unmanageable, even for the very dedicated State Sponsored hackers and equipment.

 

[RKins]

According to this using simple math, once you get above 12-13 truly random characters brute force cracking is extremely difficult. The number of iterations is unmanageable, even for the very dedicated State Sponsored hackers and equipment.

View attachment 6625

I've been using 12-13 characters for about 20 years.

 

[redbaron]

For keepass, i use the Dropbox auto sync between devices. It works very well. Drop box can be replaced with any storage, including Google drive, USB drive, etc.

 

[murphysranch]

Oh wunnerful. You mean my four page excel spreadsheet is a dinosaur?

 

[redbaron]

Oh wunnerful. You mean my four page excel spreadsheet is a dinosaur?

No...thats a good method. There are better, and most can import your old sheet.

 

[tetranz]

I think a difference between Keepass compared to the others is that Keypass is just a local application and your passwords are stored locally so you need to arrange something like Dropbox to use it on multiple devices. Bitwarden, 1Password, LastPass etc provide their own cloud service where your passwords are stored. I can use Bitwarden on my laptop, tablet and phone and they all "magically" have the same data so it's probably simpler for most people to use. Passwords are encrypted before they leave your device and the service doesn't know your master password so there's no real worries about what would happen if the storage system was hacked. You can still make a backup to store elsewhere to cover the "what happens if I wake up one day and the service has disappeared or gone out of business?".

Like a lot of people, I recently changed from LastPass to Bitwarden when LastPass made their free tier less attractive by restricting it to one device. Bitwarden seems better. Their free service is probably all I need but I got the premium service for $10 per year. At that price it's good to support them even if I don't use the premium features.

 

[RKins]

Oh wunnerful. You mean my four page excel spreadsheet is a dinosaur?

You have me beat, I carry a little spiral notebook around with all the sites and p/w's.

 

[tetranz]

Here's another option.

 

[RKins]

I think it's a valid tool for some people. Maybe not as fancy as the apps we've been talking about but for someone that is not app savvy, it works.

 

[MemoriesByTheMile]

These password managers concern me, is there a back door or can they be hacked? Thus giving up a very big treasure trove of data.