
mattmag

join:2000-04-09
NW Illinois

mattmag

Password Managers--Good or Bad??



So I recently received an email promotion regarding "RoboForm", a password-managing program. I am always intrigued with those products, as I have a long list of passwords and something that would automate the process seems like an attractive idea.

But, are they safe? RoboForm apparently works across multiple platforms and devices, so it is going to be cloud-based, I presume. I have an intrinsic fear of anything with the word "cloud" in it however, so I never pull the trigger for programs like it.

What do you all think? Justified concerns, or am I missing out on the best time-saver ever?

Thanks---
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

Last I checked, RoboForm is not cloud based. But it is available for pretty much every OS out there. It is a trusted program/addon. It does a lot more than just store passwords; it will fill in pretty much any data you need or want it to.

rfhar
The World Sport, Played In Every Country
Premium Member
join:2001-03-26
Buicktown,Mi

4 recommendations

rfhar to mattmag

Premium Member

to mattmag
I also distrust cloud based stuff. If people can hack into the Pentagon and so many of the banks... I use KeePass.

»keepass.info/

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to mattmag

MVM

to mattmag
I use Keepass as well and chucked one file of passwords up onto Sky Drive so I could access it from any of my devices (it's a test).

Blake

mattmag

join:2000-04-09
NW Illinois

mattmag to Nanaki

to Nanaki
Ok thanks, that's good to know. So if I used it on say a home and work computer plus my Android phone, I would need to enter the site information required once per site for each device if it doesn't store that info in the cloud?

I'm not opposed to that, and most likely that would be the desired way to utilize it I would think.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

Typically, but see Link Logger's post as well. In some of the managers the file they store everything in might be cross-platform compatible.

If that is the case what should happen is you should be able to import the file that stores the information and the program will ask you for the master password. At that point you can import the data (possibly) and not need to enter it per device.

Some of the PW managers encrypt the crap out of the file to say the least. So it should be on the safe side to actually keep on the cloud. As without the master password it should be next to impossible to decrypt.

My advice: read up on them and their features to see which one is best for you. Honestly I'd be somewhat surprised if RoboForm ended up not being that one. It is easily one of, if not the, oldest, most developed program of its type. In all honesty I cannot remember when I first saw it mentioned, but it was a solid 10 or 15 years ago minimally. I used it and others to fill out online job applications heh. Makes filling out a job app etc. damn fast when about 80% is done auto for you.

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

2 recommendations

jaykaykay to mattmag

MVM

to mattmag
I don't like things in the cloud, but I use Last Pass and have been doing so for quite some time. I like it very much.

stormbow
Freedom isn't FREE
Premium Member
join:2002-07-31
Simi Valley, CA

stormbow to mattmag

Premium Member

to mattmag
I use a copy of the same KeePass file on my Linux server, Windows 7 desktop, iPad and my iPhone. I keep the server one the master and merge changes into that before refreshing all devices.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

1 recommendation

Nanaki (banned) to jaykaykay

Member

to jaykaykay
I still chuckle at the idea of cloud being a new thing. I used map network drive to map a drive letter to my web host over 15 years ago. All the cloud really is is a new way to do something we have done for years. It is little more than a way to market the idea and make money from it. Before the cloud was popular we had Dropbox, which was a simple program to drop files to a network drive that was off site. It was little more than a gimmick, as most FTP programs had the ability to have files dropped on the transfer panel in them to auto transfer, or drag and drop from the directory on the server to your computer. All the marketing of the cloud has done is made it low-hanging fruit.
Nanaki

Nanaki (banned) to stormbow

Member

to stormbow
Well, there we go, all questions answered I suppose.

Rocky67
Pencil Neck Geek
Premium Member
join:2005-01-13
Orange, CA

Rocky67 to mattmag

Premium Member

to mattmag
RoboForm has been around since 1999. I think it used to be called Air RoboForm. It is available for Windows and Mac and stores your data locally. For ten bucks more there is a portable version that uses the cloud. I used to use it some time ago and it was a good program, but I don't have any opinion about the newer version.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

Yeah, I thought it was about 15 years old. I would say they are likely pretty well trusted at this point hehe
MichelR
join:2011-07-03
Trois-Rivieres, QC

MichelR to rfhar

Member

to rfhar
said by rfhar:

I also distrust cloud based stuff. If people can hack into the Pentagon and so many of the banks... I use KeePass.

»keepass.info/

I use KeePass too, but also use BoxCryptor to encrypt everything I have "on the cloud". I trust that more than a service that would do its own sharing. The KeePass file is encrypted, and BoxCryptor encrypts as well and mangles the filenames.
Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer to mattmag

Premium Member

to mattmag
I had used KeePass too but now use 1Password. It offers an option (not requirement) to sync across devices using cloud or wifi (for those that don't trust cloud services for this).

This poll is now pretty old but may be helpful as a starting reference: »Software Forum Member Choice »Preferred Encryption/Password Software - 2011 Member Choice

BoxCryptor has two variants - I use the classic version which is based on encfs. Other encrypted containers may be used similarly depending on the OSs and/or devices from which you desire access. BoxCryptor is available on Windows, macOS, iOS, and Android.

There are cloud services such as SpiderOak, Tresorit and Cyphertite that provide client-side (as in on the local device, not on the remote server) encrypted storage providing similar functionality to locally-encrypted containers. Any one of these may be suitable for storing a password vault if sharing/synchronization across devices is needed.

Personally I would not go without a password manager today. Sharing/cloud storage/network storage is not a requirement in all cases making a local-only solution absolutely feasible.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB to mattmag

Premium Member

to mattmag

I use the product grey matter by God. I'm sure you all know the cliché "God gave you a brain use it!" And when it fails I use the site password reset process, and hope they have my current email address.
Jeremy W
join:2010-01-21

1 recommendation

Jeremy W

Member

said by NOYB:


I use the product grey matter by God. I'm sure you all know the cliché "God gave you a brain use it!" And when it fails I use the site password reset process, and hope they have my current email address.

If you can remember multiple passwords easily, you're either incredibly gifted or using insecure passwords.

javaMan
The Dude abides.
MVM
join:2002-07-15
San Luis Obispo, CA

javaMan to Link Logger

MVM

to Link Logger
said by Link Logger:

I use Keepass as well and chucked one file of passwords up onto Sky Drive so I could access it from any of my devices (it's a test).

Blake

That's how I handle my Keepass file as well. Works for my desktop and all my Android devices. Works great.

Ian1
Premium Member
join:2002-06-18
ON

1 recommendation

Ian1 to jaykaykay

Premium Member

to jaykaykay
said by jaykaykay:

I use Last Pass and have been doing so for quite some time. I like it very much.

Another vote for Lastpass. I trust how they encrypt it online. They could be lying about how they do it, but to me it's a small risk. Compared to using less secure passwords that is.

rfhar
The World Sport, Played In Every Country
Premium Member
join:2001-03-26
Buicktown,Mi

rfhar to Jeremy W

Premium Member

to Jeremy W
said by Jeremy W:

said by NOYB:


I use the product grey matter by God. I'm sure you all know the cliché "God gave you a brain use it!" And when it fails I use the site password reset process, and hope they have my current email address.

If you can remember multiple passwords easily, you're either incredibly gifted or using insecure passwords.

Agree. I have 48 complex pass-phrases. I can remember them for a short while if I am using one of them frequently, but to remember one a month or year later is not possible for me. He must be doing something simple like using the same set of pass-words over and over.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran

Premium Member

said by rfhar:

He must be doing something simple like using the same set of pass-words over and over.

Not that there's anything wrong with that as long as sensitive sites get unique and secure passwords.

The password I use for dslr is very weak and re-used at multiple sites (though my username here is unique, heh). It won't however lead you to anything important. You won't be able to take my creds here and use them on any of my email accounts, much less financial accounts. You could however add it to your dictionary and crack open my accounts at several random web forums. That's about it. None of those would lead you anywhere either.

Drunkula
Premium Member
join:2000-06-12
Denton, TX

Drunkula to mattmag

Premium Member

to mattmag
I'm not too keen on the cloud either. However I have been using LastPass for personal stuff and Keepass at work (no, it's not cloud) and as a backup for personal stuff as well.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

4 recommendations

Kilroy to mattmag

MVM

to mattmag
It depends on the password manager. I've been using LastPass Premium for a little over four years with a Yubikey for two factor authentication and only mobile devices I authorize. The free version of LastPass will work on a computer, but you need to pay, a massive $1 a month, for the premium version to use it across all of your devices. LastPass relies on the cloud to keep your passwords synchronized across devices, but they are unable to give up your passwords as the data is encrypted and cannot be unlocked without your master password. You can take a read or listen to Security Now! - Episode 256 - LastPass to learn more about how LastPass works.

Password managers also do more than manage your passwords. As others have mentioned they fill forms. LastPass also has the ability to create one time use passwords that can be printed out and stored to be used in case of your demise. The one time use passwords can be revoked by you at any time. They are also able to generate random passwords so you don't have to create passwords any more. LastPass allows you to control the password creation so that you can make it generate passwords that will be accepted by the site requiring a password.

Hopefully in the future we can do away with passwords, however they are currently required for our digital lives. The sheer number of passwords we need today cannot be securely handled in any other way due to the security issues related to password reuse.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB to Jeremy W

Premium Member

to Jeremy W
said by Jeremy W:

If you can remember multiple passwords easily, you're either incredibly gifted...


Thank you.

Passwords need not be unmemorable to be strong.
NOYB

NOYB to rfhar

Premium Member

to rfhar
said by rfhar:

He must be doing something simple like using the same set of pass-words over and over.


Only on non-sensitive sites/apps.

Every site/app containing sensitive information has its very own unique and strong "password". And yes I can remember them.

It's the other, non sensitive, sites I forget from time to time if I've not used them in a while. For an account that gets used that infrequently it's no big thing to do a password reset.

Although this dslreports site does get its very own weak password because from what I have read in one of these forums in the past it is stored in plain text.

bbbc
join:2001-10-02
NorthAmerica

1 recommendation

bbbc to mattmag

Member

to mattmag
LastPass Premium is the only way to go. It works on every operating system, desktop and mobile. So worth the $12 a year for mobile access too.
Uncle John
Premium Member
join:2004-01-23
Huntland, TN

1 recommendation

Uncle John to mattmag

Premium Member

to mattmag
Another vote for LastPass Premium with two factor authentication. I use a Yubikey, but there are several other two factor authentication methods supported and many of them are free. I think that nothing is 100 percent secure, but I don't lose any sleep over using LastPass and feel it is good enough until proven otherwise. Of course, I'm not an expert like many of you here.

mattmag

join:2000-04-09
NW Illinois

mattmag to Kilroy

to Kilroy


Thanks for all the dialogue and advice, I do appreciate it. After looking at the link that Kilroy provided, I have a better understanding of how the sync across the cloud works and how it keeps the local data secure.

Right now I have a total of 32 passwords for all the various sites I need to use, and currently I have them stored in an App on my phone. There just has to be an easier way...

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

Kilroy

MVM

32, is that all? I probably created that many when I was looking for work this past summer. It seemed like every company had their own site that needed its own password.

With a password manager you'll find that you don't care about creating different passwords for everything, because you don't need to remember them. I do recommend that when you sign on and store your account in a password manager that you immediately log out and then back in with the password manager to verify the information.

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB to mattmag

Premium Member

to mattmag
Malware is probably the Achilles heel for password managers.
Anytime the password manager is open/logged in, etc., malware could potentially have access too. Putting all your eggs in one basket is still a risky proposition.

Though the following post is about Last Pass, the principle is not specific to only Last Pass.
Protection from malware?
»forums.lastpass.com/view ··· &t=64309

Highly recommend not using a password manager for financial accounts or accounts with sensitive information.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

2 recommendations

sivran

Premium Member

So what?

A memorable password contains patterns which lend well to cracking but is somewhat protected from malware. ("If you can remember it, it's weak")
A random password is nigh-invulnerable to cracking, but the password manager is vulnerable to certain malware.
A piece of paper is invulnerable to malware, but is vulnerable to loss or theft.

Such is why, no matter how we store our passwords, we also try to protect the password manager, the host machine, and the human bean.