password manager vs writing it down

[Bill_Bright]

TLDR password managers are and will always be a vulnerability.

This is really an extremely misleading statement and could, sadly, be misconstrued as suggesting since they are so vulnerable, don't bother using them. That would be horrible, naive and potentially catastrophic advice.

Of course, password managers are, and always will be vulnerable. So is the bank vault at the main branch of JPMorgan Chase Bank, Tiffany & Co. Jewelers, the Palo Verde Nuclear Generating Station, MI5 HQ, the Kremlin, and your house.

Being vulnerable does NOT mean (1) it is being targeted or (2) that it will be compromised if targeted.

You can have security cameras, motion detectors, intrusion alarms, extra deadbolts, and 2 angry rottweilers inside your home. It is still vulnerable. Your wifi can have a passphrase 43 characters long, with a random mix of upper and lower case letters, numerals, and special characters and it is still vulnerable.

If you put it out there, it is vulnerable. How vulnerable is a different manner.

unless you are a very high-value target, you won't be selected for brute-force/dictionary attacks.

I agree in principle but not in practice - at least for the general public; and that is, 99% of us.

Sure, high-value targets are indeed, targets. But bad guys troll neighborhoods and parking lots looking for ANY unlocked door, ANY car with keys left in the ignition, ANY car with high-value items left on the seat. In other words, they are lazy opportunists looking for easy pickings. They don't have to be targeting you specifically. In fact, they probably aren't.

Same with any data you store out in the cloud.

HOWEVER, ANY password manager that requires a master password/decryption key to unlock the password database is "almost" infinitely better than writing your passwords down - assuming you don't write your master PW on a sticky-note stuck to your monitor.

 

[P4-630]

Just leave this here:

KeePass exploit helps retrieve cleartext master password, fix coming soon

The popular KeePass password manager is vulnerable to extracting the master password from the application's memory, allowing attackers who compromise a device to retrieve the password even with the database is locked.

www.bleepingcomputer.com

 

[p-o-db-o-q]

"Physical Security"

That is how FBI confirmed Ross Ulbricht was the guy behind Silk Road.

 

[chrcoluk]

Keeppass is still many multitudes more secure than cloud based password managers, it requires the machine to be compromised for this vulnerability due to the offline nature of the storage.

--

Looks like my version not affected, I use 1.x.

 

[outpt]

paper.

 

[Bomby569]

how safe is firefox password manager system?

i know if they can get to the files in your system they can get all the passwords, but besides that, how safe is it?

 

[Bill_Bright]

Well, according to the new Bing AI search,

Yes, password managers are safe to use. They use advanced encryption to protect your credentials. Without it, your passwords are accessible to anyone. However, browser-based password managers are not encrypted and can be easily compromised.

???

The reason I do not recommend using browser-based password managers is because anyone who has access to your computer may gain access to your passwords. So, for example, if you step away from your computer and fail to sign out of Windows, someone can come in right behind you and perhaps access your accounts.

You do always remember to sign out of Windows, right? And you do always require a password to sign into Windows, right?

Even if you live alone and no one else has access to your computer(s), I do not recommend them. A badguy might break into your home, or a nosy, visiting nephew might get too nosy.

Another disadvantage is that you cannot use Firefox stored passwords with Chrome, for example. So if, for whatever reason, a site is not allowing you to connect with Firefox and try to use Chrome, the password may not be accessible to you.

So for sure, a browser based manager is better than no manager (or writing them down), but a separate manager is usually the best choice.

 

[bug]

The reason I do not recommend using browser-based password managers is because anyone who has access to your computer may gain access to your passwords. So, for example, if you step away from your computer and fail to sign out of Windows, someone can come in right behind you and perhaps access your accounts.

I'm using Vivaldi. If I want to reveal a password, I have to enter the access PIN.

Another disadvantage is that you cannot use Firefox stored passwords with Chrome, for example. So if, for whatever reason, a site is not allowing you to connect with Firefox and try to use Chrome, the password may not be accessible to you.

That and OS/device switching. I would like to use Keepass, but then I don't have access to my passwords from my desktop, laptop and mobile devices, unless I keep copying the db myself.

I got a pair of YubiKeys, trying to go passwordless, but the current level of support is weak, at best.

 

[Bill_Bright]

I'm using Vivaldi. If I want to reveal a password, I have to enter the access PIN.

Yes, if you want to "reveal" it. But what if you don't care to "reveal" it? I don't know about Vivaldi, but others just let you paste it in without revealing it. I find that a potential security risk.

That and OS/device switching.

Some include "cloud" storage but still only work with the specific browser.

 

[bug]

Yes, if you want to "reveal" it. But what if you don't care to "reveal" it? I don't know about Vivaldi, but others just let you paste it in without revealing it. I find that a potential security risk.

Just tested, can't copy it without entering the PIN first either.

Some include "cloud" storage but still only work with the specific browser.

But then we're back to "do I trust the cloud more than I trust local storage"?
Mind you, I'm not blaming the browsers or the password managers. Keeping passwords safe, random and frequently updated is just an uncrackable nut.

 

[Bill_Bright]

Just tested, can't copy it without entering the PIN first either.

That's good.

But then we're back to "do I trust the cloud more than I trust local storage"?

Right. And one thing (among many things) I don't like the cloud is I am confident they won't lose my data. My worry is there will always be a couple million copies of it out there - with many in the hands of those I never gave authorization.

Mind you, I'm not blaming the browsers

Me either. Just about any manager is multitudes better than writing them down.

 

[1freedude]

If what you arw trying to keep safe is very important, dont let the password get stale....update it very often. If the password/data gets into the wrong hands, the data they got will be irrelevant.
Dont be afraid to click forget your password?
But there's the old training...."Hard Target". Dont give them a reason to want your shit.

 

[Space Lynx]

just an fyi for everyone

Your favorite password manager could be exposing your credentials

Several widely used mobile password managers are inadvertently leaking credentials from Android devices due to a newly discovered vulnerability in the WebView autofill mechanism used by many...

www.techspot.com

if you use an android device...

 

[bug]

just an fyi for everyone

Your favorite password manager could be exposing your credentials

Several widely used mobile password managers are inadvertently leaking credentials from Android devices due to a newly discovered vulnerability in the WebView autofill mechanism used by many...

www.techspot.com

if you use an android device...

Which is why my use of password managers is very light and all the important stuff is confined to my proper (Linux) desktop.

 

[P4-630]

just an fyi for everyone

Your favorite password manager could be exposing your credentials

Several widely used mobile password managers are inadvertently leaking credentials from Android devices due to a newly discovered vulnerability in the WebView autofill mechanism used by many...

www.techspot.com

if you use an android device...

"can potentially expose your credentials to malicious apps"

I don't use any of those apps anyway.
Could be apps that need to be side-loaded which I'm not doing anymore.

 

[ThrashZone]

Hi,
I can live with a few less features on iphones than use any android
I've never seen the need for password apps or a host of other apps people rave about.

 

[bug]

Hi,
I can live with a few less features on iphones than use any android
I've never seen the need for password apps or a host of other apps people rave about.

You didn't see the fappening either, apparently.

 

[Good Guru]

I use dashlane free pw manager it's just great. Only complaint is that it limits how many pw you can save to like 40 or 60.

 

[Frick]

I use dashlane free pw manager it's just great. Only complaint is that it limits how many pw you can save to like 40 or 60.

That is ... not a lot. I have something like 170 items in Bitwarden.

 

[Space Lynx]

Part of me does want to get on the Apple ecosystem, it just seems more secure in general. These types of articles just reinforce that for me.

 

[bug]

I use dashlane free pw manager it's just great. Only complaint is that it limits how many pw you can save to like 40 or 60.

You can save all that on a hardware key. More reliable to boot.

 

[ThrashZone]

You didn't see the fappening either, apparently.

Hi,
Hell I made a few but not on my cell phone

 

[bug]

Part of me does want to get on the Apple ecosystem, it just seems more secure in general. These types of articles just reinforce that for me.

There's no right answer here. If you're clueless about security, Apple is better at holding your hand. If you know what you're doing, you'll find any platform wanting.
That said, if you look at Safari alone: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=safari

 

[ThrashZone]

Hi,
Best thing about apple is they don't dump security support like android typically does.

 

[bug]

Hi,
Best thing about apple is they don't dump security support like android typically does.

That's not 100% accurate either. "Android" doesn't drop support, security patches are released for years. It's Android phone manufacturers that do not release further patches to their customers because they would rather you buy a new phone instead. The net result isn't that different, but there are differences between manufacturers.