Posted on 04/25/2018 3:57:45 AM PDT by paladinkc
I have run into an issue with my password manager, which requires a master password; for some reason I am no longer able to update it, which gives me great cause for concern. Anyone have recommendations for a really good one other than LastPass? I've been a happy user for years until recently.
Norton IDSafe
KeePass
Highly recommend 1Password. Ability to sync across multiple computers and my iPhone. Keeps track of login passwords as well as secure documents. Used it for about 4 years.
Oh, but if that was possible. About half of password protected sites require password changes every XX months or whenever an event such as a failed login occurs. The result is people carrying around devices with password lists on them. Disaster waiting to happen.
password - the bookmark
Ditto! Frequent updates, good customer service and has a family plan service. https://1password.com
YMMV... ;-)
LastPass - but I've never gotten around to putting my Free Republic password in there!
KeePass - it is open source, great encryption, and my favorite.
This is something I only talk with immediate family about. Never with personal friends, FR acquaintances or complete strangers. What sounds like an innocent enough question, can also be someone or something fishing for info to build breaching portfolios with. It’s not that I don’t trust you. It’s that I don’t have to trust you. Sorry, nothing personal.
The counter argument is that a password is not considered “strong” until the time it takes to break the password (called cracking) via brute force, exceeds the change window.
For example:
An 8 character NTLM (Windows) password has a maximum brute force test of 6.6 quadrillion combinations. Since I work in security and as a pen tester, I have built a cracking server that can go through that entire space in less than 15 hours.
That is assuming the worst case scenario. In reality, users are creatures of habit and often use easily guessed passwords. I have compiled a list of over 2 Billion passwords by assembling hundreds of password lists from the dark web. Very often when I test a client’s Active Directory account, I find about 20% of the passwords are contained in this list. I recently tested a regional financial institution and was able to test their ~2,000 accounts against the 2 billion passwords in about 5 minutes of computer time.
In reality, most users only use upper case, lower case, numbers and keyboard special characters. Adding these up (24 + 24 + 10 + 30) means that the key space is not the full 95 possible but rather 88. So an 8 character password is 88^8 in total size. In reality, it is only about 3.5 quadrillion tests that need to be made.
In essence, it now requires a 10 character password to qualify as “strong”. That would take my cracking server about 6.7 years to go through the entire keyspace. That is well outside the 90 day window for changing the password.
That is why I am telling my customers to adopt a pass PHRASE, instead of a password.
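The "strong until the crack time exceeds the change window" reasoning above, worked through as an added example (not code from any poster). The guess rate is an assumption back-calculated from the post's own figures (95^8 candidates in 15 hours); the 7,776-word list size and the attacker knowing that list are also assumptions, and the server count is a parameter so the linear speed-up from more hardware is visible.

```python
# Added example: models the thread's "strong" test for a password policy.
# Assumption: attack rate implied by "the full 95^8 space in under 15 hours".
import math

SECONDS_PER_DAY = 86_400
CHANGE_WINDOW_DAYS = 90                      # rotation window cited in the thread
IMPLIED_RATE = 95 ** 8 / (15 * 3600)         # ~1.2e11 NTLM guesses/second (assumed)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` over the charset."""
    return charset_size ** length


def passphrase_space(words_in_list: int, word_count: int) -> int:
    """Candidates for a passphrase of `word_count` words drawn from a known
    wordlist of `words_in_list` entries (attacker assumed to know the list)."""
    return words_in_list ** word_count


def exhaustive_days(space: int, rate: float = IMPLIED_RATE, servers: int = 1) -> float:
    """Days to try every candidate; more servers scale the rate linearly."""
    return space / (rate * servers) / SECONDS_PER_DAY


def is_strong(space: int, window_days: int = CHANGE_WINDOW_DAYS,
              rate: float = IMPLIED_RATE, servers: int = 1) -> bool:
    """Strong by the thread's definition: a full search outlasts the window."""
    return exhaustive_days(space, rate, servers) > window_days


if __name__ == "__main__":
    cases = [
        ("8 chars, full 95-char set", keyspace(95, 8)),
        ("8 chars, 88-char set (post's realistic estimate)", keyspace(88, 8)),
        ("10 chars, 88-char set", keyspace(88, 10)),
        ("4-word passphrase, 7,776-word list", passphrase_space(7776, 4)),
        ("5-word passphrase, 7,776-word list", passphrase_space(7776, 5)),
    ]
    for label, space in cases:
        print(f"{label}: {space:.2e} candidates, "
              f"{exhaustive_days(space):,.1f} days, strong={is_strong(space)}")
    # Four servers cut the 10-char search to a quarter of the time.
    print(f"10 chars on 4 servers: {exhaustive_days(keyspace(88, 10), servers=4):,.1f} days")
```

Note that a 4-word passphrase from a known 7,776-word list has roughly the same candidate count as an 8-character password; the passphrase advantage in this model comes from adding words, just as the password advantage comes from adding characters.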
I’m getting more into phrases.
Good thing I’ve seen so many obscure movies and TV shows plus all of the oddball old books read, I can mix and match all kinds of nonsense phrases.
All very interesting. Password management has become a bit oppressive, when one has numerous web sites that require a password as well as a username, not to mention the accessory questions designed to supposedly keep your data safe.
I live in fear of the 90 day password change or the six month password change. Why? Because I have 21 pages of hand entry passwords and usernames that require exacting accuracy, and I rarely need access except annually. So is all this leading to a question? Would not having four or more cracking servers reduce the time to a point that no password would be safe?
Hence password phrasing and just how many of my password entities have the structure that allow phrasing? So, last question, a small explanation of what benefits phrasing brings to the table and is it usable for any site requiring a password?
BFL
Write them down on a legal pad and take pictures of it when you update. Store the pictures on a USB stick or SD card.
I can’t tell you how many people I know that used a password manager and lost it to corruption. One friend changed the password when drunk and doesn’t know it. Of course, people never back up anything.
Use former addresses and phone numbers as passwords, disguising them properly... ex. A_812bAyhaRbor!rD. Crackers rarely are able to guess passwords unless they are really obvious like your name or userid or school name (Facebook). It’s normally a random process.
Mistake 1: Using the word password in a file containing passwords.
Mistake 2: Using an application to manage passwords.
I use OneNote 2010 archived to a flash drive. 128 bit encryption and syncs with the device’s host OneNote. All I need to do is manually cycle the flash drive from time to time and I keep my files updated at work and at home. Total number of logons & pw are >100. It works perfectly for me.
Mistake 3: Logging into a secure site from a mobile device, particularly one with an RTOS.
Write them on a post it note and attach to the side of the refrigerator. :-)