How Safe are Password Manager Sites
 

I been tempted many times to use one of the password managers that are available.

My son works out of his house for a national bank, and keeps reminding me
they can and known to be hacked and recommends against them.

Your Thoughts

Have been wondering myself have a large stack of passwords on my desk and a pain to go thru them to find the one I need

I don't trust them. I list all of my passwords on an MS Word document that requires a password to open. If I forget a password, I can use the document to find it. The Word document is on my Google Drive which can be accessed from anywhere.

Are password managers secure? | Norton.

Are password managers secure?

You might worry about trusting a program or app with your master password and other private information. Can't app makers be hacked, too?

The quick answer is “yes.” Password managers can be hacked. But while cybercriminals may get "in" it doesn't mean they will get your master password or other information. The information in your password manager is encrypted. And deciphering that encryption, which is usually industry-standard encryption like Advanced Encryption Standard (AES), is almost impossible.

Plus, most password managers do not store or have any access to your master password or the encrypted information in your password database.

Much of the security of your password manager depends on the strength and safety of your one master password. And for many password management systems, that master password is not stored on the same server as your encrypted information. This adds an additional layer of security.

...


Password managers like Dashlane do not have your master password. All information is encrypted before sending to their database. Flip side, if you forget your master password, they can't help recover your data.

...

Umm, MS Word can be hacked in about 10 seconds with tools really available on the Web...

Also risky to trust Google Drive with information...

Is Google Drive Secure? How to Protect Your Files

Minimum 12 characters, 14+ is better. Mix upper and lower case letters, numbers and symbols.

So, they would need to hack my Google account, find my Google drive, hack it, then figure out which MS document has my passwords, hack it, and then figure out my username and find a website that would somehow benefit them. And, they still couldn't access my financial accounts. I feel pretty safe with my system.

I use an online password manager and I am pretty careful about such things.

LastPass was famously hacked but the hackers could not get a customer passwords because the online customer password files are encrypted and LastPass does not store customer encryption keys. Only customers know their own encryption keys. So even though hackers got into LastPass, the best they got were encrypted customer password files. The hackers, however, likely got some unencrypted files such as billing addresses, email addresses, and phone numbers. LastPass, of course, says it learned from these hack experiences and improved their security. That is likely true.

I use two factor authentication in addition to an access key for my password manager (not LastPass) that makes my online encrypted files even safer from hackers. It is two layers of protection. Also, the online password manager helps me create complex, randomized passwords that would be impossible to guess and it alerts me if I use the same password for more than one website.

For websites requiring my log in information, I use two factor authentication for all important websites that offer it (most do now). This means they require my password and a separate two factor authentication tied to my personal device.

All of this means is my online password manager has multiple layers of security and my important websites offering two factor authentication have two layers of security.

Personally, I would not use Google’s or Apple’s password managers for anything important. I want a reputable company mainly in the business of password security rather than only a small part of their business.

I have over 500 stored passwords. For me, the alternative to an online password manager carries more risk.

If your computer has a setting to have your Google Drive files stored on your local storage drive, you may have another area of exposure with your Word file. A hacker into your computer or evil local tech support person could get to your Word file on your local drive. But you still might have good protection if your local Word document is password protection for document encryption rather than only for limited access. Encrypted files are generally the gold standard. And better yet under these conditions is if your entire local storage drive is encrypted by your operating system.

My Google drive can only be accessed in the cloud and my Word document name is not identified as having passwords. Also, my financial account passwords are not located in the Word document. So, if someone gets my Publix app password, so what?

hacked
 

Password managers have been hacked.

Put it all in excel and password protect it that encrypts it and backup to a usb drive - that is all they do

I use what is built in to Google Chrome, and have multifactor authentication enabled. Having my password won't get you into anything I saved inside, except for the few files and folders I have shared publicly.

I don't keep a file with passwords in it. Instead I have a list of places I have used that require usernames and passwords. Instead of storing the password, I have clue formulas that remind me of the password for that site.

So for each account, there is a link to the account, a username, and a password clue.

Make those clues impossible to guess.

Kaspersky has long been a trusted name for anti-virus protection and they also offer a password manager that is very good. I've used it for some 10 years now along with their anti-virus, and I have never had any issues. I also have the extension installed on Chrome and my password protected websites open automatically with the master password. Your master password is not stored so you have to remember that one. The Kaspersky Total Protection software is outstanding IMHO.

Password Manager
 

Check out 1Password. Very secure and highly recommended and used by.a lot of internet professionals.

I concur w BobMiller, 1Password is the ultimate, and I have 247 saved passwords there. The important ones, like my investment accounts and the 1Password Master PassWord are 25 digits, and kept written down and kept in a sealed envelope in my gun safe and a copy in an off-site family members gunsafe in a sealed envelope. Security is an onion, good security has a lot of layers, and good security is not convenient.

Trust the Russians?
 

I don't trust the Russians.
Laboratoriya Kasperskogo) is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky, and Alexey De-Monderik; Eugene Kaspersky is currently the CEO.

I second it—— One Password
 

I use one password - got the info from a person that ran a computer company. I love it and sure has simplified my life .

Having a password manager app is like having a safe in your house. A thief knows that, if they break into the safe, they will find something of value. But, if you hide your passwords in a document that only you know exists, it is very difficult for a hacker to find it.

Same but not out there in a cloud or on Google Drive. Mine are in a coded form and my kids have a hand-written list of the codes to de-code them should I croak.

Apple doesn’t take security serious? WHAT? Didn’t apple withhold info to the fbi on how to hack in to the iPhone? Google would have easily broke down and would have given the Chinese and the fbi your info.
2 factor authentication along with iCloud Keychain if you are an all apple environment.
If you use windows, you are already hacked!

Yes, it’s a great option! I use 1Password. It’s secure.

1Password

Apple has never been hacked. That’s why the FBI needed Apple to show it how to get into an iPhone. Apples iCloud Keychain password assignment is random digits that are encrypted stored at Apple, and to get into your Keychain you need face recognition. It also triggers all apps and websites that use facial recognition to be activated for that added layer of security.

So your son works for nation bank and reminds you they have been know to be hacked. You are questioning his insight, with non entity on a public site, in hope someone will give you the answer you are looking for.

So our son’s roommate from college works independently for multinational companies, finding hidden finances, from those who don’t want to be found.

On his last visit, he said no password manager or not is beyond being hacked if someone chooses to do so. He suggested address book (yes paper) Change passwords monthly on important banking/credit accounts. No password should be close to the next.

To prove his point using his computer he accessed 3 of our accounts within 15 minutes.

So his view on password managers is, Thank you for using them, I just need to get into that account to open every account you have on that manager app

I do not trust password managers (like 1password) that store your data in the cloud. When you allow that, you are trusting that any and every employee of that company and several unknown companies are trustworthy. All it requires is one rogue software engineer to introduce some code that allows them to access your cloud data. All software companies today use code libraries created by other companies … so your 1password app has code created by multiple companies. These code libraries are constantly being updated which makes it relatively easy for the rogue employee to interject something nefarious.

Instead I choose to use a password manager (like keepass) that only stores the data locally. I can easily manually synch the data across devices. I have several hundred passwords stored this way.

For sure.

Home grown "creative" kinds of password mental gymnastics to manage passwords are flawed and not helpful to the average user who likely is using the same password on multiple sites.

For the average person, Password managers make it easy to keep your passwords safe, secure, complex, unique and easy to use.

If one is using Apple’s built-in password manager, KeyChain, on an iPhone, one’s passwords are protected by only the phone’s passcode that opens the phone’s screen. A bad actor looking over the shoulder of an iPhone user in a restaurant, bar, airport, and so on can observe the user entering their phone’s passcode, which opens the phone’s screen and KeyChain passwords. After a bad actor knows the phone’s passcode, they could take the phone by theft or robbery and now they have access to all the iPhone owner’s passwords stored in KeyChain. Google’s Android phones have a similar risk.

Here is a newspaper story about this kind of risk on phones and the technology limits on basic phone security:

A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life - WSJ

Reputable pay password managers offer stronger protection than the free built-in Apple and Google password systems at least on mobile devices. Whether one wants extra protection for their passwords is a personal decision.

That system sounds simple and elegant but it isn’t. First, loss of one’s paper address book with the only record of dozens or hundreds of important passwords from forgetfulness, fire, hurricane, and so on could be disastrous to one’s life. Risk of loss of a paper address book with my only record of hundreds of passwords is too high for me. Making a duplicate copy of the address book and storing it in a bank safe deposit box and also changing certain passwords monthly requires going to the safe deposit box monthly is a hassle at least for me and I likely would not keep the second copy up to date.

The less convenient any system, the less likely one uses that system over the long run. For me, there is a trade off between very good password technology protection but not 100% risk free and convenience. Nothing is 100% risk free.

Look at it this way
 

Look at it this way. With this discussion, most of what everyone is talking about is better than most people ever do to protect their online access. All of this makes it more likely that the hacker is going to go to the next person with less security as they do not want to work harder than they have to. So:

1 - For all your sites that have access to information you do not want exposed, you should used multi-factor authentication. Have it send the code to your phone via text or better yet, use an authenticator. Look in the security section of your account on the website to set it up.
2 - For the rest use a strong password (look it up) or a passphrase (even better). Do not repeat passwords or passphrases from one site to the next.
3 - If you like a password manager for your passwords, use it. If you keep an encrypted excel file on Google drive, fine. If you keep it on a USB, gulp...those things go bad and get lost. Just use something other than leaving your passwords laying around. The key is to use something to store your passwords in a secure manner.
4 - Keep your PC and Phone updated all the time with the latest security patches. You don't want someone camping out on your PC or phone grabbing your info.

You'll likely never fully get away from passwords, but where ever you can, use multi-factor authentication.

[QUOTE=spinner1001;2247040]That system sounds simple and elegant but it isn’t. First, loss of one’s paper address book with the only record of dozens or hundreds of important passwords from forgetfulness, fire, hurricane, and so on could be disastrous to one’s life. Risk of loss of a paper address book with my only record of hundreds of passwords is too high for me. Making a duplicate copy of the address book and storing it in a bank safe deposit box and also changing certain passwords monthly requires going to the safe deposit box monthly is a hassle at least for me and I likely would not keep the second copy up to date.

The less convenient any system, the less likely one uses that system over the long run. For me, there is a trade off between very good password technology protection but not 100% risk free and convenience. Nothing is 100% risk free.[/QUOTE

How many password does one have? Hundreds thankfully I don’t spend that much time online

Easy iPhone password protection!
 

The simple solution to IPhone password protection is to use face recognition to open the Lock Screen. No typing and only your face will open the phone. I also use fingerprint security on the IPad. Also, always lock the phone/Ipad screen before setting it down.

I also use Face ID on my phone. But a large proportion of phone users in the USA don’t use it according to survey results I saw.

I can’t use fingerprint on anything, after 45 plus years of scrubbing, my finger prints have to be taken with the old fashioned print. Any electronic doesn’t register enough to be useful, which is widely used for initial passport, government IDs and so on. We do use facial recognition, on one important computer, but that has no help when someone hack into your accounts remotely without your knowledge

Unless you're a government agency, a foreign National, an Agent of some official entity (like a bank CEO) or utility corporation server, the Russians really don't care what's on your computer. Kaspersky is safe for individual citizens, because they aren't interested in your porn collection. It's okay.

Do not use password managers that store your data in their company infrastructure (Norton).

Do not pay any fee. What if they close up shop and you no longer have access?

Word and Excel passwords take under 1 second to bypass, no matter how long or complex.

To see how long it takes to determine your master password, go to passwordmonster d0t com. That is an offline too that will show your 14 character password is close to worthless, especially if you use any words that appear in a dictionary, lists, language, acronyms, etc.

Using a zero for the letter "O" does not help. Password cracking tools know that trick.

Thinking a hacker won't look at every file on your PC or in the cloud is how the horror stories begin. Security by obscurity is foolish advice.

Choose a password manager that is open source and peer reviewed.

Use a long master password. In today's world, that is at least 30 characters.

There are smart choices in password selection. Do not use these, but which password would be more secure? Which can you remember? eTC82^9wn$j7 Dun/kinDon/uts?

For the web site passwords you store, the tool must be able to easily generate long passwords for you. Since it will feed that password to the site, who cares how long it is, or what complex character set it uses.

Password manager should be able to store the file wherever you want. Locally, or in the cloud. If you pick the cloud, it has to be safe to access from multiple devices concurrently. So it would have a sync function, not be a file that is held locked because it's "open".

The master database needs to be absolutely secure, so if anyone gets a copy, it's useless because your master password makes it secure.

I use Keepass. It exceeds all of the above.

I use a multitude of formulae for passwords. Some make sense for the account, some are random, some look random to other people but have meaning to me, and some are just silly word combinations with numbers to satisfy the requirements. I keep them all on a notepad file on a USB "thumb drive", where I keep all my other files. Google auto-fills all passwords for me on my desktop, but not on my phone or other devices. I don't have it saved to the cloud, I don't "sync" these passwords to google drive.

I also have a list of passwords to apps that I use regularly, hidden on my cell phone. None of them are bank apps. I use pattern and fingerprint and facial recognition to access various apps in addition to passwords. Sure people can get into my phone. But they'll be very disappointed if they do - unless they were hoping for a $5 credit at PetCo because I spent a fortune last month on flea treatment for my cat, and a free burrito at Moe's.

As someone who works in IT security every day, I'll echo what others have said:

The password managers recommended by others here are safe and effective. Your password is the encryption key, so even if the password manager company is hacked, it is extremely difficult for a hacker to decrypt your data. Most apps allow you to keep an encrypted copy of your passwords, so it doesn't matter if they go out of business.

Just make sure to pick a long password you'll remember, like Don'tSpendAllDayOnTalkOfTheVillagesDotCom.

Do not use password-protected documents. Not only are they less secure, but they are also less convenient.

-Ken

Hackers these days will go after the large investment firms and corporate accounts where they can get large amounts of passwords and your private info.... not individuals so much... I would worry about your investment firms more.

Hate to say it but so far my memory for passwords has a formula, don’t need to worry about carrying anything, for 6 important sites. For non important like Kroger they are simple, since who wants to hack into our grocery list.

Our grandson is IT, and what he can do scares you. He can acquire a lost password in minutes for us. Like others posted they have a someone in their life that has same ability. In todays world, there are many who have unique abilities to get into accounts

1password.com
 

I would NEVER trust google or any other company like that to manage my passwords but I've been using 1password.com for the last two years. It's convenient since i manage over 100 websites and need more than just a password protected spreadsheet to keep track of everything.

THAT BEING SAID, i would NEVER put any Bank or Credit Card information in any password manager. And always use two-factor authentication. Change passwords regularly. Use Credit Cards instead of a Debit card especially when travelling. I've only had trouble one time in 25 years.