Solved Which is your preferred password manager

man00 · Dec 4, 2022

Isn't LastPass the one there been some breaches lately ?

Try3 · Dec 4, 2022

safron said:
The workbook opened to an innocuous spreadsheet

You were using a password to open the file not just a password to open a particular worksheet?
How long was it & how complex was it?

Denis

iPanda032 · Dec 5, 2022

I tried LastPass long ago. For whatever reason I can't remember, I just didn't like it. Then I used Dashlane for a bit. At that time Dashlane wasn't 100% in online form filling. It's gotten better. But before they made improvements I was turned onto Roboform by that Chris Titus tech youtuber guy. After using Free version of Roboform I decided I liked it more. It gets the job done where I use it most. Mobile. But the WIndows app kinda sucks. Lot of UI glitches. Like the tree menus don't always display for some reason. I have to close the app and reopen. Otherwise I like it more. I briefly tried Keeper. That was kinda meh. But I didn't really give it that big a chance since I kinda committed to roboform by paying for 3 years worth.

willyou · Dec 5, 2022

I started out using LastPass, but found (in my case) that it doesn't always fill in password as smoothly as I would like. I'm gradually transitioning to Firefox' built in PW Mgr. I have no indication yet that it is not secure and it seem to work more smoothly.

johnlgalt · Dec 5, 2022

I still use KeepassXC (and KeePassDX) on my android phone. For work, we've started using Dashlane, and since we implemented it barely 6 months ago they've actively listened to feedback from me and my team and have implemented quite a lot of features that I thought they never would. It's gotten to be a much better PWM overall, but for personal stuff, I'm sticking to my own KPXC, as a long time user of it and before that the original KeePass.

safron said:
Be careful about relying on a password protected MS Office document. I was using a very sophisticated Excel workbook until a more "technical" friend showed me how to bypass it with a easily obtained executable from the internet. Now I use KeePass, and although the UI leaves something to be desired, am very happy with it. It's open source, secure, and has the additional benefit of being able to populate fields on web forms without add-ins. It also uses a Local install, so you won't have to worry about a security breach like what recently happened (again) with LastPass, and can easily use a common file across all devices on a home network.

As a long time KP user myself, I love that Dominik and a few other developers have gotten together and actually made a standard that KP uses, but which any other app can also use.

I switched to KPXC because it is a more modern interface and handles some things straight OOB without the need for adding plugins, and is also open source. Same with KPDX, though you can support both devs with donations (and the KPDX mobile app does hide certain features behind that donation, but most of which are aesthetics - additional icons, additional themes, etc.).

KP 2.xx is the way to go if you're using the original KP apps, versus the older 1.xx version, as there is a bit more compatibility when moving PWs from other systems to the KP standard, and the 2.xx versions also support more stringent encryption, as well.

man00 said:
Isn't LastPass the one there been some breaches lately ?

Actually, yes, it is. Although, these days, I'd not be surprised to find most of the ones on the list having experienced at least one form of hack / data breach in the last 5 years.

TraderGary · Dec 5, 2022

johnlgalt said:
Actually, yes, it is. Although, these days, I'd not be surprised to find most of the ones on the list having experienced at least one form of hack / data breach in the last 5 years.

An addendum to your comment is that it does take a rather uninformed hacker to go through the trouble. All he gets is encrypted data that is of no use to him.

johnlgalt · Dec 5, 2022

TraderGary said:
An addendum to your comment is that it does take a rather uninformed hacker to go through the trouble. All he gets is encrypted data that is of no use to him.

You'd be surprised what they can get. Today's hackers are not all 12 year old script kiddies, a lot are very high level hackers, some with state sponsored backing, to boot.

TraderGary · Dec 5, 2022

johnlgalt said:
You'd be surprised what they can get. Today's hackers are not all 12 year old script kiddies, a lot are very high level hackers, some with state sponsored backing, to boot.

They could be Einstein reincarnate but the fact is they are still going to get nothing but 256-bit encrypted password data.

man00 · Dec 6, 2022

TraderGary said:
They could be Einstein reincarnate but the fact is they are still going to get nothing but 256-bit encrypted password data.

Einstein wouldn't be caught dead hacking

johnlgalt · Dec 6, 2022

TraderGary said:
They could be Einstein reincarnate but the fact is they are still going to get nothing but 256-bit encrypted password data.

Again, you might want to consider what you're saying.

For example, if they obtain *logins* and then actually use said login information to access an account, they can possibly get unencrypted data. Once you're logged in with the correct credentials, you have access to the data, and can perform any and all functions that the system you've just accessed with legitimate credentials allows you to - including things like "Export to CSV, or make a local backup, or whatever. The same holds true with your computer - even if you have bitlocker enabled, once a hacker has you actual login and is able to log into your system, your data is decryptable and accessible.

The encryption only works when no one (besides authorized personnel) has access to credentials to decrypt the files. But if they get access to those decryption keys (credential based logins, for example) then it is no longer a factor.

Hacking systems is not always about getting the raw data. You'll find that a lot of hackers are focused on first gaining access to systems - a big reason why social engineering techniques are on the rise. Even they know that a bunch of encrypted data does them very little good.

As I said before - these are not all 12 year old script kiddies trying to get only raw encrypted data dumps.

f14tomcat · Dec 6, 2022

kelper said:
I use LastPass

Suggestion........... add "Your Browser's Password Feature" as a choice. Not necessary to name a browser, that may go off on an unwanted tangent.

johnlgalt · Dec 6, 2022

He cannot add anymore, at 10, which is the max allowed in the polls, apparently.

kelper said:
I could only have ten choices

pparks1 · Dec 6, 2022

johnlgalt said:
Again, you might want to consider what you're saying.

For example, if they obtain *logins* and then actually use said login information to access an account, they can possibly get unencrypted data. Once you're logged in with the correct credentials, you have access to the data, and can perform any and all functions that the system you've just accessed with legitimate credentials allows you to - including things like "Export to CSV, or make a local backup, or whatever. The same holds true with your computer - even if you have bitlocker enabled, once a hacker has you actual login and is able to log into your system, your data is decryptable and accessible.

The working theory is that the data stored by LastPass is encrypted. They don't store any clear text data, or at least claim that they don't. And based on previous security breaches, there is nothing indicating that this is not true.

The most important key to everything with LastPass is your master password. If a hacker can access any data at LastPass they might get your email in clear text. With that in hand, if they can somehow compromise your workstation and get your master password, they would then have whatever they needed to decrypt your encrypted data.

As stated above, bitlocker only protects your data in the event that your password is unknown. If a hacker gets your actual machine, and can compromise your Windows password, the drive will unlock. If they get your machine and remove the physical hard drive, they would have to then compromise the bitlocker recovery key to get the drive mounted again.

kelper · Dec 6, 2022

pparks1 said:
The working theory is that the data stored by LastPass is encrypted. They don't store any clear text data, or at least claim that they don't. And based on previous security breaches, there is nothing indicating that this is not true.

The most important key to everything with LastPass is your master password. If a hacker can access any data at LastPass they might get your email in clear text. With that in hand, if they can somehow compromise your workstation and get your master password, they would then have whatever they needed to decrypt your encrypted data.

As stated above, bitlocker only protects your data in the event that your password is unknown. If a hacker gets your actual machine, and can compromise your Windows password, the drive will unlock. If they get your machine and remove the physical hard drive, they would have to then compromise the bitlocker recovery key to get the drive mounted again.

My LastPass master password is 23 characters and written nowhere. The only way to get it would be to gain access to this laptop while I was logged in.

Plodder · Dec 6, 2022

LastPass

johnlgalt · Dec 6, 2022

It seems rather obvious to me, but apparently not to others.

If these hackers can breach complex corporate systems like lastPass, you really think they won't be able to breach your personal systems, with something as simple as a Man in the Middle attack to methods much more complicated?

pparks1 said:
The most important key to everything with LastPass is your master password. If a hacker can access any data at LastPass they might get your email in clear text. With that in hand, if they can somehow compromise your workstation and get your master password, they would then have whatever they needed to decrypt your encrypted data.

Exactly. And, if they are sophisticated enough to breach LastPass in the first place, your really think the average end user will have *better* security measures than an organization such as LastPass to prevent accessing their 'encrypted' data?

kelper said:
My LastPass master password is 23 characters and written nowhere. The only way to get it would be to gain access to this laptop while I was logged in.

Or gain access in a way that has a dormant malware waiting for your next login, secretly transmitting data on the sly during your next login.

Let's be real people - I've said it twice now to try to get the point across- these aren't kids in mommy's basement hacking servers for the fun of it. If you seriously think you are protected with your own credentials, more power to you. But I think you're seriously underestimating these hackers' capabilities and backing.

pparks1 · Dec 7, 2022

johnlgalt said:
It seems rather obvious to me, but apparently not to others.

If these hackers can breach complex corporate systems like lastPass, you really think they won't be able to breach your personal systems, with something as simple as a Man in the Middle attack to methods much more complicated?

Exactly. And, if they are sophisticated enough to breach LastPass in the first place, your really think the average end user will have *better* security measures than an organization such as LastPass to prevent accessing their 'encrypted' data?

Or gain access in a way that has a dormant malware waiting for your next login, secretly transmitting data on the sly during your next login.

Let's be real people - I've said it twice now to try to get the point across- these aren't kids in mommy's basement hacking servers for the fun of it. If you seriously think you are protected with your own credentials, more power to you. But I think you're seriously underestimating these hackers' capabilities and backing.

Totally understand your point. Anybody able to breach Last Pass is likely going to easily be able to easily compromise a typical end user. As I said above, the critical piece of the lastpass puzzle is your master password. If that is compromised, it's end of story for you. Just like if your local user password on your laptop is compromised, Bitlocker does nothing for you.

kelper · Dec 7, 2022

This is a really good argument for antimalware software. Defender is ok, but I think there are better options with more protections.
It seems the pros here might disagree with me.

Anyone fancy a poll?

------ Are you happy to use only MS Defender?

fixer · Dec 7, 2022

I'm ok with Defender only. Online safety is mostly about user behaviour, not blocking stuff. This is why experienced users often say they haven't seen any infections in years.

kelper · Dec 7, 2022

I am happy to follow links when I am trying to fix problems, so I have clicked on dodgy links feeling safe that Webroot will protect me.

The majority of men have, at some time, accessed porn online. These websites are certainly risky. Many people are willing to access websites offering cracks for expensive software. Some sites offer access to sports that normally cost money to access.

Who here is totally innocent?