More on password managers

Last month’s post “Password predicaments” generated a lot of discussion on password managers. As a follow-up I refer you to an Ars Technica article that appeared yesterday — “The secret to online safety: Lies, random characters, and a password manager — Or, how to go from ‘123456’ to ‘XBapfSDS3EJz4r42vDUt.’” It’s an in-depth discussion of password managers with detailed explanations of how several of them work. Screenshots are enlightening for those who’ve never used a pw manager. The lengthy article closes with a discussion of strong passwords, passphrases, and how to create them. Lots of great information, even if you aren’t actively shopping for a password manager. It’s never too soon to reexamine your security measures.

16 comments

  1. Holy mackerel, this security stuff is disturbing. It makes it sound like legions of hackers are toiling away to infiltrate our stuff. Maybe they are, but I’ve been OK for several decades now. Am I just lucky? (Anyone out there who’s been hacked? Huh?) One thing I’ve decided though is I’m glad I cancelled my Facebook account. It sounds like social media are a major source of clues for the bad guys.

    One thing I’ve decided in reading the arstechnica link is to use the idea of generating incorrect, intentionally wrong answers to security questions. That sounds pretty easy to do and probably wise, given the ubiquity of genealogical information on the internet these days.

    On your previous post I had mentioned some of my disappointing experience with DataVault for Mac. It has bugs, at least for my OS which is still Snow Leopard. After nearly 3 weeks of frustration I submitted a critical comment to the Apple store and I was going to copy it here, but to my surprise I went there and my comment has been taken down. It was critical not only of the software but of the DataVault tech help which was inconsistent, sporadic and contradictory. I guess it was too much for them. My confidence in Apple itself has also been damaged.

    I can see how the DataVault software is useful, when it works right, and I intend to use it for one of the most difficult sites, one which says it will soon require password changes every quarter (a government site), but there are too many sites on which it won’t work, including any with log-ins on a page separate from the password page. I can’t trust it with everything.

    1. My email on Yahoo was hacked once. Or somehow used to send or forward some sales message to some of my contacts. But that could have just been the result of something that came in via spam. And my Xbox account was hacked once and used to purchase some Microsoft points (used to buy Xbox stuff). Damage was minimal because my bank contacted me immediately (they figured I hadn’t suddenly moved to Indonesia). But I’d say no, I’ve not been the victim of any serious hacking where someone was trying to get into my bank accounts or steal my identity, or rack up huge charges on my credit card.

      There were a lot of great tips in the Ars article, although most weren’t new to me. I’ve heard them from my son who, as a developer, has to be up on all that stuff when he builds websites for clients. I thought of you when I read the part about the old pencil-and-paper thing being a good approach.

      The article mentioned that 1Password is on sale again, and I pounced on it. I’d been kicking myself for not getting it the last time it was on sale. I haven’t begun exploring it yet, since the first step seems to be coming up with a strong master password that I won’t forget. That will require some thought.

  2. Here’s a juicy follow-up for everyone on passwords. I’ve been contacted by the government who tells me they are shifting to “complex passwords” for accessing my military retirement pay record. Here are the new rules:

    The PASSWORD MUST:
    be 15 to 30 characters in length
    contain at least two uppercase letters (A-Z)
    contain at least two lowercase letters (a-z)
    contain at least two numbers (0-9)
    contain at least two of the following special characters: # @ $ % ^ ! * + = _
    change at least four characters from your previous password
    The PASSWORD CANNOT:
    contain spaces
    be one of your last ten previous passwords
    The PASSWORD will expire in 60 days.

    Not only that, but the site requires me to use a virtual keyboard that lacks many of the special characters used by the random password generator that DataVault uses, and this also prevents me from using copy/paste to fill in the new password. Twice, yet. This is insane, and yet this is where the thing is heading. OMG!

    1. And I thought I’d been inconvenienced by password requirements! That’s nuts. Now you have a new kind of password generator to look for — one that will let you enter a bunch of rules first. I haven’t read of any that do. My first thought is that I’d come up with a password that meets all their criteria, and then every sixty days I’d just advance each character by one step in the alphabet or on the keyboard. Or rotate the characters, moving the last one to the first position for each change. With a system like that, they ought to have to give you a password generator!

    1. Too far away. When I want into an account, I want in NOW. Besides, it seems like every week or two I’m having to change one. I probably don’t get to the bank more than once or twice a year. But a filing cabinet here at home, not a bad idea.

      1. I worry about getting sick/car accident and kid needing access to stuff. My parents had this “emergency folder” in a file cabinet – proved to be invaluable. Need to update the one here – we have everything on a protected Excel sheet – but if you can’t get into the computer….
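
The password rules quoted in comment 2, and the reply's wish for a generator that accepts rules first, can be expressed in a few lines. This is an added example, not code from the post, a commenter, or any product named here. It assumes the site's virtual keyboard offers exactly the ten listed special characters and that "change at least four characters" means positions that differ from the most recent password.

```python
import secrets
import string

SPECIALS = "#@$%^!*+=_"  # the ten specials the quoted rules allow (assumed keyboard set)
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)
ALPHABET = "".join(CLASSES)
MIN_LEN, MAX_LEN, MIN_PER_CLASS, MIN_CHANGED, HISTORY = 15, 30, 2, 4, 10


def changed_positions(new, old):
    """Assumed reading of 'change at least four characters': positions that differ."""
    diff = sum(a != b for a, b in zip(new, old))
    return diff + abs(len(new) - len(old))


def violations(pw, previous=()):
    """Return the rules pw breaks; previous is the password history, newest first."""
    out = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        out.append("length")
    if any(ch not in ALPHABET for ch in pw):
        out.append("charset")  # spaces, or specials the site does not accept
    for name, chars in zip(("upper", "lower", "digit", "special"), CLASSES):
        if sum(ch in chars for ch in pw) < MIN_PER_CLASS:
            out.append(name)
    if pw in previous[:HISTORY]:
        out.append("reused")
    if previous and changed_positions(pw, previous[0]) < MIN_CHANGED:
        out.append("too_similar")
    return out


def generate(length=20, previous=()):
    """Draw from the OS CSPRNG and reject candidates until every rule passes.

    Rejection keeps the result uniform over all compliant passwords, which
    forcing two characters of each class into fixed slots would not.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 15 to 30")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violations(candidate, previous):
            return candidate
```

`violations()` can also be run on a hand-made password before typing it into the virtual keyboard, to see which rule would reject it.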
