Password files

[Gina Stevenson]

Yes, today being the day to pay my phone bill (paid on-line "forever" now) and, the same day, GiveawayOfTheDay having one of those "we'll keep track of your password" programs, it got me to wondering ~~ while looking again for the paper on which I've written the most obscure passwords ever made up [which, of course, I'm not going to remember].

Just haven't dared trust something like this ... yet, hoping that no one can figure out my passwords for the $$ place where I pay a bill [have peeked @ my checking acct on-line, too], I've made some passwords I know I'll never remember, their so weird.

Does anyone use/trust these sorts of things ... in case, for instance, some browsing software [spyware?] picks up a file from your computer and it happens to be one related to PW's & $$$ sites?

Wanting to have a place where they can be remembered, yet not knowing if I dare trust such a place/file to keep them safe for me, yet ... ??

Thanks!

[Kevin Rector]

I wouldn't trust my passwords to a program from a GiveAwayOfTheDay website. I might to a product from a really reputable company.

Browsers will remember your passwords for you. Other than that, you can put them all on a piece of paper in a safe place (it should be a safe place, not sitting next to your computer).

[John Kennedy]

I've had to resort to keeping mine (especially the less-used ones) in a journal/log book. I'm afraid if I put them on my computer I wouldn't be able to remember the password to get to the passwords.

I'm one of the reasons the post office is going broke. I haven't mailed a bill payment in a long time. Everything's paid online either by the company's website or by my bank's 'bill pay' service. I remember my bank/s passwords fine since I'm into them every day, a practice that saved me quite a few bucks about a year ago.

[John Kennedy]

I wouldn't trust my passwords to a program from a GiveAwayOfTheDay website. I might to a product from a really reputable company.

Browsers will remember your passwords for you. Other than that, you can put them all on a piece of paper in a safe place (it should be a safe place, not sitting next to your computer).

You mean you don't have your PIN written in permanent marker on your ATM card?

[Gina Stevenson]

Browers !? Since when? And where ???? Do we want to trust those, either, since they connect more than most of our files that just sit here on our computer.

OK, just went to look again. hadn't even bothered to look at what company was offering it; sometimes those GAOTD things are from reputable companies, Kevin. But, anyway, I see now that this one is: 1-abc [never heard of this one!], so we'll forget it. Besides, by now it says that there are 84% agin' it, and only 16% on the positive side. So, anyway ....

Kevin, what about the browser keeping them? [Now I have some vague memory of something like that, but probably didn't use it when I did see it, b/c I didn't want to trust the browser, either.]

Thanks.

[Michael Flowers]

If you go to the "options" menu for your browser you should be able to find a spot referring to the saving of passwords. It is likely turned off right now if you have not noticed it. I currently use Mozilla Firefox and there are a couple of sites that I don't remember the passwords for because I haven't typed them in over four years (firefox just remembers them for me).

[Gina Stevenson]

If you go to the "options" menu for your browser you should be able to find a spot referring to the saving of passwords. It is likely turned off right now if you have not noticed it. I currently use Mozilla Firefox and there are a couple of sites that I don't remember the passwords for because I haven't typed them in over four years (firefox just remembers them for me).

Thanks, Michael. I use Firefox, too. But I was just wondering if perhaps when something gets into the computer that should not be there ~~ say, some virus ~~ if that "something" could steal a PW or two before it's cleaned out! Scary tho't if anything re $$$ [such as one's bank PW, or PayPal, or ... where one uses that bank account to pay a bill on-line].

ETA: How encrypted/safe something is has to do partially with whatever bits (whatever they are) a computer is, right? Now that many are 64-bit, having an older one that is 32-bit would, therefore, be a bit more vulnerable, maybe ???

[Dave McClung]

Yes, today being the day to pay my phone bill (paid on-line "forever" now) and, the same day, GiveawayOfTheDay having one of those "we'll keep track of your password" programs, it got me to wondering ~~ while looking again for the paper on which I've written the most obscure passwords ever made up [which, of course, I'm not going to remember].

Just haven't dared trust something like this ... yet, hoping that no one can figure out my passwords for the $$ place where I pay a bill [have peeked @ my checking acct on-line, too], I've made some passwords I know I'll never remember, their so weird.

Does anyone use/trust these sorts of things ... in case, for instance, some browsing software [spyware?] picks up a file from your computer and it happens to be one related to PW's & $$$ sites?

Wanting to have a place where they can be remembered, yet not knowing if I dare trust such a place/file to keep them safe for me, yet ... ??

Thanks!

Gina
I use http://www.lastpass.com. I use the free version and have been very pleased.

With lastpass, you only have to remember two passwords. One for your computer and one for lastpass. Lastpass keeps your password file in encrypted form in the "cloud" so that you can access it from any computer. For people like me who use several different computers, that is a great feature.

The lastpass program also allows you to store information other than passwords. For example, I have a record of all my credit cards, frequent flyer numbers, etc.

If you have a smart phone, you can access your lastpass file with the smartphone too.

[Gina Stevenson]

Thanks, Dave. How long have you been using this? Really don't have to worry about anyone getting into that "cloud" ... ???

Nope, no smart phone here, BTW ... too much monthly ... tho' that would be nice. If I ever get "rich" then I'll do that, for sure ... being the i'net addict that I can sometimes be!

[Kevin Rector]

One other option and one that is very safe is to have a text file on your computer with all your various passwords and other information that you wouldn't want anyone to have and to encrypt that file with PGP. With that you don't have to trust your sensitive information to any third parties.

[Gina Stevenson]

OK, is PGP supposed to be a type of file, or is PGP a program name of some sort?

OK, in googling it looks like it's a security company [or was], and that they have now combined with Symantec (old Norton). It speaks of there being "freeware," and then once you get to the last link, it says "trial (of 15-60 days)," rather than "freeware."

A few days' trial isn't going to do much for someone. Is this site perhaps like another freebie that was hard to get to sometimes if you didn't hunt & hunt & hunt ... AVG? Since it does speak of "freeware," I would not think they'd actually call their "only-a-trial"by the name of "freeware!"

Thanks!

Here's where we found it:

http://www.pgpi.org/products/pgp/versions/freeware/winxp/

So, you then click on the PGP one (of two), and it takes you to:

http://www.pgpi.org/products/pgp/versions/freeware/winxp/8.0/

Then when clicking on the English PGP file there, it takes you to:

http://www.symantec.com/business/theme.jsp?themeid=pgp

Finding no link there for "freeware," I hunted, hunted some more, then did a search in varying ways re this "PGP freeware," et cetera.

There popped up one of those usually irritating "chat" boxes. The guy insists that since PGP joined Symantec (last year sometime), there is NOTHING free anymore; even what you apparently got free how long ago is now "30-day trial," which doesn't do anything for the long term.

Hey, Kevin ... do you think maybe it could be emailed, and used, or was there some code needed even when it was free?

Thanks.

[Dave McClung]

Thanks, Dave. How long have you been using this? Really don't have to worry about anyone getting into that "cloud" ... ???

Nope, no smart phone here, BTW ... too much monthly ... tho' that would be nice. If I ever get "rich" then I'll do that, for sure ... being the i'net addict that I can sometimes be!

Gina, the information held in the cloud is encrypted. If someone obtained it, they would have to know your LastPass password to access the information. I have never heard of anyone breaking that kind of encryption.

[Craig Laughlin]

Just got on LastPassword - very cool.

[Kevin Rector]

PGP stands for "Pretty Good Privacy" which is an encryption standard that's been around (and to the best of anyone's knowledge) unbreakable even by governments since the 90s. The guy who developed it gave it away for free. Some companies have made commercial offerings based off of it, but there are free versions available. You do need some level of technical savvyness to use it though so it might not be the best option for everyone.
A good free implementation of PGP for windows is: http://www.gpg4win.org/

A good free implementation of PGP for Mac is: http://www.gpgtools.org/

The way PGP works is you create a "public" key and then encrypt files with that. You use a password to decrypt the file. So if you have a text file for instance that has all your passwords in it, after it is encrypted no one can view it unless they know your password to decrypt it.

You can also encrypt files that you want to send to someone by using THEIR public key that they give to you.

Below is a sample of a file that has been encrypted:

Code:

-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

hQIMA23e17rcpoIxARAAg4K4+lgzinnDOJVyRKJ5o0oIFBolVQTLsAhiMyxNNS5d
51mY3EGT+IrpcAQ4QXc0OZXzy8I5xkLOV/X0ffCjfdTswvX4wDavjkSS2gAKT0g8
Kb7Gx/NIAYmoRm3VMamfYvs841zXLLrPWpwIeLhuWdWy/VAf5V/7GVMJq1BiUEbW
xHIGal3rUtd1d8AMsb5SBtcCKll7FnEMnC3zAvI6iqAZ5MnzDegXIRLWCwe/lN2K
e0gKFMehmMaR44fY1V0itMqN0uHpY7ksT8zSlHU1vUQ3Mhm0yRLgmE7u7GL9rxP1
DmgQ7CjByeIu73tBLHwU8CEFsCnUzR1GEg5/DxLqz1dmzEt9fb1GAIO9JwuMtiQE
DeDgBxtJVwmVZmMsVJ/vRa7l5IZyPpGui4DNTs2RvIdbmOcHnHw0XXMMOXsLCZPE
AFkIOUpZWbdvKILze1ax48Xd0cjtYnP9DxEvVQZl7drxi66LvNGqjiy0vm/O54Tw
RLwDtEI6/v9XHsiOhoif+cjIYFtZNunLABDabapORiODz4ZkATyjVvpLrDoaHWzj
9cgzLCivJAm4buf2wT3A1B1xAPTAyOuHr9rFBbxVSgkSpY0rtznEXoke2R1XbB1z
VEDtw3l9W/+lHf9llPMYijtyfK3ma49yxUuUFBdKu8KlX/ucNIV8g/D/CWIpgjDS
pgGTJIm0iFKqnKPJihbCk7+SPJJugluXROP0qLmBkKkkqhacC4fxZSdLmHwLlfVQ
C6sklAP+pKqwISdBXnbSp5ufkOnmA8cZkDrdAxKzltMH0h0b/iIvNKPfi8T87Ei9
RwidQz582fylcSr5BVQCNRDxXk0bynbxtGVAkqrxVQU5tBw9To6EvPMcPkPo+Sr6
FPbjg6tpTTdNuQlbD+Vh7/ds+IvC0tw=
=QSCe
-----END PGP MESSAGE-----

When the file is decrypted is read:

Code:

This is a text file and I am going to encrypt it.

Don't you think that's neat.

No one will ever be able to decrypt it but me.

Yippie!

[Betty Bolerjack]

Gina
I use http://www.lastpass.com. I use the free version and have been very pleased.

With lastpass, you only have to remember two passwords. One for your computer and one for lastpass. Lastpass keeps your password file in encrypted form in the "cloud" so that you can access it from any computer. For people like me who use several different computers, that is a great feature.

The lastpass program also allows you to store information other than passwords. For example, I have a record of all my credit cards, frequent flyer numbers, etc.

If you have a smart phone, you can access your lastpass file with the smartphone too.

I've been using LastPass for a couple of months now, ever since another one of my email accounts got hacked. I started looking for something and found three, two of which were free and the other one had a free trial. LastPass had very good reviews, so I decided to give it a try. So far, I am mostly pleased. I say "mostly" because it seems to have turned off the option for having my browser save my passwords (which I used to use), but there are some of the sites that it doesn't remember those passwords for and I don't remember them, either! It's also a little funky on some sites and doesn't always recognize when a site is calling for a password. Those are just minor irritations and probably something that I just haven't had time to figure out.

One other option and one that is very safe is to have a text file on your computer with all your various passwords and other information that you wouldn't want anyone to have and to encrypt that file with PGP. With that you don't have to trust your sensitive information to any third parties.

I used to have a text file, but it wasn't encrypted as I didn't know how to do that. At one time, I printed it out so I could take it with me on a trip and then, I think I shredded it. I sure wish I still had that hard copy because the drive died that it was on and I didn't have a backup of that drive. I do now (changed the plans on backup... I think I posted about that back when it happened) and I'm just waiting for the money to recover that drive since most of the files on it are pictures.

When I was trying to figure out what to do about my passwords, I learned that one of the best ways to make a safe password that you can remember without writing it down is to use a phrase of a song and use only the first letter of each word. For instance, "Old McDonald had a farm" becomes "omhaf" which isn't long enough, but you get the idea. To make it even more secure, capitalize some letters and throw in a number and/or a symbol. That one could become very secure (especially if it was longer) by making it 0Mh@f. Oops! That @ symbol made it a link. It won't do that in a password field, though. Adding a second line from the song would make it long enough.

LastPass will let you use your own created passwords or will make them up for you. You can see what the password is when you go into your LastPass vault and click on edit for the site that you want to see. I don't have all of my passwords changed yet and I haven't yet added it to my mobile devices, but I'm working on it and it sure beats having to remember all those passwords! All in all, I would recommend it. Just be sure you log out! I realized earlier today that, by staying logged in, if someone got hold of my computer, they would have access to my passwords. That's going to change!

[Gina Stevenson]

Hey, Kevin, that is cool! Gobbledygook-type cool.

Thanks, too, Dave. Will check out both of these things, I guess.

[Kevin Rector]

Hey, Kevin, that is cool! Gobbledygook-type cool.

Thanks, too, Dave. Will check out both of these things, I guess.

Sounds like LastPass is good for those who are less technically savvy and aren't afraid to trust a third party.

[Betty Bolerjack]

Sounds like LastPass is good for those who are less technically savvy and aren't afraid to trust a third party.

If you think about it, we trust third parties all the time.

[Kevin Rector]

If you think about it, we trust third parties all the time.

That is definitely true. What I meant was that using PGP as opposed to a service like LastPass or 1Password - you are doing the encryption rather than someone else. You are storing the data yourself instead of someone else. That's all I meant.

I'm giving serious consideration to signing up with LastPass. I'll just maintain an encrypted copy locally (and a paper copy in the safe deposit box) in case they go under or are hacked or whatever.

[Zach Wingo]

I find it easier to use a single complex password for everything and there's no reason to change your password often so you should be able to learn it and remember it.

[Zach Wingo]

I'm sure some of you are shocked that I would suggest using a single password and not changing it often. However, it really doesn't make sense and it's something that's been discussed in the computer security industry for a few years now as being pointless. Look at this transcript from Security Now.

Steve: And so really, if we look at changing it often, okay, so what's the risk? The risk is that somewhere far in the past our password would have been captured, but it wouldn't have been used until now. So the not changing it often creates a window of opportunity. But if the password is captured and immediately used, which is probably more likely, then changing your password often provides you no benefit. Right?

Leo: Okay. Let me think about that.

Steve: Because it would only be if you changed it, like, every few minutes...

Leo: Right.

Steve: ...that someone would have to fit within a very small window in order to exploit the fact that you had had the same password. So again, the changing it often, the argument against that is that most times the password is going to be captured and probably used quickly. So it doesn't really matter how long you've had the same password. The only place where that would matter would be if a year ago the password were captured and it hadn't been used until now. So that changing it anytime in that year would have thwarted the attack.
So you could say, okay, that's dumb. I mean, changing it often is, first of all, a real pain because if you just got comfortable with - it's like when I lose one of my credit cards because of online fraud, it's like, oh, I had just memorized the darn thing, and now I've got to go memorize it again. So changing your password is very expensive from a user argument, from a user cost, and it's not really clear. It's like should you? Yes. What happens if you don't? Probably not a big problem because the nature of the attack is not using real old passwords. That just probably doesn't happen.


Leo: Right.

Steve: Now, how about the no reuse of passwords across sites? So we talked about what the cost there is, or the exploit is, some sort of cross-site abuse where something sees your logon credentials, something or someone, a keylogger or malware or a trojan or something, or an employee at a site that's a bad employee at a site sees your credentials and then specifically tries to reuse them on other sites. Could it happen? Yes? How likely is it? One of the problems, and it's a really good point that Cormac brings up, is we don't know the answer to these things. We don't really - we in the security community don't have real quantified research about the nature, the size of the risk.

Leo: That's interesting. We're just assuming empirically.

[Gina Stevenson]

Thanks. But what is it after all that we are then to assume about their assumptions?

[Bruce Nuffer]

I second this. I have used LastPass for three years and am very happy with it. More recently I have begun letting it create my passwords for me. I feel a little funny about that, but I guess I trust them enough to store all of my own passwords there. Besides, their suggestions are always better than what I can come up with.

[Gina Stevenson]

I second this. I have used LastPass for three years and am very happy with it. More recently I have begun letting it create my passwords for me. I feel a little funny about that, but I guess I trust them enough to store all of my own passwords there. Besides, their suggestions are always better than what I can come up with.

Wow! That is something ... not even knowing one's own passwords? That does sound odd.

[Jonathan Hooker]

Last Pass is a good solution. I personally do not like keeping my passwords in a file on a server that I don't control. I use and have used for a very long time keepass. It is a nice little open-source program that is well documented and provides an encrypted password safe. It is pretty easy to use as well...