Recommend using a password manager or no?


#1

I am trying to figure out if we should be recommending to our staff that they use a password manager or not. Since both LastPass and KeePass have been hacked in the past, albeit by ethical hackers, it brings to mind the wisdom of putting all your passwords in one place.

Not sure which is the right solution.

Thoughts?


(Edwin Eekelaers) #2

Try either one of these 2. I trialled them (NOT a publicist stunt).


https://www.zoho.com/vault/

If you want contact, PM me.


#3

I am not looking for a particular type of password manager. I am trying to figure out if using one is something that we should be advising our employees to use. Is it really a secure method of storing your passwords, or are we just kidding ourselves? Maybe we should be looking at just remembering all those passwords. Not sure which direction makes more sense… that is why I am asking the question.


(Edwin Eekelaers) #4

The ones I mention are pretty good. In an ideal world we wouldn’t need them, but c’mon, how many users can’t even remember 12345 on a Monday morning? I’m against it, as I’ve been called prehistoric. We didn’t have them and also had to remember 25 or 30 of them.


(Daniel Beato) #5

I usually use 1Password or KeePass since they worked well for us.


(Christian Bureau) #6

I don’t trust password managers… I don’t think that it is a good idea to store our passwords in a database on a server. It can be 100% sure today, but who knows how many security holes will be discovered in the next days or months, and I am sure that hackers are working hard on this project!! I think that, if you can’t remember your passwords, the best thing will be to download an app on your smartphone with good encryption.


(Edwin Eekelaers) #7

That would definitely be a very bad idea, imho.


#8

I am not sure about other password managers but KeePass stores the data in a file, you decide where that file is stored. Not sure if that makes a difference or not.


(Christian Bureau) #9

Quoting Edwin (post #7): “That would definitely be a very bad idea imho”

Not when using KNOX.


(DT) #10

To my way of thinking, the only alternative to using a password manager is memorization. And for most people that means somewhere from 1 to 5 passwords that they can actually remember, most of which will probably be variations on a theme (password, p@$$w0rD, password1234, p@$$w0rD1234, and so forth), and then using one of these 1-5 passwords on every website and system on the entire Interwebz. I don’t see that as a good alternative.

I personally have literally hundreds of passwords. For work alone, I have 15 different username/password combos. That’s not by choice - each system requires its own. Without a password manager, I would be forced to write them down somewhere, or do password recovery/call the helpdesk every day.

I wish there were a better alternative.


(Will Jeansonne) #11

Not sure if I would ever use LastPass, since it was possibly hacked back in 2011. Moreover, online password managers just spook the hell out of me, since they seem like they would be the ultimate target for hackers. Humans are definitely the weakest link in the chain; I could see myself being duped by a cleverly written phishing email.

Anyway, that’s why I’m sticking with my handy little standalone PW app that I’ve used for years, for the time being. That, my friends, I’ll never divulge. :wink:


(Edwin Eekelaers) #12

Make it a challenge and write your own password management app :wink: All you need for that is readily available on any Microsoft installed OS if you are handy with code.


(Sarah Cuny) #13

We use KeePass at work and recommend employees use it. As @Babs mentioned, with KeePass you decide where to store the data file.

At home, my husband and I use LastPass. There is no way we’d be able to remember 50+ unique, strong passwords.

It comes down to deciding for yourself which is riskier: a potential hack, or using weak passwords in multiple places.


(Edwin Eekelaers) #14

I have a simple text file that’s heavily encrypted, but the key is not stored in the file; the decryption key is stored on a BitLocker-encrypted thumb drive I have on my lanyard… Accounts & passwords are not stored in clear text format but in a secure system string, which on its own is also unreadable to the naked eye. Recently compiled the code to encrypt & decrypt the pwd file. Let’s see how they can decrypt that… when A & B are only together when I am present. Gradually, when my coding knowledge develops further, the encryption & security on that file will increase. Like I’ve said before, if you are handy with code and you have a Microsoft OS device you can do a lot yourself.

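The layout Edwin describes in #14 (a credential file whose decryption key lives only on a separate, BitLocker-protected drive, with entries kept as secure strings) can be illustrated with PowerShell’s built-in SecureString cmdlets. This is an added example written for this thread, not Edwin’s code; the paths in $VaultPath and $KeyPath, and the E: drive letter standing in for the removable drive, are assumptions.

```powershell
# Added example: credential file encrypted with a key kept on a separate drive.
# Paths are assumptions; E: stands in for a BitLocker-protected removable drive.
$VaultPath = "$env:USERPROFILE\Documents\vault.txt"
$KeyPath   = 'E:\vault.key'

function New-VaultKey {
    # 256-bit AES key. ConvertFrom-SecureString uses AES only when -Key is given;
    # without -Key it falls back to DPAPI, which ties the file to this user and machine.
    param([string]$Path = $KeyPath)
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [IO.File]::WriteAllBytes($Path, $key)
}

function Get-VaultKey {
    # The vault is unreadable unless the key drive is actually plugged in.
    param([string]$Path = $KeyPath)
    if (-not (Test-Path $Path)) { throw "Key drive not present; vault cannot be opened." }
    $key = [IO.File]::ReadAllBytes($Path)
    if ($key.Length -ne 32) { throw "Unexpected key length $($key.Length)" }
    return $key
}

function Add-VaultEntry {
    # Appends one 'account<TAB>ciphertext' line; the password never touches disk in clear.
    param([string]$Account, [securestring]$Password)
    $enc = ConvertFrom-SecureString -SecureString $Password -Key (Get-VaultKey)
    Add-Content -Path $VaultPath -Value "$Account`t$enc"
}

function Get-VaultEntry {
    # Returns a PSCredential so the password stays a SecureString in memory.
    param([string]$Account)
    $key = Get-VaultKey
    foreach ($line in Get-Content $VaultPath) {
        $name, $enc = $line -split "`t", 2
        if ($name -eq $Account) {
            $secure = ConvertTo-SecureString -String $enc -Key $key
            return New-Object System.Management.Automation.PSCredential($Account, $secure)
        }
    }
    throw "No entry for $Account"
}

# Usage: run New-VaultKey once with the drive mounted, then add and read entries.
# New-VaultKey
# Add-VaultEntry -Account 'vpn' -Password (Read-Host 'Password' -AsSecureString)
# (Get-VaultEntry -Account 'vpn').GetNetworkCredential().Password   # reveal only on demand
```

Without the key file the ciphertext lines are useless on their own, which is the property Edwin relies on; the trade-off, as #15 notes, is that losing or forgetting the drive locks you out too.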

#15

Edwin, that sounds very secure. Unfortunately it isn’t really workable for my users.


(Edwin Eekelaers) #16

True, but I’m not your average user. With the level of access I have you can do pretty bad damage to our company network, so extra caution is due.


(Daniel Beato) #17

Usually I would recommend KeePass for local and 1Password for local and cloud password management.


(Eric Andresen) #18

No question, you should promote password managers. Honestly, in today’s day and age, if you know your own password that is a huge problem; that just means you are reusing passwords. Password reuse is a theme we see coming up in cyber breaches over and over. A great example we saw recently is the Yahoo email breach. If your password was only good at Yahoo, it just isn’t a big deal if they got your old one: change it and move on. But if that happens to be the same password as your Visa, Mastercard, American Express, Amazon account, Twitter account, etc., you have a big problem.

KeePass is what we offer all staff, and I suggest LastPass to them as well, who seem to do everything correctly.

The Kevin Mitnick training also suggests using a password manager. How else can you survive today?


(David A Hahne Sr.) #19

How about going lo-tech? I have a Rolodex (a desktop one, not the big donut thing) with all of my passwords. My office is private, so no one truly knows what is in there. I have a safe box, unmarked and plain, in which my Rolodex sits with other valuable papers, nice and locked up, with me having the only key, and my second key is at home in a safe box there with my other valuable papers for my home. My file cabinet is unlocked, but soon will be. I have nearly 50 passwords at present, and when I am called to a job, I just merely pull out the Rolodex, obtain what I need and put it back. You can set them up for departments, companies, and if you have several (I have two; one is presently unused), there is a master catalog card in the front to identify what is in that particular box. Just a suggestion that works for me. It is alphabetized so it is easy to find, and when the time comes to change your passwords, you can add the new one below the old one and date the passwords to know which is current, and if something happens and you need the old one, it is right there for you. And if I ever move on to another job, a file shredder can do wonders to destroy the information, or a secure burn company can be used as well. While it is true that a would-be villain could break into my office, he would first have to know it is in there, and that is something that, save for you folks, my company’s employees do not have the privilege of knowing. And since I am posting this, the box is being moved anyway, just as a security precaution; I am very cautious about things like that (just a quirk of mine).


(Matt Parkes) #20

I personally think it’s better to have some protection than none. What happens without a password manager? Written-down passwords, weak easy-to-crack passwords, password re-use and sharing?

I haven’t looked into how any of the managers you mention have been hacked, but if the companies who create them are worth their salt and the vulnerabilities were made known to them, then these should have been patched. You would be better off checking with the individual companies to know this.

The other thing to think about is availability and accessibility of password managers. The one I use stores the passwords in a vault file which you can store locally on a PC, or you can store in the cloud such as Google Drive etc… If you then have 2-factor authentication set up on this account, this provides additional access control as well as the encryption of the vault file. There are versions of my password manager available for Windows, Mac OS, iOS and Android, which means I can access my vault from anywhere as long as I know the master password. For mobile platforms I ensure I follow best security practice, using phone encryption, biometric and strong password access, and always keep my device patched regularly. I know with Android it’s a little more difficult depending on make and carrier used, but hopefully this isn’t too bad an issue for you.