Should I be worried?

To those that reuse passwords - DON'T DO IT!
Excellent advice. But this is, admittedly, a real PITA. And writing them down is a mistake too. So for sure, I highly recommend the use of a good software-based password safe or manager. With a password safe you only have to remember one (ideally, very strong) password, the one into your safe. Recommended safes include Password Safe, KeePass Password Safe, and RoboForm is a favorite of many.
 
I don't like recurring fees. Recurring fees are like a constant debt looming overhead for me.

What happens if you forget a payment, or are incapacitated due to some serious injury or illness for several months? So no way would I go for one of the subscription plans. If the free version serves your needs, then I suppose that is fine - if you trust cloud storage. I don't.

I am sure they have sufficient backup to ensure your passwords won't get lost. But with all the successful hacks of companies we would expect to be unhackable, I just don't trust my passwords could not be compromised.

I actually use SplashID. I've been using it for about 25 years. I started using it when I had my Palm Pilot PDA. It consisted of a Palm and "Desktop" version for Windows and every time you synced up the Palm, it would sync the encrypted password database too. Thus instant backup. I got rid of my last Palm PDA years ago but I still use the Windows version of the safe. For a backup, I simply copy the encrypted database to my notebook. Splash now has smartphone versions that sync with Windows, but they've gone to a recurring fee basis too, so I have not upgraded to the latest version and don't plan to since this old version works great with W10.

With SplashID, I also keep other information in there, including PINs and such for credit cards, insurance and social security numbers for my kids and grandkids, and bank account information and such. This means I don't need Internet or cell phone access to get a PIN or account number. I like that.
 
We have two-factor authentication for admin and mod accounts so, although I doubt any website is completely impenetrable, we are in good shape.
 
Martin Brinkmann at ghacks reported on a study of Android password managers a couple of days ago:

...
The team's conclusion should have anyone worried who implements a password manager on Android. While it is unclear whether other password manager applications for Android have vulnerabilities as well, there is at least a chance that this is indeed the case.

"The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks."

At least one security vulnerability was identified in each of the apps the researchers analyzed. This went as far as some applications storing the master key in plain text, and others using hard-coded cryptographic keys in code. In another case, installation of a simple helper application extracted the passwords stored by the password application.

Three vulnerabilities were identified in LastPass alone. First a hard-coded master key, then data leaks in browser search, and finally a vulnerability affecting LastPass on Android 4.0.x and lower which allows attackers to steal the stored master password.
...
 
...some applications storing the master key in plain text
:eek4:

I am glad I don't live off my smartphone. Consequently, I don't keep any passwords on my phone. What I also find disturbing is the study didn't mention any password manager that was safe to use. :(

At least on the source site, in their bold red it says, !! Update 2017-03-01: All reported vulnerabilities are fixed by the vendors !!

As a side note, most browsers let users save passwords. I NEVER let that happen. In fact, the first time any browser offers to save my password, I always say no, then check the option to, "Don't ask me again!"

Best if users asked themselves, "What happens if a bad guy steals my computer or smartphone?" "What if I lose my phone or leave my notebook at the cafe?"
 
Best if users asked themselves, "What happens if a bad guy steals my computer or smartphone?" "What if I lose my phone or leave my notebook at the cafe?"

For non-mobile home users you might ask, "What if someone steals my password list stashed somewhere in my home?" Writing down passwords can be safer than the hardware is.
 
writing down passwords can be safer than the hardware is.
Well, maybe.

Physical security is an often overlooked area of computer security. I cannot tell you how many times I have gone on trouble calls only to look under the keyboard, in the computer desk drawer, or in a recipe card file box sitting next to the monitor to find the lists of passwords the users wrote down. A bad guy breaking into your home or office is likely to search within arm's reach of the computer chair for such lists too - and grab that, and any external drive (often a user's only backup :() along with the computer too.
 
Your average bad guy is more likely to grab an armful of valuable items, like the EHD/Tower/half a dozen bottles of hard liquor, and get out fast; looking for scraps of paper in unlikely places is a job for specialists, not opportunists.
 
looking for scraps of paper in unlikely places is a job for specialists, not opportunists.
Not all burglars are simple opportunists looking for quick drug money.

Note I said "within arm's reach". That only takes a couple seconds and "under the keyboard", the "computer desk drawer", and an "index card box next to the monitor" are hardly "unlikely places". Those places are, by far, the most obvious and likely. I've even seen password lists thumb-tacked to cork boards next to the user's desk. :(

BTW, I was taught that in a security awareness class by a cyber crime specialist with the FBI as part of the required training I needed to get my access certifications to support secured US State Dept networks. Writing down passwords just isn't a good idea. If you have to, keep them in a secure place, preferably off-site, locked in a safe! But it is better to use a "good" password manager. Then you only have to remember one password.
 
looking for scraps of paper in unlikely places is a job for specialists, not opportunists.
Not all burglars are simple opportunists looking for quick drug money.
I didn't say they were.

Note I said "within arm's reach". That only takes a couple seconds and "under the keyboard", the "computer desk drawer", and an "index card box next to the monitor" are hardly "unlikely places". Those places are, by far, the most obvious and likely. I've even seen password lists thumb-tacked to cork boards next to the user's desk. :(
In a home burglary scenario, it would still need a specialist to discover and make profit from stolen passwords.

BTW, I was taught that in a security awareness class by a cyber crime specialist with the FBI as part of the required training I needed to get my access certifications to support secured US State Dept networks. Writing down passwords just isn't a good idea. If you have to, keep them in a secure place, preferably off-site, locked in a safe! But it is better to use a "good" password manager. Then you only have to remember one password.
State Dept. networks are more likely to be attacked by specialists.
Off-site and in a safe, for home users, or just the rich, retired home users?
One of those "good" password managers that only get patched after there's been some bad publicity?
 
One of those "good" password managers that only get patched after there's been some bad publicity?
Well, I don't use any of those! I use SplashID that encrypts the master password, and the database too. This version only works with Windows, not Android as all those in that report did. And it does not back up to the cloud either.

That said, those in that report would still take someone with some tech savvy to hack - assuming they determined a password safe was being used. Passwords written on a piece of paper under the keyboard (seen when he steals the keyboard) only take someone who can read to know what they are, and then use them.

In a home burglary scenario, it would still need a specialist to discover and make profit from stolen passwords.
Umm, no it wouldn't. As I have shown several times now, if the user is writing down the passwords on a piece of paper, discovering them is easy. If users are writing them down, they are not going to hide this piece of paper downstairs on the opposite end of the house in a hollowed-out book. They are going to be within convenient, easy arm's reach.

And once a bad guy knows the passwords to your bank or Paypal account, he can steal your money. Or just be mischievous and change your passwords.

State Dept. networks are more likely to be attacked by specialists.
That's immaterial. This training class was about the physical security of all computers, not just government owned computers. And the information the special agent gave was from cyber crime statistics - not State Department policies.

Off-site and in a safe, for home users, or just the rich, retired home users?
Off site can be at a trusted neighbor's. That works in case of fire or flood too. And you don't have to be rich to have a safe deposit box at your bank. Mine costs $40 per year (and is tax deductible too). I keep original copies of birth certificates, insurance papers, living will and other important documents in it, a hard drive with a fairly recent backup of all my computers, and a flash drive with copies of other files, including an encrypted copy of my password safe.

I really don't understand your position in this discussion. You seem intent on rationalizing and justifying writing down passwords, or at least suggesting writing them down is just as secure as using a password safe. Sorry, but I'm not ever going to buy it. Users need to use unique passwords and PINs on all their accounts and then properly secure those passwords and PINs. For most people that would mean many, perhaps dozens or more passwords and PINs. Not to mention lock combinations too.

Odds are our homes will never be robbed, flooded, burned down, or blown away by a tornado. But those things happen to others every day!
 
I'm not trying to sell you anything, just trying to point out that one size doesn't fit all.
 
One size? ??? I have no clue what that means in the context of this discussion. The only absolute I contend is passwords should never be written down unless they are then locked up in a secure place out of sight and out of arm's reach of the computer.
 
