So with a password manager I just remember the one password for it. It’s a piece of software I have to download to my PC and phone and I run it, go to a site and it prompts me for the one password to rule them all and logs me in automagically?
@Woodman: Depending on the password manager, and your preferences, it may be able to integrate with your browser, or you may be the integration.
I’ve been using KeePass for years. I keep a copy on Dropbox, and each PC/tablet/phone links there. Since the KeePass file is encrypted, I feel pretty safe in doing that.
When I open a site like a bank, I open KeePass, drill down into the entry for that site, and Ctrl-C copies the password. I type in the ID (which is generally a variant of a standard “household” ID), then paste the password. A brief pause in the flow, but I get to use a horribly complex, maximum-length password that has no relevance to any other site.
As @DocDubious says, the actual implementation varies from app to app, but generally that’s how it works, yep. When I go to a site with a login, I hit cmd-backslash (or click the 1Password button in the browser toolbar), type my master password, and the correct login name & password gets autofilled.
Here’s 1Password’s intro video. It’s a little hippy-dippy, but it gets the point across:
(not sure why that’s showing as a link and not embedding… but whatevs)
I’m reviving this old thread because password managers have become such a necessary thing these days.
My company has tried a couple, and have decided on 1Password for our choice. If anyone is thinking about using it, we have an affiliate link: 1Password – Password Manager for Teams, Businesses, and Families
At work, we’ve been using LastPass as a “password vault” and DUO for MFA. So far so good for us, despite a rocky start two years ago. Outside of work, my wife uses LastPass as well, so all of our personal passwords are tied to that. Unfortunately, I haven’t gotten around to moving my passwords to there yet, so they’re still sitting in an email draft in Gmail. Yeah, I know I’m asking for trouble…
LastPass is one of the ones that I’ve used. I like 1Password better, and you can export your passwords from LastPass and import them to 1Password or vice versa.
Password managers are one of the things I’ve been too slow to adopt myself, and most of that hesitance is due to people I know that relied on them completely and then got locked out somehow. This isn’t a jab at LastPass, but a former coworker had been using it for years and one day, his master password just wouldn’t work and LP couldn’t help him recover it, so he lost access to everything he stored with them.
I have no idea how often that happens, so I’m likely being irrational, but I’m doing well without it so far, so until the wife gives me an ultimatum, I’ll keep on as is for my personal stuff.
LastPass has export and backup features, though of course you have to use them. I do not care for how they’ve gradually made the free product less and less useful, but we have a family subscription for the moment. I had planned to investigate alternatives, but I was up for renewal right as I was getting ready to deploy, so I just threw more money at the problem and deferred looking into it for another year.
I want 2FA not tied to my phone, e.g. my YubiKey. That was why I started paying for it in the first place.
1Password does tokens for 2FA too. It’s especially nice that you can have multiple vaults, so you can have a shared vault for company stuff and a private vault for your personal stuff.
LastPass has one-time tokens you can generate and store against that fatal day when the password no longer works, or was forgotten, or whatever.
You do have to generate and store them ahead of time, of course.
And yeah, there is no “backdoor” method LP can use to unlock your vault. It’s all on you, and if the workarounds don’t work, you’d be stuck, just like your coworker.
I still like KeePass the most for personal/ family use. I have the vault stored in Dropbox, and each of our phones has the same Dropbox account set up, as well as my work and home PC.
I even have a “business” vault set up in the same place, just a different file/name/password.
If you’re using LastPass, you should have already been notified about the security incident in August. It sounds like they got the source code, some account information and the “vault”.
“Oops”
Not good news for some.
No, not good at all.
If you have LastPass, you need to change your master password, and then every password on every website in your vault. Not fun if you have hundreds of things stored in there.
Yep, changing the master password is not enough, because the hackers have copies of vaults with the old master password, and basically have unlimited time to brute force the password.
I use LastPass, but I’m not going to change every password, because for a lot of them it just doesn’t matter. The ones that do matter use MFA, but I’m still going to change them anyway.
I spent about 7 hours last Friday doing this. It was even less fun than you might imagine, largely due to sites that in the year 2022 do not let you change your password or delete your account in a simple manner.
I’m going to post this here because Linus mentions 2FA and its shortcomings.
The Linus Tech Tips channel and two of their others got hacked on Friday as a result of malware in a PDF. As Linus states, nothing was immediately obvious about the email or file to say that it wasn’t legitimate. When the PDF was opened and didn’t do anything, the employee (totally not Colton) went on to do other things, but within 30 seconds, the malware package had copied a massive amount of browser data, including the critical piece: the session token.
A session token is what lets you stay logged into a website even after restarting the browser and going back there. Without them, you might have to authenticate multiple times while on the site.
Getting the session token was coupled with a YouTube feature called Content Manager (or maybe it’s Channel Manager), which is used to assign who has responsibility for what on a channel. If you don’t configure it right, it’s the same as giving a user admin rights on a computer instead of the more secure method of having a separate admin account and using a lower-level account for your day-to-day work.
Among the items Linus listed as security improvements is geolocation security. If a request suddenly comes in from a different area of the world, prompt to log in again. Having the token expire faster is also listed.
I’m going to take that a step further. If the session token is supposed to be unique to your login session from a specific device and it suddenly appears on another device, especially if the first device is actively connecting to the website at the time, the website needs to force a logout of every device using that token and immediately revoke the token. (Linus does say some of this near the end of the video.)
Link time:
- My Channel Was Deleted Last Night
- ThioJoe explaining how this happens (referenced by Linus)
- ThioJoe explaining how file name manipulation can hide that it’s malware: a display override Unicode character can hide a file extension like .exe
That last one may be what helped the initial email with its “PDF” attachment trick the employee into thinking it was okay.
Update: When it was covered on The WAN Show, it was referred to as “the hackening”.
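Editor’s added example (not code from the post above, from Linus, or from YouTube): what the “force a logout of every device using that token” idea looks like on the server side. A session store binds each token to a coarse device fingerprint and a region at issue time; the same token arriving from a different device while the original device was active in the last few minutes is treated as a stolen cookie and every session of that user is revoked, while a region change or an expired token just demands a fresh login. The fingerprint inputs, the IP-to-region table, the usernames and the timestamps are all constructed for the demo; a real site would use a GeoIP database and richer client signals.

```python
"""Added example, not code from the original post or from YouTube/Google:
a server-side session store that treats one token showing up from a
second device as theft and revokes it everywhere, and asks for a fresh
login when the region or the token age changes. The fingerprint inputs,
the IP-to-region table and the session values are constructed for the
demo; a real site would use a GeoIP database and richer client signals.
"""
from dataclasses import dataclass
import hashlib
import secrets
import time

# Constructed stand-in for a GeoIP lookup: IP prefix -> coarse region code.
_REGION_BY_PREFIX = {"203.0.113.": "CA-BC", "198.51.100.": "RU-MOW"}


def region_for(ip: str) -> str:
    for prefix, region in _REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "UNKNOWN"


def device_fingerprint(user_agent: str, accept_language: str) -> str:
    """Coarse client fingerprint. Assumption: these headers stay stable for
    one browser on one device; a browser update changing them only costs
    the real user a re-login, it never revokes anything by itself."""
    return hashlib.sha256(f"{user_agent}|{accept_language}".encode()).hexdigest()[:16]


@dataclass
class Session:
    user: str
    fingerprint: str
    region: str
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    ACTIVE_WINDOW = 300        # seconds: "first device is actively connecting"
    MAX_AGE = 24 * 3600        # absolute token lifetime (post: expire faster)

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def issue(self, user, user_agent, accept_language, ip, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[token] = Session(
            user, device_fingerprint(user_agent, accept_language),
            region_for(ip), now, now)
        return token

    def _revoke_all_for_user(self, user: str) -> None:
        for s in self._sessions.values():
            if s.user == user:
                s.revoked = True

    def check(self, token, user_agent, accept_language, ip, now=None) -> str:
        """Validate a request. Returns 'ok', 'reauth' (session ended, ask
        the user to log in again) or 'revoked' (theft suspected, every
        session of that user has been killed)."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return "revoked"
        if now - s.issued_at > self.MAX_AGE:
            s.revoked = True
            return "reauth"
        if device_fingerprint(user_agent, accept_language) != s.fingerprint:
            # Same token, different device. If the original device was
            # active moments ago, this is a replay of a stolen cookie:
            # revoke every session the user has, not just this token.
            if now - s.last_seen < self.ACTIVE_WINDOW:
                self._revoke_all_for_user(s.user)
                return "revoked"
            s.revoked = True           # stale device change: just re-login
            return "reauth"
        if region_for(ip) != s.region:
            s.revoked = True           # geolocation jump: prompt to log in
            return "reauth"
        s.last_seen = now
        return "ok"


def simulate_token_theft() -> list[str]:
    """Replay the scenario from the post: victim browsing, token exfiltrated
    by malware within 30 s, attacker reuses it from another machine."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    victim_ua, victim_lang, victim_ip = "Mozilla/5.0 (Windows NT 10.0) Chrome/111", "en-CA", "203.0.113.7"
    tok = store.issue("colton", victim_ua, victim_lang, victim_ip, now=t0)
    return [
        store.check(tok, victim_ua, victim_lang, victim_ip, now=t0 + 10),              # victim: ok
        store.check(tok, "python-requests/2.28", "ru", "198.51.100.9", now=t0 + 30),    # attacker: revoked
        store.check(tok, victim_ua, victim_lang, victim_ip, now=t0 + 40),              # victim: revoked, must log in
    ]


if __name__ == "__main__":
    print(simulate_token_theft())
```

The strong signal here is simultaneity, not the fingerprint itself: a user-agent string changes on every browser update, so a fingerprint mismatch on a long-idle session only costs the real user a re-login, whereas a mismatch while the original browser was active seconds earlier is exactly the stealer-malware pattern in the post and justifies killing every session. None of this is something the channel owner can switch on; it has to be implemented by the site holding the sessions.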
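Editor’s added example for the file-name trick in the link list above (not code from the post or from ThioJoe): a right-to-left override character, U+202E, makes everything after it draw backwards, so a file actually named `invoice<U+202E>fdp.exe` shows up as `invoiceexe.pdf`. The snippet shows the rendered name, strips Unicode format characters to recover the real extension, and flags the combination. The filenames and the list of executable extensions are constructed/assumed for the demo.

```python
"""Added example, not from the original post or from ThioJoe's video:
how a Unicode right-to-left override (U+202E) hides a file extension,
and a heuristic check for it. All filenames here are constructed."""
import unicodedata

# Extensions that run when double-clicked on Windows (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "lnk"}


def rendered_name(name: str) -> str:
    """Approximate what a display that honours bidi controls shows: every
    character after U+202E is drawn right-to-left, so the tail is reversed.
    Enough for the single-override trick; the full bidi algorithm is not
    needed to see the point."""
    head, rlo, tail = name.partition("\u202E")
    return head + tail[::-1] if rlo else name


def strip_format_chars(name: str) -> str:
    """Remove all Unicode 'Cf' (format) characters: bidi overrides and
    isolates, zero-width joiners and other invisible code points."""
    return "".join(c for c in name if unicodedata.category(c) != "Cf")


def real_extension(name: str) -> str:
    """Extension the OS will actually act on, after hidden chars are gone."""
    cleaned = strip_format_chars(name)
    return cleaned.rsplit(".", 1)[1].lower() if "." in cleaned else ""


def inspect(name: str) -> dict:
    """Summarise what the user sees versus what the file really is."""
    has_hidden = len(strip_format_chars(name)) != len(name)
    ext = real_extension(name)
    return {
        "shown_as": rendered_name(name),
        "real_extension": ext,
        "hidden_chars": has_hidden,
        "suspicious": has_hidden and ext in EXECUTABLE_EXTS,
    }


if __name__ == "__main__":
    for n in ("invoice\u202Efdp.exe", "invoice.pdf"):
        print(repr(n), inspect(n))
```

Mail gateways and download scanners can apply the same rule: any format-category character in an attachment name is already unusual, and one sitting in front of an executable extension is worth quarantining. The display half of the trick is helped along by Windows hiding known extensions by default, which is a separate setting worth turning off.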
I saw this on Extraordinary Attorney Woo! From my limited understanding this sounds exactly like what happened to in one of the episodes. Not a session token, but it took their entire database.
dang ne’er-do-wells getting sneakierer and clevererer…