Password Managers, Anti-Virus & VPN software

Discussion in 'Geek Cave: Computers, Tablets, HT, Phones, Games' started by wadec22, Apr 7, 2020.

  1. rhythmdevils

    rhythmdevils MOT: rhythmdevils audio

    Except for the password being easier to get ahold of since it’s used everywhere for your Apple ID.

    Neither your Apple ID password nor password manager app’s password can be random numbers and letters because you have to remember it.
     
  2. dasman66

    dasman66 Self proclaimed lazy ass - friend

    Sitting at your desk, look around the room at your 4 favorite things. Your password is:

    FIRST-SeCoNd-THird-fOrTh

    As long as you can remember your favorite things, and the All caps/cap-lower alternating/CAP half-lower half/lower-cap alternating order, then you remember your password and no one is ever going to guess it or brute force it.
     
  3. Armaegis

    Armaegis Friend

    Lately my passwords are some random item serial number that I find on my desk, then I hold shift and retype the whole thing, sometimes repeating a third or fourth time, and insert a typo so I wind up with passwords like: abx123wtfbbqABX!@WTFBBQabx124wtfbbq
     
  4. fastfwd

    fastfwd Friend

    I don't understand; what does "used everywhere for your Apple ID" mean? Your Apple ID password is used in exactly one place: to authenticate yourself to Apple. Right?

    Ok, so I know that clueless web sites (i.e., nearly all web sites) have "taught" us that a password must necessarily contain a mix of uppercase letters, lowercase letters, numerals, and symbols in order to be secure -- and password-manager publishers have told us that passwords are weak unless they're generated by a cryptographically strong random number generator.

    But if you think about what you're actually trying to protect against, you'll see that you can choose a good password without any of that.

    Threats against your passwords fall into only a few categories:

    Targeted attack (someone trying to hack into your account specifically)
    To protect against this, all you have to do is not use personally identifying information (your birthday, the city where your mother went to high school, the name of your first pet, etc.) as a password or part of a password. And for heaven's sake, don't use that information in the answers to password-reset "security" questions, either. Remember, you aren't actually required to answer those security questions truthfully, or even plausibly.

    Untargeted attack (someone trying username/password combinations until one of them works)
    To protect against this, don't use popular or known passwords (lists are easily found online, and haveibeenpwned.com is a valuable resource), and don't reuse passwords across multiple accounts. If you do nothing else, make absolutely sure that the password to your primary email account -- the one where "I forgot my password" reset emails will be sent -- is not on any password list and is not shared with any other account.

    Offline attack (someone compromising a system and cracking its password file)
    This is the one case where people imagine that it could be helpful to have a password that's difficult to brute-force (e.g., a long, random string of characters, or maybe the FirstSecondThirdFourth idea posted earlier). But even here, that's not actually necessary -- because any attacker who can dump a system's password file ALREADY has control over that system. You've already lost, so who cares whether they can also crack your account's password? So long as you aren't reusing passwords, cracking that one won't help them get into any of your other accounts.
     
    Last edited: Nov 15, 2021
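
The "is this password on a known list" check that the post above points to with haveibeenpwned.com, as an added example that is not part of the original thread. It assumes the Pwned Passwords range lookup format (the first 5 hex characters of the SHA-1 are sent, and `SUFFIX:COUNT` lines come back); the network call is replaced by a constructed response, and the corpus, counts and function names are invented for the example.

```python
import hashlib

def split_sha1(password):
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not listed)."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The corpus and its counts are invented for this example.
CONSTRUCTED_CORPUS = {"password": 1000, "letmein": 50, "donkey": 7}
SENT_TO_SERVICE = []  # records everything that would leave the machine

def constructed_fetch(prefix):
    SENT_TO_SERVICE.append(prefix)
    lines = ["0" * 35 + ":3", "not a valid line"]  # decoy entry + malformed line
    for pw, n in CONSTRUCTED_CORPUS.items():
        p, s = split_sha1(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)

def check_all(passwords):
    """Check several candidate passwords against the constructed service."""
    return {pw: breach_count(pw, constructed_fetch) for pw in passwords}

if __name__ == "__main__":
    for pw, n in check_all(["password", "donkey", "kettle-orbit-walnut-47"]).items():
        print(f"{pw!r}: " + (f"listed {n} times" if n else "not listed"))
    print("prefixes sent:", SENT_TO_SERVICE)
```

Only the five-character prefix is ever passed to `fetch_range`; the comparison against the suffix happens locally, so the service never sees the password or its full hash.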
  5. Tchoupitoulas

    Tchoupitoulas Friend

    To supplement the advice from some of the posts above, and for those of us lacking expertise about these things, the UK's National Cyber Security Centre (part of GCHQ, the signals intelligence agency) recommends the use of password managers: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers

    If not using a password manager, they also recommend that some people use three random words (as a compromise balancing a degree of complexity with the right amount of ease of use): https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0 and https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words

    Thank you, @fastfwd, for your very helpful post.
     
  6. AllanMarcus

    AllanMarcus Friend

    Actually, the more I think about it, the more this isn't true. AppleID also uses MFA; you have to have physical access to one of the registered Apple devices to log on from a new location. Knowing an AppleID and password isn't enough.
     
  7. rhythmdevils

    rhythmdevils MOT: rhythmdevils audio

    Using Apple Keychain sure would be easier if it is just as secure. It's all integrated into Safari and there's no need to enter a master password all the time. I'm trying to set up 1Password but it feels much more cumbersome than Apple Keychain.
     
  8. Syzygy

    Syzygy Friend

    After setup, it'll be as easy as keychain.

    Despite what websites require for password construction, these days the only things that protect you are 1) password length, and 2) using a different password for different sites.

    For #1, I prefer 4-7 random words with some mixed numerals and symbols, but easy to remember. The password manager solves #2.

    What really irks me is when sites limit password length, or have a weaker requirement than I already have. Especially with password-length limits, it tells me that they're not storing the passwords properly: a hashed password is always the same length regardless of the original password.


    (xkcd from here: https://xkcd.com/936/ . I first saw this in 2011, and we have much more power to hack passwords today)
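
The point in the post above about stored hashes having a fixed length, as an added example that is not part of the original thread. It assumes salted PBKDF2-HMAC-SHA256 as the storage scheme (the thread names none); the iteration count, record layout and sample passwords are choices made for the example.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
ITERATIONS = 200_000  # work factor picked for this example

def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password): always SALT_LEN + 32 bytes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per stored password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + derived

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(derived, expected)

def record_lengths(passwords):
    """Map each password's length to the length of its stored record."""
    return {len(pw): len(hash_password(pw)) for pw in passwords}

# Constructed samples: a short word, the xkcd 936 phrase, a 500-character string.
SAMPLES = ["donkey", "correct horse battery staple", "x" * 500]

if __name__ == "__main__":
    for pw_len, stored_len in record_lengths(SAMPLES).items():
        print(f"password of {pw_len:3d} chars -> {stored_len} bytes stored")
    record = hash_password(SAMPLES[1])
    print("correct password verifies:", verify_password(SAMPLES[1], record))
    print("wrong password verifies:  ", verify_password("donkey", record))
```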
     
  9. Merrick

    Merrick A lidless ear

    The strength of password managers IMO is the convenience. I don’t even have to look around my room for four things and remember which letters are uppercase and lower case, I just press a button and get a cryptographically strong, randomly generated password off the bat. Any of the good password managers allow you to use whole words instead of random characters, and also to use a mix of upper and lower case and add in a number and/or special character too.

    If one of those passwords is compromised, I press the button again and have a brand new one with no relation to the old one. If for some reason I need to recall the old one, there’s a password history for each site.

    So yes, it’s 100% possible to generate secure passwords without using a password manager, but I think the password manager model is still the best balance of security and convenience.
     
  10. dasman66

    dasman66 Self proclaimed lazy ass - friend

    The point of the 4 word password is that you use that one to get into your password manager. Everything else is randomly generated and stored in the password manager.
     
  11. Merrick

    Merrick A lidless ear

    Ah, I must have misunderstood! I agree, that’s a good formula for a strong master password.
     
  12. Biodegraded

    Biodegraded Friend

    Yeah but now @Syzygy has exposed everybody's master, we all have to change it.

    I claim "donkey" :D
     
  13. YMO

    YMO Chief Fun Officer

    For me I use random expression/wording passwords for stuff like my Apple/Google/Windows/Router/Bitwarden since I must remember these passwords in my head. Thankfully they are long enough passwords with special characters and other stuff that makes it hard to crack since they are each separate passwords not being used in other places. For the rest of my passwords (even on my phone bill), they are randomly generated.
     
  14. AllanMarcus

    AllanMarcus Friend

    It’s just as secure. The only advantage a password manager provides to a regular user (as opposed to a power user) is portability. If you want to use a different browser on the Mac or iOS, it likely won’t work with Keychain. If you are happy with Safari on both platforms, then stick with Keychain. Just use a different strong password for every site, and two factor for any bank or sites that can cost you money.
     
  15. rhythmdevils

    rhythmdevils MOT: rhythmdevils audio

    So for many apps, Apple Keychain doesn’t get triggered so the password either has to be remembered or stored somewhere. (Is 1Password better at auto filling in apps like my banking app, eBay app etc?)

    Is the app Standard Notes safe for keeping passwords if I don’t have a password set up for the app? It’s got high end encryption. There are only so many unguessable passwords I can remember. But in reading about Standard Notes it seems the encryption depends on having a password.

    My phone is totally safe, it never leaves the house for reasons I won’t go into, but my phone is in no danger of getting stolen. So I don’t need a password for Standard Notes for this reason.

    Thanks for all the suggestions and advice, this has been super helpful! I can’t decide between 1Password and Apple Keychain so I’ll probably use the latter for now. I’m guessing it integrates better and more seamlessly.
     
  16. Merrick

    Merrick A lidless ear

    If you use 1Password 7, not the new 1Password 8 that they have in beta, there is a system wide keyboard shortcut that you can use to bring up a mini window of the app to use for auto filling if it’s not automatically triggered. Super useful and convenient.
     
  17. Syzygy

    Syzygy Friend

    1Password has different classes of protected items you can choose from:

    Screen Shot 2021-11-16 at 6.26.03 PM.png
     
  18. rhythmdevils

    rhythmdevils MOT: rhythmdevils audio

    I wound up trying 1Password and finding it annoying because of having to enter my master password every time I autofill a password. How many seconds do I have to set it to to just turn that off? Geez. But I just got a new MacBook Air M1 which has fingerprint ID, which can unlock 1Password without the master password.

    But I ultimately prefer iCloud Keychain because I can autofill addresses with other contacts which I do a lot when shipping things I buy to other people. So right now I'm using iCloud Keychain for autofill and have 1Password autofill turned off, and I'm just using 1Password for apps that don't support autofill, which it works marvelously for, you just open it from the menu bar and it already has the app or website there suggested for me and I just copy paste.

    I guess I'll see how using both works for a while. The only problem is if I change a password I have to change it in both. But there aren't that many places that don't support autofill.

    Let me know if this is idiotic. :)
     
  19. AllanMarcus

    AllanMarcus Friend

    1. Sign in to your account on 1Password.com.
    2. Click your name in the top right and choose My Profile.
    3. Click next to Auto-Lock and adjust the number of minutes before 1Password locks automatically.
    For the browser:
    If you’re using Chrome, Firefox, Edge, or Brave:
    1. Click [IMG] in your browser’s toolbar.
    2. Click [IMG] and choose Settings.
     
  20. rhythmdevils

    rhythmdevils MOT: rhythmdevils audio

    It doesn't fix the autofill of other addresses from my contacts or clouds better integration and ability to update bad passwords without going to each site.

    We'll see how it goes. This thread has been great, I patched up a lot of security threats that were disasters waiting to happen. So thank you all!
     
