Password Managers ... vs. Not

Dormouse:
I'm gradually switching systems again.
I still use Lastpass; it is very convenient, but I have never stored passwords to my financial accounts on it. It has a very long password that isn't stored anywhere but I can derive fairly quickly.
I am switching back to browsers for passwords for sites that don't store any of my personal or sensitive information (just email addresses). I don't always want Lastpass enabled.
I have a password manager on my computer (with copy on my mobile) with a very secure password that isn't written anywhere. Both phone and computer are encrypted. I am switching more to this.
It's not complete security. But it is my current balance between convenience and security - or it will be when I have completed the transition and checked everything out.

x16wda:
I put what I can into Lastpass. But any sensitive passwords aren't saved there - I just use Secure Notes named as hints to the site to save hints that allow me to remember the correct password. In the end, one ring password to rule them all, on multiple devices, is just too darned convenient. Seductive. Especially for the permanently exhausted who might otherwise look at alternatives more closely.

MilesAhead:
Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.
-f0dder (June 04, 2017, 09:37 AM)
--- End quote ---

See your previous comment about offline attack modes.

f0dder:
Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.
-f0dder (June 04, 2017, 09:37 AM)
--- End quote ---
See your previous comment about offline attack modes.
-MilesAhead (June 05, 2017, 06:57 AM)
--- End quote ---
I'm not sure what you're trying to say here? I thought you were wondering why "unmemorable passwords" were any better?

MilesAhead:
Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.
-f0dder (June 04, 2017, 09:37 AM)
--- End quote ---
See your previous comment about offline attack modes.
-MilesAhead (June 05, 2017, 06:57 AM)
--- End quote ---
I'm not sure what you're trying to say here? I thought you were wondering why "unmemorable passwords" were any better?
-f0dder (June 05, 2017, 11:02 AM)
--- End quote ---

My point was that although passwords that are made of actual words were more vulnerable than those "secure" generated ones, if you do not limit the number of attempts at cracking them then nothing is secure.  Also the same thing applies to hijacking the encrypted database.  If the brute force method can be applied offline then just because the passwords have no vowels and some numbers and symbols sprinkled in that will not long delay the cracking.  Especially with cheap computing power.  Seems to me setting delays on IPs and domains generating invalid logon attempts would be more secure.

Then the main worry might be somebody flubbing logins to your account just to get it shut off for a time.  Kind of a perverted denial of access.  But even then there should be some indication where the attack is coming from.

To me it is similar to these fast food joints where you have to hop skip and jump to their "system" in order to place your order.  When everything is owned by four holding companies there is less "competition" and customer service than when Mom and Pop have to worry you will go around saying their service sucks at their one variety store.  This seems to be analogous to the online situation these days.  You have to include uppercase letters, lower case letters, punctuation and numbers, plus pass gas twice, in order to log on.  IOW, it stinks for a reason.
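
The per-source delay suggested in the post above, as an added example that is not part of the original thread: failed logins are delayed per source address with exponential backoff, so the account itself is never locked and the failure counts show where the guessing comes from. The names `SourceThrottle`, `attempt_login` and `check_password` are hypothetical, and the thresholds are illustrative defaults.

```python
import time

class SourceThrottle:
    """Delay repeated failed logins per source address; the account is never locked."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=900.0,
                 forget_after=3600.0, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.forget_after = forget_after
        self._clock = clock
        self._state = {}  # source -> (failure count, last failure time, blocked until)

    def retry_after(self, source):
        """Seconds this source must still wait; 0.0 means it may try now."""
        _, _, blocked_until = self._state.get(source, (0, 0.0, 0.0))
        return max(0.0, blocked_until - self._clock())

    def record_failure(self, source):
        """Count a failed attempt and return the delay now imposed on the source."""
        now = self._clock()
        count, last, _ = self._state.get(source, (0, now, 0.0))
        if now - last > self.forget_after:
            count = 0  # old failures age out, so an occasional typo is not punished
        count += 1
        over = count - self.free_attempts
        # Double the delay per extra failure; cap the exponent to avoid float overflow.
        delay = (min(self.max_delay, self.base_delay * 2 ** min(over - 1, 30))
                 if over > 0 else 0.0)
        self._state[source] = (count, now, now + delay)
        return delay

    def offenders(self):
        """Sources ordered by failure count: where the guessing is coming from."""
        return sorted(((s, c) for s, (c, _, _) in self._state.items()),
                      key=lambda item: item[1], reverse=True)


def attempt_login(throttle, source, account, password, check_password):
    """check_password(account, password) -> bool is supplied by the caller."""
    wait = throttle.retry_after(source)
    if wait > 0:
        return ("throttled", wait)  # refused before the password is even checked
    if check_password(account, password):
        return ("ok", 0.0)
    return ("denied", throttle.record_failure(source))
```

This only slows online guessing; it does nothing once the encrypted database itself has been copied, which is the offline case raised earlier in the thread.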
