5 Reasons Why You Should Definitely Be Using a Password Manager
If you still aren't using a password manager, here are 5 reasons to start today. Password managers will keep your online accounts safe by using strong unique passwords and warning you of potential problems.
Comments: 25 Responses to “5 Reasons Why You Should Definitely Be Using a Password Manager”
Keith M Rivard
12 months ago
I never knew Apple had a password manager !! So, I will search for the details. I signed up for 1Password twice and dropped it both times even after our Apple guru in our computer club in Tellico Village couldn't make it work on my Macbook Air.
nick
12 months ago
Gary: agree with everything you said, but might be also worth mentioning that many reputable websites (banks etc) have two-factor identification which adds another level of security, especially if there are changes in the login routine.
G Perser
12 months ago
How do I access the password manager built into Mac OS? The directions were not given with the excellent presentation: "5 Reasons Why You Should Be Using a Password Manager".
Alex: From the article: "Our customers' passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture."
Be careful not to penalize the company that is open and honest about this kind of thing. No passwords were stolen here. LastPass did the right thing being transparent even though the data stolen isn't the data (passwords) that most people will assume when they read the headlines.
The danger is that if with inflammatory headlines like this that other companies may instead try to hide data breeches instead of being honest and transparent like LastPass in this situation.
I don't use LastPass (I use 1Password) but if I did use LastPass this news wouldn't make me change anything. It would make me trust them more, in fact.
Alex
12 months ago
Gary : It was not my intention to cast a "bad light" on the owner. I just wanted to express my concern as I have had a bad experience with data breaches in the past.
Otherwise, a sincere thank you for all the effort you put into getting to know and learning about Apple's programs and applications.
Bruce: Yes. That was reported just a few days ago. The vaults don't do them any good without the keys. By some estimates it would take trillions of years to decrypt a single 256-bit AES file.
Heather
12 months ago
Gary, I have to use a PC on some occasions. What would you suggest I use? Thanks for all your help.
Heather: I show the most popular ones at the end of this video. Maybe 1Password?
Bruce
12 months ago
I appreciate the vault file is secure but there seems no sense in hosting it on any password managers developers server (such sites are a big target) where it can be stolen by criminals. Encrypted files do get broken. Eg https://interestingengineering.com/innovation/math-theorem-cracks-us-encryption-algorithm
Password managers that don't mandate hosting my data on their target server is preferable to me.
Off line no subscription managers could be mentioned, but almost nobody does.
Bruce: Worried about quantum computers breaking into encrypted vaults? So what's your better solution? Should regular users have to find their own servers to host their own password vaults?
Jon
12 months ago
Hi Gary,
Thanks for this great explanation.
I have tried using Apple’s built-in password mgr, but it does not remember the passwords and log-ins if I switch browsers, say from Safari to Firefox. Your video makes me want to try password managers again though. But right now they seem overly complex to set up and use. I heard that Apple is developing a major improvement for password management. Can you produce a video about it when it is released? Cheers.
Jon: Right. Firefox isn't using Apple's password manager. If you want to use Firefox, then get a third-party password manager that has extensions for both Safari and Firefox (most do).
Fabian Thomas
11 months ago
Hi Gary - thanks for all your work.
You wrote "Should regular users have to find their own servers to host their own password vaults?"
I did with mSecure, a PW manaer which offers Wi-Fi syncing along with cloud syncing. I use Wi-Fi syncing and any change to the vault is sycned between all my devices as long as they are active on that network.
My concern with online vaults is giving my information to a third-party.
Seems like the stolen vaults need do not need a quantum computer to access them : Leo Laporte at https://www.youtube.com/watch?v=c50T7X4x-7g. All the Meta Data at LP in the clear, inadequate hashing etc etc.
Bruce: Can you point to a specific time in that video where he says that? My understanding is that any password vaults that may have been stolen were encrypted.
Bruce: You still didn't provide me with a TIME in the video you keep linking to that says that the vaults are easy to decrypt. I looked it up in the transcript though and there are a lots of IFs and guessing and speculation. The Wired article doesn't have any details either. And the third link doesn't even mention LastPass. Not trying to defend LastPass either (I have never used them). I just don't like alarmist reporting.
Bruce
11 months ago
Lastpass themselves "say you should consider minimizing risk by changing passwords of websites you have stored" and "The threat actor may attempt to use brute force" and "target customers with phishing attacks, credential stuffing, " https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
TIME: GPU password cracker burn thru that quickly 7:13. Also see 6:05, 7:05, 9:15 and 16:59. 5000 iterations PBKDF2 ain't enough.
By all means dismiss it as alarmist.
Bruce: I almost agree with you. But you are doing the same thing, making it seem worse. What LastPass actually says is this, referring to master password length and PBKDF2 settings above this quoted text:
"However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored."
Bruce: Yes, though no need to panic. If you use LastPass, first check to see if you are using the easier-to-guess old master passwords (they have info on their site) and if you do, then start the process of changing your passwords in order of importance (email accounts first, then important things like iCloud, financial, social, shopping, etc.) Then consider moving from LastPass to something else. See https://askleo.com/lastpass-breach-2022-my-recommendation/
Leave a New Comment Related to "5 Reasons Why You Should Definitely Be Using a Password Manager"
I never knew Apple had a password manager !! So, I will search for the details. I signed up for 1Password twice and dropped it both times even after our Apple guru in our computer club in Tellico Village couldn't make it work on my Macbook Air.
Gary: agree with everything you said, but might be also worth mentioning that many reputable websites (banks etc) have two-factor identification which adds another level of security, especially if there are changes in the login routine.
How do I access the password manager built into Mac OS? The directions were not given with the excellent presentation: "5 Reasons Why You Should Be Using a Password Manager".
Thanks in advance.
G Perser: https://macmost.com/the-practical-guide-to-mac-security-part-3-password-managers.html
LastPass Hacked for Second Time This Year
https://www.macrumors.com/2022/12/02/lastpass-hacked-second-time-2022/
Just to know ...
Best regards
Alex: From the article: "Our customers' passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture."
Be careful not to penalize the company that is open and honest about this kind of thing. No passwords were stolen here. LastPass did the right thing being transparent even though the data stolen isn't the data (passwords) that most people will assume when they read the headlines.
The danger is that if with inflammatory headlines like this that other companies may instead try to hide data breeches instead of being honest and transparent like LastPass in this situation.
I don't use LastPass (I use 1Password) but if I did use LastPass this news wouldn't make me change anything. It would make me trust them more, in fact.
Gary : It was not my intention to cast a "bad light" on the owner. I just wanted to express my concern as I have had a bad experience with data breaches in the past.
Otherwise, a sincere thank you for all the effort you put into getting to know and learning about Apple's programs and applications.
Best regards
Seems like entire customers password vaults were stolen for the hackers to work on in their own time. Keeping passwords in a password manager the mandates storage of customers authentication details passwords and secure notes etc on the developers server is a risk just not worth taking.
https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/
Bruce: Yes. That was reported just a few days ago. The vaults don't do them any good without the keys. By some estimates it would take trillions of years to decrypt a single 256-bit AES file.
Gary, I have to use a PC on some occasions. What would you suggest I use? Thanks for all your help.
Heather: I show the most popular ones at the end of this video. Maybe 1Password?
I appreciate the vault file is secure but there seems no sense in hosting it on any password managers developers server (such sites are a big target) where it can be stolen by criminals. Encrypted files do get broken. Eg https://interestingengineering.com/innovation/math-theorem-cracks-us-encryption-algorithm
Password managers that don't mandate hosting my data on their target server is preferable to me.
Off line no subscription managers could be mentioned, but almost nobody does.
Bruce: Worried about quantum computers breaking into encrypted vaults? So what's your better solution? Should regular users have to find their own servers to host their own password vaults?
Hi Gary,
Thanks for this great explanation.
I have tried using Apple’s built-in password mgr, but it does not remember the passwords and log-ins if I switch browsers, say from Safari to Firefox. Your video makes me want to try password managers again though. But right now they seem overly complex to set up and use. I heard that Apple is developing a major improvement for password management. Can you produce a video about it when it is released? Cheers.
Jon: Right. Firefox isn't using Apple's password manager. If you want to use Firefox, then get a third-party password manager that has extensions for both Safari and Firefox (most do).
Hi Gary - thanks for all your work.
You wrote "Should regular users have to find their own servers to host their own password vaults?"
I did with mSecure, a PW manaer which offers Wi-Fi syncing along with cloud syncing. I use Wi-Fi syncing and any change to the vault is sycned between all my devices as long as they are active on that network.
My concern with online vaults is giving my information to a third-party.
Fabian: Thanks for the recommendation.
Seems like the stolen vaults need do not need a quantum computer to access them : Leo Laporte at https://www.youtube.com/watch?v=c50T7X4x-7g. All the Meta Data at LP in the clear, inadequate hashing etc etc.
Bruce: Can you point to a specific time in that video where he says that? My understanding is that any password vaults that may have been stolen were encrypted.
Hashing 5000 iterations was default which today is inadequate. Lastpass default recently increased to 100100 iterations. With older 5000 databases a GPU password cracker can brute force access. Here it talks about iterations https://www.youtube.com/watch?v=c50T7X4x-7g.
Change every password in your vault for every site you access : https://www.wired.com/story/lastpass-breach-vaults-password-managers/
Tavis Ormandy on password managers: https://lock.cmpxchg8b.com/passmgrs.html
Bruce: You still didn't provide me with a TIME in the video you keep linking to that says that the vaults are easy to decrypt. I looked it up in the transcript though and there are a lots of IFs and guessing and speculation. The Wired article doesn't have any details either. And the third link doesn't even mention LastPass. Not trying to defend LastPass either (I have never used them). I just don't like alarmist reporting.
Lastpass themselves "say you should consider minimizing risk by changing passwords of websites you have stored" and "The threat actor may attempt to use brute force" and "target customers with phishing attacks, credential stuffing, " https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
TIME: GPU password cracker burn thru that quickly 7:13. Also see 6:05, 7:05, 9:15 and 16:59. 5000 iterations PBKDF2 ain't enough.
By all means dismiss it as alarmist.
Bruce: I almost agree with you. But you are doing the same thing, making it seem worse. What LastPass actually says is this, referring to master password length and PBKDF2 settings above this quoted text:
"However, it is important to note that if your master password does not make use of the defaults above, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored."
Does this make it seem worse?
https://9to5mac.com/2022/12/29/lastpass-security-latest/
Bruce: Yes, though no need to panic. If you use LastPass, first check to see if you are using the easier-to-guess old master passwords (they have info on their site) and if you do, then start the process of changing your passwords in order of importance (email accounts first, then important things like iCloud, financial, social, shopping, etc.) Then consider moving from LastPass to something else. See https://askleo.com/lastpass-breach-2022-my-recommendation/