Question What are your favorite password managers?

SHaines

Community Manager
Staff member
Apr 1, 2019
58
31
10,620
Hey folks,

While nothing on the market yet is able to give you total immunity from security breaches, there are some very commonly discussed measures we can all take to be as safe as possible.

Having very complicated passwords is one way to protect your accounts, but it's impossible to memorize random strings of characters that are also unique for each site. Thus, the rise of password managers.

What password manager are you using and why?

Hopefully some folks who haven't yet discovered the joy of password managers may find reasons here to take the plunge. Personally, I've used LastPass and 1Password. Both worked great for my needs, but I swapped over to 1Password exclusively last year since I was having trouble getting LastPass to populate passwords into sites via my smartphone.

We'd love to get your thoughts on password managers, so chime in and share your knowledge!
 
Oct 26, 2020
13
0
60
I said when the service goes offline.
and what are you going to do then?
oh, that's a risk for all the password managers i guess.
i have my passwords backed up on paper in a safe, better to have a backup regardless of what you use.
i read that people got locked out when they did not pay their yearly subscription to the password manager service.
passcal is an offline tool like a calculator in your computer, if their service goes down, you will have plenty of time to change your passwords back to originals.
with online services this is riskier. if their service goes down you are left with local encrypted files that you can never recover your passwords from.

so you have more control over your passwords with passcal
 
Oct 26, 2020
13
0
60
Without any way to know the company or the source, I wouldn't use that.
You could have just created a hash from your info.

hash output does not meet the requirements for today's password standards
a hash gives limited characters such as "0123456789abcdef", which equals 16 characters: no uppercase characters, not even all lowercase characters, and no special characters
it's even weaker when a limited password length is required.

passcal gives 76 characters with upper-lower case, special characters - digits (and of course you can exclude or include some of them).
in order to get hash results (i assume you will not calculate on paper) you rely on a third-party application too.

So I am preferring this: zK7W-@Ih5#F8GH)zFhyPo1Qx
to this: 0ae4b5c6r8s26f1a575c073b
 

rgd1101

Don't
Moderator
Special characters - digits (and of course you can exclude or include some of them).
so it's not constant? if you lost your settings, you lost the password? nice


And it still doesn't fix what the password manager tries to solve, which is forgetting passwords.


Once the hash is calculated, you can translate it any way you want.
 
Oct 26, 2020
13
0
60
Special characters - digits (and of course you can exclude or include some of them).
so it's not constant? if you lost your settings, you lost the password? nice


And it still doesn't fix what the password manager tries to solve, which is forgetting passwords.


Once the hash is calculated, you can translate it any way you want.

it is constant until you need a specific combination, only if a website requires you to not have special chars, you can exclude them
as well as if you lose your e-mail or password manager account you will lose all the passwords with it

to prevent the forgetting problem you should have a hard backup of your passwords; it doesn't matter where your passwords are stored, encrypted, hashed, salted, peppered etc.

once the hash is calculated, your password will still have a chance of being cracked (if you don't use salt), see rainbow tables, collisions..
if you use salt, you will need a new combination every time you introduce a new password, it is what passcal does already

in my opinion, password managers are not solving problems, they are replacing them.
they are providing a little solution while creating bigger (and sneaky) problems
i don't want to rely on their online services, servers, connection etc. most of them only work online..
to get a service from them you still have to fill in their forms to give personal information, fingerprint, faceID, credit card, address, phone access..
you are giving them more than just your passwords.

using a password manager is just saying "i don't want to have control over my passwords because it is tiring to type every time, you get my passwords and give them to me every time i ask"
it does not sound safe to me
 
Oct 26, 2020
13
0
60
everything can be cracked.

if you have hard backup, what's the point of using a password calculator, why just use a random string?

if you forget the phrase and stuff you're still locked out.
https://www.passcalpro.com/faq.html
"everything can be cracked" i agree
if you know the right formula you can crack it
the point is not searching for an unbreakable combination but using a harder combination for improved safety. because hackers/attackers are improving their techniques constantly.
i believe sooner or later we will need to replace 2FA/U2F with better ones.

if you forget the password manager's master password you will be locked out,
you can still recover the password via e-mail. at this point i am choosing security over accessibility.
it is a decision whether to keep a backup key under the doormat or not.

same problem exists for cryptocurrency wallets, and even more painful one. if you lose your private key, you're losing the asset lying in that wallet. you cannot reset password via e-mail.
i prefer to have responsibility in my hands.

so for me the best usage of passcal is using it for web accounts, forums, social accounts, newspapers, music services (lower level accounts) etc.
but not for e-mail or bank accounts (higher level accounts).
i prefer to enter my long and safe passwords the painful way (manually) for e-mail and bank accounts and it's worth it.

on the other hand, using passcal for less important environments prevents online attackers from using one compromised password in other services, finding the sequence of your weak passwords on lower level accounts and guessing the other ones.
also we cannot be sure that all the online services are hashing the passwords we introduced to them before storing them.

i have hard backup in case i will not have access to passcal or i forget the keywords somehow.

using random strings is messy when you have around 100 accounts over the internet.
all of them should be unique and should not contain a pattern to be guessed.
since i don't use autocomplete, having to type 24 chaotic characters manually just to read a newspaper is not practical.
using simple passwords for unimportant web services is a real danger.
 

mejustsayin

Commendable
Oct 11, 2020
199
17
1,665
good for you if you can remember passwords for 100 accounts. I most certainly cannot. Me old brain ain't what it used to be. I use simple passwords on unimportant sites. Why waste a perfectly good long chaotic one when there is absolutely no security risk on my side.

You would only have a security risk if you use the same user name, password and email account on it and your online banking. For example, what type of risk does tom's guide have for me? Maybe someone can get my email address but that account does have two factor in addition to a secured password that is in LastPass which also has two factor.

I am more concerned when the server at a restaurant takes my credit card to another area in order to scan it than I am with my passwords in LastPass.

In the end, a person does what's best for them in order to feel secure.
 
Oct 26, 2020
13
0
60
good for you if you can remember passwords for 100 accounts. I most certainly cannot. Me old brain ain't what it used to be. I use simple passwords on unimportant sites. Why waste a perfectly good long chaotic one when there is absolutely no security risk on my side.

You would only have a security risk if you use the same user name, password and email account on it and your online banking. For example, what type of risk does tom's guide have for me? Maybe someone can get my email address but that account does have two factor in addition to a secured password that is in LastPass which also has two factor.

I am more concerned when the server at a restaurant takes my credit card to another area in order to scan it than I am with my passwords in LastPass.

In the end, a person does what's best for them in order to feel secure.
you can manage tens of thousands of accounts easily with passcal.

it is not about what a normal user is feeling or thinking, it is what the attacker is thinking about.
if you lose your tomsguide account and if you have connected google, facebook, microsoft accounts, they can use them against you,
some web services log and show IP history, they can reach your IP,
since they will have your e-mail you will be open to phishing attacks in which you can read your password as the subject of an e-mail sent from them
and so on..
there is no absolute security but there is a more secure way,
the easiest way is not the best way while they are trying harder.
i advise you to search about password managers' security breaches
 

rgd1101

Don't
Moderator
you can manage tens of thousands of accounts easily with passcal.

same problem exists for cryptocurrency wallets, and even more painful one. if you lose your private key, you're losing the asset lying in that wallet. you cannot reset password via e-mail.
i prefer to have responsibility in my hands.
If you have to remember thousands of keyphrases for thousands of websites, this tool is no better than any random string generator.

but if it makes you think it's better, go keep using it

i advise you to search about password managers' security breaches
and there are security breaches at banks, twitter, big companies too.
 
Oct 26, 2020
13
0
60
If you have to remember thousands of keyphrases for thousands of websites, this tool is no better than any random string generator.

but if it makes you think it's better, go keep using it
you don't have to "remember" keywords, you have to know how to build them.
i.e. for tomsguide you can use "tomsguide" as keyword.
"facebook" for facebook and here is your password: RFh1(K!NV/Q8lR/amFTaSh

random string generators will not give you the same result next day
 

rgd1101

Don't
Moderator
random string generators will not give you the same result next day
but you can save it in a password manager

you don't have to "remember" keywords, you have to know how to build them.
i.e. for tomsguide you can use "tomsguide" as keyword.
"facebook" for facebook and here is your password: RFh1(K!NV/Q8lR/amFTaSh
ah. and this is account based? meaning if I use that app it will not get the same result?
 
Oct 26, 2020
13
0
60
but you can save it in a password manager


ah. and this is account based? meaning if I use that app it will not get the same result?

it is offline account based.
you will get the same result as long as your master password is right. plus your master password is not stored anywhere.

to make it clear:
-even if another person uses the same account name as you, and the same master password, and the same keyword,
the password results come out different.

-if you use the right keyword but the wrong master password you will still get results, but wrong ones.
they explain this is an additional security layer for attackers who force your passcal account: there will be no way for them to be sure whether they have the right or the wrong master password, but the results will give them useless passwords.

-you can use weaker or more powerful keywords, it is up to you. as long as you have a good master password, all results will be safe enough.
adding "1" at the end of the keyword "tomsguide" will change the result this far:
"tomsguide"
4YIG@K1FL,Yu@H&z2GeCvN
"tomsguide1"
UHM0#C@2L!Nf#H/IVt8MLh

if you are using password managers, autofills, or the same passwords on multiple platforms, passcal is not for you.
 
Oct 26, 2020
13
0
60
how is that possible? and how did you know so much?

and how do you know the app is safe? just some random guy on the internet making a website for an app. how did you even find this? not google and bing.

it is possible, you can download and test it yourself too.
i am testing security software.
 
Oct 26, 2020
13
0
60
so if you have multiple devices this will not work?
it works,
when you create a user account in the program it creates a user file with the username, you have to keep that file safe.
that file does not contain any password inside but that is the file that gives you the right password outputs.

you can carry this file with usb,
if you install passcal on another computer you simply put that user file into the program's folder and passcal works normally on that secondary computer.

that's how i transferred between my work and home computers and my offline devices at home.
once that file is copied between computers your passwords will be the same.

after copying your user file between your computers,
if you decide to use passcal for an online account, let's say it is facebook, you change your facebook account password with passcal at home.

you go to work in the morning and enter your master password and the keyword that you defined at home yesterday and it works.

same file, same program, even if it was offline.
it works
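
The scheme argued over in this thread (master password + per-user file + site keyword giving the same password on any machine, and whether a hash is limited to 16 hex characters), as an added example that is not part of any post and is not Passcal's algorithm, which the page does not describe. PBKDF2/HMAC-SHA-256, the 76-symbol alphabet, and the names `derive`, `user_salt` and `entropy_bits` are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import string

# Constructed 76-symbol alphabet (62 alphanumerics + 14 specials);
# the real tool's character set is not given on the page.
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*()-+/,."
HEX = "0123456789abcdef"

def derive(master: str, user_salt: bytes, keyword: str,
           length: int = 24, alphabet: str = ALPHABET) -> str:
    """Deterministically derive a site password; nothing is stored."""
    # Slow KDF over the master password. user_salt stands in for the
    # per-user file that has to be copied between machines.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), user_salt, 200_000)
    # Bytes at or above the largest multiple of len(alphabet) are rejected,
    # so every symbol stays equally likely (no modulo bias).
    limit = 256 - (256 % len(alphabet))
    out, counter = [], 0
    while len(out) < length:
        msg = f"{keyword}:{counter}".encode()
        block = hmac.new(key, msg, hashlib.sha256).digest()
        out.extend(alphabet[b % len(alphabet)] for b in block if b < limit)
        counter += 1
    return "".join(out[:length])

def entropy_bits(length: int, alphabet: str) -> float:
    """Upper bound on entropy of a uniformly random string."""
    return length * math.log2(len(alphabet))

if __name__ == "__main__":
    salt = b"constructed-user-file-bytes"   # constructed sample value
    for kw in ("tomsguide", "tomsguide1"):
        print(kw, derive("constructed master", salt, kw))
    # Same digest bytes, two encodings: hex is only one way to print a hash.
    print(derive("constructed master", salt, "tomsguide", alphabet=HEX))
    print(round(entropy_bits(24, HEX)), "bits vs",
          round(entropy_bits(24, ALPHABET)), "bits at 24 characters")
```

A wrong master password still returns a well-formed string, which matches the behaviour described in the thread; the strength of every derived password is bounded by the entropy of the master password and the secrecy of the user file, not by the output alphabet.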