Resolved Revisiting Password Managers

Discussion in 'Firefox, Thunderbird & SeaMonkey' started by leushino, 2011/10/04.

  1. 2011/10/04
    leushino Well-Known Member Thread Starter
    Help me understand this business of PW managers and the manner in which FF stores its passwords under a Master PW.

    Currently I use the extension Lastpass to store my passwords. The advantages are: 1) each PW is unique and strong (about forty of them which I could never remember otherwise); 2) the PW are stored on "their" servers in encrypted form so even if their servers were hacked, the PW would still be protected at least until they regained control of their servers AND LP does not have the master PW so even they cannot read my PW; 3) my PW are synced to my other devices (ipad, laptop) by my simply installing LP and logging into it with my master PW; 4) my PW are easily changed and on a regular basis since LP makes this process so easy.

    The only disadvantage to date is that in IE LP forces me to have an extra toolbar in order to work whereas in FF or Chrome it is a simple button that adds to my taskbar.

    Now... some still argue that having one's passwords stored on a server rather than one's own computer is putting them at risk. I will add that my banking and amazon pw are NOT stored anywhere but are in my mind. Still... I can partially see their argument against LP and Roboform managers.

    NOW... compare the above to Firefox. As I understand it, the passwords are stored on my own computer in encrypted form and under a master password... correct? Would they easily sync with my other devices? Would they be considered safer from hacking than they are currently on LP or Roboform? What are the advantages to letting FF do this rather than an extension like LP?
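
The arrangement described in the post above (a vault encrypted under a key derived from the master password, so whoever stores the blob cannot read it), as an added example that is not part of the original thread and is not LastPass's or Firefox's code. The iteration count, field names and the HMAC-based keystream (a standard-library stand-in for a real authenticated cipher such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; every offline guess pays this cost

def derive_keys(master_pw, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", master_pw.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, standing in for AES-GCM or ChaCha20.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key, blob):
    # Authenticate everything the storage side holds (encrypt-then-MAC).
    data = blob["salt"] + blob["nonce"] + blob["ct"]
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def seal(master_pw, plaintext):
    """Client side: returns the only thing a sync server would ever receive."""
    blob = {"salt": os.urandom(16), "nonce": os.urandom(16)}
    enc_key, mac_key = derive_keys(master_pw, blob["salt"])
    ks = _keystream(enc_key, blob["nonce"], len(plaintext))
    blob["ct"] = bytes(p ^ k for p, k in zip(plaintext, ks))
    blob["tag"] = _tag(mac_key, blob)
    return blob

def unseal(master_pw, blob):
    """Client side: fails closed on a wrong master password or a modified blob."""
    enc_key, mac_key = derive_keys(master_pw, blob["salt"])
    if not hmac.compare_digest(_tag(mac_key, blob), blob["tag"]):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))

if __name__ == "__main__":
    vault = b'{"forum.example": "constructed-sample-password"}'  # constructed sample
    blob = seal("constructed master passphrase", vault)
    print("round trip ok:", unseal("constructed master passphrase", blob) == vault)
    try:
        unseal("not the master password", blob)
    except ValueError as err:
        print("rejected:", err)
```

The stored blob contains a salt, a nonce, ciphertext and a tag, and no key; what protects it after a server or disk compromise is the strength of the master password and the cost of each key derivation.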
     
  2. 2011/10/05
    Westside Inactive Alumni
    Passwords, in Firefox, are stored encrypted, and could be controlled by a master password, although I doubt that many people go through that bother. I doubt that syncing would be easy, or even possible.
    As for storing passwords for LP on the server, that is self-defeating, security-wise.
    I have never used Last Pass, and Roboform was abandoned a couple of years ago.
     

  4. 2011/10/05
    wildfire Getting Old
    @Westside, I don't use LP either but from what I gather they store all your passwords (not just LP's) on their server for you to collect as required.

    My tuppence worth,

    I wouldn't even give my partner my PIN number for ATMs etc. Why would I trust a stranger with it? Yes, the OP has posted that banking details/Amazon account etc. aren't stored on LP's system, but there is still a lot of valuable data that can be mined.

    As to the questions...

    1) Yes FF stores your passwords on your system.
    2) No they won't sync with other devices.
    3) Safety/Security...

    How secure is your system, how secure is LP's server, how secure is the encryption.

    I guess you have to decide how much you trust yourself and how much you trust LP. Bear in mind that the central server (LP's) would be a more inviting target for hackers as they would have thousands of user passwords whereas you are only tempting them with one target. They're more likely to be attacked but hopefully far more likely to defend themselves.

    4) Pros/Cons...

    The pros for locally stored passwords are you control the security (some may see this as a con), you are less likely as an individual to be attacked and it is very easy to change your passwords. Finally if the external server does go down you can still log into WindowsBBS with that 231 character MIxedCaseNumericSymbolic password you set up ;).

    Cons: if your HD fails and you have no backup, create a new online life because you've just lost your old one.


    Seriously, I'd go for keeping passwords for important sites in the old grey matter, less important ones can be scribbled down somewhere and those that don't really matter can be stored locally. If you want to be lazy and let others do the work and risk losing your privacy by all means go with an external server.
     
  5. 2011/10/05
    Steve R Jones SuperGeek Staff
    I have a small number of passwords I use for everything. I write everything down on a piece of paper that I carry in my wallet.....

    Example for www.test.com
    username-> "regular office"
    password-> "a_ _ _ _ k" (I know what the secret 4 digits are)
     
  6. 2011/10/05
    leushino Well-Known Member Thread Starter
    Well now, that intrigues me. Why would you do this when your passwords could be synced with all of your devices, be easily changed at will, be encrypted and about as secure as keeping them in your wallet and be strong so that you would not need your wallet with you when you go online? I'm not trying to be critical... just understand why someone who is technologically advanced would not go with a password manager. In short... what is the rationale for what you do versus what you don't do?
     
  7. 2011/10/06
    rsinfo SuperGeek Alumni
    Xmarks can sync your sites & passwords across all your devices and most major browsers.
     
  8. 2011/10/08
    TonyT SuperGeek Staff
    Interesting read.

    I've never used any password managers, I just remember my passwords.

    The only passwords I am concerned about are my master pw for my ISP and my bank pw.

    I have a very strong pw using upper case, lower case, numbers and special characters that I have committed to memory, which I use for all other accounts, such as Web hosting, domain services, clients' sites, etc. Using that one strong pw makes it easy for me to manage my multiple logins. And it's strong enough that the only way to crack it would be to tap the wire & sniff it.

    If I were to use an off-site pw storage system, I would also keep a printed backup of them in the event the company goes under or is breached.

    But, encryption or not, I do not trust any browser password storage system or browser pw managers. ALL encryption can be decrypted.
     
  9. 2011/10/08
    Steve R Jones SuperGeek Staff
    1. I don't trust password managers.
    2. If I were a hacker - password managers would be the first thing I looked for on your system.
    3. Carrying the passwords with me allows me to access anything from anywhere.
     
  10. 2011/10/08
    leushino Well-Known Member Thread Starter
    Sounds pretty archaic. I can't tell you how many times I've lost or misplaced things I "carry with me" from keys to wallet. Thus, physically carrying something is still not necessarily safer than using a pw manager. But I suppose we all have to find our comfort zone. No matter what we do online, there is a risk factor involved.

    I have a good friend who refuses to do any business online. He claims it's dangerous. Recently a multi-million dollar identity theft ring was broken up and over 85 arrests made. The bulk of the stolen credit card numbers were obtained from swiping on magstrips in restaurants not from online transactions. My friend has no problem giving his credit card to a waiter but he can't seem to do the same with Amazon.com and yet statistically he's taking the greater risk.
     
    Last edited: 2011/10/08
  11. 2011/10/27
    cybernut Inactive
    I'm really surprised that you're willing to use the same password for all your sites. As strong as it may be, if a keylogger, well-placed video camera, or other device did manage to capture that one password, the bad guys would have access to all your accounts.

    Let's say for the sake of argument that all encryption can be decrypted. Doesn't that include your very strong password that you use for all your sites?

    (FWIW, I've been a happy LastPass user for several years.)
     
  12. 2011/10/28
    TonyT SuperGeek Staff
    The chances of this happening in my house are near zero percent. I rarely, if ever, do work on client sites anywhere else.


    Yes, all encryption can be decrypted.

    Also, I don't use FTP for my sites, I use SSH2, which is very difficult to decrypt and also requires a server cert on both ends.

    The only way my encrypted password can be grabbed is if a criminal taps the wire in my house. Getting a keylogger is nearly impossible.
     
  13. 2011/11/11
    cybernut Inactive
    Well, I guess if you never use a computer to access Web sites except in your house, you may be right.
     
  14. 2011/11/12
    TonyT SuperGeek Staff
    When I travel, I use Linux. And when working at clients' offices/sites I use Linux, so as to avoid any chance of network worms and to better scan & view their LANs.
     
  15. 2011/11/12
    Tom Emmelot Well-Known Member
    Hi,
    I have used the password collector of Firefox for a long time now and never had any problems with it.
    Now I am testing "DirectPass" for Trend Micro; this is a protected password collector that integrates in IE, Firefox, Chrome and Opera; Android or iPhone will work with it. It has an overall program from where I can start all the web pages and log in directly. You can give it a try as a Beta tester. https://www.trendbeta.com
    So far testing it now for a month, for me it works great.

    Kind regards Tom
     
  16. 2011/11/12
    leushino Well-Known Member Thread Starter
    That's quite an interesting program, Tom. Whereas I continue to use Lastpass since it is free and has served me well for two years now, I also have Norton Internet Security Suite 2012 which has a Secure Log-in that I can use with all of my browsers and three of my computers. They also have it for mobile devices but only Android (I have a Windows 7 phone so it will not work with this platform yet). I think many of the security companies will be offering similar programs in the near future.
     
