Resolved Revisiting Password Managers

Help me understand this business of PW managers and the manner in which FF stores its passwords under a Master PW.

Currently I use the extension Lastpass to store my passwords. The advantages are: 1) each PW is unique and strong (about forty of them which I could never remember otherwise); 2) the PW are stored on "their" servers in encrypted form so even if their servers were hacked, the PW would still be protected at least until they regained control of their servers AND LP does not have the master PW so even they cannot read my PW; 3) my PW are synced to my other devices (ipad, laptop) by my simply installing LP and logging into it with my master PW; 4) my PW are easily changed and on a regular basis since LP makes this process so easy.

The only disadvantage to date is that in IE LP forces me to have an extra toolbar in order to work whereas in FF or Chrome it is a simple button that adds to my taskbar.

Now... some still argue that having one's passwords stored on a server rather than one's own computer is putting them at risk. I will add that my banking and amazon pw are NOT stored anywhere but are in my mind. Still... I can partially see their argument against LP and Roboform managers.

NOW... compare the above to Firefox. As I understand it, the passwords are stored on my own computer in encrypted form and under a master password... correct? Would they easily sync with my other devices? Would they be considered safer from hacking than they are currently on LP or Roboform? What are the advantages to letting FF do this rather than an extension like LP?

 

Passwords, in Firefox, are stored encrypted, and could be controlled by a master password, although I doubt that many people go through that bother. I doubt that syncing would be easy, or even possible.
As for storing passwords for LP on the server is self-defeating, security-wise.
I have, never, used Last Pass, and Roboform has been abandoned a couple of years ago.

 

@Westside, I don't use LP either but from what I gather they store all your passwords (not just LP's) on their server for you to collect as required.

My tuppence worth,

I wouldn't even give my partner my PIN number for ATM's etc. Why would I trust a stranger with it? Yes the OP has posted that banking details/amazon account etc aren't stored on LP's system but there is still a lot of valuable data that can be mined.

As to the questions...

1) Yes FF stores your passwords on your system.
2) No they won't sync with other devices.
3) Safety/Security...

How secure is your system, how secure is LP's server, how secure is the encryption.

I guess you have to decide how much you trust yourself and how much you trust LP. Bear in mind that the central server (LP's) would be a more inviting target for hackers as they would have thousands of user passwords whereas you are only tempting them with one target. They're more likely to be attacked but hopefully far more likely to defend themselves.

4) Pro's/Con's...

The pro's for locally stored passwords are you control the security (some may see this as a con), you are less likely as an individual to be attacked and it is very easy to change your passwords. Finally if the external server does go down you can still log into WindowsBBS with that 231 character MIxedCaseNumericSymbolic password you set up .

Con's if your HD fails and you have no backup, create a new online life because you've just lost your old one.


Serioulsy I'd go for keeping passwords for important sites in the old grey matter, less important ones can be scribbled down somewhere and those that don't really matter can be stored locally. If you want to be lazy and let others do the work and risk losing your privacy by all means go with an external server.

 

Well now, that intrigues me. Why would you do this when your passwords could be synced with all of your devices, be easily changed at will, be encrypted and about as secure as keeping them in your wallet and be strong so that you would not need your wallet with you when you go online? I'm not trying to be critical... just understand why someone who is technologically advanced would not go with a password manager. In short... what is the rationale for what you do versus what you don't do?

 

Xmarks can sync your sites & passwords across all your devices and most major browsers.

 

Sounds pretty archaic. I can't tell you how many times I've lost or misplaced things I "carry with me" from keys to wallet. Thus, physically carrying something is still not necessarily safer than using a pw manager. But I suppose we all have to find our comfort zone. No matter what we do online, there is a risk factor involved.

I have a good friend who refuses to do any business online. He claims it's dangerous. Recently a multi-million dollar identity theft ring was broken up and over 85 arrests made. The bulk of the stolen credit card numbers were obtained from swiping on magstrips in restaurants not from online transactions. My friend has no problem giving his credit card to a waiter but he can't seem to do the same with Amazon.com and yet statistically he's taking the greater risk.

 

I'm really surprised that you're willing to use the same password for all your sites. As strong as it may be, if a keylogger, well-placed video camera, or other device did manage to capture that one password, the bad guys would have access to all your accounts.

Let's say for the sake of argument that all encryption can be decrypted. Doesn't that include your very strong password that you use for all your sites?

(FWIW, I've been a happy LastPass user for several years.)

 

Well, I guess if you never use a computer to access Web sites except in your house, you may be right.

 

Hi,
I used the password collector of Firefox for along time now, never had any problems with it.
Now i am testing for Trend Micro "DirectPass" this is a protected password collector thats integrate in IE Firefox Chrome Opera Androyd or Iphone will work with it. Has a overall program from where i can start all the web pages from and login directly. You can give it a try as a Beta tester. https://www.trendbeta.com
So far testing it now for a month, for me it works great.

Kind regards Tom

 

That's quite an interesting program, Tom. Whereas I continue to use Lastpass since it is free and has served me well for two years now, I also have Norton Internet Security Suite 2012 which has a Secure Log-in that I can use with all of my browsers and three of my computers. They also have it for mobile devices but only Android (I have a Windows 7 phone so it will not work with this platform yet). I think many of the security companies will be offering similar programs in the near future.