On 03/11/2015 04:26 PM, Malcolm Greene wrote:

> I've seen posts on this forum extolling the virtues of password managers
> like 1Password and LastPassword. Wondering if anyone has used one of
> these type of products and gone back to self managing their passwords
> and if so, why? Any enthusiastic users with a recommendation on a
> specific product? I'm also curious if anyone is using Apple's Keychain
> as their primary password manager.

I've been using LastPass for about 4 years now, and wouldn't ever go back to anything else. It makes using reasonably secure passwords a no-brainer.

> I've been using a XKCD-type method for generating easy to remember
> passwords that are hard to break [1] and adding a non-obvious domain
> name derived suffix to my base complex password for each login site.

So you have to do mental gymnastics every time you go to a site in order to remember your password? The older I get, the less appealing that is to me.

Also, the model proposed by XKCD is not always considered very good:

https://diogomonica.com/posts/password-security-why-the-horse-battery-staple-is-not-correct/
( -or- http://bit.ly/1AhyXjn )

> 1. The use of a single master password scares me. If this password gets
> discovered (key logger?) then all my passwords are exposed.

Well, that pretty much goes for any approach. If I keylogged your computer, I'd quickly learn your password scheme, and could probably figure out your domain-name trick. Once your physical machine is compromised, you're hosed. Don't count on any technique to keep you safe in that event.

> 2. I work in very locked down environments that don't allow the
> installation of password manager applications, browser extensions or
> even access to their websites. Trying to copy a giant randomly
> generated password from a password manager on my mobile phone sounds
> like a logistical nightmare.

LastPass for iOS makes this super-easy. I use it all the time.

> 3. What happens if I don't have access to a personal device with a
> password manager and I need to sign into a site with a huge randomly
> generated password? Sounds like I would be SOL?

Yeah, pretty much. If you have your phone, you could look it up and type the big-ass password manually, but that isn't fun.

It boils down to how much convenience you are willing to trade for security.

-- Ed Leafe