password storage

goodrob

Hi all, so I had a friend come to me and ask about something to store passwords. It has been a few years since I needed anything like that, so I was looking for a few suggestions and pros/cons, if known, for the products. I use sticky notes taped to my monitor, then post a picture of them to Facebook so I can always be able to view them lol.
 
Depends on how tech savvy your friend is and how susceptible you think they would be to really messing this up and losing all their accounts permanently.

I would err on the side of caution and use the tried and true LastPass. It's cloud based and also has an authenticator you can use on a mobile device for 3rd party MFA.
 
AES 256 encryption is now built into MS Office 2013 and newer. You can turn it on to protect your document that way.

It is uncrackable with a long simple password for the foreseeable future.

For instance, a 15 character simple passphrase made up of only lowercase letters and numbers would take a 980Ti roughly 37 million years to exhaust the key space with brute force cracking AES 256 at 7000 passwords per second. I was just playing with Passware Pro today and saw that stat, and that's ONLY 15-character attempts. That doesn't include anything less or more than exactly 15 character passwords.
 
There are a lot of web based password managers. At work we use the free version of Thycotic Secret Server. This is more of an Enterprise solution... Other options like LastPass etc. might be a better fit.
 
If it's just a friend, not a business, KeePass and LastPass are the best combination ever!
 
KeePass is free, and pretty good. I used it at my last job and kept my password file on my Network Home Directory so I could share it between my desktop and laptop.

I have moved to LastPass, so I have my passwords on my work computer, home computer, phone, iPad, etc. In the past I had used SplashID as well.

I like all three options.
 
KeePass is great if you are good at keeping track and understanding how it works - which is why I was up front about the OP's friend's technical acumen. If he loses the master password or certificate, they're screwed.
 
Thank you all for the suggestions. I will do a little research into them and tell him about each. Again, thank you very much.
 
I use 1Password on my iOS and macOS. In addition I trust the keychain-based auto-fill on Safari. In the few cases I use Windows I need to retype the passwords coming from the iOS device.
 
KeePass w/ Kee FF extension (allows writes to the DB). KP database stored on my Nextcloud server to sync to all my devices, and remote access from the internet if needed. Lots of setup involved, but keeps the DB completely under my control, while still getting close to the cloud services' functionality. Password is like 40 characters long (something I won't forget), so it's not getting cracked in my lifetime.

With all the data breaches lately, I am not about to trust a cloud service to store my DB with every single one of my passwords.
 
KeePass. If you don't use an email service that spies on you, save a copy of your DB in your email. Use a long passphrase.
 
Wouldn't it be prudent to not save your DB file in a repository that requires credentials to access? What about a flash drive in a safety deposit box?
 
I've been using LastPass for a year; it's really good. When I travel and use a different laptop I can install the browser extension, and it carries over to my phone as well.
 
You can; there are few bad answers when we are talking about password managers. I don't trust flash drives for that though. I have had enough randomly stop working after long periods of not using them to make it a no-go in my book.

It will also depend on your goal or purpose for making a duplicate of your DB. Are you making a duplicate for yourself? Then storing it in a trusted cloud repo is fine. Or a duplicate for your next of kin (in case of the worst...)? Then a safety deposit box with a trusted storage medium would be better.
 
Hard to keep passwords current if it's in a safety deposit box.

I keep KeePass on an external drive with a password on it, simple yet effective.
 
Maybe I'm naive, but I compartmentalize the process. KeePass to keep the information secure (strongest encryption with key transformations, which I've boosted to taking 5 seconds to open the database), Google Drive to keep it reliable/robust/backed up.

I figure if anyone really wants my credentials, they aren't going to attack my keystore given how hard that would be; they're going to try to trick me into giving up my credentials through a more direct route (browser hack, social engineering, etc.).
 
You can buy logins for $5 from data dumps. I wouldn't be too sure about that.

https://haveibeenpwned.com

I have lots of info lost in various attacks over the years.

Have to constantly change passwords.
 
I have two factor authentication enabled and I habitually monitor login attempts, so I'd be very surprised if my email account were compromised. Even if it were, however, they'd need to break the encryption on the KeePass database.

Both accounts are secured by non-dictionary strings that I routinely change once or twice a year. There are softer targets than me, and softer attack vectors than brute forcing my DB or email.
 
So I've since moved to KeePassXC, since KeePass development has gone stagnant for a while now. XC includes some critical features that were missing, like auto reload of the DB if the file changed. That fixes my issues with multiple computers using the DB shared from Nextcloud. Also they have Chrome/FF addons that allow writing to the DB, where Kee only allowed that on FF, and the addon didn't work very well.
 
Also, a way to help secure KeePass when using BitTorrent Sync or some other cloud provider or cloud sync service is to sync the database and use the password as well as a key file.

The, ahem, key to making this secure is to never transfer the key file over the network or internet. Put the keyfile on your devices manually with a USB flash drive or something that you normally keep locked up in a safe or safe deposit box at a bank along with your other sensitive data.

That way, even if the cloud provider is breached and they have the database, they will need to brute force your password, and since they don't have the key file they would need to also brute force that, and well, good luck lol.

It is not technically 2 factor authentication; it's more like 1.5 or 2 x 1 factor (since both password and key file go into one key/method of unlocking the DB), but better than nothing, and it will at least help you stay safe when syncing the DB across devices without having to sync it manually.
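The password-plus-key-file scheme described in this post, and the slow key transformation mentioned earlier in the thread, as an added example (not the poster's or KeePass's own code): the component handling is a simplified model of the KeePass 2.x composite key, and PBKDF2 stands in for KeePass's AES-KDF/Argon2 transformation, both of which are assumptions. It shows why the two inputs fold into a single key (the "1.5 factor" point) and why a database copied without the key file leaves a 256-bit component to guess.

```python
import hashlib
import time
from typing import Optional

# Simplified model of a KeePass-style composite key (assumption: modelled on
# the KeePass 2.x scheme; illustrative code, not KeePass's own). A raw 32-byte
# key file is used as-is, any other key file contributes the SHA-256 of its
# contents; each component is hashed, the hashes are joined and hashed again,
# so password and key file fold into ONE key (the "1.5 factor" in the post).

def keyfile_component(data: bytes) -> bytes:
    """Return the 32-byte contribution of a key file's contents."""
    if len(data) == 32:
        return data
    return hashlib.sha256(data).digest()

def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Fold the master password and optional key file into one 256-bit key."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile is not None:
        parts.append(keyfile_component(keyfile))
    return hashlib.sha256(b"".join(parts)).digest()

def transform_key(composite: bytes, seed: bytes, rounds: int) -> bytes:
    """Slow the composite key down before it becomes the database key.

    Stand-in for KeePass's AES-KDF / Argon2 step: PBKDF2-HMAC-SHA256 from the
    standard library. 'rounds' is the knob behind a "5 seconds to open" setting.
    """
    return hashlib.pbkdf2_hmac("sha256", composite, seed, rounds, 32)

def calibrate_rounds(target_seconds: float, seed: bytes) -> int:
    """Pick a round count so transform_key takes about target_seconds here."""
    probe = 10_000
    start = time.perf_counter()
    transform_key(composite_key("calibration"), seed, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))

# Constructed sample inputs (not real secrets): a fixed transform seed and a
# 32-byte key file that is placed on each device by hand, never synced.
SEED = bytes(range(32))
KEYFILE = bytes.fromhex("00" * 16 + "ff" * 16)

if __name__ == "__main__":
    with_file = transform_key(composite_key("correct horse", KEYFILE), SEED, 100_000)
    without = transform_key(composite_key("correct horse"), SEED, 100_000)
    print("database key differs without the key file:", with_file != without)
    print("rounds for ~1 s on this machine:", calibrate_rounds(1.0, SEED))
```

Note that calibrate_rounds measures the machine it runs on, so a count tuned on a desktop may be far slower on a phone that opens the same synced database.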
 