Hack me twice, shame on me. Hack me once, ... crap.
April 30, 2015 1:45 PM   Subscribe

I know that password managers (LastPass, etc) are Good Things™. I know that using the same password for multiple things is terrible. And yet I can't bring myself to let go of my current habits. Help me see reason here.

This is embarrassing, because I work in software, but...

LastPass (for example) seems like a great idea. Suddenly you can have different passwords for everything, it will generate complex ones for you, you can get them across multiple platforms and on your phone, blah blah blah. This cannot possibly be a worse situation than where I'm at now, which is having a few passwords that I reuse across multiple accounts.

But when I think about changing over to LastPass, I get super anxious about it. What happens if LastPass just closes down? What if it's unreachable? Do I include my work passwords there? Banking? Email? What about systems where you punch in your password over the phone? What if LastPass gets hacked?

In summary: I'm not in control of my passwords anymore; how bad is that?

If you're a lover of LastPass or something similar, please assuage my fears! Thank you :)

(For purposes of this question, I'm only interested in distributed password-management systems. Systems that live only on one PC, for example, are not a feasible solution for me.)
posted by Dilligas to Technology (26 answers total) 52 users marked this as a favorite
I use KeepAssX, which is open source, because I had many of your concerns.

I keep a backup of the encrypted file in the cloud.
posted by vacapinta at 1:54 PM on April 30, 2015 [1 favorite]

I don't know about LastPass, but I'm a 1Password user. You're still totally in control of all of your information. A local copy of 1Password needs access to my master file, but it doesn't care where that file lives: Dropbox, a folder synced in some other way, a USB stick you carry around, doesn't matter.

The business shutting down wouldn't affect me except that the software wouldn't be updated anymore, everything would still work. The business getting hacked somehow wouldn't affect me because they don't have any of my password info. If my sync service or computer was hacked and the hackers got my file, they'd need to crack my master password to open it (so you want to choose a secure master password).
posted by brentajones at 1:55 PM on April 30, 2015 [2 favorites]

What happens if LastPass just closes down? You can export your passwords for re-import into something else. Have that backed up somewhere secure if you're concerned.
What if it's unreachable? By default, it caches an encrypted version of your vault. The Android app has a 'Login offline' mode for that exact reason.
Do I include my work passwords there? Banking? Email? What about systems where you punch in your password over the phone? Yes, definitely, yes. (Though I will admit that my one exception for "no user-memorizable passwords" beyond LastPass is my email password.) You can set up partitioned 'identities', so work passwords stay separate from personal.
What if LastPass gets hacked? Honestly, if this happens, everyone probably has much bigger issues going on. But this could still happen. Which means it's a question of relative risk: What's more dangerous, using reused human-memorizable passwords? Or trusting a company who's focused on making sure the odds of this happening are as low as possible?
posted by CrystalDave at 1:56 PM on April 30, 2015 [4 favorites]

N'thing KeepassX (and MiniKeepass for iPhone) - I sync via Dropbox, but any WebDAV server will work. It's a butt-ugly piece of software but it works really well. And reusing the same password or password pattern is a textbook way to get hacked across multiple services, but you knew that already.
posted by Happy Dave at 1:58 PM on April 30, 2015 [1 favorite]

I've used 1Password for years and years, and to address your concerns:

-if they close down, I still have my database on my computer and the software will still be able to read it... it's not stored on their servers, in other words. I use Dropbox as the cloud solution, but if they close down I still have the file. Also, if you're really paranoid, you can print out your passwords and stick the paper in a safe or something.

- I have a separate database for work, and the iPhone app lets you switch back and forth between databases.

- I use it for all my passwords, including banking, email, whatever. I've not had any problems yet.

- I use it on a mac, a pc, an iPhone, and an android tablet, and it syncs without issues.

- The chance that your 1password database is going to be hacked is much, much less likely than your crappy passwords being guessed, just saying.
posted by Huck500 at 2:04 PM on April 30, 2015 [1 favorite]

As a LastPass user, it gives me immense comfort to remember that every single webpage you use has a "forgot your password?" link, and that, if worst comes to worst and your password keeper and all its data somehow disappears without a trace, you can reset your passwords as you need to. It would be a total PITA... but then it's only a remote possibility.
posted by BrashTech at 2:16 PM on April 30, 2015 [8 favorites]

1Password offers the option of wifi synching. If you synch over dropbox or other cloud solution, it is possible someone could access to the encrypted information, although it would be extremely hard for them to decrypt without access (or guessing) to the 1Password password. However, if wifi synching, the only way someone can get access to even the encrypted files is if they are (1) on the same local network (2) my laptop version of 1Password is active and set to the synch page and (3) the receiving device knows the synch code. Downside is that I have to remember to manually synch my devices but since I don't add passwords very often, I just do it whenever I am going to be traveling (once every month or two) and that works out well for me.
posted by metahawk at 2:16 PM on April 30, 2015

I use Lastpass, but can't install it at work. Therefore if I have a sudden desire to log in to something from work, it's better if I can remember the password (ie, it's not one of those generated ones). I have memorable passwords for a few key accounts, use Lastpass for most others that I only check at home, and use the "forgot my password" function mentioned above probably more often than the average bear. All of this is to say you've got to find/buy a system that works well for you and your life.
posted by ldthomps at 2:20 PM on April 30, 2015

Almost all services let you reset your password using some info and your email address. That makes your email password one of your most important. Write down that password, and the password to your secure password program of your choice and put it the same spot you keep your important papers at home. I use 1password myself, and I love it.
posted by demiurge at 2:33 PM on April 30, 2015 [2 favorites]

I use a simple password generator that hashes my master password with each site's domain name to generate, and regenerate on demand, a different password for each site. There's nothing stored anywhere, and the generator is a single HTML+JavaScript page that you can save locally. If it ever went away, the (current) hashing function is just b64_sha1(master_password+':'+domain_name).substr(0,13)+'@1a' which you can do in any browser. It's not sophisticated – others have taken this idea further – but it's always available and it prevents using the same password everywhere.
posted by nicwolff at 2:40 PM on April 30, 2015 [4 favorites]

I use and love LastPass. As others have noted, your encrypted password vault is cached on any device where you install LastPass, so if they were to suddenly disappear you could still get to all of your passwords. And it is absolutely critical that every website has a forgotten password link. Without that, I would not have been comfortable using the service, but thanks to the forgotten password links if they suddenly go under I can still get into all of my accounts as long as I can get into my email. So my solution has been to memorize two passwords: the one for LastPass, and the one for my main email.

What no one has mentioned yet is using LastPass is actually hugely convenient. It saves time compared to manually entering your passwords. If you leave it logged in on your computer, it will recognize websites and automatically enter passwords. Imagine logging into your bank without touching the keyboard, it's pretty amazing. You can set the timeout on LastPass so if your computer is idle for a couple minutes or a couple hours it will log itself out. This is even more convenient if you use their excellent Android app. Entering decent passwords on mobile devices is a major pain, but LastPass will detect password fields and offer to fill them in. It's easily my favorite app. They also have an iOS app, I'm not sure if it's as useful as the Android app.
posted by Tehhund at 2:53 PM on April 30, 2015

I use KeePass (of which the aforementioned KeePassX is an authorized port); there's no service backing it up, only software. Your key file is yours to move around-- like many people I share it with myself (on 4 different platforms, 6 machines) with Dropbox.

I used to keep a single keyfile for work and home, but a few months back I split them into separate files. It idea is that eventually I will leave this job, and I want to give my boss all my passwords in one fell swoop. Since I'm in IT and have access to a lot of resources, it'll also be a comprehensive list of stuff I have access to that he should change. It's onerous work, but it's more onerous if you don't know what access people have.

Not all versions of KeePass have the password generation utility. KeePass also forked into "version 1 " and "version 2," and the former cannot access keyfiles of the latter, while the latter requires some extra steps for compatibility. Still trying to get my Apple stuff to read v2 keyfiles, but v1 worked for a long time just fine, and I didn't change to v2 because of any limitation, just a new OS install made me think I could get away with it.

The only catch with using a keyfile in dropbox is that mobile devices (phone/tablet) don't auto-synch with dropbox for space reasons (very reasonably so), so one must update the file from dropbox before using. A couple times i've had ot plan ahead when I knew i'd need passwords sans network.
posted by Sunburnt at 2:56 PM on April 30, 2015 [1 favorite]

If LastPass gets totally hacked, the hacker could potentially get peoples' encrypted vaults. They do not store vaults unencrypted and they are never decrypted on their servers (all decryption is done on your browser, even if you log into the site without any LastPass extension installed).
posted by zsazsa at 3:09 PM on April 30, 2015

LastPass is great. I just started using it this fall; I have transitioned slowly via a policy of "when I use a website, then I change the password and store in LastPass". So probably there are a bunch of places out there where I have some stupid login and my old common password, but those are only places I basically never go anymore anyhow (otherwise I would have switched them by now).

I also have an exception for my email, so I basically have two passwords to remember: email, and LastPass.

This also has a side benefit: I'm planning on setting up a "open in case of my demise" envelope so my next of kin can have access to the electronic things they might need; there's less to put there, too.
posted by nat at 3:32 PM on April 30, 2015

The problem I have with any of these services is that they are not compatible with the mobile apps for a lot of financial websites. I do a lot of banking from mobile devices. Is there a workaround?
posted by harrietthespy at 4:24 PM on April 30, 2015 [1 favorite]

LastPass, on Android at least, recently added mobile app fill-in, which works pretty well for me. Worst-case, I open up LastPass, navigate to my bank's entry, copy the password into the clipboard (which it wipes after pasting), then paste it manually.
posted by CrystalDave at 4:43 PM on April 30, 2015

I don't only use LastPass, I pay for Premium, because now the only password I have to type on my phone ever again is the LastPass one. Which is still plenty secure but I made to be something I *could* type on my phone without making myself crazy. Convenience is, to me, not a separate thing from security. Inconvenient passwords are passwords that you're very likely to eventually change back to something easy. Or, for example, you can use the too-easy password that's in your head, or you can go somewhere and generate a random string--which will you do? The one in your head. With LastPass, telling it to generate me a password is easier than even trying to make decisions about what password to use.

You also remove all the annoyance of, for example, discovering that this random website has weird password rules that make your usual password(s) invalid. No remembering that, oh, this one has an ampersand in the middle--or this one doesn't. (I have run into places that both required and forbade special characters in the last week. It really is impossible to come up with anything that could be universal.) With the password manager, I just go in and tell it that this one can't have special characters (which are normally in my rotation) and forget it forever after.
posted by Sequence at 7:58 PM on April 30, 2015 [1 favorite]

1Password keeps its information on your machine. You can also back up to the cloud but don't have to.

Also, if you're really paranoid, you can print out your passwords and stick the paper in a safe or something.

or your safe deposit box.

Just having to remember one really strong password (and yeah, you can write it down and put it in the safe deposit box) feels pretty secure.
posted by BillMcMurdo at 8:09 PM on April 30, 2015

I use lastpass as well, but my bosses used to use Moxier Wallet, which closed down! Just like your fears!

they gave them like 90 days notice and you can export a encrypted file which you can then upload into another password manager, or you would have had plenty of time to write them all down in that window.

I pay for lastpass premium even though it barely works on my phone, because I want to support the company and prevent it from closing down and it's not too expensive. hehe.
posted by euphoria066 at 8:27 PM on April 30, 2015 [1 favorite]

I use Lastpass, but can't install it at work. Therefore if I have a sudden desire to log in to something from work, it's better if I can remember the password (ie, it's not one of those generated ones).

To me, this is the one problem with Lastpass. I use three different computers at work that aren't my own that I can't install anything on, so it makes the idea of having a shit ton of unmemorizable passwords that I can just look up via Lastpass not workable. Imagine my joy last week when my Internet went down at home and I had to attempt to solve this problem at work and the ISP wanted to know all of my passwords.

So yeah, I don't think you necessarily have to embrace Lastpass if you don't have control of every machine you use.
posted by jenfullmoon at 11:03 PM on April 30, 2015 [1 favorite]

I have spent a lot of money on sofware/apps over the years. A lot. I can't think of anything that I have purchased that is of greater value that 1Password. My wife is far from a techie and she is also a huge fan. Really.
posted by Silvertree at 10:59 AM on May 1, 2015

I use LastPass. A few points:

- It doesn't matter if LastPass gets hacked (well, unless an attacker gets you to download a compromised copy of the client, I suppose). All decryption is done client-side, LastPass doesn't even know your password.

- If you have an iPhone 5S or 6, the iPhone app supports fingerprint unlocking. I don't even have to enter my password. Very convenient. It integrates with Safari, too. (you have to subscribe to use the app, though.)

- For app passwords, I just copy the PW from the LastPass app and paste it in. Pretty easy.

- Even without the LP browser extension, you can still access your passwords via the LP website. I used to have to do this on my phone before I got the LP Premium app. Kind of a pain but at least it's an option.

- It's super handy at work, since it can save all my pointless work logins. I just keep them stashed in a separate folder from my personal passwords.
posted by neckro23 at 2:45 PM on May 1, 2015

jenfullmoon: Imagine my joy last week when my Internet went down at home and I had to attempt to solve this problem at work and the ISP wanted to know all of my passwords.

You can just go to lastpass.com and log in to view passwords. You don't need the extension installed.
posted by zsazsa at 7:01 PM on May 1, 2015

Similar to nicwolff, I use a password generator - www.pwdhash.com - which hashes together a website address and my master password to come up with unique site-specific passwords that won't be cracked by a dictionary attack, can't be reversed to get to the master password, and don't get used on any other site.

There's an app for IOS and Android (which also runs happily on BB10) so I never need to remember any of my passwords, or rely on a third party storing them.
posted by Chunder at 2:33 PM on May 2, 2015

So once every month or two, print out a copy of you LastPass vault (usernames/passwords), and store it securly with your will (and other important document). This makes it easy for you if the site ever goes away, or you need to audit exactly where you have accounts, or if you die.
posted by blue_beetle at 7:06 AM on May 4, 2015

I store my passwords in Chrome. It's got pretty good odds to be around for awhile.

I still use Lastpass for my credit card data, which also demonstrates a good bit of trust that way. :)
posted by talldean at 7:20 AM on May 4, 2015

« Older Prenatal Screening   |   Cheap, Light, Portable Rowboat for A Dinky Little... Newer »
This thread is closed to new comments.