Password Maker


THAIPHUKET

I hate the need to come up with and remember new passwords. A password maker is tempting. But I am worried if something goes wrong, support or crash, you name the risk that I can't access any of the web sites subscribed to.

Realistic or not?

Worst case scenario= I buy a password maker, and by installing it a charming little trojan horse is placed beaming all passwords back to wherever.

Realistic or not?

Afterthought=

If traveling and want to access e.g. my mail account from another computer but don't know the password, what then???

Edited by THAIPHUKET
Link to comment

TKS ROBO FORM PROMPTED ME TO LOOK WHAT Cnet.com HAS TO SAY=

Since we'll likely be relying on passwords to secure our systems and data for some time to come, we need to keep in mind that cyberthieves are getting trickier and trickier in the techniques they devise to coax our passwords out of us. Even as we become more mindful of the attempts to steal our passwords, we have to prepare for the day when ours will fall into the wrong hands.

Keep a close eye on those credit-card statements and charges to online accounts. Don't hesitate to contact the financial institution involved if you suspect you've been victimized. Don't think that a strong password--or even a world-class password-management utility such as RoboForm--is all the protection you need on the Web

Read more: http://news.cnet.com...l#ixzz1HCpLsfN3

Edited by THAIPHUKET
Link to comment

Try Password Safe. It has a reputable author, has been around for a long time and works very well. It both generates random passwords and stores them for you in a strongly encrypted file. You just need to remember the master password to open the safe and click to copy.

A backup copy of the file is also generated automatically. Of course, you should keep a copy of the database in a separate physical location.

Link to comment

hi there

I am using a couple of applications that synchronise smart phone <> desktop, from www.epocware.com. Check it out!

Particularly I favour Handy Safe Pro, that is basically a database from credit card info to web log-on passwords. Yeah, it does not auto-fill into web pages; I am fine with it. While I am not with my 2.6kg computer, all info is with my mobile!

Link to comment

lastpass.com has good reviews and is super convenient not to mention free. Having a crap memory I have been using the same password on many accounts which is a real no no. With lastpass you just have to remember one master password and it can generate impossible passwords for everything you access. You can access your account from any computer on the net so your passwords are truly portable. Just make sure your master password is a very strong one.

The free service does not include access from mobile phones but for $12 a year (I think) you can have this too. I've been using it for about a week and so far it's been great.

Here's a review on cnet http://download.cnet.com/LastPass-Password-Manager/3000-2092_4-10889725.html

Link to comment

1.) Still don't understand risk if http://www.epocware.com/ or http://passwordsafe.sourceforge.net/ or whatever goes down for whatever reason, bankruptcy, etc, ...what happens to access to my data?

I'm surprised that google and the likes don't offer this service. With them I feel more comfortable that they will be around.

2.) Assume you log in with your master pass in an internet cafe. Does this not expose all your data in one stroke? I would think a little program can be added to any PC simply catching all passwords. The click DONT REMEMBER PASSWORD simply overridden.

Link to comment

My comments relate only to Password safe, I'm not familiar with the others:

1.) Still don't understand risk if http://www.epocware.com/ or http://passwordsafe.sourceforge.net/ or whatever goes down for whatever reason, bankruptcy, etc, ...what happens to access to my data?

Only you have the data, which is stored on your computer in an encrypted file. The software itself is open source, and quite likely someone else would pick up development if the current author fell under a bus.

2.) Assume you log in with your master pass in an internet cafe. Does this not expose all your data in one stroke?

Possible but unlikely (to get all). Passwords are not exposed to plain view even when you unlock the safe, so it's unlikely that they would all get sucked down at once. However, a favourite trick of keystroke loggers is to read the contents of your clipboard. Any *individual* password you copied onto the clipboard to use is at high risk. You could create a couple of different password databases to reduce risk - one with really important passwords, another with stuff you don't care about.

I would think a little program can be added to any PC simply catching all passwords. The click DONT REMEMBER PASSWORD simply overridden.

Internet cafe PCs are riddled with such programmes and are *not safe*. Do not use them to access sensitive accounts or services, as a password manager won't help you.

Link to comment

Yeah, eWallet is another VERY GOOD one! Very versatile on synchronising with desktop applications.

Epocware Handy Safe Pro and Iliumsoft eWallet are old-fashioned databases, that is, a 'physical' piece in your computer.

I hesitate on the idea of online password services, too vague in terms of ownership!

I use eWallet (http://www.iliumsoft.../ew/ewallet.php) - it runs as an app on your pc/mac - but also has versions for various cellphones (which come free when you buy the computer version) and will sync automatically every time you hook your phone to your computer.

Link to comment

Why use many different passwords? Create 1 or 2 strong passwords and use these for all your applications. By the way I thought that Firefox has standard a password keeper added to their browser. This remembers regular website passwords but not to secure sites.

Link to comment

Sorry, but I like to think in risk terms, what happens if one of these services suddenly goes dark? What can you do to get access momentarily to your emails, etc?

Can be technical black out for days, can be .........you name it. Hope for a white knight doesn't solve your problem.

How does a password maker handle security questions?

Edited by THAIPHUKET
Link to comment

Sorry, but I like to think in risk terms, what happens if one of these services suddenly goes dark? What can you do to get access momentarily to your emails, etc?

Can be technical black out for days, can be .........you name it. Hope for a white knight doesn't solve your problem.

What those statements reveal is that you don't have a clue as to how Lastpass works or can work. Rather than blow smoke, demonstrate total ignorance, and wait for spoonfeeding, why not just go research it for yourself thoroughly?

How does a password maker handle security questions?

You'd hardly be competent to judge the merit of any answer. If you were, then you wouldn't be asking. Suffice it to say if Leo Laporte and Steve Gibson of Security Now! endorse it, you can't argue with them.

Here are the Lastpass forums: http://forums.lastpass.com/index.php. Go for it. You'll find that any conceivable question/objection you have has already been answered satisfactorily.

Really, best thing for you to do is stop wasting time and start learning how to use this brilliant FREE product. You may trust me on that point.

Edited by JSixpack
Link to comment

Try Password Safe. It has a reputable author, has been around for a long time and works very well. It both generates random passwords and stores them for you in a strongly encrypted file. You just need to remember the master password to open the safe and click to copy.

A backup copy of the file is also generated automatically. Of course, you should keep a copy of the database in a separate physical location.

I use Password Safe and have for years. It now has over 400 passwords in it.

It's open source and free.

Link to comment

not sure if this is your situation - you probably need 10+ passwords everyday to something 40+ passwords if you are in a corporate life. most often they come in login names, serial numbers, access codes and password combinations. for example, when you place a support call for your notebook, you need a set of 6 to 7 information ( not always password ).

you may consider a comprehensive solution, a robust mechanism than just a simple list of passwords.

if security is a concern, keep the physical database with you in your own device under a strong password protection. this is indeed the same you keep an 'old fashioned' piece of paper in your wallet - WITH YOU !

Link to comment

Try Password Safe. It has a reputable author, has been around for a long time and works very well. It both generates random passwords and stores them for you in a strongly encrypted file. You just need to remember the master password to open the safe and click to copy.

A backup copy of the file is also generated automatically. Of course, you should keep a copy of the database in a separate physical location.

I use Password Safe and have for years. It now has over 400 passwords in it.

It's open source and free.

Edit:

And I keep a copy of the program's installer and of the database on a thumb drive as a backup.

Link to comment

Why use many different passwords? Create 1 or 2 strong passwords and use these for all your applications. By the way I thought that Firefox has standard a password keeper added to their browser. This remembers regular website passwords but not to secure sites.

My advice as well...and easier than using these password managers (where you always run the chance of the program or its password database being corrupted and thus inaccessible. I have had this happen in the past.)

Basically, one needs maybe 3 passwords for surfing the internet. The first, a super-safe password for one's banking, brokerage, and other financial information sites; a second password for email sites (and use the same password for all web-based email (i.e., Yahoo, Hotmail, Gmail, etc.)); and finally, an easy to remember "junk" password for all the sites (like newspapers and the like) that require you to provide an email/password in order to use/access the site.

The banking password should be at least 12-16 characters, and should include upper and lower-case letters, numbers, and specialty characters and punctuation marks. For email and your junk password, it only needs to be 6-8 characters long. You are now done. If you want, you can save a text document listing your passwords on your computer and mobile phone and encrypt it with a simple file encrypter program like Encrypt On Click, Magic Folder, or for industrial strength encryption, True-Crypt. For the file on your mobile phone, something like Mobi Safe for Android is fine.

Edited by FarangBuddha
Link to comment

The problem with using passwords across multiple sites is that if one is compromised you can be totally screwed. I've seen some horrendous incidents of that. For important things, each should have unique passwords to contain the potential damage.

In one case an attacker broke into an open source project website and got a copy of the database, including the password hashes for 20,000 users. Not the passwords, just the hashes. He ran an offline dictionary attack against the hashes and managed to recover a great many passwords, which he used to abuse other people's accounts. The project eventually forced everyone to change their password, but many people had used the same passwords on their email account and elsewhere. With access to someone's email you find out what other services they use and reset the passwords for those too.

The worst thing (for the project) was that some of the software developers had used the same passwords on their Sourceforge accounts. The attacker used a developer account to submit some trojan code into the software repository and nobody noticed. When the next version of the software was released everyone downloaded and installed it - and suddenly he owned hundreds of websites and had access to the password hashes of those too.

It took *years* to clean up this mess.

Link to comment
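
An added example, not part of any post in this thread: a small Python model of the cascade described in the post above, where one leaked password spreads through reuse and through password resets sent to a compromised mailbox. The account names, passwords and the `blast_radius` / `with_unique_passwords` helpers are constructed for illustration, and the model assumes a breach at one site reveals that site's password.

```python
import secrets
import string
from collections import deque

# Constructed inventory (not from the thread): each account has a password
# and the mailbox account that receives its password-reset mail, if any.
ACCOUNTS = {
    "project-forum": {"password": "sunshine1", "recovery": "webmail"},
    "code-hosting":  {"password": "sunshine1", "recovery": "webmail"},
    "webmail":       {"password": "sunshine1", "recovery": None},
    "bank":          {"password": "T7#rv!Qm2zLp", "recovery": "webmail"},
    "newspaper":     {"password": "junk123", "recovery": None},
}


def blast_radius(accounts, breached):
    """Return the set of accounts exposed once `breached` leaks its password.

    Model assumption: a compromised account exposes (a) every account that
    shares its password and (b) every account whose reset mail goes to it.
    """
    compromised = {breached}
    queue = deque([breached])
    while queue:
        current = queue.popleft()
        for name, info in accounts.items():
            if name in compromised:
                continue
            reused = info["password"] == accounts[current]["password"]
            resettable = info["recovery"] == current
            if reused or resettable:
                compromised.add(name)
                queue.append(name)
    return compromised


def with_unique_passwords(accounts, length=16):
    """Copy the inventory, giving every account its own random password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return {
        name: {**info, "password": "".join(secrets.choice(alphabet) for _ in range(length))}
        for name, info in accounts.items()
    }


if __name__ == "__main__":
    print("reused:", sorted(blast_radius(ACCOUNTS, "project-forum")))
    unique = with_unique_passwords(ACCOUNTS)
    print("unique:", sorted(blast_radius(unique, "project-forum")))
    print("mailbox:", sorted(blast_radius(unique, "webmail")))
```

With reused passwords the forum breach reaches the mailbox and, through resets, the bank; with unique passwords it stops at the forum, while the mailbox remains the one account whose loss still exposes everything that resets through it.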

Regarding passwords and the internet, there has to be a balance between safety and usability. I just don't trust password/security programs to keep my passwords safe or accessible. This is also my feeling regarding the password management feature of the browsers themselves. For banking/financial sites (and Amazon), make up a password algorithm you can remember (or have the Gibson Research site generate one for you) and commit it to memory (and an encrypted text file on your computer). For other websites, any basic 6-8 character password will do (and these I would save in the browser password managers for ease of use if one wanted to).

If anyone ever hacked into a bank account and was able to siphon-off money from your account using any stolen information, the bank would surely make its customers whole. As for non-financial sites, I really don't care if someone hacks into my Thai Visa or New York Times account (or even my web mail accounts) as no information of any real security value to me is stored there.

Link to comment

Really, best thing for you to do is stop wasting time and start learning how to use this brilliant FREE product. You may trust me on that point.

My dear Mr Sixpack, comments like this make me even more sceptical. I'm not looking for non-existing 100% security.

But I like to UNDERSTAND the underlying risk and many have been addressed here. And no product web site will tell me as much info as this dialogue here. It is never wrong to ask naive questions, answers, however, ought to have substance.

The conclusion of this all is to go encrypted! At least for me.

Perfect, wonderful

Thanks a million for everyone's patience!

Edited by THAIPHUKET
Link to comment

Keepass as such isn't a service with the passwords stored on a website away from your computer.

The passwords are stored on your computer in an encrypted file.

I like Keepass also, the "portable" version especially. It doesn't run an installer on your computer, and can be easily moved / copied / backed up. I keep a copy on my computer at home, and another on a Flash Drive to take to work, whenever I travel, etc.

Link to comment

My dear Mr Sixpack, comments like this make me even more sceptical. I'm not looking for non-existing 100% security.

Do you really think an independent, well-respected expert such as Steve Gibson isn't skeptical? But, unlike yourself, he also has the knowledge to make an educated judgment.

But I like to UNDERSTAND the underlying risk and many have been addressed here. And no product web site will tell me as much info as this dialogue here.

The Lastpass product website has an active UNCENSORED forum (less censored than TV, I'll wager) for anyone to discuss the product, and you can't possibly understand all about the underlying SAFETY unless you go to that forum and arse yourself to read what experts and newbies such as yourself have to say; and there you can bring up any question or objection you have.

But more than that, Google is always your friend. Read the reviews. Go read the interview in which Steve Gibson mentions the product--among other sources.

Here you are going to get much misleading and likely harmful, if well-meaning, non-expert advice (as per janverbeem or FarangBuddha for example) that you don't know any better than to believe. Now, suggestions such as Keepass (fine product; I've used it) are good as far as they go; it's just that Lastpass is the best on the market for combined convenience, portability, and security. It offers all that the others offer and more.

It is never wrong to ask naive questions, answers, however, ought to have substance.

And I pointed out exactly where you can find the substance you seek, advice which in your infinite wisdom you've chosen to ignore. And so I assume you also won't research thoroughly FOR YOURSELF the other products mentioned here.

The conclusion of this all is to go encrypted! At least for me.

All the products mentioned in the thread offer encryption, including Lastpass.

Edited by JSixpack
Link to comment
