Using password managers
#46916 11/19/17 02:29 PM
Joined: Dec 2009
kevs (OP)

I've never used one of these, I have always just kept them in an Excel file. What is the opinion out there on this? For some reason, I feel with Excel I control more... maybe wrong...

Re: Using password managers
kevs #46919 11/19/17 04:34 PM
Joined: Aug 2009
Likes: 16
Moderator

An Excel file will certainly work but it is not secure and it can be problematic if you want to share the passwords across multiple devices (Macs, iPhones, iPads, etc.).

Keychain is FREE (built into MacOS, iOS, TVOS, WatchOS, and iCloud), very secure and by using an iCloud Keychain can easily share passwords across every device on the same iCloud account. But in the event you need to look up a password on an iOS device there is no Keychain Access app.

There are several password managers that are very secure, use iCloud or some other internet file sharing service to connect multiple devices, can be accessed directly in Safari or other browsers, and work on both MacOS and iOS. (After LOTS of experimentation, trial, and error I settled on 1Password.) I have hundreds of private or secure logins, notes, credit cards, identities, passwords, software licenses, memberships, etc. stored in it and can access or update any of that info on any of my various devices (even Windows machines if I had one), at any time. Additionally it suggests new passwords (with more options than Keychain), nags me when it is time to change passwords, and tracks duplicate passwords. If that isn't enough it is continually evolving and new features keep being added.

SUMMARY: I could get along without 1Password (or a similar app), but I most definitely would not want to.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Using password managers
joemikeb #46921 11/19/17 05:02 PM
Joined: Aug 2009
Likes: 4

My 2-cents', maybe even 2-bits', worth is that while password managers are 'secure' at some level, they are still susceptible to compromise (by whatever definition).

I prefer my own brain (which I presume is immune to electronic hacking) and my password algorithm (which is eminently easy for me to implement and remember and which gets me to where I need/want to be on all sites).

Should I croak, my passwords would be wholly unavailable to my successors and executors, but at that point, it's their problem. They need to earn their statutory fees.
Although, should I become heir to the technology portrayed in Vanilla Sky qua Abre Los Ojos, such would be moot. smirk

Re: Using password managers
grelber #46922 11/19/17 05:20 PM
Joined: Aug 2009
Likes: 15

I use the same login identity and password at innocuous, i.e. most, websites...those where even a malicious person who gets hold of them can't do any damage (other than maaaybe embarrass me).

Financial and other critical logins are, same as you, based on an easily remembered algorithm and stored between my ears. (Actually, I keep a Text Edit doc, stored in an encrypted disk image with a 25 character password, for my daughters' benefit.)


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Using password managers
kevs #46926 11/19/17 06:38 PM
Joined: Sep 2009

Keychain isn't secure. I use 1Password. But be careful when you buy it. They will try to sell you a yearly subscription rather than a stand-alone product that you pay for once.

1Password generates secure passwords. It puts an icon in the toolbar of your browser. When you log in to a web site, you click on the icon and your ID and password are filled in automatically.

I visit a lot of web sites, and most of them require IDs. I certainly don't want to memorize anything. Secure passwords are almost impossible to memorize. A one-click solution saves me a lot of time, effort, and worry.

1Password might be the only password program which is not connected to the cloud. Your IDs and passwords are on your computer. They are not shared with the company. They are not uploaded to the cloud.

Not yet.

Re: Using password managers
artie505 #46927 11/19/17 06:47 PM
Joined: Sep 2009

I used to think that there was such a thing as an innocuous web site, but I don't anymore.

I found these helpful:

Take Control of Security and Take Control of Privacy by Joe Kissell (ebooks)
Brian Krebs, krebsonsecurity.com
Bruce Schneier, schneier.com
routersecurity.org
Shields up router testing, www.grc.com
bleepingcomputer.com
Ars Technica.com
Macintouch.com

Re: Using password managers
deniro #46928 11/19/17 07:22 PM
Joined: Aug 2009
Likes: 16
Moderator

Originally Posted By: deniro
1Password might be the only password program which is not connected to the cloud. Your IDs and passwords are on your computer. They are not shared with the company. They are not uploaded to the cloud.

Your information is incomplete and could be misleading. 1Password data can be shared through...The first three options permit the data to be shared with other computers and iOS devices anywhere in the world and require the use of internet data storage. The "local folder" can be on a server attached to the LAN. WLAN permits sharing anywhere within range of your wireless local area network. These last two are the only options that do not require internet storage of the data.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Using password managers
joemikeb #46929 11/19/17 10:45 PM
Joined: Dec 2009
kevs (OP)

Thanks, D, love Joe Kissell, will check out.

Joe: I'm with Firefox and they just annihilated all their addons/ plugin.

I had an autofiller / or auto log in? that would populate user/ pass or form that I filled in-- called Secure Log in.

But here is the deal: I'm confused now about the difference between the plug ins for web that do auto fill or fill in passwords you typed in that you created vs. true password management software that generates passwords. What is the difference?

I've been using a manual Excel file for so long, it's hard for me to let go or trust a real password creator or manager, your opinion? I feel what happens if there is some glitch? Excel, I have it all in my palm still.

And what if you need to use another browser or 2?

Oh missed previous post to Joes last.
thanks guys:
A girl recommended Last Pass, have you tried that Joe?

Joe: Why is 1 password better or more secure than my old Excel sheet? My Excel sheet passwords have a code, snippet memorized in my brain plus a password. Isn't that better than a great password that maybe someone can find use?

And will it work for multiple browsers or just one?

Last edited by kevs; 11/19/17 11:03 PM.
Re: Using password managers
kevs #46942 11/20/17 10:13 PM
Joined: Aug 2009
Likes: 16
Moderator

Originally Posted By: kevs
Joe: I'm with Firefox and they just annihilated all their addons/ plugin.

I have Firefox, but the only version of it that I use is a version the TOR router is based on. Of course, the TOR router eschews add ons/plugins because they all contribute to your identifiable online signature. On the other hand 1Password claims to work with Firefox 40 or later. 🤷‍♂️

Originally Posted By: kevs
I had an autofiller / or auto log in? that would populate user/ pass or form that I filled in— called Secure Log in.

There are a number of similar products and Safari has that built in based on Keychain.

Originally Posted By: kevs
But here is the deal: I'm confused now about the difference between the plug ins for web that do auto fill or fill in passwords you typed in that you created vs. true password management software that generates passwords. What is the difference?

For starters Password Management software is a stand alone app that is totally independent of any browser. It may have a browser plugin that permits access from within the browser, but that is not necessary.

Originally Posted By: kevs
I've been using a manual Excel file for so long, it's hard for me to let go or trust a real password creator or manager, your opinion? I feel what happens if there is some glitch? Excel, I have it all in my palm still.

Well let's see, in my case the password manager data is backed up on Time Machine, there are synched copies on iCloud, my server, my iPhone, and my iPad. If one glitched I can always get the data from one of the other devices.

Originally Posted By: kevs
And what if you need to use another browser or 2?

Not a problem, open the app, find the data, then copy and paste into the browser, or alternatively for logins simply double click on the entry in the app and it launches the default browser and passes the URL, user ID, and password to open the site. If you have computer-using family members, up to five can share the same account and there are additional features offered such as the ability to unlock a member's vault if they forget their password.

Originally Posted By: kevs
A girl recommended Last Pass, have you tried that Joe?

No but there are new ones coming out all the time. I have only tried maybe 8 or 10 different apps and since I started using 1Password three or so years back, I have not had any impetus to try any others.

Originally Posted By: kevs
Joe: Why is 1 password better or more secure than my old Excel sheet? My Excel sheet passwords have a code, snippet memorized in my brain plus a password. Isn't that better than a great password that maybe someone can find use?

How good is the encryption algorithm on the Excel spreadsheet? 1Password uses AES 256-bit encryption, a locally generated 128-bit secret identifier key, and all synchronizing internet traffic is end-to-end encrypted. There is a master password that is not stored anywhere (you have to remember it) but on my iPhone 1Password opens with facial recognition, on my MBP and iPad I have to use my fingerprint, and only on the server is the access password required. Right now I have 338 items stored including 235 logins, 33 software licenses, 26 passwords, etc. organized by type of entry with specific templates for each type (reminds me to capture data items I might otherwise overlook and wish I had later), the ability to search on a variety of criteria, automatically flags any weak passwords, identifies all duplicate passwords, tracks how old passwords are as a reminder to update old ones.

Originally Posted By: kevs
And will it work for multiple browsers or just one?

It will work without a browser and there are extensions for Firefox 40 or later, Safari, and Chrome. In these browsers 1Password can either replace or be used in addition to the browser's automatic fill in.

CAVEAT The original question was in essence, why use a password manager. The MacOS App Store catalogs 80 different products and the iPad App Store lists over 200, I didn't check the iPhone App Store. They all have many of the same features and each offers some unique features. Obviously some are unique to iOS or MacOS and others work on both platforms. I am not trying to tout you or anyone on using 1Password, I am citing it because it is the one I am most familiar with. (It is rated by the App Store as one of the essentials.)

THE POINT IS: As I said previously I could live without a Password Manager, but I would not want to. It is too useful and I have come to rely on this one too much to give it up now.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Using password managers
joemikeb #46944 11/20/17 10:39 PM
Joined: Sep 2009

The key word is "permit". If you have file sharing turned on, so that you can share 1Password between computers, then of course that's weakening your security because you need internet access.

I don't do it that way. I have a copy of 1Password on two different computers. If I need to use a password on a different computer, I can either export it from 1Password to a file, put the file on a USB thumb drive, then import it, or write it down on a piece of paper and type it in myself. To me these are far preferable to using file sharing.

1Password allows you to do what the others don't: avoid the cloud. Also, the subscription model, which I suggested the person avoid, does use the cloud. But if you buy the standalone program you can avoid the cloud. That is not the case with most password managers because they are cloud based. They are not isolated programs.

Re: Using password managers
deniro #46945 11/20/17 10:49 PM
Joined: Sep 2009

To the question why use a password manager, I use one because I visit web sites that require IDs and passwords.

With 1Password I have to memorize only one password, which I enter to open the program's vault. The program installs an extension in your browser and puts an icon in your tool bar. You don't have to type anything or memorize anything. One click for every site.

If I wanted to, I could use a freeware program to generate reliable passwords, then write them down somewhere, or type them in a text file, or memorize them if possible, then either type them or copy and paste as needed for each web site. That's secure if you have your list of passwords in a secure place.

But I don't want to do that. Too many sites, too many different passwords to remember. At this point, passwords have to be 12 characters to be reliable.

There's also a psychological aspect to all of this.

Re: Using password managers
deniro #46946 11/21/17 12:49 AM
Joined: Dec 2009
kevs (OP)

Thanks guys good info.

What if someone got your 1 password, crazy no? (saw you typing it in..) Do you use this for your bank? I think for Bank you may want to use something else.

Deniro/ Joe : for web, I like the 1 click convenience. (so you guys rarely actually type your long 1 password out?)

I think Firefox even has that built in.. but is it a worry ever if laptop stolen?

Joe; are you using in the cloud? Seems logical to use Apple's iCloud, no? But Deniro, only use via your local hard drive?

Re: Using password managers
deniro #46951 11/21/17 08:30 AM
Joined: Aug 2009
Likes: 15

Originally Posted By: deniro
I used to think that there was such a thing as an innocuous web site, but I don't anymore.

Well, take FTM, for example... What's my risk if someone steals my login credentials? I doubt that anybody could even embarrass me with a spoofed post, because my writing style is distinctive and known to all the regulars.

Or at any of the various websites at which I shop, where a malicious person could fill up a shopping cart but NOT be able to pay for it.

OK, I AM at risk with eBay, but only insofar as the inconvenience of having to explain what happened and hoping I'm not penalized for it. (Yeah, I should re-examine that.)

And so it goes...

As long as I've got everything "sandboxed", i.e. with means of payment totally unconnected to means of purchase, I'm happy.

Websites at which money or important services or data are vulnerable are protected by strong passwords.

If I'm being dangerously naive, somebody please give me a kick in the right direction.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Using password managers
kevs #46952 11/21/17 08:33 AM
Joined: Aug 2009
Likes: 15

Originally Posted By: kevs
What if someone got your 1 password, crazy no? (saw you typing it in..)

Isn't the same thing possible with your Excel password?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Using password managers
kevs #46958 11/21/17 03:28 PM
Joined: Aug 2009

Originally Posted By: kevs
... What if someone got your 1 password... (saw you typing it in..)....


When initiating a Login with 1PW, from a desktop computer, one can use the double-click, keystroke combination of ⌘ \ (Cmd Backslash) to have 1PW auto-enter your Username & Password (as well as select & enter Answers to Security Questions).

1PW works in relation to the Web Site's Login URL, which is part of the Login's details; and, this is how 1PW knows which Login is to be entered. ...When ⌘ \ is initiated, one's keyboard entry is by using only those 2 keys.

This Login step does require prior entry of one's Master Password (MP), in order to open 1PW. But given one's using 1PW (in this case) on one's desktop computer, it should be easy to manually enter the MP in a secure way (avoiding furtive eyes). [If one can't do so, then, I think such a user has more critical vulnerabilities.] Moreover, one can set 1PW for the time length before the MP is again required; or on the other hand, one can immediately lock 1PW. ...As I'm now using a new MBP 15, I can activate 1PW from the Trackpad using TouchID.

My Web Logins are all complicated (both in length & text/number/characters combinations) due to using 1PW's Password Generator (in a controlled environment, to control / setup / change Login passwords) and different for every Login.

When it comes to Web Logins, I know, from memory, only 2 passwords (although I've saved them, for reference, as a 1PW Secure Note.) ... my 1PW MP (12 characters) & my Apple ID's password (18 characters). [My ID PW is longer since I may have to manually enter it in less secure circumstances (and is subject to hacker attempts on Apple's servers). Outside of someone filming me, which I could defeat, I seriously doubt anyone could memorize, in the moment, what I'm typing.]

Additionally, I use 1PW's iOS versions on my iPhone & iPad, and these iOS versions can be activated by TouchID or now, by FaceID. So on devices I'm using in public, I'm not manually typing any passwords.

Even if any of my devices are stolen, 1PW's details are 256-bit encrypted (both on my MBP & iCloud) as well as protected by a lengthy & unique MP, which would defeat any brute force attempt to ferret it out before I could change my MP.

I have been using 1PW ever since the software was introduced. 1PW is well supported by Agile Bits and their regular improvements are innovative. I have never used any other password manager as I feel there's no reason to do so, as well as it being the best password manager. 1PW is an essential means in my strategy to protect, and use, my most important web details.


MacStudio M1max - 14.4.1, 64 GB Ram, 4TB SSD; Studio Display; iPhone 13mini; Watch 9; iPadPro (M2) 11" WiFi
Re: Using password managers
pbGuy #46959 11/21/17 03:41 PM
Joined: Dec 2009
kevs (OP)

Artie, I just have one memorized real long pass.... And it's not on the Excel sheet. Most on the Excel are simple ones, a memorized intro-- a few digits coded then a simple pass.

But I suppose I could use the one long memorized pass and a 1 at the end for the 1 password to solve that issue....

For my bank and iCloud I use my one long memorized pass and a letter before after.

Nice post PB, ok so only worry if laptop or desktop gets stolen while it's open and working! Which would be rare, and you can then change the pass remotely later... You might also want to code the name, example instead of Bank of America just put B.

Last edited by kevs; 11/21/17 03:59 PM.
Re: Using password managers
kevs #46961 11/21/17 04:32 PM
Joined: Aug 2009

Originally Posted By: kevs
... only worry if laptop or desktop gets stolen while it's open and working... ...might also want to code the name...


IMHO, 1PW has user-set, Security preferences enabling easy & controlled use in public. 1) 1PW allows Lock on Sleep, Lock when Screen Saver is activated, Lock when 1PW main window is closed, Lock on fast user-switching (desktops with multiple, account users). 2) 1PW allows Lock after computer is idle for user-set time in minutes and clear Clipboard contents after user-set time in seconds.

If one is using a computer in such a vulnerable environment, where being stolen during use is a possibility (or, can't be mitigated by any of 1PW's Security preferences), I think using in such an environment, is foolish and leaving the computer unattended in such an environment, is foolhardy. ...I wouldn't even use my iPhone in such an environment.

As far as a code name, No, I would never want to do so. ⌘ \ is the only keystroke combination I want to use to initiate an auto-Login as ⌘ \ doesn't denote anything specifically.


MacStudio M1max - 14.4.1, 64 GB Ram, 4TB SSD; Studio Display; iPhone 13mini; Watch 9; iPadPro (M2) 11" WiFi
Re: Using password managers
pbGuy #46962 11/21/17 04:39 PM
Joined: Dec 2009
kevs (OP)

PB

With simple auto log in, which I think for mostly everything would be ok, maybe except Banks.. or sites where you buy stuff. Is there a way to tell 1 pass which sites want an auto log in and which don't?

Re: Using password managers
kevs #46965 11/21/17 04:58 PM
Joined: Aug 2009

Absolutely... As mentioned in my initial post, the web site's Login URL is part of the 1PW Login submission details (so, if the URL is not what's entered in 1PW's site details - doesn't match, no auto-login will take place with the keystroke method), and one can set whether or not submission will use auto-login or use manual submission or, No submission whatsoever.

You have customizable control over how 1PW submits (and what it submits) within each and every, 1PW web site Login. ...I would go as far to say, this provides the best control at financial web sites, where the site may have its own unique requirement(s) about how Login is completed.

I encourage you to visit Agile Bits web site and peruse the details and watch the video.


MacStudio M1max - 14.4.1, 64 GB Ram, 4TB SSD; Studio Display; iPhone 13mini; Watch 9; iPadPro (M2) 11" WiFi
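
The URL gating described in the post above, sketched as an added example (not from the original thread and not AgileBits' code): a fill decision that requires an exact HTTPS host match against the saved login URL and honours a per-item submit setting. The vault items, field names and `decideFill` are hypothetical, and the URLs are constructed samples.

```javascript
// Added example: origin-gated autofill decision. All names are hypothetical.

// Per-item submit preference, mirroring the three choices named in the post:
// auto-login, manual submission, or no submission at all.
const SUBMIT = Object.freeze({ AUTO: 'auto', MANUAL: 'manual', NEVER: 'never' });

// Constructed sample vault items (no real sites or credentials).
const vault = [
  { title: 'Forum', url: 'https://forum.example.org/login', username: 'kev', submit: SUBMIT.AUTO },
  { title: 'Bank', url: 'https://online.bank.example/signin', username: 'kev01', submit: SUBMIT.MANUAL },
  { title: 'Old shop', url: 'https://shop.example.net/', username: 'kev', submit: SUBMIT.NEVER },
];

// Parse a URL into the parts used for matching, or null if it must not be trusted.
function parseOrigin(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;                                  // not a parseable URL
  }
  if (u.protocol !== 'https:') return null;       // never fill over plain HTTP
  if (u.username || u.password) return null;      // reject "trusted.site@other.host" forms
  return { host: u.hostname.toLowerCase(), port: u.port || '443' };
}

// Exact host and port comparison. No substring or suffix matching, so a
// lookalike host that merely contains the saved host name does not match.
function sameOrigin(a, b) {
  return a !== null && b !== null && a.host === b.host && a.port === b.port;
}

// Decide what to do when the fill shortcut is pressed on pageUrl.
function decideFill(pageUrl, items) {
  const page = parseOrigin(pageUrl);
  if (!page) return { action: 'refuse', reason: 'untrusted page URL' };

  const match = items.find((it) => sameOrigin(parseOrigin(it.url), page));
  if (!match) return { action: 'refuse', reason: 'no saved login for this origin' };

  if (match.submit === SUBMIT.NEVER) {
    return { action: 'refuse', reason: 'item set to never fill' };
  }
  const action = match.submit === SUBMIT.AUTO ? 'fill-and-submit' : 'fill-only';
  return { action, title: match.title };
}

// Walk a few constructed page URLs through the decision.
for (const page of [
  'https://forum.example.org/login?next=/',
  'https://online.bank.example/signin',
  'https://forum.example.org.evil.example/login',
  'http://forum.example.org/login',
]) {
  console.log(page, '->', JSON.stringify(decideFill(page, vault)));
}
```

Because the match is on the parsed host rather than on what the page looks like, a phishing page on a lookalike domain gets no credentials even when the user presses the shortcut.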
Re: Using password managers
pbGuy #46966 11/21/17 05:27 PM
Joined: Dec 2009
kevs (OP)

PB thanks, they don't really have a lot of info past the one sales pitch video.

So info getting here is probably good- enough.

Ok that's nice.

But I just looked at my Excel file with 400 user/ passwords, and 95% are for simple forums and small stores that don't store my credit card.

The real important ones are probably about 5 -- Paypal, Apple, 2 banks...

So still not sold! But info is good. Do I really need to give them $36 year after year.. where Excel is free year after year? Still open... If Joe uses it.. then the... and you....


Moderated by  alternaut, dianne, MacManiac 
