Passwords, their importance, and why you should remember them.

Almeuit

Moderator Team Leader
Moderator
Apr 17, 2012
I actually just got a YubiKey Neo (2 of them) and now use that for 2FA on important accounts. I set up a main and backup one for LastPass. Now it is locked down / encrypted with my Master Password, encrypted again w/ Yubi, and requires a physical key. I didn't think it did a double but even LP told me to re-log in on devices and such due to it.
 

dlalonde

Trusted Member
Dec 31, 2014
I personally use Enpass because of LastPass's past issues with hacking and such. With Enpass my database is stored on my device or Google Drive, which I trust more.

> Exactly. Further security stems from the fact that most brute force unlocking software bogs down at around 11 to 16 characters, but pass phrases can reach as many characters as allowed. I know Google passwords can go more than 20 characters.
>
> Also, to even further increase security, you can use upper case and special characters as well. For example, the following phrases as passphrases:
>
> Android Forums 2018, good times!
>
> !!Batman is Ace Ventura!?

That's pretty sweet! I've checked this with several password security checkers (using fake passwords of course) and that proved this. Even the more complex passwords were breakable before a long pass phrase.
 

chanchan05

Q&A Team
Nov 22, 2014
> My concern with pass phrases like that is the available hacker dictionaries. So while a 20 character simple pass phrase may have more individual character combinations, a hacker program designed to try word combinations instead of every individual random string of characters is theoretically going to be able to crack the password much quicker. With password managers to handle them, it's just as easy and more secure to make that a 20 character string of random characters. And if you are using pass phrases like that, then I'm guessing you are not using a manager, meaning you are manually typing in your passwords. With an auto-fill ability, now the manager is both easy, more secure, and quicker at logging you in.
>
> There really isn't a reason not to use one in today's world.

The answer to this is, there are more words than characters. There are 171,476 words in the English language. So it's still got to go through all of those and put them in combinations.

Further, that doesn't take into account foreign words. All of us know at least some foreign words, right? That exponentially increases security, especially if we use languages like romanized Japanese words which would vary in spelling depending on which Japanese alphabet you prefer.

However, I see your point in a password manager. I use one as well. But you still need a single master password that you remember, that is also hard to crack.
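
Added example, not part of any post in this thread: the word-versus-character comparison debated above, worked through with the 171,476-word figure from the post and a 95-character printable-ASCII alphabet (an assumption). Every number holds only when each word or character is picked uniformly at random; a phrase a person composes has less entropy than this. `DEMO_WORDS` is a constructed 16-word list.

```python
import math
import secrets

PRINTABLE_ASCII = 95      # assumption: letters, digits, symbols and space
ENGLISH_WORDS = 171_476   # vocabulary size quoted in the post above

# Constructed 16-word demo list (4 bits per word); real lists are far larger.
DEMO_WORDS = ["amber", "bison", "cedar", "delta", "ember", "fjord", "glyph",
              "heron", "ivory", "jolly", "kayak", "lemon", "mango", "noble",
              "otter", "pixel"]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each drawn uniformly at random
    from `choices` options (single characters or whole words)."""
    return length * math.log2(choices)


def words_to_match(target_bits: float, vocabulary: int) -> int:
    """Fewest uniformly random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocabulary))


def generate_passphrase(wordlist, n_words):
    """Pick words with a CSPRNG; return (phrase, entropy in bits)."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy")
    phrase = " ".join(secrets.choice(wordlist) for _ in range(n_words))
    return phrase, entropy_bits(len(wordlist), n_words)


def comparison():
    """Random 20-character string vs. k random dictionary words."""
    target = entropy_bits(PRINTABLE_ASCII, 20)
    rows = [(k, entropy_bits(ENGLISH_WORDS, k)) for k in range(3, 9)]
    return target, rows, words_to_match(target, ENGLISH_WORDS)


if __name__ == "__main__":
    target, rows, needed = comparison()
    print(f"20 random printable characters: {target:.1f} bits")
    for k, bits in rows:
        print(f"{k} random words from {ENGLISH_WORDS:,}: {bits:.1f} bits")
    print(f"words needed to match the 20-character string: {needed}")
    phrase, bits = generate_passphrase(DEMO_WORDS, 5)
    print(f"demo passphrase: {phrase!r} ({bits:.0f} bits from a 16-word list)")
```
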
 

TraderGary

Trusted Member
Apr 12, 2012
I too use LastPass and have used it for many years.
Kate and I use LastPass Families.
This allows us to share some passwords jointly such as bank passwords.
We find this invaluable.
 

RazorDev Apps

Member
Oct 18, 2018
Never use too many different passwords. I am having trouble right now. I am locked outside certain sites, because I can't remember the correct password and am too lazy to reset it, cause I have to think of another one, that I haven't used yet.
 

Mooncatt

Ambassador
Feb 23, 2011
> Never use too many different passwords. I am having trouble right now. I am locked outside certain sites, because I can't remember the correct password and am too lazy to reset it, cause I have to think of another one, that I haven't used yet.

This is exactly why I prefer password managers. You only have to remember the one master password (which should obviously be very strong) and it takes care of the rest.
 

Mooncatt

Ambassador
Feb 23, 2011
Just want to update anyone using the Android version of LastPass to fully log out when not in use, or at the very least, set a screen lock on your phone if you haven't already. I found a glaring bug that can allow access to your account without needing to verify your login credentials. I don't want to say any more about it because it's ridiculously easy to exploit, and to explain how to prevent it basically gives it away and could clue in a data thief on what to do since this is a public forum. I have reported it to LastPass and they were able to recreate the problem, so are now looking into it. They have been quick to work with me so far and hopefully this is patched asap.

Once this is patched, I'll explain what it is and link to a video demonstrating it if others are curious.
 

me just saying

Well-known member
Jul 18, 2015
I don't see how that is a bug. It is the same way on your computer. Unless you log out of LastPass, anyone can have access to your account if you are not around. What I do is put any financial, banking, bill paying and other important passwords into a folder that can only be accessed via verifying the password. This way I don't have to worry about leaving the browser open, and it also works on Android.
 

Mooncatt

Ambassador
Feb 23, 2011
> I don't see how that is a bug. It is the same way on your computer. Unless you log out of LastPass, anyone can have access to your account if you are not around. What I do is put any financial, banking, bill paying and other important passwords into a folder that can only be accessed via verifying the password. This way I don't have to worry about leaving the browser open, and it also works on Android.

On the Android app, there are settings to auto-lock the app so you have to verify your password or use biometrics to access anything. This isn't being properly respected, thus the bug.

You are right, there is the ability to allow the app to remain unlocked if you so choose (not recommended, of course), but that isn't the issue at hand. The fact that they have been able to reproduce this and are now escalating it up the chain means that it's at least worth looking into.
 

Mooncatt

Ambassador
Feb 23, 2011
I've given LastPass the standard 90 days to address this vulnerability, and that time has come and gone. It's still there, and they now don't seem enthusiastic about fixing it. I created its own thread here to discuss it.

https://forums.androidcentral.com/showthread.php?t=1006337

I also linked to my YouTube video demonstrating the bug in action, which is here.

https://youtu.be/SWBkKYH3vZY

I'm posting here mostly for informational purposes and would like to keep any discussions about this issue to its own thread linked above.