Password Manager

Jerry Bruette
05-26-2014, 7:14 PM
Anyone here use a password manager? How do they work and why can't they be hacked?

Dan Hintz
05-26-2014, 8:50 PM
Who said they can't be hacked?

Ted Calver
05-26-2014, 8:52 PM
I use Dashlane and am happy. Don't know if it can be hacked... I guess anything can be hacked if you throw enough at it.

Justin Ludwig
05-26-2014, 9:33 PM
AES Password Manager here. I've used it for as long as I can remember.

Jerry Bruette
05-26-2014, 10:35 PM
Who said they can't be hacked?

Just curious. With the E-bay breach, and the advice to change passwords and to make them big and complex I'm thinking of using a manager but was wondering what makes them so safe.

Ole Anderson
05-26-2014, 10:43 PM
I am guessing here, but I would hope the encryption is so complex it would not be worth it to try to crack the code. Personally, I am not going that route, even though my Xfinity Constant Guard add-on constantly asks me if I want it to remember my password.

Bryan Rocker
05-27-2014, 1:16 AM
My wife swears by Last Pass.

Tony Zona
05-27-2014, 7:11 AM
Our problem is not from hacked passwords, I'm convinced. Who would want to take the time to do that?


Instead, our problem is caused by companies who give away our passwords, like Target and Ebay.

Duane Meadows
05-27-2014, 8:43 AM
Our problem is not from hacked passwords, I'm convinced. Who would want to take the time to do that?


Instead, our problem is caused by companies who give away our passwords, like Target and Ebay.

Obviously, not many would take the time to hack an individual password. Depends on the risk/reward ratio, or maybe just the challenge.

Going after businesses that have thousands or millions of passwords for the same amount of time and effort (give or take... probably more security) seems to be the hackers' goal.

Accusing the companies of "giving away" the information is a bit naive and grossly unfair. Many vulnerabilities are only found because someone exploits them. I can pretty much promise we will see more of this. NO software that is connected to the internet is 100% foolproof.

If you think hacked passwords are not a problem, just keep your head in the sand and keep using those same weak passwords. Best of luck with that.

Tony Zona
05-27-2014, 9:19 AM
You could injure yourself jumping to those conclusions.

Brian Ashton
05-27-2014, 10:04 AM
The only password manager I trust and use is a notebook and pencil. In this day and age, few of those with a penchant for stealing even know what a notepad and pencil are for, so they'll overlook it when ransacking your belongings. And digital password managers are crackable and always found where they should least be: on the computer.

Brian Ashton
05-27-2014, 10:12 AM
Obviously, not many would take the time to hack an individual password. Depends on the risk/reward ratio, or maybe just the challenge.

Going after businesses that have thousands or millions of passwords for the same amount of time and effort (give or take... probably more security) seems to be the hackers' goal.

Accusing the companies of "giving away" the information is a bit naive and grossly unfair. Many vulnerabilities are only found because someone exploits them. I can pretty much promise we will see more of this. NO software that is connected to the internet is 100% foolproof.

If you think hacked passwords are not a problem, just keep your head in the sand and keep using those same weak passwords. Best of luck with that.


You won't find many that will try to crack an individual password via brute force. But if they're able to crack the password manager's encryption or find a vulnerability, everyone with that manager is at risk once it's sold on the open market and the fishing expeditions start. That's the Achilles' heel: the more popular the manager is, the more attempts there will be to crack it. The same reason why few try to crack Macs: no one uses them.

Lee Schierer
05-27-2014, 5:08 PM
Your safest route is to create a spreadsheet with all your websites and passwords and keep the file on a jump drive. When you need it plug it into the computer, access the information and then unplug the jump drive. If it is not plugged in it can't be hacked.

Dan Hintz
05-27-2014, 5:29 PM
Your safest route is to create a spreadsheet with all your websites and passwords and keep the file on a jump drive. When you need it plug it into the computer, access the information and then unplug the jump drive. If it is not plugged in it can't be hacked.

No, but the temp file often created automatically can be found (a common goldmine for script kiddies is the temp folder(s))... requires zero hacking skills, no cryptography to worry about, etc.

Brian Ashton
05-27-2014, 5:53 PM
Your safest route is to create a spreadsheet with all your websites and passwords and keep the file on a jump drive. When you need it plug it into the computer, access the information and then unplug the jump drive. If it is not plugged in it can't be hacked.

What do you do when/if that fails? Old school, baby: pencil and paper.

Brett Luna
05-27-2014, 7:15 PM
Since I have a boat load of personal and work passwords, I do use a password (and personal information) manager and I've used the same one for several years now...since my iPaq Pocket PC days. It's an app on both my iPhone and iPad and includes a desktop PC companion version that makes initial entry and subsequent management easier. Encryption is pretty robust so I'm reasonably confident in using it.

Jerry Bruette
05-27-2014, 7:16 PM
What do you do when/if that fails? Old school, baby: pencil and paper.

I've been using pencil and paper, but have been reading about password managers and was curious what made them so appealing. Maybe I'll just keep doing it the old way.

Duane Meadows
05-27-2014, 7:52 PM
Consider this... writing a password manager program/app with a back door would be the easiest way to harvest passwords! None of that hacking, cracking, or just plain guessing stuff. Might even be able to make a few bucks on the side.

Think I'll stick with my spreadsheet (yes, I know... if it's online, you can't trust it too far either). Pencil and paper might be OK as long as no one else has physical access. My biggest problem with that is losing the paper :)

Jessica Pierce-LaRose
05-27-2014, 8:20 PM
A good password manager should help you generate passwords that are much harder for hackers to brute-force (the easier it is to type in from a spreadsheet, the easier it is to guess) and less susceptible to attacks based on tables and data sets of known passwords. At the very least, it helps you generate unique passwords for multiple sites, so a compromise at one doesn't lead to the compromise of another.

Hopefully their systems are more secure than most - a large problem with passwords is not your bank being easily hacked, it's a minor e-retailer being easily hacked and someone using the same password / username combo at multiple places.

The other thing that most password managers have going for them is a combination of trusted devices and two-factor authentication. That is, I can only use the password manager from laptops, phones, etc. that I have control over (and I can revoke that access if I lose my phone), and if I try to access the password manager from somewhere different or new (a new computer, a friend's computer, etc.) I need to put in more than the master password I normally would; usually this is accomplished by a combo of password and text: if I use a new device, I have to put in both my master password and a unique code that has been sent to my phone. A lot of companies (Apple, Google, Twitter, most banks, etc.) are also offering two-factor authentication now, and if the hassle is amenable to you, it's a useful precaution. This might not always help prevent hacks aimed at obtaining your financial information, but against hacks attempting to lock you out of your devices or data, two-factor authentication helps prevent someone from changing your login and locking you out of your accounts, etc.

Arstechnica has had a lot of nice articles on password security and password managers.

Greg Portland
05-28-2014, 8:10 PM
If you think hacked passwords are not a problem, just keep your head in the sand and keep using those same weak passwords. Best of luck with that.
Yes. An 8 character password using any key on your keyboard (alt chars, caps, etc.) takes minutes to crack with a $200 graphics card.

Password programs allow you to easily use longer passwords (since you're not typing them in) so that is an advantage.

Ole Anderson
05-28-2014, 11:57 PM
How does a password hacking program get around "three tries and you are out" that most critical sites use? Interesting that my bank (a large national one) limits you to 12 characters and does not allow other than letters and numbers.

Pat Barry
05-29-2014, 8:31 AM
After listening to the Edward Snowden interview last night I'm convinced that all this password security is really only a feel-good thing for us users. The kinds of folks we need to be concerned with will get through any encryption method we can develop. Let's say you use password manager software. All the hacker has to do is figure out which one, use his own secret key to unlock it, then he has total access to what you have. He can do this to get into your iPhone and find your passwords while you sleep, even if your phone is turned off, for example. By the way, where is the 'hacker' forum? I bet that would be interesting reading. I could just imagine the topics there.

Dan Hintz
05-29-2014, 3:35 PM
After listening to the Edward Snowden interview last night I'm convinced that all this password security is really only a feel-good thing for us users. The kinds of folks we need to be concerned with will get through any encryption method we can develop. Let's say you use password manager software. All the hacker has to do is figure out which one, use his own secret key to unlock it, then he has total access to what you have. He can do this to get into your iPhone and find your passwords while you sleep, even if your phone is turned off, for example.

The folks you should really be concerned about are those the media chooses to actually call "hackers" (not governmental agencies) as they will empty your accounts and steal your identities, if given the opportunity. Those groups use multiple methods to get your data. These include (in increasing order of what can be done to avoid them as a user): exploits (both unknown (known as 0-days) and known to the security community at large) of the programs you run, such as Internet Explorer or Adobe Flash; links to malicious code (from ads on webpages you visit to hotlinks in emails); phishing (you're practically handing them your data); posting it in forums or social media pages.

Starting at the end, those are the easiest to grab as they require no skill, just patience (it's tedious work). The beginning of the list, the hardest stuff, is done by groups that are generally financially well-backed. All of them can end with the same consequences for you. These hackers can't grab your data simply because they know what program you're using (unless it has a flaw they know of and can use)... public-key cryptography requires both ends of the chain to be correct, so they can't use their own (public or private) key to get yours (private). No one less than a nation state is going to have the capability to get into your equipment while it's powered down, so don't get in a frenzy about that.

I'll say this only once... Snowblower is a hack, not a hacker. I liken him to Mitnick back in the day... he's a social hacker, not a code hacker. He talked people out of their passwords, he didn't steal them via hacking.

Raymond Fries
05-29-2014, 3:38 PM
Mine is on an Ironkey and I love it. It will generate them if you like. It also uses them to help you log into sites.

Pat Barry
05-30-2014, 12:00 AM
The folks you should really be concerned about are those the media chooses to actually call "hackers" (not governmental agencies) as they will empty your accounts and steal your identities, if given the opportunity. Those groups use multiple methods to get your data. These include (in increasing order of what can be done to avoid them as a user): exploits (both unknown (known as 0-days) and known to the security community at large) of the programs you run, such as Internet Explorer or Adobe Flash; links to malicious code (from ads on webpages you visit to hotlinks in emails); phishing (you're practically handing them your data); posting it in forums or social media pages.

Starting at the end, those are the easiest to grab as they require no skill, just patience (it's tedious work). The beginning of the list, the hardest stuff, is done by groups that are generally financially well-backed. All of them can end with the same consequences for you. These hackers can't grab your data simply because they know what program you're using (unless it has a flaw they know of and can use)... public-key cryptography requires both ends of the chain to be correct, so they can't use their own (public or private) key to get yours (private). No one less than a nation state is going to have the capability to get into your equipment while it's powered down, so don't get in a frenzy about that.

I'll say this only once... Snowblower is a hack, not a hacker. I liken him to Mitnick back in the day... he's a social hacker, not a code hacker. He talked people out of their passwords, he didn't steal them via hacking.
My point, Dan, was that the techniques outlined by Snowden (you misspelled his name and later mischaracterized what he did) are available to the hackers and we should be very concerned about those hackers, so you agree with me on that point. Your other point regarding these hackers being well funded is way off base and probably couldn't be further from the truth.

Dan Hintz
05-30-2014, 7:44 AM
My point, Dan, was that the techniques outlined by Snowden (you misspelled his name and later mischaracterized what he did) are available to the hackers and we should be very concerned about those hackers, so you agree with me on that point. Your other point regarding these hackers being well funded is way off base and probably couldn't be further from the truth.

My profession affords me a different (deeper) view than most of the world receives. My misspelling of his name was (obviously, or so I thought) done on purpose. As for what he did and my perceived mischaracterization of it, well, your view (not just your viewpoint) is vastly different than mine. The broadcasters are making him out to be some super-genius... let's just say the guy himself has done some serious resume padding. Just because I clean the floors at NASA doesn't mean I'm a rocket scientist. And just because I was able to get my hands on gigs' worth of data doesn't mean I'm a hacker. The "crypto parties" being bandied about lately are little more than "this is how you use this set of downloadable tools to secure your data", but the media throws around words like crypto and hacking in the hopes Joe Average will believe Snowblower was sitting in his evil lair with a can of Red Bull and some Twinkies hacking governmental systems. The guy had a flash drive, people's passwords garnered via social skills, and direct access to machines containing the data... an elementary school kid could accomplish the same.

NOTE: None of the above says anything about my personal view towards what he did, whether it was right or wrong, a patriot or a traitor, etc. I am merely saying there was nothing special and/or complicated about what he did.

As far as what's available to the real hackers, how financially viable (liquid?) they are, etc... well, that will come down to both view and viewpoint. Most likely do not have enough of the former, which heavily colors the latter. The media always comes back to "Two hackers were arrested in their mom's basement yesterday after blah blah blah". That's an extremely limited view, and it's all most will ever see. If your viewpoint is based off of that kind of stuff... <shrug>

Pat Barry
05-30-2014, 8:03 AM
Dan,
I never termed Snowden a "hacker". I merely stated that what he was saying about the ability of sophisticated hackers to get into your phones, iPads, computers, etc. was a bit astounding. He didn't say those things because he necessarily did them, but because he knows that they can be done, and are being done. For example, the idea that someone could remotely turn your iPhone on. I figured, naively, that if the phone was off, then it was OFF. Now it turns out, if you believe him, and I have no reason to doubt him, that remotely starting your iPhone is doable and likely is being done. I'm not glamorizing Snowden in any way.

If I believe you, then there are large well funded organizations that are the real concerns as regards hacking. I don't believe that could be further from the truth. How will we ever know? I think that if there were those entities out there, then it would be very visible to the IT security industry and it would be deemed a national security issue and dealt with in a manner deserving of national security. If you know otherwise, enlighten us please. <shrug>

Dan Hintz
05-30-2014, 8:11 AM
If I believe you, then there are large well funded organizations that are the real concerns as regards hacking. I don't believe that could be further from the truth. How will we ever know? I think that if there were those entities out there, then it would be very visible to the IT security industry and it would be deemed a national security issue and dealt with in a manner deserving of national security. If you know otherwise, enlighten us please. <shrug>

There's no way I can say it over a forum without sounding rude, condescending, etc. (and it's definitely not meant to be), but... you're making a lot of assumptions. You have hit the limit of what I can say...

Pat Barry
05-30-2014, 8:34 AM
There's no way I can say it over a forum without sounding rude, condescending, etc. (and it's definitely not meant to be), but... you're making a lot of assumptions. You have hit the limit of what I can say...
So, you really don't know, do you?

Scott Shepherd
05-30-2014, 10:39 AM
So, you really don't know, do you?

Pat, I know Dan personally. Trust me, he knows, he just can't publicly say due to his job.

There, without a doubt, are large, well funded organizations that do nothing but steal data all day long. The reason it's not on the news every day is because they are sitting in office buildings (not basements) in places like Moscow, etc.

There was a real time map of the globe and where threats were coming from and going to and there is a LOT of activity in Eastern Europe and Russia.

Brian Kerley
05-30-2014, 11:25 AM
Pat, I know Dan personally. Trust me, he knows, he just can't publicly say due to his job.

There, without a doubt, are large, well funded organizations that do nothing but steal data all day long. The reason it's not on the news every day is because they are sitting in office buildings (not basements) in places like Moscow, etc.

There was a real time map of the globe and where threats were coming from and going to and there is a LOT of activity in Eastern Europe and Russia.

I would add that the large, well funded organizations that are stealing data are not after your passwords to Ebay. That is more about corporate/government espionage.

Brian Kerley
05-30-2014, 11:27 AM
How does a password hacking program get around "three tries and you are out" that most critical sites use? Interesting that my bank (a large national one) limits you to 12 characters and does not allow other than letters and numbers.

They don't go through the front door like that.

What hackers attempt to do is get into the servers and get a copy of the password databases. Now they have a local copy of the DB and can hack on it all day long. Go look around for the Adobe password list and you can play Password Crossword. It's a bunch of fun!

Stew Hagerty
05-30-2014, 12:15 PM
I have used "Roboform" for several years. It works great and has both a mobile version (iPhone & Android compatible), and a cloud based "Everywhere" version.

http://www.roboform.com/

Dan Hintz
05-30-2014, 2:09 PM
I would add that the large, well funded organizations that are stealing data are not after your passwords to Ebay. That is more about corporate/government espionage.

Sometimes, but not always. For example, look (deep) into the Target hack from months back. You'll hear a lot about a single person, a kid, really, who wrote the code that sat on the POS terminals... but what you don't often read about is the group who took that code and actually used it. The kid made a few grand for his work, but the group obviously was in it for the lion's share (both money-wise and work). eBay passwords may not be a top priority, but PayPal (owned by eBay) passwords would be gold.

On a side note... the eBay intrusion happened several months back. If anything was going to happen with those passwords, it would have started long before now.

Curt Harms
05-31-2014, 9:01 AM
I like Clifford Stoll's advice about passwords. It was along the line of "Treat it like your toothbrush. Don't share it and change it every few months" or similar. I've looked into password managers and haven't seen any I really like. LastPass is well regarded but I still don't like the idea of my important passwords residing on someone else's hardware. I think KeePass is built using Microsoft's .NET language and I don't have a lot of confidence in the security of apps built using Microsoft tools. I may be off-base but there I am. The biggest risk using type-it-in or copy/paste would be a keystroke or data logger or, as Dan says, mining a temp folder. I have a separate O.S. partition used only for sensitive stuff like financial stuff, taxes, etc. Ubuntu clears the tmp file on each reboot so data in the tmp file persists only until that OS/partition is rebooted, typically less than an hour. I figure the risk of getting a data-logging nasty from a credit card/bank/brokerage web site is acceptable.

I don't think there is a perfect solution. Use a layered approach where the bad guy would have to work around more than one obstacle and find a balance between secure and convenient.

Roger Feeley
06-01-2014, 10:03 PM
I use LastPass and like it. I pay for LP premium although I don't use those features. I just feel that I should pay my way. The free one is just fine.

What I don't put into LP is any password involving money. I would never reveal my bank or PayPal password to a password repository. It's just too enticing a target for the hackers.

I don't keep my credit card on file with any online stores except Amazon. It's a pain to enter it all the time but that seems to minimize my exposure.