
How do you manage passwords?

70 replies

JustGettingStarted · 10/12/2018 11:21

I have trouble remembering passwords for so many sites. I have a password that works for everything (upper case/lower case, numbers, letters and a punctuation character, 8 characters long) but it's not safe to use the same one on everything, so I'm going to be changing them this week. I'm thinking of creating one that has all the necessary characters, but varies by one character, based on the name of the site. Like "F07896a!" for Facebook and "M07896a!" for mumsnet, etc.

I still think someone might figure out the system. What do you do?

DGRossetti · 10/12/2018 13:54

This morning I had to send a message on a site related to my work and finances and in order to message via the helpcentre, I had to provide the 3rd and 7th characters of my password. Having something I can easily remember meant that I could message them. Is it possible to look up the password and see it with my naked eye with lastpass?

Yes, Lastpass lets you view saved passwords in plaintext. It also allows you to store secure notes per-site. So things like the VfV string where you have to provide 2 characters from 8 or whatever ...

(Does anyone else hate sites that don't allow you to see what you're typing in? It's hard to know if "35Ff*£$Wp876%" is being typed in correctly if you can't see it!)

Sign of shit design and coding. Also arguably contrary to the 2010 DDA for what it's worth (fuck all in my experience Sad )

Tuptup · 10/12/2018 13:56

is it possible to look up the password and see it with my naked eye with lastpass?
Yes, after you've logged in with your master pass, you can edit or see all your passwords.

Offline export is possible, but if you're not digging that, have a look at keepass or similar instead.

SpoonBlender · 10/12/2018 14:08

I guess I just don't trust lastpass, etc. But if they're really secure and you can keep the passwords stored somewhere that isn't just attached to their servers (in case they get destroyed by an asteroid) then it could actually work.

All the cloud sync ones keep a local copy, and when you change something it sends the encrypted local copy up to the server. It's encrypted with your single password for getting into your password safe, and the people who run the service don't have that - it's used at your end, not theirs.

Balance off the probabilities - huge tech companies like IBM and Apple by Lastpass and 1password corporate licences, and they have the skills to ensure that it's secure. Vs "I have a system 90% derivable from knowing a couple of leaked passwords and the site URL".

SpoonBlender · 10/12/2018 14:08

*"buy" not "by" licenses.

Stupomax · 10/12/2018 14:09

I guess I just don't trust lastpass, etc.

Part of my job involves keeping client passwords for things like their websites, email, PayPal, bank accounts, etc.

I thought long and hard about how to do this safely, and talked to a lot of other people who face a similar challenge and are much more technical than me.

I use Lastpass. It's far more secure than the system you're using.

JustGettingStarted · 10/12/2018 14:09

Can I add my own passwords to lastpass, then use them to change them going forward?

JustGettingStarted · 10/12/2018 14:12

And what do you do when it's a site you want your spouse to be able to access, either because it's a shared thing like Amazon or something they may need in the event of an emergency? Is there a way to share things yet keep "seekingaffairs.com" (joking!) private?

MeetOnTheSIedge · 10/12/2018 14:13

A question about lastpass - do you have to install anything on your laptop to use it? I am allowed to use my work laptop for private use so I might do a bit of online shopping in my lunch break or whatever. I just log on using the relevant password at the moment, would I still be able to do this without installing anything on the laptop?

DGRossetti · 10/12/2018 14:17

There is a browser plug in you can install for Lastpass which makes things easier. However if not, you can simply log into your account on the lastpass website, and go from there (I think it can autofill too).

I used to work for an outfit that confused security with locking everything down, and I could install the Lastpass plugin on my laptop.

The Mooltipass thingy I linked upthread is completely standalone. But then needs USB access to your machine - which should be locked down.

ReflectentMonatomism · 10/12/2018 14:17

I use Lastpass. It's far more secure than the system you're using.

Indeed.

www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers

ReflectentMonatomism · 10/12/2018 14:19

And what do you do when it's a site you want your spouse to be able to access, either because it's a shared thing like Amazon or something they may need in the event of an emergency?

Then you use LastPass, which has support both for shared accounts (ie, "this user and this user have access to this small shared vault containing the things they both need") and for emergency access ("this user can take charge of my passwords, after an X day warning period during which I can revoke permission").

JamieVardysHavingAParty · 10/12/2018 14:22

I use a combo of a personal passphrase+individual website modifier bookending the phrase method already mentioned, for some sites, with unique weird phrases for other sites (the xkcd method).

Tuptup · 10/12/2018 14:22

It's free for single use, but you can pay four dollars a month I think for family share where you can share passwords in a shared folder with another user. So you could both have amazon. Or to do it for free just each have an account and both input the shared passwords manually without having to share.

bellinisurge · 10/12/2018 14:23

I write them down in a book. Usually in a foreign alphabet.

ItsAllGoingToBeFine · 10/12/2018 14:29

I just use the built in manager in chrome, and 2fa where it is available.

JustGettingStarted · 10/12/2018 14:30

So we would have to pay if we only wanted to share some passwords?

What about keeping some passwords we already have? Can you enter them in or does lastpass automatically change everything?

SelpMeGod · 10/12/2018 14:32

Dh is IT security and listens to security podcasts, we use Lastpass with a 2 device encryption.

So I log into lastpass with my password which is around 20 characters long. Then I have the app on my phone that gives me a 6 digit log in which changes every 30 seconds so I need the laptop and my phone to access it.

For Amazon this becomes a 3 code access, master password and 2 different ones on the app.

You can use something memorable like a song or a quote for your master password for lastpass, eg the song We Can Work it Out by the Beatles would be the first line and the first character of that line.

TTSIMYDIHTKOTTICGO (Try to see it my way do I have to keep on talking till I can't go on)

We use lastpass to generate passwords too, you can specify length. It is as safe as any out there.

SelpMeGod · 10/12/2018 14:33

You can enter your own passwords, we did this at the beginning, then changed them in lastpass with generating passwords.

BoswelliaGoldMyrrh · 10/12/2018 14:34

1 Write a list of 8/9/10 whatever letter words beginning with a different letter of the alphabet. Use something obscure, maybe a daft nickname/mispronunciation or rare foreign words.

2 Write a list of friends’ phone numbers. Choose a consistent way to select digits, eg last 4 digits.

3 Choose a place to splice the word, eg after the second letter.

4 This will give you a password something like this

bo5678swells

5 Find a CONSISTENT way to incorporate upper case letters and symbols.

6 Write it down in code in a notebook/lockable notepad app, it will look something like this:

B-Sarah

[the “B” word + the last 4 digits of Sarah’s phone number]

The key is to choose a system and be consistent. If you choose your word list from a dictionary (even something obscure like Klingon or Faroese… hackers out there have dictionaries for everything) find an additional way to mangle the format of the word.

DGRossetti · 10/12/2018 14:35

Whenever you log into a site, Lastpass offers to add it to your vault.

If you access a site Lastpass knows about, you see a little symbol in the username/password fields, and (by default) Lastpass puts the username and password in.

If you change the password, Lastpass notices and offers to update it in your vault. You can also see a history of passwords you've used on that site over time.

As I say, I use Lastpass, but others are available.

Personally I'm not a fan of browser built-in password managers and disable them.

DGRossetti · 10/12/2018 14:47

Just signed up to a new site today, and had Lastpass remember it for me. Which reminded me of another feature (again others may offer this) where it sends you an email whenever any of your login details is changed.

JustGettingStarted · 10/12/2018 14:53

I saw they have an automatic password change feature that has dozens of major sites participating.


SisyphusDad · 10/12/2018 15:57

And another small but nice thing on the LastPass mobile app. If you ask to see your password in plain text, it shows upper and lower case letters, numbers and symbols in different colours so you can tell your lower case L from the number 1 etc.

MeetOnTheSIedge · 10/12/2018 16:42

Well, I had a good look at the lastpass website - it seems you do have to download either a browser extension or an app, so that is a problem if you want to log in to anything on a device that isn't your own, eg work laptop. I suppose you could look up a password on your phone then type it into the website manually though.

Stupomax · 10/12/2018 17:12

Well, I had a good look at the lastpass website - it seems you do have to download either a browser extension or an app, so that is a problem if you want to log in to anything on a device that isn't your own, eg work laptop. I suppose you could look up a password on your phone then type it into the website manually though.

There's no need to download an extension. Just log in from a browser window on whatever device you're using at the time. If Lastpass doesn't recognise the device or location it'll email you to check you're really you.
