Why I don’t use a Password Manager

So here’s a story in today’s WSJ about a fellow who used a Password Manager, was hacked, and the thieves got entrance to his entire life: all passwords, bank accounts, social media, work computers, and everything else that passes in today’s modern world. He’s bankrupt, destitute, and oh yeah, fired. Here’s a gifted link:

https://www.wsj.com/tech/cybersecurity/disney-employee-ai-tool-hacker-cyberattack-3700c931?st=vmEhL5&reflink=desktopwebshare_permalink

A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life.

Matthew Van Andel’s experience reveals the threat that opportunistic hackers pose to companies and individuals

The next morning, the lunchtime Slack exchange became one of more than 44 million Disney messages from the [workplace collaboration tool] published online by a cryptic hacking group with murky motivations. The hacker had used Van Andel’s login credentials to steal from his employer.

The hack sent Disney’s cybersecurity team in motion to assess the damage. Private customer information, employee passport numbers, and theme park and streaming revenue numbers were in the [huge data dump].

The breach upended Van Andel’s life. The hacker stole his credit-card numbers and racked up bills—and leaked his account login details, including those to financial accounts. The attacker published Van Andel’s personal information online, ranging from his Social Security number to login credentials that could be used to access Ring cameras within his home.

This particular password manager is called “1Password”, but given the richness of the target I’m sure all of them are targets, and it’s only a matter of time before we hear of other breaches.

Meanwhile I use a different password for every site, and keep them all in my head. I can therefore access any site I want from anywhere, including at the bank or the stock brokerage, from a friend’s phone or wherever, and not worry about whether I have the “right app” or about being targeted. (Obviously I don’t think I’m invulnerable, anyone can be hacked, just I’ve closed off what I consider to be an obvious pathway to my entire life.)

I’ve detailed it before, in short and (vastly) simplified form: I take 2 letters from the site. Am for Amazon, for instance. And a word I use everywhere, let’s say “change”. Change becomes “chang3” to satisfy sites that require letters and numbers, so my Amazon password would be CAmhang3. If the site requires it I add a “special character”, like “&” to the end. Now add the 3rd character from the site to the end, so for Amazon the final password is CAmhang3a, or possibly CAmhang3&a. Doesn’t look like much, eh?

Most times I enter a site and don’t use the character; if I get bounced, it’s trivial to re-enter using the character and I’m in. Once you’ve done it a couple times, your personal “algorithm” becomes simple to enter.

Yes, I suppose the passwords look similar, CAmhang3a for Amazon, CWahang3&s for the Washington Post and CFihang3r for the bank, but it’s my belief that the hackers aren’t going to bother figuring out what my little algorithm is when there are people still using “Password” or “12345678” or “qwerty” for their passwords to multiple accounts. Even if they would get hold of one of mine, it doesn’t easily lead to a second, you see?

And for anything important, say financial, I always use two-factor authentication, requiring the person to be in control of one of my devices that has been “trusted.”

Anyway, don’t use password managers. Don’t trust them. Too target rich, I hide in the weeds.

I think.

13 Likes

Your method is not better. The passwords are stored even if you do not use storage on your end.

The only method that helps is two-factor authentication. So it does not matter who has your passwords. They can not get in without your cellphone.

2 Likes

Sure. My Amazon password is stored at Amazon. Tell me how that leads someone to have access to my account at the First National Bank, or vice versa?

It doesn’t, but neither are secure without two-factor authentication.

You are just making the first step more complex. It only slows you down.

That possibility has occurred to me as well. Every time that “helpful” window pops up on my browser offering to store the password information, I click “NO”. I keep all my passwords in a spiral notepad, except for the really sensitive ones.

Steve

3 Likes

[quote="Leap1, post:4, topic:113883, full:true"] It doesn’t, but neither are secure without two-factor authentication. [/quote]

I have often wondered about that. When I use one of those sites it gives me a code - on the same instrument. If someone were to pickpocket my phone (or if I were to leave it around) they would have access to that “trusted” device, meaning the “2 factor” would be meaningless. Except they would have to have the original password, which (I’m supposing) they wouldn’t. Unless they targeted me.

The first step is simple, it takes literally no more time than remembering a password, or launching an app to get to it.

3 Likes

And you could use 2-factor auth on your password manager.

1 Like

I do it a different way. I have five or six different passwords. Each one is a different level of security. I have a throw away password for nonsense. It has left me in good stead when I trusted a bunch of BBB businesses and the pw was automatically leaked.

I have a common pw for easy access non financial.

I have a work pw that is very complex and changes.

I have financial security pw that is complex and changes.

No one yet has leaked or whatever the complex passwords.

1 Like

1Password is a privately held company. Their security is only as good as their willingness and ability to spend money to stay up to date. I’m sure they don’t/won’t announce when they decide better security interferes with short-term profits.

When I was looking for a password manager I decided open source was more secure than closed corporate solutions. I use Bitwarden. The code is published on Github and there is a large community of security experts and hackers who test and verify the code. Nothing is foolproof but this is my compromise between security and convenience. It works really well, has a nice interface, browser plugins, and phone and desktop apps.

Slightly less convenient but perhaps safer would be to adopt something like Goofy’s strategy for the relatively small number of financial websites and a password manager for the websites where hacking would be less catastrophic.

7 Likes

The other thing I like about Bitwarden is I was able to get my spouse and kids to use it. Goofy’s strategy would never fly with them. Bitwarden is a big step up from what they were doing previously.

1 Like

I use different passwords for every site I access, with 2-factor authentication for anything I consider sensitive. I am using a password manager because I have lots of sites I access.

Just to freak everyone out, I have read how some hackers can trick 2-factor authentication using a different phone. OK, I’m selling everything and buying a shotgun and gold.

I had a cousin (who sadly died yesterday after discovering he had cancer 6 weeks ago :cry: Folks, enjoy every single day you have.) who was active in IT security. He was going to help me setup a private network in my home so anything that got to my carrier (Spectrum) would already be encrypted.

When I spoke with him about my use of a password manager, he tilted his head down and looked at me over his glasses and said, save all your passwords on paper and delete the damn password manager.

I think the best you can do is to go with the bear theory.

Two guys are out hiking. A bear spots them and starts to chase them down. One guy starts running. The other guy sits down, takes off his hiking boots, and puts on his sneakers. The running guy turns around and says don’t be stupid, you can’t outrun a bear! The other guy says I don’t have to outrun the bear, I just have to outrun you.

6 Likes

Plus ça change, plus c’est la même chose. The late 20th century wasn’t so bad anyway.

2 Likes

Maybe not. OTOH, I showed it to Mrs. Goofy, a tech-averse human if there ever was one. She picked it up that day and has used it since. I’m considering advertising it, perhaps with the slogan:

It’s so simple even a cave-man could do it.

Or maybe substitute “wife” for “cave-man.” Probably get in trouble for that. Even for writing it here now that I think about it.

1 Like

This sounds secure, but usually isn’t. When you remember all your different passwords in your head, you usually create them using some variation of <Word1><Word2><XX> and you vary the order, or the digits, and sometimes throw in some typical punctuation. This is less safe than using a totally random password for each site that has no relationship to each other. Apparently cryptography experts say that too many similar passwords available to hack make it easier than a single one.

That’s what’s nice about the Apple approach, they create random strings, and remember them for you. They also determine if “too much” access is being attempted, and when that is the case, they require an additional level of verification, either biometric (fingerprint, face, etc) or a digital code that only you know quick enough to satisfy the security alert they generated. Is it perfect? No. Nothing is perfect. But it’s pretty good.

This always struck me as a ridiculous password requirement. Obviously hackers don’t know that an “E” can be represented with a “3”, right?

This is the better way to do it. And I do so as well. But it’s important to keep in mind that if you grant the hacker full access (like the guy in the article did) to your phone, they can access this, or trick you to access it for them, as well.

I am kind of tempted to use a SECOND PHONE for authentication purposes only, and only allow that phone to connect to the Internet rarely (for updates and for the rare things that require it to be connected). In other words, my 4 authenticator apps will reside on that phone, and only on that phone, and that phone will almost never be connected to the Internet. That makes any hack I can think of nearly impossible to pull off.

2 Likes

Of course they do, but they have to want to wade through my own mental encryption in order to extend one password to any other. They’d somehow need to hack Amazon and the bank and the Times in order to get any kind of ability to sequence.

And then there are other things I do which camouflage everything. I’m a touch typist, so “keyboard shift” is triflingly easy. Move your hands one key up, or down, or left, or right and everything scrambles, I guarantee no one can read it, yet it’s second nature for me.

It strikes me as easier and faster than “writing it down in a secure notebook” which maybe the cleaning ladies move around, or using some website or app (Apple included) over which I have no control or jurisdiction. Nobody can serve a warrant somewhere that I don’t know about, I’m not a “rich target”, and I’m definitely not an “easy target”, so I sleep well.

It’s good that hackers don’t know about touch typers. I am not a cryptography expert at all, but I do sometimes listen to what they say, and “change” (or “chang3”) is no different to the tools they use than “dyqht3” is. It’s the repetition that matters, they use various algorithms to take strings and run them through conversions (hashing?) and do other things to them to see if they can match the plaintext to the encrypted text in any way. And they do it MANY times using nefarious tools that are out there.

Also, adding some random piece to your password DOES make it more secure, but it might be overkill because apparently all good systems do that automatically by adding “salt”, a random string to your password on its own. Maybe your own added string might help, but it has to be truly random to be of any real use.

I’m not criticizing your way of password-ing per se, just the general state of passwords in the world today. Using ‘3’ instead of ‘E’ is so common that I bet the hackers try the 3 before the E at this point, LOL.

But seriously, I think breaking passwords is only one small part of hacking today. Most hacking is more human oriented at this point. One excellent movie that I saw last year was Thelma and I highly recommend it. The crooks have boiler rooms [mostly] overseas and they simply work the phones 24/7. The whole operation is cheap enough to run to make even occasional successes worth it. And there are all sorts of human engineering techniques used - affinity, family, romantic, business, investing, crypto, dementia, medical, etc. It’s horrible, but in general the human is the weakest link between a crook and the money, so that’s the link that is exploited most often.

5 Likes

You are a man of experience.

Having many years of Apple behind me, I remember when 1Password came along, it was jumped on by many users, but I could not see the need, I do keep a paper list, an Excel sheet, actually up to over 300 sites visited over the years, some were one time visits, maybe buying this or that, but never have had an issue… At work we had to change passwords monthly, they’d pass out a random wordlist, pick any two, add special characters, etc… But the more serious access portal, we had a dongle, ‘atomic clock’, a pseudo-random set of characters known by the national server we were connecting into… Never needed anything near that level for my personal accounts…

I use two factor on any sites with a financial connection, facial recognition seems to work well for me, not my DW, nor do fingerprint scanners work for her, even when we applied for TSA passes, their scanners weren’t able to consistently get a good scan, so they put a note on her file, on we went…

Anyway, I’m sorry to see 1Password get hacked, maybe the developers are gone, aged out, no, I haven’t looked at managers in ages… Apple has their own app now, I imagine it’s already picked up my most used PWs, so far so good!

How do I protect my Chrome password?

On your computer, to get automatic warnings when there’s a data breach:

  1. Open Chrome.
  2. Select More > Settings > Privacy and security.
  3. Under “Privacy and security,” select Security.
  4. Turn on “Warn you if passwords are exposed in a data breach.” You can find this option under “Standard protection.”

1 Like

Actually, in almost all cases, web sites do not store a copy of your password. Nor an encrypted copy. Instead they store a cryptographically irreversible (salted) hash of your password.
(Note: salting is required because so many people use the same passwords, such as password123. The “salt” is a system-generated random extra string that is appended to your password.)

This is (one reason) why when you forget your password they can’t just send it to you. They don’t know it. So you have to create a new one.

Many places to read about this.
Here is one:

Mike

4 Likes
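The salted-hash storage Mike describes, as an added example that is not from the original thread: a constructed Python registration and login check that keeps only a per-user random salt plus a slow PBKDF2-HMAC hash (my choice of hash; the thread names none), so the site has no password to mail back and two users who pick the same weak password still get different stored values.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user database"; a real site would keep this in storage.
USERS = {}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's current guidance)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the site never keeps the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only a fresh random salt plus the derived hash for this user."""
    salt = os.urandom(16)  # per-user salt, generated by the system, not the user
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, attempt: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(attempt, salt))


def stored_secret(username: str) -> bytes:
    """All a 'forgot password' flow has to work with: a hash, not the password."""
    return USERS[username][1]


def same_password_same_hash(user_a: str, user_b: str) -> bool:
    """False even when both users chose the same password, because salts differ."""
    return USERS[user_a][1] == USERS[user_b][1]


if __name__ == "__main__":
    register("alice", "password123")
    register("bob", "password123")  # same weak password as alice
    print(verify("alice", "password123"))          # True
    print(verify("alice", "Password123"))          # False
    print(same_password_same_hash("alice", "bob"))  # False: different salts
```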