Why I don’t use a Password Manager

Also, be aware that there are differences between cloud-based password managers and device-based password managers. Some introduce a third category, browser-based, but in my view those are simply cloud-based password managers using the browser as the application/UI.

With the cloud-based managers, which make up the vast majority of what’s out there, you get convenience of sharing across multiple machines and even different browsers (not so for the browser-based ones, of course). But, your passwords are stored in their clouds, so if they get hacked your passwords might be compromised.

The device-based password managers are simply apps that run on your device that encrypt your data and store it locally on your machine. If you want to share passwords across devices, you need to copy the encrypted data file to the other device(s). Some have syncing capabilities where the app on two machines on the same WiFi network can exchange what was changed between them. Mine does that only upon me asking. I also keep multiple levels of backup of my devices since I don’t have a cloud backup. So, there’s more manual work needed, but I feel it’s more secure.

4 Likes

I used to use a similar method and it worked great. But what happened is that occasionally sites will require I change my password. Now my algorithm doesn’t work. So I came up with a second algorithm, kinda similar to the first, but one small change. Only now I can’t remember which site uses which algorithm, so I gradually switched everything over to the second, and then some sites wanted password changes, so I came up with a third algorithm…aw screw it. Password manager city.

2 Likes

If you want to get cyber-security related people arguing, I’ve found the best way is to bring up forced password changes. Some think it’s really important, but unless you change them frequently, someone who gets your password will have days or weeks, probably months, to get in and wreak havoc anyway.

In the meantime, you won’t remember your changed password, so you’ll write it down, which can be pretty bad. I was recently admitted into a hospital for scheduled surgery. When the admitting nurse left the room I told my wife I could log into her account, and showed her the bottom of her post-it stack, which had the nurse’s passwords written on it (a few crossed out and one not). I had noticed her picking up the post-it stack while typing and figured that out pretty quickly.

And so it goes. BTW, if you’re an Apple iCloud user, I’d also recommend setting up Advanced Data Protection. That uses end-to-end encryption so only your devices can decrypt what’s on the cloud. The downside is that if you lose your device AND your recovery key you’ll never be able to get your data off of iCloud, but the upside is (supposedly) anyone who hacks Apple can’t get it either AND even if the government tells Apple to hand over the data, they can’t.

5 Likes

Richard Feynman’s fame as a super genius began with passwords in the form of office safe combinations. Los Alamos required people to lock up using safes with difficult combination locks, and when someone needed access to someone else’s safe (forgetfulness, death, vacation, whatever) they would go to Feynman. Feynman insisted on being alone in the room while he “cracked the lock.” Hah!

Feynman was not an expert at safe cracking or combination lock code generation algorithms, instead he (very quietly and only revealed decades later) became an expert on where different types of personalities were most likely to hide the combination that they could not remember.

I use the Apple code generation system for most stuff. For very special stuff I use a random sequence generator to generate a random sequence matching the specs, and store it in the middle of a seemingly normal parts list document on a mostly unused old computer.

2 Likes

That’s the best way to get people to write down their passwords on a sticky note and leave it someplace where anybody can find it, like on a desk at work. I had a 401k account that required that, and the queue to talk to someone to recover a password was always 30 deep, or you could ask the cleaning ladies who probably collected them from computer screens at night.

2 Likes

What do you do when you’re not at your own computer and want access to some site which requires your password?

1 Like

Until you need to use it and you are NOT at home. Or you carry two cell phones all the time. I have two cell phones, but one is a backup and only used when the main phone has a problem. It is always at home.

1 Like

Oh it’s definitely inconvenient! No doubt about that. But convenience comes at a price … that price is being hackable at least to some extent.

I’d love a cellphone model that has embedded in it a full two “personalities” that are separated by a hardware block. It would be great to have a section of my cellphone that can NEVER EVER connect to the Internet on its own, with the capability for me to allow it for very short periods of time (for example to add an account to the authenticator). But that doesn’t exist yet, and even if it does, it can STILL be hacked if someone nefarious takes control of the phone and simulates me allowing access to the blocked off part of it.

I have this. It is called Microsoft Intune. (I think there are a few others). This is managed (mandated) by my work and when you set it up you have an additional password to enter this partition. You can only install and run apps in the work partition that are certified for the work partition. Data cannot be shared from the work partition to the personal partition.
If your phone is lost the IT dept can disable the work partition remotely.

Mike

5 Likes

And the NYT’s “WireCutter” today says:

“You Should Use A Password Manager”

And concludes the best one is “1Password”, for the low, low price of $36 per year. Sure, OK.

1 Like

“You don’t have to pay for a good password manager, but if you can, 1Password is worth the $36 per year. If you prefer free software, Bitwarden does everything you’ll need and doesn’t cost anything.”

DB2

1 Like

I have a question.

I have a brokerage account at Fidelity. I only access it from my desktop computer, never from my mobile phone. They send an authentication code to my mobile every time I log in.

Now they are offering to use an “authenticator app” for greater security. This seems to be an app that is loaded onto a mobile phone. But I only use my computer to log into Fidelity and the app doesn’t seem to be intended for a computer.
Please explain.
Thanks,
Wendy

2 Likes

I mostly log in using my PC. I use the phone SMS or e-mail to get authentication(s). I do NOT log in to sites that require every visit to get logged with a secondary verification. Verification once every six months is fine, IMO.

The authenticator app uses an algorithm that generates a new 6-digit code every 30 seconds. So instead of the web site sending you a text message with a 6-digit code that you enter on your desktop, you launch the authenticator app and enter that code.

Details.
In order for this to work the authenticator app needs a secret code and the web site must also have that secret. This is set up when you install the app and set it up the first time (you don’t have to know any of this to make it work).
Technically this is a bit more secure than sending you a text message, because through social engineering a cell phone SIM can be spoofed or just changed by someone at the phone company at any time. This is highly unlikely and you’d have to be targeted by someone. This can’t easily happen at all with an authenticator app.

My company requires the use of an authenticator app for company laptop login and running other services. So to log in to my laptop I need to unlock my phone, then provide the Microsoft Intune work partition PIN, launch the authenticator, get the code and enter it on the laptop.

Mike

5 Likes

Using an authenticator app is a more secure method of 2-factor authentication. I have no problem keeping that app on my phone. I also use Fidelity and have my accounts frozen, as well.

I have an upcoming annual meeting with our Fidelity agent and I sent her a meeting agenda:

  1. Account security, account security, account security (and now, apparently, the authenticator app. Thanks for the heads up.)
  2. To select a solid low cost plan to manage the accounts should I pre-decease my wife. She has no interest in investments and I want to make sure she is not ripped off. And definitely no money for her new boyfriend.
2 Likes

First of all, hackers are smarter than you give them credit for. Secondly, very important, they don’t manually decipher your passwords; they have programs that break the algorithm. If you are using a pattern, they can reverse engineer it in a few minutes. Don’t assume hackers are some degen in the basement, but sophisticated crime rings and state players.

Here is a tool I would recommend for testing your password

If they have multiple different passwords maybe. Not if they have a single string of 8 characters. (Yes, they could use a brute force attempt and scramble all those characters, but as I indicated the characters in the password aren’t the same as those I type in thanks to keyboard-shift)

But I’m hopeful that Fidelity or my local bank know that if someone is trying 43,248 attempts to get into my account that it should be locked and await some other form of verification.

I also think that if they’ve gotten a treasure trove of passwords from some hack somewhere, they’re sitting with thousands of other targets, and mine won’t be very attractive to them since it is unique to every site. If they crack eBay and get my password there, for instance, that tells them nothing about Vanguard - and frankly, they don’t even know if I have an account at Vanguard. Or Schwab. Or Robin Hood. Or Merrill. Or wherever. Sure, they can try them all, but they will come up empty every time, and will move on to the idiots who use the same password everywhere, and that password is “Password”.

Am I confident? Yeah, pretty much. Here’s an actual password for a site I use pretty often. Feel free to put it on the dark web. Pq52zhio3 It’s unique. No other site uses that password, and if someday it showed up on a list of “hacked sites” I wouldn’t worry since I use 2 factor ID on anything having to do with money, and again, it’s unique.

1 Like

Bitwarden includes an authenticator that I use in their desktop app. You could use Bitwarden just for this and nothing else if you like. Duo Security also seems to have a desktop app.

I don’t know that authenticators are more secure but my work requires it when I access sensitive personnel and financial information.

1 Like

For that you will need a trust…like mine. 🙂

DH is the marrying kind. I’m his 3rd wife. If I predecease him I want to take care of him but not his next wife… and the residue to go to my sister. All this is spelled out in my Living Revocable Trust.
Wendy

6 Likes