The nature of the LastPass hack would not have been a serious problem to
those using a good enough master password for LastPass access. If
concerned that your database might have been stolen and you didn't trust
the goodness of your encryption password, you could change to a better
master password, and then first change to new good passwords on those
accounts that are most sensitive (financial stuff, email accounts used
as account usernames or for account recovery, etc.), and gradually
change passwords on accounts of lesser importance. Even if your
password-manager data was captured in the hack, it should take some time
to hack a decent encryption password (plus many financial accounts now
use MFA), giving time to alter your main encryption password and then
change the passwords of sensitive accounts. The hackers would
initially be diverted by exploiting the inevitable cases where people
had used grossly poor passwords for LastPass encryption, and they might
even stop after that -- the longer it takes to hack a stolen encrypted
password database, the more likely the data will have become obsolete.
My personal preference for password manager is KeePassXC (same database
format but more actively maintained than KeePass and KeePassX), as it
uses a local file rather than relying on a known cloud service that
concentrates everybody's encrypted data in one spot, an attractive
target for hackers. If you want, you can store copies of your
encrypted KeePassXC database in a generic cloud service, even under
non-obvious file names making it doubly hard for any hacker to stumble
across. It is trivial to make copies of the encrypted database file
that may be stored on external media and placed in bank boxes as
backups, or as a way to pass your passwords to your estate or a trusted
family member. You have complete control over the database. I
especially like the ability of KeePassXC to concurrently access multiple
password databases. If you belong to an organization and have
responsibility for organizational passwords, you can isolate those to an
organizational KeePass database encrypted by a different password and
easily convey those securely to following officers, without having to
mix them with your personal passwords.
I dislike websites that insist on special characters in a password.
Acceptable special characters can vary among websites and special
characters are not necessary for a good password or a good username.
Using password-manager-generated passwords, you can always get the same
level of security without requiring special characters by just including
a few more random characters.
Physical notebooks if properly secured can maintain passwords securely,
but have their own problems. What if some event destroys your notebook
and you have no up-to-date backup copy in another secure location? Or
if you can't find your notebook, don't know if it has fallen into the
wrong hands, and can't even access your own accounts to change your
account passwords when the passwords are possibly compromised?
JC Ewing
On 2/15/24 09:25, Jack Zukt wrote:
Hi Bill,
I can relate to your suspicions about password managers. Not too long ago
LastPass found out that they had been hacked, which must have been a big
problem for its end users (which, fortunately, I am not). On the other hand,
I have way too many passwords to be manageable without a password manager.
So, I use not one, but two. With different master passwords. And using a
password manager will not prevent you from sharing passwords with trusted
friends. I usually tell my colleagues that use Excel or Notepad to keep
their passwords to try and use KeePass. It is as easy to use as those
methods but far more secure.
Regards
Jack
On Thu, 15 Feb 2024 at 14:01, billogden <billog...@optonline.net> wrote:
My trivial comments:
1. Using a password manager seems to be putting all our eggs in one basket.
What if that basket fails? Is it secure? Can I always access it? If we need
to make a particular password available to a "trusted" friend (at some
indefinite time), how should we manage that?
2. I have about 60+ passwords noted (on a paper, not in view of any camera)
for various sites. Some have not been used in years, some are used
frequently. I rather expect that very few of us (on this site) have a tiny
number of passwords that can manage everything we need to do.
3. Minimum 16 characters, upper & lower case, numbers, symbols --- this can
be very obscure to all the "computer uneducated" people that try to use the
many services available via the web. We are expected to remember these?
Many PWs are needed to avoid using the same PW for too many purposes.
4. Like most of us (on this site) I place tape over the camera lenses on
all my systems.
5. Github? Being old and stupid, I have not used it yet. On my z/OS systems
(that often run odd versions of z/OS, etc, etc) I really do not want to
depend on a web service for program source code, etc, etc. A nice SMALL
book that covers the most basic, practical uses of GitHub (for a GitHub
beginner)
without going into all the really wonderful things that might be done with
it, would be handy. To me, a basic book would illustrate the specific web
commands, the specific z/OS JCL, the specific TSO actions to install and
perform basic operations in a simple/practical manner.
6. Too much obscure/difficult security == insecurity? Amen, Amen, Amen.
The IT executives seem to be in a terrific rush to go down this path. (Also,
"too much security" seems to actually diminish the time available to
create/improve application code, etc.)
7. "Trusted" (in the meanings used on this site) can be a very very complex
concept!
Bill Ogden
z/OS old, old time z/OS person (started on OS/360 option 1), but still
active (to some extent)!
...
--
Joel C. Ewing
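A worked illustration of Joel's point above that a generated password without special characters reaches the same strength as a shorter one with symbols once a couple of extra random characters are added. This is an added example, not code from the thread or from KeePassXC; the 1e6 guesses/second rate in the demo is an assumed figure, not a measurement of any product.

```python
import math
import secrets
import string

# Candidate alphabets for a generated password.
ALNUM = string.ascii_letters + string.digits   # 26 + 26 + 10 = 62 symbols
WITH_SYMBOLS = ALNUM + string.punctuation      # 62 + 32 = 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def equivalent_length(length: int, from_size: int, to_size: int) -> int:
    """Shortest length over an alphabet of to_size symbols that has at least
    the entropy of `length` symbols drawn from an alphabet of from_size."""
    return math.ceil(entropy_bits(length, from_size) / math.log2(to_size))


def generate(length: int, alphabet: str = ALNUM) -> str:
    """Uniformly random password from the OS CSPRNG; no special characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case wall-clock years to try every password of `bits` entropy at
    the given (assumed) guess rate; the expected time is half of this."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # A 16-character password with symbols vs. the alphanumeric length that matches it.
    bits_16_sym = entropy_bits(16, len(WITH_SYMBOLS))
    needed = equivalent_length(16, len(WITH_SYMBOLS), len(ALNUM))
    print(f"16 chars with symbols: {bits_16_sym:.1f} bits")
    print(f"alphanumeric chars needed for >= that entropy: {needed}")
    print("example:", generate(needed))
    # Assumed rate of 1e6 guesses/second against a key-stretched vault
    # (a constructed figure, not a measurement of any product).
    years = years_to_exhaust(entropy_bits(needed, len(ALNUM)), 1e6)
    print(f"years to exhaust the alphanumeric space: {years:.2e}")
```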
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN