
How Strong is your Password?

Discussion in 'Amateur Radio News' started by AA7BQ, Apr 22, 2023.

  1. KT1F

    KT1F Ham Member QRZ Page

    Yes, that's true. I've seen things like the user id used as the salt, which, as far as I can see, is fine for the security purpose, but ... I'd prefer a separate random field. One thing for one purpose is just cleaner code, and using something like the user id is likely to come back to bite you if you ever migrate to a different system, which probably means different user ids.
     
  2. AA7BQ

    AA7BQ QRZ Founder QRZ HQ Staff QRZ Page

    I have some advice for this. The biggest threat is Phishing, whereby you willingly give your password to the crook.

    1. Be extremely careful when logging in anywhere. Even if it's a site that you've used thousands of times, you must STILL PAY ATTENTION...
    2. If there is ever a login error, STOP what you're doing immediately! Investigate.
    3. If you are following instructions and discover that there is no message or notification, take notice!

    Most Phishing threats arrive by email. They instruct you to CLICK HERE to address some issues. When you do, you see the familiar login to your favorite site, and you automatically type in your password. Bingo, you're fried. Done. Stick a fork in ya. What just happened?

    The attacker wants your username and password because it has some value. The attacker then creates a web page that looks exactly like your favorite website. Usually, your username pops up and is pre-filled into the input box. Today, however, it doesn't. CAUTION SIGN. Why didn't it happen today? (more on that later)

    So, you type in your username and password and hit Continue. Everything seems normal, except that when you hit Continue, the system returns to the same Login page. CAUTION SIGN. What happened?

    Then, you log in again, and things go smoothly. You won't find any reference to the issue that prompted you to log in. CAUTION SIGN. "Are they nuts?" you wonder.

    What's happening here? Well, for starters, you're being Phished. When you input your password into the FAKE login page, the attacker saves your password and then forwards you to the real website. The real website, not having seen you before, asks for your password as usual. This behavior seems odd because it IS ODD. It's not normal. Computers generally respond the same way every time to a given input. If what you've been doing for years suddenly has a hiccup, there must be a reason. In this example, the hiccup means that you're under attack.

    I'm a sloppy typist sometimes, and I sometimes mistype a password when in a hurry or on a small device. Since I'm accustomed to retrying, I don't think anything of it when it happens. The attackers rely on your familiarity with such routine responses, and they use it against you.

    Also, don't be lulled into a false sense of security when nothing becomes of your login mistake. The hackers can wait months, if they wish, to attack your account. By then, you will not have remembered that stray failed login attempt last winter.

    The bottom line is this:
    If your login fails, even momentarily, on a site that you regularly frequent, investigate. It's either a dumb mistake or you're under attack. You must determine which case it was. Don't assume that it was your fault. They're hoping for that.

     
    PD0JBV, AA3C, KR3DX and 1 other person like this.
  3. N9DG

    N9DG Ham Member QRZ Page

    It is frustrating how slow the uptake of FIDO2 by websites etc. has been. That is the case despite many of the big players being on board with it as members of the FIDO Alliance. But yet not many are actually making it available on their web sites. :(

    https://fidoalliance.org/fido2/

    https://fidoalliance.org/members/
     
  4. HB9DDS

    HB9DDS XML Subscriber QRZ Page

    What do you do

    • if your main password is hacked?
    • What happens if the password in PWSAFE is lost?
    • What happens if you forget your main password?


    Daniel, HB9DDS
     
  5. N1IPU

    N1IPU Ham Member QRZ Page

    All the important ones I change on the regular. Only been banged up once, and it was a site intrusion. Nothing anyone can do about that. Another is to have an account only for internet use and keep everything else away. Stop using credit cards for everything you do; cash is king. Though none of that will matter soon, it's a good practice to get into. I know a few people who were caught in a point-of-sale crash, yet they still will leave the house with just credit cards.
    Perfect paranoia is perfect awareness.
     
  6. K1GC

    K1GC Premium Subscriber QRZ Page

    1. Not a worry as far as I am concerned. As already discussed by the OP, a very secure password is simply not going to be deciphered, and I also use two-factor authentication in the extremely unlikely event someone does acquire the password through some other means. My master password is a sentence that includes upper/lower case, numbers and special characters. Should someone try to access with only my password, I would know about it almost instantly and would change it, but that has never happened and I doubt it ever will.

    2. Also not a concern. I do have it backed up in a secure place should I have a mental failing, but again not really a concern over the last 13+ years of use (this system, not the same master password).

    3. I am not sure how this is different from the last question? Perhaps I misunderstood the last question and that answer applies more to this one? If you are asking about the encrypted file itself, while the master encrypted copy is stored in Dropbox, each device I use also has a copy of whatever the current version was when I last used PWSafe on that device. So I have multiple copies I can access if I need to recreate the Dropbox version. If I had done a recent edit, the device I did that on would still have the most current file.

    The reality is that any system is not 100% foolproof. You follow the best practices you can and by not being the low hanging fruit, one greatly reduces the odds of ever having an issue. I am not saying my method is the best for everyone, but just another option to consider. I currently have 378 passwords stored as I never use a duplicate, and all are randomly generated highly secure passwords because I use a password safe.
     
  7. K0TWA

    K0TWA Premium Subscriber QRZ Page

    I only need passwords that would take 30 years to crack. I don't believe that I'll live any longer than that.
    :cool:
     
    N0NC likes this.
  8. K0TWA

    K0TWA Premium Subscriber QRZ Page

    My password: ꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷꔷ
     
  9. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    We mustn't forget, however, that even a very secure password can be stolen, for example by a sniffer if someone is infected by malware. Having passwords in one's head prevents anyone from getting at the "crown jewels" by infecting a PC.

    Although that raises a separate issue: I have a family, and in case I randomly get hit by a bus they need my passwords for everything. So even if I can commit them all to memory they need to be somewhere they can access.
     
  10. K1GC

    K1GC Premium Subscriber QRZ Page

    Absolutely, and while I feel that is unlikely in my situation given my other precautions I know it is still possible. Hence my use of good two factor authentication.

    Unless one is going to repeat the use of passwords, it is simply not realistic to memorize. Out of my current 378 in my safe, many are low importance or no longer used sites or services, so I could certainly cull that list. That said, between various typical basic personal and work passwords, passwords for financial services, medical, educational, numerous government agencies, and a bunch of other stuff, I easily have over 100 regular use passwords. To make this more challenging, probably 15-20% of these force a password change every 60 days. For me, the only realistic option is a password manager of some kind and I like the control the open source option provides.
     
  11. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    That's another problem. Sites screw up password schemes by setting their own rates for changing passwords.
     
    KR3DX likes this.
  12. KC3JH

    KC3JH Ham Member QRZ Page

    Not true. If your PC gets infected with a keylogger, it doesn't matter where your passwords are stored. When you enter them on the keyboard you've been owned.
     
  13. N4UP

    N4UP Premium Subscriber QRZ Page

    Interesting chart. Thank you. And nice to know that all my many passwords are in the 77 million year range. I use a system ( in my head ) to generate passwords as I need them, but all are easy for me to remember. I even have a procedure for changing a password if I am forced to do so. So I don't worry about someone guessing any of them.

    But. If someone hacks into a website and finds one of my passwords, then the cook is goosed.

    So there is no absolute protection, but being prudent and sensible in picking passwords surely helps. And now that I have fiber optics and reliable cell service ( missing for the past 10 years or so ) I can take advantage of 2FA.
     
  14. N9DG

    N9DG Ham Member QRZ Page

    FIDO2, when used as part of a multi-factor authentication system, is highly resistant to keylogging and man-in-the-middle attack efforts.

    From: https://thestack.technology/fido2-c...ecurity-significantly-why-isnt-it-everywhere/

    "FIDO’s protocols use unique key pairs for each login: a public key on the remote server, and a private key which only exists on a user’s local device, such as a smartphone, a secure module in a PC, or a hardware token such as those from Yubico or similar vendors."
    ...
    "Implemented properly, public-key cryptography makes phishing or man-in-the-middle attacks virtually impossible. These attacks rely on gaining access to a shared secret (such as a password or OTP) – but as FIDO2 protocols do not transmit the private key, there is no shared secret to access."


    FIDO2 is built around the person who is logging in having both something they know and something they physically have. Having something physical also goes a long way towards thwarting phishing efforts.

    I'm not totally keen on the smart phone implementation of it for the really important stuff, but overall it comes across as a very good system for authentication.

    The open standard for it which was adopted by the W3C was created nearly 5 years ago already. And pretty much all browsers support it. Same for operating systems, smart phones etc. It is the slow adoption of it that is frustrating to see.

    Edit to add: If you have a keylogger on your machine, then you also have a lot of other, bigger problems going on with your machine and your network. It is a symptom of a bigger security failure.
     
    KC3JH, K1GC and AA3C like this.
  15. AA3C

    AA3C XML Subscriber QRZ Page

    Repeat from previous post, deleted
     
