InformAction Forums

I'm wondering if it's a good idea to use KeePass or an equivalent app for storing passwords...
I currently use the same password for a lot of things (to avoid trying to remember 5 million passwords... ok, not quite that many, but you get the idea ), but I was browsing through this forum and noticed a lot of posts saying "that's a bad idea". However, I don't really relish the idea of storing my passwords on the computer... at least my brain can't be cracked, but a computer file sure can...
So, do you think it's a better idea to mentally store passwords and use the same pwd for several places, or is it a better idea to use KeePass or some other secure-password-storage app?

Thanks!

Summary of my opinion: passwords aren't worth a cent if they aren't transmitted securely and if they are worth a cent I don't input them manually.
It follows from this that I choose the most convenient way to manage passwords for insecure transmission, and the most secure way to manage them for secure transmission.
It so happens that the Fx Master Password - Tools|Options|Security>Passwords - satisfies both those requirements for me.
An exception is many financial sites which enforce keyboard or pointer password input. Good luck there if your site doesn't provide two-factor authentication and you don't know exactly what processes your operating system is running from one second to the next :-)

Grumpy Old Lady wrote:Summary of my opinion: passwords aren't worth a cent if they aren't transmitted securely and if they are worth a cent I don't input them manually.
It follows from this that I choose the most convenient way to manage passwords for insecure transmission, and the most secure way to manage them for secure transmission.
It so happens that the Fx Master Password - Tools|Options|Security>Passwords - satisfies both those requirements for me.

I thought the Fx Master Password thing wasn't secure... am I wrong/did that change/did someone's advice screw me?

Grumpy Old Lady wrote:An exception is many financial sites which enforce keyboard or pointer password input. Good luck there if your site doesn't provide two-factor authentication and you don't know exactly what processes your operating system is running from one second to the next

Well, fortunately for me I don't go to any financial sites... just my school site and half-a-dozen forums...

computerfreaker wrote:I thought the Fx Master Password thing wasn't secure... am I wrong/did that change/did someone's advice screw me?

The Fx Master Password is and was just fine. If someone said that it wasn't, they were mistaken. Write your passwords down too and keep them in a safe place, just in case Fx becomes corrupted somehow and you can't access them that way. That's not likely, but it's prudent to have a copy of them.

KeePass or equivalent app are fine for storing passwords.
I typically do not "auto-enter" any passwords, but rather manually type them in. (Not for any of the reasons mentioned above, it is just what I do.)

Alan Baxter wrote:The Fx Master Password is and was just fine. If someone said that it wasn't, they were mistaken. Write your passwords down too and keep them in a safe place, just in case Fx becomes corrupted somehow and you can't access them that way. That's not likely, but it's prudent to have a copy of them.

therube wrote:KeePass or equivalent app are fine for storing passwords.

Thanks for the tip! I guess I will change half-a-dozen passwords, store them in KeePass, and use the Fx password manager to log me into various sites...
(btw, one last question... I'm an admin on 2 different sites. Do you think I should save the passwords for those sites, or is that begging for a compromised admin account?)

therube wrote:I typically do not "auto-enter" any passwords, but rather manually type them in. (Not for any of the reasons mentioned above, it is just what I do.)

Ditto.

Alan Baxter wrote:The Fx Master Password is and was just fine. If someone said that it wasn't, they were mistaken. Write your passwords down too and keep them in a safe place, just in case Fx becomes corrupted somehow and you can't access them that way. That's not likely, but it's prudent to have a copy of them.

I like Password Safe, with encryption designed by cryptoguru Bruce Schneier. This addresses Alan's issue of Fx becoming corrupted, as PWS stores in a completely separate file on your hard drive (in its own Programs folder in Win, e. g.), securely encrypted. You can back up the pw database easily and frequently to any USB drive, CD/DVD, whatever, and it still remains secure. Mine's presently a little over 8 Kb, fully encrypted and all -- *that's* a quick back-up. Whole puter crashes? No problem. After re-install, just re-install PWS with the same pw database from your backup. Take the portable version with you and use it on other machines, without leaving tracks. Auto-type safely, with strong passwords like cY(,:\(cY9sz[iJ]lpX2n9OnNwp=680 that you wouldn't, and couldn't, type. ... and yes, I do write them somewhere very safe (far away from the computer, in case it's stolen), as a multiple-redundancy thing.

As for safety of Fx pwd mgr, I respect Alan's opinions greatly -- on this and on everything else. In my own humble opinion, I go with the philosophy of "Do one thing, and do it well." (This is why Giorgio has said that, for example, he won't combine cookie management with NS.) A browser has many things to do, and is constantly exposed to the Internet. Security vulnerabilities are discovered regularly. Asking the browser to store your pws, and to keep them secure, and to guarantee that no flaw will be discovered in the future, is asking too much. Get one tool designed to do one job very, very well. IMHO. YMMV.

He's alive!

Tom T. wrote:A browser has many things to do, and is constantly exposed to the Internet. Security vulnerabilities are discovered regularly. Asking the browser to store your pws, and to keep them secure, and to guarantee that no flaw will be discovered in the future, is asking too much. Get one tool designed to do one job very, very well. IMHO. YMMV.

Thank you for pointing out how an external PW manager may be more convenient and secure, Tom. I appreciate the information.

Alan Baxter wrote:He's alive!

It's certainly nice to be missed!

Alive and well, thank you, but preoccupied with Real World and Real Job issues, alas, plus another interest or two outside of the digital world. I *do* remember, Alan, that you assured me that being a Mod did not involve any particular time commitment, a concern I expressed due to the highly-variable demands described above. I certainly consider supporting NS and its users most worthwhile, and don't we all regret that there aren't 30 hours in a day (except in octal, of course!)

Back on topic: Alan, IIRC, you tried my recommendation of Sandboxie, and came to like it. Would you give PWS a similar eval? It's not even a nagware model: absolutely, totally free, no strings attached, no crippleware. Your investigations into new sw are always diligent and thorough, and your opinions are highly respected here. It isn't *directly* connected to our main function of supporting NS and FG, but we do have this "Security" sub-forum, and all the script-blocking in the world is useless if your pws are stolen, right?

If you ever have the chance to evaluate it, I'd be very interested in your opinion. And it's one less thing to go wrong with the browser, or for the browser people to have to worry about. (I've *never* stored pws in a browser, even as an IE noob.)

IIRC, it was Mark Twain who said, "The reports of my death are greatly exaggerated." (His obituary had been published mistakenly by the New York Times.) Cheers, and thanks for your exhilaration at my appearance!

Its always good to see you my friend.

Thanks G, back at ya.
Have you looked into Password Safe? If so, your opinion? If not, perhaps a look -- when you have a break from your 3, 796 other projects?
Cheers!

My dear friend, as I have said in the past a long while ago when we discussed it, I have not used it and have no opinion, as I use RoboForm personally.