Is my password management safe or complete garbage?

Zeze

Lifer
Mar 4, 2011
11,210
1,080
126
I think this still belongs in off topic?

I want to check in with the internet crowd on my crappy way of managing numerous logins. Like most of you, I have tons of logins/pws for various sensitive and inane crap on the internet (banking, credit cards, insurance, forums, etc).

1. I decided to maintain a spreadsheet with manual entry for all these sites containing login/pw.
2. That spreadsheet is in cloud only (Google Drive), never offline.
3. My Google pw is very strong (maximum chars, symbols, numbers, etc).

This gives me the benefit of easily accessing my login/pw anywhere I go via my phone (which also has a screen lock). The risk is obviously that if my Google account is hacked, I am facked royally. And also, Google can do something with it too (company hacked or a malicious employee).

Google being the #1 tech company, I'd like to think they have the best security.

Is my method okay? As I'm typing it out, it just sounds risky. What's the best way then while maintaining easy access (via my phone preferably).
 

local

Golden Member
Jun 28, 2011
1,851
512
136
I do something similar except the site name and all my login/passwords are in code, which is a holdover from when my list was a piece of paper in my desk. Each letter, symbol and number means something different than what it shows. A 10-digit password can break down into three characters. It is far from perfect but that is about as far as I am going to go.
 

pcslookout

Lifer
Mar 18, 2007
11,944
150
106
I have basically the same system but all of my passwords are at least 22 characters long.
 

zCypher

Diamond Member
Aug 18, 2002
6,115
171
116
Sorry man but I have to go with "complete garbage". You don't want a single or central point of failure for anything that's important to you. Nothing inherently wrong with throwing some stuff up on google drive, but anything important needs to have secure copies in other places just in case. Online AND offline.

On top of that, you never ever want to be storing your list of logins or anything of equal importance in any sort of bare or unprotected format. This means if you're emailing yourself logins, or if you're storing a plain text file or word document or excel document in the cloud, you're exposing yourself to unnecessary risk.

You can easily add orders of magnitude more protection by simply placing said file inside a heavily encrypted file container. You can do this any number of ways - using a program like Veracrypt is one. Upload the encrypted file instead, and to more than one place.

IMO, something like this is really the bare minimum. Don't leave it up to a third party or up to luck for nothing bad to happen to you.

It's always a trade-off between security and convenience. You can save all your passwords in your browser, but then you're leaving yourself more vulnerable to any browser-level attacks. You can use a service like Lastpass, but then you're leaving yourself at the mercy of their security systems and practices. You can save all your logins in a plain text file, but then anyone that gains access to the device in which it resides can access your logins. You get the idea. If you don't want to compromise any convenience, then you will inevitably compromise some level of security. For me, prudent use of an encrypted volume backed up in a number of places that couldn't possibly all be compromised simultaneously makes the most sense.
 
Reactions: clamum

boomerang

Lifer
Jun 19, 2000
18,890
642
126
KeePass with a secure password. The database for KeePass is encrypted and stored on my NAS which syncs it across my devices. The database is also synced with OneDrive for cloud storage in case the NAS is stolen, burned up in a fire or takes a dump either electronically or physically.

KeePass has a phone app that can work in conjunction with various cloud storage providers. I don't have the database stored on my phone just the front end of the app.
 
Reactions: clamum

Thebobo

Lifer
Jun 19, 2006
18,592
7,673
136
I've been using Lastpass for a long while and love it. Love the fact I can retrieve a password anywhere I need it.
 
Reactions: BW86

ch33zw1z

Lifer
Nov 4, 2004
37,989
18,336
146
Safe in Cloud works OK for me so far. I don't use the browser extension...
 

Scarpozzi

Lifer
Jun 13, 2000
26,389
1,778
126
I say boycott all sites that don't use 2 factor authentication if you really care.

You need some kind of alert to your cellphone or a secondary account every time access is attempted. I just assume all my stuff's been compromised or that it could be.
 

momeNt

Diamond Member
Jan 26, 2011
9,297
352
126
How many is it?

With enough practice you should be able to memorize them all. I memorize my passwords in addition to my 3 most used credit cards. You should be able to handle about 15 websites as long as you are logging in once a month.
 

dullard

Elite Member
May 21, 2001
25,211
3,622
126
I do something similar except the site name and all my login/passwords are in code, which is a holdover from when my list was a piece of paper in my desk. Each letter, symbol and number means something different than what it shows. A 10-digit password can break down into three characters. It is far from perfect but that is about as far as I am going to go.
That is basically what I do. I have a central location to download hints to my passwords. The hints are non-obvious and the hint->actual password conversion key is only in my head.

I suppose if someone hacked my central location and hacked many of the websites to get the actual passwords, then someone could probably figure out the conversion key. But, at that point they already have access to most of my accounts anyways, so they wouldn't need the conversion key.

For example, the hint "3" that I can download anywhere online might be the "5th character" in a random string of characters that I have memorized and is not written down anywhere.
 

snoopy7548

Diamond Member
Jan 1, 2005
8,087
5,084
146
I set up Keepass a while ago and I love it. I have a key file I keep on a small flash drive (on my keychain), and some spare ones at home hidden away, and a very strong master password. The database is stored on my Google Drive and all of my devices. Even if someone were to get my key file and database, they'd have a heck of a time cracking my master password.

I say boycott all sites that don't use 2 factor authentication if you really care.

You need some kind of alert to your cellphone or a secondary account every time access is attempted. I just assume all my stuff's been compromised or that it could be.

Good luck with that. That's like saying boycott the ISP that has a monopoly in your area. My 401k provider (Fidelity) through work doesn't use 2FA, for one.
 

Scarpozzi

Lifer
Jun 13, 2000
26,389
1,778
126
I set up Keepass a while ago and I love it. I have a key file I keep on a small flash drive (on my keychain), and some spare ones at home hidden away, and a very strong master password. The database is stored on my Google Drive and all of my devices. Even if someone were to get my key file and database, they'd have a heck of a time cracking my master password.

Good luck with that. That's like saying boycott the ISP that has a monopoly in your area. My 401k provider (Fidelity) through work doesn't use 2FA, for one.
I already did that. I dropped cable Internet in 2015 because they increased my price by 50% and wouldn't budge. I cancelled and haven't looked back.

I know what you mean about companies that don't. I'm just stating that for things that really matter like banking and perhaps Email for recovery purposes....try to work with companies that do when you have a choice. 2 Factor is the best way to go even though I hate it for a lot of things.

Yahoo and Google have it....a few of my 401ks do and some of my financial accounts have it as an option that you can opt-in to.
 

RLGL

Platinum Member
Jan 8, 2013
2,088
304
126
I've been using Lastpass for a long while and love it. Love the fact I can retrieve a password anywhere I need it.
Add me to that list.
We are all sentenced for life to Password Hell
 

Red Squirrel

No Lifer
May 24, 2003
67,898
12,365
126
www.anyf.ca
I have a couple passwords I know off hand for less important stuff like forums. Problem is, it seems so many forums get hacked now and then force password changes, so I've been forced to start having to track them in my password manager.

For password manager I just have a basic php script I wrote that stores it encrypted in a mysql database. I want to redesign the system as I did not go about it the right way. The password to get into the system is the encryption key. Kinda makes it hard to change the master password and it also means the key is kind of weak.

I would not trust cloud especially if you're not even encrypting it.
 
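The design problem described in the post above (login password doubling as the encryption key, so rotating it means re-encrypting everything) is usually solved by wrapping a random data-encryption key under a key derived from the master password. The following is an added example, not Red Squirrel's script, written against PHP's bundled libsodium extension; the `$row` array, its field names and the sample entry are assumptions standing in for whatever the MySQL table would hold.

```php
<?php
// Added example (not the original poster's code). Requires ext/sodium (PHP >= 7.2).
// Master password -> Argon2id -> key-encryption key (KEK).
// Random data-encryption key (DEK) encrypts entries; the KEK only wraps the DEK.
// Rotating the master password re-wraps the DEK and leaves every entry untouched.
declare(strict_types=1);

// Derive the KEK from the master password. Salt is per-user and stored in the clear.
function deriveKek(string $password, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE
    );
}

// Build the user row (assumed schema): KDF salt, wrap nonce, wrapped DEK.
// Neither the password nor the raw DEK is ever stored.
function createVault(string $masterPassword): array {
    $dek   = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $kek   = deriveKek($masterPassword, $salt);
    $row = [
        'kdf_salt'    => $salt,
        'wrap_nonce'  => $nonce,
        'wrapped_dek' => sodium_crypto_secretbox($dek, $nonce, $kek),
    ];
    sodium_memzero($kek);
    sodium_memzero($dek);
    return $row;
}

// Unwrap the DEK. A wrong password fails the secretbox authentication tag,
// which doubles as the login check; returns null on failure.
function unlockVault(array $row, string $masterPassword): ?string {
    $kek = deriveKek($masterPassword, $row['kdf_salt']);
    $dek = sodium_crypto_secretbox_open($row['wrapped_dek'], $row['wrap_nonce'], $kek);
    sodium_memzero($kek);
    return $dek === false ? null : $dek;
}

// Rotate the master password: same DEK, new salt, new nonce, new KEK.
function changeMasterPassword(array $row, string $old, string $new): ?array {
    $dek = unlockVault($row, $old);
    if ($dek === null) {
        return null;
    }
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $kek   = deriveKek($new, $salt);
    $newRow = [
        'kdf_salt'    => $salt,
        'wrap_nonce'  => $nonce,
        'wrapped_dek' => sodium_crypto_secretbox($dek, $nonce, $kek),
    ];
    sodium_memzero($kek);
    sodium_memzero($dek);
    return $newRow;
}

// Per-entry encryption under the DEK; each entry carries its own nonce.
function encryptEntry(string $dek, string $plaintext): array {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return ['nonce' => $nonce, 'ct' => sodium_crypto_secretbox($plaintext, $nonce, $dek)];
}

function decryptEntry(string $dek, array $entry): ?string {
    $pt = sodium_crypto_secretbox_open($entry['ct'], $entry['nonce'], $dek);
    return $pt === false ? null : $pt;
}

// Walk-through with constructed data.
$oldPw = 'correct horse battery staple';
$newPw = 'a different and longer passphrase';

$row   = createVault($oldPw);
$dek   = unlockVault($row, $oldPw);
$entry = encryptEntry($dek, 'forum.example / zeze / hunter2'); // constructed sample entry

$row2 = changeMasterPassword($row, $oldPw, $newPw);
$dek2 = unlockVault($row2, $newPw);

var_dump(unlockVault($row2, $oldPw) === null);                          // the old password must fail
var_dump(decryptEntry($dek2, $entry) === 'forum.example / zeze / hunter2'); // entry readable, never re-encrypted
sodium_memzero($dek);
sodium_memzero($dek2);
```

With this split the KDF parameters, salt and wrapped key can be upgraded or rotated by touching one row, and the key that actually protects the entries is full-entropy random rather than whatever the user typed.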

destrekor

Lifer
Nov 18, 2005
28,799
359
126
Encrypted files within encrypted storage. You want segregation of the data.

I still really like Lastpass - it has had its security issues, but they have been on top of them, and what exploits have been exposed over time have been methods that any security-conscious user can defend against with ease.

You still want to keep a strong but memorable master password but using a strongly encrypted manager + generated passwords is the only way to go. Whether it's cloud, like Lastpass, or self-hosted, like Keepass or whatnot, is the only real decision. Nothing else counts anymore.
 

destrekor

Lifer
Nov 18, 2005
28,799
359
126
I have a couple passwords I know off hand for less important stuff like forums. Problem is, it seems so many forums get hacked now and then force password changes, so I've been forced to start having to track them in my password manager.

For password manager I just have a basic php script I wrote that stores it encrypted in a mysql database. I want to redesign the system as I did not go about it the right way. The password to get into the system is the encryption key. Kinda makes it hard to change the master password and it also means the key is kind of weak.

I would not trust cloud especially if you're not even encrypting it.

Meh, cloud is fine. I used to subscribe to the distrust of cloud services, but things have completely changed in this era. Now more so than ever, it's almost more about liability; even then, modern encryption with well-tested solutions, with multiple layers of security, will almost always go further in protecting your data than most people could ever achieve on their own, be it at home or in the business. And in the event of breaches at the biggest providers, they usually aren't able to get anything remotely significant due to the multiple layers of encryption and obfuscation. Flawless? Hell no, but these systems are far more redundant and secure than practically anything you could design at home. So long as transport security is maintained, the cloud is no worse than at home. If transport security is the only concern, that's a different story, but most complaints/fears I see are blown way out of proportion.
 
Jun 18, 2000
11,140
722
126
I don't really have a password management system, unless you consider resetting my password every time I need to log into a random website I haven't used in 2 months a "system". Passwords are then basically single use.
 

Red Squirrel

No Lifer
May 24, 2003
67,898
12,365
126
www.anyf.ca
Meh, cloud is fine. I used to subscribe to the distrust of cloud services, but things have completely changed in this era. Now more so than ever, it's almost more about liability; even then, modern encryption with well-tested solutions, with multiple layers of security, will almost always go further in protecting your data than most people could ever achieve on their own, be it at home or in the business. And in the event of breaches at the biggest providers, they usually aren't able to get anything remotely significant due to the multiple layers of encryption and obfuscation. Flawless? Hell no, but these systems are far more redundant and secure than practically anything you could design at home. So long as transport security is maintained, the cloud is no worse than at home. If transport security is the only concern, that's a different story, but most complaints/fears I see are blown way out of proportion.

The issue is trusting the company hosting it. Imagine how much money Google can make selling user data to companies? Capitalism. If the money is there, they'll do it. You signed up for it at some point when you checked "I agree" so it's legal. Whether or not they do it, I don't know, but they could. That said, if people found out it would paint a bad image, so they are more likely not to. Depends if the bad publicity is still worth the extra profit.
 

Mai72

Lifer
Sep 12, 2012
11,578
1,741
126
Safe in Cloud works OK for me so far. I don't use the browser extension...

I was going to say the same.

Safe in cloud kicks butt. I have both the pc/android version. All the passwords are stored in Dropbox. My passwords are all 12 characters long. Love it.
 

snoopy7548

Diamond Member
Jan 1, 2005
8,087
5,084
146
I don't really use it at all because I believe in my memory more than relying on a machine's virtual safe box.
Everyone has their own opinions. Look what CBS News has published about it.
https://www.cbsnews.com/news/in-wake-of-lastpass-hack-how-safe-are-password-managers/

True, but my password manager can generate passwords infinitely more secure than what my mind can remember, for the 50+ accounts I have. The hack of LastPass is why I went with a non-cloud based manager, even if I do store it on my Google Drive.
 

clamum

Lifer
Feb 13, 2003
26,255
403
126
KeePass with a secure password. The database for KeePass is encrypted and stored on my NAS which syncs it across my devices. The database is also synced with OneDrive for cloud storage in case the NAS is stolen, burned up in a fire or takes a dump either electronically or physically.

KeePass has a phone app that can work in conjunction with various cloud storage providers. I don't have the database stored on my phone just the front end of the app.
I use KeePass and it works great. I have the database on my Dropbox so it's synced easily (at work I gotta download it from Dropbox manually cause of security rules they don't allow Dropbox installations on workstation rigs). For my phone, there's a KeePass app and of course Dropbox. There's a couple extra steps for me if I add a new password entry on my phone (cause I gotta manually copy the .pdb file to Dropbox) but overall it's a pretty dang good method IMO. It's probably not the *most* secure setup in the world, but I think I don't have to realistically worry about my logins being compromised.
 