General Discussion about Password Managers

Status
Not open for further replies.

Dirk41

Hi everyone.
I read some of your threads about extensions like LastPass. I am not an expert and I was wondering about the purpose and how useful these extensions are.
1) I suppose that if you use only your memory, you can't create many different and strong pw, unless you write them on paper;
2) I suppose these extensions are useful against keyloggers (even if I am not sure how they work: memo all that you type?)
3) Even if they save you from keyloggers, couldn't someone force LastPass (or others) and so have all your pw?

I'd really appreciate if you could clarify these things

looking forward to hearing from you

thank you
 
hjlbx

1. The point of a password manager is for convenience, but more importantly, to use it to create really strong passwords; unfortunately the vast majority of people only use them for convenience.

2. Extensions - in and of themselves - are not protected against keylogging - unless - anti-logging protection is built-in (and I don't know of any with anti-logging protection built-in).

3. Someone could hack your browsing session, your system and/or your password manager account - but that would be highly unlikely. Also, if a keylogger somehow manages to get onto your system, then all your personal data - including passwords - could be compromised.

If you are worried about keylogging, then I suggest KeyScrambler or SpyShelter free. Zemana Anti-Logger free is good too.

It is more important to protect your physical system from infection to protect your data. Anti-loggers are notoriously unreliable since new keylogging techniques are always being developed. Furthermore, there are certain types of keylogging that no anti-logger can protect against - such as webpage embedded logging scripts. To protect against those you'd need to use NoScript, uBlock Origin in Hard or Nightmare Mode, uMatrix. And while they do work very well, they will change your online experience - because they disable a lot of webpage functionality. If you use only a few webpages, it is not a problem. If you use a lot of pages, configuring all the rules will be a pain. There is a learning curve to use them as well.

Nothing is bullet-proof, but a password manager is considered essential for optimum security. Just make sure you use LastPass on all your devices if you use it to generate passwords - otherwise you will lock yourself out of sites on devices that do not have LastPass installed - or you carry around your LastPass password list - which would be insecure.

NOTE: I am not advocating just LastPass - but just using it as an example. There are a lot of good password managers. Surely one will fit your needs and personal preferences.
 
Dirk41

Wow, thank you very much for the explanation!
Regarding point 2, I supposed that the first time you insert your pw in LastPass, your PC is keylogger-free, but you are right. (Anyway, I never used LastPass so I don't know how it works exactly, I'll look into it.)

Regarding uBlock, I have always used Adblock, but for popups, but maybe I misunderstood what uBlock is, I'll look for it as well.
 
hjlbx

uBlock ORIGIN - not just uBlock. uBlock Origin and uBlock are two different products. uBlock is a neutered version of uBlock Origin.

You have to read the full uBlock Origin help file - like 10 times - to grasp everything. Take it slow...
 
hjlbx

oh one last thing: aren't bidirectional firewall enough against keyloggers?

Outbound notification from firewall is last line of defense against keylogger; your system is already infected. But to answer your question, yes, firewall can be used to block outbound keylogger network activity.

Some advanced malware that utilizes keylogging - such as Win32.Sality or Win32.Zbot - can use techniques to bypass the firewall.

Best protection is to not allow anything that is unknown to execute on system.

In other words, you don't have to worry too much about keylogger if you prevent keylogger from being installed on your system.
 

Dirk41

Don't you think that if someone can bypass a two-step authentication (with SMS on your phone, without LP), he probably has the ability to get into your LP account as well?
 

Dirk41

Even if someone knows my LastPass password and has access to my tablet (which is also locked down)
then you still have to be in my country to login and tor browsers also get blocked :D

Not sure I have understood. Why your tablet? Because you receive the second step of authentication there?
If yes, most accounts (Google, FB, Twitter ...) let you receive an SMS on your device.
 
Dirk41

I thought it would be redundant to open a similar thread.

Guys, could you help me understand one thing?
LastPass creates a very strong pw, impossible to guess, at least for a human (I don't know for PCs).

But then the pw is stored even in the website you log in to, right?

If yes, I found this article (dated 2012, but things must not be much different now) that explains different methods websites can use to store PWs (so it depends also on this, it is not all on LP).

http://lifehacker.com/5919918/how-y...and-when-your-password-strength-doesnt-matter

First of all, I / we don't know how they store them. Instead we know, I think, how LP stores them.

And (as written in the article) the length of the pw matters even in at least some methods of storing.

So I realise that it is better to use LP :D

I would not have imagined instead that the article suggested signing up using a social account in some circumstances.

The only doubt is that LP stores pw even on the PC, but hopefully you can prevent malware from coming in or thieves from stealing your PC.
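
Added example, not part of the original posts: a Python sketch of the point raised above, that what a leaked password is worth depends on how the site stored it and on how long the password was. The alphabet, the PBKDF2 iteration count and the sample password are assumptions chosen for illustration, not how LastPass or any particular site works.

```python
import hashlib
import hmac
import math
import secrets
import string

# 94 printable symbols (assumed alphabet; real managers let you choose).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=20):
    """Random password from a CSPRNG, the way a manager would generate one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def search_space_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of brute-force work for a uniformly random password."""
    return length * math.log2(alphabet_size)

def store_unsalted_fast(password):
    """Weak site-side storage: one unsalted SHA-256, cheap to guess against."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted_slow(password, iterations=600_000):
    """Stronger storage: per-user random salt plus PBKDF2 key stretching.
    The iteration count is an assumption for this example."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_salted_slow(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    reused = "Summer2016!"  # constructed sample of a human-chosen password
    # Unsalted: equal passwords give equal hashes, so one lookup table
    # answers every account that used this password.
    print(store_unsalted_fast(reused) == store_unsalted_fast(reused))
    # Salted: the same password yields unrelated records per account.
    a, b = store_salted_slow(reused), store_salted_slow(reused)
    print(a[2] == b[2], verify_salted_slow(reused, a))
    # Length: each extra random character adds about 6.55 bits of work.
    for n in (8, 12, 20):
        print(n, round(search_space_bits(n), 1))
    print(generate_password())
```

Since the user cannot see which storage method a site uses, a long generated password is the part under the user's control: it stays expensive to guess even when the site chose the weak method.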
 

soccer97

I use Sticky Password Premium (for the past few years, and bought a lifetime license when on sale). Its auto-fill technology is really good, and you can manually tweak it. It's reliable - it uses a bit of memory - but is compatible with Windows 7, 8 and 10, Firefox, Chrome and IE (even 64-bit versions) and many more browsers - even programs on your PC. It gives you the option to store only a local copy of your passwords, to sync them with other devices ONLY on your own Wi-Fi network, or use cloud sync. They don't store your master password. There is a browser extension in each browser and program, it is updated frequently. It is frequently updated (the extensions are as well), has AES 256 encryption, 2FA, syncs with other devices, as of now it offers lifetime licenses (if you want one you better get it soon while you can find a sale b/c it's getting more popular and more expensive). It even has pairing codes (like connecting 2 Bluetooth devices - must enter a certain code on the other device to authorize it to sync) and a central console to revoke authorization on devices (say if you lost one).

Known incompatibilities are a few AV suites, notably Kaspersky Total Security (and from best of my fuzzy knowledge by inquiry this is a low priority or they don't plan on fixing this) and if you already have other passwords installed.

There are frequent 1 year trials posted in the giveaway forums. Try it out. Likely to be on sale (as will many other InfoSec products on Black Friday)
 
marzametal

I was a regular user of LastPass, but didn't like v4. So I switched to KeePassX, which I have been using for 6+ months.
I heard that there is an integration script that connects it to Firefox, but I prefer the manual approach; using right click on mouse to copy username and password from KeePassX and pasting into Firefox.

Just gotta' make sure you have a clean system; eg: nullify threats by keyloggers.

It's just personal preference really. KeePassX used to piss me off in the beginning, right click copy, alt tab, ctrl v just to input login and password. But meh, it grows on you. My main goal was to separate stuff from the browser, since I wanted my browser to be just that... a browser, not a method of authentication. Keep it simple.
 

Dirk41

I don't know how other pw managers work, I only know a bit about LP.

And what I don't like is that it stores pw in the device and OTA in the browsers... Weren't we supposed to not store things in the browsers?
They are encrypted, but if they steal them, who knows.
 