On desktop, the emphasis is on using a master password to unlock and access your PM. Not sure whether biometrics or a PIN code is available for convenience.
But on mobile, for convenience the practice is to use biometrics or a PIN code to unlock your PM. Using a master password is there as well.
Do you, out of convenience, use biometrics or a PIN code for both if both are available and used? If yes, then hacking the laptop/PC and phone would be easier here, right?
Yes, on my phone I use the iris reader or biometrics to unlock my PM for convenience. Only once in a while does my PM ask me to enter my master password for security reasons. Yes, on both my phones. I believe that your master password is stored somewhere on your temporary device, just to provide authentication for convenience while you use biometrics, PIN code, face unlock or iris. The answer to this question is yes, but you are unlikely to be hacked or to be at risk, because an attacker needs to have physical access to your device to gain access to your password.
It was just a joke, I just hope you don't take me wrong, I understand almost nothing of Japanese. But I really admire the Japanese dialect and have a lot of respect for people from Japan and the Asian continent. Your culture is on another level.
Actually, jokes aside, it's true. Because there are characters in some European, East Asian (Chinese, Japanese, Korean), Indian and Arabic languages that will nearly never be used by hackers. Hackers normally default to English, either US or UK.
I tested it on KeePass: I created a database and used that word, in Japanese, as the master password, and KeePass accepted it. Probably if @show-Zi uses a PM, his master password will be impossible to crack by brute force attack. You have to have a Japanese keyboard or it will be difficult to type. I was just kidding, and what's more, you can create master passwords in those languages. See the screenshots below in the spoiler. If I knew Japanese, my PM master password would probably look like this.
TBH I'd be completely lost if I had to use anything but a UK/US English keyboard. Yes, of course there are those soft foreign-language keyboards, but those characters aren't easy to decipher.
If you use a PIN or biometrics, the master password is "securely" stored on the device. I have no idea how secure that would be, but personally I keep entering the master password. I know it is a little inconvenient, but it helps make sure you never forget the master password.
It may be available through Windows Hello or Touch ID (Mac keyboard). Where possible, biometrics over master password. Exposing your master password is dangerous.
This may be true for first-world countries where abuse of power and violence are looked down upon and you have human rights, but in most of the third world they have no problem breaking the law and your legs to get your password from your face/finger when you're unconscious from being hit with a $5 wrench.
The reason you have a strong and long master password is that it buys you some time so someone can remotely wipe the device while they are trying to crack it, and it gives you something to negotiate with if you're in a jam.
Your master password is the only one you need to memorize. Mine I write down in a notebook, just in case. If your master password for your PM is less than 256 characters, I see no problem with typing it every time in your PM to unlock your vault.
It may be available through Windows Hello or Touch ID (Mac keyboard). Where possible, biometrics over master password. Exposing your master password is dangerous.
Yes, this. BW saves a session in your browser and adds your device as trusted when you set up a PIN. So it is secure. I will make a more direct comparison: don't you have browser cookies when you log into MT, or another site like Google where you check the "Stay signed in" box? That is how a PM works. When you set up a PIN, biometrics, iris reader or facial unlock on a PM, whether on mobile or computer, it automatically marks your device as trusted. Some PMs, like RoboForm, SafeInCloud, etc., can be set to ask for your master password every 30 days for security reasons and so you don't forget your master password either.
Yes, I agree, BW is free and can be installed on unlimited devices. Most people use Bitwarden because of cloud synchronization, and not only that, because it syncs with all your devices, like on cell phones. Do you have a cell phone? I think everybody has a cell phone these days. Unfortunately, with SP and the other PMs that I tested, the WiFi/LAN syncing did not work as it should, and when it did you sometimes had to pull a "Sync Now" lever. It is a manual type of sync and not an automatic sync like many PMs do in the cloud.
Yes, KeePass deserved a version for Android and iOS and synchronization via WiFi/LAN. Did you check the voting and how many votes KeePass got? It came in second place, only behind BW. Due to the LastPass fiasco, even though many people continue to use BW or another cloud PM, everyone is thoughtful after the LP incident.
He must have received this information by email; all SP users who have the premium version get 1 year of Dark Web Monitoring for free. I received this e-mail from SP yesterday, see the screenshot in the spoiler.
For those who have a lifetime license, the initial year of this service is going to be free. After that, lifetime users will have to pay to use the service (dark web monitoring).
TBH I'd been completely lost if I had to use anything but a UK/US English keyboard. Yes of course there are those soft foreign language keyboards but those characters aren't easy to decipher.
You are right, after reading this article (Are A Mix Of Non-English Passwords More Secure? | Password Bits) I have changed my mind: it is unnecessary to use a master password in Japanese or any other language, you should stick with your native language in most situations.
Create Account: Success! The LP master password used is weak.
I had commented on another post, but decided to test in practice whether LP would allow it, or notify me, when the master password used is weak.
I created a LastPass test account using LP's minimum requirement of a master password with at least 12 characters, and LP accepted it, even though the strength indicator was orange.
After I created the account, LP issued no warning that my master password was weak. This is quite worrying. It is obvious that most users who know how a PM works and value their security will not use a weak master password for their vault.
I tried to create an account on Bitwarden using this same 12-character master password, and BW issued a popup saying that my master password is weak.
If I click YES on that notification box, of course BW will accept that password, but the user will be aware that his password is weak. All the PMs I have tested, as far as I can remember, never silently accepted a weak master password.
Conclusion: It seems to me that LP is more concerned about the number of users and does not take user security seriously. Draw your own conclusions.
Well, yes, changed passwords to all sites that mattered for sure. And reset 2FA tokens + recovery codes to boot. The remainder I really don't care about. The process helped me weed out about 80-90 redundant passcards/entries going back a decade or more.
Yes, of course I do test the login process with the new password and 2FA code before deleting the old one. I maintain multiple 2FA apps on my phones: if I delete a token in one of them, the other is a standby just in case. Once the login is successful and all goes according to plan, I delete the token in app 1 (Authy has a 48-hour wait before it's actually deleted) and proceed to re-register 2FA at the site, scanning the new code with both apps so there's always a backup.
Tokens are backed up to the cloud (Authy) and iCloud (Raivo). Raivo backups can be imported into Aegis/2FAS for Android, resulting in backups on multiple handsets; it's like having 2 YubiKeys around, 1 primary and the other a spare.
It's a bit convoluted at times, but I won't get caught without my TOTP codes.
I know how laborious it is even using a PM to generate the passwords; imagine without using a PM. When I activated 2FA for my accounts in early 2021 it took weeks. Imagine changing 300+ passwords and revoking the 2FA one by one and saving the recovery codes; it is an arduous and tedious process.
@piquiteco I had about 800+ logins and about 100 TOTP tokens. As I mentioned earlier, the critical and important ones are done. For the rest, well, I'll take a chance. This has been an awful experience TBH, lasting about 2.5 weeks.
I believe @R2D2 is a smart person; he must have tested the passwords and 2FA before deleting the old ones. I already realized that he is an experienced person like you, CyberTech. Unfortunately LastPass failed him, and all its users. What happened to him could have happened to us too: he put his trust in a big company, and if he hadn't done that, who knows what would happen to his data and accounts in the future at the hands of a hacker? Maybe only God knows. This thing that happened with LastPass has opened our eyes. But to conclude my point of view, this tip goes to everyone (those who already know can disregard this information): always keep the secure notes, recovery codes, security questions, QR codes, everything offline, and then replicate them in several backups and distribute them across several devices, memory cards, external HDDs, etc. The cloud too? Yes, you can, as long as you keep this backup encrypted. Use the PM only to store passwords; keep the rest offline, along with the backups. Don't forget the backups: if one fails you have another one as an alternative. Use the Aegis app on your phone to generate the TOTPs, or another trusted authenticator app, then export to a file, back up this file and save it in a safe place. On a computer or notebook use KeePass or KeePassXC to generate TOTPs if your phone is not around. Now sleep easy.
@piquiteco perfectly put about LastPass failing me and millions of subscribers/users. I had stored many (in the 100s) secure notes in my LastPass account and regret it, as do so many others. Several experts including Steve Gibson, Jeremi Gosney etc. have made it very clear: move on from LP NOW and choose another PM. LP is beyond hope and will suffer the consequences in due course unless there's a course correction that may be very painful. LastPass' nonchalance, at least on the outside, about this matter still shocks me, leaving me one bitter customer who has zero goodwill for them. Every word that comes out of LP is vetted carefully by lawyers, I am sure. I do feel bad for those noobs/non-geeks and the like who are not aware of the seriousness of this issue and how to tackle it... their lack of knowledge leading them to seek guidance from the neighbourhood geek.
Anyways, all newly generated recovery codes are only stored locally and then encrypted using Cryptomator and stored in 4 cloud accounts. All secure notes will be deleted from my password managers shortly. Still debating about the credit cards and financial info.
The only way to store personal information relatively safely is locally and in encrypted form, using a tool of your choice. Other than the cloud backups, I also back them up locally to my 2 NAS boxes and a USB HDD that are switched on only when required. You can't hack something that's powered off. It doesn't end there: TOTP tokens (Authy etc.) are also backed up. I don't take chances, having suffered n number of data losses caused by hardware failures in the past.
Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. According to a letter sample shared with the Office of the...