LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-27-2017, 04:19 AM   #1
WaterCatapult
Member
 
Registered: Jan 2017
Location: Germany
Distribution: Kubuntu 20.04, openSUSE Tumbleweed, Solus
Posts: 85

Rep: Reputation: 17
How is software such as keepass more secure than having passwords all memorized in my brain?


Good day everyone,

I am wondering, since so many people seem to recommend password safes these days, how these software products can be more secure than trying to memorize them and resetting single ones if forgotten?

To me, these products feel like a comfortable solution to save time when typing down long passphrases, but the loss of key elements such as certain files or a master password would result in a huge single point of failure also.

Am I missing the picture here or is it nothing but a big hype these days to promote these things?


Kind regards,
WaterCatapult
 
Old 02-27-2017, 04:26 AM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,842

Rep: Reputation: 7308
if you can remember all of your passwords/pincodes without problems you do not need keepass or similar. Otherwise....
 
3 members found this post helpful.
Old 02-27-2017, 08:55 AM   #3
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
If you memorize all your passwords for each site, you will probably use shorter passwords.
 
Old 02-27-2017, 09:19 AM   #4
WaterCatapult
Member
 
Registered: Jan 2017
Location: Germany
Distribution: Kubuntu 20.04, openSUSE Tumbleweed, Solus
Posts: 85

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by ntubski
If you memorize all your passwords for each site, you will probably use shorter passwords.
Not for important websites such as my E-Mail provider, Jabber or Paypal.
Speaking of message boards however, this is debatable and tends more towards shorter passwords.
 
Old 02-27-2017, 09:58 AM   #5
kernl
LQ Newbie
 
Registered: Oct 2007
Distribution: Ubuntu/RedHat/Debian
Posts: 9

Rep: Reputation: 5
How is software such as keepass more secure than having passwords all memorized in my brain?

I currently use LastPass, and there is no way I could memorize all 167 passwords I currently have. It also is great for keeping long and complex wifi passwords. It is much easier to autofill 20 character passwords than to memorize them.
 
1 members found this post helpful.
Old 02-27-2017, 11:45 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
dontreusepasswords
 
Old 02-27-2017, 12:22 PM   #7
Ellendhel
Member
 
Registered: Aug 2015
Location: Wilmington, NC
Distribution: Slackware
Posts: 64

Rep: Reputation: 51
If you are the one and only individual who needs access to those passwords, and you can manage that with your memory, then you can do it that way if you like.

If you work with other people, then a password manager is definitely a required tool nowadays.

Well, even for a "one and only individual" I would proceed that way. Since everybody dies one day or another, and you may likely have some family members dealing with your bank/email/online service accounts to get them closed, it's something that would be useful (you can leave a copy of the master password in a safe at the bank or something like that).
 
1 members found this post helpful.
Old 02-27-2017, 06:06 PM   #8
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
I use a different password for every account.
That way when a service (like Yahoo) is breached and it's compromised, I simply need to reset that password instead of a larger group (or all) of password/s.
Since password difficulty is the same for any length / complexity, I can use long complex passwords - reducing any chance of a dictionary attack succeeding.
Finally, keepass(x) allows me to make notes of any entry. This is very useful for when some service asks for recovery questions, or provides a pin number for whatever reason. Inevitably, I'd resort to 1111 or something. This allows me to look back months later and see: ah, 4631 - even though it has nothing to do with my password.

Yes, it has cons and you should take appropriate steps to prevent the file from being corrupted / lost, prevent the file from being stolen, do your best to keep it updated, and it stops you from accessing it when you don't have access to the database file.
 
1 members found this post helpful.
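Sefyir's point about a unique password per account can be made concrete with a small audit. The following is an added example for this thread, not code from KeePass or from any poster: it groups a constructed list of (service, password) records by password and reports, for a given breached service, exactly which accounts would need a reset. The account list and its deliberately bad passwords are constructed for the demonstration; a real audit would run the same logic over the decrypted entries of a password database, and the report refers to passwords only by a short hash prefix so it never echoes them.

```python
"""Password-reuse audit and breach blast radius.

Added example for this thread; it is not code from KeePass or from any
poster. When one service is breached, the accounts that must be reset
are exactly those sharing its password. ACCOUNTS is constructed sample
data with deliberately bad passwords.
"""
import hashlib
from collections import defaultdict

# Constructed sample data: (service, password). Not real credentials.
ACCOUNTS = [
    ("mail.example", "correct horse battery staple"),
    ("bank.example", "Tr0ub4dor&3"),
    ("forum-a.example", "hunter2"),
    ("forum-b.example", "hunter2"),
    ("shop.example", "hunter2"),
    ("jabber.example", "xkcd-936-is-a-comic"),
]


def fingerprint(password):
    """Short SHA-256 prefix so the report can name a reuse group without
    echoing the password. Only a label for this report, not for storage."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def group_by_password(accounts):
    """Map each password fingerprint to the services that use that password."""
    groups = defaultdict(list)
    for service, password in accounts:
        groups[fingerprint(password)].append(service)
    return dict(groups)


def reused_passwords(accounts):
    """Reuse report: fingerprint -> services, restricted to passwords shared
    by more than one service (the groups whose blast radius exceeds one)."""
    return {fp: svcs for fp, svcs in group_by_password(accounts).items()
            if len(svcs) > 1}


def breach_blast_radius(accounts, breached_service):
    """Services whose passwords must be reset if `breached_service` leaks
    its credentials: the breached service itself plus every other service
    that shares one of its passwords."""
    groups = group_by_password(accounts)
    affected = set()
    for services in groups.values():
        if breached_service in services:
            affected.update(services)
    return sorted(affected)


if __name__ == "__main__":
    for fp, services in reused_passwords(ACCOUNTS).items():
        print(f"password {fp} reused on {len(services)} services: {', '.join(services)}")
    for victim in ("shop.example", "bank.example"):
        reset = ", ".join(breach_blast_radius(ACCOUNTS, victim))
        print(f"breach of {victim} -> reset: {reset}")
```

With the sample data, a breach of shop.example forces resets on all three forum/shop accounts sharing "hunter2", while a breach of bank.example affects only bank.example, which is the whole argument for one password per account.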
Old 02-27-2017, 09:27 PM   #9
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6142
Sefyir's comments about using a unique password for each account are quite on target.

I have well over 100 unique passwords. No way could I remember all of them, and keeping them in an unencrypted file would be quite insecure.

I use KeePassX. I adopted it after a gig at a hosting provider which, for all practical purposes, required--er--suggested strongly--that staffers use it, and I became quite fond of it.

I also find KeePassX's ability to generate passwords to be quite useful.
 
1 members found this post helpful.
Old 02-28-2017, 06:56 AM   #10
WaterCatapult
Member
 
Registered: Jan 2017
Location: Germany
Distribution: Kubuntu 20.04, openSUSE Tumbleweed, Solus
Posts: 85

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by Ellendhel
Well, even for a "one and only individual" I would proceed that way. Since everybody dies one day or another, and you may likely have some family members dealing with your bank/email/online service accounts to get them closed, it's something that would be useful (you can leave a copy of the master password in a safe at the bank or something like that).
Indeed an interesting aspect I haven't thought of until now.
But then again, who would say the software remains like this in the late future at a point no one wants to know for sure?
I'd basically have to make sure the password is always stored somewhere in reality and in clear text that could still be stolen due to some stupid mistake.

Quote:
Originally Posted by Sefyir
Since password difficulty is the same for any length / complexity, I can use long complex passwords - reducing any chance of a dictionary attack succeeding.
Finally, keepass(x) allows me to make notes of any entry. This is very useful for when some service asks for recovery questions, or provides a pin number for whatever reason. Inevitably, I'd resort to 1111 or something. This allows me to look back months later and see: ah, 4631 - even though it has nothing to do with my password.

Yes, it has cons and you should take appropriate steps to prevent the file from being corrupted / lost, prevent the file from being stolen, do your best to keep it updated, and it stops you from accessing it when you don't have access to the database file.
From my understanding, the longer the passwords are the longer crackers have to run their tools to get the proper result.
Now that you mention entry notes, how exactly does that work?

Would the system with my keepass file for example send me a mail or Jabber message if someone else tries to open my password container and fails a certain number of attempts?

I'm curious as mentioned in the first post, these tools feel like a single point of failure otherwise.

Quote:
Originally Posted by frankbell
I use KeePassX. I adopted it after a gig at a hosting provider which, for all practical purposes, required--er--suggested strongly--that staffers use it, and I became quite fond of it.

Also, I find KeePassX's ability to generate passwords to be quite useful.
Unique and different passwords and passphrases are a must, no doubt and I'll go with that method for long now.
Speaking of keepass and its ability to generate passwords, is there a certain pattern or anything to it?

Lots of people say /dev/random is perfect for the purpose of generating random passwords; I myself felt fine with 'pwgen' in case I didn't have an idea for something strange and secure beforehand.


Kind regards,
WaterCatapult
 
Old 02-28-2017, 07:20 AM   #11
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,842

Rep: Reputation: 7308
about pw generators:
As I have experienced, there are different sites with different password checks/requirements. In general there should be no restriction, but sometimes <> are not accepted, sometimes ! or something else will cause troubles. So a good pw generator can be configured to use (include/exclude) whatever you need, length can also be specified, and it is able to calculate something called strength (which is used to check if your pw is weak, so it is actually about weakness).
the generator of keepass is quite good from this point of view.
 
1 members found this post helpful.
Old 02-28-2017, 09:48 AM   #12
Ellendhel
Member
 
Registered: Aug 2015
Location: Wilmington, NC
Distribution: Slackware
Posts: 64

Rep: Reputation: 51
Quote:
Originally Posted by WaterCatapult
Indeed an interesting aspect I haven't thought of until now.
But then again, who would say the software remains like this in the late future at a point no one wants to know for sure?
I'd basically have to make sure the password is always stored somewhere in reality and in clear text that could still be stolen due to some stupid mistake.
I'm using Keepass/KeepassX and it's free software, so I have some confidence about their security (more than for a commercial/closed-source product or service). And to avoid any other issue you also should have backups (of the software installer and of your password database). You can even print the content of your database with Keepass and then keep the paper listing in a safe if you like (again, in the case of a critical event).

Quote:
Originally Posted by WaterCatapult
Speaking of keepass and its ability to generate passwords, is there a certain pattern or anything to it?
Yes, you can define how many characters you need, what sets are required (upper case, lower case, some symbols, ...). There are also extra options to define your own pattern or to select a custom algorithm, but I have never used those. And you can save your selected options as a profile if you like.
 
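The generator properties pan64 and Ellendhel describe (a configurable character set with include/exclude lists, a length setting, saved profiles, a pattern mode and a "strength" score that is really a weakness check) fit in one small program. The following is an added example for this thread, not KeePass's generator or any of its code: it draws from Python's CSPRNG (`secrets`), rejects candidates that miss a required class so that the accepted output stays uniformly distributed, and scores a password by the entropy of the alphabet an attacker would have to brute-force, which also quantifies WaterCatapult's remark that longer passwords take longer to crack. The class names, placeholder letters, profile layout and the 1e10 guesses/second cracking rate are this example's own assumptions.

```python
"""Configurable password generator with an entropy-based strength check.

Added example for this thread; it is not KeePass's generator or any code
from the project. Class names, placeholder letters, the profile layout
and the assumed cracking rate are this example's own conventions.
"""
import math
import secrets
import string

# Character classes a profile can enable (names are this example's own).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;=?@[]^_{}~",
}

# Saved profiles, the "save your selected options" idea from the thread.
# "exclude" lists characters a particular site rejects (e.g. <> or !).
PROFILES = {
    "default": {"length": 20, "classes": ("lower", "upper", "digit", "symbol"), "exclude": ""},
    "no-angle-or-bang": {"length": 24, "classes": ("lower", "upper", "digit", "symbol"), "exclude": "<>!"},
    "pin": {"length": 6, "classes": ("digit",), "exclude": ""},
}

# Pattern placeholders for from_pattern(); any other character is literal.
PLACEHOLDERS = {"L": "lower", "U": "upper", "d": "digit", "s": "symbol"}


def build_alphabet(classes, exclude=""):
    """Union of the enabled classes minus characters the target site rejects."""
    chars = []
    for cls in classes:
        for ch in CLASSES[cls]:
            if ch not in exclude and ch not in chars:
                chars.append(ch)
    return "".join(chars)


def generate(length, classes=("lower", "upper", "digit", "symbol"), exclude=""):
    """Draw `length` characters uniformly from the configured alphabet using
    secrets (a CSPRNG). Candidates missing a required class are rejected and
    redrawn, so accepted passwords are uniform over those that qualify."""
    class_sets = {cls: set(build_alphabet([cls], exclude)) for cls in classes}
    if any(not s for s in class_sets.values()):
        raise ValueError("exclusion list removed every character of a required class")
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    alphabet = build_alphabet(classes, exclude)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in s for ch in candidate) for s in class_sets.values()):
            return candidate


def generate_from_profile(name):
    """Generate using a saved profile."""
    p = PROFILES[name]
    return generate(p["length"], p["classes"], p["exclude"])


def from_pattern(pattern, exclude=""):
    """Pattern mode: placeholder letters draw from their class, everything else
    is copied literally ("UUdd-LL" -> two uppers, two digits, a dash, two lowers)."""
    out = []
    for ch in pattern:
        cls = PLACEHOLDERS.get(ch)
        if cls is None:
            out.append(ch)
            continue
        alphabet = build_alphabet([cls], exclude)
        if not alphabet:
            raise ValueError(f"class {cls!r} has no characters left after exclusion")
        out.append(secrets.choice(alphabet))
    return "".join(out)


def entropy_bits(length, alphabet_size):
    """Entropy of `length` uniform draws from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def strength(password):
    """Crude strength estimate: assume the attacker knows which classes are
    present and brute-forces that alphabet. Returns (bits, label). This is a
    weakness check only: it cannot tell that 'hunter2' is in every wordlist,
    so 'weak' is a hard floor and 'strong' is not a guarantee."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))
    if size == 0:
        return 0.0, "weak"
    bits = entropy_bits(len(password), size)
    label = "weak" if bits < 40 else "fair" if bits < 64 else "strong"
    return bits, label


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every password of this entropy at an assumed offline
    cracking rate (1e10/s is an illustrative assumption, not a measurement)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for name in PROFILES:
        pw = generate_from_profile(name)
        bits, label = strength(pw)
        print(f"{name:18s} {pw}  {bits:6.1f} bits  {label}  ~{years_to_exhaust(bits):.2e} years")
    print("pattern:", from_pattern("UUdd-LL"))
```

Rejection sampling is used instead of forcing one character of each class into fixed positions because the latter skews the distribution and lets an attacker shrink the search space; the 6-digit "pin" profile scores under 20 bits, which is why Sefyir keeps such values in the entry notes rather than relying on them as secrets.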
Tags
password manager, security