BuckinghamshireBoy

I searched BE and only found an old thread of BristolUK's in the Maple Leaf which has been dead for a couple of years.

I currently use an Android app, which does have a Windows compatible interface, but seamless it sure isn't. I'm not talking about browser extensions or that kind of thing, but a secure, multi-platform accessible vault.

So... cloud based storage accessible by Windows, Linux and Android (I've effectively abandoned Apple/IOS, so don't care on that front).

I see that the lovely people behind NordVPN have launched NordPass, but they don't seem to be pushing it - why not

I looked at this article but don't see a clear 'winner'.

If anyone has thoughts or recommendations, I'd be glad to hear back.

BristolUK

dbd's comment in that thread - My "secret question" for some banking thing or other is "knee pads, an airline bag and?" is very handy. It's obviously something that means something to him but anyone else would be clueless. You could certainly guess it was something else needed on a plane but sick bag, ear plugs, book, dvd player are just a few of the possibilities and where would you put your caps/characters/spaces etc even if you did guess the right one among scores?

I'm still old skool and reluctant to use anything techie (for reasons mentioned in that thread) preferring clues that won't mean anything to anyone else. I do change them from time to time and the biggest issue then is automatically typing in the old one.

BuckinghamshireBoy

It's managing the sheer number of items concerned (122 as of this morning) that prompted the inquiry. Not all of these these things are logins/passwords, I'm sure that I could muck out a few redundant ones, but I use it to handle all kinds of information that I consider to be sensitive. Plus the master database is on the mobile, so if that were to be misplaced or even stolen, I'd be in deep lumber.

I do copy the database over to a PC as a back-up fairly often, but as mentioned before, it's a bit clumsy. The data within hardly changes, but I'm making more and more use of it now, and I've had a couple of issues recently, one where the 'phone database became 'corrupted' and couldn't be accessed at all - had to copy back from the PC - and a couple of days ago I had a need to access something online where I had the userid, but no password was in the database, or the backup. Ok, that's a slip on my part, but still.

I realise that it's become exacerbated by moving country and thus changing SIM card and 'phone number. My financial stuff is always two-phase authentication, so the 'phone plays a critical part. Some governmental services in BE, CH and UK also use two-phase authentication, but not all of them.

materialcontroller

https://www.dashlane.com/amp

BuckinghamshireBoy

Thank you for that.

What put me off that originally was that it comes with an integrated VPN, and I already have one that meets my needs. It seems that I can get away without activating Dashlane's VPN, so I'll likely be trialling Dashlane and NordPass.

livinginnyc

I had something similar for a UK telephone bank account when I was a teenager. (The challenge would be 'You can't go out dressed like that'). Now everything is 2FA (text message) or MFA (code on an app), so I can't troll/traumatize someone on the phone any more (or at least make their day slightly better by having to talk to a weirdo).

In terms of password managers, I use 1Password.

Mercury39

thinbrit

I'm a fan of LastPass. I use the Teams and Personal versions for work and home.

2FA is two factor authentication, MFA is multi-factor authentication. MFA could require more than 2 pieces of evidence to authenticate, whereas 2FA requires only two. They are not the same.

Text messages historically use the SS7 protocol (designed in 1975!), it is not at all secure. It has no authentication, no encryption, can easily be spoofed or modified in transit. I can't believe this is even used any more for 'authentication'. I'm not a Twitter user, but one of the security podcast I listen to said that Twitter finally allowed users to disable SMS based authentication when setting up 2FA. If you use SMS for authentication on Twitter then disable it and pick something secure.

Bob

I use Keypass.
It's not very sexy, but it is simple enough.

Can use it as a standalone program off a thumb drive which is handy for the move. Can integrate your DB in the cloud such as Dropbox. Android app works well. Not tried iOS.

BuckinghamshireBoy

That's what I have at the moment, but have had some issues with it, which prompted the question. I currently drive it through the Android 'phone, maybe if I went the other way around... the portable option might work for me, as I need it on at least two Win machines, I'll give that a whirl.

Nordpass doesn't allow for hierarchies/groups, so that's going down towards the bottom of the list.

Bob

I must admit, I do prefer using it on the desktop, as a standalone and have it on my thumb drive for the move. When the program updates, I just replace the folder on the thumbdrive and copy over the key file and plugins.

Steerpike

I'm a long-time user of 'Password Safe', an open source tool that works for me. Unfortunately, I've had only moderate success sharing the underlying database from my PC (which I consider the 'master') and my Android phone. But I rarely need it on my phone.

I just looked at my database and to my surprise I see I've got over 300 entries! While some are marginally appropriate (such as security gate codes for friends, my TSA Precheck code, my passport number, activation codes for licensed software, etc) there's a remarkable number of valid accounts in there - hard to believe there could be so many!

Like BristolUK, I don't save 'actual' passwords in the tool, but rather, clues / hints / obvious reminders. For example - if a password were to be AndyPandy1234!!, I might put AP1...!! as the 'reminder'. I know to substitute 'AndyPandy' for AP, and the 1... means a numeric sequence. This is a safety measure just in case the tool is ever compromised. The down-side to this approach is that I can't use the tool to 'automate' password entry - the tool can't possibly 'fill in' a password field for me since it doesn't know the actual password. But to me, using a tool to automate password entry is risky.

I don't know how many people on here follow 'NIST' (natl. inst. for standards and technology), but they are now strongly advising against complex passwords and ever-changing passwords. This guidance is now filtering its way through to other areas such as 'HIPAA'. Extract (from https://spycloud.com/new-nist-guidelines/ )

The updated guidance is counter to the long-held philosophy that passwords must be long and complex. In contrast, the new guidelines recommend that passwords should be “easy to remember” but “hard to guess.” According to the new guidance, usability and security go hand-in-hand.

In short, the new NIST guidance recommends the following for passwords:

• A minimum of eight characters and a maximum length of at least 64 characters
• The ability to use all special characters but no special requirement to use them
• Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
• Restrict context specific passwords (e.g. the name of the site, etc.)
• Restrict commonly used passwords (e.g. [email protected], etc.) and dictionary words
• Restrict passwords obtained from previous breach corpuses

Two- (or Multi-) factor is definitely an improvement also.

BuckinghamshireBoy

This is working out quite well. I had seen that Windows interface before, but must have blanked it around the time that Microsoft blanked my machine with the 1803 unleashing..

Database is up on NAS rather than thumb drive portable version. Android 'phone has a copy...

Gozit

I'm an IT person and I use the simplest option...Google. Built into chrome and syncs to my google account which is protected with its own password as well as MFA. I'm aware it may not be the most "secure" but also Google would be in huge shit if it was caught stealing users passwords to things. Can't be bothered with the inconvenience of doing it any other way.

Zoe Bell

Ben and I use Last pass, as it also allows us to manage shared accounts
also has a feature that will allow me to access ben's stuff if anything happens to him or vice versa