Storing of passwords.

Jim40 · May 27, 2021

The UK banks of the UK have advised me that the biggest cause of internet scams is due to multi use of the same passwords for different websites. Can I make a suggestion. Never store passwords on the computer you are using. All my passwords are on a USB thumb stick, which I always know where it is, usually in my shirt pocket.

Lifeisabeach · May 29, 2021

Jim40 said:
The UK banks of the UK have advised me that the biggest cause of internet scams is due to multi use of the same passwords for different websites. Can I make a suggestion. Never store passwords on the computer you are using. All my passwords are on a USB thumb stick, which I always know where it is, usually in my shirt pocket.

That quite frankly isn't a good idea. Thumb drives are lost all too easily. It's fine that you have confidence you'll never lose it from your shirt pocket, but if you forget to take it out and run it through the washer, then what? What happens if you lose it, or it gets corrupted? Is that the ONLY place you have them stored? At the minimum, you should have those passwords encrypted in a file, and the drive encrypted also. But really, what's the practical difference in doing all that, vs using the same security precautions on your computers and devices?

Most of us use a password manager like 1Password. All my passwords are stored in that. The database is encrypted and accessible only if you know the password for 1Password. You can only get to 1Password if you know the user password for the computer or device. The password database, which I sync via iCloud, can't be accessed unless my iCloud account gets compromised, which requires a compromise of my 2-factor authentication among other measures. That just ain't gonna happen. These measures are superior in EVERY regard to just tossing them on a thumb drive and toting that around, even with best-practice measures for the thumb drive.

pigoo3 · May 29, 2021

In addition to what Lifeisabeach mentioned...I'm not confident that the thumb drive couldn't fall out of the shirt pocket (if it's there all of the time). If it gets lost...and someone finds it...depending what's stored on the thumb drive (account names, URL's, passwords)...and how it's stored (encrypted or not)...someone finding it could easily access everything.

Storing passwords on a thumb drive that's always with you (in your shirt pocket) could be much more risky than storing passwords on a computer. Especially if that computer is a desktop computer that never leaves your home.

Nick

Jim40 · May 29, 2021

Lifeisabeach said:
That quite frankly isn't a good idea. Thumb drives are lost all too easily. It's fine that you have confidence you'll never lose it from your shirt pocket, but if you forget to take it out and run it through the washer, then what? What happens if you lose it, or it gets corrupted? Is that the ONLY place you have them stored? At the minimum, you should have those passwords encrypted in a file, and the drive encrypted also. But really, what's the practical difference in doing all that, vs using the same security precautions on your computers and devices?

Most of us use a password manager like 1Password. All my passwords are stored in that. The database is encrypted and accessible only if you know the password for 1Password. You can only get to 1Password if you know the user password for the computer or device. The password database, which I sync via iCloud, can't be accessed unless my iCloud account gets compromised, which requires a compromise of my 2-factor authentication among other measures. That just ain't gonna happen. These measures are superior in EVERY regard to just tossing them on a thumb drive and toting that around, even with best-practice measures for the thumb drive.

Well at 80 years old and a Mac user since system 7, my first Mac was an LC111 with 2MB Ram, and 160 MB HD. I should have mentioned I have 5 USB thumb drives, all stored in different places, including 1 in my bank, and 1 with my next door neighbour. I've started keeping the one in my shirt pocket round my neck on a chain.We oldies have some weird ideas especially in England.

chscag · May 29, 2021

Whatever works for you....

And age has nothing to do with it.

krs · May 29, 2021

What's wrong with storing the critical passwords in the noggin that sits on top of your neck?
I divide my passwords ito two basic categories - one for sites where unauthorized access creates a financial or identity fraud issue and the other for the hundreds of sites where it doesn't but they still want a password.
For the first group the password is different for each site and I typically remember that since I check those sites fairly often.
For the second group I just use a few passwords over and over again and I have the browser remember user name and password for auto login, like this site for instance.

I'm actually more worried about a bank's server being compromised and crooks accessing my accounts that way.
To the point that I now take a screen shot of my account balances every once in a while so I have a reference to check if something on the accounts doesn't look right.

MacInWin · May 29, 2021

I use 1Password, and I like it, although the competitors are all pretty good. 1Password syncs across my various machines (MBP, iPad, iPhone,  Watch) so that I have the passwords with me, encrypted, wherever I am. And with the backups of those devices, I have insurance on each one. So, for me, no need to carry one more thing that I could lose or end up leaving in the wash.

pigoo3 · May 29, 2021

Jim40 said:
I should have mentioned I have 5 USB thumb drives, all stored in different places, including 1 in my bank, and 1 with my next door neighbour. I've started keeping the one in my shirt pocket round my neck on a chain.

I have no arguments with the copy you keep in the bank. Always there in case all other options fail or are unavailable.

Having a copy with your neighbor adds some risk...since what if they lose it...they forget where they put it...someone takes it from them...or someone in this neighbors family grabs it & maybe reformats it or erases it. All probably rare events...but possible.

If the USB thumb drive in your shirt pocket is also on a chain around your neck...this is much different than what was mentioned initially. The chain around your neck would prevent the USB thumb drive (if it fell out of your pocket)...from falling onto the ground. The chain makes things MUCH safer. But then my concern would be how well is the chain attached to the USB drive. Many USB thumb drives are made from thin brittle plastic (which can break rather easily). I'd like to see a thumb drive used that has a more durable connection for the chain.

Security is definitely important. Like Chscag said above...we got to do what works best for each of us.

Nick

p.s. The issue with having all these different copies in different places is...if you ever decide to change ANY of your passwords (even just one password)...then all of these copies need to be updated. Otherwise some of these copies will be out-dated.

toMACsh · May 30, 2021

I use similar, often identical, passwords on multiple sites. I let Keychain remember most of them for me. My Bookmark names include the user name and password, which I change when called upon by sites that require it. I have some passwords in Stickies, which I print from time to time. So far, I have not been victimized by identity thieves. Heck, I can't even remember my real name!

pm-r · May 30, 2021

Jim40 said:
Can I make a suggestion. Never store passwords on the computer you are using.

I do not know why you would make such a suggestion, especially when even Keychain Access.app allows a user to set up a separate password for each keychain you might want to use.
It works well for this 80 year old and 32 year Mac user out on the Pacific Wet Coast.

Rod · May 30, 2021

Point well made about updating. Given that banks along with other organisations recommend regular password changes. To attempt to comply with that suggestion over five devices in different locations would be an arduous task.

Rod · May 30, 2021

I also disagree with not keeping your passwords on your computer. They are website passwords in most cases so you need them where your web browser is.

Most password managers provide browser extensions for their apps so you can quickly access your web site passwords from within your browser with your master password. For that reason I do not allow my browsers to record any of my user name/passwords.

Not only does a password manger allow you to create strong, unmemorable multi-character passwords but it also allows you to audit your list and in the case of my password manager, allows me to check for breaches.

Think of a disaster scenario, like a flood, tsunami, earthquake or volcanic eruption, all possible where I live. Say i lost everything, my home my devices the lot. How quickly could I recover?

I need only buy a mobile phone to access my apple account. Download my password manager app, login with my master password and download all my passwords from iCloud.

My only reservation about 1Password and other similar password managers is that all your data is saved on their servers. Yes, I know it's encrypted and it offers easy access from any computer but Enpass only stores my data on my devices and up to now I trust iCloud to keep the synced data safe via encryption and 2FA.

MacInWin · May 30, 2021

Rod said:
My only reservation about 1Password and other similar password managers is that all your data is saved on their servers. Yes, I know it's encrypted and it offers easy access from any computer but Enpass only stores my data on my devices and up to now I trust iCloud to keep the synced data safe via encryption and 2FA.

I sync 1Password through iCloud, so nothing of mine is stored on their servers at all. They never see anything from my vaults. My vaults are on my devices and pass through iCloud encrypted and not stored.

Lifeisabeach · May 31, 2021

MacInWin said:
I sync 1Password through iCloud, so nothing of mine is stored on their servers at all. They never see anything from my vaults. My vaults are on my devices and pass through iCloud encrypted and not stored.

Ditto. 1Password is increasingly known for their subscription-only cloud service, but they still offer a standalone app with a one-time purchase.

chscag · May 31, 2021

Lifeisabeach said:
Ditto. 1Password is increasingly known for their subscription-only cloud service, but they still offer a standalone app with a one-time purchase.

I just checked their site and do not see an offering for a stand alone product. They do offer what they're calling the "classic extension for your browser".

I do have an older version of 1Password which does not include all the extra offerings that the newer versions have. But it is stand alone and not a pay by the month subscription.

macgig · May 31, 2021

its good advice to not save passwords on the computer in the web browser. but most of us do it for convenience.

I keep my passwords in a text file on an encrypted disk image which is password protected… may be a good idea if you are using a USB drive?

How to Create an Encrypted Disk Image to Securely Store Sensitive Files on a Mac

You don't need third-party utilities like VeraCrypt to create a secure, encrypted container for your sensitive files on your Mac.

www.howtogeek.com

Sawday · May 31, 2021

Another point to consider - do make sure your nearest and dearest know your passwords to access all your financial and hosuehold accounts. Should something happen to you you need to ensure that they can still function. I have created a word document (password protected) with full details of the household accounts with all passwords and how to access them. A printed copy lives in a locked fireproof safe to which my wife and our executor have the key. No matter how good your password security is it's of little use if you are unable to use it!

Slydude · May 31, 2021

chscag said:
I just checked their site and do not see an offering for a stand alone product. They do offer what they're calling the "classic extension for your browser".

Same here. I thought I had downloaded the stand-alone version some time ago but apparently, I hadn't.

chscag · May 31, 2021

Just received an email back from 1Password support. Not good news....

The classic and older version of 1 Password 6 (stand alone) is no longer compatible with Safari because of the way Apple has redone the extensions for Safari.

In addition to that, the stand alone version of 1Password 6 will not work reliably with macOS Catalina 10.15.7 and Big Sur.

Bottom line is that their support advised me to download version 7 (subscription only) instead. I'm not going to do that but will move on to another password manager instead.

Rod · May 31, 2021

My apologies Jake, I just read 1Password's features page. My knowledge of the app probably dates back to when I was shopping for a password manager for myself. Although 1Password does offer encrypted storage of 1GB you can also opt for other syncing services such as iCloud, DropBox, OneDrive etc.
"By default, 1Password syncs your saved passwords, encrypted so even its own employees can’t see them, to its own cloud service. But you can also opt to sync them through Apple’s iCloud, Dropbox, or a local network, or keep some or all them stored on an individual machine."

Non the less it is a subscription based service and I would not use it for that reason alone. Now I see there is a web version as well so it's obviously evolved a little since I decided on Enpass.

Storing of passwords.

Jim40

Lifeisabeach

pigoo3

Well-known member

Jim40

chscag

Well-known member

krs

MacInWin

pigoo3

Well-known member

toMACsh

pm-r

Rod

Rod

MacInWin

Lifeisabeach

chscag

Well-known member

macgig

How to Create an Encrypted Disk Image to Securely Store Sensitive Files on a Mac

Sawday

Slydude

Well-known member

chscag

Well-known member

Rod

Shop Amazon