SillyDog701

[James]

Let's revisit a question about passwords to help straighten out my addled brain.

If a person chose to have Firefox memorize his password (which would then be stored on his computer) and set a master password, would the master password give a certain degree of protection to his stored passwords if his computer were hacked?

Secondly, are the passwords stored in encrypted form?

UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7

[PaulD]

1. "would the master password give a certain degree of protection to his stored passwords if his computer were hacked?"
- Yes.
2. "are the passwords stored in encrypted form?"
- Yes. See signons.sqlite.
Are you toying with the NSA? Or the TSA?

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 (.NET CLR 3.5.30729)

[James]

Hi Paul.

I'm using Lastpass (password manager extension for FF) but I'm beginning to have some reservations about it. I don't like the idea of storing my passwords on their server (yes, I've read the arguments for and against this and it's just my personal hang-up if you will). So, I'm toying with the idea of simply letting FF store my passwords but under a master password (something I had never done in the past).

UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7

[Fulvio]

James,
I have an old-fashioned method for remembering passwords, i.e. using pencil and paper. One drawback, if I scribble, I can't read what the info. is!

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

[Antony]

Paul,

Thank you for re-assuring the important protection from Firefox.


James,

I let the browser to remember certain passwords, usually for those non-serious ones such as forum logins. For more serious items/information I use Yojimbo to remember those (it uses AES-256 encryption). And for even more serious ones (such as online banking), I either memorise that myself or I don't enter full information onto Yojimbo.

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 AlexaToolbar/alxf-2.0 Firefox/3.6.12

[James]

Antony, why do you use Yojimbo rather than Lastpass? I believe we've discussed this before but perhaps you could refresh my memory.

Fulvio, I have too many passwords... literally dozens of them and they're all different so I must have a manager of some kind. Paper and pencil would work if I only had a dozen or so.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

[Antony]

Antony, why do you use Yojimbo rather than Lastpass? I believe we've discussed this before but perhaps you could refresh my memory.

Because I use it for recording all sorts of bits and pieces information (notes, image, PDF, serial numbers I bought, passwords... etc). And most importantly, it syncs to all my Macs (and now iPad). Although it is for Mac only, you can still take a look at Yojimbo website.

Fulvio, I have too many passwords... literally dozens of them and they're all different so I must have a manager of some kind. Paper and pencil would work if I only had a dozen or so.

Okay, not for me, but somehow I'd like to add my two cents.

I do, like most people, have quote a lot of logins (for websites). I personally have a few different types of passwords. One of those is simple and easy to remember.
Say the password is in following pattern: AAAABBBBCCCC (different length).
AAAA is a word I like.
BBBB is the name of the said website.
CCCC is one of the numbers I like.

This style is extremely handy for websites that are not serious, and can easily remembered. And of course, I tried to use the same login if possible.

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 AlexaToolbar/alxf-2.0 Firefox/3.6.12

[James]

Well... that's interesting, Antony. But again, I'm wondering why so many here seem to avoid taking a serious look at Lastpass (which will work with Safari, Chrome, FF and IE... and soon with Opera)? I'm not trying to persuade anyone to adopt it, but I'm trying to figure out why folks are bucking against password managers, especially one that is so highly respected and free no less. Just curious to see if my own questions about LP are the same that others might have.

btw... I also have Norton Internet Security 2010 and it has a built-in password manager but there's little point in having two.

UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

[PaulD]

James, you've opened up an interesting thread of ideas.
Regarding security -
1. It isn't integrated with browsers (no automatic fill-in-the-blank), but to address your 'too many for pencil and paper' scenario, here are some ideas (practicality aside).
Put your multitude of passwords into a file.
a) Use Windows' Encrypting File System (medium format must be NTFS). For information, see Help.
- To set: in Explorer, right-click on file or folder > Properties > (tab) General > (button) Advanced.
- Usage is transparent for 'your' logon ID. Any other user logon (including an administrator) gets 'Access is denied' message. Copy password from file, Paste into browser password field. (Hacker protection, but not theft protection if thief can log on. Power-on and Logon passwords will alleviate this.)
b) Store the file on a removable medium: diskette(?!), USB drive, ... . Device is not shared. Then mount it only when needed and Copy/Paste. Cumbersome.
c) Even more secure and cumbersome: Combine a) and b). But remember NTFS prerequisite.

2. Haven't tried this, so experiment with appropriate archive/backup -
- Similar to 1.a - Forget the Firefox Master Password; but set Encryption on the signons.sqlite file.

Note that (1) is general, not Firefox specific. The methodology in (2) is general, but details are browser-specific, depending upon how/where internal passwords are stored.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 (.NET CLR 3.5.30729)

[James]

Paul... this certainly is an interesting solution but it seems a bit unwieldy. The reason i was attracted to Lastpass in the first place had to do with its ability to sync among your computers. If I download LP to any computer (my laptop, or netbook) and type in the master password, it immediately grabs all of my passwords and I'm away to the races with it automatically logging me in if I so choose. What could be easier?

I heard Steve Gibson tell Leo Laporte on a recent interview that it was an extremely secure program and one that he personally endorsed and used. So... I wanted some feedback on what others are doing.

UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

[Antony]

Well... that's interesting, Antony. But again, I'm wondering why so many here seem to avoid taking a serious look at Lastpass (which will work with Safari, Chrome, FF and IE... and soon with Opera)?

I guess it comes down to following reasons:
personal preferences,
people's trust with LastPass,
and willingness of installing an add-on (or plug-in).

To me, I've been using Yojimbo since the first version in early 2006. It is an independent application, not a plug-in which means I don't have to install a plug-in or add-on on every browser I use (nor the need to worry about brother compatibility). Most importantly, it synced to all my computers which is very important.

Besides using Yojimbo, Mac OS X also has built-in Keychain for memorising all passwords (and auto-fill them), which can also be synced to different computers. I use the built-in Keychain for passwords management on a number of websites), and Yojimbo has almost all the passwords I need to store. (I know it is duplicated in certain sense)

BTW, LassPass works for Safari.

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 AlexaToolbar/alxf-2.0 Firefox/3.6.12

[James]

Hi Antony. Yes, I know LP works on Safari; I've tried it. It also has its own form of keychain so I'm not sure I really see a difference other than the keychain (I think they call it Lastpass on the Go) portion is on a paid-for version of the program.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

[Blessmac]

What about me i use Logon Sentry for my mac. It's prog can control and save all Login Events. Try this.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7

[James]

But I use a PC.

UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

[Antony]

Some of you may know that Laurent recently got his iMac (Intel Core i5), part of migrating (from my PowerBook G4) for him was to copy over all passwords. Then I realised that he simply used Firefox to save all passwords, without Master Password.

Of course, I insisted him to use the (Firefox's) Master Password. I might use this opportunity to give LastPass a try.

While thinking about that, Laurent only uses one computer, does he really need to sync his passwords? If syncing is needed, we do have MobileMe Family Pack (subscription), and syncing Keychain (etc) is pretty with Apple's service.

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101026 AlexaToolbar/alxf-2.0 Firefox/3.6.12