Admittedly, perhaps not to my benefit (and definitely not to my convenience), I'm old school as far as passwords go. I'm convinced that any and all corporations will sell your data eventually, and this certainly includes third party password managers. As with anything online, you are the product. Eventually, you will be sold.
I am fairly tech-unsavvy so I really don't know anything about how safe your data is with these companies. I'll admit that. But I don't trust any corporate entity.
As for me- I keep a master password list in Excel format (there's over 150 [!!!] at this time), encrypted via AxCrypt and kept on my encrypted (clinical) flash drive where I keep all my patient records. This drive is backed up to another, identical drive every week or so. In case I croak or become incapacitated, my professional will stipulates the passwords for the drive and the AxCrypt encryption.
Every month or so I print out the Excel sheets and stash them in a location in my house- also stipulated in my professional will.
It's cumbersome, admittedly, and when I travel (which is pretty rare) I don't have access to my passwords, besides the ones I know well, but this has never really been a problem for me.
Like I said, I'm old school, and paranoid to boot, I guess.
I keep passwords in an encrypted file also, and then I copy and paste them (they are all longer 10-12 nonsensical number letter symbols) to log in when needed. However, I was recently told that some operating systems' clipboards are easily accessed and tend to keep items in plain text cached long after they are no longer accessible for pasting. Someone who knows this and has access to a computer could possibly access the clipboard and get the passwords. Seems like there would be several levels of security in the way of this, but also that there (AFAIK) isn't any way to connect pasted items to the corresponding service/website. And I thought at least in terms of Apple OS X, the clipboard is wiped on restart or after deleting cache files.
Anyone know about this?
Last edited by j44ke; 03-06-2022 at 09:54 AM.
Unless there is a huge flaw in your PW manager it never knows what your password is. It is encrypted on your computer before it gets to them.
If your computer is compromised by a malicious app such as a keylogger, your password can indeed be individually retrieved. There is no way around it apart from fixing individual flaws. An additional thing is that some password managers running unlocked can expose all passwords at the same time if the database is decrypted in one block in memory or the master password gets compromised.
This is why we get to use a 2nd level of authentication with TOTP tokens (think Google/Microsoft Authenticator), push notifications and codes sent through SMS, so there is an additional and separate way of proving who you really are in case your password is compromised.
Still, the fact your passwords can be compromised shouldn't be an argument to abandon password managers, quite the contrary, as it allows you to have different passwords for every account and limit the blast radius in case one gets known by an attacker.
As said earlier, by all means protect your email account password as much as possible and do use 2nd level of auth as much as possible. If your main email is compromised, almost all your life can be stolen directly or easily through social engineering. Also, the more you leak information online, be it on social media or even here on vsalon, the more you make life easier for a potential attacker.
Also, this is an old but good read:
https://medium.com/@N/how-i-lost-my-...e-24eb09e026dd
--
T h o m a s