Is there an app for this? Help me fix my terrible security
I thought I've been looking for a good password manager, but I'm not sure that's what I really need.
Here's my use case:
- I currently have a Google Sheet in my Google Drive that contains all my ID/passwords for everything
- In addition I have personal info in there like SSNs and Credit Cards #s
- I want to be able to have instant access to all of the info from my ancient iPhone and my laptop
Things I've tried:
- I messed around with Last Pass a bit and found it couldn't actually fill in the passwords in the apps I was using so I'd have to manually type them, which is a deal breaker for me.
- I've been using FireFox's LockBox and it's a bit better on that front but doesn't actually remember what the password goes to the app so I have to look it up each time, but it does populate them in the appropriate fields.
- Password-protecting a Google Sheet is apparently impossible but was a solution I was after for some time (Excel and Libre can do this..so +1 for software)
Other info:
- I am currently using an iPhone 5 but I plan to "upgrade" to a Samsung Galaxy S7 sometime in the near future. Perhaps that's why the functionality of these password managers seem so inconvenient for me? Would they work better on a modern phone?
What I'm after is perhaps two solutions:
-
A password manager that crosses the bridge from desktop FireFox to the apps on my phone, and fills in the password for me automatically. That would allow me to feel like I could move to more random passwords for things.
-
Some encrypted, password-protected site/app that could store plain text notes for sensitive things like SSNs and Credit Card #s that would stay in sync between a laptop and a smartphone.
Go ahead and mock me for my terrible security and ancient phone. I deserve it! But when you're done, I'd appreciate some guidance.
EDIT: Sounds like first priority should be to update my phone. Then there appear to be plenty of options to try. Thanks everyone so much!
This looks really nice! It's all free? I haven't set up a personal VPS yet for self-hosting anything but it's a hobby-activity I'd like to pursue when things free up for me a bit.
KeePass (MiniKeePass on iOS, KeePassDroid on Android, KeePass/KeePassX/KeePassXC on PC/MacOS/Linux) + Dropbox/Google Drive/OneDrive/etc.
There are applications for KeePass files for every platform under the sun, and they’re generally easy to use. I believe the default encryption is AES. I haven’t used it on iOS, but KeePassDroid can use the fingerprint sensor if it’s available.
If you aren’t afraid of git and GPG, look at pass (passwordstore.org).
I'll take a look at this. Thank you. Ideally I'll move away from Google Drive and similar services, but it'll take time.
Does keepass provide an easy way to store and retrieve data not necessarily tied to a form like SSN or credit card info? I'm wondering if some secure notes app isn't the better solution for that.
KeePass* have a notes field for each password. Everything in the app gets encrypted (not just passwords), if that’s what you’re worried about.
Nice!
I forgot to mention that keepass* just create an encrypted password database. Syncing it across your devices is up to you, which is why I mentioned Dropbox and friends.
Aw, I see. Thank you!
I use it together with Syncthing. It works fairly well and yes, it can store any arbitrary data, not just URL, username and password. Even files.
and it doesn't upload you files to a third party you have to trust.
Good encryption is worth nothing if people can run an offline-brute-force against a DB encrypted with a mediocre password
I am very confused here because your solution is a deal breaker??
Perhaps you should look into more why the lastpass app wasn't filling into apps you use?
FWIW I use the lastpass app and it can be finnicky. Sometimes I have to open lastpass then close/reopen whatever app I want it to fill in data for in order to get it to work. I think it's because most apps on phones get put to "sleep" in the background if they haven't been used recently enough.
Right?! I think what I'm looking for is something better than my current solution, otherwise why adopt it? :)
But I was a little unsure of what the functionality of LastPass and others are actually supposed to be. Surely the intention can't be to look up the website for each app manually in LastPass and then copy/paste the password from there to the app? That's the behavior I've seen so far with both Lastpass and Lockbox and I really want to work like my browser where it recognizes the site and autofills the ID/password. Just now I was messing around with LockBox on my phone as part of all of this and actually saw it work the way its supposed to - auto filling the ID/password in my banking app.
So in a somewhat confusing way, what I was trying to say is please don't recommend an app that can't autofill, because that's not better than my current solution.
LastPass can autofill, perhaps you didn't set it up right?
That could be very true. I have been using FireFox's Lockbox on it for some time and it literally worked in the way it's intended for me for the first time today. My experience with LastPass was similarly disjointed. From what other's describe as how these function on their own phones, I suspect my phone is starting to lose it's useful (but still remarkably long) life.
I was curious whether Apple dropped support for it because I can't seem to install the most recent update and saw what seems like a mixed message on Wikipedia:
https://en.wikipedia.org/wiki/IOS_version_history#iOS_12
So perhaps mine has one of those processors? Or perhaps I have some other technical issue, Or perhaps I just have not been successful in setting them up.
Who knows. If another app is working right out the box and accomplishes the same thing, no reason to specifically choose LastPass over something else, TBH.
No love yet for 1Password? I do think I'm grandfathered in to the old non-cloud plan, but it's great if you need more "commercial" support. e.g. You have a non-technical boss that doesn't like that "open source crap".
1password is integrated into iOS now and works really well in most App situations. (There is also autofill support and apps for many major platforms including linux, Android, and Chrome). For those situations where autofill doesn't work. I simply summon the app via hotkey and you can search and copy the password without having to leave the keyboard. (Workflow is slightly less ideal on the phone, but still).
All of this said, I joined the 1Password family a long time ago before there were the options today. I haven't tried KeePass or some of the alternatives mentioned here.
Although I would avoid Lastpass, especially in a group situation. Due to the poor browser implementation if you have access to a login you can reveal the password, even if the person sharing has disabled that feature. How? Lastpass stores the actual password in it's "password" input. Changing this input to type="text" reveals the password. Boo... So easy to fix too...
Good luck in your hunt!
Thanks so much! I'll give it a look-see. I don't mind paying for something truly useful.
Just a note: 1Password (and likely a bunch of the other suggested ones, although I don't use them) allows you to set a strong masterpassword and then a PIN to unlock on the phone. I've found this pretty useful when I used 1P on my iPhone 5 due to the lack of fingerprint reader
So, I came here fully intending to recommend LastPass but then you wrote that it's not able to fill in passwords for apps that you use. That's weird. I run Mac OS X (prior version to the current one because my old-ass computer can't handle the new stuff), OpenBSD, and I have an iPhone XR. LastPass can fill in passwords on these things. I'm going to assume the non-filling has to do with your iPhone 5. I think upgrading your phone would indeed help. This might sound like gloating but I assure you it's just me being a big fan- Face ID & LastPass is the best thing since ball-less mice for me. My creds fill in fast and automatically.
There's a command-line client for LastPass which can be used for console stuff on OpenBSD. Of course, for most stuff you're using a browser and the standard technique works fine there.
So, I guess this might not be useful to you but I'm sort of writing it to other people also. Don't write off LastPass. I love this program and it revolutionized my password/security woes.
I actually think this was very useful and what I was hoping for - that my ancient phone is likely the cause of the issue with filling in passwords in apps. So thank you!
Would LastPass offer any way for me to store data that isn't tied to a particular form like SSNs and Credit Cards? I want to be able to easily look this info up from either phone or laptop.
I am skeptical of facial recognition and finger print scanners. I tried the finger print locking on the iPhone 5 and it's not great, but again, probably my old phone. I'm not really sure how much I like the idea of Google having a scan of my face and only slightly better about Apple, but hell at this point they all probably already have that.
Thanks again!
LastPass can store secure information that isn't passwords, and newer phones are definitely better at the fingerprint scanning.
Thanks! I definitely plan on locking my phone once I get something where it isn't so cumbersome.
LastPass does have a "notes" section with templates for credit cards and SSNs. I use it to store that stuff and it comes in pretty handy.
One thing that I will recommend, if you choose to go with LastPass, is to export your encrypted passwords from time to time. Export it to CSV and print out or save that CSV in some secure location. You never know when a calamity might hit and you need to log into an account from a weird place.
Great idea!
Like others, I'd suggest Bitwarden for passwords.
I wouldn't keep your SSN or other IDs online at all. Spend a night and memorize those numbers. If you must have those available, I'd use another service specifically for these records -- something like keepassxc in an offline database. I definitely would not want these records on a phone that can be lifted, though.
Are you using 2FA (e.g. Authy or Google Authenticator) for everything?
Other suggestion: buy a physical safe. Physical security is oft overlooked. All my meatspace ids + instructions for my wife on how to take control of all my online identities are in the safe and I feel confident that it is significantly less likely that this will be breached than any online account. Of course fitting one securely is a luxury that typically only home owners have, so perhaps not an option.
oh man! yes! Safes, for what they do, are so inexpensive. A safe in combination with a safety deposit box at a bank is excellent.
All too often we overlook physical security as a piece of the overall puzzle.
There's probably a good buck to be made in consumer level contingency plans.
I second BitWarden, and a pox on LastPass. I used last pass for years until one day I changed my password and due to some bug on their end lost access to my vault. Now before anyone jumps in with "you obviously didn't do it right" this is incorrect. Something went seriously wrong on their side:
I went from being a loyal lastpass premium user for 4 years and recommending it to everyone to exporting all my stuff the instant my account was restored and moving it all into pass with hardware tokens to protect my gpg keys. For technically minded people I think this is a strong privacy play. You sync with git anywhere you like (I have 3 peer devices, my homeserver and keybase), and the keys are somewhere very secure. You can inspect the files and prove to yourself that they are pgp encrypted and you can quite happily send the lot off to any host you like whether you trust it or not at the cost of leaking your directory structure to an adversay.
If you haven't implemented multi-factor authentication on your Google account (and your password manager, if you choose to use one), it's both very strongly recommended and not too challenging.
You don't need to buy Google's proprietary dongles, and in fact Google just recalled the Titan dongles. YubiKey makes great products - I've been using their tokens for years.
I use LastPass, and I agree that its form and app fills could be smoother. Worst comes to worst, I'll copy/paste, but LastPass does make it simple to regenerate passwords, and has secure note features, as well as secure account sharing.
I believe I have MFA enabled - Google texts me a code to my phone if I try to log in from an usual device. But good and welcome advice!
I didn't know LastPass had a secure notes feature. That may be my ticket then! Thank you.
SMS 2FA is really insecure, you should not be using it. Use TOTP or buy a U2F token if you want to secure your account.
Well, this really depends on your threat model. Yes, it can be intercepted, and if you ever think you would be specifically targeted (sure, by a government, but even by a stalker or other dedicated individual), it's very important to know that. However, if you're threat model is mostly to prevent random hackers with password dumps from trying to brute-force your account, it can be effective, as an attacker who doesn't know you won't know your phone number.
If you have a U2F key, those are often the safest, generally followed by TOTP, as you suggest. But, SMS 2FA does improve the security of your account, and if it's the only MFA a service offers, it will still help to secure your account.
EDIT: Typo
It's a bit of a hassle so I can't recommend this to you as an 'easy solution', but after a year of experimentation between multiple tools, what I came to use as a final method is Keepass XC. I also have its Chrome extension (it allows me to autofill on any website as long as the login link is added to the .kdbx file).
I also use Keepass2Android for my phone, so in order to have the DB synced up I added it to Google Drive. For my PC I had to use Backup & Sync in order to have it synced automatically. I'm not sure how the Keepass app on iPhone works but I doubt it's different from what I use.
Advantages:
I don't know my own passwords and I don't have to (besides the master pass);
Different and very strong passwords for each and every website (randomly generated by Keepass);
I can add passwords to the DB from my phone, from my PC, from my VMs and the database is synced up automatically on any new device;
Disadvantages:
If my DB is by any chance deleted or I forget the master pass, I'll have to go through some hoops to gain access to most of my accounts;
Takes a bit of time to set up on any new PCs;
Autofill only works on Chrome, with the extension installed and set up (also works on Firefox), but for anything else I have to copy it straight from Keepass.
Do you mean that on your phone it can't autofill the ID/password? Thank you for all of the great info BTW!
Happy to share, I hope you find a good solution.
And yes, my phone does not autofill any data (also on PC for things such as Spotify, Steam, or any other app). It's not an issue for me because I do not need this feature that often, but I imagine for others it might be a deal breaker.
I’m not going to criticise you for having odd security practices because this post shows you care about doing the right thing, so good on you 👍
It seems like the tech has been the biggest contributor to your lack of migration to a secure solution. And for what it’s worth, I feel your hassle. I had to set up an iPhone 5c for work using the work LastPass account and having to enter my stupidly long password really took it out of me. And this was just half an hours use with the phone. I can’t imagine having to do that on a day to day could be feasible.
What I will say is that the next phone you buy should remedy this. Most phones have some sort of of fingerprint/facial recognition technology to verify its you, and most security platforms use this to verify its you. Specifically speaking there is a “vault” in your phone which stores usernames, passwords, session tokens, and other stuff securely (iOS had this for ages, Android caught up with I believe marshmallow) which is encrypted with the details of your phones security system, whether it’s a fingerprint or facial recognition.
So what will happen the next time you get your new phone is that you’ll go through the motions of setting up the phone, and then fingerprint/Face ID, and then you’re good to go. You download a password manager and you tell the os to fill in details from this password manager. The next time you need to fill something in, the password manager will ask for your fingerprint/faceid and if it’s valid, it will unlock and grant you access to the password manager system. Simple.
Others have suggested different password managers to use. There was one that suggested Google’s own one, there was LastPass, and I’d recommend Bitwarden if it hasn’t been done so.
The key thing is to get your password managers to play nice with whatever device your using, whether it is phones, tablets, or pcs. Then everything is smooth sailing.
I would suggest you try and move away from the spreadsheet, however. Even with it being password protected, the contents aren’t encrypted and anyone will be able to see your passwords in plain view - theoretically even staff at google. Using a password manager means that your data is encrypted and you have the guarantee that only you will have access to your passwords.
Another point to note is that password managers like LastPass and BitWarden have services that check your passwords against each other and with online password dumps and check how secure your password is and if you need to go ahead and change your password. By password dumps, I mean hackers will break into online services and try their best to extract the largest amount of usernames and passwords so that they can be revealed. The aim is to find the credentials and try to use them on as many online services and gain access to other systems. Password managers help with that by the security check mentioned above and by suggesting secure passwords. LastPass offers good scrambled passswords. Bitwarden offers secure scrambled passwords as well as easy to remember pass phrases that have been mathematically calculated to be very secure.
If you don’t want to go the way of password managers yet (understandable), at the very least get passwords generated here: https://xkpasswd.net/s/ the passwords here are secure, memorable, and there are some good defaults like I.e. answers to security questions. Poor (easy to guess) answers to security questions are a massive factor in accounts being compromised so I would suggest you use the site above to generate memorable random words so you know only you has the correct answer, and then stick them in your spreadsheet.
The key thing with security is doing the best with what you have got, and then when the opportunity comes, you try your best to upgrade to a more secure system to mitigate any compromised accounts.
Incredibly informative. Thank you so much! I plan to follow what you say :)
Are you comfortable storing SSN's on the cloud?
My views on privacy and security fluctuate quite a bit. It's an interesting space that's for sure.
I am of the view that all of the info anyone has shared on the internet ever will one day be compromised. It's only a matter of time and in most cases it's already happened.
That said, it's still worth it to try to be secure because it may prevent a bad actor from getting that data in the short term. However, from that view point I think of Google Drive as pretty secure, and when I talked to other folks at my work they often use similar method (for their personal stuff). If my data were to be compromised it would likely not be from someone targeting me but rather from a large data breach. And obviously I recognize it's not the best solution or I wouldn't be on here asking for recommendations :)
Good security is like avoiding spam.
All you need is one weak link with your information, and your information is out there.
And I don't follow best practices with passwords either.
Yet I still have a semi irrational fear of putting my SSN on google, or emailing out my DOB or images of my passport/drivers license.
Well email is a lot different than using Google Drive, but I understand why you'd feel that way.
Google provides fairly sophisticated searching algorithms.
About twenty years ago, someone found out you could search for SSN's exposed on the web with a simple google search.
That's very interesting viewpoint. I still would not feel comfortable putting such things into a plain text document. Even google have had issues like the one with Google+ where "private" data was available for everyone.