Try This Automatic Password Changer - Comments Page 1

Category: Security



All Comments on: "Try This Automatic Password Changer"


Posted by:

Eric
24 Feb 2022

I have been a Dashlane Premium user for several years and while overall I've been happy with it, it has not been without its trials and tribulations. Dashlane, Chrome and Keychain frequently battle it out for which one is going to control the keys to the passwords. I always steer toward Dashlane when given the option, but sometimes I'm not given the option. On my Windows machine this isn't an issue, just on my iPad and iPhone. The automatic password changer has been a bust so far. I clicked on the button two times since it came out and both times it only found 7 passwords it thought it could change and it failed to change any of them. It said the login information was incorrect, or an unknown issue prevented it from being successful. But I'm sure they will keep trying.

Posted by:

Glen Fotre
24 Feb 2022

I've been happy with free Dashlane but I'd put all of that 'automatic' stuff right up there with all of the 'wonderful' electronics that car makers are adding these days! I get screwed up enough as it is with the manual control.

Posted by:

Lucy
24 Feb 2022

This all sounds mighty convenient, but I do have a concern.

Financial institutions, and probably others, will put you at fault for any fraudulent activity if you have "shared your password".

How is this not sharing your passwords?

Posted by:

Walter T
24 Feb 2022

I seem to recall reading an article a year or two ago about the original person/team who many years previously had said that passwords should be changed on a regular basis. That same person/team was now saying that regular password changing was _not_ necessarily a good idea, unless there was reason to suspect that existing passwords had been compromised. (The analogy was, do you change all of the locks on your house on a regular basis, even when there is no evidence of break-ins?) The person/team was now instead advocating long, complex passwords or pass-phrases that were resistant to cracking, but user-friendly and easy to use and recall. The team/person said that policies that _required_ regular password changes caused people to adopt "convenient" update schemes, such as "mypassword-xx", where xx is an incrementing version number.

Posted by:

Patrick
24 Feb 2022

I have never heard a good, logical reason for periodically changing passwords. It seems like the type of rule security "professionals" come up with when they have too much idle time. Most of the rationale I've heard seems to be "trust us - it's a good idea". WHY?

Posted by:

Steve K.
24 Feb 2022

It may just be a reflection of my age, but I prefer to do it manually.

1) Open a password generator, eg, LastPass, 2) set it to about 24 characters, 3) copy the generated password eg, [email protected]!p%qkF4s1i$eYsIxe3l to a docx file that holds ALL my passwords.

4) Save that docx file on a thumb drive, not the home computer, 5) make and update two copies of the thumb drive, 6) hide all the thumb drives around the house, the primary one near the home computer.

This doesn't work for when we're out of the house, but I hardly turn on my phone outside the house, much less log in to anything.

As some have noted, I don't change my passwords just because they're old. They should be strong enough to withstand both a dictionary and brute force attack.

It's a bit cumbersome to plug in the flash drive when I go to, say, my bank's website, but I'm happy to pay that price for the knowledge no one else has my password.

See any flaws in my strategy? My mind's open to change.

Posted by:

Jerry
24 Feb 2022

I agree with Walter T. At work we are required to change passwords periodically. If we do not, we are locked out until we do. Many use the incrementing version method Walter mentions. We also cannot reuse the same password. One and done.

Posted by:

Bill K
24 Feb 2022

@Steve K. Is your Docx file and/or your USB password flash drives encrypted?

Posted by:

Walter T
24 Feb 2022

Here's a really good article on re-thinking the whole "change passwords regularly" rule.

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

Posted by:

gene
24 Feb 2022

I've been using Blur by Abine for many, many years. It offers all the features I need, doesn't do what this is talking about, yet anyway, but it does everything else. Works across all platforms and devices. When a password is needed on an Apple device, I'm given the option of using Blur, or Keychain. I use Blur and try to keep Keychain in sync, but my default is always Blur. Simple to do what someone suggested above for a site that doesn't allow a password manager to actually change the password on site, just open Blur, generate a long strong password, copy it, and then enter it to whatever site. Then edit the new password in Blur to add your username and email, so it'll fill in next time. I don't change them as frequently as I did (though when working we were compelled to do so every 90 days), but that's mostly because they're 20 or more characters, symbols and numbers and ALL unique, none reused - Blur makes that part easy too. To each his/her own, but using one just makes sense these days. I wouldn't use a document to store them - though I have both software and hardware firewalls and great security software. That was always drummed into me, never write them down, they'll always be at some risk.

Posted by:

Louise Smith
24 Feb 2022

Reviews on Chrome Web Store are not good. Folks have lost passwords etc. You might want to check this out https://chrome.google.com/webstore/detail/dashlane-password-manager/fdjamakpfbbddfjaooikfcpapjohcfmg

It's not as "slick" but I still like my Secret! program from LinkeSoft https://www.linkesoft.com/secret/

Keeps an ENCRYPTED file on MY computer and syncs to my phone via WiFi. Never stored on someone else's servers. Have used this for over 20 years! Support is fantastic. Cannot recommend this highly enough.

Posted by:

Bill K
24 Feb 2022

When LastPass came out with their 'Premium' release, which is required if you need to access your passwords etc., across multiple devices (desktop or mobile), I opted to use Bitwarden. It had good reviews and had pretty much the same functionality as LastPass, and so far it has served me well.

Posted by:

Matt
25 Feb 2022

I ditched LastPass when they wanted to charge to sync across devices. I switched to Bitwarden and haven't looked back.

Posted by:

Steve K.
25 Feb 2022

"Is your Docx file and/or your USB password flash drives encrypted?" is asked by Bill K, and it's a great question.
The answer is No.
1) If I forgot - by even one character - the absurdly long master password, I'd be locked out of all my passwords.
2) I live in a safe, stable neighborhood. In our 13 years here, the worst that has happened is some tires stolen off two vehicles in the driveway. Our town is notorious locally for its zealous police force.
3) Hiding a small flash drive in a 2900-sq ft house is easy. Book safes, pantries, attics, etc, no thief is going to find it.
4) If I die unexpectedly, my executor or adult children can use the flash drive to work with my accounts in my name.
That's how it looks from here anyway. Not a perfect system, but I feel I understand its risks.

Posted by:

Steve K.
25 Feb 2022

"...some tires stolen off two vehicles in the driveway."
Not my driveway. Two other houses. Out of 210.

Posted by:

Ernest N. Wilcox Jr.
25 Feb 2022

I have been using LastPass for a long time on my PCs. I use my phone for making/taking calls, playing a few games, and searching the Internet for information such as phone numbers, etc. but I never use it to access any Internet account I have set up. For example, if I want to go on Facebook, I do so from my PCs at home, not from my phone. I never do any banking on my phone, IMHO, that is simply too insecure. All such activity is performed from the security of my desktop PC at home. All this is to inform you that I have no need to sync my passwords between device types, only between PCs which remains free when using LastPass, so their most recent change to their free tier has had no effect on me.

I use long, strong passwords on all my Internet accounts. I use 2FA with all my Internet accounts that support it. I have my email accounts registered with the Have I Been Pwned Website for alerts when/if they may be involved in a breach. I subscribe to a few security-related newsletters to watch for breach reports. When/if I see news about a (potential) breach that may affect any of my accounts, I use LastPass to change that/those password(s).

I agree with Walter T regarding password changes, and I have read the item he references. The concept of forced password changes has been changed/debunked since about 2009 by many security organizations including the FTC (as the referenced item in Walter T's post indicates - it appears on their site). I put a lot of effort into keeping my computer secure, and if my research indicated that there was any measurable advantage to scheduled password changes, I would make that a part of my monthly/weekly routines.

No one can argue that regularly scheduled password changes can limit the window of a password's vulnerability to the length of time between changes, at most. In other words, if a password becomes compromised immediately following a change (later the same day), it will remain so until the breach is discovered, or until the day of the next scheduled change, whichever comes first. On my Windows 10 desktop I have Ransomware Protection (Controlled Folder Access) enabled. When I install a new app, either during the installation, or when the app runs for the first time, I get a notification telling me that a folder access has been blocked. I then go into my Security dashboard and review the event. If it was the new app, I authorize access to allow the new app to make changes in that folder. Controlled Folder Access protects me from much more than Ransomware, it protects me from any malware being installed on my PC because Controlled Folder Access notifies me when/if any unauthorized change is attempted. RAM-based malware is a different story, and beyond the scope of this post.

The bottom line here is that when/if I become aware that a password has become compromised, I change it ASAP. Until then, as far as I have learned over more than thirty years of computer use/exploration, there is no measurable benefit to be gained with regularly scheduled changes, especially since I use 2FA to better secure my Internet accounts, so I don't do them.

My2Cents,

Ernie

Posted by:

Diane
25 Feb 2022

I agree with Steve K. from Feb. 24. The only thing I haven’t done is to put my document on a thumb drive which I will do.

Posted by:

John
25 Feb 2022

Just tried Norpass as vault for my passwords. Well, I cannot recommend them. As of today I have spent more time trying to log in than it is worth. Yes, they do not give back your money. Robo was no better. Will have to go back to writing passwords.

Posted by:

Bill K
25 Feb 2022

@Steve K It is nice to have a good local police force; however, home break-ins happen even in well-protected gated communities. The flash drive located close to your computer is the one I would be concerned with. Unless they are amateurs, thieves know about the different hidey-holes people believe no one would ever find, especially around computers. They will dump and grab anything that even remotely appears of value, and sort it out later. It is good that you have a 2nd flash drive hidden away--and hopefully, they did not come across it also--that way you would be able to change all of your account passwords before they figure out what they have.

As to an end-of-life scenario, a letter or flash drive in a safety deposit box or left with a trusted friend or relative will work as long as it does not contain any personally identifying information (like using your full name as a user-id :-)

Posted by:

Steve K.
26 Feb 2022

"They [thieves] will dump and grab anything that even remotely appears of value, and sort it out later."

I agree, Bill K, and that is why all three of my flash drives are stashed with nothing remotely of value. One is in the pantry, for example, but knowing that, you'd never find it if you looked all day. And burglars want to get in and out of a house.

Having one of the drives found by a burglar is a concern, I can't deny. Weighing all the risks, though, it seems the best solution for me.

My plan won't work for everyone. I offer it to others, like Diane, in hopes it helps.

Free Tech Support -- Ask Bob Rankin