
How much of a pain in the ass would it be to migrate from one password manager to another?

Underseer

It took me far too long to break down and start using a password manager.

I'm currently using the freebie password manager that comes with Norton because I happen to have a subscription right now. I figure Norton has pretty decent computer security protecting my password information because they offer a lot of security-related services and it would be really embarrassing for them to suffer a break-in. I'm hoping that the security they have for their anti-virus products and all those accounts for anti-virus customers will also mean similarly enhanced security for people using their password manager, which works off of the same accounts.

Anyway, it helpfully nags me into changing duplicate passwords (I have an embarrassing number of those), and it nags me to change older passwords. I just recently changed a large number of account passwords (but not nearly as many as Norton Password Manager wanted me to change), and felt pretty good about myself.

Anyway, part of the purpose of this thread is to nag fellow curmudgeons into using a password manager if you don't already, but also to ask those more knowledgeable if it is worth it to purchase a dedicated password manager, and if so, how much of a pain in the ass is it to migrate from one to another?
 
I'm using LastPass, I have a few gripes with it.

I have a couple of cases of "duplicate" passwords it nags me about, there is supposed to be a way of telling it that the two logins are really the same site and should have the same password but last I checked it was impossible to do in Firefox.

It also nags me about weak passwords on sites where I don't care about the password strength.
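An added example, not part of the thread and not any password manager's own code: a reuse audit that treats domains listed as equivalent as one service, so a shared password is reported only when it spans genuinely different sites. The entries, the `EQUIVALENT` table and the function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed vault entries (site, username, password); not from the thread.
ENTRIES = [
    ("shop.example.com", "alice", "Tr0ub4dor&3"),
    ("shop.example.co.uk", "alice", "Tr0ub4dor&3"),   # same service, second domain
    ("forum.example.org", "alice", "Tr0ub4dor&3"),    # a genuinely different site
    ("bank.example.net", "alice", "correct horse battery staple"),
]

# Hypothetical "equivalent domains" table: each set is one service.
EQUIVALENT = [{"shop.example.com", "shop.example.co.uk"}]


def service_of(site, equivalent=EQUIVALENT):
    """Map a domain to a canonical service name (smallest name in its set)."""
    for group in equivalent:
        if site in group:
            return min(group)
    return site


def reuse_report(entries, equivalent=EQUIVALENT):
    """Return groups of services that share a password across different services."""
    # Per-run random key: the digests cannot be matched against anything later,
    # and the report never needs to hold or print a plaintext password.
    key = secrets.token_bytes(32)
    by_digest = defaultdict(set)
    for site, _user, password in entries:
        digest = hmac.new(key, password.encode(), hashlib.sha256).digest()
        by_digest[digest].add(service_of(site, equivalent))
    return sorted(sorted(s) for s in by_digest.values() if len(s) > 1)


if __name__ == "__main__":
    for group in reuse_report(ENTRIES):
        print("password shared by:", ", ".join(group))
```
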
 
I use LastPass also, and I have the same minor gripes as Loren. But it's better than my old method---use the same three or four passwords everywhere.

Also, like a lot of people, I started using it because it's free. But then I've been burned by other scenarios where a freebie turned out to be a bad choice. The company goes out of business, the app is compromised because security is performed on-the-cheap, etc.

Another minor issue (for me): I'm reasonably tech-savvy, but my wife isn't. But if I use LastPass to secure my financial dealings, then my wife will have to be able to also use it in the event of my death. I've written instructions on how to use LastPass for her, but I don't know if they'll suffice after I'm gone.
 
Mostly, they're varying shades of just barely usable. I hate LastPass, and got rid of it years ago.

Mostly now, I use the built-in password manager in Chrome, and, since I'm a Linux head, the KDE Wallet system. I never, ever use Windows for anything I need to keep secure, and I don't want my passwords in anyone else's cloud where I have zero control.

I also use 2FA keyed to my phone for anything financial, and change the code every 30 days.

If you must use a commercial password manager, https://www.pcmag.com/article2/0,2817,2407168,00.asp
 
LastPass used to be great. The company was bought by LogMeIn a few years ago, and the security professionals that I work with stopped using it because they don't trust that company. I personally don't use a password manager because I was taught how to make complex unique passwords that I can remember. It is also a one stop shop for all the keys to your kingdom.

Let me mansplain that for you, hahahaha

Don't try to make up a series of characters or a funky spelled word. Use a passPHRASE, not a password.

So instead of making your password "C0l0r@d0R0ck13s" (Colorado Rockies) with simple letter replacement, make your password "I Really Like the Colorado Rockies Team. They are my favorite".

You don't need to do letter replacement when you use more than a couple of words. Any more than 3 or 4 words and the hacking technique to crack it won't work... so you can use proper spelling of a complete phrase, as long as it isn't an extremely common one, like "In God We Trust". That would be a bad one.

You can even make them relevant to the site. "I can easily remember my online banking password, because it is easy to remember.". That is a perfectly good password. You have an upper, lower, and special (the comma and period), so it passes the check. It is also far too many words to do a brute force dictionary attack on it.

I am a security guard with lots of friends in the business that have taught me this.
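An added example, not part of the post: a strength-checker sketch that undoes simple letter replacement before a dictionary lookup, rejects known common phrases, and counts the words in a phrase. The word list, phrase list and substitution table are small constructed stand-ins, and the bit count in `random_phrase_bits` applies only to words drawn uniformly at random from a list.

```python
import math
import re

# Constructed stand-ins (assumptions): a real checker loads large lists.
WORDS = {"colorado", "rockies", "really", "like", "team", "favorite"}
COMMON_PHRASES = {"in god we trust"}
# Undo the usual digit/symbol-for-letter swaps: 0->o 1->i 3->e 4->a 5->s 7->t @->a $->s
LEET = str.maketrans("013457@$", "oieastas")


def segment(text, words=WORDS):
    """Split text into dictionary words (dynamic programming); None if impossible."""
    best = {0: []}
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))


def classify(password):
    """Return (label, word_count) after normalising case and substitutions."""
    plain = re.sub(r"[^a-z ]", "", password.lower().translate(LEET))
    phrase = " ".join(plain.split())
    if phrase in COMMON_PHRASES:
        return ("common-phrase", len(phrase.split()))
    if " " in phrase:
        return ("passphrase", len(phrase.split()))
    parts = segment(phrase)
    if parts:
        return ("dictionary-words", len(parts))
    return ("unrecognized", 0)


def random_phrase_bits(n_words, list_size):
    """Entropy in bits of n words picked uniformly at random from a list."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("C0l0r@d0R0ck13s", "In God We Trust",
               "I Really Like the Colorado Rockies Team. They are my favorite"):
        print(classify(pw))
    print(round(random_phrase_bits(4, 7776), 1), "bits for 4 random words of 7776")
```
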
 
Yeah, reliability/trust is in part why I went with Norton. They have all the same flaws people complained about in LastPass, but since they make their money on antivirus, VPN, and identity protection, I figure it would be really embarrassing for them to suffer a break-in, and so I figure they have pretty decent security on account of all their other services. At least, that's the assumption I made. I have no idea if that was a good call.

It's good enough, it's free, there's an Android version of the manager. That kind of covers the necessary bases for me.

I use Norton's PM and the PMs built into Chrome & Firefox, which makes things really confusing. If I change an account password and get a popup dialog in the browser, I'm never sure who the popup is from.
 
Yeah, I'm solidly in the passphrase camp but all too many sites don't accept that. They demand the special characters and it's not exactly unusual to see maximum lengths as well.

Then there's Kohl's that enforces password changes by periodically invalidating your password and making you change it--with an e-mail that looks very much like a phishing attempt. (It doesn't have a link in it, though.)
 
I appreciate the value of a nice long passphrase, but...

Instead of memorizing dozens and dozens of unique passwords, I would have to memorize dozens and dozens of unique password phrases.
 
Yup. I'm using long passphrases at times, but I still enter them into my password manager. Some day soon, I'm going to change my Netflix password. Since this will mean changing the password on a large number of devices, a passphrase would make things much easier.
 