Facebook and Google will both tell you what devices you're logged in on, and allow you to log them off.
Google link: https://myaccount.google.com/device-activity
Facebook link: https://www.facebook.com/settings?tab=security
I'm sure Apple does the same thing, but I don't have Apple, so I can't tell you what that link is.
Check those and log out any you don't recognize. Or log them all out and log back in on the one you normally use.
Change all your passwords. If possible, set up two-factor authentication (2FA). If someone attempts to log in on a new device, or attempts to change your password, it will contact you via a secondary means (usually a text message) to verify.
Use a password manager. I use Password Safe, but there are others. It will generate and store all your passwords for you so that all you have to remember is the password to get into the password manager.
He might also have access to your social media. If you've ever logged in on a computer at his place, or ever written down a password there, etc., he may have found it. Or if he was ever on any of your email accounts when you were a minor, he may still have access.
Free, open source. Can use Dropbox to sync, as you retain control of the file.
NOT a cloud service.
The Mac desktop iteration has a cost for a reasonable reason, the store charges.
The mobile version for Mac/Android is free and supports biometric access, as well as a keyboard to type, so you don't have to copy/paste.
There are always risks, but there are fewer risks with the password manager.
The passwords in the password manager are encrypted. They cannot be decrypted without your password to the password manager. If you lose or forget that password, you're SOL.
People tend to use the same set of passwords on everything. So if one password is discovered for one site, it may also work on others.
And people suck at creating passwords. We tend to use things that are easy to remember and type. We all know that we need to use a mix of uppercase, lowercase, numbers, and punctuation, but rarely do. How long will it take to crack your password?
But a manager can generate a random password for you for every account you have. When you need it, it copies the password to the clipboard and you can paste it in.
I personally don't trust the web-based password managers. Too many points of failure. The one I use (Password Safe https://pwsafe.org/) stores the passwords locally, so it's not on the web at all. Plus it's free.
While that's good, I'd like to suggest using a password like that as the password to encrypt your password vault, and have your password vault generate all your login passwords for your websites. I don't know my website logins, but I do know the password to my password vault.
Disclaimer: Do your own research and find a password storage medium that suits your needs.
Here is what I use https://pwsafe.org/
It's available on multiple platforms https://pwsafe.org/relatedprojects.shtml (android and ios support touch-id/face-id!)
It's open source https://github.com/pwsafe/pwsafe
And you can store your encrypted vault in a manner of your choosing, and share it with whomever you require.
No trusting your passwords to a third-party.
KeePass or Password Safe. We use Password Safe for all our corp IT assets, and I use KeePass for my personal accounts. I prefer KeePass for generating passwords as it gives some extra options for random characters compared to pwsafe.
I use PasswordSafe, the one written by Bruce Schneier. It's been ported to nearly every operating system, and you can put the database into Dropbox, ownCloud, or your choice of shared filesystems.
I use Password Gorilla (the Linux port) and PasswdSafe Android. The Android port has an associated app called PasswdSafe Sync that keeps it synchronized across various cloud services. I used to use ownCloud, but when I moved phones the ownCloud sync stopped working. Dropbox still works, so that's what I'm using now.
I use PasswordSafe. I keep the file on Google Drive, and use Strongbox from the iOS App Store to access it on my phone. There are a couple of links on the website to ways to access it on Android/iOS (left side of the site).
There are plenty of password manager options but this is my favorite. It doesn't hook into your browser or anything. It's just there. You copy and paste the un/pw. There's space to keep notes (where I put things like security questions).
The only passwords I know are for websites I literally don't care about (that use a trash email) and the password to my safe.
I'm neither a DNM vendor nor customer.
Having said that - you should use a password manager. I have about 400 (not-DNM-related) accounts - each and every with a different random password.
Password Safe (https://pwsafe.org/) is the best. Available for all relevant OSs.
https://pwsafe.org/ originally written by Bruce Schneier.
It's one of the password managers with pretty sound choices for its encryption.
Check out his post about password managers here https://www.schneier.com/blog/archives/2014/09/security_of_pas.html
I've been using the free and open source Password Safe for years. I have a scary number of passwords in it, that I'd be totally lost without, so I understand your pain.
It is a standalone app. I keep the encrypted vault file on my Google Drive, so it is accessible on all my devices, Windows, Android, etc.
The real annoyance for me is going through 2FA for every account :sigh:
Lastpass is a good option. Or, if you're me and still nervous about security in the cloud regardless of strong encryption there are also local solutions. I use https://pwsafe.org/.
Oldie but still good Password Safe
https://pwsafe.org/readmore.shtml
https://pwsafe.org/relatedprojects.shtml
Put the safe file on Google Drive and use different clients on Mac, PC, Android, and iOS to access.
Sounds like you got most of it :)
Consider what would happen if you lose your phone, or drop and smash it.
Some services provide single-use recovery codes. File these away (like in a home safe, or safe-deposit box)! You can buy a small home safe on Amazon fairly cheap (search: "safe" or "AmazonBasics safe"), or buy at a big-box like Walmart, or an office supplies store like Staples, etc.
Also, I recommend backing-up the secret URI itself. If you are only given a QR code to scan, you can use a QR scan app to extract the URI string (I use "QR Droid" on Android).
It looks like:
otpauth://totp/Example:?secret=JBSWY3DPEHPK3PXP&issuer=Example
You can also, optionally, snap a picture of the QR code and back that up securely (USB key you keep in the safe), so it can be re-scanned on another device in the future.
I have all my Google Authenticator secrets on my mobile phone, and also cloned onto my tablet which never leaves my home. As well, stored on my Google Drive in encrypted Password Safe notes.
How about Password Safe?
It's open source, capable of 2FA and can be used on multiple platforms. It syncs the stored safe with Dropbox and has a secure note function.
I don't know if there's a Safari extension (someone may have built one)
> and like an idiot, I forgot to write down the password.
In other words: the $20,000 password management lesson. I suggest you also add back-ups to it.
Good info in general, except I personally would not recommend an online password manager. Online sites are routinely hacked, including LastPass, the very one you linked.
I would recommend KeePass or PasswordSafe or KeepassX - all of which are open source (great for trust in its security and future) and very widely used. Even if they are hacked, it is not a centralized collection of user information and passwords.
Also, your advice about creating good passwords is redundant since that's the job of the password manager. You almost never have to think about it and computers are much better at generating strong passwords than humans.
> Thanks man. So the idea that at some future date I am being judged in a court and someone could search out my Internet history and see 'ah, he admitted a mental illness' that's not going to happen, right.
No one is going to do that. The first step is to check whether you are engaged in any sort of illegal activity. If you are not, then you have no reason to worry. It's not illegal to have a physiological disease and, for the same reason, it's not illegal to have a mental illness.
Of course, even if you are not involved in illegal activity, you may find governmental and private-corporate snooping to be extremely distasteful, as many people do. You can take concrete steps to ease your general privacy concerns. Get a "non-smartphone", e.g. a standard flip-phone. Try to do most of your Internet browsing at a public library, where there are actually some legal protections against active invasions of your privacy - any government agency spying on an individual's Internet use in a public library is opening themselves up to a massive first-amendment lawsuit. Lurk more and post less often. Use strong passwords and use a different password for every online account. You can use a password utility like PasswordSafe to help you keep your passwords organized. Finally, think about getting involved with an online privacy-promoting organization, such as Tor or EFF. Knowing that there are others out there who share your privacy concerns and knowing that you are helping to protect not only your own privacy but the privacy of others may help relieve some of your feelings of paranoia, feelings that can be difficult to battle in the post-Snowden era.
As far as desktop applications are concerned, KeePass and Password Safe are open source and can work entirely offline. You do lose the advantages of browser and mobile integration, although as mentioned here, there are third-party extensions and apps available.
I switched from LastPass and aside from the initial one time effort of cut & paste from that database, never looked back. I use Keychain for all normal web passwords, but pwsafe allows me to add notes so I can put all loyalty membership notes and whatnot in the entry.
I've had success with https://pwsafe.org/ (open source, free) combined with cloud file storage (Google Drive/OneDrive/Box/Dropbox/pCloud etc.) for the password store, so I can access my lockbox on all of my devices.
My DBA made me get a password manager because I kept forgetting my DB password.
An encrypted safe might be overkill for most folks, but pwsafe has some really handy copy/paste functions.
I personally prefer passwordsafe aka pwsafe. https://pwsafe.org
Then
bindsym $mod+k [app_id = "^pwsafe$"] scratchpad show
I have once audited the code myself years ago and it was a project started by Bruce Schneier. https://www.schneier.com/academic/passsafe/
When it comes to security I generally prefer not to trust anything that looks fancy, it might signal deception or at least where priorities and competencies lie.
My DataBase Administrator made me get a password manager, because he didn't want to reset my DataBase access again. Changed my life forever. Never going back. Password manager all the way.
P.s. https://pwsafe.org/
I currently use KeePass 2 for my personal passwords and Password Safe at work. Both of these keep their password databases on your local system, so they aren't dependent on an online service. That does, however, make synchronization difficult between devices. So something like LastPass would probably be better for most people because it handles cross-device synchronization and has actual consumer-level support. I believe it also has better integration with web browsers, making it easier to fill in passwords, so those are things to consider too. Because I haven't used LastPass, I hesitate to 100% recommend it, but there are several products like it and it's easy to find comparisons of the different available products online.
I recently switched jobs and Password Safe is the approved password manager at my new place of employment, so I've only been using Password Safe for a few months. It seems fine, but I prefer KeePass, although they are very similar in terms of features and functionality.
I've used KeePass for quite a while, for about the last 15 years. My approach for dealing with synchronization across devices is to store the database on Google Drive and access it from there. That sounds easy, but I have to admit that setting it up was a bit of a pain. Oh, I also only use Windows and Android devices, so I'm not sure if it supports Apple products.
One other thing worth mentioning is that most of these password manager tools are flexible enough that you can keep other information in them too, like SSNs and credit card numbers. Again, I'm not sure about all of them, but that's certainly true of KeePass and Password Safe.
My personal choice is Password Safe as it has no online functionality so I know it isn't sending my passwords anywhere and it's all stored locally. It also has an Android version for your phone with the same functionality of nothing going online.
There are a plethora of others out there though, Password Safe just does everything I need it to do.
Anything based on psafe3 (https://pwsafe.org/). There's a lot of different clients for different operating systems, personally I use Strongbox on MacOS (https://apps.apple.com/us/app/strongbox-password-safe/id1270075435).
A password manager is a program that replaces that piece of paper you have all your passwords written down on. They are stored in encrypted format, so the only way to get them is to use the password for the password manager. This becomes the only password you have to actually memorize.
When you want to log in somewhere, you pull up the password manager. It copies the password to the clipboard (typically by double-clicking on a list), and you paste it into the password field.
I started using one a few years back. It's one of those simple things that really does change the way you do things for the better. Now when someone asks me to log in, I'll create an account, generate a password, and save it. Months later, I can log back in if I need to. Several times, I've gone to create a password and discovered I already had one.
There are some that are implemented as websites, so that you can get your passwords everywhere, and don't have to worry about backing up the list. You generally have to pay for those. Some are standalone programs, of which some are free.
I use a free one (Password Safe), which means I am responsible for keeping a backup of my password list.
I've heard people recommend LastPass, and I'm sure there are others.
For anyone trying to break the cycle of re-using passwords across different sites, especially when it comes to non-2FA sites, try a tool like PasswordSafe that stores your passwords and the accounts/sites they belong to.
Passwordsafe stores a file of all your passwords on your local machine that is encrypted. The file is locked behind a password. To me it is important that it is stored locally, because that means there is no website account to be hacked and expose all your passwords. Someone has to gain access to that local file on your computer and decrypt it, which is a very small percentage of the security breaches that are happening. Once you begin using a tool like this, you can easily use unique 20-character passwords of complete gibberish and high complexity for your logins, because you no longer have to remember it or type it by hand.
Personally what I would do is, for all my low priority accounts like streaming services or stores, use Passwordsafe exclusively to login and create/store complex passwords there. For important accounts like my bank or email, use strong, unique passwords I can remember, so that if I can't access my Passwordsafe I can still log in manually to those. You can probably be more lenient on password complexity for sites with 2FA, but still, the stronger the better.
Check it out, it's well known software, designed by Bruce Schneier. You can build your own copy so you know that the binary is clean, and at least dozens of experts have dissected this code.
I've been using Password Safe for a while now and I really like it. I keep the file it generates in my Google Drive Folder and I get access to all of my stuff across PCs and phone/tablet.
I have my password manager database on my phone, and it syncs with the master copy. All encrypted at rest and in transit. Super low tech - Password Safe.
PasswordSafe was originally designed by Bruce Schneier.
FWIW, with any Google-Authenticator 2FA, you can always show the 'secret' by using a QR app to decode and display the string.
Example:
otpauth://totp/Example:?secret=JBSWY3DPEHPK3PXP&issuer=Example
I maintain the 'secret' in the secure notes of my offline password manager, Password Safe, so I can reproduce the QR code later if necessary (e.g. backup device) using offline QR generator.
This also allows me to customize the labelling.
NEVER USE ONLINE PASSWORD / SECRET / QR CODE GENERATORS!
Get passwordsafe then they only have to remember one passphrase.
For that I tell them to remember a favorite fairy tale from childhood. Take the first letter of the first four words then their favorite number then the first four letters of the next word.
Write that down and put it somewhere safe and put all the other username/password combos in the safe.
I just use PasswordSafe which is free and I don't have to worry about someone else's service getting hacked and all my passwords being stolen.
You create a password database file, put it in your google drive, dropbox etc and it'll sync between devices. There's an android app (probably iPhone too).
The one that you'll use.
I used Password Safe not the other one for quite a while but eventually I got fed up with the constant sync issues between my PC and Android phone.
So I switched to KeePass, which also has an Android client and much better integration for sync'd safes over stuff like Dropbox.
Haven't used any others. So I can't comment on them.
... or snap pictures of the QR codes and backup those.
Personally, I keep the text string secrets in the notes of my Password Safe, an opensource, cross-platform, non-cloud based system.
EDIT: To clarify, you can get the secrets strings by using a QR scanning app (like "QR Droid" for Android). The URI secret string looks like:
otpauth://totp/Example:?secret=JBSWY3DPEHPK3PXP&issuer=Example
Actually ... you can back-up the Google Authenticator secrets.
They are just text strings, which you can easily convert to a QR code, and share them across devices.
I keep them in my Password Safe notes.
Or worse, just snap a picture of the QR code and back it up securely (like a USB stick chained to your desk).
I've recently switched to pwsafe. Open source, portable, ported to every major platform I or my family uses, no cloud sync, no automagical keyboard or browser integration, originally designed by Bruce Schneier. https://pwsafe.org/ I manually copy the encrypted "safe" files between devices by backing them up to cloud storage and then downloading whenever I need a more recent password.
There was a bad vuln found in the Mac Keychain app last year.
https://blog.malwarebytes.com/cybercrime/2017/09/keychain-vulnerability-in-macos/
I recommend Password Safe https://pwsafe.org/, although it is a paid app on Mac.
pwSafe is an official clone of the Open Source Password Safe. Password Safe is for Windows and pwSafe is available for iOS and macOS.
Pwsafe is open source, cross-platform and offers pretty much everything that 1Password offers. There's native apps for every imaginable platform too. Syncs with iCloud or Dropbox. No subscription.
They fixed it promptly and no passwords were leaked. Everybody's gonna have security issues sooner or later, nothing is 100% secure.
Anyway, I'm actually going with Password Safe instead. Open source, iCloud sync, no subscription, has a browser extension, user-friendly interface.
I use the functionality from PasswordSafe. https://pwsafe.org It's been audited and was designed by a well known security expert (Bruce Schneier).
NEVER trust a website to generate passwords. There is no way to prove that it's not being forwarded/stored.
Previously I used Password Safe.
We had a variety of safe files (for different teams/levels of access) on a network drive. A couple issues included password duplication across safes, and only one user can have a safe open for editing.
Overall though, it worked pretty well for a small team (<20) and, if you're content with the Windows version, it's free. Make sure you have recent, accessible backups of the safe(s).
I can't recommend enough that you check out a password safe application. I've used pwsafe for years with Dropbox to sync across multiple devices, but there are also paid online services.
This way you can generate random passwords for everything and retrieve them with one single secure password.
I use pwsafe.info on Mac/iOS, which is not free, but I like that it uses the cloud and syncs to all of my devices, so when I am out and about I still have access to my passwords on my phone in case I need to log in or send a coworker login credentials to something.
This one: https://pwsafe.org/ I believe is free and looks like it has an Android app. I think it is the predecessor to the above one.
Yes, I clicked it, and downloads are listed here:
https://pwsafe.org/downloads.shtml
Tell me which download there I should trust?
They're also hosted on sourceforge, which should absolutely not be trusted for any binaries.
A password manager requires you to have a single master password to access the data in the manager. This master password is used as the encryption key for the encrypted file containing your passwords and so - assuming the encryption algorithm is secure - the only way to get at the passwords is to figure out the master password.
I personally use Password Safe because I control the encrypted file and can store it on something like DropBox. Since it's not a service like LastPass there isn't a business incentive to create an escape hatch if I forget my master password and I know that the only data traversing the Internet - if any at all - is the encrypted file.
I use Password Safe on Windows, OSX and iOS and use the built in password generator to create the passwords for sites that I use so I don't actually know what they are and all are different.
It's free for Windows and iOS but you have to pay for it on OSX. It has integration with Dropbox and YubiKey and works with TouchID on iOS.
I keep the encrypted safe in cloud storage.
I've been using Password Safe. They have a Linux beta on SourceForge. Your password database is stored locally.