How Secure Are Password Managers?

The idea of a password manager can seem insecure initially, because it means that a single password will reveal the gleaming treasure of all your passwords. But using a password manager is the recommendation of experts.

And if you use the same password everywhere, like many folks do, all of your passwords would be exposed if even the weakest link was broken. (Note: the weakest links are broken with morbid regularity.)

I had some concerns when I first heard about using a password manager, but I have been using KeePass for years and rest easy at night. Let’s dig a little deeper so you can too.

Alternatives

  • Same password for everything – one site is exposed and the jig is up
  • Try to memorize dozens of long, hard-to-remember passwords – nearly impossible
  • Password card – not bad, but tedious
  • Saving passwords in your browser

None of these alternatives work as well as a password manager, or scale to hundreds of passwords. It’s not to say you should never use them, just that for the balance of convenience and security, a password manager wins out.

Attack vectors

  • A web site you use is hacked, revealing your password
  • Keylogger
  • Physical access to your machine

The first attack vector is depressingly common. LinkedIn, eHarmony, Gawker Media, Sony PlayStation Network and plenty more have all had their passwords exposed. When this happens, I can change my password to another random password quickly and easily. The longest part of the process is finding the option in the account settings.

A keylogger is pretty much game over if you’re typing your passwords in, but password managers make an effort to be resistant to keylogging. And if someone has physical access to your machine, a password manager keeps your passwords encrypted. If you use a relatively short inactivity timeout, your passwords would still be safe from prying eyes.

While no solution is perfect, a password manager gives you strong, random passwords for every login. I use KeePass, but there are plenty of options.

  • KeePass – Standalone application, free and open source
  • LastPass – Web site with browser extensions, free and paid plans
  • BitWarden – Apps save encrypted passwords to the cloud, free and open source (can be self-hosted)
  • 1Password – Paid plans only

Christmas Desktop 2017

I fear blogging has fallen by the wayside thanks to a variety of other draws on my time. But I can still post my new Christmas desktop for the holiday season.

Christmas Desktop 2017

Photograph from Pixabay.

Changing Motherboard from RAID to AHCI with Windows 7

I don’t even remember making this decision, but I recently discovered my motherboard’s storage controller was set to RAID for my SSD and spindle hard drive. I was trying to see how much life was left on my SSD after seeing a friendly reminder on Reddit. But SSDLife couldn’t see either drive. They were hidden behind a RAID configuration I didn’t even want.

When I switched from RAID to AHCI in the BIOS, Windows 7 wouldn’t boot. Fortunately, changing it back to RAID fixed that.

If you can believe it, I fixed the not-booting issue with two lines. They were registry edits I found on Microsoft’s answers site.

Here they are:

REG ADD HKLM\System\CurrentControlSet\Services\msahci /v Start /d 0 /f /t REG_DWORD
REG ADD HKLM\System\CurrentControlSet\Services\atapi /v Start /d 0 /f /t REG_DWORD
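As an added example that is not part of the original post, this PowerShell snippet (assuming an elevated session on the Windows 7 machine) reads the current Start value of the msahci and atapi drivers before anything is changed, exports a backup of each key, and only with the -Apply switch makes the same edit as the two REG ADD lines above, then reads the value back to confirm it took.

```powershell
# Added example (not from the original post): inspect, back up and optionally set
# the boot-start flag on the msahci and atapi drivers before switching the BIOS
# storage controller from RAID to AHCI. Assumes an elevated PowerShell session.
param([switch]$Apply)

$services = 'msahci', 'atapi'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($name in $services) {
    $key = Join-Path $base $name
    if (-not (Test-Path $key)) {
        Write-Warning "$name service key not found; this driver may not be installed."
        continue
    }

    # Start = 0 means boot start (loaded by the boot loader); 3 means on demand,
    # which is why Windows could not see the disks after the BIOS change.
    $current = (Get-ItemProperty -Path $key -Name Start).Start
    Write-Host ("{0,-8} Start = {1}" -f $name, $current)

    if ($Apply -and $current -ne 0) {
        # Keep a .reg backup in %TEMP% so the change can be reverted by double-clicking it.
        $backup = Join-Path $env:TEMP "$name-Start-backup.reg"
        & reg export "HKLM\SYSTEM\CurrentControlSet\Services\$name" $backup /y | Out-Null
        Write-Host "  backup written to $backup"

        Set-ItemProperty -Path $key -Name Start -Value 0 -Type DWord
        $after = (Get-ItemProperty -Path $key -Name Start).Start
        Write-Host ("{0,-8} Start now {1}" -f $name, $after)
    }
}

if (-not $Apply) {
    Write-Host "Dry run only. Re-run with -Apply to set both drivers to boot start (0)."
}
```

Run it once without -Apply to see what the drivers are set to now, then with -Apply before rebooting into the BIOS to change the controller mode.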

I’ve heard people claim commands like these are magic. I know better than to make that claim myself, but I have to admit, going from not booting to a fully working system without RAID enabled felt like magic. I love it when a plan comes together.

It could be my imagination, but even after a day of having switched over to AHCI, the SSD and the spindle drive both feel much snappier. I didn’t run any benchmarks, but everything on my system feels lighter and faster. I like it.

And the good news is, at least according to SSDLife, my SSD has another 8 years left (taken with a large grain of salt of course).

SSDLife results for my SSD

I was surprised to see it’s only been powered on 58 times in 5 years. That’s probably due to monthly Windows Update reboots. Windows reliability has come a long way.

Christmas Desktop 2016

As I’ve done in previous years, here’s my Christmas desktop for this year.

Christmas Desktop 2016

I used DesktopSnowOK, which is nowhere near as good as Xsnow on Linux, but it’s something.

The falling snow blends so much with the background it’s hard to even tell it’s there.

How I Saved Over $1,000/year With EmailOctopus

MailChimp vs EmailOctopus pricing

I’ve been using MailChimp for my Riddles and Brain Teasers site for the past five years. When I first started, it was free. Then it bumped up and leveled out at $50/month. I was okay with that.

The price began another ascent when the list reached 5,000 subscribers. It leveled off at $75/month and I was somewhat okay with that.

In the past few months I’ve been going up the third staircase. It’s longer and steeper than the first two and it’s painful. Every 200 subscribers adds $5/month, and I was heading for $150/month. Halfway up the staircase, I was no longer okay with it. I couldn’t justify paying $150/month to send out a monthly newsletter.

So I began my search through nearly a dozen alternatives, and last month my search ended at EmailOctopus, which uses Amazon SES behind the scenes. I will be paying $35/month until I reach 100,000 subscribers. That would have cost me $500/month with Mailchimp.

If anyone from Mailchimp comes across this, my suggestion would be to stop the $5 bump for every 200 subscribers. It’s frustrating and feels unfair when you’ve been adding thousands of subscribers and remained at the same price. I felt like I was being punished every time I bumped up a step. The 10% discount for enabling two-factor authentication was appreciated, but not enough.

Instead, keep it simple:

5,000 subscribers = $50
10,000 subscribers = $75
25,000 subscribers = $150

One Month Later…

Now that I have a successful campaign under my belt, I am pleased to report that my first campaign with EmailOctopus had similar click and open rates as Mailchimp (even higher on open rates). The higher open rate could have been due to the new email template I used, but at least I know deliverability isn’t suffering with Amazon SES.

The migration was painless. I exported the list from Mailchimp, imported it into EmailOctopus and requested Amazon increase my sending limit, which they did in a matter of hours. It was also simple to enable DKIM on the domain in Amazon SES.

EmailOctopus doesn’t have as many features as Mailchimp, but they have the essentials that I use, like autoresponders, scheduled campaigns, subscription forms, unsubscribe support and campaign analytics. Plus they’re adding new features. Since I created my account they’ve added email templates and two-factor authentication. Their customer support has also been responsive and helpful.

And I love the price!