
Thread: Password Managers

  1. #46
    Join Date
    6th May 2012 - 10:41
    Bike
    invisibike
    Location
    pulling a sick mono
    Posts
    6,054
    Blog Entries
    4
    solid but:
    Quote Originally Posted by Hoon View Post
    Web/Server administrators of the site you have joined can extract your password at will.

    not true. most passwords stored server side are encrypted and cannot be "recovered" and that's why:

    Quote Originally Posted by Hoon View Post
    ...anyone that gains access to this can also "forgot my password" on any site you are registered to and reset the password

  2. #47
    Join Date
    31st March 2005 - 02:18
    Bike
    CB919, 1090R, R1200GSA
    Location
    East Aucks
    Posts
    10,494
    Blog Entries
    140
    Quote Originally Posted by Hoon View Post
    For level 3 and 4 passwords be sure to use strong passwords that will not be rejected by sites for not being complex enough.
    Interesting and annoying thing here... two banks (went from National to ASB) wouldn't let me use characters such as #, &, % etc in my password... rather annoying that a password is too complex!
    Quote Originally Posted by Jane Omorogbe from UK MSN on the KTM990SM
    It's barking mad and if it doesn't turn you into a complete loon within half an hour of cocking a leg over the lofty 875mm seat height, I'll eat my Arai.

  3. #48
    Join Date
    3rd December 2002 - 13:00
    Bike
    1991 Kawasaki ZXR400L1
    Location
    West Auckland
    Posts
    841
    Quote Originally Posted by Akzle View Post
    not true. most passwords stored server side are encrypted and cannot be "recovered" and that's why:
    This is dependent on the user management web software that the web/server admin chooses to use. Some may use industry standard and compliant methods while others can create their own, storing passwords in a text file if they choose.

    Aside from that there's a multitude of ways an unscrupulous web/server admin can access your password. The most obvious ones are:

    • On non-https sites your password is sent in clear text and can be read by a packet sniffer/logger running on the web server... there's a funny story at our work (large IT company) where a colleague sniffed out another colleague's NZDating credentials, created a false profile and resulted in him being stood up at the airport arrivals gate holding a bunch of flowers.
    • Web admins can easily recode the login page to do whatever they want with your password.
    • If the admins really want access and aren't concerned that you'll find out then they can just reset your password (and explain it as a corrupted user database if they needed to)


    Most people don't realise that their data belongs to the web admins. They have full control over the website and everything in it. Only law and company policy prevent them from abusing this but it only takes one pissed off IT worker to go postal or give in to temptation and compromise your security. This happens more often than you'd think.

  4. #49
    Join Date
    10th December 2005 - 15:33
    Bike
    77' CB750 Cafe Racer, 2009 Z750
    Location
    Majorka'
    Posts
    1,395
    Quote Originally Posted by Hoon View Post
    This is dependent on the user management web software that the web/server admin chooses to use. Some may use industry standard and compliant methods while others can create their own, storing passwords in a text file if they choose.

    Aside from that there's a multitude of ways an unscrupulous web/server admin can access your password. The most obvious ones are:

    • On non-https sites your password is sent in clear text and can be read by a packet sniffer/logger running on the web server... there's a funny story at our work (large IT company) where a colleague sniffed out another colleague's NZDating credentials, created a false profile and resulted in him being stood up at the airport arrivals gate holding a bunch of flowers.
    • Web admins can easily recode the login page to do whatever they want with your password.
    • If the admins really want access and aren't concerned that you'll find out then they can just reset your password (and explain it as a corrupted user database if they needed to)


    Most people don't realise that their data belongs to the web admins. They have full control over the website and everything in it. Only law and company policy prevent them from abusing this but it only takes one pissed off IT worker to go postal or give in to temptation and compromise your security. This happens more often than you'd think.
    Not to mention just because it might be stored in an encrypted format doesn't mean it can't be un-encrypted, either by the website owner or someone who manages to gain access to the database.
    I love the smell of twin V16's in the morning..
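
Added example, not part of any post in this thread: the storage question argued in posts #46 to #49, shown as a salted one-way hash record that a site can verify against but never decrypt. The function names, record format and iteration count are assumptions chosen for illustration, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the string a site would store instead of the password."""
    salt = secrets.token_bytes(16)  # per-user salt: equal passwords differ on disk
    # Hashing works on bytes, so characters such as # & % need no restriction.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the hash from the login attempt; nothing is ever decrypted."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        expected = bytes.fromhex(dk_hex)
    except (ValueError, OverflowError):
        return False  # malformed or tampered record
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def needs_rehash(record: str) -> bool:
    """True when a record predates the current work factor (upgrade at next login)."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdecimal() or int(parts[1]) < ITERATIONS

if __name__ == "__main__":
    rec = make_record("c0rrect#horse&battery%")  # constructed sample password
    print(rec)
    print(verify("c0rrect#horse&battery%", rec), verify("guess", rec))
```

A record like this only lets a database reader test guesses; a scheme that encrypts with a key the server holds stays recoverable by whoever has that key. It does nothing about the other routes listed in post #48, such as a modified login page or traffic read on a non-https site.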
