Does the average user really need a password manager?

Hi,
I'd describe myself as an average tech savvy computer user. I have many accounts in forums, shopping sites, etc where I recycle two moderately strong password with small variation. These are account where I don't care if anybody gains access to them and that's why I have them saved in the browser's password manager. For example, I don't care if somebody gains access to my Alfa Romeo forum account or my Deal Extreme account because they can't do me any harm.
Now for my internet banking and main email, it's a different story. I use a strong password for my internet banking which I DON'T recycle and don't have it saved in my browser password managers. For banking transactions I use a hardware token. For my gmail I use a two-step verification with another strong password.
To me that sounds like a secure enough method where I'm keeping what's important safe and at the same time I'm not clogging my mind with too many passwords or worrying about what the latest security breach in my password manager would be.
Thanks!

 

Long rant ahead :

Average user not really...the average user perhaps does not even need a VPN or a password manager.

If your however privacy conscious and aware of adversaries,NSA, Governments etc who track just about everything via facebook and google and Gmail then you can protect yourself better. Always ask yourself what would an adversary do with your contents of your hard drive ?

Using stronger passwords and changing them obviously helps, but if your for example going to use the same password on every forum and website then you might as well leave your front door open....or if your going to connect to a forum with your real ISP IP address same thing...

A few wilders on here change their name and password on a regular basis, perhaps a good idea. Some change VPN providers or VPN chain them, some change email providers regularly also.

If you think about it in this age of technology and with hard drives and storage, one is literally giving anyone be it friend or foe information of ones brains contents handed over to them. A bit like a brain in a pickle jar.

So why make it easier for anyone ?

Password managers I find are great, however again do you really trust say keepass or Lastpass? A always connected to internet program which has all your usernames and passwords and sites you visit ? How easy would it be for someone to get that information and say this member called "steve87" posted something illegal, lets now email this to the authorities.....

Still if your just doing the basics and nothing criminal and under a VPN then all good, but the paranoia in me again thinks what if I connect to a password manager or anything else with a naked internet connection and an adversary could put real IP with VPN IP and forum user member name and link all 3

Bottom line, protect your privacy and security always.

 

First, as an average pc user may I ask what a VPN is in simple terms? As for a password manager, I use Keepass. It isn't directly connected to the internet, and I use it solely for logging my many passwords rather than listing them on paper. I often have to retrieve an ID and password when accessing an app or web site, and Keepass is easy to bring up via a taskbar icon. As for forum passwords, I confess that I use the same one for all because the forums aren't important and who cares if someone logs in on my password.

 

Same here.

 

That would depend on the particular user. The average user is not monolithic, as each user will have their own needs, security concerns, abilities, comfort zone, etc.

 

Correct me if I'm wrong, but doesn't a proper password manager protect you from key-loggers stealing your info when logging in to a site?
I use Sticky Password Pro - that's what Kaspersky uses. It has an anti-spy function that protects your master account password against screen-scrapers, too.
http://www.softpedia.com/reviews/windows/Sticky-Password-Pro-6-Review-272470.shtml

 

I'm prepared for other Wilders members to correct me, but I think something like what you're doing is reasonable. You want your email password to be unique and secure, because your email is often a tresure trove of personal information. You obviously want any financial services sites to have unique and strong passwords. In addition, you better be sure to never use real answers to security questions for any sites.

I think you want a good password for shopping sites also, because they contain your name, address, etc. So they make you subject to identify theft (you'd be surprised by the sort of unending nightmare you can get into with people who have surprisingly little personal information about you). Whether you need a different password for every shopping site, I don't know. If they all contain basically the same information, then I suppose once one site has been compromised it doesn't make a difference if they all are (except going and changing the password for every site will be a pain).

For online forums, I agree. Who cares if someone pretends to be some screenname I created for an online forum? I don't even know if this is me typing this right now.

I do think you don't want to leave yourself permanently logged into any webmail accounts, unless you don't care if someone else gets into them. In that case, for something you use frequently, a password manager can simply provide convenience.

So I think your methods sound pretty good and certainly better than what the vast majority of users do. A password manager could improve your security, if you wanted to. You could have passwords that are much longer and more secure than you're likely to remember. Ditto for security questions. And by having a different password for every site, you save a lot of hassle if one site gets compromised.

I personally would not use a service like LastPass. They're a good, honest, service, I think. But I just don't trust having all my passwords stored online. Last pass was already compromised once. They were very open about what happened and correcting it, but still, it's just a risk I don't see the point of taking.

*

This is perhaps a dumb question, but I've been wondering. If one has a screen name in a forum that has been used with one's regular IP address and then subsequently starts using a VPN service, does it basically totally defeat any privacy gained, because the old IP address associated with the screen name can now be correlated with the IP address of the VPN service?

*

They're not invulnerable, but they do improve your risk of being keylogged.