Discussion about
dave

April 15th 2014 1:57 pm

Do you use a password manager?



That is a generic screenshot of 1Password. Fear not, it's not my data. :)

It seems like there's a new security breach at a different website every day. Besides being an inconvenience at best and a nightmare at worst, a particularly troubling aspect is that all these leaked passwords floating around have given hackers better strategies for cracking passwords: lifehacker.com/5937303/your-clever-password-tricks...

Everyone I talk to seems to have a different strategy for creating and remembering passwords. Some use a rotating assortment of 3 or 4, some combine birthdays and pets' names, or even create a tabula recta (I actually don't know anyone who does this, but it's a neat idea): lifehacker.com/5715794/how-to-write-down-and-encry...

Of course, there's also the XKCD password generator if you're feeling especially geeky: preshing.com/20110811/xkcd-password-generator/

If you're really smart though, you'll be using a password manager. There are a number to choose from -- some of the more prominent ones are 1Password, LastPass, KeePass, and more.

Do you currently use a password manager? I've been using 1Password for around 3 years now and I haven't looked back. Initially, it was a bit of a chore to set up and took some time to get used to the idea of not really being in control of my passwords. That said, it's been a handy tool when companies like Sony, Adobe, or LinkedIn have a security lapse and entire databases start floating around.

41 replies
mjpuczko

I finally got around to using 1password about 2 years ago. Love it. Use it on my macs, iOS devices and windows work pc. Worth the money.
5 like dislike
MaKleSoft

1Password is nice but a little too clunky for my taste and quite pricey. If you're looking for a free, open source alternative, you should take a look at Padlock: padlock.io

It's still in alpha but will be available on all major platforms pretty soon.
0 like dislike
lwdupont

1Password all the way. Best money I've spent, particularly given all these breaches.
3 like dislike
groovechicken

I still can't bring myself to use something that relies on a cloud service. I have been using KeePassX for years and really like it. I recently acquired an OpenPandora, though, and the version I have found for it is an alpha that uses the v2 database file. I am not keen on trusting my data to an alpha release of anything. So, I have been looking at options such as PortaBase, Ultimate Password Manager, and just keeping a spreadsheet inside a TrueCrypt vault. I may settle on UPM since it covers the most platforms. It isn't as good as KeePassX but it is good enough for my needs. If I had time, I would get set up to do a new port of the current KeePassX to OpenPandora, but I think it would take less time to just switch.

As to storage, I only have it on my main SD card that I use as my primary working drive and a backup on my home server. Not as convenient as LastPass or 1Password, but I feel a lot better about the situation.
3 like dislike
Dignan17

You should check out Steve Gibson's assessment of LastPass. I trust their security. Then again, I know how paranoid you are about everything.
1 like dislike
groovechicken

When it comes to account security, it has less to do with paranoia than laziness. I know the credit card companies will clear bad charges, so the cost is minimal in that regard. The biggest thing is that the thought of having to go through in a rush and change every single password for every account I have all because my passwords got nabbed is enough to make me just want to give up on the internet. The 2 full days of wasted time it would cost me is a much bigger cost than any inconvenience I am enduring in little chunks on the front end.
0 like dislike
Dignan17

youtu.be/r9Q_anb7pwg

I know that video is old, but I think it demonstrates why you'd be safe with a company like LastPass.

I've been using LastPass since before that episode of Security Now, and in that time they've had one breach that didn't involve the leak of any actual information, but they were completely up-front about it. IMO, four years of security and convenience outweighs the highly unlikely risk that I might have to spend those couple days fixing everything and resetting passwords (again, not likely).

You've gotta take some chances! The risk/reward balance here is so out of whack in this case in favor of trusting the service.
0 like dislike
groovechicken

Well, running the LastPass extension in Firefox on my Pandora isn't a great option anyway, so I am stuck here anyway at least until the DragonBox Pyra comes out to replace this.
1 like dislike
reidabook55

I love LastPass... terrific service and I really liked the way they handled Heartbleed.
0 like dislike
groovechicken

Saved by the bell! I forgot I had posted on the OpenPandora boards to see if the guy working on KeePassX still had the old version lying around. This thread reminded me to go check, and he had sent me a link to 0.4.3, which I am happily running. So, my stubborn ways can continue for a while yet. :)
0 like dislike
shavera

So I keep the db in Dropbox (which requires a password from the db itself to log in to, plus a second factor authentication), which helps make it cloud available... but it's encrypted with a key file I keep on my person physically. That might be an easier use case for you.
0 like dislike
baileylo

I use 1Password. The upfront cost was rather expensive, but over the lifetime it has proven worthwhile. When LinkedIn passwords were accessed, I lost 60 dollars on Skype (I wasn't using 1Password yet). It doesn't seem like a lot, but it could've been a lot more and it's less than the cost of 1Password. The other nice thing about 1Password: it exposes sites with bad password policies. Often sites won't let you copy and paste passwords into either field, they'll prevent you from using special characters, or worst of all they'll have password limits.
2 like dislike
Dignan17

I've been a devoted LastPass user for years now. I've looked at all the password management services out there and I just thought that LastPass came out looking the best. Their security is top-notch, and the product is very easy to use. I now have 16-character gibberish for passwords on all my sites. It wasn't hard to get started with it, and you can use it for free on desktops (merely $13/year for mobile access).

The recent feature that LastPass put out for their Android app (populating logins for your other apps) makes them, IMO, the most powerful password manager out there.

I've also been to their offices here in northern Virginia and they're a great group of people.
2 like dislike
TgD

Okay, it seems about time I should sign up for one of these. I have been a bit uneasy about changing all my passwords, but with the Heartbleed bug I think it is time I take better control.

Looking at the options mentioned in this thread, I think LastPass suits my needs best. I want it to work on all mobile platforms (iOS, Android, Windows Phone, BB10) because I switch between all of these quite often.

Mac and Windows support is required too.

1Password looks nice, but it only supports iOS and Android. It seems like a grey area for their Android app to work on BlackBerry 10, and no chance of it working on Windows Phone.
1 like dislike
frankspin

LastPass is certainly the most universal
0 like dislike
joelhamill

I'm a happy LastPass user. I can't even imagine trying to remember the passwords for all the sites that make you create an account. Everything and every site wants you to create an account now.
1 like dislike
Met

I don't like the idea of not remembering your passwords. I try to remember my passwords, while making them odd and long enough to be secure. 1Password is more of a reference for me.
1 like dislike
shavera

I've been using KeePass for a few months now.
1) all my files are local. No "will they hack the other server" bs. If my files get out there, that's my own fault then.
2) My files are encrypted with a combination key file and password. I only keep the key file on one piece of hardware. So it's unlikely that someone will get the key file and my password and my password database all together.

Downside: I'm now primarily a Linux user and it seems like it was entirely designed around Windows use. I have to use a Mac at work, and support is even worse there. (At least, far as I can tell.)
1 like dislike
lamborghini

> I only keep the key file on one piece of hardware.

That's scary. What happens if somehow the key file is corrupted on the hardware or the hardware itself goes missing?

Backing up the key file (password protected zip file maybe?) on more than one piece of hardware might be a good idea?
0 like dislike
unrealmp3

I use KeePass on my desktop (with ChromeIPass to integrate it with Google Chrome), synced through Google Drive. On my mobile device, I rely on KeePass2Android, which keeps a synced copy, so I don't even need a data connection to use it if I'm abroad.
1 like dislike
Dignan17

FYI, LastPass creates an encrypted cache of your passwords anywhere you've signed in to it. If I don't have any internet access at all I'm still able to reach my passwords.
0 like dislike
baileylo

Hey, I just came across this article by security expert Bruce Schneier, https://www.schneier.com/blog/archives/2014/03/cho.... I think some of the more interesting points in this article are the actual numbers.

> Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62%...

> A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time).

> This is why the oft-cited XKCD scheme for generating passwords -- string together individual words like "correcthorsebatterystaple" -- is no longer good advice. The password crackers are on to this trick.

1 like dislike
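
Added example (not from the article or from any poster in this thread): a signup-time check for the "root plus appendage" shape described in the quote above. The root list, the substitution table and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample roots; a real check would load a large dictionary
# plus a breached-password list instead of this handful.
COMMON_ROOTS = {"password", "dragon", "monkey", "summer", "letmein"}

# Undo common character substitutions before looking the root up.
LEET = str.maketrans("0134578@$!", "oleastbasi")

# Leading non-letters, then the root, then trailing non-letters.
_PARTS = re.compile(r"([^A-Za-z]*)(.*?)([^A-Za-z]*)", re.S)


def audit(password):
    """Return (verdict, normalised_root, appendage) for one candidate."""
    prefix, root, suffix = _PARTS.fullmatch(password).groups()
    norm = root.lower().translate(LEET)
    if norm not in COMMON_ROOTS:
        # Only this one pattern is tested; other weaknesses are not.
        return ("no known root", norm, prefix + suffix)
    if prefix and suffix:
        return ("root+prefix+suffix", norm, prefix + suffix)
    if suffix:
        return ("root+suffix", norm, suffix)
    if prefix:
        return ("root+prefix", norm, prefix)
    return ("bare root", norm, "")


def rejected(candidates):
    """Candidates a signup form should refuse: any with a known root."""
    return [pw for pw in candidates if audit(pw)[0] != "no known root"]


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["Summer2014!", "123dragon", "p@ssw0rd1", "7Kq#vT9m$Lx2Wz"]:
        print(pw, audit(pw))
```
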
HughesNet

I used to use 1Password but have had trouble juggling it everywhere and their reliance on dropbox sucks for syncing data. Recently I moved to LastPass since their Android app got the ability to auto fill within apps. I also use 2 factor authentication.
0 like dislike
baileylo

I believe the latest versions of 1Pass have supplied more syncing strategies than just Dropbox. But on iOS I'm way jealous of your ability to auto fill within apps.
0 like dislike
codebeta

I have yet to see any app in iOS do autofill for apps; LastPass mentions that in iOS it's not possible due to the way the OS is closed to a lot of things. I still use iOS and just go into LastPass to copy the password and paste it into the app or site I need to log in to.
0 like dislike
vedichymn

Anyone in particular have any good suggestions for Windows Phone users? I'm using 1password right now, but the Windows Phone client is really bad (although better than nothing). LastPass is ok, I'm almost tempted to jump back to SplashID, now that they actually have gotten their act together in terms of platform support.
0 like dislike
Dignan17

Knowing what you don't like about LastPass would help inform people about what you're looking for.
0 like dislike
vedichymn

I think it's really more about use cases. LastPass seems 100% designed from the ground up to be used as a form filling application first and foremost, which isn't what I really want. All I want is a password safe that's synced and present on every platform I use (including the web).

You CAN use LastPass as a password safe primarily, but it's super clunky compared to say, 1Password or SplashID. Otherwise though, I really like the LastPass development cadence, platform support, etc.
0 like dislike
TgD

I kind of agree with this, although I am only one day into using LastPass.
0 like dislike
Dignan17

I can see that. I started using it primarily as my password safe, and that is definitely how they started so I don't think it was built as a form filler (I've been using it for four years so I've seen it grow).

So I gather your complaint is that you don't like the presentation of the "LastPass Vault" as they call it. I can agree with that. I don't like going into that either. But the thing is, I never do. I don't really know why you would need to go into your password manager for anything. Why not just let it fill out the login information for you? I found this to be one of the best features of the service when I first tried it out. The first time that I went to a site and saw LastPass take over and log in for me I was hooked. You may not like that, but I love it.
0 like dislike
reidabook55

LastPass is hands down the best password manager available...I think this is even more so after the way they've handled the heartbleed exploit.
0 like dislike
Met

<3 1Password!
0 like dislike
Mikecron

I wasn't too fond of the idea of trusting my data to a cloud based company like LastPass or DashLane, though their products are certainly polished (and truly not very different from the system I ultimately adopted). I've been using KeePass to generate and store usernames and passwords, and then storing that file in a Tresor (tresorit.com). I feel pretty confident about the two layers of encryption. However, it does require a little more legwork (open the Tresor, open KeePass, copy the details to the clipboard and paste into the app in question).
0 like dislike
Dignan17

I'm not sure you're getting any more encryption than you would from these other services...
0 like dislike
frankspin

LastPass has its own level of encryption that it uses. While their site was susceptible to Heartbleed, they explained that encryption of data was different. blog.lastpass.com/2014/04/lastpass-and-heartbleed-...
0 like dislike
Kalastaja

I've been using F-Secure key for the last few months. Simple, easy to use, does the job.
0 like dislike
ttringle

1Password, use it on my Mac, iPhone and virtual Win 7 machine for work. Super secure; keeps my passwords and any other info secure. With it I can use much longer passwords and not have to worry about remembering them.
0 like dislike
mihai2203

good thing i stumbled upon this post. up until now i use just a password protected excel spreadsheet that i keep in my box account. in there i have the company name, website, username associated, email associated and password. some websites don't use user names so i just leave that cell blank.

what's a good app that i can access both from my android phone and from my windows laptop (soon chromebook) that's cheap and can accomplish the same thing?

my excel spreadsheet works just fine, but i wanna be a bit more modern :p

thanks
0 like dislike
MaKleSoft

You should take a look at padlock.io/. It's currently available in the Chrome Web Store and an Android version is coming very soon!
0 like dislike
Alexander202

If the password is to be hacked, it really does not matter how "strong" or "long" your password is, it will be hacked in any case.
So I really do not bother with many long passwords in different places, I stick to my one password and it has been working fine so far... hope yours stays safe too.
0 like dislike
markbravo2014

I have no idea how that works :(
0 like dislike
This discussion has been viewed 16795 times.