Password Management

captaink

I'm pretty sure my passwords to multiple sites have gotten out there in some fashion, and I need to go about setting new ones basically everywhere.

What's the best way to do that these days? I need to get unique ones per site, but I also want them to not be a total pain in the ass to input on phones, consoles, etc. Management through my phone or gmail/drive account would be a massive plus.

GnomeTank

I don't know about best, but I swear by LastPass. You have to pay a small premium fee to have it on all your devices (it's 12 dollers a year). It's very actively developed and has some great features (like easily generating long random passwords, even with filters like "easy to remember" and "easy to say"). I have it installed on everything. My iPhone, my iPad, my MacBook, my work PC, my home PC. It integrates with all the major browsers on PC, Mac and Android (iOS is obviously a walled garden when it comes to that stuff, so I have to open LastPass and copy passwords out, which is annoying but not LastPass's fault).

In 2015 their master password database was compromised and they notified all users within hours and their encryption on the database was so strong that to date no known master passwords have been broken because of the compromise. As a professional in the industry I know compromises can happen, but their response to it and use of incredibly strong encryption that even they can't recover (it's one way) is very professional and gives me more trust in them not less.

It's one disadvantage is that it only does local caching of your password database, which is stored heavily encrypted in the cloud. So if you are without an internet connection you can only access the passwords you've used recently. I personally feel it makes up for this in raw convenience and the trust I have in their security, but some people prefer a more bespoke solution using their own cloud storage, generally using something like KeePass.

Links:
https://lastpass.com/
http://keepass.info/

fightinfilipino

i'm a big fan of 1Password, although i started using it before they moved to a per-month billing model. i guess i'm lucky, i paid like $30 for a single license that allows me to install 1Password on all of my Windows-based devices. the current pricing is $2.99/month, or what seems to be a one-time license fee of $65. matching Android/iOS apps are included.

1Password allows you to store the associated keychain using Dropbox (built-in) or another syncing service (through allowing you to select the shared folder). 1Password also has a centralized server where you can store the keychain. this has an advantage over cloud-based services since your whole password file (or at least the most recently synced file) is available to you. it's also more secure - encryption/decryption happens at the local device level and is never transmitted.

i've got PCs and Android devices, and the device intergration is top notch. the 1Password Android app in particular is really nice; it's set up as a "keyboard" in Android - you enter in your master password, and 1Password either autofills your username/password in the mobile app or browser, OR in some cases, you just find the matching account from a list and it then fills in the username/password.

1Password does have a free trial, so you can check it out before deciding.

dporowski

1Password is the shit. I've only used it on iOS, but it's awesome, and at least if you just want to use "iOS", it's free for basic use which includes sync between iOS devices.

Just... Do NOT lose your master password. If you do, everything is gone, gone, gone; there is explicitly no means to recover/decrypt your vault.

Edit: Oh, and it does integrate with iOS, so if the app/etc supports it, you get autofill.

bowen

I also use 1password

Synthesis

Another vote for 1Password--I didn't know they went over to a subscription model, I just bought licenses twice--once back on Windows 7 (and Windows 8), and then another time when they did a major update for Windows 10. My only complaint is that to sync with my phone, the phone app insists on using Dropbox, which I fucking hate for other reasons I won't go into detail here, which means I have to keep using Dropbox on my PC as well, but I guess that's the price of free service across devices.

Nightslyr

I use Keepass

Casually Hardcore

I use keepass and store my database in Dropbox (which is protected by a heavy ass password and 2 step verification)

GnomeTank

LastPass does the same local encrypt/decrypt thing that 1Password does. It's basically how any good password manager should work at this point. The encryption keys are generated from your master password and never leave your devices.

This is explicitly why they are not recoverable and why you CANNOT forget your master password or you're screwed.

tsmvengy

I use LastPass. Works very well, they have a two-factor authentication app as well for phones. One of the cool things about the phone app is that it now just pops up a check box for you to click, rather than showing you the numbers to type into the little box on your PC. Makes for much faster two-factor logins.

GnomeTank

I should switch to LastPass's two factor, but I currently use GoogleAuth for everything that allows me to.

wunderbar

for two factor I use Authy, becuase it allows sync of the codes between devices. There's even a chrome app so when I need to enter a 2FA code on my PC I can just copy/paste it from the chrome app.

bowen

GnomeTank wrote: »

I should switch to LastPass's two factor, but I currently use GoogleAuth for everything that allows me to.

google auth is the best

I also wish more places accepted amazon payments too, I wish I could buy everything through amazon and get them sick reward points

Darkewolfe

bowen wrote: »

GnomeTank wrote: »

I should switch to LastPass's two factor, but I currently use GoogleAuth for everything that allows me to.

google auth is the best

I also wish more places accepted amazon payments too, I wish I could buy everything through amazon and get them sick reward points

Hang on, if you buy something with amazon payments you get amazon points, even if it's another vendor?

bowen

Darkewolfe wrote: »

bowen wrote: »

GnomeTank wrote: »

I should switch to LastPass's two factor, but I currently use GoogleAuth for everything that allows me to.

google auth is the best

I also wish more places accepted amazon payments too, I wish I could buy everything through amazon and get them sick reward points

Hang on, if you buy something with amazon payments you get amazon points, even if it's another vendor?

I could use my amazon card and I got reward points for it.. at least on the thing I tried to buy.

Darkewolfe

I have an amazon card. Didn't realize using amazon payments in that way might give points.

And on topic to the thread, I am terrible. I have debated over doing KeePass with my DB stored on my google drive (operating under the assumption that my personal gmail is less of a target than the LastPass servers) vs just going LastPass.

And I've been doing this for like two years now.

Kendrik

bowen wrote: »

GnomeTank wrote: »

I should switch to LastPass's two factor, but I currently use GoogleAuth for everything that allows me to.

google auth is the best

I also wish more places accepted amazon payments too, I wish I could buy everything through amazon and get them sick reward points

For reference, you can use Lastpass 2F for anything that Google Auth works with. The primary advantage to Lastpass is that if you use the lastpass browser plugin's it can do the "Click the Checkbox on your phone to allow" thing that tsmvengy was talking about.

And I'm fully bought in on Lastpass. Sure, you're technically more exposed by trusting their servers as opposed to your own (because if you use cloud storage to share your Keepass database then you're still trusting a 3rd party) but it's a fair trade to me for the convenience. Add the fast and open response to potential exploits that they have shown and I'm good.

Mercade

+1 for 1Password. I was so averse to password management apps before, but their interfaces on Win/OSX/iOS are slick and they all sync up nicely. Definitely worth the money for added peace of mind.

Uselesswarrior

GnomeTank wrote: »

LastPass does the same local encrypt/decrypt thing that 1Password does. It's basically how any good password manager should work at this point. The encryption keys are generated from your master password and never leave your devices.

This is explicitly why they are not recoverable and why you CANNOT forget your master password or you're screwed.

Not actually true for LastPass, see https://lastpass.com/support.php?cmd=showfaq&id=375

Inquisitor77

I have used LastPass for years. It's only gotten better since then, and it's well worth the cost.

furlion

I use KeePass,it works for me and is free which is the main draw for me.

Uselesswarrior

The thing to be very aware of when using Keepass (or any local password db) is that file corruption is very real. Luckily Dropbox has a revert option, but it's very easy for that file to get corrupted on one machine and distribute to everything it's sync to.

Unknown

This content has been removed.

fightinfilipino

i looked at KeePass before, but there were only third-party options for Android syncing, and no autofilling in Android to speak of. has that changed?

the third-party part was especially a bummer; the fewer parties having access to my passwords the better.

a5ehren

If you need mobile sync, the paid options are really the way to go. You can get KeePass to work for that, but it is a pain compared to LastPass and 1Password.