Looking for a password manager
So, my delightful, brilliant, amazing husband has finally agreed that having to reset his and our shared passwords because he can't ever remember them, and locking me out of all of our accounts on a regular basis, should be a thing of the past, and I'm pretty excited about it!
I've heard rumor that there are sites where one can save their passwords, but I know nothing and don't really trust a Google search to tell me what I need. So, here I am
I'm hopeful that y'all will be able to help us understand what's out there and how much we should trust any particular setup - e.g. is this a space where a banking password would be relatively secure?
We need something that will support both of us logging in, and my dear husband would very much like one that has an app. As I've recently won this ongoing marital wrestling match I'd like to accommodate him as much as possible, but without risking security.
UI-wise, I think LastPass works fine and I use it because their free tier is pretty well suited to my current needs. 1Password has a cleaner back end, from what I've seen, but once I was in LastPass I was too lazy to switch over.
The biggest thing is getting it and sticking with it, and making an easy-to-type but long and secure master password. When you first get started, just know that it's a bit of a project and it will be annoying. You'll be syncing passwords and clearing things out of your browser for a while. You also become pretty dependent on it once you embrace truly randomized passwords that you don't even consciously type out. You'll want to feel comfortable with whatever you pick.
Of course, if you've used your master password for anything else, and that username/password registry is hacked, someone could get access to your data. So you have to keep your master password secure and unique.
I use LastPass. It's free, with some unnecessary bells and whistles for a low-cost premium subscription. It has browser integration, stores different types of sensitive info, and has an app that integrates with your phone. You can also get a family plan.
The downsides of browser and app integration include processing overhead and managing different logins to the same domain name. It will kind of play nice with your browser integrated password management software, but sometimes will get annoying when there's conflicts. It also may pop up at annoying times when you're trying to fill in a form online that it repeatedly thinks is a login page. It works with most phone apps but not all. It had a few security vulnerabilities in the news, but nothing drastic.
If you want to use all of its features, be prepared to do some tech spring cleaning or just disable duplicate services.
I used to use KeePass, which doesn't use a cloud at all and is technically more secure but more difficult to update.
Doc: That's right, twenty five years into the future. I've always dreamed on seeing the future, looking beyond my years, seeing the progress of mankind. I'll also be able to see who wins the next twenty-five world series.
I use KeePass (version 2.33 or newer depending on the machine). The vault has a long passphrase on it. I use plugins for Chrome and Firefox, as well as plugins for more work-related things like SSH support. I also have an Android app.
The vault itself is stored on Dropbox. So if I ever needed to do a full recovery, I'd need to remember that. You could theoretically put the Dropbox password in your KeePass, but you need an origination point somewhere in there. A physical copy would suffice.
I'd go with the family plan options in your particular case. As always with this kind of thing, I point to the wirecutter article. https://thewirecutter.com/reviews/best-password-managers/
LastPass has had a history of security vulnerabilities that are well detailed on its wiki page. For that reason I would not recommend it.
I would recommend 1Password, Bitwarden or KeePass. 1Password is the one I use and it's quite easy.
Steam: CavilatRest
Many thanks, guys!
What browser plugins do you use? Your setup is almost identical to mine, sans plugins.
Depends on the machine.
If the mods are okay leaving this open until tomorrow, I can give my work loadout?
Here at home, I use Database Backup, KeeAgent, and KeePassHTTP on the main KeePass and ChromePass in Google Chrome.
The nice thing about KeePass is that your phone probably has an app for it. On the iOS ecosystem, MiniKeePass works pretty well.
Cloud storage defeats the purpose of secure password storage imo.
I'd get something offline, duplicate the data file on two devices, and then merge the datafile every so often.
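The "duplicate the data file on two devices and merge every so often" approach above is what KeePass's own synchronize command does: match entries by UUID, keep the most recently modified version, never silently lose the other copy, and only honour a deletion if nothing newer exists on the other side. The following is an added example illustrating that merge logic, not KeePass's code; the entry layout (uuid, username, password, modified as ISO-8601 UTC, an optional history list) and the per-vault deleted map are assumptions for the example, and the two sample vault snapshots are constructed here.

```python
from datetime import datetime, timezone

# Entry fields assumed for this example (not the real .kdbx schema):
#   uuid, title, username, password, modified (ISO-8601, UTC), history (optional list)
# A vault snapshot is {"entries": [...], "deleted": {uuid: deletion_time}}.


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _old_version(e: dict) -> dict:
    """The fields worth keeping when an entry loses a merge."""
    return {k: e[k] for k in ("username", "password", "modified")}


def merge_vaults(a: dict, b: dict) -> dict:
    """Merge two offline copies of the same vault.

    Rules (the same principle KeePass synchronize uses):
      * entries present on only one side are kept;
      * when both sides have an entry, the newer 'modified' wins and the older
        copy is appended to history instead of being dropped;
      * a deletion wins only if it is newer than the surviving entry.
    """
    merged: dict[str, dict] = {}
    for snapshot in (a, b):
        for entry in snapshot["entries"]:
            uid = entry["uuid"]
            current = merged.get(uid)
            if current is None:
                merged[uid] = dict(entry, history=list(entry.get("history", [])))
            elif _ts(entry["modified"]) == _ts(current["modified"]):
                continue  # identical on both sides, nothing to reconcile
            else:
                if _ts(entry["modified"]) > _ts(current["modified"]):
                    newer, older = entry, current
                else:
                    newer, older = current, entry
                merged[uid] = dict(newer, history=current["history"] + [_old_version(older)])

    # take the latest deletion time recorded on either side
    deleted: dict[str, str] = {}
    for snapshot in (a, b):
        for uid, when in snapshot["deleted"].items():
            if uid not in deleted or _ts(when) > _ts(deleted[uid]):
                deleted[uid] = when

    # an entry edited after it was deleted elsewhere is resurrected, not lost
    for uid, when in deleted.items():
        entry = merged.get(uid)
        if entry is not None and _ts(entry["modified"]) <= _ts(when):
            del merged[uid]

    return {"entries": sorted(merged.values(), key=lambda e: e["uuid"]),
            "deleted": deleted}


# Constructed sample: the phone copy and the laptop copy drifted apart.
PHONE = {
    "entries": [
        {"uuid": "bank", "title": "Bank", "username": "alice", "password": "old-pw", "modified": "2019-03-01T10:00:00"},
        {"uuid": "forum", "title": "Forum", "username": "alice", "password": "f0rum", "modified": "2019-02-01T08:00:00"},
        {"uuid": "ssh", "title": "Old server", "username": "root", "password": "r00t", "modified": "2019-02-10T12:00:00"},
    ],
    "deleted": {"wifi": "2019-02-20T09:00:00"},   # removed on the phone...
}
LAPTOP = {
    "entries": [
        {"uuid": "bank", "title": "Bank", "username": "alice", "password": "new-pw", "modified": "2019-03-05T09:00:00"},
        {"uuid": "forum", "title": "Forum", "username": "alice", "password": "f0rum", "modified": "2019-02-01T08:00:00"},
        {"uuid": "wifi", "title": "Home wifi", "username": "", "password": "new-psk", "modified": "2019-02-25T18:00:00"},  # ...but edited later on the laptop
        {"uuid": "newsite", "title": "New site", "username": "alice", "password": "n3w", "modified": "2019-03-03T11:00:00"},
    ],
    "deleted": {"ssh": "2019-03-02T14:00:00"},    # removed on the laptop after the phone's last edit
}


def merged_sample() -> dict:
    return merge_vaults(PHONE, LAPTOP)
```

The two cases worth checking after any such merge are the rotated password (the newer one must win, with the old one still visible in history) and the "deleted on one device, edited on the other" entry, which should survive; a merge that loses either is worse than no merge at all.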
So I clearly don't know enough about these.
LastPass, as a cloud password service, uses a cryptographic hash function to scramble your password on the client. That scrambled password is transmitted to the cloud, which checks whether the hash matches the one they have on file. If so, they send the encrypted password file to the client, where the master password decrypts it client-side.
Therefore, the key vulnerability point is not the cloud but clientside.
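The model sketched in the post above, as an added example that is not LastPass's (or anyone's) actual code: the master password is stretched on the client, split into an encryption key that never leaves the device and a separate authentication key that is all the server ever sees, and the vault travels as an opaque authenticated blob. The iteration count, the email-as-salt choice, the key-splitting labels and the sample account are assumptions for the example; the encrypt-then-MAC construction uses an HMAC-SHA256 keystream with a separate HMAC tag so it runs on the standard library alone, standing in for the AES-based schemes real products use.

```python
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000  # assumed value; real products tune this per account


def derive_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Stretch the master password on the client, then split the result.

    enc_key never leaves the client and decrypts the vault; auth_key is a
    one-way derivative sent to the server as the login proof. Holding
    auth_key (or its hash in the server database) does not yield enc_key.
    """
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ITERATIONS, dklen=32)
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"server-auth", hashlib.sha256).digest()
    return enc_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def _subkeys(enc_key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(enc_key, b"stream", hashlib.sha256).digest(),
            hmac.new(enc_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(enc_key: bytes, entries: list) -> bytes:
    """Encrypt-then-MAC; the returned blob is nonce || ciphertext || tag."""
    stream_key, mac_key = _subkeys(enc_key)
    plaintext = json.dumps(entries).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> list:
    """Raises ValueError on a wrong key or a tampered blob, before decrypting anything."""
    stream_key, mac_key = _subkeys(enc_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("vault authentication failed")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(stream_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class CloudServer:
    """What the service stores: no master password, no enc_key, no plaintext."""

    def __init__(self) -> None:
        self._db: dict[str, dict] = {}

    def register(self, email: str, auth_key: bytes, blob: bytes) -> None:
        # hashed once more, so a database dump is not itself a usable login token
        self._db[email] = {"auth": hashlib.sha256(auth_key).digest(), "blob": blob}

    def login(self, email: str, auth_key: bytes):
        rec = self._db.get(email)
        if rec is None or not hmac.compare_digest(rec["auth"], hashlib.sha256(auth_key).digest()):
            return None
        return rec["blob"]

    def dump(self) -> dict:
        """Simulates an attacker exfiltrating the entire server database."""
        return dict(self._db)


def demo() -> dict:
    server = CloudServer()
    email, master = "alice@example.com", "correct horse battery staple"  # constructed
    entries = [{"site": "bank.example", "user": "alice", "pw": "x7!Kq2#vLm9"}]  # constructed
    enc_key, auth_key = derive_keys(master, email)
    server.register(email, auth_key, encrypt_vault(enc_key, entries))

    # legitimate client: prove the auth key, fetch the blob, decrypt locally
    recovered = decrypt_vault(enc_key, server.login(email, auth_key))

    # wrong master password: the KDF yields different keys and login is refused
    _, bad_auth = derive_keys("correct horse battery stapler", email)
    refused = server.login(email, bad_auth) is None

    # attacker holding the server database: has the blob and hash(auth_key), lacks enc_key
    stolen = server.dump()[email]
    try:
        decrypt_vault(stolen["auth"], stolen["blob"])
        opened_with_stolen_auth = True
    except ValueError:
        opened_with_stolen_auth = False

    return {"recovered": recovered, "refused": refused,
            "opened_with_stolen_auth": opened_with_stolen_auth}
```

The point the thread is circling: a stolen server database leaves an attacker guessing master passwords through the KDF, which is why the master password has to be long and unused anywhere else, while a compromised client already holds enc_key and the decrypted vault, which is why the client is the weaker point.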
For the record, while my database is stored in Dropbox, it is secured with a 37-character passphrase that KeePass rates as 139 bits. I could do better, I guess, but I type that passphrase so many times during the day that I'd prefer something I can remember. So yeah, if you get access to my Dropbox, you still need to break through that in order to get my accounts.
@Nightslyr
Here at work, I'm running:
Database Backup
Favicon Downloader
KeeAgent
KeeCloud
KeePassHTTP
KeePassRPC
For Firefox, I'm using Kee Vault (which I'm a huge fan of once I got it properly set up) and Chrome is using ChromeIPass.
I am kind of upset that I installed a GPG module on my PC, because now I get conflicts between it and KeeAgent, as both use Pageant and stomp over each other, giving me errors. I haven't gotten around to fixing it.
Also, one other huge warning I'd give about KeePass: On my work PC, I have my password vault set to lock after 2 minutes of inactivity or if I lock my PC. However, this will not work properly if you have an editing dialog open. It also won't properly close if you have a password to save. It'll ask you if you want to save, discard, or cancel... and hitting cancel will go back to the unlocked program. I should probably submit these as bugs/feature requests to the project.
(the reason being that you'll hear if Equifax has a breach, but if smallsite.net has a breach and doesn't tell anyone, or somewhere has a breach and you don't get the emails, then there are people cracking passwords that you're unaware are compromised. And if they aren't using the best standards, they might find a way to crack the whole set really quickly. Not a huge deal if you only use that password there, but Jake Random who used 93badkdi or whatever as a password for half his stuff is going to be very upset when jake.random@gmail, the Jake Random Facebook page, and the jrandom account at Wells Fargo all get rapidly compromised, and if an email is compromised then suddenly there is the opportunity to reset plenty of other stuff.)
I would argue that a well documented history of successfully managed security vulnerabilities should be a selling point, as opposed to a reason to stay away.
I would assume all cloud based password managers have vulnerabilities similar to each other's. If a particular solution does not seem to, I would assume that's because they have yet to be discovered.
The documented history of these things at least serves to prove their infrastructure and development response is up to the task of handling these vulnerabilities.
Ultimately you're right. From reading online most of the companies offering password managers have a good history of responding to issues brought forward by security researchers and rewarding them through bug bounty programs.