
Looking for a password manager

Belasco32Belasco32 Registered User regular
So, my delightful, brilliant, amazing husband has finally agreed that having to reset his and our shared passwords because he can't ever remember them and locking me out of all of our accounts on a regular basis should be a thing of the past, and I'm pretty excited about it!

I've heard rumor that there are sites where one can save their passwords, but I know nothing and don't really trust a Google search to tell me what I need. So, here I am :)

I'm hopeful that y'all will be able to help us understand what's out there and how much we should trust any particular set up - e.g. is this a space where a banking password would be relatively secure.

We need something that will support both of us logging in, and my dear husband would very much like one that has an app. As I've recently won this ongoing marital wrestling match I'd like to accommodate him as much as possible, but without risking security.

Posts

  • Options
    SniperGuySniperGuy SniperGuyGaming Registered User regular
    I use LastPass which is free and seems to work very well. It has an app, browser extension, autofills and will create crazy passwords for you. Just don't forget the password for the vault!

  • Options
    IrukaIruka Registered User, Moderator mod
    I think all the major password managers have family plans. I personally use last pass, but we use 1password at work. I've not used much of the sharing tools at the moment, but both work well and generally respond to security audits with the level of severity you would want from a company managing your shit.

    UI wise, I think lastpass works fine and I use it because their free tier is pretty well suited for my current needs. 1password has a cleaner back end, from what I've seen, but once I was in the lastpass I was too lazy to switch over.

    The biggest thing is getting it and sticking with it, and making an easy to type, but long and secure master password. When you first get started, just know that it's a bit of a project and it will be annoying. You'll be syncing passwords and clearing things out from your browser for a while. You also become pretty dependent on it once you embrace truly randomized passwords that you don't even consciously type out. You'll want to feel comfortable with whatever you pick.

  • Options
    PaladinPaladin Registered User regular
    All password managers like lastpass, 1password, and Keepass use encryption that basically works like this: you have a bunch of passwords that are stored in a data file encrypted by whatever your master password is. So while cloud storage options like 1password and lastpass do house your data on their servers, they won't be able to access your data without your password. If you lose it, you're out of luck. This also means if someone hacks these companies and downloads your data files, they shouldn't get access to your data as these companies do not keep a list of your master password.

    Of course, if you've used your master password for anything else, and that username/password registry is hacked, someone could get access to your data. So you have to keep your master password secure and unique.

    I use lastpass. It's free with some unnecessary belts and whistles for a low cost premium subscription. It has browser integration, stores different types of sensitive info, and has an app that integrates with your phone. You can also get a family plan.
    The downsides of browser and app integration include processing overhead and managing different logins to the same domain name. It will kind of play nice with your browser integrated password management software, but sometimes will get annoying when there are conflicts. It also may pop up at annoying times when you're trying to fill in a form online that it repeatedly thinks is a login page. It works with most phone apps but not all. It had a few security vulnerabilities in the news, but nothing drastic.

    If you want to use all of its features, be prepared to do some tech spring cleaning or just disable duplicate services.

    I used to use keepass which doesn't use a cloud at all and is technically more secure but more difficult to update.

    Marty: The future, it's where you're going?
    Doc: That's right, twenty five years into the future. I've always dreamed on seeing the future, looking beyond my years, seeing the progress of mankind. I'll also be able to see who wins the next twenty-five world series.
  • Options
    AthenorAthenor Battle Hardened Optimist The Skies of HiigaraRegistered User regular
    I don't recommend my setup for most people, because it isn't the most convenient, but it is free.

    I use Keepass (version 2.33 or newer depending on the machine). The vault has a long passphrase on it. I use plugins to Chrome and Firefox, as well as plugins for more work related things like SSH support. I also have an Android app.

    The vault itself is stored on Dropbox. So if I ever needed to do a full recover, I'd need to remember that. You could theoretically put the Dropbox password in your KeePass, but you need an origination point somewhere in there. A physical copy would suffice.

    I'd go with the family plan options in your particular case. As always with this kind of thing, I point to the wirecutter article. https://thewirecutter.com/reviews/best-password-managers/

    He/Him | "A boat is always safest in the harbor, but that’s not why we build boats." | "If you run, you gain one. If you move forward, you gain two." - Suletta Mercury, G-Witch
  • Options
    finnithfinnith ... TorontoRegistered User regular
    SniperGuy wrote: »
    I use LastPass which is free and seems to work very well. It has an app, browser extension, autofills and will create crazy passwords for you. Just don't forget the password for the vault!

    LastPass has had a history of security vulnerabilities that are well detailed on its wiki page. For that reason I would not recommend it.

    I would recommend 1Password, Bitwarden or KeePass. 1Password is the one I use and it's quite easy.

    Bnet: CavilatRest#1874
    Steam: CavilatRest
  • Options
    Belasco32Belasco32 Registered User regular
    Being able to have five people on the family plan for 1Password is spot on for us since it's the 2 of us and our 3 kids. I hadn't even thought about being able to have a shared vault for all of the family passwords, so that's extra helpful.

    Many thanks, guys!

  • Options
    NightslyrNightslyr Registered User regular
    Athenor wrote: »
    I don't recommend my setup for most people, because it isn't the most convenient, but it is free.

    I use Keepass (version 2.33 or newer depending on the machine). The vault has a long passphrase on it. I use plugins to Chrome and Firefox, as well as plugins for more work related things like SSH support. I also have an Android app.

    The vault itself is stored on Dropbox. So if I ever needed to do a full recover, I'd need to remember that. You could theoretically put the Dropbox password in your KeePass, but you need an origination point somewhere in there. A physical copy would suffice.

    I'd go with the family plan options in your particular case. As always with this kind of thing, I point to the wirecutter article. https://thewirecutter.com/reviews/best-password-managers/

    What browser plugins do you use? Your setup is almost identical to mine, sans plugins.

  • Options
    AthenorAthenor Battle Hardened Optimist The Skies of HiigaraRegistered User regular
    Nightslyr wrote: »
    Athenor wrote: »
    I don't recommend my setup for most people, because it isn't the most convenient, but it is free.

    I use Keepass (version 2.33 or newer depending on the machine). The vault has a long passphrase on it. I use plugins to Chrome and Firefox, as well as plugins for more work related things like SSH support. I also have an Android app.

    The vault itself is stored on Dropbox. So if I ever needed to do a full recover, I'd need to remember that. You could theoretically put the Dropbox password in your KeePass, but you need an origination point somewhere in there. A physical copy would suffice.

    I'd go with the family plan options in your particular case. As always with this kind of thing, I point to the wirecutter article. https://thewirecutter.com/reviews/best-password-managers/

    What browser plugins do you use? Your setup is almost identical to mine, sans plugins.

    Depends on the machine.

    If the mods are okay leaving this open until tomorrow, I can give my work loadout?

    Here at home, I use Database Backup, KeeAgent, and KeePassHTTP on the main KeePass and ChromePass in Google Chrome.

    He/Him | "A boat is always safest in the harbor, but that’s not why we build boats." | "If you run, you gain one. If you move forward, you gain two." - Suletta Mercury, G-Witch
  • Options
    SoggybiscuitSoggybiscuit Tandem Electrostatic Accelerator Registered User regular
    I use Keepass, and I have for a long time now. I don't use any browser plugins.

    The nice thing about keepass is that your phone probably has an app for it. On the iOS ecosystem, MiniKeePass works pretty well.

    Steam - Synthetic Violence | XBOX Live - Cannonfuse | PSN - CastleBravo | Twitch - SoggybiscuitPA
  • Options
    Inquisitor77Inquisitor77 2 x Penny Arcade Fight Club Champion A fixed point in space and timeRegistered User regular
    I've used Lastpass for years, no complaints.

  • Options
    davidsdurionsdavidsdurions Your Trusty Meatshield Panhandle NebraskaRegistered User regular
    I’ve been using RememBear. Works great on my iPhone and PC. Decent integration on both platforms.

  • Options
    discriderdiscrider Registered User regular
    :/
    Cloud storage defeats the purpose of secure password storage imo.
    I'd get something offline, duplicate the data file on two devices, and then merge the datafile every so often.

  • Options
    discriderdiscrider Registered User regular
    edited September 2019
    ... on second thought, as long as the cloud repository is only shifting the datafile around, and the password is just being used on the local datafile rather than going to the cloud copy, then that would work and be secure.
    So I clearly don't know enough about these.

  • Options
    PaladinPaladin Registered User regular
    discrider wrote: »
    ... on second thought, as long as the cloud repository is only shifting the datafile around, and the password is just being used on the local datafile rather than going to the cloud copy, then that would work and be secure.
    So I clearly don't know enough about these.

    Lastpass, as a cloud password service, uses a cryptographic hash function to scramble your password at client. That scrambled password is transmitted to the cloud, which checks whether the hash matches the one they have on file. If so, they send the encrypted password file to the client, where the master password decrypts it clientside.

    Therefore, the key vulnerability point is not the cloud but clientside.

    Marty: The future, it's where you're going?
    Doc: That's right, twenty five years into the future. I've always dreamed on seeing the future, looking beyond my years, seeing the progress of mankind. I'll also be able to see who wins the next twenty-five world series.
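The flow Paladin describes above, as an added sketch that is not LastPass's code and not part of the original posts: the client hashes the master password, the server compares hashes and returns an opaque blob, and decryption happens only on the client. The iteration count, the email-as-salt choice, the login-hash construction and the HMAC-based stream cipher standing in for AES are assumptions made so the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_keys(email, master_password):
    """Client: stretch the master password into a vault key, then a login hash."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS)
    # The login hash is a one-way function of the vault key, so sending it
    # to the server does not reveal the key that decrypts the vault.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                     master_password.encode(), 1)
    return vault_key, login_hash

def _subkeys(vault_key):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), not a real AES mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(vault_key, plaintext):
    """Client: encrypt-then-MAC the vault before it leaves the device."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(vault_key, blob):
    """Client: verify the tag, then decrypt; fails for any other master password."""
    enc_key, mac_key = _subkeys(vault_key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return _xor_stream(enc_key, body[:16], body[16:])

class Server:
    """Cloud side: stores a salted hash of the login hash and an opaque blob."""
    def __init__(self):
        self.accounts = {}

    def register(self, email, login_hash, blob):
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self.accounts[email] = (salt, stored, blob)

    def login(self, email, login_hash):
        salt, stored, blob = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        return blob if hmac.compare_digest(candidate, stored) else None

# Constructed sample account and vault contents.
EMAIL, MASTER = "alice@example.test", "correct horse battery staple"
VAULT = b'{"bank.example": "x7#Qp-constructed-sample"}'
```

Everything in `Server.accounts` is what a breach of the cloud side would expose in this model: a salt, a hash of a hash, and ciphertext, none of which is the master password or the vault key.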
  • Options
    urahonkyurahonky Resident FF7R hater Registered User regular
    Another vote for 1Password. I've been using it for about 2 years and it works great. Phone app unlocks with a thumb print and lets me autofill even in applications, not just web forms.

  • Options
    ThundyrkatzThundyrkatz Registered User regular
    The last time I tried to use a password manager, the issue that I ran into was that I could not sync it across all of my devices. I don't know if this has been resolved. However, since the password manager is a plug-in for your browser, be sure you can add that plug-in to all the browsers that you use. In my case, I cannot do that at work. Also, the integration for any apps you use was pretty spotty and required a lot of cutting and pasting. Maybe that's better now? So, take stock of what and where you will be accessing with the password manager before you change all of your passwords.

  • Options
    mtsmts Dr. Robot King Registered User regular
    I wonder if the old license I had for my macbook for 1password still is valid. It is from way back when.

  • Options
    AthenorAthenor Battle Hardened Optimist The Skies of HiigaraRegistered User regular
    discrider wrote: »
    ... on second thought, as long as the cloud repository is only shifting the datafile around, and the password is just being used on the local datafile rather than going to the cloud copy, then that would work and be secure.
    So I clearly don't know enough about these.

    For the record, while my database is stored in Dropbox, it is secured with a 37 character passphrase that Keepass rates as 139 bits. I could do better, I guess, but I type that passphrase so many times during the day that I'd prefer something I can remember. So yeah.. if you get access to my Dropbox, you still need to break through that in order to get my accounts.

    @Nightslyr

    Here at work, I'm running:
    DataBase Backup
    Favicon Downloader
    Keeagent
    KeeCloud
    KeePassHttp
    KeePassRPC

    For Firefox, I'm using Kee Vault (which I'm a huge fan of once I got it properly set up) and Chrome is using ChromeIPass.

    I am kind of upset that I installed a GPG module on my PC, because now I get conflicts with it and KeeAgent as both use Pageant and stomp over each other, giving me errors. I haven't gotten around to fixing it.

    Also, one other huge warning I'd give about KeePass: On my work PC, I have my password vault set to lock after 2 minutes of inactivity or if I lock my PC. However, this will not work properly if you have an editing dialog open. It also won't properly close if you have a password to save. It'll ask you if you want to save, discard, or cancel... and hitting cancel will go back to the unlocked program. I should probably submit these as bugs/feature requests to the project.

    He/Him | "A boat is always safest in the harbor, but that’s not why we build boats." | "If you run, you gain one. If you move forward, you gain two." - Suletta Mercury, G-Witch
  • Options
    finnithfinnith ... TorontoRegistered User regular
    One thing I would be careful of with Password Managers is ensuring that you clear out your clipboard after filling in a password (i.e. if you're copying and pasting from your password vault). I know 1Password, KeePass and LastPass all have this feature, but I would take special care to ensure that it's on across all devices that you use the password manager in if for some reason autofill doesn't work.

    Bnet: CavilatRest#1874
    Steam: CavilatRest
  • Options
    ShivahnShivahn Unaware of her barrel shifter privilege Western coastal temptressRegistered User, Moderator mod
    One (two) piece(s) of advice, which is very important, but I have not seen here (partially because it's obvious, but I think it's important to state when people ask about password security) are to never re-use passwords, and especially never use your master password for anything else. The master password loss isn't a big deal unless someone has a way to access the database, but it's just so critical that you should be careful. Make sure that if you have repeated passwords anywhere, once you set up the manager, replace them all with randomly generated nonsense from the manager.

    (the reason being that you'll hear if Equifax has a breach, but if smallsite.net has a breach and doesn't tell anyone, or somewhere has a breach and you don't get the emails, then there are people cracking passwords that you're unaware are compromised. And if they aren't using the best standards, they might find a way to crack the whole set really quickly. Not a huge deal if you only use that password there, but Jake Random who used 93badkdi or whatever as a password for half his stuff is going to be very upset when jake.random@gmail, the Jake Random Facebook page, and the jrandom account at Wells Fargo all get rapidly compromised, and if an email is compromised then suddenly there is the opportunity to reset plenty of other stuff.)

  • Options
    finnithfinnith ... TorontoRegistered User regular
    On the topic of breaches, it's a good idea to sign up for have i been pwned, a free service that checks if your accounts have been compromised in a data breach by looking for your email address. Some password managers such as 1Password have integrated this into their software.

    Bnet: CavilatRest#1874
    Steam: CavilatRest
  • Options
    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    I personally use Keepass and sync it with Dropbox. If I was starting now, I'd still use Keepass, but I'd probably use OneDrive (if Windows) or iCloud (if Mac), or a paid solution. Dropbox's security has historically not been fantastic.

    I don't use any of the plugins because I'm a luddite that way, but if you find they add sufficient value, go for it.

    Either way, using a password manager is the way to go! I'm glad you're jumping on that wagon.

    One step further is to have unique emails per site--that tends to make it very obvious when someone has lost or sold your email and someone else is trying to phish you with it. I personally use Sneakemail for that ($24/year), but there are other services, perhaps some free. It is significantly less convenient of course, but...it can be helpful if you want to go full paranoid.

  • Options
    RendRend Registered User regular
    finnith wrote: »
    SniperGuy wrote: »
    I use LastPass which is free and seems to work very well. It has an app, browser extension, autofills and will create crazy passwords for you. Just don't forget the password for the vault!

    LastPass has had a history of security vulnerabilities that are well detailed on its wiki page. For that reason I would not recommend it.

    I would recommend 1Password, Bitwarden or KeePass. 1Password is the one I use and it's quite easy.

    I would argue that a well documented history of successfully managed security vulnerabilities should be a selling point, as opposed to a reason to stay away.

    I would assume all cloud based password managers have vulnerabilities similar to each other's. If a particular solution does not seem to, I would assume that's because they have yet to be discovered.

    The documented history of these things at least serves to prove their infrastructure and development response is up to the task of handling these vulnerabilities.

  • Options
    finnithfinnith ... TorontoRegistered User regular
    Rend wrote: »
    finnith wrote: »
    SniperGuy wrote: »
    I use LastPass which is free and seems to work very well. It has an app, browser extension, autofills and will create crazy passwords for you. Just don't forget the password for the vault!

    LastPass has had a history of security vulnerabilities that are well detailed on its wiki page. For that reason I would not recommend it.

    I would recommend 1Password, Bitwarden or KeePass. 1Password is the one I use and it's quite easy.

    I would argue that a well documented history of successfully managed security vulnerabilities should be a selling point, as opposed to a reason to stay away.

    I would assume all cloud based password managers have vulnerabilities similar to each other's. If a particular solution does not seem to, I would assume that's because they have yet to be discovered.

    The documented history of these things at least serves to prove their infrastructure and development response is up to the task of handling these vulnerabilities.

    Ultimately you're right. From reading online most of the companies offering password managers have a good history of responding to issues brought forward by security researchers and rewarding them through bug bounty programs.

    Bnet: CavilatRest#1874
    Steam: CavilatRest