I feel like I should be using a password manager and strong passwords but, like many, I tend to use the same few variations on passwords across many sites. [url= http://lifehacker.com/5529133/five-best-password-managers ]Lifehacker says LastPass, Dashlane, KeePass, 1Password or RoboForm are the five best[/url]. Or do I just trust and use Chrome's ability to remember them?
Ideally, I'd like to use the same service on my Android phone and tablet and my personal Win10 laptop and at work, where we don't have the ability to install software, across several different Win7 PCs.
Any suggestions, or others to try?
Eh - your memory?
I use KeePass. I use the native Windows version and the Android app, but keep the portable Windows version on my Dropbox for use elsewhere. Also had the native Mac version on my old Macbook. I keep the password file (encrypted) on my Dropbox (probably the least secure bit of it). I find this works flawlessly.
I'd never remember all my passwords without it. I wish I had your memory wanmankylung.
Eh - your memory?
I've probably got around 100 accounts with associated passwords. If each had a unique, strong password that's slightly more than I can remember.
wml - really?
Unless you operate a 'system' - as I'm trying to do - I too have only a handful or core passwords.
Due to having to buy stuff or even just register, I reckon I'm in or on for not far off 100 sites. Memory for that would be impressive, don't you think?
YMMV.
Cheers thenorthwind.
Eh - your memory?
I probably have somewhere between 80 and 100 passwords. Each of them is different and they vary in length between 12 and 16 characters. If I had a memory capable of that I would have put it to good use at a Vegas card table before now.
Mine are in a password protected word file which is also printed out and kept in a safe place. Seemed a simple way to organise them, didn't require any new software and I only need to remember the one password to access the word file. I worked on the principle that a burglar is not very likely to be a cyber criminal and vice versa.
Mine are in a password protected word file which is also printed out and kept in a safe place.
So all of your numerous passwords are protected by......a password?
Is it just me or is this a bit ummmmmm?
[url= https://lastpass.com/ ]lastpass[/url] for me. Really good. 2 factor authentication and restricted to country for logging in
Trying out Dashlane now.
Used to use KeePass but it kept corrupting the file every month or so - easy roll back on the filers but not confidence inspiring.
I also use KeePass and store the data and key files in separate Dropbox folders to keep them in sync between home computer, work computer and Android.
Oh and storing all of your passwords in a Word doc is a stupid way to go about things when there are much better solutions about.
If the document is a .docx, all you need to do is rename the file to .zip, delete settings.xml from within it and rename it back to .docx.
So all of your numerous passwords are protected by......a password?
Yep. I may be a fool but it feels safe enough to me, someone needs to break into the house, find the thing containing the word file, work out or otherwise hack the password then they've got access to my digital world.
The password on the word file is a long one so it would take an automated system a very long time to crack so the only realistic method would be for someone to have a lucky guess and that's just not very likely to happen.
As for the printed version, that's stored somewhere else and doesn't contain any email addresses, only passwords, so even if you managed to get hold of it it wouldn't be immediately useful, as the "I've forgotten my details" request would get sent to my email address, so if anything it would be a heads up that something's not right.
Any of these systems can be breached somehow but I'm happy enough that mine would buy me enough time to change my details if there were a problem.
I just go for 12345 or Pa55word
Both foolproof..
LastPass here as well
My passwords are now super complicated and long
Works well for me
Yep. I may be a fool but it feels safe enough to me, someone needs to break into the house, find the thing containing the word file, work out or otherwise hack the password then they've got access to my digital world.
I was more wondering about peoples getting into it remotely TBH. But I'm far from an expert in this, I just found it amusing that you have excellent security having loads of differing passwords and protect them with a single password!
I use a core password with additional characters depending on website. The name of the website gives a strong hint as to what the additions should be. The core password changes regularly on a prompt from my work account. It's really not that hard.
Remembering one password and a rule is a lot easier than 100 passwords.
Oh and storing all of your passwords in a Word doc is a stupid way to go about things when there are much better solutions about.
If the document is a .docx, all you need to do is rename the file to .zip, delete settings.xml from within it and rename it back to .docx.
Mine isn't a .docx file, not sure if that makes a difference but I'll look into it.
I store mine in a non password protected .doc file.
That's then encrypted using 128bit encryption.
I used TrueCrypt which, for these purposes, is probably completely adequate but does come with the disclaimer that it is no longer under development and may therefore become vulnerable at some point in the future. It's available on all platforms; you need the version before the last one if you want to encrypt rather than read only. Also useful for storing bank statements and such. BitLocker is also available for Windows-only users on Pro and above I believe, though how good it is I can't say.
Another Keepass user with the file stored on Google Drive.
lastpass here too. Never got the two factor working perfectly, but otherwise it integrates with iOS pretty well. the main benefit for me is passwords are all unique, so expendable. No more worries about a compromised password being used on lots of sites and having to change it (or remember where you used it)
lastpass here too. Never got the two factor working perfectly, but otherwise it integrates with iOS pretty well.
Is there any benefit to using lastpass over Apple Keychain for password management (apart from the latter obviously restricting you to entirely using Apple products)?
How about a book....choose chapter titles and their page numbers and mark the page....always works!
[quote=BoardinBob]I just go for 12345 or Pa55word
Both foolproof..[/quote]
I've got bad news for you, somebody has hacked your account and changed the password
Muppetwrangler. If you are feeling confident send me your word document and if I haven't cracked the security within 24 hrs I will delete it, and if I do I'll post its contents here! Still confident?
If you are feeling confident send me your word document and if I haven't cracked the security within 24 hrs I will delete it, and if I do I'll post its contents here! Still confident?
That would defeat the point of keeping the file off of a network. A big part of this is the idea that it's a simple system that's not easily accessible to the vast majority of people capable of reading it. You'd need to be a physical as well as a virtual thief. And even if you broke in you'd need to know what you were looking for as it's hardly the typical high value easily saleable item favoured by local scrotes.
Yes there's a good chance that an individual user account will get leaked in amongst millions of others as part of a larger corporate hack and yes there's a good chance that local youths will break in and try and nick my bike and the telly at some point. But I don't think there's much likelihood of a modern day pink panther style thief targeting my house so that they can gain control over my amazon account. Individually I'm just not worth the effort.
I use 1Password on iPhone, Macbook, Windows and Android.
I went for 1Password mainly as it's an outright purchase. Also the apps work well and look nice on their respective platforms. It's probably much of muchness between the main players, as assume they all have secure notes, credit card functions, browser plugins, multiplatform etc, but I am very happy with my choice.
Used Keepass in the past with my windows machine, now I use apple's keychain.
Keepass was recommended to me by my tame hacker.
Which reminds, me, I really should find out which institution he's in now...
I've just had to migrate from my previous one and have gone for LastPass for $12 per year.
Clients for OS X & iOS work for me.
I use a piece of paper! Nobody is going to hack it or steal it and it's not going to get lost
That would defeat the point of keeping the file off of a network.
You missed this bit of the OP's requirements then?
I'd like to use the same service on my Android phone and tablet and my personal Win10 laptop and at work
What exactly are folk doing that they need 100+ passwords?
I have around 40 at most, most of which I change regularly. My memory can handle that.
Didn't LastPass get bought by a less desirable competitor recently?
I just log into my google account if I forget a password as chrome has all my passwords remembered so I just need to click on the little reveal one and it shows me my login and password
For those with a Word doc and 'online' fears,
What happens if your hard drive dies tomorrow?
I have around 40 at most, most of which I change regularly. My memory can handle that.
You can remember 40 strong passwords? I suggest taking up Poker.
A bit of paper.
Seriously, the chances of someone breaking into your house to steal your passwords off bits of paper are next to nothing. Vastly safer than storing things online or trusting a password manager that could itself be hacked.
Difficult to update a piece of paper when you change your Wiggle password sat in a cafe.
I have a word doc in a google drive presently up to three pages, probably should do something better but works as I always have access.
I really can't imagine having a memory that allows me to remember 40+ passwords that are all unique and complex. Typically they'd be something like 'y62htX$6jF%Ku*' and I'll be jiggered if I could remember one or two like that let alone dozens. If you can remember 40+ 'complex' passwords, I'd suggest you either need to take up card counting, a one man memory show or your passwords aren't really that complex at all
No, that's not one of my passwords by the way!
What use is the bit of paper at home if you're sat a 100 miles away?
LastPass works for me
What exactly are folk doing that they need 100+ passwords?
Using lots of websites.
Thanks for the suggestions/discussion everyone.
So all of your numerous passwords are protected by......a password?
Is it just me or is this a bit ummmmmm?
Not sure I see the problem, as long as your password is a good, strong, unique one that you can actually remember. It's basically the same as saying that your PayPal (say) account is only protected by a password isn't it? There's nothing wrong with passwords in themselves.
I suppose there might be an argument that you've put all your eggs in one basket with things like LastPass, should they ever get hacked. That said I've never really checked them out so I'm not sure exactly how they work.
LastPass for me. Two factor enabled for non approved devices. Runs on my Mac, PC and phone. 100+ here too - some for work, most for other stuff. Also I have multiple email-ids so trying to remember that is beyond this bear of little brain 😉
Drac - Moderator
What use is the bit of paper at home if you're sat a 100 miles away?
Common sites you're likely to access - memory.
Write stuff down for all those complex ones you're rarely likely to access. If you get stuck, "forgot my password", so long as you have access to your email. Then repeat when you get home if you can't remember what you just changed it to 😀
Though another option is to keep an obfuscated list in a password protected cloud document store. I use OneNote for things like this. The traffic is encrypted and stored encrypted, although Microsoft internally do have the keys to decrypt their cloud storage, although not sure they can get to password protected sections in OneNote.
Still, an obscure document that would make little sense to most people. It would take a targeted attack looking specifically for password-looking things and working out what sites they refer to. The vast majority of hacks go for places where passwords are obviously stored such as web sites, or password managers which could potentially be hacked via malware or a flaw in a browser that gives them access. They get them en masse and sell them on.
In the case of web site hacks though, if people like Talk Talk hashed the bloody passwords properly then it's much harder to get them. Sounds like they used plain encryption and that's two way. If it can be decrypted then there's always a chance of it being cracked. First rule of web site design where passwords are involved - hash, never encrypt (sadly I keep coming across companies that break this and argue "oh we encrypt the passwords so it's fine"). Better still, use delegated authentication so you are never storing any password related information anyway. Though the delegate is then a single point of attack.
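As an added illustration of the hash-never-encrypt rule (example code, not from anyone in this thread): a salted, deliberately slow one-way hash for stored passwords, with verification that never needs the password back, beside the unsalted fast hash it replaces.

```python
# Added example: storing passwords as salted, slow one-way hashes rather than
# reversible ciphertext. There is deliberately no function that returns the
# password: verification recomputes the hash and compares.
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP's current PBKDF2-HMAC-SHA256 figure; raise over time


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return an encoded record: algo$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_fast_hash(password: str) -> str:
    """The anti-pattern, kept only for contrast: unsalted MD5. Equal passwords
    give equal outputs, so one precomputed table covers every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```

Reversible encryption fails the same test from the other side: whoever holds the server's key can decrypt every record, whereas here there is no key to steal.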
Keepass for me, mainly use it from Android phone and copied to Dropbox. All this discussion is making me think it's probably time to change some passwords. Mine tend to be thematically linked but unique, however not completely unmemorable, so I'm not dipping in every day. For me the challenge is often remembering the ID as much as the password - is it email or not, if email which one - which has a benefit on any compromise not being exploitable everywhere else.
I also try not to register with every damned website that i might have bought a hinge from once, use paypal where possible.
Been using 1Password for years on all Apple devices at home.
Works really well. Main file can be stored in Dropbox or iCloud, or locally.
May buy a Windows licence for it too so I can use it at work too, when I'm not surfing STW 😀
Lastpass is pretty damn secure
1. All encryption and decryption happens on your computer.
2. The sensitive data that is harbored on their servers is always encrypted before it’s sent so all they receive is gibberish.
3. Lastpass never receive the key to decrypt that data.
Furthermore, like any other service, you should be using two-factor authentication with LastPass. If you do, someone with your master password still will not be able to access your account, even in the event of a breach.
https://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html/
Also, using an online password manager you are less likely to fall foul of phishing attacks.
A browser-integrated password manager will only fill in a site-specific password if you're actually visiting the correct site. So you won't accidentally type in your Paypal.com password into www.paypal.com.us.cgi-bin.webscr.xzy.ru.
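An added example (not from the thread) of the origin check behind that behaviour: the saved entry is keyed by the site's origin, so the lookalike host quoted above matches nothing, while a naive "does the hostname contain paypal.com" check is fooled. The vault contents are constructed for the demo.

```python
# Added example: how a browser-integrated manager decides whether a saved
# credential applies. Entries are keyed by origin (scheme + host + port), so a
# lookalike host such as the one quoted above matches nothing.
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault keyed by origin; not real credentials.
VAULT = {
    "https://www.paypal.com": ("alice@example.com", "example-only-secret"),
}


def origin_of(url: str) -> Optional[str]:
    """Normalised origin, or None if the page is not served over HTTPS."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None  # never offer a saved password on a plaintext page
    host = parts.hostname.lower()
    port = parts.port  # None when the URL carries no explicit port
    return f"https://{host}:{port}" if port and port != 443 else f"https://{host}"


def credential_for(url: str) -> Optional[Tuple[str, str]]:
    """Exact-origin lookup: this is what stops autofill on a phishing page."""
    origin = origin_of(url)
    return VAULT.get(origin) if origin else None


def naive_match(url: str, brand_domain: str = "paypal.com") -> bool:
    """What a hurried human (or a careless matcher) does: look for the brand
    name anywhere in the hostname. The lookalike host passes this test."""
    host = (urlsplit(url).hostname or "").lower()
    return brand_domain in host
```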
I really can't imagine having a memory that allows me to remember 40+ passwords that are all unique and complex. Typically they'd be something like 'y62htX$6jF%Ku*' and I'll be jiggered if I could remember one or two like that let alone dozens. If you can remember 40+ 'complex' passwords, I'd suggest you either need to take up card counting, a one man memory show or your passwords aren't really that complex at all
I think your password is not as complex as you think it is. A system for remembering passwords and making them unique is a good thing:
e.g. make a base password, something long but relatively easy to remember. Let's say "purple-crocodiles"; if you increase the complexity of this by adding some symbol/number/caps replacement then:
Purple-Cr0c0dile$ is still quite easy to remember.
Now you don't want to use the same password on multiple sites - simple, you add some site specific letters at the end (or start - or middle) of the password according to a system you define and remember. So your Singletrack and Facebook passwords might be:
Purple-STW+Cr0c0dile$ and
Purple-FBK+Cr0c0dile$
You don't tell anyone your system or base password then even if one is compromised it takes a concerted effort with a degree of intelligence to guess what the others would be. You can make the base and combination harder to "read" as well (e.g. PSTWCr0c$) - or some people like to use the first letter of words from a song - say Ittw1wbSTWLamws2c.
I use essentially this approach but with a couple of base password & structure variants depending on my perception of the risk.
I have considered taking it one step further and hashing these passwords so they are gibberish and all I have to do is remember the password and hash method (and have access to a computer or website that will let me run and copy/paste the result).
e.g. those two passwords would become:
A9CD471148BED6CEE644B5D8B8C2E582
and
CB9EE944B518137E7CAF165F896DABC1
But since most sites are keen to have $ymbol$ Numb3r5 and Caps I'd probably need to add another short base to them; which, added to the need to hash them and the pain of cut-n-pasting on a mobile device, is enough to put me off. However my point is you really don't need to write them down anywhere to remember large numbers of unique passwords. I have a general mistrust of all "vault" type systems as it is like saying I'll keep the keys to all our vehicles in the safe. This is great unless (a) the safe gets compromised or (b) you lose the safe key.
Numbers and symbols instead of letters can still appear in password cracking dictionaries.
e.g. obvious ones, so using ! instead of i, 0 instead of o, $ instead of s.
People know these are typical substitutes, so a common word with those substituted may still be easy to crack.
People know these are typical substitutes, so a common word with those substituted may still be easy to crack.
If it is a worry, don't sub it every time; maybe just change the second vowel in your phrase, or the 1st in the first word and the second in the second word. Random caps is probably as good as subbing in terms of this type of attack, as is appending a phone number or DOB - if they aren't specifically targeting you, that is.
Poly's base examples are plenty secure enough for common usage. If they aren't you should generate + store one or use 2FA.
If anyone with half a brain got hold of one of Poly's passwords it wouldn't take much to work out the pattern. No pattern means it's very much harder to crack.
Completely agree - I'm sure you are familiar with the XKCD on battery-horse-staple (and if you find that stuff interesting you will probably be interested in this: https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd?language=en)
Numbers and symbols instead of letters can still appear in password cracking dictionaries.
e.g. obvious ones, so using ! instead of i, 0 instead of o, $ instead of s.
People know these are typical substitutes, so a common word with those substituted may still be easy to crack.
Personally I wouldn't bother with symbols etc because the brute force attacker has no way of knowing if you use them or not and so probably wants to test them anyway. However if you are trying to define a "standard" base password it is easier to include them (and a mixture of upper, lower, number, symbol) as some sites insist on one or more.
drac -
If anyone with half a brain got hold of one of Poly's passwords it wouldn't take much to work out the pattern. No pattern means it's very much harder to crack.
Indeed - the pattern I use in real life is a little less obvious than that (but it was easier to illustrate my point with a very simple case) - but if you had two passwords you would certainly be able to work it out (which is why I use two different systems for sites where security is critical and stuff like STW where the consequences of a breach are less serious but I have less faith in how the recipient of the password protects it). Of course that relies on someone actually being bothered to get into MY account, rather than just having a list of email addresses and passwords and hoping, as 90% of people do, that the same password works on a wide variety of accounts with the same email address. Whilst the majority of people are completely useless at password variation I think my approach will ensure working out my system is low priority. I don't believe that normal hacks are caused by people applying common sense to look at lists of passwords - they are simply bots which munge through lists looking for exact matches. If I was writing a bot to get smarter than that it would take all the "somepassword1" and try "somepassword2" etc before I was trying to spot patterns*.
However as I said, if that worries you then you can use the Hash. Each password is unique with no pattern. But you don't need to write down the hash - because you can recreate it at any time if you know which algorithm and the right (easily memorable) input.
IMO - as soon as people write down passwords (or probably worse use an excel / word document) their security is compromised, however the biggest threat is people using *exactly* the same password on multiple sites. I bet I could create a site in an afternoon that would let me easily collect passwords and matching email addresses (I've always been tempted just to see how bad the problem is). If I get you mail account password then with most password resets being mail based confirmation I can get into almost any account you have that doesn't require two factor authentication.
* For this reason I believe that forcing regular password changes is a design flaw which encourages people to use poor systems or write them down (probably on post-it notes stuck to the screen).
Common sites you're likely to access - memory.
I have no idea what any of my passwords are.
That's the best way drac, it means they can't be tortured out of you 😀
Exactly.
Whoever said using a book. Dictionary attack
https://howsecureismypassword.net
Hashes are best as said, however do I use them? No. Too easy to forget, still too many variables to remember and ultimately I don't give a shit if someone gets my STW or Facebook passwords as they won't learn anything that they can't easily find out anyway. For online shopping I don't store card details anywhere so in reality I only need to worry about banking passwords and PayPal. I only bank at home so it comes back to making a secure pass and sticking to it.
OT-ish, but do you use PayPal 2 factor authentication? I see a screen to set it up with SMS but NO details about how it works, how to turn it off, what to do if you lose your phone etc so I'm reluctant to proceed without an exit strategy!
I bet I could create a site in an afternoon that would let me easily collect passwords and matching email addresses (I've always been tempted just to see how bad the problem is).
Far and away the best way of getting someone's password is to ask them. If I had a pound for every time I've had a conversation along the lines of "do you need my password?" - "no, I don't want to know it" - "ok, it's jennifer7" I could retire.
For this reason I believe that forcing regular password changes is a design flaw which encourages people to use poor systems or write them down (probably on post-it notes stuck to the screen).
You're not wrong. Hard to encourage sensible password usage in users when the administrators don't even really get it.
I use Iliumsoft Ewallet. Apps for iPhone, iPad, Mac and PC and syncing over wifi between them.
Seems fine. It's the syncing and apps I like, but aware other tools do this too.
[url= http://www.iliumsoft.com/ ]http://www.iliumsoft.com/[/url]
Don't worry anyway. It won't be long until the government requires us to hand over all passwords to everything anyway so if you forget you can just get it off the list that will have been leaked within a month of the system going live 😀
If the document is a .docx, all you need to do is rename the file to .zip, delete settings.xml from within it and rename it back to .docx.
I tried this with a Word 2013 file with Winrar/Winzip and 7zip. None worked. It is a legitimate work file that a colleague forgot the password for. I am now using a brute force program.
The best ones are like http://kestas.kuliukas.com/MultiPass/: you only need to remember one password, and it doesn't need to be stored in a crackable safe file; you just use the app to generate the password on the fly.
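poly's idea earlier in the thread of recreating each password from a memorable input and a hash, and the generate-on-the-fly approach mentioned here, as one added example (my code, not poly's, the thread's or MultiPass's): a per-site password derived from a single master secret, forced to contain every character class so the sites that insist on $ymbol$ and Numb3r5 are satisfied. The domain salt, alphabet and counter convention are assumptions made for the demo.

```python
# Added example: deterministic per-site passwords from one master secret.
# Nothing is stored and the master secret never leaves the client; the salt,
# alphabet and counter convention below are constructed for this demo.
import hashlib
import hmac
from typing import Iterator

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!$%&*+-=?@#"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
DOMAIN_SALT = b"site-password-demo-v1"  # fixed on purpose: output must be reproducible


def _byte_stream(key: bytes, site: str, counter: int) -> Iterator[int]:
    """Endless HMAC-chained bytes bound to this site and counter."""
    block = hmac.new(key, f"{site}\x00{counter}".encode("utf-8"), "sha256").digest()
    while True:
        yield from block
        block = hmac.new(key, block, "sha256").digest()


def _uniform(stream: Iterator[int], n: int) -> int:
    """Unbiased index in range(n) by rejection sampling (avoids modulo bias)."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def site_password(master: str, site: str, length: int = 16, counter: int = 1) -> str:
    """Derive the password for `site`; bump `counter` to rotate it without
    changing the master secret."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    # One slow KDF pass over the master secret so guessing it stays expensive...
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), DOMAIN_SALT, 200_000)
    # ...then cheap per-site expansion from that key.
    stream = _byte_stream(key, site.strip().lower(), counter)
    chars = [cls[_uniform(stream, len(cls))] for cls in (LOWER, UPPER, DIGITS, SYMBOLS)]
    chars += [ALPHABET[_uniform(stream, len(ALPHABET))] for _ in range(length - 4)]
    for i in range(len(chars) - 1, 0, -1):  # deterministic Fisher-Yates shuffle
        j = _uniform(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """One character of each class, as the sites poly mentions insist on."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))
```

The trade-off is the one poly and the vault sceptics circle around: a leaked master secret exposes every site at once, and a site that assigns its own password or forces a reset needs the counter tracked somewhere, which reintroduces the storage problem the scheme set out to avoid.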