Password Management Software?

[Hack&Lube]

After years of being able to retain passwords rather reliably in my head, I've gotten to the critical mass of accounts for both personal and professional purposes that I began to lose track of a ton of important things over the holidays and I realize I need a proper password vault, accessible by phone, and probably cloud based.

CP cognoscenti, what are you experiences and recommendations for password management software?

[PsYcNeT]

Change all passwords to mnemonics.

Seriously though, password management software (to me) just seems like a really bad idea.

[photon]

I use http://keepass.info/ rather than an online service so that I have full control over the password file and know how it is accessed. It's also open source, which I think is good for these kinds of apps. EDIT: You can still access it on a phone by either copying the file manually, or using a service like dropbox to mirror your password file (which of course increases exposure to your password file, so it's a risk/benefit thing).

Quote:

Originally Posted by PsYcNeT

Seriously though, password management software (to me) just seems like a really bad idea.

I have something like 300 passwords in my primary password file, and a couple of customer password files which contain dozens to hundreds each, some of which only get used once every 5 years. Can't possibly remember those.

[ah123]

I use 1Password - there is an iOS, Mac and Windows version and you can synch devices through WiFi or DropBox. It doesn't do the full cloud solution, as far as I know.

[Thor]

Keepass here as well, works great.

[Street Pharmacist]

Pocket uses dropbox too for Android. It works well for me

[DownhillGoat]

+1 for 1password

[Buff]

At home I remember everything. At work we use a public folder lon our exchange server that is ocked down so that only IT guys can see it. Only the IT guys are smart enough to hack into that folder.

[Rathji]

LastPass here.

Quote:

Originally Posted by PsYcNeT

Change all passwords to mnemonics.

Seriously though, password management software (to me) just seems like a really bad idea.

There are about 40 passwords that I need to know at any time, independent of a password management system. For these passwords a combination of anagrams and acronyms combined with reasonable but complex salting system allows me manage without much issue.

What about the other ~300, for random sites around the internet?

Password (partial or full) reuse, especially if you are entering a password into a system that you don't fully understand, is far more dangerous than having all your passwords in one location, that has secure crypto with 2 factor authentication.

You just need to look at the various password breaches in the last 12 months alone. Adobe, is a prime example. If Billy Bob site admin over at www.bobshouseofabortionphotos.com stores my complex password in the clear, or without a salt, using 4 bit encryption, I can't control who gets a hold of that password. I need a password I can generate in 5 seconds, that I will never lose access to and is at least 16 random digits, and can throw away without a care in the world if it gets compromised.

That's what LastPass does for me.

It would do wonders for regular people, who decide that monkey123 is the password that gets used for everything, from their banking to their porn account.

[FlameOn]

I'm using lastpass as well. Fantastic piece of software, great because you can get every password for all your accounts randomized so if a hack happens you are safe with your other accounts and as Rathji pointed out, you can use two factor authentication. This ensures even if you lose your master password people still can't log in unless they have your second stage. It has excellent browser integration and great password form entry. Pretty good overall and it allows for both local and cloud based password storage that is encrypted.

Love it so far except there are some issues, if you want to do account password sharing that is not something you can do except with premium accounts, if you want to use anything other than Googles two stage authentication system you need a premium account and if you want access to your passwords in the mobile app you need to pay.

[Finger Cookin]

Necrobump

Ad targeters are pulling data from your browser’s password manager

I started using Dashlane based on this article. It's been pretty simple to set-up and use so far.

[DownInFlames]

I use 1Password and it doesn’t autofill logins. That sounds like a security flaw on top of a vector for tracking.

[Iceman90]

I am a big fan of LastPass.

[Azure]

I use LastPass as well and Authy for two factor authentication.

I always try to use max length passwords for every site and have a 92% security score. Its not higher because of some of my internal router passwords that I store there that are simple to figure out but it doesn't matter since they are not accessible to the internet.

For the most part it works good.

[cupofjoe]

Lastpass works well for me also.

[Azure]

I am more paranoid about losing access to my account than I am with someone hacking it.

If they get hacked I can change my passwords. If I lost access I have no idea what my passwords are.

What is the best way to backup? I printed off my list and put it into a safe for now.

[Iceman90]

Quote:

Originally Posted by Azure

I am more paranoid about losing access to my account than I am with someone hacking it.

If they get hacked I can change my passwords. If I lost access I have no idea what my passwords are.

What is the best way to backup? I printed off my list and put it into a safe for now.

I have my password manager's "master password" printed out on a piece of paper and stored in a secure location.

[Azure]

I did that as well.

However I am not worried about JUST that password, but in fact all my other ones.

[photon]

Quote:

Originally Posted by Azure

I am more paranoid about losing access to my account than I am with someone hacking it.

If they get hacked I can change my passwords. If I lost access I have no idea what my passwords are.

What is the best way to backup? I printed off my list and put it into a safe for now.

I use a standalone application rather than a service, so I keep my password file in several different locations. But if I forget my master password then yeah I'm completely screwed, it's not like an online service that has a password reset functionality.

Some apps also support using a private key as part of access to the information, so something you know and something you have (i.e. a keyfile on your computer's hard drive, on a USB stick on your key chain, etc).

Having a hard copy somewhere just in case makes sense IMO, offsite rather than just a safe is even better.

[photon]

Quote:

Originally Posted by Azure

I did that as well.

However I am not worried about JUST that password, but in fact all my other ones.

You could keep a USB key with the password file in wherever you keep the master password hard copy, or a printout. Both won't get updated though.

Because I'm confident in the password I have on my password file, I have it in Dropbox for ease of access, so even if my house got nuked my passwords are fine.

EDIT: And I'd bet that almost all your other passwords are recoverable via email if necessary. Your email should be the most secure of any of your accounts, as that's the one that can unlock almost everything else.