Password Manager?

[rjbinney]

For the longest time, i have let Firefox "save" most of my passwords. And, yes, I sometimes use the same password for several different sites.

So now, each time I sign onto a website where I have a saved password, I am deleting it from FF and creating a unique password for that site. (MIND NUMBING!! CRAZY how many sites are password-protected).

My brain is about full.

I have a password-protected sheet in OneNote (and my MSFT account is password protected) where I list my passwords - but the sites they go to are not listed. So if someone found the list, it would take some work - not impossible, but some work - to get into my accounts.

I read a lot about password managers. I don't know how I can trust saving a list of my passwords to the cloud. You can talk about encryption all day long - but I'd like to think my passwords can stay safer than pics of Jennifer Lawrence *censored*.

I tried doing a search on this topic first and didn't see anyone's (good or bad) experience in the forums; I saw the CH post that recommends DashLane. But honestly, an index card in my wallet feels safer.

Anyone use any of these? Anyone with horror stories? Anyone who can assuage my skepticism?

Thanks!

[SuperDave]

I do not have any knowledge about password managers but I will move this thread to another forum where I'm sure you will receive more information.

[Mark.]

I'll throw my two cents worth into the mix.And opinions will change for each user just like opinions are suppose to do. 
Personally, I see a few issues with password managers;

• all your eggs are in one basket so if you lose the master key to that then you are buggered, so you have to at least remember one
• being all in one place makes them more attractive to the idiots wishing to do you harm
• some popular providers of these services have already been hacked, at least once
• because they are stored for you, you never get to remember the most used ones

of course, those negatives are just potentials and the positives of everyday usage of such a service would outweigh them but how hard is it to remember half a dozen of your commonly required password?
between PC access codes, web banking, social media access, forums, online services etc, I usually get through the day only typing in 6 passwords, so can remember those because I type them in so frequently.obviously password managers become more attractive with the requirement to remember more password.

[patio]

+ 1

[camerongray]

On the other hand there are features of password managers which largely solve the common "problems" people see:

• They tend to have a backup/export feature allowing you to export the password database for you to store elsewhere (e.g. if you're concerned about forgetting the master password, print it out or something and store it in a secure location).
• A good password manager should encrypt the password database using your master password and decrypt the database locally on your machine.  If the system is built correctly, the passwords should be impossible to read, even for the company operating the service.
• They make it easy to use different, complex passwords for all services. IMO, it's much more likely that a random small website you set up an account on gets breached (which would cause issues if you have used that password elsewhere) than a professional password manager service that specialises in protecting your passwords.  Likewise, if a well known password manager gets breached, you are much more likely to find out and be able to take action than if a small website you've used once and forgotten about gets breached.
• They often support two factor authentication preventing malicious users from accessing your account even if they were able to get your master password.

A lot of it comes down to making a sensible judgement over how you use a password manager and what accounts you store in it.  For example, for me I use a well known password manager with two factor authentication so an external attacker would need to have both access to my smartphone as well as my password (which is never stored anywhere) in order to access my account.  I then use different, secure passwords for every service which are stored in the password manager.  However, I do not store my email credentials in my password manager and instead use a unique password which I remember as well as having two factor authentication on my email account.  This means that worst comes to the worst and I lose access to my password manager, I can reset most of my passwords over email.  I also use memorised passwords for anything banking related - partially just to keep those credentials completely offline and partially because the password manager doesn't really play well with the bank's concept of a separate pin and password where you are only prompted for certain characters when logging in.

Also, wherever possible, don't rely purely on the password stored in the password manager, setup two factor authentication for every provider that supports it.  Another thing you can do is have a "common" part of a password that you remember but never store in the password manager, prefix this to every password.  You therefore have a password manager storing the half of each password which is different for every site then you memorise the other half of the password which is the same for every site but never stored.  If the password manager was ever breached (as unlikely as this is) then an attacker would still be unable to log into any accounts without knowing the "common" half of every password.

The other thing is to take care when picking a password manager and make sure you go with a reputable, well known provider.  Avoid picking them from those nonsense "Top 10 password managers in 2018" lists on minor "Top Computer Tips" websites.

Also, if you are concerned about storing the password database in the cloud, there are plenty of password managers which run locally and store the password database in a file, the largest one I can think of is KeePass - This would at least be a good improvement on using a OneNote file.

[BC_Programmer]

I keep track of my passwords with a simple text file on my HDDs (which I occasionally copy to a flash drive). I also use browser's saved passwords/logins feature. I use a random generated password with a program I wrote that generates it randomly. Of course over time, I end up memorizing passwords. I have a few rather long completely random ones memorized, simply through repetition.

having it stored locally- and in plain-text files- seems risky but my logic is that unauthorized account access is usually a result of having a password and E-mail address compromised by one login or web page. For example, if say the CH password database was compromised it would be possible for whomever gets it to over time to "hack" the passwords and figure out what they are. At that point, they might simply try that same password on any accounts that are connected to CH; if you use the same password there, they get access to that as well, and maybe THAT links up to some other accounts and stuff. Having different passwords everywhere or at least as many different passwords as possible prevents that "chain" from progressing very far.

Compared to that I consider the risks of local compromise to be far less substantial (I don't recall dealing with any infections on my own computers in the past 10 years or so- I have seen weird executables running and freaked out only to find out it's a part of Intel's drivers or part of Windows (and is digitally signed and in the correct place). It would also require my system to not only be infected, but infected in such a way that it allows an actual person to go through my stuff, as the sort of malware in question typically just grabs data from well-known locations- like say browsers, or stuff like those bitcoin miner programs which save wallets or whatever that is all about, and fire it off to the malware author.

So far this approach I feel has been sort of "reinforced" in that I have had the first happen with about a half-dozen of my accounts across the web over the last decade or so, and was easily mitigated because the password that the "hackers" would have was used nowhere else.- I've even seen in the logs for my website that some of those compromised passwords were used to try to login to the root login, possibly by doing a big of research and discovering it linked with my E-mail address... so if I had used the same password there, I would have had a massive problem on my hands (Though I even have mitigations for that so I can fix it ASAP- I am sent an E-mail if an IP not on a specific list of IP addresses logs in to the root account. Other than one that I had sent to me during my own test, I've not had another yet!)

I've considered storing the "plain-text" information on, say, a Veracrypt volume, but the way I see it, the more layers I add, the more complicated the solution becomes and the more problematic it becomes in general- more stuff can corrupt, be lost, I can forget a password that I didn't write down or record for "security reasons" and lose all the others, etc.

[patio]

Old school...i write them down and store in 2 safe places...on top of the other methods discussed above...

[Mark.]

I keep all mine in a password protected Excel spreadsheet.
to the OP, you just have to find an approach that works for you, where reward is more than effort.

[rjbinney]

Why can't everyone just get along??!?

Thanks for all the opinions. And, Mark, I think you're right. The big thing for me is to get separate passwords for everything - I have just two or three "go-to"s that I always use.

Question for BC_Programmer, like I said, I keep mine stored in my browser, too. I figured that was super-risky, but you don't seem to think so?

[Geek-9pm]

I keep my notes in a Safe Place.

[Allan]

It may be the old school choice, but I use RoboForm and it works very well.

[rjbinney]

I also keep a list of passwords that are stored automatically on devices (e.g., email, Netflix) so if one device gets lost I can quickly know what needs to be changed ASAFP.