According to my searching it’s been several years since we’ve discussed them directly.
I think that it’s time for me to bite the bullet and get one going. My inclination is to go with 1Password since it’s highly regarded, not very expensive and my neighbor works for them. I am open to other suggestions.
My current password strategy leaves much to be desired. Some of the older ones aren’t very strong and a few are repeated in different places. Presumably this would be a good opportunity to change all of them to be different and very strong.
Then again, maybe what I already have with Chrome and iOS is good enough.
Bitwarden seems like it replaced 1Password as the popular choice. That’s the one I’m using. I’d probably be using iCloud’s password keychain if I wasn’t using Firefox or they came out with a Firefox plugin for it.
Not being a trusting soul in this realm I use KeePass. Despite the obvious joke that could be inferred from the name, it does everything I could want a password manager to do, is open source, and does not require any type of web communication rendering it practically invulnerable to a remote hack.
My understanding (and I may be incorrect, so if I am, someone please feel free to correct me) is that yes, you could use a password manager for those, through having the login passwords stored on the manager’s smartphone app. You’d use your password for the app itself to unlock the app, look up your computer login password, and then type it in.
I used KeePass for a long time. The biggest drawback is that it is your responsibility to sync the password vault between different devices. I believe there are some options to store it on Google Drive and similar, but at that point, you’re just trading cloud for cloud.
I need my password manager to work and sync across devices.
I use Bitwarden, and the browser plugin works very well. Bitwarden on iPhones and iPads also works very well. It does not work quite as well on Android. It is still perfectly usable on Android, and often works exactly as desired, but it seems Android is less likely to notice a field wants a password than iOS. I don’t know if that is a Bitwarden problem or Android problem. Bitwarden works better on Android than KeePass did, but I switched many years ago, so KeePass may be much better.
If you are completely on either Apple, Chrome+Android, or (maybe) Microsoft+Android, then you can use the manager that comes with the browser/OS, and it is probably good enough, and far better than just trying to remember some things.
Geek time
I host my own Vaultwarden server, which uses the Bitwarden clients and API, but with a backend I control. I really wouldn’t hesitate using and paying for the commercial version, but I already have a cloud instance I use for other things, and putting Vaultwarden on there was very easy. Most of the things my cloud server does I could use a commercial alternative for, but if I already am managing the thing, letting it host one more service is usually easy.
Possibly not wrong, but there are better options. It is definitely no worse than writing them down, and far better than using the same password everywhere. The big downside to an Excel file is that likely anyone with access to your computer can view it, and it doesn’t sync between devices. Unless you have it password protected and stored in the cloud.
So think of a password manager as a password protected Excel file that automatically syncs between devices, but with bonus features. It can autofill username and password fields, it can generate random passwords, it can notify you when passwords are exposed, and other convenient things.
Password managers are also not just for passwords. I store credit card information; images of useful documents like passports, insurance cards, driver’s license, and birth certificates; and encryption keys for my hard drives.
Both of which I do, plus I have all the information you mention stored there as well. I’m not big on having autofill capability, since my phone and work either does autofill, or makes me type in a password each time. I can remember the three or four that I physically have to type in.
I use Bitwarden. Auto sync on all my devices, auto fill in all phone apps and websites, fills in addresses, credit cards, insurance cards etc.
The master data file is in my own cloud account with somebody else. Unlike e.g. LastPass, there is no motherlode of 100 million encrypted password files acting as a hacker magnet.
Someone who only has 1 device and doesn’t use any apps might get by with the PW manager built into a browser. Until that computer dies or is replaced.
The Excel spreadsheet approach reminds me of a 1955 pickup truck. It drives. No heater, no air-conditioning, and no safety features. But if you’re dead set on driving the hard way, it does go from A to B. Leaving a trail of unburnt fuel behind it.
If it’s built into a browser like Chrome, it will work on multiple devices. You just log in to Chrome. I had Chrome on my work PC and laptop and home and it was seamless. Presumably I could get Chrome on my iPhone too.
It sounds like you’re using a combination of the Excel file and your browser/phone’s built-in password manager. If passwords are already filled in, then that is what you’re doing. The most likely risk there is the password manager and the Excel file getting out of sync. Every single person I’ve worked with who does similar has had them get out of sync.
Because a password manager can integrate with the browser, it is best to turn off the browser’s password manager. Then there is nothing to get out of sync with.
Excel password protection used to be pretty bad, but I think it is much better now. Assuming that password is strong, then as long as it is locked, it is probably safe. Of course, if you are in the habit of keeping Excel open to paste passwords, then you’re leaving it unlocked for anyone nearby to view. That might not be an attack you care about, so it might not matter. A password manager can be set up to lock after various periods of time, or stay unlocked (maybe Excel can lock, I’m not sure).
If it is securely encrypted, there were no mistakes in implementing the encryption, and it’s locked with a secure password, then it shouldn’t matter if hackers get it. “If” is doing a lot of work there.
To build off what I was just saying in my previous post:
Pick a password management solution, and stick to it, and only it.
Story 1. For a very long time my wife used a combination of the Apple keychain, the Safari password storage, and Safari on iPhone password storage.[1] It caused a huge amount of frustration, because they would get out of sync, so she never knew what her passwords were, and was constantly resetting them on one device, and not updating the others.
A few years ago she switched to Bitwarden everywhere (except the places where the Apple keychain is required), and has been much happier. Randomly generated passwords just work at all of the places she goes to.
Story 2. The person whose estate I’m dealing with deliberately left behind passwords for me to use. There is a spreadsheet, Bitwarden, and at least two browser password stores. He gave me the spreadsheet, which contained a wrong password for Bitwarden. Fortunately one of the browser stores had the correct Bitwarden password. Passwords may be in any or none of the various places. In many instances it was more useful to think of the password manager as just a list of accounts, and then use the password reset mechanism at the site to gain access.
So, pick something, and use it exclusively.
[1] I think Apple has unified these since it was a problem for her.
We’ve had these conversations before, and I’m in no position to make recommendations since I don’t use any of the modern password managers because I don’t need their features. I’m not concerned about syncing across different devices, and when it comes to auto-populating login screens, I rely on Firefox and Edge to do that, but only for non-critical accounts.
So for me, a password manager is just the equivalent of a written list. I use a very old app that isn’t even offered any more, protected by a master password, and contains all the others. It’s strictly local and kept backed up with the rest of my data plus a copy on another computer. It’s worked well for probably some 30 years, and goes back to the early days of Windows NT where it was considered cool because it was a full-fledged 32-bit app and not a 16-bit one! So yes, I’m more than 30 years out of date in regard to password managers … and loving it!