Let's talk about password managers

I have been a LastPass fan for years. I have a Family account with four adults dependent on my knowing their master passwords. :rofl: This conversation may finally motivate me to wean the kids out onto their own! But my husband and I definitely will need to share some passwords; he’s hopeless. Are there better managers that are good at that stuff? Where I can update a password and it will get updated in his manager as well if we share the record?

When my late wife and I used LastPass we just had one LastPass single-user account and dumped all of joint and separate passwords and factoids in that one. We both knew the single login and single master password.

It helped of course that we kept no secrets from each other.

I just got Chrome for iPhone. Holy shit it is so much faster and better than Safari that I can barely believe it. I downloaded it and it immediately knew who I was and had all of my passwords that the laptop has, probably because I have Gmail on the phone.

Yes, it has all the passwords that are held within Chrome because of your Google/Gmail account.

But I don’t think it will have passwords that are specific to any of the apps on your phone. Which, I believe, a good password manager will track and save. Am I correct in this assumption?

You are. Those all use FaceID.

Once I started to use a password manager, it was easy to make different, long passwords for every site and service. So now there are dozens in there, plus lots of other stuff: passport number, driver’s license number, travel loyalty program account info, software license keys, etc.

Which one do you use? Do you recommend it?

I use LastPass, since before their security incidents. I thought about switching after them, but haven’t yet. It is a bit scary just how much private data is stored in my account.

Bitwarden lets me do that, but I don’t think on the free plan. You can have passwords that are only yours, and passwords that are shared with other users. There is also the concept of an emergency user, that can access all of your passwords if you are unable to.

I share with my wife and kid passwords for Netflix and stuff like that. If one of us changes the password, it changes for all of us.

I think I have it set up so I can access all of my kid’s existing passwords, but they could create new ones that aren’t shared with me.

Sharing in Bitwarden is a bit complicated with organizations, vaults, and folders as similar concepts, but with different purposes. I think 20 minutes reading the docs would probably clear it up for me, but that’s crazy talk.

I expect other password managers have family or small business plans that have similar capabilities.

Just for the hell of it, I’ll mention the system I use, although I would not recommend it for anyone else. I wrote a program that takes a master password and a domain name, hashes their concatenation using a cryptographically secure hash (SHA-256) and uses the resulting hash to generate an alphanumeric password. When I need to generate a new password, I run the program and give it the domain name of the site, and it spits out a password that I copy/paste into the browser. The process is identical if I want an existing password. The nice thing about this system is no passwords are stored anywhere, not locally and not in the cloud, not even in encrypted form. An attacker can’t get access to my password vault because there is no such thing. Even if they get a copy of the program, it does them no good without the master password, which is not stored anywhere except in my brain.

I designed this system before password managers existed and before there was any secure cloud storage. It’s rather archaic nowadays and as I said, I don’t recommend anyone else use it. But it works for me.

How does your app handle needing to generate a different updated PW for some existing site?

Or where the company reorgs their website and now you login at www.consumer.example.com instead of the previous www.login.example.com?

I didn’t want to get into too much detail, but since you asked…

For updating passwords, I have a small config file that assigns a “version number” to some domains. The version number is hashed along with the master password and domain. Most domains aren’t listed in the file so their version number is empty. When a site asks me to change my password, I just increment the version number for that site in the config file. I do have to carry this config file around to each machine that runs the program, which is a disadvantage.

For your second question, the “domain name” I use is just the second level part. So for www.amazon.com, I use “amazon”, and for www.consumer.example.com, I use “example”. Companies essentially never change their second level domain name, and in the exceedingly rare situation that one did, I’d need to change my password on that site.

ETA: Oh and before you ask, the passwords that it generates are 12 chars long and have an uppercase letter, a lowercase letter, a number and a symbol. Occasionally I run across a site that frustratingly doesn’t like that format, so the config file also allows tweaking the format for a particular domain.
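The stateless scheme described in the posts above (SHA-256 over master password, second-level domain and optional version number, mapped onto a 12-character alphanumeric password with one of each character class), written out as an added example; this is not the poster’s program. The `CONFIG` dict, the key names `version`, `length` and `symbols`, and the counter-based retry are assumptions of this example.

```python
import hashlib
import string

# Constructed stand-in for the poster's config file (not their real file):
# optional per-domain "version" plus assumed format tweaks "length" and "symbols".
CONFIG = {
    "example": {"version": "2"},
    "legacy": {"length": 16, "symbols": False},
}
SYMBOLS = "!@#$%^&*"


def site_key(hostname: str) -> str:
    """Second-level label, as the post describes: www.consumer.example.com -> 'example'.
    Caveat: for hosts under suffixes like .co.uk this rule yields 'co'."""
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def _chars_from_digest(digest: bytes, alphabet: str, length: int) -> str:
    # Treat the digest as one big integer and convert it to base len(alphabet); this
    # avoids the modulo bias of mapping single bytes onto a 70-symbol alphabet.
    # One 256-bit digest yields about 41 base-70 characters, so keep length <= 40.
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(out)


def derive_password(master: str, hostname: str, config=CONFIG) -> str:
    key = site_key(hostname)
    opts = config.get(key, {})
    version = str(opts.get("version", ""))  # empty for domains not in the config
    length = int(opts.get("length", 12))
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits]
    if opts.get("symbols", True):
        classes.append(SYMBOLS)
    alphabet = "".join(classes)
    # Re-hash with a counter until every required class appears. The counter is part
    # of the input, so the same master/site/version always yields the same password.
    for counter in range(256):
        material = f"{master}\x00{key}\x00{version}\x00{counter}".encode()
        candidate = _chars_from_digest(hashlib.sha256(material).digest(), alphabet, length)
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate
    raise RuntimeError("no candidate matched the required format")


if __name__ == "__main__":  # usage: python derive.py www.example.com
    import getpass, sys
    print(derive_password(getpass.getpass("master password: "), sys.argv[1]))
```

Because plain SHA-256 is fast and there is no salt, the whole strength of this scheme is the entropy of the master password: anyone holding one derived password can test master-password guesses offline at hash speed. Swapping in a slow, memory-hard KDF such as scrypt or Argon2 for the hash step would make such guessing far costlier without changing anything else.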

A friend of mine insists that hardware keys are the only way to go, even if you’re using a password manager (and I think they all support hardware keys). He swears by Yubikey https://www.yubico.com/

I just use a regular password manager, LastPass. I’ve considered dumping it since the hacker issues, but it’s pretty daunting to move to a different one. I have hundreds of passwords that would have to migrate. It’s a dilemma. I’ve of course changed a bunch of critical passwords since.

I migrated from LastPass to 1Password after the hack. Export, import, done. Super-easy.

I am using BitWarden with a long master password and a hardware security key for most passwords. For banking sites, my passwords are on paper only.

I used to use LastPass but moved to BitWarden and changed all of my passwords (which was a bit of a project) after they were compromised.

Using an Excel file is not ideal. There is no two-factor authentication and nothing to slow down retry attempts (Bitwarden has Captchas and rate limiting to prevent brute forcing.)

I switched from LastPass to BitWarden about a year ago. Took about 10 minutes total to install the app, perform an export from LastPass, then an import into BitWarden. And 2 of those minutes were reading the instructions.

The transition is not an obstacle. Really. Some muscle memory needs to change, but that’s easy.

One of the big advantages to BitWarden is you can explicitly tie your various phone apps to BitWarden entries. I found LastPass often sucked on recognizing which Android apps went with which login records. Total non-issue with BitWarden; it just works.

It’s also far smarter about dealing with situations where you have multiple logins, perhaps from a 3rd party authentication service, leading to different websites. LastPass still doesn’t handle that gracefully. BitWarden does.

That, plus free, no hack history, and no motherlode of PW files attracting thieves planet-wide make it a total no-brainer. For me.

Same here. BW is not as integrated into web browsers as LP was, but that’s probably a good thing. I use the DuckDuckGo browser which might also be a factor in that. A couple of extra clicks is no big deal.

BitWarden has nice extensions for both Chrome and Firefox. I don’t think browser integration is an issue for most users.

And because Bitwarden has a Chrome extension, that same extension also does Edge.