Password Managers: Do You Use One?

I do have a list of my passwords written down, but they are partially encoded. For example, if I wrote George###Duck! then I know to substitute the 3-digit street address where I grew up. But if I wrote Corn#####zebRA then I know to substitute the 5-digit zip code of where I work.

You could print it so it’s in the middle of a wordsearch-like grid of characters - you only need to remember where it is on the page - anyone who steals the page would very likely fail to determine which substring on the page is the right one (and if they’re using it to try to log in, flood control would probably shut them out completely before they got close)

And if something happens to the list, like fire or water damage? Or theft. You’ve got your security through obfuscation, but that isn’t going to help you if you don’t have the physical list.

Also, I personally would find it much easier to remember my favourite song than a list of different-length digits.

You are correct, of course, but at my age I trust the paper more than my memory. (I have several favorite songs, depending on my mood.)

I suppose I have to admit that the password managers are probably slightly more advantageous than my methods, but the difference is so minor that I’m just not gonna bother changing. But I do keep my brain open to new ideas, and I’ll be watching this thread for the next day or so. Thanks!

Once you go through the hassle of setting up a manager you’ll wonder at how you got by without it. I have hundreds of secure random passwords for different sites and I don’t know any of them. I only need to remember one.

(As an aside, it’s fine for home use to write down the main password; just make it long. The main use of a manager is to have a different long random pw for every site. That way if someone breaks into, say, Home Depot they won’t learn your bank password. Write it on paper; then it can only be stolen by an intruder.)

For general users I recommend online solutions like Bitwarden or LastPass. They handle most of the complexity for you.

For computer savvy people I recommend KeePass. It takes more work to set it up but it means that I am in complete control. I also use it to store more than passwords, like my passport number and driver’s license picture.

How do you store images or files in there? (Or is that just a locked folder using a Keepass-generated password?)

If you double-click an entry to edit it, the Advanced tab in the dialog lets you attach files.

That is amazing! I’m doing that tonight!

I use LastPass. I just got the memo that they’re forcing you to choose between desktop and mobile on free accounts so I’ve been looking for alternatives but it seems most have already had the same restriction so I might just pay for it.

The main one that is actually free is KeePass. I might try it out for a bit but it’s a little less user friendly and depends on how much time I want to invest. My normal use is the app on home desktop/work, but then I’m also often using strange computers so I use the phone app in these situations. I understand KeePass has a third-party phone app but I don’t know how good it is. I’d rather not have to log into Dropbox or something every time I want to do something.

So far, no one is using any hardware-based managers like the “OnlyKey FIDO2” (highly rated on Amazon)?

I use both Keepass and Lastpass.

Lastpass for most websites because it’s easy. Keepass for financial and my main email account because it’s (I think) more secure.

I use KeepassX on my computers and Keepassium on my phone

Yeah, it’s a nice feature. I store a lot of my legal documents in KeePass because it keeps them secure but easily accessible. You might find it handy to check out KP’s plugin page; there are plugins for handling SSH keys.

I use KeePassXC, which is like KeePass but is cross platform. For Windows in particular, you can download a portable version that will run off of your USB key so that you don’t have to install anything and have access from any machine. On my phone I use Keepass2Android with the key database on my phone so that I can use it there.

Both of the programs tell you upfront: don’t forget your master password, because otherwise there is no way to access your keys. They also recommend that you provide it to someone trusted in case something happens to you, because there is no recovery without it due to the level of encryption used.

//i\\

Another Lastpass user. With some 300 sites & PWs on file. I’ve been real pleased with how it works and how it integrates with various browsers and phones and tablets.

Moving in was easy enough per site, but logging on to 300 sites & resetting their PWs was a big job. Once that was done it’s been trouble free.

I am displeased about Lastpass going to must-pay. But at $27/year it’s hardly a bank-breaking change. I suspect I’ll pay up since the hassle of moving to another manager is bigger than $27…

KeePass definitely takes some work to set up satisfactorily. If you’re a Dropbox user it’s not too bad, but I got tired of paying them. There are a couple of Android solutions that work well; I use KeePassDroid.

The most important thing is to make sure you have adequate backup. My world would come to a screeching halt if I somehow lost my KP file.

I use 1Password. There’s a lot to like about it. I like the fact that I can have folders and access control with other people.

It made onboarding really convenient with my employer, because all they had to do was authorize my account as a member of their org, and then I had access to what I needed (without sharing my private stuff).

I’m no expert, but wanted to say look out for using song lyrics, common phrases, etc. for high-security master passwords. It’s my understanding that these get less secure all the time, even if initials are used. Initialed phrases are becoming part of password-cracking dictionaries.

For instance, your master password might not be some famous phrase like “To be or not to be, that is the question” but “Tbontbtitq” is hardly more secure these days. The same may be true of any published phrase or song lyric.

My Lastpass master password used to be equivalent to Tbontbtitq – initials of an obscure phrase from literature, but still published literature. I’ve changed it to a truly random passphrase using a word list and literal throws of dice, see here:

My master phrase is 7 words long – it makes a very goofy non-sentence, but uncrackable, and at this point I could recite it backwards in my sleep.
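The two posts above contrast an initialism of a published phrase (“Tbontbtitq”) with a dice-generated word-list passphrase. The following is an added worked example, not code from any poster or from LastPass/KeePass, showing how five dice rolls index a standard 7776-word list, how much guessing entropy each word adds, and why the initialism of a quotation is only as strong as the number of quotations a cracking dictionary could hold. The miniature word list and the one-million-quotation dictionary size are constructed assumptions for illustration; the 7776-word (6^5) list size is the real diceware convention.

```python
import math
import secrets

# Real diceware lists have 6**5 = 7776 words, one per roll of five dice.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed 36-word stand-in list (indexable by two dice), used only so the
# example runs offline; a real passphrase must be drawn from a full list.
SAMPLE_WORDS = [
    "acorn", "badge", "cabin", "dairy", "eagle", "fable",
    "gavel", "habit", "igloo", "jumbo", "kayak", "lapel",
    "mango", "noble", "oasis", "pagan", "quail", "radar",
    "salsa", "tabby", "udder", "valve", "wafer", "xenon",
    "yacht", "zebra", "amber", "bison", "cameo", "delta",
    "ember", "fjord", "gecko", "haven", "ivory", "jewel",
]


def roll_index(rolls):
    """Map a tuple of dice values (each 1..6) to a 0-based word-list index.

    Five dice cover 0..7775, exactly the size of a diceware list; the first
    die is the most significant digit, as on printed diceware tables.
    """
    if any(d not in range(1, 7) for d in rolls):
        raise ValueError("each die must show 1..6")
    index = 0
    for d in rolls:
        index = index * 6 + (d - 1)
    return index


def word_from_rolls(rolls, words):
    """Look up the word selected by physical dice rolls."""
    return words[roll_index(rolls)]


def generate_passphrase(num_words, words=SAMPLE_WORDS):
    """Draw words uniformly with the OS CSPRNG, the software equivalent of dice."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def passphrase_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Guessing entropy of a uniformly drawn passphrase: log2(list_size) per word."""
    return num_words * math.log2(list_size)


def initialism(phrase):
    """Reduce a phrase to its initials, as in the 'Tbontbtitq' post above."""
    return "".join(w[0] for w in phrase.split())


def initialism_entropy_bits(dictionary_size):
    """An initialism is no stronger than the pool of phrases it was taken from:
    if a cracking dictionary enumerates dictionary_size quotations (each with
    its initials), the secret contributes only log2(dictionary_size) bits."""
    return math.log2(dictionary_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of list words reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("two dice (1,1) ->", word_from_rolls((1, 1), SAMPLE_WORDS))
    print("example passphrase:", generate_passphrase(7))
    print("7-word diceware entropy: %.1f bits" % passphrase_entropy_bits(7))
    print("initialism:", initialism("To be or not to be, that is the question"))
    # Assumed dictionary of one million quotations (constructed figure).
    print("initialism vs 1M-quotation dictionary: %.1f bits"
          % initialism_entropy_bits(1_000_000))
    print("words needed for 80 bits:", words_needed(80))
```

Each diceware word contributes about 12.9 bits, so the seven-word master phrase from the post above sits near 90 bits regardless of how silly the words are, while an initialism of any published line is bounded by the size of the phrase pool an attacker can compile, which is why the warning about lyrics and famous quotations holds even when only initials are used.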

Checking, it’s $36 per year now, but I agree that it’s an amount I’m willing to pay.

Lastpass has been popping up a reminder that normal price is $36 but it’s $27 in a special deal just for me if I sign up in the next couple of weeks. I’m not special, so I figured that deal applied to pretty much everybody who’s using the free version today. Perhaps I figured wrongly.

This is for the “Premium” version, right? Why that instead of the free version?