Password Managers: Do You Use One?

Did you read the thread? The free version has been wonderful. Emphasis on the “has been” part.

About 6 months ago they partly borked it by disabling the security audit feature. Since then you have to have premium to use that feature.

They’ve now announced that starting in mid Mar, you can use the free version on all your PCs/Macs, OR on all your phones/tablets. But not on both. To be able to have access to your PWs on your PC and your phone after mid March you need to upgrade to the premium version.

Of course that use case covers about 95% of all users of free Lastpass. It amounts to an ultimatum: “Pay up, or switch to somebody else’s app; we’re tired of the freemium model.”

I dream of a day when this is viable for me. But I still find myself typing passwords into websites dozens of times a day even with password managers. They either don’t work, I’m bouncing around between browsers and devices, or some website has an asinine password policy. Until these problems go away the biggest security problem will always be reused passwords and subsequent breaches, not brute force attacks on weak passwords.

I just use the one built into Chrome. It requires your Google account password to access on any computer other than your own, and requires you to type in your device account’s password to read them locally. Yes, that includes phones, where you have to use your fingerprint.

It also seems to have a feature that somehow knows what characters its generated passwords can use.

The main downside is that I don’t use Chrome on mobile, and passwords.google.com by default locks you out on other browsers if you had an older account.

But if you just use Chrome, it’s sufficient, I think.

I just wanted to add that with KeePass, since you can keep notes with an entry, I usually put the answers to the questions three that many websites now require for password recovery/authentication when using a new device. I never use actual things about myself and simply choose the first question choice. So “On what street did you grow up?” could have an answer like blue, gobbledygook, or Maximum Effort, which I store in the notes should they ever be asked.

//i\\

That has not been my experience with Lastpass on Chrome on my PC nor on my Android phone.

I can have Lastpass generate & save a decent PW that matches whatever asinine policy any given site wants. The act of updating the PW at a site also updates the corresponding Lastpass entry.

There is more hassling on the phone than on the PC; sometimes Lastpass sees the PW prompt in an Android app and sometimes it doesn’t. But if it doesn’t detect that correctly, then copying the unseen PW from Lastpass and pasting into some app is vastly easier than keying a PW, even an easy one.

It’s now been years since I keyed a website PW other than entering my master PW into Lastpass and having it handle the grubby details.

Passwords are bullshit. What do I care if some Ukrainian stranger reads my email or IMDB or YouTube account or hacks into my access account to read my local newspaper? I use the same simple password for everything, except the bastards who make me use at least one Cyrillic letter or change it every week.

I don’t even care if you know my bank password, because you can’t get in anyway unless they text you a code.

So, seriously, how does a “strong” password protect you?

You can do the same thing with LastPass. I have the security questions and answers stored in the Notes field.

I use 1Password.

As someone who deals with people who have password problems on an almost daily basis, I can’t recommend using a password manager strongly enough. The “I write them down” method sucks. I have clients who have passwords written in notebooks, index cards, scraps of paper, and post-it notes. None of them know their passwords. Also, password managers have an auto-generate function, which makes using strong passwords a snap.

This could potentially make it easier for someone to steal your identity, especially if they have access to your email. They could call the bank and ask them to email your account with info that they could use.

They could get into your Amazon account (or create one in your name) and order thousands of dollars and have it shipped somewhere. By the time you figure it out the goods are long gone.

You will probably be ok but if hackers get your password from a couple of different sites and realize you use the same one you will become a target.

I’ve been looking for a new password. What do you use?

Simple song lyrics or popular phrases, sure.
I’m talking about 100-letter long strings that differ from the way the lyrics are normally published.
And I’m not going to trust the advice of any site that tells me to "write your new passphrase down on a piece of paper and carry it with you for as long as you need." on password security.

My actual master password is not a song verse, though. It’s a collection of very specific terms of art in unrelated fields in more than one language including non-IndoEuropean ones. But it is >50 characters long.

Never used a password manager. Chrome keeps all my usernames and passwords and lets me log on to websites without having to type anything. I have a password master file in Word that is encrypted with a strong password (an anglicized Indic phrase that is almost 30 characters including several special characters and digits). I don’t see how a PM can help improve upon things.

It is possible for someone to get Chrome to display those passwords, depending on how you’ve set up Chrome and Windows (not sure about iOS).

If you’ve truly encrypted your Word file, all well and good. If you just have a password to open the file, that would slow me down by about three minutes.

As an IT person and programmer, I really don’t trust password managers. They are certainly convenient, but with the frequent Internet, Windows, and software vulnerabilities I feel like they are like putting all your eggs in one hackable basket.

I keep my most important passwords like my Google account on paper. Less important passwords I keep in a Google doc, but I don’t store them in plain text, I use a semi-secret notation that leaves some important bits out of every password. For example, maybe I had a cat named Charlotte when I was growing up. If my password for site.com was Charlotte473Z then I would write it as:

site.com C…473Z

And the word Charlotte never appears in the doc anywhere. I also have a system to obfuscate the number too, so 473 isn’t in the actual password. So not totally secure, but obscure enough that a bot isn’t going to get anything, it would take actual human eyes to figure it out.

I do this.

I’ve even “nested” passwords. One of my banks will not use an actual password, only a PIN (different from my cards, but still) so I use randomly generated passwords for the “extra” questions. I also force the bank to require me to use this extra password even on my home computer, just in case someone got into my apartment and tried to access that bank account.

I believe adding a ‘password to open’ automatically encrypts the entire document with that password as the key.

I don’t even know what a “pass word manager” is let alone use one. Mind you, my VCR still flashes “12:00 am” :grimacing:

It’s interesting that nobody in this thread has mentioned using an authenticator app, which is supposed to be safer than getting verification codes via SMS. I haven’t tried one yet, but I’m considering it.

I use Google’s password manager, but it doesn’t work with most of the apps on my Android phone. I also worry about the eggs-in-one-basket problem with password managers, but I don’t know of any better alternatives. For years I kept a list of passwords in a password-protected PDF file, but that grew into an enormous document that was a PITA to update. (And yes, I’m aware that PDF encryption isn’t particularly secure.)

I used to use KeePass, but a few years ago I switched to BitWarden, and have found it much more reliable at inserting passwords into web pages. Hopefully KeePass has caught up. BitWarden is convenient as it means I can securely share passwords with my wife for things like Netflix, but not work related stuff that she has no need to know.

The important thing about a good password manager is that it has (hopefully) been designed by cryptography experts with security as its primary principle, and is actively maintained so any vulnerabilities are quickly corrected. Things like password-protected zip files, PDFs, and others have a terrible record of security. It’s a matter of using the right tool for the job.

I do think notebooks and pieces of paper are a great alternative, if you don’t care about carrying your passwords with you.

I don’t really know what that is, but it sounds like I need internet access to use it (which means less safe, IMO).