Recommend a Good Password Manager/Vault (2017 Edition)

I didn’t want to derail or hijack the conversation in “How easily can a hacker break your password” in MPSIMS, so I thought I would ask the question here and get some feedback.

Can ye recommend a good password manager or vault?

Here are my requirements:

• Must be accessible from Android phones
• Must be accessible from Windows computers
• Must be accessible by at least two people in the same household
• Optionally, would be nice if the tool can keep different sets of passwords (e.g.: his, hers, and ours)

The descending order of price desirability is:

• Free
• One-time cost
• Yearly subscription
• Monthly subscription

1Password

I use keepass with dropbox syncing the vaults. Also has a version for android.

I tried keepass in 2012 or 2013 on my work computer, and hated it. I had it set up so that it was tied in with my browser (Firefox). It would put a big asterisk next to entry fields when you viewed the page.

Unfortunately, “something happened” (I’m not sure what), and the asterisk started to appear next to entry fields that had nothing to do with logging in. Specifically, it started to appear on certain fields within the Ektron Content Management System that I manage. The HTML markup for the asterisk somehow got added to either some underlying Ektron Smart Forms (which are basically data-entry templates) or the actual content items, and the asterisk would show up where it was not needed or wanted.

It took me a long time to root out all the occurrences; in fact, I’m not sure if I have gotten them all.

I don’t think this was necessarily a keepass problem, and may have been more of a problem with Ektron. Either way, I’m a little leery of keepass.

Have you seen anything like this? I might be willing to try keepass again.

I like KeePass. Like leachim, I have used Dropbox to keep the vaults synched.

KeePass…
• works with Android, Linux, Windows (not tried any other OS)
• Can be shared by multiple people
• Passwords can be organized by folders (so you could make a his/hers folder). I think you could make separate vaults if you wanted them secret from each other.
• is free.
• has customizable ‘auto-type’ for sites that do not allow pasting into the password field.

I personally have not seen any strange behavior like asterisks appearing anywhere (but I use Chrome).

It works much better than my previous system of pen and paper, because it is accessible everywhere, and can generate much more secure passwords than I could create.

Admittedly, it is the only one I have used, and I certainly acknowledge others may be better, but I like it fine.

I’ve never used any of the browser integration plugins for keepass. Just the base application and autotype works well for me in most cases.

Thank you for the responses. I will certainly look at keepass again, as well as 1password.

Yay, someone made a thread so I don’t have to!

I have similar requirements as the OP, except I don’t need 2 users. I tried LastPass* just yesterday and see that it needs you to install an (unobtrusive) browser plugin. However, I use multiple computers at work, and I might not always have admin access. How crippled or non-secure are these options, like if I forget to log out?

I guess with KeePass, you’d need to memorize at least 2 passwords (Dropbox and theirs)?

*Free, or Premium is $12/year, though so far (and again it’s new), I don’t think I have a need to pay.

I’ve been using Lastpass for a month or so. I don’t think it’s required to install the browser plugin, as I used the website to retrieve a password when I was borrowing my mother’s computer (which does not have the plugin installed). It depends on how you want to use the password manager. If you just want to store passwords, browser access is sufficient. If you want to have the program automatically enter the password, some sort of plugin is necessary.

And I paid for the software, so I can access it from my phone as well as my PC.

By the way, after going through the process of entering all of the passwords in the Lastpass vault, I learned just how many I have. It comes to eighty or ninety, although I also used the vault to store personal data aside from passwords.

I’ve used LastPass for the past 3 years or so; I couldn’t live without it. I use the phone app when I’m at a different computer (without the browser plugin) and need to look up a password.

It also allows you to store secure notes, so I keep things like family SSNs, safe combinations, and other things in there, too.

Finally, I respect their “security challenge” feature, which points out instances across all your login accounts where you have weak or duplicated name/password combos.

I second this.

  1. Syncs on Android, iOS, Windows, Mac (mine is set up via DropBox, but you can also use OneDrive)
  2. Allows multiple vaults - work, home, etc. They also have a family and team plan available
  3. Password generator
  4. Wallet (for credit cards)

I only use it with Firefox and Chrome, and the plug-in works well with most websites. However, last year I put some of my high use passwords in a secure note, which works just as well.

You can log into lastpass from anywhere and it does not require browser install. I’ve been using it for years and I like it.

What I did was just save a non-synched version of my vault on my home hard drive + backup drive. So I only memorized my KeePass passphrase. That way if I ever got locked out of my dropbox for some reason I could at least fall back to one of my older files to obtain the Dropbox password. Also, my dropbox folder will normally have the last version. But you could just remember 2 passwords if that works for you.

I tried KeePass first, and the way I use it, I do not use any of the plug-ins. I just open KeePass and copy and paste or use the auto-type rarely. This works for me and I’m happy with it, but I could understand that some may find it clunky.

Another vote for LastPass. It’s excellent.

I only use it on the desktop since I could leave my phone somewhere and there would be X minutes before the screen locks.

I have been using LastPass for a couple years. I’ll concur that you don’t need a plug-in. But, for your main computer at least, it makes things easier. As Dewey Finn said, if you’re on another computer you can just access LastPass through the web.

It’s free for your desktop and laptop computers but it’s $12 a year if you want to use it on your phone. I didn’t think I would need that at first but have since found that I want that functionality on my phone, too, and it’s worth the nominal price for the security it offers.

Regarding an issue thelurkinghorror raised: If you don’t log out then, IF YOU ARE USING THE PLUG-IN, someone who uses the computer after you could have access to your websites. But closing the browser should close the plug-in even if you don’t log out.

IMO, whether you’re using a password manager or not you should at least close the browser, if not log-out or turn off the computer any time you’ve finished using a public computer.

Another thanks to the OP; I’ve almost posted this same Q a couple times in the last month or so.

+1 on this now that they’ve finally implemented the Android version. Previously, they only had a reader version for Android: you had to create passwords on Windows or on iOS, then the Android version could download them via Dropbox.

Re Dropbox usage: your vault is secured first by your master password, then by Dropbox’s security. So if someone hacks your Dropbox account, they can get your password files but those are encrypted as well, so they aren’t much use unless a brute force or dictionary attack succeeds.

It’s a one-time purchase for the handheld, and a separate one-time purchase for the Windows client. You have to use the Windows version once to get the Dropbox synching to work, but you can just download the trial version, use it, and not use it again if you don’t care to spend the cash for that version.

I’m going to log another vote for 1Password. We bought a family plan and have been gradually converting parents and kids to our account (since it’s us they’d turn to for support when they get hacked).

I don’t use it for work since my company prohibits access to password managers. I understand why they don’t allow them in general (they’d need to verify that all available password managers met our security standards and would need to audit them regularly to maintain our security) however I think that once one of these companies breaks into corporate licensing it’s going to make multi system security at work a whole lot easier.

Ah yes, corporate usage. My company has a list of third party software that we are permitted to install on our personal workstations. Some stuff is excluded due to licensing issues but 1Password and some of the other tools are allowed. The company doesn’t support it, but we’re permitted to use it at our own expense.

So, that’s something to check into if you have a work computer and are allowed to install your own stuff on that computer.