Password management software

WinRemmerswaal

Well-Known Member
Lifetime Member
SoSH Member
Feb 21, 2002
290
I searched the first couple of pages in this forum and TBLTS and don't see anything within the past year+ on the topic of software to manage passwords. A friend recommended KeePass and AnyPassword as good options, but thought I would look also to the collected wisdom of SoSH.
 
Anyone have a program/solution for password management that you find especially good or that you would avoid?
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
I use mSecure, but I'd probably switch to 1Password if it didn't mean re-buying everything.
 

Jer

New Member
Jul 17, 2005
278
Boston, MA
I use LastPass and I'm satisfied. I can't compare to others because it's the only solution I've tried.
 

Jimy Hendrix

Member
SoSH Member
Jun 15, 2002
5,846
Big fan of 1password on all my Apple stuff (Mac, phone, tablet); can't speak to the quality of their Windows & Android stuff but I know they're at least supported. What platforms are you running?
 

Mugsy's Jock

Eli apologist
Lifetime Member
SoSH Member
Dec 28, 2000
15,069
UWS, NYC
I have a hard time breaking away from the notebook locked in a drawer... but I guess it's time to take the leap.
 

bohous

Member
SoSH Member
Jul 21, 2005
4,418
Framingham
I was just researching this myself and it seems like 1Password and LastPass get the bulk of the favorable reviews. I already had my passwords stored in a free version of the Keeper app on my phone so I just upgraded it to a single user account and it does everything I need it to do. Works well across all 3 platforms I use (PC/Mac/iOS). Honestly I don't know what additional features 1Password offers that justify the premium.
 

WinRemmerswaal

Well-Known Member
Lifetime Member
SoSH Member
Feb 21, 2002
290
Mugsy's Jock said:
I have a hard time breaking away from the notebook locked in a drawer... but I guess it's time to take the leap.
See, this is 100% where I am now (except that I have a stack of individual pieces of paper from memo pads locked in a drawer), which is why I definitely need the help
 
In terms of platforms, I have Windows PC for my work desktop and laptop and use an iPhone, so something versatile makes sense.
 
Thanks for the replies, will wait a couple days in case others have input and give one of these a try, then will report back in case Mugsy or other Luddites want to follow me.
 
Sep 13, 2013
97
Have a look at KeePassX:
 
https://www.keepassx.org/
 
It's an open source application that reads/writes the KeePass database format.
 
Windows/OS X/Linux, free as in beer, free as in speech.
 
There are Android and iOS apps that read/write the KeePass format, so mobile support is there.
 
You can sync by storing the (encrypted) password db on Dropbox/Google Drive or equivalent.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
Tangled Up In Red said:
KeePass does the trick for me. Locked to a single machine.
But I'm hardly a security expert.
 
I am a security expert, and KeePass is great. Highly recommended. The only issue is, as you point out, locked to a single machine (not really though - you can use either of the options mentioned above, keep your kdb file in a dropbox folder or use keepassx).

LastPass is also good.
 

Corsi

isn't shy about blowing his wad early
Lifetime Member
SoSH Member
Dec 3, 2010
12,955
Boston, MA
Another vote for 1Password.  We're required to use it for all our logins at work and I've found it super helpful and easy to use.
 

AlNipper49

Huge Member
Dope
SoSH Member
Apr 3, 2001
44,851
Mtigawi
Joe Sixpack said:
 
I am a security expert, and KeePass is great. Highly recommended. The only issue is, as you point out, locked to a single machine (not really though - you can use either of the options mentioned above, keep your kdb file in a dropbox folder or use keepassx).
LastPass is also good.
 
The one thing that sucks about dropbox is that if you leave it open on another machine.  I'm usually pretty good at closing it but when I don't and open it on another machine it spawns a shit ton of conflict thingies in dropbox.
 

WinRemmerswaal

Well-Known Member
Lifetime Member
SoSH Member
Feb 21, 2002
290
AlNipper49 said:
 
The one thing that sucks about dropbox is that if you leave it open on another machine.  I'm usually pretty good at closing it but when I don't and open it on another machine it spawns a shit ton of conflict thingies in dropbox.
That is exactly what I was wondering about. I am not very tech-savvy as the opening post makes clear, but use dropbox to manage some shared projects and conflicted version issues have occasionally been a pain in the ass for routine documents. My concern is that a conflicted version problem for your password database could really screw you up. Am I right to be concerned about that, or is it more just a nuisance that will add a lot of needless files to your dropbox folder?
 

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,428
Harrisburg, Pa.
I probably should get this instead of a bigass Excel spreadsheet on my desktop. Can anyone explain how 1Password works exactly? We are all Mac (iPads, iMacs, iPhones). I'm a little suspicious of one file that puts all my passwords in it that's in the cloud and potentially hackable like every other fucking company on earth has been hacked in the past year or two.
 

Scott Cooper's Grand Slam

Member
SoSH Member
Jul 12, 2008
4,263
New England
canderson said:
I probably should get this instead of a bigass Excel spreadsheet on my desktop. Can anyone explain how 1Password works exactly? We are all Mac (iPads, iMacs, iPhones). I'm a little suspicious of one file that puts all my passwords in it that's in the cloud and potentially hackable like every other fucking company on earth has been hacked in the past year or two.
 
I'm a 1Password user as well. Love it. I'm not a security expert, but I've tested LastPass, KeePass, and Dashlane. 1Password is the only one I use -- emphasis on use. LastPass, KeePass and Dashlane are all functional, but 1Password is easy. Its interface is clean and clear. It gets out of your way, and it's a pleasure to use. Its "extra" features (like Secure Notes, a Secure Browser on mobile, and a wallet for your software licenses) are all things I thought I'd never use, but now find indispensable.
 
1Password mini (the browser extension) and integration with Alfred make it really efficient on desktop.
 
If you want to know how it works, I'd recommend reading the 1Password site, some reviews, and the AgileBits blog. I know that's not a very helpful answer, but it's worth reading into. I think you'll find that AgileBits is credible and transparent, two things I want from security companies.
 
The one thing I'll point out is the bolded: They feel your pain, and so syncing without the cloud is an option now. Syncing can be done with iCloud, Dropbox, or if you prefer to leave the cloud out of it you can sync your file from Mac to mobile (or Mac to Mac) through wifi.  
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
AlNipper49 said:
The one thing that sucks about dropbox is that if you leave it open on another machine.  I'm usually pretty good at closing it but when I don't and open it on another machine it spawns a shit ton of conflict thingies in dropbox.
This is actually the thing that's kept me on mSecure - they use an atomic sync with dropbox so history is preserved and there are no conflicts.


LegacyR said:
I use LastPass in combination with a YubiKey for two-factor authentication.
I tried a YubiKey, but I have too many auth codes for it and I only carry one key with me so a ring with stuff on it would be weird. It's great if that doesn't apply to you, though - much easier than Google Authenticator.
 

TFP

Moderator
Moderator
SoSH Member
Dec 10, 2007
20,380
Just migrated to 1Password as a result of Heartbleed. Seems to be easy to use, kind of a pain to get everything set up though, in the sense of having to go to all my websites and replace the passwords.
 
Are there any tips to using on iOS? When going to websites or apps, I don't see any way to auto-fill the passwords. Is it just that you have to go into the app, copy the password, and then paste into where you're going every time? Or am I missing something?
 

Bunt4aTriple

Member (member)
Silver Supporter
SoSH Member
Jul 15, 2005
4,347
North Yarmouth, ME
I know I'm just going to have to download a free trial, but I have a couple of questions, specifically about 1Password and Dashlane.
 
  • Do you have to go and manually change your password at each site by copying/pasting?
  • Our setup would be a work PC for me and one for my wife, her iPhone and iPad and my android phone.  Do the premium licenses cover all of these devices?
  • What happens if I'm logging into a random PC, like in the business center at a Hilton Garden Inn?  Will I be able to log into gmail to print a document?
 

Jimy Hendrix

Member
SoSH Member
Jun 15, 2002
5,846
The Four Peters said:
Just migrated to 1Password as a result of Heartbleed. Seems to be easy to use, kind of a pain to get everything set up though, in the sense of having to go to all my websites and replace the passwords.
 
Are there any tips to using on iOS? When going to websites or apps, I don't see any way to auto-fill the passwords. Is it just that you have to go into the app, copy the password, and then paste into where you're going every time? Or am I missing something?
 
For apps, unless anyone has a trick I'm not aware of, it's copy/paste.
 
For websites, there's actually a browser built into the 1password app you can use. Also, if you're on a website in Safari, adding "op" to the front of the "http" in the site url will bounce you over to the 1password app and autoload that site.
 
If it's a site like SoSH where we want to be logged in all the time in our main Safari/browser of choice, then we're back to copy/paste.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
If your phone/computer (and, for Chrome users, your Chrome sync data) is encrypted, it's safe to just store your passwords in the browser and use 1Password for re-auth.

FileVault on Mac and BitLocker on Windows are both pretty good and the perf hit is minor (especially on SSDs; every Mac user should do it).
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
Blacken said:
If your phone/computer (and, for Chrome users, your Chrome sync data) is encrypted, it's safe to just store your passwords in the browser and use 1Password for re-auth.

FileVault on Mac and BitLocker on Windows are both pretty good and the perf hit is minor (especially on SSDs; every Mac user should do it).
 
Storing passwords in your browser is not safe. Please don't do this.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Joe Sixpack said:
Storing passwords in your browser is not safe. Please don't do this.
This is cargo-cult repetition. My machine uses a 14-character password, the disk is encrypted with FileVault, and my browser monitors CRLs.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
Blacken said:
This is cargo-cult repetition. My machine uses a 14-character password, the disk is encrypted with FileVault, and my browser monitors CRLs.
 
I don't know what "cargo-cult repetition" means.
 
However, I don't really care about your machine having FileVault disk encryption and your browser monitoring CRLs because it's irrelevant to the point you made above. That wasn't the advice you were giving others. Here is what you said:
 
 
If your phone/computer (and, for Chrome users, your Chrome sync data) is encrypted, it's safe to just store your passwords in the browser 
 
It is not safe to store passwords in your browser. There are major security problems with Chrome's password storage. Telling people it's safe is just plain wrong.
 

Monbo Jumbo

Hates the crockpot
Lifetime Member
SoSH Member
Dec 5, 2003
25,231
the other Athens
Hmmm.
 
Okay - I've never used password mgt software - sounds like it's time.  Reading the thread, seemed like 1password is the way to go.  I'm a windows/android user. The reviews on the 1password Android app are pretty bad. What's the best choice for a windows+android user?
 

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,428
Harrisburg, Pa.
Lastpass, probably.

I never did get one, but now will. I'm honestly confused about how I can use them between my imac, iPhone and iPad. My biggest thing is having the list available on all three - I have far too many pw places to remember. :/
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
Joe Sixpack said:
It is not safe to store passwords in your browser. There are major security problems with Chrome's password storage. Telling people it's safe is just plain wrong.
You're going to feel really stupid when you go research this. Thought you should know.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
Blacken said:
You're going to feel really stupid when you go research this. Thought you should know.
 
Thanks...very informative response. I guess you've convinced me!
 
I work in the security field, so I have a pretty decent idea of the situation and I've done my research. The condescending remarks are not necessary nor helpful.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,152
OK, sure, why not.

You are technically, but mostly meaninglessly, correct. There is a place where Chrome's password storage is vulnerable. That place is when you're logged in and allow access to an application that will use your user credentials to decrypt it (Keychain on Mac, CryptProtectData on Windows, who-cares on Linux). Anything that can access the Login Data database can already fuck with anything else it wants to; on either Windows or Linux (OS X requires you to enable things in Universal Access, and AFAIK that can't be done without user participation) you can already hook the keyboard and just pick the password vault's passphrase when you enter it--and it'll be trivial to figure out what it is because you'll enter it repeatedly through a day, like any other password.

So, yeah, it's "insecure", except that there's no attack vector worth considering that you don't already implicitly allow breaking your password vault by giving something the ability to read locally. The only serious argument against using Chrome password storage is security by obscurity, and if you want to rely on that that's cool, but I'd rather just not do stupid shit with my machine.

(There is a good reason to use 2FA with your vault, and that's an argument against using browser storage. But the ease-of-use for 2FA with a password vault is somewhere around fuck-all, and I won't recommend it because then people won't use the vault.)
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
Blacken said:
You are technically, but mostly meaninglessly, correct. There is a place where Chrome's password storage is vulnerable. That place is when you're logged in and allow access to an application that will use your user credentials to decrypt it (Keychain on Mac, CryptProtectData on Windows, who-cares on Linux).
gnome-keyring on Gnome/Unity/xfce, kwallet on KDE.

The former supports 2FA for access to the vault, while continuing to work transparently as browser storage.
 

ScubaSteveAvery

Master of the Senate
SoSH Member
Jul 29, 2007
8,329
Everywhere
canderson said:
Lastpass, probably.

I never did get one, but now will. I'm honestly confused about how I can use them between my imac, iPhone and iPad. My biggest thing is having the list available on all three - I have far too many pw places to remember. :/
 
1Password syncs to all of your mac products using iCloud. 
 
I signed up for 1Password the other day.  I had thought about it for months but the Heartbleed stuff finally persuaded me.  So far it's very intuitive and I'm kinda surprised it took me this long to use it. I'm curious to see how well it integrates with my work stuff, which is a Windows machine. But so far I'm a big fan.
 

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,428
Harrisburg, Pa.
ScubaSteveAvery said:
 
1Password syncs to all of your mac products using iCloud. 
 
I signed up for 1Password the other day.  I had thought about it for months but the Heartbleed stuff finally persuaded me.  So far it's very intuitive and I'm kinda surprised it took me this long to use it. I'm curious to see how well it integrates with my work stuff, which is a Windows machine. But so far I'm a big fan.
My friend says he thinks the Windows platform is actually better than the OSX one, so it should work well.
 
With it, let's say I want to log in to SOSH on Safari and have the password be 485te8239345584 or whatever - something I can't remember. It seems like I have to open it in the 1Password browser - my lack of understanding comes from how do I get Safari to know all the passwords then? Or for the SOSH app, how do I get it to login since it's not a browser option really? Just open the 1Password app, go find the site, copy/paste and be done with it?
 

ScubaSteveAvery

Master of the Senate
SoSH Member
Jul 29, 2007
8,329
Everywhere
canderson said:
My friend says he thinks the Windows platform is actually better than the OSX one, so it should work well.
 
With it, let's say I want to log in to SOSH on Safari and have the password be 485te8239345584 or whatever - something I can't remember. It seems like I have to open it in the 1Password browser - my lack of understanding comes from how do I get Safari to know all the passwords then? Or for the SOSH app, how do I get it to login since it's not a browser option really? Just open the 1Password app, go find the site, copy/paste and be done with it?
 
On the phone, this is my understanding.  You can either use the 1Password browser or copy/paste.  On a desktop/laptop, there is a browser extension that fills in all the information for you.  So for instance, when I get to the SoSH log in page I just click the browser extension, it recognizes that I'm on SoSh and pulls up an icon that you just click on.  Once you click on it the information auto-fills and you get logged in. 
 
When you first visit a site and log in, you can save your initial log in.  I usually go into 1Password and confirm that my user name and password are correct.  Then I go to the new site's profile page and use the password generator to generate a new password.  Once you save the new password, 1Password auto prompts you to 'save over' your old information in 1Password.  Click save and all the information will be saved. 
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
Blacken said:
OK, sure, why not.

You are technically, but mostly meaninglessly, correct. There is a place where Chrome's password storage is vulnerable. That place is when you're logged in and allow access to an application that will use your user credentials to decrypt it (Keychain on Mac, CryptProtectData on Windows, who-cares on Linux). Anything that can access the Login Data database can already fuck with anything else it wants to; on either Windows or Linux (OS X requires you to enable things in Universal Access, and AFAIK that can't be done without user participation) you can already hook the keyboard and just pick the password vault's passphrase when you enter it--and it'll be trivial to figure out what it is because you'll enter it repeatedly through a day, like any other password.

So, yeah, it's "insecure", except that there's no attack vector worth considering that you don't already implicitly allow breaking your password vault by giving something the ability to read locally. The only serious argument against using Chrome password storage is security by obscurity, and if you want to rely on that that's cool, but I'd rather just not do stupid shit with my machine.

(There is a good reason to use 2FA with your vault, and that's an argument against using browser storage. But the ease-of-use for 2FA with a password vault is somewhere around fuck-all, and I won't recommend it because then people won't use the vault.)
 
Thanks for explaining this time...In reference to your earlier comment, no, I still don't feel stupid.
 
There is a measurable difference in the security level of Chrome's password storage and someone using a password vault. Saying that someone with physical access to a machine could just install a key logger, so who cares what other security is in place, is along the same lines as Google's argument for not protecting the password storage at all, prior to version 33 a few months back, and it's a faulty line of reasoning from my perspective.
 
Now they've got it protected with the Windows login, which is sort of better than it was before, I guess. But a large number of users still don't use a Windows login password. And I wasn't able to turn up what sort of encryption/protection, if any, is provided by the new access control. I did find at least one report where someone mentioned that any valid Windows login would grant access to all passwords across all users on the machine, which is kind of alarming, if true. 
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
I'm not sure where you're pulling the "a few months back" thing from.  Chrome has used the platform's password vault for a decade plus (at least on my platform). If you don't trust that, you shouldn't trust your OS in general.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
SumnerH said:
Chrome has used the platform's password vault for a decade plus. If you don't trust that, you shouldn't trust your OS in general.
Chrome left the browser's saved passwords completely unprotected prior to version 33 which came out a few months ago. Anyone with physical access to the machine could read all the passwords for all users.
 
See the following for more info on this:
http://blog.elliottkember.com/chromes-insane-password-security-strategy
http://siliconangle.com/blog/2013/11/05/google-finally-boosts-chrome-security-with-password-manager-protection/
http://www.tomsguide.com/us/chrome-security-password-saver,review-1840.html
http://www.wired.com/2013/08/chrome-password-manager/
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
Joe Sixpack said:
Chrome left the browser's saved passwords completely unprotected prior to version 33 which came out a few months ago. Anyone with physical access to the machine could read all the passwords for all users.
 
This is false.  Chrome has used Gnome keyring for password storage since version 6.  A decade might overshoot, but it's been many years.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
SumnerH said:
My bad, keyring support was added in version 6 but it didn't become default until version 12.  Still years ago, but more like 2010ish.
 
https://code.google.com/p/chromium/wiki/LinuxPasswordStorage
 
I don't know if Chromium is different than Chrome in this case. But Chrome's passwords were visible to anyone on the machine with no protection at all until late 2013 and this was well documented in the links I posted above and about a million other locations online if you do some searching. 
 
From the Wired article:
 
There’s much gnashing of teeth today over the discovery that Google Chrome lets you — or anyone using your computer — see the plaintext web passwords stored by your browser.
This isn’t a security bug. It’s Chrome’s documented behavior, and has been all along. But an outraged blog post highlighting the issue yesterday by U.K. software developer Elliot Kember was picked up by Hacker News, thrusting Google’s security choices into the limelight.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
Joe Sixpack said:
 
I don't know if Chromium is different than Chrome in this case. But Chrome's passwords were visible to anyone on the machine with no protection at all until late 2013 and this was well documented in the links I posted above and about a million other locations online if you do some searching. 
 
From the Wired article:
 
You're wrong.  Chrome is built from the same source tree as Chromium; the differences are only in Flash player and a few proprietary things (the old builtin PDF viewer, etc).  Password encryption for Gnome and KDE landed in patch r50475 in version 6 and was activated by default in version 12.  
 
I've personally been using it for years, whatever links you're referencing are certainly wrong if they claim it's only been around for a few months.
 
EDIT: That Wired article only references Windows, which is a different story; they didn't even have a password manager until c. 2011 so it's not surprising it took a year or two for Chrome to support it there.  That's on the OS, not the browser.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,441
Canton, MA
SumnerH said:
 
You're wrong.  Chrome is built from the same source tree as Chromium; the differences are only in Flash player and a few proprietary things (the old builtin PDF viewer, etc).  Password encryption for Gnome and KDE landed in patch r50475 in version 6 and was activated by default in version 12.  
 
I've personally been using it for years, whatever links you're referencing are certainly wrong if they claim it's only been around for a few months.
 
EDIT: That Wired article only references Windows, which is a different story; they didn't even have a password manager until c. 2011 so it's not surprising it took a year or two for Chrome to support it there.  That's on the OS, not the browser.
If you look at any of the links I posted you'll see that it was both Windows and Mac. So not really an OS issue. And something that impacts about 99% of all users.

The evidence is out there so I would suggest actually spending 1-2 minutes looking at the links I posted rather than simply dismissing it as wrong.

Google themselves admitted this and then changed the behavior in version 33 which came out in late 2013.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,885
Alexandria, VA
Joe Sixpack said:
If you look at any of the links I posted you'll see that it was both Windows and Mac. So not really an OS issue. 
 
By "not really an OS issue" you mean "absolutely an OS issue, and unrelated to the OS we've been discussing for the last 7 posts."
 
Obviously if you use the OS keyring, you wouldn't have encryption on Windows before Windows had an OS keyring.