Password Managers

plasmatic-d
Posts: 1
Joined: Sat Jun 17, 2017 2:29 pm

Re: Suggestions for password storage services?

Post by plasmatic-d » Sat Jun 17, 2017 2:58 pm

TomatoTomahto wrote:It doesn't get much love on BH, but I've been happy with RoboForm. Keeps my passwords, credit cards, passport and FF info, address, DL, etc., ready to fill in forms. Works on my Windows 10 PC, MacBook, iPad, iPhone, and my wife gets a copy also.
+1.
I've used RoboForm Pro for 6+ years and the unpaid version for several more. Love it love it.

Major wins with RoboForm:
1) Access to all of your passwords stored on your PC using RoboForm is permitted with your one password you memorize. It re-locks on your request, so guests can use your PC without exposing your bank password, etc. Or, if your house is secure, you can leave it accessible all day, or perpetually.

2) Your passwords can be stored on-line in their cloud, fully encrypted, AES 256 bit. VERY safe. So if you should have an unfortunate hard drive failure or worse, all is not lost. I *have* used this feature, more than once.

3) Plain-text SafeNotes can also be stored encrypted! Everything from your VINs to margarita recipes. Passport numbers. Medical info. Credit card numbers of cards in your wallet with if-lost phone numbers. Brokerage account numbers. Bank routing numbers and account numbers.

4) Automatically updates all your devices (RoboForm Everywhere). A changed password etc. syncs on my laptop, my desktop, and my phone.

5) Automatically integrates with Firefox, Chrome and IE. Offers to save new login / passwords automatically when you visit a new site.

6) Easy to use. (Probably should have led off with this one!)

7) Paid version allows more than 10 logins, and is priced VERY reasonably. I currently store unique login/passwords for nearly 200 websites and forums, all with unique passwords I no longer have to remember. And RoboForm has a built-in password generator to create those for you (like this one I just generated: g4o84@92rbic9 ) with as much or as little complexity as you wish, special characters, length, etc.

My little disclaimer: I'm a happy user of RoboForm Pro Everywhere, and have no affiliation whatsoever.

LadyGeek
Site Admin
Posts: 41674
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Password Managers

Post by LadyGeek » Sat Jun 17, 2017 3:02 pm

FYI - I merged ImNotABot's thread into here, which is a similar discussion.

plasmatic-d, Welcome!
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

TomatoTomahto
Posts: 6979
Joined: Mon Apr 11, 2011 1:48 pm

Re: Password Managers

Post by TomatoTomahto » Sat Jun 17, 2017 5:03 pm

@ plasmatic-d, yes, welcome to the forum! Not only your first post, but you have the good sense to agree with me :sharebeer

need403bhelp
Posts: 440
Joined: Thu May 28, 2015 6:25 pm

Re: Password Managers

Post by need403bhelp » Sat Jun 17, 2017 7:13 pm

I really like the offline/standalone version of 1Password. Pay one time to buy it and use it forever (~$40). Can sync over Wifi or over Dropbox automatically between all devices.

With that said, they are no longer "marketing" this option - still available but you have to email support to be able to purchase a standalone license.

Thus, for a good friend or family member, I would go through the trouble of getting the standalone license (two points of failure if you are storing an encrypted file on Dropbox to sync seems preferable to me, at least in theory).

On the other hand, for others, I'd probably recommend the Lastpass option, as their basic product is now completely free. (I'm cheap frugal).

2015
Posts: 981
Joined: Mon Feb 10, 2014 2:32 pm

Re: Suggestions for password storage services?

Post by 2015 » Sun Jun 18, 2017 11:39 am

mhalley wrote: A key file can be any file you choose, but it should be one with lots of random data. From KeePass FAQ:


You don't even have to remember a long, complicated master passphrase. The database can also be locked using a key file. A key file is basically a master password in a file. Key files are typically stronger than master passwords, because the key can be a lot more complicated; however it's also harder to keep them secret.

A key file can be used instead of a password, or in addition to a password (and the Windows user account in KeePass 2.x).
A key file can be any file you choose; although you should choose one with lots of random data.
A key file must not be modified, this will stop you opening the database. If you want to use a different key file, you can change the master key and use a new/different key file.
Key files must be backed up or you won't be able to open the database after a hard disk crash/re-build. It's just the same as forgetting the master password. There is no backdoor.
I've opted not to use the Key File option, personally. Then again, my KeePass db isn't stored on the cloud.

AntsOnTheMarch
Posts: 356
Joined: Mon May 29, 2017 5:47 pm

Re: Password Managers

Post by AntsOnTheMarch » Sun Jun 18, 2017 3:24 pm

need403bhelp wrote:I really like the offline/standalone version of 1Password. Pay one time to buy it and use it forever (~$40). Can sync over Wifi or over Dropbox automatically between all devices.

With that said, they are no longer "marketing" this option - still available but you have to email support to be able to purchase a standalone license.

Thus, for a good friend or family member, I would go through the trouble of getting the standalone license (two points of failure if you are storing an encrypted file on Dropbox to sync seems preferable to me, at least in theory).

On the other hand, for others, I'd probably recommend the Lastpass option, as their basic product is now completely free. (I'm cheap frugal).
I am also cheap! I'm a 1Password fan and I didn't know you could still get the "pay one time" version. Do you know if it syncs over iCloud as well? I may consider it—although my current setup is free and acceptable to me (see below).

LastPass: I tried it because it's free. I followed the directions to export from 1Password and import into LastPass but the import failed. I'm pretty savvy with this stuff and did my due diligence and google searched for a while. Seems others also had problems and I decided a couple of hours investment for downloading, registration, searching and failed imports were enough sunk costs for me. I also came to the opinion that the LastPass interface was not much to my liking. So, deleted!

What I'm doing is completely free. I use 1Password on my iPhone and iPad (free). They sync over iCloud. IIRC, I read in a tech article a while back this was more secure than using Dropbox but this is way back when and I don't remember why or know if it's still the case. I would be comfortable with Dropbox if necessary but I'd do some research to verify first.

On my MacBook, I use keychain. It does not sync with 1Password but by remembering sites from the other devices I have almost all my important passwords fill in automatically. I've come to like keychain more and more lately but I still prefer a proper password manager like 1Password to have a repository of all information including notes for things like security questions—which I sometimes make up weird answers for—as part of my ICE instructions to DW. She has a sheet of instructions plus a secret location to locate the master passwords to devices, computer and master password for 1Password. This way I know that once she gets into one 1Password, she will have access to all logins.

IMO, a password manager and unique, secure passwords for all logins is security job 1. 2-factor authentication is job 2. People worry about getting their cloud passwords hacked but I'd be way more worried about phishing attacks and opening suspect files. I've been on the internet since CompuServe days and seen it all. I'm glad this experience informed me to set up unique logins for all sites since day 1. I think that I'd probably be too lazy to go back and redo hundreds of logins now.

need403bhelp
Posts: 440
Joined: Thu May 28, 2015 6:25 pm

Re: Password Managers

Post by need403bhelp » Sun Jun 18, 2017 3:47 pm

AntsOnTheMarch wrote:I am also cheap! I'm a 1Password fan and I didn't know you could still get the "pay one time" version. Do you know if it syncs over iCloud as well? I may consider it—although my current setup is free and acceptable to me (see below).
Looks like they do have an iCloud option.

I've never used the iCloud option, although I can't imagine there's a huge difference in security with Dropbox if you use the Google Authenticator-only 2FA option (this prevents people from using social engineering to transfer your phone number to their SIM for 2FA authentication, or nation-states from getting your texts via SS7 - in essence, they just tell your mobile network you are roaming in their country, and they get all of your texts and calls).

There is a long discussion on the standalone licenses at: https://discussions.agilebits.com/discu ... assword/p4

Basically, my understanding is that you just email them and they will be able to provide a standalone license. I haven't personally tried this and it seems they are discouraging it, so there may be a little back and forth.

AntsOnTheMarch
Posts: 356
Joined: Mon May 29, 2017 5:47 pm

Re: Password Managers

Post by AntsOnTheMarch » Sun Jun 18, 2017 5:01 pm

need403bhelp wrote:
AntsOnTheMarch wrote:I am also cheap! I'm a 1Password fan and I didn't know you could still get the "pay one time" version. Do you know if it syncs over iCloud as well? I may consider it—although my current setup is free and acceptable to me (see below).
Looks like they do have an iCloud option.

I've never used the iCloud option, although I can't imagine there's a huge difference in security with Dropbox if you use the Google Authenticator-only 2FA option (this prevents people from using social engineering to transfer your phone number to their SIM for 2FA authentication, or nation-states from getting your texts via SS7 - in essence, they just tell your mobile network you are roaming in their country, and they get all of your texts and calls).

There is a long discussion on the standalone licenses at: https://discussions.agilebits.com/discu ... assword/p4

Basically, my understanding is that you just email them and they will be able to provide a standalone license. I haven't personally tried this and it seems they are discouraging it, so there may be a little back and forth.
Thanks for the standalone license info.

I would not hesitate to sync with Dropbox. IIRC, it was around 2013-14 that I last researched this. It was something about accessing the cloud backup file via a standard web interface (not via the app). That small bit of difference made iCloud a bit safer. But that assumes that the hacker had the master password or could crack the encrypted file. Both unlikely. And I'm willing to bet it has all changed since then.

need403bhelp
Posts: 440
Joined: Thu May 28, 2015 6:25 pm

Re: Password Managers

Post by need403bhelp » Sun Jun 18, 2017 5:10 pm

AntsOnTheMarch wrote:
need403bhelp wrote:
AntsOnTheMarch wrote:I am also cheap! I'm a 1Password fan and I didn't know you could still get the "pay one time" version. Do you know if it syncs over iCloud as well? I may consider it—although my current setup is free and acceptable to me (see below).
Looks like they do have an iCloud option.

I've never used the iCloud option, although I can't imagine there's a huge difference in security with Dropbox if you use the Google Authenticator-only 2FA option (this prevents people from using social engineering to transfer your phone number to their SIM for 2FA authentication, or nation-states from getting your texts via SS7 - in essence, they just tell your mobile network you are roaming in their country, and they get all of your texts and calls).

There is a long discussion on the standalone licenses at: https://discussions.agilebits.com/discu ... assword/p4

Basically, my understanding is that you just email them and they will be able to provide a standalone license. I haven't personally tried this and it seems they are discouraging it, so there may be a little back and forth.
Thanks for the standalone license info.

I would not hesitate to sync with Dropbox. IIRC, it was around 2013-14 that I last researched this. It was something about accessing the cloud backup file via a standard web interface (not via the app). That small bit of difference made iCloud a bit safer. But that assumes that the hacker had the master password or could crack the encrypted file. Both unlikely. And I'm willing to bet it has all changed since then.
Thanks for the info. That does bring up the point that I have no idea about the underlying APIs (application programming interfaces) that 1Password uses to sync with Dropbox nor with iCloud, but I would imagine that both are transmitted in encrypted form.

The only thing I ever access over the Dropbox web interface (which goes over https per Chrome) is photos, and they are not of a nature where I would be super unhappy if those somehow got out.

zaplunken
Posts: 854
Joined: Tue Jul 01, 2008 9:07 am

Re: Password Managers

Post by zaplunken » Mon Jul 03, 2017 8:29 pm

KeePass use of a key file is nice but...

I used a picture and it also allows you to edit and change the bits in the file and it works but... I thought what if I deleted that image when looking at stuff I have in my Pictures Folder cleaning up old stuff? I'd never get into the base without that altered image so I decided to not use the key file.

KeePass also has a virtual keyboard vs the real keyboard you can use to enter your info to open the base but I opted to use a (I forget the term for it) "blocked" keyboard. It changes the entry window from white to black so you know you are in that hidden keyboard mode. This is to defeat keyloggers, they claim that is the purpose.

I use a long and complex master password. I often think I should make some changes and add some extra characters but I have used it for several years and I'm afraid any change may be forgotten so I'm reluctant to alter it. I never used anything but KP and I didn't find it so difficult to learn. A password safe is not meant to be easy or simple to use, I want some complexity and options, I want security vs convenience.

LadyGeek
Site Admin
Posts: 41674
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Password Managers

Post by LadyGeek » Mon Jul 03, 2017 9:01 pm

zaplunken wrote:...I used a picture and it also allows you to edit and change the bits in the file and it works but... I thought what if I deleted that image when looking at stuff I have in my Pictures Folder cleaning up old stuff? I'd never get into the base without that altered image so I decided to not use the key file.
Consider using a picture or program file that's distributed with your operating system. If anything happens to it, you've got a backup.

zaplunken
Posts: 854
Joined: Tue Jul 01, 2008 9:07 am

Re: Password Managers

Post by zaplunken » Mon Jul 03, 2017 9:10 pm

LadyGeek wrote:
zaplunken wrote:...I used a picture and it also allows you to edit and change the bits in the file and it works but... I thought what if I deleted that image when looking at stuff I have in my Pictures Folder cleaning up old stuff? I'd never get into the base without that altered image so I decided to not use the key file.
Consider using a picture or program file that's distributed with your operating system. If anything happens to it, you've got a backup.
Not if you "alter" the image! You edit the image or document (any file really) and move the cursor around and it scrambles the bits... you could never duplicate the change to the same unchanged image. It is a neat way to use something you have by adding an unseen change to it but forget that you altered it and you are SOL! If you could keep the key file in the base that would be good but since you need that key file to open the base not so good!
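
The key-file points quoted from the KeePass FAQ earlier in the thread (random data, never modified, always backed up) and the altered-image problem above can be checked mechanically. The following is an added example, not part of any post and not KeePass code: it creates a random key file, records its SHA-256 digest, and shows that a one-bit edit fails verification and yields a different key. `composite_key` is a simplified stand-in for a real key derivation, and the file names and passphrase are constructed.

```python
import hashlib
import hmac
import secrets
import shutil
import tempfile
from pathlib import Path

def file_digest(path: Path) -> bytes:
    """SHA-256 over the file's exact bytes; any edit changes the result."""
    return hashlib.sha256(path.read_bytes()).digest()

def create_key_file(path: Path, size: int = 256) -> bytes:
    """Write random bytes from the OS CSPRNG; return the digest to record offline."""
    with path.open("xb") as f:  # "x" refuses to overwrite an existing key file
        f.write(secrets.token_bytes(size))
    path.chmod(0o600)  # owner-only access (limited effect on Windows)
    return file_digest(path)

def composite_key(password: str, key_file: Path) -> bytes:
    """Simplified model (assumption): hash the password and key-file digest together."""
    pw = hashlib.sha256(password.encode("utf-8")).digest()
    return hashlib.sha256(pw + file_digest(key_file)).digest()

def backup_is_intact(recorded_digest: bytes, backup: Path) -> bool:
    """True only if the backup is byte-for-byte the file that was recorded."""
    return hmac.compare_digest(recorded_digest, file_digest(backup))

def demo() -> dict:
    """Create a key file, a faithful backup and a one-bit-edited copy; compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        key, backup, edited = d / "vault.key", d / "vault.key.bak", d / "vault.key.edited"
        recorded = create_key_file(key)
        shutil.copyfile(key, backup)
        data = bytearray(key.read_bytes())
        data[0] ^= 0x01  # flip a single bit, like an unnoticed edit to an image
        edited.write_bytes(bytes(data))
        pw = "constructed example passphrase"
        return {
            "backup_ok": backup_is_intact(recorded, backup),
            "edited_ok": backup_is_intact(recorded, edited),
            "same_key_from_backup": composite_key(pw, key) == composite_key(pw, backup),
            "same_key_from_edited": composite_key(pw, key) == composite_key(pw, edited),
        }

if __name__ == "__main__":
    print(demo())
```

Recording the digest when the key file is created gives a way to confirm later that a backup copy is still the exact file the database was locked with.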
