Password vault or generator?

[palanzo]

You are correct that a password manager that is designed to use only a local device is not vulnerable to attack via the internet, but it's still vulnerable to revealing all the passwords it contains to someone having the required credentials and the physical device. I didn't think of the case of not storing passwords on a password manager's servers because that doesn't seem useful to me, but it's fine if other people choose to do that.

It's kind of a tautology that someone with a master password and a hardware key, if used, can decrypt everything stored in the manager's vault. That's the point. But if a hacker does not have those things, the passwords are just gibberish and therefore useless to a thief.

Using a password manager is the single best way for the average user to protect the financial and other accounts s/he has on line. It is not possible for a hacker to break into an online vault and steal passwords from any of the major vendors. It would likewise be impossible for a hacker to break into the vault if stolen from a computer as long as the user keeps the Master Password a secret. It is irresponsible to tell people otherwise to discourage use of a tool that will help keep them safe.

Maybe you missed the part where I said I do use a password manager that does store copies of its password vault on its network servers. All of my important logins and passwords are stored there. But the fact is that by justing giving my one master password (or two-factor capability, if I enable that) to another person, that other person can access all my logins and passwords. I felt the original reply was misleading in that it suggested there was not a single point of failure (or possibly two if you optionally enable two-factor.) There is.

It would be foolish indeed to give your master passphrase to another person. Unless that person is a trusted spouse or partner, and the accounts are joint.

There is another point of failure. If you use the master passphrase "password" then you can be sure you will be hacked.

[lazydavid]

It would be foolish indeed to give your master passphrase to another person. Unless that person is a trusted spouse or partner, and the accounts are joint.

This is why some password managers allow individual passwords to be "shared". So you can share certain passwords with another person, without sharing your entire vault.

[palanzo]

It would be foolish indeed to give your master passphrase to another person. Unless that person is a trusted spouse or partner, and the accounts are joint.

This is why some password managers allow individual passwords to be "shared". So you can share certain passwords with another person, without sharing your entire vault.

I am aware of that. 1Password for example. I was replying to tibbitts who suggested that was a vulnerability.

[tibbitts]

You are correct that a password manager that is designed to use only a local device is not vulnerable to attack via the internet, but it's still vulnerable to revealing all the passwords it contains to someone having the required credentials and the physical device. I didn't think of the case of not storing passwords on a password manager's servers because that doesn't seem useful to me, but it's fine if other people choose to do that.

It's kind of a tautology that someone with a master password and a hardware key, if used, can decrypt everything stored in the manager's vault. That's the point. But if a hacker does not have those things, the passwords are just gibberish and therefore useless to a thief.

Using a password manager is the single best way for the average user to protect the financial and other accounts s/he has on line. It is not possible for a hacker to break into an online vault and steal passwords from any of the major vendors. It would likewise be impossible for a hacker to break into the vault if stolen from a computer as long as the user keeps the Master Password a secret. It is irresponsible to tell people otherwise to discourage use of a tool that will help keep them safe.

+1

tibbitts keeps on repeating that the bad guys can "bust in" to the online vault. He is incorrect and it is irresponsible to keep saying this.

Everybody - apparently outside of those responding to this thread - would interprept "bust in" in this context as gaining unauthorized access to every one of your logins and passwords. And that is possible, exactly as I described. There is a single (or two) point(s) of failure. I don't think that's necessarily a practical problem, which is why, as apparently nobody is paying any attention to, I use a password manager myself and recommend it as the best solution to the problem of storing and accessing passwords. But when I do recommend a password manager to anyone, they always ask "so now I have this one login and password and if somebody has that information they can access all my other logins and passwords?" To them that's what "bust in" refers to - not to some incredibly sophisticated server attack, or to defeating encryption algorithms, etc.

And please don't credit me with being the first to use "bust in" in this thread.

[notBobToo]

Not to hijack this thread, but in the several "password vault / generator" threads that I've read here I do not see a lot of discussion about Keychain. I am not very sophisticated in this area, and I wonder if I am exposed by (only?) using Keychain on my iOS devices (Mac mini 2018 and iPhone 10s)? Do I need some other password manager in place of or addition to Keychain? I've been happily using the strong and seamless (to me) capabilities across both devices at home and on the road for the past 18 months or so. That includes lots of online banking and Fidelity accounts (with 2FA) and other accounts. Am I kidding myself? Is this hopeless?

[bagle]

I´m no password expert, but it did install Lastpass last year and was very happy for a while that it seemed to work so well.

However, one day I logged in with my master password in order to access Vanguard and my nightmare came true. I was able to enter the Lastpass vault with that master key, but couldn´t log in to my Vanguard account. Fortunately, I had printed the entire sequence and was so able to enter. I´ve been wary since. Any clues as to what I might have done differently?

[ScubaHogg]

I don't understand how such things can be secure. Can't someone bust into one website and get all your passwords?

I favor leaving the passwords on scraps of paper in the bolted to the floor safe, very heavy.

I have literally hundreds of website logins. How can you possibly manage that with a floor safe?

I’d also wager my randomly generated 20 character passwords are more secure than the average p/w a person makes up.

[mnsportsgeek]

Another vote for 1Password here

[McDougal]

If one uses LastPass or another PW manager, and has unique, very long, complicated passwords for >200 sites, is it necessary to change the passwords ever, and if so, at what frequency?

[lazydavid]

If one uses LastPass or another PW manager, and has unique, very long, complicated passwords for >200 sites, is it necessary to change the passwords ever, and if so, at what frequency?

You must change them every time they are compromised, or you suspect they have been. So if tomorrow bogleheads has a breach and the user database is stolen, you should immediately change your bogleheads password. Other than that, no need.

Of course some sites will cling to the hopelessly outdated practice of regular password rotation, so you will be forced to change those every 90 days or whatever.

[McDougal]

If one uses LastPass or another PW manager, and has unique, very long, complicated passwords for >200 sites, is it necessary to change the passwords ever, and if so, at what frequency?

You must change them every time they are compromised, or you suspect they have been. So if tomorrow bogleheads has a breach and the user database is stolen, you should immediately change your bogleheads password. Other than that, no need.

Of course some sites will cling to the hopelessly outdated practice of regular password rotation, so you will be forced to change those every 90 days or whatever.

Your opinion aligns with my thoughts as well. Thanks

[midareff]

I use LastPass.... different long strong passwords for all financial sites.

[billthecat]

Not to hijack this thread, but in the several "password vault / generator" threads that I've read here I do not see a lot of discussion about Keychain. I am not very sophisticated in this area, and I wonder if I am exposed by (only?) using Keychain on my iOS devices (Mac mini 2018 and iPhone 10s)? Do I need some other password manager in place of or addition to Keychain? I've been happily using the strong and seamless (to me) capabilities across both devices at home and on the road for the past 18 months or so. That includes lots of online banking and Fidelity accounts (with 2FA) and other accounts. Am I kidding myself? Is this hopeless?

Keychain is great - it's integrated, it's free, and it's secure, and syncs across devices. However, passwords are normally stored in your "iCloud" keychain (or "login" if you don't have icloud syncing), so locally (on your Mac, for example) it's dependent on having a good login password (same for your iPhone). You have a good login password and FileVault turned on, right?

On your Mac, you can browse your keychain using Keychain Access. Web passwords and credit cards are also accessible from within Safari preferences (which will also warn you about using the same password across multiple sites). You can also store notes securely within keychain. So you could store, for example, security questions/answers there.

On an iOS device, you browse it from within Settings. But keychain notes are not synced to iOS devices.

What you miss out on are a few extra features offered by (some) third party password managers, such as:

• more of a database structure, so you can store things like security questions/answers, images, etc. within single records. You're not using real answers to security questions, are you? Answers should be just like passwords - unique for each site.
• storing other things like driver's licenses, passports, reward program info, bank account info, memberships, email accounts, etc., etc.
• a VPN service
• grouping of passwords (e.g., making a group just for brokerages/banks, shopping, etc.), including "smart" groups (items meeting certain criteria)
• warnings about password quality
• sharing certain passwords with certain people
• sharing passwords upon death
• ...and more

If none of that interests you, then Keychain is fine. I haven't upgraded 1Password since they switched to a subscription model, and the Safari plug-in no longer works, so I use both Keychain (for Safari) and 1Password (for all the other features).

[CardinalRule]

I was initially reluctant to go with a subscription model, but I really love how 1Password works for our family, across different devices. Very happy with the product, which I have used in one form or another, for at least a decade.

[gtg970g]

If one uses LastPass or another PW manager, and has unique, very long, complicated passwords for >200 sites, is it necessary to change the passwords ever, and if so, at what frequency?

It's only necessary to change a password when a site requires it. Research shows that changing passwords on a regular basis does not reduce security risk. Lastpass has a function that will run through your stored sites and notify you if one of them has had a security breach so you can change the password on that specific site.

[gtg970g]

What happens if you forget your master password (I know, I know, but I'm getting older and older ......).

I store my master password with my will and those who need to know know where to find it. My wife of course knows how to access and use LastPass but this would be more of an issue should we pass together.

[notBobToo]

Not to hijack this thread, but in the several "password vault / generator" threads that I've read here I do not see a lot of discussion about Keychain. I am not very sophisticated in this area, and I wonder if I am exposed by (only?) using Keychain on my iOS devices (Mac mini 2018 and iPhone 10s)? Do I need some other password manager in place of or addition to Keychain? I've been happily using the strong and seamless (to me) capabilities across both devices at home and on the road for the past 18 months or so. That includes lots of online banking and Fidelity accounts (with 2FA) and other accounts. Am I kidding myself? Is this hopeless?

Keychain is great - it's integrated, it's free, and it's secure, and syncs across devices. However, passwords are normally stored in your "iCloud" keychain (or "login" if you don't have icloud syncing), so locally (on your Mac, for example) it's dependent on having a good login password (same for your iPhone). You have a good login password and FileVault turned on, right?

On your Mac, you can browse your keychain using Keychain Access. Web passwords and credit cards are also accessible from within Safari preferences (which will also warn you about using the same password across multiple sites). You can also store notes securely within keychain. So you could store, for example, security questions/answers there.

On an iOS device, you browse it from within Settings. But keychain notes are not synced to iOS devices.

What you miss out on are a few extra features offered by (some) third party password managers, such as:

• more of a database structure, so you can store things like security questions/answers, images, etc. within single records. You're not using real answers to security questions, are you? Answers should be just like passwords - unique for each site.
• storing other things like driver's licenses, passports, reward program info, bank account info, memberships, email accounts, etc., etc.
• a VPN service
• grouping of passwords (e.g., making a group just for brokerages/banks, shopping, etc.), including "smart" groups (items meeting certain criteria)
• warnings about password quality
• sharing certain passwords with certain people
• sharing passwords upon death
• ...and more

If none of that interests you, then Keychain is fine. I haven't upgraded 1Password since they switched to a subscription model, and the Safari plug-in no longer works, so I use both Keychain (for Safari) and 1Password (for all the other features).

Thank you for a detailed response. Sounds like I am ok: I have a good login password and FileVault is turned on. I store security questions/answers in a secure Numbers file (not passwd, just site info). I use ProtonVPN when away from home.

The sharing stuff sounds interesting, but have already shared the two or three critical passwords and security info with DW on her iPhone.

[Generator515]

Wondering if anyone here with 1Password also used Android? Considering switching and know 1Password was originally iOs developed so trying to see how well it has been working with Android.

[BeneIRA]

Wondering if anyone here with 1Password also used Android? Considering switching and know 1Password was originally iOs developed so trying to see how well it has been working with Android.

My wife has all Android. Phone and Chromebook. Admittedly, it isn't as smooth to do everything as MacOS and iOS, but it's still pretty good. One thing to note is if you log into a Chromebook, you are really logging onto your Google account, so you do need to know the password to that Google account in order to get access to the laptop itself, which would have 1Password on it. Works well on an Android phone.

[Gadget]

Wondering if anyone here with 1Password also used Android? Considering switching and know 1Password was originally iOs developed so trying to see how well it has been working with Android.

It works great on Android. I think it's the best even on Android, but it's at least among the top choices.

If you read reviews, some say it is designed for Mac and doesn't work as well on Android as other options. Those reviews are outdated. That was the case quite a while ago though.

[Vulcan]

Surprised no one mentioned Chrome's built-in password manager. It works across all devices without additional installs or configuration so long as you use Chrome browser.

I much prefer the simplicity and portability it offers to any third-party alternatives that may not even be free. And I trust Google over any other company to keep my data safe.

I am a computer network/security professional.

If it's good enough for me, is good enough for 99.9% of other people.

[Gadget]

Surprised no one mentioned Chrome's built-in password manager. It works across all devices without additional installs or configuration so long as you use Chrome browser.

I much prefer the simplicity and portability it offers to any third-party alternatives that may not even be free. And I trust Google over any other company to keep my data safe.

I am a computer network/security professional.

If it's good enough for me, is good enough for 99.9% of other people.

This is probably true for a lot of people. Google's built in password manager is much better than not using one. It doesn't make it as easy to store other stuff like random security question answers, or built in TOTP answers. My main issue with it is that I can't easily share passwords with my spouse/family unless they're logged into my Google account. It also just doesn't seem to work on as many different sites as a 3rd party manager because Google doesn't seem to really care about it as a product yet.

I imagine some day Apple and Google will decide to improve their built in password managers and make all the competition obsolete. I just don't think they're there yet on equivalent features. But for the average single person user, it's probably good enough.

[Vulcan]

Surprised no one mentioned Chrome's built-in password manager. It works across all devices without additional installs or configuration so long as you use Chrome browser.

I much prefer the simplicity and portability it offers to any third-party alternatives that may not even be free. And I trust Google over any other company to keep my data safe.

I am a computer network/security professional.

If it's good enough for me, is good enough for 99.9% of other people.

This is probably true for a lot of people. Google's built in password manager is much better than not using one. It doesn't make it as easy to store other stuff like random security question answers, or built in TOTP answers. My main issue with it is that I can't easily share passwords with my spouse/family unless they're logged into my Google account. It also just doesn't seem to work on as many different sites as a 3rd party manager because Google doesn't seem to really care about it as a product yet.

I imagine some day Apple and Google will decide to improve their built in password managers and make all the competition obsolete. I just don't think they're there yet on equivalent features. But for the average single person user, it's probably good enough.

I haven't run into any issues with website interoperability. I do not recall when I last had to enter any passwords (other than my Google one).

The extra features you mention are nice, but when I weight them against entrusting such crucial data to another entity, and paying for the privilege, my answer is a resounding 'meh'.

As it is, my Google account is already the key to my kingdom, so storing my passwords with them does not increase my attack surface.

In fairness, I do use KeePass (an offline password manager) to store and share (via Dropbox) the passwords and secret answers.

[BeneIRA]

Surprised no one mentioned Chrome's built-in password manager. It works across all devices without additional installs or configuration so long as you use Chrome browser.

I much prefer the simplicity and portability it offers to any third-party alternatives that may not even be free. And I trust Google over any other company to keep my data safe.

I am a computer network/security professional.

If it's good enough for me, is good enough for 99.9% of other people.

This is probably true for a lot of people. Google's built in password manager is much better than not using one. It doesn't make it as easy to store other stuff like random security question answers, or built in TOTP answers. My main issue with it is that I can't easily share passwords with my spouse/family unless they're logged into my Google account. It also just doesn't seem to work on as many different sites as a 3rd party manager because Google doesn't seem to really care about it as a product yet.

I imagine some day Apple and Google will decide to improve their built in password managers and make all the competition obsolete. I just don't think they're there yet on equivalent features. But for the average single person user, it's probably good enough.

There are already rumors Apple is planning on doing this in iOS 14. There are quite a few stories over the years of successful companies that had a feature that the major phone operators begin using and the company is obsolete. I expect password managers will have their day.

[Laker1]

I was working on a clients car one day and he called me to get his VIN number...I said sure...he laughed and said it was the password for account online at one of these vaults and he couldnt remember it...said I never write it down...if I forget I walk out and look on the dash...I said..well suppose you sell the car...he said..well it has 409,000 miles on it for a reason..cant sell it , need the numbers...seems like a good plan.

[Vanguard Fan 1367]

I appreciate those of you saying that if I wanted to try a free password manager that Bitwarden worked ok. I really enjoy having Bitwarden help me with passwords.

People that don't invest time learning on Bogleheads miss out on a lot. Thanks Bogleheads for your time and expertise helping me with many issues.

[EddyB]

Apologies if it’s been discussed, but I’d appreciate some knowledgeable thoughts on subscription models vs. one-time licenses among these offerings, and migrating from one of these products to another.

I have used one of the major password managers for a long time, under a one-time family license, but it later shifted to a subscription model and the standalone product under the license is becoming increasingly obsolete. The pricing and my use case have always made the one-time license model preferable, so I would consider switching to another product that offered that, but is this just another case where that’s going to disappear in the industry as a whole?

[wfrobinette]

I sat down the other day to try and tidy some things up passwords wise...good lord I have about 50 different things I log into with it seems about 75 passwords....anyone have a better plan? Thanks in advance!!

I use keeper. I too hard the struggle to change but man is it so nice not having to remember passwords.

[wfrobinette]

Apologies if it’s been discussed, but I’d appreciate some knowledgeable thoughts on subscription models vs. one-time licenses among these offerings, and migrating from one of these products to another.

I have used one of the major password managers for a long time, under a one-time family license, but it later shifted to a subscription model and the standalone product under the license is becoming increasingly obsolete. The pricing and my use case have always made the one-time license model preferable, so I would consider switching to another product that offered that, but is this just another case where that’s going to disappear in the industry as a whole?

Every piece of software is migrating toward the subscription model.

[gtd98765]

I believe it is worth paying a reasonable annual fee for a password manager, considering how much the secrets it protects for me are worth. Maintaining decent software requires good engineers who do not come cheap.

[Sandtrap]

1Password is great.

https://1password.com/

+1
This one has worked out well for me over the years.

j

[MythicalSeth]

I am mostly an apple guy so I just use the built in password vault/generator. It automatically syncs to all my devices and saves to the cloud as backup. I’ve also used the built in Chrome system as well back when I mostly used Chrome/Android. They are both obviously free and work very well. They are also better than nothing. -MS

[benway]

I sat down the other day to try and tidy some things up passwords wise...good lord I have about 50 different things I log into with it seems about 75 passwords....anyone have a better plan? Thanks in advance!!

I’ve been a Keepass user for years but I recently tried 1Password, Lastpass, and Bitwarden due to wanting a better mobile solution. I ended up settling on Bitwarden.

Also, Bitwarden did make Consumer Reports recommended list (1Password and Keeper did as well) and is Wirecutter’s choice for best free password manager. It’s free but for $10 per year you get some additional features that may or may not be necessary.

[Gadget]

I sat down the other day to try and tidy some things up passwords wise...good lord I have about 50 different things I log into with it seems about 75 passwords....anyone have a better plan? Thanks in advance!!

I’ve been a Keepass user for years but I recently tried 1Password, Lastpass, and Bitwarden due to wanting a better mobile solution. I ended up settling on Bitwarden.

Also, Bitwarden did make Consumer Reports recommended list (1Password and Keeper did as well) and is Wirecutter’s choice for best free password manager. It’s free but for $10 per year you get some additional features that may or may not be necessary.

I did the same test recently. I agree Bitwarden is the best for a single user when you factor in it's $0 cost. I liked its interface and UI almost as much as 1password with negligible differences. Where Bitwarden failed for me was having shared vaults/folders/passwords with a spouse. It was confusing for me to setup on Bitwarden, which made it a hard pass for the spouse. 1password made sharing password vaults with a spouse simple, which is why I went with it over Bitwarden even though it costs money.

[softwaregeek]

I have been using LastPass for several years. What confounds me is that while it works fine on web sites, I cannot get it to work on apps. For example, I use TuneIn on my browser and as an app. I cannot get LP to pop up the window on the app.

Anyone else have that problem?

I don't use that particular TuneIn app. But does Lastpass not work for you on ANY app, or just that one?

Lastpass always worked fine for me on Android apps, but some were better than others. The app has to allow it and code it properly for both Android and iOS. For instance, PayPal in their infinite wisdom basically bans password managers from being used on Android (not sure about iOS). No password manager I've used has ever worked with PayPal on Android. I always have to manually open the password manager, manually copy the password, and manually paste it. Because PayPal is stupid. And their are lots of stupid/lazy app devs.

But if you can't get Lastpass to autofill any app, then I think you're doing something wrong. You might want to rerun the autofill and/or accessibility instruction settings for Lastpass on your Android/iOS device.

Do you have the paid version? This is reserved for paid tier.

[Gadget]

I have been using LastPass for several years. What confounds me is that while it works fine on web sites, I cannot get it to work on apps. For example, I use TuneIn on my browser and as an app. I cannot get LP to pop up the window on the app.

Anyone else have that problem?

I don't use that particular TuneIn app. But does Lastpass not work for you on ANY app, or just that one?

Lastpass always worked fine for me on Android apps, but some were better than others. The app has to allow it and code it properly for both Android and iOS. For instance, PayPal in their infinite wisdom basically bans password managers from being used on Android (not sure about iOS). No password manager I've used has ever worked with PayPal on Android. I always have to manually open the password manager, manually copy the password, and manually paste it. Because PayPal is stupid. And their are lots of stupid/lazy app devs.

But if you can't get Lastpass to autofill any app, then I think you're doing something wrong. You might want to rerun the autofill and/or accessibility instruction settings for Lastpass on your Android/iOS device.

Do you have the paid version? This is reserved for paid tier.

I did used to have the premium version of Lastpass, the family tier, but I am pretty sure Android/iOS phone app autofill support is included in the free tier. The premium upgrade is for Windows and Mac desktop applications. I never used those.

But I could be reading the Lastpass info wrong. I never used the free version of Lastpass.

https://support.logmeininc.com/lastpass ... s-lp010085

[557880yvi]

Keypass, free, fantastic

[mptfan]

So I recently decided to start using a separate password manager other than the password manager built into Chrome which I have been using for a while. I did a lot of research and read and watched a number of reviews, and I tried several password managers using their free version or their free 30 day trials, including Lastpass, Dashlane, Bitwarden, 1Password and Keeper. The features that are most important to me are ... a well designed and intuitive UI, the ability to use two factor authentication using physical U2F security keys and not being limited to only using a specific model of security key made by Yubikey (yes I'm looking at you Lastpass), the ability to easily share passwords with my SO, and having access to all of the account features using only Chrome OS without the need to use a Windows or Mac app to access all of the features (yes I'm looking at you Dashlane). I chose Keeper. There was a bit of an initial learning curve, and it does take time to transfer all of your login credentials, but now that I understand how to use it I am very happy with it and I am getting to the point where I am wondering how I got along without it for so long!

[1210sda]

Any experience with Norton's Password Manager or Password Generator??

[CycloRista]

Myki is a free offline password manager that works on Android, IOS, Linux, macOS and Windows. It has the capability to sync between personal devices securely in your home/on your local network rather than in "the cloud".

[HawkeyePierce]

Any experience with Norton's Password Manager or Password Generator??

I would never use any product from Norton.

[fourwheelcycle]

I used to have a password-protected Excel spreadsheet that I opened each time I needed to use a password. About six years ago I switched to 1Password.

I use 1Password's licensed version for Mac, so all of my passwords only exist in my own computers; none of them are in 1Password's servers. I think this is overkill, since 1Password assures it users their password vaults cannot be decrypted even if someone breaks into 1Password's servers. The 1Password vault on my own computers is encrypted as thoroughly as 1Password's cloud vaults, so my weakest point of entry, even if someone steals one of my computers, is the strength of my 1Password master password. It is a ten character password, made up of six upper and lower case letters and four digits. I use Apple's FileVault, so if someone stole one of my computers they would have to guess my user password and my 1Password master password.

My wife has always kept her passwords on index cards in a drawer near her computer. Since her passwords include her logins for our shared BoA and Vangaurd accounts, I finally convinced her to use 1Password. I set her up with her own vault and her own master password, which we constructed so she can remember it. Now I just have to make sure she does not write her master password on an index card.

As others have noted, I do worry that someday I will log into my Vanguard or BoA account and it will say I have entered an incorrect password. That would mean 1Password somehow created a new password for one of these accounts, maybe due to an errant keystroke by me, and the "new" password did not get saved in my vault. Fortunately, this has never happened. If it did happen it would not be the end of the world, since I would only be locked-out until I could convince Vanguard or BoA that I am the real me and I need to reset my password.

[Dave55]

Years ago I used the mSecure vault, then I switched to 1Password which works like a charm.

Dave

[Living Free]

The conclusion that I have come to is that you have 3 options to manage your passwords, which I'll list in order of preference:

1. Use a password manager. Some effort up-front to set up, but once it's there your life will be better.
2. Write down everything on a sheet of paper and store it somewhere, hopefully no bad guys find it ever and you also need to retrieve said piece of paper every time you wish to log on to things.
3. Use weak and re-used passwords (obviously this is a horrible idea)

[tvubpwcisla]

KeyPass works great and is very simple to use.

https://keepass.info/

[Elric]

Compromising the scrap of paper under my keyboard will get you 1 account. Personally my scrap of paper is only a password hint not the actual password. So you only get a clue to use in your guessing.

How big is your scrap of paper that you can keep hints to all of your distinct, non-patterned passwords?

Mine would be a multiple pages, not hint possible for many, and still a real pain to type on multiple passwords per day. Especially when on my phone or laptop away from my main computer.

[Elric]

As others have noted, I do worry that someday I will log into my Vanguard or BoA account and it will say I have entered an incorrect password. That would mean 1Password somehow created a new password for one of these accounts, maybe due to an errant keystroke by me, and the "new" password did not get saved in my vault. Fortunately, this has never happened. If it did happen it would not be the end of the world, since I would only be locked-out until I could convince Vanguard or BoA that I am the real me and I need to reset my password.

I've actually had this happen a few times over the years, usually with sites that have a couple of ways in or where there can be different passwords for different functions (SFTP, ssh, control panel, and email passwords when managing a website, for example). As you say, it's no big deal. A bit more for financial sites, but since it's a rate occurrence, not much of a hassle.

[1210sda]

Any experience with Norton's Password Manager or Password Generator??

I would never use any product from Norton.

Hawkeye (and anyone else),

What is the issue with Norton? Is it the virus protection, or the password protection and generation stuff?
Any other issues.

I've been using them for a while, but if they're not good, I probably should switch.

[Gadget]

Myki is a free offline password manager that works on Android, IOS, Linux, macOS and Windows. It has the capability to sync between personal devices securely in your home/on your local network rather than in "the cloud".

I don't think this should be a bogleheads recommendation. Maybe it's fine, but it seems far too risky to me.

As one of the minor, lesser known password managers, you're placing a lot of faith in the unknown. For an interface that doesn't even seem as convenient to me. For example, their syncing between devices uses a proprietary method that you just have to trust is fully encrypted. There is no evidence of any 3rd party audit. It's closed source so no one could verify their proprietary methods. It requires you to give them your phone number, and at least one security review website couldn't figure out a good reason why. The company also admits it collects your metadata. An unknown tiny company collecting my metadata when there are tons of other password managers I could choose? What else is it collecting to tie to my phone number? Hard pass.

If you are dead set on not having your passwords saved/synced in the cloud, use a self hosting Bitwarden or 1Password setup. Not Myki.

It reminds me of a conversation with a coworker. For years, I've bugged him to setup and use a password manager. He's had accounts hacked twice for using weak repeated passwords. I gave him the usual recommendations (Lastpass, Bitwarden, 1Password, Dashlane, Keepass, etc.). Instead, he finally tells me he setup one called SafeInCloud. He really liked the interface and the cheap one time price. So I did some digging, and find out that SafeInCloud is a proprietary closed source password manager developed by a Russian national. Sound safe? I didn't think so. The only security review of SafeInCloud I could find basically stated that they couldn't verify the companies' claim that it encrypted password vaults. But if they didn't, it was extra bad because the connection to their server used poor SSL security where the keys could easily be stolen by a man in the middle. It almost sounds like a social experiment by some random developer to see how many people he can get to sign up for his app by blindly trusting an unknown program on the internet. Or worse.

[CycloRista]

Myki is a free offline password manager that works on Android, IOS, Linux, macOS and Windows. It has the capability to sync between personal devices securely in your home/on your local network rather than in "the cloud".

I don't think this should be a bogleheads recommendation. Maybe it's fine, but it seems far too risky to me.

As one of the minor, lesser known password managers, you're placing a lot of faith in the unknown. For an interface that doesn't even seem as convenient to me. For example, their syncing between devices uses a proprietary method that you just have to trust is fully encrypted. There is no evidence of any 3rd party audit. It's closed source so no one could verify their proprietary methods. It requires you to give them your phone number, and at least one security review website couldn't figure out a good reason why. The company also admits it collects your metadata. An unknown tiny company collecting my metadata when there are tons of other password managers I could choose? What else is it collecting to tie to my phone number? Hard pass.

If you are dead set on not having your passwords saved/synced in the cloud, use a self hosting Bitwarden or 1Password setup. Not Myki.

It reminds me of a conversation with a coworker. For years, I've bugged him to setup and use a password manager. He's had accounts hacked twice for using weak repeated passwords. I gave him the usual recommendations (Lastpass, Bitwarden, 1Password, Dashlane, Keepass, etc.). Instead, he finally tells me he setup one called SafeInCloud. He really liked the interface and the cheap one time price. So I did some digging, and find out that SafeInCloud is a proprietary closed source password manager developed by a Russian national. Sound safe? I didn't think so. The only security review of SafeInCloud I could find basically stated that they couldn't verify the companies' claim that it encrypted password vaults. But if they didn't, it was extra bad because the connection to their server used poor SSL security where the keys could easily be stolen by a man in the middle. It almost sounds like a social experiment by some random developer to see how many people he can get to sign up for his app by blindly trusting an unknown program on the internet. Or worse.

That's fine- I can keep more of the non-mainstream sorts of recommends out of the mix if needed.

Not that big of a risk in my opinion... they all have plusses and minuses. For personal use this one ticks the boxes for me. My only hesitation in recommending it was that support had been spotty in the past. Nowadays it is quite good from the few times I've contacted them- most recently when I switched mobile providers and SIM cards; needed to resync my phone pwd db after the change.

I've used a number of the commercial products at work and choose to use Myki at home to keep it all separate. I also have an enterprise firewall platform running at home, two Pi-holes (one internal and one DMZ) to clobber advertising garbage and known/blacklisted nefarious traffic and a whole host of local tools running to ferret out "interesting" connection attempts. Haven't come across anything alarming from Myki or other egress traffic from my home.