Password manager?

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Post by ClaireTN » Sat Nov 19, 2011 9:42 pm

Hello Bogleheads,

My apologies if this topic has been covered. A search yielded no good results. I've got way too many usernames and passwords to remember and my system (ahem...record them in a password protected Word document) is neither secure nor convenient.

I'm looking for a secure password manager that will sync across platforms. I'm using Mac OS X at home, an iPad, and an android phone. Any recommendations?

Thanks,
ClaireTN

Bylo Selhi
Posts: 1119
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: Password manager?

Post by Bylo Selhi » Sat Nov 19, 2011 9:48 pm

Lastpass is the gold standard for this. Free for all PC platforms but you have to pay $1/month for a premium account that will support all your smartphones and tablets.

fljones3
Posts: 23
Joined: Mon Sep 19, 2011 7:20 pm

Re: Password manager?

Post by fljones3 » Sat Nov 19, 2011 10:06 pm

1password is your answer. They have a mac and windows version. Free trial at their website.

Frank

investor.saver1
Posts: 263
Joined: Sun Jan 02, 2011 9:43 pm

Re: Password manager?

Post by investor.saver1 » Sat Nov 19, 2011 10:11 pm

Take a look at RoboForm. It's the one I use. It's pretty slick and easy to sync.
Investor.Saver1 | | Experience is something you don't get until just after you need it.

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Re: Password manager?

Post by ClaireTN » Sat Nov 19, 2011 10:23 pm

Thank you. These all look very good. I noticed that 1Password will also store other kinds of secure information like credit card and insurance numbers, but I couldn't tell if that was true of Roboform and Lastpass. Do they also store that kind of information?

For others asking the same question, here's what I've learned about cost:
Roboform everywhere: $20 a year
Lastpass premium: $12 a year
1Password for Mac: $39 educator license; Free android app; $15 iPad app (**edit: sale price until 11/30/11: $20 educator license, $25 individual, $35 family)

Again, thank you.
Last edited by ClaireTN on Fri Nov 25, 2011 9:45 pm, edited 1 time in total.

bertilak
Posts: 6997
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Password manager?

Post by bertilak » Sun Nov 20, 2011 6:22 am

I use KeePass. It's free and it does what I need:
  • Holds all my IDs/Passwords
  • Can group them into categories
  • Stores a URL and notes for each
  • Can copy ID/Password/URL to clipboard easily
  • Can double-click to send browser straight to URL
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet

NAVigator
Posts: 2457
Joined: Tue Feb 27, 2007 7:24 am
Location: Iowa

Re: Password manager?

Post by NAVigator » Sun Nov 20, 2011 7:19 am

I also use KeePass and I am very pleased with it. It is Open Source, so the source code for it is available for developers. It has been ported to Mac OS X, PortableApps, Linux, etc. I like being able to create categories to group the passwords such as: investing, credit cards, banking, shopping, hobbies, etc. The answers to the security questions used by some sites can be put in the notes associated with each password. All of the data is stored in an encrypted file. It can be put on a USB flash drive so you can run it on computers without installing it. This is one program I depend on.

Jerry
"I was born with nothing and I have most of it left."

Sidney
Posts: 6736
Joined: Thu Mar 08, 2007 6:06 pm

Re: Password manager?

Post by Sidney » Sun Nov 20, 2011 8:52 am

I use Keepass as well. I like the portability.
I always wanted to be a procrastinator.

BigFoot48
Posts: 2753
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: Password manager?

Post by BigFoot48 » Sun Nov 20, 2011 8:58 am

KeePass with the encrypted data file in my Dropbox folder and available wherever I find myself. Note to self: delete the image of the Treasury Direct code card stored in it.
Last edited by BigFoot48 on Sun Nov 20, 2011 9:03 am, edited 1 time in total.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 14-time loser

Aptenodytes
Posts: 3762
Joined: Tue Feb 08, 2011 8:39 pm

Re: Password manager?

Post by Aptenodytes » Sun Nov 20, 2011 9:00 am

I can't say I've compared them all, but I chose LastPass a few years ago and have been extremely happy with it. My only complaint is that I find the way it handles changes to passwords awkward and confusing.

TheGreyingDuke
Posts: 1656
Joined: Fri Sep 02, 2011 10:34 am

Re: Password manager?

Post by TheGreyingDuke » Sun Nov 20, 2011 9:19 am

I too have been using LastPass but lately it has been a bit quirky, sometimes it fails to open when I get to a site that requires a password. I need to do a little more surveying, based on the information in this thread, thanks to everyone
"Every time I see an adult on a bicycle, I no longer despair for the future of the human race." H.G. Wells

Bylo Selhi
Posts: 1119
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: Password manager?

Post by Bylo Selhi » Sun Nov 20, 2011 9:48 am

ClaireTN wrote:also store other kinds of secure information like credit card and insurance numbers, but I couldn't tell if that was true of Roboform and Lastpass. Do they also store that kind of information?
LastPass does indeed. You can store that sort of info in Secure Notes or as a Form, e.g. with the name, shipping address and credit card info that you use to shop online.

When I looked at LastPass vs Keepass a couple of years ago, the main advantage of the former was that it stores your data (in encrypted form, of course) in the cloud, whereas the latter requires you to carry it around on, say a USB key. I'm intrigued by BigFoot48's suggestion to store Keepass data in DropBox.

BTW here's a nice comparison of LastPass, Keepass, 1Password and Keeper. Also the "possible security breach" referred-to wasn't an actual breach. LastPass made the responsible decision to announce this and require everyone to change their master passwords, just in case. If this is still a concern then the same concern applies to storing Keepass data in DropBox or similar cloud databases.

Sam I Am
Posts: 2062
Joined: Tue Feb 20, 2007 7:58 pm

Re: Password manager?

Post by Sam I Am » Sun Nov 20, 2011 9:59 am

I have used RoboForm for a few years now, no problems encountered during time of use.

Sam I Am

blacktupelo
Posts: 207
Joined: Mon Feb 19, 2007 6:43 pm
Location: St. Louis Missouri USA

Re: Password manager?

Post by blacktupelo » Sun Nov 20, 2011 10:04 am

I use and recommend 1Password for Mac and iPad. I share my password database between my iMac and iPad using the Dropbox free file sharing. 1Password is invaluable.
Larry

Silence Dogood
Posts: 1226
Joined: Tue Feb 01, 2011 9:22 pm

Re: Password manager?

Post by Silence Dogood » Sun Nov 20, 2011 10:48 am

How safe is the built in password manager in Firefox?

stan1
Posts: 7977
Joined: Mon Oct 08, 2007 4:35 pm

Re: Password manager?

Post by stan1 » Sun Nov 20, 2011 10:59 am

LastPass now has built-in support to use Google Authenticator for multi factor authentication in the free version.

I have it set up so that my primary computer is trusted (it would be a hassle to enter a Google Authenticator code every time I need a password).
But access to my passwords from any other computer requires that the person logging in have a code from Google Authenticator.

Bylo Selhi
Posts: 1119
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: Password manager?

Post by Bylo Selhi » Sun Nov 20, 2011 11:03 am

Silence Dogood wrote:How safe is the built in password manager in Firefox?
It depends on whether you protect it with a Master Password and, if you do, how strong a password you use.

G-Force
Posts: 332
Joined: Sun Sep 20, 2009 3:03 pm
Location: Florida

Re: Password manager?

Post by G-Force » Sun Nov 20, 2011 11:38 am

I use 1Password on Mac, Windows, and iOS.

chaz
Posts: 13604
Joined: Tue Feb 27, 2007 2:44 pm

Re: Password manager?

Post by chaz » Sun Nov 20, 2011 12:22 pm

LastPass is very good.
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Re: Password manager?

Post by ClaireTN » Sun Nov 20, 2011 2:39 pm

I've been playing around with the free version of Lastpass, and it looks very good so far. It seems a bit clumsy with sites that have separate screens for the username and password or challenge questions, though. I was very glad to see that it handles multiple log-in identities for the same web site with such ease. My husband and I both have accounts at Vanguard, TIAA-CREF, and State Farm, so this is a nice feature.

I'm also planning to try the 30-day free trial of 1Password. I'll post back here if I discover anything useful.

I've identified one other interesting possibility, eWallet. Unfortunately, it won't work for me because it only syncs between Mac and iOS or between PCs and Android. Too bad. The UI is based on a card metaphor, which looks nice.

jives
Posts: 59
Joined: Fri Mar 25, 2011 7:08 am
Location: Ohio

Re: Password manager?

Post by jives » Sun Nov 20, 2011 3:09 pm

I have used a program called PW Safe for several years now. As far as I know it's still free.

brianH
Posts: 327
Joined: Wed Aug 12, 2009 12:21 pm

Re: Password manager?

Post by brianH » Sun Nov 20, 2011 4:35 pm

I prefer KeePass. I don't really trust LastPass, and I find their security to be lacking (convenience over security.)

A system (like KeePass) where you can use a master password plus a keyfile to encrypt the database is the most secure option. It should be noted that LP (and possibly other cloud services) only use the other factor as access control. That is to say, if someone grabbed your password DB from LP's servers through some attack, all they would need is your master password.

I've never been cool with this. Say an (ex)employee wanted to inject some javascript into the login page that sent them your master password. They also grabbed the DB through some other mechanism--you're screwed. The access control provided by multi-factor is great and should be used more often, but it does nothing to protect the security of your actual password DB should it fall into the wrong hands. The fact that LP admitted to suspicious behavior on their network and the fact that they weren't using key transforms to make bruteforcing harder removes any trust I may have given them.

The key transforms is a standout to me. I'm a software developer that has written security/encryption code. Setting up a system that doesn't perform these transforms is very sloppy. I'd unfortunately expect as much on commercial websites, but for a company focused on security, this is a huge failure.

For what it's worth, I inspected the KeePass source code a few versions ago, and it passed my exam. Note, the packaged versions (for download) may have evil code added, but the developer has been at this awhile and personally signs his products.

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Re: Password manager?

Post by ClaireTN » Sun Nov 20, 2011 6:15 pm

brianH wrote:I prefer KeePass. I don't really trust LastPass, and I find their security to be lacking (convenience over security.)

A system (like KeePass) where you can use a master password plus a keyfile to encrypt the database is the most secure option. It should be noted that LP (and possibly other cloud services) only use the other factor as access control. That is to say, if someone grabbed your password DB from LP's servers through some attack, all they would need is your master password.

I've never been cool with this. Say an (ex)employee wanted to inject some javascript into the login page that sent them your master password. They also grabbed the DB through some other mechanism--you're screwed. The access control provided by multi-factor is great and should be used more often, but it does nothing to protect the security of your actual password DB should it fall into the wrong hands. The fact that LP admitted to suspicious behavior on their network and the fact that they weren't using key transforms to make bruteforcing harder removes any trust I may have given them.

The key transforms is a standout to me. I'm a software developer that has written security/encryption code. Setting up a system that doesn't perform these transforms is very sloppy. I'd unfortunately expect as much on commercial websites, but for a company focused on security, this is a huge failure.

For what it's worth, I inspected the KeePass source code a few versions ago, and it passed my exam. Note, the packaged versions (for download) may have evil code added, but the developer has been at this awhile and personally signs his products.
Interesting. Have you ever looked into 1Password? Any security concerns there?

I've now tried LastPass and 1Password on a very limited basis. I'm finding that both programs have trouble handling sites like Vanguard where the username and password need to be entered on separate pages. This isn't a big deal, but it is inconvenient.

chaz
Posts: 13604
Joined: Tue Feb 27, 2007 2:44 pm

Re: Password manager?

Post by chaz » Sun Nov 20, 2011 7:34 pm

brianH, thanks for the important info - I will switch to keepass.
Chaz | | “Money is better than poverty, if only for financial reasons." Woody Allen | | http://www.bogleheads.org/wiki/index.php/Main_Page

Saving$
Posts: 1838
Joined: Sat Nov 05, 2011 8:33 pm

Re: Password manager?

Post by Saving$ » Sun Nov 20, 2011 7:52 pm

Another vote for KeePass.

+Free (right price)
+Open Source (increased transparency and thus better security)
+Available for multiple platforms: I have used the PC desktop version, and synched the desktop with the version installed on devices including Palm OS, Windows Mobile, Blackberry and will soon use the Android Mobile. This means when I switch handheld devices I don't need to purchase new password software for the device, and I don't need to change the password software on my desktop.

brianH
Posts: 327
Joined: Wed Aug 12, 2009 12:21 pm

Re: Password manager?

Post by brianH » Mon Nov 21, 2011 10:04 am

ClaireTN wrote: Interesting. Have you ever looked into 1Password? Any security concerns there?

I've now tried LastPass and 1Password on a very limited basis. I'm finding that both programs have trouble handling sites like Vanguard where the username and password need to be entered on separate pages. This isn't a big deal, but it is inconvenient.
I haven't looked at 1Password in any depth. When I looked into LastPass, I was trying to find a service that would allow other members of my business to easily use common passwords. I did a deep dive into the service, including purchasing the full version and a Yubikey. The Yubikey is very cool, but that's a story for another day.

In the end, I use KeePass with 2 databases. One for 'work' and one for my personal passwords. I also use Firefox's password manager (with a master password for encryption support) for my less sensitive passwords (forums, shopping sites that don't have my CC info, etc.) This is a decent compromise between convenience and security for passwords that wouldn't be disastrous if lost.

Toons
Posts: 13424
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Password manager?

Post by Toons » Tue Nov 22, 2011 12:24 am

stan1 wrote:LastPass now has built-in support to use Google Authenticator for multi factor authentication in the free version.

I have it set up so that my primary computer is trusted (it would be a hassle to enter a Google Authenticator code every time I need a password).
But access to my passwords from any other computer requires that the person logging in have a code from Google Authenticator.

+1 :D Used keepass for a couple years but switched to lastpass over a year ago. I also use the multifactor authenticator and have set it up for multiple (trusted) computers and devices. I have the lastpass extension installed in chrome browser and it makes it very easy to work with the application.
For me, lastpass truly is the last password application I should ever need :D
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

soaring
Posts: 1440
Joined: Sun Nov 18, 2007 9:09 am
Location: North Central Florida

Re: Password manager?

Post by soaring » Tue Nov 22, 2011 7:33 am

how do I create a back-up of keepass?
I've installed the program on a usb stick and set it up with one link. All works ok. But when I copy or send it to another hard drive as a back up it doesn't recognize the master password on that new hard drive.

The program is there. It just won't recognize the password but will let me set up a new master password.

Any suggestions?
Desiderata

richard
Posts: 7961
Joined: Tue Feb 20, 2007 3:38 pm

Re: Password manager?

Post by richard » Tue Nov 22, 2011 7:57 am

soaring wrote:how do I create a back-up of keepass?
I've installed the program on a usb stick and set it up with one link. All works ok. But when I copy or send it to another hard drive as a back up it doesn't recognize the master password on that new hard drive.

The program is there. It just won't recognize the password but will let me set up a new master password.

Any suggestions?
Are you sure you're using the same version of keepass in both places? Are you sure you're copying the current data file (e.g., *.kdbx)?

You might try using the export function

soaring
Posts: 1440
Joined: Sun Nov 18, 2007 9:09 am
Location: North Central Florida

Re: Password manager?

Post by soaring » Tue Nov 22, 2011 9:26 am

richard wrote:
soaring wrote:how do I create a back-up of keepass?
I've installed the program on a usb stick and set it up with one link. All works ok. But when I copy or send it to another hard drive as a back up it doesn't recognize the master password on that new hard drive.

The program is there. It just won't recognize the password but will let me set up a new master password.

Any suggestions?
Are you sure you're using the same version of keepass in both places? Are you sure you're copying the current data file (e.g., *.kdbx)?

You might try using the export function
Thank you richard. I was not moving the kdbx file just the program.
Desiderata

runthetrails
Posts: 591
Joined: Tue Jun 05, 2007 12:51 pm
Location: Tennessee

Re: Password manager?

Post by runthetrails » Tue Nov 22, 2011 9:54 am

If you need to use software that is cross-Operating System capable, Password Safe (on Windows) uses the same database format as Password Gorilla (Mac OS and Linux). Both are free, and better yet I believe both are Open Source. Password Gorilla runs on Windows as well, but Password Safe has a slightly slicker interface. Password Safe was recommended to me by the instructor of an application security class at my place of business. He was from the OWASP foundation, so should be in the know. It's also approved by Bruce Schneier, a well-known security guru and author.

tadamsmar
Posts: 8579
Joined: Mon May 07, 2007 12:33 pm

Re: Password manager?

Post by tadamsmar » Tue Nov 22, 2011 10:18 am

Bylo Selhi wrote:Lastpass is the gold standard for this. Free for all PC platforms but you have to pay $1/month for a premium account that will support all your smartphones and tablets.
LastPass CEO reports an apparent data theft:

http://www.pcworld.com/article/227268/l ... _hack.html

Silence Dogood
Posts: 1226
Joined: Tue Feb 01, 2011 9:22 pm

Re: Password manager?

Post by Silence Dogood » Tue Nov 22, 2011 10:29 am

brianH wrote:
ClaireTN wrote: Interesting. Have you ever looked into 1Password? Any security concerns there?

I've now tried LastPass and 1Password on a very limited basis. I'm finding that both programs have trouble handling sites like Vanguard where the username and password need to be entered on separate pages. This isn't a big deal, but it is inconvenient.
I haven't looked at 1Password in any depth. When I looked into LastPass, I was trying to find a service that would allow other members of my business to easily use common passwords. I did a deep dive into the service, including purchasing the full version and a Yubikey. The Yubikey is very cool, but that's a story for another day.

In the end, I use KeePass with 2 databases. One for 'work' and one for my personal passwords. I also use Firefox's password manager (with a master password for encryption support) for my less sensitive passwords (forums, shopping sites that don't have my CC info, etc.) This is a decent compromise between convenience and security for passwords that wouldn't be disastrous if lost.
Brian, can you tell us about the Yubikey?

Bylo Selhi
Posts: 1119
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: Password manager?

Post by Bylo Selhi » Tue Nov 22, 2011 10:33 am

tadamsmar wrote:LastPass CEO reports an apparent data theft: http://www.pcworld.com/article/227268/l ... _hack.html
Already mentioned, linked and discussed upthread.
The CEO of password management company LastPass says it's highly unlikely hackers gained access to his millions of users' data--but that he doesn't want to take any chances... now says he may have been "too alarmist" in assuming the worst, but that--even if it ended up hurting his company's image--he wanted to act quickly and make sure everyone was informed...

Q. If someone had what you'd consider a strong master password, then, would they have any reason to be worried at this point?
Siegrist: No. None...

[Author's note: LastPass is also requiring some users to change their master passwords with the service as a precaution... LastPass has also now said it's rolling out stronger encryption standards on its data. Full technical details are available at the company's blog.]
So he's damned if he does and he's damned if he doesn't. I'd rather deal with the likes of Siegrist than with the likes of Sony or TJ Maxx.

brianH
Posts: 327
Joined: Wed Aug 12, 2009 12:21 pm

Re: Password manager?

Post by brianH » Tue Nov 22, 2011 11:34 am

Silence Dogood wrote: Brian, can you tell us about the Yubikey?
The YubiKey (http://yubico.com/yubikey) is a cool little USB device that has multiple security functions. It is small and thin, and it only has one 'button' on the top, which is really just a gold-plated finger contact. Anyway, LastPass uses one of its modes called OATH OTP (one time password.) Using their code or your own, you can write a form entry field (textbox) on your site that expects a code. Once plugged in, the YubiKey functions as a USB keyboard that can automatically 'type' a string of characters into the input field when the user presses the button. Using a couple algorithms, the server can determine that yes, you have the key in your possession. This satisfies multi-factor authentication: something you know (password) and something you have (Yubikey.)

Unfortunately, this provides access control only, though more web portals should use it to increase security (Vanguard, you listening?) What would be ideal, is if the YubiKey actually was used to encrypt your password database. Well...turns out you can do just that. I wrote proof of concept code to do it with the YubiKey, as it also supports a mode called 'challenge-response'. You can actually 'feed' the YK a value, and it will return a value constructed from that value + a secret internal value that can't be read (but can be reprogrammed.) So, for a password database, when you're saving the database, the software could come up with a random value, feed it to the YK, and encrypt the DB with the resultant value (crypto hash). The value initially passed to the YK would need to be stored with the database file (it's not sensitive.) Now, on next open, that value would be read, passed to the YK, and the hash used to decrypt the DB.

This would be one of the most secure processes I can think of. Of course, (from LastPass' perspective) there are downsides. Loss of the device would be problematic. A new device could be reprogrammed to function the same as the lost one, but it would require using tools offered by Yubikey. No problem for a local IT department, but hard to tell your customers when you aren't local (LastPass.) You are also forced to use a computer/device that has drivers for the YubiKey. So, understandably (from a business perspective), LastPass made a pro/con decision to be as secure as they can given the desired functionality: convenience over security.

If you do use LastPass, I would highly recommend one of their options for multi-factor. I believe they now offer the free Google Authenticator method, which uses a small program running on your cell phone as the 'what you have' portion.
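
Added example, not part of brianH's post and not YubiKey, KeePass or LastPass code: a sketch of the challenge-response scheme described above, where the token's response is mixed into the database key instead of only gating login. `SoftToken` is a software stand-in for the hardware key, and HMAC-SHA1 as the response function, PBKDF2 for the password part, the round count and all function names are assumptions of this sketch; the cipher that would consume the key is left out.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed work factor for the password part of the key


class SoftToken:
    """Software stand-in for the hardware key: the secret is never handed out."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Assumed response function: HMAC-SHA1 of the challenge under the secret.
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def _derive_key(master_password: str, challenge: bytes, response: bytes) -> bytes:
    # Stretch the password, then key an HMAC with the token response, so the
    # final key cannot be computed from the password and the stored file alone.
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), challenge, ROUNDS
    )
    return hmac.new(response, pw_part, hashlib.sha256).digest()


def _key_check(key: bytes) -> bytes:
    # Lets the opener detect a wrong key without storing the key itself.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def save_database_key(master_password: str, token: SoftToken):
    """On save: pick a fresh random challenge and derive the encryption key.

    The header (challenge + key check) is stored in the clear with the file.
    """
    challenge = os.urandom(32)
    key = _derive_key(master_password, challenge, token.respond(challenge))
    header = {"challenge": challenge, "key_check": _key_check(key)}
    return header, key


def open_database_key(master_password: str, token: SoftToken, header: dict):
    """On open: replay the stored challenge to the token and rebuild the key.

    Returns the key, or None when the password or the token is wrong.
    """
    challenge = header["challenge"]
    key = _derive_key(master_password, challenge, token.respond(challenge))
    if hmac.compare_digest(_key_check(key), header["key_check"]):
        return key
    return None


if __name__ == "__main__":
    device_secret = os.urandom(20)  # constructed secret for the demo
    token = SoftToken(device_secret)
    header, key = save_database_key("my master password", token)

    same = open_database_key("my master password", token, header) == key
    print("password + original token:", same)

    other = open_database_key("my master password", SoftToken(os.urandom(20)), header)
    print("password + different token:", other is not None)

    # A replacement token programmed with the same secret behaves identically.
    spare = SoftToken(device_secret)
    print("password + reprogrammed spare:",
          open_database_key("my master password", spare, header) == key)
```

Because the challenge is regenerated on every save, the derived key changes each time the file is written, and a copy of the file plus the master password still lacks the token's response.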

Toons
Posts: 13424
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Password manager?

Post by Toons » Tue Nov 22, 2011 11:43 am

"If you do use LastPass, I would highly recommend one of their options for multi-factor. I believe they now offer the free Google Authenticator method, which uses a small program running on your cell phone as the 'what you have' portion."

+1 Works great and easy to use no need to be connected to the internet for codes either. :D

https://market.android.com/details?id=c ... ator&hl=en
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

Brody
Posts: 983
Joined: Wed Oct 19, 2011 8:21 am

Re: Password manager?

Post by Brody » Tue Nov 22, 2011 11:49 am

BigFoot48 wrote:KeePass with the encrypted data file in my Dropbox folder and available wherever I find myself. Note to self: delete the image of the Treasury Direct code card stored in it.
I just downloaded KeePass. I have the encrypted data file in my Dropbox folder. However, when I go to get it in another computer windows can't open the file because it doesn't recognize the .kdbx file.

I assume that this is just my technological lack of smartness showing. Do I have to put KeePass on all of my computers? And then since, I am keeping the file in Dropbox, it will then be automatically updated on all of my computers at once?
I am the poster formerly known as Oneanddone.

brianH
Posts: 327
Joined: Wed Aug 12, 2009 12:21 pm

Re: Password manager?

Post by brianH » Tue Nov 22, 2011 11:51 am

Brody wrote:
BigFoot48 wrote:KeePass with the encrypted data file in my Dropbox folder and available wherever I find myself. Note to self: delete the image of the Treasury Direct code card stored in it.
I just downloaded KeePass. I have the encrypted data file in my Dropbox folder. However, when I go to get it in another computer windows can't open the file because it doesn't recognize the .kdbx file.

I assume that this is just my technological lack of smartness showing. Do I have to put KeePass on all of my computers? And then since, I am keeping the file in Dropbox, it will then be automatically updated on all of my computers at once?
Yep, you'll need to install the KeePass software on any machine that you want to access the passwords. It should automatically associate the .kdbx file extension to open the program when you double-click on the database (in your dropbox sync'd folder.)

hudson4351
Posts: 307
Joined: Fri Aug 10, 2007 8:30 pm

Re: Password manager?

Post by hudson4351 » Tue Nov 22, 2011 3:16 pm

Another vote for KeePass. There is a bit of a learning curve but once you get over that it works really well. You can even combine it with Dropbox and the smartphone apps to access your information anywhere from your phone.

family_doc
Posts: 137
Joined: Sat Mar 10, 2007 12:00 pm

Re: Password manager?

Post by family_doc » Wed Nov 23, 2011 3:28 am

Another vote for Keepass. Works well for me. I especially like the feature where you can start with the url and launch your browser, then add in the password and login. I have the portable version on a flash drive also.

Brody
Posts: 983
Joined: Wed Oct 19, 2011 8:21 am

Re: Password manager?

Post by Brody » Wed Nov 23, 2011 1:50 pm

I'm a day into using Keepass. So far, so good.

I'll allow my computer ignorance to show some more. What makes this more secure than just keeping my passwords in a password protected file?
I am the poster formerly known as Oneanddone.

roymeo
Posts: 1273
Joined: Sat Apr 28, 2007 7:19 pm
Location: Oakland, CA

Re: Password manager?

Post by roymeo » Wed Nov 23, 2011 1:57 pm

LastPass

I use 1 account with my partner so we can instantly share our passwords. You can also share 'access' to accounts without revealing the password to others using LastPass--I've used this at work to give other people access to a test account without having to give them the password itself, but I can also see how that would make it convenient for families, etc. to share access without giving out everything.

roymeo
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo

family_doc
Posts: 137
Joined: Sat Mar 10, 2007 12:00 pm

Re: Password manager?

Post by family_doc » Wed Nov 23, 2011 2:03 pm

The file, .kdbx, is also encrypted with fairly vigorous encryption. Data is flushed from buffers when program shut down. Password necessary to open. Etc. Much safer than just password protecting a file. I believe programs exist to "crack" Microsoft's password protection on documents and files. I'm sure the computer geeks on this forum have more detailed explanations of your question.

family_doc

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Re: Password manager?

Post by ClaireTN » Wed Nov 23, 2011 5:33 pm

OP here. For now I've settled on 1Password. I like that it holds information on my local computer and works seamlessly with my iPad and Android phone. I can also gain access to it from any computer using the .html file in Dropbox. The program is very user friendly - much more so than I found LastPass to be. If I run into trouble before the 30-day free trial is up, I'll likely switch to KeePass.

Thanks, everyone, for the excellent advice.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Password manager?

Post by Mudpuppy » Wed Nov 23, 2011 5:39 pm

Brody wrote:I'll allow my computer ignorance to show some more. What makes this more secure than just keeping my passwords in a password protected file?
Not all password protected files are actually encrypted files. If they are not encrypted, then it is trivial for someone to recover the data inside. MS Office did not add real encryption until Office 2010 (2007 maybe?), so older Word files (.doc extension) are easy to break into. Even if they are encrypted (Office 2010 uses AES), they are still prone to password cracking attempts or attacks against the encryption algorithm. There are tools that exist just to try different passwords against an Office 2010 .docx file to find out which is the real password (this is called a brute force or password cracking attack).

Keepass uses an AES (or Twofish) encrypted file, but also allows you to set it up to require both a password and a private key file. The advantage of this approach is that it is computationally infeasible to brute force the key file with current computer hardware, while a password can be brute forced unless it is highly complex. Keepass also passes the master password through SHA-256 and uses the result as the key to AES, which means it will take longer for a brute force attack since each password will take longer to test. So even if you go with password-only mode, it will take longer to brute force the Keepass master password than to brute force the Office 2010 password.
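
Added example, not part of any post in this thread and not KeePass or LastPass code: what the "key transforms" brianH mentions and the per-guess cost Mudpuppy describes look like when the round count is chosen by timing on the local machine. PBKDF2-HMAC-SHA256 is used here as a stand-in transform; the function names, `MIN_ROUNDS`, the target delay and the sample password are assumptions of this sketch.

```python
import hashlib
import hmac
import os
import time

MIN_ROUNDS = 10_000  # assumed floor for this example, not any product's default


def single_hash_key(password: str, salt: bytes) -> bytes:
    """No key transform: one salted SHA-256 pass per password guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def transformed_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Key transform: PBKDF2 repeats the hash `rounds` times per guess."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=32
    )


def seconds_per_derivation(rounds: int, salt: bytes) -> float:
    """Measure what one derivation (one guess) costs on this machine."""
    start = time.perf_counter()
    transformed_key("calibration-password", salt, rounds)
    return time.perf_counter() - start


def calibrate_rounds(target_seconds: float, salt: bytes) -> int:
    """Double the round count until one derivation takes about target_seconds."""
    rounds = MIN_ROUNDS
    while seconds_per_derivation(rounds, salt) < target_seconds:
        rounds *= 2
    return rounds


def new_header(target_seconds: float = 0.25) -> dict:
    """Salt and round count are not secret; they are stored beside the data."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": calibrate_rounds(target_seconds, salt)}


def key_matches(password: str, header: dict, expected_key: bytes) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = transformed_key(password, header["salt"], header["rounds"])
    return hmac.compare_digest(candidate, expected_key)


def years_to_search(keyspace: int, seconds_per_guess: float) -> float:
    """Time to try every candidate once, on one machine, at the measured rate."""
    return keyspace * seconds_per_guess / (365.25 * 24 * 3600)


if __name__ == "__main__":
    header = new_header()
    password = "constructed sample master password"
    key = transformed_key(password, header["salt"], header["rounds"])

    slow = seconds_per_derivation(header["rounds"], header["salt"])
    start = time.perf_counter()
    single_hash_key(password, header["salt"])
    fast = time.perf_counter() - start

    keyspace = 62 ** 8  # constructed case: 8 characters from a-z, A-Z, 0-9
    print("rounds chosen:", header["rounds"])
    print("correct password re-derives the key:", key_matches(password, header, key))
    print("years to search, single hash: %.4f" % years_to_search(keyspace, fast))
    print("years to search, transformed: %.1f" % years_to_search(keyspace, slow))
```

The transform multiplies the cost of every guess by the same factor for the owner and for anyone holding a copy of the file, which is why the owner pays a fraction of a second once per unlock while an exhaustive search pays it per candidate.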

mclvngr
Posts: 41
Joined: Sun May 08, 2011 9:57 am

Re: Password manager?

Post by mclvngr » Thu Nov 24, 2011 4:23 pm

LastPass, end of debate. Watch this video about LastPass by security expert Steve Gibson:

http://www.youtube.com/watch?v=r9Q_anb7pwg

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Re: Password manager?

Post by ClaireTN » Fri Nov 25, 2011 9:43 pm

1Password is on sale right now for 50% off. I got the family license for $35. A single license for an educator would have been $20. A good deal! I had planned to wait until the 30-day free trial was up, but I like the software so much that I decided to go for it now to get the sale price.

-ClaireTN

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Fri Nov 25, 2011 10:02 pm

mclvngr wrote:LastPass, end of debate. Watch this video about LastPass by security expert Steve Gibson:

http://www.youtube.com/watch?v=r9Q_anb7pwg
LastPass is excellent, but I never like the idea of having my password reader built into my browser. I used LastPass for a year, and despite not being paranoid about security, felt uncomfortable with having it so accessible from the browser.

I prefer the minimally more inconvenient method of Keepass for critical financial passwords. Keepass will auto-paste logon and passwords so it's not a big deal, and I like the fact it's completely separate from the browser, so there's absolutely no chance of forgetting to log out. I also find it easier to enter miscellaneous data (like big chunks of text) in Keepass, whereas it's very clunky in Lastpass. My Keepass file is now indispensable to me, and super secure - and I can back it up even on e-mail given the bank+ level encryption on it. (The backup file is <200k.) Keepass is great stuff.

Die Hard
Posts: 772
Joined: Wed Jan 02, 2008 9:51 pm
Location: West of the Pacific

Re: Password manager?

Post by Die Hard » Sat Nov 26, 2011 8:02 pm

I have Password Keeper on my Blackberry Smart Phone. Haven't seen this mentioned.

Anyone know of any security concerns with this one? It's my work phone. If I ever left my job they would take the phone. Could it possibly be hacked then?
The best way to teach your children about money is to not have any.............

Bylo Selhi
Posts: 1119
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: Password manager?

Post by Bylo Selhi » Sat Nov 26, 2011 10:44 pm

lightheir wrote:LastPass is excellent, but I never like the idea of having my password reader built into my browser. I used LastPass for a year, and despite not being paranoid about security, felt uncomfortable with having it so accessible from the browser.
LastPass has quite a variety of security settings that should relieve your anxieties, including e.g.
• Automatically Logoff when all browsers are closed and Chrome has been closed for (mins) ___
• Automatically Logoff after idle (mins) ___
• Clear Clipboard after use (seconds) ___
• Website auto-logoff timeout ___
• Prompt for LastPass master password when: [select from several options]

If you're using LastPass on a computer to which other people who you don't necessarily trust have access, e.g. a PC at the office, you can make LastPass timeout much more quickly than you would otherwise.
