Use a Password Mgr? Which One? Like It?

[scrinch]

We use SplashID. I used the Splash apps back in the 2003-4 era on my Handspring and Palm smartphones, and then gave them up when I switched to android. About 6-7 years ago my brother reintroduced me to SplashID. It is simple and secure. No autofill or pwd generation. Just flexible, synced, encrypted pwd databases on all our devices.

[Cobra9777]

Quote:

Originally Posted by steveinjersey I use Password Safe https://pwsafe.org/ Used it for years and happy with it. It stores passwords in an encrypted file locally on your computer or on a memory stick. One Master Password is needed to open the the password file. Free and supports 64 bit. Did not want to store passwords online.

I think that makes 3 of us so far on this thread.

But yeah... PWSafe is open source, totally free, no ads, no trackers, lots of features, very simple to use. Data is stored locally on your device. Designed by Bruce Schneier, a professional cryptographer, lecturer at Harvard, and public advocate for computer security and privacy. This is anything BUT a commercial enterprise. Plus it's been around since 2002.

I've been using it since 2004. Never an issue. There's an Android version that works quite well. The interface is a bit dated. But it just works. It's more about security than bells and whistles. It supports physical 2FA such as YubiKey.

Over the years, I've done multiple trials on several of the big commercial password managers. But I always come back to PWSafe... for simplicity and the ultimate in security. Did I mention it's free?

[WWDog]

My simple solution is to not have any accounts of value be accessible on line. I do keep a spread sheet that tracks all my accounts but only access it off line and do not store it on a computer. I reboot after closing and removing the media, then come back on line. Always do an update of security SW and scan before initiating any other programs.

[Scuba]

I’m glad to hear the favorable comments re the Safari/Apple solution. That’s what I use, and it works great for me but I’m glad to hear that others also feel it’s a good solution. I never researched the different options, just used Safari since all our devices are Apple.

[cbo111]

Quote:

Originally Posted by Scuba I’m glad to hear the favorable comments re the Safari/Apple solution. That’s what I use, and it works great for me but I’m glad to hear that others also feel it’s a good solution. I never researched the different options, just used Safari since all our devices are Apple.

+1.
I recently downloaded the 1Password Family and found it cumbersome to use on my Mac. It was spotty getting the auto password creation to work and required me to enter the long master password frequently. I gave up after a couple days and about 8 hours messing with it. Given enough time I probably could have figured out all the wonderful features of the software, but certainly DW had no interest in this. So I cancelled during the free trial period and returned to the relative ease of my Safari password generator.

[Kayzmum]

Quote:

Originally Posted by 38Chevy454 Even though I use strong passwords, and two factor authentication when available, I think the time has come where I might use a password manager. Too many world events where cyber attack is part of the plans. Sure as individual I am probably not a direct target, but a major data breach can make for challenging times. Certainly can't hurt to improve security online since so much of our lives are present there. 1. Do you use a password manager? 2. Which One? 3. Do you like it? 4. (bonus question) Do you pay for it, and how much?

I've been using RoboForm for many years. It was one of the first ones to come out. I pay $25 a year. I like it, but I've never tried anything else so haven't compare it to anything. I don't mind paying for it. I feel like the programmers will have more incentive to keep it secure and not lose their income. I don't know if that's true or not, but it gives me more peace of mind.

[Sunset]

Quote:

Originally Posted by WWDog My simple solution is to not have any accounts of value be accessible on line. I do keep a spread sheet that tracks all my accounts but only access it off line and do not store it on a computer. I reboot after closing and removing the media, then come back on line. Always do an update of security SW and scan before initiating any other programs.

I don't think that is a good solution.
You are basically allowing any scammer to be able to set up an account in your name, which will be allowed as it's the first one.
If you are not there, then a scammer can set up the account and have command of your digital identity for that organization.

I think with a Social Security account in your name, someone can do damage.
Same with some bank accounts.
It becomes a nightmare if they set up an account at a bank/brokerage that you actually use, as they will have access to your money online while you don't.
They can then add a transfer account (you won't be notified).
They can then transfer out the money and again you won't know until a check bounces..

[JeKa]

Quote:

Originally Posted by 38Chevy454 Even though I use strong passwords, and two factor authentication when available, I think the time has come where I might use a password manager. Too many world events where cyber attack is part of the plans. Sure as individual I am probably not a direct target, but a major data breach can make for challenging times. Certainly can't hurt to improve security online since so much of our lives are present there. 1. Do you use a password manager? 2. Which One? 3. Do you like it? 4. (bonus question) Do you pay for it, and how much? I have been searching and found these as popular choices: lastpass, bitwarden, 1password, dashlane, keeper. Thanks for discussion and helping me decide what to do.

I use the paid version (one time fee) of My Passwords. I use the Android version. Does everything I need in a manager. Love it. When it generates the passwords, it is color differentiated as to numbers vs letters.

[Reese]

Bitwarden - Free Version.
Syncs across Browsers on mobile, tablets and desktops.

[dbwillis]

I use StickyPassword

[Carol1862]

Quote:

Originally Posted by Jerry1 I also use a spreadsheet. The one thing you didn't mention is password protecting the spreadsheet. Mine requires a password to unlock the spreadsheet then I can access all my passwords. My financial accounts require two factor authorization.

+1

This works for me. I also routinely go through and delete ones I set up that I rarely use.

I never save financial passwords online

[RetMD21]

another Lastpass breach https://www.npr.org/2022/12/01/11400...a-breach-again

[TripleLindy]

Quote:

Originally Posted by RetMD21 another Lastpass breach https://www.npr.org/2022/12/01/11400...a-breach-again

Ouch. At least passwords weren’t compromised. I recently started using 1Password. So far so good, but when filling in the password for some sites, it doesn’t seem to work. I learned to copy and paste when logging into those sites. There’s only a few I’ve encountered.

I like the generation of long, random passwords.

[bloom2708]

Using 1Password, Family version. 5 people use it. Each can have a Private locker and a Shared locker for things like TV logins.

Very happy with it. I did spend ~8 hours one Saturday transitioning and getting everything in 1Password. This included getting rid of duplicate passwords and using much more complicated passwords for anything financial or shopping related.

[TripleLindy]

Quote:

Originally Posted by bloom2708 Using 1Password, Family version. 5 people use it. Each can have a Private locker and a Shared locker for things like TV logins. Very happy with it. I did spend ~8 hours one Saturday transitioning and getting everything in 1Password. This included getting rid of duplicate passwords and using much more complicated passwords for anything financial or shopping related.

I’m still in the process of transitioning and cleaning up dupes. It definitely requires a commitment of time. I’ve been slowly doing it, but took care of the most financially sensitive sites first thing.

[Chuckanut]

I have just switched from LastPass to Bit Warden. Why? Two reasons:

1.) LastPass seems to be the object of some determined attackers. They seem to be a rather favored target for reasons that are unknown to me.

2.) Since their code is unknown, it's hard to get a 3rd party view of the risk to users. Bit Warden is open source. If there is a flaw in the code, it has a better chance of being exposed and fixed by outside experts in the field of data security.

According to the email from LastPass the attackers did get some customer data.

Quote:

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass's Zero Knowledge architecture.

My interpretation of this is that the bad guys managed to get some of the customer's encrypted signon data. I may be wrong. But, that is how I read between the lines.

I have already changed the passwords of my financial accounts and stored them in Bit Warden.

[TripleLindy]

Quote:

My interpretation of this is that the bad guys managed to get some of the customer's encrypted signon data. I may be wrong. But, that is how I read between the lines.

I doubt that anything encrypted was compromised. I'm no expert, but my oldest son is. He's a software engineer on Microsoft's security team and also spent 5 years with the NSA doing encryption work. He tells me that encrypted data can't be hacked without the encryption key, which would be on the user's device, not the vendor's servers. Regardless, it's troubling to see continued breaches.

[OldShooter]

Any widely-used password manager is going to be a high-priority target for hackers. At the same time, the need for complicated and obscure passwords, is pretty questionable. Exhaustive passwords attacks are inefficient and passé. Phishing is the name of the game these days and password managers are no defense against that. So I just have no interest in using one. My financial passwords are complicated enough to be unguessable and the sites prevent exhaustive attacks by limiting the number of login fails permitted. My passwords for sites like this one are close to trivial but I really don’t care whether I am seriously protected or not. There is nothing here that an imposter could steal. Same story on other forums, even on news sites. Nothing to steal so little need for protection.

[Chuckanut]

Quote:

Originally Posted by TripleLindy I doubt that anything encrypted was compromised. I'm no expert, but my oldest son is. He's a software engineer on Microsoft's security team and also spent 5 years with the NSA doing encryption work. He tells me that encrypted data can't be hacked without the encryption key, which would be on the user's device, not the vendor's servers. Regardless, it's troubling to see continued breaches.

IIRC, in August they stole copies of code used in LastPass. Now they steal customer data. That seems to be part of plan from my point of view. How they would get my encryption key is unknown. I guess what bothers me is this is starting to look rather methodical. Scary.

[TripleLindy]

Quote:

Originally Posted by OldShooter Any widely-used password manager is going to be a high-priority target for hackers. At the same time, the need for complicated and obscure passwords, is pretty questionable. Exhaustive passwords attacks are inefficient and passé. Phishing is the name of the game these days and password managers are no defense against that. So I just have no interest in using one. My financial passwords are complicated enough to be unguessable and the sites prevent exhaustive attacks by limiting the number of login fails permitted. My passwords for sites like this one are close to trivial but I really don’t care whether I am seriously protected or not. There is nothing here that an imposter could steal. Same story on other forums, even on news sites. Nothing to steal so little need for protection.

I kind of felt the same way, but the convenience is what pushed me over to a PW manager. Logging on is now a snap and I only have 1 password to remember. Like you, my financial sites had pretty strong passwords, but there were elements that were shared between them just so I could remember. And that's the real risk. Once any part of a password is known, hackers have software that will test lots of sites with multiple iterations. Takes only a few seconds.