quote:

Originally posted by Mustang-PaPa:
I have never stored mine online, I'm old school and unorganized I guess.

Neither have I and I'm not old school and into High Tech. It's just that some of it isn't ready for prime time yet.

I should add; I never use the "remember me" option many websites, especially retail, ask when creating a password. This seems very convenient but also seems like the least secure option. Also, I've turned off password storing on browsers. Again, I can't see how this could possibly be considered secure since it's in the browser so surely a hacker can break into that with one hand tied.

I use a spreadsheet that is resident on my computer and password protected. I'm not giving my passwords to anyone else.

I have used “Keeper” for years and have been extremely happy with it.

quote:

Originally posted by xantom:
KeePass here, stored offline.

I also use Keepass. Seems not many people use it anymore. I don't need anything fancy and I'm well use to it now.

quote:

Originally posted by NavyGuy:

quote:

Originally posted by Rey HRH:
If you're really worried about someone getting your passwords, here's what I do which is only for accounts where my money can be taken out such as banks and brokerages: when I set up a password for a bank, I use the password that 1password suggests, have 1password record it, then I add a short string of letters or numbers that I can easily remember. That way, the password stored in 1password is not sufficient or complete.

I always us the password manager's suggested password (I'm using Dashlane) and use the longest allowable for the site with the most character types allowable. Since Dashlane (and 1Password) will fill in these passwords I don't worry about remembering them or fret about typing this long string of nonsensical characters. I change my master password monthly and it is something I can remember but follow the security suggestions on character placement. It's 16 characters long.

Dashlane, and I suspect most password managers allow you to download your password list. I do this from time to time, store it on a thumb drive with encryption and it goes in my safe. I suppose there are better places to store this drive, but it seems relatively secure to me and I like having a hard (soft) copy of my passwords.

I also always use the password manager's suggested password, (although, I could configure the passwords it comes up with such as "memorable words," up to 30 characters, exclude/include special characters or numbers. It also has a smart password feature that figures out the password requirements of the site.

But what I think you missed is that, not only do I use the password manager's password, I also add additional string of characters to the password that I do not store in the password manager. I do this for "sensitive" accounts where someone getting my password could be deleterious to me. Someone hacking my password to a credit card account? Who cares? I won't mind if they pay the balance off for me.

I have a little black book I keep me poems in…..

quote:

Originally posted by Pipe Smoker:

quote:

Originally posted by r0gue:
<snip>
I considered all the options just a few months ago and did my homework. Also my friend, a sys admin, did the same. Bitwarden and 1Password were the top two we'd arrived on. I went with 1Password. Toss of a coin.
<snip>

Was price a factor? My PW manager is mSecure (premium). $14.99 per year. Several device syncing options: Wi-Fi, Dropbox, or mSecure’s own server (no cost for that).

Also, how did mSecure (premium) come out in your PW manager homework endeavour?

Price really wasn't for me. I buy the family plan, so even the most expensive provides a lot of benefit. Hard to think of a better value than any incremental improvement on cybersec. I can't recall if we looked at mSecure. We started with a few industry leader recommendations (one was Steve Gibson), and evaluated the best of his for our needs.

quote:

Originally posted by Rey HRH:

quote:

Originally posted by r0gue:
I used LastPass since 2006. It's astonishing how many accounts you create in that time. In my case over 600. Mostly retail. With LastPass's recent issues, I'm migrated to 1Password, changing passwords as I went. That's not a trivial task.

I came from personal encoded notes to 1 Password but I understand most password managers allow exporting of passwords and importing into 1Password.

They do. But I did not want to do that. By doing them one at a time I can control and track my progress on turning them all over. I'm changing them through password reset on one browser with my old LastPass plugged-in. And resetting them on another browser with 1Password plugged in. Then it remembers the new.

Another reason is that I REAAAAALLLY didn't want to drop all of my account info with passwords into a clear text csv on my computer. And besides, it's best to change em all every decade or so. haha. Also, I'm finding many accounts/websites that are defunct. So I get those cleaned out.


!!! IMPORTANT !!! While I do believe that a well managed and secured (2FA, huge master password) vault is quite secure, and better for me than the alternatives of weaker/memorable, or reused passwords, or managing a notebook for 600+ accounts, I should add that I do NOT keep my main email credentials nor my financial info in the vault. I just don't need those few passwords often enough to take on any minuscule additional risk for them. Those creds are managed offline.

I consider my main email the holy grail as it can be used to reset other passwords. I think this is ultra-important guys. And you should definitely be using two-factor authentication on that account as well. That holds true whether or not you choose to use a PW manager.

quote:

Originally posted by Rey HRH:
But what I think you missed is that, not only do I use the password manager's password, I also add additional string of characters to the password that I do not store in the password manager. I do this for "sensitive" accounts where someone getting my password could be deleterious to me. Someone hacking my password to a credit card account? Who cares? I won't mind if they pay the balance off for me.

Yeah, I did read that and it sounds like a good extra step which would help if the password manager was hacked to the extent the actor got complete access to all of your (and other's) passwords and long ins. That would be a catastrophe, and thankfully this has not happened to any of the password mangers. Some like Lastpass, did experience some breaches but not a complete breakdown of the "wall" but only some non critical info was accessed.

I know some have a hard time getting their head around storing such critical info on remote servers even though the encryption and security have been solid. It's a big step, and a person should do what makes them comfortable, balancing the convenience the PW managers provide with their own sense of security.

quote:

Originally posted by r0gue:
<snip>
I considered all the options just a few months ago and did my homework. Also my friend, a sys admin, did the same. Bitwarden and 1Password were the top two we'd arrived on. I went with 1Password. Toss of a coin.
<snip>

I suspect that you didn’t include the mSecure PW manager in your considerations.

Probably not. This was a good education. I cracked up around 14:30. I don't believe Steve had truly thought about the clear text export.

https://www.youtube.com/watch?v=9XWHCF4pLmI

quote:

Originally posted by NavyGuy:

I know some have a hard time getting their head around storing such critical info on remote servers even though the encryption and security have been solid. It's a big step, and a person should do what makes them comfortable, balancing the convenience the PW managers provide with their own sense of security.

Count me as being one of those. "to keep my list of passwords secure, I have to give it to a third party for safekeeping????" It was a slow long process to get me to the tipping point.