Who here use a password manager? Password manager OneLogin hacked.
Nullus Anxietas
ensigmatic
quote:
Originally posted by architect:
quote:
Originally posted by nhracecraft:
I am my own 'Password Manager', and I'm unhackable....100% secure! ;)
It is tempting to think so, but it is hard, if not impossible, to reconcile that approach with the need to maintain a different password, of sufficient variability and complexity, for each use case/login. Very few people have that good a memory.

I just checked my keyring: 417 entries. Maybe Sheldon Cooper could memorize all those. I certainly cannot.

Mind you: I expect 100-150 are stale--no longer in-use. One of these days I'll have to get around to doing a purge. But that would still leave ±250 sets of credentials for active accounts.

Plus I store in it, not only username/email address and password credentials, but things like my driver's license number, there's an entry with all my current CC info, my ATM PIN, an entry for my U.S. passport info, my gun safe combinations, etc.

My wife used to use the pen-and-paper method. But, after about the third time she misplaced the credentials for something, I finally convinced her to use Password Safe. Now that she's become accustomed to it, she loves it :) Same with one of my SIL's.

quote:
Originally posted by architect:
Even then you are vulnerable to "false flag" attacks, e.g. a website that masquerades as another prompting you to enter a password that has value on the forged site.

That's why I always put a site's URL in an entry and get to that site only by copy-n-pasting from my keyring. No missed typos that way ;)

I taught my wife to do the same thing. After explaining why, she allowed as how that made sense and does it, too.

quote:
Originally posted by NavyGuy:
In addition, I use Dashlane's password generator ... Hand typing these is very tedious.

Yeah, there's that, too. I rarely use my keyring's password generator, but a couple different password generators on my computer and a pass phrase generator I coded, myself, to emulate Diceware. (It doesn't truly emulate Diceware, because a computer's pseudo-random number generator can't match the entropy of physically rolling [unloaded] dice.)



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26106 | Location: S.E. Michigan | Registered: January 06, 2008
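A Diceware-style generator of the kind the post above mentions, as an added example that is not the poster's own code: each word is picked by simulated die rolls drawn from the operating system's CSPRNG through Python's `secrets` module. The 36-word list is constructed for the demo and the function names are hypothetical; a real Diceware list has 7776 words and uses five rolls per word.

```python
import math
import secrets

# Constructed 36-word sample list (6**2 entries, so 2 dice rolls pick one word).
# A real Diceware list has 6**5 = 7776 words and uses 5 rolls per word.
SAMPLE_WORDS = (
    "acorn badge cable delta ember fable "
    "gamma habit icing jelly kayak lemon "
    "mango noble ocean pedal quilt radio "
    "salad table umbra vapor wagon xenon "
    "yacht zebra amber brick cedar dune "
    "eagle flint grape hazel ivory joker"
).split()


def roll_die(rng=secrets):
    """One six-sided roll (1-6); secrets.randbelow draws from the OS CSPRNG."""
    return rng.randbelow(6) + 1


def rolls_to_index(rolls):
    """Treat the rolls as base-6 digits, as the Diceware lookup table does."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("die roll out of range: %r" % r)
        index = index * 6 + (r - 1)
    return index


def passphrase(words, n_words, dice_per_word, rng=secrets):
    """Pick n_words words, each selected by dice_per_word independent rolls."""
    if len(words) != 6 ** dice_per_word or len(set(words)) != len(words):
        raise ValueError("word list must hold 6**dice_per_word unique words")
    picked = []
    for _ in range(n_words):
        rolls = [roll_die(rng) for _ in range(dice_per_word)]
        picked.append(words[rolls_to_index(rolls)])
    return " ".join(picked)


def entropy_bits(list_size, n_words):
    """Bits of entropy when every word is chosen uniformly and independently."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS, 6, 2))
    print("6 words, 36-word sample list: %.1f bits" % entropy_bits(36, 6))
    print("6 words, 7776-word list: %.1f bits" % entropy_bits(7776, 6))
```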
Member
NO password manager of any type for me. Too old school for that.
 
Posts: 4494 | Location: Down in Louisiana . | Registered: February 27, 2009
Member
bigdeal
Used to use LastPass (until their recent gameplaying around charging) now use BitWarden. I have over 150 logins plus other information stored in the app which would be incredibly inefficient to try and tackle manually.


-----------------------------
Guns are awesome because they shoot solid lead freedom. Every man should have several guns. And several dogs, because a man with a cat is a woman. Kurt Schlichter
 
Posts: 33845 | Location: Orlando, FL | Registered: April 30, 2006
Experienced Slacker
I use Keeper. How does that rate these days?
Perhaps it's under the radar since it hasn't been mentioned here yet?

No problems so far in several years of use btw.
 
Posts: 7567 | Registered: May 12, 2004
Info Guru
BamaJeepster
LastPass here - 482 individual login accounts. I use the secure notes extensively, including photos of the front and back of all cards and licenses as well as other important notes.

As someone mentioned earlier, yes you can export everything in case you want an offline copy.



“Facts are stubborn things; and whatever may be our wishes, our inclinations, or the dictates of our passions, they cannot alter the state of facts and evidence.”
- John Adams
 
Posts: 29408 | Location: In the red hinterlands of Deep Blue VA | Registered: June 29, 2001
member
henryaz
quote:
Originally posted by V-Tail:
Here's my question: If I wanted to take the cloud out of the picture, but still keep the two Macs (in different locations) synced, could I make the iPhone version the "master" and have the Mac desktop installations of 1Password sync automatically whenever the iPhone connects to the local network? If so, how to set this up?

The iOS version of 1PW can only act as a client for syncing. Getting the second Mac synced is going to be your problem. For the second Mac (a MBP), I just run a simple shell script whenever I login. Among other maintenance things, it copies the primary database from the master Mac, but both Macs are on the same local LAN so this is easy. With your 2 Macs in different locations, a cloud sync is probably your best option. Or you could sneaker-net it between the two locations. :)



When in doubt, mumble
 
Posts: 10887 | Location: South Congress AZ | Registered: May 27, 2006
Member
dsiets
quote:
Originally posted by JimTheo:
I use KeePass and sync iPhones, MacBook Pro, Windows 10 and wife's iPhone by using Dropbox as the master repository. The database is encrypted so is OK on Dropbox, no website has my stuff to get hacked. Pretty basic but effective and cheap. Open source. I did donate as it is only fair.
https://keepass.info/

I also use KeePass. I don't know most of what's going on, but I don't even use Dropbox.
Just a file on my comps. and a few backup thumb drives.
I've nothing to worry about?
KeePass is one of the originals. Did they do it right?
 
Posts: 7624 | Location: MI | Registered: May 22, 2007
Baroque Bloke
Pipe Smoker
It seems that most folks posting in this thread like the PW manager they already have. I’m no different – it would be a Royal PITA to populate a new PW manager with all the data from my current one. But other than the transition difficulty, I have other reasons for liking my PW manager, mSecure. Here are some of its features…
* Industry standard AES-256 encryption.
* Generates PWs of arbitrary length from your choice of character sets.
* Syncing multiple devices – your choice of several agents: Wi-Fi, mSecure Cloud*1, iCloud, and Dropbox. Syncing operations are performed automatically. My MacBook has the master repository.
* Automatic backups to iCloud. Multiple copies are saved.
* Account PW is copied to clipboard (paste buffer) for easy login when mSecure launches a URL for that account.
* User-defined record types in addition to built-in types. All types have a “Notes” field for any text you wish.
* Good clean visual appearance.
* Utilizes FaceID (iPhone) and TouchID (MacBook) for convenient app opening.

*1 mSecure Cloud – no additional cost and no 2nd party involved.

I expect that most PW managers have most of these features, but I have other reasons for liking mSecure.

Pricing – Like most PW managers, mSecure offers a free version for my iPhone. And a “Pro” upgrade that lets me download it for all of my platforms, and keeps them synchronized. I have the Pro version, which costs $20. But it’s a one-time cost – not a damnable periodic fee.

Security – Good app builders are thick on the ground nowadays. But not all of them are savvy about the subtle hazards of the encryption process. I believe mSeven Software, maker of mSecure, is among the savvy ones:

Long ago, the Black Hat group reported that they easily cracked 1Password. Of mSecure, they said that it’s “not bad”. Which meant, I think, that they couldn’t crack it.

More recently, CNET had some unsettling comments about LastPass:

“…
No, LastPass isn't flawless: A vulnerability privately reported in September 2019 was a scary flaw that could potentially compromise passwords. But the company patched it before it was known to be exploited in the wild. It was one of several vulnerabilities that have been discovered in LastPass over the years.

More recently, however, privacy concerns emerged around LastPass's Android app when a privacy advocacy project discovered seven web trackers within the mobile app.

In light of these privacy concerns and LastPass's new restrictions on its free-tier service, we're currently in the process of reevaluating LastPass's rank in our list of top password managers. Read our LastPass review.”

https://www.google.com/amp/s/w...st-password-manager/

And the first post in this thread reports that OneLogin was hacked.

So, yeah, I like the mSecure PW manager on my iPhone and MacBook.



Serious about crackers
 
Posts: 9850 | Location: San Diego | Registered: July 26, 2014
Baroque Bloke
Pipe Smoker
^^^^^^^^
Another reason that I like mSecure:

For mobile devices, mSecure uses its built-in browser by default, which provides this advantage: When I click the URL of an account the browser will (in most cases) automatically log me in to the site, using the Username and Password recorded for the account. Handy!

For that to work the recorded URL must be the site’s login location rather than its top “.com” URL.

If, for some reason, you don’t want to use the mSecure browser, you can specify a more common browser. E.g., Safari for iPhone.



Serious about crackers
 
Posts: 9850 | Location: San Diego | Registered: July 26, 2014
Member
bigdeal
quote:
Originally posted by Pipe Smoker:
^^^^^^^^
Another reason that I like mSecure:

For mobile devices, mSecure uses its built-in browser by default, which provides this advantage: When I click the URL of an account the browser will (in most cases) automatically log me in to the site, using the Username and Password recorded for the account. Handy!
Something you might want to do a bit of reading on, is that hackers and the like have been found to be grabbing login info when a URL loads and the password manager automatically offers up the login credentials. I use Bitwarden and have turned off the autoload feature. Now when I hit the site, I have to take one additional step, to manually offer up credentials, to finish the login process. Not suggesting you change anything, just suggesting you research this possible exploit.


-----------------------------
Guns are awesome because they shoot solid lead freedom. Every man should have several guns. And several dogs, because a man with a cat is a woman. Kurt Schlichter
 
Posts: 33845 | Location: Orlando, FL | Registered: April 30, 2006
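The stored-URL habit described earlier in the thread and the autofill concern raised in the post above both come down to one check: release a saved login only when the page's origin exactly matches the origin recorded in the entry. The sketch below is an added example, not the logic of Bitwarden, mSecure or any other product named here; the function names are hypothetical and every hostname is constructed sample data.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower().rstrip(".")
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def may_offer_credentials(stored_url, page_url):
    """Offer the saved login only on an exact HTTPS origin match."""
    saved, current = origin(stored_url), origin(page_url)
    if saved is None or current is None:
        return False
    if current[0] != "https":  # never fill on a downgraded connection
        return False
    return saved == current


# Constructed sample data: the stored entry and pages a user might land on.
STORED = "https://login.bank.example/signin"
PAGES = [
    "https://login.bank.example/account",          # same origin, other path
    "https://LOGIN.bank.example:443/signin",       # same origin, spelled out
    "http://login.bank.example/signin",            # plain HTTP
    "https://login.bank.example.portal.test/",     # stored host used as prefix
    "https://login.bank.example@portal.test/",     # stored host in userinfo
    "https://login.bank-example.test/signin",      # lookalike name
]

if __name__ == "__main__":
    for page in PAGES:
        verdict = "offer" if may_offer_credentials(STORED, page) else "withhold"
        print("%-8s %s" % (verdict, page))
```

Only the first two pages are offered the login; substring or prefix matching on the hostname would have let the fourth and fifth through.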