OT: UserID/Password storage apps....

Submitted by Champeen on January 17th, 2018 at 9:30 AM

What is everyone using?  What one(s) should people stay away from?  Free?  Cost?

Im at the point with so many site UserId/Passwords i cannot remember jack anymore.  Im sure there are many out here with more to store than i have.

 

*EDIT*

Thanks all.  Some very good starting points for future research :)

 

Comments

Wallaby Court

January 17th, 2018 at 9:37 AM ^

I discovered the same problem early last year. After digging around, I settled on LastPass over Dashlane and KeePass. Dashlane did not allow syncing in its basic form, and KeePass looked more technical than I needed. LastPass hit the sweet spot on the spectrum between security and ease of use.

mvp

January 17th, 2018 at 10:50 AM ^

Well, who knows for sure.  There are a couple of well documented examples out there.  Here's my take:

  1. Using a password manager is better than not using one.  What's your alternative?
  2. The hacks at LastPass I'm aware of never actually exposed account information and passwords.
  3. LastPass from its inception has been very open about how it works and what its doing to maximize security.  When there have been issues, they have been quick to respond and to recommend specific steps to protect your information.
  4. People need to be informed and decide accordingly.

MichiganG

January 17th, 2018 at 10:58 AM ^

Agree 100%.  To my knowledge, LastPass has never had a hacking incident where anyone had access to passwords stored through them.  Considering they'd presumably be a great target and have not yet had that happen, I presume they are doing a good job.

Also, LastPass has a lot of other useful features.  Password-sharing among family members, for example, so that my wife can access various accounts.  Synchronization across desktop and mobile experiences is another nice feature.  

4roses

January 17th, 2018 at 11:13 AM ^

I am by no means and expert but did spend a great deal of time reading up on things before settling on Lastpass. If I remember correctly your passwords (and all other information) are encrytpted in a manner that is far superior to any encryption method used by the average company that we read about being hacked in the news.

 

mvp

January 17th, 2018 at 10:42 AM ^

I've used LastPass for a while.  It is hard for me to compare because I haven't used the other services, but Dashlane is the one I hear about the most.

A couple of add-ons:

  1. I use LastPass family and pay for it.  It means that for accounts my wife and I both need to access, we can share passwords.  This also avoids having to call each other or (worse) text each other when we need a shared password or when one gets changed.
  2. With the family plan, my kids are now in the habit of using different complex passwords.
  3. With the premium version, you can also access via your mobile phone, which you can secure with fingerprint ID and then use to copy/paste passwords on your mobile devices.
  4. I also recommend and use multi-factor authentication.  In particular, I use Google Authenticator which I have on my phone and iPad.  Every so often, typically 30 days for me, you need to re-enter an authentication code on each device you use.  You also need to enter an authentication code when you log in from a new computer or new device.  This solves the "single point of failure" problem.  As an aside, even with LastPass, I also use Multi-Factor authentication on key apps, like my Google account, social media, and any sites where I do financial transactions.  It is powerful and way less intrusive than it used to be.

mvp

January 17th, 2018 at 10:56 AM ^

Another thing I like about LastPass (and I'm sure the other major apps do the same) is that you can store notes and attachments.  As an example of why this is important, in my Driver's license record, I have a picture of my Driver's License; in my Passport record a picture of my Passport.  Even if everything I have is stolen while I'm traveling, I can access LastPass from any computer and get a copy of those documents.

Qseverus

January 17th, 2018 at 11:18 AM ^

The free version of Lastpass now allows access on all devices. I've been using Lastpass for several years and highly recommend it. There are some instances when copy & paste is required but usually automatic fill-in works fine using Chrome on my desktop.

julesh

January 17th, 2018 at 9:38 AM ^

I switched to using a hash. So when I create a password it goes like this (obviously I use different rules than I'm giving here):

j0Hn,hpn;ph

So my hash is j0Hn and the other characters are each one key to the right of the key to spell out the service I'm signing up for, in this case mgoblog. No need for an external service, super easy to remember, no using the same password on every site.

julesh

January 17th, 2018 at 10:26 AM ^

It's just something you can remember that you use consistently with all passwords. So your name or something. Also something to make sure you get a capital letter and digit in since many (most?) services require one of each at this point. Wouldn't hurt to stick a special character in as well.

Another thing you can do is use two hashes one on either side, so your mgoblog password could be j0Hn,hpn;phsm!th if you are looking for extra length and security. I don't go that far, though my hash is more than 4 characters.

julesh

January 17th, 2018 at 11:19 AM ^

I'm not concerned about someone personally figuring out my system. I am concerned with ending up on Have I Been Pwned and whoever steals the email/password combos from LinkedIn then using the combo on Gmail. With this system that doesn't happen. And the chance of a hacker who takes a list of millions of email/password combos trying to crack a system like this instead of just going for the low hanging fruit is close to nil.

Pkf97

January 17th, 2018 at 9:38 AM ^

1Password or LastPass. Use 2FA (two-factor authentication) on any important accounts where it's available.

Either use a randomly generated password, or a pass phrase. Length > complexity.

mgoblogfridayposbangs > Mg0BL0Gfr1d4Yz!

Spork

January 17th, 2018 at 10:30 AM ^

KeePass is more technical than LastPass, but offers great flexibility. I like it because I can store my database locally on my machine, whereas with LastPass, your passwords are stored in LastPass cloud servers.

My wife and I have a shared password database that we keep on Dropbox, which syncs across all our devices. As LB noted above, there are KeePass ports or plugins for almost every platform out there. That said, the biggest gap is in iOS support. There are some apps out there for iOS, but they all seem to struggle with keeping an up-to-date copy of a Dropbox database. KeePassTouch for iOS looks promising, though.

Wallaby Court

January 17th, 2018 at 2:50 PM ^

You've echoed my impression of KeePass. When I researched KeePass, I liked its model, but not the setup and upkeep requirements. Since my wife also uses the same password manager and is not as technically inclined as me, I elected for something easy to use, if less secure.

D4pp3rD4n

January 18th, 2018 at 6:20 AM ^

I've been using KeePass on all of my devices, by far the best out there. There's also a huge community around it too, with a lot of add ons.

LastPass is like LifeLock, it's for the lazy and inferior who don't know any better.

TheLastStraw

January 17th, 2018 at 9:43 AM ^

I use LastPass and have for a couple of years. I pay for premium - I think it is about $100 per year. It has apps on Android and iPhone and plug-ins for the major browsers. I never enter most of my password manually anymore (which deals with issues of keylogging).

Carpetbagger

January 17th, 2018 at 9:50 AM ^

I have my personal userids and passwords stored on paper in my wallet. Substitution codes may be used, although abbreviations only I would know work for me.

At work I have a folder I keep in my laptop bag.

Works great, it's always free, and immune to remote hacking.

Carpetbagger

January 17th, 2018 at 12:07 PM ^

Why wouldn't I be serious? It isn't that hard not to lose things. If I ever did, almost everything has an automated password change tool anyway.

I've been doing this for 25 years, and it works great. Only change I've had to make is moving the work password folder to my bag when I started working more outside of the office.

AA Forever

January 17th, 2018 at 1:18 PM ^

I put passwords on typed labels and fix them to paper or 3x5 cards. When I change a password, I just put a new label over the old one. I keep duplicates just in case, but nothing is stored on a computer, ever. Unhackable.

Anyone who tells you they can guarantee security of your personal information on a computer connected to the internet is lying. Period. If the NSA can be hacked, so can your little password storage service.

GRBluefan

January 17th, 2018 at 9:56 AM ^

same general structure for all my passwords, just with different characters tacked onto the end.  I keep a protected document on my computer with all of them in there, with the middle all blanked out, like this:

Bank: G*********64&

So the '*' are a consistent string of characters.

People can (and likely will) tell me this is a terrible way to do it, and it probably is. 

Mr. Elbel

January 17th, 2018 at 10:00 AM ^

I have a stickynote app that I have a locked note in with all my passwords. I feel like it's safe bc I have too many stickynotes already, it's labeled something totally innocuous, and the passwords aren't labeled. Could probably be hacked easily but I doubt a hacker would think to look there in the first place.

Mr. Elbel

January 17th, 2018 at 3:04 PM ^

So, each password is labeled with a first letter of the place it's for. For example, if I had a SunTrust account (I don't), it would say S: ****** ...so the sticky is labeled with all of those abbreviations in a row. Something like GLCSIDPOFWZQUBT. If anyone were to go through the trouble of stealing my phone, knowing my passcode, knowing which default app I store passwords in and which note it is, and then knowing my memorized password I use to access the note, and then be able to guess what S: ****** means they've totally got my number.

Pepper Brooks

January 17th, 2018 at 10:13 AM ^

I said hip, hop, the hippie to the hippie to the hip hip hop and you don't stop the rock it to the bang bang boogie say up jump the boogie to the rhythm of the boogie the beat

redjugador24

January 17th, 2018 at 10:17 AM ^

I use last pass, and my employer uses the enterprise version of it where you can create groups based on permission, share access, etc.  There's also a handy "notes" section so you can store whatever private notes (account numbers, safe combos, etc.) you want, whether they are personal or shared to a group. If someone in the company changes a shared password, it updates the vault so all users get the update.  There's also a password generator built in that will create highly secure, random character passwords that you dont ever have to type. Very handy and as far as I can tell, very secure.  

MTH1993

January 17th, 2018 at 10:36 AM ^

I use splashid (one of very few paid apps i have). It stores local encrypted on my phone but i sync it to home pc as well. When i need a new password it generates a long >10 character random password for me that i store and the paste into site needing password.

I was close to using zoho free but did not like the cloud storage with no offline option.

MTH1993

January 17th, 2018 at 10:36 AM ^

I use splashid (one of very few paid apps i have). It stores local encrypted on my phone but i sync it to home pc as well. When i need a new password it generates a long >10 character random password for me that i store and the paste into site needing password.

I was close to using zoho free but did not like the cloud storage with no offline option.