The best and most secure password manager

[EngWiPy]

Hi,

I am thinking to use a password manager, but I am not sure 1) if it will help me remember my passwords, and 2) if it is secure.

If they are useful and secure, what are the best (free and commercial) password managers out there to use?

Thanks

 

[Wrichik Basu]

I generally use Google to save my passwords. It automatically saves all passwords that I enter on chrome. But I never save my bank details in it. In today's world, anything could happen...

Another option is to write your passwords on a piece of paper and keep it somewhere safe and secure.

 

[Mark44]

Another option is to write your passwords on a piece of paper and keep it somewhere safe and secure.

That's what I do, although the focus is more on "keep it somewhere.."

 

[EngWiPy]

I guess storing them on the browser is one option, but what would happen when you clear the history and cookies in the browser? They would be gone.

 

[Wrichik Basu]

I guess storing them on the browser is one option, but what would happen when you clear the history and cookies in the browser? They would be gone.

Storing anything from chrome means you're storing them on your Google account. When you clear your browser history, there will be an option "Clear saved passwords". Just uncheck that for safety.

 

[glappkaeft]

I don't consider password storage in browsers to be a password manager. A password manager is is something like LastPass or OnePass, preferably secured using 2 Factor Authorization techniques (password + something like YubiKey, 2FA Apps, etc).

 

[vela]

I am thinking to use a password manager, but I am not sure 1) if it will help me remember my passwords, and 2) if it is secure.

It will almost certainly not help you remember your passwords. The main benefit of a password manager is being able to use strong, high-entropy passwords, which you don't have to remember, instead of relying on easily remembered but weak passwords.

If they are useful and secure, what are the best (free and commercial) password managers out there to use?

I've been using 1Password for over a decade now, and I still consider it one of the best software purchases I ever made.

There are many articles comparing various password managers, and most password managers, if they're not free, have a free trial so you can see which one fits your needs the best.

 

[symbolipoint]

Hi,

I am thinking to use a password manager, but I am not sure 1) if it will help me remember my passwords, and 2) if it is secure.

If they are useful and secure, what are the best (free and commercial) password managers out there to use?

Thanks

I generally use Google to save my passwords. It automatically saves all passwords that I enter on chrome. But I never save my bank details in it. In today's world, anything could happen...

Another option is to write your passwords on a piece of paper and keep it somewhere safe and secure.

First, do an internet search and also a search on YouTube. Find what you like and investigate further. MY PICK for a good password manager, although I honestly do not know how secure it is, is LastPass. It seems to work very very well (mostly).

As the other member said, writing your login combination on paper kept in a paper-hard file is a very important thing to do.

 

[FactChecker]

I have used Password Safe for Windows for a while now and recommend it (especially over other non-manager schemes) (see https://en.wikipedia.org/wiki/Password_Safe ). It is free. It allows drag-and-drop of ID, passwords, etc. without leaving a copy in the clipboard or buffer. It can autogenerate passwords if you ask it. Everything is encrypted using Twofish encryption.

I have separate schemes for different categories of passwords:
1) High security, daily use, where I what to remember the password: I use the first letter of each syllable of favorite song lines, with a pattern of capitalization and special charactors.
2) High security, rare use, where bringing up Password Safe each time will not be a burdon: I let Password Safe auto-generate a PW and don't try to remember it.
3) Low security, where I don't care much if someone hacks it: I use a generic PW that I can easily remember.

All the passwords are kept in Password Safe except a few of the low-security uses. I also keep notes in Password safe of any verification question answers, phone numbers, etc.

PS. If anyone recognizes a flaw or risk in this approach, please let me know. I would rather be safe than sorry. Thanks.

 

[ZapperZ]

It will almost certainly not help you remember your passwords. The main benefit of a password manager is being able to use strong, high-entropy passwords, which you don't have to remember, instead of relying on easily remembered but weak passwords.I've been using 1Password for over a decade now, and I still consider it one of the best software purchases I ever made.

There are many articles comparing various password managers, and most password managers, if they're not free, have a free trial so you can see which one fits your needs the best.

I use 1Password as well, and have been using it for years. I have the app on my iPhone, my iPad, my Windows machine, and my Macbook. Each time I enter a new password entry, or change one of the existing password, it updates all of them. So I always have all of my passwords at any given time.

It has plenty of other features as well, such as going directly to the webpage from the password entry page, but storing all of my passwords securely in convenient locations when I want them is the most important feature.

Zz.

 

[FactChecker]

It has plenty of other features as well, such as going directly to the webpage from the password entry page, but storing all of my passwords securely in convenient locations when I want them is the most important feature.

What are your thoughts on the security of storing passwords in the cloud? Because I fear them getting hacked I have always balked at that, but it would be convenient.

 

[ZapperZ]

What are your thoughts on the security of storing passwords in the cloud? Because I fear them getting hacked I have always balked at that, but it would be convenient.

Here's the thing about getting hacked : the losers who are doing the hacking to gain personal info on people, such as getting credit card numbers, often want to get to things easily! That's why they try to get as many as they can, so that they'll be able to profit from as many as they can, as quickly as they can. In most cases, they won't waste time on the higher-hanging fruit. And these passwords are encrypted even when they are stored in the cloud. It will take effort to break the encryption, something they'd rather not waste their time on.

No encryption is infallible, the same way no security measures you have for your house will prevent a break-in for a very determined burglar. But unless someone is targeting you personally, he/she will usually not waste their time trying to hack encrypted passwords when he/she can easily go elsewhere and get other things with less effort.

Zz.

 

[FactChecker]

But unless someone is targeting you personally, he/she will usually not waste their time trying to hack encrypted passwords when he/she can easily go elsewhere and get other things with less effort.

That sounds logical. I'll buy that. Thanks.

 

[harborsparrow]

I am a sysadmin AND a developer, working multiple consultancy jobs, and I have to remember many passwords, some very important. I was on the verge of buying and using a password manager a few years ago, when suddenly I read that that product had been broken into, and all the info people had stored in it became compromised.

So. Instead, I resorted to using patterns. I have about 3 different schemes, and I'm not about to describe them, but I can represent a specific password with a set of hints, and I don't think anyone on Earth could jump from my hints to the actual password so long as I don't tell any living human what my system is. And then, I write down a hint for every single password. And I keep a backup of my written-down hints. This has worked very well. The hints are even reachable over the web (I won't say how) because I need that capability on occasion.

 

[Sonomahi]

I use lastpass firefox and chrome addon to store password and it is secure and reliable.

 

[phyzguy]

I use a system similar to @harborsparrow. I think any password manager is susceptible to being hacked, so I don't trust them. So I write down hints in a physical notebook. It's not accessible over the internet, so it can't be hacked. If someone finds or steals the notebook, the hints are not enough to let them come up with the passwords.

 

[symbolipoint]

I use lastpass firefox and chrome addon to store password and it is secure and reliable.

I find LastPass fails to handle multiple logins for single sites. Usually fine for one site with one login combination; but more than one account login for one site and failure to be reliable LastPass. Trouble has been at Yahoo, and AOL. Sometimes LastPass asks, "Want to revise or update or change this...?"; but I already did those as affirmatives and LastPass destroyed the account at that site, so I had to manually redo two login combinations.

 

[Vanadium 50]

What are your thoughts on the security of storing passwords in the cloud?

LastPass does not store your passwords in the cloud. The thing they store can generate the site-specific password from the master password, but they store neither the master password nor any site specific password themselves. The advantage of this is that nobody can get your passwords without the master password. The disadvantage of this is that this includes you if you forget your master password.

 

[Wrichik Basu]

Recently chrome has started providing random passwords when you sign up for any site. The passwords are generated, and automatically saved to the Google account. I haven't tried it yet, but if you have 2-step verification switched on for your Google account, then it might be a good idea, except for net banking. Though I don't know how strong those passwords are.

 

[Greg Bernhardt]

I'm fine with Chrome remembering all my passwords for me.

 

[JoyceEJones]

LastPass, without any doubt.

 

[symbolipoint]

I'm fine with Chrome remembering all my passwords for me.

And it works very well for this.

LastPass, without any doubt.

Yes, until you have multiple logins for one sign-in site - but then until you know what to do about this, which I am just recently learning.

 

[elusiveshame]

My professional opinion is to never allow a browser to store any passwords (or any other non-secured application), at least for anything you want to keep as secured and protected as possible.

If you're going to store your passwords anywhere, I'd suggest anything that encrypts both your login and the data it stores. Browsers (Firefox, Chrome, etc) aren't the most secure spots, and are often incredibly easy to extract (Chrome used to save them across all user profiles, and Google stores their passwords in clear text for speed while relying on other measures of security, so I'd never recommend using Chrome for anything that requires secure transmission).

There's no perfect solution, unfortunately. Me, personally, I just remember all my passwords and don't have them written down anywhere. While not perfect, it works for me.

 

[anorlunda]

Me, personally, I just remember all my passwords and don't have them written down anywhere. While not perfect, it works for me.

How many passwords must you remember?
Do you use the same password more than one place?
How often do you change them?

 

[elusiveshame]

How many passwords must you remember?
Do you use the same password more than one place?
How often do you change them?

I use similar passwords for things that I wouldn’t care if they got compromised (junk email accounts, certain forum accounts, etc).

I juggle about 30 passwords that get changed and updated every 6 months. Each major account (banking, PayPal, website, databases, etc) all have different passwords.

 

[harborsparrow]

At the risk of repeating myself, for those of you who responded "I use Product-X and it is reliable and secure", please be aware that password managers are a TARGET with high value to hackers, and they have been compromised in the past (see https://www.esecurityplanet.com/network-security/lastpass-password-manager-hacked.html as an example).

If it's really important, you are better off devising a personal and private system of hints that no one else could guess, and then write down the hints. Your system must be obscure to anyone else. The chances of that being "hacked" is less, IMO, than any commercial product anywhere.

 

[anorlunda]

If it's really important, you are better off devising a personal and private system of hints that no one else could guess, and then write down the hints. Your system must be obscure to anyone else. The chances of that being "hacked" is less, IMO, than any commercial product anywhere.

Is that your recommendation for children, and seniors, and people who don't want to invest significant interest in doing it right?

What you described is a form of encryption. Encryption experts repeatedly tell us that amateur or home-brew schemes are usually much less secure than their creators imagine them to be. The only way to be sure is to submit your system to a real cracking expert and let them try.

 

[harborsparrow]

Is that your recommendation for children, and seniors, and people who don't want to invest significant interest in doing it right?

What you described is a form of encryption. Encryption experts repeatedly tell us that amateur or home-brew schemes are usually much less secure than their creators imagine them to be. The only way to be sure is to submit your system to a real cracking expert and let them try.

I'm not suggesting encryption, but rather obfuscation, and it is my recommendation for everyone. Because those password managers are targets for hacking. There is nothing at all wrong, BTW, for a senior person only managing four passwords, to write them down and stick them in a drawer or on a wall--but beware of grandkids. Better to write the HINTS down.

 

[anorlunda]

I'm not suggesting encryption, but rather obfuscation

There is no practical difference.

 

[harborsparrow]

I'll beg to differ. Encryption is a scheme that can be used to obscure vast amounts of information. I'm suggesting a scheme so simple, yet personal, that it's only useful for password-length strings. And has no universal application to anyone else. And must never be published, or else its useless.

Encryption, OTOH, is meant to obfuscate communication between two end points.

A useless bicker. What is your real objection here?

 

[anorlunda]

A useless bicker. What is your real objection here?

The chances of that being "hacked" is less, IMO, than any commercial product anywhere.

If you read the history of secrets/codes/encryption/obfuscation or whatever you want to call it, you'll see that amateurs almost always think that their own invention is so obscure that nobody will ever guess it. But the code breakers report the opposite.

I like the idea of using phrases to create passwords. They are certainly better than nothing, or better than birthdays, but I do not believe that they are more secure than those generated by commercial products.

 

[harborsparrow]

To: "anorlunda" - I don't claim that my passwords are better than "those generated by a commercial product". I claim that commercial products which store passwords are a target for hackers, and I provided a concrete example of a major password storage product having been hacked, which means, everyone using it needed to change ALL their passwords pronto.

There is no definitive answer here. I hold one opinion, based on long experience, and you hold another.

 

[phyzguy]

If you read the history of secrets/codes/encryption/obfuscation or whatever you want to call it, you'll see that amateurs almost always think that their own invention is so obscure that nobody will ever guess it. But the code breakers report the opposite.

I like the idea of using phrases to create passwords. They are certainly better than nothing, or better than birthdays, but I do not believe that they are more secure than those generated by commercial products.

I think harborsparrow's point is that a commercial password manager is accessible over the internet to billions of people. So even if its encryption is better than my "home-brew" scheme, many, many more people can work on cracking it. In order to crack my little notebook with my password hints, a hacker would first have to have physical access to the notebook, which only a handful of people do. If I lose or someone steals my notebook with the hints, I change the passwords and start a new notebook.

I agree with harborsparrow. These commercial password managers are targets for hackers and have been successfully hacked in the past. I'll trust my notebook with hints above them any day.

 

[vela]

I provided a concrete example of a major password storage product having been hacked, which means, everyone using it needed to change ALL their passwords pronto.

That's a total mischaracterization of the LastPass breach. No one had to change all of their passwords as the passwords were never compromised. It says so right in the second paragraph of the article you linked to.

While no LastPass user accounts were accessed and no encrypted user data (stored passwords) was stolen, the company's investigation has determined that LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised.

 

[harborsparrow]

To vela's claim that it was not necessary for Lastpass users to change any passwords, I'll provide a little side snicker:

“I will not say that your mulberry trees are dead; but I am afraid they're not alive. ”
― Jane Austen, Jane Austen's Letters