The best and most secure password manager

AI Thread Summary
Using a password manager can enhance security by allowing users to create and store strong, unique passwords without needing to remember them. Popular options include LastPass and 1Password, both of which offer features like auto-generation of passwords and secure storage across devices. While some users express concerns about the security of cloud storage, encrypted password managers are generally considered safer than browser storage, which can be vulnerable. Writing down passwords on paper is another method some prefer, though it carries its own risks. Ultimately, choosing a password manager involves balancing convenience with security needs.
EngWiPy
Hi,

I am thinking to use a password manager, but I am not sure 1) if it will help me remember my passwords, and 2) if it is secure.

If they are useful and secure, what are the best (free and commercial) password managers out there to use?

Thanks
 
I generally use Google to save my passwords. It automatically saves all passwords that I enter on chrome. But I never save my bank details in it. In today's world, anything could happen...o_O

Another option is to write your passwords on a piece of paper and keep it somewhere safe and secure.
 
Wrichik Basu said:
Another option is to write your passwords on a piece of paper and keep it somewhere safe and secure.
That's what I do, although the focus is more on "keep it somewhere.."
 
  • Like
Likes harborsparrow and Tom.G
I guess storing them on the browser is one option, but what would happen when you clear the history and cookies in the browser? They would be gone.
 
EngWiPy said:
I guess storing them on the browser is one option, but what would happen when you clear the history and cookies in the browser? They would be gone.
Storing anything from chrome means you're storing them on your Google account. When you clear your browser history, there will be an option "Clear saved passwords". Just uncheck that for safety.
 
I don't consider password storage in browsers to be a password manager. A password manager is something like LastPass or OnePass, preferably secured using 2 Factor Authorization techniques (password + something like YubiKey, 2FA Apps, etc).
 
EngWiPy said:
I am thinking to use a password manager, but I am not sure 1) if it will help me remember my passwords, and 2) if it is secure.
It will almost certainly not help you remember your passwords. The main benefit of a password manager is being able to use strong, high-entropy passwords, which you don't have to remember, instead of relying on easily remembered but weak passwords.

If they are useful and secure, what are the best (free and commercial) password managers out there to use?
I've been using 1Password for over a decade now, and I still consider it one of the best software purchases I ever made.

There are many articles comparing various password managers, and most password managers, if they're not free, have a free trial so you can see which one fits your needs the best.
 
  • Like
Likes FactChecker
EngWiPy said:
Hi,

I am thinking to use a password manager, but I am not sure 1) if it will help me remember my passwords, and 2) if it is secure.

If they are useful and secure, what are the best (free and commercial) password managers out there to use?

Thanks
Wrichik Basu said:
I generally use Google to save my passwords. It automatically saves all passwords that I enter on chrome. But I never save my bank details in it. In today's world, anything could happen...o_O

Another option is to write your passwords on a piece of paper and keep it somewhere safe and secure.
First, do an internet search and also a search on YouTube. Find what you like and investigate further. MY PICK for a good password manager, although I honestly do not know how secure it is, is LastPass. It seems to work very very well (mostly).

As the other member said, writing your login combination on paper kept in a paper-hard file is a very important thing to do.
 
I have used Password Safe for Windows for a while now and recommend it (especially over other non-manager schemes) (see https://en.wikipedia.org/wiki/Password_Safe ). It is free. It allows drag-and-drop of ID, passwords, etc. without leaving a copy in the clipboard or buffer. It can autogenerate passwords if you ask it. Everything is encrypted using Twofish encryption.

I have separate schemes for different categories of passwords:
1) High security, daily use, where I want to remember the password: I use the first letter of each syllable of favorite song lines, with a pattern of capitalization and special characters.
2) High security, rare use, where bringing up Password Safe each time will not be a burden: I let Password Safe auto-generate a PW and don't try to remember it.
3) Low security, where I don't care much if someone hacks it: I use a generic PW that I can easily remember.

All the passwords are kept in Password Safe except a few of the low-security uses. I also keep notes in Password Safe of any verification question answers, phone numbers, etc.

PS. If anyone recognizes a flaw or risk in this approach, please let me know. I would rather be safe than sorry. Thanks.
 
  • #10
vela said:
It will almost certainly not help you remember your passwords. The main benefit of a password manager is being able to use strong, high-entropy passwords, which you don't have to remember, instead of relying on easily remembered but weak passwords. I've been using 1Password for over a decade now, and I still consider it one of the best software purchases I ever made.

There are many articles comparing various password managers, and most password managers, if they're not free, have a free trial so you can see which one fits your needs the best.

I use 1Password as well, and have been using it for years. I have the app on my iPhone, my iPad, my Windows machine, and my Macbook. Each time I enter a new password entry, or change one of the existing passwords, it updates all of them. So I always have all of my passwords at any given time.

It has plenty of other features as well, such as going directly to the webpage from the password entry page, but storing all of my passwords securely in convenient locations when I want them is the most important feature.

Zz.
 
  • Like
Likes FactChecker
  • #11
ZapperZ said:
It has plenty of other features as well, such as going directly to the webpage from the password entry page, but storing all of my passwords securely in convenient locations when I want them is the most important feature.
What are your thoughts on the security of storing passwords in the cloud? Because I fear them getting hacked I have always balked at that, but it would be convenient.
 
  • #12
FactChecker said:
What are your thoughts on the security of storing passwords in the cloud? Because I fear them getting hacked I have always balked at that, but it would be convenient.

Here's the thing about getting hacked: the losers who are doing the hacking to gain personal info on people, such as getting credit card numbers, often want to get to things easily! That's why they try to get as many as they can, so that they'll be able to profit from as many as they can, as quickly as they can. In most cases, they won't waste time on the higher-hanging fruit. And these passwords are encrypted even when they are stored in the cloud. It will take effort to break the encryption, something they'd rather not waste their time on.

No encryption is infallible, the same way no security measures you have for your house will prevent a break-in for a very determined burglar. But unless someone is targeting you personally, he/she will usually not waste their time trying to hack encrypted passwords when he/she can easily go elsewhere and get other things with less effort.

Zz.
 
  • Like
Likes phinds, DaveE, Wrichik Basu and 1 other person
  • #13
ZapperZ said:
But unless someone is targeting you personally, he/she will usually not waste their time trying to hack encrypted passwords when he/she can easily go elsewhere and get other things with less effort.
That sounds logical. I'll buy that. Thanks.
 
  • #14
I am a sysadmin AND a developer, working multiple consultancy jobs, and I have to remember many passwords, some very important. I was on the verge of buying and using a password manager a few years ago, when suddenly I read that that product had been broken into, and all the info people had stored in it became compromised.

So. Instead, I resorted to using patterns. I have about 3 different schemes, and I'm not about to describe them, but I can represent a specific password with a set of hints, and I don't think anyone on Earth could jump from my hints to the actual password so long as I don't tell any living human what my system is. And then, I write down a hint for every single password. And I keep a backup of my written-down hints. This has worked very well. The hints are even reachable over the web (I won't say how) because I need that capability on occasion.
 
  • Skeptical
  • Like
Likes fluidistic and DaveE
  • #15
I use lastpass firefox and chrome addon to store password and it is secure and reliable.
 
  • #16
I use a system similar to @harborsparrow. I think any password manager is susceptible to being hacked, so I don't trust them. So I write down hints in a physical notebook. It's not accessible over the internet, so it can't be hacked. If someone finds or steals the notebook, the hints are not enough to let them come up with the passwords.
 
  • Like
Likes harborsparrow
  • #17
Sonomahi said:
I use lastpass firefox and chrome addon to store password and it is secure and reliable.
I find LastPass fails to handle multiple logins for single sites. It is usually fine for one site with one login combination; but with more than one account login for one site, LastPass fails to be reliable. Trouble has been at Yahoo and AOL. Sometimes LastPass asks, "Want to revise or update or change this...?"; but I already did those as affirmatives and LastPass destroyed the account at that site, so I had to manually redo two login combinations.
 
  • Like
Likes FactChecker
  • #18
FactChecker said:
What are your thoughts on the security of storing passwords in the cloud?

LastPass does not store your passwords in the cloud. The thing they store can generate the site-specific password from the master password, but they store neither the master password nor any site specific password themselves. The advantage of this is that nobody can get your passwords without the master password. The disadvantage of this is that this includes you if you forget your master password.
 
  • Like
Likes member 731016 and FactChecker
  • #19
Recently chrome has started providing random passwords when you sign up for any site. The passwords are generated, and automatically saved to the Google account. I haven't tried it yet, but if you have 2-step verification switched on for your Google account, then it might be a good idea, except for net banking. Though I don't know how strong those passwords are.
 
  • #21
LastPass, without any doubt.
 
  • #22
Greg Bernhardt said:
I'm fine with Chrome remembering all my passwords for me.
And it works very well for this.
JoyceEJones said:
LastPass, without any doubt.
Yes, until you have multiple logins for one sign-in site - but then until you know what to do about this, which I am just recently learning.
 
  • #23
My professional opinion is to never allow a browser to store any passwords (or any other non-secured application), at least for anything you want to keep as secured and protected as possible.

If you're going to store your passwords anywhere, I'd suggest anything that encrypts both your login and the data it stores. Browsers (Firefox, Chrome, etc) aren't the most secure spots, and are often incredibly easy to extract (Chrome used to save them across all user profiles, and Google stores their passwords in clear text for speed while relying on other measures of security, so I'd never recommend using Chrome for anything that requires secure transmission).

There's no perfect solution, unfortunately. Me, personally, I just remember all my passwords and don't have them written down anywhere. While not perfect, it works for me.
 
  • Like
Likes harborsparrow
  • #24
elusiveshame said:
Me, personally, I just remember all my passwords and don't have them written down anywhere. While not perfect, it works for me.

How many passwords must you remember?
Do you use the same password more than one place?
How often do you change them?
 
  • #25
anorlunda said:
How many passwords must you remember?
Do you use the same password more than one place?
How often do you change them?

I use similar passwords for things that I wouldn’t care if they got compromised (junk email accounts, certain forum accounts, etc).

I juggle about 30 passwords that get changed and updated every 6 months. Each major account (banking, PayPal, website, databases, etc) all have different passwords.
 
  • Like
Likes harborsparrow and anorlunda
  • #26
At the risk of repeating myself, for those of you who responded "I use Product-X and it is reliable and secure", please be aware that password managers are a TARGET with high value to hackers, and they have been compromised in the past (see https://www.esecurityplanet.com/network-security/lastpass-password-manager-hacked.html as an example).

If it's really important, you are better off devising a personal and private system of hints that no one else could guess, and then write down the hints. Your system must be obscure to anyone else. The chances of that being "hacked" is less, IMO, than any commercial product anywhere.
 
  • Like
Likes WWGD and symbolipoint
  • #27
harborsparrow said:
If it's really important, you are better off devising a personal and private system of hints that no one else could guess, and then write down the hints. Your system must be obscure to anyone else. The chances of that being "hacked" is less, IMO, than any commercial product anywhere.

Is that your recommendation for children, and seniors, and people who don't want to invest significant interest in doing it right?

What you described is a form of encryption. Encryption experts repeatedly tell us that amateur or home-brew schemes are usually much less secure than their creators imagine them to be. The only way to be sure is to submit your system to a real cracking expert and let them try.
 
  • Like
Likes vela and Wrichik Basu
  • #28
anorlunda said:
Is that your recommendation for children, and seniors, and people who don't want to invest significant interest in doing it right?

What you described is a form of encryption. Encryption experts repeatedly tell us that amateur or home-brew schemes are usually much less secure than their creators imagine them to be. The only way to be sure is to submit your system to a real cracking expert and let them try.

I'm not suggesting encryption, but rather obfuscation, and it is my recommendation for everyone. Because those password managers are targets for hacking. There is nothing at all wrong, BTW, for a senior person only managing four passwords, to write them down and stick them in a drawer or on a wall--but beware of grandkids. Better to write the HINTS down.
 
  • #29
harborsparrow said:
I'm not suggesting encryption, but rather obfuscation
There is no practical difference.
 
  • #30
I'll beg to differ. Encryption is a scheme that can be used to obscure vast amounts of information. I'm suggesting a scheme so simple, yet personal, that it's only useful for password-length strings. And has no universal application to anyone else. And must never be published, or else it's useless.

Encryption, OTOH, is meant to obfuscate communication between two end points.

A useless bicker. What is your real objection here?
 
  • #31
harborsparrow said:
A useless bicker. What is your real objection here?

harborsparrow said:
The chances of that being "hacked" is less, IMO, than any commercial product anywhere.

If you read the history of secrets/codes/encryption/obfuscation or whatever you want to call it, you'll see that amateurs almost always think that their own invention is so obscure that nobody will ever guess it. But the code breakers report the opposite.

I like the idea of using phrases to create passwords. They are certainly better than nothing, or better than birthdays, but I do not believe that they are more secure than those generated by commercial products.
 
  • #32
To: "anorlunda" - I don't claim that my passwords are better than "those generated by a commercial product". I claim that commercial products which store passwords are a target for hackers, and I provided a concrete example of a major password storage product having been hacked, which means, everyone using it needed to change ALL their passwords pronto.

There is no definitive answer here. I hold one opinion, based on long experience, and you hold another.
 
  • #33
anorlunda said:
If you read the history of secrets/codes/encryption/obfuscation or whatever you want to call it, you'll see that amateurs almost always think that their own invention is so obscure that nobody will ever guess it. But the code breakers report the opposite.

I like the idea of using phrases to create passwords. They are certainly better than nothing, or better than birthdays, but I do not believe that they are more secure than those generated by commercial products.

I think harborsparrow's point is that a commercial password manager is accessible over the internet to billions of people. So even if its encryption is better than my "home-brew" scheme, many, many more people can work on cracking it. In order to crack my little notebook with my password hints, a hacker would first have to have physical access to the notebook, which only a handful of people do. If I lose or someone steals my notebook with the hints, I change the passwords and start a new notebook.

I agree with harborsparrow. These commercial password managers are targets for hackers and have been successfully hacked in the past. I'll trust my notebook with hints above them any day.
 
  • Like
Likes harborsparrow
  • #34
harborsparrow said:
I provided a concrete example of a major password storage product having been hacked, which means, everyone using it needed to change ALL their passwords pronto.
That's a total mischaracterization of the LastPass breach. No one had to change all of their passwords as the passwords were never compromised. It says so right in the second paragraph of the article you linked to.
While no LastPass user accounts were accessed and no encrypted user data (stored passwords) was stolen, the company's investigation has determined that LastPass account email addresses, password reminders, server per user salts and authentication hashes were compromised.
 
  • #35
To vela's claim that it was not necessary for Lastpass users to change any passwords, I'll provide a little side snicker:

“I will not say that your mulberry trees are dead; but I am afraid they're not alive. ”
― Jane Austen, Jane Austen's Letters
 
  • #36
phyzguy said:
I think harborsparrow's point is that a commercial password manager is accessible over the internet to billions of people.
That's not universally true.
So even if its encryption is better than my "home-brew" scheme, many, many more people can work on cracking it.
This is only a real concern if you seriously believe that today's state-of-the-art industry-standard encryption methods are "easily" crackable or if you used a poor encryption key, in which case I wouldn't put much trust in any home-brew scheme you come up with.

I agree with harborsparrow. These commercial password managers are targets for hackers and have been successfully hacked in the past. I'll trust my notebook with hints above them any day.
There's tension between security and convenience, and history has shown that the vast majority of people will opt for convenience. For most people, (properly) using a password manager will result in a great increase in security with little or no overall cost in convenience.

Arstechnica had a series of articles awhile back about passwords and cracking methods, and it was quite eye-opening how sophisticated the methods are now. As much as you might think your system is unique and foolproof, people tend to follow patterns, and cracking attempts exploit these tendencies.
 
  • #37
It's not the encryption methods I worry about-- it's the fact that the password managers are themselves applications written by programmers like me, and hardly a day goes by when someone's allegedly secure application (in any field you choose) gets broken into, not because the encryption method was too easy, but because of software bugs. Use those products if you wish; it's one valid strategy.

The seat-of-the-pants cautious strategy I employ is another one. This is a matter so complicated in all its aspects that there cannot be a single definitive answer that is right for everyone.

Having written commercial software myself for decades, I can only say that my experience is, it is still far too difficult and complex to implement good security in any product. It's difficult to understand all the risks and ways hackers can invade software. A lot of products have tried forcing users to create more complex passwords, which IN MY OPINION has caused more people to start writing down their passwords. I once had to have a logon at a USGS website that forced me to pick a different, very complex password every 3 weeks. I calmly wrote those passwords down and taped them to my monitor at work, and the whole thing made me so frustrated that I actively hoped someone would break into that website.

Well, end of rant. Use these things all you want, and I wish you well with them.
 
  • #38
I try to think of ordinary people. If they have dozens of accounts and change their passwords regularly, and never re-use, that means generating 10, 20, 50 or more new passwords per month. Not only remembering what they are, but which pw goes where, and which pws were used in the past is a challenge that few people can meet. Almost all of them will simplify somehow to what they can manage.

That's why I discount how marvelously secure a single pw scheme can be; I think instead of the average man's average performance. My conclusion is that the average man is much better off with a pw manager. Sure, smart young people can do better than that, but that's not relevant.
 
  • Like
Likes harborsparrow and vela
  • #39
harborsparrow said:
, please be aware that password managers are a TARGET with high value to hackers, and they have been compromised in the past

As the link says, "no encrypted user data (stored passwords) was stolen". This was a data breach just like Equifax, Target and Facebook had. That doesn't make it good, but we should discuss it on the basis of what actually happened.

As mentioned earlier, Lastpass (and presumably their competitors do things the same way) does not store and does not even know your passwords. What they store can be combined with your master password to create the passwords. If you like, they store half your password, and your master password is the other half. Stealing one half gets you nothing. (At first order; there are second-order effects)

The better target is wherever both parts exist together. One such place is your PC. Somewhere in memory your real password exists. If it's a laptop, and you've ever gone into hibernation, chances are the real password may still exist somewhere on disk as well. Laptop stolen? So were your passwords. Of course, an encrypted Excel file has the same problem, and an unencrypted Excel (or plain text) is even worse.

Another place is in your head. A malicious web page can spoof your password manager, and get you to enter your master password that way. That's probably the biggest flaw in the system, far riskier than the chances someone with a supercomputer will steal half the passwords and start working on figuring out the other halves. But since we're not going to take human beings out of the loop, we're stuck with it.

The question to ask is not "is this perfect?" or "are there risks?". It's "is this more secure than what I was doing?" and maybe even "who am I trying to protect against"? I think password managers are more secure than many alternatives, and are decent protection against opportunistic lowlifes and script kiddies. They are not protections against major world governments.
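A sketch of the kind of client-side design this post and the breach notice quoted in #34 refer to: the master password never leaves the client, and the server holds only a per-user salt, an authentication hash and an encrypted vault. This is an added example, not LastPass's code; the iteration count, the record layout and the HMAC-based cipher standing in for AES are assumptions made so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumed work factor for this sketch, not a vendor setting


def derive_keys(master_password, salt):
    """Client side: stretch the master password into a vault key, then hash
    once more to get the login token that is sent to the server."""
    pw = master_password.encode("utf-8")
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)
    return vault_key, auth_hash


def _subkeys(vault_key):
    # Separate keys for encryption and for the integrity tag.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES, illustration only.
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(vault_key, entries):
    """Client side: encrypt-then-MAC the vault before it is uploaded."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(vault_key, blob):
    """Client side: verify the tag, then decrypt. ValueError on a wrong key."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


def enroll(master_password, entries):
    """Everything the server ends up holding for one user."""
    salt = os.urandom(16)
    vault_key, auth_hash = derive_keys(master_password, salt)
    return {"salt": salt, "auth_hash": auth_hash,
            "vault": seal_vault(vault_key, entries)}


def guess_matches(record, candidate):
    """What a leaked salt and auth hash allow: testing one guessed master
    password offline, at the cost of a full key derivation per guess."""
    _, auth_hash = derive_keys(candidate, record["salt"])
    return hmac.compare_digest(auth_hash, record["auth_hash"])


if __name__ == "__main__":
    # Constructed sample data.
    record = enroll("four random words here", {"example.org": "s3cr3t-site-pw"})
    print("server holds:", {k: len(v) for k, v in record.items()}, "bytes each")
    print("weak guess matches:", guess_matches(record, "password1"))
    key, _ = derive_keys("four random words here", record["salt"])
    print("owner decrypts:", open_vault(key, record["vault"]))
```

With only the server's record, the vault opens for whoever can produce the master password, so the strength of that password and the cost of each derivation are what stand between a leaked record and the stored logins.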
 
  • #40
Vanadium 50 said:
The better target is wherever both parts exist together.

Vanadium 50 said:
Another place is in your head.

Both very true.

Another target is the web sites where your account and passwords (pw) are stored. They are subject to data breaches where they can be stolen in bulk. It is claimed that many tens of millions of account and pw are for sale on the dark net. Note that, once stolen, the difficulty of your pw becomes immaterial. A more difficult pw protects you only from the risk of guessing or brute force attacks. In today's world, it is much more productive for bad guys to attempt theft of sites like Marriott Hotels than to rely on brute force. (Although I presume that people who use something like "pw" or "admin" as their pw are still targets for guessing attacks.)

The best defense against the bulk theft risk is frequent changes in pw. If you change it every N days, then worst case, your security is compromised for N days. More likely, if it takes more than N days for the stolen pw to be exploited by the bad guys, you are at no risk at all because the stolen pw becomes moot before it is exploited. You can improve that when you read in the news that a site you use has been compromised, and you then change that pw immediately.

Password managers like Lastpass make it easier to change all your pw every N days. It can choose the new pw for you. For a few popular sites, Lastpass partially automates the pw change process for you.

Stolen credit card numbers are analogous. Three times in the past 3 years, my cc company informed me that a new cc was in the mail because they suspected that the old one had been compromised. Canceling the old cc number ASAP is the best defense. That's very inconvenient, but it is just common sense regarding security.
 
  • #41
For those (Greg Bernhardt and symbolipoint?) who use Chrome and Firefox to store their passwords, please bear in mind that they store them in plain text and that it's very easy to display them. Anyone having a direct access to your computer can see your passwords and it's likely possible for online crackers to get their hands on them too.

What about offline password managers with double security, i.e. password + secret file? I don't know if a keylogger could dupe someone to dump their secret file, that means it's probably a yes I guess.

The synchronization between devices can be made via usb (painful), automatic script that uses ssh or via email/dropbox. Even though the database file is on dropbox or similar websites (that were hacked in the past), as vanadium points out, they would get only half of the information to crack it up.

Picking the masterpassword can consist of several (greater or equal to 4) words, possibly mixing languages, adding weird signs at some specific spots. It is not hard to remember, and it's close to impossible to brute force.

I personally use keepassxc, which is based on keepassx, which I think (but I'm not sure nor do I care) is based on keepass.
 
  • Like
Likes harborsparrow
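A worked version of the master-passphrase advice in #41, as an added example that is not part of the original post: it draws words with a cryptographic random generator and works out how the number of words and the attacker's guess rate set the search time. The short word list is constructed for the demo, and the 7776-word list size and both guess rates are assumptions.

```python
import math
import secrets

# Constructed demo list; a real list should hold thousands of words.
DEMO_WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    if count < 1 or len(set(words)) < 2:
        raise ValueError("need at least one word and a list of distinct words")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, count):
    """Entropy of `count` independent uniform picks from `pool_size` words.
    Only valid for random picks; phrases a person chooses have far less."""
    return count * math.log2(pool_size)


def words_needed(pool_size, target_bits):
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))


def average_search_years(pool_size, count, guesses_per_second):
    """Expected time to hit the passphrase when guessing the whole space,
    which on average takes half of pool_size ** count attempts."""
    return (pool_size ** count) / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 4))
    print("demo list, 4 words: %.1f bits" % entropy_bits(len(DEMO_WORDS), 4))
    for count in (4, 5, 6):
        bits = entropy_bits(7776, count)
        # Assumed rates: 1e4/s against a slow key derivation function,
        # 1e10/s against a fast unsalted hash.
        slow = average_search_years(7776, count, 1e4)
        fast = average_search_years(7776, count, 1e10)
        print("%d words from 7776: %.1f bits, %.3g years slow, %.3g years fast"
              % (count, bits, slow, fast))
```

Four random words from a 7776-word list come to about 51.7 bits: thousands of years of guessing at the assumed slow rate, but only about two days at the assumed fast one, so the word count should be chosen with the storage scheme in mind.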
  • #42
Thanks for the advice, fluidistic.
Nobody uses my laptop computers other than me. I use the password manager in a chrome-like browser alternative on an old computer of o.s. Windows VISTA; otherwise, I use LastPass. LastPass is still not properly handling some multiple-sign-in sites on all computers.
 
  • #43
I divide my logins into 3 tiers. Most are logins that, if compromised, hardly matter. Like where you are forced to create a login to download a photo. For those, I use a junk email account (my Yahoo email works well for this), and if needed regularly, I might let the browser store the password. Those passwords I do not make complicated. If hackers get those, it is because they hope I have reused the password, or part of it, on a higher value site.

For places where I have to use a credit card or enter more valuable information, I use strong passwords, unique passwords, and I don't let the browser store passwords. I use PayPal whenever possible and try to avoid giving my credit card to any sites other than Google or Amazon (bad enough I know, but they do have the resources to try hard on security).

The highest tier is sites where I am an admin, and my personal finances. On these I take every precaution I can think of, including always logging out, closing the browser, and not letting the browser keep cookies.

I do reuse the same password within that lower tier, but not in the higher two. I use different schemes of increasing complexity for them.

I cannot imagine being comfortable committing my higher tiers to a password vault because I know too much, have studied and read too much, to trust anyone else's software.
 
  • Like
Likes Wrichik Basu and phyzguy
  • #44
Rather than use any software that is vulnerable, it's best to use a diary to keep track of all your passwords. Keep the diary in a safe place, and nothing would be compromised unless a thief breaks into your house.

For sites where you tend to log-in frequently and are within the group "lower tier" as per @harborsparrow, you can save the passwords in your browser.
 
  • #45
Today an article was published on safety of passwords with Chrome. Quoting the necessary parts (to preserve the text in case the link doesn't function later):
If you use Chrome as your primary browser, be sure to install Google’s Password Checkup extension because your credentials may have already found its way into the database of hackers due to the frequent breaches that have taken place in the recent past.

Google says that it has over 4 billion compromised usernames and passwords. Every time you log into your account on a website, the extension will alert you if your password is safe or not.

To get this extension, go to https://chrome.google.com/webstore. Search for Password Checkup. Be sure that the extension that shows up in the result is the one offered by Google. Click on the “Add to Chrome” button. A green icon will sit on your Chrome address bar on the top right. You will get automatic alerts if you use a compromised password.

You can check by going to a website that requires you to log in. Click on the Password Checkup icon and you should ideally get a message saying “None of your recently used passwords was detected in a data breach”.

Google takes extra care with sites where you use the Google username and password. In case an attacker hacks your Google account, Google does Cross Account Protection and makes sure that your privacy is protected in the process. Google will send a message that a security breach has happened and notify the app or website.

Yes, there are other sites to check up on your account such as https://haveibeenpwned.com/, but having the browser extension automatically doing it for you is a much better option.

Now, you may not trust a big monopoly like Google with all your passwords, but the company says it “never reveals this personal information”. Any data reported back to Google about the extension’s use is anonymous.

Firefox users should try Firefox Monitor that essentially does the same thing but is not an extension. Go to https://monitor.firefox.com and sign up for its alerts. You will be told when your online account has been leaked or a data breach has occurred in the websites you visit.
 
  • Like
Likes harborsparrow and Greg Bernhardt
  • #46
None of your recently used passwords were detected in a data breach.

phew!
 
  • Like
Likes Wrichik Basu
  • #47
your credentials may have already found its way into the database of hackers due to the frequent breaches that have taken place in the recent past.

It emphasizes that the most important strategy for consumers is more frequent password changes as opposed to harder to guess passwords. A stolen password must be exploited within the time window until your next password change to do harm to you.

Frequent changes is where a password manager helps. If you have many passwords, and you change them often (i.e. 30 days), it is too onerous to track without the assistance of some software. If I did it manually, I would be harming myself because I would not remember my pw. My manager (lastpass) chooses the new passwords, and it automates the pw change process on a few popular sites.

Even if the security of the password manager itself is compromised in a one-time breach, the thief must make use of that info before you change your passwords again.
 
  • Like
Likes Wrichik Basu and FactChecker
  • #48
anorlunda said:
If you have many passwords, and you change them often (i.e. 30 days), it is too onerous to track without the assistance of some software. If I did it manually, I would be harming myself because I would not remember my pw. My manager (lastpass) chooses the new passwords, and it automates the pw change process on a few popular sites.
The password manager can ruin some of your username-password combinations for sites at which you have more than one account, unless you know the special trick to make the save to new passwords happen properly.
 
  • #49
symbolipoint said:
The password manager can ruin some of your username-password combinations for sites at which you have more than one account, unless you know the special trick to make the save to new passwords happen properly.
Good point.

I just looked that up for lastpass. The help desk says that it works only if you disable the browser's password fill-in. In other words, don't use a pw manager and the browser's pw management at the same time.
 
  • Like
Likes Wrichik Basu
  • #50
anorlunda said:
Good point.

I just looked that up for lastpass. The help desk says that it works only if you disable the browser's password fill-in. In other words, don't use a pw manager and the browser's pw management at the same time.
Although you might have found "correct" information, it is inadequate for the problem. LastPass mishandles saving on sites with multiple logins no matter the settings adjustment made to the browser. Trying to set up the separate logins for a same site manually also fails. (Any further about this and probably better done through a computer-help forum than through physicsforums, but I'm interested anyhow).
 