Password Managers

[Nocton]

I use the Password Manager in Firefox for all sites requiring passwords, except those for financial sites - on-line banking and stockbrokers - which I keep in an encrypted file. I see that there are lots of both free and paid-for Password Managers around. I find the FF system really easy to use and to manage, but wonder if these other PW managers offer anything useful that the FF manager doesn't?

[kyu66]

I use the Password Manager in Firefox for all sites requiring passwords, except those for financial sites - on-line banking and stockbrokers - which I keep in an encrypted file. I see that there are lots of both free and paid-for Password Managers around. I find the FF system really easy to use and to manage, but wonder if these other PW managers offer anything useful that the FF manager doesn't?

The main advantage of a stand-alone password manager is that it combines the simple username/password storage of FF with your encrypted file(s) in one or more database files.

I use my password manager databases as my primary stores to hold sensitive information in an encrypted form with some username/password pairs also stored in FF and Thunderbird. The manager is also cross platform, so the database files can be accessed from all my devices.

[eepee]

I do have a simple password manager that is of my own creation (for Windows only).

It is stand-alone so does not require any installation.

If you would like a copy do contact me off board.

Regards,
ep

[jonesa1]

I use Keepass2 on a laptop and Keepass2Android on mobile phone and tablet. The encrypted DB is shared using Dropbox. It works well (so long as you remember not to update on more than one device at a time). For less critical sites I also store the user / pw in Chrome. On more critical sites, where possible (e.g. Amazon, GMail, AJ Bell) I have enabled 2 factor authentication as well

[torata]

I use the Password Manager in Firefox for all sites requiring passwords, except those for financial sites - on-line banking and stockbrokers - which I keep in an encrypted file. I see that there are lots of both free and paid-for Password Managers around. I find the FF system really easy to use and to manage, but wonder if these other PW managers offer anything useful that the FF manager doesn't?

I use LastPass, a free online service with add-ins for browsers, for my non-financial passwords*. One advantage is that I can access it on my work PC if I ever needed to check something personal, like get into my personal website. Another advantage is that it tells me if I'm using the same password for different websites.

(*if I want extra security if I do have a critical password then it's not the full password stored, but has to have something short added by me on the end, like last 4 digits of my telephone number)

I use KeePass the standalone password manager to record not just all key passwords, but also website PINs and security Qs, and other info like passports and credit cards. As has been mentioned, this encrypted database is backed up so I can access it with my other PCs if I need to.

But recently the biggest advantage for me is that both allow random generation of secure passwords. I don't even make an attempt to remember anymore (apart from one or two where I got the passwords generated into known words, like 'Mechanical-Horse-Knuckle-Bits').

I wouldn't go back to not having password managers.

torata

[mrbrightside]

I use pass on Linux which is backed up to my NAS.

The thought of using an 'online password manager' or sync'ing to a cloud service seems counter-intuitive and almost contradictory.

If the provider gets hacked, then you have a real problem.

[Infrasonic]

Not all online is the same, zero knowledge end to end encrypted for instance is in a different league altogether in comparison to the average cloud based database security.
As ever, DYOR before committing to any online service.

[Lanark]

I think the main thing to consider is how easy is it to move your passwords to another machine.

What if your machine fails and you have to get a new one, are you going to be restoring a backup of firefox files and hoping you get the right magic file in the right place to get all your passwords working again?

I use a 20 digit password hash, so If Im abroad and need to login to someting I can do it without having to install any software.

[torata]

I use pass on Linux which is backed up to my NAS.

The thought of using an 'online password manager' or sync'ing to a cloud service seems counter-intuitive and almost contradictory.

If the provider gets hacked, then you have a real problem.

As Infrasonic says, it's a different league. With LastPass it's end to end - the encryption and deencryption is done on my PC. All the provider has is gobbledegook.

torata

[tsr2]

I find the FF system really easy to use and to manage, but wonder if these other PW managers offer anything useful that the FF manager doesn't?

Keepassx and Keepassdroid, which I use, allow me to store passwords for things that aren't accessed via a browser. I also use them for storing tax references, NI numbers and membership numbers.

I can easily copy the database to and from Google Drive for access from other devices when travelling and it has a large notes field where you can store associated PIN Numbers, answers to security questions, etc.

[Julian]

Not all online is the same, zero knowledge end to end encrypted for instance is in a different league altogether in comparison to the average cloud based database security.
As ever, DYOR before committing to any online service.

Agreed although probably worth pointing out explicitly as part of DYOR that, if going the zero knowledge end to end encrypted route (for anything), be aware that since the provider never has sight of your encryption key it means that if you lose/forget it there is no "please reset my password" mechanism to get you access to your online data again. You will be left with an encrypted database on the servers that neither (you forgot your decryption key) nor the provider (it never knew your decryption key) can decrypt. With increased security comes increased user responsibility.

For the record I use LastPass with my own key. I also use both Crashplan and Carbonite for my cloud backup providers both of which also offer zero knowledge end to end encryption which is how I have them set up. I do use Google services sometimes for non-sensitive files and for my totally photos (there are none that I would care if anyone saw) but my personal risk-tolerance is that I am willing to put sensitive stuff in the cloud provided it is with a provider that offers zero knowledge end to end encryption. I am very careful to keep last-resort printed copies of all my keys in my fire safe as well as in a few other places.

I know that others have quite different views and would never under any circumstances put sensitive stuff in the cloud but that is where I have calibrated my personal risk threshold in order to gain benefits that I want to have from such stuff being in the cloud.

- Julian

[Nocton]

Thank you for all the replies to my original query. My query was prompted by the fact that that money aggregator I use, Internet Banking Plus is to close. This has been a very practical and useful way to log in to bank, credit card and building society accounts as it sores the user names and passwords in an encrypted vault on one's own PC. It automatically inserts the correct characters from the password as requesting by the site. It seems as if no password manger can replace this and in the UK at least there seems to be no equivalent app. See the thread: https://www.lemonfool.co.uk/viewtopic.php?p=241117#p241117
So I have looked at Keepass and it clearly has some useful and secure features, although not a complete replacement for IBP.

[vrdiver]

It automatically inserts the correct characters from the password as requesting by the site. It seems as if no password manger can replace this

I use keepass to access my Santander bank, which asks for 3 random characters from my password. Keepass can do this automatically, using the PICKCHARS feature.

In the Auto-Type field, I have put

{PICKCHARS:Password:ID=1,C=1}{PICKCHARS:Password:ID=2,C=1}{PICKCHARS:Password:ID=3,C=1}{TAB}

.

When the login screen appears, Keepass presents a pop-up that lets me tell it that this time Santander want characters 3, 7 and 12.

It's not a one-click solution, but it means I don't need to know my password or even look at it in situations like this one.

The other thing I like about Keepass is that I control the database, not some third party, so I don't worry about e.g. LastPass being hacked or their website being unavailable for any reason. (Which, to be fair, is likely a miniscule probability, but the associated headache wouldn't be!).

VRD

[Nocton]

Thank you for that PICKCHARS suggestion, vrdriver. That adds useful functionailty so I'll try it out.

[Itsallaguess]

I use Keepass, and have it installed in a hidden TrueCrypt volume on my main PC, and I have back-ups of that hidden Truecrypt volume on USB sticks in a couple of places.

I've never found a need for more mobile solutions as of yet, so this suits my main PC usage, and the double-layered high-security of having an encrypted Keepass password database inside a hidden and encrypted TrueCrypt volume, that's only mounted when I want to use my Keepass utility, is a really good solution to this issue for me.

The portability and ability to back-up the Trucrypt volume is a main driver for this arrangement.

I also find that I now keep all sorts of important information inside my Keepass utility, and not just passwords. The ability to make notes and categorise areas of importance is superb for this type of thing, and the search facility works well if keywords are chosen carefully.

I only ever need to remember two passwords for this to work well...

Cheers,

Itsallaguess

[kiloran]

Another vote for Keepass. My reasons are:

1. The database and software are local to my machine. I am not reliant on a web-based supplier which may be here today, gone tomorrow. Even if Keepass goes belly-up, I still have the working software on my machines and I can dump the data to a spreadsheet or text file for importing to something else.
2. I don't want/need autofilling of web-based forms. I'm quite happy to fill them out manually, perhaps with copy/paste from keepass
3. I also use keepass to store other useful and personal information, including complete files
4. Keepass can be used on Windows, Linux and Android
5. I have multiple backups of the encrypted database file, on local hard drives and USB sticks, and in the cloud (which is further encrypted)
6. I like the ability to categorise information into various folders

Downsides:

1. My process is somewhat manual to keep my Windows/Linux/Android copies in sync, and for some backups, but I feel I am in control
2. Not using automated form-filling can make logins a little longer, but I have a certain structure to many of my passwords so I can remember them without using keepass

--kiloran

[jonesa1]

I use Keepass, and have it installed in a hidden TrueCrypt volume on my main PC, and I have back-ups of that hidden Truecrypt volume on USB sticks in a couple of places.

Maybe time to replace TrueCrypt (no longer developed) with VeraCrypt (developed from TrueCrypt and still maintained)?

[Itsallaguess]

I use Keepass, and have it installed in a hidden TrueCrypt volume on my main PC, and I have back-ups of that hidden Truecrypt volume on USB sticks in a couple of places.

Maybe time to replace TrueCrypt (no longer developed) with VeraCrypt (developed from TrueCrypt and still maintained)?

That's a good reminder, thanks - but I'm still happy using the last 'good' version of TrueCrypt, before it got, erm, 'nobbled'....

The last 'good' version of Truecrypt, 7.1a, can be downloaded from this location -

https://www.grc.com/misc/truecrypt/truecrypt.htm

Cheers,

Itsallaguess

[mc2fool]

Downsides:

1. My process is somewhat manual to keep my Windows/Linux/Android copies in sync, and for some backups, but I feel I am in control

I use KeePass actively on my W10Pro desktop and W10Home laptop and in a read-only fashion on my Android phone, and I have syncs and backups pretty much automated.

By "actively" I mean that I create and edit, etc, entries on both the desktop and laptop. KeePass has a Synchronize facility to sync up the changes in two databases and I've developed a set of KeePass Triggers to use that to (mostly) automatically keep the two in sync. The triggers, along with a .bat file, also automatically make (probably far too many) backups.

What I have is three read-write copies of the database, one on each of the desktop & laptop and one on an SMB served USB flash drive stuck in the back of my router (could be any LAN accessible drive, NAS, etc), which the triggers synchronize the desktop/laptop databases with. Synchronization happens on KeePass startup, or whenever the desktop or laptop database is saved, or when I click a "SyncDB" button that the triggers add to the toolbar. So, e.g....

I make change D1 on the desktop and save, and it automatically syncs with the SMB copy, so both desktop and SMB now have D1.
I then make change L1 on the laptop and save, and it automatically syncs with the SMB copy, so both laptop and SMB now have both D1 and L1.
etc.

Now, under that part of the system, with syncs being done on db saves, you can see that the opposite computer is always one change behind, and so in order to sync L1 down from the SMB to the desktop (without making any changes there) I'd click the "SyncDB" button on the desktop KeePass -- although it reality I almost never have to on the desktop 'cos I boot it up and shut it down every day, so the automatic sync on KeePass startup does it. I do have to use it occasionally on the laptop though, as that goes yonks between restarts.

The triggers and .bat file also create and maintain a rotating set of backups (as I say, probably too many, considering!), and also update the read-only copy on the zero knowledge end to end encrypted cloud storage used by my Android phone.

If folks are interested I'm happy to post the triggers and .bat file, however, bewarned that you will have to modify them for your setup and it's a fair bit "techie" and if you're not already familiar with KeePass Triggers there is a definite learning curve -- and, other than a brief write-up I will not be doing any "walk-throughs" and definitely not offering any support! It'll be "as is" only ....

[vrdiver]

If folks are interested I'm happy to post the triggers and .bat file, however, bewarned that you will have to modify them for your setup and it's a fair bit "techie" and if you're not already familiar with KeePass Triggers there is a definite learning curve -- and, other than a brief write-up I will not be doing any "walk-throughs" and definitely not offering any support! It'll be "as is" only ....

Terms noted and accepted.

Yes please!

VRD