Favorite Password Manager

[atanere]

You can't have too much security these days. After years of using a little notebook to record much-too-simple passwords, I realized the time had finally come to choose a password manager. But there are many to choose from, even in the Linux world, and we all have different needs. For me, I did NOT want to sync passwords with my phone or the cloud, but I did need to share with my wife and her Windows computer.

I chose the portable Windows edition of KeePass Password Safe. I keep the master copy on my Linux box, but I also keep 2 USB backups, one of which my wife uses to access the program. This Windows edition needs some Mono packages (not Wine) to run in Linux or Mac, but there are native Linux packages available for KeePass and also KeePassX (a variant of the original).

So what do you use? Any special pros or cons that you've discovered? Any others not in the poll, please list in the comments. Thanks!

 

[Rob]

I voted keepassx but currently use 1password most of the time..

 

[JasKinasis]

Heh heh, sorry - couldn't resist.
I keep all of my passwords in my head..... If I ever forget them, that's what the 'reset password' link is for!

 

[atanere]

I voted keepassx but currently use 1password most of the time..

Yes, 1password is another popular one. But I discovered the poll limits selections to 10.

 

[atanere]

Heh heh, sorry - couldn't resist.
I keep all of my passwords in my head..... If I ever forget them, that's what the 'reset password' link is for!

My head doesn't work that well! But I've also read about the Diceware passphrase which looks like a very good way to create easy-to-remember but hard-to-break passphrases instead of the more typical passwords (uppercase, lowercase, numbers, special characters, etc). But even with Diceware, my problem remains and I have too many places I visit that need login credentials, and I don't want to re-use any, so I can't remember that many phrases. (And a password reset would also be as much or more trouble for me, I think.)

 

[Rob]

I'm actually looking to switch from 1password since they only have the web version for linux which is a pain.. handy in android though.

 

[iodisciple]

I'm using lastpass but am really looking for a password manager that does the same as lastpass, but then on my own server. Also has to be multiplatform (Linux, Mac, Windows, iOS) or at least be accessible from more than one device.

 

[Lazydog]

I use Lastpass also. If you ever find something that you can use local that keeps everything encrypted I'd be interested in hearing about it.

 

[atanere]

I picked KeePass precisely because it is local-only and very simple. If I wanted to sync the database with other computers or phones via the cloud, I could use Dropbox or Google Drive to manually do it... but I don't want that "feature" anyway.

KeePass is also open source and was subjected to an independent audit of their source code by the EU-FOSSA Project not long ago. I use version 2.x, but it was their 1.x version (still in current production) that was tested... with the results showing there were no critical or high-risk vulnerabilities found. That is no guarantee, but it makes me feel better about it, even using the 2.x version.

 

[PcBuilderEd]

Its Atnanare... he is IN my head... its getting uncomfortable.... I was just about to write a post asking for advice on what manager to use and...oh look, atanare has a post.... lol
Ok though ive been debating between lastpass and keepass. One "expert" summed it up as if your uncomfortable having your info on the cloud use keepass. If you like having it on the cloud use lastpass. For me I like the idea of having everything on the cloud for convienienience, you can just download the plugin to wherever you are and your set. However that makes me skeptical as well. What im really debating is since it auto scans everything when you are entering in data then it might get my ssn and banking info. I would want something I could limit that. So if I could use lastpass and somehow have it not remember some things that would be great, but Im thinking that isnt possible....

 

[atanere]

 

[Bayou Bengal]

I was using Dashlane in Windows, and one day it popped up on Chromium when I entered a new password. So I guess it works in Linux. The Icon was in the upper right corner of Firefox, Chrome, and Chromium. I have since disabled it because it's a pain in the back side the way it constantly is asking for the Master Password. The manager in Chromium is what I use now.

 

[atanere]

I was using Dashlane in Windows, and one day it popped up on Chromium when I entered a new password. So I guess it works in Linux. The Icon was in the upper right corner of Firefox, Chrome, and Chromium. I have since disabled it because it's a pain in the back side the way it constantly is asking for the Master Password. The manager in Chromium is what I use now.

Hi again! I have always been skeptical of using any browser's password manager... or for that matter, any password manager that integrates with the browsers. Maybe my fear is unfounded and I am overly paranoid (yes, I am), but the browser itself is a focused attack target for many of the bad guys on the web. Now with the recent Equifax hack, I'm even more paranoid than usual.

On a more positive note, I did that "credit freeze" thing a couple of years ago after another major data breach, so that gives me some sense of security.... probably a false sense.

 

[Bayou Bengal]

Hi again! I have always been skeptical of using any browser's password manager... or for that matter, any password manager that integrates with the browsers. Maybe my fear is unfounded and I am overly paranoid (yes, I am), but the browser itself is a focused attack target for many of the bad guys on the web. Now with the recent Equifax hack, I'm even more paranoid than usual.

On a more positive note, I did that "credit freeze" thing a couple of years ago after another major data breach, so that gives me some sense of security.... probably a false sense.

Yeah, I'm not comfortable with it either. I need to experiment some more with Dashlane, if it isn't satisfactory I need to find one that is. My memory is getting to the point where I can't remember a bunch of passwords anymore.

 

[atanere]

Yeah, I'm not comfortable with it either. I need to experiment some more with Dashlane, if it isn't satisfactory I need to find one that is. My memory is getting to the point where I can't remember a bunch of passwords anymore.

I resisted using a password manager for a long time, and I'm still a bit paranoid about it... it is a single-point-of-failure if the database is exposed (like in the cloud) and the master password is compromised. That is what led me to use a local-only manager rather than one that syncs to multiple computers and/or phones, tablets, etc. But everyone has different needs, so multiple devices are a must for some folks.

My memory ain't what it used to be either. But using a password manager now lets me use some really strong passwords without the hassle of typing them. And I have WAY TOO MANY passwords these days. Yet I would rather stick with this system (that I can reset, if needed) rather than giving up a fingerprint or iris scan in most cases. I can't reset my fingerprint if it is ever compromised.

 

[PcBuilderEd]

Quite a few lastpassers. Is it possible to block certain fields and numbers in last pass or is it always recording? Is keepass local only or can you put it on a USB?

 

[Bayou Bengal]

I resisted using a password manager for a long time, and I'm still a bit paranoid about it... it is a single-point-of-failure if the database is exposed (like in the cloud) and the master password is compromised. That is what led me to use a local-only manager rather than one that syncs to multiple computers and/or phones, tablets, etc. But everyone has different needs, so multiple devices are a must for some folks.

My memory ain't what it used to be either. But using a password manager now lets me use some really strong passwords without the hassle of typing them. And I have WAY TOO MANY passwords these days. Yet I would rather stick with this system (that I can reset, if needed) rather than giving up a fingerprint or iris scan in most cases. I can't reset my fingerprint if it is ever compromised.

Well, the government got my finger prints years ago, so if they've been hacked my finger prints have probably been stolen. The point you made about using a manager across multiple devices is what really worries me. Dashlane does that so my current passwords are in their cloud. I am currently considering a tablet to store them and never allowing the tablet to go online.

 

[atanere]

Quite a few lastpassers. Is it possible to block certain fields and numbers in last pass or is it always recording? Is keepass local only or can you put it on a USB?

KeePass, at its core, is a Windows program, and it does offer a portable USB installation too. I use that portable version in Linux by running it with Mono... this is one way for Linux and Mac too. One of its "features" is the ability to create plugins to add other functionalities. But for me (and my paranoia) I would rather not expand out from the core package and accept the risk of other developers tinkering with it and possibly breaking it unintentionally (or worse, altering it maliciously). Shame on me for being so untrusting, but the times are getting bad with too much criminal hacking going on.

But using Mono is not the safest thing either. It is essentially a Linux version of Microsoft .NET, and I read that it is also susceptible to .NET vulnerabilities. Nothing is perfect, I guess. But I have wanted the USB portability to share KeePass with my wife on her Windows laptop.

KeePassX is included in many Linux distros, but there is also a keepass2 included in the Synaptic Package Manager for Linux Mint (and others, I guess). KeePassX started as a plugin for Linux, but I think it is a fork now, although I am not sure. I am currently thinking of switching to keepass2 to run natively on Linux, and then just sharing the database with my wife.

 

[Bayou Bengal]

KeePass, at its core, is a Windows program, and it does offer a portable USB installation too. I use that portable version in Linux by running it with Mono... this is one way for Linux and Mac too. One of its "features" is the ability to create plugins to add other functionalities. But for me (and my paranoia) I would rather not expand out from the core package and accept the risk of other developers tinkering with it and possibly breaking it unintentionally (or worse, altering it maliciously). Shame on me for being so untrusting, but the times are getting bad with too much criminal hacking going on.

But using Mono is not the safest thing either. It is essentially a Linux version of Microsoft .NET, and I read that it is also susceptible to .NET vulnerabilities. Nothing is perfect, I guess. But I have wanted the USB portability to share KeePass with my wife on her Windows laptop.

KeePassX is included in many Linux distros, but there is also a keepass2 included in the Synaptic Package Manager for Linux Mint (and others, I guess). KeePassX started as a plugin for Linux, but I think it is a fork now, although I am not sure. I am currently thinking of switching to keepass2 to run natively on Linux, and then just sharing the database with my wife.

Thanks for the heads up on Keepass 2, atanere! You may have just saved me the expense of buying a tablet!

 

[iodisciple]

I use Lastpass also. If you ever find something that you can use local that keeps everything encrypted I'd be interested in hearing about it.

Its not a high priority for me, but I will be setting something up on my own VPS with most probably Keypass and a sync tool on my iPhone / iPad. I'll report when I've got something useful