# How do you manage your passwords?

## kaput

My ability to keep track of the login details for the hundreds of sites and applications that require them has reached a breaking point. The login process for things I don't use daily has degraded into guessing what my username is and then doing password recovery to create a new password, which I almost always forget again before the next login. Despite being a bad practice, it's been working fine until I recently lost an account because I can't remember the username that was assigned when I registered. It's time to get this under control.

What I ultimately need is a secure way to maintain a list of sites/applications, the username, and the (unique) password for each. Ironically, the most secure solution I've come up with is to physically write them down on a sheet of paper kept near the computer; however, this doesn't work if I am anywhere other than at my desk and it makes tracking changes cumbersome. 

I know I'm not the only one with this problem. How do you manage yours?

----------


## D'z Nutz

I know there's a lot more elegant solutions out there, but I've been using Password Safe for well over the last decade:

http://passwordsafe.sourceforge.net/

I can transfer my password database across Windows, Linux, and OSX and there's Android and iOS clients (though I've never tried them myself).

Some guys at work use iCloud Keychain or 1Password, but habits die hard for me and I've never had a reason to switch.

----------


## ExtraSlow

When I had a job, I was keeping all of them written down in a book I kept beside my computer. I also got really fast at requesting a new password for sites I don't use often, like ticketmaster. Probably request a new password damn near every time there!

----------


## The_Rural_Juror

I use Dashlane. 

Lots of free options to choose from if you don't care about syncing.. I think 1password has a sale right now.

----------


## killramos

i use icloud synced notes on my iPhone for the most part. Also icloud keychain and google chrome password remember feature.

----------


## jwslam

I pick from this list
http://globalnews.ca/news/2463385/th...make-the-list/

Passwords are not so much my problem as "your username has been taken", "your username is too short", "you cannot use symbols in your username"

----------


## taemo

> _Originally posted by D'z Nutz_ 
> *I know there's a lot more elegant solutions out there, but I've been using Password Safe for well over the last decade:
> 
> http://passwordsafe.sourceforge.net/
> 
> I can transfer my password database across Windows, Linux, and OSX and there's Android and iOS clients (though I've never tried them myself).
> 
> Some guys at work use iCloud Keychain or 1Password, but habits die hard for me and I've never had a reason to switch.*



+1, we still use passwordsafe at work

----------


## pheoxs

I used a base password that covers all the usual password requirements plus a code for each site so that every password is unique but easy to remember. For example [email protected] covers the letter, capital, number, symbol and length requirements most sites use, then I append something specific to the site in the middle, let's say the first 3 letters of the site, say 'bey' for beyond. So my PW here would be [email protected], Gmail would be [email protected], and so on.

Each password is unique to a site but can be remembered for every site

----------
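An added example, not part of any post in this thread: a small audit that checks a password list for the base-plus-site-code pattern described in the post above, since anyone who sees one such password can work out the rest. The CSV columns, site names and passwords are constructed for illustration, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample password list: column names and every value are made up.
SAMPLE_EXPORT = """name,username,password
beyond,me,Tr0ub4d&beyor!
gmail,me,Tr0ub4d&gmaor!
amazon,me,Tr0ub4d&amaor!
bank,me,x9$Lq2vW#rT8mZpK
cra,me,Summer2016
ticketmaster,me,Summer2016
"""


def skeleton(password: str, site: str, code_len: int = 3) -> str:
    """Remove the site-derived code (first `code_len` letters of the site
    name, matched case-insensitively) from the password.
    What is left is the part that does not depend on the site."""
    code = site[:code_len]
    if not code:
        return password
    return re.sub(re.escape(code), "", password, count=1, flags=re.IGNORECASE)


def shared_base_groups(export_text: str, code_len: int = 3) -> list[list[str]]:
    """Group entries whose passwords are identical once the site code is
    stripped. Every group of two or more falls together: one leaked
    password in the group gives away the others. Exact reuse is caught
    too, because identical passwords have identical skeletons."""
    by_base = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        base = skeleton(row["password"], row["name"], code_len)
        by_base[base].append(row["name"])
    # Report site names only, never the passwords themselves.
    return sorted(sorted(names) for names in by_base.values() if len(names) > 1)


if __name__ == "__main__":
    for group in shared_base_groups(SAMPLE_EXPORT):
        print("one leak exposes all of:", ", ".join(group))
```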


## sabad66

I use 1Password on my iphone. Synced to the cloud and unlocked with my fingerprint. I quite like it and recommend it to everyone.

----------


## Mibz

> _Originally posted by D'z Nutz_ 
> *Some guys at work use iCloud Keychain or 1Password, but habits die hard for me and I've never had a reason to switch.*



 This is pretty much why I use LastPass. It was the first one I used so it will likely be the last one I use.

----------


## nzwasp

Mostly keep it in my head and then if I forget something I use the forgot password option to generate a new one. 

At work we used to use passwordsafe.

----------


## Alterac

We use KeePass at work and I use it at home, only downside is no sync to your mobile devices, etc.

I suppose you could use it in conjunction with dropbox/gdrive/etc.



I know a few people that use lastpass but im wary about storing all my passwords online.. (cause im nuts).

----------


## HiTempguy1

I have the passwords in a text file on my desktop and a keep-me file on my phone (which is completely unlocked, no passcode to enter).  :ROFL!:  

I stopped caring, "internet security" is a joke nowadays. If you use the internet or technology in general, I personally feel that you have to be willing to accept the fact that your information could be stolen at any moment.

I am sure there are better ways to do it as listed, but I've kind of given up  :dunno:

----------


## googe

1Password, good enough that I actually paid for it. 

Especially on my phone, with fingerprint ID, because typing that stuff out is annoying.

It has an option to sync over local wifi, so if you don't want your passwords sent up to the cloud, it still works  :thumbs up:

----------


## SportEL

mSecure

----------


## schocker

I have been using lastpass for a bit over a year. Great app, browser plugins also finger print protected which I believe 1password just got on android at least.

----------


## kaput

I'm liking the look of mobile-based solutions like 1password or lastpass but I have trust issues with apps in general. As a below average idiot that knows nothing about computer security, given all the major security failures in the news, how do I know I can trust a third party company and the cloud with potential access to everything I do? What if they get hacked? What if they go bankrupt? What if the app fails and I lose all my accounts (is there offline backup)?

----------


## speedog

> _Originally posted by HiTempguy1_ 
> *I have the passwords in a text file on my desktop and a keep-me file on my phone (which is completely unlocked, no passcode to enter).  
> 
> I stopped caring, "internet security" is a joke nowadays. If you use the internet or technology in general, I personally feel that you have to be willing to accept the fact that your information could be stolen at any moment.
> 
> I am sure there are better ways to do it as listed, but I've kind of given up *



Heh, mine are in a password protected Excel file in a Dropbox folder.

----------


## schocker

> _Originally posted by kaput_ 
> *I'm liking the look of mobile-based solutions like 1password or lastpass but I have trust issues with apps in general. As a below average idiot that knows nothing about computer security, given all the major security failures in the news, how do I know I can trust a third party company and the cloud with potential access to everything I do? What if they get hacked? What if they go bankrupt? What if the app fails and I lose all my accounts (is there offline backup)?*



Check out how last pass does it, I am assuming others are similar. 
https://lastpass.com/how-it-works/

Part of it:



> Local-Only Encryption
> 
> User data is encrypted and decrypted at the device level. Data stored in the vault is kept secret, even from LastPass.
> 
> Private Master Password
> 
> The users master password, and the keys used to encrypt and decrypt user data, are never sent to LastPass servers, and are never accessible by LastPass.

----------


## PeterGTiR

> _Originally posted by kaput_ 
> *I'm liking the look of mobile-based solutions like 1password or lastpass but I have trust issues with apps in general. As a below average idiot that knows nothing about computer security, given all the major security failures in the news, how do I know I can trust a third party company and the cloud with potential access to everything I do? What if they get hacked? What if they go bankrupt? What if the app fails and I lose all my accounts (is there offline backup)?*



I'm not a computer wizard, but I read an article about these password apps once. The apps that store your passwords online keep it within an encrypted file on their servers. And someone could only decode the file if they have the private key (which in most cases is just you). 

You should consider using KeePass2 as it stores your passwords on your hard drive in an encrypted file.

----------


## botox

At work for websites I don't care about I put the username and password right on the favorites link. I save the link then edit it and type in the credentials right beside it, works like a charm  :Big Grin: .

----------


## pheoxs

> _Originally posted by PeterGTiR_ 
> * 
> 
> I'm not a computer wizard, but I read an article about these password apps once. The apps that store your passwords online keep it within an encrypted file on their servers. And someone could only decode the file if they have the private key (which in most cases is just you). 
> 
> You should consider using KeePass2 as it stores your passwords on your hard drive in an encrypted file.*



The problem with all these services is the same: 1) for cloud based ones if they phish your master password they have access to all of them. And 2) if it's locally stored only and your hard drive becomes corrupted you lose all your passwords without going through the hassle of recovering the drive.

----------


## Khyron

> _Originally posted by PeterGTiR_ 
> * 
> You should consider using KeePass2 as it stores your passwords on your hard drive in an encrypted file.*



I moved to KeePass2 recently. File is small so it's on my dropbox (and so technically on every device/computer) plus it's backed up to an external with the other backups so there's 0 chance of losing it. 

Don't really care about forum accounts but banking, steam, cra, amazon - that shit would be a royal pain to deal with with just 1 being stolen let alone all of them. Android app works fine - just open, click "copy" then task-switch to the login screen and paste.

----------


## Swank

> _Originally posted by pheoxs_ 
> *I used a base password that covers all the usual password requirements plus a code for each site so that every password is unique but easy to remember. For example [email protected] covers the letter, capital, number, symbol and length requirements most sites use, then I append something specific to the site in the middle, let's say the first 3 letters of the site, say 'bey' for beyond. So my PW here would be [email protected], Gmail would be [email protected], and so on.
> 
> Each password is unique to a site but can be remembered for every site*



I like this approach  :thumbs up:  

I put some of mine in Google Keep, but not the actual password, just a reminder cuz who knows how secure the cloud is? Usually just the first letter and then asterisks so I know the length ie [email protected] would be P*******. This is just for trivial sites, any sites having to do with finances or government stuff I memorize the password and don't store it anywhere, I only have a few of those.

----------


## Mibz

> _Originally posted by Swank_ 
> * who knows how secure the cloud is?*



 "The cloud" in this case consists of single-tenant infrastructure owned by the password manager. A decent password manager will tell you what they do to keep your shit secure. It isn't about security by obscurity with this stuff, you can spell out what you're doing and it doesn't make life any easier for attackers.

Once you know that the company isn't fucking around, adding 2FA to your account and using a completely unique and secure master password is all you should ever need to have complete confidence. Hell, LastPass was breached last year and I didn't even have to change my master password.

----------


## PAV

I have to echo a vote for 1Password, I use it on Mac and Android (and iOS in the past). It goes on sale a couple times a year, but even for full price I have found it has been worth it.

For those that don't like the cloud, it stores a local copy. You can sync by wifi, icloud and dropbox (the latter two using the cloud). However, the file that is stored on that file is encrypted as well. So someone would have to 1) Hack into my dropbox account (which is secured by 2Factor Authentication), then crack the encryption on the file. I feel safe enough with that as the convenience of syncing across all my devices almost instantly is worth it. However, the wifi sync works well too.

With the built in browser extension (once you get used to how it works it is so easy to create/fill passwords), and it now uses fingerprint authentication (Lollipop and iOS devices) for even easier use on phones.

Yes you could just have an encrypted file, but the amount of time you save by having the browser extension may be worth the $$ if you have lots of passwords.

----------


## kaput

I am still learning about the options but I'm leaning towards 1password at the moment. Most of the time it would be used on the computer but I still need mobile access for the once in awhile scenarios that randomly pop up. If I understand correctly, by syncing between my (android) phone and computer over wifi, each device would have a local copy of the encrypted file so if for example one of them had a catastrophic failure, the other can act as a backup? 

I don't use dropbox, I have google drive but it looks like that isn't supported if I did want to use cloud sync.

----------


## Sentry

> _Originally posted by pheoxs_ 
> *I used a base password that covers all the usual password requirements plus a code for each site so that every password is unique but easy to remember. For example [email protected] covers the letter, capital, number, symbol and length requirements most sites use, then I append something specific to the site in the middle, let's say the first 3 letters of the site, say 'bey' for beyond. So my PW here would be [email protected], Gmail would be [email protected], and so on.
> 
> Each password is unique to a site but can be remembered for every site*



That's amazing! I've got the same password on my luggage!

----------


## D'z Nutz

> _Originally posted by Sentry_ 
> * 
> That's amazing! I've got the same password on my luggage!*



 :ROFL!:

----------


## whydontchathen

> _Originally posted by speedog_ 
> * 
> 
> Heh, mine are in a password protected Excel file in a Dropbox folder.*



I've been doing this for more than a decade. except for the Dropbox part. Works almost perfectly as long as I diligently update any changes, record new memberships, etc. My spreadsheet is at 485 lines atm.....

----------


## CompletelyNumb

I use a blur add on called Blur to keep track of mine. Keeps it easy, syncs to my phone. I change them often so it works.

----------


## Zorac

another vote for password safe. started using it ages ago and never switched. its not fancy but does the job.

----------


## schmooot

I just keep a password protected excel file on my computer. I use it to keep track of passwords for crap that I very rarely need to get into like CRA and service canada and junk. Everything else is just a single password with a couple variations for certain criteria so I can usually get away with trying 3 different variations before I get it right eventually

----------


## RealJimmyJames

Testing out LastPass right now.

----------


## locust

I use pw safe which syncs with iCloud between all my devices. iPhone / iPad / Macbook.

I use password safe for windows but there's no syncing service.

----------


## sabad66

fyi, oneSafe on iOS is free this week. I haven't used it (i use 1Password), but it's normally 4.99 so might be worth trying out.

----------


## kaput

As an update, I've been using keepass for a few months and it works well enough, but I wouldn't mind having more features like easy family sharing and better app support. 

1password has come out with a new subscription model that may be of interest to some (and will cause extreme anger in others). Regardless, they are offering a free 6 month trial if anyone wants to check it out. 

Those who like 1password - do you use it on Mac or Windows? My first impression is that it's almost useless on Windows, but there are so many good reviews that I wonder what I'm doing wrong.

----------


## RealJimmyJames

LastPass has been flawless for me.

----------


## schocker

> _Originally posted by RealJimmyJames_ 
> *LastPass has been flawless for me.*



Yup, have been using it for a year and a half now and it works great between browser plugins and the mobile app. They also have a pretty good 2FA app (free) I have seen but I haven't tried it yet as I am using the google one.

----------


## D'z Nutz

Bump.

I'm assuming those of you who are still using LastPass have heard about this:
https://blog.lastpass.com/2022/12/no...rity-incident/

----------


## taemo

I ditched LastPass couple of years ago when they changed the free plan for only 1 type of device, computer or mobile device.
Moved to Bitwarden and really happy with it, has browser extension, mobile app and free.
For most, the free plan is good enough but figured 10$ annually was worth to support the service.

Keeper Security looks pretty promising as well

----------


## ExtraSlow

I'm still on lastpass free plan. I did hear about the issue you posted. 
What I'm not clear on is what's a reasonable path for regular individuals
1) use weak passwords you can remember (they end up being very similar or identical in most cases)
2) use a password manager, which creates the risk of the whole thing getting cracked through something like was posted
3) throw away your devices and live naked in the forest. 

All three are appealing for various reasons.

----------


## killramos

I mean the whole thing didn’t get cracked. So that’s something.

Still use LastPass, I have a family account because my wife is useless at this stuff and I end up setting up a lot of her shit for her.

----------


## taemo

LastPass security attacked by rival company 1Password: ‘Passwords could be cracked for $100’
https://www.reviewgeek.com/140925/la...curity-claims/
Most human passwords are easier to be hacked because typically they are a bunch of words easy to be brute forced and tried first before attempting random generated characters.

Use 16+ random characters generated passwords
master password should not be used by any other services/accounts
avoid common words like [email protected]

----------


## Swank

I'm on LastPass too, all eggs in one basket sucks when stuff like this happens. I don't keep bank or credit card logins there, old school memory and written down at home for those. There are a few PWs I'll be resetting that are in my vault, most I DGAF if they get hacked, they are all different and mostly complex. 2FA wherever possible for accounts, hopefully all of the low hanging fruit means the hackers don't bother with my vault for a long time if ever.

----------


## vengie

The key is to have the same password for everything.

----------


## suntan

> The key is to have the same password for everything.



eyeluvextraslow$$11inches

----------


## vengie

Well shit.. I need to change my password.

----------


## suntan

It's a very common password.

----------


## bjstare

I use 1password. It's good.

----------


## dirtsniffer

I use google chrome? is that bad?

----------


## Darell_n

I let Apple create and store random passwords for everything.

----------


## schocker

I moved to bitwarden when lastpass jacked up their pricing a couple years ago. Works well between phone/pc etc. and then I use the microsoft 2fa app.

----------


## ThePenIsMightier

"No matter how complex, no matter how unique, your passwords can no longer protect you."
We've known this for 10+ years, yet here we still are.

https://www.wired.com/2012/11/ff-mat...ssword-hacker/

----------


## rage2

> LastPass security attacked by rival company 1Password: ‘Passwords could be cracked for $100’
> https://www.reviewgeek.com/140925/la...curity-claims/
> Most human passwords are easier to be hacked because typically they are a bunch of words easy to be brute forced and tried first before attempting random generated characters.
> 
> Use 16+ random characters generated passwords
> master password should not be used by any other services/accounts
> avoid common words like [email protected]



Master passwords need to be sort of memorable. Use a pass phrase instead. And of course don’t reuse master ones that lock down your favorite password databases. 

https://www.okta.com/identity-101/pa...vs-passphrase/

----------


## ExtraSlow

A 20 character master passphrase that is letters only should be reasonably secure against brute-force attacks. 
Nothing is secure against social engineering.

----------


## suntan



----------


## eblend

Funny...spent last 3 months or so working on implementing LastPass in our company....Okta auth, groups etc. etc...yesterday was the final meeting on LastPass to close the project...and our security guy joins and says we are ditching LastPass haha...funny. Guess getting hacked multiple times a year + not telling people up front what was compromised changed their stance on this "Awesome" product as it was originally sold to us by our Cyber team.

I personally use BitWarden and love it. It's on the list of considerations to replace LastPass in our company as well.

----------


## cet

I use LastPass, but now thinking of changing to something like BitWarden. Is there an easy way to transfer information from LastPass to a new program or do you have to open each one and copy/paste?

----------


## Tik-Tok

> [image attachment]



Now all we need is for every company to let us use only words and a reasonable amount of characters.

----------


## taemo

> I use LastPass, but now thinking of changing to something like BitWarden. Is there an easy way to transfer information from LastPass to a new program or do you have to open each one and copy/paste?



very easy to do
https://bitwarden.com/help/import-from-lastpass/

----------


## mr2mike

People are the weakest chain in the password world.

----------


## cet

> very easy to do
> https://bitwarden.com/help/import-from-lastpass/



Awesome, thanks

----------


## The_Penguin

> I use LastPass, but now thinking of changing to something like BitWarden. Is there an easy way to transfer information from LastPass to a new program or do you have to open each one and copy/paste?



Lastpass will export to a .csv. BitWarden will import from that. Don't forget to delete the .csv when you're done  :Smilie:

----------


## Swank

> Lastpass will export to a .csv. BitWarden will import from that. Don't forget to delete the .csv when you're done



Or you can send it to me and I'll delete it for you  :Big Grin: 

As tempting as it is to move to BitWarden or some other reputable password manager I don't suppose there is anything stopping others from suffering a similar breach in the future. Are they all great until they aren't? I would like to think that LastPass will now be more vigilant than ever after this giant oops but I could also be kidding myself to save the effort of moving to another PM (but it does seem like a simple process as mentioned above so that's a bonus).

----------


## ThePenIsMightier

> People are the weakest chain in the password world.



Do you mean a chink in the chain?
#triggered

----------


## rage2

> Do you mean a chink in the chain?
> #triggered

----------


## mr2mike

> 



I see a camera to the right that @ExtraSlow might be interested in the specs.

----------


## The_Penguin

> Or you can send it to me and I'll delete it for you 
> 
> As tempting as it is to move to BitWarden or some other reputable password manager I don't suppose there is anything stopping others from suffering a similar breach in the future. Are they all great until they aren't? I would like to think that LastPass will now be more vigilant than ever after this giant oops but I could also be kidding myself



Normally I'd agree, but this isn't the first for Lastpass. Also, they have not been that forthcoming with details. Yes, the bad guys got a copy of a backup of customers' vaults. All the vaults? When? Other things brought to light during this: They moved from 5000 iterations to 100100 iterations but didn't apply it to all customers. Likewise with the move from ECB to CBC not applied to all customers. Then there's the encryption. They only encrypted passwords and usernames, not the entire contents of users' vaults. So the URLs are in the clear. IF you had a secure master password, there's likely not much to worry about, but given the history etc. Might be time for a change. Some good info here: https://www.grc.com/sn/sn-904.pdf

----------
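An added example, not part of any post in this thread: it puts numbers on the iteration counts quoted in the post above and on the earlier remark that a 20-character letters-only passphrase holds up against brute force, by estimating the offline guessing cost for a copied vault. It assumes the iterations are PBKDF2-HMAC-SHA256 rounds, that secrets are chosen uniformly at random, and a constructed attacker speed of 1e10 rounds per second; the function names are hypothetical.

```python
import hashlib
import math
import os
import time

OLD_ITERATIONS = 5_000       # iteration counts quoted in the post above
NEW_ITERATIONS = 100_100
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumption (constructed figure): attacker hardware doing 1e10 PBKDF2 rounds/s.
ASSUMED_ROUNDS_PER_SECOND = 1e10


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret picked uniformly at random. A phrase a person
    made up has less entropy than this, often far less."""
    return length * math.log2(alphabet_size)


def years_to_guess(bits: float, iterations: int,
                   rounds_per_second: float = ASSUMED_ROUNDS_PER_SECOND) -> float:
    """Expected time to hit the secret offline: half the keyspace, with
    every guess costing `iterations` PBKDF2 rounds."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses * iterations / rounds_per_second / SECONDS_PER_YEAR


def local_guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many master-password guesses this machine can test per second."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


SECRETS = [
    ("8 random lowercase letters", keyspace_bits(26, 8)),
    ("4 random words from a 7776-word list", keyspace_bits(7776, 4)),
    ("20 random letters", keyspace_bits(26, 20)),
]


def cost_table():
    """Rows of (label, bits, years at old count, years at new count)."""
    return [(label, bits,
             years_to_guess(bits, OLD_ITERATIONS),
             years_to_guess(bits, NEW_ITERATIONS))
            for label, bits in SECRETS]


if __name__ == "__main__":
    for n in (OLD_ITERATIONS, NEW_ITERATIONS):
        rate = local_guesses_per_second(n)
        print(f"{n:>7} iterations: {rate:8.1f} guesses/s on this machine")
    for label, bits, old, new in cost_table():
        print(f"{label:<38} {bits:5.1f} bits  {old:10.3g} y  {new:10.3g} y")
```

The higher iteration count multiplies the cost of every guess by about 20, while each added random character or word multiplies the number of guesses, which is why the strength of the master password dominates the result.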


## killramos

I’ve never seen a better example of tldr…

----------

