I'm changing them all to "password"
January 24, 2014

It has come to the point where I officially have too many passwords to reliably remember. What's the OSX/iOS solution for me?

I've changed my bank password ever months for the last ... a lot of months, and at this point I no longer have confidence in my ability to keep track of these things.

There's a few options I've seen -- SplashID, LastPass, 1Password -- some with different pricing tiers or free/pro versions, so let me know which option I should take with that (and why.)

If it matters, this is less a matter of keeping a tighter lock on things and more not having to go through the rigmarole of changing a password every time I cycle through five passwords and get locked out of an account for a day.
I use 1Password. Good browser integration (Safari and Chrome on OS X), good iOS app. The reader version for Android... well, it works. I sync it between devices via Dropbox. It's expensive to get it for everything, though. I also like the ability to easily identify which of my passwords were duplicates of each other, and which ones were weak.

I did try LastPass. Didn't like it, but I don't honestly recall why. Might just have been a user preference.
Oh, and password generation. I like not having to think of passwords anymore.
Rather than using a program, can you devise a system? Like:

first three letters of the website name
+ some reusable combination of letters and numbers and capital letters
+ last three letters of website name

So facebook password would be

Twitter would be

Metafilter would be

When you need to change one because you got locked out, just add a number at the end. (ie. facPass3wordook1, facPass3wordook2,...)

It would be better if you made the reusable combination something meaningful for you like your cat's name and your birth year or something. (Who wouldn't love typing something like facSchnookums1980ook? ha ha ha)
1Password is really, really great. I've used it for 5 or more years. It's rock solid. The iOS app syncs wirelessly with the OSX version, so your passwords stay up to date.
I like LastPass, because the free version suffices for most usages, to the extent that I only went for the annual paid version when I knew I was going to need the mobile-device app for a specific task (I'm not a big fan of recent versions of their app, but I needed it).
I use 1Password and it seems to be getting better with each version. I'd recommend it to anyone.
David Pogue of the NYTimes likes Dashlane, qv.
I've used 1Password for maybe 5-6 years now. For the most part, I remember only 5-6 different passwords - a couple for some services, the 1P master password, and the ones to get into my computers. Everything else is a generated password - including security questions. (FWIW, strong passwords don't help much if you put "name of my first dog" as a security question and the answer's on your blog or something.) At the time, I wanted a decent Mac app and iOS integration that was good and 1Password had that. It has browser plugins for pretty much any browser you'd want (on the desktop), and knows how to autofill forms, so logging into things is basically click the 1Password thing, find site to log into, click that, done. Generated passwords can be just random characters, or you can have it generate pronounceable ones (which I use when I have to come up with something that I have to give out). Syncing to iOS can be done app-to-app (via WiFi), via Dropbox or via iCloud. The one time there was maybe a flaw in the 1P encryption design they were pretty upfront about it and all that, which I liked. There's a full-fledged Windows version and an Android reader that is ugly and clunky but works well enough.

The only thing I really dislike about 1P - and, mind you, I am not using version 4 yet - is that you can't really update password entries. So, when I have to actually change passwords, I end up with duplicate entries. This may be fixed in 4 or I may be doing it wrong.

I have had friends who like LastPass and (the unfortunately named) KeePass; the latter of which is open source and free. Neither seemed compelling enough to move from 1P so I haven't.
oh, almost forgot: the 1P iOS apps include a web browser bit in them, so you can have the same "find entry->log in" type experience you have on the desktop with your mobile device too.
Another vote for 1Password. I started with LastPass and liked it just fine, but they started to move towards a monetization policy of credit-checking services rather than focusing on password security. Made the switch to 1Password and I'm very happy with them. The family license is a good deal.
I have three or four passwords.

There's one for any non-essential accounts. So, for instance, travelocity or groupon or what-have-you. I use the same password for all of these types of accounts.

There's one for the shopping accounts, like Amazon, where my cc info is on file. There's one for the bank accounts. There's one for email.

How do I keep track of them? I usually use something that already exists on my desk as a visual reminder of what the password is (that is, I pick something on the desk, and then make up a related password). If I'm ever at my desk and I can't remember the password, I remind myself that "oh, the bank account password is related to the picture of the palm tree".

I just don't dig the idea of an outside service generating my passwords.
I use passwordsafe on linux and windows, and password gorilla on OSX, because it can parse passwordsafe databases.
(For more detail: Both use a local encrypted database - I keep a master copy on a thumbdrive and periodically refresh. You could keep the encrypted file on dropbox or one of those services if that floats your boat. I've been toying with dropping mine in evernote but I'm still wary of putting it out in the cloud.)
I've used LastPass for my passwords for a couple of years. Quite like it. Also it's inexpensive. And I use its two factor authentication for the financial passwords information.
1Password. Worth every penny. In addition to being awesome on iOS and Mac, it also has a read-only android client for when you just have to fiddle with an android device. Ideally, back it with DropBox for syncing.
Another solution you could use for the stupid ever-changing bank password crap, which works because they always send you a YOU CHANGED YOUR PASSWORD email on that date:

"I changed my Chase Bank password on January 24, 2014."

Your password is: IcmCBpoJ24,14

You get caps, numbers, and a special character and you remember it because it's a sentence.

And as a special bonus, you can make your stock sentence anything you want. "I conformed to some bullshit for Chase Bank on January 24, 2014." "I nearly face stabbed the folks from Chase Bank on January 24, 2014." Delightful!
I started using LastPass after lots of recommendations here. I'm not super thrilled with the integration of it on my iPhone but the way it works with Chrome on my desktop is heavenly.
I use 1Password with the password chain stored in DropBox, and it works well for me. I like it a lot.

I use Chrome and the Chrome extension seems to be great. The only thing that really drives me up the wall (and it sounds like it won't be an issue for you) is the Android client, which is.. functional, as other people have said, but, really, if we're being honest, is a piece of shit. They've talked about upgrading it for months and months and months and I occasionally poke them about it on Twitter and they say, "Oh, we're working on it!" but, alas.

Anyway, I like it. It generates passwords with ease. It stores passwords with ease. It auto-fills passwords with ease.

Every time I load (or re-load) one of my machines, the first thing I do is install DropBox (which has a unique password that I remember and also 2-factor authentication) and then I install 1Password (which has a unique password for the master key chain) and then I am in business and can get into my things.
Mavericks has this built right in, no third party software required.

I haven't trusted it with any essential passwords yet -- I'm too paranoid that my keychain will get lost or corrupted somehow and I'll be locked out of everything (which is the same reason I never adopted LastPass or 1Password or etc) -- but for throwaways or sites I visit maybe a few times a year it's turned out to be incredibly convenient. Once it's set up you don't have to think about it at all; when you hit a password field it asks if you want it to generate one, you click yes, and that password is immediately usable from all your devices without you having to do a thing.

(iCloud in general finally came into its own with Mavericks/iOS7 -- it was useless before but now I couldn't live without it -- stuff like being able to browse on my laptop a list of the tabs open on my phone is just magic, I use it constantly)
Silly question: is there a reason you don't use the iCloud password manager built into Mavericks and iOS 7? Much better integration than anything third party on those ecosystems.
I use STRIP password manager. I no longer remember why I chose it over 1password, but I'm totally satisfied with it. It has a great iOS interface, which is how I use it. It also has OSX, Windows, and Android versions. The password generator is a great feature. Also backs up/ syncs via Dropbox.

ETA: oh, yeah, now I remember why. $4.99 vs $17.99.
I have used LastPass for a long time and I like it. It syncs among devices automatically (I presume there's some security trade-off in order to be able to do that, but I don't know how big it is). The current state of the iPhone app is a little funky in my opinion but I think it's evolving and I certainly don't find it to be a problem.
LastPass with two-factor authentication (free and easy: Google Authenticator) is what I use, both for work and personal. I highly recommend it.
nthing Lastpass.
I've used Roboform for years, and I'm very happy with it.
I've been using LastPass for about three or four years and pay for the premium version. It works amazingly on a desktop browser and these days I only know two passwords by heart: my LastPass master one and my generated iTunes one (b/c I have to enter it constantly). Everything else has been randomly generated.

Two extra highlights: you can enable 2-step auth to get into your account, making it even more secure. My bank accounts now require crazy special characters and numbers in usernames, which I always forget when I can't just have mathowie, so it has been a godsend for those accounts.

The only downside has been that it's a pain to constantly re-auth the app on my phone to get a password, which you have to copy/paste to use in apps. It's possible to use it in mobile safari but it's a little clunky with bookmarklets, but manageable.
With generated passwords, how do you log in from a computer without LastPass or 1Password installed on it (and assuming you have no access to a smart phone)?
posted by griphus at 3:06 PM on January 24

See this previous post.
I'll put in a plug for KeePass/KeePassX. KeePassX is the better client for OSX, but it uses the KeePass file format. I keep the encrypted file on Dropbox, so I can get to it from all my systems plus my iOS devices (using MiniKeePass). Every site password is randomly generated, and I cut-and-paste from KeePassX to the login screen on whatever site I'm accessing.

Looking at your last question -- if you're concerned with being able to access your passwords on a machine without the appropriate software installed, 1Password might be a better bet. According to their site, 1Password Anywhere lets you read your 1Password file in a web browser. So if you keep it on Dropbox, you can download it from the Dropbox site and then go to the 1Password Anywhere site to read it from the browser.
With LastPass (which I use and highly recommend) you can log onto their website and access your "vault." From there you can copy/paste passwords into a site. It's not elegant. Honestly I'm paranoid about accessing my password protected sites on computers I don't know so I rarely do this.

LastPass Premium also has LastPass Pocket and LastPass for applications which can be installed on a USB drive and used on other computers. I've never used either of them. The Premium version has a free trial period.
posted by sevenless at 4:12 PM on January 24

1Password. I have over 500 logins and dozens of other entries. I have the iOS and Mac versions.

The only thing I really dislike about 1P - and, mind you, I am not using version 4 yet - is that you can't really update password entries. So, when I have to actually change passwords, I end up with duplicate entries. This may be fixed in 4 or I may be doing it wrong.
You can modify entries. I've been on 1Password for years, I'm fairly certain you could modify entries in v3 as well, but don't have it any longer since I'm on v4, I know for certain you can modify entries there.
My passwords have a system.

It is adj + noun + number. If I need a symbol it goes upfront symbol + adj + noun + number.
In addition, to vary the password, sometimes I use the variation of number + adj + noun. If I need a capital letter, the first letter of the adj is capitalized. I generally use a word with a common misspelling and misspell it for a little extra security.
This gives enough variation. For example this leads to the passwords


I have two compound words (so my e-mail is not the same as my bank account) and this gives me enough passwords to do just fine, but really I'm remembering 2 passwords and my variation system. Sometimes I look at the password requirements (if I cannot remember what I did!) because if it needs a symbol and a capital letter I know I used some variation of symbol + (number) + capital letter adj + noun (number) which gives me 2 passwords to guess, meaning I won't get locked out of the site.

I also do have a less secure throw away password for sites that don't matter.
Here's my one page guide to Password security and a comparison of Password Generators
I'll nth 1Password. I have both the Mac and iOS versions. I've gotten better at using more of the features, and love it even more now.

When I first installed it, I started adding my frequently-used accounts with my existing passwords. More recently -- thanks to a new feature (I think) in version 4 that shows you lists of duplicate and/or weak passwords -- I've been updating all my accounts so that they all have strong, randomly-generated passwords. It's a welcome relief that when I hear a site I use has been hacked, I don't have to worry whether I've used the same password on other sites.

mrg mentioned frustration with 1Password not properly detecting when you're updating a password vs. creating a new one. I've had mixed results with this, and I think it just depends on each site's interface for updating passwords. Sometimes it understands that I'm updating a password, but sometimes it still thinks I'm creating a new account. When it knows I'm updating, it asks me if I want to update the password. This interface did change with version 4, but I can't say whether it's any better at discerning update vs. create. I'm in the habit of launching the 1Password app, looking up the relevant account and pasting in my new (randomly-generated, super-secure!) password whenever the browser extension fails me. After developing some muscle memory for this procedure, it's become a trivial task.

I use 1Password to fill in my credit card info and bank routing numbers a lot, too.

The iOS app has an in-app browser (so you don't have to flip from Safari, look up your password, copy, flip back, paste) that is sometimes very handy. I use that for online ordering on my iPad a lot. I have my login for sites I shop from regularly (local pizza place, couple of clothing stores, PayPal, etc.) marked as favorites, so I go to my favorites, select the account and then click the web address (it saves the URL you're on when you initially save the login), and it goes to the page and logs me in automatically, and also fills my payment info when I get to that step.

I feel like the energy required to switch between different password managers means that most people try one and stick with it forever, so I suspect advice on one versus another isn't as readily available as you'd expect/hope. But whatever you choose, I think you'll really like not having to juggle passwords anymore.
With generated passwords, how do you log in from a computer without LastPass or 1Password installed on it (and assuming you have no access to a smart phone)?

Personally, the times when I need to access a password-protected resource but don't have at least one of: computer, smartphone, ipad, or wife's phone are non-existent.

I do accept the slightly minor inconvenience of typing in cryptic passwords manually. This may seem dumb at first, but it is well worth the added account security.
I slugged it out with KeePass for quite a few years before switching to LastPass Premium. My main advice to you would be to use a commercial password manager (for your requirements that would be LastPass or 1Pass). I would also recommend turning on two-factor authentication; I don't know about 1Pass, but that is something you can do with LastPass. I would make a point to change any re-used passwords so that every site has a unique password to prevent "side hacking". Finally, let the password manager randomly generate passwords for you.

I would ignore the advice up-thread about password systems that don't require an application. While well meaning, it is outdated - every time that hackers get a couple of million passwords, everything we are doing is collectively getting weaker. When passwords that use systems like those described above are released into the wild, they get cracked and then the system doesn't work anymore. Ars Technica described this problem in detail last year.
I've used LastPass for around 4 years. Good stuff. Free to try it. For new accounts it will generate "good" passwords if you tell it to.
I use both LastPass and 1Password (one for work, one for personal).

1Password is a much better product at this point in time, and I strongly recommend it. The interface is a tad simpler, but more importantly it has far fewer glitches.
With generated passwords, how do you log in from a computer without LastPass or 1Password installed on it (and assuming you have no access to a smart phone)?

1Password perspective: So, you asked about an iOS access point; if you're using 1Password on an iPod touch or an iPad without cell data, it will still have the data locally stored, so you can access it without a network connection.

If you don't have that device with you, there is an alternate way. You'll need to be using Dropbox to sync your data between devices, and you'll need to be able to access Dropbox from wherever it is you are. If you log into Dropbox on the web and into the folder where 1Password keeps the keychain, you'll see that the keychain is actually a folder. (If you do this from the Mac client and access it as a synced folder, it doesn't let you inside the keychain unless you're doing some trickeration.) In there will be a 1Password.html file. Open that, enter your master password and you're all set.

If you can't access Dropbox and don't have a portable device with the app on it... well, then you're probably going to be waiting until you get home.
What's wrong with just using Apple's Keychain? Rather than using an app to generate random passwords, Keychain stores all of them. If you forget your password you can open the Keychain app and look at it in plain text.
I'm too paranoid that my keychain will get lost or corrupted somehow and I'll be locked out of everything (which is the same reason I never adopted LastPass or 1Password or etc)

I don't know about the others, but with the 1Pass cloud keychain format a 1-bit error will only damage data for the account in which it appears, and depending on what part of the data is damaged potentially only part of that account item. (note, 1Pass document their keychain format, and there are open source clients that will read it as well so you're not locked in to the AgileBits products).

With generated passwords, how do you log in from a computer without LastPass or 1Password installed on it (and assuming you have no access to a smart phone)?

1Pass can do a JavaScript client if you store your keychain somewhere it's reachable over http (like Dropbox, for example). Using this you need to trust the computer you're on doesn't have a keylogger or anything, but otherwise gives you full read-only access to your keychain.
I've been using LastPass for years and highly recommend it. I have not noticed at all this comment from Osrinith: I started with LastPass and liked it just fine, but they started to move towards a monetization policy of credit-checking services rather than focusing on password security.

I have the Pro version so that it's also on my phone.
The thing I want to share about LastPass that may help or hinder is that in the two and a half years I've been using it, it's only gotten better.

Monetization is not really an issue for me. They moved from free to $12/year, that's $1/month. Cut out one Starbucks coffee every other month and you can pay for this.

The iPhone app recently switched from just being a password vault browser to having a built-in Internet browser like the iPad app always had (since I started using it). I don't use the integrated internet browser function a lot, but I do sometimes need it.

It is a little clunky because it's pretty secure. It allows syncing between devices automatically because the encrypted vault you carry is cloud-based. Which is not as secure as having full control over the file-based vault you'd have with KeePass. 1Password is like LastPass in that the file is somehow managed over the cloud.

I do sometimes have to physically transcribe passwords from my vault as I view it on my iPhone to whatever password-requiring site/service I'm challenged with. It's okay. Worst is on video game consoles with no real keyboard input. But whatever, it's a small price to pay for only having to remember one extremely complicated master password (that I change every so often).

Also they allow 2-factor authentication, which is the bomb. You can even print out sheets of codes if you're afraid something will send you back to the dark ages. Or you can use Google Authenticator. To me LastPass pretty perfectly balances security and convenience.
I use LastPass on my laptops (OSX/Windows (work and home)) and it's great. It's easy enough that I set it up on a few family members' computers. (To be fair, they only use the bare minimum features.) If you are not a premium member, you can still access it from your phone but it's a bit of a hassle.
Switching to Windows 8, it's a bit of a bummer that there doesn't seem to be an add-on for the metro version so you have to switch around from metro to desktop mode. (this is more of a MS issue than a Lastpass issue but, fyi). The recent update has made it a lot more visually appealing.

The premium feature seems to be that you can use it a native app from Lastpass. It might be helpful if those of you who pay for the premium could talk a bit more about that.

Anyways, I recommend it as well.
Of all the automated password managers I've tried I like Dashlane the best.

It connects to Firefox, Chrome, and IE to automatically handle logins, credit card numbers, and form filling (e.g. name and address), but has good controls for how frequently it should ask for your master password before it will fill anything in. It also helps me generate new passwords, and lets you control the length and type of characters it uses. It syncs this information between multiple computers, and has iOS and android apps.
