What password manager should I be using?
I don't think which one matters nearly enough as just using one. I use LastPass, pay the $12 per year for mobile access and don't regret it. You can even add private notes for yourself. The other two are just fine as well. Don't let this indecision paralyze you into doing nothing. You can always change later.
posted by soelo at 9:58 AM on August 3, 2016 [6 favorites]

Also, if you have other suggestions, I would be glad to hear them.

I don't trust anyone with my passwords, so I came up with my own system and it hasn't failed me yet.

1. I come up with a core, for example "bar10der" - the less of a real word the better, but easy for YOU to remember.
2. The site I'm logging into is Metafilter, so I put a capital "M" in front of it: Mbar10der (this give me the capital letter most sites want)
3. Finally, I count the letters in the site name - Metafilter has 10 letters, so I put that number at the end (giving me the number most sites want), so my final password for Metafilter is "Mbar10der10".

My Amazon password would be Abar10der6, Facebook would be Fbar10der8, and so on. As long as I remember the core, and can count, I'll remember my password for every site. I used to keep a little address book with them written down, but since I switched to this system, I never forget a password.
posted by NoraCharles at 10:01 AM on August 3, 2016 [15 favorites]

N.B. that, of those, I think only 1Password doesn't rely on a back-end that, by definition, knows how to decrypt your password store.

LastPass has already been hacked once. Any such service will be a very, very attractive target for bad people. Better to use a tool that doesn't have a back-end capable of unlocking your goodies, and then rely on syncing the encrypted file around as needed.
posted by uberchet at 10:09 AM on August 3, 2016 [3 favorites]

I used to use both LastPass and 1Password, now I just use 1Password. It's worth paying for.
posted by BinaryApe at 10:10 AM on August 3, 2016 [1 favorite]

Personally I distrust cloud providers and would never rely on one to keep my passwords either available or secret. However, I also firmly believe that in 2016, failing to use password management software is so far into Doing It Wrong territory as to be unacceptable.

My family uses KeePass 1.x on Windows, KeePassX 0.4.3 on Linux, KeePassDroid on my phone and MiniKeePass on my daughter's iPad, and Dropbox to keep the password database files in sync across all these devices (if you're all-Apple, you could might prefer iCloud). All these packages are interoperable and free.

KeePassX 0.4.4 is still available for OS X. I'm not as fond of the 2.x series of any of these applications - they still work fine, but strike me as overcomplicated.

The security of my passwords is assured by the fact that KeePass database files are properly encrypted and I have a long, randomly generated master password (made from two of the passwords I used to have to remember before I started using KeePass). The worst that could possibly happen if something goes wrong with Dropbox is that I'd need to find some other cross-platform sync service to replace it; even before doing that, I'd still have full access to all my local copies of the password database files.

As well as the copies synced by Dropbox, I keep one (along with the portable version of KeePass) on a μSD card in the Elago Nano reader attached to my car keys. I update that one from the main one every now and then. As long as it's got my current Dropbox password in it, I can always get a current copy of my main password database via Dropbox on the web.
posted by flabdablet at 10:18 AM on August 3, 2016 [16 favorites]

KeePass synced between my computer and my phone via SyncThing. All free and open source, no cloud involved.
posted by ropeladder at 10:18 AM on August 3, 2016 [7 favorites]

I don't think which one matters nearly enough as just using one.

Also this.

All of them, to the best of my knowledge, support exporting and importing password databases in formats used by the others. However, by the time you've built up a passwords collection big enough that you'd want to avoid having to enter it all again by hand, you'll be so completely used to working around the limitations of whatever password manager you started with as to make jumping ship not worth the trouble.

The most important thing is to use the software. Pick one and get started.

Also, it's worth getting in the habit of always using your chosen password manager to open any of the sites whose credentials you're storing in it. That way, you avoid any possibility of being hooked by a phishing site.
posted by flabdablet at 10:27 AM on August 3, 2016

I came up with my own system and it hasn't failed me yet.

I will cop to using a similar system for sites where security is not vital for me, but I wouldn't recommend something like this for anything actually sensitive.

First, there's the overarching fact that laypeople suck at designing their own security systems.

Second, chances are there are people who you might trust with a password or two of yours (hey Spouse, can you login to my Amazon for me and order some more peanut butter quick?), and if one of those people gets their hands on two of your passwords, they can discern your system.

Third, even if you never ever share passwords, there are enough username/password databases out there that eventually some hacker is going to start looking for password patterns across them -- especially if that hacker has a reason to target you personally for whatever reason.

Anyways, as to the actual question: I use LastPass, it works great for me (though I haven't ponied up the $12 for mobile access yet). I like the way that the company as a whole talks about security (I am aware that a lot of this is marketing, but at least they get what I'm looking for). It's right in the middle of the security/convenience/cost Venn diagram for me, in a way that say, KeePass is not.

But yeah, the most important thing is that you use something. If you don't like what you choose, then switch.
posted by sparklemotion at 10:30 AM on August 3, 2016 [4 favorites]

If private notes are a feature of interest to you, the KeePass database format supports those and you can also attach a file (which can be a zip archive full of other files) to each entry.
posted by flabdablet at 10:30 AM on August 3, 2016

My current password management, er, 'style'

leads me to recommend that you just replace Adobe Acrobat with the appropriate app from the KeePass family on each platform, and just keep doing what you're already used to doing, only with better security and convenience, using KDB files instead of PDFs.
posted by flabdablet at 10:33 AM on August 3, 2016 [2 favorites]

Seconding the KeePass/MiniKeepass/KeepassX solution - as noted upthread, it's good enough, it's free and it works with any WebDAV type syncing, including Dropbox.
posted by Happy Dave at 10:39 AM on August 3, 2016

I don't know if you log into anything from your phone often, but I pay for Lastpass Premium because it can auto-fill passwords for me on my phone. That's super helpful because I also use it to generate passwords, so all my passwords are like 16 character length random strings that are a pain to type in.
posted by possibilityleft at 10:50 AM on August 3, 2016

LastPass has already been hacked once. Any such service will be a very, very attractive target for bad people. Better to use a tool that doesn't have a back-end capable of unlocking your goodies, and then rely on syncing the encrypted file around as needed.

LastPass doesn't have the ability to independently decrypt user data.
posted by CBrachyrhynchos at 10:50 AM on August 3, 2016 [1 favorite]

I pay for Lastpass Premium because it can auto-fill passwords for me on my phone

MiniKeePass and KeePassDroid can both do this.

MiniKeePass does it by using iOS's multiple-items clipboard feature: after touching the entry for the site you want in MiniKeePass, Username and Password items become available in the clipboard for pasting.

The Android clipboard doesn't have that, so KeePassDroid works a slightly different way. After touching a site entry in KeePassDroid, you get two notifications in the global pulldown notification area. Touch one of those and a username gets copied to the clipboard; touch the other and the password is copied.

I've used both, and after a little practice they both stop being annoying.
posted by flabdablet at 11:13 AM on August 3, 2016

LastPass is very good. I've been using it for years. As CBrachyrhynchos notes, they do not have the ability to decrypt your passwords. They also offer two factor authentication for extra security. I trust them.

The #1 deciding factor should be ease of use. How good the Browser Extension / Password Agent is, and how well it works on your mobile device of choice. LastPass' browser extension is good enough, and their iPhone client is as good as it can be given the limitations of iOS. I would not call either user experience "great" though. It's been awhile since I tried out 1Password, but if it's a better user experience I'd love to know and switch.
posted by Nelson at 11:14 AM on August 3, 2016

One more plug for the KeePass family and I'll shut up: none of them needs you to modify your browser in any way.

That's useful when you're using a computer that isn't yours: insert your USB stick into the computer, drag your own KDB file and drop it on the portable KeePass application you keep alongside it on the stick, and you're able to log on and auto-type your credentials regardless of what browser is installed on the machine.

Of course, you would never do this on any computer you could reasonably expect might have been compromised by a keylogger.

Browser extensions to integrate KeePass do exist, but I don't see the need for them. My workflow for opening a site from KeePass goes like this:

1. Double-click a URL in my KDB file. KeePass brings the browser to the front with that page open.
2. Do any minor clickery required to prepare the page for having the username typed in (usually this is none at all), then click the KeePass taskbar icon to bring KeePass to the front again.
3. Press Ctrl-V. KeePass auto-types the username and password and logs on.

My main reason for always starting by double-clicking a URL in KeePass is to render my habits phishing-proof; my KDB file, unlike my email client and/or browser, is beyond the reach of scammers.
posted by flabdablet at 11:27 AM on August 3, 2016 [1 favorite]

After burning through a couple of password managers that no longer exist, I finally stumped up for 1Password. It's good—I wish I had started with it. You have several options for cloud storage (iCloud, Dropbox, whatever), as well as the option of "none": you can sync over wifi if you want. I've got several "vaults," one of which I share with my wife for logins to our utilities. You can store stuff in it other than passwords—I've got some sensitive documents in it—and you can unlock the iOS version with your thumbprint, which is nice.
posted by adamrice at 11:33 AM on August 3, 2016

It is sometimes clunky but I find that LastPass is the most useful I've tried. It has extensions for each browser, can be used to store secure notes as well as site passwords, and credit cards too, and has very helpful functions like quick customizable password generation and the ability to audit your own security overall. It updates itself instantly on all my devices -- computer, tablet, phone.

I hated 1Password, which I tried because of strong MeFi recommendations -- it never worked on any browser and was damned hard to access on my computer, and constantly was updating and popping up on my screen.
posted by bearwife at 11:50 AM on August 3, 2016

I've used 1Password for many years now and love it.

I chose it because it was a one-time purchase (no subscription - though they're now offering subscription services), it worked on all of my devices (PC, Mac, phone), and because it offered more flexibility over where and how my secure database is kept in sync - I use Dropbox, but I could easily take my database entirely offline if I wanted. As mentioned above, online subscription services make me uneasy, considering that Lastpass has already been compromised. I prefer to have the options that 1Password gives me.

I considered Keepass since it will accomplish the same, but decided against it since its software strikes me as much less user friendly, and it didn't have a good phone app at the time.

Either way, use a password manager. All of my passwords are now unique, long, and complex. Better yet, I don't have to remember any of them ever. The only time I've been inconvenienced by this is if I'm using a machine that's not mine. When that happens I have to pull out my phone and manually type in the password. That's a rare enough problem that I have no regrets at all about making the switch.
posted by owls at 12:05 PM on August 3, 2016 [1 favorite]

For individual sites I use a system very similar to the one NoraCharles describes, but then I use 1Password to manage them, and I created a very cleaver, very long passphrase as my master password in 1Password.

I like 1Password because I can store the chain on my Dropbox account and use 1Password on multiple devices. And I like the iOS app.
posted by terrapin at 12:08 PM on August 3, 2016

One more vote for 1password & dropbox.
posted by o0dano0o at 12:10 PM on August 3, 2016

I've used LastPass for the past couple years, and I love it. It worked so well for me that I sprung for the premium version for $12 and don't regret it at all. It's simple, cross platform and works on all major browsers - in fact, Microsoft Edge will be supporting the LastPass extension thanks to the new Anniversary Update for Windows 10 that is currently rolling out. I especially like the fact that LastPass allows me to generate long, random passwords for every site I currently use, so all I have to remember is one master password.
posted by Roger Pittman at 12:18 PM on August 3, 2016

To clarify the above comment, for Lastpass the encryption is done in the client. Lastpass uses an authentication token rather than sending the password over the network and the formula (in pseudocode) is, I believe, sha256(username + sha256(passphrase)). Their encryption uses something like PBKDF2(passphrase), also in the client/browser. I believe the above has been confirmed independently.
posted by CBrachyrhynchos at 12:29 PM on August 3, 2016

I use KeePass and sync my database across devices (including mobile) using SpiderOak, which I trust a fair bit more than DropBox.
posted by Apoch at 12:51 PM on August 3, 2016

nthing Keepass : )
posted by bitterkitten at 12:58 PM on August 3, 2016

I decided to go back to KeePass & dropbox & android apps after using lastpass for a couple years. Lastpass surely was more convenient but I eventually let my fear of storing my passwords in the cloud move me back over.

For family i suggest lastpass because "it just works" and they'll actually use it (without even knowing it really), and I feel that it's good enough.
posted by escher at 1:25 PM on August 3, 2016

I downloaded 1Password last night and it appears to be some horror show of geek-driven metadata framework where you can add all sorts of custom fields and it has checkboxes and options for things I don't want to worry about or even know how to fill out. I found it the new user experience off-putting and I consider myself computer-savvy.

Today I'm going to try LastPass. The website and marketing copy are a lot better to start with.

Since we're an Apple family, iCloud Keychain + password suggestions would probably work for us, but the family sharing features would be nice.
posted by troyer at 2:09 PM on August 3, 2016

One thing about Lastpass which I liked is that there are lots of ways to access your passwords.

For example, at work everything is locked down - so running an executable, using a USB stick, accessing Dropbox or installing a browser extension are off limits.

Thankfully Lastpass has bookmarklets which work in the aging version of IE that we have access to.
posted by mr_silver at 2:34 PM on August 3, 2016

I use lastpass and have for a couple years, I pay the $12 for mobile access, and I use a Yubikey for computer access (you have to plug in a little usb stick for a couple seconds and press a button when you first log in to the extension).

I really like it and it was really easy to set up, especially if you're currently allowing a browser to save any of your passwords, it just imports them all off the bat. There's also a tool where you can do a one-click change for a lot of popular sites and it will just automatically do a password change for you instead of you having to do all the steps. I've used it a couple times for that and like it a lot.
posted by euphoria066 at 5:32 PM on August 3, 2016

The main thing here is actually to use a different, complex* password for each of your online accounts. I can't tell from your comment about your current Adobe system of keeping passwords if this is the case. If you aren't doing that now, then as someone up thread said, "I don't think which one matters nearly enough as just using one." Don't let perfect be the enemy of good. I used KeePass for five or six years and then moved over to LastPass about four years ago and then quickly upgraded to the premium version of LastPass. I get the concern about trusting someone else with passwords; if you have the willpower for KeePass, I'll stipulate it is a better solution. I just reached the point of password madness (> 200) that usability and cross-platform syncing trumped security. The main reason for chiming in is to give you some advice you didn't ask for:

#1 Review your passwords when import them into your new password manager. If you've got some duplicates, go ahead and take this opportunity to change them to something unique. If they are less than 12 characters and don't include three of four of a mix of upper case, lower case, numbers, and special characters, go ahead and fix that now, too. That is what I mean when I used the word "complex" in the first sentence of this reply.

#2 Turn on two-factor authentication for your password manager.

#3 While you are at it, if you haven't already done so, turn on two-factor authentication for your email account

#4 Do it now.
posted by kovacs at 6:49 PM on August 3, 2016

I like charts which help people compare features of software, so I recommended this article to a friend who recently asked a similar question
posted by gusandrews at 10:53 PM on August 3, 2016

those who used one password manager then traded it for another, what happens to your data?

I played with KeePass 2.x for a while. It uses a different data file format (KDBX) from KeePass 1.x (KDB), so I had to import my KDB database file into 2.x and then save it as a KDBX. That went smoothly and I didn't lose anything.

Later, after deciding I had enjoyed using 1.x a lot more than 2.x, I used 2.x to export all the passwords from my KDBX file back to a KDB. That went smoothly too.

In general, any of the non-cloud-reliant stand-alone password managers (KeePass, 1Password, Password Safe and various others) will keep your passwords in a file stored wherever you choose and backed up however you choose, making it extremely unlikely you'd ever lose it. Most of them will import data in each other's formats as well, so even in the wildly unlikely event of losing access to any installation source for your software of choice, as long as you had your master password you'd still be able to import your collection into whatever manager you like.
posted by flabdablet at 9:06 AM on August 4, 2016

I use Dashlane at the moment, but I might move away from it. The $40/year for premium is unreasonably steep, in my opinion, and the program has a habit of annoying me. I have caught it taking up several gigs of RAM just sitting there, and since I have different browsers, it wouldn't stop harassing me until I installed the add-on in all of them. Every time it updates, it pops up a new tab to make sure I have the add-on installed, although I already do. Just a lot of unnecessary hassle. Also, if you want to share your passwords with someone in case of emergency, you can, but the other person has to have Dashlane, as well. It uses less RAM if you don't use the listener, but then you have to manually open the program whenever you want to use it. Dashlane doesn't auto-clear your clipboard like Keepass, and doesn't always correctly detect form fields.

On the other hand (and I'm not sure if the other programs do this), I like that it's possible to auto-fill payment information, so I don't need to store it on the merchant's server somewhere but I don't have to go get my wallet if I want to buy stuff. Despite my complaints, it is still a pretty good program, all things considered.
posted by jet_pack_in_a_can at 12:31 PM on August 4, 2016

I chose Dashlane about 2 years ago, largely because it would auto-fill credit card info and LastPass wouldn't. I'm not 100% sure that was true that LastPass lacked this ability, or if it is still true, but anyway I definitely love that credit card feature. If you are still typing in your credit card number and your CRC and blah blah then you are living like a savage. It will also autofill my address on most web forms.

I like the security dashboard--it allows me to identify my weakest or oldest passwords and rectify them. For a long time I was just using it for free, so I didn't care about the fact that it's more expensive than LastPass. A few months ago they put out an offer for 5 years at half price, so I jumped on it.

The feature for sharing passwords seems to have worked well for sharing passwords with my wife. I think the wife has had some complaints about the software on her iOS devices, but I don't know the details.

I also really like the "secure notes" feature. As with all features, I haven't tried LastPass so I don't know how this compares with equivalent features of LastPass.

Like jet_pack_in_a_can says, I found that it has a memory leak that causes the memory usage of the Firefox plugin (Windows 7) to grow and grow. Formerly, it was taking about 24 hours for the memory to grow so big that it would lock up. I reported this to customer service, and it seems like they have since partially fixed the problem. It now runs for about a week before it locks up. When this happens I kill the plugin in task manager, restart the browser, and then everything is fine.

My other gripe is that when you type your master password into the popup, it is obscured by default (you know, like ******). You can click on a button to reveal what you're typing, but when you click on the button, the text box loses focus so that you have to re-click it with the mouse. I've written to customer service about this, and they've responded cheerfully that they'll pass it on to the developers, but months later this trivial thing is still not fixed.

I like Dashlane a lot, and have zero interest in switching to LastPass. I also hope you'll choose it, even though I know that my honest review might not sound so good. My fear is that because they charge so much more than LastPass, that LastPass has sucked up all the market share and Dashlane will eventually die.
posted by polecat at 2:33 PM on August 4, 2016

FYI Lastpass will fill in your credit card data for you if you want.
posted by bearwife at 9:05 PM on August 4, 2016

KeePass site entries can easily be customized to auto-type anything you like. Auto-typing gets directed into the application whose window sits immediately behind the KeePass one. If you've just opened a web site from inside KeePass, this will always be the web browser; but it can be quite handy to be able to auto-type passwords into e.g. protected PDF or Word documents, or Skype or remote desktop login dialogs. Any form you can fill in with the keyboard (e.g. by using Tab to move from field to field) you can auto-fill with KeePass.

The default auto-type sequence is {USERNAME}{TAB}{PASSWORD}{ENTER}, which works for 99% of logins. Google accounts need {USERNAME}{ENTER}{DELAY 2500}{PASSWORD}{TAB}{SPACE}{ENTER}. MSY Victoria gets {USERNAME}{TAB}{PASSWORD}{TAB}V{TAB}{ENTER} to make a dropdown menu on their login page select their Victoria store as the one to log in to.

I don't actually have it set up to auto-type my credit card details into any sites, because I won't generally hand over credit card details to sites I wouldn't trust to store them safely and prefer to use Paypal instead. To cover ordering from suppliers who don't accept PayPal, I have a generic KeePass entry for my credit card that contains all its information as a freeform note. It's easy enough to copy and paste the required values from that by hand.
posted by flabdablet at 11:51 PM on August 4, 2016

That is another thing I use LastPass for - filling out those forms! You can have a few different profiles to pick from, too, so one that fills in your work address, phone and email and another that fills out your personal details. It saves me lots of typing.
posted by soelo at 12:34 PM on August 5, 2016

I started off using Dashlane for work and have started using it for personal stuff too. No real complaints. Occasionally some minor buggy stuff where the sync locks up, which I've reported to support, but overall it's a positive experience for me using it across Chrome and iOS. Credit card fill is so great too.
posted by jourman2 at 8:09 PM on August 5, 2016

nthing Lastpass. I've used it for about five years, and started paying for premium (as I craved mobile access) about three years ago. I can't recommend it enough - I often bore my friends about it, and my employees groan when I force them to change all their passwords to keep their security scores high - but the important thing is to use one. Considering the vast gulf between security amateurs and experts, I'd go with the latter's opinion every time.
posted by Ten Cold Hot Dogs at 6:51 AM on October 13, 2016

PSA for Lastpass users: Critical security flaws found in LastPass on Chrome, Firefox
posted by bluecore at 5:31 AM on March 22, 2017

Article includes this recommendation from Tavis Ormandy, the researcher who found those flaws:

If you're suddenly looking for another service to store your important login information, Tavis (who makes a habit of poking holes in security products) suggested KeePass, a manager that doesn't use browser extensions to keep a layer of security between websites and your vault.

posted by flabdablet at 10:03 AM on March 22, 2017

LastPass has commented as well. The highlights: "Our investigation to date has not indicated that any sensitive user data was lost or compromised" and "All extensions have been patched and are being re-released to users"
posted by soelo at 1:48 PM on March 22, 2017

This thread is closed to new comments.