Simplest good password manager
November 19, 2020 12:01 PM Subscribe
A relative uses a password manager on one computer, with intent that I can access their passwords if needed due to emergency. (I don't live near them, so paper is not an option here.) They do not use or want autofill on web pages, syncing to other computers/phones, or any other bells and whistles. We've used Dashlane for this, but they are now pushing a web/extension model rather than a desktop app that will likely bother and/or confuse my relative. All they need is the ability to save passwords and text (in Dashlane this is "secure notes") and the ability for me to access this in case of emergency - and of course that this be secure. Are any of the other options going to be simpler than Dashlane?
Why can’t they mail you a letter with the passwords? Or call you?
posted by Ideefixe at 1:10 PM on November 19, 2020
posted by Ideefixe at 1:10 PM on November 19, 2020
I have not used it personally so I am not sure it meets your simplicity requirements but KeePass with the database stored somewhere you can access (dropbox or whatever) may be an option.
posted by quaking fajita at 1:25 PM on November 19, 2020
posted by quaking fajita at 1:25 PM on November 19, 2020
Best answer: I would stick to Dashlane if you can. They have always had a browser extension, but I don't think you have to use it (there's a lot of things you can't do in the browser that you can in the app).
posted by samj at 1:27 PM on November 19, 2020
posted by samj at 1:27 PM on November 19, 2020
+1 to KeePass
I use KeePass, with the DB stored in dropbox. Thinking about it now, this may be something I try with my aging parents...
posted by chiefthe at 1:45 PM on November 19, 2020
I use KeePass, with the DB stored in dropbox. Thinking about it now, this may be something I try with my aging parents...
posted by chiefthe at 1:45 PM on November 19, 2020
Yes, KeePass seems to fit all of your requirements, and if you sync it to Dropbox or somewhere, you can also use it on a phone. It also has plugins for both Chrome and Firefox if you do end up going down that route.
posted by patternocker at 4:50 PM on November 19, 2020
posted by patternocker at 4:50 PM on November 19, 2020
I use KeePassXC for this, with the secrets database file kept in a Dropbox folder. This would also fit your described use case. I prefer KeePassXC to the original KeePass because it doesn't need a huge, slow-starting .Net/Mono runtime to make it work. It's quite tidy and easy to live with.
I have turned on the setup options to autostart at login, minimize as soon as the database is unlocked, and use shift-ctrl-L as a global auto-type hotkey. This means that as soon as I log in, the first thing I see is a prompt for my KeePass master password. Fill that in and KeePassXC essentially disappears into the background. When I need to log in to a website I click in the Username box and press shift-ctrl-L; KeePassXC wakes up and types in the username and password for me. No browser extension or integration is required and the same process works for any dialog box asking for a username and password, web or otherwise.
Entries in KeePass databases are organized in groups, which can themselves be nested in other groups. Group members can have their own auto-type sequences explicitly set; if that's not done they inherit them from their containing group. I've set the auto-type sequence for the all-containing Root group in my own database to
{CLEARFIELD}{USERNAME}{TAB}{CLEARFIELD}{PASSWORD}{ENTER}
and this works well for most login forms. Some, such as Google, have separate pages for entering username and password. In the database entries for my Google accounts I've set the auto-type sequence to
{CLEARFIELD}{USERNAME}{ENTER}{DELAY 4000}{CLEARFIELD}{PASSWORD}{ENTER}
This works well (delay numbers are specified in milliseconds, so that's a four-second delay to give the password page time to load). Pretty much any login page can be accommodated with some variant of this.
Login pages that refuse to cooperate with auto-type for whatever reason can just have usernames and passwords copied from the database in much the same way as you'd do for a simple-minded password list kept in a Word doc or similar, except that KeePass/KeePassXC allow you to copy usernames and passwords without needing to see them and also clear the clipboard after a short delay so that your secrets aren't hanging around waiting to be pasted accidentally into something else.
I've encountered the occasional login form that actually goes out of its way to block pasting into password fields (presumably "because security"). KeePassXC also lets you drag a password straight out of a database entry without looking at it and drop it into a web form. I have yet to meet a login form that manages to screw this up as well.
You can add attachments of arbitrary size and file format to any KeePass database file entry, as well as free-form text notes readable from within the KeePass/KeePassXC user interface itself.
If your relative wants to give you access to their secrets, you will need two things: access to their .kdbx database file, and knowledge of its master password. If they're willing to keep their .kdbx file inside a Dropbox folder, they can just give you a sharing link to it and you can pull a current copy over the Web when you need it. Using Dropbox also creates a file history, allowing previous versions to be retrieved if something hideous should happen to the current one (that's the main reason I use it). If the master password that secures the .kdbx database is good and strong, Dropbox's security or perceived lack of it is irrelevant. Any file sync/sharing platform with a file history feature (iCloud, OneDrive, whatever) would work equally well.
posted by flabdablet at 10:52 PM on November 19, 2020
I have turned on the setup options to autostart at login, minimize as soon as the database is unlocked, and use shift-ctrl-L as a global auto-type hotkey. This means that as soon as I log in, the first thing I see is a prompt for my KeePass master password. Fill that in and KeePassXC essentially disappears into the background. When I need to log in to a website I click in the Username box and press shift-ctrl-L; KeePassXC wakes up and types in the username and password for me. No browser extension or integration is required and the same process works for any dialog box asking for a username and password, web or otherwise.
Entries in KeePass databases are organized in groups, which can themselves be nested in other groups. Group members can have their own auto-type sequences explicitly set; if that's not done they inherit them from their containing group. I've set the auto-type sequence for the all-containing Root group in my own database to
{CLEARFIELD}{USERNAME}{TAB}{CLEARFIELD}{PASSWORD}{ENTER}
and this works well for most login forms. Some, such as Google, have separate pages for entering username and password. In the database entries for my Google accounts I've set the auto-type sequence to
{CLEARFIELD}{USERNAME}{ENTER}{DELAY 4000}{CLEARFIELD}{PASSWORD}{ENTER}
This works well (delay numbers are specified in milliseconds, so that's a four-second delay to give the password page time to load). Pretty much any login page can be accommodated with some variant of this.
Login pages that refuse to cooperate with auto-type for whatever reason can just have usernames and passwords copied from the database in much the same way as you'd do for a simple-minded password list kept in a Word doc or similar, except that KeePass/KeePassXC allow you to copy usernames and passwords without needing to see them and also clear the clipboard after a short delay so that your secrets aren't hanging around waiting to be pasted accidentally into something else.
I've encountered the occasional login form that actually goes out of its way to block pasting into password fields (presumably "because security"). KeePassXC also lets you drag a password straight out of a database entry without looking at it and drop it into a web form. I have yet to meet a login form that manages to screw this up as well.
You can add attachments of arbitrary size and file format to any KeePass database file entry, as well as free-form text notes readable from within the KeePass/KeePassXC user interface itself.
If your relative wants to give you access to their secrets, you will need two things: access to their .kdbx database file, and knowledge of its master password. If they're willing to keep their .kdbx file inside a Dropbox folder, they can just give you a sharing link to it and you can pull a current copy over the Web when you need it. Using Dropbox also creates a file history, allowing previous versions to be retrieved if something hideous should happen to the current one (that's the main reason I use it). If the master password that secures the .kdbx database is good and strong, Dropbox's security or perceived lack of it is irrelevant. Any file sync/sharing platform with a file history feature (iCloud, OneDrive, whatever) would work equally well.
posted by flabdablet at 10:52 PM on November 19, 2020
Best answer: I've just got a relative started with BitWarden for very close to this use-case.
I've been using KeePass for years myself, and it does work. But it is more fiddly and more oriented towards people who are technically capable.
BitWarden is simpler and it just works. Open source as well, and for your purposes it is free. They have native apps for Windows, android, macOS, iOS, Linux, etc etc. Plus you can access it by logging into the BitWarden web site. Point is, whichever combination of operating systems/devices the two of you use, you're covered.
BitWarden web site.
posted by flug at 11:07 PM on November 19, 2020 [1 favorite]
I've been using KeePass for years myself, and it does work. But it is more fiddly and more oriented towards people who are technically capable.
BitWarden is simpler and it just works. Open source as well, and for your purposes it is free. They have native apps for Windows, android, macOS, iOS, Linux, etc etc. Plus you can access it by logging into the BitWarden web site. Point is, whichever combination of operating systems/devices the two of you use, you're covered.
BitWarden web site.
posted by flug at 11:07 PM on November 19, 2020 [1 favorite]
Best answer: The Mac has a built-in password manager—the Keychain. If you launch the "Keychain Access" app on the Mac, you'll see a list of all the passwords stored in the keychain. You can also use the Keychain Access app to create secure notes, accessible right in the app. There's nothing to install—this comes with the OS.
Assuming they use Safari, you can turn off password autofill in Preferences -> Autofill -> User names and passwords, if they don't want it turned on. This will let them store passwords in the Keychain, but it won't automatically autofill. Though, to be honest, AutoFill makes it easy. The Mac will even suggest strong passwords and add them to the keychain.
The Keychain Access app allows you to see existing passwords. Just search for the website you're interested in, double-click it in the list, and click the "Show password" checkbox. Enter your keychain password, and voila.
Keychains are protected by the Mac's login password. If you know the password for their Mac's account, you have access to the keychain. If they give you their password for the Mac, and you store it in a safe location, you'll have access to the keychain in case of an emergency.
There is a wrinkle, here, though—if the Mac's login password changes, the keychain's password doesn't automatically change. The Mac will prompt you for the old password, so that the keychain can be updated with the new password, at which point the keychain and login passwords would be in sync again. So, if there was an emergency, and you had lost the Mac's password but somehow managed to reset it (via iCloud), you wouldn't have access to the keychain.
There's iCloud Keychain, which uses iCloud to sync keychains between devices. But if they don't want syncing, you can leave that turned off, and their Mac's keychain will remain confined to the Mac.
Other solutions described by MeFites might help more than this one, but I find it's always helpful to know about built-in, first-party solutions.
posted by vitout at 6:41 AM on November 20, 2020
Assuming they use Safari, you can turn off password autofill in Preferences -> Autofill -> User names and passwords, if they don't want it turned on. This will let them store passwords in the Keychain, but it won't automatically autofill. Though, to be honest, AutoFill makes it easy. The Mac will even suggest strong passwords and add them to the keychain.
The Keychain Access app allows you to see existing passwords. Just search for the website you're interested in, double-click it in the list, and click the "Show password" checkbox. Enter your keychain password, and voila.
Keychains are protected by the Mac's login password. If you know the password for their Mac's account, you have access to the keychain. If they give you their password for the Mac, and you store it in a safe location, you'll have access to the keychain in case of an emergency.
There is a wrinkle, here, though—if the Mac's login password changes, the keychain's password doesn't automatically change. The Mac will prompt you for the old password, so that the keychain can be updated with the new password, at which point the keychain and login passwords would be in sync again. So, if there was an emergency, and you had lost the Mac's password but somehow managed to reset it (via iCloud), you wouldn't have access to the keychain.
There's iCloud Keychain, which uses iCloud to sync keychains between devices. But if they don't want syncing, you can leave that turned off, and their Mac's keychain will remain confined to the Mac.
Other solutions described by MeFites might help more than this one, but I find it's always helpful to know about built-in, first-party solutions.
posted by vitout at 6:41 AM on November 20, 2020
Response by poster: Thanks all, especially samj for the suggestion to just keep using Dashlane, flug for mention of BitWarden, and vitout for the reminder about and detailed explanation of the Mac's native keychain option. While KeePass looks great for those who can manage it, it looks way too complicated for my relative. Turns out Dashlane will keep the desktop app though not continue to update it, which means it will become obsolete eventually but not immediately, and my relative has agreed to switch to and learn the web app.
posted by 2 cats in the yard at 7:38 AM on November 22, 2020
posted by 2 cats in the yard at 7:38 AM on November 22, 2020
« Older Is a digital recorder significantly better than a... | How to approach a tricky conversation about MLM Newer »
This thread is closed to new comments.
And I meant that the web/extension thing will likely bother & confuse my relative. They would prefer a desktop app if possible
posted by 2 cats in the yard at 12:02 PM on November 19, 2020