How about you tell me how to use a password manager?
June 4, 2014 10:10 PM

I'm getting tired of the constant hacks, and I pretty much use the same passwords across multiple sites. Thing is, I can't keep up with eight dozen passwords. Seems like the answer is one of the password manager programs/apps out there. So which one is the one to use? How do I use it with multiple locations and computers (work/home/mobile)? I'm willing to pay upfront, but not a subscription. No one needs another monthly expense. Bonus points if you can explain it like I'm five.
posted by Willie0248 to Computers & Internet (37 answers total) 70 users marked this as a favorite
1Password with Dropbox sync does it for me.
posted by Johnny Wallflower at 10:22 PM on June 4, 2014 [8 favorites]

I've used 1Password with Dropbox and KeePass. I ended up with 1Password. 1Password is annoying because it's pretty expensive, especially if you use both Macs and PCs and an iPhone. Also, if you use Android, the mobile app is poor and doesn't currently support editing, just viewing.

It's also a pain to use password managers in general on mobile, because if you're using safari to browse, you're switching between apps, some of which still don't multitask gracefully. Especially on android, in my experience.

KeePass is free and very useful and easy if you're on Windows PCs only. Maybe someone out there has a mobile KeePass solution they trust, but I didn't like the choices.

The other thing to do, of course, is turn on 2-factor auth on anything that supports it. There's no greater pain than using 2-factor auth on mobile (well, in comparison to the other hoops around passwords), but it's better security for your important accounts.
posted by Pacrand at 10:31 PM on June 4, 2014

5-year-old answer: wait until 1password has a sale, then buy a family pack for macs and pcs. Do everything they say.
posted by Pacrand at 10:32 PM on June 4, 2014 [1 favorite]

I keep passwords in an Excel spreadsheet that is saved on an SD card. The SD card is locked in my desk drawer. When I need a password, I just insert the SD card into my computer.

It's somewhat annoying when I am working away from my office computer, but it works for me.

I also tend to worry the most about a few mission-critical web services, like my main Gmail account (which is set up with 2FA), banking, credit cards, and utilities.

I also use a public-facing email address for web signups, so in case a website gets hacked, the email address is not going to be my "main one" and has no information in it.

I also work for an advertising agency, and we deal with about 20 clients that each have at least 10 different accounts. That's 200 passwords, at least, that I need to know each month.

We use Google Docs to keep track of all of them, and I have taken that approach as well in my own life for non-mission critical passwords.
posted by KokuRyu at 10:40 PM on June 4, 2014 [1 favorite]

LastPass on every computer plus the LastPass app and browser plugin on my cell and tablet keeps everything synced and easily accessible. Logging in when mobile is still sometimes annoying but has greatly improved with the new app.
posted by platinum at 10:48 PM on June 4, 2014 [5 favorites]

Best answer: I use 1Password as well. Here's how it works:

You install a program on your computer(s) and your phone. You choose a secure master password to use that will unlock the app and allow you access to all your other passwords.

You set this up to sync, probably via dropbox. That way if you add a new password on your computer, it's available on any other computers, and your phone.

You can also generate a secure file to store on Dropbox or a USB key that acts like the program, in cases where you need access to your passwords but can't install a program: You can open an HTML file in a browser, type in your password, and then access your passwords.

For regular browsing on your computer(s), 1Password has browser extensions. When you're on a login page of a site, you can click the extension button, enter your master password to unlock it (you can set it so you only have to do this once every so often, if you want), then click the site's name to auto-fill the username and password the program has saved for that site. You can also right-click in a field to accomplish the same thing.

1Password also has a menubar app you can use to access passwords for non-internet things like applications. It also includes a secure password generator that lets you choose the length, numbers and symbols, and will automatically save newly generated passwords and associate them with a website.

I've found it very useful for creating new logins, and updating old passwords — it pops up a window when you're changing a password or creating a new login to ask whether you want to create a new 1Password entry or update a current entry.

On mobile, it's a bit more tedious, but it still works. My experience is iPhone/iPad. The app contains a browser, which you can use — you can even open the app, tap on a login for any site, and it will automatically open that site and log you in. But if you're already browsing in Safari and you want to log in, you can just add "op" to the beginning of the URL (so it begins with "ophttps"). That will send the page over to the 1Password app.

It is a bit pricey, but for me it's been worth it to know I'm creating secure passwords for the important stuff, and not using the same ones over and over again.
posted by brentajones at 10:48 PM on June 4, 2014 [10 favorites]
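The post above describes the moving parts of a manager like 1Password (a master password that unlocks everything, an encrypted file that is what actually gets synced through Dropbox, and a standalone file you can open with nothing but the master password). The following is an added illustration of that architecture in Python, written for this page; it is not 1Password's or KeePass's file format or code. It uses PBKDF2 from the standard library to stretch the master password and, because the standard library has no AES, an HMAC-SHA256 counter-mode keystream as a stand-in cipher with an encrypt-then-MAC tag. The iteration count, the field layout and the sample logins are assumptions.

```python
"""Added illustration of a password-manager vault: the master password is
stretched by a KDF into keys, the vault is stored only as ciphertext plus a
MAC, and that blob is what a sync service such as Dropbox would carry.
This is a stand-in, not 1Password's or KeePass's actual file format."""
import hashlib
import hmac
import json
import os
import struct

# Assumed iteration count; real managers tune this to the hardware they run on.
KDF_ITERATIONS = 200_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password, salt):
    """Stretch the master password into a 32-byte cipher key and a 32-byte MAC key.
    PBKDF2 makes every guess at the master password cost KDF_ITERATIONS hashes."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 run in counter mode, used here as a stream cipher because the
    standard library has no AES; a real vault would use AES-GCM or similar."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password, entries):
    """Encrypt a dict of logins; returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    header = salt + nonce
    # Encrypt-then-MAC over header and ciphertext: a wrong password or a
    # tampered file fails here before any decryption is attempted.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(master_password, blob):
    """Decrypt a sealed vault; raises ValueError on wrong password or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def can_open(master_password, blob):
    """True if the master password unlocks the blob, False otherwise."""
    try:
        open_vault(master_password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    logins = {"example.com": {"user": "alice", "password": "tq8!Lm2#vP"}}
    master = "a long master passphrase nobody else knows"
    blob = seal_vault(master, logins)
    print("blob bytes:", len(blob), "| password visible in blob:", b"tq8!Lm2#vP" in blob)
    print("unlock with right password:", can_open(master, blob))
    print("unlock with wrong password:", can_open("password123", blob))
```

The point to take from it: the file that lands in Dropbox is the output of `seal_vault`, which contains no usable information without the master password, and because the KDF is deliberately slow, every guess an attacker makes against a stolen copy costs them 200,000 hash computations. That is why the strength of the master password, rather than the sync service, is what the rest of this thread keeps coming back to.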

Somewhat along the lines of what KokuRyu said, I keep my login/password combos in a google doc.

Though that might sound insecure:
a) If they have access to my gmail I'm pretty much screwed anyway
b) I don't write out the whole passwords. There are certain words I use repeatedly, so I know if I see "C*****123" that it's the word I always use that starts with "C," but no one else knows that.

I found this the only effective way to balance security with the incredible pain-in-the-ass of trying to keep track of my trillion different logins.
posted by drjimmy11 at 10:53 PM on June 4, 2014 [3 favorites]

I have used Password Safe for a number of years. I use it to store virtually all of my passwords (with account names), plus other small bits of information like credit card numbers.

It's a free, open-source application, but it requires a little bit of tech knowledge to get it configured, so the OP might prefer 1Password. It also only works on Windows (XP through Win 8).

I tend to keep the password file on my primary (home) computer, and back it up periodically to a thumb drive. For portability, the password file can be copied to a thumb drive (or a cloud drive), along with the Password Safe application.

Once your password file is open, you can double-click on the appropriate entry, then paste it into the password field of the web page you are using. Closing the safe automatically locks it, and clears any copied passwords from memory.

I also tend to save frequently used, low-to-medium security passwords in my browser, so I don't have to re-enter them all the time. This works for me because my home system is secure and not shared.
posted by Jefffurry at 11:22 PM on June 4, 2014 [3 favorites]

Best answer: I've used LastPass for a long time and really like it because it's easy to use, it works reliably, and it has a lot of features like secure notes, password generation, optional two-factor authentication, etc. You can just install it as a browser extension or you can download the app from LastPass. You don't need to worry about Dropbox or a USB drive or any of that stuff. And it's free. How to use it? Just install it and it will be pretty much self-explanatory (with prompts like "fill", "auto login", "save password", "generate password", etc.).
posted by Dansaman at 11:22 PM on June 4, 2014 [3 favorites]

Seconding PasswordSafe. I've got it running on Windows and Android, and had a compatible manager on Iphone before that. It has no cloud storage, so it's up to you to keep the systems in sync, but PasswordSafe includes tools for merging separate password files. I merge mine once every few months or when I change a bunch of passwords. It autogenerates passwords and you can set how crazy the complexity rules are.

You can also store the password file on some cloud storage as a backup. As long as your master password is suitably complicated, it should be safe until the sun burns out or the NSA reveals a backdoor.

One other note, use something easy to type on your phone for the master password, as you will be typing it a lot. I recommend pass phrases with a few random characters thrown in.
posted by benzenedream at 11:54 PM on June 4, 2014

I used 1Password for a long time and still do generally on my laptop, but iOS updates broke Dropbox syncing to my iPhone. I never upgraded to the latest version of 1Password on my laptop because none of the features really applied to me or were anything I cared about. So I kept using the version I had and I paid for and it kept syncing with my phone and all was well. Then the iOS version updated to a point where it didn't recognize the Dropbox sync to my older version and wanted me to pay for the new version to continue having the same Dropbox syncing I had before. So that broke for me and now if I change a password on my laptop I can't automatically sync it to my phone. I can still manually Wi-Fi sync, but it's a step down for no reason other than I didn't upgrade to something I didn't need.

I'm currently trying out LastPass if for no other reason than I like having something that works all the time without a big new charge later on when they decide to break something. $12 a year is fine to maintain something I know will work vs $40 or so at random when I'm forced to upgrade without cause.
posted by downtohisturtles at 12:01 AM on June 5, 2014

KeePass with the file stored on Dropbox is great and free. For mobile, there seems to be KeePassDroid which is very highly reviewed (but I haven't tried).
posted by bsdfish at 12:55 AM on June 5, 2014 [1 favorite]

I use LastPass. It's pretty seamless.
posted by katrielalex at 1:00 AM on June 5, 2014

LastPass 4 Life.
posted by Hairy Lobster at 1:50 AM on June 5, 2014 [1 favorite]

Apple with iCloud password sync works for some places (e.g. Metafilter).
posted by persona au gratin at 1:51 AM on June 5, 2014

  KeePass with the file stored on Dropbox is great and free. For mobile, there seems to be KeePassDroid which is very highly reviewed (but I haven't tried).

KeePass on my laptop, KeePassDroid on my Android phone, and Dropbox works very well.
posted by briank at 2:54 AM on June 5, 2014 [3 favorites]

I've been using the same system as brentajones for a couple of years now and I couldn't work any other way. It's seamless, satisfying, and (AFAIK) highly secure. I can highly recommend 1Password.
posted by Magnakai at 3:02 AM on June 5, 2014

1Password (or, I assume, any password manager) on mobile sounds incredibly tedious. Also, are those passwords you sync across Dropbox (of all things) actually encrypted?

Yes, 1Password encrypts the Dropbox file.

The other nice thing about 1Password and Dropbox is that you can access it through a browser pointed to the Dropbox folder.

As for browsing, if you're using Safari or Chrome, it can be a little annoying. I've actually switched to using the 1Password browser as my primary browser on my iPhone. Some applications will allow you to specify the default browser to open links. For times where I end up in the wrong browser, brentajones' "add op" trick works, or you can find bookmarks that will do it for you. And for apps, it's not that bad. I keep 1Password in the bottom of the screen so it's visible everywhere. I click out of the app I'm in, launch 1Password and find the entry, copy the password and then double-click the home button. The app I just left is right there, so I can easily switch back and paste it in.

The Android version of it should be out June 10. It's a good deal better than the read-only version they have now.
posted by neilbert at 4:42 AM on June 5, 2014 [1 favorite]

KeePass is free and open source, is still in active development after over 10 years, and there are ports for all systems. While admittedly you are in practice placing your trust in random app developers when it comes to iPhone and Android, you are at the same time not locked into a proprietary system. Syncing via Dropbox is relatively painless, though I have to open the Dropbox app on my iPhone manually to update the database when I need a recently changed or added password.

It won't type your passwords into your browser automatically, but I kind of prefer it that way. You may need to install this bookmarklet to enable pasting in password forms on some websites that stupidly disallow it.

If you don't need any fancy features, KeePass does the job for free.
posted by Aiwen at 4:55 AM on June 5, 2014 [3 favorites]

  KeePass is free and very useful and easy if you're on windows pcs only.

KeePassX is Linux/Mac/Windows, can sync with Dropbox (where, yes, the database is encrypted), and works with KeePassDroid.

KPX only reads and writes KeePass v1 databases, but there are enough features in that format for me.
posted by scruss at 5:01 AM on June 5, 2014 [2 favorites]

I use KeePass and Dropbox to sync everything. I have KeePassX on the Mac at home, KeePass on the Windows machine at work. iPhone and iPad have MiniKeePass. MiniKeePass had decent reviews, and I have been using it for 2+ years without trouble.
posted by ohjonboy at 7:04 AM on June 5, 2014 [1 favorite]

Another vote for KeePass(x). I've been using it on Windows & Mac for a few years, and it works quite well.
posted by jmd82 at 7:04 AM on June 5, 2014 [1 favorite]

I use and love LastPass. Integrates with every browser, fills in passwords automatically. You can get by just fine with the free basic service; if you want some extra features/mobile apps, the premium version is $12/year.
posted by Shmuel510 at 7:04 AM on June 5, 2014

Piggybacking, does anyone have some recommendations that DO NOT utilize some 3rd party software that locks your passwords behind another password that can be forgotten, lost, stolen, or hit by a cosmic ray?
posted by BeerFilter at 7:10 AM on June 5, 2014

LastPass stores a local copy of your password database on your computer that is accessible even if their service goes down. I would guess the other paid providers do this too.

I use LastPass and love it, most of all for the 2-factor authentication.
posted by Aizkolari at 7:32 AM on June 5, 2014

1Password unless you want something that is aggressively painful to use, then choose LastPass.
posted by toomuchpete at 9:29 AM on June 5, 2014

I've used LastPass for years, and I kind-of like it, but I've noticed two problems with it lately:

More and more websites don't seem to function automatically with LastPass. There might be some kind of work-arounds, but I haven't researched them.

I recently had to change a bunch of my passwords on different websites, and LastPass would often get confused during the process. After struggling with it for a while, I just disabled it and did the changes manually (then went back and manually updated the information inside of LastPass).
posted by alex1965 at 9:38 AM on June 5, 2014

BeerFilter: the only other solutions I can think of involve either writing all your passwords on cards which you then keep in a box by your computer, or something similar. In theory, you could have a system which uses your phone or another device as a code generator, but it's still reliant on another piece of hardware. Any better ideas?
posted by Magnakai at 12:53 PM on June 5, 2014

Ars Technica has got you covered.

The most important thing to remember no matter what software you pick is that your master password has to be really good or the whole password manager thing is just creating a honeypot for someone to get into your complete online identity. (This shouldn't dissuade you from using a password manager, as it's still a much better idea than not using one.) Your master password should be long, probably 12+ characters if not double that, should not contain words from the dictionary or phrases (common password crackers now use Wikipedia to get lists of words that go together), should contain a mixture of letters, numbers, and symbols, and shouldn't be of the common and obvious form {Capitalizedword}{string of numbers, especially a year}. The more formulaic your password structure and content is, the less secure it is.
posted by wondercow at 1:10 PM on June 5, 2014 [2 favorites]

LastPass only costs $12/year if you get the premium version, which offers two-factor authorization, etc. The free version seems like it would probably meet your needs.

A good way to remember a complex master password is to memorize a random phrase and then use the first letter of each word as a character in your password, with some modifications (like S becomes $ or A becomes @).

For example:

Phrase: "AskMetaFilter is my #1 favorite social networking site in the entire frigging world bar none":

Derived password: @MFim#1f$nsitefwb0

That's an 18 character password with a "random" assortment of characters: upper case, lower case, numbers (one, and zero for "none"), and special characters.

Of course now that particular password is not random and secure, you need to make up your own.
posted by Dansaman at 5:15 PM on June 5, 2014

I don't know if it has been mentioned before, but one of the coolest features of 1Password is that you can use it on any computer, say if you're at a relative's house using their computer and need access to something of yours. Pull up Safari / Chrome (any modern browser), open up Dropbox via the web interface, and click the 1Password.html file; it will open up a secure window just like the application's initial screen. Type in your master password and voilà! You have your 1Password keychain available. Browsing away from the window or closing it relocks 1Password. Indispensable when using it on my work computer which doesn't allow for installation of apps like 1Password.
posted by lonemantis at 10:18 PM on June 5, 2014

  1. I've settled for LastPass and it works perfectly fine on every OS, every PC out there. Well, almost, but it's by far the best option out there. Paying $1 per month lets you use its mobile app, which I don't complain about. Their Android app is making some real good progress these days.
  2. Another option is using KeePass, KeePassX (corresponding browser plugins are good too) etc. and using Dropbox or any cloud sync service to sync your passwords. (It's safer. Safer as in safe for the paranoid. Not a bad thing.) I tried this and found it very cumbersome, or I am just lazy.
  3. There are some websites (13 to be precise) for which I don't trust any service or app. For them I have a personalised algorithm which has a fixed component (which becomes variable, actually) and 3 variable components which depend upon the website's name (name and TLD and one more thing). I have written the complex algorithm in a text file and have saved the encrypted file in Dropbox (4 years and I have never needed to take that file out, but just in case). For a hint: this xkcd.
I could easily use the 3rd option for each of my hundreds of passwords, and that would be very secure too, but LastPass is just too easy.

Verdict: If you don't want to use it on mobile then LastPass is what I recommend (because on mobile it costs $1 a month). Otherwise go with the Dropbox+KeePass(X) setup. Here are some more.

(I tried 1Password and I didn't like it, mostly for the fact that other than iDevices and OS X their apps are almost a low-priority afterthought. jm2c)
posted by amar at 1:10 AM on June 6, 2014

Another vote for 1Password; it sounds expensive but they don't come out with "paying" versions every year and it is seamless. With Apple's new iOS 8 they should be able to create extensions, and that means that the need for a dedicated browser is gone.

To complement XKCD here's the link to diceware

Also most Password managers can do more than handle passwords. I keep in 1P SS numbers, Passport scans, bank and credit card info, legal documents etc.

BTW first post
posted by ejrb at 4:33 AM on June 6, 2014

Not to derail, but because your choice of master password is going to be the key to all your future online security potentially including your bank, your email, and your Metafilter account, I feel it's an important enough point to encourage you, and anyone else reading this, to NOT use the xkcd password algorithm. It seems like a good idea when you read the comic, but it completely misses the point of how password cracking actually works.

Modern password hackers don't first try the password "a", then "b", then go through the letters until they try "aa", then "ab", etc. and repeat until they've tried every password. Such an approach works on passwords of 6 characters or less in seconds (which is why you should NEVER have a password this short), but it becomes lengthy when you have 7 and 8 character passwords, and beyond that the time to brute force a password starts getting longer than the known age of the universe.

But password crackers aren't stupid. They don't try to brute force your 16-character password. Instead, they know that people love the xkcd cartoon, and people love diceware. The English language contains somewhere around 30,000-50,000 words that are in common use. A 4-word phrase of "random" words (taken from those in common use) can be cracked in a period of a few days with modern hardware. You can make the password considerably stronger by including uppercase letters at random intervals and adding symbols (try to be more unpredictable than just substituting @ for A, 3 for e, etc. as this is also one of the first things password crackers try, too). But using simple lowercase words like that xkcd cartoon? Not a good idea.

Basically, take Dansaman's advice and you're good to go.
posted by wondercow at 5:50 AM on June 6, 2014

People tend to use the least complex patterns for passwords that they can get away with. If you know the password complexity requirements used by an application or website you can dramatically cut down on the time required to crack most passwords. One of the security researchers at KoreLogic has a nice presentation that explains how to exploit this concept. If you want to really protect your accounts & passwords you should avoid minimum complexity like the plague.

One of the nicest features of a password manager like 1Password is that it lets you really maximize the complexity of your passwords without making you memorize any of them. You can create passwords that are 50 characters long & use mixed case letters, 10 numerics & 10 symbolics, assuming the app or site allows passwords that long. Be careful, you may run into problems with those special characters especially on websites as they're also used by hackers to exploit vulnerabilities like SQL injections so many sites will filter some or all of them out. Either way, even the NSA's gonna have a hard time with that.

Just make sure you put enough effort into creating your master password because if somebody can steal your password cache from your PC or off of Dropbox it's all that stands in the way of handing them the keys to the kingdom of your online life. For any password you need to type in yourself the one unchanging rule is "easy to remember but hard to guess".
posted by scalefree at 9:10 PM on June 7, 2014
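The last few posts argue about password shapes with numbers (4-word phrases from a 7,776-word diceware list or a 30,000-50,000-word list, an 18-character mixed string, 50-character generated passwords, a manager's generator with length and character-class settings). The following is an added example written for this page, not code from any poster or from any of the products named: it computes the keyspace in bits for each shape, converts that to an average crack time under an assumed guess rate, and generates both kinds of secret with the operating system's CSPRNG while guaranteeing the character classes a site's complexity rule demands. The guess rate, the sample word list and the shape table are assumptions; the bit counts only describe secrets picked uniformly at random, so a password a person derives from a phrase of their own is not covered by them.

```python
"""Added illustration: size up the password shapes discussed above and generate
them properly. Entropy here means log2 of the number of equally likely choices,
which only applies to passwords chosen at random, not to ones derived from a
phrase a person picked. The guess rate is an assumption, not a measurement."""
import math
import secrets
import string

# Assumed rate for an offline attack on a fast, unsalted hash on GPU hardware.
# A slow KDF (what password managers use for the master password) or slower
# hardware moves this figure by several orders of magnitude.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for a word list; a real diceware list has 7776 entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "velvet",
                "quartz", "lantern", "meadow", "pixel", "saffron", "tundra"]

_rng = secrets.SystemRandom()


def bits_of_entropy(choices, picks):
    """Entropy of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Average time to hit a uniformly random secret: half the keyspace."""
    return (2 ** bits) / 2 / rate


def human_time(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def character_classes(password):
    """Which classes (lower, upper, digit, symbol) a password actually uses."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("symbol")
    return found


def random_password(length=20, symbols=string.punctuation):
    """Generate from the OS CSPRNG, guaranteeing at least one character from
    each class in use so that a site's complexity rule is satisfied. Pass
    symbols="" (or a reduced set) for sites that filter special characters."""
    classes = [c for c in (string.ascii_lowercase, string.ascii_uppercase,
                           string.digits, symbols) if c]
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _rng.shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


def passphrase(words=SAMPLE_WORDS, count=4):
    """Pick `count` words uniformly with replacement (the diceware method)."""
    return [secrets.choice(words) for _ in range(count)]


def compare_shapes():
    """Keyspace bits for the shapes mentioned in the thread."""
    shapes = {
        "8 lowercase letters": (26, 8),
        "4 random words, 7776-word diceware list": (7776, 4),
        "4 random words, 50000-word list": (50000, 4),
        "18 random printable ASCII chars": (94, 18),
        "50 random printable ASCII chars": (94, 50),
    }
    return {name: bits_of_entropy(n, k) for name, (n, k) in shapes.items()}


if __name__ == "__main__":
    for name, bits in compare_shapes().items():
        eta = human_time(expected_crack_seconds(bits))
        print(f"{name:42s} {bits:6.1f} bits  ~{eta} at {GUESSES_PER_SECOND:.0e}/s")
    print("generated:", random_password(20), random_password(20, symbols=""))
    print("passphrase:", " ".join(passphrase()))
```

Two things worth checking against your own setup: change `GUESSES_PER_SECOND` to see how much the verdict on a 4-word phrase depends on whether the hash behind it is fast (a leaked website database) or a deliberately slow KDF (a manager's master password), and generate with `symbols=""` or a short symbol set before you hit a site that silently strips special characters, since a password the site rewrote is one your manager no longer has.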

Agile just released 1Password 4 for Android, free through August 1. It has many new features & is worth considering as part of your password management system.
posted by scalefree at 3:22 PM on June 10, 2014

That's "free trial", not free free. Still probably worth it, it's pretty much the whole application not just a reader like the older one.
posted by scalefree at 8:47 PM on June 10, 2014

This thread is closed to new comments.