33 votes
Password manager suggestions?
I'm going to college soon, and I'm in the process of straightening out my accounts and login information. What password managers would any of you recommend? I'm looking for something that can be accessed on both desktop (PC) and mobile (Android).
Edit: I have set up KeePass and it looks like a great solution! Thanks for the help.
I'm a big fan of KeePass. It's free and open-source software (FOSS) and has clients for basically every OS - of course the "official" one for Windows, the cross-platform KeePassXC, as well as keepass2android.
It doesn't have a built-in "cloud", but you can simply store your database on Dropbox/GDrive/Nextcloud/... and then point your clients to that. Works flawlessly.
I second the KeePass recommendation! What I like about it, apart from it being open-source and available on all major operating systems, is its configurability. There are tons of useful plugins.
Also, others have already said it: don't reuse passwords and let your password manager generate strong passwords. I just wanted to add, if you use KeePass you should install the Pronounceable Password Generator plugin or you are going to hate yourself in those (rare) instances where you need to type an automatically generated strong password.
Do you have any examples of passwords that plugin generates? I can't see any on its website.
Sure, here are some:
The length (and a couple of other things) are customizable.
Edit: There's also the Readable Passphrase Generator, which will generate completely readable (albeit nonsensical) passphrases, like this:
the statesman will burgle amidst lucid sunlamps
These are better suited for memorizing, but that's a whole other discussion. :)
The random sentence password (with spaces) is just as secure, if not more, than the crazy number and special character passwords.
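The claim above about a random sentence being as strong as a string of symbols can be checked with a quick entropy calculation. This is an added example and not code from the thread or from any of the generators mentioned; the 64-entry word list is constructed inline so the script runs offline (a real generator would use a far larger list, such as a 7776-word diceware list). The strength of either style of password depends only on the number of positions and the number of equally likely choices per position, which is what `entropy_bits` computes:

```python
import math
import secrets
import string

# Constructed toy word list with 64 entries, so each word chosen uniformly
# contributes log2(64) = 6 bits. Real passphrase generators ship thousands
# of words; the list is small here only so the example is self-contained.
WORDS = [
    "anchor", "badger", "basket", "cactus", "camel", "candle", "canyon", "carpet",
    "castle", "cellar", "cherry", "cliff", "cloud", "comet", "copper", "coral",
    "cotton", "crater", "daisy", "desert", "dolphin", "donkey", "dragon", "eagle",
    "ember", "engine", "falcon", "feather", "fiddle", "forest", "fossil", "garden",
    "glacier", "goblet", "granite", "harbor", "hammer", "helmet", "iceberg", "island",
    "jacket", "jungle", "kettle", "lantern", "lemon", "lizard", "magnet", "marble",
    "meadow", "mirror", "muffin", "nectar", "needle", "oasis", "orchid", "parrot",
    "pepper", "pillow", "planet", "pumpkin", "quartz", "rabbit", "river", "rocket",
]

# 94 printable ASCII characters excluding space: the "crazy number and
# special character" alphabet most site generators draw from.
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy for `positions` independent uniform picks from
    `choices_per_position` options. Works for words and characters alike."""
    return positions * math.log2(choices_per_position)


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest number of words from a dictionary that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of random characters from an alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def passphrase(n_words: int, words=WORDS) -> str:
    """Space-separated passphrase; secrets.choice is a CSPRNG, unlike random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def random_string(length: int, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Character password of the kind a manager's generator produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Six words from a 7776-word diceware list vs. twelve symbol characters:
    # both land near 78 bits, so the sentence is as strong as the symbol soup.
    print(f"6 diceware words:  {entropy_bits(7776, 6):.1f} bits")
    print(f"12 symbol chars:   {entropy_bits(len(SYMBOL_ALPHABET), 12):.1f} bits")
    print("sample passphrase:", passphrase(8))
    print("sample symbols:   ", random_string(12))
```

The entropy figures assume the generator picks uniformly with a cryptographic source and that the attacker knows the word list; a passphrase drawn from the toy 64-word list above needs 13 words to match 6 diceware words, which is why real generators use large lists.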
That's true. Unfortunately, there are many sites out there that force you to have numbers and special characters in your password.
Edit: I also encountered a site once that had a maximum password length requirement that was exceeded by the sentence generated by Readable Passphrase Generator.
A maximum password length is a sign they could be storing your password in plain text. A particular hash algorithm for computing password hashes always produces the same length output, so password length doesn't matter all that much. It's not a certainty, but the main reason you would have a maximum password length is because you are actually storing it. That's when you're really glad you're using a password manager with a unique password for every site.
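The fixed-length point above can be seen directly by hashing passwords of very different sizes with a password KDF. This is an added illustration, not code from the thread; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for whatever KDF a site might use, and the three sample passwords are constructed for the example. The stored record holds only a salt and a 32-byte digest, whatever the input length, so a site that hashes properly has no storage reason to cap passwords at a few dozen characters:

```python
import hashlib
import hmac
import secrets

# Constructed sample passwords of wildly different lengths.
SAMPLE_PASSWORDS = [
    "short",
    "the statesman will burgle amidst lucid sunlamps",
    "x" * 300,
]

DEFAULT_ITERATIONS = 600_000  # work factor; tune to the server's budget


def hash_password(password: str, salt: bytes, *, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256. The digest length (32 bytes) is a property of the
    hash, not of the password, so a 5-character and a 300-character password
    produce stored values of identical size."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def stored_record(password: str, *, iterations: int = DEFAULT_ITERATIONS) -> str:
    """What a site should persist: scheme, work factor, random salt and digest.
    The password itself never reaches storage."""
    salt = secrets.token_bytes(16)
    digest = hash_password(password, salt, iterations=iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), iterations=int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_lengths(passwords, *, iterations: int = 1000) -> list:
    """Digest size for each password; a low iteration count keeps the demo fast."""
    fixed_salt = b"\x00" * 16  # same salt for all so only input length varies
    return [len(hash_password(p, fixed_salt, iterations=iterations)) for p in passwords]


if __name__ == "__main__":
    for pw, n in zip(SAMPLE_PASSWORDS, digest_lengths(SAMPLE_PASSWORDS)):
        print(f"{len(pw):>3} chars in -> {n} bytes stored")
    rec = stored_record(SAMPLE_PASSWORDS[1])
    print("record:", rec)
    print("verify correct:", verify(SAMPLE_PASSWORDS[1], rec))
    print("verify wrong:  ", verify("not it", rec))
```

One genuine exception to keep in mind when judging a site: bcrypt only processes the first 72 bytes of its input, so a site built on bcrypt may cap or silently truncate at 72 characters for that reason alone. A cap around 20 characters is not explained by any common password hash.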
Huh, I never stopped to wonder why they had a maximum length constraint. What you're saying makes a lot of sense, so hurray for password managers and unique passwords! Too bad I can't remember which site it was...
There are also sites that try to use the same password for web and phone. I've run into this with Wells Fargo and Fidelity. I no longer have the WF account to check, but Fidelity puts a 20 character cap on passwords, and I suspect the phone entry is the limitation. Passwords get mapped to 0-9 and * when entered on a phone. I haven't tested on Fidelity, but on Wells Fargo the mapping was symmetrical for the web: JKL all next to each other on the keyboard and on the same button on a phone, and J / K / L "typos" I made worked for logging into the web site.
I've been using KeePass for a while now with Google Drive. I put a portable installation in the actual Drive folder with it, so I don't even need it installed on the computer I access it on. Works great :)
Keepass is nice, but the mobile app takes a while to resync on slow connections, so don't store files in it (use a separate database). The keyboard is also something I'd expect from Android 2.x in appearance and auto-complete helpfulness. Also, no fingerprint unlock, if that's something you want. Other than that, it's great, but I was never able to get browser extensions working (Firefox was flaky, Chrome never worked for me).
KeePass DX (you can find it in FDroid) has fingerprint unlock. I keep my database file synced across all my devices with Syncthing.
Thanks for these recommendations! I was using Enpass, but their mobile app costs $10 to access everything.
I've been very happy with the cross-platform 1Password over the years, using it personally with multiple MacBooks, Windows desktops, and an iPhone. It's not free, but has a high level of polish, enough support, and a wide enough range of features to justify the cost for me. It can be done as individual licenses (bit of a pain now, have to get one for each platform) or subscription (few bucks a month, good for all of your devices plus web access). It has solid browser extensions for generating passwords (with customizable rules for length, special characters, and more), remembering logins, and filling in forms. It also helps you review your passwords and lets you know when your password was revealed in a breach, when you've reused passwords, etc. In addition to passwords, it can also handle other sensitive information, such as remembering and filling in credit card info. There's also a family subscription which allows a few people to use the service, each having their own "vault" and the ability to create shared "vaults".
1Password is the gold standard of password managers in my opinion. Others are definitely good, but nothing comes close to the polish of 1Password for me.
I recently started using BitWarden for some projects. It is open-source and easy to use. Give it a shot.
I switched to BitWarden from Keepass, I highly recommend it. It has built in TOTP code generation (had to use a plug-in on Keepass for this), and it has browser extensions, a desktop app, and a mobile app for free (and at $10/yr, the subscription is priced better than LastPass). You can also self-host it, the source code is available on GitHub (and has some really cool AD/SSO integrations! Edit: GitHub).
Word of warning: the 1000 character limit on username, password, etc fields is actually around 670 characters (I'll update when I find the GitHub issue link. Edit: 687 characters). If you have anything longer, it will fail (I had some 1024 character passwords on my PPK files so I had to reencrypt them with a 512 length key).
You can also use fingerprint unlock on mobile devices, though this is optional so you can decide if it's worth the trade-off in security for convenience.
Edit 2: I'll also note it has a Linux client and the mobile app doesn't require a subscription (unlike LastPass). Prior to switching, I used both Keepass and LastPass (Keepass for mobile and desktop, LastPass for browser), and it really was a pain to keep them in sync.
Another vote for Bitwarden -- I pay for it (primarily to support good software) and self host. It just works, and beats the pants off my previous solution (a cobbled together Javascript page that would hash together a master password and site URL).
It has a "family/organisation" setting which allows you to share some or all of your passwords; at some point I intend to turn this into a dead man's switch so my wife gets all of my passwords if I croak. She can live without my bank account access, but if our Plex instance breaks and she can't get in to fix it there'll be posthumous hell to pay!
pass, very easy and it uses your GPG key.
I also recommend 'pass'.
It's just GPG encrypted text files in a Git repository so it's very flexible (scriptable) and using proven technology. You're not tied to any specific binary blob format.
I really like Bitwarden. It's a browser extension, so it just works. I was on LastPass, which is still good, but moved once they were acquired by LogMeIn. I moved to 1Password, which was also great, but they didn't have a standalone client for Linux. Their subscription service works well. I then tried KeePassXC, which has its benefits, but it wasn't as pretty as the others and I had issues with it syncing quickly.
Bitwarden launched, I tried it out for a week, and haven't looked back since. I'd definitely suggest trying out a few of them to see which works best for your workflow. They all have decent mobile apps, so that is covered.
edit: if you do go down @nacho's route without using a password manager, song lyrics are excellent (spaces and all.) Extremely easy to remember, and you can choose lyrics that go along with the site -- e.g.
I can't forget the time or place
from The Beatles, 'I've Just Seen a Face'
I know this won't be a popular opinion, but here goes.
I used keepass for a while, but got tired of dealing with conflicts that were created with Dropbox.
I now use lastpass which is the most convenient one I tried out, and I coupled it with a yubikey to increase security.
What I should do (but currently don't) is to rip the current safe and save it to KeePass just in case LastPass is unable to auth me.
The mobile integration is awesome, as is the browser extension. It makes it super easy to create and add accounts.
I use the paid family edition which looks like it costs $48 per year for 6 accounts. You're also able to set up shared passwords, so that makes it easier to get the folks set up.
I am currently using LastPass too, it's the most convenient out of them all. The only thing that makes me nervous is that I started using really strong random passwords lately, so if for any reason LastPass ever fails to authenticate me, due to server outage or whatnot, I won't be able to log in to any site. I think I need to make a backup on KeePass too, just to be safe.
You can log in to a local version of your database without hitting the LastPass servers.
Just make sure you've got a regularly updated plugin in a browser or the app on your phone and you'll always have a local copy of the database you can access.
I wasn't even aware of that! Thanks!
The ability to enter a password for apps and websites on my cellphone with just my fingerprint is quite nice.
Why is that? I was under the impression that LastPass is a pretty decent choice and people generally vouch for it?
I use it as well, haven't had a problem so far.
It's a popular opinion on HackerNews that Lastpass is trash. There are a few reasons, one being the fear of storing your credentials on someone else's servers. In 2015 they were hacked and encrypted hashes were compromised (not actual passwords, though LP recommended update master pass and enabling 2fa which you should be doing anyways.) Another being LastPass being acquired by LogMeIn. LogMeIn was hated because they promised their service would always be free and then 10 years later reversed that statement. The fear was that LMI would ruin LastPass as well so people advocated migrating away before you could be betrayed.
Ha! I didn't see this reply. Just replied with almost exactly the same sentiments.
Firstly when they got compromised, and secondly when LogMeIn acquired lastpass a few years ago, there was a lot of concern given their negative reputation.
Also, the general consensus for password managers is that you should have the control and ownership of your data. I'm putting trust in lastpass, and that's a risk I'm willing to take. Others aren't happy to take that risk and will use keepass or even something like masterpassword that requires no storage or 3rd party trust.
For my usage with Keepass I decided to save it as a new file whenever I apply changes with the filename containing a running index. Obviously using "cloud based" password managers is more comfortable but I like the added security layer of an encrypted file that only gets synced by hand in my local network.
For "cloud based" solutions I would recommend using open source solutions though, as you can independently verify that there's nothing shady going on in the background.
I highly recommend Master Password. Your password isn't stored, it's open-source, on just about every platform, and doesn't require internet to use.
Master Password is my favorite. I wish the Windows version were native instead of a gross Java app, but it’s gotten me through several total data loss events without a single password lost.
I just use Chrome's built-in password manager. Works on desktop and mobile Chrome. Syncs in the cloud and is accessible from anywhere by going to https://passwords.google.com
My Google account password is unique and I never reuse it anywhere. Some people might not trust Google to manage their passwords and that's fine - use KeePass or something else. But this works for me.
I highly recommend KeePass. In the past, I've heard great things about KeePass2. However, recently I've heard that its browser integration is subpar in security terms, and that the KeePassXC fork (which is based on 2 and is more cross-platform) is the better option on Linux and Windows desktops, at least as far as browser integration. You should look into this on your own.
Either will be compatible with KeePass2Android on your phone. The .kdbx database is opened by pretty much any KeePass fork. Make sure you get the autoswap keyboard plugin and follow its instructions to enable it.
Browser integration is done via ChromeIPass/KeePassHttpConnector on Chrome and Chromium, or with KeeFox on Firefox. KeeFox is way better IMO, but I don't use FF anymore. And now, like I said, the KeePassXC plugin is supposed to be safer for Chrome/Chromium, but I don't know anything about if it's used on Firefox or if that is even true. You will hate KeePass if you do not enable browser integration. That's what lets it auto-type the long passwords you will make and maintain with it.
Don't use short or repeated passwords anymore. Spend a day or two listing all the services you can think of that you use or have used, ever. Log in to them, change their passwords to long strings, like 25-30 characters, and save them with KeePass. THAT'S the way security is supposed to be handled with KeePass.
You can put your encrypted .kdbx database on a cloud service to sync between your phone and PC, but if you do this, you will want extra strong encryption. You may also like Syncthing--it's a free and open-source syncing application that works perfectly cross-platform. If you have multiple uses for Syncthing, I'd recommend that route--it's more secure and you also get to use it for those other purposes. If you wouldn't use it, you might as well just beef up the password and drop the database in the cloud.
I have a shit ton of tips and tricks and I'd be happy to help.
I couldn't get any of those to work IIRC, so I use the Url in title extension and the feature in KeePass to look for the entry URL in the window title when doing auto-type.
That's what I do too and it works a treat.
That's actually quite clever!
How well does it work, though? With the proper plugins I get auto type on the vast majority of sites, a few others I have to manually remind it to autotype, and a couple don't work at all.
It works basically 100% of the time, now I've set it up properly. I ran into a couple of problems along the way, but I managed to fix them:
That's so funny, I literally JUST set that up with Steam like 2 days ago!
I personally use LastPass. Easy to set up and use, and I can access it anywhere. KeePass if you want tighter security.
Keepass has been reliable and customizable and easy to host personally if you want sync.
Bitwarden looks like a really good option. I haven't had a chance to delve into it yet, but it's interested me more than LastPass and 1password.
I'm a long-time password manager user and I've found a secure and convenient solution in my opinion. Probably the best and most secure password manager is KeePass, due to its large user base and its many plugins (of course it's open-source too).
The main drawback of password managers in my opinion is typing the password out, or switching windows to copy them from our password manager. With keepass, you can use a plugin in Firefox and Chrome where it auto-fills your passwords and usernames into your browser.
A good solution for syncing your database across devices is a cloud host. I'd recommend using some version of Nextcloud because it's end-to-end encrypted, or your generic cloud provider like Dropbox and Google Drive paired with Cryptomator. It's a program that encrypts your files before syncing them. It's free for Windows but the Android app costs 5€. Works like a charm though!
Another vote for keepass2
I've been using it for the past 2 years, never have any issue with it.
KWallet. Works as expected and integrates flawlessly into Plasma and other KDE apps. Also works with Chromium (and hopefully Firefox again soon).
You guys are overengineering this, all you need is pass.
I strongly urge against using password managers.
Create a list of the usernames for all your accounts and the sites they're on.
Then create password formulas that you manually change regularly. The formula creates unique passwords for each site based on a formula that includes the site/username in some way.
Simple to remember, and actually safe.
The whole idea of a password manager is a conceptually bad security solution. Stay away.
This doesn't necessarily give you extra protection though. Once someone has one of your passwords, and sees it's something like password@website.com, it becomes trivial to guess the rest. Even if you change them, you're still using a predictable formula, so you're effectively sharing a password, just one that won't be detected automatically by a hashing program. In contrast, with a password manager, even if all of your passwords are compromised, you can very quickly generate a vast array of new ones, and your enemy can't figure out any of them based on previous captures.
So for Facebook, your formula could be something like
Whatever type of formula you want to make.
As with many things, implementation is key.
I completely disagree with you. On balance, it is a much better security solution than anything that normal people do. It is much safer than having a browser remember your password. It is much safer than repeating your passwords. It is much safer than having human-memorable passwords or things that could be caught in dictionary attacks.
The vast majority of hacks and other naughty behavior don't happen because someone gets or breaks into your computer or cloud accounts. To someone experienced and dedicated, that probably wouldn't be hard, but it would be a lot of effort for potentially very little reward--the blackhats try to go for the money. They go for websites that they think store in plaintext or have lots of good user information for them. And then they use that info to try and catch the victims in other locations all across the internet. If a password of yours gets pwned, it will be tried in every service worth trying, by a script.
Anyone who has the balls to break into my home network (or even better, university network), then onto my device, and THEN brute force my password, is someone I had no defense against anyway. As far as social engineering goes, well, there are solutions for that, too.
You can use Yubikey with some password managers, or you can do your own ghetto version with a flash drive and a key file. If you only use it on windows, you can require it be tied to a specific user account--which I think can probably be your admin account, so they have to get THAT privilege, too. My database is cross-platform so I don't bother with that, but the key file thing is pretty cool. I don't keep the key file in cloud storage--there is no way for cloud providers or anyone with access to their servers to break into my database without it, and they don't have it.
The concept I'm advocating is for normal people. It works in practice.
The company I work for forces people to create long ultra-secure passwords that are unique to all the various logins we have for work (they're checked against each other. Too many similarities or any previous uses etc. won't work).
We're forced to change passwords multiple times per year. That goes for everyone with a logon, from janitors and receptionists to the CEO.
Passwords are not repeated. They're derived from a single formula you need to remember.
That password formula is human memorable but provides unique passwords indistinguishable from computer generated ones.
Since you're remembering one formula, not the derived passwords themselves, you don't need to remember 20+ ~20 character long random strings. It's just one formula.
That's like memorizing maybe 5-7 sentences worth of text after every password change. Everyone can learn a poem by heart and recall it when you 'recite' that poem multiple times a day as you log in.
No more forgotten credentials to that one site you use once in a blue moon: you update its password regularly and know where you have the account name since it's with all the other account names.
This is basically the problem. NIST changed their minds on this - forced regular password changes do nothing to improve security, because people end up just using a weaker password so they can remember it more easily.
The single point of failure with a password manager is the password manager.
The single point of failure with an algorithm is the algorithm.
Anything is better than what most people do, but nothing is foolproof.
I prefer randomly generated passwords, as opposed to pseudo-random ones. Given the amount of breaches, I'd assume reversing the algorithm would be reasonably trivial.
The algorithm reminds me of the reasons you shouldn't roll your own crypto.
This quickly becomes impractical if done on paper, and is actually less secure than a password manager if you keep the list digitally.
This is the same as u/Jedi's suggestion (Master Password).
If you don't have a secure location behind 2fa and encryption for your personal backups, that's a more pressing issue than that of password managing.
I can vouch for KeePass; for Windows I use the KeePassXC client and for Mac I use MacPass.
Also, make sure you take advantage of the password generation features! For the longest time I was making up passwords and storing them because I thought it would be faster, but I didn't realize you can set a bunch of parameters like reduce the length and still make it secure.
I use Firefox's password manager with an extension to generate random passwords. Syncs to all my devices, autofills my passwords: that's all I need.