Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Figured we needed a good place for all of this.

    My password systems have morphed over the years;

    1) Written in notebook near PC.
    2) Text File on computer (LOL)
    3) Encrypted text file on computer.
    4) KeepassX (big mistake)
    5) PasswordBox (hosed by Intel)
    6) LastPass (Good, but has annoyances)

    I've recently migrated to Trend Password Manager, and find it excellent. Less buggy/finicky than LastPass, and I like the fact that when you hit sensitive financial sites it pops up an (optional) super secure browser. I purchased a 2 year deal for it after testing it for a bit.

    Info on Trend's Secure Browser;
    http://docs.trendmicro.com/DP10/EN-US/002114/

    http://www.trendmicro.com/us/home/products/software/password-manager/index.html
     
  2. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    75
    Out of curiosity, why was KeepassX a mistake?

    My password evolution:
    1. Using the same few memorized passwords and usernames across all sites. "Important" sites (eg. banking, email) got their own unique passwords.
    2. LastPass - I liked the browser integration, random password generation and sync... But it burned me very badly and I don't think I'll ever trust the "cloud" again.
    3. Keepass - No cloud sync, local encrypted backups only. I've been using it for several years and it's by far the best choice I could have made. I feel a lot more secure using it - the fact that it's not stored in the cloud or even integrated with the browser is just pure awesomeness.
     
  3. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,647
    Location:
    NSW, Australia
    Keepass for me.
     
  4. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,156
    +1
    but is keepassX for mac?
     
  5. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I kept them all in memory, then it evolved into a spreadsheet, not saved but printed and kept locked up in my desk, later into a password protected spreadsheet. Now I use KeePass on all systems.

    KeePassX for OS X and Linux. I prefer to run KeePass on OS X (needs mono installed). It works well enough for my purposes.
     
    Last edited: Jan 30, 2015
  6. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Notebook in the old days, KeePass now. On Android I use Keepass2droid, which avoids Android's insecure clipboard with its special keyboard.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    I was burned by LastPass several years ago and now I store all my passwords on a cd but still use lastpass. All of a sudden it wouldn't accept my password and there was no key on the pc so I was sh@t out of luck. I was able to recover most passwords from websites though and keeping them on the cd makes them safe and always available.
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    How did LastPass burn so many people? What happened? I need a cloud based solution because it's too inconvenient to sync between machines without a good solution. I also prefer browser integration. PasswordBox burned me because Intel purchased them and killed all of the lifetime purchasers' keys. Also PasswordBox was underdeveloped, promised features never arrived, and they never added an export feature for the database.

    I've bounced around testing various solutions like Roboform, but so far only LastPass and Trend made the cut, but LastPass gave me a big scare a few weeks ago when my master password wouldn't decrypt it. Finally after a few tries it worked. Trend keeps an encrypted local database as well as cloud sync to eliminate that issue so I think it may be safer for me. Also Trend has a stand-alone desktop program OR extension OR both (your choice), which I think is a better idea in case the browser extension breaks due to an update or something?
     
  9. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    1. a few easy passwords to use in multiple sites. Got hacked (Gmail and ebay)
    2. started using LastPass with more passwords
    3. Dropped LastPass to use Keepass for a couple of years
    4. Tried PasswordBox: lots of hype but not as good as Lastpass.
    5. Tried Mitro. Good, but small company..actually it has disappeared (People hired by Twitter and end of it)
    6. Back to Lastpass (Premium). To mitigate the risk of getting burned, from time to time I export my LastPass database and import in Keepass, just to have another local backup.

    Has Trendmicro been audited by a third party? How do you trust it?
     
    Last edited: Jan 29, 2015
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Trend PW Manager = Annoying me already. It does allow you to 'sort' entered links, and has its own strange method of ordering them.
     
  11. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Also it seems not to be available for Linux. The great pro of LastPass is that it works with any system/browser.
     
  12. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  13. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    For me it is KeePass and my own memory. No cloud storage for passwords.

    PS: I'm also curious about what was the problem with KeePassX.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Lastpass with Yubikey OTP for general web passwords
    Password Safe with Yubikey HMAC-SHA1 for other passwords

    Very happy with this combination, it's convenient and effective. I don't think I'd be comfortable with a password manager unless backed by TFA.

    But I don't use either of these for financial account passwords, and I'm looking for my financial providers to support effective TFA directly (something like U2F) - but they seem to be back in the stone-age frankly, and obsessed with biometrics and smartphones which I hate.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Same over here, but it does bug me that KeePass can't be integrated into my browser (Opera 12). So I'm thinking about letting my browser manage the passwords for some less important sites. It's not recommended to use auto-fill, but as long as you protect the password database there isn't that much risk.
     
  16. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    What browser is it based on? Maybe Chromium?

    I use my own algorithm to generate passwords so I can live even w/out a password manager, but currently use LP & Norton ID Safe for desktop, KeePass2Droid (offline) for Android, miniKeePass for iOS.

    Both LP and ID Safe with 2FA, KP2D and miniKeePass with a key file.

    I use Mayahana's salt method for LP & ID Safe so even if they're compromised, an adversary still can't know my exact passwords and email addresses. I also don't store some critical credentials in those password managers.
    KP2D's advantage, along with what vojta mentioned, is that you only need to enter the full password the first time after boot; then you only have to enter a short PIN code to decrypt the database, unless you mistype it, which means you have to enter the full password again.
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
  20. SK_Hendrik

    SK_Hendrik Registered Member

    Joined:
    Dec 31, 2014
    Posts:
    8
  21. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Yes, I was just answering a 'what happened?' question.
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    I've used LastPass Premium for years and have never had a problem decrypting my passwords. Occasionally I have to type the master password more than once, which I attribute to my poor typing and the flaky keyboard on my laptop, not a failure of the service. The 2FA support is excellent. I used a USB stick first and currently use android Google Authenticator. LastPass on the desktop can be further protected with HitmanPro Alert, which encrypts keystrokes in the LastPass browser plugin logon window (stealing the master password via keylogger is one of the potential attack vectors). That said, it may still be a good idea to have a printout of the password vault somewhere because redundancy is a good thing and because in a well secured system the "user" is the weakest link.
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    LastPass for me. No problems, no reason to use anything else. Works like I want it to and it is probably more likely that someone could get my password from the site it is for than from LastPass.
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Was an early adopter of LastPass. Still using it today on virtually all devices, with Google Authenticator. Too cheap to buy Premium, so I use bookmarklets on mobile. Never burned me.

    Before that, I tried to keep every password in my head and even repeated a lot of them. It was still a pain.
     
  25. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I use KeePass, not so much for the local storage aspect of it but rather for the ability to sort and manipulate data more easily. I can add custom fields, such as for the email address and the length of time before changing the password again, and then see all that information in a tabular format. I stagger password changes over time, doing a handful each month so that I'm not faced with the tedium of doing many all at once.

    As far as I can tell, with LastPass I can only sort by account name or site. So to find out what passwords are due to be changed next month (and the month after that, and so on...), I can sort by the expiry date field. If I want to close or abandon an email account, I can sort all the website accounts that are tied to it to see which ones will need updating. To do things like that in LastPass, it seems that I would have to click on each and every entry and take notes.

    BTW, has anyone here tried SecureSafe?
     