Figured we needed a good place for all of this. My password systems have morphed over the years: 1) Written in notebook near PC. 2) Text file on computer (LOL). 3) Encrypted text file on computer. 4) KeepassX (big mistake). 5) PasswordBox (hosed by Intel). 6) LastPass (good, but has annoyances). I've recently migrated to Trend Password Manager, and find it excellent. Less buggy/finicky than LastPass, and I like the fact that when you hit sensitive financial sites it pops up an (optional) super secure browser. I purchased a 2-year deal for it after testing it for a bit. Info on Trend's Secure Browser: http://docs.trendmicro.com/DP10/EN-US/002114/ http://www.trendmicro.com/us/home/products/software/password-manager/index.html
Out of curiosity, why was KeepassX a mistake? My password evolution: 1. Using the same few memorized passwords and usernames across all sites. "Important" sites (e.g. banking, email) got their own unique passwords. 2. LastPass - I liked the browser integration, random password generation and sync... But it burned me very badly and I don't think I'll ever trust the "cloud" again. 3. Keepass - No cloud sync, local encrypted backups only. I've been using it for several years and it's by far the best choice I could have made. I feel a lot more secure using it - the fact that it's not stored in the cloud or even integrated with the browser is just pure awesomeness.
I kept them all in memory, then it evolved into a spreadsheet, not saved but printed and kept locked up in my desk, later into a password-protected spreadsheet. Now I use KeePass on all systems. KeePassX for OS X and Linux. I prefer to run KeePass on OS X (needs Mono installed). It works well enough for my purposes.
Notebook in the old days, KeePass now. On Android I use Keepass2droid, which avoids Android's insecure clipboard with its special keyboard.
I was burned by LastPass several years ago and now I store all my passwords on a CD but still use LastPass. All of a sudden it wouldn't accept my password and there was no key on the PC so I was sh@t out of luck. I was able to recover most passwords from websites though, and keeping them on the CD makes them safe and always available.
How did LastPass burn so many people? What happened? I need a cloud-based solution because it's too inconvenient to sync between machines without a good solution. I also prefer browser integration. PasswordBox burned me because Intel purchased them and killed all of the lifetime purchasers' keys. Also PasswordBox was underdeveloped, promised features never arrived, and they never added an export feature for the database. I've bounced around testing various solutions like Roboform, but so far only LastPass and Trend made the cut, but LastPass gave me a big scare a few weeks ago when my master password wouldn't decrypt it. Finally after a few tries it worked. Trend keeps an encrypted local database as well as cloud sync to eliminate that issue so I think it may be safer for me. Also Trend has a standalone desktop program OR extension OR both (your choice), which I think is a better idea in case the browser extension breaks due to an update or something?
1. A few easy passwords to use on multiple sites. Got hacked (Gmail and eBay). 2. Started using LastPass with more passwords. 3. Dropped LastPass to use Keepass for a couple of years. 4. Tried PasswordBox: lots of hype but not as good as LastPass. 5. Tried Mitro. Good, but small company... actually it has disappeared (people hired by Twitter and end of it). 6. Back to LastPass (Premium). To mitigate the risk of getting burned, from time to time I export my LastPass database and import it into Keepass, just to have another local backup. Has Trend Micro been audited by a third party? How do you trust it?
Trend PW Manager = Annoying me already. It does allow you to 'sort' entered links, and has its own strange method of ordering them.
Also, it seems not to be available for Linux. The great pro of LastPass is that it works with any system/browser.
Maybe this: http://www.forbes.com/sites/johnray/2011/05/05/possible-lastpass-data-leak/ https://blog.lastpass.com/en/2011/05/lastpass-security-notification.html/
For me it is KeePass and my own memory. No cloud storage for passwords. PS: I'm also curious about what was the problem with KeePassX.
LastPass with Yubikey OTP for general web passwords. Password Safe with Yubikey HMAC-SHA1 for other passwords. Very happy with this combination, it's convenient and effective. I don't think I'd be comfortable with a password manager unless backed by TFA. But I don't use either of these for financial account passwords, and I'm looking for my financial providers to support effective TFA directly (something like U2F) - but they seem to be back in the stone age frankly, and obsessed with biometrics and smartphones, which I hate.
Same over here, but it does bug me that KeePass can't be integrated into my browser (Opera 12). So I'm thinking about letting my browser manage the passwords for some less important sites. It's not recommended to use auto-fill, but as long as you protect the password database there isn't that much risk.
What browser is it based on? Maybe Chromium? I use my own algorithm to generate passwords so I can live even without a password manager, but currently use LP & Norton ID Safe for desktop, KeePass2Droid (offline) for Android, miniKeePass for iOS. Both LP and ID Safe with 2FA, KP2D and miniKeePass with a key file. I use Mayahana's salt method for LP & ID Safe so even if they're compromised, an adversary still can't know my exact passwords and email addresses. I also don't store some critical credentials in those password managers. KP2D's advantage, along with what vojta mentioned, is that you only need to enter the full password the first time after boot; then you only have to enter a short PIN code to decrypt the database, unless you mistype it, in which case you have to enter the full password again.
Speaking of password managers. F-Secure PW Manager is FREE right now for a limited time; http://campaigns.f-secure.com/freedome/key/en/
Are these articles still relevant? In ICT, 2011 is history. As far as I see, LastPass learned their lesson and maybe is now a much safer/better choice? Works also fine with Opera.
I've used LastPass Premium for years and have never had a problem decrypting my passwords. Occasionally I have to type the master password more than once, which I attribute to my poor typing and the flaky keyboard on my laptop, not a failure of the service. The 2FA support is excellent. I used a USB stick first and currently use Android Google Authenticator. LastPass on the desktop can be further protected with HitmanPro Alert, which encrypts keystrokes in the LastPass browser plugin logon window (stealing the master password via keylogger is one of the potential attack vectors). That said, it may still be a good idea to have a printout of the password vault somewhere because redundancy is a good thing and because in a well secured system the "user" is the weakest link.
LastPass for me. No problems, no reason to use anything else. Works like I want it to and it is probably more likely that someone could get my password from the site it is for than from LastPass.
Was an early adopter of LastPass. Still using it today on virtually all devices, with Google Authenticator. Too cheap to buy Premium, so I use bookmarklets on mobile. Never burned me. Before that, I tried to keep every password in my head and even repeated a lot of them. It was still a pain.
I use KeePass, not so much for the local storage aspect of it but rather for the ability to sort and manipulate data more easily. I can add custom fields, such as for the email address and the length of time before changing the password again, and then see all that information in a tabular format. I stagger password changes over time, doing a handful each month so that I'm not faced with the tedium of doing many all at once. As far as I can tell, with LastPass I can only sort by account name or site. So to find out what passwords are due to be changed next month (and the month after that, and so on...), I can sort by the expiry date field. If I want to close or abandon an email account, I can sort all the website accounts that are tied to it to see which ones will need updating. To do things like that in LastPass, it seems that I would have to click on each and every entry and take notes. BTW, has anyone here tried SecureSafe?