Thread: Am I a fool if I don't use an online password manager?

  1. #1
    Join Date
    Jun 2008
    Location
    USA
    Posts
    3,642

    I'm thinking of finally joining the 20th century and switching to that instead of what I'm currently doing.

    I would think that there are some risks to going that route, but I assume most folks would say "that's certainly a lot better than what you're doing now..."

    Wirecutter recommends "1Password" if you're willing to pay, and "Bitwarden" if you want a free service.

    Anyone care to suggest anything else I need to know?

    Edit: In the near future I'm going to be upgrading from a flip-phone to either a Google Pixel 5a or 6, which will allow me to use fingerprint login, and misc other mobile fancy stuff, so that's a bit of a consideration as I look at manager options. (unless all of them already offer that, in which case it will be a non-factor)

    TIA

    Not mine:


  2. #2
    Join Date
    Apr 2009
    Location
    Casolare alla Scala
    Posts
    1,497

    I use a password manager and suggest to everyone to do the same.

    Know the drawbacks: if your master password is compromised everything is exposed. If you turn on all the convenience features (never sign out/lock vault, open on phone unlock, etc) you’re making yourself less secure, not more. The primary point of the manager is not to make your life easier, it is to be more secure.

    Someone out there is storing your password incorrectly. They will be hacked, since if they can’t encrypt correctly, they probably aren’t doing other stuff right. Password managers make it so you really can have a unique password for every site. Now when somewhere is hacked you don’t have to worry and only need to update one password. A secondary benefit is that you can also share passwords with others securely, and easily if they also use the service.

    I use bitwarden and like it. I was a LastPass user until they sold out. Don’t use LastPass. 1Password is good, but I’ve never used it. If you have close ones who use a manager pick the one they use.

  3. #3
    Join Date
    Oct 2012
    Posts
    11,057

    Quote Originally Posted by Mabouya View Post
    Am I a fool if I don't use an online password manager?

    Short answer is yes. You definitely need a different password for each service and a password manager is the best way to achieve that.

    Quote Originally Posted by spopepro View Post
    Know the drawbacks: if your master password is compromised everything is exposed. If you turn on all the convenience features (never sign out/lock vault, open on phone unlock, etc) you’re making yourself less secure, not more. The primary point of the manager is not to make your life easier, it is to be more secure.

    Note that this mostly applies to hosted password management services.

    Right now I am using one hosted but in the past I have used a combination of keepassxc + syncthing to sync it automatically between my phone and my computers.

    keepassxc is a cross-platform local password manager that stores your passwords in a locally encrypted db. Downside is if you want to share the passwords across different devices it doesn't provide that functionality.
    syncthing is a continuous file synchronization program. It synchronizes files between two or more computers in real time.

    By combining those 2 programs you can sync your password db to multiple computers and phones without relying on a hosted service that could get hacked. Downside is it is a little bit less straightforward for non-technical people, you can't share accounts with other people and you could potentially get conflicts. This is solved by syncthing being able to keep copies in case of conflicts. Another way to avoid conflicts is to treat your smartphone as the master of truth, meaning you always make sure your phone is connected to the same network as any other device on which you want to generate a new account or password. 99% of the time you use keepass as a client and not to generate new accounts so it is easy to take care of.

    Note that syncthing is useful for many other things, for example I use it to back up my smartphone's photos on my local NAS (which is really a linux server) without relying on apple/google/whatever cloud service. Every time I activate wifi on my phone at home it syncs everything automatically.

    LAST NOTE: The password manager is not the only thing that needs to be kept secure in order to not be compromised locally. Almost every service that doesn't rely on your phone number for validation will use your email to recover from a lost password. Thus the most important thing to keep secure is your email access, as anyone who would compromise your email account could hack you away from it and get a new password for any service you're subscribed to. An easy task if you didn't even care to delete the registration emails and unsubscribe from the notifications and newsletters. SECURING YOUR EMAIL ACCOUNT CORRECTLY IS AN ABSOLUTE MUST. Use multiple levels of authentication, even if it is annoying to do so, and keep emergency codes in a safe in order to be able to log on even if your smartphone dies.
    Last edited by sk_tle; 02-15-2022 at 08:19 AM. Reason: links
    --
    T h o m a s
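
A check for the conflict copies mentioned in post #3, added here as an example and not taken from the post or from the Syncthing or KeePassXC projects: it lists Syncthing conflict copies of a KeePass database so they can be merged instead of being forgotten. The folder contents and the `Passwords.kdbx` name are constructed.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Syncthing renames the losing copy of a conflicting file to
#   <name>.sync-conflict-<YYYYMMDD>-<HHMMSS>-<device>.<ext>
# The -<device> part is treated as optional so names without it are still caught.
CONFLICT_RE = re.compile(
    r"^(?P<stem>.+)\.sync-conflict-(?P<date>\d{8})-(?P<time>\d{6})"
    r"(?:-(?P<device>[A-Z0-9]+))?(?P<ext>\.[^.]+)?$"
)


def find_conflicts(sync_dir, db_name):
    """Return conflict copies of db_name found under sync_dir, oldest first.

    Each result is (path, conflict_time, device_or_None).
    """
    results = []
    for path in Path(sync_dir).rglob("*.sync-conflict-*"):
        m = CONFLICT_RE.match(path.name)
        if not m:
            continue
        original = m.group("stem") + (m.group("ext") or "")
        if original != db_name:
            continue  # conflict copy of some other file
        when = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")
        results.append((path, when, m.group("device")))
    return sorted(results, key=lambda r: r[1])


def demo():
    """Build a constructed sync folder and report which copies need merging."""
    with tempfile.TemporaryDirectory() as d:
        for name in (
            "Passwords.kdbx",                                        # live database
            "Passwords.sync-conflict-20220214-193005-ABCDEFG.kdbx",  # losing edit
            "Passwords.sync-conflict-20220110-070000.kdbx",          # no device part
            "notes.sync-conflict-20220214-193005-ABCDEFG.txt",       # unrelated file
        ):
            (Path(d) / name).write_bytes(b"constructed sample, not a real vault")
        return [(p.name, t.isoformat(), dev)
                for p, t, dev in find_conflicts(d, "Passwords.kdbx")]


if __name__ == "__main__":
    for name, when, device in demo():
        print(f"unmerged copy: {name} (conflict at {when}, device {device})")
```

Each copy it reports holds entries that exist only in that file until it is merged into the live database.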

  4. #4
    Join Date
    May 2010
    Location
    Chicago
    Posts
    3,003

    Quote Originally Posted by spopepro View Post
    I was a LastPass user until they sold out. Don’t use LastPass. 1Password is good, but I’ve never used it. If you have close ones who use a manager pick the one they use.

    Please explain. My Lastpass subscription is about to renew. I've been using it since Steve Gibson recommended it on Security Now years ago.

  5. #5
    Join Date
    Apr 2009
    Location
    Casolare alla Scala
    Posts
    1,497

    Quote Originally Posted by rec head View Post
    Please explain. My Lastpass subscription is about to renew. I've been using it since Steve Gibson recommended it on Security Now years ago.

    LastPass was acquired by LogMeIn in 2015. LogMeIn as a company doesn’t have a great track record of respecting user privacy nor do they have a history of solid security practices. I didn’t switch immediately, but decided to when they significantly upped the premium price without any improvements (like support for hardware-based 2FA). I notice now LogMeIn recently announced separating LastPass back out to operate independently, so maybe things will get better? I didn’t stick around to find out.

    It was easy for me to download a flat file of my password db from LastPass and import into Bitwarden. I then changed all of the important passwords after switching.

  6. #6
    Join Date
    Jun 2008
    Location
    Boston, Massachusetts, United States
    Posts
    9,905

    That's good info @spopepro. I've been using LastPass since Wirecutter's recommendation and will now look at these issues (as a Bostonian I'd like to support LogMeIn or whatever they've renamed themselves, but...)

    As far as the original question, get one @Mabouya. Get one now!

    It was, candidly, a lot more difficult to gather and re-set all our passwords than I expected. I figured I'd put on the stereo on a Sunday afternoon and knock off the job. Uh uh. It took 4-5x longer than I'd thought. But the process ended up giving me a lot of comfort, since I had to check each pw change to confirm my work. And now, adding super-strong passwords for new logins - even something as mundane as the MA RMV - is a simple process.

    Just choose a long, hard-to-guess, hard-to-hack, easy-for-you-to-remember master password!
    GO!

  7. #7
    Join Date
    May 2011
    Posts
    76

    My wife and I have been using LastPass for a few years. We've had no big problems. I do like the ability to share certain records so we don't have to coordinate carefully when (for example) a bank forces us to change a password.

    Do bitwarden or other alternatives offer a similar feature?

  8. #8
    Join Date
    Apr 2009
    Location
    Casolare alla Scala
    Posts
    1,497

    Quote Originally Posted by smontanaro View Post
    My wife and I have been using LastPass for a few years. We've had no big problems. I do like the ability to share certain records so we don't have to coordinate carefully when (for example) a bank forces us to change a password.

    Do bitwarden or other alternatives offer a similar feature?

    Yeah, it works slightly differently on bitwarden as it’s done by putting passwords into groups rather than directly sharing, but after a short adjustment it’s not bad. The import procedure will lose a lot of the sharing info so it would need to be set up again which is a little bit of a pain.

    All that said, the best password manager is the one that you will use, and if you have family comfortable on a platform it might be worth sticking with. 25 year old me would have hated me saying this, but I also no longer use Arch Linux, strict no-script settings on the browser, and so on. Gotta find the Pareto optimal point of security and convenience. Sk_tle’s method is the gold standard, but you (probably) aren’t going to want to live with the maintenance and procedural demands. Everything is a trade-off.

  9. #9
    Join Date
    Jun 2008
    Location
    USA
    Posts
    3,642

    To be clear, I have different passwords for all my various accounts, it's just that the manner in which they are "stored" is a bit old-school.

  10. #10
    Join Date
    May 2010
    Location
    Chicago
    Posts
    3,003

    Another benefit is that when you go to a site and the PW manager offers to auto fill it then you know you are at the correct site. Assuming you used the correct site in the first place.

  11. #11
    Join Date
    Jun 2012
    Location
    Seattle
    Posts
    910

    Has anyone seen an expert review of Apple's password manager?

  12. #12
    Join Date
    Jun 2015
    Location
    Belgium
    Posts
    2,277

    Been thinking about the same recently, and the one service provider that keeps getting mentioned by people I know is Dashlane.
    Chikashi Miyamoto

  13. #13
    Join Date
    Dec 2014
    Location
    Virginia Beach
    Posts
    244

    Quote Originally Posted by Mabouya View Post
    I'm thinking of finally joining the 20th century and switching to that instead of what I'm currently doing.

    I would think that there are some risks to going that route, but I assume most folks would say "that's certainly a lot better than what you're doing now..."

    Wirecutter recommends "1Password" if you're willing to pay, and "Bitwarden" if you want a free service.

    Anyone care to suggest anything else I need to know?

    Edit: In the near future I'm going to be upgrading from a flip-phone to either a Google Pixel 5a or 6, which will allow me to use fingerprint login, and misc other mobile fancy stuff, so that's a bit of a consideration as I look at manager options. (unless all of them already offer that, in which case it will be a non-factor)

    TIA

    Not mine:

    I'm state of the art compared to you. I keep mine in a word processing program, in a file that is password protected and named to seem to be something standard. I don't pretend that it is really all that secure in a high tech world, but I also don't assume Mr. Robot is interested in my stuff.

    I started off using a "system" to help me remember unique passwords for each service I have. Maybe something along the lines of Pw4JimB@AMX!. I have gone away from a repetitive standard system because it seems a little obvious. I still use a variety of modified systems simply to make them easy to type with only a brief look at it. In the past I have even entered them in my word file with a very simple code (like capital letters are really lower case, etc) but that could be problematic if my wife or kids ever needed to get access without me. Thus, I've gotten lazy and put them in the file as is.

    With the 2 system authorization that is standard now, I feel a little more secure. However, I realized today that I might want to add my wife's phone as an option on all those.

    For any site like this one that does not have any important information about me, I use the same, super simple password for all of them. Somewhat unique to me but likely very hackable. If you want to hack me here, have fun.

  14. #14
    Join Date
    Jun 2008
    Location
    USA
    Posts
    3,642

    A related question, now that I've been reminded of this thread:

    Does anyone know if password managers always "auto-submit" your password to a given site, or, if you wish do you have the option of typing in something (say a prefix or suffix, or something in the middle) to add to the password that the manager has stored?

    TIA

  15. #15
    Join Date
    Aug 2010
    Location
    Just here for the pets
    Posts
    888

    I’m going to be the contrarian and say that the paper and pencil is a good idea (with a better password). At this point, everyone requires an account and password (E-Tube??). For those a manager is convenient, but there is no way I’m giving my bank password to one of those. When the CIA want something to be secure, they require a physical separation from the net.

  16. #16
    Join Date
    Jun 2008
    Location
    USA
    Posts
    3,642

    Quote Originally Posted by Philster View Post
    I’m going to be the contrarian and say that the paper and pencil is a good idea (with a better password)

    I want to try and get the best of both worlds, hence my question in Post # 14.

  17. #17
    Join Date
    May 2010
    Location
    Chicago
    Posts
    3,003

    Quote Originally Posted by Mabouya View Post
    A related question, now that I've been reminded of this thread:

    Does anyone know if password managers always "auto-submit" your password to a given site, or, if you wish do you have the option of typing in something (say a prefix or suffix, or something in the middle) to add to the password that the manager has stored?

    TIA

    My only experience is with Lastpass and it does not. So yes you could have it fill in a PW and then add your extra special characters for super secrecy.

  18. #18
    Join Date
    May 2010
    Location
    Chicago
    Posts
    3,003

    Another bonus of PW managers is website confirmation. When I go to my bank website the username and PW are filled in automatically. If I were to accidentally mistype the address for my bank and it brought me somewhere malicious my info wouldn't get filled in raising a red flag that something isn't right.
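
The autofill behaviour described in posts #10 and #18, as an added sketch that is not taken from LastPass, Bitwarden or any other manager: a saved login is offered only when the page's origin equals the saved one. The `bank.example` and `forum.example` names and the exact-origin rule are assumptions; real managers offer other matching modes.

```python
from urllib.parse import urlsplit

# Constructed vault: saved login URL -> credential label (hypothetical names).
VAULT = {
    "https://online.bank.example/login": "bank login",
    "https://forum.example/": "forum login",
}

# Constructed page URLs a user might land on.
CHECKS = [
    "https://online.bank.example/login?next=/accounts",  # the real site
    "https://ONLINE.BANK.EXAMPLE:443/",                  # same origin, other spelling
    "https://online.bnak.example/login",                 # mistyped address
    "https://online.bank.example.evil.example/login",    # look-alike subdomain
    "http://online.bank.example/login",                  # plaintext downgrade
    "https://online.b\u0430nk.example/login",            # Cyrillic 'a' homoglyph
]


def origin(url):
    """Return (scheme, host, port) with the host lower-cased and IDNA-encoded."""
    parts = urlsplit(url)
    host = (parts.hostname or "").encode("idna").decode("ascii")
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, host, port


def autofill_candidates(page_url, vault=VAULT):
    """Offer a saved login only when the page origin equals the saved origin."""
    page = origin(page_url)
    if page[0] != "https":
        return []  # never fill into a plaintext page
    return [label for saved, label in vault.items() if origin(saved) == page]


if __name__ == "__main__":
    for url in CHECKS:
        offered = autofill_candidates(url)
        print(f"{url!r}: {offered if offered else 'nothing offered'}")
```

As post #10 notes, the check is only as good as the URL that was saved in the first place.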

  19. #19
    Join Date
    Jun 2008
    Location
    Portland
    Posts
    1,759

    Please be sure to use a very good master password. My dad used a password manager and then printed out the ID/Pass list eight or ten times and left it all over his house. It's great if you're trying to shut down accounts to settle an estate, not so great if you have dozens of health care workers coming in and out of the house to take care of a sick spouse. Just hours ago, I found $20,000 of checks that someone wrote to themselves from my parents' account. They also downloaded and filled out a form to give themselves access to a credit card.
    Sean Chaney
    www.vertigocycles.com
    a peek behind the curtain

  20. #20
    Join Date
    Jan 2009
    Location
    Wellington, New Zealand
    Posts
    2,589

    For most people there are two locations you use passwords: On your web browser and on apps on your phone. The nice thing about the paid password managers is they will generally work with both of these.

    If you're not using apps then your web browser (Firefox, Chrome, Edge, Safari etc) will already have a built-in password manager which is both convenient and secure. It will suggest strong passwords for new websites you sign up for, and will store passwords for others.

    It's also worth popping your email into Have I Been Pwned - this website will reference your email address against known published lists of username / passwords from previous breaches. It's important to note this website does not ASK or SHOW your password, it only tells if your email address shows up from previous data breaches.

    Let the password manager pick, manage, and store passwords for all your "low level" websites, and then use individual, secure, passwords for your email (because it's used as a 'password reset') and any bank / financial services.

    Another note on passwords: pick something easy to remember but hard for a machine to crack. "8526" is only 4 digits but is hard for me, a stupid human, to remember but will take a machine only seconds to crack.

    Instead use phrases which are easy to remember: "IReallyLikeRidingMyBik3" is a very secure password which is also very easy to remember.
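
An added estimate for the two passwords in post #20, not part of the post: search effort under a character-by-character model and under a word-list model, taking the cheaper of the two. The guess rate and vocabulary size are assumed figures, and the word model treats the words as picked at random, so for a natural sentence it is an upper bound.

```python
import math
import re
import string

GUESSES_PER_SECOND = 1e10  # assumption: offline attack on a fast hash
VOCABULARY = 20_000        # assumption: size of the attacker's word list

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password):
    """Alphabet a character-by-character search has to cover."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password):
    """log2 of the search space when every position is tried independently."""
    return len(password) * math.log2(charset_size(password))


def split_words(password):
    """Split CamelCase into tokens; digits stay attached (Bik3 is one token)."""
    return re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+|[^A-Za-z0-9]+", password)


def word_model_bits(password):
    """log2 of the search space when each token is one pick from a word list."""
    return len(split_words(password)) * math.log2(VOCABULARY)


def estimated_bits(password):
    """An attacker uses whichever model is cheaper, so take the minimum."""
    return min(brute_force_bits(password), word_model_bits(password))


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Time to try the whole estimated search space at the assumed rate."""
    return 2 ** estimated_bits(password) / rate


if __name__ == "__main__":
    for pw in ("8526", "IReallyLikeRidingMyBik3"):
        print(f"{pw!r}: {len(split_words(pw))} token(s), "
              f"brute force {brute_force_bits(pw):.1f} bits, "
              f"word model {word_model_bits(pw):.1f} bits, "
              f"worst case {seconds_to_exhaust(pw):.3g} s")
```

The 23-character phrase counts as six tokens under the word model, which is why its estimate is far below the character-by-character figure while still being many orders of magnitude above the 4-digit code.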
