Passwords..UGH!

[penym]

Being a bit non zealous in thinking g of new passwords on so many sites I visit, I am sick of Apple chiding me and telling me to change passwords and have spent my morning changing ones used too many times. It may be time when I must invest in a decent keeper of Passwords! I expect I will have to pay for a decent one that is easy to use and manage but before I decide I would welcome the advice of experts here. Help!

[Lanark]

It depends a little on the different platforms where you will want to use it, but I recommend taking a look at

Keepass - free but Windows only
KeePassXC - MacOS version of Keepass
Bitwarden - free for 1 or 2 users. Windows/Mac/Mobile
1password - subscription required. Windows/Mac/Mobile

[kyu66]

Being a bit non zealous in thinking g of new passwords on so many sites I visit, I am sick of Apple chiding me and telling me to change passwords and have spent my morning changing ones used too many times. It may be time when I must invest in a decent keeper of Passwords! I expect I will have to pay for a decent one that is easy to use and manage but before I decide I would welcome the advice of experts here. Help!

No real need to pay for a good password manager.

I have used Keepass on Windows devices and KeepassXC on Linux/MacOS devices for years. The database format is readable by both versions so I can easily keep them up-to-date across a range of devices including smartphones.

Keepass and it's variants stores a database of your passwords as a file on your machine so it is not a cloud-based service.

HTH
kyu66

https://keepass.info/
https://keepassxc.org/

[Gaggsy]

I'm not an expert by any means, but have done a little research into password managers.

I currently use Bitwarden https://bitwarden.com/ which I switched to from Lastpass when the latter decided to start charging for using their service if you used it on multiple platforms (e.g. phone/tablet/laptop).

I'm happy with what Bitwarden provides. I use it on two laptops, a tablet, my personal android phone and my work-provided iPhone. It synchronises across all these devices. On the mobile devices you install an app and on the laptop/desktop you install browser extensions. I was able to easily migrate all my passwords from my old LastPass account. You can set it to automatically fill in usernames and passwords when you visit saved websites and it does this fairly well and fairly consistently. You can also access your account from their website which could be useful if you're using someone else's computer and need to log in to a site.

Of the the free use password managers I think this is the best, or was for me at the time I did my research. Onepass, LastPass and Dashlane are also good but can cost you.

Of course you can also save your passwords to your browser. This is probably the easiest to implement but this used to be a 'bad idea' as its wasn't very secure - anyone with access to your computer could find your passwords. However, I understand that improvements have now been made and it might not be as bad as it once was. Chrome is often recommended. I don't use it for saving passwords.

I can only talk about what I use. There are many options and you'll have to decide based on what you want to pay and how complex the process is.

Good luck!

[kiloran]

Being a bit non zealous in thinking g of new passwords on so many sites I visit, I am sick of Apple chiding me and telling me to change passwords and have spent my morning changing ones used too many times. It may be time when I must invest in a decent keeper of Passwords! I expect I will have to pay for a decent one that is easy to use and manage but before I decide I would welcome the advice of experts here. Help!

No real need to pay for a good password manager.

I have used Keepass on Windows devices and KeepassXC on Linux/MacOS devices for years. The database format is readable by both versions so I can easily keep them up-to-date across a range of devices including smartphones.

Keepass and it's variants stores a database of your passwords as a file on your machine so it is not a cloud-based service.

HTH
kyu66

https://keepass.info/
https://keepassxc.org/

As a Keepass user on Windows, Linux and Android for many years, I agree, but a non-expert user might like to consider:

• If stored as a file on the device (as I do) the file needs to be manually copied to each device. And decide which device is considered as the master copy. I think Keepass can use Google Drive, but that is cloud based and I prefer not to do that
• If stored as a file, do you have a reliable backup process?

A cloud-based tool (Lastpass?) might be better (if slightly less secure) than a file-based solution

--kiloran

[Infrasonic]

For non critical passwords the browser option is pretty easy and relatively secure. I use Chrome for that across multiple OS'. One advantage is that it has a built in security checker to see of your various services and/or password have been involved in any data security leaks/breaches.
I have one password that routinely gets flagged up but it's non critical and I can't change it anyway.

For banking and other mission critical password stuff I keep it in my head with a backup on paper and a coded entry on a cross OS platform app (Google Keep) in the archive section - so not immediately visible.

It would make more sense to move to one of the dedicated password systems suggested up thread for the sensitive stuff - but so far I haven't gotten around to it...

[SalvorHardin]

Super critical passwords.

At work, in office, tricky.

If you're like me where the domestic environment is all you deal with and is seriously locked down (no lodgers, no transients, no f*ckwits) there is a lot be said for pen and paper.

Especially with a little bit of misdirection. Such as passwords written in places that you don't expect to see them, and disguised (e.g. in the middle of some notes about the CNO stellar cycle)

And I don't do internet banking. If my bank insisted that I had to, I'd move elsewhere

[Lanark]

For non critical passwords the browser option is pretty easy and relatively secure.

Browser stored password are always going to be readable by someone who has physical access to your computer. The bigger issue is can they be remotely read by a malicious website you happen to visit. The current thinking is that browser password storage is designed by world class security experts, who will probably do a better job than some janky browser plugin designed by some company selling a password generator program.

So what I do is let the password generator create/store the password for long term storage, but allow the browser to save passwords to keep things simple day to day.

[Lanark]

And I don't do internet banking. If my bank insisted that I had to, I'd move elsewhere

I used to be like that, in the early days internet banking was super sketchy, but now I think it is far safer and more secure than any of the alternatives.

[simoan]

Super critical passwords.

At work, in office, tricky.

If you're like me where the domestic environment is all you deal with and is seriously locked down (no lodgers, no transients, no f*ckwits) there is a lot be said for pen and paper.

Especially with a little bit of misdirection (passwords written in places that you don't expect to see them, and disguised (e.g. in the middle of some notes about the CNO stellar cycle)

And I don't do internet banking. If my bank insisted that I had to, I'd move elsewhere

I keep my passwords in a notebook. It's simple and not resident on any of the computers I use them on. I then have a method for translating the written password into the real password using a non-trivial character replacement method known only to me, so even if someone steals the notebook they do not have my real passwords.

Works for me! Si

[Arborbridge]

It's been said that the chance of having a "codebook" stolen by a burglar is much less than the chance of having passwords stolen from your computer. Therefore, I have a number of passwords in cryptic form in a codebook. The passwords also have numbers or characters (not written in the codebook) which are changed regularly. Those elements are written down elsewhere.

For ultra secure things I've been experimenting with passwordcard https://www.passwordcard.org/en

It seems pretty clever, but not terribly convenient.

Most of my banks have a 2 factor authentification system so feel secure.

I am still not at the stage where I feel I can trust any third party system such as those discussed here in case there's a back door entry system. No passwords of any importance are stored on my computer or phone, and I never used the phone for banking.

Arb.

[xeny]

I am still not at the stage where I feel I can trust any third party system such as those discussed here in case there's a back door entry system. No passwords of any importance are stored on my computer or phone, and I never used the phone for banking.

Keep in mind that there is potential for the same trust issue with any web browser you may use to access online financial services.

I use keepass. I don't name the credentials for the name of the service they're used for, so even if someone gets access to the database, they gain credentials where it is unclear what service they are for.

[GeoffF100]

Passwords are only part of the problem. I find memorable answers even more of a problem. I have seen password managers, but I am yet to find a memorable answer manager. I write clues on a piece of paper that I hide. I also have the clues on a cloud account - a different cloud account to the one that stores my account numbers.

[kiloran]

Passwords are only part of the problem. I find memorable answers even more of a problem. I have seen password managers, but I am yet to find a memorable answer manager. I write clues on a piece of paper that I hide. I also have the clues on a cloud account - a different cloud account to the one that stores my account numbers.

Keepass can store memorable info (and anything else you want, even files)

--kiloran

[Arborbridge]

I am still not at the stage where I feel I can trust any third party system such as those discussed here in case there's a back door entry system. No passwords of any importance are stored on my computer or phone, and I never used the phone for banking.

Keep in mind that there is potential for the same trust issue with any web browser you may use to access online financial services.

I use keepass. I don't name the credentials for the name of the service they're used for, so even if someone gets access to the database, they gain credentials where it is unclear what service they are for.

True. Indeed with possible leakyness and the potential for hacking or spy software/data logging being placed on one's own computer, I sometimes wonder what the point is of changing passwords frequently or indeed having complex ones. Well, of course it cuts down risk, but if a hacker can see exactly what one is doing we're dooomed.

Arb.

[Infrasonic]

One of the reasons to keep secure boot enabled and things like TPM modules switched on if you have them is it can help prevent rootkit infections, key loggers etc.

You don't have to use passwords - hardware key solutions like USB/NFC U2F are available across many OS platforms now and the list of services that implement them is growing all the time.

[Arborbridge]

Passwords are only part of the problem. I find memorable answers even more of a problem. I have seen password managers, but I am yet to find a memorable answer manager. I write clues on a piece of paper that I hide. I also have the clues on a cloud account - a different cloud account to the one that stores my account numbers.

Do you have clues as to where you hide the clues, though?

[Arborbridge]

One of the reasons to keep secure boot enabled and things like TPM modules switched on if you have them is it can help prevent rootkit infections, key loggers etc.

You don't have to use passwords - hardware key solutions like USB/NFC U2F are available across many OS platforms now and the list of services that implement them is growing all the time.

Well, there's the rub. I (and no doubt others) haven't a clue what you are talking about

Some people are really good at this stuff, but most of us just straggle along and hope to learn a few things on the way. Mostly, people just want to use the internet, not spend enternity worrying about it: that's our Nirvana.

Arb.

[XFool]

It's been said that the chance of having a "codebook" stolen by a burglar is much less than the chance of having passwords stolen from your computer. Therefore, I have a number of passwords in cryptic form in a codebook. The passwords also have numbers or characters (not written in the codebook) which are changed regularly. Those elements are written down elsewhere.

For ultra secure things I've been experimenting with passwordcard https://www.passwordcard.org/en

It seems pretty clever, but not terribly convenient.

Ingenious. Rather reminds me of the older bank etc. log on security cards, all gone now. I used to like those, simple and straightforward. I suppose their theoretical weakness nowadays is the ubiquity of mobile phone cameras, allowing them to be 'stolen' without needing to remove them. (Same issue with the above?)

I am still not at the stage where I feel I can trust any third party system such as those discussed here in case there's a back door entry system. No passwords of any importance are stored on my computer or phone...

Same here, no third party involved, I just write them all down. I must have been using Internet banking for years now. Best security: a long enough password.

[vrdiver]

Another +1 for keepass.

I use it on windows and android, with no problem problem.

Memorable answers are stored in it, which lets me have some fun, as questions like "what is your mother's maiden name? or what was your first pet?" no longer have to have true or even sensible answers!

I also store 2FA backup codes and the relevant QR codes in there, so recovering access to sites after losing a phone (with the 2FA generator on it) is a lot less hassle.

Mrs VRD has access to my keepass database, and I to hers, which means if one of us is overtaken by events at least the other can tidy things up... (this last is optional, depending on your situation!)

VRD