OT: UserID/Password storage apps....

Submitted by Champeen on

What is everyone using?  What one(s) should people stay away from?  Free?  Cost?

I'm at the point with so many site UserId/Passwords I cannot remember jack anymore.  I'm sure there are many out here with more to store than I have.

 

*EDIT*

Thanks all.  Some very good starting points for future research :)

 

jakerblue

January 17th, 2018 at 11:18 AM ^

I either let Google remember for me. Or I just click the forgot password link.

I have a couple iterations of the same password I use for all the whatever sites that don't have any real personal info that I wouldn't give a crap about getting hacked on

Then one good, complex password for all banking type stuff.

MaizeAndBlueWahoo

January 17th, 2018 at 11:23 AM ^

I've been thinking about using a password manager like Dashlane.  But I have a question: Given how often any cloud-based anything gets hacked, why should I consider it more secure than simply storing a bunch of passwords on a spreadsheet located on an external hard drive that sits next to my computer?  Isn't my own tiny little cloud that I can personally disconnect from everything, safer than the big one?

canzior

January 17th, 2018 at 4:18 PM ^

I have been using Dashlane for about 3 months now, and I just upgraded to the paid version. It syncs my passwords across all devices, work computer, home computer, cell phone, and iPad.  It also lets you know if a password you choose is weak...or if the site has been hacked. It will monitor your passwords for any that are weak, or common to your other passwords and recommend changes. It can also autogenerate passwords for you that are absurdly (but necessary) long for whichever site you choose. Using multiple devices, it was worth the $40 per year for me. 

Before that I used Google Keep...and before that I used to keep my work related passwords on my company iPhone, in Notes. 

I Bleed Maize N Blue

January 17th, 2018 at 5:04 PM ^

What happens to your external hard drive if there's a fire, tornado, etc? Or what if it just fails? Do you have another external hard drive in an offsite location?

A cloud could get hacked, but will they be able to decipher the info?

Check the Dashlane Security page for more. Also, there's a white paper with further info. If I'm following it correctly, they don't store your User Master Password (UMP) on their servers, nor any derivative of it. There is a User Device Key for each device you're using with Dashlane to authenticate it. Your UMP is used with a 32-byte salt (additional random data) to generate a 256-bit key used to encrypt or unencrypt your data. You can also add in 2-factor authentication.

So without your UMP and device key (and secondary key, if 2FA), how is a hacker to decipher the data?
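
The derivation described in the post above (master password plus a 32-byte salt giving a 256-bit key that encrypts the vault), as an added example that is not part of the thread and is not Dashlane's code. The post does not name the key-derivation function, work factor or cipher, so PBKDF2-HMAC-SHA256, the iteration count, the HMAC-based stream standing in for AES-256, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; the post gives none


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Master password + 32-byte salt -> 256-bit key (KDF choice is assumed)."""
    if len(salt) != 32:
        raise ValueError("salt must be 32 bytes")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys so one key never serves two purposes.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a cipher such as AES-256.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password: str, plaintext: bytes) -> dict:
    """Return the only thing that would be synced: salt, nonce, ciphertext, tag."""
    salt, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(master_password: str, blob: dict):
    """Return the plaintext, or None if the password is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(derive_key(master_password, blob["salt"]))
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])
```

Neither the master password nor the key appears in the sealed blob, but anyone holding the blob can still test password guesses offline, so the protection rests on the master password's strength and the work factor.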

MGoAragorn

January 17th, 2018 at 11:26 AM ^

I don't like any of the password storage apps. As Willie Sutton said, "That's where the money is." To me, they're just too tempting for serious attackers. Plus, I would be ceding some level of control to an intermediary, which I don't like.

I have a formula for passwords that results in a) unique passwords for every site; b) passwords that are at least 10 characters long; c) lower case, upper case, numbers, and a special character. For financial sites, I have kicker characters. For a given site, I can usually figure out the password using the formula in my head and the site I'm trying to sign into.

However, that's sometimes not possible. For example, some sites don't allow special characters. Other times, the formula and site might result in a couple of different password possibilities. For that, I need a lookup table.

I have a 128-bit encrypted, innocuously named Excel spreadsheet that resides in an unshared folder on Google Drive. It's accessible to my phone, my iPad, and my laptop. I don't access the spreadsheet from untrusted systems. The password to the spreadsheet is long, complex, but unchanging. It would take serious horsepower and time to crack that file, assuming it could even be found.

BTW - I also have other important data in various tabs in the spreadsheet. It really is like a safe deposit box for my family's info.

If my system is already compromised (e.g. keystroke logger, other types of surveillance malware), I'm screwed. If not, I think my method is pretty safe. Good luck to the dude who wants to break into my Google Drive, find that innocuous Excel file, and crack the encryption.

BrewCityBlue

January 17th, 2018 at 12:16 PM ^

Have a base password with lowercase, uppercase and numbers. U need to always remember this. Then feather in unique characters in spots based on the place u are logging into. If u do a good enough job of this then one pword being compromised should not affect other logins.

canzior

January 17th, 2018 at 4:13 PM ^

Dashlane is pretty good. Free version or $40 per year to sync across all devices.  Auto updates your passwords too if you choose, and will generate passwords for you.  You also get notifications if a site is hacked, and will suggest you change your password. Few other neat features. 

quakk

January 17th, 2018 at 4:34 PM ^

I happily used LastPass for a long time. After it was discovered that hackers could steal your password if you use autofill, I set all my passwords to not autofill. Then I swear they changed the polarity, i.e. new and hundreds of my existing passwords now autofill unless I go back in and explicitly tell them not to. And they doubled their annual fee. So it was time to look for alternatives. I found BitWarden. It does almost everything LastPass does for free. In fact, I can't think of anything I miss. I also second the recommendation for two-factor authentication.