Password management software

Joe Sixpack

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
4,065
Mansfield, MA
SumnerH said:
 
By "not really an OS issue" you mean "absolutely an OS issue, and unrelated to the OS we've been discussing for the last 7 posts."
 
Obviously if you use the OS keyring, you wouldn't have encryption on Windows before Windows had an OS keyring.
 
The original point I was disputing was that it was safe to store passwords in Chrome.
 
For anyone using Windows or Mac, which represents about 99% of people out there, that statement was completely, 100% untrue until December 2013.
Admittedly, it has been semi-fixed for about 4-5 months now, depending on how you view the current state. Regardless, whether it's considered an OS issue or a browser issue is really not the point anyway.
 
The original issue was pointed out by a Mac user who found that you could go into the Chrome password settings and click "show passwords" to see all of them in plain text with no authentication required.
 

SumnerH

Malt Liquor Picker
Dope
Jul 18, 2005
25,934
Alexandria, VA
Joe Sixpack said:
 
The original point I was disputing was that it was safe to store passwords in Chrome.
 
For anyone using Windows or Mac, which represents about 99% of people out there, that statement was completely, 100% untrue until December 2013.
 
 
In what Foxconn plant are you manufacturing those numbers?  The majority of Chrome browser installations are on Linux devices (primarily Android devices).
 

Joe Sixpack

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
4,065
Mansfield, MA
SumnerH said:
 
In what Foxconn plant are you manufacturing those numbers?  The majority of Chrome browser installations are on Linux devices (primarily Android devices).
Sorry, you're right, I should have said 99% of desktop users. 
 

SumnerH

Malt Liquor Picker
Dope
Jul 18, 2005
25,934
Alexandria, VA
Joe Sixpack said:
Sorry, I should have said 99% of desktop users (and I'm sure you knew that this was what I meant).
 
Yes I knew what you meant, I was pointing out that it's wrong because it completely changes the scope of what you're talking about.  
 
Saying password storage is OS dependent isn't a footnote affecting 1% of users, as you stated: it's something that's important and means a majority of Chrome users shouldn't even have worried before those other OSes were fixed.
 

Joe Sixpack

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
4,065
Mansfield, MA
SumnerH said:
 
Yes I knew what you meant, I was pointing out that it's wrong because it completely changes the scope of what you're talking about.  
 
Saying password storage is OS dependent isn't a footnote affecting 1% of users, as you stated: it's something that's important and means a majority of Chrome users shouldn't even have worried before those other OSes were fixed.
 
I don't think it completely changes the scope at all. It's not like the combined Windows/Mac OS Chrome user base is some niche market. This product had a major security flaw on those two operating systems that has been only recently, and only partially, fixed, and that should not be discounted just because it's not an issue with Android or Linux. It's important for people to be aware of this.
 

Blacken

Robespierre in a Cape
SoSH Member
Jul 24, 2007
12,131
SumnerH said:
By "not really an OS issue" you mean "absolutely an OS issue, and unrelated to the OS we've been discussing for the last 7 posts."
 
Obviously if you use the OS keyring, you wouldn't have encryption on Windows before Windows had an OS keyring.
Windows has had CryptProtectData forever, which does roughly the same thing. I don't know if they were using it or not, because I can't be fucked to go bisect the tree right now, but it's been there. The problem that everyone was aflutter about and was fixed in Dec 2013--and it is a problem, but not really unless you're the sort to leave your machine unlocked--was that, on desktop browsers with keyring support, Chrome would cache credentials so you could, as he said, click "show password" to show any password within the chrome settings/passwords page.

Which is not the same as unprotected data, because an attacker still needs user-level access to go find those cached credentials. Which means you already have system access and can do way, way worse stuff than peep at passwords.

The janitorial staff lecturing me on security is funny, though.
 

geoduck no quahog

not particularly consistent
Lifetime Member
SoSH Member
Nov 8, 2002
11,465
Seattle, WA
So, these programs only store your passwords in a safer and more convenient manner than an encrypted excel sheet or a piece of paper, right?

Meaning, if a website gets hacked and they get your user info and password, a program like 1password hasn't really helped you. Is that correct?

If so, what's the point of changing your passwords or having the program generate a complex one for you?
 

SumnerH

Malt Liquor Picker
Dope
Jul 18, 2005
25,934
Alexandria, VA
geoduck no quahog said:
So, these programs only store your passwords in a safer and more convenient manner than an encrypted excel sheet or a piece of paper, right?

Meaning, if a website gets hacked and they get your user info and password, a program like 1password hasn't really helped you. Is that correct?

If so, what's the point of changing your passwords or having the program generate a complex one for you?
If you generate complex passwords and use different ones for different sites, changing them often is highly overrated.
 
Complex passwords matter. That website that gets hacked probably isn't storing your password at all; it's storing a hash* of your password. A hash is a one-way function; you can generate a hash from any word easily, but you can't get back from the hash to the original word. The way attackers get your password is a dictionary attack; they run through the whole dictionary** and hash every word, comparing it to the stored hash, then do the same with common replacements (i->1, a->@, etc), common transpositions, etc. If you have a complex password then they're not going to be able to recover it.
 
Some websites are idiotic and store your actual password.  This is why it's important to use different passwords at different sites: suppose Amazon has good security and stores your password well, but SomeDumbSite.com stores your password in plain text.  If you use the same password on both, then someone could hack SomeDumbSite, learn your password, and use it on your Amazon account.
 
*http://en.wikipedia.org/wiki/Cryptographic_hash_function
**Or rather, a dictionary of "words" commonly used in passwords; it's not limited to the English language dictionary
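
The dictionary check described in the post above, written from the defender's side as an added example that is not part of the original thread: it audits a table of unsalted hashes against a wordlist with the common substitutions mentioned (i->1, a->@), then shows a per-user salt with a slow KDF. The wordlist, account names, passwords and function names are all constructed for illustration.

```python
import hashlib
import hmac
import itertools
import os

# Constructed sample data: a tiny password "dictionary" and common swaps.
WORDLIST = ["password", "redsox", "fenway", "baseball"]
SUBS = {"i": "1", "a": "@", "o": "0", "e": "3", "s": "$"}


def variants(word):
    """Yield the word with every combination of the common substitutions."""
    choices = [(c, SUBS[c]) if c in SUBS else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def fast_hash(password):
    """Unsalted single-round SHA-256: what a careless site might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_unsalted(stored):
    """Return {user: password} for every stored hash the wordlist reaches."""
    lookup = {fast_hash(v): v for w in WORDLIST for v in variants(w)}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def slow_hash(password, salt, rounds=200_000):
    """Per-user salt plus PBKDF2: one table no longer covers every account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def new_record(password):
    """Create the (salt, hash) pair a site would store for one account."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def verify(password, salt, expected):
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(slow_hash(password, salt), expected)


# Constructed accounts: two "clever" dictionary words, one generated password.
ACCOUNTS = {
    "alice": "b@seb@ll",
    "bob": "f3nw@y",
    "carol": "q7#Vt2!mZx9&Lr4pWd",
}
STORED = {user: fast_hash(pw) for user, pw in ACCOUNTS.items()}

if __name__ == "__main__":
    # Only the substituted dictionary words are recovered, not the random one.
    print(audit_unsalted(STORED))
```
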
 

SumnerH

Malt Liquor Picker
Dope
Jul 18, 2005
25,934
Alexandria, VA
Also, when it comes to "complex passwords" remember that it's all about making it tough for a computer to guess; using funny characters and misspellings isn't a great way to do that.
 
 

geoduck no quahog

not particularly consistent
Lifetime Member
SoSH Member
Nov 8, 2002
11,465
Seattle, WA
Thanks for the info, Sumner. Sealed the deal for me.
 
I just tried to download Dashlane (was willing to pay), but it won't execute on my Windows 7 machine.
 
Guess I'll try 1Password.
 

Joe Sixpack

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
4,065
Mansfield, MA
Just to add on to Sumner's point above, "SomeDumbSite.com" is actually eBay, which recently was hacked and was found to store all their passwords encrypted, but not hashed.

So regardless of your password's complexity on eBay, it's likely that it has been compromised.
 

ScubaSteveAvery

Master of the Senate
SoSH Member
Jul 29, 2007
8,329
Everywhere
I've been using 1Password and have found it to be really useful, especially with my Apple devices. It syncs seamlessly between my laptop, iPhone, and iPad. At work I find it a little cumbersome since some sites aren't really utilized for 1Password's internal browser, so manually typing in passwords can be tedious. Overall though, I'm really impressed and actually get annoyed when websites limit me to 9 characters and no special characters since the password is only medium strength.
 

HriniakPosterChild

Well-Known Member
Gold Supporter
SoSH Member
Jul 6, 2006
10,495
500 feet above Lake Sammammish
Joe Sixpack said:
Just to add on to Sumner's point above, "SomeDumbSite.com" is actually eBay, which recently was hacked and was found to store all their passwords encrypted, but not hashed.

So regardless of your password's complexity on eBay, it's likely that it has been compromised.
 
That was actually SomeDumbSite2.com.
 
SomeDumbSite.com was adobe.com, but ebay must not read the papers.
 

Yaz4Ever

stumps for Trump
Lifetime Member
SoSH Member
Not to bump the infighting that previously took over this thread, but I'm ready to purchase a password manager and I was hoping for some hands on experience from the more tech savvy people on this board.
 
From what I can tell, Dashlane is the easiest and most pleasing looking of the bunch.  Dashlane, LastPass, and KeePass seem to be the big three and they all seem to offer fairly similar experiences.  Free is obviously better if all else is equal, but I'm willing to pay for something secure, easy to use, and that will work for our purposes.
 
I'd be using this password manager on four devices (maybe five) - all Apple products (iPhones, Macbooks, and possibly an iPad) that my wife and I use.
 
I've also read that some are better served if you provide your own cloud storage - I've got Dropbox and I'll sign my wife up as well, if necessary.
 
All of the important accounts - banks, credit cards, car loans, etc - will be shared completely.  Personal accounts - SoSH, Facebook, Instagram, etc - are user dependent, obviously.
 
I think that's about all anyone who understands this stuff better than me will need to make an informed response.  If you need my SSN, mother's maiden name, first elementary school attended, etc, just let me know and I'll PM it to you (figured I'd get that out of the way before ghoff showed up).
 

ScubaSteveAvery

Master of the Senate
SoSH Member
Jul 29, 2007
8,329
Everywhere
I've used 1Password on my Mac, iPhone, and iPad and have loved it on all devices.  It integrates well with Safari through a widget.  The browser within the apps is decent and I use it quite a bit since it auto-loads user names and passwords. The only annoying thing is typing the "master password" every time I close the app.  However, they released a preview of allowing people to log in using the fingerprint reader on the iPhone, which would be awesome and negate that process. 
 
You didn't mention it as an option, but I figured I would put my two cents in for it. 
 

derekson

Well-Known Member
Bronze Supporter
SoSH Member
Jun 26, 2010
4,399
If you're using all Apple products already, I don't really see a reason to purchase a password management solution like 1password when you can just use iCloud Keychain.
 
The only thing that iCloud keychain doesn't do that has been annoying to me is let apps store passwords, and I believe they are adding support for that in iOS 8.
 

Yaz4Ever

stumps for Trump
Lifetime Member
SoSH Member
derekson said:
If you're using all Apple products already, I don't really see a reason to purchase a password management solution like 1password when you can just use iCloud Keychain.
 
The only thing that iCloud keychain doesn't do that has been annoying to me is let apps store passwords, and I believe they are adding support for that in iOS 8.
I thought these other options were supposed to be more secure and user friendly.  I've honestly never considered using iCloud keychain, even though I've heard of it.
 

Yaz4Ever

stumps for Trump
Lifetime Member
SoSH Member
ScubaSteveAvery said:
I've used 1Password on my Mac, iPhone, and iPad and have loved it on all devices.  It integrates well with Safari through a widget.  The browser within the apps is decent and I use it quite a bit since it auto-loads user names and passwords. The only annoying thing is typing the "master password" every time I close the app.  However, they released a preview of allowing people to log in using the fingerprint reader on the iPhone, which would be awesome and negate that process. 
 
You didn't mention it as an option, but I figured I would put my two cents in for it. 
SSA, thank you for the insight.  I should've included 1Password as well as most of us considering these services have likely heard of it as well.
 

smastroyin

simpering whimperer
Dope
SoSH Member
Jul 31, 2002
20,684
dumb question.  
 
Does anyone know one of these that will also work to keep a Kindle logged in for purchases on Amazon?  I'm surprised Amazon hasn't bought one of these just for this purpose.  I am trying to set something up for my mother (see pet peeves) but at least with lastpass you need to navigate to the amazon site within its browser to even do things like in-app purchasing, which is pretty bulky.
 
Similarly, anyone know of one that will do the same for google play store?
 

Boston Brawler

Member
SoSH Member
Jan 17, 2011
8,902
Reviving this thread because I've never used a password manager, and I realized today my wife's passwords are all garbage and the same garbage repeated on basically every important site. Mine are slightly less garbage, less repeated, but I was most certainly hit in the Yahoo attack (damn Fantasy sports account!)

I'm looking into LastPass. Anyone here use it? Feedback seems very positive in the reviews I've read and it looks like it works with Apple devices too (which we both have). I'm assuming we would each have to buy/setup an account, or is there some kind of family account?
 

HriniakPosterChild

Well-Known Member
Gold Supporter
SoSH Member
Jul 6, 2006
10,495
500 feet above Lake Sammammish
My wife uses LastPass. She started getting serious about password security when I was still conjuring up schemes to avoid duplicating passwords on important sites. The downside of LastPass is that she has to launch a special LastPass browser app on iOS in order to get automatic password filling. The Safari extension that does the job on macOS doesn't exist on iOS. The LastPass app isn't fast on JavaScript-heavy websites. (These days, that's all of them.)

I use iCloud Keychain because it is tightly integrated with Safari on all Apple devices. I almost never use Windows.

I am not aware of any solution that works seamlessly with iOS apps. When I want to deposit a check to BofA, I open the BofA app, copy the Safari password from the Settings app, and paste the password into the BofA app.
 

Boston Brawler

Member
SoSH Member
Jan 17, 2011
8,902
That's great feedback, thanks much. We are iPhone users for mobile and Windows users for at home laptops, so I'm not sure anything will ever seamlessly work for us...
 

bohous

Member
SoSH Member
Jul 21, 2005
2,787
Framingham
I use Keeper and can confirm it works across all platforms (iOS, OSX and Windows). I rarely use mobile browsers for anything that needs a password but with Safari and Chrome on iPhone you can autofill using Send To and choosing the Keeper extension.
 

TFP

Dope
Dope
Dec 10, 2007
17,419
HriniakPosterChild said:
My wife uses LastPass. She started getting serious about password security when I was still conjuring up schemes to avoid duplicating passwords on important sites. The downside of LastPass is that she has to launch a special LastPass browser app on iOS in order to get automatic password filling. The Safari extension that does the job on macOS doesn't exist on iOS. The LastPass app isn't fast on JavaScript-heavy websites. (These days, that's all of them.)

I use iCloud Keychain because it is tightly integrated with Safari on all Apple devices. I almost never use Windows.

I am not aware of any solution that works seamlessly with iOS apps. When I want to deposit a check to BofA, I open the BofA app, copy the Safari password from the Settings app, and paste the password into the BofA app.
1Password works phenomenally across iOS apps. A lot of them are updated so you can fill your passwords right from the app. Also, Safari has it incorporated so you can very easily pre-fill while in the browser (vs having to go outside and copy/paste).

You have to pay for a lot of this, but I've had an excellent experience with 1Password across all platforms.
 

BroodsSexton

Member
SoSH Member
Feb 4, 2006
9,144
guam
TFP said:
1Password works phenomenally across iOS apps. A lot of them are updated so you can fill your passwords right from the app. Also, Safari has it incorporated so you can very easily pre-fill while in the browser (vs having to go outside and copy/paste).

You have to pay for a lot of this, but I've had an excellent experience with 1Password across all platforms.
+1 (though I don't recall it being very expensive).
 

Van Everyman

Member
SoSH Member
Apr 30, 2009
17,852
Newton
I'm pretty sure I paid $15 or $20 for 1Password a single time. My wife and I use the same account with the vault shared between our Dropboxes. That's a fucking bargain given the security level and convenience.
 

dirtynine

Member
SoSH Member
Dec 17, 2002
4,807
Philly
1Password user here. It's great, and fingerprint recognition has made it virtually perfect. Definitely worth the $30 or so you might spend setting it up across your ecosystem.
 

HriniakPosterChild

Well-Known Member
Gold Supporter
SoSH Member
Jul 6, 2006
10,495
500 feet above Lake Sammammish
TFP said:
1Password works phenomenally across iOS apps. A lot of them are updated so you can fill your passwords right from the app
From what I see here, the list is not all that long and does not include any of the apps I'd care about like BofA, Vanguard, Chase Bank or Uber.

(I was hoping I'd missed something and that I'd have access to my iCloud keychain Safari passwords in those apps, so I started hunting.)
 

SumnerH

Malt Liquor Picker
Dope
Jul 18, 2005
25,934
Alexandria, VA
1password is closed source. There's no way to evaluate its security.

I'd strongly recommend KeePassx or another open source option; if the source to your security oriented software isn't available, you're making 2 terrible assumptions (that the small set of programmers who made it didn't make a stupid mistake, and that they didn't intentionally put in a back door be it for customer support, government pressure, or other reasons).

With open source stuff, even when you never use the source yourself there's been a chance for public security experts to pick through it and evaluate the code.
 

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
10,101
A Lost Time
Formulating a password strategy is on my to do list for this year, so thanks for all the posts here. Very informative.
 

Boston Brawler

Member
SoSH Member
Jan 17, 2011
8,902
SumnerH said:
1password is closed source. There's no way to evaluate its security.

I'd strongly recommend KeePassx or another open source option; if the source to your security oriented software isn't available, you're making 2 terrible assumptions (that the small set of programmers who made it didn't make a stupid mistake, and that they didn't intentionally put in a back door be it for customer support, government pressure, or other reasons).

With open source stuff, even when you never use the source yourself there's been a chance for public security experts to pick through it and evaluate the code.
Do the password managers advertise which they are (open or closed)? And what is the difference for those of us that don't understand what the difference is?
 

SumnerH

Malt Liquor Picker
Dope
Jul 18, 2005
25,934
Alexandria, VA
Boston Brawler said:
Do the password managers advertise which they are (open or closed)? And what is the difference for those of us that don't understand what the difference is?
Open-source means that the source code is publicly available and modifiable; closed-source means the source is kept secret by the company that makes it.

Even if you're never going to look at it yourself, this means that other people can audit it for security, to look for any back doors, etc; most popular open-source projects (especially something like KeePass in the security realm) have been looked at by dozens of independent outsiders. A closed-source product has usually only been self-audited by the company that makes it, or if you're lucky maybe a bored consultant was paid to rubber-stamp it.

Typically open-source projects will advertise that fact, closed-source won't mention it one way or another.

For something as security-important as a password manager there's no way I'd trust a closed-source option.


Copying a list from Wiki:
Proprietary/Closed Source
Open Source
 

Bunt4aTriple

Well-Known Member
Silver Supporter
SoSH Member
Jul 15, 2005
1,919
North Yarmouth, ME
I hate to revisit this, but maybe someone has some insight.

2 years ago, I opted for LastPass. I love it, but my wife does not. I handle the finances, so she only occasionally needs to get in, which is the real issue. She’ll try to log in once every couple of months, can’t remember what to do, get frustrated and quit. There are a few quirky things here and there, but it’s not as easy for her to problem solve.

Are any of the other password managers considered more user friendly? If it matters, we both have PC laptops, but I’m android and she’s iOS. The app hasn’t been the problem. It’s when she wants to print expense receipts, or log into a frequent flyer account to book a flight.

I could take the opportunity to switch to an open source application, but ease of use has to be a consideration.