I highly recommend using a password manager. I finally bit the bullet and started using 1Password a few weeks ago, and I haven't looked back since. It's just so much better than having to remember a thousand different passwords.
Besides securely managing passwords, you can also use a password manager to secure your digital legacy. 1Password has a feature where you can print out "emergency kit" sheets that have the information required to access your password vault. I printed out two of these sheets and gave them to trusted family members in sealed envelopes. In the event that I become incapacitated, they will be able to access my accounts.
Same thing here. I ditched the online password managers a few years back for a similar setup and it's been just about as good as LastPass was, with the added benefit of being stored locally.
Does anyone have a recommendation for a good KeePass client for iOS? Is MiniKeePass still the best option? I've been wanting to switch to KeePassXC + something for iOS for a while but I'm not sure what the best way to go is.
Not GP, but KeePass user: I store my KeePass database on a small thumb drive (SanDisk Cruzer Fit), together with a copy of the KeePass executable. If I absolutely need to decrypt my password database on someone else's machine I can take the "secure" software from the USB and hope for the best. The USB also stores a copy of TrueCrypt and a large TrueCrypt container with backups of my encrypted private keys (PGP, SSH).
Yeah, totally with you — don't trust devices you (or your employer) don't own. I'm borderline still where I trust my employer's devices with my personal passwords sometimes, but even that seems a bit iffy.
I'm going to plug https://bitwarden.com/ since nobody else has yet (I'm not affiliated). Open source, clients for everything, free for personal use, imports from other managers. I had been using a GPG encrypted text file for a long time, then later KeePass (and variants) on dropbox. I switched to Bitwarden a while ago and have been very happy with the whole thing.
Everyone should be using a password manager. You can't really trust the average joe to be able to make secure passwords for the potentially dozens or hundreds of sites and services, and even if they do, they probably use just one secure password for everything.
I just wish there was more seamless support for apps to use 1Password to paste in passwords. There are still sites that prevent pasting into password fields!
It's not that they don't allow the use, it's that they don't have a convenient 1Password icon next to the password field. I've noticed some apps have that. Not sure if it requires some specific integration or some open protocol.
The password manager integration is a public standard. More annoyingly, though, apps can also find out if you've pasted into a field and then immediately clear it (some rinky-dink banking apps do this). So it's a 2-pronged problem.
+1 from me as well. Great for storing literally anything sensitive, syncs flawlessly across devices (I currently use Dropbox to sync the vault, but it supports other options & they have their own syncing/account system (that is not required to use 1Password)).
It is not open source but the vault format is open.
I really wish websites would support use of client side TLS certificates as part of the authentication process. Combining that with a username and password would give you two-factor authentication.
Client side TLS certificates get sent in the clear before you authenticate the server. (You can send them in a renegotiation, but renegotiation has been a historic source of both implementation and protocol security bugs because it does complicated things to TLS state.) So you don't want a client-side certificate that includes your name; that's a huge privacy leak.
You could imagine a scheme where you give a user a certificate with a random subject, and you have a server-side map of random string to user account (so leaking that map isn't the end of the world like leaking passwords; it merely reintroduces the privacy leak above). I recall some proposals for that several years ago. Today, Web Authentication does something effectively equivalent, as does U2F, although they don't involve TLS client certificates specifically.
In TLS 1.3 client certs are sent over an encrypted link, and a reasonable client can and should wait for Finished from the server to arrive, at which point they're entirely sure of who their recipient is too.
Another nice thing is that TLS 1.3 servers can send a CertificateRequest asking for a particular _type_ of certificate, so (if that's ever used in anger) it lets us have clients that don't need to waste the user's time when they don't actually have a suitable certificate anyway. In earlier versions servers could only hint about which CAs they trust, not anything else.
> So you don't want a client-side certificate that includes your name; that's a huge privacy leak.
If it matches the username I have on a website like reddit or HN, then is it really a privacy issue? Anyone, regardless of whether they're logged in or not, can see posts I've made under my username. Though what you say can be an issue for websites where privacy from other users is expected (e.g. banks).
> Today, Web Authentication effectively does something effectively equivalent, as does U2F
Both of those seem to rely on HTTP, while TLS could work with any application level protocol.
They can't see that the posts are coming from your IP address, though. That's one of the things TLS protects—I can post from a coffee shop and nobody at the coffee shop can know (except perhaps by traffic analysis) that the person at the table next to them is the person with this username.
I looked into this and the user experience involved is very poor, in particular the browser interfaces. It sounds like a chicken-and-egg problem. On top of this is the clear-text sending of the client certificate, as another poster mentioned.
> It's just so much better than having to remember a thousand different passwords.
Login by email should really become a thing. There's just no reason to store passwords for most sites where you can just stay logged in indefinitely. On rare occasion you need your login cookie refreshed, just send a new link to your email. The burden of remembering a thousand secure and unique passwords dissolves immediately.
I keep all my passwords in a text file. I can't imagine remembering them all. I suppose I should keep that file encrypted and synced to multiple devices with rsync or so. Would a password manager give me any advantage over this scheme?
A password manager will have an integrated password generator where you can configure the spec (include special chars, brackets, custom characters, etc. or not). And you can keep password spec "favorites". So you can quickly generate a 20-char password with special chars and accents, or an 8-char, letters-and-numbers-only one for those websites that require that.
It will allow you to organize the passwords in a hierarchical way with folders (banks, administration, forums, whatever), and set icons.
It will also keep the date of the last time you modified it. Sometimes this can be useful to know if you are impacted by a breach revealed after the fact. You can also make passwords expire if you like.
You can also add extra data in a way that doesn't clutter the main view. This can be interesting when credentials are more than login/password. For example you could add a PIN there. For my car radio there is a code to enter to make it work after the battery dies, I added the entire procedure to the extra data as I always forget it and it's not intuitive.
I just checked, I have 957 passwords in my KeePass.
Yes, a password manager is just an encrypted database for your passwords. 1Password synchronizes all of your passwords across devices and makes sure everything is secure. You only need to remember a single "master password", which is never sent outside of your local device. In the event that you lose or forget your master password, the password vault is completely unrecoverable.
1Password can also store other information besides passwords such as credit cards, software license numbers, passport numbers, etc. There is also a secure notes feature for storing arbitrary text.
The other password manager that I tried before 1Password is LastPass. I ended up choosing 1Password since I think it's better designed and overall feels slicker. The /r/lastpass subreddit is littered with complaints about broken updates and bugs...
Sync, browser integration, password generation, audits on password age and duplicates, validation against pwned passwords, shared vaults — nothing that you can't do yourself on top of a text file, if you've got the time and energy for that. TOTP, ACL, secure notes and files — these can't easily be done with a text file, but don't need to be part of a single password management system just because the commercial vendors have added these.
Yes. Among the many features a manager app like 1Password would provide is a way for easily pasting in a password to a login field with a simple keystroke.
You don't need to trust others. For example, build the password using some simple algorithm that uses the TLD name. This way you only need to remember the algorithm.
I used to use this system but moved away from it. The reason is twofold. First, if it's a simple enough algorithm there will be enough 'hash collisions' that if someone gets their hands on one of your passwords and your email address, there's a non-negligible possibility that they will be able to find another domain that has the same password.
Second, sometimes sites mandate that you change your password. Or have rules that are incompatible with that algorithm. And then you need to start remembering exceptions to your algorithm, at which point you're back where you started.
There's also https://lesspass.com/ which is stronger than what the parent mentioned and I used a system like that for several years.
I gave up on it for the same reason. Having to remember exceptions, plus when you change your password, you have to change it everywhere, which is annoying because you can't remember every active account.
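As an added illustration of the "hash collision" argument made above (this is my own example, not code from any poster or from LessPass), the function below derives passwords two ways over a constructed list of sites: a naive word-plus-TLD scheme, and a PBKDF2 derivation over the full domain, login and a counter (a simplified sketch of the LessPass idea, not its actual algorithm). The collision check shows every site sharing a TLD ends up with the same naive password, while the KDF variant yields distinct ones and the counter gives a way to handle forced rotations.

```python
import hashlib
import string
from collections import defaultdict

# Constructed sample: a handful of sites one person might hold accounts on.
SITES = ["news.ycombinator.com", "reddit.com", "example-bank.com",
         "shop.example.com", "mail.example.org", "forum.example.org"]

# 64 symbols so that byte % 64 is unbiased (256 is a multiple of 64).
ALPHABET = string.ascii_letters + string.digits + "-_"


def naive_tld_password(secret_word: str, domain: str) -> str:
    """The scheme described in the thread: a memorised word combined with the TLD.
    Every site under the same TLD produces the identical password."""
    tld = domain.rsplit(".", 1)[-1]
    return f"{secret_word}{tld.capitalize()}1!"


def kdf_password(master: str, domain: str, login: str,
                 counter: int = 1, length: int = 16) -> str:
    """Derive a site password with PBKDF2-HMAC-SHA256 over (master, domain,
    login, counter). Simplified sketch of a LessPass-style derivation (assumed,
    not the real algorithm). Bumping `counter` yields a fresh password for a
    site that forces rotation, without changing the master secret."""
    salt = f"{domain}\x00{login}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw[:length])


def collisions(derive, sites):
    """Return groups of sites that receive an identical password under `derive`."""
    by_pw = defaultdict(list)
    for site in sites:
        by_pw[derive(site)].append(site)
    return [group for group in by_pw.values() if len(group) > 1]


if __name__ == "__main__":
    # Naive scheme: one leaked password unlocks every site in its TLD group.
    for group in collisions(lambda d: naive_tld_password("horse", d), SITES):
        print("naive scheme collides across:", group)
    # KDF scheme: no two sites share a password, and rotation is a counter bump.
    print("kdf collisions:", collisions(lambda d: kdf_password("horse", d, "alice"), SITES))
    print(kdf_password("horse", "reddit.com", "alice", counter=1),
          kdf_password("horse", "reddit.com", "alice", counter=2))
```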
Do you only use Apple devices? Despite spending most of my time on a laptop with macOS, I also have a gaming PC with Windows, a home server with Debian, a mobile device with Android, and a tablet with iOS. It's nice to have a bit of flexibility available.
If you use an alternative browser such as Firefox you lose access to the built-in integration.
I think their SaaS offering has vault sharing for friends and family, which isn't available through iCloud Keychain.
They provide additional security audit features, such as vulnerability tracking. Quite relevant: I just opened the app and Watchtower had a vulnerability alert notifying me to update my password on Twitter.
It supports One-Time Password, which can occasionally be convenient.
Other kinds of item are supported as well, such as credit cards, bank accounts, software licenses, identities, and secure notes. No more having to grab for my wallet when I need to input my credit card or driver's license info. No more having to search for a checkbook to find my bank account number.
Not particularly, if you don't need the 1Password features and use Safari on macOS. The password generation is integrated into the browser UI which is arguably better for non-nerd and lazy-nerd users.
I use 1Password to store everything. Security answers so I can use completely bogus ones, social security numbers for family members, software license keys, membership info, etc.
iCloud Keychain is definitely well-integrated, but I've run into a few edge cases where it doesn't behave the way I need it to. In these cases, 1Password is better since it actually lets me dig in and edit some of the low-level details in a quality UI (versus digging a couple levels deep in system settings/Safari preferences to find/edit the password in question).
I'm skeptical whether it is really worth it to trust yet another party that can potentially be bribed by intelligence agencies and what not; or even hacked. No. I sit down once a year and think of CorrectHorseBatteryStaple-like passwords [1] for each important service, where each password is a relatively complex function (involving deletions, insertions, swaps, associations, numbers and special characters) of details of my life, the current year, the service in question and the username. That way I have a unique password for each service and I can easily reconstruct it based on that sort of easily recallable information.
How long have you done this, for how many sites, do you rotate passwords (when sites are breached, and/or on a schedule), and have you had to access sites in a mentally compromised state (distracted, sleep-deprived, post-concussion)?
Every once in a while I hear someone explain their system for this (and I used to use a simpler scheme), and I can think of arguments about why it won't work for long, but I'd be happy to update my internal monolog from actual evidence.
I've got about 1K passwords in 1Password. I generally rotate them when they're 1-3 years old, depending on the threat model, cost of compromise, and on what I'm using password review to procrastinate.
My question with these schemes is how do they deal with sites which have weird password requirements which don’t match the scheme.
Typically they don't remind you when you are logging in that "we made you use 8-character passwords but you can't use some special characters" or whatever. So you have to have some way of remembering what crazy password rules they had 3 years ago when you registered...