Author Topic: Does anyone use the software "1password" to protect financial/shopping accounts?  (Read 5555 times)

Unionville

  • Pencil Stache
  • ****
  • Posts: 565
I keep hearing about 1password as being a good software to protect all your online accounts.  I'm hesitant to drop the $50 to buy it. 

Does anyone else use it?  Do you think it is really worth it?

My understanding is you use one password to generate multiple complicated passwords for individual online accounts.  But what if someone steals your laptop?  Will they be able to get into the 1password software and access all your accounts?

Rickk

  • 5 O'Clock Shadow
  • *
  • Posts: 81
I personally use LastPass with the Google two factor authenticator on my smart phone to make it harder to hack. 
They have a free version and it is highly rated.

Thegoblinchief

  • Guest
The last thing I'm worried about is someone having physical access to my computer, and even if they do, there's no way for anyone to do anything bad. Like, oooh, a criminal paid my mortgage for me! Woohoo!

Every financial-related site has a unique password that I write down on a set of index cards.

Data breaches are almost always stolen government laptops or server-side dumps of hash tables. If you have different credentials for each site, it doesn't matter how you store them.

Unionville

  • Pencil Stache
  • ****
  • Posts: 565
I personally use LastPass with the Google two factor authenticator on my smart phone to make it harder to hack. 
They have a free version and it is highly rated.

I just looked that up and it seems to be almost the same as the security password feature already offered on Firefox.  Am I wrong?

Dr. Doom

  • Bristles
  • ***
  • Posts: 466
  • Age: 46
  • Location: East Coaster
I use keepass which is free.

It's not as nice as 1password in the sense that you'll still have to look up each password before you enter it into your browser to log in.  1password integrates with your browser and eliminates this step.

Keepass's main datastore is protected and every time you look up a password you'll have to enter your vault password before viewing your list of website accounts and credentials.  This solves the whole "what if my laptop is stolen?" problem.

Unionville

  • Pencil Stache
  • ****
  • Posts: 565
I use keepass which is free.

It's not as nice as 1password in the sense that you'll still have to look up each password before you enter it into your browser to log in.  1password integrates with your browser and eliminates this step.

Keepass's main datastore is protected and every time you look up a password you'll have to enter your vault password before viewing your list of website accounts and credentials.  This solves the whole "what if my laptop is stolen?" problem.

This seems to be the same as the integrated Firefox security system.

Spork

  • Walrus Stache
  • *******
  • Posts: 5742
    • Spork In The Eye

my free/semi paranoid method:
* different userid/password per site
* I use a different browser instance for financial sites
* home directory is encrypted with ecryptfs... and inside that encrypted filesystem is a second encrypted filesystem encrypted with encfs. 
* when I need a password, I have a single perl script that searches for it.  It mounts the second encrypted filesystem, prompts for password and spits the password -- that can be copied/pasted into the login
* perl script unmounts after a configurable timeout... so several calls in a row do not require a passphrase, but a few minutes later, it is unmounted
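
The workflow Spork describes above (mount on demand, look up one entry, unmount after a timeout), as an added shell example; it is not Spork's Perl script. The paths, the tab-separated file layout and the function names are assumptions, and the timeout relies on encfs's own `--idle` option.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed layout: an encfs ciphertext
# directory holding one tab-separated file: site<TAB>user<TAB>password
VAULT_CIPHER="${VAULT_CIPHER:-$HOME/.vault.enc}"  # encfs ciphertext dir (assumed path)
VAULT_MOUNT="${VAULT_MOUNT:-$HOME/vault}"         # cleartext mount point (assumed path)
VAULT_FILE="${VAULT_FILE:-passwords.tsv}"         # hypothetical file name
IDLE_MINUTES="${IDLE_MINUTES:-5}"                 # the "configurable timeout"

# Mount only when needed. encfs prompts for the passphrase itself, and
# --idle unmounts the filesystem after IDLE_MINUTES without access, so
# several lookups in a row need only one passphrase entry.
ensure_mounted() {
    mountpoint -q "$VAULT_MOUNT" && return 0
    mkdir -p "$VAULT_MOUNT"
    encfs --idle="$IDLE_MINUTES" "$VAULT_CIPHER" "$VAULT_MOUNT"
}

# Print "user<TAB>password" for an exact match on the site column.
# Exact string comparison (not a regex or substring search) keeps a query
# for "bank" from also returning "bank.example" or unrelated entries.
# Exit status is non-zero when nothing matched.
lookup() {
    awk -F '\t' -v site="$1" '
        $1 == site { print $2 "\t" $3; found = 1 }
        END { exit !found }' "$2"
}

# Usage: pwlookup.sh SITE
if [ $# -eq 1 ]; then
    umask 077                      # anything created here stays private
    ensure_mounted || exit 1
    lookup "$1" "$VAULT_MOUNT/$VAULT_FILE" || {
        echo "no entry for $1" >&2
        exit 2
    }
fi
```

The cleartext is only readable while the mount is up, so the idle value is the window a thief with a running, unlocked session would have.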

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Spork - that is some serious  work :)

I use KeePass.  I do not believe the cloud is the right place to be keeping passwords, but that is a personal opinion.    As a security professional, I believe that sites should be treated like cars on the road.  There is no real difference in risk (yes, I know banking sites vs forum sites do have different regulations, but when you look at it from a user perspective, they don't).  All sites should require two factor authentication of some form or another.

Passwords suck for authentication.

DougStache

  • 5 O'Clock Shadow
  • *
  • Posts: 97
I use keepass which is free.

It's not as nice as 1password in the sense that you'll still have to look up each password before you enter it into your browser to log in.  1password integrates with your browser and eliminates this step.

Keepass's main datastore is protected and every time you look up a password you'll have to enter your vault password before viewing your list of website accounts and credentials.  This solves the whole "what if my laptop is stolen?" problem.
I use KeePass as well.  I trust it because the passwords are stored locally, and the software is open source and has many eyes on it.

This can also be set up with a Chrome extension to work very well.  Mine is set up to require a password periodically, but if I've entered master password recently it will enter my login credentials for me, if not then pressing Ctrl+Alt+A prompts for that password and then it will enter them.

Spork

  • Walrus Stache
  • *******
  • Posts: 5742
    • Spork In The Eye
Spork - that is some serious  work :)


Not really... everything is built into linux.  I have been around a while... and between personal and work I long ago was over 1000 passwords I had to remember.  At some point it was the only way to handle it.

I might also add: I use a different email address for every site as well... but that's not so much for security as for an easy way to disassociate when/if someone starts doing icky things with my email address.

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021
Spork - that is some serious  work :)


Not really... everything is built into linux.  I have been around a while... and between personal and work I long ago was over 1000 passwords I had to remember.  At some point it was the only way to handle it.

I might also add: I use a different email address for every site as well... but that's not so much for security as for an easy way to disassociate when/if someone starts doing icky things with my email address.

The different e-mail addresses is an idea I have long since liked.  Especially if you use password management systems then you don't even need to remember which one goes with which address (or you can of course use the naming scheme of your choice so it is easy to remember).


Spork

  • Walrus Stache
  • *******
  • Posts: 5742
    • Spork In The Eye

The different e-mail addresses is an idea I have long since liked.  Especially if you use password management systems then you don't even need to remember which one goes with which address (or you can of course use the naming scheme of your choice so it is easy to remember).

I  use sneakemail (www.sneakemail.com) -- and have for 10+ years.  They generate very random email addresses, tag them, and forward them to you.  It is simple to see where an email leaked when it happens.  It's replyable (goes back to sneakemail and gets rewritten to take your real address out.)

It handles multiple forward-to addresses (I share the account with my wife).

For more trusted sources (billing, banks, etc) I actually set up a dedicated email address on my own domain...  but sneakemail: recommended.

For the 'single time use and who cares' -- I use mailinator.  You can use any address without pre-defining it.  oinkywoofwoof@mailinator.com, for example.  If someone mails it, you (AND ANYONE ELSE!) can read that mail without a password.   For all those useless things that you need an email for to get one tidbit of info... this is awesome.

Undecided

  • Handlebar Stache
  • *****
  • Posts: 1237
I use it and like it, especially that it works well across multiple computers and handheld devices.

Insanity

  • Handlebar Stache
  • *****
  • Posts: 1021

The different e-mail addresses is an idea I have long since liked.  Especially if you use password management systems then you don't even need to remember which one goes with which address (or you can of course use the naming scheme of your choice so it is easy to remember).

I  use sneakemail (www.sneakemail.com) -- and have for 10+ years.  They generate very random email addresses, tag them, and forward them to you.  It is simple to see where an email leaked when it happens.  It's replyable (goes back to sneakemail and gets rewritten to take your real address out.)

It handles multiple forward-to addresses (I share the account with my wife).

For more trusted sources (billing, banks, etc) I actually set up a dedicated email address on my own domain...  but sneakemail: recommended.

For the 'single time use and who cares' -- I use mailinator.  You can use any address without pre-defining it.  oinkywoofwoof@mailinator.com, for example.  If someone mails it, you (AND ANYONE ELSE!) can read that mail without a password.   For all those useless things that you need an email for to get one tidbit of info... this is awesome.

Thanks for the tips!

CompoundingRocks

  • 5 O'Clock Shadow
  • *
  • Posts: 8
keepass if you want to store it locally on your computer, USB

Lastpass for convenience everywhere - free as an extension on Chrome or Firefox

I used to use keepass but lastpass was way too convenient!
regardless you need a masterkey and if that's breached, doesn't matter what option you use if person has access

good thing about lastpass is that you can store bank details
if your lastpass happens to be open and someone wanted that - they still would need to enter masterkey to gain access

hope that helps!

dragoncar

  • Walrus Stache
  • *******
  • Posts: 9930
  • Registered member
Gmail also supports multiple addresses (google for details).  Requires the system to support plus signs in addresses though, which some poorly coded sites do not.

 
