The Money Mustache Community
Learning, Sharing, and Teaching => Ask a Mustachian => Topic started by: naturelover on May 14, 2014, 12:35:58 PM
-
I have been trying to keep track of all my passwords individually for a long time now, and it has just become insane with all of the accounts and sign-ons we all have these days.
If you use a password manager, which one did you choose and why?
Do they tend to run locally on a person's pc, or do they tend to be web-based?
I also have security fears about them (which may be unfounded), and it kind of gives me the willies to know that they are all in one place together, especially the financial accounts. Any comments/info that can ease those concerns?
Thanks much!
-
One option is to truly memorize them all, with some memory trick. Say your base password is the first letter of each word in the phrase "Twinkle Twinkle Little Star, How I Wonder What You Are" with some strange capitalization. Then add a standard 2-digit number, and append the first 3 letters of the site's URL. For example, your yahoo account password would be
TtlsHiwwya98yah
-
I use the one built into Firefox itself, it syncs across all my Firefox instances, and lock it with a master password just to be safe (you're prompted for the master password when restarting Firefox).
I trust Mozilla a lot more than I trust LastPass or OnePass or whoever is the leader these days.
-
I use KeePass; it is free and very secure. You can run it from a memory stick so they aren't even on your computer let alone the web.
-
I started using Keepass after the Heartbleed incident. I'm really liking it and it's open source which means that the price is right!
-
+1 keepass
This is also discussed here:
http://forum.mrmoneymustache.com/ask-a-mustachian/does-anyone-use-the-software-'1password'-to-protect-financialshopping-accounts
-
Lastpass
Free to use - Web based, good browser support, smartphone apps if you pay, supports 2 factor authentication (Google authenticator, cell phone, printed cards).
I have been very happy with it - just make sure you use a GOOD password on it, and set up 2 factor authentication.
-
We had a very onerous (and fairly typical) password requirement at my old place of work.
Passwords had to be changed every month!!!
Password must contain uppercase AND lowercase letters!
Password must contain a number!!!
Password must contain at least one special character, $ % & @ #
I was wondering how the heck I could do this, every month and remember the freaking password???!?!?!?
IT support guy came by in June and reset my password for me, leaving me this note:
"Your new password is, June@2007 " After that I changed it myself, every month.
-
I use Keepass for all of my financial passwords (and use auto generated ones) and keep all others in an Excel document. I'm not as concerned if someone hacks my MMM account.
-
> Lastpass
> Free to use - Web based, good browser support, smartphone apps if you pay, supports 2 factor authentication (Google authenticator, cell phone, printed cards).
> I have been very happy with it - just make sure you use a GOOD password on it, and set up 2 factor authentication.
I use Lastpass w/ two factor and I've turned on two factor for Google and Evernote as well. Pretty groovy.
-
KeePass (or KeePass2), with the program and the password database stored in something like Google Drive or Dropbox. (The password database is encrypted, so you don't have to trust Google etc. to use it.)
-
> We had a very onerous (and fairly typical) password requirement at my old place of work.
> Passwords had to be changed every month!!!
> Password must contain uppercase AND lowercase letters!
> Password must contain a number!!!
> Password must contain at least one special character, $ % & @ #
> I was wondering how the heck I could do this, every month and remember the freaking password???!?!?!?
> IT support guy came by in June and reset my password for me, leaving me this note:
> "Your new password is, June@2007 " After that I changed it myself, every month.
Ha! I have this comic posted on my cubicle wall: http://xkcd.com/936/
I work in defense contracting, and as you could imagine our passwords are pretty rough.
- Reset every 60 days
- Must have at least 2 uppercase, 2 lowercase, 2 numbers, 2 symbols
- Must be at least 14 characters long, with no English dictionary words, and no sequential repeating letters ('aa', 'GG', etc)
- Must not be any of your last 12 passwords (2 years worth!)
It's friggin 2014... why can't they just scan my eyeball?
-
> Ha! I have this comic posted on my cubicle wall: http://xkcd.com/936/
> It's friggin 2014... why can't they just scan my eyeball?
Except that comic is totally wrong. Before password crackers use brute force (guessing every possible combination) they use "dictionaries" that try words and combinations of words.
If you find the idea of password cracking even remotely interesting, check out this Wired article:
http://www.wired.com/2012/11/ff-mat-honan-password-hacker/all/
-
> Lastpass
> Free to use - Web based, good browser support, smartphone apps if you pay, supports 2 factor authentication (Google authenticator, cell phone, printed cards).
> I have been very happy with it - just make sure you use a GOOD password on it, and set up 2 factor authentication.
I've started using LastPass as well and really like it.
-
> KeePass (or KeePass2), with the program and the password database stored in something like Google Drive or Dropbox. (The password database is encrypted, so you don't have to trust Google etc. to use it.)
KeePass2 with Dropbox is my solution too. I use it with Windows 7, iOS on iPhone, Android, Ubuntu, and MacOS X. No complaints from me and my non-technical wife uses it too.
-
We use Passwords Plus. Encrypted database across all devices when unlocked with master password, so I have it on phone, tablet, and computer.
I tried a couple others:
1Password - it was fine, but pricey.
Dashlane - Freaking terrible. The random passwords generated were far from random and didn't take advantage of longer lengths and special characters eligible in the password fields for many sites.
-
Lastpass.
-
I use this on my iPhone: https://keepersecurity.com/
-
> > Ha! I have this comic posted on my cubicle wall: http://xkcd.com/936/
> > It's friggin 2014... why can't they just scan my eyeball?
> Except that comic is totally wrong. Before password crackers use brute force (guessing every possible combination) they use "dictionaries" that try words and combinations of words.
> If you find the idea of password cracking even remotely interesting, check out this Wired article:
> http://www.wired.com/2012/11/ff-mat-honan-password-hacker/all/
The comic is spot on, but they should have mentioned diceware (http://world.std.com/~reinhold/diceware.html). The entropy isn't due to the number of letters (brute force), it's due to the length of the wordlist. With diceware you use a list of 7776 words and 5 dice to randomly choose them (each roll of 5 dice gives you one word). Even if the person trying to guess your password knows you used diceware this still works, and you should always assume the bad guy understands your methodology in choosing your passwords, because we are rarely as clever and unique as we think, and they are better than you'd expect. If your password wouldn't stand up if your method in choosing was known, it's a bad password. With 4 diceware words like in the comic, that is 7776^4 possibilities to guess. At 1000 guesses/sec (which is too low by about a million), that's 115k years.
7776^4/1000/60/60/24/365 = 115936.02
4 words are no longer good enough, you'd want 5 minimum, 6 ideally, but the idea in the comic is still very valid.
To the original question: Lastpass, KeePass or 1password are all good options. I use 1Password but only because I'm on a Mac. Whatever you use, make sure your master password is good.
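
Added example, not part of any post in this thread: the diceware procedure and arithmetic from the reply above, as a short Python script. The word list here is a constructed stand-in (`word0000` to `word7775`); a real 7776-entry diceware list would be loaded in its place, and the 10^9 guesses/sec figure is the post's "too low by about a million" applied to its 1000/sec.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD            # 7776 entries, as in the post
SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Constructed stand-in list; replace with a real 7776-word diceware list.
STAND_IN_WORDS = [f"word{i:04d}" for i in range(LIST_SIZE)]

def roll_key(rng=secrets.SystemRandom()):
    """Roll five fair dice using the OS CSPRNG, e.g. '41635'."""
    return "".join(str(rng.randint(1, 6)) for _ in range(DICE_PER_WORD))

def key_to_index(key):
    """Map a five-dice key to a 0-based list index (base-6 digits)."""
    if len(key) != DICE_PER_WORD or any(d not in "123456" for d in key):
        raise ValueError(f"not a {DICE_PER_WORD}-dice roll: {key!r}")
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index

def passphrase(wordlist, n_words):
    """Pick n_words independently and uniformly; one dice roll per word."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have exactly 7776 entries")
    return " ".join(wordlist[key_to_index(roll_key())] for _ in range(n_words))

def entropy_bits(n_words):
    """Entropy when the attacker knows both the method and the list."""
    return n_words * math.log2(LIST_SIZE)

def years_to_exhaust(n_words, guesses_per_sec):
    """Years to try every combination (the average hit takes half that)."""
    return LIST_SIZE ** n_words / guesses_per_sec / SECONDS_PER_YEAR

if __name__ == "__main__":
    print("sample:", passphrase(STAND_IN_WORDS, 6))
    print("words  bits   years @ 1e3/s   years @ 1e9/s")
    for n in (4, 5, 6):
        print(f"{n:5d}  {entropy_bits(n):5.1f}  "
              f"{years_to_exhaust(n, 1e3):14.3g}  "
              f"{years_to_exhaust(n, 1e9):14.3g}")
```

At the higher guess rate, four words fall in well under a year, which is the reason the post asks for five or six.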
-
I am a long time user of Sticky Password, so I can recommend this one. These guys have never disappointed me - product works perfectly, now on my iPhone as well. Their support is very fast and they always try to fix issues if you have any also fast. Now I cannot live without it. I generate super strong passwords and also have them unique for each site which makes me protected against any leaks or hacks of sites like Google etc. If someone will get one of my passwords somewhere, he will never guess the other one I have on another account. You can try them out here: http://www.stickypassword.com