[AnandB]

Have been using Lastpass for years. Can't live without it now. Was a premium user few years back but then they made all needed features free.

[Anjadekar]

I have been using 1Password for years and recommend it highly. Contrary to a post on this thread, 1Password has never had a data breach and is thought of as the gold standard in password managers, earning accolades and recommendations from a host of reputable and reviewers (1, 2 and 3.) 1Password’s security, sophistication and polish are, quite simply, unparalleled and you can use it to do a lot more than just store passwords.

While there are many free and cheaper alternatives, a password manager is one of those services that I would actually prefer to pay for. There is no such thing as a free lunch and if you don’t pay for such a sensitive service upfront you are likely paying by letting the company mine your data or worse, which I would absolutely not want to happen with my passwords and other private information.

I held out on 1Password’s subscription offerings (sticking to their standalone versions) as I am averse to the subscription model in general but, having tried 1Password Families, I am really glad to have made the move. I strongly suggest you give 1Password a go and check it out for yourself!

A tip if you do end up using 1Password: Keep a physical printout of your most sensitive passwords and backup codes in a safe place just in case you were to lose access to your electronic devices.

[IndigoXLGrandDi]

Quote:

Originally Posted by Red Liner

....when NASA apparently spent millions to develop a pen to work in space and the Russians just used a pencil.

Sorry for going
But Please go through the below screenshot and the link following it as well-



Why do astronauts use space pens instead of pencils

EDIT:-
Remember the 3 Idiots Film? Boman Irani has Zero Gravity Pen which he gives to Aamir Khan explaining the reason as above after he does the successful Delivery of Mona Singh.

[KrisTvpm]

I've got nearly 120 different userid/password combinations for my various online presences : emails/financial/study/misc etc. and the recovery codes of some of these.

What I do to maintain/protect these is slightly unconventional: always maintain different+random passphrases for each of these (well, nothing unconventional so far!) plus take photos of credit/debit/other cards (back & front) and maintain all these in a tabular structure in a double-password protected word document (one for opening and one for editing) - only on my PC & personal backup media.

Then I export this file as a pdf, protected by a 35char passphrase with alpha/num/spl-char etc., and upload to cloud/drive (after removing the extension & giving it some inconsequential name). So wherever I am, I have access to my credentials, even if I forget some when in need. Although would memorise the important ones, I need to memorise only this master password.

An added advantage : In case of theft/loss of card, I've ready proof of owning these and bank contact details.

Not sure if this is the best/safe way to handle and maybe I'm complicating it more than needed, but I found doing this easier & better than using password managers (used Lastpass, but discontinued later).

[Guite]

In our family we share one iPad for browsing the internet. I have been saving website login credentials on Safari. Until last week I was not aware that all these could be easily viewed in Settings.

As I was setting up fingerprint access, Touch ID in Apple lingo, on our new iPad this week for all our family members, I stumbled upon the password storage aka Keychain. I also realised anyone for whom Touch ID is set can view all the passwords in all its glory.

So started a mad hunt on how to limit access to this area of the settings. Few discoveries:
- anyone with passcode can setup fingerprint access. All is us know the passcode because each of us need to be able to use this iPad.
- any fingerprint which has been setup can access passwords. There is no admin thingy.
- iPad does not allow multiple user accounts with different levels of access rights.
- password storage aka Keychain access cannot be restricted with another layer of passcode or fingerprint.

So started the search for a password manager, and empty out keychain. So far I have installed Bitwarden, Dashlane and Keeper. I am evaluating them, but have more or less thrown out Dashlane. Bitwarden and Keeper remains.

I was getting comfortable with Bitwarden until I found out that account management, like changing master password, has to be done online, on their website. Moreover user password database are stored on their server, albeit encrypted. This made me a bit uneasy. My thought was, and is, can I really trust someone's server. Suppose it get compromised, etc, etc.

So I again looked for a password manager which will store my data on my device. That's how I started using Keeper. But then realised I can access my data online. So my original concern still remains. At the same time, online copy ensures backup availability. So that's a plus.

I am still trying out both. In the end I will settle for one and use it as a repository for all my passwords.

[neelkumar]

Quote:

Originally Posted by Guite

I was getting comfortable with Bitwarden until I found out that account management, like changing master password, has to be done online, on their website. Moreover user password database are stored on their server, albeit encrypted. This made me a bit uneasy. My thought was, and is, can I really trust someone's server. Suppose it get compromised, etc, etc.

Your password database is encrypted strongly and then stored on their server. Even if their servers are hacked (which can happen, but unlikely) and your database copied, the hackers cannot open it without your master password. So, your passwords DB is only as strong as your master password.

More over Bitwarden's code is open sourced and security audits are also done to ensure that security.

I've been using LastPass free for quite sometime, but with their recent change in the free account's T&C, I have switched to Bitwarden after much research.

[Samfromindia]

After the recent LastPass free tier fiasco, I like many others moved to BitWarden. UI & functionality is almost similar and transferring credentials from LastPass to BitWarden via csv export - import was a breeze. I deleted my LastPass account altogether. The premium tier plan should be subsidized for India, like many providers have done. BitWarden premium tier is cheaper also. I seem to like their android mobile app more while LastPass Chrome extension seemed to be more polished & user friendly.

[R2D2]

Again! This one was yesterday or this morning IST. The last one was in Aug '22. What the heck!

https://blog.lastpass.com/2022/11/no...rity-incident/

[R2D2]

Think it's time to move on from LP:

Parsing LastPass’ data breach notice What LastPass said — and hasn't said — about its second data breach this year

[casnov]

I am a firm believer of having total control of our credentials. I use Keepass. If you are using iPhone then you will need to use StrongBox.

Keepass doesn't natively support syncing the pwd DB with online cloud services.

If you are on Apple ecosystem then you can store your DB on iCloud

Or else you can use other encrypted cloud services like pcloud or Skiff.com.

[AnandB]

Quote:

Originally Posted by AnandB

Have been using Lastpass for years. Can't live without it now. Was a premium user few years back but then they made all needed features free.

Quote:

Originally Posted by R2D2

Again! This one was yesterday or this morning IST. The last one was in Aug '22. What the heck!

https://blog.lastpass.com/2022/11/no...rity-incident/

I switched over to Bitwarden last year and its actually very good. Perfectly happy with it and don't need to pay.

[R2D2]

I deleted all the data from my and my wife's LP account but not the account itself. Have actively moved to Bitwarden and 1Password. They don't have a "hack me" target painted on their backs like LP does

I use Keepass to be precise KeepassXC to archive my data. Encrypted backups on Pcloud, OneDrive Google and Dropbox. With more than 1000 entries in LP I'd be in big trouble if I were to lose the data.

[mxx]

Anyone who uses password managers should NOT use browser in-built password managers. They are relatively safe but not safe enough. Most browsers to not have master password based encryption, making them prone to malware attacks. It is always recommended to use dedicated password managers like LastPass, 1Password, Dashlane etc. Not only are these more secure, these companies regularly run security audits, penetration tests etc to keep the data secure.
Many of these password managers have browser plugins/extensions, so it is almost as convenient as browser password managers.

[S_U_N]

Quote:

Originally Posted by mxx

Anyone who uses password managers should NOT use browser in-built password managers. They are relatively safe but not safe enough. Most browsers to not have master password based encryption, making them prone to malware attacks. It is always recommended to use dedicated password managers like LastPass, 1Password, Dashlane etc. Not only are these more secure, these companies regularly run security audits, penetration tests etc to keep the data secure.
Many of these password managers have browser plugins/extensions, so it is almost as convenient as browser password managers.

If you are using LastPass, please change your passwords and expect some phishing emails too.

[R2D2]

Ok guys/gals,

Further to the mass message from the Mods/GTO, here are my thoughts on the Lastpass hack situation after reading about it in detail on various fora:

a) I spent over 3 weeks resetting passwords to all several hundred sites among other things. Use a strong password preferably generated by a password manager using all available characters on the keyboard ie. alphabets numbers, upper and lower case and special characters.

b) Reset your 2FA tokens if you ever used Lastpass Authenticator. DO NOT store 2FA tokens in your PM.

c) In case you have 2FA active for any website also reset recovery codes.

d) I have gone a step further and changed user IDs and email addresses registered in my bank accounts etc.

e) There will be phishing/social engineering attempts. Be careful. The amount of spam I receive has gone up many fold since the Lastpass hack. Be very careful.

f) Do not store personal information in PMs. Prefer to use a local copy encrypted and uploaded to the cloud + 1 copy on a USB stick

Lastpass has been covering up the seriousness of this issue to prevent law suits. A total CYA, but a class action has already been filed.

My recommendations are:
a) Bitwarden - cheapest at just $10/year
b) 1Password
c) Sticky Password (cloud + local sync)
d) Enpass (desi product, local sync only)
e) Keepass/KeepassXC - recommended for the geeks Not user friendly. Offers only sync via a cloud and that too with difficulty.

Lots of reviews to help you out. But seriously start using a PM + 2FA and if possible go password less.