Password manager

Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Password manager

Post by k b »

Starting a separate chain to post these Qs hoping for specific guidance. I previously posted them in the Mac Air thread and found a lot of good info there, but would still like clarity on the following. Honestly, I think most of the usual choices would work. But it is very likely that I will be tied into whichever one I choose for a long time. So, being choosy here.
  • Lastpass seems to be most commonly used. I see that they offer a free version, which does the job for me. Any reason why a "regular" household would need Premium?
  • How do I compare ACROSS offerings like Lastpass, Bitwarden, 1Password, etc.?
  • What is the business model for free providers beyond enticing me to upgrade? That is, am I leaving any of my data with them?
FYI, we're a "hybrid" household :D - Windows / Mac laptops + iphones + ipad (please don't ask WHY we need so many devices :) :) ) So, I am looking for a browser add-on that I could add to any browser / machine. Then, I could just login to Lastpass or Bitwarden first and then head to whichever site I want to visit.

Thanks for all responses.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Password manager

Post by squirm »

I have used LastPass for years and am happy with it. I see no reason to switch, plus it would be a pain.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password manager

Post by Gadget »

My recommendation is Bitwarden if you want to use a free one and don't need to share passwords with anyone.

I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
Laundry_Service
Posts: 397
Joined: Wed Sep 15, 2010 11:52 am

Re: Password manager

Post by Laundry_Service »

I recently started using Bitwarden and so far I give it excellent marks.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Password manager

Post by Marseille07 »

I just use KeePass as I don't have much need to store my passwords online then later worry about their security.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

Gadget wrote: Tue Jan 12, 2021 3:15 pm My recommendation is Bitwarden if you want to use a free one and don't need to share passwords with anyone.

I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
Could you explain what "don't need to share passwords with anyone" means?

I am thinking of a single account that I could (or one of the family members could) login from any device / any browser in the household. If another family member logs into the same single account, isn't that the same as 'sharing' ?
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Password manager

Post by Marseille07 »

k b wrote: Tue Jan 12, 2021 3:27 pm
Gadget wrote: Tue Jan 12, 2021 3:15 pm My recommendation is Bitwarden if you want to use a free one and don't need to share passwords with anyone.

I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
Could you explain what "don't need to share passwords with anyone" means?

I am thinking of a single account that I could (or one of the family members could) login from any device / any browser in the household. If another family member logs into the same single account, isn't that the same as 'sharing' ?
Violation of ToS, unless you somehow try to claim your family as an organization.

"The User," "You," and "Your" refer to the individual person, company, or organization that has visited or is using the Website or Service; that accesses or uses any part of the account; or that directs the use of the account in the performance of its functions. A User must be at least 13 years of age.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

Marseille07 wrote: Tue Jan 12, 2021 3:33 pm
k b wrote: Tue Jan 12, 2021 3:27 pm
Gadget wrote: Tue Jan 12, 2021 3:15 pm My recommendation is Bitwarden if you want to use a free one and don't need to share passwords with anyone.

I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
Could you explain what "don't need to share passwords with anyone" means?

I am thinking of a single account that I could (or one of the family members could) login from any device / any browser in the household. If another family member logs into the same single account, isn't that the same as 'sharing' ?
Violation of ToS, unless you somehow try to claim your family as an organization.

"The User," "You," and "Your" refer to the individual person, company, or organization that has visited or is using the Website or Service; that accesses or uses any part of the account; or that directs the use of the account in the performance of its functions. A User must be at least 13 years of age.
Got it. Wasn't aware (rookie, as you can see :) ). Thanks for this.

Going to be me MOST of the time. Others, only in an emergency.
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Password manager

Post by cowdogman »

I have used LastPass forever and started to pay for the premium version several years ago so that I could have access on my iPhone (included in the free version now). Premium gives you a lot of support/recovery options, including recovery options for a designated contact--wife, child, etc. Most importantly, it's inexpensive and I like to support the company.

Don't forget about the LastPass family plan.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password manager

Post by Gadget »

k b wrote: Tue Jan 12, 2021 3:37 pm
Marseille07 wrote: Tue Jan 12, 2021 3:33 pm
k b wrote: Tue Jan 12, 2021 3:27 pm
Gadget wrote: Tue Jan 12, 2021 3:15 pm My recommendation is Bitwarden if you want to use a free one and don't need to share passwords with anyone.

I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
Could you explain what "don't need to share passwords with anyone" means?

I am thinking of a single account that I could (or one of the family members could) login from any device / any browser in the household. If another family member logs into the same single account, isn't that the same as 'sharing' ?
Violation of ToS, unless you somehow try to claim your family as an organization.

"The User," "You," and "Your" refer to the individual person, company, or organization that has visited or is using the Website or Service; that accesses or uses any part of the account; or that directs the use of the account in the performance of its functions. A User must be at least 13 years of age.
Got it. Wasn't aware (rookie, as you can see :) ). Thanks for this.

Going to be me MOST of the time. Others, only in an emergency.
I didn't mean as a TOS violation.

Let's say you and your spouse both have a Facebook account. You both have gmail accounts. Every time you try to log in to one of those sites, it'll show every login for it if you share one account. It can be annoying if you mis-click on the wrong one.

If instead, you each have a 1Password account and share a vault, you can filter out passwords. So each person can have a private vault that only they see. And you could have a shared vault for shared logins. And you can set the defaults for which vaults display by default. So my spouse's passwords don't display by default, but if I need to log in to her accounts (in a shared but filtered out vault) then I can switch to that vault. Or vice versa. It's very convenient for us.

Also, the need for 2 factor authentication is debatable with how 1Password is setup with a secret key, but if you do use a password manager that requires 2 factor authentication (I'd recommend it on all others that don't have a secret key), then the spouse who doesn't control the 2nd factor will be annoyed. If you share one account and it decides you need to redo your 2nd factor to login, you will have to be right next to your spouse when they need to login to something. That isn't always the case.
BolderBoy
Posts: 6755
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Password manager

Post by BolderBoy »

k b wrote: Tue Jan 12, 2021 3:05 pm How do I compare ACROSS offerings like Lastpass, Bitwarden, 1Password, etc.?
Do you mean like this: https://en.wikipedia.org/wiki/List_of_password_managers
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
Beck49
Posts: 220
Joined: Sun Nov 24, 2013 7:15 pm

Re: Password manager

Post by Beck49 »

For decisions like this I often look to reviews on Wirecutter, the NY Times version of consumer reports with readable evaluations.

https://www.nytimes.com/wirecutter/revi ... ompetition

They have an evaluation of the pword managers described by others, as well as some additional options.

My only comment is that even the premium versions are not that expensive. This kind of protection is too important to worry about another $30 or $50 a year. Good luck.
dboeger1
Posts: 1411
Joined: Fri Jan 13, 2017 6:32 pm

Re: Password manager

Post by dboeger1 »

For your common, basic use case, the free versions of LastPass and Bitwarden are likely to be pretty much identical in function. They have similar free tiers. The biggest difference, and the reason I went with Bitwarden, is that they have free native desktop clients. I think LastPass does not have native desktop clients. However, I've since come to realize that's really not a huge deal because you can always open a browser on a desktop. I suppose there might be edge cases where Bitwarden's client could come in handy, like maybe you want to use it on a relative's computer but don't want to pollute their browser with plugins they don't use. It's a stretch, but it is a minor difference. On the other hand, LastPass is more common, and perhaps more concretely, I've heard the interface is prettier and more intuitive. Bitwarden admittedly looks and feels like something a software nerd designed for themself. You'll probably have a slightly easier time picking up LastPass; at the very least, you'll find more search results for help and things like that. None of these differences are that big of a deal though.

Beyond the free editions, I don't know much about LastPass, but paid Bitwarden basically adds the functionality of something like Authy, where you can scan QR codes and use it for 2FA. As much as I wouldn't mind paying for premium Bitwarden to add that feature, I actually still use Authy separately because I want to have that functionality regardless of whether I continue paying or not. But it is a nice option if you want that all in one app. Back to the topic of Bitwarden's somewhat ugly but functional interface, it actually looks like this feature is available in the free version, but it sort of just silently doesn't work until you actually pay, which is kind of weird.

Another huge thing with Bitwarden is that you can host your own instance of it. In other words, instead of storing your private data with the company, you can actually host it yourself somewhere. This gives you a potential future alternative in case they get compromised or you have some other reason to prefer self-hosting, such as within a protected intranet. You likely won't use this for the foreseeable future, but I think it's actually a really cool option. Using LastPass obviously doesn't prevent you from ever switching over to self-hosted Bitwarden, but if nothing else, you'd be familiar with the web site and interface.
dboeger1
Posts: 1411
Joined: Fri Jan 13, 2017 6:32 pm

Re: Password manager

Post by dboeger1 »

Gadget wrote: Tue Jan 12, 2021 6:34 pm if you do use a password manager that requires 2 factor authentication (I'd recommend it on all others that don't have a secret key), then the spouse who doesn't control the 2nd factor will be annoyed. If you share one account and it decides you need to redo your 2nd factor to login, you will have to be right next to your spouse when they need to login to something.
My spouse thanks you for bringing this up, lol. She hates trying to access my PayPal and other accounts with 2FA because it means using both Bitwarden and Authy, and she hasn't quite figured that out yet. If only she would stop using my payment accounts and create her own!

What I will say is that if you really need or want spouses to be able to access each other's accounts, then there's really no sense in using a 2FA factor that is tied to only 1 of the 2 spouses. Something like Google Authenticator only makes sense as long as it's a fair assumption that the registered device is with the person rightfully trying to access their account. For spouses, I much prefer something like Authy, which still gives you 2FA, but allows both to access it by essentially remembering another password as a 2nd factor rather than a specific device.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

dboeger1 wrote: Tue Jan 12, 2021 8:38 pm
Gadget wrote: Tue Jan 12, 2021 6:34 pm if you do use a password manager that requires 2 factor authentication (I'd recommend it on all others that don't have a secret key), then the spouse who doesn't control the 2nd factor will be annoyed. If you share one account and it decides you need to redo your 2nd factor to login, you will have to be right next to your spouse when they need to login to something.
My spouse thanks you for bringing this up, lol. She hates trying to access my PayPal and other accounts with 2FA because it means using both Bitwarden and Authy, and she hasn't quite figured that out yet. If only she would stop using my payment accounts and create her own!

What I will say is that if you really need or want spouses to be able to access each other's accounts, then there's really no sense in using a 2FA factor that is tied to only 1 of the 2 spouses. Something like Google Authenticator only makes sense as long as it's a fair assumption that the registered device is with the person rightfully trying to access their account. For spouses, I much prefer something like Authy, which still gives you 2FA, but allows both to access it by essentially remembering another password as a 2nd factor rather than a specific device.
We use 2FA, but the second level of authentication is linked to our cellphones. A code is sent to the cellphone and is valid for 30 minutes.

Sites like Fidelity, Chase and Vanguard allow TWO different cellphone numbers to be provided for this purpose. Once the first level of authentication (password) is completed, these sites ask you to choose which phone to send the code to. So, if you provide your cellphone and your spouse's, whoever logs in using the common pw can request for the code to be sent to the phone of choice.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

All - just a quick note to say THANKS for your feedback and time.

I will need to read these points again (and read up the link posted by Bolderboy) over the 3-day weekend before I revert with anything meaningful.
jhsu802701
Posts: 353
Joined: Fri Apr 03, 2020 2:42 pm

Re: Password manager

Post by jhsu802701 »

I use KeePassXC (https://keepassxc.org/). It's free, open source, and available for Linux, MacOS, and Windows. No matter which OS you use, you're covered.

If you wish, give the other password managers a try. The important thing is to use one so that you don't commit no-nos like writing down your passwords on paper, using the same password everywhere, or using passwords that are easy to crack.
DFJ: Japan - small cap dividend | DGS: emerging, small cap dividend | MOTI: international moat stocks | IQIN: large cap, developed | DGRE: emerging, dividend growth | GWX and FNDC: small cap, developed
Turbo29
Posts: 1047
Joined: Tue May 01, 2018 7:12 am

Re: Password manager

Post by Turbo29 »

jhsu802701 wrote: Thu Jan 14, 2021 4:12 pm I use KeePassXC (https://keepassxc.org/). It's free, open source, and available for Linux, MacOS, and Windows. No matter which OS you use, you're covered.

If you wish, give the other password managers a try. The important thing is to use one so that you don't commit no-nos like writing down your passwords on paper, using the same password everywhere, or using passwords that are easy to crack.
+1
It is by the goodness of God that in our country we have those three unspeakably precious things: freedom of speech, freedom of conscience, and the prudence never to practice either of them. --M. Twain
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Password manager

Post by VictorStarr »

Gadget wrote: Tue Jan 12, 2021 3:15 pm I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
+1
tm3
Posts: 779
Joined: Wed Dec 24, 2014 6:16 pm

Re: Password manager

Post by tm3 »

k b wrote: Tue Jan 12, 2021 3:05 pm
How do I compare ACROSS offerings like Lastpass, Bitwarden, 1Password, etc.?

I read a lot of online reviews and watched some YouTube reviews but it's hard to tell what is real and what is sales. But I eventually narrowed it down to Bitwarden and 1Password.

I went to the support forums for both, trying to get a feel for response time and support and for what kind of problems users were having.

I signed up for a free Bitwarden account and a 30 day free trial of 1Password. I entered a dozen or so of my logins in both and compared for a couple of weeks. I found that 1Password kept warning me that it soon would no longer work with my version of Safari (and to get the "correct" version I would have to update the whole OS), and that Bitwarden warned me of potential security issues when 1Password's "Watchtower" said all was OK. Other than that both worked pretty seamlessly but I found Bitwarden a little more intuitive and I concluded that the cost of 1Password is not justified for my use.

However, rather than over analyzing like I did you might just want to pick one. They all are pretty much electronic index card storage, and I think the key is to get a set of secure passwords established ASAP -- the "fluff" that one offers over another IMO is not much to worry about*.

*With the exception of the ability to Password Autofill on the iPhone. This is a key feature for my use and one of the big players (not 1Password or Bitwarden) does not offer it.
LazyNihilist
Posts: 1005
Joined: Sat Feb 19, 2011 8:56 pm

Re: Password manager

Post by LazyNihilist »

jhsu802701 wrote: Thu Jan 14, 2021 4:12 pm I use KeePassXC (https://keepassxc.org/). It's free, open source, and available for Linux, MacOS, and Windows. No matter which OS you use, you're covered.

If you wish, give the other password managers a try. The important thing is to use one so that you don't commit no-nos like writing down your passwords on paper, using the same password everywhere, or using passwords that are easy to crack.
I strongly recommend KeePassXC too.
The strong do what they can and the weak suffer what they must -Thucydides
discman017
Posts: 238
Joined: Mon Jan 28, 2008 12:07 pm

Re: Password manager

Post by discman017 »

I use Bitwarden and love it. But users of many other password managers are very satisfied, too. That's probably because any password manager is sooooo much better than the alternatives (same password for every site, passwords written on a piece of paper or captured in a spreadsheet, different password for every site but you can't remember them so waste time getting locked out of accounts, etc.)

A password manager is a life-changer.

Bitwarden even lets you share passwords. I'm an officer in a nonprofit and created a separate Bitwarden account for our nonprofit's passwords. Then I shared that account with my personal Bitwarden account, so I can stay logged in under my personal Bitwarden account and seamlessly access both my personal and nonprofit passwords.
Horologium
Posts: 269
Joined: Tue Oct 23, 2018 10:08 am
Location: Chicagoland

Re: Password manager

Post by Horologium »

Gadget wrote: Tue Jan 12, 2021 3:15 pm My recommendation is Bitwarden if you want to use a free one and don't need to share passwords with anyone.
A while ago there was an article re password managers on wirecutter (IIRC). In the comments, someone wondered why Bitwarden had been overlooked. I checked it out and have been a user ever since. It works flawlessly for me across a desktop, laptop, iPad, and iPhone.
Life Is Good
Posts: 75
Joined: Thu Sep 08, 2016 7:35 am
Location: Wisconsin

Re: Password manager

Post by Life Is Good »

Another vote for Bitwarden. I've been using it maybe 6-8 months. Works great across devices. Interface needs an upgrade, but the price is right.
Dan-in-Virginia
Posts: 841
Joined: Sat Apr 16, 2011 5:33 am
Location: Virginia

Re: Password manager

Post by Dan-in-Virginia »

I’ve been using LastPass since 2012 with zero issues. I have a family plan for my family, and I’ve got them using it religiously now as well. I also have them using the LastPass Authenticator which is backed up to their vault.
Tejfyy
Posts: 224
Joined: Mon Aug 26, 2019 9:18 pm

Re: Password manager

Post by Tejfyy »

I used Lastpass for some years, mostly as a premium user until last year. The renewal price had doubled I think, but more importantly I wanted to get off the cloud. So I'm using Strongbox, the free version. It's a local database. It's not as convenient as Lastpass was but I'm increasingly opting for simplicity, security and privacy over convenience.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

All,

Thanks for your inputs. I decided to go for 1Password (one person plan) after reading through a bunch of stuff, including the Wirecutter article posted here.

I have a follow-up Q :) :)

1Password provides 2FA, which links to your cellphone. My Q is whether I can link my account to TWO DIFFERENT cellphones? Once again, this is not to get family plan benefits but for an emergency - in case I am not available to log in and another family member wishes to.

Thanks.
Broken Man 1999
Posts: 8626
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, near Champa Bay !

Re: Password manager

Post by Broken Man 1999 »

I have been using LastPass for a few years, and other than losing my master password and having to rebuild my vault once it has been great.

At my urging DW has started using LastPass, but I think she is just keeping her weak passwords at LastPass, instead of generating strong ones.

Fortunately we only have one joint account and she does not have the password, so her weak password habits can't affect any accounts. :x It is our taxable brokerage account with $35 bucks or so in it.


The other day she wanted my Amazon password, and was shocked that I had to login to LastPass to get it. That pretty much tells me she is using weak passwords. Oh well, maybe one day she will take these matters seriously, hopefully not because she has one of her financial accounts hacked.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go." - Mark Twain
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password manager

Post by Gadget »

k b wrote: Mon Jan 18, 2021 3:18 pm All,

Thanks for your inputs. I decided to go for 1Password (one person plan) after reading through a bunch of stuff, including the Wirecutter article posted here.

I have a follow-up Q :) :)

1Password provides 2FA, which links to your cellphone. My Q is whether I can link my account to TWO DIFFERENT cellphones? Once again, this is not to get family plan benefits but for an emergency - in case I am not available to log in and another family member wishes to.

Thanks.
The direct answer is yes. You just need to use something like Authy or MS Authenticator that is cloud based 2FA and can be logged into from multiple devices. You can technically do this with a device based 2FA like Google Authenticator, but you would have to copy the QR code onto multiple devices at the initial setup time to accomplish that. It's much easier with Authy.

However, my counter argument is, are you sure you even need 2FA on your 1Password account? Do you understand how the secret key works? It is basically a 2nd factor just like 2FA. It's something only you should have with you. Since 1Password needs your secret key to log in to any new device, I think it is effectively just as good as setting up 2FA on your 1Password account. You just need to ensure that you protect your secret key, either by encrypting it or saving it on something that can only be accessed with 2FA, or is only printed physically somewhere. Clear as mud?
Rienzi
Posts: 14
Joined: Sat Oct 20, 2018 10:51 pm

Re: Password manager

Post by Rienzi »

Gadget wrote: Tue Jan 12, 2021 3:15 pm My recommendation is Bitwarden if you want to use a free one and don't need to share passwords with anyone.

I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
Bitwarden was great for me. But, when I had to get my reluctant family on board with a PW manager, 1Password was the ticket. Made it easy for them to transition.
ScubaHogg
Posts: 3573
Joined: Sun Nov 06, 2011 2:02 pm

Re: Password manager

Post by ScubaHogg »

VictorStarr wrote: Thu Jan 14, 2021 5:03 pm
Gadget wrote: Tue Jan 12, 2021 3:15 pm I'd recommend 1Password if you want the most spouse friendly one that is really easy to share vaults/passwords. And you don't mind paying for one.
+1
+1. Only one I’ve used so I can’t compare, but we’ve had it for 7 years and it’s very very easy. Plus it’s the only way I can get my spouse to not use the same simple password for everything.
“Conventional Treasury rates are risk free only in the sense that they guarantee nominal principal. But their real rate of return is uncertain until after the fact.” -Risk Less and Prosper
fwellimort
Posts: 890
Joined: Tue Feb 12, 2019 8:41 am

Re: Password manager

Post by fwellimort »

LazyNihilist wrote: Fri Jan 15, 2021 1:06 pm
jhsu802701 wrote: Thu Jan 14, 2021 4:12 pm I use KeePassXC (https://keepassxc.org/). It's free, open source, and available for Linux, MacOS, and Windows. No matter which OS you use, you're covered.

If you wish, give the other password managers a try. The important thing is to use one so that you don't commit no-nos like writing down your passwords on paper, using the same password everywhere, or using passwords that are easy to crack.
I strongly recommend KeePassXC too.
I too strongly +1 KeePassXC.
1. Free
2. Does not store on the 'cloud' or whatever so you know the information is private only to your own computer
3. You can store the encrypted file (.kdb) in wherever you want like Google Drive (basically the Cloud) if you really want it available anywhere.
4. Open source and the codebase is super active: https://github.com/keepassxreboot/keepassxc
5. Super easy to use and you can integrate it to a browser like Chrome through an addon like KeePassXC-Browser.
:)
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

Gadget wrote: Mon Jan 18, 2021 5:02 pm
k b wrote: Mon Jan 18, 2021 3:18 pm All,

Thanks for your inputs. I decided to go for 1Password (one person plan) after reading through a bunch of stuff, including the Wirecutter article posted here.

I have a follow-up Q :) :)

1Password provides 2FA, which links to your cellphone. My Q is whether I can link my account to TWO DIFFERENT cellphones? Once again, this is not to get family plan benefits but for an emergency - in case I am not available to log in and another family member wishes to.

Thanks.
The direct answer is yes. You just need to use something like Authy or MS Authenticator that is cloud based 2FA and can be logged into from multiple devices. You can technically do this with a device based 2FA like Google Authenticator, but you would have to copy the QR code onto multiple devices at the initial setup time to accomplish that. It's much easier with Authy.

However, my counter argument is, are you sure you even need 2FA on your 1Password account? Do you understand how the secret key works? It is basically a 2nd factor just like 2FA. It's something only you should have with you. Since 1Password needs your secret key to log in to any new device, I think it is effectively just as good as setting up 2FA on your 1Password account. You just need to ensure that you protect your secret key, either by encrypting it or saving it on something that can only be accessed with 2FA, or is only printed physically somewhere. Clear as mud?

Getting there, but it's going to take time :-) I asked about 2FA because somewhere within my profile 1Password actually revealed my PW to me! Even hotmail or yahoo mail don't do that!!

But then - the secret key is not asked for when I log in? So, how is it 2FA?
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: Password manager

Post by softwaregeek »

I've been in the security industry for a while and this is something I feel very passionate about.

All of the products mentioned are excellent, although Keepass is more complicated than I typically recommend.

However, I want to make a few important points.

1. You need a 2FA system as well as a password manager.

This is the one with the numbers that change every minute or so. You can get one free from lots of places. I recommend Authy or Microsoft Authenticator, both are free. Authy makes money selling software vendors 2FA systems and Microsoft just gives it away since they're too big to care. Many password managers offer 2FA systems. However, I do not recommend using 2FA systems from your password manager provider since I want to keep the two totally separate. I don't want problems at my Password Manager vendor spilling into my 2FA vendor.

2. You need to lock down your email with 2FA. Because email is typically the holy grail of hacking.

That's because once I can access your email, I have access to all those juicy account password reset emails from places with bad security. First I'm going to change the password to lock you out. Then I'm going to do password resets on all the accounts I find in there. Then I'm going to find all the personal info in there...oh, you have something with your paystub, taxes etc? I can open up a credit card in your name, or order stuff from Amazon sent to a third party. Next I can probably get your phone number out of your email. With all the personal data in there and access to the email account for password reset, I can reroute your phone number to a new sim. Now I can use my new phone with your phone number to bypass bank SMS validation and drain the financial accounts.

3. If you can remember your password, you are using your password manager wrong.

Lots of people use password managers to store variations on the same password. WeakPassword1, WeakPassword2, etc. I want you to consider the concept of a rainbow table. Basically, a rainbow table is a giant file with millions or billions of precracked passwords. Now, if you're dealing with Microsoft or Google or Amazon, they probably take steps to protect against this (for the technical types out there, this is "Salting the Hash") but basically the vast majority of sites don't bother. So you can pretty much assume that if you are not using one of the giant providers, your password will be cracked in about 30 seconds if it is 10 digits or less. Use the generator in your password manager to make a long complicated password and store it. Longer than 10 digits, complicated etc.
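An added example, not part of the post above: what "salting the hash" changes on the site's side. A plain dictionary of precomputed hashes stands in for a rainbow table here (a real rainbow table uses hash chains to save space, but the lookup idea is the same). The wordlist, user names, and PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed wordlist standing in for the guesses a precomputed table covers.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "WeakPassword1", "WeakPassword2", "WeakPassword3"]

PBKDF2_ROUNDS = 100_000  # illustrative work factor, an assumption of this example


def unsalted_hash(password):
    """How a site with weak storage keeps a password: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex(), derived.hex()


def check_salted(password, record):
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt_hex, derived_hex = record
    _, candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, derived_hex)


def precompute(wordlist):
    """Hash every guess once, ahead of time; reusable against any unsalted store."""
    return {unsalted_hash(word): word for word in wordlist}


def exposed_accounts(stored, table):
    """Return user -> password for every stored hash found in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def demo():
    table = precompute(WORDLIST)
    generated = secrets.token_urlsafe(24)  # what a manager's generator produces
    passwords = {"alice": "WeakPassword2", "bob": "WeakPassword2", "carol": generated}

    unsalted_db = {u: unsalted_hash(p) for u, p in passwords.items()}
    salted_db = {u: salted_hash(p) for u, p in passwords.items()}
    salted_values = {u: rec[1] for u, rec in salted_db.items()}

    return {
        # Weak passwords fall to a dictionary lookup; the generated one does not.
        "unsalted_exposed": sorted(exposed_accounts(unsalted_db, table)),
        # The same table finds nothing once each record has its own salt.
        "salted_exposed": sorted(exposed_accounts(salted_values, table)),
        # Without a salt, identical passwords are visibly identical in the store.
        "same_unsalted": unsalted_db["alice"] == unsalted_db["bob"],
        "same_salted": salted_db["alice"][1] == salted_db["bob"][1],
        "login_ok": check_salted("WeakPassword2", salted_db["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Salting blocks the precomputed lookup, not guess-by-guess testing of a single record, which is why the generated password matters even on sites that store passwords well.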
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: Password manager

Post by softwaregeek »

Also, as a follow up, I like lastpass due to the "Digital Legacy" feature that can transfer your passwords to a family member after your death.

A family friend just fell down the stairs and is in hospice unconscious. His wife and kids spent several days looking for the book with his passwords. Now they have it, but it's incomplete and they can't read some of the passwords "Is that a S or a 5?"
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password manager

Post by Gadget »

k b wrote: Tue Jan 19, 2021 8:42 pm
Gadget wrote: Mon Jan 18, 2021 5:02 pm
k b wrote: Mon Jan 18, 2021 3:18 pm All,

Thanks for your inputs. I decided to go for 1Password (one person plan) after reading through a bunch of stuff, including the Wirecutter article posted here.

I have a follow-up Q :) :)

1Password provides 2FA, which links to your cellphone. My Q is whether I can link my account to TWO DIFFERENT cellphones? Once again, this is not to get family plan benefits but for an emergency - in case I am not available to log in and another family member wishes to.

Thanks.
The direct answer is yes. You just need to use something like Authy or MS Authenticator that is cloud based 2FA and can be logged into from multiple devices. You can technically do this with a device based 2FA like Google Authenticator, but you would have to copy the QR code onto multiple devices at the initial setup time to accomplish that. It's much easier with Authy.

However, my counter argument is, are you sure you even need 2FA on your 1Password account? Do you understand how the secret key works? It is basically a 2nd factor just like 2FA. It's something only you should have with you. Since 1Password needs your secret key to log in to any new device, I think it is effectively just as good as setting up 2FA on your 1Password account. You just need to ensure that you protect your secret key, either by encrypting it or saving it on something that can only be accessed with 2FA, or is only printed physically somewhere. Clear as mud?

Getting there, but it's going to take time :-) I asked about 2FA because somewhere within my profile 1Password actually revealed my PW to me! Even hotmail or yahoo mail don't do that!!

But then - the secret key is not asked for when I log in? So, how is it 2FA?
Log in from a new device. It will definitely ask you for your secret key. It's caching your secret key on a device you've already set up, just like financial sites sometimes cache that you've successfully entered 2FA codes on a website and won't make you enter 2FA again for a while.

I'm trying to figure out where you saw 1password showing you your master password. Are you using the desktop local client instead of the web version or chrome extension? On the web version or chrome extension, I can't find where it shows me my master password anywhere. I do agree that doesn't seem right.

There are technical differences between 2FA and a secret key. There are some pluses and minuses in regards to security and ease of use. Personally, I feel like the secret key is just as good if not better than 2FA using Authy or Google Authenticator. But I suppose that's for each person to figure out on their own. There is no harm in also adding 2FA to a 1password account, it's just an extra annoyance.


Here's what 1password said:
Security professionals recommend using multiple authentication factors: “something you know”, like your password, and “something you have”, like an authenticator app on your phone.

The Secret Key takes this idea to the next level. It doesn’t just authenticate you with our servers; it also plays a direct role in encrypting your data. That’s important, because it strengthens your Master Password exponentially. And since it never gets sent to us, your Secret Key can’t be reset, intercepted, or evaded.
long_drink
Posts: 25
Joined: Mon Mar 09, 2020 11:08 am

Re: Password manager

Post by long_drink »

I use KeePass and store the database in the cloud. Since that could be a security weak point, I set the database to require a keyfile (which is stored separately on each device). Works great on desktop and pretty good on a smartphone.

It's free, it's simple, and I'm in control of everything.
ikowik
Posts: 392
Joined: Tue Dec 23, 2014 5:52 pm

Re: Password manager

Post by ikowik »

k b wrote: Mon Jan 18, 2021 3:18 pm All,


Getting there, but it's going to take time :-) I asked about 2FA because somewhere within my profile 1Password actually revealed my PW to me! Even hotmail or yahoo mail don't do that!!

But then - the secret key is not asked for when I log in? So, how is it 2FA?
Are you mistaking the secret key with the master password in 1Password? Once you have logged in with the master password, the secret key can be seen in your password vault. I have not seen my master password revealed anywhere in 1Password, and AgileBits (the company behind 1Password) makes a big deal of not knowing or storing the master password in their servers or vault.
gips
Posts: 1760
Joined: Mon May 13, 2013 5:42 pm

Re: Password manager

Post by gips »

lastpass family and the chrome extension. i like the ability to share selected pws with my family (no more “dad, what is the netflix pw”), and i like the capability where if something happens to my wife and me, they can request access to all the passwords. the chrome extension is a real time saver.

i was an early adopter of keepass but had some concerns around my spouse or kids figuring out how to use it were I to pass.
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

The cool thing about BitWarden is, it's open source. That really matters with anything related to security.

https://bitwarden.com/open-source/

I believe the free version lets you share passwords with one other user. My experience with it overall has been excellent on Android, Mac, Windows.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Password manager

Post by Marseille07 »

long_drink wrote: Wed Jan 20, 2021 11:10 am I use KeePass and store the database in the cloud. Since that could be a security weak point, I set the database to require a keyfile (which is stored separately on each device). Works great on desktop and pretty good on a smartphone.

It's free, it's simple, and I'm in control of everything.
I like KeePass as well. Love that I can find a client for Windows, Mac and Linux as I use all 3.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password manager

Post by Gadget »

MrJones wrote: Sat Jan 23, 2021 1:43 am The cool thing about BitWarden is, it's open source. That really matters with anything related to security.

https://bitwarden.com/open-source/

I believe the free version lets you share passwords with one other user. My experience with it overall has been excellent on Android, Mac, Windows.
While I like open source software and promote Bitwarden myself as the best free password manager, I don't like the narrative that open source software is more secure.

The true answer is that open source software is only more secure if there is a large team of developers (usually unpaid) devoted to looking at the code. That can't always be guaranteed. Open source software is actually less secure if there are few to no developers working on the code. Cybersecurity vulnerabilities are a constantly changing landscape.

The one big plus for open source software is that you know that the company making it is transparent and didn't put any backdoors in their software on purpose. So if you don't fully trust the company making the software, this is a big plus.

With closed source software though, new vulnerabilities are hidden a little better to the bad guys when exposed. It allows the development team to find and correct them before the bad guys see them. They do this by using software like Coverity, Fortify, etc. that help scan their code and flag it for an ever changing and increasing list of known vulnerabilities and code weaknesses. But no software just finds these vulnerabilities automatically.
It takes experienced programmers analyzing software tools and code, filtering out false positives, and correcting the bugs. Cybersecurity and secure software isn't this static thing that can be protected against. It is a giant moving target every day. And most importantly, it costs time or money to keep up with.

With open source software, you are at the mercy of hoping that the active development community is faster/better than the cybercriminals. Usually that is true. But there have been some famous Linux vulnerabilities that weren't found for years on open source software.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

ikowik wrote: Wed Jan 20, 2021 11:19 am
k b wrote: Mon Jan 18, 2021 3:18 pm All,


Getting there, but it's going to take time :-) I asked about 2FA because somewhere within my profile 1Password actually revealed my PW to me! Even hotmail or yahoo mail don't do that!!

But then - the secret key is not asked for when I log in? So, how is it 2FA?
Are you mistaking the secret key with the master password in 1Password? Once you have logged in with the master password, the secret key can be seen in your password vault. I have not seen my master password revealed anywhere in 1Password, and AgileBits (the company behind 1Password) makes a big deal of not knowing or storing the master password in their servers or vault.
No. I did check again today. There is one route to actually revealing the master password. This gets me worried about 1Password, TBH.
ikowik
Posts: 392
Joined: Tue Dec 23, 2014 5:52 pm

Re: Password manager

Post by ikowik »

k b wrote: Sat Jan 23, 2021 11:32 am
ikowik wrote: Wed Jan 20, 2021 11:19 am
k b wrote: Mon Jan 18, 2021 3:18 pm All,


Getting there, but it's going to take time :-) I asked about 2FA because somewhere within my profile 1Password actually revealed my PW to me! Even hotmail or yahoo mail don't do that!!

But then - the secret key is not asked for when I log in? So, how is it 2FA?
Are you mistaking the secret key with the master password in 1Password? Once you have logged in with the master password, the secret key can be seen in your password vault. I have not seen my master password revealed anywhere in 1Password, and AgileBits (the company behind 1Password) makes a big deal of not knowing or storing the master password in their servers or vault.
No. I did check again today. There is one route to actually revealing the master password. This gets me worried about 1Password, TBH.
I agree that would be worrying if true. Are you sure of this? Once I have logged in using my master password on my computer, I CAN change my master password (and therefore see the new one), but that requires knowledge of my master password to get in and do that (which is true of other password managers as well). The master password resides only on your computer's memory while the program is open and should not be transmitted to AgileBits.
See https://support.1password.com/forgot-master-password/

Are you saying someone who does NOT know the master password can somehow unlock 1Password and see your master password? If this is correct, I strongly urge you to contact AgileBits and let them know ASAP.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

ikowik wrote: Sat Jan 23, 2021 2:12 pm
k b wrote: Sat Jan 23, 2021 11:32 am
ikowik wrote: Wed Jan 20, 2021 11:19 am
k b wrote: Mon Jan 18, 2021 3:18 pm All,


Getting there, but it's going to take time :-) I asked about 2FA because somewhere within my profile 1Password actually revealed my PW to me! Even hotmail or yahoo mail don't do that!!

But then - the secret key is not asked for when I log in? So, how is it 2FA?
Are you mistaking the secret key with the master password in 1Password? Once you have logged in with the master password, the secret key can be seen in your password vault. I have not seen my master password revealed anywhere in 1Password, and AgileBits (the company behind 1Password) makes a big deal of not knowing or storing the master password in their servers or vault.
No. I did check again today. There is one route to actually revealing the master password. This gets me worried about 1Password, TBH.
I agree that would be worrying if true. Are you sure of this? Once I have logged in using my master password on my computer, I CAN change my master password (and therefore see the new one), but that requires knowledge of my master password to get in and do that (which is true of other password managers as well). The master password resides only on your computer's memory while the program is open and should not be transmitted to AgileBits.
See https://support.1password.com/forgot-master-password/

Are you saying someone who does NOT know the master password can somehow unlock 1Password and see your master password? If this is correct, I strongly urge you to contact AgileBits and let them know ASAP.

No. The only way to REVEAL the master password is to log in WITH the master password. But I have never actually seen my password on the screen before on any site. Not recently anyway.

I am about to enable 2FA on 1Password just to be sure. Only issue with 2FA is that there is so much dependence on my phone...
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

Gadget wrote: Wed Jan 20, 2021 10:53 am
k b wrote: Tue Jan 19, 2021 8:42 pm
Gadget wrote: Mon Jan 18, 2021 5:02 pm
k b wrote: Mon Jan 18, 2021 3:18 pm All,

Thanks for your inputs. I decided to go for 1Password (one person plan) after reading through a bunch of stuff, including the Wirecutter article posted here.

I have a follow-up Q :) :)

1Password provides 2FA, which links to your cellphone. My Q is whether I can link my account to TWO DIFFERENT cellphones? Once again, this is not to get family plan benefits but for an emergency - in case I am not available to log in and another family member wishes to.

Thanks.
The direct answer is yes. You just need to use something like Authy or MS Authenticator that is cloud based 2FA and can be logged into from multiple devices. You can technically do this with a device based 2FA like Google Authenticator, but you would have to copy the QR code onto multiple devices at the initial setup time to accomplish that. It's much easier with Authy.

However, my counter argument is, are you sure you even need 2FA on your 1Password account? Do you understand how the secret key works? It is basically a 2nd factor just like 2FA. It's something only you should have with you. Since 1Password needs your secret key to log in to any new device, I think it is effectively just as good as setting up 2FA on your 1Password account. You just need to ensure that you protect your secret key, either by encrypting it or saving it on something that can only be accessed with 2FA, or is only printed physically somewhere. Clear as mud?

Getting there, but it's going to take time :-) I asked about 2FA because somewhere within my profile 1Password actually revealed my PW to me! Even hotmail or yahoo mail don't do that!!

But then - the secret key is not asked for when I log in? So, how is it 2FA?
Log in from a new device. It will definitely ask you for your secret key. It's caching your secret key on a device you've already set up, just like financial sites sometimes cache that you've successfully entered 2FA codes on a website and won't make you enter 2FA again for a while.

I'm trying to figure out where you saw 1password showing you your master password. Are you using the desktop local client instead of the web version or chrome extension? On the web version or chrome extension, I can't find where it shows me my master password anywhere. I do agree that doesn't seem right.

There are technical differences between 2FA and a secret key. There are some pluses and minuses in regards to security and ease of use. Personally, I feel like the secret key is just as good if not better than 2FA using Authy or Google Authenticator. But I suppose that's for each person to figure out on their own. There is no harm in also adding 2FA to a 1password account, it's just an extra annoyance.


Here's what 1password said:
Security professionals recommend using multiple authentication factors: “something you know”, like your password, and “something you have”, like an authenticator app on your phone.

The Secret Key takes this idea to the next level. It doesn’t just authenticate you with our servers; it also plays a direct role in encrypting your data. That’s important, because it strengthens your Master Password exponentially. And since it never gets sent to us, your Secret Key can’t be reset, intercepted, or evaded.
I use a Firefox add-on. Tried again this morning and I was actually able to see my password on the screen! About to switch on 2FA.
ikowik
Posts: 392
Joined: Tue Dec 23, 2014 5:52 pm

Re: Password manager

Post by ikowik »

k b wrote: Sat Jan 23, 2021 2:49 pm
I use a Firefox add-on. Tried again this morning and I was actually able to see my password on the screen! About to switch on 2FA.
I find it hard to understand what you are seeing. I also use the Firefox extension. When I type in the master password, it shows only dots, not letters or numbers. I remember from the time I was using KeepassX and XC, that I could click on the eye sign to the right and it would reveal the password I just typed in. I have not seen this on 1Password.
OP, one of the posters above explained why the secret code is another layer of security and functions similar to 2FA. Once you have set up a new device with the code, it is not asked for again, but you will need it if trying to log in from an unrecognized device.
I also use an extra 2FA (Yubikey or Authy).
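An added sketch, not from any poster and not 1Password's actual algorithm, of the general idea the thread attributes to the Secret Key: a random secret generated on the device is mixed into the vault key derivation, so the master password alone cannot reproduce the key on a new device. Every name, parameter and the verifier construction are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def hkdf_sha256(key_material, salt, info):
    """HKDF (RFC 5869) extract-then-expand, first 32-byte output block only."""
    prk = hmac.new(salt, key_material, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_vault_key(master_password, secret_key, salt):
    """Combine the memorised password with the device-held secret."""
    slow = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    fast = hkdf_sha256(secret_key.encode(), salt, b"vault-key-sketch")
    return bytes(a ^ b for a, b in zip(slow, fast))


def new_secret_key():
    """128 random bits created on the device and kept there."""
    return secrets.token_hex(16)


def enroll(master_password):
    """First-device setup: returns the secret key plus what a server could hold."""
    secret_key = new_secret_key()
    salt = os.urandom(16)
    key = derive_vault_key(master_password, secret_key, salt)
    verifier = hashlib.sha256(key).digest()  # stand-in for a server-side check
    return secret_key, salt, verifier


def unlocks(master_password, secret_key, salt, verifier):
    """True only when both secrets reproduce the enrolled vault key."""
    key = derive_vault_key(master_password, secret_key, salt)
    return hmac.compare_digest(hashlib.sha256(key).digest(), verifier)


if __name__ == "__main__":
    sk, salt, verifier = enroll("correct horse battery staple")
    print("known device (cached secret key):",
          unlocks("correct horse battery staple", sk, salt, verifier))
    print("new device, password only:       ",
          unlocks("correct horse battery staple", new_secret_key(), salt, verifier))
```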
Target2019
Posts: 904
Joined: Sat Mar 03, 2007 4:30 pm

Re: Password manager

Post by Target2019 »

k b wrote: Sat Jan 23, 2021 2:49 pm
I use a Firefox add-on. Tried again this morning and I was actually able to see my password on the screen! About to switch on 2FA.
Make sure you are using the official 1Password extension.
I do not see my master password on the screen when I login through the extension.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

"OP, one of the posters above explained why the secret code is another layer of security and functions similar to 2FA. Once you have set up a new device with the code, it is not asked for again, but you will need it if trying to log in from an unrecognized device." - YES, I LEARNED THIS IN THE LAST COUPLE OF DAYS AS I ADDED 1PASSWORD TO A DIFFERENT DEVICE. WORKED FINE.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

Target2019 wrote: Sat Jan 23, 2021 3:28 pm
k b wrote: Sat Jan 23, 2021 2:49 pm
I use a Firefox add-on. Tried again this morning and I was actually able to see my password on the screen! About to switch on 2FA.
Make sure you are using the official 1Password extension.
I do not see my master password on the screen when I login through the extension.

I think I figured it out. The browser extension has a 'LOCK' feature. Previously the extension was 'unlocked'. Once I clicked on the LOCK feature, the PW did not 'reveal'.

If you want to try this out, unlock the extension and look for the reveal password feature.

Feeling much better now!