Password managers


MtnMan

Diamond Member
Jul 27, 2004
9,409
8,807
136
I use Bitwarden for everything online. About once a month I export everything from BW and import it into KeePass.

KeePass gives me local storage/access to all the BW stuff for worst case SHTF events.

Additionally, I keep all sorts of data I want secure in KeePass, such as serial numbers of my guns, TVs, VINs, software keys, make/model/serial of power equipment, etc., etc.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
51,540
7,233
136
Does anyone here use a password manager, and if so, do you store passwords to financial websites (CC, bank, etc.) separately? Or do you store those in the PW manager too?

MYKI: (non-cloud)


It's similar to Bitcoin...you're 100% responsible for the safety of your security because there's no cloud backup. The software is a bit finicky (still in development) but it handles 2FA, passwords, notes, etc. You just have to be ultra-careful to keep your backups in case you lose a device!
 

Charmonium

Lifer
May 15, 2015
10,544
3,540
136
Do you know what PMs can do way better than you? Avoid phishing sites that are carbon copies of your bank's or broker's. Sometimes they set up a site that looks legit, even if you inspect the URL because they embed non-printable characters. So to all the world, they are the "Chase" where you have your account. You don't see it's just a shell until you've already given up your info.

With PMs like LastPass, it doesn't matter if they get hacked since everything of yours that's on their server is encrypted.

Now, if you're worried about their encryption being hacked, just cash in all of your assets and do an 'air drop.' You'll make a lot of friends.
 
  • Like
Reactions: Kaido

MrSquished

Lifer
Jan 14, 2013
26,067
24,396
136
LastPass just sent an email out that there is no indication anybody's master passwords were hacked; the emails were sent out by mistake, triggered by an error. Either it's PR or the truth, who knows.

Do you know what PMs can do way better than you? Avoid phishing sites that are carbon copies of your bank's or broker's. Sometimes they set up a site that looks legit, even if you inspect the URL because they embed non-printable characters. So to all the world, they are the "Chase" where you have your account. You don't see it's just a shell until you've already given up your info.

With PMs like LastPass, it doesn't matter if they get hacked since everything of yours that's on their server is encrypted.

Now, if you're worried about their encryption being hacked, just cash in all of your assets and do an 'air drop.' You'll make a lot of friends.

They did mention this too, which is good info for us that don't know how this shit works:

"Lastly, it is important to remember that LastPass utilizes a zero-knowledge security model that is designed to ensure that customer data remains protected. When a LastPass user creates their Master Password, it’s used to generate a unique encryption key. The Master Password and the encryption key stay local on the user’s device – they are never sent to or shared with LastPass."
 
  • Like
Reactions: Charmonium

Charmonium

Lifer
May 15, 2015
10,544
3,540
136
How would you tell if there were unprintable characters in what appears to be the correct URL?
 

mikeymikec

Lifer
May 19, 2011
20,985
16,232
136
How would you tell if there were unprintable characters in what appears to be the correct URL?

IMO there would be a space or some nonsense character in the URL where the unprintable character is.

In any case, my advice to customers is to ignore any links or attachments in e-mails you're receiving from any organisation unless you're fully expecting it to arrive at that moment (ie. you've just had a conversation with an organisation that you know to be legit and they said they would be sending through xyz via e-mail). If your supplier for xyz is telling you that your new bill is available online through their website, then you know how to get to that website yourself without the link in the e-mail.
 
  • Like
Reactions: lxskllr
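For the question above about spotting unprintable characters in a URL, an added example (not part of any post in this thread): a check that lists invisible or non-ASCII characters in a URL's host by code point, next to the exact-origin comparison that lets a password manager refuse a lookalike. The function names and the `bank.example` URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs (not real sites).
SAVED = "https://www.bank.example/login"
CYRILLIC = "https://www.b\u0430nk.example/login"      # U+0430 in place of Latin "a"
ZERO_WIDTH = "https://www.ba\u200bnk.example/login"   # zero-width space in the host

# Unicode general categories that draw nothing on screen: control and
# format characters (zero-width space/joiner, soft hyphen, bidi marks).
INVISIBLE = {"Cc", "Cf"}

def suspicious_chars(url):
    """Return (position, code point, Unicode name, reason) for every host
    character that is invisible or outside plain ASCII."""
    host = urlsplit(url).hostname or ""
    findings = []
    for pos, ch in enumerate(host):
        if unicodedata.category(ch) in INVISIBLE:
            reason = "invisible"
        elif ord(ch) > 127:
            reason = "non-ASCII lookalike candidate"
        else:
            continue
        name = unicodedata.name(ch, "UNNAMED")
        findings.append((pos, f"U+{ord(ch):04X}", name, reason))
    return findings

def same_origin(saved_url, visited_url):
    """Compare scheme, host and port by code point, not by appearance.
    This is the comparison a password manager can make before filling."""
    a, b = urlsplit(saved_url), urlsplit(visited_url)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

if __name__ == "__main__":
    for url in (SAVED, CYRILLIC, ZERO_WIDTH):
        print(ascii(url), suspicious_chars(url), same_origin(SAVED, url))
```
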

JM Aggie08

Diamond Member
Jan 3, 2006
8,414
1,007
136
+1 for Bitwarden. Incredibly long/complex passwords, app synced across all of my devices. Love it.

I'd previously used LastPass until they went to shit. Fortunately, was able to export/import everything into Bitwarden.
 
  • Like
Reactions: MtnMan

Red Squirrel

No Lifer
May 24, 2003
70,565
13,802
126
www.anyf.ca
On subject of password managers anyone know of any decent ones for Firefox that act similar to the built in auto form filler that remembers form entries but that is completely separate? My workplace disabled that and it's a pita having to open the password manager to copy/paste the password every time an app times out. I just want the form to auto fill. Oddly enough existing passwords still auto fill but you can't update them anymore. I want something that's local only, no cloud stuff.
 

JM Aggie08

Diamond Member
Jan 3, 2006
8,414
1,007
136
Also, somewhat related -- shoutout to Yubikey for making excellent 2FA devices.
 

MtnMan

Diamond Member
Jul 27, 2004
9,409
8,807
136
I use Bitwarden for logging on to websites, via the add-on in my browser.

KeePass is also very useful, and it is my fallback, plus more. And since it is local to my computer, I don't have to rely on internet access to get to the information. It also means I don't have all my eggs in one basket.

I will periodically export all passwords from Bitwarden and import into KeePass.
I use KeePass to store a bunch of other information, such as all the software keys for the programs on my computer, from Windows to Adobe products and many other programs.
All the model and serial numbers of everything from TVs to appliances, to my guns, along with date of purchase, vendor, etc.
 
  • Like
Reactions: Ajay

MtnMan

Diamond Member
Jul 27, 2004
9,409
8,807
136
+1 for Bitwarden. Incredibly long/complex passwords, app synced across all of my devices. Love it.

I'd previously used LastPass until they went to shit. Fortunately, was able to export/import everything into Bitwarden.
Ditto
 

pete6032

Diamond Member
Dec 3, 2010
8,146
3,584
136
I started using Bitwarden about a month ago and it's a life changer. No more password resets. Just log into Bitwarden and copy the pw and paste into login field. Works great. Can't believe I wasn't using a pw manager before this.
 

Charmonium

Lifer
May 15, 2015
10,544
3,540
136
IMO there would be a space or some nonsense character in the URL where the unprintable character is.

In any case, my advice to customers is to ignore any links or attachments in e-mails you're receiving from any organisation unless you're fully expecting it to arrive at that moment (ie. you've just had a conversation with an organisation that you know to be legit and they said they would be sending through xyz via e-mail). If your supplier for xyz is telling you that your new bill is available online through their website, then you know how to get to that website yourself without the link in the e-mail.
I just turn off scripting for all sites unless I permit it.
On subject of password managers anyone know of any decent ones for Firefox that act similar to the built in auto form filler that remembers form entries but that is completely separate? My workplace disabled that and it's a pita having to open the password manager to copy/paste the password every time an app times out. I just want the form to auto fill. Oddly enough existing passwords still auto fill but you can't update them anymore. I want something that's local only, no cloud stuff.
LastPass sort of does that. You can set the default to autofill but since I tend to multiple ids, I just rt click, click the LastPass link and pick an id. The problem I've run into though is picking the correct id. And some sites won't permit that at all. Not many any more though.
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
51,540
7,233
136
MYKI: (non-cloud)


It's similar to Bitcoin...you're 100% responsible for the safety of your security because there's no cloud backup. The software is a bit finicky (still in development) but it handles 2FA, passwords, notes, etc. You just have to be ultra-careful to keep your backups in case you lose a device!

Unfortunately MYKI got bought out:


I'm currently recommending Roboform:


The sharing feature is nice for family members!
 

JM Aggie08

Diamond Member
Jan 3, 2006
8,414
1,007
136
May as well be shitting in a hole and wiping with your bare hand if you're not using a password manager, tbh.
 
  • Wow
Reactions: Ajay
Nov 17, 2019
13,306
7,880
136
I'm not quoting posts here any more, so you'll have to work from this. Many of you are talking about using these to either autofill forms, or simply copying and pasting information into fields. But as I said in my earlier post, more and more sites are disallowing that. Some Government and banking sites actively take steps to prevent either method and they will not allow you to disable scripting.
 

Red Squirrel

No Lifer
May 24, 2003
70,565
13,802
126
www.anyf.ca
I'm not quoting posts here any more, so you'll have to work from this. Many of you are talking about using these to either autofill forms, or simply copying and pasting information into fields. But as I said in my earlier post, more and more sites are disallowing that. Some Government and banking sites actively take steps to prevent either method and they will not allow you to disable scripting.

I did notice that too. For some reason on this particular computer half of websites don't remember my credentials no matter what. So the only way around that is to use the browser feature. But there are a few sites where that does not work, since they use some kind of javascript based form instead of text fields. Quite annoying.

My main password manager both at work and at home just involves copy and pasting, but for sites that are used often it's annoying having to do that each time. At work a lot of stuff forces you to log in over and over again and now that they disabled the built in feature once the password changes I won't be able to update it. Will try KeePass when I get the chance.
 

balloonshark

Diamond Member
Jun 5, 2008
7,137
3,618
136
I did notice that too. For some reason on this particular computer half of websites don't remember my credentials no matter what. So the only way around that is to use the browser feature. But there are a few sites where that does not work, since they use some kind of javascript based form instead of text fields. Quite annoying.

My main password manager both at work and at home just involves copy and pasting, but for sites that are used often it's annoying having to do that each time. At work a lot of stuff forces you to log in over and over again and now that they disabled the built in feature once the password changes I won't be able to update it. Will try KeePass when I get the chance.
With KeePass you can use the auto-type feature. Since log ons are different from site to site you can also customize the auto-type. For example you may want to use the space key to tick the stay logged in check box. Some sites you have to use tab several times to navigate the log on (I'm looking at you MS). Some sites are slow and require a pause between typing the username and password (Yahoo). All this can be done fairly easily if you're willing to learn.

Normal auto-type sequence. {USERNAME}{TAB}{PASSWORD}{ENTER}

Auto-type sequence for a site with stay logged in box. {USERNAME}{TAB}{PASSWORD}{TAB}{SPACE}{TAB}{ENTER}

Microsoft auto-type sequence. {USERNAME}{TAB}{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{PASSWORD}{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{SPACE}{ENTER}
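A dry run of the three auto-type sequences above, as an added example that is not part of the post and not KeePass code: it parses only the placeholders used in the post and shows which field each value would be typed into, flagging a sequence that would put the password in the same field as the username. The focus model (TAB moves one field, ENTER starts a new screen at field 0), the function names and the `MISSING_TAB` sample are assumptions made for illustration.

```python
import re

# Only the placeholders that appear in the post; anything else is rejected.
TOKEN = re.compile(r"\{(USERNAME|PASSWORD|TAB|ENTER|SPACE|DELAY)(?: (\d+))?\}")

NORMAL = "{USERNAME}{TAB}{PASSWORD}{ENTER}"
STAY_LOGGED_IN = "{USERNAME}{TAB}{PASSWORD}{TAB}{SPACE}{TAB}{ENTER}"
MICROSOFT = ("{USERNAME}{TAB}{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{PASSWORD}"
             "{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{SPACE}{ENTER}")
MISSING_TAB = "{USERNAME}{PASSWORD}{ENTER}"   # constructed faulty sequence

def parse(sequence):
    """Split a sequence into (placeholder, number) steps; reject stray text."""
    steps, pos = [], 0
    for m in TOKEN.finditer(sequence):
        if m.start() != pos:
            break
        steps.append((m.group(1), int(m.group(2) or 1)))
        pos = m.end()
    if pos != len(sequence):
        raise ValueError(f"unsupported text at offset {pos}: {sequence[pos:]!r}")
    return steps

def dry_run(sequence):
    """Return one {field index: [values typed]} dict per screen. Values are
    placeholder names, so no real secret is ever handled here."""
    screens, fields, focus = [], {}, 0
    for name, number in parse(sequence):
        if name == "DELAY":               # number is milliseconds; nothing typed
            continue
        for _ in range(number):           # for keys, number is a repeat count
            if name == "TAB":
                focus += 1
            elif name == "ENTER":         # assumed: submit, next screen, field 0
                screens.append(fields)
                fields, focus = {}, 0
            else:
                fields.setdefault(focus, []).append(name)
    if fields:
        screens.append(fields)
    return screens

def password_exposed(sequence):
    """True if PASSWORD lands in a field that also received USERNAME."""
    return any("USERNAME" in typed and "PASSWORD" in typed
               for screen in dry_run(sequence) for typed in screen.values())

if __name__ == "__main__":
    for seq in (NORMAL, STAY_LOGGED_IN, MICROSOFT, MISSING_TAB):
        print(dry_run(seq), "exposed" if password_exposed(seq) else "ok")
```
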