Best Password Manager

I feel it would be a good idea to install a Password Manager, but found that there's conflicting information about which one is best.  Any suggestions?  I have only two devices:  a PC and a tablet.  Windows-based PC and an iPad.  Looking for something straightforward and not too technical!  

Thank you. 


Congrats on taking a huge and positive step to improving your security! Having a separate password for each site, and having those passwords be difficult to have a computer program guess, is probably the electronic-security equivalent of always washing your hands -- relatively low investment for large results.


I'm partial to Lastpass. It has extensions/plugins for browsers (I mainly use Chrome, but all major browsers are supported). This makes browser-based password management really easy. We spring for the paid version so my spouse and I can share passwords.

You'll have to choose a master password -- the password you use to access Lastpass (or the password manager of your choice). I have two recommendations here:

- Choose a sentence or phrase. Password cracking is almost always a program just cycling through as many possibilities as possible as fast as possible, meaning a long but easy to remember password is harder to guess than a short but obscure one.

- Change this password regularly  -- at least every six months.



I also use and like LastPass, although I haven't convinced my other family members to follow suit.  I have it on my phone as well as computer and with the latest iOS version, it actually works fairly well (or at least better than previously) with iPhone apps.  And on my computer, with Chrome it works very smoothly with the form-fills, etc.  I do recall that there was some learning curve at the beginning but it was very worth it as I have hundreds of online accounts and this allows me to have unique, hard-to-crack passwords for each one.  


Watching this thread.

Our circumstances: 1-windows desktop, 1- Android tablet, 1 Apple desktop, 1 iPad.  I’ve said this many times before...I’m a technotwit so be patient.  We don’t keep sensitive info on our puters.

Sounds like LastPass will work with all that...right?  

Do I need to purchase separately for each?  One time?  Annual?

Do they also do a malware thing?  

What are you using for malware?

If we don’t have “...hundreds of online accounts...” with sensitive info do we really need to have separate passwords for each?

Thanks muchly


Apollo_T said:
Watching this thread.
Our circumstances: 1-windows desktop, 1- Android tablet, 1 Apple desktop, 1 iPad.  I’ve said this many times before...I’m a technotwit so be patient.  We don’t keep sensitive info on our puters.
Sounds like LastPass will work with all that...right?  
Do I need to purchase separately for each?  One time?  Annual?
Do they also do a malware thing?  
What are you using for malware?
If we don’t have “...hundreds of online accounts...” with sensitive info do we really need to have separate passwords for each?
Thanks muchly

One lastpass account works on multiple devices --- I don't know if there's a limit on how many, but didn't see anything in the docs saying there was. If there is, I'm nearly 100% sure your use case is well under any limit.


As far as storing info, you may not keep sensitive info on your computer, but your email provider, your bank, your utility company, etc certainly have your sensitive data on their computers. So you definitely want to make it difficult for someone to guess your password and gain access to those accounts.


And on the point of not having hundreds of online accounts -- you have a password here on MOL? Hopefully you don't also use that same password for, say, your bank account. If your bank's lax website security lets an attacker get your password there, now they also have access to your MOL account...  Point being, you don't need to have hundreds of accounts for there to be an issue. So long as you are reusing passwords (or even variations of passwords -- if I know your password for your bank is Apollo11, won't take me too many tries to figure out your MOL password is Apollo13) between sites, you're vulnerable, and a password manager makes it much easier to avoid doing that.


ETA -- more details on lastpass -- one annual payment, and very affordable (Family plan is $48/year).

https://www.lastpass.com/pricing


One further point -- good security helps not just you, but everyone else too. The most common online attack is phishing -- tricking people into divulging information they can use to hack an account. Think a fake email directing you to a login page for your bank that's not actually your bank's site, or the DNC hack. 

If someone gains access to your Facebook, or email, or MOL, or other social media account, they can then contact your friends pretending to be you, tricking them into divulging sensitive info or passwords. So even "unimportant" accounts can be tools for attackers, and so are worth locking down.


My fear is if LastPass gets hacked, they get ALL your passwords.

And if they can hack: Paypal, FBI, Facebook, IRS, et al... why not LastPass?


Very helpful thread!  I have been using the "save your password" feature in Google Chrome.  While I can go into the settings and remove any saved passwords whenever I wish, those passwords are also on the "cloud" because I can log into websites on my laptop and iphone when using Chrome.  In my more paranoid moments, I've been thinking that I am being foolish in using this Google feature instead of a password manager such as Lastpass or Dashlane...is that the case?   My thinking has been that, either way, some external company has all of my passwords that I've saved on their server so what's the difference?  


Sundays said:
My fear is if LastPass gets hacked, they get ALL your passwords.
And if they can hack: Paypal, FBI, Facebook, IRS, et al... why not LastPass?

 I believe that the password encryption mechanism in LastPass is such that it would be very complicated for a hacker to get "all" of your passwords, just as a result of hacking into LastPass.  (Much more so than getting into your Facebook or whatever account as a result of hacking into one of those apps.)  But I guess nothing is impossible.  Obviously you should NEVER use your LastPass Master Password for ANY other purpose and it should be a very strong password.  (But since you are using LastPass for your other passwords, then the difficulty of having to remember, or needing to write down, many unique AND strong passwords is reduced.) LastPass also offers (but does not currently require) two-factor authentication which is another layer of security.


I wanted to add more context, but the post might get a bit long, so I'll put the tl;dr first, then the context second.  Briefly:

- Use two-factor authentication (aka "2fa")
- Never re-use passwords between sites

- Legitimate online services -- your bank, your email provider, etc -- will not ask for your password or other private information over email. Relatedly, be suspicious of emails from your service providers asking you to click a link to log in, or which direct you to a different site

The longer context:

I'm a software developer, but not a security expert. I have to be security conscious in my job, but it's not my main focus. That's just to get my biases and potential blind spots out in the open -- talk to an actual security expert and they may have different emphases or even outright disagreements with what I say (they'll definitely be a lot more paranoid!).

The thing with passwords and online security is that it's by and large not personal. Unless you're the president of the United States or some other high value target, no one's going to be trying to hack into your unsecured cell phone or trying to specifically hack your bank account.

Instead, what's usually happening is the attacker has long lists of usernames and passwords, and they have a program that just tries all of these (and common variations of them) against as many services as they can. And inevitably, some of these will work and they'll have access to some accounts. From that point on they might do any number of things, but usually along the lines of some sort of identity fraud -- not just for whatever financial gain they can get from the info in the compromised account, but as a way of using that information to gain even more access to more accounts. Sometimes the most lucrative thing an attacker can do with a compromised account is gather information from it and sell it -- ie, making those lists of passwords and usernames even bigger. 

So really, what you're trying to do is keep your information from ending up on one of these lists and, if it is, stopping that information from actually being useful to an attacker.

Check out https://haveibeenpwned.com/ to see if your email or password is on a list of known data breaches. Chances are, it is.

If you re-use passwords, your security is only as good as the least secure site you visit. Maybe chase.com hasn't been hacked, but if you use the same password for it as on insecuresite.com, and that has been hacked, then your chase account is hacked too. Remember, these credentials just end up on giant lists -- attackers are going to run their list against chase.com and see if any password and username combos work.


So, step one, don't reuse passwords. And subtle variations don't count as different passwords.  If you use the password "mypass" on one site, and "mypass1" on a second site, it's pretty trivial for a password-cracking program to try such simple variations.


Relatedly, avoid common passwords. Don't use any on this list, for instance. Such passwords are pretty much by definition already compromised -- they're on those big lists of credentials.


This is where password managers are useful, because coming up with strong, unique passwords for all your online services is really hard. As @sac noted, these managers don't keep your actual passwords on their servers -- they keep an encrypted version, and at least in the case of Lastpass the encryption key is kept locally on your computer, not on the server. So if Lastpass is compromised, they won't get your passwords, but rather an encrypted hash. I mention Lastpass because that's who I use, but there are other good ones out there too, some arguably better than Lastpass.


Step two, use two factor authentication for all sensitive sites -- your bank, Facebook, your email, etc. The idea behind 2fa is that a password is not enough to log in -- you need a second factor. The most common implementation is having a one time code texted to your phone when you want to log in. In this scenario, even if an attacker has your username and password, it's still not enough to gain access.

Finally -- everything's a trade-off, and nothing is 100% secure. More security means less convenience, but at this point I'd argue that using a password manager and 2fa is well worth that trade. Talk to the real security folks and they'll argue that's not enough -- that you shouldn't even trust a password manager, that you should possibly swear off Google and Facebook and commit all your passwords to memory via complicated mnemonic devices -- and hey, it sounds crazy but I do see their point. Further than I'm personally willing to go, but I can see where they're coming from. Again, everything's a trade off, and it's about balancing risk.


Thank you all for your thoughtful and helpful posts.  I'll be making my password changes in the coming weeks...



I really like Lastpass and use it heavily. I had a small handful of reused passwords before I got it. I didn't rush to change them all. I did it gradually over months, with the help of Lastpass. I will say that there is a learning curve, but it's worth it.

There are others out there. They may be just as good. One cow-orker uses an AVG password keeper and likes it.

I often let Lastpass generate a password for me, since I am not likely to be typing it. I also have a way of making up passwords, but that is slower. There is also an app on MacOS, but I don't use a Mac at work. So my passwords are long, complex, and very hard to guess by software. Some are hard to type, and some are not, but being hard to type isn't a big deal any more.


Is there a charge for these services?


FilmCarp said:
Is there a charge for these services?

 There are levels. The free level of Lastpass is pretty good, and you may never need to upgrade. I upgraded because it lets me share passwords, particularly with my wife. At my previous job, we had an enterprise level account which has even more features. I'm paying $12/year for my personal account.


Thanks.  I think I can manage $12 per year if I have to.  I'll just stop feeding my son.


To be frank, I dunno what a "password manager" is.  I have a spreadsheet I maintain where I keep a log of my passwords for sites.  The basis of most of my passwords is a 4-digit ATM PIN code which was assigned to me 30 years ago.  So I use that for most sites coupled with variants of letters, upper and lower case, and a couple of "unique characters" (or whatever the lexicon is) (e.g. "?", "!" etc).  Seems to work for me, haven't been hacked.  In the spreadsheet, I don't specify the PIN code because I just know it.


Tom_Reingold said:
Everything You Need to Know About Password Managers --Consumer Reports

 Thanks - helpful.  But paranoid me worries about those sites being compromised.  


@lanky, the data of yours that they save is encrypted and can't be decrypted without your passphrase, which they don't have.

What happens if someone learns your PIN? How will it help them break into your accounts?
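The design being described here and earlier in the thread (the service stores only an encrypted vault, and the key that opens it is derived from your passphrase on your own device) as an added example, not code from the thread or from LastPass or any other product: a Python sketch of a client-side-encrypted vault. Assumptions are labelled in the comments: the PBKDF2 work factor, the per-user salt derived from the account email, and the use of HMAC-SHA256 in counter mode as a standard-library stand-in for AES-GCM. The `VaultServer` class, `alice@example.com`, the passphrase and the stored password are all constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ROUNDS = 100_000  # assumed work factor for this demo; real products tune this higher


def derive_keys(master_passphrase: str, email: str):
    """Runs on the client only. The vault key never leaves the device; the login hash is a
    one-way derivation from it, so holding the login hash does not yield the vault key."""
    salt = hashlib.sha256(email.lower().encode()).digest()  # assumption: per-user salt from the account name
    vault_key = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, PBKDF2_ROUNDS, 32)
    login_hash = hmac.new(vault_key, b"login-hash", hashlib.sha256).digest()
    return vault_key, login_hash


def _subkeys(vault_key: bytes):
    """Separate encryption and integrity keys, both derived from the vault key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher (stand-in for AES-GCM).
    A nonce must never be reused with the same key."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so tampering is detected."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ciphertext", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: wrong master passphrase or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Everything the service holds per user: a login hash and an opaque encrypted blob.
    No master passphrase and no vault key exist on this side."""

    def __init__(self):
        self.users = {}

    def _auth(self, email: str, login_hash: bytes) -> dict:
        rec = self.users.get(email)
        if rec is None or not hmac.compare_digest(rec["login_hash"], login_hash.hex()):
            raise PermissionError("login failed")
        return rec

    def register(self, email: str, login_hash: bytes) -> None:
        self.users[email] = {"login_hash": login_hash.hex(), "vault": None}

    def store_vault(self, email: str, login_hash: bytes, blob: dict) -> None:
        self._auth(email, login_hash)["vault"] = blob

    def fetch_vault(self, email: str, login_hash: bytes) -> dict:
        return self._auth(email, login_hash)["vault"]


def client_signup_and_sync(server: VaultServer, email: str, master: str, passwords: dict) -> None:
    vault_key, login_hash = derive_keys(master, email)
    server.register(email, login_hash)
    server.store_vault(email, login_hash, encrypt_vault(vault_key, json.dumps(passwords).encode()))


def client_open_vault(server: VaultServer, email: str, master: str) -> dict:
    vault_key, login_hash = derive_keys(master, email)
    return json.loads(decrypt_vault(vault_key, server.fetch_vault(email, login_hash)))


def dump_server(server: VaultServer) -> str:
    """What someone who breaches the service actually walks away with."""
    return json.dumps(server.users)


def attacker_offline_guess(dump: str, email: str, guess: str):
    """With the dump in hand, the only remaining move is guessing the master passphrase and
    paying the KDF cost per guess. Returns the vault on a correct guess, otherwise None."""
    vault_key, _ = derive_keys(guess, email)
    try:
        return json.loads(decrypt_vault(vault_key, json.loads(dump)[email]["vault"]))
    except ValueError:
        return None


if __name__ == "__main__":
    srv = VaultServer()
    client_signup_and_sync(srv, "alice@example.com", "correct horse battery staple", {"bank": "Zx9!qLm2"})
    print(client_open_vault(srv, "alice@example.com", "correct horse battery staple"))
    stolen = dump_server(srv)
    print("master passphrase in dump?", "correct horse" in stolen)
    print("guess 'password123':", attacker_offline_guess(stolen, "alice@example.com", "password123"))
```

The last function is the honest part of the picture: a breach of the server gives no passwords, but it does give an offline guessing target, which is why the master passphrase has to be strong and used nowhere else, as sac says above.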


To ask a similar question again...what about malware programs?   

Don't Malwarebytes and other services have password managers?   

Someone mentioned Mac OS has a password manager; does iOS also have one?

Which malware is recommended (for Apple products)?

TIA


I don't get why it's recommended to change passwords every few months. If you have a solid password what's to be gained by changing it?


unicorn33 said:
I don't get why it's recommended to change passwords every few months. If you have a solid password what's to be gained by changing it?

 One reason is that people reuse passwords. If I know your facebook password, I'll see if I can get into your Chase bank account with it. But companies sometimes take this too far. I think the policies that make you change your password very frequently are misguided and cause more problems than they solve.


@Apollo_T, I still don't use an anti-malware program on the Mac. And it's anti-malware. Mal means bad.

I don't think you can use keychain access (the Mac app) to fill in passwords on web sites, but I could be wrong. I use Lastpass on Mac, Windows, Linux, and iphone.


unicorn33 said:
I don't get why it's recommended to change passwords every few months. If you have a solid password what's to be gained by changing it?

 The most recent recommendation by the National Institute of Standards and Technology is not to force users to change passwords (unless there is a reason to believe a password has been compromised).  Unfortunately many companies have not yet caught up with this...


tpb said:


unicorn33 said:
I don't get why it's recommended to change passwords every few months. If you have a solid password what's to be gained by changing it?
 The most recent recommendation by the National Institute of Standards and Technology is not to force users to change passwords (unless there is a reason to believe a password has been compromised).  Unfortunately many companies have not yet caught up with this...

 Not even so recent. From a 2016 post:

Frequent Password Changes Is a Bad Security Idea

I've been saying for years that it's bad security advice, that it encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees:

By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on.

https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html

I've been saying that for over 15 years, when I, like others, was frustrated with required monthly password changes. We appended a "change" number to our passwords.

Stupidity seems to be endemic. Many got into "security" because of money, not brains. Which is why we had the serious Equifax breach even though Equifax was told months before about the Apache server security issue and the fix, the issue that allowed the breach. Equifax disregarded the warning. Target was also told about their breach which they also ignored.

It seems, we will be waiting awhile until all our security "professionals" are enlightened. If you're in an environment that requires frequent password changes then be assured that your IT lacks competency.

btw - after the Equifax breach, congress had hearings and postured that something needed to be done. They did. Congress immunized Equifax from being sued.

To those of you who have been breached:

Don't assume the breach affects you for a year or two or three. Your information is out there, for the rest of your lives.
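The churn patterns quoted above ("tarheels#1" becoming "tArheels#1", "tarheels#11" or "tarheels#2") and PVW's "mypass"/"mypass1" point earlier in the thread are exactly what a password-change policy can catch at the moment the user picks a new password. The following is an added example, not code from this thread or from any product: a Python check that normalizes the usual edits (case flips, digits or symbols appended or incremented at either end, leet substitutions) and rejects a candidate that is a near-duplicate of a previous password or appears in a breached-password list. The breached list is a constructed four-entry stand-in, stored as SHA-1 digests the way the Pwned Passwords service publishes them; the 8-character minimum follows NIST SP 800-63B.

```python
import hashlib
import re

# Constructed stand-in for a breached-credentials list; real lists hold billions of entries.
# Entries are SHA-1 hex digests, the form the Pwned Passwords service publishes them in.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "tarheels#1", "mypass")
}

# Common substitutions people use to "strengthen" a password without really changing it.
_DELEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s",
                         "1": "l", "!": "i", "|": "l", "7": "t"})
_EDGE_RUN = r"[\d!@#$%^&*?.+\-]+"  # a run of digits/symbols at the start or end


def _normalize(password: str) -> str:
    """Collapse the edits people make when forced to change a password: case flips,
    digits or symbols appended (or incremented) at either end, and leet substitutions."""
    core = password.lower()
    core = re.sub(_EDGE_RUN + r"$", "", core)
    core = re.sub(r"^" + _EDGE_RUN, "", core)
    return core.translate(_DELEET)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character tweaks inside the core."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the two passwords share the same core after normalization, or differ by
    a single character inside it."""
    a, b = _normalize(old), _normalize(new)
    return a == b or _edit_distance(a, b) <= 1


def check_new_password(candidate: str, previous: list) -> list:
    """Return the reasons a candidate should be rejected; an empty list means accept.
    Meant to run at change time, when the user has just supplied the current password,
    so the server never needs to keep old passwords in plaintext."""
    problems = []
    if len(candidate) < 8:  # NIST SP 800-63B minimum for user-chosen passwords
        problems.append("shorter than 8 characters")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach list")
    if any(is_trivial_variant(old, candidate) for old in previous):
        problems.append("trivial variation of a previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("tarheels#1", "tArheels#1"), ("tarheels#1", "tarheels#11"),
                     ("mypass", "mypass1"), ("password", "p@ssw0rd")]:
        print(f"{old!r} -> {new!r}: trivial variant = {is_trivial_variant(old, new)}")
    print(check_new_password("tarheels#2", ["tarheels#1"]))
    print(check_new_password("correct horse battery staple", ["tarheels#1"]))
```

The normalization is deliberately aggressive: anything that collapses to the same core is treated as the same password, which is the right call for a change policy, since the whole point of the quoted research is that these edits add nothing a guessing program cannot try in a handful of extra attempts.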


tpb said:


unicorn33 said:
I don't get why it's recommended to change passwords every few months. If you have a solid password what's to be gained by changing it?
 The most recent recommendation by the National Institute of Standards and Technology is not to force users to change passwords (unless there is a reason to believe a password has been compromised).  Unfortunately many companies have not yet caught up with this...

 That makes logical sense. Create a complex password, don't use it in more than one place, and then leave it alone unless compromised. 

(It's also worth mentioning here that you can now apply credit freezes for free. It can be a bit of a pain to apply them (or remove them) with each of the three credit agencies separately, but it's an effective way to protect against identity theft.)


BG9 said:
Stupidity seems to be endemic. Many got into "security" because of money, not brains. Which is why we had the serious Equifax breach even though Equifax was told months before about the Apache server security issue and the fix, the issue that allowed the breach. Equifax disregarded the warning. Target was also told about their breach which they also ignored.
It seems, we will be waiting awhile until all our security "professionals" are enlightened. If you're in an environment that requires frequent password changes then be assured that your IT lacks competency.

 This is not my experience. From my perspective, the problem is that security doesn't really align with business goals. I've been in lots and lots of product design meetings, and quite often the only time security comes up is if I (speaking as a software developer) bring it up. It's rarely top of mind for design or business folks.

And why would it be? Thinking about security makes things more complicated. Which means building and deploying the product is slower. And it often involves making the user experience at least slightly less convenient. All of which means, ultimately, a greater risk of being too late to market, or grabbing too small of a market share. If you're successful at getting a big enough slice of the pie then poor security is, quite frankly, not expensive enough to be an issue. FB is maybe -- maybe! -- starting to experience some consequences from their longstanding and outrageous indifference to privacy issues. Even assuming a best case scenario where they do an about face and actually give privacy and security a real priority, they've built themselves into their current behemoth stature on years of reprioritizing security. And this is at a company full of very smart engineers, many of whom personally are very committed to security and doing things right. It's all downhill from there, if you start looking at places that aren't "tech" companies.


Simply put -- don't expect companies to look out for your security. The economics of it don't work. Even in places that have both the interest and the ability to take security seriously, it's just never going to be top priority.


PVW said:


BG9 said:
Stupidity seems to be endemic. Many got into "security" because of money, not brains. Which is why we had the serious Equifax breach even though Equifax was told months before about the Apache server security issue and the fix, the issue that allowed the breach. Equifax disregarded the warning. Target was also told about their breach which they also ignored.
It seems, we will be waiting awhile until all our security "professionals" are enlightened. If you're in an environment that requires frequent password changes then be assured that your IT lacks competency.
 This is not my experience. From my perspective, the problem is that security doesn't really align with business goals. I've been in lots and lots of product design meetings, and quite often the only time security comes up is if I (speaking as a software developer) bring it up. It's rarely top of mind for design or business folks.

Actually, you said what I said. Business people don't know about IT security. Their concern is "minimize our liability by securing us." It's the security dummies who pushed the change passwords often mantra. Business followed as told that by their security "professionals."


BG9 said:

Actually, you said what I said. Business people don't know about IT security. Their concern is "minimize our liability by securing us." It's the security dummies who pushed the change passwords often mantra. Business followed as told that by their security "professionals."

I think I'm getting tripped up on what you mean by security "professionals." What I meant is that I've worked with plenty of actual security professionals -- ie software engineers/developers whose primary focus is security. They're smart, dedicated, know what they're talking about, and are by and large ancillary to the actual business operations of a given company.

OTOH, there are plenty of organizations and people who are more in the security "business," which I think is what you're talking about. They're selling a product, with "security" as the hook, but they're as far removed from security as a car salesman is removed from the actual building of a well-running car.


I think it would cost the economy less overall if security were done right, but maybe we have to see the big picture and see it as a mutual gain to motivate people to do the right thing. The right way is for security to be a high priority from the moment of conception of a product or service. Taping it on as an afterthought makes it much worse. This is why Microsoft stuff has failed so colossally many times over the years. Overall, their stuff is a lot more secure than before, but I believe they still tack it on as an outer layer of tape, at least too often.

Back to enforced changed passwords: It's conceivable that a password can be observed by watching a person type. The more times you type it, the more opportunity there has been for your keystrokes to be observed. But I agree with those who would say this is a relatively small risk. My phone credit card was once stolen this way.

