Ask HN: Password manager?
With the recent news about Heartbleed and the advice to change all passwords (which should be done periodically anyway), I figure it's time to look at the state of password manages again.
I've got a general set of requirements, but I'm also interested in what HN likes in general.
My general requirements are:
- MacOS/iOS/Linux support
- Cross-platform syncing, but not reliant on a specific service provider (e.g., WebDAV sync or folder sync is preferred over Dropbox sync)
- Encryption done locally - the syncing should really just send a blob of encrypted data.
- The usual browser integration, password generation, storage of metadata (password last changed, notes, etc) stuff.
So far 1Password with WiFi sync looks like the closest fit, but I'm curious to know what else is out there.
5 comments
[ 3.6 ms ] story [ 25.5 ms ] threadhttps://hn.algolia.com/?q=password+manager#!/story/forever/0...
In regards to Heartbleed, the Security Check that LastPass offers will help with that in terms of notifying you of the sites that you should change your passwords on since they were vulnerable to Heartbleed, but really all sites could be vulnerable to it, so I would recommend changing all your passwords fairly frequently over the next few months.
As long as the password is not contained within a list of commonly used words and isn't in the dictionary, length is the most important thing. The second most important thing I would say is using the widest variety of characters possible including lowercase letters, uppercase letters, numbers, and special characters.
You want to generate a secure password from a password generator such as GRC's Password Generator. I always generator my passwords to be 50+ characters but everything over 15+ characters will be fine.
Also, make sure you change your passwords every 3 months and don't share your password with anyone. Lastly, store your passwords securely using a password manager such as LastPass (https://lastpass.com/). You should have a strong master password with LastPass and use two factor authentication. You should also use two factor authentication with all of your other accounts that offer it.
If a site requires a secret question, make sure the answer to that question no one else would know or make it a password or phrase that you would remember. Don't reuse passwords on other things as well (only use the same password once).
Make sure when you are logging in that the site is using HTTPS (the browser addon HTTPS Everywhere can help with that) and you aren't logging in from a public network such as from Starbucks. Even if you are logging in from a private network, I recommend using a VPN that uses encryption such as proXPN. For your home or office network that you are logging in from make sure it is using WPA2 encryption, it has a random network name, a secure password, you have changed the default credentials for the network settings to something secure, you have disabled WPS, etc.
That is all I can think of right now in terms of password security, but those are the main things that you should focus on in terms of secure passwords.