Ask HN: How do you manage your passwords?
A while back someone posted a link to qwertycards.com, a (low security) product that promised an easy way to keep track of all of your passwords whilst staying secure.
This got me thinking about what I should use - after a year of using Lastpass to store "super secure" passwords and then logging in repeatedly to it, i'm starting to get fed up.
What do you all use? Do you spend a lot of time memorising them? Do you use medium security passwords that are easier to remember? Do you use Lastpass/ 1Password/ another service? If so what do you recommend?
91 comments
[ 3.4 ms ] story [ 146 ms ] threadHow often do you have to log into it? Is it specific to a device?
I'd skip lunch for a day to pay for it.
It works well enough to have convinced me to buy Premium on my personal account.
I haven't tried this for a long time, but the last time someone shared a password with me through LastPass, I was able to easily grab the plaintext just by watching the network traffic with dev tools. So this feature seems questionable to me.
I do have Google Authenticator tied to it, so logging in once a day is a little annoying, but overall it is a good experience.
I have the phone app (LastPass Premium) and while it is fine, it is a little buggy/annoying/meh. I haven't decided if I'm going to renew or not. I don't really blame the company for the limitations, they're trying to work around heavy app sandboxing, but after it all the user experience remains subpar.
Overall I would recommend it. In particular if you use Google Authenticator with it and a very solid master password.
Initially the $50 was painful, but I've since happily paid for all the upgrades and for family members license' too - encouraging good password hygiene!
1password is great. On OSX, I have one long, nice password and on iOS I can use Touch ID to open it (typing in that password on an iPhone was a pain). It syncs across devices over wifi, Dropbox, or iCloud.
There are versions for Windows and Android as well. I've used the Windows version a little bit and it's pretty much the same.
1password is vulnerable to hackers because they rely on third party storage via dropbox. I wouldn't trust my sensitive info with them.
Second, the data stored in dropbox is encrypted by a key that only you have. Dropbox has no way to see what is inside that bundle without your long password.
I use a key file and a passphrase to secure my keepass database. The database is stored on dropbox, the keyfile is stored elsewhere.
I use a sometimes-synced copy of the database on KeePassDroid on my Android phone. Actually, the user experience of KeePassDroid can only be described as vile, but that it works at all (allowing me to have all of my passwords securely available on my person) is awesome enough.
I got to think of another way!
The only legitimate security gripe I've ever read about LastPass (and people have focused its security a LOT) is that a bad guy can modify the JavaScript utilised by the extension if they took control of LastPass's servers, and have your plain text master password sent to a third party (assuming no cross-site protections).
The actual password database is fairly secure. As is the login process (which can further be strengthened with 2F and various options in the account settings).
But in retrospect I don't know if this makes any real difference from something like keepass. My encrypted file is transferred over some secure socket, so an attacker can at least a copy of the encrypted file if they either hack the cloud storage provider or somehow hijack my connection.
It's not exactly super portable but for sites I care about, I wouldn't log onto them on untrusted computers anyway.
I use a chrome extension and an android app most of the time, and the "mobile" browser version when neither of those are handy.
I like the fact that nothing is ever stored anywhere. Feels clean.
And it has plugins for FF and Chrome for auto entry on websites (Win only so far).
What I often use and enjoy a lot is it's import and export functionality. For example if I want to add URLs to get auto completion working and I want to do that in batch, I export a CSV, edit this in LibreOffice and import it back into Keepass.
( It would be cool if something like Keepass could be built around smartcards or these new-fangled U2F dongles... I've be come quite a convert to the smartcard approach after setting up my yubikey to work as an OpenPGP smartcard )
It's fantastic, free, simple and works across multiple platforms.
I also set up a simple web front-end for it, so I can use it from my phone: https://pw.mkn.io/
For password security, I have different levels of passwords, for less important service, will just use less secure password and will not store in security DB.
alias getpass='_getpass() { _g=$(printf "sauce%s" "${*}" | md5sum | openssl enc -base64 | cut -c1-16); printf "%s" "${_g}"|xclip -selection clipboard 2>/dev/null|| printf "%s\\n" "${_g}"; }; _getpass'
like this:
$ getpass mail@domain.lts
$ getpass user@domain.lts #for ssh logins
[1 letter after domain][c is 3rd letter of alphabet][numeric letter representation][last 4 SSN][pseudo counter] It might not be as high tech as software, but I think it offers a reasonable security / ease of use combo.
Note: This is nowhere near my algorithm and tokens have been made up for the purposes of this example.
Repeatedly? Only at my work do I ever have to retype my password. My home is logged in and my phone has a pin.
What repeatedly is driving you away?
PS Lastpass is best in class for me
EDIT: I never memorize my passwords for sites. After having friends who were penetration testers I never do anything half-way secure. I actually can't wait till I have some kind of rfid of some sort to access lastpass.
Currently still using DropBox to sync the password file and backups, but will switch soon to ownCloud with my own server.
The Firefox password manager contains copies of many of the passwords, but I don't sync those between machines.