Ask HN: How do you manage your passwords?

43 points by pft ↗ HN
A while back someone posted a link to qwertycards.com, a (low security) product that promised an easy way to keep track of all of your passwords whilst staying secure.

This got me thinking about what I should use - after a year of using Lastpass to store "super secure" passwords and then logging in repeatedly to it, i'm starting to get fed up.

What do you all use? Do you spend a lot of time memorising them? Do you use medium security passwords that are easier to remember? Do you use Lastpass/ 1Password/ another service? If so what do you recommend?

91 comments

[ 3.4 ms ] story [ 146 ms ] thread
I use lastpass. Never tried any other password manager. I don't mind logging into it. On my phone I can swipe my thumb. The only thing I don't like is having to type out the long random passwords on non-physical-keyboards - like setting up a roku to connect to amazon play and spending an extra 15 clicks switching case/keyboard.

How often do you have to log into it? Is it specific to a device?

I'm guessing you use Lastpass premium if you use it on your phone? I use lastpass on all my devices. I like the phone app but I got premium for free for one year and it's about to run out. Looking for a free alternative.
It's only $12 a year for the premium service. Do you feel you're not getting at least $12 value for the ability to have a reliable, secure password manager that is actively supported?

I'd skip lunch for a day to pay for it.

+1 for lastpass. On it for now 4 years, they've gotten more aggressive on development as the market grew but still simple as the first time I've used it.
I started using Lastpass when I switched jobs and the company I moved to used it. The ability to share logins with people/groups without actually exposing the password is wonderful in the corporate setting, as it makes revoking a group of passwords (think company-level social media accounts) simple and worryfree.

It works well enough to have convinced me to buy Premium on my personal account.

> the ability to share logins with people/groups without actually exposing the password is wonderful in the corporate setting

I haven't tried this for a long time, but the last time someone shared a password with me through LastPass, I was able to easily grab the plaintext just by watching the network traffic with dev tools. So this feature seems questionable to me.

IMO, if you're "sharing" a password it should be visible to the sharee. Then, if you revoke it just change it - last pass knows how to make passwords
Another vote for Lastpass. Truly cross platform as it works on Linux as well. And the price is much less then 1password.
I like that I can open up an incognito window in Chrome at work, login to LastPass, have access to many things, then when the window closes, I log out, or shut the machine down then I am logged out.

I do have Google Authenticator tied to it, so logging in once a day is a little annoying, but overall it is a good experience.

I have the phone app (LastPass Premium) and while it is fine, it is a little buggy/annoying/meh. I haven't decided if I'm going to renew or not. I don't really blame the company for the limitations, they're trying to work around heavy app sandboxing, but after it all the user experience remains subpar.

Overall I would recommend it. In particular if you use Google Authenticator with it and a very solid master password.

1password - its expensive, but i am very happy with it...
I use a combination of the free tier of 1password on the phone and iCloud Keychain for Safari on everything. The canonical password is in iCloud, but if it's a random/nonstandard password I also put it into 1password (often by hand) since (a) TouchID makes 1password infinitely easier to unlock and (b) it's easier to browse/view saved passwords in 1password versus opening Settings then Safari then... you get the idea.
I use and recommend 1Password.
1password on iOS/OSX. There was a big discount on both a while back and I jumped on it. Even today, I'd consider paying for it. I've tried all the open source options, none of them worked nearly as well as 1pwd.
Hands down the best fifty bucks I've ever spent.
Used to use PasswordBox but then switched to 1Password - I'm much happier. Unlike my experience with PasswordBox, I can keep my data on my cloud and can export any/all my passwords. However, my 1password trial has expired and I rather not pay $50.
1password on iOS/OSX + on windows at work. It's got a great feature here you can have different 'vaults' for different sets of passwords - I have one personal, one for work and one for home utilities that I can share with the family.

Initially the $50 was painful, but I've since happily paid for all the upgrades and for family members license' too - encouraging good password hygiene!

https://agilebits.com/onepassword

1password is great. On OSX, I have one long, nice password and on iOS I can use Touch ID to open it (typing in that password on an iPhone was a pain). It syncs across devices over wifi, Dropbox, or iCloud.

There are versions for Windows and Android as well. I've used the Windows version a little bit and it's pretty much the same.

http://www.theregister.co.uk/2015/03/11/dropbox_sdk_flaw_lef...

1password is vulnerable to hackers because they rely on third party storage via dropbox. I wouldn't trust my sensitive info with them.

What? I thought the encryption was the whole point of a password manager…
First, you are not required to use dropbox with 1Password.

Second, the data stored in dropbox is encrypted by a key that only you have. Dropbox has no way to see what is inside that bundle without your long password.

PasswordSafe (http://passwordsafe.sourceforge.net/) for password storage + encryption. I sync the .psafe3 file using Bittorrent Sync (Windows, Linux, Mac, Android and iOS clients). Works really well and I own my data.
keepass. I don't trust a service to store my passwords.

I use a key file and a passphrase to secure my keepass database. The database is stored on dropbox, the keyfile is stored elsewhere.

Same here. KeePass2 on Linux, KeePassX on OSX, and KeePassDroid.
I prefer MacPass over KeePassX, because it support Keepass2 files by default - KeePassX only does in the non-stable version. That's the only annoyance with Keepass: it has two non-compatible file types and you need to stick with one (and hence the supporting software).
I've had a _great_ experience using KeePassX on both Windows and Linux.

I use a sometimes-synced copy of the database on KeePassDroid on my Android phone. Actually, the user experience of KeePassDroid can only be described as vile, but that it works at all (allowing me to have all of my passwords securely available on my person) is awesome enough.

I use KeyPass and sync it using BitTorrent sync on all my devices. The problem with my current setup is that I carry the keyfile along with the database which useless.

I got to think of another way!

Carry the key file around on a USB drive, perhaps?
I keep my keyfile in another BitTorrent Sync folder, along with all my other dotfiles. At least they're in two different places then!
This is very close to how LastPass works under the hood. You're storing an encrypted database on their service (just like DropBox in your case). They don't actually store your original master password.

The only legitimate security gripe I've ever read about LastPass (and people have focused its security a LOT) is that a bad guy can modify the JavaScript utilised by the extension if they took control of LastPass's servers, and have your plain text master password sent to a third party (assuming no cross-site protections).

The actual password database is fairly secure. As is the login process (which can further be strengthened with 2F and various options in the account settings).

I don't particularly favor putting all my passwords in an online password manager. So I have some JavaFX gui I made that encrypts a password file (passphrase => PKDF => AES). In total it's like 200 lines of code - GUI, storing pass, generating pass, and rotating master password. The encrypted file I keep synced in my cloud storage.

But in retrospect I don't know if this makes any real difference from something like keepass. My encrypted file is transferred over some secure socket, so an attacker can at least a copy of the encrypted file if they either hack the cloud storage provider or somehow hijack my connection.

It's not exactly super portable but for sites I care about, I wouldn't log onto them on untrusted computers anyway.

http://supergenpass.com/

I use a chrome extension and an android app most of the time, and the "mobile" browser version when neither of those are handy.

I like the fact that nothing is ever stored anywhere. Feels clean.

Keepass (Win/Linux) and MacPass (Mac). Certainly not as polished as 1password, but it's Open Source and cross platform.

And it has plugins for FF and Chrome for auto entry on websites (Win only so far).

What I often use and enjoy a lot is it's import and export functionality. For example if I want to add URLs to get auto completion working and I want to do that in batch, I export a CSV, edit this in LibreOffice and import it back into Keepass.

The Achilles heel for Keepass for me (and what ultimately sent me to LastPass) was that there wasn't any way to use it on a Chromebook conveniently (yes, there's crouton, but I don't find that acceptable).

( It would be cool if something like Keepass could be built around smartcards or these new-fangled U2F dongles... I've be come quite a convert to the smartcard approach after setting up my yubikey to work as an OpenPGP smartcard )

I use lastpass because it's been mentioned. It's been almost 2 years now and I like it. It's pretty cheap and works on mobile, pretty convenient. I haven't tried anything else.
I feel like I go against the grain, I use OS X Keychain.
KeepassX is a good option.
I use KeePass (and KeyPassx on Mac OS), and use network drive to store the DB files.

For password security, I have different levels of passwords, for less important service, will just use less secure password and will not store in security DB.

A Little Black Book and a Pencil.
I use a shell alias:

alias getpass='_getpass() { _g=$(printf "sauce%s" "${*}" | md5sum | openssl enc -base64 | cut -c1-16); printf "%s" "${_g}"|xclip -selection clipboard 2>/dev/null|| printf "%s\\n" "${_g}"; }; _getpass'

like this:

$ getpass mail@domain.lts

$ getpass user@domain.lts #for ssh logins

Seems like that would be pretty annoying for passwords that must be changed periodically (or even just occasionally).
yep, it doesn't allow changing passwords because of its fixed nature. I use it for my personal needs
Easy enough to include a version number as another arg with the identifier, and include that in the hash. Then all you have to do is keep track of what version each of your passwords is on, which is not sensitive information and could be stored in greppable plaintext.
1Password on all the platforms I use (OSX, iOS, and Windows). Great looking UI and an abundance of features. Great support.
Plain text file encrypted with Vim's Blowfish encryption
I use an internal (in my head) algorithm that bases (in part) on the domain name of the site I log into. For example, ycombinator.com could be z4O9999asdf Which represents

[1 letter after domain][c is 3rd letter of alphabet][numeric letter representation][last 4 SSN][pseudo counter] It might not be as high tech as software, but I think it offers a reasonable security / ease of use combo.

Note: This is nowhere near my algorithm and tokens have been made up for the purposes of this example.

> logging in repeatedly

Repeatedly? Only at my work do I ever have to retype my password. My home is logged in and my phone has a pin.

What repeatedly is driving you away?

PS Lastpass is best in class for me

EDIT: I never memorize my passwords for sites. After having friends who were penetration testers I never do anything half-way secure. I actually can't wait till I have some kind of rfid of some sort to access lastpass.

I use a qwertycard, I don't see it as being 'low security', but obviously not as convenient as the software password managers out there.
PasswordSafe (on Windows, Android, and under Wine on Mac), because I want to own my data and not be forced or pressured to use some cloud service. Also, PasswordSafe was the most secure according to some tests.

Currently still using DropBox to sync the password file and backups, but will switch soon to ownCloud with my own server.

The Firefox password manager contains copies of many of the passwords, but I don't sync those between machines.