CHOICE membership

Password managers - recommendations?


#1

I have a long list of life admin projects for the easter break (such fun!), and one is to install a password manager. The CHOICE website has a great review article that says it was updated March 2018, but when you click through to the individual reviews, many have not been reviewed in 2016. Top rated is Norton - just wondering if this is still likely to be the case? I hear LastPass mentioned a lot more than Norton…


Cryptocurrency email extortion scams
#2

I use Lastpass - it works ‘well enough’ for me and the way I use it. Passwords in the cloud are a much juicier target for ‘bad guys’, but of course much more convenient for the user and the perceived security of any particular service is only as good as tomorrows exploit/compromise - some are better/more robust than others but there is nothing that can’t be broken sooner or later.

I do NOT store my important passwords in any password manager - this includes my online banking, my admin gmail access, paypal, ebay - if it can cost you money, keep it in your head. A password manager is where I store passwords for forums, online shopping sites (never save payment details), etc.


#3

Thanks, interesting thought about not putting all the passwords in there. I was imagining that it was more important to have a secure system for those passwords that could cost you money…


#4

I’m not saying I do this :slight_smile:

  • a sealed envelope at home hidden in a location only you know with only the passwords/codes you need, written down with no reference points. You’d typically remember your bank password was ‘something like’ one of them, you just cant remember the specific.

  • a sealed envelope with a trusted person with more specific details that might be useful for example in the event you are ‘no longer around’ (or if the above envelope is missing or nobody has access). You might prefer to have someone open that 5 tonne safe in the spare room with the right combination than with 25 hours of expensive drilling, cutting and trying to dodge re-lockers … This person might be your executor, lawyer, or even ‘your mum’ …

In the first instance its about having something to fall back on if you forget, but I feel it is worth considering what would happen to all your online stuff and secure stuff at home if you were hit by a bus and some poor soul had to work it all out …


#5

Dashlane is also worth having a look at. I have also tried Last Pass which had a couple of breaches awhile ago.
Dashlane has a couple of interesting options that you can setup a trusted person to access your account if something happens to you in an emergency. It also has a Secure section for a digital wallet but I think other password managers have this option as well now.

I also keep a copy of all my passwords on a memory stick as a backup just in case something goes wrong.


#6

My brother was a case study. All his passwords were in Lastpass and nobody had the Lastpass pass. There was an encrypted backup of the passwords that we could open, but the passwords there had not been updated for years. Since we knew the accounts the reset password options were all that saved the day, short of court-issued instructions. If we did not have access to his email and mobile it would have been quite ugly.


#7

We use Norton and have found it good…and is free.

More recent versions have also been more user friendly.

I am not sure about others, but Norton’s password vault (Norton Identity Safe password manager) can be used across various platforms such as Windows, Apple iOS, Android and using Firefox, Chrome, Internet Explorer, and Safari browsers. And password are synchronised across all operating platforms.

FAQs on the Norton Identity Safe can be found here.


#8

I think you need one of their security products to create an online safe. The standalone version of Norton Identity Safe (2014) hasn’t been available since mid 2017 from what I could see …


#9

There are several decent password managers out there. Most will help you auto logon to sites and generate secure passwords for the various sites.

Lastpass stores your data online so you can share your database over many devices eg PC, Mac and Smartphone. The stored database is encrypted. It has a free and paid version. I use the paid version.
Address is:
https://www.lastpass.com/

Keepass is an open source password manager. It stores both the program & the data is in a encrypted database on your local machine or your storage device eg USB stick. Using the program via a USB stick means it is portable and does not need to be installed on any computer. It is available for a number of operating systems as well as Microsoft Windows eg iOS, and Android. If you want to use it on multiple devices just copy the database to the various devices or as above keep it on a USB stick or similar external device. Keepass is free
Address is:
https://keepass.info/

Abine also have a password manager as part of the free part of their Blur suite. Again it is stored in the Cloud and is encrypted. Has both a free and paid version (I use the free version for the unlimited masked/disposable emails)
Address is:

Roboform is another commercial offering like Lastpass & Blur. It has a basic free version and a paid version.
Address is:
https://www.roboform.com/

Sticky Password is another commercial offering with both a free and paid version.
Address is:

Dashlane is again a free and paid commercial offering that has Cloud Backup/storage.
Address is:

All the above are Cross Platform and multi browser usable, most also have Cloud storage of your database.

There are also a few highly rated only paid for password programs such as 1Password & Keeper Password Manager.


#10

It is still free and available as a stand alone product.

https://play.google.com/store/apps/details?id=com.symantec.mobile.idsafe

https://identitysafe.norton.com

I looked into others a few years ago and while others look good, I found my decision based in trust…either trust an established known company or a relatively new upstart. With password management, one heeds to ensure trust because if a wrong decision made, your passwords could be exploited.


#11

I’m not normal, in that I have no trouble remembering scads of username/ password combos, but still I think the best is absolutely remember and key it every time, your primary email login (and make it a good password you use on no other service). Then for every other service, if you forget your password just trigger it to reset it, sending to your secure mailbox above.

Personally I use a unique password and unique username for every service I use (likely over a hundred by now). Easy enough with a Google Apps (paid) or similar mailbox.


#12

Check out Roboform. I use it to save literally hundreds of unique passwords that can be shared across your secure computers. You can also save other details. I’ve used it for several years now, and it’s never failed me.


#13

Hope this isn’t too late to be useful, but I have been using Lastpass for about 3 years now, for everything except $-critical sites, and it works great for me. I don’t recall all the details but before setting myself up with lastpass I did a fair bit of research into password managers in general and lastpass in particular, and eventually concluded that lastpass is very secure (which was my primary concern) - as far as I recall my passwords are never stored online - only in encrypted form on my computers. I also use 2 factor authentication (yubikey) to get into Lastpass (which I only use on my desktop or laptop pcs). I think I pay $12pa for it, and I’m happy with that.


#14

Thanks everyone for the very helpful pointers. Key things I have taken away - a few of you gave me pause to rethink the assumption that I’d put all passwords into a password manager (I had been assuming that this was the purpose); plus a great reminder of the need to have some other list that doesn’t rely on being able to get into the password manager (my other life admin task for the break was to make the list of everything for safekeeping).

Am giving Lastpass a whirl

Hope everyone has had a good easter


#15

Relevant for the topic, and in general.


#16

yes! I am preparing my bucket file! Hadn’t read this particular article, but have been worried that if I was hit by a bus, no easy way for anyone to deal with my financials etc


#17

it would be great if there was a template or checklist out there for a bucket file…


#18

Just think of all the things you can never remember, and that’s what they will need :wink:

Some things one might consider:

  • A will - with a very specific clause saying who has access to your ‘private stuff’ online/etc - eg executor … or not … You might want to consider this in conjunction with a power of attorney document taking into account any advanced care directives (living will) you might have in place. Your death might not be the trigger …

  • Think very carefully about anything you specifically don’t want anyone to find … don’t leave ‘keys’ lying around for that stuff …

  • Make sure your primary recovery mechanisms are well documented and secure but in a way available to the person you have entrusted - access to your phone (primary pin for sms/etc to validate account resets etc, and any secondary phone pins for apps/etc), any email account you use for recovery, and all those secret questions and answers used to validate who you are if you lose your access. Think in the same way for keys (house, PO Box, secure containers) and for safe combinations, especially if you have something ex-defence class a or b, or money/jewellery/bullion rated in some way, etc they can be very messy to get into, which of course is the whole idea. (this may be where your backups are stored for example).

  • The password(s) to your password manager or the (secure) location of your physical list or usernames/passwords.

  • Remember to update the relevant items with any changes … remember also to regularly test access to any secondary accounts you use rarely or only for recovery …

The profile is different for everyone …

There are various online services that offer ‘what next when I die’ type services … think I prefer dealing with it myself.

My position is that I want the executor of my will to have full access without the need to go formally begging to organisations … this may not suit everyone.


#19

It is also worth doing an internet search on the ones which may interest you.

Check/search to see who owns the software (and whether they are reputable/known entity and trustworthy), whether they have had any security issues in the past, if there have been any past security breaches, whether password accounts set up have been available (there are some password managers where the software owner has suspended or deleted accounts for no particular reason - which is a really big problem as this defeats the purpose of a password manager) and whether their are costs (annual subscriptions for premium versions as you may find that the ‘lite’ version may not be enough in the long term) and also whether the password manager works across multiple platforms and can readily be transferred to new devices.


#20

ANYPASSWORD PRO
This is an oldie and I have used it for the last ten years.
Appears not to be supported any more so I want to migrate to another one.

Does anyone know if I can migrate my data to a new password manager?
It will export to CSV.
Will any of the discussed password managers import CSV?
Thanks