Password manager?

Do you use and recommend a password manager?

  • Yes - I recommend them to my clients
    Votes: 22 (78.6%)
  • No! - I don't trust, recommend or use them.
    Votes: 6 (21.4%)

  Total voters: 28

Diggs
I'm on the fence on this one. I'd like to hear some informed discussion. I don't use one but I'm not sure what to tell my clients.
 
I don't trust them, especially cloud based. It's the nature of the beast that cloud based systems fail in an all-or-nothing mode. Meaning when there's a breach it's not just a handful of records. It's an entire container, many of them depending on how the system is designed. So it's pen and paper for most customers.
 
I also do not use one, although both of my techs do. I have installed Dashlane for a few commercial customers and they seem to like it - but they are the ones that came to me looking for a suggestion.
 
We use and recommend LastPass. Typically the data is encrypted. Someone may get a bunch of hashed passwords, but typically that isn't very useful.

I look at it the same as having any other cloud based app like Quickbooks, EMR\EHR, legal case management software, etc. If you trust all of your data there then it's not much different than having encrypted passwords stored as well. I would think it would be easier to walk up to a desk and grab a list of passwords than to break the encryption on a password manager.
 
I use and recommend BitWarden. Opensource, self hosting for free if you want, or inexpensive cloud hosting with an easy export for emergency use. Shared repos are possible, two factor built in with multiple vendors... honestly not sure how I lived without it. I never have to think about passwords anymore, I just use the app / plugin and move on.

P.S. Don't lose your vault password, because it's the encryption key... if you lose it, the vault is GONE; there is no recovery.
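An added illustration (constructed here, not Bitwarden's or any other product's code) of the two points raised so far: the master password is stretched into an encryption key that never leaves the client plus a separate auth value that the server stores hashed, so a leak of the server's hashes yields no vault key, and losing the password leaves nothing to recover. HMAC in counter mode stands in for AES-GCM because the standard library has no AEAD, and the iteration counts are placeholders.

```python
import hashlib
import hmac
import os

# Constructed demo of the "zero-knowledge" split most vault products use:
# one master password yields an encryption key that stays on the client and a
# separate authentication value that is the only thing the server is shown.
PBKDF2_ROUNDS = 100_000   # assumption for the demo; real products use far more

def derive_keys(master_password: str, email: str) -> dict:
    """Stretch the master password (email as salt) and split it into three subkeys."""
    mkey = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ROUNDS)
    return {label: hmac.new(mkey, label.encode(), "sha256").digest()
            for label in ("enc", "mac", "auth")}

def server_record(auth: bytes) -> bytes:
    """What the service stores: a salted, re-hashed copy of the auth value only."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", auth, salt, 10_000)

def server_check(record: bytes, auth: bytes) -> bool:
    """Login check on the server side; knowing this record does not give the enc key."""
    salt, stored = record[:16], record[16:]
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", auth, salt, 10_000))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode stands in for AES-GCM, which the standard library lacks.
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest())
        ctr += 1
    return b"".join(blocks)[:length]

def seal_vault(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the vault client-side; the server only ever sees this blob."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, "sha256").digest()
    return nonce + ct + tag

def open_vault(keys: dict, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong master password simply cannot open it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys["mac"], nonce + ct, "sha256").digest()):
        raise ValueError("wrong master password or tampered vault: no recovery path")
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct))))
```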
 
I never trusted a password manager. If it's all stored in one place then it's a gold mine for bad guys, right? Or the authors of the program have a backdoor. Then I listened to Steve Gibson talk about LastPass on his Security Now podcast. If you don't know, Steve is ultra-paranoid and very smart. He was always the last to implement anything new. I think he was still using Windows 2000 in 2009 because he wasn't comfortable with XP's security.

Anyway, he thoroughly evaluated LastPass, talked to the developers, etc. Then he started putting his whole life in it. I figured if it's safe for Steve it's safe for me.

https://twit.tv/shows/security-now/episodes/256

The current integration in iOS is awesome these days. My passwords are safe and available EASILY on any device I'm on. Especially on my iPhone with Face ID. Love it.
 
I am a huge fan of Dashlane. Have used it for years and it uses very strong encryption. And, if you forget your master password, they don't have it and cannot retrieve it for you. I recommend it to everyone...and it has some additional features that make it more than worth the money. Emergency contacts (access for relatives if you get hit by a bus), autofilling forms (this has saved me probably ages of typing), encrypted notes, password breach notifications...and much less clunky than LastPass in my opinion.
 
I looked and looked and looked...read TONS of reviews. Out of the popular ones....I narrowed down to Dashlane.
Ran on the base/free one for around 6 months just kinda testing it....was about to pull the trigger on the full package, and then we had a similar thread here where I saw SkyKnight post about BitWarden. Read up on that a bit, went and tried it, ...and uninstalled Dashlane and cancelled my account.

Being open source, it's constantly scrutinized and improved by more eyes than a closed proprietary system. And I just don't feel like getting roped into yet another recurring cost that'll just increase and increase.
 
@YeOldeStonecat, BitWarden was recommended to me by a friend of mine that works at NASA's Cleveland facility. It's used by NASA internally.

And I figured, if it's good enough for NASA, it's good enough for me! :D But I still dragged my feet for darned near two years. The product has evolved tremendously in that time; even in the last six months we've seen huge improvements.

But yes, if you're going to use it in the cloud put a good password on it that is never used anywhere else. Enable two factor... I've got mine attached to Duo, for free, via the generic TOTP stuff. I bought a "family" organization in the cloud $11 / year, I have an account with access, my wife has an account with access, neither account cost me a thing. We both have access to all our stuff in that one huge vault. Access is again two factor limited, and logged. So if someone gets in there, yeah I'm screwed but it's as strong as I know how to make it.

My NASA buddy just self hosts the thing at home, so his mobile devices sync in changes when he's there, and it's simply not on the Internet. That's probably best, but for $11 / year, I was lazy.
 
I still have it in their free hosted service...syncing across 3 computers fine. Granted...even more secure if you "host it" yourself...but hey, they work hard at keeping it secure. I'll pony up the whopping 10 bucks a year...worth it.
 
How does BitWarden compare to LastPass in terms of ease of use? What about their iOS app and integration?
 
I used LastPass for years and consider the technology to be the best. HOWEVER, last year on a road trip I was unable to access my password stack. Some weird problem with my account and the server that would not consistently connect. I was able to access my account in offline mode, but I had to put my phone on airplane mode to gain access. I never could get a fast response from tech support, and I had a paid account, so I ended up going to Dashlane for now. I am thinking of going back as I find Dashlane to be a tad buggy, but nothing serious. No matter what program you use, make sure you keep a local exported backup.
 
How does BitWarden compare to LastPass in terms of ease of use? What about their iOS app and integration?

Honestly I can't compare. The Chrome and Firefox plugins just work: I click on a button, get a login prompt, 2nd factor if the device isn't trusted, then the vault is opened with the logins for that particular page, I click the one I want, it fills in the page and I move on.

Now on my Android device, things are a ton less convenient. No plugin for the browser or apps, so there's an app I open, same dance to login and 2 factor if untrusted, then I touch the login I want, touch the copy button next to the password and press and hold to paste the password. Same process for the login too if I want, but most things I remember the usernames for. Self hosted or paid versions of Bitwarden also support TOTP based secret tracking for 2nd factor, so the code I need to login is right next to the password. The password generator stores a history of generated passwords so if I forget to save one I can get it back, and there's a log of historical passwords per login to deal with improper changes.

The darned thing just works for me, and it's saved me so much time. I don't have to obsess over passwords anymore; I just use the app, it makes them for me, and I remember the one password I need to get into the vault. Again, it's two factored, so I protect that password and rotate it regularly.
 
Thanks for the mention of BitWarden. Never heard of it, and it addresses one of my biggest concerns with Cloud systems. Not that they're Cloud based, but that they're a large attack surface with the risk that comes with that level of exposure. That's why I like self-hosting: much smaller attack surface. So I'll be giving that option a spin.
 