Please recommend a good Password Manager

[CRussel]

I'll second the recommendation for RoboForm. I use their Cloud version, since it lets me use it on all my computers without having to maintain separate databases on each version. PM me if you want a referral discount.

[Penforhire]

+1 for 1Password, especially after their last major revision.

[Teknikal]

Put me down as an msecure user I like how I can update my passwords on any device and it syncs to the rest of them using dropbox also lets you do things like send encrypted backups to gmail etc.

Expensive yes but I'm not taking chances with a small developer I can't be sure is truely trustworthy when it comes to passwords.

[SusanM]

1Password

[frahse]

Quote:

Originally Posted by HarryT

There are lots of tools around for cracking Excel passwords. Do a Google search!

I thought the higher level password protections on Word and Excel were pretty good. Or is that outdated info?

[jgaiser]

Quote:

Originally Posted by frahse

I thought the higher level password protections on Word and Excel were pretty good. Or is that outdated info?

A quick google search brings up a lot of hits for cracking microsoft passwords. I, personally, wouldn't trust a microsoft password with anything important. Before I started using LastPass, I used a GPG encryped text file for my most important and ususally the most complicated passwords.

[Katsunami]

Quote:

Originally Posted by Loosheesh

I'm looking for a secure and simple-to-access password manager; I would appreciate some recommendations, please.

On Windows, nothing beats Keepass for me.

It has an Android-port that can use the same database (and can now experimentally write new passwords into it as well). There is also a Linux- and OSX port called KeepassX, but it seems to be out of development, or is developed very slowly. Lastly, Keepass for Windows was reported to run correctly (but with an ugly GUI) using Mono for Linux or OSX.

[gridlewak]

Been a KeePass fan for a while now.

[whitearrow]

I use Lastpass. I also still use eWallet (an offline application that offers sync to my Android phone) as a backup.

[ApK]

I use STRIP. It's gotten good security reports over the years, and we've gotten very good support when needed.

Secure DB file can sync to multiple devices via Dropbox if desired.

ApK

[5thWiggle]

[Rhialto]

You could try Password Agent:
Free in the Lite version.

http://www.moonsoftware.com/pwagent.asp

• Fast, compact and easy to use program with a familiar interface that's similar to Windows Explorer
• AES-encrypted data files, accessible only with the master password that you choose.
• Store all kinds of textual information you need to keep track of and find quickly -- from passwords and web logins to credit card and passport numbers; from software activation codes to serial numbers and purchase dates of your home electronics -- or any other information you want to write down and keep easily accessible in one secure place.
• The program can work directly from a removable disk or USB flash disk, so no additional installation is needed to use it on other computers. Password Agent even includes the TakeWithMe Wizard which makes it really easy to copy the program, along with your data, to your removable device for easy transport.
• Create your own custom groups/subgroups to organize your entries for quicker, easier access.
• Each account entry consists of Title, UserID, Password, Link, Note, Date Added, Date Modified, Date Expire and Old Password fields. You can also make Note entries that do not have UserID or Password fields. All text fields allow a virtually unlimited length of text, so you can store long memos in the Note field.
• Automatically fill login prompts with required data (each entry is customizable by template).
• Includes a password generator that generates non-guessable passwords.
• Powerful QuickSearch function that allows you to easily display only entries that match a query across all groups.
• Print a hard copy of your database.
• Export your database to HTML (grouped or columnar), XML or CSV. Import entries from other password database programs in CSV format.
• Sort by any column in ascending or descending order, plus you can custom configure which columns are displayed and rearrange their order.
• View/hide sensitive information switch, plus you can configure yourself which data fields you consider sensitive.
• Strong, U.S. government approved AES/Rijndael encryption (256-bit key).
• A password database file that contains 100 entries can be under 10 kilobytes in size! That means small, fast and efficient files.
• Easy to understand, printable User's Manual in PDF format as well as online help.
• Multiple automatic backup files in the local system plus an option to make copies to another location.
• Plus much more...

[JoeD]

Quote:

Originally Posted by Teknikal

Put me down as an msecure user I like how I can update my passwords on any device and it syncs to the rest of them using dropbox also lets you do things like send encrypted backups to gmail etc.

Expensive yes but I'm not taking chances with a small developer I can't be sure is truely trustworthy when it comes to passwords.

If you want trustworthiness, PasswordSafe is your best option. Originally written by an expert in the field of Cryptography. Also open source so others in the field can examine and verify whether anything has been overlooked.

A lot of mobile apps* of a closed source nature were recently found to either be doing no encryption, trivially bypassed encryption (simple xor or storing the master key with the data encrypted with a known/static password) or using appropriate encryption (AES etc) but applying it in flawed ways i.e without password strengthening.

With a closed source app, there's no way to know if that's the case unless someone attempts to reverse engineer it or otherwise puts in a lot of effort. With cryptography, trusting the developer alone is not sufficient. Even a knowledgable developer can overlook an issue that becomes a critical flaw in the safety of the application. Others in the field need to have the opportunity to look over their implementation to offer some degree of validation.

As an example, consider how SplashID present themselves and their password safe app. They're apparently a trust worthy developer, they've made numerous apps their customers have happily used for years. Now read how flawed their implementation is in the above linked pdf and consider that had that been an open source app, the flaws would likely have been found and people could recommend against using, or patch/fixed the issue if possible. With closed source, people have been using that software for years unaware of the flaws and they only came to light through a concerted effort to analyse various closed source apps.

Maybe SplashID have since fixed that issue, maybe they haven't. As a closed source app there's no way to verify. Even re-running the reverse engineering test wouldn't help, they may have just adjusted how/where they store it in an equally flawed way that "appears" to fix the issue. You'd have to expend a great deal of time analysing the app again. That change however would be much more apparent as a flawed fix in an open source app.

* Now all that said, it sounds like msecure isn't too bad. However, I would still recommend using an pass safe that not only comes from a developer with experience in cryptography but in addition is open source so that any short-comings can be highlighted quickly. PasswordSafe is one of the few that meets that on the desktop and minikeepass is the closest I could find for iOS, mainly because it's based on keepass and both are open source (keepass is also highly regarded).

Don't take the above the wrong way, I'm not saying everyone should always use open source software. Far from it. But when it comes to security critical software like password safes or SSL encryption, open source is by far the best option. Allowing professionals and academics a chance to really scrutinise everything it's doing.

and finally, usually you get what you pay for, but in the case of security, it's a rare instance where you can get the most assurance of security by using the cheapest (eg free) product (just be careful not to arbitrarily pick a free product as there's just as many poor open source safes as there are closed source. Only difference is, with open source we have a chance of knowing it ).

PS: Didn't mean the above to sound preachy, that's not my intention. Just trying to make clear some issues. Whether anyone takes note or not is irrelevant as long as people are going into it with their eyes open.

[ManosHandsOfFate]

My wife and I share a LastPass account. It's not perfect, but it's easy enough to use and both of us have migrated all our important accounts to strong passwords. I've enabled Google 2-Factor authentication to make it trickier for a remote user who has our password to gain access.

[Katsunami]

I've got my Keepass database stored in DropBox.

To protect it, beside having a password, I use a keyfile beside the normal password of the database. (This is a randomly generated file, used as a key to encrypt the database.) I've got a small USB-stick with me, which I put into the notebook as soon as I need to open Keepass. As soon as I go away from the notebook, I pull the USB-stick out, taking the keyfile with me.

I do the same on my workstation computer, but I only take out the USB-stick if I'm going on vacation or something. The chance of someone breaking into the house and stealing the entire workstation from my study is quite small.

Of course, the keyfile is NOT in Dropbox, and the password isn't either.

All of my accounts at stores and websites have passwords that are generated randomly by Keepass, and I never save any passwords in the browser, except for not so important stuff such as forums.

So, if someone gets a hold of my laptop, he can visit some forums and destory my accounts there, which would be annoying, but not really threatening. He won't be able to access anything else such as stores, email, or banking info, as far as I can see, as he will need the Keepass keyfile and password in addition to the database. Even if he gets the keyfile because I forgot to take the USB-stick out of the notebook, then he still won't have the password, and that last bit of information is not saved anywhere, ever, except in my head.

My phone and tablet run KeepassDroid. They have the keyfile stored, so it'd be possible to steal them, or get a hold of them and obtain both the database and the keyfile. However, the tablet and phone don't have the Keepass password stored anywhere, so stealing them is a no go also. (And they are also protected by a login pattern; the database and keyfile are in the internal memory, not on an SD-card.)

Apart from some forums, it seems my data is safe, except when a site, store, bank or something is directly hacked. Then the information in that particular place could be lost or misused.