
Password Manager


Michael G.
02-27-2025, 03:56 PM
Who uses them and which one do you use.
Do you feel they're safe?

Stu from NYC
02-27-2025, 04:07 PM
Thinking about getting one so following

New Englander
02-27-2025, 04:17 PM
I'm a new Mac user, so I now use the built-in Mac password manager. When I used Windows, I used the free version of the LastPass password manager for years. It works great, in my opinion.

Arlington2
02-27-2025, 04:36 PM
I have used the free version of KeePass for many years. It stores the encrypted file on your computer and not in the cloud. I have a copy on my computer and on my iPhone. I can transfer the encrypted file directly from computer to iPhone without fear of interception. I do not trust something as sensitive and important to be in cloud storage even though the file is encrypted. Soon, if not already, AI will be able to attack cloud storage and encrypted files. Also, if the cloud goes down you are SOL. You can't be overly paranoid when it comes to protecting the keys to all you own.

ElDiabloJoe
02-27-2025, 04:43 PM
For many years now, I have used 1Password. It is excellent and very robust. It will allow you to choose your own passwords at various sites, or it will suggest ones that it will remember for you and offer when you visit those sites. I also use Apple's Safari, so I go to Safari, Settings, Passwords and input some there at my most commonly visited sites so that my fingerprint or face biometrics will open the sites for me.

I have never had a problem.

Hope this helps.

CFrance
02-27-2025, 04:49 PM
There was another thread about this a while back. Someone on here recommended a password manager and explained why it is better than the one I've been using, which is RoboForm. Pretty informative thread. I've done a search under "password" to no avail. I think it might have been a thread that went off topic into password manager programs. Maybe someone on here will remember and give a link.

This isn't the exact one I was thinking of, but it might be helpful: https://www.talkofthevillages.com/forums/computer-questions-92/how-safe-password-manager-sites-343509/index2.html

JoelJohnson
02-27-2025, 05:27 PM
I've been using LastPass for years. I know there was some press about a breach, but it never affected anyone.

villagetinker
02-27-2025, 05:37 PM
I do not trust anything that is online (aka cloud) storage, and I do not like local storage on my PC, so I have my own secret way of storing passwords which I will not give out on an open forum. There are ways to keep your passwords safe. I have over 100 currently.

CarlR33
02-27-2025, 07:16 PM
I do not trust anything that is online (aka cloud) storage, and I do not like local storage on my PC, so I have my own secret way of storing passwords which I will not give out on an open forum. There are ways to keep your passwords safe. I have over 100 currently.
LOL, I have used Bitwarden (free). Cloud based is good so when you travel you do not have to carry the legal pad in the briefcase or the kitchen drawer with them written on the bottom, LOL. It’s also linked to the password function of iOS.

Altavia
02-27-2025, 07:32 PM
Used Dashlane for years.

Password Manager for Home, Mobile and Business | Dashlane (https://www.dashlane.com/)

Dashlane reviews generally highlight its user-friendly interface, strong security features including dark web monitoring, cross-platform support and smooth password capture and autofill functionality, but often criticize its relatively high price point compared to competitors, with some noting that its free plan is too limited to be truly useful. Overall, it's considered a good option for users seeking a comprehensive password manager with a focus on ease of use, but might not be the best value for budget-conscious users.

Topspinmo
02-27-2025, 09:00 PM
Who uses them and which one do you use.
Do you feel they're safe?

No, no, and no.

jsa
02-28-2025, 04:53 AM
Who uses them and which one do you use.
Do you feel they're safe?

1Password. Solid functionality and is safe.

Cuervo
02-28-2025, 05:16 AM
This issue has been addressed before in a different manner, and as a previous poster stated, I also do not trust putting anything on the internet no matter how secure they claim to be. If the manager site is hacked, they will have access to all your information. What I don't understand is why you just don't keep all your passwords in an address book that only you have access to.

The last time I suggested that, someone said what if someone breaks into your house and finds the book. If that is your worry, put it in a place where no one will look. But let's be realistic: if someone breaks into your house, they're not going to waste their time looking for a book they don't even know exists. They're going for cash and jewelry.

If you think hackers can't break into a password manager, a hacker from North Korea just got away with over a billion in Bitcoin.

sdeikenberry
02-28-2025, 05:35 AM
Who uses them and which one do you use.
Do you feel they're safe?

I've used a password manager for a very long time (more than 15 years) and find it very helpful. I'm not concerned about it being cloud based, and I like that I can get into my passwords from anywhere I am with my phone/laptop. Perhaps the best reason for a manager is that the passwords it generates are very, very complicated...much more so than a human can think up. Plus it remembers them and plugs them into your log-on screens. I currently use LastPass, which is a free manager from Webroot, which I also have for anti-virus, etc. In the past I used Kaspersky for years and years. When the USA decided it didn't trust Russian companies I switched to Norton...huge mistake...they flooded me with pop-ups to buy more of their products to keep me "safer." Dropped them like a hot potato and moved to Webroot, which I like very much. Their free password manager, LastPass, does a good job. I like the convenience of their logo being in the sign-on boxes...I click the logo...and it auto logs me on, easy peasy. Since I also use OneDrive, I have my passwords available from my iPhone also. Can't imagine not having a password manager.

jimkerr
02-28-2025, 05:36 AM
Who uses them and which one do you use.
Do you feel they're safe?

I use 1Password. I’ve used it for years.

rsmurano
02-28-2025, 05:42 AM
Everything is in the cloud these days, 20 years ago I was nervous about the cloud, haven’t been nervous for over 15 years now. How else are all of your devices kept in sync? When you have computers, phones, watches all accessing the same sites, you need a good way to sync all devices and a good password manager. Apple has had this functionality built in for over a decade. Plus now with facial recognition.

But what’s just as important is to turn on 2 phase authentication, and use a password that contains uppercase letters, special characters, numbers and is over 15 chars long. It will take a hundred years to crack it!

If you are using Windows, just put your info on the web because it’s too easy to hack into. Linux and Apple are much harder to hack into.

kkimball
02-28-2025, 05:53 AM
All the major password managers, cloud or otherwise, work roughly the same.

Your passwords are stored in an encrypted file, which requires your master password to decrypt. Some password managers only store the encrypted file on your computer, while others store it "in the cloud", which is far less likely to fail and is more convenient to access across devices, i.e. desktop, laptop, phone, etc.

As long as your master password is sufficiently complex and not leaked, then your passwords are secure. This was proven when LastPass was compromised back in 2022. Note that when quantum computing matures, today's encrypted data will be easily decrypted. This is likely decades away and encryption will evolve in the meantime.

Personally, I use Zoho Vault. It's free and the browser and mobile apps work well. Its encryption is not better or worse than the others. They store your encrypted passwords in the cloud, and you can directly download the encrypted file at any time.

Zoho Vault can also store your 2FA TOTP codes and automatically fill them on websites. While this is convenient, it's less secure since your passwords and 2FA info will be in the same file.

There are some passwords that I do not store including my email, computer, and phone credentials.

For my master password and passwords that I do not store, I use unique pass phrases instead of passwords because they are easy to remember.

To create a passphrase, pick four words that you can remember, but others will not guess. For example, villages-holeinone-golfing-today. This passphrase is sufficiently complex, easy to remember, and is not vulnerable to a simple dictionary attack.

If you store sensitive information, then you can get a FIDO security key (actually multiple keys so you have a backup). With a FIDO key, your passwords cannot be decrypted without the physical key. You can also use it for multi-factor authentication on websites that support it.

To summarize, using a password manager is far better than using the same password on multiple websites. Pick a password manager that's easiest to use for you, as they all basically use the same encryption. Consider using a pass phrase for your master password and a FIDO key (or passkey) for additional security.

FredMitchell
02-28-2025, 05:59 AM
LastPass (https://www.lastpass.com/pricing). Family version. $4.00 / month - up to six users on that plan.

You can organize passwords. Share them securely. Generate them on demand. You never need to know or look up a password except for one that should be long, impossible to guess that is your master password for the password manager. Works with browsers and portable devices. You can also set a user who will temporarily get access in case of emergency or death. In somewhat rare cases, where the need for a password uses non-standard technology, e.g. disables paste operation, you can view a stored password and manually enter it. Those sites s*ck.

Yes. It is secure. If you don't believe it, you have not researched how they do it, or are not sufficiently educated on encryption technology. It also will give you a score and flag poor or stolen passwords so that you can reset them.

Start with the free trial to see if you like how it works. Then upgrade (https://www.lastpass.com/pricing). Never make up a password again - except for a temporary one if you encounter one of the p*ss poor sites that don't manage passwords properly. Transfer whatever you have into it, then get rid of your hard / private copy. If you go with a family plan, you might have to push-urge-cajole your significant other, that is always too busy, to get with the program.

Onepass has a great reputation. I have not used it.

Trusting a browser cache or password manager is a bad strategy.

Off-topic, slightly. Never trust public Wi-Fi, for example, the kind you get in hotels. Expect that it will already be hacked. If you need to do something securely, either tether to your phone for access or use a VPN (virtual private network). You can set up VPNs to be used on demand.

dewilson58
02-28-2025, 06:32 AM
If it's a program (as are password managers), it can be hacked.


ltcdfancher
02-28-2025, 06:32 AM
Who uses them and which one do you use.
Do you feel they’re safe?
I DO use a cloud-based password manager that syncs across all of my devices: Android, iOS, and Windows. Would any of us need a password manager if every organization would subscribe to the NIST (National Institute of Standards and Technology) Password Guidelines? Among other things, the guidelines suggest long, complex passwords that do not expire. Coupling a short password age with many characters forces either a paper- or technology-based password management solution. Each of us could come up with a long phrase to use as a password that might include the abbreviated title of your favorite movie, which you concatenate with other data elements. Prepend this with the website name: Amazon, SECO, or Delta, to yield a long, complex password that never needs to change. No paper or password manager necessary. Never in my lifetime, I’m afraid!

jimkerr
02-28-2025, 06:47 AM
Yes. It is secure. If you don't believe it, you have not researched how they do it, or are not sufficiently educated on encryption technology. It also will give you a score and flag poor or stolen passwords so that you can reset them.

Start with the free trial to see if you like how it works. Then upgrade (https://www.lastpass.com/pricing). Never make up a password again - except for a temporary one if you encounter one of the p*ss poor sites that don't manage passwords properly. Transfer whatever you have into it, then get rid of your hard / private copy. If you go with a family plan, you might have to push-urge-cajole your significant other, that is always too busy, to get with the program.

Onepass has a great reputation. I have not used it.

Trusting a browser cache or password manager is a bad strategy.

Off-topic, slightly. Never trust public wifi's, for example, the kind you get in hotels. Expect that they will already be hacked. If you need to do something securely, either tether to your phone for access or use a VPN (virtual private network). You can set up VPNs to be used on demand.

This is terrible advice. I’ve been in the IT industry for many years. LastPass used to be a password manager I used until their security breaches.


I assume you’re referring to the "LastPass security breach." LastPass, a widely used password manager, experienced significant security incidents, with the most notable and impactful occurring in 2022. Because of this, I don’t trust them anymore. Here are the details.

The LastPass security breach unfolded in multiple stages throughout 2022, with the company disclosing critical updates over several months. It began in August 2022 when LastPass announced that an unauthorized party had accessed portions of its development environment, stealing source code and proprietary technical information. At the time, the company assured users that no customer data or encrypted password vaults were compromised, and the breach was contained within the development environment, which was separate from production systems holding sensitive user data.

However, the situation escalated in November 2022 when LastPass revealed a second related incident. Using information stolen in the August breach, the attacker gained access to a third-party cloud storage service that LastPass used to store backups of customer data. By December 22, 2022, the company confirmed that this breach was far more severe than initially suggested. The attacker had copied a backup of customer vault data, which included both unencrypted data—such as website URLs—and encrypted sensitive fields, like usernames, passwords, secure notes, and form-filled data. Additionally, basic account information such as names, email addresses, billing addresses, phone numbers, and IP addresses was stolen. The encrypted data was protected by 256-bit AES encryption and could only be decrypted with each user’s unique master password, which LastPass does not store or have access to due to its zero-knowledge architecture.

Further details emerged in March 2023, when LastPass provided a comprehensive update. The attacker had targeted a senior DevOps engineer’s home computer, exploiting a vulnerability in third-party media software (suspected to be Plex) to install keylogger malware. This allowed the attacker to capture the engineer’s master password after they authenticated with multi-factor authentication (MFA), granting access to the engineer’s corporate LastPass vault. From there, the attacker obtained decryption keys for the cloud storage backups, enabling them to access and exfiltrate the sensitive customer data. This incident highlighted a sophisticated, multi-step attack that leveraged both the initial breach and social engineering tactics.

The fallout from this breach has been significant and ongoing. While LastPass maintained that users with strong, unique master passwords adhering to its defaults (at least 12 characters and 100,100 iterations of PBKDF2 hashing) were secure—claiming it would take millions of years to crack such passwords with current technology—experts raised concerns. If users had weak or reused master passwords, especially from prior breaches available on the dark web, their vaults could be vulnerable to brute-force attacks. This led to widespread recommendations for users to change all passwords stored in LastPass and consider switching to alternative password managers like 1Password or Bitwarden, which have not reported similar breaches.

The breach’s impact extended beyond immediate data loss. In late 2024, reports surfaced linking the stolen LastPass data to cryptocurrency thefts. Blockchain investigators, such as ZachXBT, claimed that hackers using the 2022 breach data stole millions in crypto assets, with over $5 million reportedly taken in December 2024 alone and a total exceeding $12 million across multiple incidents. These attacks targeted users who had stored crypto seed phrases or keys in their LastPass vaults, exploiting the encrypted data once decrypted with compromised master passwords.

LastPass responded by enhancing security measures, including rebuilding its development environment, rotating credentials, and enforcing stricter master password requirements (e.g., a 12-character minimum for all users by January 2024). The company also spun off from its parent company, GoTo, in 2024, aiming to rebuild trust under new leadership. However, its handling of the breach—marked by delayed and piecemeal disclosures—drew criticism from users and security experts, damaging its reputation. Many questioned the company’s transparency and its ability to protect sensitive data, especially given prior incidents in 2011, 2015, and earlier in 2022.

In summary, the LastPass security breach of 2022 was a complex, multi-phase attack that compromised user data through a combination of stolen source code, cloud storage access, and a targeted keylogger attack on an employee. While encrypted data remained secure for users with strong master passwords, the breach exposed vulnerabilities in LastPass’s infrastructure and response strategy, leading to long-term consequences like crypto thefts and a loss of user trust. If you’re a LastPass user, it’s wise to ensure your master password is robust, rotate sensitive credentials, and monitor for any suspicious activity.
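The master-password key derivation and iteration arithmetic that kkimball's and jimkerr's posts describe, as an added example that is none of the posters' code and none of the vendors' (LastPass, Zoho Vault, 1Password). It assumes a SHA-256 hash of the derived key as the login verifier, a 7,776-word passphrase list, and a constructed attacker rate of 10^10 HMAC computations per second.

```python
"""Vault key derivation from a master password, plus the offline-cracking
cost that the PBKDF2 iteration count imposes on whoever steals a vault backup."""
import hashlib
import hmac
import math
import os

# Iteration counts quoted in the thread: LastPass's 100,100 default and the
# older 5,000 default that accounts created earlier were still using.
CURRENT_ITERATIONS = 100_100
LEGACY_ITERATIONS = 5_000
KEY_LEN = 32                    # 256-bit key, matching the "256-bit AES" mentioned
DICEWARE_WORDS = 7776           # assumed word-list size for a four-word passphrase
ATTACKER_HMAC_PER_SEC = 1e10    # constructed guess rate for a GPU rig (assumption)


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 turns the master password into the vault key.
    Same password, salt and iteration count always give the same key; the
    service stores the salt, never the password or the key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_verifier(vault_key: bytes) -> bytes:
    """One common zero-knowledge login design (an assumption here, not any
    vendor's documented scheme): the server keeps only a hash of the key."""
    return hashlib.sha256(vault_key).digest()


def unlock(master_password: str, salt: bytes, iterations: int,
           stored_verifier: bytes) -> bool:
    """Re-derive the key and compare in constant time. A wrong password,
    wrong salt or wrong iteration count all fail."""
    key = derive_vault_key(master_password, salt, iterations)
    return hmac.compare_digest(make_verifier(key), stored_verifier)


def entropy_bits_random(alphabet_size: int, length: int) -> float:
    """Guess space, in bits, of a uniformly random password."""
    return length * math.log2(alphabet_size)


def entropy_bits_passphrase(dictionary_size: int, words: int) -> float:
    """Guess space of a passphrase whose words were drawn at random from a
    known list: an attacker who knows the list searches words, not letters.
    Words the user picked for meaning (a hobby, a town) score lower than this."""
    return words * math.log2(dictionary_size)


def expected_crack_years(bits: float, iterations: int,
                         hmac_per_sec: float = ATTACKER_HMAC_PER_SEC) -> float:
    """Expected offline cracking time: half the guess space on average, with
    every guess costing `iterations` HMAC computations."""
    guesses = 2.0 ** (bits - 1)
    return guesses * iterations / hmac_per_sec / (365 * 24 * 3600)


def iteration_slowdown(new_iterations: int, old_iterations: int) -> float:
    """Factor by which raising the iteration count lengthens an offline attack."""
    return new_iterations / old_iterations


if __name__ == "__main__":
    salt = os.urandom(16)
    master = "villages-holeinone-golfing-today"   # the passphrase from kkimball's post
    verifier = make_verifier(derive_vault_key(master, salt, CURRENT_ITERATIONS))
    print("correct master password unlocks:",
          unlock(master, salt, CURRENT_ITERATIONS, verifier))
    print("one-word typo unlocks:",
          unlock("villages-holeinone-golfing-tonight", salt, CURRENT_ITERATIONS, verifier))
    print(f"100,100 vs 5,000 iterations slows cracking by "
          f"{iteration_slowdown(CURRENT_ITERATIONS, LEGACY_ITERATIONS):.2f}x")
    for label, bits in [
        ("8 random lowercase letters", entropy_bits_random(26, 8)),
        ("4 random word-list words", entropy_bits_passphrase(DICEWARE_WORDS, 4)),
        ("12 random printable ASCII", entropy_bits_random(94, 12)),
    ]:
        print(f"{label:28s} {bits:5.1f} bits: "
              f"{expected_crack_years(bits, LEGACY_ITERATIONS):9.3g} years at 5,000, "
              f"{expected_crack_years(bits, CURRENT_ITERATIONS):9.3g} years at 100,100")
```

The iteration count multiplies cost linearly, so it buys about 20x here, while each extra random word or character multiplies it exponentially; that is why a weak or reused master password is the part a stolen backup actually exposes.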

ndf888
02-28-2025, 07:18 AM
For many years now, I have used 1Password. It is excellent and very robust. It will allow you to choose your own passwords at various sites, or it will suggest ones that it will remember for you and offer when you visit those sites. I also use Apple's Safari, so I go to Safari, Settings, Passwords and input some there at my most commonly visited sites so that my fingerprint or face biometrics will open the sites for me.

I have never had a problem.

Hope this helps.

We’ve switched from LastPass to 1Password a couple of years ago and we are glad we did. It’s great for families and highly rated in many reviews. You can store passwords, important documents, credit card information etc. There’s a learning curve and it took us about a couple of weeks to set it up properly on all our devices and browsers. I recommend watching YouTube videos before you begin.

RoboVil
02-28-2025, 07:19 AM
Who uses them and which one do you use.
Do you feel they're safe?
The one which is probably the safest is Proton Mail's password manager. However, I started using LastPass and still feel it is the easiest to use. LastPass has had trouble in the past with being hacked though key information is encrypted.

What I will tell you is that as an extra safety measure, I don't put the last 4 characters of my financial accounts into the password manager - just in case of hacking. Every account has a different password, but my financial accounts all end in the last 4 characters which is not in the password manager. I have no idea what my passwords are. Of course, use 2-factor verification on financial accounts if possible too.

Trident2
02-28-2025, 07:23 AM
Thank you for taking the time to provide such a thorough and comprehensive response. Do you have a recommendation for iOS users?

Ptmcbriz
02-28-2025, 07:59 AM
About 2 years ago my FB account got hacked and I needed to change 100+ passwords on different websites and apps. At the time I was using 2 different passwords 8 digits long, and now that I use the Apple Password app they’ve all been changed to 20 digits of random numbers and letters, all unique and never repeated twice. So yes….I do feel much more secure. I could never remember all those logins on my own without the program. Oh, and you HAVE to use the facial recognition to get into it. Another layer of security.

daca55
02-28-2025, 08:09 AM
Have you listened to the tech guru Kim Komando on the radio? She recommends NordPass for storing passwords. Has anyone ever used NordPass? If you have, I would appreciate hearing what you think of it and your experience. Thanks!!!

TheWatcher
02-28-2025, 08:15 AM
...

Of course, use 2-factor verification on financial accounts if possible too.


2-factor verification or a FIDO passkey is the answer here for your high-security sites like your finances. Enable 2-factor verification in Google, too.

Use different email account and computer for finances/high security.

Use of a password manager is personal preference; use the answers given prior to help choose one, and use their password generator to get secure random passwords.

Nothing is totally secure. But you can be sufficiently safe for now if you are careful. Just do not make obvious security mistakes.

Altavia
02-28-2025, 08:18 AM
Everything has risks.

An important consideration for our age group is how do your heirs get access to your important accounts when you pass.

Or should a medical condition impair your ability to remember how to get to your passwords.

So be sure someone you trust knows how to access your accounts. The major password managers provide secure methods to do so.

dblowry
02-28-2025, 08:36 AM
Who uses them and which one do you use.
Do you feel they're safe?

I have been very satisfied using 1Password for many years. One of its many features is that it is supported and synchronized on all smartphone, notebook, and computer platforms.

MrLindy
02-28-2025, 08:44 AM
Who uses them and which one do you use.
Do you feel they're safe?

I have used Bitwarden for several years. It synchronizes information between your phone, laptops, desktop, and other devices.

It's free. I've never paid for it.

Get it on Google Play or the iPhone app store.

OrangeBlossomBaby
02-28-2025, 08:45 AM
I keep all my passwords on a spreadsheet on a thumb drive. There are several apps and accounts that require me to change the password every 90 days. I don't know how these password managers handle that. If you get one that says you have to change it, it requires that you manually enter the current password. If you don't know what it is - you're outta luck.

Bill14564
02-28-2025, 08:54 AM
I keep all my passwords on a spreadsheet on a thumb drive. There are several apps and accounts that require me to change the password every 90 days. I don't know how these password managers handle that. If you get one that says you have to change it, it requires that you manually enter the current password. If you don't know what it is - you're outta luck.

Do you carry the thumb drive with you so that when you are sitting at the square and try to login to a site you have your passwords? Which slot do you use to insert the thumb drive in your phone?

When you need to change your password the password manager inserts your old password - that's what a password manager does. When you are asked for a new password, most of the password managers will offer to generate one for you. When you hit the submit button the password manager will ask if you want to update your stored password.

Velvet
02-28-2025, 09:34 AM
A Disney employee, Van Andel, a middle-aged father of two, used 1Password and his work computer was hacked. And he had 3 types of malware detectors on both his work and home computers. All his digital details were posted online so that his identity could be stolen by anyone, and it was. He lost his job, he was faced with a huge debt and is literally fighting to get his life back.

‘The breach upended Van Andel’s life. The hacker stole his credit-card numbers and racked up bills—and leaked his account login details, including those to financial accounts. The attacker published Van Andel’s personal information online, ranging from his Social Security number to login credentials that could be used to access Ring cameras within his home.’


Then WSJ published an article as to what can be done to avoid what happened to Van Andel:

‘How to Keep Hackers From Destroying Your Digital Life
A few digital hygiene measures can help secure online accounts and passwords.’

By Robert McMillan, Feb 27, 2025, Wall Street Journal

The article emphasizes two-factor identification, with one factor on a physical device like a phone, etc.; biometric is best.

JRcorvette
02-28-2025, 09:38 AM
Who uses them and which one do you use.
Do you feel they're safe?

Yes they are safe however you need to come up with a very strong master password. Be sure to write it down and have several copies of it put away.

smcmahon2002
02-28-2025, 09:46 AM
Who uses them and which one do you use.
Do you feel they're safe?

1Password has been my choice for years. Allows access to your passwords from multiple devices. Plus you can keep much more than passwords. Licenses, memberships, credit cards, etc... Very secure.

Velvet
02-28-2025, 09:52 AM
1Password has been my choice for years. Allows access to your passwords from multiple devices. Plus you can keep much more than passwords. Licenses, memberships, credit cards, etc... Very secure.

Please read what happened to Van Andel, his 1Password was hacked by AI.

Bill14564
02-28-2025, 10:07 AM
Please read what happened to Van Andel, his 1Password was hacked by AI.

Not hacked by AI at all.

According to reporting, he downloaded an AI tool that happened to include malware. The malware stole information from his machine including his keystrokes as he typed his 1Password login and password. Once they had the 1Password login information they had all his other logins and passwords too.

Two quick takeaways: Be careful about what software you download and make use of 2FA.

Velvet
02-28-2025, 10:09 AM
Not hacked by AI at all.

According to reporting, he downloaded an AI tool that happened to include malware. The malware stole information from his machine including his keystrokes as he typed his 1Password login and password. Once they had the 1Password login information they had all his other logins and passwords too.

Two quick takeaways: Be careful about what software you download and make use of 2FA.

Right, I did not write out the whole story. Thank you for clarifying.

Arlington2
02-28-2025, 10:35 AM
Not hacked by AI at all.


Two quick takeaways: Be careful about what software you download and make use of 2FA.

And even 2FA is insufficient for a number of widely used email accounts. Now passcode is recommended in addition to 2FA for gmail, yahoo, etc. The hacking community is way out in front of the rest of us.

midiwiz
02-28-2025, 10:36 AM
Who uses them and which one do you use.
Do you feel they're safe?

From one cheesehead to another, but this one has a background in cyber security: NO!

You need to keep your passwords somewhere that isn't under the keyboard, on your computer, or in the cloud, basically only accessible to you alone. What I find is the easiest method is to find a password that is long, easy to remember, and variable. Typically you make it with 2 pieces of information no one would ever know or think of.

For example: grandpa's middle name (as long as it's not in your name) + a series of characters or numbers + maybe your favorite Packer's nickname. Just an example, but you should strive for at least 8-12 characters. That would cover just about any website password. As for your computer and phone, both different and neither of them your other password. Also, with that example design, make 3 of them. That's really all you need.... if you need it for porn sites then just PM me LOL, that's an entirely different art form.

Bill14564
02-28-2025, 11:00 AM
And even 2FA is insufficient for a number of widely used email accounts. Now passcode is recommended in addition to 2FA for gmail, yahoo, etc. The hacking community is way out in front of the rest of us.

I believe you mean a passkey (there's a difference).

Passkeys currently have some shortcomings in that they don't work across all devices or accounts and they are difficult to use without your specific device (though 2FA has the same limitation). Passkeys are a good idea but until they are a bit more universal I will stick with a password manager.

ElDiabloJoe
02-28-2025, 11:07 AM
Everything is in the cloud these days, 20 years ago I was nervous about the cloud, haven’t been nervous for over 15 years now. How else are all of your devices kept in sync? When you have computers, phones, watches all accessing the same sites, you need a good way to sync all devices and a good password manager. Apple has had this functionality built in for over a decade. Plus now with facial recognition.

But what’s just as important is to turn on 2 phase authentication, and use a password that contains uppercase letters, special characters, numbers and is over 15 chars long. It will take a hundred years to crack it!

If you are Using windows, just put your info on the web because it’s too easy to hack into. Linux and Apple are much harder to hack into.
I agree with all of the above. For non-important things, like web forums, I use whatever password(s) I like. For important things, like an investment account, I let the 1Password randomly select a 25+ random character password. I do NOT put that on the computer, and instead hide it written down and tell my spouse and another trusted family member of its location. That other trusted family member also has copy of the password written down and in a sealed envelope they keep at their house (just in case mine burns down). Secure redundancy that is non-digital for the important things.

Acordionist
02-28-2025, 11:41 AM
LastPass, I have used it for many years.

Michael G.
02-28-2025, 11:48 AM
It just seems to be the unknown out there for using any password manager that changes more often than we change our shorts.

Ex: The one site of AI.
How much do we really know about its present and future?

Velvet
02-28-2025, 12:20 PM
Life’s too short. It’s a gamble. Best one can do is reduce the probabilities. Then go out and play golf… or whatever you like to do.

bp243
02-28-2025, 12:28 PM
I've been using LastPass for years. I know there was some press about a breach, but it never affected anyone.

Unfortunately, a friend who used LastPass lost her entire bitcoin investment, which was supposed to be 100% safe. LastPass has been breached at least twice.

Altavia
02-28-2025, 12:34 PM
Not hacked by AI at all.

According to reporting, he downloaded an AI tool that happened to include malware. The malware stole information from his machine including his keystrokes as he typed his 1Password login and password. Once they had the 1Password login information they had all his other logins and passwords too.

Two quick takeaways: Be careful about what software you download and make use of 2FA.

Very sad story indeed, the malware provided the same access as of sitting at the computer. Several lessons to be learned.

Hackers stole this engineer's 1Password database. Could it happen to you? | ZDNET (https://www.zdnet.com/article/hackers-stole-this-engineers-1password-database-could-it-happen-to-you/)


"The WSJ article discusses 1Password at length, pointing out that the victim was using the password manager to store 2-factor authentication keys for many sites, and that he hadn't turned on 2-factor authentication for 1Password itself.

...


In this case, it's hard to assign any fault to the password manager. Bad guys had unrestricted access to his computer for five months!

The keyboard logger was capable of stealing every set of credentials he used during that time, even if the usernames and passwords were typed in manually. "

bp243
02-28-2025, 12:34 PM
Thinking about getting one so following

1Password is my password manager of choice and is often rated as #1. To my knowledge it's never been breached and is a dream to use if you access lots of websites. The backup team is very helpful should you have an issue, although all communication is done via email with their team.

Arlington2
02-28-2025, 01:06 PM
I believe you mean a passkey (there's a difference).

Passkeys currently have some shortcomings in that they don't work across all devices or accounts and they are difficult to use without your specific device (though 2FA has the same limitation). Passkeys are a good idea but until they are a bit more universal I will stick with a password manager.

I guess I misspoke, it is passkey. I'm not an IT guru. Nevertheless, security experts are recommending using passkeys to counter the Astaroth Phishing Kit which is designed to bypass traditional 2FA in gmail, etc. as reported in Infosecurity Magazine and cybersecsentinel as well as other news outlets. The Astaroth kit is available on the dark web for $2K. Passkeys work on my PC and iPhone and I choose to use them. Of course the first line of defense is don't click on unknown links, but studies have shown user negligence is prevalent.

Pamela1130
02-28-2025, 06:01 PM
Who uses them and which one do you use.
Do you feel they're safe?

My DIL, who worked at FB for ten years and now TikTok, says everyone uses LastPass. So I got it. It's cheap enough, $36.00 a year, but you have to learn how to use it and there are YouTube videos. But our computers also give us automatically generated passwords if you have a Mac.

OrangeBlossomBaby
02-28-2025, 07:10 PM
Do you carry the thumb drive with you so that when you are sitting at the square and try to login to a site you have your passwords? Which slot do you use to insert the thumb drive in your phone?

When you need to change your password the password manager inserts your old password - that's what a password manager does. When you are asked for a new password, most of the password managers will offer to generate one for you. When you hit the submit button the password manager will ask if you want to update your stored password.

I don't use my phone to access websites. I have some shopping apps, and the passwords are encrypted and saved, and the phone doesn't display anything without my fingerprint or face to unlock it first. I also sometimes use my kindle app to read on my phone if I'm out to lunch by myself.

I don't have banking apps on my phone, and my "wallet" is also encrypted and requires biometrics to use.

The thumb drive goes with me when I take my laptop to my dad's house. If I'm taking my tablet instead I port just a dozen lines of data to a temporary spreadsheet on a micro SD card and take that - and then I delete it when I get home.

Ramblnman
02-28-2025, 07:25 PM
I do not trust anything that is online (aka cloud) storage, and I do not like local storage on my PC, so I have my own secret way of storing passwords which I will not give out on an open forum. There are ways to keep your passwords safe. I have over 100 currently.
I completely agree and have my own method of managing passwords as well

bp243
03-01-2025, 09:09 AM
I keep all my passwords on a spreadsheet on a thumb drive. There are several apps and accounts that require me to change the password every 90 days. I don't know how these password managers handle that. If you get one that says you have to change it, it requires that you manually enter the current password. If you don't know what it is - you're outta luck.
1Password is named that because you have ONE Password to get into your master listing where you can change anything or occasionally copy and paste a password.

RoseyRed
03-01-2025, 09:30 AM
This issue has been addressed before in a different manner and as a previous poster stated I also do not trust putting anything on the internet no matter how secure they claim to be. If the manager site is hacked, they will have access to all your information. What I don't understand is why you just don't keep all your passwords in an address book that you only have access to.

The last time I suggested that, someone said what if someone breaks into your house and finds the book. If that is your worry, put it in a place where no one will look. But let's be realistic: if someone breaks into your house, they're not going to waste their time looking for a book they don't even know exists. They're going for cash and jewelry.

If you don't think hackers can break into a password manager, a hacker from North Korea just got away with over a billion in bitcoin.
Very good point! I have been in IT for years and see more and more how online products are advertised as the best thing since sliced bread, while the employees within the companies see all the failure points (areas for improvement). There are pros and cons to both electronic and physical methods of PW storage. The difficult part is there are NO guarantees, so that leaves the question of what has the least amount of risk? Which method does one feel most comfortable with?

ElDiabloJoe
03-01-2025, 10:04 AM
I completely agree and have my own method of managing passwords as well

I assume you mean something far more robust than writing them down on a sheet of paper and putting it under the keyboard or in an adjacent drawer.

RoseyRed
03-01-2025, 11:02 AM
This is terrible advice. I’ve been in the IT industry for many years. LastPass used to be a password manager I used until their security breaches.


I assume you’re referring to the "LastPass security breach." LastPass, a widely used password manager, experienced significant security incidents, with the most notable and impactful occurring in 2022. Because of this, I don’t trust them anymore. Here are the details.

The LastPass security breach unfolded in multiple stages throughout 2022, with the company disclosing critical updates over several months. It began in August 2022 when LastPass announced that an unauthorized party had accessed portions of its development environment, stealing source code and proprietary technical information. At the time, the company assured users that no customer data or encrypted password vaults were compromised, and the breach was contained within the development environment, which was separate from production systems holding sensitive user data.

However, the situation escalated in November 2022 when LastPass revealed a second related incident. Using information stolen in the August breach, the attacker gained access to a third-party cloud storage service that LastPass used to store backups of customer data. By December 22, 2022, the company confirmed that this breach was far more severe than initially suggested. The attacker had copied a backup of customer vault data, which included both unencrypted data—such as website URLs—and encrypted sensitive fields, like usernames, passwords, secure notes, and form-filled data. Additionally, basic account information such as names, email addresses, billing addresses, phone numbers, and IP addresses was stolen. The encrypted data was protected by 256-bit AES encryption and could only be decrypted with each user’s unique master password, which LastPass does not store or have access to due to its zero-knowledge architecture.

Further details emerged in March 2023, when LastPass provided a comprehensive update. The attacker had targeted a senior DevOps engineer’s home computer, exploiting a vulnerability in third-party media software (suspected to be Plex) to install keylogger malware. This allowed the attacker to capture the engineer’s master password after they authenticated with multi-factor authentication (MFA), granting access to the engineer’s corporate LastPass vault. From there, the attacker obtained decryption keys for the cloud storage backups, enabling them to access and exfiltrate the sensitive customer data. This incident highlighted a sophisticated, multi-step attack that leveraged both the initial breach and social engineering tactics.

The fallout from this breach has been significant and ongoing. While LastPass maintained that users with strong, unique master passwords adhering to its defaults (at least 12 characters and 100,100 iterations of PBKDF2 hashing) were secure—claiming it would take millions of years to crack such passwords with current technology—experts raised concerns. If users had weak or reused master passwords, especially from prior breaches available on the dark web, their vaults could be vulnerable to brute-force attacks. This led to widespread recommendations for users to change all passwords stored in LastPass and consider switching to alternative password managers like 1Password or Bitwarden, which have not reported similar breaches.

The breach’s impact extended beyond immediate data loss. In late 2024, reports surfaced linking the stolen LastPass data to cryptocurrency thefts. Blockchain investigators, such as ZachXBT, claimed that hackers using the 2022 breach data stole millions in crypto assets, with over $5 million reportedly taken in December 2024 alone and a total exceeding $12 million across multiple incidents. These attacks targeted users who had stored crypto seed phrases or keys in their LastPass vaults, exploiting the encrypted data once decrypted with compromised master passwords.

LastPass responded by enhancing security measures, including rebuilding its development environment, rotating credentials, and enforcing stricter master password requirements (e.g., a 12-character minimum for all users by January 2024). The company also spun off from its parent company, GoTo, in 2024, aiming to rebuild trust under new leadership. However, its handling of the breach—marked by delayed and piecemeal disclosures—drew criticism from users and security experts, damaging its reputation. Many questioned the company’s transparency and its ability to protect sensitive data, especially given prior incidents in 2011, 2015, and earlier in 2022.

In summary, the LastPass security breach of 2022 was a complex, multi-phase attack that compromised user data through a combination of stolen source code, cloud storage access, and a targeted keylogger attack on an employee. While encrypted data remained secure for users with strong master passwords, the breach exposed vulnerabilities in LastPass’s infrastructure and response strategy, leading to long-term consequences like crypto thefts and a loss of user trust. If you’re a LastPass user, it’s wise to ensure your master password is robust, rotate sensitive credentials, and monitor for any suspicious activity.
This brings to light the need for multiple layers of security! Not just a PW mgr, but 2FA, credit freeze, virus protection, and constant PW changes along with many others to make it not worth it to the hacker for the time needed to get through to your valuable data! It's not IF you're hacked ... It's WHEN!!!
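The PBKDF2 figures quoted in the post above (100,100 iterations, a 12-character minimum, and a vault key derived from the master password that the service itself never sees) are easier to reason about with a small model. The Python below is an added example written for this thread, not code from LastPass or any other vendor. The split into a client-side vault key and a separately derived login hash is a general pattern and an assumption here, not the documented construction of any product; the salt, the sample passwords, the "known breached" list and the 1e9 guesses-per-second figure are all constructed.

```python
import hashlib
import time

# Figures quoted in the thread for LastPass's defaults; treated here as
# generic parameters, not as any vendor's exact scheme (assumption).
PBKDF2_ITERATIONS = 100_100
MIN_MASTER_LEN = 12

# Constructed stand-in for "passwords already exposed in prior breaches".
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "password123"}


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client-side key derivation. The 32-byte key that encrypts the vault is
    computed on the user's device; only ciphertext goes to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What a server may store to authenticate the user: one more one-way step
    on top of the vault key, so a stolen copy of this value yields neither the
    master password nor the vault key. (Illustrative pattern; assumption.)"""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def master_password_acceptable(password: str) -> bool:
    """The policy the post describes: long enough and not a known breached value.
    A reused or breached password falls in a handful of guesses no matter how
    many PBKDF2 iterations sit in front of it."""
    return len(password) >= MIN_MASTER_LEN and password.lower() not in KNOWN_BREACHED


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: try every password of this shape."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def measure_guess_rate(iterations: int = PBKDF2_ITERATIONS, samples: int = 3) -> float:
    """PBKDF2 evaluations per second on one CPU core here. The iteration count
    is exactly what makes each offline guess this expensive."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", b"salt", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = b"user@example.com"   # constructed; a per-user salt is the usual choice (assumption)
    key = derive_vault_key("correct horse battery staple", salt)
    login = derive_login_hash(key, "correct horse battery staple")
    print("vault key :", key.hex())
    print("login hash:", login.hex())

    rate = measure_guess_rate()
    print(f"~{rate:.0f} guesses/s on one core at {PBKDF2_ITERATIONS:,} iterations")
    # A dedicated cracking rig is far faster than one core; the iteration count
    # and the password's length are the two levers the defender controls.
    print("8 lowercase chars at 1e9 guesses/s:", f"{years_to_exhaust(26, 8, 1e9):.6f} years")
    print("12 printable chars at 1e9 guesses/s:", f"{years_to_exhaust(94, 12, 1e9):.3e} years")
    print("reused breached password:",
          "rejected" if not master_password_acceptable("password123") else "accepted")
```

The point the two `years_to_exhaust` lines make is the one the post's experts made: the iteration count protects a strong master password well and a weak or reused one hardly at all, because a breach list is a few million guesses, not 94^12.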

RoseyRed
03-01-2025, 11:08 AM
2-factor verification or FIDO passkey is the answer here for your high security sites like your finances. Enable 2-factor verification in google, too.

Use different email account and computer for finances/high security.

Use of a password manager is personal preference; use the answers given prior to help choose one, and use its password generator to get secure random passwords.

Nothing is totally secure. But you can be sufficiently safe for now if you are careful. Just do not make obvious security mistakes.
I have heard it suggested to use an entirely different computer (Chromebook due to being harder to hack) and email address.

GoldenBoy
03-01-2025, 03:37 PM
This brings to light the need for multiple layers of security! Not just a PW mgr, but 2FA, credit freeze, virus protection, and constant PW changes along with many others to make it not worth it to the hacker for the time needed to get through to your valuable data! It's not IF you're hacked ... It's WHEN!!!

Govt databases have become suspect with the activity of the horde buzzing around CMS, IRS, and VA looking for savings. I suspect all of this activity has made our data less than secure and individuals can do nothing to protect themselves as long as there is virtually no accountability for data security.

Sportster
03-01-2025, 03:56 PM
I use KeePassXC (not KeePass). Decent user interface, very easy to use, local file storage, no ads or account required and, best of all, open source so it's free. You have control of the encrypted password file and a copy can be kept offsite like where you keep backups, or with a family member (heirs). More than just passwords can be saved too (account numbers, critical info etc.).

OrangeBlossomBaby
03-01-2025, 05:51 PM
1Password is named that because you have ONE Password to get into your master listing where you can change anything or occasionally copy and paste a password.

Google already does that. You log into Google and you have access to your master list. If you don't log in, you don't have access.

OrangeBlossomBaby
03-01-2025, 05:53 PM
Govt databases have become suspect with the activity of the horde buzzing around CMS, IRS, and VA looking for savings. I suspect all of this activity has made our data less than secure and individuals can do nothing to protect themselves as long as there is virtually no accountability for data security.

The only way you can protect yourself these days is to NOT store passwords in the cloud, or on your hard drive. Even then it's not really safe - they can find you with keyloggers.

retiredguy123
03-02-2025, 07:10 AM
Everything is in the cloud these days, 20 years ago I was nervous about the cloud, haven’t been nervous for over 15 years now. How else are all of your devices kept in sync? When you have computers, phones, watches all accessing the same sites, you need a good way to sync all devices and a good password manager. Apple has had this functionality built in for over a decade. Plus now with facial recognition.

But what’s just as important is to turn on 2 phase authentication, and use a password that contains uppercase letters, special characters, numbers and is over 15 chars long. It will take a hundred years to crack it!

If you are using Windows, just put your info on the web because it’s too easy to hack into. Linux and Apple are much harder to hack into.
I agree with the 2 phase authorization, which is often referred to as "two-step verification". My investment accounts have this feature turned on, which is very easy to do in your profile security settings. When you enter your username and password, they will then text or call your phone with a 6-digit code to enter. You must enter the code within about 10 minutes. You need to have your phone with you or you cannot log in. If you don't have this feature turned on, anyone with your username and password can access your account from anywhere. If it is turned on, your username and password are worthless to a hacker. In my opinion, this feature should be mandatory, and not something that needs to be turned on. I highly recommend turning on the two-step verification, which will only add about 15 seconds to your login process.
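The two-step flow just described (username and password first, then a 6-digit code sent to the phone that must be typed within about ten minutes) comes down to a small amount of server-side state, and the details are where the "worthless to a hacker" property actually comes from. The Python below is an added example written for this thread, not any brokerage's code. The attempt cap, the single-use rule, the user record with its salted PBKDF2 password hash and the phone number are constructed assumptions; the ten-minute window is the one the post quotes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 10 * 60   # "within about 10 minutes", as the post says
MAX_ATTEMPTS = 5             # constructed cap on guesses per issued code (assumption)

# Constructed user record: the password is kept only as a salted PBKDF2 hash.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"hunter2-but-longer", _SALT, 100_000),
        "phone": "+1-555-0100",   # constructed
    }
}


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Server-side bookkeeping for one-time codes delivered out of band."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros kept
        self._pending[username] = PendingCode(code, now + CODE_TTL_SECONDS)
        # A real deployment hands `code` to the SMS/voice sender for
        # USERS[username]["phone"]; it is returned here only so the demo can use it.
        return code

    def verify(self, username: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        pending = self._pending.get(username)
        if pending is None:
            return False                      # nothing issued, or already consumed
        if now > pending.expires_at:
            del self._pending[username]       # expired: the user must request a fresh code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]       # a 6-digit space must not be guessable online
            return False
        ok = hmac.compare_digest(pending.code.encode(), str(submitted).encode())
        if ok:
            del self._pending[username]       # single use: a captured code cannot be replayed
        return ok


def password_ok(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def login(sf: SecondFactor, username: str, password: str, code: Optional[str],
          now: Optional[float] = None) -> bool:
    """Both factors are required. A correct password with no code, a stale code
    or a replayed one is exactly the case the post calls worthless to a hacker."""
    if not password_ok(username, password):
        return False
    if code is None:
        return False
    return sf.verify(username, code, now)


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")                       # the server texts this to alice's phone
    print("password only :", login(sf, "alice", "hunter2-but-longer", None))    # False
    print("password+code :", login(sf, "alice", "hunter2-but-longer", code))    # True
    print("replayed code :", login(sf, "alice", "hunter2-but-longer", code))    # False
```

Two details matter beyond the happy path: the code is compared with `hmac.compare_digest` rather than `==`, and it is deleted on success, on expiry and after too many wrong tries, so a stolen username and password still leave an attacker with at most a few blind guesses at a six-digit number before the code is gone.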

DaddyD
03-03-2025, 07:26 AM
I do not trust anything that is online (aka cloud) storage, and I do not like local storage on my PC, so I have my own secret way of storing passwords which I will not give out on an open forum. There are ways to keep your passwords safe. I have over 100 currently.

Any reason why you can't discuss your method in just vague general terms??

But more importantly, pretty much all of us (yes, I know there are outliers) will get more forgetful as we age, and what will you do if (God forbid) you get beginning stages of dementia / Alzheimer's?

It might be a pain if someone found out my username and password to online forums such as these, but I'm really only concerned about someone hacking into my email account & banking / investment accounts. I'm thinking of buying an inexpensive Chromebook and using it EXCLUSIVELY when I need online access to my Fidelity & Vanguard investment accounts & the crypto/bitcoin exchanges I'm on. I would not use it for email or to log on to any other website, but again use it solely for online access to my investment accounts.

I'm considering Chromebook because a) they are cheap, and b) because I've been told that they are very basic computers with very little memory and are therefore very hard to hack & aren't very susceptible to malware. If anyone here is knowledgeable about Chromebooks and whether or not they would be good for what I'm proposing, I'd appreciate feedback.

retiredguy123
03-03-2025, 07:38 AM
Any reason why you can't discuss your method in just vague general terms??

But more importantly, pretty much all of us (yes, I know there are outliers) will get more forgetful as we age, and what will you do if (God forbid) you get beginning stages of dementia / Alzheimer's?

It might be a pain if someone found out my username and password to online forums such as these, but I'm really only concerned about someone hacking into my email account & banking / investment accounts. I'm thinking of buying an inexpensive Chromebook and using it EXCLUSIVELY when I need online access to my Fidelity & Vanguard investment accounts & the crypto/bitcoin exchanges I'm on. I would not use it for email or to log on to any other website, but again use it solely for online access to my investment accounts.

I'm considering Chromebook because a) they are cheap, and b) because I've been told that they are very basic computers with very little memory and are therefore very hard to hack & aren't very susceptible to malware. If anyone here is knowledgeable about Chromebooks and whether or not they would be good for what I'm proposing, I'd appreciate feedback.
Do you have the two-step verification turned on for your Vanguard and Fidelity accounts? If so, someone with your username and password cannot log in to your accounts without access to your cell phone. My cell phone requires my fingerprint to unlock it.

RoseyRed
03-03-2025, 08:12 AM
Any reason why you can't discuss your method in just vague general terms??

But more importantly, pretty much all of us (yes, I know there are outliers) will get more forgetful as we age, and what will you do if (God forbid) you get beginning stages of dementia / Alzheimer's?

It might be a pain if someone found out my username and password to online forums such as these, but I'm really only concerned about someone hacking into my email account & banking / investment accounts. I'm thinking of buying an inexpensive Chromebook and using it EXCLUSIVELY when I need online access to my Fidelity & Vanguard investment accounts & the crypto/bitcoin exchanges I'm on. I would not use it for email or to log on to any other website, but again use it solely for online access to my investment accounts.

I'm considering Chromebook because a) they are cheap, and b) because I've been told that they are very basic computers with very little memory and are therefore very hard to hack & aren't very susceptible to malware. If anyone here is knowledgeable about Chromebooks and whether or not they would be good for what I'm proposing, I'd appreciate feedback.
Online security methods that are selected boil down to an individual preference. I am not intentionally trying to be vague. I have found long drawn out details do not interest most people. A simple suggestion may prompt someone to research if it is something they are interested in and find the details on their own.