Talk of The Villages Florida - Rentals, Entertainment & More
#16
Everything is in the cloud these days. Twenty years ago I was nervous about the cloud, but I haven’t been nervous for over 15 years now. How else are all of your devices kept in sync? When you have computers, phones, and watches all accessing the same sites, you need a good way to sync all devices and a good password manager. Apple has had this functionality built in for over a decade. Plus now with facial recognition.
But what’s just as important is to turn on 2-phase authentication, and use a password that contains uppercase letters, special characters, and numbers and is over 15 chars long. It will take a hundred years to crack it! If you are using Windows, just put your info on the web because it’s too easy to hack into. Linux and Apple are much harder to hack into.
#17
All the major password managers, cloud or otherwise, work roughly the same.
Your passwords are stored in an encrypted file, which requires your master password to decrypt. Some password managers only store the encrypted file on your computer, while others store it "in the cloud", which is far less likely to fail and is more convenient to access across devices, i.e. desktop, laptop, phone, etc. As long as your master password is sufficiently complex and not leaked, then your passwords are secure. This was proven when LastPass was compromised back in 2022. Note that when quantum computing matures, today's encrypted data will be easily decrypted. This is likely decades away and encryption will evolve in the meantime. Personally, I use Zoho Vault. It's free and the browser and mobile apps work well. Its encryption is not better or worse than the others. They store your encrypted passwords in the cloud, and you can directly download the encrypted file at any time. Zoho Vault can also store your 2FA TOTP codes and automatically fill them on websites. While this is convenient, it's less secure since your passwords and 2FA info will be in the same file. There are some passwords that I do not store, including my email, computer, and phone credentials. For my master password and passwords that I do not store, I use unique passphrases instead of passwords because they are easy to remember. To create a passphrase, pick four words that you can remember, but others will not guess. For example, villages-holeinone-golfing-today. This passphrase is sufficiently complex, easy to remember, and is not vulnerable to a simple dictionary attack. If you store sensitive information, then you can get a FIDO security key (actually multiple keys so you have a backup). With a FIDO key, your passwords cannot be decrypted without the physical key. You can also use it for multi-factor authentication on websites that support it. To summarize, using a password manager is far better than using the same password on multiple websites.
Pick a password manager that's easiest to use for you, as they all basically use the same encryption. Consider using a passphrase for your master password and a FIDO key (or passkey) for additional security. Last edited by kkimball; 02-28-2025 at 06:05 AM.
#18
Lastpass. Family version. $4.00 / month - up to six users on that plan.
You can organize passwords. Share them securely. Generate them on demand. You never need to know or look up a password except for one that should be long and impossible to guess: your master password for the password manager. Works with browsers and portable devices. You can also set a user who will temporarily get access in case of emergency or death. In somewhat rare cases, where the need for a password uses non-standard technology, e.g. disables the paste operation, you can view a stored password and manually enter it. Those sites s*ck. Yes. It is secure. If you don't believe it, you have not researched how they do it, or are not sufficiently educated on encryption technology. It also will give you a score and flag poor or stolen passwords so that you can reset them. Start with the free trial to see if you like how it works. Then upgrade. Never make up a password again - except for a temporary one if you encounter one of the p*ss poor sites that don't manage passwords properly. Transfer whatever you have into it, then get rid of your hard / private copy. If you go with a family plan, you might have to push-urge-cajole your significant other, who is always too busy, to get with the program. Onepass has a great reputation. I have not used it. Trusting a browser cache or password manager is a bad strategy. Off-topic, slightly. Never trust public wifi, for example, the kind you get in hotels. Expect that it will already be hacked. If you need to do something securely, either tether to your phone for access or use a VPN (virtual private network). You can set up VPNs to be used on demand.
#20
I DO use a cloud-based password manager that syncs across all of my devices: Android, iOS, and Windows. Would any of us need a password manager if every organization would subscribe to the NIST (National Institute for Standards and Technology) Password Guidelines? Among other things, the guidelines suggest long, complex passwords that do not expire. Coupling a short password age with many characters forces either a paper- or technology-based password management solution. Each of us could come up with a long phrase to use as a password that might include the abbreviated title of your favorite movie that you concatenate with other data elements. Prepend this with the website name: Amazon, SECO, or Delta to yield a long, complex password that never needs to change. No paper or password manager necessary. Never in my lifetime, I’m afraid!
#21
I assume you’re referring to the "LastPass security breach." LastPass, a widely used password manager, experienced significant security incidents, with the most notable and impactful occurring in 2022. Because of this, I don’t trust him anymore. Here are the details. The LastPass security breach unfolded in multiple stages throughout 2022, with the company disclosing critical updates over several months. It began in August 2022 when LastPass announced that an unauthorized party had accessed portions of its development environment, stealing source code and proprietary technical information. At the time, the company assured users that no customer data or encrypted password vaults were compromised, and the breach was contained within the development environment, which was separate from production systems holding sensitive user data. However, the situation escalated in November 2022 when LastPass revealed a second related incident. Using information stolen in the August breach, the attacker gained access to a third-party cloud storage service that LastPass used to store backups of customer data. By December 22, 2022, the company confirmed that this breach was far more severe than initially suggested. The attacker had copied a backup of customer vault data, which included both unencrypted data—such as website URLs—and encrypted sensitive fields, like usernames, passwords, secure notes, and form-filled data. Additionally, basic account information such as names, email addresses, billing addresses, phone numbers, and IP addresses was stolen. The encrypted data was protected by 256-bit AES encryption and could only be decrypted with each user’s unique master password, which LastPass does not store or have access to due to its zero-knowledge architecture. Further details emerged in March 2023, when LastPass provided a comprehensive update. 
The attacker had targeted a senior DevOps engineer’s home computer, exploiting a vulnerability in third-party media software (suspected to be Plex) to install keylogger malware. This allowed the attacker to capture the engineer’s master password after they authenticated with multi-factor authentication (MFA), granting access to the engineer’s corporate LastPass vault. From there, the attacker obtained decryption keys for the cloud storage backups, enabling them to access and exfiltrate the sensitive customer data. This incident highlighted a sophisticated, multi-step attack that leveraged both the initial breach and social engineering tactics. The fallout from this breach has been significant and ongoing. While LastPass maintained that users with strong, unique master passwords adhering to its defaults (at least 12 characters and 100,100 iterations of PBKDF2 hashing) were secure—claiming it would take millions of years to crack such passwords with current technology—experts raised concerns. If users had weak or reused master passwords, especially from prior breaches available on the dark web, their vaults could be vulnerable to brute-force attacks. This led to widespread recommendations for users to change all passwords stored in LastPass and consider switching to alternative password managers like 1Password or Bitwarden, which have not reported similar breaches. The breach’s impact extended beyond immediate data loss. In late 2024, reports surfaced linking the stolen LastPass data to cryptocurrency thefts. Blockchain investigators, such as ZachXBT, claimed that hackers using the 2022 breach data stole millions in crypto assets, with over $5 million reportedly taken in December 2024 alone and a total exceeding $12 million across multiple incidents. These attacks targeted users who had stored crypto seed phrases or keys in their LastPass vaults, exploiting the encrypted data once decrypted with compromised master passwords. 
LastPass responded by enhancing security measures, including rebuilding its development environment, rotating credentials, and enforcing stricter master password requirements (e.g., a 12-character minimum for all users by January 2024). The company also spun off from its parent company, GoTo, in 2024, aiming to rebuild trust under new leadership. However, its handling of the breach—marked by delayed and piecemeal disclosures—drew criticism from users and security experts, damaging its reputation. Many questioned the company’s transparency and its ability to protect sensitive data, especially given prior incidents in 2011, 2015, and earlier in 2022. In summary, the LastPass security breach of 2022 was a complex, multi-phase attack that compromised user data through a combination of stolen source code, cloud storage access, and a targeted keylogger attack on an employee. While encrypted data remained secure for users with strong master passwords, the breach exposed vulnerabilities in LastPass’s infrastructure and response strategy, leading to long-term consequences like crypto thefts and a loss of user trust. If you’re a LastPass user, it’s wise to ensure your master password is robust, rotate sensitive credentials, and monitor for any suspicious activity.
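The two points made in #17 (the vault is an encrypted file that only the master password can open, and a four-word passphrase resists a simple dictionary attack) and in #21 (each guess at the master password costs 100,100 PBKDF2 iterations, so a weak or reused master password is the real exposure) can be seen in a small model. The following is an added example written for this thread; it is not code from LastPass, Zoho Vault, 1Password or any other product mentioned here. It assumes an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in for AES-256 so that it runs on the Python standard library alone, a constructed set of vault entries, and a 7776-word list as the size of the passphrase dictionary.

```python
"""Toy model of a cloud-synced password-manager vault (added example, not any
product's code). It shows the two properties the posts rely on: the stored
file is useless without the master password, and every guess at that password
costs the PBKDF2 iteration count. AES-256 is replaced by an HMAC-SHA256
counter-mode keystream plus an HMAC tag; that substitution is an assumption
of this example, not how any product works."""
import hashlib
import hmac
import json
import math
import os
import struct
from typing import Any, Dict, Optional, Tuple

ITERATIONS = 100_100          # PBKDF2 iteration count quoted in post #21
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_keys(master_password: str, salt: bytes,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a
    32-byte tag key. The salt is stored beside the vault; it is not secret."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: Dict[str, str],
               iterations: int = ITERATIONS) -> Dict[str, Any]:
    """Encrypt-then-MAC the entries. Everything returned may be stored in the
    cloud; nothing in it reveals the entries without the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, vault: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return the entries, or None when the master password is wrong or the
    file was altered. The tag is verified before anything is decrypted, so a
    wrong password never yields garbage that looks like a vault."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ciphertext"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, int(vault["iterations"]))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words chosen at random from a list
    of `wordlist_size` words (the four-word phrase described in post #17)."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, hashes_per_second: float,
                     iterations: int = ITERATIONS) -> float:
    """Years to try every candidate when each guess costs `iterations` PBKDF2
    rounds; the iteration count divides the attacker's guess rate directly."""
    return (2 ** bits) * iterations / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample entries, not anyone's real credentials.
    entries = {"example.test": "correct-horse-battery", "bank.example": "Tr0ub4dor&3"}
    master = "villages-holeinone-golfing-today"       # the passphrase from post #17
    vault = seal_vault(master, entries)
    print("correct password ->", open_vault(master, vault))
    print("wrong password   ->", open_vault("villages-holeinone-golfing-tomorrow", vault))
    bits = passphrase_bits(4, 7776)                    # 7776-word list size is assumed
    print(f"four-word passphrase: {bits:.1f} bits; "
          f"{years_to_exhaust(bits, 1e9):.0f} years at 1e9 SHA-256/s")
```

The salt, nonce, iteration count and ciphertext are exactly what a cloud sync would hold, and a copied backup gives an attacker nothing but the chance to run `derive_keys` once per guess; that is why #21's "millions of years" figure holds only for a master password with real entropy, while a master password reused from an earlier breach is a single guess regardless of the iteration count.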
#23
What I will tell you is that as an extra safety measure, I don't put the last 4 characters of my financial accounts into the password manager - just in case of hacking. Every account has a different password, but my financial accounts all end in the last 4 characters which is not in the password manager. I have no idea what my passwords are. Of course, use 2-factor verification on financial accounts if possible too.
#25
About 2 years ago my FB account got hacked and I needed to change 100+ passwords on different websites and apps. At the time I was using 2 different passwords 8 digits long, and now that I use the Apple Password app they’ve all been changed to 20 digits of random numbers and letters, all unique and never repeated twice. So yes….I do feel much more secure. I could never remember all those logins on my own without the program. Oh, and you HAVE to use the facial recognition to get into it. Another layer of security.
#26
Have you listened to the tech guru Kim Komando on the radio? She recommends Nord Pass for storing passwords. Has anyone ever used Nord Pass? If you have, I would appreciate hearing what you think of it and your experience. Thanks!!!
#27
2-factor verification or a FIDO passkey is the answer here for your high security sites like your finances. Enable 2-factor verification in Google, too. Use a different email account and computer for finances/high security. Use of a password manager is personal preference; use the answers given prior to help choose one and use their password generator to get secure random passwords. Nothing is totally secure. But you can be sufficiently safe for now if you are careful. Just do not make obvious security mistakes.
#28
Everything has risks.
An important consideration for our age group is how your heirs get access to your important accounts when you pass, or should a medical condition impair your ability to remember how to get to your passwords. So be sure someone you trust knows how to access your accounts. The major password managers provide secure methods to do so.
#29
I have been very satisfied using 1Password for many years. One of its many features is that it is supported and synchronized on all smartphone, notebook, and computer platforms.
#30
It's free. I've never paid for it. Get it on Google Play or the iPhone app store.