Password Manager
Who uses them and which one do you use?
Do you feel they're safe? |
Thinking about getting one so following
|
I'm a new Mac user, so I now use the built-in Mac password manager. When I used Windows, I used the free version of "Last Pass" password manager for years. It works great, in my opinion.
|
I have used the free version of KeePass for many years. It stores the encrypted file on your computer and not in the cloud. I have a copy on my computer and on my iPhone. I can transfer the encrypted file directly from computer to iPhone without fear of interception. I do not trust something as sensitive and important to be in cloud storage even though the file is encrypted. Soon if not already AI will be able to attack cloud storage and encrypted files. Also if the cloud goes down you are SOL. Can't be overly paranoid when it comes to protecting keys to all you own.
|
For many years now, I have used 1Password. It is excellent and very robust. It will allow you to choose your own passwords at various sites, or it will suggest ones that it will remember for you and offer when you visit those sites. I also use Apple's Safari, so I go to Safari, Settings, Passwords and input some there at my most commonly visited sites so that my fingerprint or face biometrics will open the sites for me.
I have never had a problem. Hope this helps. |
There was another thread about this a while back. Someone on here recommended a password manager and explained why it is better than the one I've been using, which is RoboForm. Pretty informative thread. I've done a search under "password" to no avail. I think it might have been a thread that went off topic into password manager programs. Maybe someone on here will remember and give a link.
This isn't the exact one I was thinking of, but it might be helpful: https://www.talkofthevillages.com/fo...09/index2.html |
I've been using LastPass for years. I know there was some press about a breach, but it never affected anyone.
|
I do not trust anything that is online (aka cloud) storage, and I do not like local storage on my PC, so I have my own secret way of storing passwords which I will not give out on an open forum. There are ways to keep your passwords safe; I have over 100 currently.
|
Used Dashlane for years.
Password Manager for Home, Mobile and Business | Dashlane Dashlane reviews generally highlight its user-friendly interface, strong security features including dark web monitoring, cross-platform support and smooth password capture and autofill functionality, but often criticize its relatively high price point compared to competitors, with some noting that its free plan is too limited to be truly useful; overall, it's considered a good option for users seeking a comprehensive password manager with a focus on ease of use, but might not be the best value for budget-conscious users. |
This issue has been addressed before in a different manner and as a previous poster stated I also do not trust putting anything on the internet no matter how secure they claim to be. If the manager site is hacked, they will have access to all your information. What I don't understand is why you just don't keep all your passwords in an address book that you only have access to.
The last time I suggested that, someone said what if someone breaks into your house and finds the book. If that is your worry, put it in a place where no one will look. But let's be realistic: if someone breaks into your house, they're not going to waste their time looking for a book they don't even know exists. They're going for cash and jewelry. If you don't think hackers can't break into a password manager, a hacker from North Korea just got away with over a billion in Bitcoin. |
Everything is in the cloud these days, 20 years ago I was nervous about the cloud, haven’t been nervous for over 15 years now. How else are all of your devices kept in sync? When you have computers, phones, watches all accessing the same sites, you need a good way to sync all devices and a good password manager. Apple has had this functionality built in for over a decade. Plus now with facial recognition.
But what’s just as important is to turn on 2 phase authentication, and use a password that contains uppercase letters, special characters, numbers and is over 15 chars long. It will take a hundred years to crack it! If you are using Windows, just put your info on the web because it’s too easy to hack into. Linux and Apple are much harder to hack into. |
All the major password managers, cloud or otherwise, work roughly the same.
Your passwords are stored in an encrypted file, which requires your master password to decrypt. Some password managers only store the encrypted file on your computer, while others store it "in the cloud", which is far less likely to fail and is more convenient to access across devices, i.e. desktop, laptop, phone, etc. As long as your master password is sufficiently complex and not leaked, then your passwords are secure. This was proven when LastPass was compromised back in 2022. Note that when quantum computing matures, today's encrypted data will be easily decrypted. This is likely decades away and encryption will evolve in the meantime. Personally, I use Zoho Vault. It's free and the browser and mobile apps work well. Its encryption is not better or worse than the others. They store your encrypted passwords in the cloud, and you can directly download the encrypted file at any time. Zoho Vault can also store your 2FA TOTP codes and automatically fill them on websites. While this is convenient, it's less secure since your passwords and 2FA info will be in the same file. There are some passwords that I do not store including my email, computer, and phone credentials. For my master password and passwords that I do not store, I use unique pass phrases instead of passwords because they are easy to remember. To create a passphrase, pick four words that you can remember, but others will not guess. For example, villages-holeinone-golfing-today. This passphrase is sufficiently complex, easy to remember, and is not vulnerable to a simple dictionary attack. If you store sensitive information, then you can get a FIDO security key (actually multiple keys so you have a backup). With a FIDO key, your passwords cannot be decrypted without the physical key. You can also use it for multi-factor authentication on websites that support it. To summarize, using a password manager is far better than using the same password on multiple websites.
Pick a password manager that's easiest to use for you as they all basically use the same encryption. Consider using a pass phrase for your master password and a FIDO key (or passkey) for additional security. |
Lastpass. Family version. $4.00 / month - up to six users on that plan.
You can organize passwords. Share them securely. Generate them on demand. You never need to know or look up a password except for one that should be long, impossible to guess that is your master password for the password manager. Works with browsers and portable devices. You can also set a user who will temporarily get access in case of emergency or death. In somewhat rare cases, where the need for a password uses non-standard technology, e.g. disables paste operation, you can view a stored password and manually enter it. Those sites s*ck. Yes. It is secure. If you don't believe it, you have not researched how they do it, or are not sufficiently educated on encryption technology. It also will give you a score and flag poor or stolen passwords so that you can reset them. Start with the free trial to see if you like how it works. Then upgrade. Never make up a password again - except for a temporary one if you encounter one of the p*ss poor sites that don't manage passwords properly. Transfer whatever you have into it, then get rid of your hard / private copy. If you go with a family plan, you might have to push-urge-cajole your significant other, that is always too busy, to get with the program. Onepass has a great reputation. I have not used it. Trusting a browser cache or password manager is a bad strategy. Off-topic, slightly. Never trust public wifi's, for example, the kind you get in hotels. Expect that they will already be hacked. If you need to do something securely, either tether to your phone for access or use a VPN (virtual private network). You can set up VPNs to be used on demand. |
If it's a program (as are password managers), it can be hacked.
:mornincoffee: |
Password Complexity and Expiration
Quote:
|
Quote:
I assume you’re referring to the "LastPass security breach." LastPass, a widely used password manager, experienced significant security incidents, with the most notable and impactful occurring in 2022. Because of this, I don’t trust him anymore. Here are the details. The LastPass security breach unfolded in multiple stages throughout 2022, with the company disclosing critical updates over several months. It began in August 2022 when LastPass announced that an unauthorized party had accessed portions of its development environment, stealing source code and proprietary technical information. At the time, the company assured users that no customer data or encrypted password vaults were compromised, and the breach was contained within the development environment, which was separate from production systems holding sensitive user data. However, the situation escalated in November 2022 when LastPass revealed a second related incident. Using information stolen in the August breach, the attacker gained access to a third-party cloud storage service that LastPass used to store backups of customer data. By December 22, 2022, the company confirmed that this breach was far more severe than initially suggested. The attacker had copied a backup of customer vault data, which included both unencrypted data—such as website URLs—and encrypted sensitive fields, like usernames, passwords, secure notes, and form-filled data. Additionally, basic account information such as names, email addresses, billing addresses, phone numbers, and IP addresses was stolen. The encrypted data was protected by 256-bit AES encryption and could only be decrypted with each user’s unique master password, which LastPass does not store or have access to due to its zero-knowledge architecture. Further details emerged in March 2023, when LastPass provided a comprehensive update. 
The attacker had targeted a senior DevOps engineer’s home computer, exploiting a vulnerability in third-party media software (suspected to be Plex) to install keylogger malware. This allowed the attacker to capture the engineer’s master password after they authenticated with multi-factor authentication (MFA), granting access to the engineer’s corporate LastPass vault. From there, the attacker obtained decryption keys for the cloud storage backups, enabling them to access and exfiltrate the sensitive customer data. This incident highlighted a sophisticated, multi-step attack that leveraged both the initial breach and social engineering tactics. The fallout from this breach has been significant and ongoing. While LastPass maintained that users with strong, unique master passwords adhering to its defaults (at least 12 characters and 100,100 iterations of PBKDF2 hashing) were secure—claiming it would take millions of years to crack such passwords with current technology—experts raised concerns. If users had weak or reused master passwords, especially from prior breaches available on the dark web, their vaults could be vulnerable to brute-force attacks. This led to widespread recommendations for users to change all passwords stored in LastPass and consider switching to alternative password managers like 1Password or Bitwarden, which have not reported similar breaches. The breach’s impact extended beyond immediate data loss. In late 2024, reports surfaced linking the stolen LastPass data to cryptocurrency thefts. Blockchain investigators, such as ZachXBT, claimed that hackers using the 2022 breach data stole millions in crypto assets, with over $5 million reportedly taken in December 2024 alone and a total exceeding $12 million across multiple incidents. These attacks targeted users who had stored crypto seed phrases or keys in their LastPass vaults, exploiting the encrypted data once decrypted with compromised master passwords. 
LastPass responded by enhancing security measures, including rebuilding its development environment, rotating credentials, and enforcing stricter master password requirements (e.g., a 12-character minimum for all users by January 2024). The company also spun off from its parent company, GoTo, in 2024, aiming to rebuild trust under new leadership. However, its handling of the breach—marked by delayed and piecemeal disclosures—drew criticism from users and security experts, damaging its reputation. Many questioned the company’s transparency and its ability to protect sensitive data, especially given prior incidents in 2011, 2015, and earlier in 2022. In summary, the LastPass security breach of 2022 was a complex, multi-phase attack that compromised user data through a combination of stolen source code, cloud storage access, and a targeted keylogger attack on an employee. While encrypted data remained secure for users with strong master passwords, the breach exposed vulnerabilities in LastPass’s infrastructure and response strategy, leading to long-term consequences like crypto thefts and a loss of user trust. If you’re a LastPass user, it’s wise to ensure your master password is robust, rotate sensitive credentials, and monitor for any suspicious activity. |
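An added example, not part of the post above: it uses the PBKDF2 iteration count quoted there (100,100) to show what key stretching costs a legitimate login and how the master password's entropy sets the worst-case search time for a stolen vault. The attacker throughput, the alphabet and word-list sizes, and all function names are assumptions chosen for illustration.

```python
import hashlib
import math
import time

# Iteration count quoted in the post above; everything else is an assumption.
PBKDF2_ITERATIONS = 100_100
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed attacker throughput in HMAC-SHA256 calls per second (illustrative).
ASSUMED_PRF_RATE = 1e10


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent, uniformly random picks."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits: float, prf_calls_per_second: float,
                     iterations: int = PBKDF2_ITERATIONS) -> float:
    """Worst-case search time; every guess costs `iterations` PRF calls."""
    guesses_per_second = prf_calls_per_second / iterations
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def measure_derivation_seconds(iterations: int = PBKDF2_ITERATIONS) -> float:
    """Time one derivation on this machine (the cost of a normal unlock)."""
    start = time.perf_counter()
    derive_vault_key("constructed-sample-passphrase", b"\x00" * 16, iterations)
    return time.perf_counter() - start


# Constructed comparison set: each entry assumes the secret was generated
# at random, which is the only case where this entropy figure holds.
CANDIDATES = {
    "8 random lowercase letters/digits": entropy_bits(36, 8),
    "12 random printable ASCII chars": entropy_bits(94, 12),
    "4 random words from a 7,776-word list": entropy_bits(7776, 4),
    "20 random letters/digits": entropy_bits(62, 20),
}


def report() -> dict:
    """Map each candidate to its worst-case years at the assumed rate."""
    return {name: years_to_exhaust(bits, ASSUMED_PRF_RATE)
            for name, bits in CANDIDATES.items()}


if __name__ == "__main__":
    print(f"one derivation: {measure_derivation_seconds():.3f} s")
    for name, years in report().items():
        print(f"{name:40s} {CANDIDATES[name]:6.1f} bits  ~{years:.3g} years")
```

These figures apply only to randomly generated secrets: a master password that is reused or already present in a leaked list is tried first, and the iteration count does not help there.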
Ditto for 1Password
Quote:
|
Quote:
What I will tell you is that as an extra safety measure, I don't put the last 4 characters of my financial accounts into the password manager - just in case of hacking. Every account has a different password, but my financial accounts all end in the last 4 characters which is not in the password manager. I have no idea what my passwords are. Of course, use 2-factor verification on financial accounts if possible too. |
Thank you for taking the time to provide such a thorough and comprehensive response. Do you have a recommendation for iOS users?
|
About 2 years ago my FB account got hacked and I needed to change 100+ passwords on different websites and apps. At the time I was using 2 different passwords 8 digits long and now that I use the Apple Password app they’ve all been changed to 20 digits of random numbers and letters, all unique and never repeated twice. So yes….I do feel much more secure. I could never remember all those logins on my own without the program. Oh and you HAVE to use the facial recognition to get into it. Another layer of security.
|
Nord Pass
Have you listened to the tech guru Kim Komando on the radio? She recommends Nord Pass for storing passwords. Has anyone ever used Nord Pass? If you have I would appreciate hearing what you think of it and your experience. Thanks !!!
|
Quote:
2-factor verification or FIDO passkey is the answer here for your high security sites like your finances. Enable 2-factor verification in Google, too. Use different email account and computer for finances/high security. Use of password manager is personal preference, use answers given prior to help choose one and use their password generator to get secure random passwords. Nothing is totally secure. But you can be sufficiently safe for now if you are careful. Just do not make obvious security mistakes. |
Everything has risks.
An important consideration for our age group is how do your heirs get access to your important accounts when you pass. Or should a medical condition impair your ability to remember how to get to your passwords. So be sure someone you trust knows how to access your accounts. The major password managers provide secure methods to do so. |
Bitwarden Password Vault
Quote:
It's free. I've never paid for it. Get it on Google Play or the iPhone app store. |
I keep all my passwords on a spreadsheet on a thumb drive. There are several apps and accounts that require me to change the password every 90 days. I don't know how these password managers handle that. If you get one that says you have to change it, it requires that you manually enter the current password. If you don't know what it is - you're outta luck.
|
Quote:
When you need to change your password the password manager inserts your old password - that's what a password manager does. When you are asked for a new password, most of the password managers will offer to generate one for you. When you hit the submit button the password manager will ask if you want to update your stored password. |
A Disney employee, Van Andel, a middle aged father of two, used 1Password and his work computer was hacked. And he had 3 types of malware detectors on both his work and home computers. All his digital details were posted on line so that his identity could be stolen by anyone, and it was. He lost his job, he was faced with a huge debt and is literally fighting to get his life back.
‘The breach upended Van Andel’s life. The hacker stole his credit-card numbers and racked up bills—and leaked his account login details, including those to financial accounts. The attacker published Van Andel’s personal information online, ranging from his Social Security number to login credentials that could be used to access Ring cameras within his home.’ Then WSJ published an article as to what can be done to avoid what happened to Van Andel: ‘How to Keep Hackers From Destroying Your Digital Life A few digital hygiene measures can help secure online accounts and passwords.’ By Robert McMillan Feb 27, 2025 Wall Street Journal The article emphasizes two-factor identification, one on a physical device like phone etc. biometric is best. |
My recommendation
Quote:
|
Quote:
|
Quote:
According to reporting, he downloaded an AI tool that happened to include malware. The malware stole information from his machine including his keystrokes as he typed his 1Password login and password. Once they had the 1Password login information they had all his other logins and passwords too. Two quick takeaways: Be careful about what software you download and make use of 2FA. |
Quote:
You need to keep your passwords somewhere that isn't under the keyboard, on your computer, in the cloud, basically only accessible to you alone. What I find is the easiest method is to find a password that is long, easy to remember, and variable. Typically you make it with 2 pieces of information no one would ever know or think of. For example - grandpa's middle name (as long as it's not in your name) + a series of characters or numbers + maybe your favorite packer's nickname. Just an example, but you should strive for at least 8-12 characters. That would cover just about any website password. As for your computer and phone, both different and neither of them your other password. Also, with that example design make 3 of them. That's really all you need.... If you need it for porn sites then just PM me LOL that's an entirely different art form. |