Do you use a password manager?

[Forsyth Jones]

Do you use a password manager for your online accounts, exchanges, 2FA and wallets?

Which one do you use and why? Share your experiences.

What do you think of closed-source password managers like 1Password?

And open-source ones like Keepass?

Here is a comparison of most password managers (I don't know if the list is up to date), which may help you in your choice.

[ABCbits]

Do you use a password manager for your online accounts, exchanges, 2FA and wallets?

Yes, although i don't store 2FA secret key or wallet on it.

Which one do you use and why? Share your experiences.

I use KeePassXC since it's available on Windows, Mac and Linux. Most Linux distro also provide it on their reposutory, so i also can install it easily using command such as apt-get install keepassxc.

What do you think of closed-source password managers like 1Password?

And open-source ones like Keepass?

I don't use closed-source ones, since it means they're less transparent and i need to trust them more. Although i don't have skill to read and understand KeePassXC code either.

[libert19]

Yes, I used to use Lastpass but moved my stuff from there when they were breached a while ago and now I am using offline password manager called Password safe [1], and make regular encrypted backups of data.

For 2FA stuff, I use Aegis authenticator [2].


[1] Password Safe

[2] Aegis Authenticator

[Forsyth Jones]

Yes, although i don't store 2FA secret key or wallet on it.

You can use a unique database.kbdx for your 2FA secret keys on another device to reduce attack vectors if you want, although the worst app for saving 2FA keys is Auth, I used it for many years, but today I use either Apple Passwords or KeePass itself.

I use KeePassXC since it's available on Windows, Mac and Linux. Most Linux distro also provide it on their reposutory, so i also can install it easily using command such as apt-get install keepassxc.

I also use keepassxc on Linux and Keepass2 on Windows, recently I started using Keepassxc on Windows too, it's fascinating to use biometrics to unlock the database and the browser extension!

Although these features are possible in keepass2 through plugins, it's always good to have this native in the keepassxc software.

One of the interesting features in Keepass2 is the fact that you can use a Trezor device as a key file through the challenge-response similar to the yubikey, however, to use the trezor as a key file you need to install a third-party plugin for this, but it works well. Installing a plugin means depending on third-party security, which I consider a disadvantage, however if it's open source it can be audited by the community.

I don't use closed-source ones, since it means they're less transparent and i need to trust them more. Although i don't have skill to read and understand KeePassXC code either.

I really don't see the point in using a proprietary password manager where you rely on third-party infrastructure and trust, although it does offer more convenience for those who are not tech-savvy.

In Keepass, besides being free and open source, we have all these features, including Passkeys in keepassxc.

Yes, I used to use Lastpass but moved my stuff from there when they were breached a while ago and now I am using offline password manager called Password safe [1], and make regular encrypted backups of data.

For 2FA stuff, I use Aegis authenticator [2].


[1] Password Safe

[2] Aegis Authenticator

I didn't know about Password Safe, and about this Aegis Authenticator, can I import/export my secret keys if I want to switch services? As far as I know, Auth sucks for this, although some services don't allow it for security reasons.

On the iPhone I use Strongbox, which is a version of Keepass for iOS, it's also open source and supports passwords, storing 2FA keys, attaching files, etc and has a very beautiful and sophisticated UI.

[libert19]

Yes, I used to use Lastpass but moved my stuff from there when they were breached a while ago and now I am using offline password manager called Password safe [1], and make regular encrypted backups of data.

For 2FA stuff, I use Aegis authenticator [2].


[1] Password Safe

[2] Aegis Authenticator

I didn't know about Password Safe, and about this Aegis Authenticator, can I import/export my secret keys if I want to switch services? As far as I know, Auth sucks for this, although some services don't allow it for security reasons.

Yes, you can export/import database.

This was major reason for my switch as Google authenticator didn't support backing up database then, and it was cumbersome to manually write entries each time I would switch a device.

[Lucius]

The only password manager I used was the one in the browser (Firefox), but only for a short time because I decided to trust myself more than any software in this regard. It's not that I don't understand the need for some people to use such programs, considering that they may have tens or hundreds of passwords, but I'm more in favor of the old-fashioned approach of storing them offline on paper.

In addition to multiple copies of such backups, which is logical, I protect myself additionally by having a part of each password that is saved separately (and is identical for all passwords), say something like a passphrase. In other words, even if someone finds all the passwords, they can't do any harm with them, because in addition to the key being in my head, it's also stored in an extra secure location.

[examplens]

The only password manager I used was the one in the browser (Firefox), but only for a short time because I decided to trust myself more than any software in this regard. It's not that I don't understand the need for some people to use such programs, considering that they may have tens or hundreds of passwords, but I'm more in favor of the old-fashioned approach of storing them offline on paper.

The same thing with me, with the fact that I use several different browsers and I have classified each one for different things. For example, in Opera I have login information for some important things like primary email, some of the exchanges etc... Firefox is the second level and there are some things related to work, while Chrome is the 3rd level and that includes everything else, accounts for various testing and the like, mostly without major risk.

[ABCbits]

Yes, although i don't store 2FA secret key or wallet on it.

You can use a unique database.kbdx for your 2FA secret keys on another device to reduce attack vectors if you want, although the worst app for saving 2FA keys is Auth, I used it for many years, but today I use either Apple Passwords or KeePass itself.

That's good point. Although i got used using 2FA application on mobile device, which also offer backup feature.

I don't use closed-source ones, since it means they're less transparent and i need to trust them more. Although i don't have skill to read and understand KeePassXC code either.

I really don't see the point in using a proprietary password manager where you rely on third-party infrastructure and trust, although it does offer more convenience for those who are not tech-savvy.

In Keepass, besides being free and open source, we have all these features, including Passkeys in keepassxc.

I also don't see the point either. But it's popular since they usually spend more money on advertising. As for convenience, i believe BitWarden offer similar convenience with proprietary ones. Although you still need to trust them, since you can't inspect code on their server.

[Lucius]

The only password manager I used was the one in the browser (Firefox), but only for a short time because I decided to trust myself more than any software in this regard. It's not that I don't understand the need for some people to use such programs, considering that they may have tens or hundreds of passwords, but I'm more in favor of the old-fashioned approach of storing them offline on paper.

The same thing with me, with the fact that I use several different browsers and I have classified each one for different things. For example, in Opera I have login information for some important things like primary email, some of the exchanges etc... Firefox is the second level and there are some things related to work, while Chrome is the 3rd level and that includes everything else, accounts for various testing and the like, mostly without major risk.

It already makes sense when we talk about risk reduction because not all passwords are found in one browser - but the vulnerabilities that are often discovered in most browsers just completely put me off using them as password managers. Somehow, it is much more logical (safer) for me that they are completely offline, although even with such storage I always have a certain fear that some keylogger will get into my system and somehow compromise every entered password.

Of course, such a possibility is minimal considering that I do not download any suspicious files and try to maintain the hygiene of the computer and online activities at the maximum level as possible.

[Husna QA]

-snip-
On the iPhone I use Strongbox, which is a version of Keepass for iOS, it's also open source and supports passwords, storing 2FA keys, attaching files, etc and has a very beautiful and sophisticated UI.

On the iPhone, I use the built-in Password feature from iOS. So far, it has been effective when I need to open certain accounts or applications that require a password; moreover, I often make password combinations randomly.

Meanwhile, for backup, I manually create an Excel file that is encrypted and stored on a special flash disk.

For some reason, I'm wary of using third-party password managers, especially after reading articles like the following:
https://thehackernews.com/2023/05/keepass-exploit-allows-attackers-to.html
https://www.coindesk.com/business/2023/10/30/lastpass-hack-victims-lose-44m-in-a-single-day/

[albon]

This is an application or software that creates and remembers different passwords for all your accounts. You just need to choose a strong password master password to enter the password manager and remember only that. User keeps all his data encrypted. As a result, even if the passwords are stored in the memory of the software then no person from that company can see them. 
The user original master password is usually not stored in the password manager memory. And it comes with two-factor-authentication. So any hacker would need to collect a variety of information to look at the information stored in your password manager.

[bitmover]

I use proton pass and Firefox password manager.

Both are good.

The  it is a very important password, I just add 2FA in another software  (aegis)

Everyone should use a password manager. You should use different passwords for every service  , so when a password leeks it doesn't compromise your other accounts.

[joniboini]

For some reason, I'm wary of using third-party password managers, especially after reading articles like the following:
https://thehackernews.com/2023/05/keepass-exploit-allows-attackers-to.html
https://www.coindesk.com/business/2023/10/30/lastpass-hack-victims-lose-44m-in-a-single-day/

I think the nature of the LastPass breach and KeePass exploit is quite different. At the very least, with Keepass the attacker has to gain access to our devices before they can exploit it. I believe we can manually anticipate these potential attacks and prepare accordingly, while we can't do much with using LastPass. I don't think it's a good idea to store your seedphrase on a password manager anyway. Btw, I use KeePass too, works well so far on my phone and PC. Still need to have decent awareness to avoid phishing links and so on though. CMIIW.

[Lucius]

~snip~
Everyone should use a password manager. You should use different passwords for every service  , so when a password leeks it doesn't compromise your other accounts.

What if all the data from the password manager leaks? In the event that you do not have 2FA on all created accounts, all but one of them are compromised - and that is the biggest risk of storing such data in one place. There are many examples of why it is bad to entrust the storage of passwords to such programs, in my opinion it is almost as unsafe as the storage of cryptocurrencies on CEXs.

[bitmover]

~snip~
Everyone should use a password manager. You should use different passwords for every service  , so when a password leeks it doesn't compromise your other accounts.

What if all the data from the password manager leaks? In the event that you do not have 2FA on all created accounts, all but one of them are compromised - and that is the biggest risk of storing such data in one place. There are many examples of why it is bad to entrust the storage of passwords to such programs, in my opinion it is almost as unsafe as the storage of cryptocurrencies on CEXs.

I have used nearly a thousand services, I can't save those passwords in my mind. 

Good services won't get hacked, and if they do I have 2fa of important services