# Password storage sites



## couchman (Oct 10, 2013)

Does anyone use password storage sites so that you can store all your passwords? If so, which ones are you happy with?


----------



## Spudd (Oct 11, 2011)

I use and like Lastpass.


----------



## sags (May 15, 2010)

I keep a ledger at home..........probably not the most secure, but neither is the internet or a computer linked to it these days.

I wouldn't trust passwords to a software program or any online service.

If someone shows up on CMF forum under the "sags" moniker asking how to invest $1,000,000 safely.............trust me.............it isn't me.


----------



## 6811 (Jan 1, 2013)

Like Sags I don't trust that kind of service and keep my passwords in a pass-worded local storage file. The only passwords I really have to remember are it and my computer log on.


----------



## Synergy (Mar 18, 2013)

I've never used it myself, but I believe there have been threads about 1password on CMF.

FYI - Lastpass vs 1password:



> - LastPass stores your passwords (encrypted) in an online database.
> - 1Password stores your passwords (encrypted) on your computer in a file/directory called 1Password.agilekeychain, so your passwords are stored offline.


Personally I store all my passwords on Password Keeper on my phone.


----------



## nathan79 (Feb 21, 2011)

Firefox allows you to use a master password. I've never tried it though.

I keep my passwords in my wallet. That way they're always with me, and in the unlikely event my wallet is stolen I'll know to change my passwords immediately. 

If your passwords are in a file on your computer or in the cloud, it could be compromised for weeks before you become aware.


----------



## MrRoboto (Nov 28, 2009)

I've decided on using Keepass for myself. Unless you're a photographic-memory savant it's the most secure way to create/manage passwords. You use the program to create an encrypted master file you save on your computer which will be your password database. You choose the password for this master file and it's the only one you need to remember. No other parties are able to access/recover this file unless they get that password (even the creator of the software). It is because of this fact I chose it over services similar to Lastpass whose staff or anyone who compromised their system could conceivably have access to your password files.

Downsides are that if you forget that master password you're up the creek, you'll have to contact all your account providers and have your passwords reset. You also have to manage the master file (I save it on my computer, on my usb stick, my phone and Dropbox). My master password is complex enough and I change it regularly so I'm comfortable having the file on Dropbox. Once a month I use Keepass to generate new passwords for my online banking, email account (see note at the end) and the master password itself. Last bit, make that master password powerful. If you're using something like MyPa$$wordz112 that's not great, that's actually a relatively weak password. In fact, "*that,s actually a relatively we1234ak password*" is a great password, it's hugely stronger and easier to remember. Ref this useful explanation Password Strength.





As a side note, it is incredibly important to change that email password, almost more so than your online banking. The majority of online services, including banking, allow anyone to reset your password through the reset password option. All they need to know is your login name (usually bank card number) and a few random details about your life (youngest sibling's name, town high school was in, etc.) which are "security questions". Then if they have access to your email, they have your new password and full access to the target account. Turn that feature off if your online service allows it.


----------



## m3s (Apr 3, 2010)

MrRoboto said:


> As a side note, it is incredibly important to change that email password, almost more so than your online banking. The majority of online services, including banking, allow anyone to reset your password through the reset password option. All they need to know is your login name (usually bank card number) and a few random details about your life (youngest sibling's name, town high school was in, etc.) which are "security questions".


Yes, your email password should be considered the gatekeeper of the rest. It should have a unique password and ideally two-factor verification (Google Authenticator, SMS, or physical device). Google Authenticator is better imo as it doesn't require a mobile network, and any good email account will lock you out in random countries. I'm surprised the Canadian banks don't offer two-factor verification yet because it is fairly standard in US and Europe.

As far as having your encrypted data on Dropbox, that is not exactly safer for all the hassle you're going through. Encryption is meant to protect time sensitive data while in transit. It is known that encrypted data can be hacked given enough time and effort. NSA can probably break it the fastest, anyone else just needs computing power (which can be crowd sourced or hacked online). Two-factor verification is more robust and much easier to use imo.

I use two-factor verification for my 2 email accounts, interactive brokers, euro chequing, Facebook and iCloud. You only have to use it on new devices or IP addresses (travelling etc) and everything online can be protected under these accounts. Without the physical device (phone or code) your email is locked. Most of these leaked images online were hacked through the weak "security questions" method.


----------



## Pluto (Sep 12, 2013)

I just use keepass portable on my desktop.

If you want off site storage, you can put a copy on a usb drive and store that somewhere else.


----------



## Woz (Sep 5, 2013)

+1 for Keepass

I’m reluctant to use online password storage sites because it seems like a prime target for anyone trying to hack a large database of passwords. I also like that keepass is open source.

I don’t think there’s any password storage that’s uncrackable, but anything you can do to make your passwords more difficult than the average person reduces your chances of getting hacked. You don’t need to run faster than the bear to get away. You just need to be able to run faster than the guy next to you.


----------



## m3s (Apr 3, 2010)

Using encryption is more like outrunning the others, and past more bears, after lathering up in honey and bbq sauce! :tongue: Encrypted data is perceived as a more lucrative target, and likely a jackpot of all your eggs in one basket.

Far more money is spent on decryption than will ever be spent on encryption. How much do you pay for these encryption services?.. Nothing?.. Encryption is used by professionals to protect time sensitive information in transit

Anything you want safeguarded should be on a standalone computer or usb stick


----------



## Beaver101 (Nov 14, 2011)

sags said:


> I *keep a ledger* at home..........probably not the most secure, but neither is the internet or a computer linked to it these days.
> 
> I wouldn't trust passwords to a software program or any online service.
> 
> ... it isn't me.


 ... + 1 .. simple, cheap, and works.


----------



## Barwelle (Feb 23, 2011)

I don't think I would ever use digital anything to store passwords... even if it's stored locally on your computer, it can be found.



sags said:


> I keep a ledger at home..........probably not the most secure, but neither is the internet or a computer linked to it these days.


That's probably the best way IMHO. Something I'll be doing eventually as I keep adding new accounts here and there. One thing, if you want to make that more secure when writing down the password, is to use a code or abbreviation that would jog your memory. That way, if someone gets a hold of your list, they still don't have the actual password.

i.e. if your password is blackfish29, write down bf2.

May be over-the-top, but you never know...


----------



## Pluto (Sep 12, 2013)

Barwelle said:


> I don't think I would ever use digital anything to store passwords... even if it's stored locally on your computer, it can be found.
> 
> 
> 
> ...


Yeah, and maybe throw in a character like \*: so you get, blackfish29\*, or black!fish29. But don't write down the \*, or ! in your ledger. Adding just one of those characters strengthens the password immensely.


----------



## dave2012 (Feb 17, 2012)

I used to use Roboform back in my archaic days on Windoze. Roboform was pretty decent. Now we have been using 1Password for a few years. It's great. Stores locally but also allows you to sync with all your other devices when on the same WIFI. I have an iMac, Macbook, 2 iPads, iPhone... nice not having to worry about updating each device.


----------



## lawyerandover (Dec 22, 2014)

*Password storage site*

Hi Everyone 

Anyone know password storage sites? Please help me.


----------



## agent99 (Sep 11, 2013)

Spudd said:


> I use and like Lastpass.


Resurrecting an old thread!

Some of you that use Last Pass will have received an email from them saying that the FREE version will only work on one type of device after mid-March. If you want to add your phone or maybe a tablet then you need to pay something like $3/month


> Leading up to these changes, you can *upgrade to Premium* at a limited-time discounted rate of _$2.25 per month, billed annually (~~$36~~ $27/year)._




I couldn't see paying that for the few times I use my phone for internet access. 

Saw discussion on Reddit r/lastpass. Many are moving to Bitwarden. It is free and has no restrictions. Also highly rated for security. Big plus is that all you need to do is:
1. export your Lastpass data as a csv file (click on lastpass icon in browser and it provides that option)
2. Go to Bitwarden site and open an account. 
3. Import the Lastpass csv file. 
Now it will work seamlessly on your PC.
On phone, install the Bitwarden app and log-in. You are done!
Uninstall Lastpass from PC and phone.


----------



## AltaRed (Jun 8, 2009)

There has been some forum discussion elsewhere on Bitwarden as well, with good reviews. Seems like a good fit for many.

I have been on LastPass premium across my devices for some time now and have no desire to change. I have over 100 accounts and passwords 'stored'.


----------



## fireseeker (Jul 24, 2017)

agent99 said:


> Resurrecting an old thread!
> 
> Some of you that use Last Pass will have received an email from them saying that the FREE version will only work on one type of device after mid-March. If you want to add your phone or maybe a tablet then you need to pay something like $3/month


I use LP and received the message about the service degradation.

As it happens, I had been thinking about signing up for pay plan anyway. One reason was that I wanted to add my S/O to the vault. Another is that I subscribe to the theory that if you're not paying for a product, then you are the product.

I have been happy with LastPass. I can't imagine trying to use it on only one type of device. Bitwarden sounds like a good option, but I'm happy to pay for this service.


----------



## agent99 (Sep 11, 2013)

fireseeker said:


> As it happens, I had been thinking about signing up for pay plan anyway. One reason was that I wanted to add my S/O to the vault.


One thing I noticed, is that Premium plan is for only one user. The family plan is US$36/yr if you sign up now but otherwise will be US$48/yr. Or about C$64!


----------



## fireseeker (Jul 24, 2017)

agent99 said:


> One thing I noticed, is that Premium plan is for only one user. The family plan is US$36/yr if you sign up now but otherwise will be US$48/yr. Or about C$64!


Yes, it's the $64 decision.

OOH, it seems like an outrageous price to pay for something intangible that used to be free.
OTOH, it's also the equivalent of these things:

- one nice lunch for two (no drinks)
- 10 Big Coffee Chain Frappalattes
- six online stock trades
- 17 cents a day

Given that I use a password manager every day -- in fact, multiple times every day -- and given that in paying for it I can access the vault anywhere in the world, on any device at any time of day, I think it's a bargain.


----------



## agent99 (Sep 11, 2013)

fireseeker said:


> Yes, it's the $64 decision.
> I think it's a bargain.


Bitwarden seems to be too! At $0  

It worked right away. Just a bit of learning curve to understand the browser extensions and some other less obvious "features"


----------



## Retiredguy (Jul 24, 2013)

fireseeker said:


> Yes, it's the $64 decision.
> 
> OOH, it seems like an outrageous price to pay for something intangible that used to be free.
> OTOH, it's also the equivalent of these things:
> ...


You must be a politician. They all say...it's just a cup of coffee a day when they want to raise our taxes or fees. LOL !


----------



## Retired Peasant (Apr 22, 2013)

I don't use a tech based password manager, but saw this on another forum...
1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?


----------



## m3s (Apr 3, 2010)

agent99 said:


> Bitwarden seems to be too! At $0


I also use the free Bitwarden. Even premium is only $10/year. I do have a FIDO U2F device so I may upgrade at some point

LastPass has been breached multiple times so I wouldn't pay $64 more for that


----------



## AltaRed (Jun 8, 2009)

m3s said:


> I also use the free Bitwarden. Even premium is only $10/year. I do have a FIDO U2F device so I may upgrade at some point
> 
> LastPass has been breached multiple times so I wouldn't pay $64 more for that


To be fair, it has been breached a few times, with user login data, not the encrypted databases that keep user account password data. Everyone has their own pet password manager and pet peeves about one or the other but that simply detracts from the need for everyone to use a good password manager to manage the dozens/hundreds of account passwords.


----------



## sags (May 15, 2010)

I received a warning from Google yesterday about a gmail email account on Walmart.

Google recommended changing the password or deleting the Walmart account. I deleted the Walmart account.


----------



## m3s (Apr 3, 2010)

AltaRed said:


> To be fair, it has been breached a few times, with user login data, not the encrypted databases that keep user account password data.


I may not understand, but doesn't login data decrypt the encrypted data?

Either way, everyone needs to get used to using real 2FA. The benefit of a password manager is that a data breach doesn't uncover the password to all your accounts

The irony of a password manager data breach


----------



## AltaRed (Jun 8, 2009)

No. It does not decrypt the encrypted data. LastPass themselves cannot access this encrypted data and that was thoroughly explained in the last login data breach.

I agree with 2FA for all these things but regardless, I have a lengthy 20+ character password for LastPass itself that only I could possibly remember.


----------
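The distinction argued over in the two posts above, as an added example that is not part of the original thread and is not LastPass's or Bitwarden's code: a sketch of the common design in which the master password yields two different values, a vault key that stays on the device and a login hash that is sent to the service. The function names, the iteration count and the HMAC-based stand-in cipher (used so the example needs only the standard library) are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor (assumption, not a vendor setting)


def pbkdf2(secret: bytes, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, rounds, dklen=32)


def client_derive(master_password: str, email: str):
    """Runs on the user's device. Returns (vault_key, login_hash)."""
    pw = master_password.encode()
    vault_key = pbkdf2(pw, email.lower().encode(), ITERATIONS)  # never leaves the device
    login_hash = pbkdf2(vault_key, pw, 1)  # the only value sent to the service
    return vault_key, login_hash


def server_enroll(login_hash: bytes) -> dict:
    """Runs on the service: store a salted, stretched hash of the login hash."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": pbkdf2(login_hash, salt, ITERATIONS)}


def server_check_login(record: dict, login_hash: bytes) -> bool:
    candidate = pbkdf2(login_hash, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for AES so only stdlib is needed.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device; the service only ever stores this blob."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_vault(key: bytes, blob: bytes):
    """Return the plaintext, or None if `key` is not the vault key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def demo() -> dict:
    # Constructed account and vault contents, for illustration only.
    email, password = "user@example.test", "correct horse battery staple 42"
    vault_key, login_hash = client_derive(password, email)
    record = server_enroll(login_hash)            # what a login database holds
    blob = seal_vault(vault_key, b'{"bank": "s3cr3t"}')
    return {
        "login_ok": server_check_login(record, login_hash),
        "opens_with_vault_key": open_vault(vault_key, blob),
        "opens_with_login_hash": open_vault(login_hash, blob),
        "opens_with_server_verifier": open_vault(record["verifier"], blob),
        "opens_with_wrong_password": open_vault(client_derive("guess", email)[0], blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this design a leaked login record is not a decryption key, but it can still be used to test master-password guesses offline, so the length of the master password continues to matter.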



## agent99 (Sep 11, 2013)

m3s said:


> I also use the free Bitwarden. Even premium is only $10/year. I do have a FIDO U2F device so I may upgrade at some point
> 
> LastPass has been breached multiple times so I wouldn't pay $64 more for that


So I am new to Bitwarden and not having an easy time with it.

It seems to me that it does not automatically enter the site username/pw like LP does. You have to go to the BW extension. If you haven't used it for the site before, you have to jump through a few hoops. Seems no matter what I want to do, I have to re-enter the password. Just glad it isn't 20+ characters like Alta's. I have sort of given up after hours of trying to understand and get it to work. Seems its main use is just as a safe to store access data.

Thinking I may go back to LP for my laptop, and just use Google or?? on my phone which I don't use a lot for web access.


----------



## m3s (Apr 3, 2010)

Bitwarden extension works well for me on Brave (Chrome). I click the extension, click the login and it fills. Not fully automatic.

I would rather use LastPass than Google for passwords


----------



## Retiredguy (Jul 24, 2013)

agent99 said:


> So I am new to Bitwarden and not having an easy time with it.
> 
> It seems to me that it does not automatically enter the site username/pw like LP does. You have to go to the BW extension. If you haven't used it for the site before, you have to jump through a few hoops. Seems no matter what I want to do, I have to re-enter the password. Just glad it isn't 20+ characters like Alta's. I have sort of given up after hours of trying to understand and get it to work. Seems its main use is just as a safe to store access data.
> 
> Thinking I may go back to LP for my laptop, and just use Google or?? on my phone which I don't use a lot for web access.


Ditto, and reading some of the blog comments we're not alone.


----------



## Retiredguy (Jul 24, 2013)

Anyone with the paid LastPass, can you tell me how long the emergency contact delay can be set for? I can't find that on the web site. Several years ago it was max 90 days, and is there an auto notify feature when it's going to expire?


----------



## AltaRed (Jun 8, 2009)

30 days is all that I see and I don't know about auto notify.


----------



## agent99 (Sep 11, 2013)

Retiredguy said:


> Ditto, and reading some of the blog comments we're not alone.


I have stayed with Bitwarden for now. I have it working OK on my laptop. Seems you have to set it up to Autofill each site, even although they are already in your Vault. Easy enough to do. 
I am having trouble with it on my Android phone. Maybe I will learn how if I persist.

Some sites, including this one just auto-load. Chrome isn't saving passwords, but it seems something does. I don't think it is Bitwarden that is logging me in.


----------



## Retiredguy (Jul 24, 2013)

agent99 said:


> I have stayed with Bitwarden for now. I have it working OK on my laptop. Seems you have to set it up to Autofill each site, even although they are already in your Vault. Easy enough to do.
> I am having trouble with it on my Android phone. Maybe I will learn how if I persist.
> 
> Some sites, including this one just auto-load. Chrome isn't saving passwords, but it seems something does. I don't think it is Bitwarden that is logging me in.


Agree I can live with the autofill but it's the constantly having to log in with the master password PW that's the bigger issue. They have a setting to keep it unlocked for up to 4 hrs but it doesn't work. None of the time settings work, for me at least. (My main browser is MS Edge.)


----------



## agent99 (Sep 11, 2013)

Retiredguy said:


> Agree I can live with the autofill but it's the constantly having to log in with the master password PW that's the bigger issue. They have a setting to keep it unlocked for up to 4 hrs but it doesn't work. None of the time settings work, for me at least. (My main browser is MS Edge.)


I tried 4hrs, and some of the other time-outs. Had similar problem. Changed to NEVER. That seems to work. (Using Chrome). With LastPass, I used to set it to 8hrs so it would work all day, so not much different.


----------



## Retiredguy (Jul 24, 2013)

agent99 said:


> I tried 4hrs, and some of the other time-outs. Had similar problem. Changed to NEVER. That seems to work. (Using Chrome). With LastPass, I used to set it to 8hrs so it would work all day, so not much different.


Thanks. Changed to "never" with good results.


----------



## Retiredguy (Jul 24, 2013)

*For those using Edge with Bitwarden* if you download "Fast Reopener" from the MS Store it will overcome the issue of the time settings in BW not working and constantly having to re-enter the Master PW. Fast Reopener is a tiny extension (its icon is orange, kinda looks like a flame). Adding it also very noticeably makes the browser much more snappy. - At least that's my experience.


----------



## m3s (Apr 3, 2010)

Edge? There's your problem

Get Brave or at least Chrome


----------



## Retiredguy (Jul 24, 2013)

m3s said:


> Edge? There's your problem
> 
> Get Brave or at least Chrome


Chrome has the problem as well. Never heard of Brave.


----------



## Retiredguy (Jul 24, 2013)

m3s said:


> Edge? There's your problem
> 
> Get Brave or at least Chrome


Chrome? Has the same problem.

I found this possible solution online. (Cut and paste below) Others in the blog claimed success.

"Just to update the thread in case anyone is interested, I found a perfect solution to my challenge. There is a Chrome extension called “Lightning Reopen” which enables Chrome to keep running in the background after you close it with the “X” button. So when you reopen it again, BW is still unlocked! And when you log off, then BW is either locked or logged out, as per your BW preferences,"


----------



## m3s (Apr 3, 2010)

I really don't mind logging into my password manager that has all my passwords

I just lock/sleep my PC with the browser open instead of shutting it down. I need a PIN for windows but Bitwarden extension stays logged in


----------



## Retiredguy (Jul 24, 2013)

m3s said:


> I really don't mind logging into my password manager that has all my passwords
> 
> I just lock/sleep my PC with the browser open instead of shutting it down. I need a PIN for windows but Bitwarden extension stays logged in


I don't mind logging in with my Master PW either, just not every time I change sites, or close my browser and when I set BW to "never" as none of the other settings worked, it stayed unlocked even after a complete restart of the computer. Yes I have a Windows PW too. I'm certainly not a techie but that doesn't seem too secure to me.

A very separate issue (nothing to do with BW) for me is when I put my CPU to sleep mode or do a restart it is so slow to get up and usable again. I've checked all the usual things - startup menu, and cleanouts of cookies, cache, temp files, etc. but still an issue. Ideas welcome?


----------



## m3s (Apr 3, 2010)

Retiredguy said:


> I've checked all the usual things - startup menu, and cleanouts of cookies, cache, temp files, etc. but still an issue. Ideas welcome?


Look at what background services are loading on startup. Probably lots of bloat there

Easiest solution is to reformat


----------



## agent99 (Sep 11, 2013)

I have exchanged messages off-line with Retiredguy. With Lock set to never, I can even restart Windows without need to unlock Bitwarden. I have it working well on Chrome now. Many sites including CMF save log in data so there is no need to log in each time. Once saved, that also works on my phone. Seems like Chrome and BW don't yet talk to each other on Android. But I seldom have a need for that anyway.

So basically, I am now happy with BW - It does everything for me that LP did except fill in log-in data for sites in my vault that I have not yet used with BW. For those it takes one click to open and save for future use. For new sites, a bar pops up and you can save the new log in data in the vault. I think I am sold!

Next will be to test it out on Edge and Firefox because I do use those sometimes. 

I must also boot into Windows 7 and see if Lastpass is still active there. I have some apps that still require Windows 7.


----------



## Spudd (Oct 11, 2011)

Retiredguy said:


> Anyone with the paid LastPass, can you tell me how long the emergency contact delay can be set for? I can't find that on the web site. Several years ago it was max 90 days, and is there an auto notify feature when it's going to expire?


Currently it's anywhere between immediately and 30 days. 

I don't think there's an auto-notify - here's what it says:
When your trusted contact requests Emergency Access, you can decline their request within the specified waiting period. Otherwise, your vault is added to their LastPass account.

So the way I read that, when you die or fall off your sailboat into the ocean, your trusted contact can go to Lastpass and request access. When they do, you'll be notified, and you can deny it within the timeframe you choose. After that timeframe has expired, they'll get the access, since you were unable to deny it, presumably due to your death/sailboat accident.

It's not like if you don't use Lastpass for 30 days they automatically get access. It's only given on their request, and only if you don't deny it within the time period. So if you set it to 30 days they'll have to wait a month to get your passwords after you die and they request it. I don't foresee any situation where I would want to deny the request but wouldn't be able to within 30 days, so it seems to me that it's a good solution.


----------
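The request-triggered flow described in the post above, as an added example that is not part of the original thread and is not LastPass code: a small model of a delayed release with an owner veto window, following only what the quoted help text says. The class, its method names and the dates are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class EmergencyAccessGrant:
    """The vault owner's grant to one trusted contact (hypothetical model)."""
    waiting_period: timedelta                 # "immediately" is timedelta(0)
    requested_at: Optional[datetime] = None
    declined: bool = False
    owner_inbox: List[str] = field(default_factory=list)

    def request(self, now: datetime) -> None:
        """The trusted contact asks for access; this, not inactivity, starts the clock."""
        if self.requested_at is not None and not self.declined:
            return  # already pending or granted: a repeat request must not move the clock
        self.requested_at, self.declined = now, False
        self.owner_inbox.append(f"access requested at {now.isoformat()}")

    def release_time(self) -> Optional[datetime]:
        if self.requested_at is None or self.declined:
            return None
        return self.requested_at + self.waiting_period

    def decline(self, now: datetime) -> bool:
        """Owner veto; only effective while the waiting period is still running."""
        release = self.release_time()
        if release is None or now >= release:
            return False
        self.declined = True
        return True

    def contact_has_access(self, now: datetime) -> bool:
        release = self.release_time()
        return release is not None and now >= release


def run_scenarios() -> dict:
    t0 = datetime(2021, 3, 1)   # constructed dates
    day = timedelta(days=1)
    out = {}

    # Owner simply stops logging in: nothing happens without a request.
    idle = EmergencyAccessGrant(waiting_period=30 * day)
    out["idle_400_days"] = idle.contact_has_access(t0 + 400 * day)

    # Contact requests, owner never responds: access at the end of the window.
    g = EmergencyAccessGrant(waiting_period=30 * day)
    g.request(t0)
    g.request(t0 + 5 * day)     # repeat request is ignored
    out["day_29"] = g.contact_has_access(t0 + 29 * day)
    out["day_30"] = g.contact_has_access(t0 + 30 * day)
    out["notifications"] = len(g.owner_inbox)

    # Owner is alive and declines inside the window.
    v = EmergencyAccessGrant(waiting_period=30 * day)
    v.request(t0)
    out["veto_accepted"] = v.decline(t0 + 10 * day)
    out["after_veto"] = v.contact_has_access(t0 + 60 * day)

    # A veto attempted after the window has closed has no effect in this model.
    late = EmergencyAccessGrant(waiting_period=30 * day)
    late.request(t0)
    out["late_veto_accepted"] = late.decline(t0 + 31 * day)
    out["after_late_veto"] = late.contact_has_access(t0 + 31 * day)

    # Waiting period set to "immediately": no veto window at all.
    instant = EmergencyAccessGrant(waiting_period=timedelta(0))
    instant.request(t0)
    out["immediate"] = instant.contact_has_access(t0)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```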



## AltaRed (Jun 8, 2009)

Good explanation. I probably should have posted that process in my earlier post. It is logical.


----------



## Retiredguy (Jul 24, 2013)

Spudd said:


> Currently it's anywhere between immediately and 30 days.
> 
> I don't think there's an auto-notify - here's what it says:
> When your trusted contact requests Emergency Access, you can decline their request within the specified waiting period. Otherwise, your vault is added to their LastPass account.
> ...


It's been about 5 + years since I read about it and I was obviously confused and didn't understand. I thought the setting by the grantor expired after 30 days so it needed to be continually renewed as it automatically would give the trusted party access after the 30 days. Your explanation that it's the trusted party's request to the grantor that triggers the start of the 30 days (unless denied by the grantor) makes sense. Very helpful Spudd, thank you.


----------



## agent99 (Sep 11, 2013)

agent99 said:


> Next will be to test it out on Edge and Firefox because I do use those sometimes.
> 
> I must also boot into Windows 7 and see if Lastpass is still active there. I have some apps that still require Windows 7.


OK, seems to work fine in Firefox and Edge.

I had to use Windows 7 tonight. There my Lastpass is still working. I suppose I could import/export passwords to keep that up to date. But I seldom use 7 these days, so no real need.


----------



## SW20 MR2 (Dec 18, 2010)

I've been using 1Password for about a year. I did it based on my friend's reco and didn't do deep research to compare it to other solutions, but I'm happy with it. I like how I can access it across multiple devices. I also use a double-blind system for any of my important logins (i.e. banks, investments, CRA, etc), so that even if someone got ahold of my 1Password login, they would still need to hack those logins as well.


----------



## Retiredguy (Jul 24, 2013)

SW20 MR2 said:


> I've been using 1Password for about a year. I did it based on my friend's reco and didn't do deep research to compare it to other solutions, but I'm happy with it. I like how I can access it across multiple devices. I also use a double-blind system for any of my important logins (i.e. banks, investments, CRA, etc), so that even if someone got ahold of my 1Password login, they would still need to hack those logins as well.


Working with Bitwarden. I'm still reluctant to enter my bank, investments PW's. Can you explain your double blind system? Thanks.


----------



## digitalatlas (Jun 6, 2015)

Actually double blind is a pretty good idea for important passwords. Basically you let the manager app generate its own password, which you don't remember, but you add your own string before/after the generated password, like 2296 or something. 

Then the actual password will be ***(generated)2296. So even if the manager app gets hacked, they won't know your 2296 string, and can't get access.

It comes at the cost of the slight inconvenience of manually typing in 2296 after the app has already filled in a password. Takes an extra 0.3s.


----------



## Retiredguy (Jul 24, 2013)

digitalatlas said:


> Actually double blind is a pretty good idea for important passwords. Basically you let the manager app generate its own password, which you don't remember, but you add your own string before/after the generated password, like 2296 or something.
> 
> Then the actual password will be ***(generated)2296. So even if the manager app gets hacked, they won't know your 2296 string, and can't get access.
> 
> It comes at the cost of the slight inconvenience of manually typing in 2296 after the app has already filled in a password. Takes an extra 0.3s.


Great idea. Thanks.


----------



## cowolter (Jun 12, 2018)

I use Keepass, it's pretty good. You can set passwords to expire which will cross them out in the UI and remind you to update them, and it's encrypted so even better. You can lock it up with a master password, key file and a Windows user lock, which pretty much stops another person aside from the user who created it from opening. I genuinely don't regret it, and I've used other password managers before.


----------



## Retiredguy (Jul 24, 2013)

Bitwarden - I've been using it for the last couple of weeks. I found the time delay settings confusing to use but understand from BW tech that regardless of the setting when you close the browser (unless NEVER is selected) it will lock BW and then when you want to enter a site requiring BW use, you then must enter your full BW PW. I was told that this is expected behaviour of the program and that in the settings you can create a PIN to expedite the opening rather than using the full master BW PW. So I created a short PIN which does what it's supposed to do. However my expectation was that when I totally shut down or restart my computer that the full (comprehensive) master BW PW should be required. To my surprise only the short PIN is required. What's the point of having a comprehensive strong master BW PW if a short PIN will allow anyone who steals my laptop access if they are able to bypass my short PIN?

I have set this out in an email to BW and await their reply but does anyone here know the answer?


----------



## agent99 (Sep 11, 2013)

I guess I must have chosen Never as I never have to enter my Master PW. However, I don't use BW for important logins, like banks etc. Anyone stealing my laptop would only get to access CMF and similar 😉


----------

