Which password manager do you use?

Both 1password and lastpass are perfectly fine. Use a good passphrase and turn on 2-factor everywhere.

I’m slowly moving out of KeePass to LastPass because it really is not as convenient as LastPass. And the fact that there is no iOS client except for one indie one which was hardly updated.

If you’re an iOS user look at 1Password. When I was looking for one, 1P seems to be the favorite on Mac/iOS by far. I have been extremely happy with it, but the Windows version isn’t quite as slick.

Is the Mac version still free or subscription based? A couple of years ago, it was a $70 software which is a hard entry point, IMO.

I believe it is free for basic stuff, but it’s now subscription based, $2.99/4.99 a month for all your devices. Although I think I am grandfathered in since I bought everything years ago. I would say easily worth it if you have a lot of devices, probably not if you just want to run it on your phone.

Seems like more and more apps are supporting 1P on iOS. Not sure if that’s true for Last Pass.

Wirecutter article. They like both but call 1P more powerful on iOS/Mac.

Lastpass is completely free for unlimited usage on both desktop and mobile.

If you want, you can pay them $12/year to get family password sharing (which is not completely secure so don’t use it) and additional multifactor authentication methods, including fingerprints on Windows (but not touchID on new macbook pros yet). Google 2FA is included in the free version, so there’s really no compelling reason to pay them at all.

I don’t really call that a positive because it’s unclear how Lastpass is effectively monetized, but they don’t inject ads and all data is decrypted clientside so I deal with it. I was more comfortable when paying them $12/year was worthwhile.

1Password will either sell apps outright or a subscription. If you buy it outright, the MacOS version costs $65, and they don’t seem to sell a Windows version any more. Mobile apps are free. You store your keychain on Dropbox and decrypt it locally.

If you go with a subscription, it’s $36/year for a service that’s essentially equivalent to what Lastpass gives for free. Completely cloud-based, they hold your keychain for you but you decrypt it locally. It does support touchID on macs, though.

1password’s business plan makes sense, but it’s tough to justify paying $36/year when its competitor is completely free and has no overt red flags.

If you’re in the Apple ecosystem and prefer Safari (if you ever run off battery power, Chrome is a pig), I haven’t seen anything that is anywhere near as easy to use as Keychain. I use a long passphrase for my Apple account, and every other password is handled automatically. Setting up a new phone or Mac is a 1-step affair.

My wife and I use a $5/month family plan. We have Macs and iPhones. It’s very well implemented and integrated in the macOS ecosystem. I’ve tried to use similar services in the past, but always got hung up on the little problems with them. For whatever reason, I suppose I’ve learned to work around those with 1Password. The ability to have multiple vaults – one being shared with my wife, in this instance – is extremely useful. I have a vault for all of my work-related passwords (which I can just delete if I leave the job), and one for personal accounts that my wife doesn’t access, like Facebook, etc. It’s a great system and worth $5/month for us. Note: it’s just $5 – not $5 per person. However, we signed up early and the pricing may have changed since then.

All of the desktop and mobile device apps are included in the cost.

Wait what? When I originally signed up for Premium you could only use the mobile app if you were a premium member. When did that become a free feature?

Not that I really mind paying $12 a year for features I don’t really use, as it gives me massive benefit.

Why do you say this isn’t secure? My understanding is this just encrypts the password twice, once with your public key and once with the other people’s public key. So theoretically it’s just as secure as your own passwords (unless their account is compromised).

I use 1Password.

It went free about a year ago. But you could still use premium to get extra benefits.

Yes, Lastpass changed their business model around a year ago. Like I said, I’m not a fan of this. I like paying a reasonable price for services I use, and I found $12/year to be completely reasonable. $36/year is a bit much, IMO.

Lastpass premium really isn’t worth much. I still have it, and I do use fingerprint authentication on windows. So it’s worth something.

Regarding family sharing, I remembered a furor about it a couple years ago. The problem isn’t that Lastpass has the password, but that the feature that’s supposed to hide the password from who you’re sending it to doesn’t work, and it’s transmitted in plaintext to boot. They may well have fixed it in the 4 years since, so take with salt.

https://changedmy.name/2013/10/26/discovering-secrets.html

To those worrying, OneLogin differs from LastPass in that it’s SSO and federated Active Directory. Losing the keys to that kingdom is much more serious.

Even if LastPass or 1Password got hacked and the bad guys stole every bit of data they stored, they still wouldn’t get our passwords, because they’re decrypted client-side.

To get our passwords, they would need to create a compromised version of the Lastpass browser addons or the 1Password application and push it to users. That ain’t impossible, to be sure. But it would require a much more persistent threat than you’re likely to see from criminals.

I use the non-subscription version of 1Password. I didn’t spend too much… waited for a Black Friday special and picked up the Mac and Windows desktop applications for a reasonable price.

If it’s true you can no longer purchase the Windows app and are forced to subscribe, that’s a shame.

I recommend 1Password if you use iOS/Macs exclusively; else use LastPass.

That article doesn’t say it’s transmitted in plain text, just that someone (using DNS trickery on a compromised machine) can have the password sent to an http version of the website and thus only then would be transported over plain text (no different than any other password form on a non-https website). If your machine is compromised to go to my server for Capital One and you login on my version of the site then your password will be plain text regardless if it’s even a lastpass password or manual one.

I’ll agree it’s disingenuous for LastPass to claim the password will be hidden but every attack vector outlined in there works without password sharing (just verified in chrome debugger tools with my own password). At the end of the day if the password is on the client (in order to be used) it can be retrieved by either a malicious user or compromised client and the few times I have used the sharing features I have done so in the full intention that the other user should be able to see the password, not just “use” it blindly.

Family sharing feature is the reason I’m moving off KeePass into LastPass and paying them $12/year.

From their support site:
https://lastpass.com/support.php?cmd=showfaq&id=2456

Sounds secure to me. If that’s not as secure, I need to reevaluate my options again…

It’s not exposed to external assault. The option to hide that password from your sharing target isn’t secure. So if you don’t mind your brother knowing the amazon password (or whatever) that you shared to him, it’s fine.

That’s fine. I’m using LastPass generated 12 char password anyway, so it doesn’t matter if the wife knows the password. I hope it doesn’t randomly generate some girl’s name or something, lol

This thread seems like a good place to ask this question:

What do you use for 2 factor authentication? I started with Google Authenticator, then moved to Authy, and finally ended up using 1Password’s 2FA code generator. Technically the last one is not 2FA, since compromising 1Password would net an attacker both password and authentication code in one fell swoop, but I picked it for convenience. I’m now second guessing that decision and might switch back to Authy.