How do you manage your password? Advice and tips

Hi, there are many wise people on Ozbargain, so I wonder how you would manage your passwords, which are required everywhere these days.
I have been slacking and use one password for most of my websites with a small alteration for different requirements, but more and more websites require you to change your password every three months or so.
How do you manage your passwords? Do you have any tips and advice? Does anyone use a password manager website/app, and what do you think about it? I suspect these websites/apps will consume much more time. What do you think?

Comments

    • Moving from LastPass to Bitwarden was super simple. There is a warning that there may be problems with special characters so I put it off as long as possible, but there wasn't.

  • +2

    Seems like I am the only one here who just uses Google's password manager? Signs me in automatically for sites as well as apps (though some have 2FA)

  • +1

    It's very simple for me…
    I just look at my user name for each site I visit and I know exactly what my password is for that site ;-)

  • +1

I use Bitwarden but I really do find it rarely if ever recognises logins on either my iPhone or laptop. So when I register for a new site it doesn't offer to save the details for me or set it up for me, so I have to manually get it to do it, which is a bit of a pain.

  • I use the same basic password for all non-monetary sites and special ones for all others which are noted in a small (A5) Index Book … never forgot a password.

  • +1

    https://www.passwordstore.org/ with the git repo on home server

  • I use my memory for passwords. I have nothing written down or stored in phone, laptop, anything. I figure that is the best way for no-one to get access to anything and yes my passwords are not simple.

  • KeePass2 on PC, and AuthPass on iOS.

  • +2

    Apple iCloud Keychain

  • -1

    I use the same base password for everything (one that has high complexity), but then salt that myself using a basic cipher based on the URL / application. That way I only have to remember one password and one method, referable to wherever I'm trying to login.

    So, say your password is "[email protected]" and your cypher for your salt is first letter of URL, then a=1 … z=26 for the second and third letters of the URL, then your password for OzBargain would be "[email protected]" and your password for google would be "[email protected]".

    To secure your secret questions, for any sites still using those, you can implement a standard rule, such as not using vowels, answering the questions backwards, or starting all answers with a particular symbol.

  • I sound very old school but am using a password-protected LibreOffice Calc file which is in a synced cloud folder. Years ago I looked at password managers but couldn't find one that worked over several devices (Windows, Linux, Windows Mobile & Android). I may have to revisit that with the suggestions above and the fact I have dropped Windows Mobile.

    • Not sure about Linux, but definitely check out bitwarden for Android/Windows.

  • -1

    Google has a pretty sweet password manager. It automatically suggests a strong password and then saves it to your Google account so you don't even need to remember it. And the integration with Google Chrome and Android keyboard is pretty seamless.

  • bitwarden

  • +1

    I wish sites would not put stuff in front of their URL on the login, like .auth or .members, because it is confusing Bitwarden.

    Anyone having this problem of Bitwarden not recognising the site? Am I doing something wrong?

    I guess I will have to edit and put the extra URL in but I don't remember having to do that with LastPass.

    • +1

      Bitwarden has options (a global and then a per-entry setting) on how to match the URL - i.e. the base domain, the whole hostname, starts with xxx, even regex.

      Sounds like you may have a bad default set and probably want it set to 'base domain' based on your issue.

      • +1

        It's on the default 'base domain'.

        • +1

          Then you have a bug you should report. Base domain should match example.com along with sub.example.com and works like that on my browser extension and Android app.

          See: https://bitwarden.com/help/article/uri-match-detection/

          • +1

            @zfa: Thanks. Maybe I'm the bug. Just getting started with Bitwarden. I will see what happens from here.

  • I use Bitwarden across browser and mobile. I have the free version and it covers a lot of bases.
    - never have to remember passwords,
    - generates secure passwords for new logins you add to it.

    if you're curious as to the flow:
    - on mobile, click on password field > access vault via fingerprint > Autofills the password > login
    - on desktop, access vault via PIN into edge browser (Bitwarden extension) (or you can use 'master password' instead) > autofills the password > login

  • +1

    I used password store. If you are a techie it's second nature, but if not you would want to look elsewhere :D

    https://www.passwordstore.org

  • Guys let’s share our favourite passwords. I’ll start; it’s *********.

  • KeePass. 256-bit AES, impenetrable.

  • I'm on the Keepass bandwagon; paying for it is very non-OzBargain. Uploading your passwords online is equally counter-intuitive in my book. Haven't ever had a need to have or do banking on my mobile.
    A lot of my passwords are partially written down too.

    Gotta decide on the reason for wanting the manager and different passwords. I only need help differentiating passwords so I don't use the same one too often for sites in case they get hacked, not because I think someone is going to break into the house.

  • +1

    I have my passwords written in a notepad.

  • yep - used free Lastpass for years - then it was notified as dubious - then finally no longer free or something

    so I installed free BitWarden on both my laptop and smartphone - and it's just fine

    on my iPhone BitWarden uses the touchpad to login - which I think is easier than LastPass which required typing in my long password

    so in that respect BitWarden is better - as the great majority of comments here seem to agree.

  • +1

    For passwords that you don't need to change regularly

    Create one very complicated password that you can memorise, and then think of a way to amend that password based on the name of the website you are using:

    E.g.

    Complicated Password: oyObtPWQ4wfClYhaFokk
    Base Password: (ComplicatedPassword)
    For Facebook: F(ComplicatedPassword)A
    For Google: G(ComplicatedPassword)O
    For Twitter: T(ComplicatedPassword)W

    Pros:
    - Easy to remember
    - Can use mostly the same password for every site.
    - If the website's password vault gets hacked, people who get this information are most likely going to create scripts to attempt to use the same password and login across multiple sites. So they are not likely to try and work out a pattern with your single password.

    Cons:
    - If someone is targeting you specifically, they may be able to work out the pattern. But if someone is trying to target you specifically then you have a lot more to worry about in your life.

    For passwords that you do need to change regularly

    Use KeePass. It's free and secure. There is a learning curve, but if you spent an hour working out how to use it, you would easily make that back over your lifetime of forgetting / resetting usernames and passwords.

    You can use it for estate planning. Put the password to your KeePass in your will or give it to your partner (if you really trust them) so that they can access everything they need to after you pass away.

  • +3

    Bitwarden and 2FA on everything. If your email is not 2FA enabled, start with that ASAP. With access to an email account you can reset most passwords.

    With Bitwarden, you don't need to know your passwords and they can be massive in length and complexity. The only password I know is the master password for Bitwarden.

  • Good thread, I have been using Lastpass but looking for a change since they have moved into paid service.

    • +1

      Yeah as many other comments have said, Bitwarden is almost a drop-in replacement for LP, and many people from OzB (and elsewhere) have voted with their feet against LP and for BW.

  • +1

    If Monkey123 doesn’t work I try Password123 and I’m in. Easy as to remember

    • I know someone who uses Money123

  • +1

    1Password. Got in early and haven't looked back. UI is great and easily understood by other less technical members of the household.

    • +1

      Me too. I have a 1Password family subscription and got my whole family on it. In my experience the easiest to use and the most polished password manager.

      Most companies I worked at also use 1Password, so it is great to have everything in 1 place.

  • Notes, I just have a running list on my phone

  • This is a good thread, thanks for the inputs. Looks like Bitwarden is the most popular one.

    For me, I stored them in Excel, with the Excel file being password protected, saved on my local PC. The only disadvantage of this is that I need to log in to my PC if I forget any of my passwords to the important sites where they contain my personal information. But this does not bother me much as most likely I am logging in to important websites using my PC anyway. Any logins to important websites on my mobile are most likely through an app with fingerprint authentication.

    Apart from that disadvantage, can someone convince (scare) me to use Bitwarden instead?

  • I'm using 1Password, it's hard to get out of an ecosystem once you're in it, but I have no regrets and no plan to leave currently. I pay the annual fee but it's a peace of mind thing and I really don't need to do much with it anymore.

    Randomly generate a secure password for every site, synced across every device you use. Yes, I know cloud stored password data is not the most secure, but it's highly encrypted via my master password and in combination with a serial key for my account. It nicely syncs across my gaming desktop, ipad, iphone, macbook and windows desktop with all passwords.

    It also supports Google Auth 2factor within the platform, so when you login to a website with Google Auth enabled and setup within 1Password, it automatically copies the 2factor code or inputs it via your secured device. It automatically clears copied passwords and 2factor codes from your devices clipboard.

    I found a lot of my usual passwords were already leaked on haveibeenpwned.com and thought it was time to change, it saved me a lot of time and makes it very easy to manage once it was all set up. The kicker is it's also integrated with HIBP and alerts you to specific sites where your password has been compromised and prompts you to change the password for that site specifically. It also screams at you for insecure passwords due to min character/combination recommendations where some websites simply don't allow longer passwords (for whatever ridiculous reason)

  • +2

    I click on the forget password link

  • Bitwarden absolutely.

  • Good Read. I'm pretty happy with the Google Chrome password manager. Does its job.

  • I self-host bitwarden, but I use Diceware to create a master passphrase.

  • LastPass as work provides premium for free. However, very good to know about Bitwarden as a backup.

  • Use 2FA whenever possible. Most secure.

  • Bitwarden, bitwarden, bitwarden.
    Also go to
    https://haveibeenpwned.com/
    And put in emails/ mob number and enjoy the FFFF that come after.
    Not the good type either. 😛

  • Apple notes, with additional password.
    Yes it's in the cloud and could always get hacked, but I think apple security is pretty tight.

    • Why not use the in-built Apple password manager? It prefills/generates passwords for you as well.

      • +1

        Doesn't work across all apps, particularly if you shift devices. It loves Safari, but I don't.

  • -1

    Can someone introduce how it works with Bitwarden? I know you keep your master password, which generates a master decryption key and those encrypted passwords for websites are stored online. But do you get to see the decrypted password in plaintext locally after decryption and you copy paste it to login dialog to login?

    • Just create account, free and play around.
      You will be amazed.
      Thank me later….

      • -2

        I will thank you if you can give me some info before I spend time to create an account for something I may not like LOL

        • Trust me, it's more fun than just playing Wii

          :)

    • +1

      I looked into this now and you raise an interesting point.

      You can copy/paste into a field. However, Bitwarden can be set to Autofill, but like autofill in other places (like those built into browser, and other similar tools) it can be hit and miss.

      For example, filling your password into a plaintext field on the page, in error. (sidenote: This hasn't happened to me with bitwarden but when signing up somewhere and there are two password fields sometimes my username is put into the first password field)

      If I don't want to use autofill, I then login with master password and:
      - the individual password isn't visible until I click on eye icon. I can just copy without viewing.
      - I can set to flush the clipboard after a set time
      - I can right-click on the field I want to fill, and fill manually (still called autofill in the context menu). I think this is similar to what I heard about LastPass having an icon in a password entry field. Not sure if it's equivalent or not

      On phone:
      -login with biometric/master password/PIN from the password entry field in an app, web browser. I think the phone's keyboard comes into play.

      Should you turn off autofill

  • MYKI - changed over when lastpass started overcharging. It’s free and better than all the other ones I tried as a replacement. I have 1Password but use the old version as a backup as I refuse to pay for an upgrade (so they can start charging again)

  • how well does bitwarden compare with 1password in 2021? I looked into switching a while back with 1password moving to subscription and forgetting about its early adopters, but it didn't seem to integrate into a mac/ios/windows environment so easily then, nor have the free form info fields to handle all the extra info types - like credit cards, loyalty program info, etc.

  • I was using LastPass when it was free, but recently swapped to iPhone (so 80% in the Apple ecosystem) and am just using keychain now.

  • Bitwarden 10/10

  • i just let google password manager have all my passwords

    • It's like letting all the "universe" see your passes….

      • eh. done alright so far

  • +1

    I use LastPass addon for firefox and chrome

  • LastPass is da bomb

  • Interesting reading about sms code sent to our phone

    https://theconversation.com/amp/how-hackers-can-use-message-...

    • -1

      I still can't see the problem. Hacker would need password + sms code. Besides as soon as there is an attempt to log in from a new device I get warned.

    • SMS = bad.

  • I use a spreadsheet.

    I also use swearing and throwing shit when I get asked passwords that I can't remember.

    I stomp and curse when looking for the bloody mobile when I have to put in stupid verification codes.

    But ffs the worst are those stupid captchas and "tick the number of crossings". " Type in the wavy unreadable letters bs"

  • Bitwarden - but if you're willing to pay, 1password is a better option imo
    Also gives an easy place to store all your OTP!

  • OK, after reading more about the most suggested Bitwarden, I am still not convinced to use it, or any other similar providers:

    • they are online, whether you can get your passwords relies on their services availability
    • even if they can cache locally, you really don't want all your passwords being cached
    • you need to upload your passwords to them, which requires you to trust their programs REALLY only upload unidentifiable and encrypted passwords, and even encrypted, that they do not have master key or backdoor to decrypt them
    • you think open source is more trustworthy? Even if the code looks alright, how do you know the one hosting is definitely building from that source code?
    • you can self build the whole thing and self-hosting one? How much effort is there?

    So I would just use a solution completely offline and always available:

    • Just remember one password ever
    • Add extra characters to your one password to make variants based on the website like some have suggested (e.g. My$ecurePW+twitter2021, My$ecurePW+ozbargain2020), really doesn't matter where you add the extra characters or how you add them (front or middle or end). The year bit is for situation you want to change your password each year. Or if you like, you can also add in the month. Heaps better than to just append 1, 2, 3, 4… to remember something extra for every site.
    • Most important step, HASH it! Use any one-way hash function to hash the resulting string. That hash becomes your password for that website. If you do not hash it but just use My$ecurePW+twitter2021 as your password directly, what if you later join an insecure website and they get hacked, and it turns out they simply store customer passwords in plaintext? Your one password and your variant pattern are revealed just like that. Hashing it makes the resulting password impossible to reverse back to its original form (hence one-way).
    • Still, don't pick anything simple to be your one password! Hash functions are deterministic, meaning the same input gives the same output, always. If some website gets hacked and your password is found to be the same as some known combination, then your one password and your variant pattern are also revealed.
    • I will have the little program to compute the hash with me on my desktop, as a browser plugin and on my mobile. Again, I may not trust anyone offering me that program so probably I will write one myself, like a little gadget.
    • Whenever I need to login, I open up the little program, type in my one password and the extra bits, hash it, copy back to the login field.
    • The little program will have no idea about my password, it is just a tool to compute the hash, so no risk at all if my little program is stolen, in fact, anyone can use it. Most likely I may just use MD5 in case I don't have my computer nor my phone with me but I still need to login somewhere.
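The hashed-variant scheme in the comment above, written out as an added example (this is not the commenter's own gadget, nor anything from Bitwarden or KeePass). It follows the comment's `My$ecurePW+twitter2021` layout and defaults to SHA-256 with MD5 selectable; the site password rules it checks (length cap, uppercase, symbol) are assumed, chosen to show that a raw hex digest usually trips the complexity rules the original post complains about.

```python
import hashlib
import string

# Symbols a typical "must contain a special character" rule accepts (assumed set).
SYMBOLS = set(string.punctuation)


def derive_site_password(one_password: str, site: str, year: int,
                         algo: str = "sha256") -> str:
    """Hash the single memorised password plus a per-site suffix.

    Layout follows the comment's example: "<one password>+<site><year>".
    The hex digest is what the commenter proposes typing into the login form.
    """
    variant = f"{one_password}+{site}{year}"
    return hashlib.new(algo, variant.encode("utf-8")).hexdigest()


def policy_failures(password: str, max_len: int = 64) -> list:
    """Return the assumed policy rules that would reject this password.

    A hex digest contains only 0-9 and a-f, so it always fails the uppercase
    and symbol rules, and a long digest can exceed a site's length cap.
    """
    failures = []
    if len(password) > max_len:
        failures.append("too long")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


if __name__ == "__main__":
    pw_2021 = derive_site_password("My$ecurePW", "twitter", 2021)
    pw_2022 = derive_site_password("My$ecurePW", "twitter", 2022)
    # Deterministic, as the comment notes: same input, same output every time.
    print(pw_2021 == derive_site_password("My$ecurePW", "twitter", 2021))
    # Changing only the year changes the whole digest, not just a suffix.
    print(pw_2021 != pw_2022)
    # Rules a site would reject the raw digest on.
    print(policy_failures(pw_2021))
    print(policy_failures(derive_site_password("My$ecurePW", "twitter", 2021, "md5"),
                          max_len=20))
```

Because every output is lowercase hex, the scheme needs an extra deterministic step (or a site-specific tweak that must itself be remembered) before it works on sites that demand uppercase letters or symbols.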