Posted

But we now know that the NSA specifically uses backdoors in software implementations of encryption algorithms.

Keeping one's passwords in the cloud in any form, including in encrypted software, is very foolish. Encryption is not a fool-proof safeguard. It only buys time. You will never know who may have access to your files in the cloud or what resources will be available to an attacker. You will never be able to assess that risk.


There is no evidence that mainstream encryption algorithms such as AES can be cracked (assuming the implementation is not broken). If you encrypt files locally before sending them to the cloud nobody can access them.

Posted

I wish NSA lots of fun reading my dirty emails :-) , doesn't worry me a bit. I'm not a hypochondriac person, nothing is 100% safe.

But reasonable safety from crooks is my goal.

One specific example: I want to pay an airline ticket online with my Visa card using Android. How can I transmit my credit card details safely?

Posted

But we now know that the NSA specifically uses backdoors in software implementations of encryption algorithms.

Keeping one's passwords in the cloud in any form, including in encrypted software, is very foolish. Encryption is not a fool-proof safeguard. It only buys time. You will never know who may have access to your files in the cloud or what resources will be available to an attacker. You will never be able to assess that risk.

There is no evidence that mainstream encryption algorithms such as AES can be cracked (assuming the implementation is not broken). If you encrypt files locally before sending them to the cloud nobody can access them.

That's why I recommended Password Safe, since the original developer is a well-known cryptographer/security guy with a reputation to protect (it would destroy his career, business and all his crypto work), and other open source products where you can build it yourself if you want to.

Posted

I find 1Password excellent. Cross platform and the current Android, viewer only, version is to be replaced by a fully functioning Android App.

Posted

Just out of curiosity what good is the password when the data itself can be intercepted down the pipe? Have an awesome gmail password, SMTP sends the content of the message upstream, easily interceptable by anyone with the means to do so. Anyways, you're serious about security sending all your communication via PGP or even better OpenPGP, very serious about communication.... So when, where, and how did you register the email address you're using as transit provider (maybe Lavabit for shits and giggles). Ok providing every trace leading up to the account that is protected by the awesome password generator has been registered via (TOR,VPN, public wifi, etc...) what can you do with such a service that takes such extreme measure to access and register with?

For the people using lastpass, keepass, etc.. GOOD repeated passwords are easy targets and very bad practice, these programs offer a great deterrent from picking off the lowest-hanging fruit.

Anyone thinking that a password manager no matter what the encryption level or promises it provides will make you safe on the internet, much less once put on a server outside of your immediate control is a fool...

Posted

There are only so many ways to be "safe" and nothing is perfect. I have a friend who keeps all of his passwords in a notepad file in "My Documents." You could create an encrypted vault in a partition on your HDD and open it to get passwords, but then it would be available only for that computer and if it was lost, stolen, or the HDD failed you'd lose them.

Having one password for everything isn't wise.

I'm satisfied with the free version of LastPass. I tell it to not remember my banking, ebay, paypal, and one other account which I then remember myself. Everything that's not important such as this site it logs into automatically.

It will quickly work on another computer simply by installing it and entering my master password. I can't lose my passwords.

Posted

There are only so many ways to be "safe" and nothing is perfect.

Agreed. Certainly nothing perfect in today's online world.

It's now two weeks since I subscribed to LastPass and really didn't realise how many separate passwords I require.

I paid for subscription so that I can also utilise LastPass on my iPhone.

I have a sixteen character master password that I won't forget and have certainly increased my online security rather than decreased it.

Posted

+1 for KeePassX on Linux - KeePass 2 if you're on Windows.

It's possible to run KeePass 2 on Linux using Mono but frankly it's so buggy it's better to use KeePassX. There are Android versions of either so just pick what you use.

LastPass may be easier to get started with, but (1) they charge for the mobile client and (2) I'm not really comfortable having all my passwords in a known location that I'm sure hackers are doing everything they can to get into (and have in the past been at least partially successful). Of course my KeePass data are also on the Internet, Dropbox in fact, but I save the file with an obscure extension in a location with many other files, documents and images of low interest, so a hacker wouldn't know off the cuff that it's a password safe, it all just looks like low-interest personal stuff.

Posted

+1 for KeePassX on Linux - KeePass 2 if you're on Windows.

It's possible to run KeePass 2 on Linux using Mono but frankly it's so buggy it's better to use KeePassX. There are Android versions of either so just pick what you use.

LastPass may be easier to get started with, but (1) they charge for the mobile client and (2) I'm not really comfortable having all my passwords in a known location that I'm sure hackers are doing everything they can to get into (and have in the past been at least partially successful). Of course my KeePass data are also on the Internet, Dropbox in fact, but I save the file with an obscure extension in a location with many other files, documents and images of low interest, so a hacker wouldn't know off the cuff that it's a password safe, it all just looks like low-interest personal stuff.

I agree with regard to LastPass and keeping the file on their server. I much prefer KeePass as I can specify the location of the file (for example Wuala) which is (supposedly) more secure than Dropbox. In addition KeePass is free as stated.

As for KeePass 2 in Linux, I also agree that the Mono version is not that good, although it is getting better and changing fonts helps some. I understood that KeePassX files are not compatible with KeePass 2 files and as there are some features of KeePass 2 I like I have had to go with the Mono version but would love to see a native Linux client, or an upgrade to KeePassX to support the v2 features.

Posted

You and me both, but last update was KeePassX 2 alpha 4 released in spring sometime, so I wouldn't sit up waiting for it. To be honest, I live fine without the 2.0 features, whatever they are, not a big problem for me. The problems I had with KeePass 2 under Mono weren't just font related, though that was one of the issues. There are quite a few gotchas, try for example to select a couple of keys and move them to a different group, can't do. Overall KeePassX just feels much faster/smoother and native to Linux imo.

Posted

For me it's Roboform all the way.

Worth its weight in gold and the app for Android or iPhone is a doozy. Plus it integrates with browsers on Android devices.

Been using it for years and you would have to tear it from my cold dead hands ;)

I'd be lost without it. But thankfully they also have a cloud Sync option so nothing is ever lost.

Posted

Oh and it also has the ability to hold multiple Identities which is real handy if you have multiple companies, addresses and the like.

Posted

Personally though I never keep Paypal, Bank or other details in password managers like this. I still can't bring myself to enter that kind of data to the cloud.
