
Can someone in the know indicate how to BEST manage passwords for different services in a secure way in 2016? Should I be using password managers (à la 1Password, LastPassword and others), or use something like Keychain Access on Mac OS X (what are the Windows equivalents?), anything else? It's important to note that not everyone is well-educated on the matter, despite the fact that most people on HN are technical people.

EDIT: Thanks everyone for your answers, this is a good example of the power of communities.



Download a password manager like Keepass, Lastpass or Password Safe:

https://en.wikipedia.org/wiki/List_of_password_managers

I use Keepass, it does exactly what I need.

Secure the password manager itself with a long password. Put your logins into it, and generate a unique random password for each one, then go to the website in question and change the password to the new one.

When you want to log in to that website, open your password manager, copy the password to your clipboard and paste it in. Remove the password from the clipboard (Keepass does this automatically after about 10 seconds).

That is ALL you need to do. You could get into using keys, etc, to secure the password manager but if you have a long, unique password for the password manager, it shouldn't be necessary. I'm sure others can provide you with info on how to finesse the process using online password managers, etc, but what I've just described is the basics. Start simple, ramp it up later if you're the paranoid type (which you should be ;)

EDIT: Another thing, if you can use two-factor authentication, do it. I use this on my Google accounts, Paypal and my bank.

https://www.google.com/landing/2step/

https://www.turnon2fa.com/tutorials/how-to-turn-on-2fa-for-p...

Another edit: You can store more in the password manager than just passwords. I keep a scan of my signature in there in case I have to put it into one of those (admittedly insecure) PDF-type forms to "verify" I've signed something. I also make up stupid answers to password hint questions and these also go in the password manager, e.g. "First school" -> "Dr Magnus Pike's School for Aspiring Arsonists". Too easy for people to work out what my real first school is called.
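An added example (not code from the post above, and not KeePass's own code) of the two mechanics that post relies on: a per-site password drawn uniformly at random from the OS CSPRNG, and a master password stretched with a slow KDF so that each guess against a stolen database is expensive. The function names, the 600,000-iteration default and the guess rate are assumptions for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password chosen uniformly at random using the OS CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    The iteration count is the work factor: every guess against a stolen
    database has to pay it, which is what makes brute force impractical
    when the master password itself is long (assumed parameters, not KeePass's).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def unlock(master_password: str, salt: bytes, expected_key: bytes,
           iterations: int = 600_000) -> bool:
    """Constant-time check that the supplied master password derives the stored key."""
    candidate = derive_key(master_password, salt, iterations)
    return hmac.compare_digest(candidate, expected_key)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every value of a `bits`-bit secret at the given guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    # Constructed salt; a real vault stores a random salt next to the ciphertext.
    salt = secrets.token_bytes(16)
    key = derive_key("correct horse battery staple", salt)
    print("unlock with right password:", unlock("correct horse battery staple", salt, key))
    print("unlock with wrong password:", unlock("password123", salt, key))
```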


Yeah, I've been doing that same thing with security questions, except I just generate a new random password for each. I really wish that field was automatically blocked from view without the master password like the passwords themselves are when you toggle that (excellent) option.


Is Keychain Access from OSX a safe password manager?

Also, how come all security-aware people trust 1Password and LastPass, even though they are not open source? Isn't that one of the rules of security, publish the source so we can trust it?


Another "rule of security" is that taking one step forward is better than nothing at all. So theoretically, a proprietary password manager could have a backdoor which could be used by the vendor or security services. But that's a relatively small group of people compared to "the whole world" which is where most people are with easily-guessed passwords which get reused everywhere.

Also, the idea that an army of trained security professionals is ready and able to scan open-source software for vulnerabilities isn't true - I think there was a study a few years ago which proved these security checks often didn't happen, people just assumed they did. The OpenSSH (secure shell) software was compromised for years and nobody noticed, and it is true open source and a critical part of people's systems as well.

You're looking to mitigate risks. A password manager is a step in the right direction. If you are truly paranoid (good for you) something like this, based on GPG, might be the right answer for you:

https://www.passwordstore.org/

Personally I prefer not to use cloud-based password managers because I don't know what their backend security is like. But those more knowledgeable than me might say "they're fine" because of the way the encryption is structured.


>all security-aware people trust 1Password and LastPass

I don't think this is true at all. Many people do not recommend using these services for exactly that reason. Plenty of so-called experts make lots of compromises in their choices and recommendations for various reasons.


Password manager + two factor authentication whenever possible. As for the former: Opinions here differ but my recommendation would be not to trust a "cloud" password manager and employ an offline password manager instead. KeePass works great for instance and is open source and cross-platform.


While an offline password manager is inherently more secure, at some point you're either going to have to store the database on a cloud somewhere or worry about constantly keeping your databases in sync. Whether you store it in Dropbox/OneDrive/Google/etc. or use LastPass or another service, there's always going to be some risk.

At present I still recommend LastPass because that way you can easily have everything synced on your computers, phone, etc., and it's easier to convince people to remember one strong password and let LastPass handle remembering all the other strong passwords no matter what device you're on.


Sure, with an offline password manager backups and synchronization are up to you, but even if you end up relying on cloud storage it's a different story; for instance, if you store your KeePass database on a Dropbox account and said Dropbox account gets breached, at least you know that unless there's a flaw in the encryption algorithm used by KeePass, the password database cannot be decrypted without the master password (and brute forcing it should be very impractical if the master password is good enough).

If you use service like LastPass or 1Password you can never be entirely certain that a breach or a security flaw in any of these services isn't going to expose your passwords. I'm sure they use the proper encryption measures, but like the Dropbox breach shows, shit happens and companies get hacked.

I'm not saying never use a cloud password manager, but understand that the added convenience comes with added risk; I would definitely not make my company depend on them.


There's really not much of a difference between syncing via Dropbox (or similar products) and cloud services with the following characteristics:

- Client-side encryption, meaning the service has no way to obtain your cleartext passwords (short of planting a backdoor, which is a vector that applies to all password managers).

- Full offline support, with the ability to export your database. This becomes relevant when the service is down, you're running into billing problems, or if the company goes out of business entirely.

- Availability of a native client (as opposed to web apps or extensions that act as a thin layer on top of a web app). Planting a backdoor that leaks your secrets is significantly harder when you also need to compromise the vendor's signing key, as opposed to just breaching their web server and adding some JS file.


Storing your KeePass database in the cloud vs. using LastPass have very different inherent risks.

Even if Google or your Google Drive is hacked, assuming you are using a strong passphrase for KeePass, you are still OK.

If Lastpass is hacked, that's a different story.


I just sync my 1Password via WiFi between my phone, work computer and personal computer. It's really not that much work either. Well worth keeping the vault off the internet.


What tools do you use for syncing the files? Thanks.


1Password has this built in to all their clients so nothing other than 1Password itself is used to sync.


I’ve always been under the impression the most secure and (technically) simple solution is to use the local system, like Keychain Access.

I wrote a small program that generates a list of random passwords. I just open terminal and type password, then copy/paste one of the outputs and allow Keychain Access to remember it. I do this for every service, the only manual password I use is for my actual computer, which is rotated periodically. You’ll need to manually backup your keychain file though.

This isn’t a friendly solution for most people.


I use 1Password and I'm fairly happy with it. I also use Dropbox for sync, since other methods suck. I didn't have a Dropbox account in 2012 so I'm not sure if I'm affected, but anyway, my 1Password chain should be secure even if stolen/accessed... That's what encryption is all about anyway.


Unique passwords for each site (I use a password manager) and add two factor auth whenever possible.


http://ss64.com/pass/ Download the page to your desktop and you can use it offline.


I really dislike password managers and there's good news: you don't need one to have a unique password per site. A good password algorithm is very useful:

http://penguindreams.org/blog/my-accounts-been-hacked-no-it-...

The article is dated. I'd suggest a longer minimum and 2 factor for services that support it. The advantage is unique passwords that you don't have to look up.


I used to do this before switching to a password manager; the problem with pattern-based passwords is that while on paper it sounds better than password reuse (unique passwords for each site/service while still being able to remember them, yay!) in practice you are still using the same pattern for all of them. A potential smart adversary could figure out the pattern used and then apply it to every site/service much like if the password was reused. E.g., if your Facebook password is "j0hnf4c3b00k83", an adversary could easily guess that you are using a site/service pattern, and that your Google password is "j0hng00gl383".

Of course, the pattern doesn't have to be that simple, but even if it were incredibly complex, at the end of the day you are still relying on one single pattern for all your passwords.


Right. But the idea does take advantage of the fact that some kinds of patterns are more obvious to humans and some to machines. Most people's threat model is a massive data breach rather than a determined single attacker focused on them who actually uses a smart human brain to analyze the passwords.


Exactly. If someone goes after you personally, they'd need several of your passwords (at least three or four) if you have a decent algorithm. Then they'd have to find that pattern.

Most password leverage comes from breaches and people running larger scale operations for scamming and spamming.



