
How do you store passwords and other confidential information ?

I’m tech illiterate compared to you lot.

What is this Russian trying to do? Log in and post something? Why can’t he just do that?

EGLM & EGTN

Yes; nowadays most likely selling fake passports. He can’t post (or do anything else) because we have a final manual approval step.

1Password looks nice, but it is $36/year as a baseline. Also it now stores all the passwords on their server (“the cloud”) so that’s yet another single point of failure. They can’t hash them because most web servers need the full password and compute the hash on the server, so if somebody hacks the 1P server, you have lost absolutely everything, including all your banking logins, and since this is precisely the sort of app people will use for banking logins, if anybody hacks their server they will go straight for the bank accounts… More e.g. here.

Administrator
Shoreham EGKA, United Kingdom

I use 1Password v4. It is free and stores data on Dropbox and, of course, all your devices connected to Dropbox.

I swear by it.

EGKB Biggin Hill

Peter wrote:

if anybody hacks their server they will go straight for the bank accounts

1Password, as well as LastPass, encrypt / decrypt locally and only store the encrypted password data on their server.

I don’t know the details of 1Password, but LastPass uses a key which is generated from your master password, and that key and your master password never even get transmitted to their servers, let alone stored.

They have an account recovery mechanism, which is based on an encrypted version of your key (not your password) being stored on their servers, but it is encrypted with a strong, random key which is stored on your local machine only. That account recovery uses two-factor authentication via e-mail or SMS; and if you set it up, a third factor is required (e.g., Google Authenticator).

So to use account recovery for an attack, the attacker would have to have access to your computer, AND access your mobile phone, AND access to, say, your Google Authenticator app. If you are worried about that, you can turn off account recovery, and take the risk that if you forget your master password, your other passwords are irretrievably lost.

For those who are interested:
Lastpass Whitepaper

Last Edited by Cobalt at 18 Apr 18:29
Biggin Hill
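The key-handling scheme Cobalt describes (vault key derived locally from the master password, a separate value sent to the server for login, only ciphertext stored server-side) is easy to see in code. The following is an added illustration, not code from LastPass or 1Password: the PBKDF2 parameters, the use of the e-mail address as salt, and the `login_hash` construction are assumptions modelled on the whitepaper's description, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Assumed iteration count for this example; real products use their own values.
ITERATIONS = 100_000


def vault_key(master_password: str, email: str) -> bytes:
    """Derive the 256-bit vault key on the client. It never leaves the device.

    Salting with the (lower-cased) e-mail address is an assumption made for
    this example; the point is that the salt is per-user, not secret."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )


def login_hash(key: bytes, master_password: str) -> bytes:
    """One further PBKDF2 round over the vault key, salted with the password.

    This is the only password-derived value the server ever sees. It is a
    one-way function of the key, so a dump of the server database does not
    yield the key (assumed construction, modelled on the whitepaper)."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib stand-in
    for a real cipher; in production use AES-GCM or ChaCha20-Poly1305)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the vault key.
    return (
        hmac.new(key, b"enc", hashlib.sha256).digest(),
        hmac.new(key, b"mac", hashlib.sha256).digest(),
    )


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Done on the client."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def server_record(master_password: str, email: str, vault: bytes) -> dict:
    """Everything the server would hold for this user: no key, no password."""
    key = vault_key(master_password, email)
    return {
        "email": email,
        "login_hash": login_hash(key, master_password),
        "vault_blob": encrypt_vault(key, vault),
    }


if __name__ == "__main__":
    # Constructed sample vault contents for the demonstration.
    vault = b"bank.example.com: user=pilot pw=correct-horse-battery-staple\n"
    rec = server_record("my master password", "Pilot@example.com", vault)
    key = vault_key("my master password", "pilot@example.com")
    assert key not in rec.values() and key != rec["login_hash"]
    print(decrypt_vault(key, rec["vault_blob"]).decode())
    try:
        decrypt_vault(vault_key("wrong password", "pilot@example.com"), rec["vault_blob"])
    except ValueError as e:
        print("wrong password:", e)
```

The thing to notice is what a stolen server database gives an attacker: an e-mail address, a one-way hash that only proves knowledge of the key, and a blob that cannot be opened without a key that was never uploaded. Cracking it means running PBKDF2 per guess against each user, which is why a long master password matters more than anything the server does.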

Fully relying on cloud password storage is dangerous even if perfectly encrypted: if you lose access to the server for any reason, you are simply out of luck. To avoid it, always keep a local copy of the encrypted file. I would actually use the local file as a master copy, and back it up to the cloud every time it is changed.

LKBU (near Prague), Czech Republic

Indeed, so Timothy’s dropbox distribution is ok because the way dropbox works is that you have a copy on each device which is synced to dropbox. So if dropbox went belly up you would still have your copy.

There is a fun gotcha here: in a surprisingly aggressive move, dropbox has just started limiting the maximum number of devices to just 3 (in its free version; the paid version is not exactly cheap). If you had more linked, you can keep them linked. Of course there are alternatives, including DIY-hosted ones like the Synology Cloudstation, but the Q is whether you get the client integration which dropbox does very well.

Administrator
Shoreham EGKA, United Kingdom

I’m pretty sure that with KeePass you can use a variety of remote storage solutions, including cloud (google, dropbox, etc) and more standardized (sftp, https, etc).

tmo
EPKP - Kraków, Poland

I’ve been using Splashdata product SplashID for over 10 years. I bought a lifetime licence at one point for an unlimited number of devices. I’m very happy with it as it is extremely stable and just never crashes. All I need to remember now is the single master password to access the safe.

They offer a cloud based subscription for sync of all devices. But there is a config option to not use the cloud, and that option allows local wifi sync which is all that I use. I’ve set up my PC as master and all mobile devices as slave. That is, the master always overwrites the slave. There are other config options to sync both ways, but I’ve made a decision to only modify the master so I always have a fixed reference point. Sync is initiated by the slave and is a manual event. While not as convenient as an automatic sync of all devices across the cloud, it has the advantage that I have total control of my data and it only exists on my devices. I make a backup copy regularly, and sync from the master to all mobile devices when I’ve made enough changes to make it worthwhile or maximum about once a month. It just takes a few minutes.

It generates passwords if one wants, defaulting to 8 chars (configurable to generate upper and/or lower and/or nums and/or special chars) up to a max of 70 chars which should easily confound the most powerful hacker system ever created. I never used the feature for a long time, but almost every web site needs a login to do anything useful so now I don’t bother manually creating passwords and just let the generator do it for me… much more secure and quick. I keep the app open and handy to then retrieve a password when I need it.

LSZK, Switzerland
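The generator described above (character classes switchable, length from 8 up to 70) is a few lines with a CSPRNG, and it is worth attaching the entropy figure to the length, since 8 characters is a very different proposition from 70. This is an added example, not SplashID's code; the class names and the requirement that every enabled class appears at least once are my own choices.

```python
import math
import secrets
import string

# Character classes matching the options the post lists.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

MIN_LEN, MAX_LEN = 8, 70  # the defaults/limits quoted in the post


def charset(upper=True, lower=True, digits=True, symbols=False) -> str:
    enabled = {"upper": upper, "lower": lower, "digits": digits, "symbols": symbols}
    alphabet = "".join(CLASSES[name] for name, on in enabled.items() if on)
    if not alphabet:
        raise ValueError("at least one character class must be enabled")
    return alphabet


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def generate(length=MIN_LEN, upper=True, lower=True, digits=True, symbols=False) -> str:
    """Uniformly random password from the enabled classes, using `secrets`.

    Resamples until every enabled class appears at least once, so a site
    that insists on 'a digit and a capital' does not reject the result.
    Rejection sampling keeps the distribution uniform over accepted strings."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = charset(upper, lower, digits, symbols)
    enabled = [CLASSES[n] for n, on in zip(CLASSES, (upper, lower, digits, symbols)) if on]
    if length < len(enabled):
        raise ValueError("length too short to include every enabled class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in enabled):
            return pw


def guesses_per_second_years(bits: float, rate: float = 1e12) -> float:
    """Expected years to exhaust half the keyspace at `rate` guesses/second
    (a round number assumed for illustration, not a measured figure)."""
    return (2 ** bits / 2) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for length, symbols in ((8, False), (16, True), (70, True)):
        alphabet = charset(symbols=symbols)
        bits = entropy_bits(length, len(alphabet))
        print(f"{length:2d} chars, {len(alphabet)} symbols: {bits:6.1f} bits,"
              f" ~{guesses_per_second_years(bits):.3g} years at 1e12/s:"
              f" {generate(length, symbols=symbols)}")
```

The numbers make the point the post gestures at: 8 characters from upper, lower and digits is about 47.6 bits, which a GPU rig guessing a weak site hash at 10^12 per second clears in roughly a day, whereas 16 characters with symbols is over 100 bits and 70 characters is far beyond any brute force. The length default, not the maximum, is what a user should change.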

Aren’t passwords obsolescent with the emergence of companies like Trusona?

London, United Kingdom

If you want to do this sort of thing (a “master password” solution) there are loads of options. Many programmers use Truecrypt or Veracrypt and this creates a highly secure encrypted partition on your HD, which mounts as a logical drive, so you enter your password and up comes say drive x: and you have access to all the confidential data in there. You keep passwords in plain text in a file there and copy/paste them. You can keep all sorts of stuff there e.g. certificates. This isn’t “transparent” but sidesteps various vulnerabilities of the slick integrated products which inject the password in for you, as a browser plug-in. It is completely futureproof too.

I still wonder who would have wanted to destroy that pilot shop?

Administrator
Shoreham EGKA, United Kingdom
