• Can you use a free password manager, or must you pay?


    • This topic has 50 replies, 23 voices, and was last updated 1 year ago by Decmcs.
    #2639433

    PUBLIC DEFENDER By Brian Livingston We all face security threats on the Internet. A common recommendation by tech pundits is this: at each website whe
    [See the full post at: Can you use a free password manager, or must you pay?]

    9 users thanked author for this post.
    • #2639457

      Long ago, I started with KeePass and it still does the job perfectly for me.

      3 users thanked author for this post.
      • #2639516

        Re. KeePass: There was an open-source fork called KeePassX. Development on that password manager stopped in Dec., 2021. A related project, KeePassXC, is still maintained. This program has the advantage of allowing a local or private Cloud-based database. (In other words, you create the encrypted database locally, then upload it to a Cloud provider of your choice). The program is security audited from time to time.

        https://keepassxc.org/ 

        -- rc primak

        5 users thanked author for this post.
        • #2639632

          Thanks for mentioning that, rc primak.  I use KeePassXC.  I find it easier to use than KeePass, and it is more secure and more stable.  Remember those exploits last year that hit many password managers?  KPXC was not affected.

          • #2640104

            KeePass can store your database in the cloud as well.

            Saving your database in the cloud has the downside of not being able to get to it if you have a problem with your internet connection / access to the cloud store. I always store (and backup) my database locally and have a copy in the cloud.

            cheers, Paul

            2 users thanked author for this post.
        • #2640448

          I use KeePass on our Windows 10 Pro PC and KeePassXC on our Linux Mint Cinnamon PC. One nice thing is that the format for each program’s database is compatible, so I can copy a password database from, say, our Windows PC to our Linux PC and it’ll work.

          1 user thanked author for this post.
    • #2639473

      Brian,

      Let me add to your password heresy, based upon numerous experiences with clients recently. Writing down passwords in a notebook is fine provided one can read one’s own writing, and one makes a clear distinction between letters and digits that have a similar appearance, for example zero (0) and the upper case letter O. The lower case g and the digit 9 are another source of confusion. Many people today have become keyboard-centric, which means their ability to write individual letters clearly has become diminished. I have to struggle to print letters and numbers myself, even though I had a pre-CAD high school drafting class that made clear printing mandatory.

      So here is what I tell my clients:
      1. Make up a document containing all the necessary information to log into one’s website. It can be free-form with Word or the now-deprecated Notepad, or, better, maintained in an Excel spreadsheet.
      2. Print out this information for future reference.
      3. Zip up the file of passwords and give the ZIP file a misleading name, just in case hackers hack a system. Or, copy the file to a USB flash memory stick, and put the stick in a safe place. No matter what, do not leave the file in plain sight.

      The advantage of this approach over handwritten passwords is clear. The information is perfectly legible. One can also copy and paste a password from the document into the password field to log in.

      My point about password legibility was driven home recently when a client brought over a laptop for service and kindly wrote down the password to log into the system. I called to ask that the password be repeated to me over the phone, because his printed password was well nigh impossible to decipher.

      5 users thanked author for this post.
      • #2639552

        A trick I use so I remember exactly which characters are which when writing something that contains a mix of upper/lower case letters, spaces and numbers is…

        Write the letters in ALL CAPS and place a line ¯ above each capital letter/blank space and a crossbar thru capital Z.

        Write the digits one & seven “European style” (i.e. with a serif at the top of 1 and a crossbar thru 7) and always write zero with a slash thru it.

        1 user thanked author for this post.
        • #2640434

          I use KeePass and chose Monaco as the default password font because it displays a zero with the slash through it.

          I also use Monaco for certain lists in MS Word that contain alphanumeric serial numbers.

      • #2640000

        > Make up a document containing all the necessary information… It can be free-form with Word… Zip up the file of passwords.

        I keep some sensitive info in a password protected Word document. Setting a password for the Word DOCX files adds SHA-256 encryption to the document. Viewing it with a HEX reader reveals nothing but gibberish. Not so using a HEX reader to view a DOCX file with no password.

        Zipping the SHA-256 encrypted Word DOCX file with 7-zip adds another layer.

        I feel comfortable with this.  Am I missing something?


        Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
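A quick way to verify the hex-view observation above, as an added example that is not from the thread: an unencrypted .docx is a plain ZIP archive whose XML part names (and, for stored entries, their text) sit in the clear, whereas a password-protected .docx is wrapped in an OLE2 compound-file container that holds only ciphertext. Both sample files below are constructed inside the block; the "encrypted" one is just a header stub, not a real encrypted document.

```python
import io
import zipfile

# Published container signatures:
#  - unencrypted OOXML (.docx/.xlsx/.pptx) is a ZIP archive: "PK\x03\x04"
#  - password-protected OOXML is stored in an OLE2 Compound File (CFB),
#    signature D0 CF 11 E0 A1 B1 1A E1, with the ciphertext in a stream
ZIP_MAGIC = b"PK\x03\x04"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def office_container_kind(data: bytes) -> str:
    """Classify an Office file by its container; content is not parsed."""
    if data.startswith(ZIP_MAGIC):
        return "zip"      # plain OOXML: any unzip tool lists and reads the parts
    if data.startswith(CFB_MAGIC):
        return "cfb"      # encrypted OOXML (or a legacy binary .doc/.xls)
    return "unknown"


def readable_parts(data: bytes) -> list:
    """Part names that an unzip tool (or hex editor) exposes in the clear.
    Returns [] for anything that is not a ZIP container."""
    if office_container_kind(data) != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(zf.namelist())


def leaks_text(data: bytes, needle: str) -> bool:
    """True if the raw bytes contain the text verbatim (what a hex reader shows)."""
    return needle.encode("utf-8") in data


def make_plain_docx() -> bytes:
    """Constructed sample: a minimal, unencrypted .docx-shaped ZIP.
    Parts are STORED (not deflated) so the text is byte-visible, as in
    a document whose XML is small enough that Word leaves it uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body><w:p>bank pin: hunter2</w:p></w:body></w:document>")
    return buf.getvalue()


def make_encrypted_docx_stub() -> bytes:
    """Constructed sample: CFB signature plus opaque padding, standing in for
    a password-protected .docx. Not a real encrypted file."""
    return CFB_MAGIC + bytes(504)


if __name__ == "__main__":
    for label, blob in (("plain", make_plain_docx()),
                        ("protected", make_encrypted_docx_stub())):
        print(label, office_container_kind(blob), readable_parts(blob),
              "text visible:", leaks_text(blob, "hunter2"))
```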

        • #2640105

          > Am I missing something?

          Only the ability to easily enter that data into sites. Managers make it easy to find the data and enter it in your browser / app.
          And generate one time passwords.
          And list poor passwords and duplicates.
          And check your passwords against HIBP.

          cheers, Paul

          2 users thanked author for this post.
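Added example (not code from the thread or from any password manager) of how the HIBP check Paul lists works: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the Pwned Passwords range API, and the full hash suffix is matched locally against the returned list, so the service never sees the password or its full hash. The range response below is constructed, with made-up counts; `fetch_range` is the only function that touches the network and is not called on import.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"   # real HIBP endpoint


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_upper: str) -> tuple:
    """k-anonymity split: only the 5-char prefix ever leaves the machine."""
    return sha1_upper[:5], sha1_upper[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines returned for one prefix into {suffix: count}.
    With the optional 'Add-Padding: true' request header the service mixes in
    dummy suffixes with count 0; they parse the same and never match as breached."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in known breaches, given the range response
    for its own prefix. 0 means the suffix was not listed (or was padding)."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network): fetch the range for a 5-char hex prefix."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "hibp-range-example",
                                          "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is the first line;
# the counts are invented, and a real range holds hundreds of suffixes.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FAA:2
003D68EB55068C33ACE09247EE4C639306B:0
"""

if __name__ == "__main__":
    for pw in ("password", "correct-horse-example"):
        prefix, _ = split_hash(sha1_hex(pw))
        print(pw, "prefix sent:", prefix,
              "breach count:", breach_count(pw, SAMPLE_RANGE_5BAA6))
```

To check a real password, replace `SAMPLE_RANGE_5BAA6` with `fetch_range(prefix)` for that password's own prefix; the match is still done locally.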
          • #2640812

            Thanks, Paul T.

            I neglected to mention that I do use a password manager and that the SHA-256 encrypted Word DOCX file is an independent secure reference, not a daily go-to.

            Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

            • #2641002

              I attach files to entries in my password manager if I need to secure them. Obviously not big files. 🙂

              cheers, Paul

    • #2639464

      I’ve used the open-source “passwordsafe” for a very long time and I wonder why it is never mentioned in comparisons of password managers. I like it very much — it is simple, secure and does everything that I need.

      1 user thanked author for this post.
      • #2639522

        Open-source projects are usually ignored by the for-profit tech press. Money talks, as in any for-profit business community.

        -- rc primak

        1 user thanked author for this post.
        • #2639635

          The original author of PasswordSafe is Bruce Schneier, so that program has a lot of cred.  He still recommends using it.

          1 user thanked author for this post.
      • #2643561

        Same here. I’ve used Password Safe (pwsafe.org) for a long, long time, and think it’s terrific. It’s small, fast, portable, has every feature I need, and is available in Android and iOS versions as well as Windows. That’s particularly handy, because I always have it with me if I have my phone.

        I keep my password safe in OneNote, and so have it available anywhere I need it (including the above-mentioned phone!)  I also keep the Password Safe portable application in OneNote so that even on a “strange” computer I have the ability to open, manage, and otherwise make use of my password database.

        It’s been a terrific solution for my password generation and management needs.


    • #2639471

      Why isn’t KeePass discussed more? It is free. Password file is encrypted. The sole vulnerability (not sure a real world vulnerability) was recently patched. I store the database on my google drive and have multiple device access…every PC, laptop and phone has full access. I get it’s not “visually” pretty, but cost is perfect and by every review it is secure. So why not regularly recommended? The only complaint I’ve ever seen is it’s not “simple” – who cares…it’s SECURE and works perfectly…what am I missing?

      2 users thanked author for this post.
    • #2639500

      Has anyone but me ever heard of Secret! by LinkeSoft????

      It is old-fashioned SHAREWARE, so, you can try it out for free and the price is EXTREMELY reasonable.  I think I have spent less than $25 on both desktop and phone versions including purchasing both Android and Apple at various times.

      LinkeSoft is a German company and seems to be a “family” operation.

      I use Secret! which is an encrypted database file ON MY COMPUTER with a synchronized file on my smartphone.  Because it is a simple database file, I use it for more than passwords – – information about my car: VIN, license plate . . .; Insurance information . . . . I can safely back up the data file, or copy it to another computer for a second installation because it is an “encrypted” file.

      It is not “pretty” and taking the time to synchronize regularly might be a pain for some, but it has been working for me for close to 25 years and the “support” is fantastic! Because of the “time difference,” I usually have a reply in less than 24 hours.

      I know I am a Luddite and an antique. But I really prefer having all this information ON MY COMPUTER, not on someone else’s server! And I know that if something happens to me, my family (who all have the master password) can log into that file and find EVERYTHING they need to handle my affairs. And it will not be lost due to non-payment of monthly fees or other issues that might affect a file not held locally.

      https://www.linkesoft.com/secret/

      • #2639533

        Hang on. Brian promises to do an upcoming article about password managers which store your database locally.

        -- rc primak

        3 users thanked author for this post.
      • #2640110

        Secret! seems fine but it uses less secure (not by much) 128 bit encryption and doesn’t seem to have any way to enter data into sites / apps without using the clipboard (clipboard use is generally frowned upon because it’s relatively easy to intercept the data).

        cheers, Paul

    • #2639519

      I think the biggest problem with a stolen password notebook is that the thief can access those protected websites (and change the username/password) a lot faster than you can recover your backup copy and manually change each and every one of those passwords. Unless those websites have 2-factor authentication, I wouldn’t recommend this storage method.

    • #2639559

      > Long ago, I started with KeePass and it still does the job perfectly for me.

      Keepass2 is good. Encrypts on the PC (Windows, Mac, BSD, Android, Linux (phone and tablet));
      the encrypted database can be stored separately in an online cloud (pCloud or Dropbox, whatever), or locally on a USB drive on your keyring.
      Encrypts with a password and with a 2nd decryption-secret if you like.

      * _ ... _ *
      1 user thanked author for this post.
      • #2640111

        KeePass does not have a 2nd decryption secret. It has only one master key.

        cheers, Paul

        1 user thanked author for this post.
    • #2639484

      One issue I’d like to see addressed for these password managers is the ability to import and export passwords. I have over 1000 passwords between personal and business accounts. While I’m not currently looking to change my password manager, I have changed in the past.

      Sometimes it was easy but other times the old manager was so protective that it wouldn’t export.  Sounds like Password Kludge 1.0!

      I also store other sensitive information in my password manager such as account numbers, credit card numbers, or other passwords that I want to reference while I’m on a site.  Do any of the recommended password managers have this capability?

      Thanks for the articles!

      • #2640112

        KeePass imports about 40 formats and there are advanced CSV imports if your format isn’t supported.

        cheers, Paul

    • #2639501

      Brian,

      BIG ISSUE FOR YOUR ENTIRE TEAM…  and not just about Password Managers…

      Like you, some years ago, I bought what everyone in software said was the “best” password manager.  Until the company stopped making it!

      Which, as in your personal story, meant hours of copy, paste and re-enter data.

      POINT:  When I read the “consensus” recommendations in your article, I find myself wondering “how many of these small companies will still be in business in five years???”

      How do we get recommendations that are not simply “the best for today,” but are somewhat prophetic in terms of looking forward (if possible) — and at least only recommend products that have “export” functions or future migration paths.

      When Microsoft Money was discontinued, it took me several days (literally) to migrate thousands of entries in dozens of accounts to Quicken. Who’d have thunk that Microsoft would abandon the best designed product in that space. But they did!

      AGAIN… Would you please share this point with all of your colleagues – it’s not just about what’s the best “today.” It’s about longevity and what will still be “available” and properly supported for the future.  If it is even possible to know that.

      Would love any kind of response, either to email address above, or in future article.  I’m a “lifetime” subscriber.

      Thank you!


      • #2640064

        > It’s about longevity and what will still be “available” and properly supported for the future.

        No one can predict the future. But I believe that password managers with top ratings from several independent test labs have a greater chance of long life than apps with no top ratings.

        A long life is especially likely for apps that have both a free version and a paid version. The free version ensures that many people will try the app. The paid version gives the developer a flow of revenue that encourages the continued development of the code. (The code could even be turned over to a third party for maintenance and support, if there’s sufficient annual revenue to justify a third party taking responsibility for the code.)

    • #2639577

      Brian – thanks for tackling this important but often overlooked subject, which has many pitfalls as you’ve ably described.  I used to subscribe to Dashlane but it became prohibitively expensive.  When I finally cancelled to go for an able but much less expensive alternative, it managed to secrete itself on my computer and popped up at the most inappropriate times.  I really had to hunt in all sorts of places to finally get rid of all the vestiges that not even Revo Uninstaller got rid of.

      Anyway, my new and very satisfactory password manager is Ashampoo’s Sticky Password, which often comes in a very good deal – with lifetime updates.  I’d love to see your verdict on this after a trial and review.

      Thanks for all your great work and for making this comprehensible to us non-pros who try to keep up with all the changes in the software that runs our daily lives.

      Best,

      Eric

    • #2639636

      I use a Chrome browser called Slimjet. I downloaded and installed the BitWarden extension, but I find the instructions hopelessly confusing. Why do I need a BitWarden account? Why should I send my credentials over the web to someone I don’t know? I just want to save my credentials on my local computer and have the browser fetch them from my local computer, without saving those credentials within the browser itself. I downloaded the .pdf file “Password Manager Browser Extensions”, but I find the instructions impossible to understand. From where do I create a folder? There is no Settings tab. There is no “Folders” item from a “settings list”. What are they looking at that I can’t see? Why should this be so complicated? So far, I hate BitWarden and I don’t see how you can recommend it. I downloaded the Windows desktop portable app, but I don’t think I will install something that is 223 MB in size. Why so much bloat? All in all, this has been a bad experience. Can someone help me understand my failings? Thank you.


    • #2639890

      I keep my logins in a text file to copy and paste because long complex passwords are too difficult for me to enter manually. I keep the file on 2 encrypted flash drives that I insert when needed and eject when done, (the second is a backup copy). Is this a good practice?

      • #2640113

        It is not “bad” practice, just much less convenient than a password manager.

        cheers, Paul

    • #2640057

      For the security paranoid, regardless of your chosen password storage method, you may want to consider including a “seed” constant that you can easily remember & type.  You include it as part of each of your passwords, but you never record it in your password “database”.  You can enter the constant-seed either before or after each stored variable-partial-password to complete each full-password.  If a hacker/thief somehow captures your recorded password stash, they’ll only have partial passwords without the additional “off-storage” seed.


      2 users thanked author for this post.
    • #2640201

      Good pair of articles.

      I use, and find it useful, Mail from Vivaldi Browser and it has a password manager, which is fine as it recalls the password when I lose it. But not if I try to email from a browser page…..

      However, I use Thunderbird for mail and it offers a manager but I have mislaid the access password!!!!

      Life is a pain, isn’t it? ;)

      • #2640250

        This is why one good password manager is better.
        And if you sync it with your phone you have access to a copy if your PC dies.

        cheers, Paul

    • #2640252

      Compass Bookmark Manager. Oldie but goodie, a small program that hasn’t been updated since 2001. It works well as a password manager AND also valuable for me as a complete bookmark note taking tool for every website I use.

    • #2640376

      Why is Outlook Notes a bad password depository? The Outlook environment can be quite secure, depending upon setup.  .ost files are quite secure. Outlook Notes can be in Cloud and local. For a decade we’ve been told it is about to be deprecated, and that hasn’t happened. It is always maligned, but I can’t find the actual weakness documented. Please enlighten me.

    • #2640632

      > KeePass does not have a 2nd decryption secret. It has only one master key.
      >
      > cheers, Paul

      I have used it for years, the 2nd decryption factor, or do you state that this second necessity to encrypt/decrypt, based on “something you have” like a YubiKey or any specific control file one chooses, is not true?

      getkey

      Plus one can combine this method with the PGP encryption sequence one uses.
      In case your expertise states that this is impossible, I have used this PGP encryption for years too as an individual, just like TrueCrypt that was banned by the USA.

      * _ ... _ *
      • This reply was modified 1 year ago by Fred.
      • #2640655

        You are adding more than one component to the “Master Key”.

        Your comment read as “you can have a different decryption key”. English subtleties.  🙂

        cheers, Paul

      • #2640656

        > TrueCrypt that was banned by the USA

        I don’t think so (I use Veracrypt without issue).

        cheers, Paul

    • #2640675

      > You are adding more than one component to the “Master Key”.
      >
      > Your comment read as “you can have a different decryption key”. English subtleties. 🙂
      >
      > cheers, Paul

      The text is: “Encrypts with a password And with a 2nd decryption-secret if you like.”

      That line is not open for the (mis)interpretation you did, even in the American English tongue.
      You are just wrong, and saying something like sorry might be polite.

      Maybe this line is not correct too to your expertise standards; do you want me to explain in German, French, Dutch or ‘Kings’-English ?

      ps: TrueCrypt was forced to build in backdoors, and they just didn’t comply. Might be nice to tell this story?

      * _ ... _ *
      • #2640688

        You split the terms encryption and decryption, implying they were different. KeePass does not consider them different, hence the correction.

        cheers, Paul

    • #2640706

      > You split the terms encryption and decryption, implying they were different. KeePass does not consider them different, hence the correction.
      >
      > cheers, Paul

      > You are just wrong, and saying something like sorry might be polite.

      But you are the expert.

      When you widen this subject a little more, for instance the PKI encryption infrastructure compared to this (deliberate?) misinterpretation of something that cannot be understood differently, then someone might learn something here.
      🦧

      * _ ... _ *
      • #2640729

        Nothing deliberate about the misunderstanding. Just the way I read it.

        cheers, Paul

    • #2641510

      I have used the paid version of LastPass Premium for approximately 15 years – because it syncs to all of the devices of both my wife & me.

      Was shocked that it was not in the list of the best password managers.

      • #2641512

        > I have used the paid version of LastPass Premium for approximately 15 years – because it syncs to all of the devices of both my wife & me. Was shocked that it was not in the list of the best password managers.

        It could be because of the security breach they had last year. Search Lastpass breach.

        • #2641516

          I am aware of that breach and their slowness to communicate a response to its users.

          I am sure that affected its ranking. I guess more than I would have thought!

          1 user thanked author for this post.
          PL1
    • #2641741

      I see that you didn’t even mention RoboForm.  I’ve been using RoboForm since 2005, first on WinXP, then on both Windows 10 & my iPhone.  It was a one time purchase for WinXP.  However, when I wanted to sync both Windows 10 & my iPhone, I had to get a subscription.  Nevertheless, I have found it to work flawlessly & their support exceptional.  By the way, I tried LastPass Premium, but found it harder to use than RoboForm & their support slower.

      2 users thanked author for this post.
    • #2642495

      > I use a different email address/username at each website. Since time immemorial, I’ve paid $19.99 a year for Yahoo Mail Plus. This service enables me to create “customized” email addresses. I’ve made 400 customized email addresses. Bonus: If a site sells my email address to spammers, I disable the address and give the site a different one. I’ve only had to do this five times in 400 addresses. (Oddly, computer trade shows are the worst at selling the email addresses of registered journalists to spammers.)

      I have done this same thing with Yahoo Mail Plus over many years and now have 350+ customized email addresses.  They are super handy and effective in all the ways you’ve mentioned including the computer trade shows issue.  Same thing here.

      Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

      1 user thanked author for this post.
    • #2646864

      Password managers are all very well as long as they are secure, but what happens when they’re hacked? If you use a password manager you are placing a lot of trust in other people’s hands. In my view this is a problem which does not require an elegant software solution – quite the opposite.

      I keep my passwords in a spreadsheet on Dropbox. The information in the spreadsheet is incomplete, so even if it fell into the wrong hands it would be useless. Hints such as “Jim’s birthday dd-MMM-yyyy” or “first car registration” are enough for me, and little use to anyone else outside my family.

      Because they lack confidence with technical solutions I advise all my older friends to use an address book, and adopt the same strategy of writing hints for each password, rather than the complete text.

      Important passwords which other people might need after my death are kept in plain text (typed and printed, not handwritten!) in a safe, accessible only by people I trust.

      1 user thanked author for this post.