• Password Manager Programs Advice

    • This topic has 43 replies, 9 voices, and was last updated 3 months ago.
    #2721560

    Hello!

    I’m sure this topic has been discussed here, but I wanted to bring it up again to ask about recommendations for a Password Manager program. I have been thinking that it is probably time to find something more secure for my passwords, and have started to investigate such programs, but hoped to find some advice here.

    I have two laptops that are used interchangeably, so I would want something that has the capability of being used on both so that all log ins are protected.

    I run Win 10 Pro on both laptops, and use both Chrome and FF on both of them. I also use Thunderbird on both for email.

    And is it possible to also use such a program on my phone – limited use of internet, but some passwords are used on a couple of sites that I access using the phone.

    I really have little knowledge of this type of program and how they work, and would welcome any advice anyone might have.

    Thanks so much!

    ETA: I am looking at NordPass – some good deals at Newegg this weekend – but I am interested in anyone’s opinion/experience with this or others.

    • This topic was modified 3 months, 1 week ago by LHiggins. Reason: Added info
    • #2721562
    • #2721586

      Thanks. Will look into this.

      Do some of the commercial password managers like NordPass work with all browsers – and will they save passwords used in separate browsers all in the same place – or does FF need a different one than Chrome?

      ETA: And I guess a question – how does this type of software work with several computers – are passwords stored locally or on the password manager’s servers?

    • #2721608

      I’ll never trust online or cloud-based password managers. My company mandates the use of a certain one, and that’s fine since my work logins are part of their accounts.

      For my personal stuff, I use an offline password manager and happily accept the inconvenience of having to copy the database (via local methods) to back it up and make it available on more than one device.

      By the way, once upon a time (4+ years ago) NordPass left user credentials exposed.
      https://www.verdict.co.uk/unsecured-databases-nordpass/

      • #2721632

        I’ll never trust online or cloud-based password managers… For my personal stuff, I use an offline password manager and happily accept the inconvenience of having to copy the database (via local methods) to back it up and make it available on more than one device

        Yes, I have concerns about the cloud issue as well.

        So – how does an offline manager work with 2 computers? How do you move the database from one to another? Is it via USB? And how often do you backup and share the data. If I purchased one with several licenses for more than one computer – would I install it on both and then just move the database between them whenever I need to update it on one or the other?

        Thanks for the link, too. If the manager isn’t ever using cloud-based storage, is there still a danger that it could be hacked somehow?

        • #2721669

          The database is included in my regular backups of personal files. Also, since I’m well past the initial frenzy of populating it with all of my logins, I may immediately copy it to another device right after I make a change in it. That usually depends on what was changed. And to avoid mix-ups, I trained myself to only update the database on my main PC.

          As for the method of copying, no surprises here: thumb drive or file sharing via local networking. Though my phone is not one of the devices. I don’t like the idea of connecting any accounts to the most fragile, losable, and easy to steal device I own.

          With the database being offline, if we rule out someone tricking me with phishing or social engineering, hacking it means breaking into my home, defeating the hardware and software security of my PC, and then successfully decrypting the database itself. None of that stuff is infallible, of course, but it would take long enough that I’d definitely catch them. Though, like many people, my accounts are not worth anywhere near that level of effort.

    • #2721635

      You could try using KeePass Password Safe

      This is the official website of KeePass, the free, open source, light-weight and easy-to-use password manager.

      https://keepass.info/index.html

      Also:

      https://sourceforge.net/projects/keepass/

      KeePass is available in two different editions: 1.x and 2.x.
      They are fundamentally different (2.x is not based on 1.x).
      They mainly differ in portability and functionality:

      * KeePass 1.x: Runs on all Windows systems without any prerequisites.
      Does not need to be installed; is portable. Fewer features than 2.x.

      * KeePass 2.x: Runs on all Windows systems with Microsoft .NET Framework 2.0 or higher. Does not need to be installed; is portable.

      Version 2.x uses a different file format (.kdbx) than version 1.x (.kdb)

      I personally use Version 2.x (currently KeePass-2.57.1.zip) – No licensing issues.

      I have been using KeePass for more than 16 years and have never had a problem.

      • #2721665

        Yeah, I ran the original KeePass for a few years; it was totally rock solid, but I moved on to KeePassXC. It's more user intuitive, can import the KeePass database, cross platform (which I need): macOS (Intel and Apple Silicon), Android, and the inevitable Windoze. All gloriously free. You can install "Autofill" for all the regular browsers; I hesitate to use that function as quite often you need to leave the application open in the background to auto fill. As I am quite often sidetracked while working, it's not good for security.

        • #2721681

          You don’t import the database, you just open it. (File > Open)
          Same with any of the other KeePass compatible apps.

          cheers, Paul

    • #2721729

      Good morning! Thanks so much for all of this info – still digesting it all.

      A few questions – first – if KeePass is kept on a thumb drive and is portable, then can it only be run on one computer at a time – wherever the thumb drive is? What I mean is – if I am using it on my laptop and my husband is using his laptop without it – will the passwords be accessible for him without having the thumb drive in place? Or can the same KeePass program be installed on two thumb drives and each used separately?

      Guess I am confused as to how we both would be able to access any password manager on both computers at the same time if we aren’t using a cloud-based program.

      Also – I am wondering if spending time to rework my passwords based on a three word type of process, keeping that database in an offline and accessible place if needed, and setting up 2 factor for as many sites as have that might be a better approach in the long run? Time consuming, but I think any process of updating passwords would be as well.

      Thoughts?

      Thanks again for the help and info!

      • #2721743

        You can have as many copies of the Keepass program as you want, on the laptop, on the desktop and on one or more thumb drives.

        The database file needs to be available to the program when it is run. That means that you should keep as many copies of the database as you have programs. However, this increases the possibility that when changes are made in one copy of the database, the others will be out of sync, i.e. you need to keep all the copies up to date.

        I handle this by keeping one database per user. Each user can update their own database freely and once a week I synchronize all the copies.

        This is only one way to handle the databases. You could put a master database in cloud storage and allow each user to download a copy to use it. Be creative!

        I hope this helps.

    • #2721745

      I’ll never trust online or cloud-based password managers.

      Yep.

      Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

    • #2721777

      I’ll never trust online or cloud-based password managers.

      I’m not so adamant about that as I used to be.

      Personally, I use KeePass with no cloud backup, but I could never get my friends and family to warm to it. They’d just say, “Yeah, maybe someday.” Five years later, I was still the only one using a password manager.

      OTOH, I’ve had less trouble convincing them to try Bitwarden — I guess because syncing the db with desktop computers, laptops, and phones involves low friction.

      I ran into the same problem with 2FA — everyone acknowledged it was a good idea in theory, but I was the only one actually using it. (Well, me and my wife, because I forced her to use it … but she hated it.)

      Bitwarden is free for single-user, personal use, but the “Premium” plan ($10/yr or $40 for 6 users) adds the TOTP (2FA) function and unlimited password sharing between users.

      So I bought the Bitwarden family plan ($40/yr for 6 users) and in no time we filled all 6 slots. That also solved the problem with 2FA adoption, making it easy enough that now the whole family is using 2FA wherever it’s offered.

      Logically, I’d prefer my password db and my 2FA db to be separated and not in the same app, but if it comes down to putting them together like Bitwarden or my family not using them at all, I’m good with Bitwarden.

      Ultimately, the best password manager is the one you’ll actually use.

      IMHO, Bitwarden is only slightly less secure than KeePass, but precisely because of that syncing ability. Bitwarden does not know your vault password, and cannot see anything in your encrypted vault without the password, cloud or not.

      But because the encrypted database is in the cloud, that makes it more critical to use a good, strong master password. A strong password is also good policy for KeePass, but is arguably less critical than it is for Bitwarden or any other cloud-based password manager.

      There’s also the vulnerability to consider from spyware or programs on your computer that can see the vault items when your vault is unlocked on your computer … but then, the same vulnerability exists for KeePass or any other password manager, cloud-based or not.

      Also, vaults accessed via a browser extension are inherently less secure than something like KeePass, which is its own stand-alone app.

      But again, it comes back to what people will actually use. My family all use Bitwarden, with 2FA built-in, via a browser extension. That’s still better than nothing at all, which is how it used to be.

      • #2722079

        Ultimately, the best password manager is the one you’ll actually use.

        Thanks so much for this great info about Bitwarden – I hadn’t even considered that one, but I am going to look into it after reading your report on it. It does sound like it is easy to use and as you say – that is the key to it. If it is too complicated, it won’t get used as it should.

        Thanks so much!!

        • #2722123

          It does sound like it is easy to use

          I can’t say I’m a big fan of their user interface, but my family seems to like it. It seems easy enough for them. I do think it’s easier to use than KeePass or Lastpass, but I still think the interface could be better. Different strokes for different folks, I guess.

          I would suggest you give the free version a trial run. It’s easy to import or export your database items from or to another password manager, so there’s nothing to lose by testing it out. The free version is still a fully functioning password manager, not merely a crippled, time-limited trial version. The non-free versions are the same password manager with some added bells and whistles, such as the aforementioned 2FA/TOTP add-on, but if you don’t need that you can continue to use the free version forever.

          I had a couple family members who were using Lastpass, but to get them away from that security clown show I convinced them to try Bitwarden free. They really liked it. They could have stayed on a free account, but when I saw they were going to keep using it I opted for Bitwarden’s family plan so I could steer them toward 2FA, as well. They convinced the rest of the family to take the leap, too, so now I’m happy.

          As I said, I think KeePass is arguably a bit more secure, but that’s a non-starter for my family. If the choice is going to be Bitwarden or nothing, I’m happy my family is using Bitwarden.

    • #2721806

      Also – I am wondering if spending time to rework my passwords based on a three word type of process, keeping that database in an offline and accessible place if needed, and setting up 2 factor for as many sites as have that might be a better approach in the long run? Time consuming, but I think any process of updating passwords would be as well.

      I don’t think it is worth the effort. One of the main reasons the three word method is recommended is to make your passwords “easy enough” to remember. But with a password manager, you only need to remember one – the one to your database. Use the three word method for that one, if you prefer.

      If, as part of this process, you find other reasons to update/change many of your passwords, I simply suggest generating the longest and most complex passwords possible. The maximum length will vary from system to system, though, and often isn’t documented.

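To put numbers on the advice above (a memorable word-based password for the one you must remember, generator-made random passwords for everything else, and site length limits that vary), here is an added example in Python; it is not code from the thread or from any of the managers discussed. The 16-word list is constructed so the demo runs offline; the entropy figures for a real passphrase use the size of the EFF long word list (7776 words), which is an assumption about which list one would use.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Constructed 16-word list so the demo runs offline; a real passphrase draws from a
# published list such as the EFF long list (7776 words, about 12.9 bits per word).
DEMO_WORDS = ["anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
              "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pepper"]
EFF_LONG_LIST_SIZE = 7776  # assumption: EFF long word list


def entropy_bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def words_needed(target_bits, wordlist_size=EFF_LONG_LIST_SIZE):
    """How many random words a passphrase needs to reach a target entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_password(length=20, max_len=None, alphabet=FULL_ALPHABET):
    """Generator-style password from a CSPRNG. `max_len` caps the length for sites
    with an (often undocumented) limit; the loop guarantees at least one character
    from every class present in `alphabet`, for sites that demand a mix."""
    if max_len is not None:
        length = min(length, max_len)
    classes = [set(cls) & set(alphabet)
               for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)]
    classes = [cls for cls in classes if cls]
    if length < len(classes):
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def passphrase(n_words=4, words=DEMO_WORDS, sep="-"):
    """Memorable master-password style: random words; strength comes from the
    number of words and the size of the list, not from how the words are spelled."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(n_words=3, pw_len=20):
    """Entropy of an n-word EFF passphrase versus a pw_len-character random password."""
    return {
        "words_from_eff_list": round(entropy_bits(EFF_LONG_LIST_SIZE, n_words), 1),
        "random_chars": round(entropy_bits(len(FULL_ALPHABET), pw_len), 1),
    }


if __name__ == "__main__":
    print("three words vs 20 random chars:", compare(3, 20))
    print("words for 80 bits:", words_needed(80))
    print("master passphrase:", passphrase(5))
    print("site password capped at 16:", random_password(24, max_len=16))
```

Three random words from the EFF list give under 40 bits; a 20-character generator password gives over 120. The `max_len` parameter is the practical answer to the caveat that the maximum length often isn't documented: generate long, then shorten only for the sites that reject it.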
      • #2722081

        Yes, I think that my idea is a lot more work than makes sense – and I probably would get “tired” of the process well before I finished the task.

        I am going to look into the several programs discussed here and hopefully make a decision to try one and see if it is a good option.

        Thanks for your help and ideas – much appreciated!

    • #2722082

      I handle this by keeping one database per user. Each user can update their own database freely and once a week I synchronize all the copies.

      That sounds like it makes perfect sense – thanks so much for the explanation of how it could/should work. I guess if I have two copies of the database – one for each computer – as long as they are updated as needed, it should work!

      Thanks for the help!

    • #2722105

      I abandoned LastPass when they completely (and ironically) failed at security, and switched to Bitwarden. I think that was in early 2023, and I soon upgraded from Bitwarden free version to the $10 per year version. They say that they make their real money from selling the enterprise versions.

      Bitwarden has been working fine for me. I use it on 2 Windows PCs, 2 iPhones, 2 iPads and 1 Chromebook. I have yet to experience any difficulty. In the beginning I made a long password with some foreign language items, numbers, and punctuation to protect my vault. I use their built-in password generator frequently to make long and complex passwords.

      I can open the vault in a couple of seconds with FaceID on my iPhone. They support Passkeys as well, not just for logging in to the program, but you may store your passkeys for other websites within the Bitwarden vault if you wish.

      I make frequent use of the Notes field so that I can store comments that are relevant to a particular item.

      The Bitwarden program gets an update approximately monthly.

      I do not use their TOTP feature, because I have a standalone app that I like for that purpose.

      There are many competitors out there, and I cannot say if they are worse or better, I am simply reporting that I have a solution that is working fine for me.

    • #2722164

      Just one additional thought – question. My passwords are not great – and probably should be changed to be more secure. From what I’ve read – a password manager doesn’t change any – it just secures those that are already in use.

      So – when I would go to any site with the password manager – if it is still using my old password, won’t that possibly still be subject to some cyber issues? So it seems that I am still going to be faced with the task of updating and changing passwords that can then be used by the password manager and be more secure.

      Is there any way to streamline that process or is it something that has to be done one by one – which brings me back to my earlier question/idea:

      Also – I am wondering if spending time to rework my passwords based on a three word type of process, keeping that database in an offline and accessible place if needed, and setting up 2 factor for as many sites as have that might be a better approach in the long run? Time consuming, but I think any process of updating passwords would be as well.

      Thanks for all of the input so far!

    • #2722165

      I would suggest you give the free version a trial run. It’s easy to import or export your database items from or to another password manager, so there’s nothing to lose by testing it out. The free version is still a fully functioning password manager, not merely a crippled, time-limited trial version. The non-free versions are the same password manager with some added bells and whistles, such as the aforementioned 2FA/TOTP add-on, but if you don’t need that you can continue to use the free version forever.

      Thanks! And a question – so if I have one “account” – can it be used on several devices at the same time? The Bitwarden info says that both the free and premium accounts can have 2 users and 2 collections. If both my husband and I used the computers interchangeably – would that be considered one user? And could it also be used on a phone if the same “user” is using it? Guess I am a little confused about how to manage using it over 3 devices and 2 people – but in actuality only one account or user since we’d both be using the same info?

      Sorry – can’t quite explain what I mean.

      And – if I gave the free version a try and changed any passwords while using it – if I stopped using it, would those revert to the original passwords or stay as the new one?

      I appreciate the help! All new to me, so I want to be sure I understand how it all works!

    • #2722221

      Is there any way to streamline that process

      Generally not, because each site has a different password change mechanism.
      I would start with my important sites, banking etc, then maybe update the others.

      If both my husband and I used the computers interchangeable – would that be considered one user?

      I get around any user issues by using the same database for everything so only have one user.
      Having the same password database on multiple devices is one user and you can use them at the same time.

      if I stopped using it, would those revert to the original passwords

      No, the password is set on the site.
      You can export your vault data (database) – usually in CSV – to import into whatever you end up using.

      cheers, Paul

    • #2722245

      The Bitwarden info says that both the free and premium accounts can have 2 users and 2 collections.

      IMHO, the Bitwarden documentation is one area they need to work on. The info you’ve cited is a constant source of confusion — particularly the definitions of “accounts”, “users”, and “collections”.

      An “account” is a single vault (consisting of unlimited items), with a single vault username and single password. “Items” are the username/pswd combos of the individual websites to which you login. If two (or more) people are sharing the same name/pswd pairs (items) to all of their websites, they can simply use the same BW acct. IOW, both of you will use the same BW name/pw to open the one BW vault.

      One acct can be used for free on unlimited devices. In contrast, some BW competitors (Lastpass, for instance) sometimes charge extra to use multiple devices.

      The vault username (i.e., your BW “account”) is an email address, and you’ll need access to that email account to authenticate creation of a new BW account. After that, the email address is just a label to your account — i.e., you don’t need constant access to that email address just to open an existing BW vault. That makes it easy for both of you to share the same BW acct. Note the acct password is what you’ll create for your BW acct, and does not refer to your email password, even though the acct name is your email address.

      The BW vault is encrypted and stored in the cloud. When you open your vault, the encrypted blob is downloaded to your computer and unlocked there, not in the cloud. If you make changes to any vault items, the blob is reencrypted and uploaded back to the cloud. BW does not have your pswd, so cannot see (or leak) anything in your vault. But because the vault is stored in the cloud, you must consider the possibility that your vault could be leaked. It’s encrypted, so is of no use to thieves without your master pswd, so accordingly, make sure you use a good, strong master pswd.

      If two users are not sharing 100% of the same login items, sharing a single BW acct is not practical. In that case, you can create two free BW accts and selectively share only some items with each other. By “users”, BW is referring to accounts. The 2-user limit applies only to free accts. Premium accts can have more than two BW accts selectively sharing items.

      Technically, BW doesn’t share individual items, it shares “collections”. To share a website login, you must create a “collection”, move the login item to the collection, and then share the collection with another BW acct. The other acct will have access to everything in the collection, not just some items. It won’t have access to items in your vault that you haven’t put into the collection.

      Think of the implications of that strategy. Let’s say, for example, that you want to share some items with your spouse, some items with your children, and some items with both spouse and children. You’ll have to create three separate collections and invite your spouse into one collection, your children into another, and both into the third. (This is one area where I think BW could do better. It’s just confusing.)

      The 2-collection limit also applies to free accts. Premium accts can have unlimited collections — which is a good thing, considering the wonky “collection” strategy.

      FTR, a BW “family plan” is simply 6 Premium accts for a discounted price. Each acct under a family plan is no different from a Premium acct, and you don’t need to actually be “family”.

      if I gave the free version a try and changed any passwords while using it – if I stopped using it, would those revert to the original passwords or stay as the new one?

      The websites you visit don’t know or care if you’re using a password manager. When you change a pswd you’re permanently changing it on the website. Whether or not you continue to use a pswd mgr, the website doesn’t care and will still require the new pswd on subsequent logins.

      Think of a pswd mgr like a paper notebook in which you write down all your pswds. If you manually change a website’s pswd and forget to update your pswd mgr, it’s like forgetting to cross out the old pswd in your notebook and writing in the new one. (Fortunately, if you manually change a pswd on some website and don’t update your BW vault, BW will pop-up a notification when it sees you login with the new pswd and ask, “Is this a new pswd I should be remembering?”)

      A pswd mgr doesn’t take over control of what pswds are on each site, it’s just a memo pad that helps you keep track of what pswds you created for each site.

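The round trip described above (key derived from the master password on the device, the provider keeping only an authentication value plus the encrypted blob, a second device with the same master password decrypting locally) as an added illustration in Python. This is not Bitwarden's code or its exact scheme: the KDF iteration count and the HMAC-based stand-in cipher are assumptions chosen so it runs with nothing but the standard library, and a real client would use a standard AEAD such as AES-GCM. It also shows why, as noted earlier in the thread, the master password matters more when the blob sits in the cloud: a leaked copy is exactly as strong as that password and the KDF cost behind it.

```python
import hashlib
import hmac
import json
import secrets

# Assumed parameter for the demo; real products use tuned, much higher settings
# (or a memory-hard KDF such as Argon2id).
KDF_ITERATIONS = 100_000


def derive_keys(master_password, email):
    """Client side only. master_key never leaves the device; auth_hash is all the
    server gets for checking a login, and it cannot be reversed into master_key."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), KDF_ITERATIONS, 32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1, 32)
    return master_key, auth_hash


def _subkey(key, label):
    """Separate encryption and MAC keys from the one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF stream: a stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_key, items):
    """Encrypt-then-MAC on the client: blob = nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    plaintext = json.dumps(items).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(master_key, blob):
    """Verify the tag before touching the ciphertext; wrong key or tampering fails."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


class VaultServer:
    """What the provider stores per account: a hash of the auth value, and an opaque blob."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, auth_hash):
        self.accounts[email] = {"auth": hashlib.sha256(auth_hash).digest(), "blob": b""}

    def login(self, email, auth_hash):
        acct = self.accounts.get(email)
        return bool(acct) and hmac.compare_digest(acct["auth"], hashlib.sha256(auth_hash).digest())

    def upload(self, email, auth_hash, blob):
        if not self.login(email, auth_hash):
            raise PermissionError("bad credentials")
        self.accounts[email]["blob"] = blob

    def download(self, email, auth_hash):
        if not self.login(email, auth_hash):
            raise PermissionError("bad credentials")
        return self.accounts[email]["blob"]


def sync_demo():
    """Two laptops on one account: each derives the same keys from the same master
    password, so the second one decrypts what the first uploaded."""
    server = VaultServer()
    email, pw = "user@example.com", "correct horse battery staple"  # constructed
    items = [{"name": "bank", "username": "lhiggins", "password": "s3cret!"}]  # constructed
    key, auth = derive_keys(pw, email)
    server.register(email, auth)
    server.upload(email, auth, encrypt_vault(key, items))  # laptop 1
    key2, auth2 = derive_keys(pw, email)  # laptop 2, same master password
    return decrypt_vault(key2, server.download(email, auth2))


def server_view_is_opaque():
    """Whoever dumps the provider's database holds only the blob and the auth hash;
    neither that stored value nor a wrong master password decrypts the blob."""
    server = VaultServer()
    key, auth = derive_keys("pw", "a@example.com")
    server.register("a@example.com", auth)
    blob = encrypt_vault(key, {"x": 1})
    for wrong in (server.accounts["a@example.com"]["auth"], derive_keys("pw2", "a@example.com")[0]):
        try:
            decrypt_vault(wrong, blob)
            return False
        except ValueError:
            pass
    return True
```

The only thing `VaultServer` can do with a stolen `auth_hash` is pass `login`, which hands back the same blob the attacker already has; turning the blob into passwords still requires guessing the master password through `derive_keys`, one KDF run per guess. That is the whole argument for a long master password on a cloud-synced vault, and also why a recovery path that re-derived the key server-side would break the model.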
      • #2722304

        If two users are not sharing 100% of the same login items, sharing a single BW acct is not practical.

        I should clarify that doesn’t mean you and your husband can’t have separate accts to the same websites in the vault — such as separate email accts, for instance. You can create two different login items in the same BW vault, one for your email and one for his, as long as you understand that both of you will technically have access to each other’s login credentials. If that’s okay with you, you can get away with using a single BW acct even though each of you logs into a different web acct.

        With two accts to the same website in a single vault (such as two gmail accts, for example), when you go to the gmail login page BW will add a little drop-down menu in the gmail username field for you to select which gmail acct to which you want to login.

        I just wanted to make it clear that you don’t necessarily have to have two BW accts if you don’t want to.

        What I meant by “not practical” is if you have items you don’t want the other person to have access to. If so, then a single BW acct won’t be the answer.

    • #2722305

      BW does not have your pswd, so cannot see (or leak) anything in your vault

      Not strictly true because they have a recovery process, so they must hold data that allows credential recreation.
      I use KeePass which does not have recovery. If you lose / forget the password you cannot access your data.

      cheers, Paul

      • #2722329

        BW does not have your pswd, so cannot see (or leak) anything in your vault.

        Not strictly true because they have a recovery process, so they must hold data that allows credential recreation.

        I think you’re misinterpreting the scope of Bitwarden’s “Recovery Code”.

        Bitwarden does not have a recovery process for your vault password. See the first question on BW’s FAQ page.

        The “Recovery Code” is limited to bypassing 2FA if you’ve enabled 2FA on your BW account and have lost your authentication device. You still have to know your master password.

    • #2722389

      I get around any user issues by using the same database for everything so only have one user. Having the same password database on multiple devices is one user and you can use them at the same time.

      Thanks – that is my situation, so as long as I update the passwords that need updating first, then both computers can use them.

      Sounds like I have a little work to do first – LOL!

      Thanks again for all of your help. Much appreciated!

    • #2722392

      Thanks so much for the great tutorial on how BW works!

      If two (or more) people are sharing the same name/pswd pairs (items) to all of their websites, they can simply use the same BW acct. IOW, both of you will use the same BW name/pw to open the one BW vault.

      When you open your vault, the encrypted blob is downloaded to your computer and unlocked there, not in the cloud. If you make changes to any vault items, the blob is reencrypted and uploaded back to the cloud.

      Great! That is the case now, but I sometimes make changes on one computer and then need to be sure to update the info on the other one. Seems this will streamline that.

      And sorry – one other question. Right now I have passwords autofill on both computers on FF and Chrome – are those all imported into BW in one database? If I visit a site using Chrome, and my husband visits the same site on FF – the log-in is the same, but accessed on different browsers. Sometimes – like with Gmail, there isn’t any log in as long as we don’t “log out” – so will that still be the case with BW as well?

      Thanks again for the great help. I need to print this whole discussion to make myself a crib sheet going forward. Sounds like I have some work to do with the passwords, but using BW seems like a great way to keep track of it all.

    • #2722487

      autofill on both computers on FF and Chrome

      The browser data can be imported by any password manager.

      If the manager integrates with your browsers then it can auto-fill the credentials. This is usually done with a browser add in so you would need to install it in each browser.

      KeePass does not have its own browser add in (there are 3rd party ones) so I use Auto-Type, which mimics you typing the data. It is manually initiated, which I prefer as I don’t always want to login. Auto-Type also allows you to enter your details into any app.

      cheers, Paul

    • #2722541

      I sometimes make changes on one computer and then need to be sure to update the info on the other one. Seems this will streamline that.

      Yes. Since each computer and/or browser is drawing from the same cloud vault, they should all stay in sync. Syncing will be cross-computer (laptop, desktop, etc) and cross-browser (Chrome, Firefox, etc).

      Syncing happens automatically in the background, though on occasion there may be a delay. If it’s necessary to have changes propagated ASAP, the BW UI does have a “Sync Now” button.

      Sometimes – like with Gmail, there isn’t any log in as long as we don’t “log out” – so will that still be the case with BW as well[?]

      The pswd mgr only steps in when it sees a login page. If you’re staying logged in, it’s because you’ve got active cookies keeping you logged in across browser sessions. The cookies mean the browser will skip gmail’s login page, and so the pswd mgr won’t be awakened to do its thing.

      I skipped this in my earlier posts, but as Paul T points out, most people will use BW via a browser extension. BW does have a stand-alone app (like KeePass) if one prefers, but the browser extension enables so many useful features that it will be the way most people will use BW. There are browser extensions for Chrome, Firefox, and their variants. The extension needs to be installed on each installation of each browser.

      (FTR, keep in mind that while it does make it a lot easier to use, this browser integration does arguably make it a bit less secure than a stand-alone app. Many may deem the tradeoff worthwhile, but security purists may disagree.)

      You don’t have to update all your pswds before introducing a pswd mgr into the mix. Once you create an acct and install the browser extension, BW will thereafter be on the lookout for any new or changed items to add to your vault.

      Even if you login to a website via your old methods, BW will pop up and ask if you want this saved to your vault. And if you subsequently change a website’s pswd, BW will pop up and ask if you want the change updated in your vault.

      (FWIW, this is the way some of my family members populated their BW vaults, instead of via a db import. They just installed BW and went about their daily routine, and answered “yes” every time BW saw a new login and asked if it should be saved. Gradually, their new vault got completely populated.)

      And like any decent pswd mgr, BW also has a pswd generator that can suggest a good, strong pswd for you. You might find that helpful during the process of changing a website’s pswd.

       

      I’d suggest installing BW free now and importing everything as is. Then, as Paul T mentioned earlier, start with your bank and other high-value targets first and gradually change everything to better pswds, letting BW save the updates along the way. There’s no reason you have to do it all in one sitting.

      If after using it for a while you decide that BW isn’t your cup of tea, export your db and import it into another pswd mgr to try. Remember, your websites don’t care which pswd mgr you’re using — or if you’re using any at all.


      1 user thanked author for this post.
    • #2722727

      Thanks to you both for the very helpful and detailed lessons on how to use a password manager (and your continued patience with my many questions). It is becoming clearer to me how it does work and the advantages. I certainly had the wrong idea about what a password manager does and how to use one.

      If the manager integrates with your browsers then it can auto-fill the credentials. This is usually done with a browser add in so you would need to install it in each browser.

      I skipped this in my earlier posts, but as Paul T points out, most people will use BW via a browser extension. BW does have a stand-alone app (like KeePass) if one prefers, but the browser extension enables so many useful features that it will be the way most people will use BW. There are browser extensions for Chrome, Firefox, and their variants. The extension needs to be installed on each installation of each browser. (FTR, keep in mind that while it does make it a lot easier to use, this browser integration does arguably make it a bit less secure than a stand-alone app. Many may deem the tradeoff worthwhile, but security purists may disagree.)

      Good points – and shows that I still have a lot to learn about this whole process!

      Once you create an acct and install the browser extension, BW will thereafter be on the lookout for any new or changed items to add to your vault. Even if you login to a website via your old methods, BW will pop up and ask if you want this saved to your vault.

      So I can start with ones that I visit often, and if I don’t want to add them to the vault, I just click “no” on the pop up?

      As to changing and updating passwords – beyond the obvious banking and credit card log-ins (which BTW I never have automated in either Chrome or FF – I always enter those manually) – I can see in Chrome the list of weak and compromised passwords according to them. Maybe the first thing to do is go through that list and just delete log-ins that I don’t even use anymore and narrow down the list of what I actually use/need.

      …this is the way some of my family members populated their BW vaults, instead of via a db import. They just installed BW and went about their daily routine, and answered “yes” every time BW saw a new login and asked if it should be saved. Gradually, their new vault got completely populated.)

      And so maybe just populating it this way with the most critical ones first is the way to get started. Can I always just log in as usual if I don’t want to include a site in the BW database?

      ETA: And one other question – will I later be able to see the list of passwords once they are saved to the vault? And can BW create a good password if I want it to – and will I be able to see that?

      Again, thanks so much for all of the help and advice – very very much appreciated. I am hoping to give this all a try – maybe over the weekend after I take a look at some of the ones I don’t need anymore and whittle down my list a bit. I’m sure I’ll have more questions along the way – but all of this has been very helpful and has given me a lot of info on a process that I really have very little understanding of. 🙂


    • #2722805

      So I can start with ones that I visit often, and if I don’t want to add them to the vault, I just click “no” on the pop up?

      Yes.

       

      I can see in Chrome the list of weak and compromised passwords according to them. Maybe the first thing to do is go through that list and just delete log-ins that I don’t even use anymore

      Understand that what Chrome is warning you about is weak passwords in your Chrome pswd vault. If you mean merely deleting the entry from Chrome, that’s not solving the problem because the weak pswd will still be out there, associated with an acct of yours on a particular website.

      OTOH, if you mean logging in to those websites and deleting your acct with them, then yes, that would be the proper mitigation for websites you don’t use anymore.

      (FTR, most pswd mgrs will have a similar feature to advise you which pswds in your vault it thinks are weak.)

       

      Can I always just log in as usual if I don’t want to include a site in the BW database?

      Absolutely. Remember, a pswd mgr is just an assistant; it doesn’t take over for you. It semi-automates what you can still do manually if you choose.

      OTOH, keep in mind that one of the advantages to a pswd mgr is you can start using long, unmemorizable pswds that would be difficult to enter manually. A pswd mgr will either populate the entry fields for you on the website’s login page, or it will give you a copy button so you can paste the pswd yourself, without having to type it in character by character. So if you’re using super-strong, random pswds, that will make it harder to log in the fully manual way anymore.

       

      will I later be able to see the list of passwords once they are saved to the vault?

      You can see a list of every login item in your vault, and you can view or edit every field, including any login item’s pswd. This can be done either in a small window in the BW browser extension, or in a larger window by going to the BW website and browsing your BW vault there.

       

      can BW create a good password if I want it to – and will I be able to see that?

      Yes. Remember, it’s not taking over for you, but the password generator can give you one or more good suggestions you may choose to use on a website.

       

      As I suggested, just jump in and start with a free BW acct. Don’t look at it as a permanent commitment.

      For instance, you can start by using a single BW free acct for you and your husband, and after gaining some experience with it you might decide you’d rather have separate accts, or you might decide you want to upgrade to get integrated 2FA/TOTP functionality. (Note: there are stand-alone TOTP apps for phone and desktop, so you can still do 2FA with a BW free acct, just not in a single app.)

      Or maybe you’ll decide the slightly better security of the KeePass model is more important to you than BW’s cloud syncing and slicker auto-fill.

      Whatever, if you subsequently decide you’d rather try something else, you can export your db to import into the other, and delete your BW acct. No harm done.

      Many pswd mgrs have the same basic features, but bells and whistles may set them apart. At the very least you’ll gain a better idea of how you may want a pswd mgr to fit into your personal security strategy, and what bells and whistles may be of value to you personally.


      1 user thanked author for this post.
    • #2722818

      I have EVERY password in my manager and only remember the manager password. There is no point in using more than one app to remember your passwords (e.g. browser and head and manager). Put everything in one place, back it up and test recovery.

      I also store everything else in my manager. Passport / license details, tax data, hardware and software purchased, insurance policy numbers and details…
      Everything in one place, one strong password to protect the lot.

      cheers, Paul

      2 users thanked author for this post.
    • #2722993

      Here is one way to manage two humans using one BitWarden (BW) vault.

      First install the BW browser extension into your browser or browsers.
      Then click on that BW icon and open the vault with the long and complex BW password that you created when you opened the BW account.
      For this example we will pretend that you chose “No1WillEver-Raisethe1912Titanic#”
      Remember that this password is used ONLY for the BW vault and for no other purpose.

      Now go to a website used by both people; let’s use “MyFavoriteBank.com” for this example.

      The first person (call her Mary) logs in to the bank site using the username that she usually uses at that site.
      For example, the username she uses might be an email address, such as “MarysMail01@gmail.com”,
      and the password she uses at that site might be “4Mary2BankBig$”.

      If she opened the BW vault before visiting that website, BW will see that this site does not yet exist in the vault, and it will offer to remember those credentials.

      So Mary could call that item “MarysBank”. Once she is logged in, she uses the website normally and logs out when she is finished. At this point the Bitwarden icon at the top of the browser will show a tiny “1” to indicate that it knows one way to log in to the MyBank website.

      Now comes the second person (call him Robert). Robert confirms that the BW vault is open by noticing that tiny “1”. If he is using a different session or a different browser, he first opens the vault with its password “No1WillEver-Raisethe1912Titanic#”.
      When he then goes to the bank website he will see the tiny “1”.

      He logs in to the bank website as he normally would. Let’s say he uses username “BobsMail77@yahoo.com” and his password for the bank is “$BobBucks4Torontonian”.

      When he logs in, BW will recognize the website, and it will also recognize that a new set of credentials has been used. So it will offer to remember this new item, which he might name “BobsBank”. After that, the BW icon will have a tiny “2”, indicating that it remembers two different ways to log in to the site.

      So when you have BW installed on different browsers and on different machines, you always log in to the BW vault using that single vault password. For the rest of that browser session, BW will watch your URLs and allow you to choose which of the remembered items to use for logging in to any site that you have stored in the vault.

      If either person opens the vault and searches for “MyFavoriteBank”, it will show the two items. In other words, the vault will offer to use either BobsBank or MarysBank. In this example of using one vault, both Robert and Mary have access to every item in the vault.

      I hope this is helpful.

      3 users thanked author for this post.
      • #2723389

        Here is one way to manage two humans using one BitWarden (BW) vault.

        Thanks so much for this very helpful explanation!! Perfect timing, too, since I am hoping to get to trying it this weekend, and I do want one account to be able to work across two laptops and various sites.

        One question – can the same account also be used in this way on a phone? I have a few sites that I access from my phone that use a password – not sure if I can also add the phone to the laptops in the account, or if I should just continue to use a manual password there. Nothing sensitive like banking, but do require a log in.

        Thanks again for the very helpful information!

        • #2723473

          Yes. A phone is just another device where you use your passwords.

          cheers, Paul

          1 user thanked author for this post.
        • #2723526

          Yes, once the Bitwarden app is downloaded to the phone, the entire vault is available to you.

          I think it would be more complicated if you did not want the entire vault to be available on each machine. I daresay you would have to set up a separate BW account and vault for each device. That would be too complex for my old brain. In fact, I like the ability to log in to any of my sites from any device.

          But perhaps someone with more BW experience can answer this one.

          Since I use an iPhone, I can open the vault in 2 seconds using FaceID, so I do not have to type my very long vault password on the tiny phone keyboard and get it wrong.
          You may also set “session timeout” to 1 minute, 5 minutes, or longer if you wish. That would close the vault automatically for you.

          Other managers may have similar features, I only use Bitwarden now.

          1 user thanked author for this post.
    • #2723571

      I think it would be more complicated if you did not want the entire vault to be available on each machine.

      Yes, that’s my question at this point. I like your idea of how to populate the vault, and would probably want to start out with just the most used or the most sensitive passwords in the vault rather than everything at once. And on the phone, I only need a couple, so maybe I’d just hold off on putting Bitwarden on the phone, too.

      Does anyone know if the phone would need to always be on wifi to actually use Bitwarden on it?

      I spent a good amount of time yesterday working on just updating some of the passwords and making sure they work on both laptops. I am using the Chrome password manager alert page to see which have the same password and which have passwords that may be compromised, and changing them first before doing anything with BW. I’m using their password testing tool and password generator to create the new passwords where needed.

      That process may take a couple of days before I am ready to try BW – but from everything I’ve read here, I can always make changes once BW is up and running.

      …That would be too complex for my old brain. In fact, I like the ability to log in to any of my sites from any device.

      That about sums up how I feel too, LOL!! Some of this is pretty mind-bending for us age-challenged folks! 😉

      Thanks for the help and have a great day!

    • #2723614

      That process may take a couple of days before I am ready to try BW

      Go straight to BW and do the work there. You will learn BW quickly doing this.

      Put BW on the phone and use it, you will be pleased you did.

      cheers, Paul

      1 user thanked author for this post.
    • #2723619

      I spent a good amount of time yesterday working on just updating some of the passwords and making sure they work on both laptops. I am using the Chrome password manager alert page to see which have the same password and which have passwords that may be compromised, and changing them first before doing anything with BW.

      I realize everybody has their own way of working that makes them comfortable, but IMHO you’re going about it backwards. You’re trying to make everything perfect before importing into BW. But when you eventually do the import you’re going to have to review and delete duplicates anyway, so it’s not going to be perfect.

      Using Chrome on one laptop, go to Settings and export your Chrome password vault to a csv file (e.g., “Chrome1.csv”) on a USB stick. Go to Chrome on the other laptop, export that laptop’s pswd vault to “Chrome2.csv” on the same USB stick. Do the same for your desktop. Do the same for Firefox or other browsers, if you’ve saved pswds there, too.

      Now go to bitwarden.com and open your BW vault on their webpage. Import “Chrome1.csv” from your USB stick. Import “Chrome2.csv”. Repeat for “Chrome3.csv”, “Firefox1.csv”, etc.

      Now you’ll have all your pswds together in one vault. They won’t be merged yet, and you’ll have a separate BW login item for each individual entry imported from each csv file.

      Review and edit the entry items in BW. Some will be duplicates (same url, username, and pswd) imported from the different browsers. Delete the duplicate item from your BW vault.

      Some will legitimately be different login items — such as your gmail and your husband’s gmail. Keep them both, but edit the name field in BW so you can easily tell them apart.

      Some may be duplicates with the same url and username, but different pswds. One of those must be out of date, so identify which is wrong and delete it.

      Now you’ll have all your pswds merged and up to date.

      Install the BW extension on each laptop, desktop, and phone. Log in to BW on each, using your BW username and master pswd. Consequently, you’ll have all your updated pswds available on every device.

      To avoid conflicts, go to browser Settings and turn off automatic logins from the browser’s pswd vault because you’re now going to auto-fill from BW. (You may eventually want to delete all pswds from the browser’s own vault, too.)

      Spend a little time familiarizing yourself with BW’s settings in each browser — such as auto-fill, vault timeout, optional PIN, etc — and adjust to taste.

      You can then tackle the problem of weak pswds at your leisure. From the BW webpage, select “Reports” to help identify pswds you may want to strengthen. Log in to the respective websites (via BW, if you choose), update your pswd (BW has a pswd suggestion generator, too), and let BW save the change or manually update BW yourself.

      The change will be synced across all devices, so you do not need to update things on each device. (There may be a slight delay in syncing, so if you want to immediately check logging in from another device, you might need to use the “Sync Now” button on BW’s browser extension.)

      Note that BW also has a “Notes” field for each login item. That’s a convenient place to store “recovery codes” or the answers to secret questions for each website. I also record what email, phone number, or credit card I use with each website, if relevant.


      1 user thanked author for this post.
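      The review step described in the post above (drop exact duplicates from different browsers, rename distinct accounts on one site, and spot same-account entries whose passwords disagree) can be done before the import rather than by hand in the vault. The script below is an added example, not code from the post, Chrome or Bitwarden; the CSV rows are constructed and follow Chrome's export column layout (name,url,username,password,note), and the file labels "Chrome1.csv"/"Chrome2.csv" are the post's own placeholders.

```python
"""Merge browser password exports before importing them into a manager.

Added example (not from the forum post, Chrome or Bitwarden). It performs the
post's three review cases: identical entries saved in several browsers are kept
once; genuinely different accounts on one site get distinguishable names; and
same-site/same-username entries with different passwords are flagged, because
only the owner knows which one is stale. Sample rows below are constructed.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample exports, one per browser installation as in the post.
CHROME1_CSV = """name,url,username,password,note
gmail,https://accounts.google.com/signin,mary@example.com,pw-mary-A,
bank,https://www.myfavoritebank.example/login,MarysMail01@example.com,4Mary2BankBig$,
shop,https://shop.example/account,mary@example.com,old-shop-pw,
"""
CHROME2_CSV = """name,url,username,password,note
gmail,https://accounts.google.com/,mary@example.com,pw-mary-A,
gmail,https://accounts.google.com/,robert@example.com,pw-bob-B,
shop,https://shop.example/account,mary@example.com,new-shop-pw,
"""


def host_of(url):
    """Reduce a URL to its lowercase host, so two exports that saved the same
    site under different paths still count as the same site."""
    url = url.strip()
    return (urlsplit(url).hostname or url).lower()


def merge_exports(exports):
    """exports maps a source label (e.g. 'Chrome1.csv') to that file's text.

    Returns (keep, review): keep is the de-duplicated list of rows to import;
    review lists (host, username, rows) where one account was exported with
    differing passwords and a human must decide which is current."""
    by_account = defaultdict(list)
    for source, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            row = {k: (v or "").strip() for k, v in row.items()}
            row["source"] = source
            by_account[(host_of(row["url"]), row["username"].lower())].append(row)

    keep, review = [], []
    for (host, user), rows in sorted(by_account.items()):
        if len({r["password"] for r in rows}) == 1:
            keep.append(rows[0])              # same credentials everywhere: one copy
        else:
            review.append((host, user, rows))  # stale vs current: human decides

    # Several legitimate accounts on one site: make their names tell them apart.
    per_host = defaultdict(int)
    for row in keep:
        per_host[host_of(row["url"])] += 1
    for row in keep:
        if per_host[host_of(row["url"])] > 1:
            row["name"] = f'{row["name"]} ({row["username"]})'
    return keep, review


def to_import_csv(keep):
    """Write the merged rows back out in the same column layout for import."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["name", "url", "username", "password", "note"],
                       extrasaction="ignore", lineterminator="\n")
    w.writeheader()
    w.writerows(keep)
    return out.getvalue()


if __name__ == "__main__":
    kept, conflicts = merge_exports({"Chrome1.csv": CHROME1_CSV, "Chrome2.csv": CHROME2_CSV})
    print(to_import_csv(kept))
    for host, user, rows in conflicts:
        print(f"REVIEW {user} at {host}:",
              ", ".join(f'{r["source"]}={r["password"]}' for r in rows))
```

Run it on the real export files instead of the constructed strings, import the merged CSV once, and then delete the exports from the USB stick, since they hold every password in clear text.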
    • #2723640

      Go straight to BW and do the work there. You will learn BW quickly doing this.

      I realize everybody has their own way of working that makes them comfortable, but IMHO you’re going about it backwards. You’re trying to make everything perfect before importing into BW. But when you eventually do the import you’re going to have to review and delete duplicates anyway, so it’s not going to be perfect.

      Hello and thanks! You are right – I am doing more work and it will probably need to be reworked anyway, so I might as well bite the bullet and get started with BW.

      Thanks for all of the info and the encouragement. It’s probably going to be a couple of days before I get back to this with the holiday things going on, but I will post back with other questions once I get started!

      As to using it on my phone – I only have a couple of passwords that I’d need, so can they still be entered manually without having BW on the phone?

      And when I do decide I may need it on the phone at some point – is it an app from the Playstore?

      Thanks again for all of the help!

    • #2724209

      Install it on your phone! You can always take it off.

      cheers, Paul

      1 user thanked author for this post.
    • #2724396

      Just starting to get organized to give BW a try and I have a question about the Master Password. Is this password needed to unlock the vault each time I go to a website that needs a log in – on either computer? I guess my real question is if two people are using the same vault, which is how I want to start – then the password I create also needs to be something that my husband can remember when he needs to log into the vault. How long can the vault remain open and how often does that master password need to be used to open it – every browsing session, each day or at each site?

      And from reading some of the BW info, if I have one site – like my main cell phone site, but have two different log-ins at that site – one for my phone and one for my husband’s – those need to be created as separate vault items? Like My Phone and Hubby’s Phone, each with the username and password even though they are both at the same website?

      Thanks again for the help – sorting through all of the instructions and help articles at BW now!


    • #2724562

      How long can the vault remain open and how often does that master password need to be used to open it – every browsing session, each day or at each site?

      That’s configured per browser. You can set the extension to either “lock” the vault or “logout” from the vault, in time intervals from immediately to never.

      Note this is not a vault setting, it’s a setting in the extension, so you can use different timeout settings for each computer if you wish — and change them whenever you wish.

      Spend a little time familiarizing yourself with BW’s settings in each browser — such as auto-fill, vault timeout, optional PIN, etc — and adjust to taste.

       

      I have a question about the Master Password. Is this password needed to unlock the vault each time I go to a website that needs a log in – on either computer?

      No. You need the master password to unlock the vault for use on any particular computer, but once open you do not need to repeat it for each vault item you use. See question above for how often you’ll need the master password.

       

      I guess my real question is if two people are using the same vault, which is how I want to start – then the password I create also needs to be something that my husband can remember when he needs to log into the vault.

      Correct. It has to be something you can remember, but it’s important that it also be long. Perhaps you may want to try the “three word” tactic you mentioned upthread.

      Remember, you can always change your master password later, so perhaps you may want to start with something (long but) easy to enter, then beef it up later as you gain some experience in how often you’ll be using it.

       

      from reading some of the BW info, if I have one site – like my main cell phone site, but have two different log-ins at that site – one for my phone and one for my husband’s – those need to be created as separate vault items?

      Correct.

      The first person (call her Mary) logs in to the bank site using the username that she usually uses at that site. […] [BW] will offer to remember those credentials.

      […]

      Now comes the second person (call him Robert). […] When he logs in, BW will […] offer to remember this new item, which he might name “BobsBank”.  After that, the BW icon will have a tiny “2”, indicating that it remembers two different ways to log in to the site.

      1 user thanked author for this post.