Password Manager Suggestions

facade

With all the recent talk about scammers, and having had most of my details published by a hack to a utility website, I suppose it is time to move into the 21st century and get a password manager.

Obviously it has to be free, or very low cost  

I just want to prevent my browsers storing any passwords, and have the manager autofill the password when needed. (I imagine they all do this...)

I want local storage of my passwords (obviously encrypted) as I am a bit of a Luddite, and don't like the idea of my passwords being stored on t'interweb. Apart from not having control over who can steal them, if the storage site is down, or under attack I won't have access to my passwords. (I do know that if t'interweb itself is down I won't need them )

So, The Comics seem to recommend bitwarden - but that uses web storage.

A search on "best password managers that use local storage" suggests KeepassXC.

Does anyone have any suggestions?

k_man

Keepass (or one of the compatible forks) is the obvious choice if local database is a requirement.
I used it for many years before moving to a cloud based solution, to allow use on multiple devices, and mobile.

Just make sure you have a very robust backup strategy, otherwise a local PC/storage problem could lead you to be unable to login to any online services.

Also ensure credentials etc for your backup, are not in your password manager.

Finally while you are reluctant to use cloud based password managers, the choice of master password, and manager configuration (encryption settings and password iterations), should mean that even if the vault/database is stolen (from cloud, or your PC), the data is safe for a long enough period to allow you to take action.
Or to put it another way, you can should be just as vigilant if using a local database or cloud based.

mgfvvc

I've used variants of KeePass for years. You can get clients for PC, Mac and Android. I assume there are also iphone clients. It works fine for me, but I'm techie, so I can't say how a normal user would find the interface.

facade

Thanks both.

I think I'll go with Keepass then.

tbh, I'm not as concerned with the hosting site giving away my passwords as I am with it being down right when I need to log in somewhere

tacpot12

I, too, have been overhauling my security recently. I just wanted to put in a good word of Keeper, the password manager that I use. I have the Keeper app on my iPhone and this uses local storage on the iPhone so you always have access to your passwords even if you have no internet connection. It synchronises with the cloud-based vault seemlessly.

It also has a very good extension for Microsoft Edge, and supports a range of 2FA tokens for browser access on the PC. I agree with k_man's other comments re cloud-based password managers.

I actually wanted a pasword manager that had to be paid for because it means that the provider can afford to keep up to date with the latest threats and has a commercial obligation to do so, rather than a 'best-endevours' basis. A free service that doesn't have the backing of another signficant income stream seems likely to become  vulnerable over time.

I have recently switched from Google Authenticator to 2FAS Auth as part of my security upgrade, and use this when I access my password manager via a browser on a PC.  

I also use a FIDO (physical) USB token as a backup for the soft tokens provided by the Google/2FAS Authenticators.   

(I currently have 461 password in my Keeper vault!)

outtatune

Keepass for me too, with Keepass2Android for my phone.

stinky_daddy

I personally use Password Safe, make a new file (on my laptop) for any entries that I have added / updated and then copy that file into my google drive in order to access the new file on my android phone

HTH

s_d

400ixl

facade said:

tbh, I'm not as concerned with the hosting site giving away my passwords as I am with it being down right when I need to log in somewhere

Then go with Bitwarden which is the better choice. Yes it keeps a copy online, but it also keeps a sync'd copy to your devices so you are not dependent on the internet connectivity for it to work.

facade

400ixl said:

facade said:

tbh, I'm not as concerned with the hosting site giving away my passwords as I am with it being down right when I need to log in somewhere

Then go with Bitwarden which is the better choice. Yes it keeps a copy online, but it also keeps a sync'd copy to your devices so you are not dependent on the internet connectivity for it to work.

It does?

Bitwarden just bang on about the passwords being stored in the Microsoft Azure Cloud in the USA (if that isn't a red flag, I don't know what is )

I tried bitwarden, I logged on, but nothing seems to have happened. I probably need to RTFM .

flaneurs_lobster

400ixl said:

facade said:

tbh, I'm not as concerned with the hosting site giving away my passwords as I am with it being down right when I need to log in somewhere

Then go with Bitwarden which is the better choice. Yes it keeps a copy online, but it also keeps a sync'd copy to your devices so you are not dependent on the internet connectivity for it to work.

Don't think it does. It encrypts passwords (& other data) locally before moving it to the vault which is usually their cloud but can be your own server solution.

400ixl

You have to be logged into Bitwarden at the time that you are offline, but it will then continue to work. It does not store the master password on the local device which is required to login.

So yes it does keep a local copy of the passwords (encrypted), but not the master password. Gives a level of flexibility others don't but maintains the high level of security.

Obviously not entirely flawless in that if you haven't logged into Botwarden on the local device before going off line you won't get in, but for the vast majority of circumstances it works fine.

Better than manually copying vaults around between devies.