Post by J. Clarke
Post by Dorothy J Heydt
Post by Torbjorn Lindgren
So unless you don't have more than 3-5 accounts in total the only good
option is some kind of Password Manager. Could be a free local one
like KeePass (which I use), the free tier of an online password
manager service or a paid premium service.
Would you care to explain how a password manager works and how to
find one?
It keeps your passwords in an encrypted file with a copy on your
computer and a copy on the vendor's web site. When I want to log into a
web site, the password manager pops up and with permission fills in
login name and password. It can also fill in address and other
information. When you create an account it will generate a string of
random characters for a password (or for a login for that matter), so
every account has a different password and none of them are
susceptible to social engineering or dictionary attacks.
That's the modern online version; the older type of password manager
uses an encrypted file instead that the owner controls.
I use KeePass, which is of that type, and use Dropbox to make that
encrypted file available on all my devices; if I edit it in multiple
places while they're offline KeePass merges the edits as long as
they don't edit the same entry (at which point I have to manually merge).
Obviously the web versions require less knowledge (even if they do
very similar things internally) and like this all? work even offline
(by caching).
Post by J. Clarke
The password manager has a master password--that's the only one that
you have to remember--use a passphrase, where you use the first (or
second, or third, or last, or whatever) letter of each word, and
substitute numbers or symbols where they fit.
Yeah, it needs to be emphasised that the various companies do NOT have
access to your passwords and can't help you if you lose that, the
encryption protects the data even from them (and thus also from
untrustworthy employees, hackers and various other things).
Since losing access to all your passwords would be bad for many
people they all suggest various solutions to this; one I remember gave
you a long list of numbers to print out and hide in a safe, others
suggest hiding the actual master password in that same safe.
The same applies if other things happen; the canonical example is if
someone dies, some kind of back-door access is often desired but needs
to be strictly controlled.
Of course adding two-factor authentication (i.e. a physical dongle or
mobile app) can be used to further improve security if desired, and
secure it against "safe raiding" if necessary.
Whether that's due to forgetting the password or other
causes (including things like dying).
Post by J. Clarke
The one that my employer (Fortune 100 financial services, 3/4 trillion
in assets under management--whole floor of a large building devoted to
data security) provides is LastPass, which works on Windows, OS X,
iOS, and versions of Android prior to 11 (it kind of works on 11 but
not well). LastPass has recently been bought up by another company
that has tripled the price and eliminated most of the utility of the
free tier, so I do not recommend it. But have not found a completely
satisfactory replacement either.
AFAIK LastPass is the market leader for both private and business by a
substantial margin with 1Password being the second largest player.
1Password doesn't seem to offer a free option at all which is probably
why LastPass felt safe to reduce their free offering to just "one
device *type*" (i.e. either one or more PC/Mac/Linux OR one or more
Mobile phone/tablet/smart watch) which for many isn't enough (they
need both). And their respective paid tiers are fairly similarly
priced now too.
Dashlane, Bitwarden and KeePass seem to be other common password
managers mentioned.
Bitwarden is open source and probably the best free online password
manager option since their free tier doesn't seem to have any
limitations on count or types of devices, but it does get criticized
for being "less polished" than the other ones.
Dashlane is more of a business-oriented one and their free tier is
limited to one device (the most limited of the free ones).
KeePass I mentioned above, completely free but doing it on multiple
devices is "do it yourself" so it's more for techies.
Most (all?) of them provide various Family accounts which are much
cheaper per user and can sometimes offer additional (optional)
solutions to the "what if I lose the password" scenario while still
stopping free or unnoticed access.
I've not read up enough on this on any of them to have a good opinion
on whether that's something people should enable or not (may well vary
between the products). So do read up on it if someone is looking for
that.
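The thread describes the architecture of a password manager without showing it: a file encrypted under a key stretched from the master passphrase, per-site passwords drawn from a CSPRNG, and a vault that is useless to the vendor, a Dropbox thief or anyone else who lacks the master password. The toy vault below, added here as an illustration and not code from KeePass, LastPass, Bitwarden or any other product, shows those pieces end to end in Python's standard library. Its assumptions are labelled in the code: PBKDF2-HMAC-SHA256 stands in for the Argon2 or AES-KDF a real manager would use, an HMAC-SHA256 counter-mode keystream stands in for AES-256 or ChaCha20 (never use this cipher construction in production), the `TOYVAULT1` format tag is made up, and the sample entries are constructed. The point to take away is that a wrong master password is rejected by the authentication tag before anything is decrypted, and a correct one is the only thing that recovers the entries; this is why no vendor can reset it for you.

```python
# Added illustration of the vault architecture discussed in the thread.
# Not the real file format or cipher of any password manager.
import hashlib
import hmac
import json
import os
import secrets
import string

MAGIC = b"TOYVAULT1"       # hypothetical format tag (assumption), 9 bytes
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 100_000   # modest so the example runs quickly; real tools use more

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def derive_keys(master: str, salt: bytes):
    """Stretch the master passphrase into an encryption key and a MAC key.

    A salted, slow KDF is what makes an offline guess at the master password
    expensive. The vault file alone gives an attacker (or the vendor) nothing.
    PBKDF2 is used here as a stand-in for Argon2/AES-KDF (assumption)."""
    material = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a toy stand-in for AES/ChaCha20."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the entry dictionary into one self-contained blob.

    A fresh salt and nonce per save means two saves of the same vault look
    unrelated on disk (or in Dropbox)."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + tag + ciphertext


def open_vault(master: str, blob: bytes) -> dict:
    """Verify the tag before decrypting. A wrong master password (or a
    tampered file) is rejected here without revealing which entries exist."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    pos = len(MAGIC)
    salt = blob[pos:pos + SALT_LEN]
    pos += SALT_LEN
    nonce = blob[pos:pos + NONCE_LEN]
    pos += NONCE_LEN
    tag = blob[pos:pos + TAG_LEN]
    pos += TAG_LEN
    ciphertext = blob[pos:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, MAGIC + salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random per-site password from the OS CSPRNG, so no two sites share one
    and none is guessable by dictionary or social engineering."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    entries = {"example.com": {"login": "alice", "password": generate_password()}}
    blob = seal("correct horse battery staple", entries)
    assert open_vault("correct horse battery staple", blob) == entries
    try:
        open_vault("correct horse battery stapler", blob)
    except ValueError as err:
        print("rejected:", err)
```

Two things worth noticing when running it: the same vault sealed twice produces different bytes (fresh salt and nonce), so a sync service cannot even tell whether an entry changed; and the wrong-password path fails at the tag check, which is exactly the behaviour that makes the vendor's copy worthless to them and makes the recovery sheet or family-access feature the thread mentions the only way back in.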