G+: So, I'm doing my due diligence tonight and …

David Coles
So, I'm doing my due diligence tonight and changing all the passwords I can get my hands on (see http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/). At the same time I've finally bitten the bullet and decided to use a password manager.

Up until this point, I've used SuperGenPass, which honestly has worked fantastically up until this point, but has the fatal flaw of not being able to generate new password iterations (sure you can add a nonce to the password, but my memory is pretty terrible as it is).

So currently looking at two options. One is LastPass, which comes highly recommended by some friends, has been around forever and is one of the most proactive services I've seen in notifying users if one of the accounts they use may have been compromised. They also have a premium membership for $12/year, which honestly is probably worth it if just that it makes me a customer, not a user. It has a nice browser plugin for Chrome, support for several forms of multi-factor authentication (including Google Authenticator) and can do password generation for you. Downside is that their UI is a bit horrible - the number of times I've accidentally generated 6 passwords for a site tonight is pretty damning.

The other option is using Google Chrome's password manager. It's part of the browser (which makes a hell of a lot of sense), these days it integrates nicely with password vaults like GnomeKeyring, it will sync your passwords (though you really want to check that "encrypt my passwords" checkbox), if you use your Google sign-in then of course you can use Google Authenticator and as a nice feature, there's a password generator you can turn on. Downsides? Mainly that its detection of password prompts is not always reliable. And that there's no way to get it to manually populate a field or add a password by hand.

Honestly, secret management should be handled by the OS, but given I currently work on three different operating systems each day I can't really just jump on a platform's solution. Thus password management at the browser level seems like the best bet.

Well, at least until something like BrowserID kills off passwords entirely. Can't wait for that day to arrive.

(+1's) 2
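As an added illustration of the rotation problem described in the post above (example code, not SuperGenPass's actual algorithm; the master secret, site names and the `derive_password`/`rotate` helpers are constructed for this demo): a stateless per-site generator only produces a new password if one of its inputs changes, so rotating a site's password means recording a per-site version counter that the generator itself never stores.

```python
import base64
import hashlib

# Constructed sample master secret for the demo; never hard-code a real one.
MASTER_PASSWORD = "correct horse battery staple"


def derive_password(master: str, site: str, version: int, length: int = 16) -> str:
    """Derive a per-site password from (master secret, site, version).

    PBKDF2-HMAC-SHA256 keeps the derivation deliberately slow. The version is
    bound into the salt, so bumping it yields an unrelated password without
    changing the master secret; changing the site changes the output too.
    """
    salt = f"{site}\x00v{version}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)
    # base64 keeps the result printable; trim to the site's length limit.
    return base64.b64encode(key).decode()[:length]


def rotate(rotations: dict, site: str) -> int:
    """Advance a site's rotation counter and return the new version.

    `rotations` is the per-site bookkeeping a purely stateless scheme lacks.
    It reveals nothing about the derived passwords, so it can live in a plain
    text file or be synced freely; the only secret is still the master.
    """
    rotations[site] = rotations.get(site, 1) + 1
    return rotations[site]


def current_password(master: str, site: str, rotations: dict) -> str:
    """Look up the site's current version (default 1) and derive its password."""
    return derive_password(master, site, rotations.get(site, 1))


if __name__ == "__main__":
    # Constructed rotation store: one site, first generation.
    rotations = {"example.com": 1}
    old = current_password(MASTER_PASSWORD, "example.com", rotations)
    rotate(rotations, "example.com")           # the step that must be remembered
    new = current_password(MASTER_PASSWORD, "example.com", rotations)
    print("before rotation:", old)
    print("after rotation: ", new, "(differs:", old != new, ")")
```

Forgetting the counter after a rotation reproduces exactly the author's complaint: the generator cannot tell you which version a site currently expects.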
Matt Giuca
Good summary. I too use SuperGenPass (in fact I probably put you up to it) and it's great except when you have to change passwords.

I'm scared of a recurring fee for something as important as a password manager. I don't want to be held ransom. Does LastPass provide you with an encrypted file which you can decrypt without their software in case it goes away or stops working?

David Coles
+Richard Fuller Storing passwords locally would be ideal (either in the OS or some tool like Password Safe). My main concern is that I switch PCs so often (Home, Work, Laptops, Australia, US, Japan) that keeping them all in sync would be a hassle. Will definitely take a closer look at Password Safe though - I mean it's by Bruce Schneier. ;)

The Chromium project also mentions "Browser sign-in + OpenID" as the end solution to passwords, but I can't find any specifics on their plan beyond http://www.chromium.org/developers/design-documents/password-generation

+Matt Giuca And yes, I'm pretty sure this was something that I started using after you did your full review of the system and that blog write up. I think I can thank you for much of my good taste in software.

Michael Poloni
I've been using KeePass to store my passwords for several years now.  There are Linux, Windows, MacOS, iOS and Android apps to read the database, which I store locally.  I don't like the idea of relying on someone else to store my password database.

I haven't yet moved to KeePass 2 because there are some features of the UI that I don't like.

Michael Poloni
Do you/we really need to go and change every password to every site?  Not all sites/services have been affected.  But maybe it's too much to assume that all who have been will tell us?

David Coles
+Michael Poloni Mainly I figured it was as good of a time as any to fix up some of my weaker passwords and to change some of the older ones that haven't been updated in a while. Because if not now, when else am I going to do it?