So, I'm doing my due diligence tonight and changing all the passwords I can get my hands on (see http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/). At the same time I've finally bitten the bullet and decided to use a password manager.
Up until this point, I've used SuperGenPass, which honestly has worked fantastically up until this point, but has the fatal flaw of not being able to generate new password iterations (sure you can add a nonce to the password, but my memory is pretty terrible as it is).
So currently looking at two options. One is LastPass, which comes highly recommended by some friends, has been around forever and is one of the most proactive services I've seen in notifying users if one of the accounts they use may have been compromised. They also have a premium membership for $12/year, which honestly is probably worth it if only because it makes me a customer, not a user. It has a nice browser plugin for Chrome, support for several forms of multi-factor authentication (including Google Authenticator) and can do password generation for you. Downside is that their UI is a bit horrible - the number of times I've accidentally generated 6 passwords for a site tonight is pretty damning.
The other option is using Google Chrome's password manager. It's part of the browser (which makes a hell of a lot of sense), these days it integrates nicely with password vaults like GnomeKeyring, it will sync your passwords (though you really want to check that "encrypt my passwords" checkbox), if you use your Google sign-in then of course you can use Google Authenticator and as a nice feature, there's a password generator you can turn on. Downsides? Mainly that its detection of password prompts is not always reliable. And that there's no way to manually get it to populate a field or add a password by hand.
Honestly, secret management should be handled by the OS, but given I currently work on three different operating systems each day I can't really just jump on one platform's solution. Thus password management at the browser level seems like the best bet.
Well, at least until something like BrowserID kills off passwords entirely. Can't wait for that day to arrive.