

Ask HN: Password manager? - Mister_Snuggles

With the recent news about Heartbleed and the advice to change all passwords (which should be done periodically anyway), I figure it's time to look at the state of password managers again.

I've got a general set of requirements, but I'm also interested in what HN likes in general.

My general requirements are:

- MacOS/iOS/Linux support
- Cross-platform syncing, but not reliant on a specific service provider (e.g., WebDAV sync or folder sync is preferred over Dropbox sync)
- Encryption done locally - the syncing should really just send a blob of encrypted data.
- The usual browser integration, password generation, storage of metadata (password last changed, notes, etc) stuff.

So far 1Password with WiFi sync looks like the closest fit, but I'm curious to know what else is out there.
======
caleb23
I would recommend using LastPass as a password manager. Here is some advice I
recently wrote up on passwords.

In regards to Heartbleed, the Security Check that LastPass offers will help
with that in terms of notifying you of the sites that you should change your
passwords on since they were vulnerable to Heartbleed, but really all sites
could be vulnerable to it, so I would recommend changing all your passwords
fairly frequently over the next few months.

As long as the password is not contained within a list of commonly used words
and isn't in the dictionary, length is the most important thing. The second
most important thing I would say is using the widest variety of characters
possible including lowercase letters, uppercase letters, numbers, and special
characters.

You want to generate a secure password from a password generator such as GRC's
Password Generator. I always generate my passwords to be 50+ characters but
everything over 15+ characters will be fine.

Also, make sure you change your passwords every 3 months and don't share your
password with anyone. Lastly, store your passwords securely using a password
manager such as LastPass ([https://lastpass.com/](https://lastpass.com/)). You
should have a strong master password with LastPass and use two factor
authentication. You should also use two factor authentication with all of your
other accounts that offer it.

If a site requires a secret question, make sure the answer to that question is
one no one else would know, or make it a password or phrase that you would
remember. Don't reuse passwords on other things as well (only use the same
password once).

Make sure when you are logging in that the site is using HTTPS (the browser
addon HTTPS Everywhere can help with that) and you aren't logging in from a
public network such as from Starbucks. Even if you are logging in from a
private network, I recommend using a VPN that uses encryption such as proXPN.
For your home or office network that you are logging in from make sure it is
using WPA2 encryption, it has a random network name, a secure password, you
have changed the default credentials for the network settings to something
secure, you have disabled WPS, etc.

That is all I can think of right now in terms of password security, but those
are the main things that you should focus on in terms of secure passwords.

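The length-versus-character-variety point in the comment above, as an added example that is not part of the original thread: a generator built on Python's `secrets` module, plus the entropy arithmetic for uniformly random passwords. The function names and the four character classes are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes named in the comment above (assumed mapping to ASCII sets).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALL = tuple(CLASSES)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_to_match(target_bits, alphabet_size):
    """Shortest length over a given alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length=50, classes=ALL):
    """Random password from the OS CSPRNG containing every requested class."""
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        # secrets.choice is uniform; redraw until each class appears, which
        # costs a negligible amount of entropy at these lengths.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


if __name__ == "__main__":
    full = len("".join(CLASSES.values()))  # 94 printable ASCII symbols
    for n in (15, 50):
        print(f"{n} chars, {full}-symbol alphabet: {entropy_bits(n, full):.0f} bits")
    # Lowercase-only length that matches a 15-character full-alphabet password.
    print("lowercase-only equivalent:", length_to_match(entropy_bits(15, full), 26))
    print(generate(50))
```

Because entropy grows linearly with length but only logarithmically with alphabet size, dropping from 94 symbols to 26 is offset by a few extra characters.
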
------
ScottWhigham
You might want to also check the site search for past entries. This question
comes up at least monthly here in an Ask HN: format. Heartbleed hasn't changed
which password manager I've used but that's b/c mine is offline. It may have
changed some other folks' though.

~~~
Mister_Snuggles
I actually did a couple of searches and only came up with stuff from years
ago. What terms did you use?

~~~
ScottWhigham
With the new search engine, you can easily add "ask hn" to any keyword you
want and just use that as a filter -

[https://hn.algolia.com/?q=password+manager#!/story/forever/0...](https://hn.algolia.com/?q=password+manager#!/story/forever/0/password%20manager%20%22ask%20hn%22)

------
palcu
I'm an OSX and Android user. My current setup is to use MacPass on my laptop
and KeePassDroid on my phone. The database is synced using Dropbox. The only
problem might be browser integration, but I'm not that lazy and I can
copy-paste the password from the app.

