

Brief overview of Password Managers (I'd really love criticism if I'm wrong). - dfischer
http://blog.danielfischer.com/2011/05/12/its-time-to-start-using-a-password-manager/

======
armored
I'm using KeePass with Dropbox to sync the db files. Without 2 factor. If you
don't want to put all your eggs in one basket, I'd suggest using separate
databases. One for each client is a good method. You have to remember more
passwords so your secretpass+clienthash method.

One thing about using a password manager is that it needs to be easily
accessible or you will fail to enter all your assets in it, and it becomes
less valuable. That's why I use KeePass & Dropbox which makes my passwords
available on my Win7 workstation, my Android phone and my iBook.

~~~
dfischer
So in the case of someone getting your master password and access to your file
you'd be open to someone stealing all your credentials. That doesn't bother
you? Especially since you're probably more exposed to attack vectors by being
on a Windows machine and having your local file system compromised in some
way?

~~~
armored
It's not perfect, but that's not what I'm after. Password authentication is
horribly broken and it always has been. I need a solution that is reasonably
secure and helps me manage hundreds of passwords. I need these passwords to be
available to others in the event of my death or dismemberment.

If you store a key on that same compromised Windows machine you are still
screwed. End of story. Even if you store it on removable media they just grab
it & your password at the time of access.

------
stock_toaster
I would love a password manager that supported HOTP[1] or TOTP[2] (in
conjunction with something like Google Authenticator). My mobile is pretty
much always with me, and works well as a software-based dongle (with OTP
generators).

[1]: HMAC-Based One-time Password

[2]: Time-based One-time Password

~~~
dfischer
I love the Google 2 step process. It would be _amazing_ if someone included
this (I'd say either LastPass or Passpack).

~~~
AdamGibbins
A YubiKey and master password is pretty much the same as this, if not more
secure due to needing a physical token?

Both LastPass and Passpack currently support YubiKeys.

~~~
dfischer
This is true, your phone is also a physical token. I just like the fact that I
can use something I already have instead of having to buy a YubiKey.

