What is everyone else using these days?
I also use iTerm2's system-wide hotkey to quickly show/hide a dedicated terminal window that I use for retrieving passwords.
I've been using this setup for years now and I absolutely love it. The only downside is no access from my phone, but I always have my laptop with me and I memorize passwords that I frequently use.
On Android, I use Password Store to sync my `pass` directory and use it from the phone. It's a very high quality app; I had no issues after years of usage.
If that's not a problem for you, KeePassX is definitely a solid password manager!
For iOS: https://github.com/mssun/passforios works really well and it's open source.
The deal breaker for me before vs 1PW was that I would store quite a bit of info in 1PW for some logins. Filling out a whole sign up form might include birthday security question/answer, name, and more. For various reasons, I don't always use real info so having this info automatically saved or easily added as new fields is great. I know Lastpass has a few extra field options and a notes section within each login, but the fields aren't enough and I don't want to have to manually add all the info into the notes like some people I know do. I'd rather pay a few dollars more a month and get the convenience and time saved.
I'm sure it makes up for the extra ~$25 a year. And the family plan at $60 a year for up to 5 family members isn't a bad deal in my opinion either if that can work for you. I know it sucks compared to buying the apps one time, but I don't feel it is as bad the outcry was/still is.
I guess I'm looking at this strictly in terms of what is best for my day to day life. It's not worth it worrying about a few extra dollars a month when I only have a handful of subscriptions as it is.
I'm not going to go into details, sorry.
I would recommend 1password over lastpass as well. First reason being the security issues of lastpass chrome extension. Though they claim it is fixed now, they have claimed so before on other issues only to be proven wrong after. I simply don't trust them anymore with my data.
But even more I would choose 1password over its usability. I used lastpass before but switched during the past few security issues reported. I have never looked back. 1Password is much better integrated in your mobile devices. The app feels more robust and is easier to operate. In addition the whole process of setting up your devices felt easier and more secure using 1password.
Second. My wife understands it which is a big plus. She doesn't complain anymore about the cumbersome lastpass. We keep a shared vault as well. That alone is worth every penny and maybe the only reason I keep with a commercial password manager. I don't think she will use the alternatives.
I would strongly advise you to at least try it. It claims to be able to import your lastpass, though personally I didn't try as my lastpass was a bit of a mess.
I don't see how that would make it better for me to not comment at all.
Apparently you have knowledge on the subject so a sentence or five would have helped everybody reading this thread. In fact, it is what I would expect from an HN comment. I usually read the comments before the article as on HN there is often more information than the actual article. Most often different sides of the coin are enlightened in the comments, bringing insight into the otherwise one-sided monologue in the article.
for a real link to the same article
- compatible with pass
- support for multiple stores
- store binary data (e.g. QR codes for seeding 2FA) : upcoming
- report / track issues on github.com/justwatchcom/gopass/issues
- more details here : https://www.justwatch.com/gopass/docs/
$ pass insert -m mybinarysecret <secret.png
$ pass show mybinarysecret >secret.png
In your .gpg-id file, simply list the keys you want to encrypt for on separate lines. Every file below that .gpg-id file in the directory hierarchy will be encrypted for any of those keys to unlock.
If you want a more granular key strategy, look at gopass, which is a pass-compatible binary that gives a little more granular control over key usage (IIRC), and is written in Go.
Since I don't have the one time pass anymore the encrypted file is not usable anymore and I have the same key to both machines.
Please explain any holes with that flow.
I also use Arq to automatically backup to S3 every hour, and I also do manual backup to my external backup drives once in a while.
I don't, and wouldn't, use dropbox or any other non-free non-self-hosted system to manage the storage or synchronisation of my secure data, so it's unison(rsync) and/or ssh'd between desktop and laptop.
For everyone else KeePassXC is really nice.
I really like that there are so many "clones" and variants that can read/write the file format natively: https://en.wikipedia.org/wiki/KeePass#Unofficial_KeePass_rel...
Yeah, the KeePass database is encrypted and I secure it with both password and keyfile, but I still want something that won't leave my database "out there" available for bruteforce attempts or other attempts at it.
I don't trust the servers (Dropbox or my), and thus I want it encrypted on my computer prior to sending it out on the Internet.
My Dropbox is secured by MFA, with the Dropbox password itself being a random password within the KeePass keyfile. I store the whole Keepass program for Windows inside the same Dropbox account, feel free to indicate that as a security gap. On mobile I use the KeePass2Android app.
I think the feeling is the same as the feeling of just leaving your SSH private key "out there". Sure, it's protected with a passphrase, but I still don't want to do that.
Can you trust Dropbox would never have security issues? See https://blogs.dropbox.com/dropbox/2011/06/yesterdays-authent...
It didn't matter if you had MFA or used a secure password.
Crashplan is my backup tool of choice and also backs up the Dropbox, just in case...
import hashlib
from base64 import b64encode

password = b64encode(hashlib.pbkdf2_hmac(
    'sha256',  # hash name not shown in the post; 'sha256' assumed from the PBKDF2-SHA256 discussion later in the thread
    (master_password + '/' + domain).encode(),
    b'',       # salt argument not shown in the post; an empty salt is assumed here
    100000 + n
)).decode()[0:16] + 'Aa$1'
domain = domain name for the service in question, e.g. 'facebook.com'
n = the nth password being generated for the domain (typically 0)
The 'Aa$1' is to ensure satisfaction of stupid password rules on various websites.
- Open source. You don't have to use some random person's password manager software that you have no clue how or where the passwords are being stored or the trustability of the people who wrote the software.
- Portability. You can run this on any OS including a phone with a Python implementation, and it's pretty easy to port the above to any other language with a hash library.
- No files to lose. You don't need to worry about losing a password manager's database, you don't need to worry about syncing the database across machines, and you can compute the above on any machine that you own and trust. Kernel panics while you're on vacation? No worries! Reformat your PC with a fresh Ubuntu install and compute the above to get access to your bank account, plane tickets, and e-mail again.
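A general form of the scheme in the post above, as an added example that is not the commenter's code: it makes the hash name and salt explicit (both assumptions, since the post shows neither), checks the result against a typical site password policy, and recovers the per-site counter n from a password you still have, which is how the 'n' state can be reconstructed without keeping a file. The master passphrase used in the demo is a constructed sample.

```python
# Added example, not the commenter's code. HASH_NAME and SALT are assumptions:
# the post shows neither argument.
import hashlib
import string
from base64 import b64encode
from typing import Optional

HASH_NAME = "sha256"   # assumed; the thread later discusses PBKDF2-SHA256
ITERATIONS = 100000    # from the post
SALT = b""             # assumed; the post's salt argument is not shown
KEEP = 16              # base64 characters kept, from the post
SUFFIX = "Aa$1"        # from the post: one upper, one lower, one symbol, one digit


def derive(master_password: str, domain: str, n: int = 0) -> str:
    """Site password for (domain, n). The counter n is folded into the
    iteration count, exactly as the post does, so n=0 and n=1 differ."""
    dk = hashlib.pbkdf2_hmac(
        HASH_NAME,
        (master_password + "/" + domain).encode(),
        SALT,
        ITERATIONS + n,
    )
    return b64encode(dk).decode()[:KEEP] + SUFFIX


def satisfies_rules(password: str, min_len: int = 8,
                    max_len: Optional[int] = None) -> bool:
    """A typical site policy: length bounds plus one character from each class.
    The fixed suffix guarantees the classes; only a length bound can fail
    (a 16-character cap rejects the 20-character result)."""
    if len(password) < min_len:
        return False
    if max_len is not None and len(password) > max_len:
        return False
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)


def recover_counter(master_password: str, domain: str, known: str,
                    max_n: int = 10) -> Optional[int]:
    """Which recent counter produced a password you still have? Lets the
    counter be reconstructed after losing whatever file tracked it."""
    for n in range(max_n + 1):
        if derive(master_password, domain, n) == known:
            return n
    return None


if __name__ == "__main__":
    master = "constructed master passphrase"   # constructed sample input
    for site in ("example.com", "example.org"):
        for n in range(3):
            print(site, n, derive(master, site, n))
```

Each derivation costs 100,000 PBKDF2 iterations, so `recover_counter` is cheap for the handful of counter values a person would plausibly have used, while the same cost is what an attacker pays per master-password guess against a leaked site password.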
"You must use one of these special characters: %^&*()"
This is what your scheme doesn't address.
- You have to keep track of n for every site.
- If the master password is compromised, you have to change each password manually.
- Not well-integrated with browsers.
- Far less convenience on a phone.
I consider this far better than having to keep a password manager's database. n = 0 for the vast majority of sites without sensitive personal data. For the small handful that need to change, I usually sync them all to the same value of n about once or twice a year.
> - Not well-integrated with browsers.
I use Chrome's password-saving feature for websites that don't store sensitive personal data. For websites that I consider sensitive, I actually like that it isn't integrated with the browser.
> - Far less convenience on a phone.
This is true. If my laptop can act as a bluetooth keyboard to my phone it might make life easier.
- If last few recent n's don't work, I just reset the password to the most recent n.
- There are browser extensions
- There are apps, and my web UI (https://ph.leftium.com) works OK (and a bookmarklet adds more convenience)
Keep in mind that most password managers also encrypt your password database with your master password, so my solution isn't any worse than those.
Memorizing even a 16-character (upper/lower + symbols) random string as your master password would be 16*6 = 96 bits of entropy which is more than enough.
Dealing with memorizing ONE good 16-character random string is within the abilities of most people. Dealing with multiple ones is what is hard.
For me, playing around with hashcat, was an eye opening experience and I truly believe in the Schneier quote from above.
When an attacker acquires a leaked database, they're not cracking high entropic passwords.
Also, a character has at most 8 bits of entropy, not 64. If you use base 64 it's only 6 bits of entropy. 16 x 6 = 96 bits is still more than enough though.
A downside if everyone used this scheme would be parallelized attacks on reversing the hash for the key. If you find a key that, with this scheme, creates a password for your service, you found the corresponding secret key. This then compromises all of that user's passwords.
I actually am not a fan of 2nd-factor authentication (e.g. phone). If you lose the physical thing or it gets leaked to a stranger, gunman who mugs you, leaked by security holes in the thing's own embedded OS, it's no longer helping your security. I'd rather authentication depend on only what's in my mind and body and nothing external. Also, I lose stuff and forget stuff pretty easily, so I often just avoid carrying anything.
Randomly choose 6 words from a 10k English dictionary and you're set. Hell, make it 12 words. Still insanely easier to remember than a 12 character alphanumeric/symbol password, and much more difficult to crack.
It has 50,105 words. Gets you an extra 2.3 bits per word.
Not exactly true if they are separate words. In a word-based password scheme, you are treating entire words, not characters, as units. The chance of fire, truck, and firetruck appearing in one password in that sequence, given a 10K word dictionary, is 1/(10K^3). The minuscule possibility of this speaks to the fact that there actually is a large entropy.
"green rubber yellowed out inside the 1st horizon"
I make random passwords like that (though usually 6+ words) all the time. I admit I can't remember all of them, but I can remember up to ten or twelve. Which is enough passwords to cover all the important services I use.
The big pain with that is that some services don't allow more than N characters for passwords (looking at you, 20-characters-limit-PayPal), some services don't allow spaces and whatnot, so you have to adapt.
Plus, you should enable 2FA wherever possible. You don't really need a super strong password once you have 2FA, so for those cases you can resort to OP's solution of having "master_password + 'whatever' + domain" with the master password being one of those ten you can actually remember and not even having to encrypt the whole thing.
I've got to offer one on my website (gimme all your passwords, mwahahaha!)
Before reading this I was convinced that stateless deterministic approaches like these was the ideal. But some arguments in that post changed my mind.
16 characters + 'Aa$1' has universally satisfied every website I have used to date except Baidu (which imposes a maximum of 16 characters total on passwords). The number of exceptions to this is probably minuscule.
> Deterministic password generators cannot handle revocation of exposed passwords without keeping state
That's what 'n' is for. Either you can keep 'n' as a state variable which is much easier to manage (and if you lose the file, you can try a few values of n and get yourself back into those websites without much hassle), OR sync the values of n every several months on the sites that use it.
> Deterministic password managers can’t store existing secrets
This is orthogonal to the password problem. I store sensitive files that aren't passwords in a GPG-encrypted tarball on Dropbox.
> Exposure of the master password alone exposes all of your site passwords
This is true of stateful password managers as well, if you back up your database anywhere insecure or on any device (e.g. laptop) that could potentially be mugged at gunpoint, confiscated by border control, leaked by buggy software, etc.
# requires: sudo apt-get install xautomation for 'xte'
import time
from subprocess import Popen, PIPE

# 'password' is the string produced by the derivation earlier in the thread
macro = ""
for char in password:
    if char == '$':
        macro += "keydown Shift_L\nkey 4\nkeyup Shift_L\n"
    elif char == '+':
        macro += "keydown Shift_L\nkey equal\nkeyup Shift_L\n"
    elif char == '/':
        macro += "key slash\n"
    elif char.isupper():  # branch reconstructed: the post's line for upper-case letters was lost
        macro += "keydown Shift_L\nkey %s\nkeyup Shift_L\n" % char
    elif char.islower() or char.isdigit():
        macro += "key %s\n" % char
print("Entering password in 3 seconds ... [^C to abort]")
time.sleep(3)
# feed the macro to xte on stdin (the post's own invocation was not preserved; this is the usual call)
Popen(["xte"], stdin=PIPE).communicate(macro.encode())
One of the biggest drawbacks of this approach is that you are stuck with your master-password. You can't change it without modifying those for all the websites.
I also keep a list of the "domains" along with plaintext comments for each of them (username, email I used, etc) that are not strictly required (so still portable) but just make it a little more useful when it's synced.
The big downside I've found is lack of apps. Sure it would run on any phone, but I haven't managed to get it to run on the phones conveniently. So if I'm without a laptop right now for the most part I'm locked out.
"Your password is too long"
So I needed some additional piece of information, namely how many times I've had to change passwords, so a new function argument.
Eventually I gave up and started using a password manager.
This is unlike a stateful password manager. There the security of the system is related to the strength of your password + the strength of the security of the place you store your password db. If you pick a place that is serious about security, you're almost certainly better off. Critically, a compromise of some random forum you signed up for doesn't impact the security of your bank account in any way.
Not exactly. It's equal to the strength of your master password only. Even if one of your passwords leaked, this function does not compute fast enough in the foreseeable future to brute force your master password, as long as your master password is strong.
> And GPUs are pretty good at brute forcing PBKDF2 - so it has to be really strong.
Interesting, thanks for telling me this. But how much better? I mean, a GPU with 1024 CUDA cores surely cannot surpass 1024 CPUs. So all we need to do is bump up 100000 to a slightly higher number to make it GPU-proof if that's the case, no?
> There the security of the system is related to the strength of your password + the strength of the security of the place you store your password db. If you pick a place that is serious about security, you're almost certainly better off.
The problem is that it's difficult to find a place that is serious, and that you trust to be serious. Most people will end up putting it on Dropbox or Google Drive because there isn't anything else that is accessible to them and easy to use on a phone. Also, what if you're on vacation, PC rendered in an unbootable state, and you need to reinstall your OS? This has happened to me at least 3 times.
The weakness of PBKDF2 is that it requires a small fixed amount of memory to run, making it ideal for brute forcing with a GPU. Algorithms like Scrypt / Argon2 are designed to counter this by requiring lots of memory to run. Best reference I could find for current best GPU brute forcing speed is https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27... - which seems to say that the test system could do like 100-200k password guesses / sec with PBKDF2-Sha256 @ 100,000 iterations (extrapolating from the numbers given).
The arithmetic then looks like this:
(7776 ^ 6) = 221073919720733357899776, because there are 7776 words in the diceware list.
(7776 ^ 6)/(10^12) = 221073919720 seconds to try all such passwords if the imagined hardware accelerated hash cracker can do one trillion hashes per second. In years this is:
(7776 ^ 6)/(10^12)/(365 * 24 * 60 * 60) = 7010 years.
So on average, it will take about 35 centuries to brute force the password when using hardware that can try one trillion guesses per second.
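The crack-time arithmetic above, together with the earlier word-count versus character-count comparisons in the thread (6 words from a 10k list, the 50,105-word list, 16 base64 characters at 6 bits each), as an added example that is not from any commenter, written in Python so the same numbers can be recomputed for other list sizes, lengths and guess rates. The 2e5 guesses/s figure in the demo is the PBKDF2 rate quoted earlier in the thread, not a measurement of mine.

```python
# Added example: reusable form of the diceware arithmetic in the thread.
import math

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn uniformly from
    an alphabet (a word list or a character set) of `alphabet_size` entries."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits, assuming each symbol is chosen uniformly at random.
    A base64 character gives log2(64) = 6 bits, so 16 of them give 96."""
    return length * math.log2(alphabet_size)


def extra_bits_per_word(larger_list: int, smaller_list: int) -> float:
    """How much a bigger word list adds per word (50,105 vs 10,000 is about 2.3 bits)."""
    return math.log2(larger_list / smaller_list)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Time to try every password in the keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def years_on_average(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Expected time: on average half the keyspace is searched before a hit."""
    return years_to_exhaust(alphabet_size, length, guesses_per_second) / 2


if __name__ == "__main__":
    # The thread's numbers: 6 diceware words against a hypothetical 10^12 guesses/s
    print(f"6 diceware words: {entropy_bits(7776, 6):.1f} bits, "
          f"{years_to_exhaust(7776, 6, 1e12):.0f} years to exhaust, "
          f"{years_on_average(7776, 6, 1e12):.0f} on average")
    # 6 words from a 10k list versus 12 characters from the 94 printable ASCII symbols
    print(f"6 x 10k words: {entropy_bits(10000, 6):.1f} bits; "
          f"12 printable chars: {entropy_bits(94, 12):.1f} bits")
    # 16 base64 characters at the PBKDF2 (100,000 iterations) GPU rate quoted above
    print(f"16 base64 chars at 2e5 guesses/s: "
          f"{years_on_average(64, 16, 2e5):.3g} years")
```

The functions assume uniform random choice; a phrase taken from a poem or a song, as discussed elsewhere in the thread, does not get the word-list entropy because the attacker's dictionary is the set of known phrases, not the set of all word combinations.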
You are using "n" to differentiate from multiple accounts on "domain", right?.. or am I misunderstanding?
I suppose I could also do it as master_password + '/' + domain + str(n) or something like that.
Edit: nevermind, this would prevent you from retrieving the password - I had in mind a password generator, sorry.
For consumer use cases, you should use sources of noise for this, such as microphone noise, mouse movements, fluctuating voltages, etc. If you wanted to be super-secure you would use a quantum random number generator, which is truly random, but unnecessary for the threat models of most consumer uses. Just use anything but date/time. The random number generators of most modern languages and operating systems already have such measures in place.
Free to use, auto password generation, has an iOS app with thumb print unlock (saves you from typing in a long master password).
I personally really enjoy it.
Basically their web add-ons are extremely buggy. I was using Firefox and after many issues tried Chrome version, that one looks nicer but is similar POS and similarly had its own set of issues. Perhaps I would be happier if there was just a standalone app that I would only fire up when I need it.
I stayed with LastPass through the various security incidents they've suffered, but recent UI updates finally made me cancel my paid subscription and switch to 1Password -- a standalone app that integrates with the browser through a very lightweight plugin.
The worst bugs in LastPass are:
1. Four months ago a bug was discovered by project zero about how all of your passwords can be stolen just by making a user visit a webpage. Moreover, any code can be executed remotely, compromising your entire computer. Discussion
2. Later on the day vulnerability (1) was published, another was found. Project zero bug report. 
3. Last year a software engineer who wasn't a security researcher found a bug, which again, gives all your passwords.
4. The bug in (3) wasn't fixed properly, which led to this
Other bugs, but not as terrible as the ones I listed above
Jul 27 2016 
Mar 25 2017 
Jun 17, 2015 
Nov 17, 2015 
You are also forgetting a whole another class of attacks -
I switched to 1Password because the quality of support for Dashlane just kept getting lower and lower, and 1Password started getting some really nice features.
Some day I might switch over to `pass` as it's free.
I use 1Password and I don't pay a subscription. I pay them outright, per platform, and call it a day until they give me a reason to do something else. I've also set up others recently in similar patterns. If OP's only issue is the subscription, they may now be aware that there are non-subscription options.
Here is some documentation on the Dropbox sync for example:
I get that they want to transition people to that revenue model for their own benefit, but they haven't made a convincing argument that it's in our interests and they've definitely made those of us "offline" customers feel like second-class citizens. Normally, I'm all for subscription services, but password management is one area that I want complete control over and if they keep pushing me towards a model that requires their online presence, I'll end up switching.
And shameless plug for my own cross-platform powershell-based 1Password client, which can read both formats of local vaults: https://github.com/latkin/1poshword
My workaround was to write a small utility that I run on both my Mac and Windows boxes that sits in the background and keeps the two clipboards synchronized. So I just copy from Mac 1p and paste in Windows. Not ideal, since it makes the browser extension useless, but it works well enough for the few times that I need to enter passwords on that box. But on the plus side, I can also use it for entering commands in cmd.exe and Powershell too.
Nothing about that made me happy.
Funny enough, 1P6 worked fine with my local/Dropbox vault during beta, then the app stopped letting me update my vault when it left beta. :\
I use the open source version on Linux and Windows, and https://pwsafe.info on Mac and iOS, all syncing through Dropbox.
* relatively weak/old passwords for sites I don't care about and would lose nothing if they were compromised (vast majority)
* a couple relatively strong passwords for the 5-6 sites I don't want compromised, but wouldn't have huge consequences and could be email recoverable.
* unique strong passwords for a couple vital services such as email account.
The re-use depends somewhat on how much I trust the site's security. Also I cycle occasionally by introducing new passwords at the "top" and moving those passwords "down" to less important sites.
Works every time.
But yeah, it works in most cases.
I love 1Password but the lack of linux support is irritating. (I know about the web client)
I use gopass for everything that's company internal.
FWIW You can do this with 1Password. Preferences > Sync > Sync with Dropbox
You can still purchase a Mac license there. I don't see a Windows option, but I'm viewing this from a Mac, so not sure if they're just hiding it. (Some people in this thread have said that there's no longer a non-subscription version for Windows.)
A few of the issues:
- It crashes periodically on Linux. Though it has never wedged the database.
- On ChromeOS, it is "supported" via the Android app, which does not integrate with the Browser plugin from what I can tell. I was really hoping for something that would work there.
- You can't have multiple password databases at all, from what I can tell. I'd really like something that could manage my personal passwords, work passwords that I share with 2 other people at work, and family passwords that are shared with my fiancé.
For the last decade I used a gpg encrypted file on my laptop, combined with passwords saved in the browser on my encrypted file-system. That worked fairly well, until I was in Mexico and my laptop decided to take a vacation too. I couldn't access ANY of my passwords until I got home and could get to my desktop or move my drive to another machine.
Enpass has some benefits:
- The syncing using Google Drive works well.
- Fingerprint unlocking of the vault on my phone works well.
- I've always had a pain point with apps on my phone that update and then need the password again (front door smart lock, car, bank), and I can't access them anymore until I get to my laptop and type in the 30 character random password.
- You can add fields to the records, the default "login" record has "security question" and answer, but for sites that have 3 security questions I can add them as custom fields. (My mother's maiden name? It's "mCxK7JszjJ5Mq29")
- It is available on Linux and Android and kinda on ChromeOS.
I do feel like a web-based one would work better with ChromeOS, but I'm still experimenting with whether ChromeOS can replace my laptop. I'm typing this on my laptop, so...
 https://www.youtube.com/watch?v=Yy1JEyxRzIc&t=23m42s (@ 23 minutes and 42 seconds)
I use HashiCorp's Vault running on a micro EC2 with a small API written around it. Then I access it using a CLI I built and a key pair.
- I don't pay for a service (the ec2 instance was already running)
- I don't use someone else's software that is hopefully secure
- I got to play with Vault for an afternoon
- I've probably done something wrong and I'll end up paying for it the hard way eventually
- I had to spend about an hour building something
100% local storage, or sync the encrypted file via Dropbox.
Here's a nice example from a few years ago - https://www.reddit.com/r/Bitcoin/comments/1ptuf3/brain_walle... where "a line from an obscure poem in Afrikaans" was considered secure.
Granted, your password hash isn't going to get as much effort as BTC brainwallet cracking, but phrases/lines from common poems are going to be in bruteforcer lists.
Also, for any targeted attacks, everything from every poet or band you've ever liked on facebook or mentioned in any online resource is going to be used against you, so you better use poetry from authors that you don't like or ensure that you have never talked about which authors you like (easier said than done). Checking every line from e.g. Shakespeare is easy.
I have a manually maintained database with a bash one-liner for password generation; primarily I rely on my browser's password manager.
I use it for all my passwords but crucially also as an SSH agent for Bash, Git, Pycharm and WinSCP. My SSH keys are in Keepass and it gets used by Git, Pycharm and WinSCP. So all I need to do is unlock the database and it just works when using SSH in Bash or Pycharm or WinSCP or Git.
Anyway, the setup was a bit tricky to find out but it works very well (for me) now. I have documented it here because it might be useful to others:
Negatives: I can't do backups, easily migrate to another supplier and it won't work automatically with other browsers. And it's Google (feels privacy invasive)
I don't hash it via a software algorithm, it is a system simple enough to do in my head.
I basically only have to keep track of the counter for the few websites that have forced me to change password.
The counter exists both as a number and spelled out, ensuring that changes in password differ enough for websites that require new passwords to not be similar to old passwords.
It is as secure as any 8-10 character password, except if a person is targeting me, and manages to get 2 or more passwords, there is a chance that they'll notice the system.
But if I am targeted by someone who can crack multiple of my online passwords, then I have pretty much given up hope for my safety.
My host of devices includes multiple laptops (Linux, OS X) and many different phones - both Android and iOS. Since Firefox runs everywhere, this works nicely. Firefox Sync has end-to-end encryption, but data stored at-rest on devices is guarded purely by physical access, which is fine for my use cases.
I'm unhappy with support for windows/linux/chromeos, so I was already looking for alternatives.
I manage certain passwords (PGP keys, some very high privilege accounts, etc.) separately (primarily offline, and some split).
Considering building/paying to have built something that truly meets my needs, since my needs are fairly general.
Being able to use different shared password vaults has helped us a lot. As our business entails going through lots of quick sites before moving on to new ones, along with working with different partners.
Sure it still isn't "cheap", but I get a good app and browser plugins on all major platforms.
I highly prefer 1PW to Lastpass because it is much easier to get a lot of different form fields saved into 1PW along with easily adding any number of your own. Lastpass plugins also aren't the greatest.
I'd move to KeePass if I had to stop using 1PW. But I doubt I'll switch while doing business. Shared repos integrated tightly into the UX is too helpful.
Plus, syncing is done right automatically. Sure, AgileBits could go out of business and I'd not be able to use 1password anymore. That's fine. It took one day to switch from LastPass. The lock-in is minimal. I'd rather not continue using a piece of security software without updates being released.
(Even if they did, I have a gut feeling they are classy enough to open source the server, though. It looks like the app already is built with the possibility of connecting to 3rd party sync servers.)
And it looks like a real solution is in the works for Linux finally, so there's that.
This scheme has the obvious single point of entry weakness and a further keystroke logger vulnerability. I have never had any of the 360+ accounts and logins compromised.
It is very important to not use the browser for secure activity if one has been browsing Internet junk recently. I have no doubt that all kinds of keystroke logging scripts do get started. I occasionally run rkhunter and top looking for intrusions and compromises.
Script for making big batches of passwords:
File of passwords. First 99 are letters usable for names, next 100 are password strings. 1-6-2008
Here is the command line:
(/usr/bin/apg -a 1 -n 99 -m 11 -x 13 -M CL; /usr/bin/apg -a 1 -n 100 -m 17 -x 23 -M NCL ) | cat -n
Works great as long as you can resist the urge to tell other people about your system!
It uses Alfred to get fast, autocompleted access to passwords.
Your master password is remembered visually, instead of as an arbitrary string. My contention is that you're less likely to forget specific spots on distinct images than an arbitrary sequence of characters. The method has worked perfectly for me since I began using it, but only one other person I know uses it, and it has NOT been audited or scrutinized by an expert in the field. Nonetheless, check it out. It's free, being more of an idea than a technology. Besides, I can't charge you for something you've stored in your own visual cortex!
I also didn't feel much attachment to the image - which could be addressed, and has got me more interested in memory palaces. Genius loci: an ancient way of remembering things using space, places. This works in a similar way, images exist in 2D space - the genius loci work best when the mental image is something you know well, that you remember well.
Thanks for sparking some ideas in my head!
Usually I use the Chrome extension, but when that fails I built a more user friendly web interface: https://ph.leftium.com
To avoid having to change all my passwords at once when one password must be changed, I suffix my master password with a sequential suffix. In the worst case, the last few suffixes don't work and I use the service's password reset feature to update the password to the latest suffix.
See https://github.com/dannysu/hash0 for comparison of other similar sites that all have the same flaw and the reason I coded hash0 (no longer maintained though).
But to be honest, if a hacker specifically targets you, you will probably be compromised, no matter how strong a hash function you use. (They will probably just use one of the many other attack vectors.)
And there's that joke about two guys running from a bear. "I don't have to outrun the bear; I just have to outrun you"
PwdHash lets me have unique, non-trivial passwords for every site with minimal fuss. There will be probably lots of lower hanging fruit before hackers start targeting PwdHash-generated passwords.
I use the Chrome ChromIPass plugin for user/passwords autofill. There is also a FF plugin, but I usually stick with Chrome these days.
I tried to switch to Lastpass but I found that a) the plugin was a terrible resource hog and b) would make some sites unusable due to ridiculous page load times. Obviously it works for some people, but the attack vector of sites like LastPass is so large, I was never comfortable following the masses.
For those in need of a cross-platform (Windows, Mac, Linux), open source 1Password CLI client, check out https://github.com/latkin/1poshword (disclaimer: my project)
I don't use random passwords, I use (mostly) memorable ones. I mount the disk image only when I forget one. It's an aid to help me memorise passwords and keep track of important information (reference numbers etc), not a single point of failure without which I can't get into anything.
Details on how Secrets store data: https://outercorner.com/2016/08/01/storage_format.html
My laptop is my primary device so I'm not too concerned with logging into accounts on mobile, but if I really needed to get my passwords without my laptop, I could use the keeweb web app with my gdrive backup.
Each account has a unique email address, and important accounts have a unique password element added.
I use firefox bookmarks to note down in a cryptic manner any variations to the common themes I use. The bookmarks are synced across computers.
The upshot is I always use firefox bookmarks to log in to a site, which means I am not clicking links from emails and I am always in an extension free browser.
Or search the news for LastPass security issues:
I couldn't find one that matched my requirements so I built one myself:
You can have this on MacOS, Windows, your smartphone.
Great when you only have your phone with you and you need to login somewhere to do stuff.
I feel like I should move to Keepass at some point, but it's one of those cases where if I'm apathetic long enough, Keepass will be gone and I'll still have my Emacs setup.
(require 'cl-lib)
(require 'org-crypt)

(cl-defun gk-org-decrypt-element ()
  "Decrypt the element under point, show in a new buffer."
  (interactive)
  (let ((transient-mark-mode t))
    ;; org-crypt decrypts the entry at point in place; the post's own decrypt
    ;; call was not preserved, so this line is an assumption
    (org-decrypt-entry)
    (let ((decrypted-elem (org-get-heading t t))
          (bufnam (buffer-name)))   ; binding assumed: the post did not show where bufnam came from
      (switch-to-buffer (get-buffer-create "*Org Secret*"))
      (insert ">>> " decrypted-elem " (" bufnam ")\n")
      (insert ">>> Hit `Q' in order to *kill* this buffer.\n")
      (local-set-key [?Q] 'kill-this-buffer))))
print ((rand * 1_000_000_000).to_i.to_s + \
("a".."z").to_a.sample(10).join + \
("A".."Z").to_a.sample(10).join + "_")
As for keeping the passwords around, you can do one of a couple things, but I generally just forget the password after logging in with it everywhere. I'm signed into chrome, so what's the point in remembering the password myself? Unless it's something sensitive I don't bother. It's easier to generate a new one than to dig it up.
Open-source, multi-platform, etc.
I haven't switched from Lastpass yet, but I'm seriously considering.