1password is great. On OSX, I have one long, nice password and on iOS I can use Touch ID to open it (typing in that password on an iPhone was a pain). It syncs across devices over wifi, Dropbox, or iCloud.

There are versions for Windows and Android as well. I've used the Windows version a little bit and it's pretty much the same.

Initially the $50 was painful, but I've since happily paid for all the upgrades and for family members license' too - encouraging good password hygiene!

1password is vulnerable to hackers because they rely on third party storage via dropbox. I wouldn't trust my sensitive info with them.

Second, the data stored in dropbox is encrypted by a key that only you have. Dropbox has no way to see what is inside that bundle without your long password.

How often do you have to log into it? Is it specific to a device?

I'd skip lunch for a day to pay for it.

I do have Google Authenticator tied to it, so logging in once a day is a little annoying, but overall it is a good experience.

I have the phone app (LastPass Premium) and while it is fine, it is a little buggy/annoying/meh. I haven't decided if I'm going to renew or not. I don't really blame the company for the limitations, they're trying to work around heavy app sandboxing, but after it all the user experience remains subpar.

Overall I would recommend it. In particular if you use Google Authenticator with it and a very solid master password.

It works well enough to have convinced me to buy Premium on my personal account.

I haven't tried this for a long time, but the last time someone shared a password with me through LastPass, I was able to easily grab the plaintext just by watching the network traffic with dev tools. So this feature seems questionable to me.

I use a key file and a passphrase to secure my keepass database. The database is stored on dropbox, the keyfile is stored elsewhere.

The only legitimate security gripe I've ever read about LastPass (and people have focused its security a LOT) is that a bad guy can modify the JavaScript utilised by the extension if they took control of LastPass's servers, and have your plain text master password sent to a third party (assuming no cross-site protections).

The actual password database is fairly secure. As is the login process (which can further be strengthened with 2F and various options in the account settings).

I use a sometimes-synced copy of the database on KeePassDroid on my Android phone. Actually, the user experience of KeePassDroid can only be described as vile, but that it works at all (allowing me to have all of my passwords securely available on my person) is awesome enough.

But in retrospect I don't know if this makes any real difference from something like keepass. My encrypted file is transferred over some secure socket, so an attacker can at least a copy of the encrypted file if they either hack the cloud storage provider or somehow hijack my connection.

It's not exactly super portable but for sites I care about, I wouldn't log onto them on untrusted computers anyway.

I got to think of another way!

I use this to my advantage with passwords: When I need to generate a new one, I play a "song" into Notepad (or vim as the case may be). Not a known song, but a seemingly random string of glyphs that make sense in my head at the time.

Practicing typing that string forms a powerful association with that account/website and that "song," and my hands remember it for the rest of my life.

The one big drawback to this is that it's nearly impossible for me to enter passwords on my phone without having a keyboard handy and arduously trying to recreate the string. Also, changing a password (not that I usually need to) is a little difficult because I have to retrain myself.

The advantages are: They're not written down anywhere; I don't have to struggle to remember which permutation of some base string I used this time; they don't follow any sort of pattern.

It's fantastic, free, simple and works across multiple platforms.

I also set up a simple web front-end for it, so I can use it from my phone: https://pw.mkn.io/

Repeatedly? Only at my work do I ever have to retype my password. My home is logged in and my phone has a pin.

What repeatedly is driving you away?

PS Lastpass is best in class for me

EDIT: I never memorize my passwords for sites. After having friends who were penetration testers I never do anything half-way secure. I actually can't wait till I have some kind of rfid of some sort to access lastpass.

I've tested just about every password manager because it was up to me to choose the most secure one for my company after we noticed some suspicious activity going on.

There a few products I liked, but I can say unequivocally that Keeper is the best solution for IT folks. It's hands down the most secure and it's the most intuitive for people of all backgrounds.

Keeper generates 256-bit encryption keys using PBKDF2 with HMAC-SHA256 and a minimum of 1,000 rounds, and user data is encrypted with 256-bit AES ciphers. They're a zero knowledge platform, so the cipher keys to encrypt and decrypt user records are not stored or transmitted to the cloud.

Works on every browser and platform, including Linux.

They have all of the standard password management features as well, like autofilling logins, generating random, complex passwords, two-factor auth, fingerprint login, etc... It's made my life a lot easier.

alias getpass='_getpass() { _g=$(printf "sauce%s" "${*}" | md5sum | openssl enc -base64 | cut -c1-16); printf "%s" "${_g}"|xclip -selection clipboard 2>/dev/null|| printf "%s\\n" "${_g}"; }; _getpass'

like this:

$ getpass mail@domain.lts

$ getpass user@domain.lts #for ssh logins

Basically it's one base password and one repeating scheme, that gives me a unique complex password on every site, that's easy to remember, and doesn't require any special software to maintain!

Put another way, every time you sign up for a website with a derived password, you are giving out information about your base password.

Special software doesn't reveal any information about your base password and even if the base password is acquired, the attacker still needs access to your vault to do anything about it.

  $ vim passwords.gpg

a) automatically pipe *.gpg through gpg on open and write,

b) to not keep viminfo, swap files or undo history for these files, and

c) to close automatically if I leave this file open for longer than 10 seconds without cursor movement.

This modeline at the top of the file hides everything besides the first indentation level:

  # vim:set foldenable foldmethod=indent foldclose=all foldlevel=0 foldminlines=0 foldtext='\ \ (hidden)' fillchars+=fold\:\  :

For password security, I have different levels of passwords, for less important service, will just use less secure password and will not store in security DB.

I made a clone (lazypass.com) of passwordtable.com, so I could use a custom no-look-alike's character set (sans-"iILl1...o0O", etc.) and to improve lookups -- but the improvement, in practice, seems to be somewhat negligible.

I feel that important passwords should to be stored on paper or encrypted for a close friend/parent/spouse to recover should you get dead... is that kind of a similar concern?

1 Until they tell me to make a new one that can't be the same as the previous. :(

And it has plugins for FF and Chrome for auto entry on websites (Win only so far).

What I often use and enjoy a lot is it's import and export functionality. For example if I want to add URLs to get auto completion working and I want to do that in batch, I export a CSV, edit this in LibreOffice and import it back into Keepass.

( It would be cool if something like Keepass could be built around smartcards or these new-fangled U2F dongles... I've be come quite a convert to the smartcard approach after setting up my yubikey to work as an OpenPGP smartcard )

I use a chrome extension and an android app most of the time, and the "mobile" browser version when neither of those are handy.

I like the fact that nothing is ever stored anywhere. Feels clean.

I like the fact I can get to this from anywhere. Even from IE on my Windows Phone, if I need to copy+paste (e.g. to log into the Spotify app after installing it).

The few I use a different password for are gmail, steam, my bank and my work domain. Muscle memory kicks in quite quickly because they're all typed so often, so while I can't actually remember what my password is to say it, I can remember enough to start typing and the muscles take over.

I find when faced with a new password that just saying each character in my head as I type them helps memorize them.

[1 letter after domain][c is 3rd letter of alphabet][numeric letter representation][last 4 SSN][pseudo counter] It might not be as high tech as software, but I think it offers a reasonable security / ease of use combo.

Note: This is nowhere near my algorithm and tokens have been made up for the purposes of this example.

You can use it as a standalone generator, but also as a manager since it will generate the same password for the correct name + passphrase + output variables.

It's not much of a "useful" manager to me though, so I'm using Mnemosyne to generate the passwords and 1password to store them. Works like a charm!

But having a family and lots of other obligations, others in the household had to have an easy way of logging into sites (ie. financial).

Lastpass makes it easy. Just the one password for them. And I use the notes feature quite a bit due the mentioned reason above.

Two-factor on any site that allows it makes it a little tricky but that's all explained in my lastpass notes.

Currently still using DropBox to sync the password file and backups, but will switch soon to ownCloud with my own server.

The Firefox password manager contains copies of many of the passwords, but I don't sync those between machines.

Basic passwords I keep in lastpass. Important ones are in multiple keepass files - if an account requires two passwords I keep them in seperate files Super important ones I have written down in various places

I did back it up about three years ago with a photocopier. Probably about time to do that again.

with 1password: sites like paypal, social stuff, other e-mail accounts, etc.

and for the not really important sites 2 different "trash" passwords (and some combinations of them) only in my head