Dear Linkedin,

:: https://agilebits.com/onepassword (1Password) is one solution to
:: managing web site passwords.

So use LastPass, then.

-j

I don't pay for them. $WORK pays for them.

If your complaint is about 1Password not running on your particular operating system, then pick a solution that *does* run on your OS. There are several open source alternatives you can use.

Use lastpass, or maybe Password Gorilla (uses an encrypted local file but you could stick that on a dropbox space or SpiderOak space).

:: Password Manager for Families, Enterprise & Business | 1Password (1Password) is one solution to
:: managing web site passwords.

Only if you have an OS you have to pay for: apple or ms.

The 1password password store has a perfectly usable local-only HTML
app that lives in its data folder.

It works perfectly well from Linux and other OSes.

I keep hoping for a free full-fledged Linux desktop port a la the
android one :wink:

[Or for seahorse integration, or whatever - I'm as big an open source
advocate as nearly anyone, but having 1P on windows, osx, my droid, my
ipad, and usable from my linux and solaris desktops... well, it's just
too good not to give them a little money and a lot of respect for a
good application.]

best,

--e

My biggest problem still is the multiple computer issue. I am on at least 3-5 physical computers and 1-20 virtual machines, and 2 cellphones a day. I honestly do not want to store a database of passwords encrypted or not on an open service.

As I have never had a virus or malware on any of my computers in the last 20 something years I trust my local machine/network more. The problem is it creates a distribution problem that is painful and tedious to deal with.

So I stick with 10-15 long reasonably secure passwords that get used for stuff that just doesn't matter because there is an assumed no security (facebook, linkedin, whatever, and honestly who cares if this stupid stuff is hacked, it's really just to avoid the hassle it would cause) and 1 unique password per critical site (bank, benefits, financials). I store them on a local 3x3 levels of encrypted virtual drives with (2) 32-48 remembered passwords to access them just in case I forget any.

Then I lock the 2 passwords up in a safe in a sealed envelope just in case something happens to me.

If you are cautious on what and where you use them you honestly only need to change the criticals once a year or if there is a security event, heck outside of the bank account, I almost never login to any of the other accounts except to change the password.

And for all other internet stuff, who cares, the assumption is it will be hacked, don't put stuff on the open internet that you don't want the entire world to know.

Security is all about trade-offs. In this case it's the trade-off between
storing an encrypted password database on a 3rd party server, vs re-using
passwords and having (potentially) weaker passwords as a result of not
doing so.

Personally I use KeePass, with the database stored on a cloud-synced
directory. To decrypt the KeePass database requires both a Password AND a
Key file, which is NOT synced to the cloud.

IMHO this gives the best of both worlds - easy syncing between multiple
computers and the ability to use unique, very strong passwords with all
websites. But also very strong security in the case that the KeePass
database is somehow compromised from the cloud service, as both the
password and keyfile would be required to decrypt.

  Scott
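Scott's password-plus-key-file setup, as an added Python illustration (not KeePass's own code, and not from any poster in this thread): each key component is hashed on its own, the hashes are concatenated and hashed again, and the result is stretched with PBKDF2. The file that would be synced to the cloud carries only a salt and a key-check value. Function names, the 200,000-iteration work factor and the check label are assumptions; KeePass's real key-derivation step differs. What it makes concrete is that a copy of the database from the cloud service plus a guessed master password still does not unlock it without the key file's 256 random bits.

```python
"""Toy model of a KeePass-style composite key: master password + key file.

Added illustration; names and parameters are assumptions, not KeePass's.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# PBKDF2 work factor (assumption): slows offline guessing of the password
# if a copy of the database is taken from the cloud-synced directory.
ITERATIONS = 200_000
KEY_CHECK_LABEL = b"vault-key-check"  # assumption, used only for the verifier


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Hash each component separately, then hash the concatenation.

    A database copied from the cloud therefore depends on a secret that
    never leaves the local machine (the key file) as well as the password.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()


def master_key(composite: bytes, salt: bytes) -> bytes:
    """Stretch the composite key so each offline password guess is costly."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, ITERATIONS, dklen=32)


def new_key_file() -> bytes:
    """256 random bits from the OS CSPRNG; stored locally, never synced."""
    return secrets.token_bytes(32)


def create_header(password: str, key_file: Optional[bytes],
                  salt: Optional[bytes] = None) -> dict:
    """Everything the synced database needs: a salt and a key-check value.

    Note that no part of the key file itself is stored here.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    mk = master_key(composite_key(password, key_file), salt)
    check = hmac.new(mk, KEY_CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "check": check}


def unlock(header: dict, password: str,
           key_file: Optional[bytes] = None) -> bool:
    """Re-derive the master key and compare it to the stored check value."""
    mk = master_key(composite_key(password, key_file), header["salt"])
    candidate = hmac.new(mk, KEY_CHECK_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, header["check"])


if __name__ == "__main__":
    kf = new_key_file()
    hdr = create_header("correct horse battery staple", kf)
    print(unlock(hdr, "correct horse battery staple", kf))   # True
    print(unlock(hdr, "correct horse battery staple"))       # False: no key file
    print(unlock(hdr, "wrong password", kf))                  # False
```

The second `unlock` call is the case Scott describes: an attacker holding the synced database and even the correct master password is still missing the key file, so the verifier never matches.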

[snip]

Security is all about trade-offs. In this case it's the trade-off between
storing an encrypted password database on a 3rd party server, vs re-using
passwords and having (potentially) weaker passwords as a result of not

[snip]
Yes. Using an encrypted online password vault is a trade-off.

Risks that are unaffected:
   o A randomly generated password might be more guessable than a
     human-created password, if generated by an insecure PRNG, for
     example, if the possible generation outcomes for given input
     parameters can be predicted through analysis.
   o A password can easily be stolen by malware on a computer the
     password is typed on that logs keystrokes and mouse clicks (even a
     vault's master password).
   o A password can easily be stolen if transmitted to a remote site
     unencrypted, by a computer on the local or remote LAN with malware
     infection (even a switched LAN).
   o If either endpoint's SSL certificate (or a CA) is compromised,
     a MITM attack can be used to learn the contents of encrypted
     communications.
   o A password can be stolen by malware if stored temporarily at rest
     or temporarily in RAM in an unencrypted format.
   o A password can be stolen if stored at rest in unencrypted format.
   o A password can be stolen, even if encrypted, if the symmetric
     encryption key can also be stolen.

New risks increased in magnitude:
   o If malware running on a computer is aware of the password vault
     application, it may be able to maliciously modify the executable
     code of the password vault application in memory, resulting in
     data compromise.
   o Your password data is vulnerable to local compromise if your
     master pw is guessed or stolen. (Use a vault with multi-factor
     authentication to mitigate).
   o If password vault data is stolen, the thief has a convenient
     list of accounts. Risk can be reduced by using multiple vaults of
     different types for different security levels/use frequency.
   o If the password vault software fails, DB is corrupted, or the
     online password vault service goes offline, you can lose access to
     your accounts, because you don't remember the passwords.
   o The pass vault is an additional piece of software; if the
     software developers' systems are compromised, it might be possible
     for malicious code to be inserted in the password vault
     application.
   o If the password vault software has a bug, the encryption doesn't
     work properly, or fails to maintain good security hygiene, all your
     passwords may be vulnerable.

For example, if you keep a GPG encrypted list of passwords, and you
create a "temporary plain text file" when re-encrypting to
create a new encrypted list, passwords are vulnerable to theft during
this process, and afterwards via latent disk analysis techniques.

Examples of risks mitigated by online encrypted password vault VS
shared or similar passwords that are memorized:
    o Reduced risk of loss of access to account, resulting from
      forgetting which password was selected for a particular account,
      or adverse password changes enforced by "password setting" or
      "mandatory password change" policies.
    o No need to use short/guessable passwords (less than 16 characters);
      high-entropy passwords can be chosen which can only be attacked
      by brute force, and which will take massive amounts of money or
      time to successfully attack.
    o If the login password to one site is compromised, guessed, or
      accidentally disclosed by any means, many of your accounts are
      at increased risk.

Risks eliminated by pw vault VS passwords written down on a slip of paper:
    o No risk of losing the paper, resulting in account compromise
      and loss of access.
    o No risk of a piece of paper being stolen.
    o No need to use short passwords (less than 32 characters)
      that can easily be written down.