a quick note on password managers

[kaberett]

These being a technology I considered suspiciously newfangled, and generally regarded with deep distrust: when I started out with KeePass, with me_and holding my hand, I explicitly did not try to shift everything over into it all in one go.

Instead, I gave myself the opportunity to hate it.

I set things up with the password database and a key file both stored in Dropbox. And then I started out with two passwords in it: my institutional password, which needs changing regularly but typing infrequently, and a financial password, which needs typing fairly frequently but which I wanted to be much higher security than I was managing with just trying to keep everything in my head.

And then every time I needed to log into something that, well, I don't need to log into terribly often -- every time I ended up grumpily hitting the forgot-my-password link -- I generated a new password with KeePass, and gradually moved things over that way.

It is now several years on and... almost everything is now in my password manager. The executive function involved in switching to (and logging into) another program every time I wanted to log in somewhere was a big conceptual barrier to me getting started, but at this point I've got the keystrokes sufficiently ingrained and enough of my life shifted over that, well, it is definitely less hassle than regular password resets were.

I am happy to answer questions about my personal experiences with & approach to all of this if you have any! But my advice basically boils down to "make it as low-stakes as possible, and as easy to back out of as you can, and take it from there".

Comments

[momijizukamori]

Does KeePass support imports from other managers? I imported my old (plaintext) Firefox username/password into LastPass very easily, which was nice.

(Props for managing to get used to KeePass - I tried at one point and called it quits within an hour. I think I'd go with BitWarden if I was setting up now, but the activation energy to swap out of LastPass isn't worth it to me right now)

[kaberett]

Yep!

Curious about what tripped you up with it, ooi? Obviously I had someone v familiar to handhold me through it and that was Better than Unfamiliar Tech, but.

[momijizukamori]

The UI annoyed my design sensibilities, and having to switch between programs constantly was Too Much Effort for me at the time (and still would be, honestly - browser integrations are a must for me)

[catyak]

I'm not convinced by the browser integration. Does it prompt you to approve the password fill or is it possible for a nefarious add-on to transparently use the browser add-on to slurp password? At least switching to a different window to active the C&P means you're very aware of the need to use a password at that point. I guess it's the age-old conflict between security and convenience.

I started using Keepass recently, work started mandating a few things and while my passwords have been distinct for a long while, they weren't consistently in line with what they wanted so I opted for the password manager (which is one of the ones they suggested was OK). I've also recently started using it at home, also building it up a few at a time.

[momijizukamori]

You have to specifically select the fill - it adds a dropdown to fields it recognizes as being username/pw fields, to select from. So that bit's about as safe as C&P from a different program (and sometimes I have to use C&P from the addon menu because a site has like five different login subdomains and the fill was originally saved on a different one, so it's not recognizing the current one as matching)

[jesse_the_k]

I'm glad that the transition was doable.

My memory is so bad that I was writing stuff on paper next to my computer, so I bought in to 1Password in 2011. Back then I only had around 20 passwords -- now I've got > 300, and I'm confident that I don't need to remember a single one of them.

[kaberett]

Yessss. I mean, I say "almost entirely switched over" because I keep periodically going "oh fuck, do I have an account there?" for stuff I haven't logged into for three years... but hey, progress is being made, we're getting there.

[catyak]

I have been known to try a login and guess the password used. I recently dug up an old financial account that I haven't touched for many years, found some paper with enough information on it to get it to remind me of the username and that still had an old password that I guessed. That was from before I used different ones (something like 14 years ago) so it's now changed.

Now I assume my procedure is to go check KeePass and if it's not in there, try to guess based on my old scheme.

[madgastronomer]

Oh, that's such a smart way to switch, I'll have to try that, I've been meaning to switch over to one.

[kaberett]

Oh I am delighted to be helpful! Good luck. :)

[ewt]

Thank you for this! I have been Avoiding using a password manager because the idea of transferring everything over is terrifying and because I'm not sure how it works for things I routinely use on more than one machine. But this sounds like a useful approach.

[kaberett]

You are very welcome! I am happy to do more detailed cheerleading/descriptions/etc if useful. Swapping over gradually was in fact The Best Thing I Could Possibly Have Done, I think.

There is of course the issue that Dropbox now limits people to "three devices" if they're not paying, which is Deeply Frustrating, but.

[jesse_the_k]

Some of the password managers offer their own cloud sync, which makes it easier to support multiple platforms--that's the case with 1Password. I resisted that for 10 years, because I believed it was more secure if I controlled it all.

Then I was away from all my devices and was able to login and see my passwords from a library computer, and that was NICE.

[catyak]

You can copy the database to other machines if necessary (and in at least one other place would be a good idea) and if you don't want to leave it laying around in the cloud somewhere. Of course, you then have to be able to sync them all. I have been known to resort to doing a quick ssh/vnc into my main machine from elsewhere in the world to extract a password that way.

[redsixwing]

That's great!

As A Security Professional, I very much support the use of password managers. There's plenty of research out there to back them up, and the ease of use thing is a big deal.

I'm really glad you have found yours an improvement.