In recent years, online password managers have become a thing. Most of us
have so many online accounts for banking, shopping, and any number of other
types of sites. My personal account list numbers in the two hundred range.
A lot of those were maybe one-time things so far, but the point is that I
had to register an account and establish a password. And if I need to use
it again later, I would rather not have to go through the lost password
procedure every single time.
In a previous post, I detailed my use of a password managing application.
I use Keepass to maintain all of this information. This means I need to have
access to my database file and the Keepass application wherever I want to
use it. That's not so bad for my home PC which is only one computer and where
I do the vast majority of my online access requiring passwords. But what about
the occasional access from an iPad, a smartphone or someone else's computer like
when visiting relatives perhaps? Maybe you carry it around on a USB stick too?
Now you have a bit of a logistical nightmare to keep the file synced across the
various places. So you either spend time periodically copying the "master" file
to the other devices or find yet another service to automatically sync it for you.
You may consider using a cloud-based storage service to solve this, but that just
puts the file in your hands. You still need to install the application to access
it. And once you do get into the file, you have to copy/paste the passwords to
the web browser or other application. That's easy on a full PC with a keyboard
and mouse, but becomes a usability nightmare on touch-based devices like tablets
and phones.
So some folks have developed applications to specifically address this situation.
One of the most popular and the one I happened to choose is LastPass.
You still have to install the LastPass application on each device, but after that,
it's very simple. Your account and password information is stored in the cloud
and thus automatically synced. The application has explicit support for helping
you more easily copy your information and automatically fill in related information,
particularly in web browsers, which is the most frequent type of use. This is
especially useful on touch devices.
So why would you not just automatically choose this? Security. Look at the track
record of so many major stores of online data (merchants, credit cards, the OPM)
and you see a trend that inspires no confidence. So you have to trust that the password
managing application's site and storage do not get hacked. If they do, someone
could possibly get all your account names and passwords. That is far worse than
losing one site to a hack where all they have is what you stored there. They
now have *all* your sites with legitimate access. No further hacking required.
My personal choice is a hybrid strategy. I make a reasonable gamble by only using
LastPass for a small number of sites that I tend to want to access from the other
devices. The vast majority are only in the local Keepass file on my PC.
In a following post, I will talk about improving security by enabling two-factor
authentication on both of these applications using a Yubikey.