
Re: Password Manager opinions and recommendations

On Sun 25 Mar 2018 at 11:52:13 -0400, rhkramer@gmail.com wrote:

> I started reading up on password managers in order to consider using one.  
> Up until now, I've made up passwords myself, and stored them in an encrypted 
> file.  Some of the drawbacks include: 
>    * I keep the passwords on the short side

The PIN for my credit card has only four digits.

>    * I don't change the passwords as often as I should

There isn't and never has been a need to do this. Passwords don't
deteriorate with age.

>    * I sometimes use the same password on more than one site

Tut, tut.

> All of the above because it is not convenient enough for me to do better.
> My head is just not "into" reading about password managers--it just seems to 
> be too boring to really get into, so, I thought I'd try posting here to get 
> opinions and recommendations from the list.  (I am continuing my effort to 
> read--maybe I'll get a renewed burst of enthusiasm after I send this ;-)
> Here are some of what I think are my criteria for a password manager:
>    * encrypted storage on my own machines (no storage "in the cloud")

Definitely done by


It is designed that way.

>    * ability to transfer to other devices, including Android tablets and 
> phones--either all the passwords or just one for some special logon on a 
> machine I don't normally use.  Currently I do almost everything (that requires 
> a password) on one of my desktop computers.  I have a laptop that I use very 
> occasionally.  Occasionally I've had to go to a library (or similar) to use a 
> Windows machine.  I do have an Android tablet and phone, and, in general, I 
> don't use that for confidential type stuff (no banking, for example), but that 
> could change if either I feel very secure or in some sort of extreme 
> emergency.

I don't use such exotic devices but see how



>    * (a repeat of part of the previous bullet) a means to easily take an 
> individual password to another machine for occasional use of another machine 


has only one password; you can take it anywhere you want.

>    * a means to recover all the passwords if the password manager becomes 
> defunct (and this also implies backup and restore capabilities)

Not too sure about this but, provided you have the app, you have the
ability to (re)generate all your passwords.

>    * a means to automatically generate secure passwords



>    * a means to automatically update passwords on the target websites (to 
> facilitate regular / frequent password changes)--this is probably a stretch--I 
> mean something that would work its way through the various screens and prompts 
> to change a password with a minimum of manual intervention by me

See above. A waste of time.

> As an alternative to a password manager, I may create my own memorizable 
> password generator "algorithm" that I can mostly use "in my head".  For 
> instance, it could be something like this:

Don't bother.


got there before you. And does it better than you and I could ever do.

>    * think up a multiword phrase, possibly with a mnemonic connection to the 
> target website (or, have a means to extract them from a book, e.g., the 3rd 
> sentence of the 5th chapter of War and Peace--or maybe the first sentence in 
> the book that contains the word bank would become the passphrase for my bank).
>    * have a consistent substitution algorithm, which might do things like 
> this:
>       * capitalize the nth letter of each word (or the nth letter of the first 
> word, the (n+1)th letter of the 2nd word, ...
>       * substitute (or insert) a punctuation mark for (like above) the mth 
> letter of each word (or the mth letter of the first word, the (m+1)th letter of 
> the 2nd word, ... --the punctuation might be selected in, for example, keyboard 
> order (or reverse keyboard order) across the numeric keys (e.g., !@#$%^&*() 
> (although maybe some of those might be invalid in (some?) passwords)
>       * some other similar generation rules
> Obviously, having "published" these ideas, my actual implementation will be 
> somewhat different ;-)   

masterpasswordapp is a deterministic password generator. Such things
sometimes get a bad press. In this case, much of the criticism is
unjustified. Documentation and support for it is excellent.

Brian. (Who doesn't have any commercial connection with
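
An added sketch (not part of the original post, and not Master Password's actual algorithm) of what a deterministic password generator does: each site password is recomputed from one memorised secret plus the site name, so nothing is stored and any machine with the code can regenerate it. The salt label, scrypt parameters, alphabet and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Assumed output alphabet (72 symbols); real sites may reject some of these.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"


def master_key(master_password: str, user: str) -> bytes:
    """Stretch the one memorised secret; scrypt makes offline guessing costly."""
    salt = b"example-detgen-v1:" + user.encode("utf-8")  # hypothetical label
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, maxmem=2**26, dklen=32)


def site_password(key: bytes, site: str, counter: int = 1,
                  length: int = 16) -> str:
    """Derive one site's password; bump the counter to rotate it."""
    # Reject bytes >= limit so every symbol is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        msg = f"{site}\x00{counter}\x00{block}".encode("utf-8")
        for b in hmac.new(key, msg, hashlib.sha256).digest():
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    key = master_key("correct horse battery staple", "alice")
    for site in ("bank.example", "mail.example"):
        print(site, site_password(key, site))
    # Same inputs on another machine give the same output; a new counter
    # gives a fresh password without anything being saved to disk.
    print("bank.example (rotated)", site_password(key, "bank.example", 2))
```

Because nothing is stored, the master password is the single secret protecting every derived password, and per-site state such as the counter or a site's composition rules still has to be remembered or recorded somewhere.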
