If you’re still keeping track of your passwords on sticky-notes (please tell us you’re not sticking them to your monitor???), or (equally terrifying) as entries in the contact list in your phone (completely unprotected), why not make 2020 the year you start using a password manager? With apps like LastPass, you no longer have an excuse. It’s free (for 1 person) and you only need one “Master password” to get into LastPass. After that, who cares if you have 100 or 1000 passwords?! LastPass is managing it all for you — in an encrypted “vault.” So every time you go back to a site to log on, once you’ve done it once with LastPass, you’ll never have to remember that password again. LastPass will even generate strong passwords for you, taking away all the stress — so you don’t have to spell your cat’s name backward ever again. RoboForm does the same thing (only charges you a bit). Most of these apps can sync passwords (and secure notes) across devices, too, meaning that, once you enter a website and corresponding password into your laptop, you’ll be able to do the same using your phone — except your phone will already *know* the password (via the password app). With LastPass being free, tell us… why WOULDN’T you want to ratchet up your security a notch?
https://lastpass.com/create-account.php
(Note: We aren’t making any kind of affiliate payment or getting any kickback from LastPass. We’re just one beggar telling another beggar where to find bread.)
Also horrifying — keeping your password list in either a word processing document or in a spreadsheet. Even more horrifying is the practice of using the same password for everything (or slight variants from site to site). Unfortunately, we’re now to the point where computing power is enough that it’s very difficult to get a password (or better, passphrase) that’s both easy to remember and difficult for a computer to guess.
There are a lot of password keeping tools out there. LastPass is one among many. There are also multiple approaches. One is in having a store that’s kept on your local computer, another is for keeping stuff on a cloud server. There’s also a question of whether you need your password store for just your browser (or just one browser) and other applications.
With any keeping tool there is a question of how secure it is — if it gets hacked, then the intruders have access to *everything*. And for local-only storage, backups are essential. If you lose your store, or lose access by forgetting the password, then you’re in trouble. With cloud-based storage, one of the things that services are promoting is multi-device access, where you can get to your store not only from your computer (or even multiple computers), but also your cell phone or tablet.
LastPass is a cloud-based service, where your password collection is stored on their server. I believe it’s possible to get to your data with local copies (and without Internet connectivity), but they clearly expect you to be working online. It’s worth noting that several years ago, LastPass was hacked, and for a few hours, the intruders had access — not to users’ actual passwords, but the files with password collections. The users that were vulnerable were the ones that had weak access passwords.
Besides LastPass, several of the competing vendors are 1Password and RoboForm. All have entry levels of service that are free, and higher tiers with more services that are paid.
There are a lot of non-cloud tools out there, as well. Some are excellent, some may be questionable, and what’s essential is making sure that stores are properly encrypted — and that you have strong access passwords.
One standalone tool that’s popular is KeePass (and a fork project, KeePassXC). Besides the basics of storing user ID, password and URL, and auto-type, it’s got a lot of useful additional tools, such as the capacity for note-keeping, random password generation, and the ability to use it with multiple browsers and applications. Ultimately, it’s typical for an open-source tool in that it has lots of features and the UI has XP-vintage graphics. Thus, it’s not entirely friendly for a non-technical user.
One other consideration about LastPass — the company that owns it, LogMeIn (which also owns products like GoToMeeting, GoToMyPC, GoToWebinar, etc.) has recently been sold to private capital investors. In a couple of tech forums that I hang out in, there has been discussion about the long-term focus, whether the investors intend to continue products as they are, or make substantial changes, either to the products themselves (as a way of generating higher revenue streams), or discontinuing or divesting specific product lines. Thus, there has been some discussion of “what’s a good alternative for LastPass users?”
In any case, it’s essential to be using a password manager. There are just too many user IDs to keep track of, and it’s too difficult to come up with effective passwords that you can remember.