
Which password manager do you use?

  • area51
    Senior Member
    • Jan 2012
    • 715

    Which password manager do you use?

    I've been using 1Password for a while now and I'm very happy with it because it stores all contents on my local drive and I can sync it with Dropbox automatically if I choose.

    I've also used LastPass and I'm very happy with its performance.
    The only drawback that I could see with LastPass is the fact that it stores all passwords on the cloud, which makes me uneasy.

    Cost-wise, LastPass is free for the desktop version, but if you want to use its mobile platform you have to pay an additional $12 a year.

    1Password is moving toward a $3.00 monthly fee which will cover all platforms. That would put 1Password at $36 yearly, which is 3 times the cost of LastPass.

    Do you guys prefer to have your password stored locally or in the cloud? Furthermore, what are the chances of the cloud passwords being hacked and exposed? Currently I am using a complex 30-character password with 2FA with LastPass.
    Looking 4" Python 686/ Redhawks, Les Baer.... East Bay NorCal
  • #2
    swiss_
    Senior Member
    • Oct 2015
    • 596

    Have you heard of the "Fappening"...? I wouldn't store anything important on the "cloud." Create, and manage, your own passwords.


    • #3
      stilly
      I need a LIFE!!
      • Jul 2009
      • 10685

      Originally posted by area51
      I've been using 1Password for a while now and I'm very happy with it because it stores all contents on my local drive and I can sync it with Dropbox automatically if I choose.

      I've also used LastPass and I'm very happy with its performance.
      The only drawback that I could see with LastPass is the fact that it stores all passwords on the cloud, which makes me uneasy.

      Cost-wise, LastPass is free for the desktop version, but if you want to use its mobile platform you have to pay an additional $12 a year.

      1Password is moving toward a $3.00 monthly fee which will cover all platforms. That would put 1Password at $36 yearly.

      Do you guys prefer to have your password stored locally or in the cloud? Furthermore, what are the chances of the cloud passwords being hacked and exposed? Currently I am using a complex 30-character password with 2FA with LastPass.
      Since the cloud is NOT in my protective watch, I do not put things there. I also do NOT put things there because it is NOT my hardware.

      I use Keepass. Open source and it simply works plus you can use your own icons if you please.

      When I worked for the city they were using eWallet or something. They had looked at Keepass, but since it was open source, they had nobody to yell at when it broke, so they went with the ewallet instead and they were very happy with it. It allows you to make walls inside and give access to certain parts and by certain people, but the entire file can be distributed. That is kind of a nice idea if you have a larger organization.

      I personally use Keepass though.
      7 Billion people on the planet. They aint ALL gonna astronauts. Some will get hit by trains...

      Need GOOD SS pins to clean your brass? Try the new and improved model...



      And remember- 99.9% of the lawyers ruin it for the other .1%...


      • #4
        NYT
        CGN/CGSSA Contributor
        CGN Contributor
        • Apr 2011
        • 3811

        I use LastPass with everything short of financials. It's just too easy to use across platforms.

        Remember that they did get hacked a while back.


        • #5
          glockman19
          Banned
          • Jun 2007
          • 10486

          It's called my brain.


          • #6
            area51
            Senior Member
            • Jan 2012
            • 715

            Originally posted by stilly
            Since the cloud is NOT in my protective watch, I do not put things there. I also do NOT put things there because it is NOT my hardware.



            I use Keepass. Open source and it simply works plus you can use your own icons if you please.



            When I worked for the city they were using eWallet or something. They had looked at Keepass, but since it was open source, they had nobody to yell at when it broke, so they went with the ewallet instead and they were very happy with it. It allows you to make walls inside and give access to certain parts and by certain people, but the entire file can be distributed. That is kind of a nice idea if you have a larger organization.



            I personally use Keepass though.

            I actually played with Keepass for a while but I don't like the fact that it doesn't auto-fill for you. Otherwise I'm all for open source.

            1Password stores your passwords at a local level, which is fantastic. The only thing I don't like about it right now is the new price structure.
            Looking 4" Python 686/ Redhawks, Les Baer.... East Bay NorCal


            • #7
              d33pt
              Senior Member
              • Jan 2012
              • 1630

              Originally posted by glockman19
              It's called my brain.
              I guarantee that you re-use passwords and use weak passwords due to the memory of your brain.


              • #8
                glockman19
                Banned
                • Jun 2007
                • 10486

                Originally posted by d33pt


                I guarantee that you re-use passwords and use weak passwords due to the memory of your brain.
                No I have a system that uses 8 or more characters using Capital and Lowercase letters, numbers and symbols in EVERY password that is different at every site yet easy to remember.


                • #9
                  the86d
                  Calguns Addict
                  • Jul 2011
                  • 9587

                  Password protected .xlsx... as always.


                  • #10
                    NYT
                    CGN/CGSSA Contributor
                    CGN Contributor
                    • Apr 2011
                    • 3811

                    Originally posted by the86d
                    Password protected .xlsx... as always.
                    Learn how to open a password-protected Excel file by removing password protection or using a workbook password cracker with our step-by-step guide.


                    Protected xls files are just one step above writing them on a piece of paper and keeping that paper under your keyboard.

                    Check out an encrypted local app if you want to secure your passwords but don't want them stored in the cloud.


                    • #11
                      ocabj
                      Calguns Addict
                      • Oct 2005
                      • 7924

                      I have been using LastPass for the past few years, and we use LastPass Enterprise within our department. I think it's a great user friendly solution to password management, but from the Enterprise standpoint, it's not great out of the box. There's a lot of things we haven't had time to write, such as pulling audit logs from LastPass and inserting it into our Elasticsearch cluster.

                      We also haven't written the tools to automatically rotate root passwords on servers and then update it in LastPass (API).

                      Thycotic is probably one of the more well-known Enterprise level password management tools because they've been hardcore pitching their service (and have working ties with other vendors such as Qualys), and it does a lot of the password rotation tasks (that's one of the primary selling points).

                      As far as storing in the cloud, it's a simple matter of adjusting with the times. All the older folks in my organization were hesitant to adopt cloud-anything for a long time. For the most part, cloud services are no less secure than rolling it yourself. You're simply moving liability from one place to another.

                      Now going back to LastPass, you can set it up with Two-Factor authentication and they support a lot of mechanisms. I use Duo Security two-factor for both my personal and Enterprise LastPass accounts, with YubiKeys as additional/backup tokens on both accounts.

                      Note: LastPass did get compromised in a limited fashion a year or two back where they were able to get some master passwords (passwords to vaults). One of the opponents to using LastPass in our organization was eager to point this out to us after we adopted it, but our (Security Team) response is that we require 2-factor auth to even have a LastPass account in our Enterprise platform.

                      Originally posted by glockman19
                      No I have a system that uses 8 or more characters using Capital and Lowercase letters, numbers and symbols in EVERY password that is different at every site yet easy to remember.
                      I used to do this prior to adopting LastPass. The problem is that if you were able to compromise the password databases for two services that I used (e.g. two independent web forums, retail sites, etc), you would be able to figure out my password for every other service I had an account with.

                      I honestly think that Federated authentication is probably the best solution out there. Google OAuth is probably most 'popular' (widest userbase). If people simply used Google as their OAuth for all other services (and assuming websites accepted Google OAuth for authentication and attribute assertions), we wouldn't have to worry about various small databases (e.g. some small mom-and-pop webstore) having their user+pass databases compromised. Of course, people will argue that having Federated auth with SSO for all services means you have a single point of failure, but you mitigate this with other things like 2-factor auth. Seriously, who here in a medium to large organization isn't using CAS and/or SAML for their applications?
                      Last edited by ocabj; 12-22-2016, 8:08 AM.

                      Distinguished Rifleman #1924
                      NRA Certified Instructor (Rifle and Metallic Cartridge Reloading) and RSO
                      NRL22 Match Director at WEGC

                      https://www.ocabj.net


                      • #12
                        gogohopper
                        Veteran Member
                        • Mar 2013
                        • 4733

                        Text file, but I enter them down incorrectly and have a system to decode them into the proper ID and PW.

                        The thought of storing them in a giant cloud repository, with a target on its back, makes little sense to me.
                        Originally posted by Webologist
                        I am in a sympathy-free zone as well. A leftist brown shirt reaping what he sowed after profiting from it is sweet justice indeed.


                        • #13
                          terry4130
                          Senior Member
                          • Mar 2010
                          • 635

                          I also use Keepass. Great app and it's also available on mobile devices.


                          • #14
                            billofrights
                            CGN/CGSSA Contributor
                            CGN Contributor
                            • Oct 2012
                            • 2343

                            Originally posted by glockman19
                            No I have a system that uses 8 or more characters using Capital and Lowercase letters, numbers and symbols in EVERY password that is different at every site yet easy to remember.
                            A lot of companies enforce the "special characters, capitals, and numbers" thing but it's flawed reasoning. Adding a number to your password only adds 10 more possible options per space, insignificant for software trying to brute force crack a password. Specials add another 30 or so, also insignificant.

                            This comic explains it really well:


                            And if you feel like testing your password strength:

                            Comment
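The arithmetic behind the character-class point in post #14, as an added example that is not part of the original thread: it measures how many bits of brute-force search space each extra character class buys on an 8-character password, compared with simply doubling the length. The sample passwords and the guess rate are constructed assumptions, and the figures are upper bounds that hold only when every character is chosen uniformly at random.

```python
import math
import string

# Printable-ASCII character classes and their sizes.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

def alphabet_size(password):
    """Sum the sizes of every character class the password draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def brute_force_bits(password):
    """Upper bound on the search space in bits: length * log2(alphabet).
    Human-chosen patterns fall well below this bound."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

# Constructed sample passwords, not taken from the thread.
SAMPLES = [
    "kqzmwpxa",           # 8 chars, lowercase only
    "kQzmWpxa",           # 8 chars, mixed case
    "kQz7Wpx4",           # 8 chars, mixed case + digits
    "kQz7W!x4",           # 8 chars, all four classes
    "kqzmwpxatrbnhgdu",   # 16 chars, lowercase only
]

def report(rate=1e10):  # assumed offline guess rate, for illustration only
    """Return (password, alphabet, bits, years) for each sample."""
    return [(pw, alphabet_size(pw), round(brute_force_bits(pw), 1),
             years_to_exhaust(brute_force_bits(pw), rate)) for pw in SAMPLES]

if __name__ == "__main__":
    for pw, size, bits, years in report():
        print(f"{pw:<18} alphabet={size:<3} bits={bits:<6} years={years:.3g}")
```

Going from mixed case to mixed case plus digits adds about 2 bits in total at 8 characters, while 16 random lowercase letters exceed the full four-class 8-character password by more than 20 bits.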

                            • #15
                              glockman19
                              Banned
                              • Jun 2007
                              • 10486

                              Originally posted by billofrights
                              A lot of companies enforce the "special characters, capitals, and numbers" thing but it's flawed reasoning. Adding a number to your password only adds 10 more possible options per space, insignificant for software trying to brute force crack a password. Specials add another 30 or so, also insignificant.

                              This comic explains it really well:


                              And if you feel like testing your password strength:
                              http://www.passwordmeter.com/
                              There are 18,170,005,425,000 possible combinations using 8 characters...Good luck trying to figure out my personal algorithm out of 18 TRILLION possible combinations.
