P@s$w0rdz: Password Managers | CommuniCrossings

"Pros & Cons of Password Managers"
by wisdomplexus is licensed under CC BY-SA 2.0

Introduction

"One Ring to rule them all." ~Lord of the Rings
"Passwords are one of the primary pain points in our modern digital existence."
~Why You Need a Password Manager
From the course intro:
"Reduce stress and declutter your brain by remembering just 1 primary password;
a "password manager" app can store, encrypt and fill-in all of your online logins;
in particular, I will demonstrate 1Password (mostly on the Mac & iPad)."
"The menus and commands for 1Password on different platforms
(Android, ChromeOS, iOS, Linux, Mac, Windows) and browsers
should be almost identical in user interface and functionality."
"For other password managers, the concepts and features should be very similar,
but students will have to locate the analogous menus and commands themselves."
Disclaimers: ever-changing versions & features,
user interface & platform differences, pricing, ...
-- and of course reviewers' biases, and users' preferences & working styles.
Features vary over time between browser extensions and full apps.
Current versions (9/18/2023): macOS 11.7.10; iOS 15.7.9 (iPhone) -- 1Password 8.10.16;
iOS 12.5.4 (iPad) -- 1Password 7.10.2
Screenshots (~2021): macOS 11.5.1; iOS 14.7.1 (iPhone), 12.5.4 (iPad) -- 1Password 7.8.6
Screenshots and command sequences here differ from later versions.
Behavior may change after PM and OS updates and for different web sites!
Which features? How to choose: # of positive reviews? security?
company reputation? platforms? price? Steve's opinion?
Five reasons why you need a password manager
1. Browser Integration; 2. Password Generation; 3. Phishing Protection;
4. Cross Platform Access; 5. Surveillance Safeguard;
plus debunking these beliefs: "I'm not a target.";
"I already have a perfectly good system for managing passwords.";
"If someone steals my password file, they have all my passwords.";
"I don't trust someone else to store my passwords on their server."

Pricing

Pricing depends on number of users, number of devices, features, ...
Free. Most PMs offer free trials;
some offer free versions, but with limited features or support
Purchase. Software license for each user and/or device? major upgrade more $?
currently, most PM vendors promote subscriptions; 1Password no longer offers individual licenses.
Subscription. Plans usually include software licenses, updates, upgrades,
support and cloud storage. # users? #devices?
Some PMs offer Business plans -- not covered here.
A Family plan enables users to share some password entries in a shared vault -- or directly with other users;
remaining entries for each user are stored in a separate private vault, each with its own primary password.
May support primary password recovery for and emergency access to other accounts.
If all family passwords can be shared in a single vault with the same primary password,
and login entries for same site are differentiated with labels or tags for each user,
sharing an individual plan may suffice (and save $1-2/mo.)

Top Recommendations

Most often mentioned and rated highest: 1Password (1PW), Bitwarden, Dashlane
Available for all major OS platforms: Android, iOS, Mac, Win, ChromeOS, Linux;
some even support Apple watchOS, e.g., as token to unlock vault, display MFA codes, etc.
Supported for all major browsers: Chrome, Edge, Firefox, Opera, Safari; others?
Pricing below for subscriptions (monthly rate if billed annually); free trials available.
1Password [developer: AgileBits]
Individual: 1 user, all devices; $3/mo.
Families: 5 users, all devices; $5/mo.
25% first-year discount [last checked: 5/6/2023];
Tidbits members get 6 months free
Tutorials ; Videos; Refs; Take Control of 1Password (ebook)
BitWarden [open source]
Personal: 2 users share 1 vault, unlimited devices; free
Premium: Personal plus other authentication/security features; $0.83/mo.
Family: Premium, for up to 6 users; $3.33/mo.
Help; Refs
Dashlane [developer: DashLane]
Individual: 1 user, 1 device, 50 passwords; free
Advanced: 1 user, 2 devices, unlimited passwords; $2.75/mo.
Premium: 1 user, all devices; $5/mo.; incl.: VPN, cloud storage
Family 10 users, all devices; $7.50/mo.
Support; Refs
In addition to the Top 3 (1Password, Bitwarden, Dashlane), there are many other password managers,
some free, some with additional features/services, others more limited, less polished, security problems, e.g.:
Dropbox Passwords; Enpass; iCloud Keychain (only Apple devices, discussed earlier);
KeePassX ; Keeper; LastPass; NordPass; Password Boss; RoboForm; Sticky Password
These are discussed and reviewed in the ebook: Take Control of Your Passwords;
see also: Refs: Product Reviews / Comparisons
LastPass? Some who've taken my course may wonder why I no longer recommend LastPass.
LastPass has had several serious data breaches, including actual password vaults.
Although LastPass vaults are encrypted, it's possible that they might be cracked someday
-- providing hackers access to all of your accounts.
Given their track record, I lack confidence in LastPass's ability to prevent/minimize future breaches.
If you'd prefer to use LastPass, I recommend that:
you change your main ('master') password on any vaults
you change the passwords on any important accounts, e.g., email, financial,
and use multi-factor authentication when available and secret answers to security questions.
you continue to monitor news about future security breaches
you consider migrating to a different password manager

Getting Started: Some Initial Steps

Select a password manager to try out
-- at a minimum, make sure it's available for all your devices and preferred browsers;
price: usually 30-day free trial; discounts often available: special, or for annual plan
1Password (1PW): Support; Refs
Take Control of 1Password (ebook)
Tutorials: general, Android, ChromeOS / Linux, iOS, Mac*, Windows
*install from 1Password's own "Password Store": Get the 1Password apps
or Apple's Mac "App Store" [on right]?
same version, but 1Password Store version may offer prompter upgrades,
more flexibility for subscription upgrades/downgrades? it's possible to change versions later:
How to install the 1Password app from 1Password.com after installing it from the Mac App Store
Videos: general; ChromeOS / Linux; Mac
1PW videos from enthusiastic users: Getting Started 5:18;
Beginners Guide To 1Password 27:20;
Why 1Password is the best proprietary password manager 27:19
Refs: Other Product Reviews / Comparisons
Download and install PM app from App Store for your first device's OS ,
or the vendor's site: e.g., 1Password, BitWarden, Dashlane
[info above for 1Password; on right: after installation, macOS Launchpad: 1Password app icon]
Which device to start with?
A desktop or laptop is easiest for adding/updating accounts initially,
especially with its display and physical keyboard.
A tablet would be next choice;
less integration in iOS/iPadOS 14 (or earlier) due to system constraints
-- means more switching between PM and browser.
A smartphone will work but it will take longer to enter passwords,
due to its smaller onscreen keyboard and display -- especially if < iOS 15.
Finally, whichever device you start with, you can install PM
on another device later and sync passwords between them.
If you're not using Safari or have a 2nd browser,
install browser extension for Chrome, Edge, Firefox
Either Get started with 1Password in your browser or
1Password (app) > Install Browser Extensions
displays page to download official extension from the browser's "extension store"
1Password 8 implements the Safari extension via a separate app:
"1Password for Safari" in Apple's App Store
A browser extension is more convenient than the full app for most common functions.
The extension and app share access to the same vaults,
so you can create or update a login entry from either.
Make sure the extension is enabled in your browser, e.g.,
Safari > Preferences > Extensions [top right]
1Password: Safari in iOS & iPadOS 15
Firefox > Tools > Add-ons and Themes > Extensions [above right]
Chrome > More (3 dots) > More tools > Extensions
If 1Password browser extension successfully installed,
a small icon appears in browser tool bar area,
e.g., Safari [above right], Firefox [on right]
Some possible installation-related issues:
Updating 1Password itself -- while it's still open, i.e., "Quit 1Password Completely"
Incomplete install
Browser extension can't connect to the app
You may need to reboot.
To avoid multiple apps intefering with each other when saving your logins:
Disable any other password manager, you were using,
i.e., in browser settings where you just enabled 1Password (above)
If any browser was saving passwords ('autofill'),
export existing login entries from browser, remove entries,
and disable autofill, see earlier Browser: Autofill section;
also: 1Password: Turn off the built-in password manager in your browser
Individual or Family plan -- do you need to keep passwords separate?
Simplest to start with Individual plan (1 user); you can upgrade to Family later if desired.
Setup an account -- usually cloud subscription
Create and save primary password -- at least an initial one;
you can replace it with a stronger one later.
Save "private key" (extra security) if provided
-- store in PM, and create emergency kit [on right], e.g., for SD box.
1PW Emergency Kit is also useful for setting up 1PW on other devices.
1PW video: Sign-up for 1Password
1PW videos: To migrate existing 1Password entries from an app
to a subscription (1password.com) account: iOS; Mac; Windows
Optional: if you had been using another password manager,
or used your browser to save and autofill logins -- and you had exported them,
you can save setup time by importing these entries into your new PM.
1Password: import from other PMs or spreadsheet
1Password > File > Import: (format) [on right]
remember later to delete or encrypt any files with passwords remaining outside the PM!
You can also import .csv (comma separated values) on 1password.com web site (where you setup account)
Specify whether file contains Logins, Credit Cards or Secure Notes;
e.g., for logins, indicate which columns contained title, username, password, URL, notes (if any)
Pick some less important sites to start with / practice on.
When you login to a site for the first time,
if 1Password does not yet have your username and password,
you need to enter these from memory or from a scrap of paper or...
1Password should display a prompt offering to Create New or Update Existing login entry.
If no prompt appears, e.g., some sites not recognized or in older iOS,
manually create entry: 1PW (app) > File > New Login:
Title; username, password, website (home or login URL)
If login or password update failed, click "Not Now" and try again
Click "Update Existing" to list existing logins for that site;
if you changed the password successfully, select an existing login entry from the list to update;
if none listed or it's a new account, add a title and click Create New.
With subsequent logins to that account, 1Password should autofill.
Other ways to see which login entries (accounts) have already been added:
the popup menu lists accounts when you click on a password or username field in a login form for a site
browser extension lists entries for the current domain, or enter a name, e.g., "OLLI" in the search box
As you change a password on a site,
PM should offer to update existing vault entry;
section:P@s$w0rdz: Updating: How (includes manual updates)
1PW video: Change your passwords and make them stronger
Explore features; re-read more sections here;
vendor sites: FAQs, tutorials, videos, support articles/forums
Add / update more sites...; section: P@s$w0rdz: Updating: Strategy
Stronger primary password?
[below right: Mac: 1Password > Preferences > Accounts > Change Master Password] ???
Install PM on another device? [on right: 1Password in iOS App Store]
Configure PM on new device
[below right: Mac: 1Password > Preferences > Accounts > Set up other devices];
1PW Emergency Kit (form) [earlier image] is useful both as backup and for setting up other devices.
Give yourself a pat on the back, sleep better at night,
and enjoy your PM whenever you login to or manage a site.
How to Get Your Family to Actually Use a Password Manager
start small with secure sharing of popular accounts, such as streaming services or news subscriptions;
set up a shared document with crucial info for your executor/heirs;
extra protection (MFA) for your email, financial info, health info;
subscription family password manager vs. individual plan vs. more technical hands-on solutions;
leverage finances, budgeting, and other life skills; incentives? be persistent; Wired; 10/5/2021

Security

One of the major reasons you'd want a password manager.
Your very strong, memorable password -- known only by you (not even by PM vendor)
encrypts (AES-256) all passwords (and other info) in a secure vault on your device and/or cloud.
Local vault still accessible, even without internet connection.
Sync/backup vaults securely between devices,
usually via 1Password cloud account -- safe, since vault still encrypted;
older versions of 1Password may still support sync via other cloud services,
e.g., Dropbox, iCloud, ... or manually (no cloud): WLAN (Wi-Fi)
1PW tutorial: Sharing vaults with your family
Move/copy items between different vaults: 1PW video; 1PW tutorial
Backup of vault probably not necessary if using cloud sync;
however, backup at least the primary password & device passwords
that you're remembering, e.g., safety deposit box, trusted friend in their PM.
It is possible to export entries from 1Password if you decide to use a different password manager.
1Password > (pick vault) > File > Export > Selected/All Items: (format) [right]
Some may want to Print entries on paper or save as a .pdf, perhaps as another form of backup?
Take special care with sensitive info that's now outside the secure PM
-- in spreadsheet, paper or .pdf form -- by deleting after temporary use, encrypting it or storing somewhere else secure.
What if you do forget your primary password?
Several password managers (Bitwarden, Dashlane, Keeper, RoboForm) have an emergency access feature;
beforehand, you designate one or more emergency contacts; later, they can gain access to your account;
1Password is working on this feature.
1Password Families currently supports sharing of your key passwords with other trusted persons.
You can also print out and store an emergency kit.
Travel Mode: Remove (hide) sensitive data from your devices when you cross borders;
restore access with a click when you arrive.
How often do you want to enter your primary password?
Convenience vs. security tradeoff: when leaving device or travelling,
lock vault manually, or automatically via timer preference or device sleep.
macOS: 1PW (app): Preferences > Security: Lock on sleep; Lock after computer is idle for __ minutes; etc. (on right)
To lock 1Password manually:
macOS: 1Password (app) > Lock
Win: 1Password (1PW7) | Account Name > Lock
To unlock 1Password (besides entering primary password):
Apple Watch, Touch ID, Windows Hello
For iOS, depending on your device model,
you can enable PIN, TouchID, or FaceID
for convenience.
You can force primary password prompt
with incorrect PIN/scan, or Lock Now
-- especially important to do for 4-digit (weak!!) PIN
before walking away from device.
iOS (iPhone7): 1PW: Settings > Security: Lock Now; Lock on Exit; Auto-Lock __ Minutes; TouchID (on far right)
iOS (Pad Air): 1PW: Settings > Security: Lock Now; Loc on Exit; Auto-Lock __ Minutes; PIN Code (above right)
video: Use Touch ID to unlock 1Password on your iPhone or iPad
Generate & Store very strong, random passwords of different types:
numbers (PIN), phrases, complex character sequences -- section Generating Passwords
Generate & Store unique usernames, e.g., anonymous, linked email addresses
1PW video: Create Masked Email -- section User Names
Generate & Store Time-Based/Temporary One Time Password (TOTP) codes
-- a more secure alternative to SMS texting; see MFA section
Check for vulnerable, weak, compromised passwords; see Updating Passwords
Even more secure: 1Password accounts (and Dashlane) support Multi-Factor Authentication.
If you already have a separate private key, it might not be necessary. It's more complex to set up and use;
the extra code needed might not be accessible from that device's own PM (since you need to login first -- with a code!).
You could use another authenticator app, e.g., Authy, another device,
or a special USB key, e.g., YubiKey to generate the TOTP code.

Accessing Sites

Saved login credentials may be accessible via several different interfaces.
1. Within a page's login form, click on username or password field.
PM offers list of credentials matching that site;
you may need to open PM first with your primary password.
on right: form popups in Mac Safari.
2. Browser extension (via icon in browser toolbar)
or system extension (via icon in system's menu bar).
This 'mini-app' provides most of the features you need.
-- on right: Mac mini-app via Safari toolbar.
Before iOS/iPadOS 15, extensions behaved differently from desktop.
video: Use the 1Password extension to save and fill passwords
on your Mac or Windows PC
3. Regular app, with possibly different user interface and additional features,
e.g., creating secure non-login items; autofill in selected apps (not just browsers); sorting;
persistent local storage; Watchtower access; syncing locked/unlocked state between browsers
Navigate to correct site; automatically fill-in userid and password for most sites
-- via browser extension or app;
Some situations may require a manual copy/paste step, e.g.:
entering password into an app (not browser), e.g., Dropbox, Skype, Zoom
a page containing multiple forms can conflate username & fields
for both new accounts and existing users, and confuse PM;
a form on a page may require other fields,
e.g., zipcode or secret answer to a security question
financial institutions may have multi-page logins, with user name on first page, then password, security questions and/or MFA code on subsequent pages
-- with maybe a CAPTCHA puzzle thrown in.
some sites may unfortunately prevent paste/autofill
-- requiring keyboard or menu
often you can resolve confusion by manually editing the PM's site item
to replace an obsolete login or initial account registration page
You do need to click Login or Submit manually to complete a site's login process.
1Password no longer has an option to "auto-submit" after auto-filling credentials
to avoid security problems, e.g., hackers harvesting credentials from fake login pages.
If your PM has an auto-submit feature, disable it.
If site mismatches domain for account,
e.g., URL typos or possible phishing links, 1PW provides an alert and does not autofill.
Log into PM once, then access many sites easily,
e.g., downloading monthly statements
Login to a site or update password on a site -- PM creates a new, or updates an existing, vault entry
1PW video: Change your passwords and make them stronger
Same login entry works for subdomains, e.g., example.com, xxx.example.com
Login entry can store multiple URLs using same unique credentials,
e.g., appleid.apple.com, icloud.com
Multiple accounts for same site would be separate entries,
stored in shared vault or different family member's vault,
differentiated by name label, e.g., OLLI Joe, OLLI Jill
You could also associate a local "file URL" with a login entry,
i.e., where on your computer you store monthly downloaded .pdf statements
from that bank, utility, credit card company, etc.
Setup local file URL in 1Password on Mac
Finder: (select folder) > File > Get Info > (select ‘Where’ field contents) > Copy
or ctrl-click folder in Path Bar (Finder window bottom) > Copy folder as Pathname
1Password > (login entry); Edit
locate last (template) "website" field, say, website 2: https://example.com/
replace "website 2" (title) with "Local Archive"
replace https://example.com/ (value) with folder path, i.e., Paste;
value would look like: /Users/account/Documents/Finance/Bank1/Statements
add file:// at the beginning; value would then look like:
file:///Users/account/Documents/Finance/Bank1/Statements
Save login entry
Use local file URL
Login to site and download statement file
1Password: (login entry) > Local Archive (field) > Open and Fill no Fill occurs
New Finder window opens, directly showing the destination path and folder
Drag downloaded file to that folder.

iOS/iPadOS

For iOS/iPadOS 15, 1Password behaves similarly to desktop version
1PW: Getting Started; Safari in iOS & iPadOS 15; Change Website Password
Older, more limited iOS/iPadOS extensions are discussed in this section.
Unfortunately, iOS (14 and earlier) doesn't recognize new or changed logins on a site;
add a site: create manually in 1PW app;
update a site: copy/paste info from site entry.
In even older versions of iOS and 1PW app,
you could click on login entry to open site in a mini-browser,
or you could manually copy credentials and switch to regular browser to paste.
These approaches still work but there are more convenient options.
Enable Autofill from browser (via kbd) on iPhone and iPad
set up: Settings > Passwords (& Accounts) > Autofill Passwords > 1Password: enable
use: tap 'key' icon on keyboard to open 1Password -- far right
Use the 1Password extension to fill in Safari and apps
set up: Safari (window) > ('share' icon w/ up arrow) > Edit Actions > 1Password: enable
use: tap (share icon) to open menu; select 1Password -- near right
Copy and fill passwords into apps that don't work with 1Password
Drag and drop (via multitasking) to fill in other apps on your iPad

Organize Logins, Other Info

Organize / access sites via menu, search, category / tag or favorites
1PW video: Organize with favorites and tags on your Mac
To reduce confusion / improve security,
remove regular browser bookmarks/favorites for any sites requiring login
Store other confidential info, e.g.,
video: Use 1Password to save and fill credit cards and addresses on your Mac
videos: How 1Password can replace your wallet; Create passport entry
'normal' & 'virtual' credit cards
1PW flags cards nearing expiration
Tag accounts that use that credit card, e.g., "VI-BofA" for autopay and recurring subscriptions
to make it easier to find and update those accounts with new credit card details.
virtual: create/login privacy.com account, linked to a debit card or bank account
create virtual card for specific account, e.g., merchant; one-off & recurring payments;
optional: link virtual card directly to 1Password (1PW);
'1Password X' browser extension required for Chrome, Firefox, and Edge;
if 1PW integration not yet available (mobile or desktop apps; Safari browser),
manually copy/paste virtual card from privacy.com into 1PW (or other PM)
How to Pay Using Virtual Credit Cards in 1Password LH; 9/24/2020
Identities, i.e., contact info (name, address); drivers licenses, passports
In Login entry's Note or additional fields: secret answers; site password rules; backup/recovery codes, etc.
In secure Note entry: device password, product model/serial numbers; hard drive encryption key, etc.
If you forgot your device password, you could access the note from 1Password on a different device,
or from your emergency info (backed up securely elsewhere) where you recorded the primary password for password manager, etc.
Include important files -- each 1Password user has 1Gb of cloud storage on 1password.com
If your document (or set of documents) would use too much storage,
encrypt the document (using Office, 7-Zip, etc.),
store it locally on your device and/or in another cloud account,
and save a local or cloud link in a secure Note along w/ the document password.
Software installation keys
Codes for garage, alarm; etc.
Use a password manager as a "digital will": 1Password