I've not used 1Password, but given that it's not opensource, it's published by a for-profit company, and free to download, I wouldn't trust it.
If it's freely available and published by a for-profit company, you've got to question why they release the software for free–perhaps they just want the world to use encrypted and strongly generated passwords, but perhaps there's a backdoor in the program delivering your password to them–either way, you don't know because nobody can review the code.
There are many forks of KeePass for basically every platform you can think of. KeePassX works on Mac; or if you want to run the original, KeePass works well through Wine.
I'm using KeePassX on Linux AND Windows and I keep my passwords on a dropbox account. Why does everyone think KeePassX doesn't work on Windows? What am I missing here? KeePassX Downloads
That is what password safes are for. Use them! A cross-platform piece of software I have used for years now: keepassx. You could place the passwordfile/safe in dropbox :).
I keep my password files for KeePass on it. It is less than a meg so syncing is very fast and I get it on all my machines including my phone. So I have my passwords with me at all times and it is encrypted so I do not have to trust Canonical to not pry.
I also keep a few hundred wallpapers that I rotate on most of machines.
I'll give some advice on how I secure my account, which I'd think hackers would try to steal if they were looking to (Diamond MMR, I have beta stuff, Pax TF, Ice toboggan corki, rusty blitz etc etc).
Since there is no two-step auth for LoL, do this:
Download KeePassX, you can find it here: http://www.keepassx.org/
Create a strong password for your database of passwords, one that you REMEMBER. It's okay if you write your password for your keepass database down literally on paper somewhere, store it safely if you suck at remembering passwords.
Sign up for a gmail email address, set up two step authentication on that email address. Create an extremely secure password for your gmail account as well (use Keepass to generate and store it).
Change your LoL account's email address to your new gmail account, and never ever use that new gmail address for anything but this LoL account.
Change your LoL account password to an extremely secure password using your new Keepass database.
This one is important, save your keepass database.
Back up your keepass database somewhere.
--- Why is this so awesomely secure? ---
Keepass databases are encrypted with your keepass database password. Even if someone gets on your computer, or steals your keepass database file, they can't get your passwords.
With Keepass, you never see or actually type your password. No one can snoop on you on stream, or keylog you.
Gmail is way more secure than LoL, so there are really no weak links in this equation. It's also relatively easy to recover a gmail account if you are the legit owner.
Agreed. Definitely not as good as the Windows clients. I tried one on the Mac for a while before moving to the one I currently use, KeePassX. For basic reading/writing/finding, it's OK. But it has no support for plugins.
Just going to throw this out there, since everyone's all "crazylongpasswordjoke!"
Use a (local) password tool's phonetic password generator!
Here are a few examples, from KeePassX, though it probably uses the same library as many others.
These are super memorizable after only a few uses, and the ones above all have 65 bits of entropy. Throw on some extra digits or numbers if you'd like, for more bits. This compares very favorably to the XKCD approach - which is also very good!
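The entropy arithmetic behind the comment above, as an added example that is not part of the original post and is not KeePassX's generator. It assumes a simple consonant-vowel syllable scheme and, for the word-based comparison, a 2048-word list with four words; all function names are hypothetical.

```python
import math
import secrets

# Assumed alphabets for a simple pronounceable scheme (not KeePassX's own).
CONSONANTS = "bcdfghjklmnpqrstvwxyz"  # 21 symbols
VOWELS = "aeiou"                      # 5 symbols
DIGITS = "0123456789"

SYLLABLE_BITS = math.log2(len(CONSONANTS) * len(VOWELS))  # about 6.71 bits
DIGIT_BITS = math.log2(len(DIGITS))                       # about 3.32 bits


def scheme_bits(syllables, digits=0):
    """Entropy of `syllables` consonant-vowel pairs plus `digits` digits.

    Valid only when every symbol is drawn uniformly and independently,
    which is what generate() below does.
    """
    return syllables * SYLLABLE_BITS + digits * DIGIT_BITS


def wordlist_bits(words, list_size=2048):
    """Entropy of `words` words picked uniformly from a list of `list_size`."""
    return words * math.log2(list_size)


def syllables_for(target_bits, digits=0):
    """Smallest syllable count that reaches `target_bits` with `digits` appended."""
    remaining = target_bits - digits * DIGIT_BITS
    return max(0, math.ceil(remaining / SYLLABLE_BITS))


def generate(syllables, digits=0):
    """Build one password with the OS CSPRNG (secrets), never random.random()."""
    parts = [secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
             for _ in range(syllables)]
    parts += [secrets.choice(DIGITS) for _ in range(digits)]
    return "".join(parts)


if __name__ == "__main__":
    n = syllables_for(65)
    print(generate(n), f"{scheme_bits(n):.1f} bits from {n} syllables")
    print(generate(9, 2), f"{scheme_bits(9, 2):.1f} bits with two digits")
    print(f"four words from a 2048-word list: {wordlist_bits(4):.0f} bits")
```

The figures only hold for passwords the generator produced; a phrase a person picks or edits by hand has less entropy than the formula reports.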
KeePassX only supports kdb database (version 1.0) and KeePass offers more security and lock downs than KeePassX
KeePassX Author has started working on KeePassX 2.0 which would support kdbx database. You can read his blog post here
> Originally KeePassX was called KeePass/L for Linux since it was a port of Windows password manager Keepass Password Safe. After KeePass/L became a cross platform application the name was not appropriate anymore and therefore, on 22 March 2006 it has been changed.
Source: http://www.keepassx.org/
> KeePassX (for Linux / Mac OS X; compat. with KeePass 1.x)
> Note that KeePass 2.x runs under Linux / Mac OS X, too; see Running KeePass under Mono.
Source: http://keepass.info/download.html
So basically KeePass didn't work on Linux when it was lower than version 2.x and KeePass/L or KeePassX filled that gap. Now KeePass can run on Linux with Mono, but KeePassX is still around (and does not depend on Mono).
or KeepassX. I've always used X, as that is what is in the Ubuntu repositories, and didn't know until now that it was a fork of the original (to bring cross-platform support.)
Anyway, it's a great tool for generating and storing complex passwords. Plus, since it's stored locally, you don't have to worry about lastpass's security, just your own.
I use KeePass 2 on Windows, KeePassX 2.0 on my Macbook, and KeePassDroid on my Moto X!
Bam! Suddenly how many passwords you have or how complicated they are doesn't matter anymore :) This, or something like it, is kind of becoming a requirement to use the internet. And since it allows very neat organization of stuff, I personally don't mind.
Fuck 1Password.
$49.99 for Windows
$49.99 for Mac OS X
$19.99 for iOS
No official client for Linux.
Limited Android support.
Go with KeePass or KeePassX with Dropbox.
Free for Windows
Free for Mac OS X
Free for iOS
Free for Linux
Free for Android
Another vote here for KeePass. I personally use KeePassX, because it works seamlessly cross platform.
For my personal passwords, I use LastPass Premium w/ YubiKey. The reason I don't use it for my clients is because I don't want their information being auto-populated everywhere I browse online.
You can also try KeePassX which is compatible and free software implementation of KeePass (without online functionality). You can use Dropbox, Gmail, etc. to sync your key database (use very strong password).
keepassx would work wonders for this.
http://www.keepassx.org/
you can make custom entries for users and password with an auto type shortcut.
here is the code you will need to use in the "comment section"
Auto-Type: {USERNAME}{TAB}{PASSWORD}{ENTER}
Auto-Type-Window: maindomain.com
Yup, I started on Password Safe many years ago on Windows, and was thrilled to find out that there was an open source cross platform password manager that was compatible with my already existing database from Password Safe.
You're looking for keepass or keepassx.
Truecrypt is rock solid, but there's a number of ways that using it like this could allow someone to get your passwords. It's all fairly paranoid of course, but keepass(x) is designed for the purpose, and mitigates a lot of the risks you leave yourself open to.
There's no inherent security problem with leaving a keepass database in dropbox or something.. up to you though.
> KeePass 2 support under Linux is bad.
Well, KeePassX 2.0 recently had an alpha release and it looks like it supports KeePass 2 databases.
KeePassX is awesome (and open source). Works with KeepassDroid databases too on Android. I just let it randomly generate a password as long and as complex as the site will accept. The funny thing is I generated a password like this once for one site, but I can't change my password now because it doesn't recognize the original password when I go to change it. I can login with the password, but I can't change it. WTF?
I use KeePassX (similar: KeePass Password Safe). It's an encrypted database secured with a master key, but then I very easily have a different (randomly generated in most cases) password for each site.
I much prefer keepassx, though I am curious to see how well KeePass 2.x runs under Mono. It seems odd to me that 1.x is still developed, considering the fact that it's a proprietary Windows-only application. Why anyone would develop Open Source Software for proprietary operating systems is really beyond me...
Just FYI, the developer of KeePassX posted an article about development of KeePassX2 which will be able to use the new kdbx format (I presume this is more secure). Not sure where he is with it, no comments about it in a long time, but he is working on something new.
not true, both KeePass and KeePassX use the .kdb extension so are usable with either version.
I use keepassx at home and work and can access with keepass on my droid
edit: found a nice discussion on the KeePassX forum, here
> debian/control
Did you mean the file called control which is found in the debian folder of the source tarball? I reproduce the contents of the said control file below:
Source: keepassx
Section: utils
Priority: optional
Maintainer: Reinhard Tartler <>
Uploaders: David Valot <>, Felix Geyer <>
Build-Depends: debhelper (>= 9), cmake, libqt4-dev, libgcrypt20-dev, zlib1g-dev, libxtst-dev, xvfb, xauth
Standards-Version: 3.9.6
Homepage: http://www.keepassx.org/
Vcs-Bzr: https://code.launchpad.net/~keepassx/keepassx/debian

Package: keepassx
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Cross Platform Password Manager
 KeePassX is a free/open-source password manager or safe which helps you
 to manage your passwords in a secure way. You can put all your passwords
 in one database, which is locked with one master key or a key-disk. So
 you only have to remember one single master password or insert the
 key-disk to unlock the whole database. The databases are encrypted using
 the algorithms AES or Twofish.
> Remember to check both the dependencies and the build dependencies
Well, the build-dependencies are listed in the control file, aren't they?
As for the dependencies, where can I find them? I have searched KeepassX's website and the files in the source tarball without success.
I would appreciate further help from you.
> but I also want to access them at any time.
This is a bad idea. What do you mean, access them at any time? I hope you are not talking about unlocking your online wallet at any malware infested public library computer that comes your way.
The way I see it, there is no substitute for the strategy of different tiers of bitcoin wallet. Here is how I do it:
Tier 0 - Long time storage
This is cold storage. I employ Electrum for that.
Tier 1 - Spending wallet
This is not cold storage and only holds as much money as I usually would be comfortable carrying around in my fiat-wallet too. Here I use Mycelium on my Android™ smartphone.
Tier 3 - Online wallet/3rd party wallet
This is every exchange or other service that holds the private keys for my bitcoins for me. Exchanges like bitstamp.net, or the tipping service changetip.com. Here I have only the bare minimum that I absolutely have to have there. Usually it's zero, as I immediately withdraw my bitcoins either to my Tier 0 or 1 wallet, as soon as I buy them.
The private keys/seeds must never touch untrustworthy devices. For the seed of my cold storage Electrum setup, that means any system that is or ever was connected to the Internet.
My Mycelium-Seed only is stored along my cold storage seed and on my smartphone. I would never type it into someone else's smartphone or computer.
And logging in on my Tier 3 accounts is always secured by 2FA, strong and individual passwords (I use a passwordmanager) and only done on trustworthy systems.
Use KeePassX to generate & store random passwords for different accounts. Keep encrypted password database file in your dropbox so that you can access it from any of your computers.
Dropbox also has versioning, so no need to worry about encrypted file getting corrupted.
I store all my passwords in one kdb file on my Dropbox (and backed up elsewhere). My preferred client is KeePassX on Windows and Linux, KeePassDroid on Android. It was a great feeling to centralise all my passwords, making them easily accessible to me anywhere, and above all being encrypted.
No, i want to use a long, randomly generated password which I'd just copy from keepass and paste into the login form. :)
Works with league of legends, but doesn't work with vindictus or dcuo, for example. And it's really annoying to discover this issue after generating and setting the password. ;)