Password Managers

[MondSemmel]

After the RPS forums were hacked at some point in November or January or something, I procrastinated for months on changing my passwords. At some point I decided I didn't want to manually think up new passwords and change them for my 50++ accounts on various Internet forums, websites and services.

So, password managers sounded like a good idea. Are they actually? I have no deep knowledge of computer security, I'm afraid. In the discussions about hacked passwords, I never even understood what "hashed and salted" passwords were. So can anyone explain in simple terms whether password managers are secure, whether they are worth using, and what not to do in order not to compromise its security? (I hope this topic is interesting enough to be beneficial to more people than just myself.)

Some potential password managers I found include:
KeePass
LastPass (free or Permium)
Roboform
1Password
Clipperz
and gazillions more, I fear.

Any recommendations? Right now I'd tend to LastPass, I think, but without any background knowledge I cannot be sure that this is a safe choice. Is it?

Your help is much appreciated.

[Wolfenswan]

I'd suggest you read http://en.wikipedia.org/wiki/Password_manager

Password managers are as secure as the password you pick to access them. The password for my Keepass database is a) unique and b) probably the longest and weirdest password I'll ever have to remember.

I've been using Keepass for ages (though not nearly all of it's features) but have no experience with the others. I keep my Keepass database on a secured dropbox folder (which could be truecrypt encrypted but i'm not *that* paranoid) to share it between my Windows und Linux systems.

I use short, randomized passwords for forums or other low priority stuff I don't need to remember on a daily basis and store the longer but more complicated phrases I use for stuff I access more regularly as well.

But honestly, I consider my password manager a convenient way to store many unique passwords so I don't have to use samey passwords for each forum, mail-account etc. The security aspect comes second.

[Goateh]

They're as secure as anything else. All the main ones store passwords in such a way that, assuming your password for the database is strong, noone will realistically get them.

I used LastPass for a while but changed to KeePass since LastPass was dependant on an online database and I occasionaly want passwords when offline. I use a cloud storage system to store the password database so I can access it from all my machines so it's effectively online with the capability of working offline.

The security side of using different passwords helps but mostly I like that it keeps the number of things I need to remember to a minimum. I know passwords to a few important things (banking in its various guises seems to need an ungodly number) but when it comes to most sites I just look it up in the manager.

Roboform is good too, but Keepass is free!

As an aside, be careful with getting carried away. It wasn't until after I moved to a password manager that I realised how badly lots of sites handle things like long passwords (18+ chars) and non alphanumeric characters. I've fallen victim quite a few times to having my passwords randomly trimmed and cut because it couldn't handle a { in the password or it thought that 25 was a length noone would pick for a password.

[Bobtree]

I'm using Keepass and picked the 1.x branch for portability.