Talk to me about password managers


  • I survived the hour long Uno hand

    @LB_ said in Talk to me about password managers:

    , it looks like LastPass supports 2FA and U2F.

    Oh, right! Yes, I have 2FA set up for my LastPass. I have it set to remember me on my home PC, so I rarely remember, but on strange PCs I need to use my Google Authenticator on my phone to get in.



  • @Dreikin said in Talk to me about password managers:

    KeePass is pretty good, and it works on Android as well.

    I found the UI (on Windows 7 at least) to be confusing and awful. It kept nagging me about concepts it'd never explained to me before forcing me to engage with them. I recall the first-run experience being it screaming at me to create a "vault" which apparently also is a "database", because the developers never bothered to even get their jargon straight among themselves. Natch there was no explanation of what a "vault" was, where it should go on disk, why the heck I'd ever want more than one, etc. And just as a pro-tip rule-of-thumb, if you show the word "database" to an end user, and your product isn't a DBMS, you probably fucked-up the UI something fierce.

    It's cluttered as hell, uses a tiny-ass font by default and looks like a Windows 98 app. Here's the screenshot they use to promote it:

    TO PROMOTE IT. That's the best view of the product they can come up with. That's the sizzle-reel.

    I like the little red circular close box in the upper right of the toolbar, attached to absolutely nothing close-able. Is that like a backup of the one in the window titlebar? When I get to work I'll have to click it and see what happens. No doubt it'll delete all my passwords with no confirmation.


    Oh but don't worry, it's open source OSI certified!!!!! Which is a shocker: an open source product (so proud of being open source that it got some kind of certificate verifying that) which has a terrible UI. Who'da seen that coming.


  • Trolleybus Mechanic

    @flabdablet When I started using KeePass, I had it show cleartext passwords in the GUI and then I had it sort on that column. First of all it was amazing how many accounts I had. Second, it was kind of sad that I think just about everything had one of the same 3-4 passwords.



  • @flabdablet said in Talk to me about password managers:

    it makes passwords like fxwze.afqsy.nslio.dfezp.zvuzf that are hella strong but super easy to transcribe.

    You obviously do not have dyslexia.



  • @LB_ said in Talk to me about password managers:

    I've heard about that, but that's not 2FA, that's just a second password. Can't it be copied, potentially without my knowledge?

    All 2FA is essentially a second password. Usually it's stored inside a microchip designed to make it hard to extract, but it's still possible.

    Most Android phones have one of those, so it shouldn't be impossible to somehow store the password there. But as you said:

    In fact if I want to avoid losing it I would have to copy it.

    And that's why true 2FA is impossible. By definition it has to rely on a physical thing that you have, but physical things can be lost.

    The best compromise is to print a paper copy of your private key and store it in a secure place.


  • Winner of the 2016 Presidential Election

    @blakeyrat I have rather low expectations of cryptography software UI :sadface:

    The font seems to be the same size as explorer, though. But you have things zoomed in or magnified or something, right? I guess this is another one that doesn't respond correctly to that, if that's the case.

    Checking the options, it looks like the defaults are Microsoft Sans Serif / Regular / 8 and Courier New / Regular / 8.

    @blakeyrat said in Talk to me about password managers:

    I like the little red circular close box in the upper right of the toolbar, attached to absolutely nothing close-able. Is that like a backup of the one in the window titlebar? When I get to work I'll have to click it and see what happens. No doubt it'll delete all my passwords with no confirmation.

    It closes the currently selected tab. No, that's not intuitive at all and I have no idea :wtf: they were thinking doing it like that.



  • @Dreikin said in Talk to me about password managers:

    It closes the currently selected tab. No, that's not intuitive at all and I have no idea :wtf: they were thinking doing it like that.

    You believe there was thought put into this?

    I don't even understand why you'd ever want more than one vault (considering they have sections and subsections and subsubsections, as shown), much-less why you'd want more than one vault in a single window. They could just open each vault in its own window and simplify the UI (and their own code!) tremendously for the 0.05% of the population who needs more than one. Why are there tabs at all? Just because Firefox did it?

    EDIT: I just realized:

    @Dreikin said in Talk to me about password managers:

    Checking the options, it looks like the defaults are Microsoft Sans Serif / Regular / 8 and Courier New / Regular / 8.

    I was kind of joking when I said it was a Windows 98 app, but I think those were the default system fonts in Windows 98. Hahaha. 8-point works on a 15" 800x600 screen like we all had in 1997. Less-so in 2017 with 1080p monitors.


  • kills Dumbledore

    @blakeyrat said in Talk to me about password managers:

    I don't even understand why you'd ever want more than one vault

    Some people in this thread have mentioned the idea of having more than one so if one is compromised you haven't lost all of your passwords. Seems needlessly paranoid to me but then "needlessly paranoid" is bound to be a bigger percentage of the audience for a password manager than of the general population



  • @blakeyrat I put it to you, sir, that in this as in so many other things, the fault lies not in the tools your workplace requires you to use, but in the fact that it doesn't allow you to choose your own. You don't have shit tools, just shit management.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Talk to me about password managers:

    I don't even understand why you'd ever want more than one vault

    Work/Personal seems like the most likely reason, although I imagine some people want to keep separate identities in separate files.



  • @flabdablet What are you talking about, you crazy-person nut-case? Nobody required me to use KeePass.

    I used it because we were doing a long setup process requiring a complex password I wasn't able (at that time) to change myself, and I didn't want to hold-up the entire process by spending 45 minutes memorizing it or make myself look like an insecure goober by printing a copy of it out. I used KeePass because it was there, not because I was required to.

    If I had known its first-run was a horrible wizard with about 57 incomprehensible steps, I probably would have just pasted it into a Notepad doc. But I do not have any forms of ESP, alas.

    @flabdablet said in Talk to me about password managers:

    You don't have shit tools, just shit management.

    No I don't, fuck you.


  • I survived the hour long Uno hand

    @Jaloopa said in Talk to me about password managers:

    "needlessly paranoid" is bound to be a bigger percentage of the audience for a password manager than of the general population

    I think "needlessly paranoid" is the primary userbase for KeePass.



  • @blakeyrat said in Talk to me about password managers:

    When I get to work I'll have to click it and see what happens. No doubt it'll delete all my passwords with no confirmation.

    No, it closes the database you're currently working with and allows you to open a new one.

    Many of the complaints you have about the KeePass UI don't apply to the 1.x series, which is less cluttered and has fewer features; that's another reason I prefer it.



  • @Dreikin said in Talk to me about password managers:

    Work/Personal seems like the most likely reason, although I imagine some people want to keep separate identities in separate files.

    Right; but you're kind of missing my point. Is it so important that they be in the same window that it's worth the UI confusion (and development time!) of creating a tabbed interface instead of simply opening a new window? They could have spent that development time on making the first-run experience not-awful, for example. Does that trade-off seem worthwhile to you? Not to me.



  • @blakeyrat said in Talk to me about password managers:

    You obviously do not have dyslexia.

    Quite so.

    I do, however, have eyeballs that skid over graphical elements in much the same way I gather yours skid over lettering, which is why I loathe and detest The Ribbon to such an extreme extent but don't mind KeePass in the slightest.



  • @blakeyrat

    @blakeyrat said in Talk to me about password managers:

    I don't even understand why you'd ever want more than one vault (considering they have sections and subsections and subsubsections, as shown), much-less why you'd want more than one vault in a single window. They could just open each vault in its own window and simplify the UI (and their own code!) tremendously for the 0.05% of the population who needs more than one.

    My "work" tab contains only accounts which I need when I am at the office, and that file uses a different pass phrase from the "personal" one. Each of the two files is independent, is stored separately, and it is up to me which ones I want to keep open at any given time.

    If it were necessary, I wouldn't feel that badly about sharing the "work" list with my coworker or replacement, although that is absolutely not true about the contents of the "personal" one which is mostly goat porn email accounts, forums, games and other stuff which nobody gets without having a lawyer reading a copy of my will first.

    I can also distribute other specialized lists like "All remote console passwords in London" or "Just the admin account to the stuff that the overnight support team needs to manage" without having any concern about mixing them in with anything more sensitive.

    Because Keepass can keep any number of tabs open at once, and treats them all as a single database, I (or rather the KeeFox extension, most of the time) am shown the correct password the moment I request it, without having to worry about which list it's in. It's really a nice feature, and I would miss it if it were gone.

    If my sole use case for Keepass were just sorting all of my logins for the various My Little Pony Slash archives vibrant social media hubs I belonged to, then yes having multiple password files would be pointless but handling multiple lists with differing expectations for privacy and concurrency makes it quite useful.

    That may make me part of the 0.05%, but I'm okay with that.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Talk to me about password managers:

    @Dreikin said in Talk to me about password managers:

    Work/Personal seems like the most likely reason, although I imagine some people want to keep separate identities in separate files.

    Right; but you're kind of missing my point. Is it so important that they be in the same window that it's worth the UI confusion (and development time!) of creating a tabbed interface instead of simply opening a new window? They could have spent that development time on making the first-run experience not-awful, for example. Does that trade-off seem worthwhile to you? Not to me.

    Nah, I didn't miss it, I didn't dispute it. It doesn't seem like that much of a development effort to add a tab interface, but I've not done any real GUI work yet, so what would I know. From what little I have done, it seems harder to me to mess up the close tab feature the way they did than to implement tabs at all. Isn't that just a setting on the tab control or something?


    Btw, why do you think the UI is cluttered? Explorer in details view wouldn't look terribly different - just the addition of the toolstrip and tabs (which don't show up if you have only one db open).



  • @flabdablet said in Talk to me about password managers:

    I do, however, have eyeballs that skid over graphical elements in much the same way I gather yours skid over lettering, which is why I loathe and detest The Ribbon to such an extreme extent but don't mind KeePass in the slightest.

    KeePass has a lot fewer words in its toolbar than the Ribbon does. I mean like what you want and hate what you want, but at least have good reasons.

    @DCRoss said in Talk to me about password managers:

    Because Keepass can keep any number of tabs open at once, and treats them all as a single database,

    But it... doesn't? At least there's absolutely no UI indication that it does. (For a good example of how to do that, take a look at OneNote.)

    And additionally: having multiple windows wouldn't prevent that functionality from working, either. Again: there wouldn't be any UI that the databases are treated as merged, but there isn't now! so I don't see that as a drawback.

    @Dreikin said in Talk to me about password managers:

    It doesn't seem like that much of a development effort to add a tab interface,

    Well maybe not for them, because they did a really fucking shoddy job of it.

    @Dreikin said in Talk to me about password managers:

    Isn't that just a setting on the tab control or something?

    Yeah; it's just a checkbox in Visual Studio that says, "do all the work to make tabs for me and also do all the usability testing and all that stuff". You check it and it all works as if by magic. You sure nailed it.

    @Dreikin said in Talk to me about password managers:

    Btw, why do you think the UI is cluttered?

    Look.

    If you like that UI, fine. Like it. You don't have to Do The Boomzilla and ask me like 374327 leading questions until you've "convinced" me to like it too. It's a waste of both our time. Ok? You can like it and I can not like it and somehow the world keeps spinning.

    If anybody knows of a password management program that actually has a good UI, and also works with stuff like Windows Phones and Amazon Fires and Xbox Ones, let me know. I doubt one exists. But who knows, hope springs eternal.



  • @blakeyrat said in Talk to me about password managers:

    KeePass has a lot fewer words in its toolbar than the Ribbon does.

    I don't use its toolbar. I appreciate its small size for the lack of distraction.



  • @flabdablet said in Talk to me about password managers:

    I don't use its toolbar. I appreciate its small size for the lack of distraction.

    So you're not saying KeePass is good because it's not like the Ribbon, you're saying it's good because while their toolbar is more icon-y than the Ribbon's, you just don't happen to use it.

    (Apparently, you could just stop using the Ribbon in Office altogether and you'd be immensely happy with that product, too. But we'll ignore that little logical conclusion right now.)

    Sure. Fine. Whatever.

    There's nothing worse than talking to geeky geek developers about user interfaces.



  • @flabdablet said in Talk to me about password managers:

    KeePassDroid

    DansGame

    Keepass2Android is amazing. Auto-syncs with Dropbox, a quick unlock feature (you have a single attempt to type the last x characters of your KeePass password, defaulting to 3), a keyboard so you don't even have to copy the password to the clipboard, and it looks great.



  • @blakeyrat said in Talk to me about password managers:

    the Ribbon

    Look.

    If you like that UI, fine. Like it. You don't have to Do The Boomzilla and ask me like 374327 leading questions until you've "convinced" me to like it too. It's a waste of both our time. Ok? You can like it and I can not like it and somehow the world keeps spinning.



  • @flabdablet Like I said above: I don't care if you don't like the Ribbon. I only care that you gave a really badly-thought-out reason why you don't like the Ribbon. It makes me think you don't like it because your knee-jerked, not because you've actually rationally thought about it at all.

    My goal here is to get people to use their brain to think about things, and not just knee-jerk hate everything that's different than the thing that came before.



  • @blakeyrat said in Talk to me about password managers:

    you're saying it's good because while their toolbar is more icon-y than the Ribbon's, you just don't happen to use it

    No, I'm saying I like it because it's completely usable via menus and context menus without me ever having to engage with its toolbar, which is (unlike the Ribbon) an adjunct to menus rather than a replacement for them, and unobtrusively small besides.



  • @blakeyrat said in Talk to me about password managers:

    It makes me think you don't like it because your knee-jerked, not because you've actually rationally thought about it at all.

    I could make exactly the same claim about why you don't like stuff with CLIs, and it would be equally vacuous.



  • @flabdablet said in Talk to me about password managers:

    and context menus

    Most of my computers have touch screens, making this a really shitty way of engaging with the program.

    PLEASE NOTE THAT I DID NOT ASK YOU ANY QUESTIONS IN THIS POST!!!



  • @blakeyrat said in Talk to me about password managers:

    Is it so important that they be in the same window that it's worth the UI confusion (and development time!) of creating a tabbed interface instead of simply opening a new window?

    I know multiple people who consider it a cardinal sin for software to open a new window instead of a new tab. I guess it just boils down to personal preference, and to satisfy both cases you'd need to do more programming.



  • @LB_ The role of a good designer is to make choices like that for the user, not to try to make everybody happy. Because that'll never happen anyway.

    Very few of the applications I consider to have good UIs, the Office applications for example, support tabs. (OneNote does-- Excel kind of does but they're tabs within a single document.) It became trendy in web browsers, and I believe lazy developers without any UI chops just started copying Firefox.

    The real problem is putting tabs inside the application window isn't even the right way to implement them-- the tabs should be in the window manager, like they were in BeOS. So I could tab together a web browser and a Word document because both are related to the same task. In an ideal world, I'd much rather see no applications support tabs, but every window manager do.

    But anyway, this is all off-topic. If there's a password manager with a good UI, let us know.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Talk to me about password managers:

    Yeah; it's just a checkbox in Visual Studio that says, "do all the work to make tabs for me and also do all the usability testing and all that stuff". You check it and it all works as if by magic. You sure nailed it.

    Stop listening to your shoulder aliens. I was talking about the presence of the close tab [x] button, not the rest of that.

    @blakeyrat said in Talk to me about password managers:

    Look.
    If you like that UI, fine. Like it. You don't have to Do The Boomzilla and ask me like 374327 leading questions until you've "convinced" me to like it too. It's a waste of both our time. Ok? You can like it and I can not like it and somehow the world keeps spinning.

    I'm not, I'm actually interested in your opinion on that and not trying to convince or argue with you that it's great (my personal opinion is "meh - it does what it needs to and doesn't look terribly out of place"). Whether or not I end up agreeing with what you think, you obviously have strong, consistent opinions about UI that are also often reasonable expectations. Given that I intend to produce at least a few GUI apps, I try to pay attention to that so I at least have an idea of what to think about when designing them.

    ETA:

    I don't have terribly high personal expectations for interface beauty or aesthetics[1] - I use git, for example - but I don't want the things I make to be just okay for me. I want them to be good in both my particular case and in the general case of being attractive and usable by other people. So I do actually pay attention when you gripe about stuff like this, or programs not dealing with high-DPI/magnified screens correctly, or having unintuitive behaviors, not doing usability testing, etc., because it gives me stuff to think about and look out for when I go about doing that.


    1: To the extent of whether I consider it useful/usable for me. I can still think it's crap or whatever independently of that.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Talk to me about password managers:

    the tabs should be in the window manager, like they were in BeOS

    KWin supports this (or at least it did when I last used it). It's the only thing I really miss about KDE.


  • Trolleybus Mechanic

    @Dreikin said in Talk to me about password managers:

    It closes the currently selected tab. No, that's not intuitive at all and I have no idea :wtf: they were thinking doing it like that.

    I realized what it was for right away when I started using the app. I thought its placement was a bit odd, but if it didn't close the current tab, then I would've been confused.



  • @Dreikin said in Talk to me about password managers:

    Stop listening to your shoulder aliens. I was talking about the presence of the close tab [x] button, not the rest of that.

    If the close tab button operates on the tab, it should be located somewhere in the tab. Preferably where the close button would be were the tab a window. Kind of like how... hm, Chrome, Skype, Steam IM, etc. all already do it.

    Ideally, every operation that only affects one tab should be inside the tab. Again, Chrome does this correctly but I remember the huge outcry when they changed it.



  • @Adynathos said in Talk to me about password managers:

    @LB_ They protect you against forgetting the passwords.

    @anonymous234 said in Talk to me about password managers:

    @Adynathos But they create the possibility of losing all passwords at once.

    If you only had one password before, then when you lose that one, you lose them all at once.


    Solution:

    Fuck passwords, they suck.

    I just end up using the forget password link most of the time anyway.


  • Winner of the 2016 Presidential Election

    @blakeyrat said in Talk to me about password managers:

    @Dreikin said in Talk to me about password managers:

    Stop listening to your shoulder aliens. I was talking about the presence of the close tab [x] button, not the rest of that.

    If the close tab button operates on the tab, it should be located somewhere in the tab. Preferably where the close button would be were the tab a window. Kind of like how... hm, Chrome, Skype, Steam IM, etc. all already do it.

    Ideally, every operation that only affects one tab should be inside the tab. Again, Chrome does this correctly but I remember the huge outcry when they changed it.

    Yeah, and I thought that you could at least get the button like that without having to do much, but at least in WPF it appears you have to go about making the whole thing yourself. I expected you'd have to do all the wiring up to make it useful, but I'm surprised that just making it be present doesn't appear to be part of the toolkit.


    This is getting rather off-topic. Perhaps it should be Jeffed elsewhere.



  • @xaade said in Talk to me about password managers:

    I just end up using the forget password link most of the time anyway.

    What you're effectively doing there is using your email client as a comparatively shitty and inconvenient password manager.

    Which, if it floats your boat and meets your security needs, is fine - though learning KeePass would almost certainly let you waste less time on this part of your life.



  • @Dreikin Naw, it's a @blakeyrat derail and therefore on-topic by definition.



  • @flabdablet I do use KeePass. Just, forget to add the password sometimes. Slowly absorbing site after site.

    Outside of KeePass, that's what ends up happening.

    What's frustrating is platforms that KeePass doesn't work on, like my console. (Well, theoretically, put on my phone and then view the password manually, then type it in, blarg).

    tl;dr

    Passwords suck.


  • Discourse touched me in a no-no place

    @flabdablet said in Talk to me about password managers:

    And when my credit card expires, I just look in the "Has CC details"

    Huh, TIL.


  • Trolleybus Mechanic

    @flabdablet I use tags for the same idea.


  • Discourse touched me in a no-no place

    @flabdablet said in Talk to me about password managers:

    No, it closes the database you're currently working with and allows you to open a new one.

    Hmm. That doesn't seem particularly obvious.


  • Winner of the 2016 Presidential Election

    @FrostCat said in Talk to me about password managers:

    @flabdablet said in Talk to me about password managers:

    No, it closes the database you're currently working with and allows you to open a new one.

    Hmm. That doesn't seem particularly obvious.

    Looking at that again, not quite correct either. You can open another db whenever - each tab is a db. Closing one doesn't "allow" you to open a new one, you could always do that.



  • @xaade said in Talk to me about password managers:

    What's frustrating is platforms that KeePass doesn't work on, like my console.

    I got myself one of those cheap USB-stick-format Arduinos, and one day I'll get around to turning it into KeePass-on-a-USB-HID.


  • Trolleybus Mechanic

    @flabdablet said in Talk to me about password managers:

    @xaade said in Talk to me about password managers:

    What's frustrating is platforms that KeePass doesn't work on, like my console.

    I got myself one of those cheap USB-stick-format Arduinos, and one day I'll get around to turning it into KeePass-on-a-USB-HID.

    If I need a password for my console, I'll open the database on my phone and put the password in cleartext mode and just type it. I use KeePassDroid on Android. For passwords I suspect I'll do this with, I'll use shorter and simpler passwords of say 15-20 chars.



  • @Dreikin said in Talk to me about password managers:

    @FrostCat said in Talk to me about password managers:

    @flabdablet said in Talk to me about password managers:

    No, it closes the database you're currently working with and allows you to open a new one.

    Hmm. That doesn't seem particularly obvious.

    Looking at that again, not quite correct either. You can open another db whenever - each tab is a db. Closing one doesn't "allow" you to open a new one, you could always do that.

    Sloppy wording on my part. Using the inner red X leaves KeePass running even after you've closed the last tab, after which its File menu still allows you to open another database; by contrast, the window manager's X quits the whole application.



  • @flabdablet said in Talk to me about password managers:

    by contrast, the window manager's X quits the whole application.

    I was about to say "well that can't be true, because what if you have two databases open in two windows?" but it turns out-- that's impossible in KeePass! WTF!

    So not only did they implement crappy tabs, but you can't even use multiple windows if you want to. You're forced to use their crappy tabs.

    Sigh. Not sure why this surprises me at all...

    Also one of the default categories is named "Homebanking". No space, natch. (It allows spaces, the template category just doesn't have one. WTF?)

    And another is named "eMail", so apparently it doesn't just look like Windows 98, but it's using a 1998-era style guide.



  • @blakeyrat said in Talk to me about password managers:

    not only did they implement crappy tabs, but you can't even use multiple windows if you want to. You're forced to use their crappy tabs.

    If that's really true, it only applies to KeePass 2.x. With 1.x you can have as many instances running as you like, each exposing one password database in one window.

    There is a preference for forcing single instance, but it's off by default. Probably worth checking whether 2.x has a similar preference that's on by default.



  • After the discussion in this thread and some research of my own, I've decided to go with LastPass to cover accounts that don't support 2FA. From there I'll consider which of my 2FA-protected accounts I want to port. Thanks everyone for motivating me to finally research into this stuff longer than "there's contradictory information, I'll do it later".


  • 🚽 Regular

    I actually switched from KeePass to LastPass from all this. I like the centralized official browser addon solutions Lastpass has compared to KeePass (and KeePass browser addons on Linux I never got to work right...).


  • ♿ (Parody)

    @flabdablet said in Talk to me about password managers:

    If that's really true, it only applies to KeePass 2.x.

    I don't think I've ever tried to open multiple things in 2.x, so I never knew there was any sort of tab thing going on. I don't really have any issues with...err...v2.25, but I remember the fonts and the widgets on an earlier version being really retarded. I'm pretty sure that was some sort of Mono / GTK / whatever issue. It seemed reasonable when I used it on Windows back then.

