
Do they work on all platforms (Linux, Windows, Android, MacOS and iOS)? Do they automatically sync (so I don't end up being locked out of one account)? Can I be sure they won't be shut down and thereby leave me cut off from all my online services?

And what do I do when the password manager is, inevitably, broken into?

It seems to me that a password manager is a great theoretical idea, but they don't really work in practice.




Have you used LastPass? It really works in practice. Syncs instantly to Windows, OSX, Linux, and all major mobile platforms. They were broken into sometime last year, but IIRC they handled the situation superbly, and no passwords were leaked thanks to client-side encryption.

You do need to remember a couple of passwords, though. Your LastPass password and your primary e-mail password (in the unlikely event that LastPass becomes unusable and you need to reset passwords on all of your other accounts).


> Do they work on all platforms (Linux, Windows, Android, MacOS and iOS)?

1Password works on all of those except Linux. I believe LastPass works on all.

> Do they automatically sync?

1Password syncs to Dropbox.

> Can I be sure they won't be shut down and thereby leave me cut off from all my online services?

Yes, if it syncs to something like Dropbox that has a local copy.

> And what do I do when the password manager is, inevitably, broken into?

The same thing you have to currently do if you're using one password everywhere?


1Password actually has, hidden inside the '1password.agilekeychain' folder, a file called 1Password.html, which can be opened in any modern browser. So you can actually get at your passwords from a Linux machine by opening this .html file and supplying your master password.

I think they call this feature "1Password Anywhere". I'm surprised they don't talk about it more.


Yes, I love this. I store my 1Password file in Dropbox, so in a pinch, I can log into Dropbox on someone else's computer and grab any password I might need.


>> Can I be sure they won't be shut down and thereby leave me cut off from all my online services?

> Yes, if it syncs to something like Dropbox that has a local copy.

This isn't necessarily true. If Dropbox was legally coerced to do so, they have the technical means to erase any file in your Dropbox from each machine as it connects to the network. I believe they already do a best-effort version of this if someone stops sharing a folder with you. All it would take is a court order to remove a file and all its backups from Dropbox's server, which might happen without even targeting you specifically because Dropbox does deduplication and doesn't encrypt your data.

This may be very unlikely, especially with an encrypted password database unique to you, but it's not impossible. At least we can presume that a general takedown or Dropbox becoming unavailable for whatever reason won't cause this to happen.


My 1Password additionally makes periodic local backups of the file.


If you don't use a password manager, how in the world can you comment on how they work in practice? This is a completely uninformed opinion.


Use a local pwd manager like KeePassX or KeePass2, and back up the database to a secure service like Tarsnap or SpiderOak (or both for redundancy).

That way you avoid storing your passwords in a huge hacking target like LastPass, but still get 90% of the utility (no web form autofill, gotta copy and paste, but that's not too intrusive since most sites keep you logged in indefinitely now).


>Do they work on all platforms (Linux, Windows, Android, MacOS and iOS)? Do they automatically sync (so I don't end up being locked out of one account)? Can I be sure they won't be shut down and thereby leave me cut off from all my online services?

Yes, yes, yes (make a text backup, another supported feature, also every device would have a local copy, etc, etc)

>And what do I do when the password manager is, inevitably, broken into?

Why? Because you left it open and unencrypted? How about, just not doing that? Mine is locked every time I close the browser. If you're paranoid only unlock it when you need to enter a site. Not only that, but even if your master password is "stolen" somehow... it's a single password to change and your other passwords are secure. Again, if you're paranoid, you'd at least have a list of the sites that you have to worry about.

>It seems to me that a password manager is a great theoretical idea, but they don't really work in practice.

It seems to me that you really don't understand what is out there or what you're talking about. These things are true of not just LastPass but other solutions as well.


You are right, I don't understand what is out there because I haven't looked. Based on your response I have determined that it might be worth looking into, but I don't know which to choose.

But by broken into I mean hacked, as in 'due to $INSECURE_FEATURE $SOMEBODY copied the entire database and now has all your passwords'. If somebody breaks into my home and steals my computer, I can call the police (and activate the tracking beacon).


>But by broken into I mean hacked, as in 'due to $INSECURE_FEATURE $SOMEBODY copied the entire database and now has all your passwords'. If somebody breaks into my home and steals my computer, I can call the police (and activate the tracking beacon).

Like I said, it's all locally encrypted. I trust (at least LastPass's) model well enough that I'd be happy to let you have a copy of all the data LastPass has for me on their server.



