Passwords

Old Dec 17, 2011 | 12:54 pm
  #1  
Original Poster
All eyes on you!
15 Years on Site
 
Join Date: Dec 2009
Programs: BA GGL, GfL
Posts: 1,334
Passwords

Figuring I need to get a bit smarter about internet security. Currently I use about four or five passwords across all my accounts, ideally I'd like to have unique passwords per account to minimise some risk.

Ideally I'd like to have a single password store that securely auto populates my passwords, retains a cloud store of what I have but is very secure. Need something that works in IE, Firefox and iOS.

Any thoughts or experiences on a good option?
stueys is offline  
Old Dec 17, 2011 | 2:39 pm
  #2  
 
Join Date: Jan 2011
Programs: AC*E, Accor Platinum, Hilton Silver
Posts: 184
You can use patterned passwords. They are easy to remember and if the pattern is complex enough very secure. You can have one core part of the password, modified/extended by e.g. website's URL, color, subject, etc.
dawk is offline  
Old Dec 17, 2011 | 2:56 pm
  #3  
 
Join Date: Jun 2002
Posts: 960
Originally Posted by stueys
Figuring I need to get a bit smarter about internet security. Currently I use about four or five passwords across all my accounts, ideally I'd like to have unique passwords per account to minimise some risk.

Ideally I'd like to have a single password store that securely auto populates my passwords, retains a cloud store of what I have but is very secure. Need something that works in IE, Firefox and iOS.
look at 1Password. it encrypts anything you put into it with a master password to unlock it, and can autofill browsers if you want. if you put the database on dropbox (it's encrypted, so there's very little risk), it will sync with mac and windows as well as ios and android devices. make a change on one and it's pushed to the rest.

another option is lastpass but it won't sync across devices.
pdxer is offline  
Old Dec 17, 2011 | 5:07 pm
  #4  
FlyerTalk Evangelist
Conversation Starter
All eyes on you!
20 Years on Site
 
Join Date: Nov 2002
Location: ORD
Posts: 14,772
Originally Posted by pdxer

another option is lastpass but it won't sync across devices.
Incorrect. I use Lastpass exclusively. It syncs across all your devices.

It generates arbitrary-length random passwords (things like fjFJ38f;dnep0S_) and stores them encrypted on LastPass's servers. They never see your password; all encryption/decryption is done on your computer. There are browser plugins for Chrome, IE, and Firefox, and there are apps for iOS and Android. It syncs your passwords across all your devices, will auto-fill login forms, and makes it about as easy as possible to have a different random password for every site.

It even supports two-factor auth, one time passwords, and other fun things for the truly paranoid (like me).

Check it out!
gfunkdave is offline  
Old Dec 17, 2011 | 5:21 pm
  #5  
 
Join Date: Jun 2002
Posts: 960
Originally Posted by gfunkdave
Incorrect. I use Lastpass exclusively. It syncs across all your devices.

It generates arbitrary-length random passwords (things like fjFJ38f;dnep0S_) and stores them encrypted on LastPass's servers. They never see your password; all encryption/decryption is done on your computer. There are browser plugins for Chrome, IE, and Firefox, and there are apps for iOS and Android. It syncs your passwords across all your devices, will auto-fill login forms, and makes it about as easy as possible to have a different random password for every site.
is there a local copy or is it entirely on their servers?

what i like about 1password is that there's a local copy, so you don't need connectivity to access anything and if you don't have connectivity, updates to/from other devices are deferred until you do.
pdxer is offline  
Old Dec 17, 2011 | 5:45 pm
  #6  
FlyerTalk Evangelist
Conversation Starter
All eyes on you!
20 Years on Site
 
Join Date: Nov 2002
Location: ORD
Posts: 14,772
Originally Posted by pdxer
is there a local copy or is it entirely on their servers?

what i like about 1password is that there's a local copy, so you don't need connectivity to access anything and if you don't have connectivity, updates to/from other devices are deferred until you do.
There's a local cached copy that the browser will use if you happen to be offline.

On the mobile apps (or at least on the Android one, which is the only one I've used), there's an option to force a local logon and just use the cached info.

Other than that, it's seamless. Your description of 1password is how LastPass works, too.
gfunkdave is offline  
Old Dec 17, 2011 | 8:26 pm
  #7  
 
2M
All eyes on you!
25 Years on Site
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,708
I think you need lastpass premium ($1 a month) for the mobile devices, etc. right?

-David
LIH Prem is offline  
Old Dec 18, 2011 | 2:11 am
  #8  
Original Poster
All eyes on you!
15 Years on Site
 
Join Date: Dec 2009
Programs: BA GGL, GfL
Posts: 1,334
Thanks all. Had a look at both 1password and Lastpass, quite like the fact that Lastpass stores the passwords locally which feels a tad more secure than the 1password approach. Other than that both look spot on for what I need.

I'll give Lastpass a trial on the free version and see how I get on. You need the pro version at $1 a month to try mobile.

Thanks for the help, great suggestions for what I was looking for.
stueys is offline  
Old Dec 18, 2011 | 4:43 am
  #9  
 
2M
All eyes on you!
25 Years on Site
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,708
Originally Posted by stueys
Thanks all. Had a look at both 1password and Lastpass, quite like the fact that Lastpass stores the passwords locally which feels a tad more secure than the 1password approach.
1password also stores everything locally. I don't know what approach you are talking about. 1password can sync the local files over wifi, or you can choose to auto-sync them using dropbox, but the only thing that gets exposed to dropbox, if you choose to use it, are the encrypted files. But using dropbox is by far the easiest method because it's completely automatic and seamless and the fact that the only thing they expose to dropbox (if you chose to use it) are encrypted files means it's reasonably secure.

I don't think there's anything wrong with either one, but if you're going to choose one over the other, at least make sure it's for an accurate reason. lastpass pro supports a lot more mobile devices than 1password does, that would be a good reason to choose it IMO. The other reason is that you have to pay for the apps with 1password (once for the mac app, once for the pc app, once for the ios app) vs the $1 a month charge for lastpass pro. ("once" means for any number of those devices/OS).

-David

Last edited by LIH Prem; Dec 18, 2011 at 5:04 am
LIH Prem is offline  
Old Dec 18, 2011 | 8:02 am
  #10  
FlyerTalk Evangelist
Conversation Starter
All eyes on you!
20 Years on Site
 
Join Date: Nov 2002
Location: ORD
Posts: 14,772
Originally Posted by stueys
Thanks all. Had a look at both 1password and Lastpass, quite like the fact that Lastpass stores the passwords locally which feels a tad more secure than the 1password approach. Other than that both look spot on for what I need.
Lastpass stores encrypted passwords on their servers, but each device you have maintains a local cache. As a whole, I've been impressed with LastPass's dedication to security and openness when things go wrong. Several months ago, for example, a routine audit of their systems showed that someone may have been able to download encrypted hashes of people's passwords and the server salt. If it actually happened (they weren't sure), then at most 50-100 accounts would have been compromised if they were using weak passwords. So LastPass made all users change their master passwords, thereby making the purported theft, if that's what it was, useless.
gfunkdave is offline  
Old Dec 18, 2011 | 6:33 pm
  #11  
 
Join Date: Nov 2011
Posts: 35
Another vote for lastpass.
verysimple is offline  
Old Dec 18, 2011 | 8:08 pm
  #12  
 
Join Date: Feb 2010
Location: Houston
Programs: UA
Posts: 289
I recommend a "base" password plus some sort of modifier based on the site's domain. I take a hash of the domain, use a certain part of it and insert it into my root password.
txrandom is offline  
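
Added example, not part of any post in this thread: a sketch of the base-plus-domain-modifier idea from posts #2 and #12, next to a keyed derivation in which the root never appears inside the site password. The function names, the splice position, the slice length and the sample root are all assumptions made for illustration.

```python
import base64
import hashlib

ROOT = "Tr0ub4dor&3"  # constructed sample root password, not a real credential


def domain_piece(domain: str, take: int = 6) -> str:
    # Unkeyed hash of a public value: anyone can compute this for any site.
    return hashlib.sha256(domain.lower().encode()).hexdigest()[:take]


def inserted_password(root: str, domain: str, at: int = 4) -> str:
    # The scheme as described: a slice of the domain hash spliced into the root.
    # (Assumed details: SHA-256, first 6 hex characters, inserted at offset 4.)
    return root[:at] + domain_piece(domain) + root[at:]


def remainder_after_public_piece(site_password: str, domain: str) -> str:
    # What is left of a site password once the publicly computable slice is
    # taken out. For the inserted scheme this is the root itself, so a single
    # site that stores or leaks the password in plaintext exposes every account.
    return site_password.replace(domain_piece(domain), "", 1)


def derived_password(root: str, domain: str, counter: int = 1,
                     length: int = 16, iterations: int = 200_000) -> str:
    # Keyed alternative: the root is the PBKDF2 secret, the domain (plus a
    # rotation counter) is the salt. The output reveals nothing directly about
    # the root, and bumping the counter rotates one site without touching others.
    salt = f"{domain.lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", root.encode(), salt, iterations)
    return base64.b85encode(key).decode()[:length]


if __name__ == "__main__":
    for site in ("example.com", "example.org"):
        print(site, inserted_password(ROOT, site), derived_password(ROOT, site))
```

Both variants still hang every account on one root secret, and sites with length limits or composition rules may reject the derived output, which is where the stored random passwords of the managers discussed above have the advantage.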
Old Dec 18, 2011 | 11:09 pm
  #13  
15 Years on Site
 
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
This cartoon makes an interesting point. Longer passwords are inherently more secure than short, complex passwords. Unfortunately, some web sites limit password length and others have complexity requirements. So although "correcthorsebatterystaple" is now a password I will never forget, it is an impractical choice. And before anyone says it, yeah, you could perform a limited size dictionary attack against that particular password fairly efficiently.
boberonicus is offline  
Old Dec 19, 2011 | 4:08 am
  #14  
20 Years on Site
 
Join Date: Aug 2005
Posts: 3,438
I wrote my own Visual C++ app to maintain a password repository, along with some other usual functions. Honestly, I feel for non-IT folks when it comes to passwords. I currently have 82 separate accounts I have to keep track of. Products like the ones mentioned upthread are probably a must in this day and age.
VivoPerLei is offline  
Old Dec 19, 2011 | 5:31 am
  #15  
All eyes on you!
15 Years on Site
 
Join Date: Apr 2010
Posts: 327
I personally use KeePass, and keep my database saved in a dropbox folder. I use an Android phone and can access my passwords off-line, and I assume iOS has similar applications.
godlovesugly is offline  