
Strong passwords

Old Aug 6, 2012 | 1:51 pm
  #16  
 
Join Date: Jan 2001
Location: Akumal, Mexico
Programs: Bonvoy Lifetime Titanium (thanks to SPG), AA Life Gold, UA Life Gold
Posts: 840
I've been thinking it is time to upgrade to one of these password managers, but I'm not sure I want the workarounds that I've read about when using mobile devices. I use Chrome on my iPad and my wife uses Chrome on her Nexus 7. Ideally, one of these password managers could support Chrome whether on iOS, Android, or Windows, and that would be the perfect solution for us.

None of them are there yet from what I see. If I'm wrong please share your opinions!
SNA1K is offline  
Old Aug 6, 2012 | 3:14 pm
  #17  
Moderator: Information Desk, Women Travelers, FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: Chicago, IL, USA
Programs: AA Gold
Posts: 16,214
I use Roboform installed on my computer (PC running Chrome, Firefox & IE) and have mobile Roboform apps running on an iPad, Android 4.0 phone and Android 4.1 tablet. The passwords sync between the four devices regularly, so I've never encountered any issues with cross-platform use.
chgoeditor is offline  
Old Aug 6, 2012 | 3:17 pm
  #18  
 
Join Date: Dec 2007
Posts: 3,760
Most of these compromises are phishing attacks where they send an email that looks like it's from facebook or yahoo or google or whatever that links to a login screen that looks real but is actually on a fake site that grabs your password.

You might think only newbies would be fooled by such phishing attacks but frankly they're getting better and better at it. I've seen phishing attacks I could easily have fallen for even for sites I'm *extremely* familiar with.

The most important thing is to NOT use the same password for multiple sites. Once they have your password for one site they try it on every other site and immediately gain access to those sites.

Do use 2-factor authentication if it's available. Especially for email which is often a back door to your other accounts through "forgot my password" things.
zkzkz is offline  
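The display-text-versus-destination mismatch zkzkz describes is something a mail client or filter can check mechanically. The following Python is an added example, not code from the thread or from any product named in it: it pulls every link out of an HTML message body and flags three patterns, a host that is not pure ASCII (homoglyph lookalikes), a known brand used as a subdomain of an unrelated domain, and visible link text naming one site while the href goes to another. The sample message and the brand list are constructed, and the registrable-domain logic is a two-label approximation rather than a public-suffix lookup.

```python
"""Flag e-mail links whose visible text points one place and whose href
points another, plus homoglyph hosts. Added example; sample input is constructed."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Sites the reader actually logs in to (assumption; extend for your own accounts).
BRANDS = {"facebook.com", "google.com", "yahoo.com"}

# Something that looks like a hostname or URL inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Production code should consult the public-suffix list (co.uk, etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link looks like a phish; an empty list means none found."""
    reasons: List[str] = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["href has no host"]
    target = registrable(host)

    # 1. Non-ASCII host: a Cyrillic 'а' in 'fаcebook.com' renders identically.
    if not host.isascii():
        reasons.append(f"non-ASCII host {host!r} (possible homoglyph)")

    # 2. A brand used as a *subdomain* of some unrelated registrable domain,
    #    e.g. facebook.com.account-verify.example.
    dotted = "." + host.lower() + "."
    for brand in sorted(BRANDS):
        if dotted.endswith("." + brand + "."):
            continue  # genuinely under the brand's own domain
        if "." + brand + "." in dotted:
            reasons.append(f"{brand} appears as a subdomain of {target}")

    # 3. Visible text names a different site than the href actually reaches.
    m = HOST_RE.search(text)
    if m and registrable(m.group(1)) != target:
        reasons.append(f"text shows {registrable(m.group(1))} but href goes to {target}")
    return reasons


def scan_email(html: str) -> List[Tuple[str, str, List[str]]]:
    """Run check_link over every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample: one honest link, one brand-as-subdomain, one homoglyph host.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://www.facebook.com/login">log in</a>
to confirm your account.</p>
<p>Or use <a href="http://facebook.com.account-verify.example/login">
https://www.facebook.com/login</a></p>
<p><a href="http://fаcebook.com/">facebook.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print("SUSPECT" if reasons else "ok     ", href, reasons)
```

Checking the href rather than the rendered text is the whole point: the eye reads the anchor text, the browser follows the attribute, and phishing kits rely on the two disagreeing.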
Old Aug 6, 2012 | 3:19 pm
  #19  
Moderator: Information Desk, Women Travelers, FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: Chicago, IL, USA
Programs: AA Gold
Posts: 16,214
Originally Posted by zkzkz
Most of these compromises are phishing attacks where they send an email that looks like it's from facebook or yahoo or google or whatever that links to a login screen that looks real but is actually on a fake site that grabs your password.

You might think only newbies would be fooled by such phishing attacks but frankly they're getting better and better at it. I've seen phishing attacks I could easily have fallen for even for sites I'm *extremely* familiar with.

The most important thing is to NOT use the same password for multiple sites. Once they have your password for one site they try it on every other site and immediately gain access to those sites.

Do use 2-factor authentication if it's available. Especially for email which is often a back door to your other accounts through "forgot my password" things.
Agreed. I've turned to two-step authentication for Gmail, Yahoo, Facebook and a few other sites. I wish more financial services sites would implement it, but of the many I use, only Chase seems to.
chgoeditor is offline  
Old Aug 7, 2012 | 9:24 am
  #20  
 
Join Date: Jul 2006
Location: DFW, SEA and AA in between
Programs: AA-3MM-ExPLT
Posts: 1,146
Originally Posted by zkzkz
Most of these compromises are phishing attacks where they send an email that looks like it's from facebook or yahoo or google or whatever that links to a login screen that looks real but is actually on a fake site that grabs your password.
This particular attack used the last 4 digits of his credit card # - apparently recovered from Amazon - to social engineer Apple into resetting his iCloud account. Now the last 4 digits are the ones usually printed on receipts so that's no great security. Wired magazine has tried this since the story broke and the attack is still feasible.

http://www.wired.com/gadgetlab/2012/...honan-hacking/

BTW, I disagree with blaming Amazon - you could have done the same attack with the credit card receipt we all say 'no thank you' to at the store and let the clerk throw out...
BStrauss3 is offline  
Old Aug 13, 2012 | 9:56 pm
  #21  
 
Join Date: Apr 2012
Posts: 50
Mobile device password safes often not that great

I suppose it's worth pointing out that lots of password vault apps available for mobile devices actually do really dumb things that don't secure your passwords very well. Paid or free, quite a few of them make some really elementary crypto mistakes.

A few researchers from Elcomsoft sum it up well in this white paper:

http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

There's lots of crypto-geek stuff in there, but if you're even moderately interested in the particulars, it's well worth your time.

Long story short, mobile password safes often have serious problems if an even moderately skilled and motivated attacker steals or confiscates your phone.

To echo what a few others have said, I highly recommend not using the same password value for more than one account or using your Facebook/Google/whatever account to authenticate to other services.

Thanks for letting me blather.

-p
packetshard is offline  
Old Aug 14, 2012 | 10:49 am
  #22  
 
Join Date: Sep 2007
Location: SNA, LAX
Posts: 425
Originally Posted by SNA1K
I've been thinking it is time to upgrade to one of these password managers, but I'm not sure I want the workarounds that I've read about when using mobile devices. I use Chrome on my iPad and my wife uses Chrome on her Nexus 7. Ideally, one of these password managers could support Chrome whether on IOS, Android, or Windows and that would be the perfect solution for us.
LastPass works fine with Chrome for Windows.
whitearrow is offline  
Old Aug 14, 2012 | 1:59 pm
  #23  
 
Join Date: Jun 2010
Posts: 100
Originally Posted by whitearrow
LastPass works fine with Chrome for Windows.
How secure are these PW managers?
77five is offline  
Old Aug 14, 2012 | 3:34 pm
  #24  
 
Join Date: Jan 2010
Programs: AA Exec Plat | Bonvoy Lifetime Plat
Posts: 131
I read where Google has a printout of access codes for situations where you don't have access to your mobile phone (traveling overseas). Do Yahoo and Facebook have a similar workaround?
BigMoneyGrip is offline  
Old Aug 14, 2012 | 5:12 pm
  #25  
nrr
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: jfk area
Programs: AA platinum; 2MM AA, Delta Diamond, Hilton Diamond
Posts: 10,291
Most banks, cc, and similar financial services, will lock you out after three wrong password attempts--so a brute force attack, by trying lots of passwords won't work in this situation--why every site that requires a password doesn't have the same "three strikes and you're out" I don't know.
A while back, someone from Venezuela was able to "hack" my gmail acct and reset my password and locked me out--fortunately gmail has ways of letting the real user of a gmail acct back in. Since switching to 2-step verification, I haven't had a problem with gmail. [I don't know how they got into my acct in the first place.]
[PS: One nice feature gmail has, is that you can see the ip addresses of the last several logons to one's acct, so if your acct was breached you could see the source.]
nrr is offline  
Old Aug 14, 2012 | 5:33 pm
  #26  
Original Poster
 
Join Date: Dec 2006
Location: Jersey
Programs: UA 1K, Marriott Lifetime PLT
Posts: 1,158
Originally Posted by 77five
How secure are these PW managers?
I know LastPass locally encrypts your passwords, so it is pretty secure. I have heard that some of the mobile PW managers can be very insecure, however.
njxbean is offline  
Old Aug 15, 2012 | 4:36 am
  #27  
nrr
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: jfk area
Programs: AA platinum; 2MM AA, Delta Diamond, Hilton Diamond
Posts: 10,291
Originally Posted by BigMoneyGrip
I read where Google has a printout of access codes for situations where you don't have access to your mobile phone (traveling overseas). Do Yahoo and Facebook have a similar workaround?
When you set up 2-step, you get a list of 10 codes, to be used if you don't have access to your cell phone or other method you chose.
nrr is offline  
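To make concrete what those codes are and how they sit beside the phone-based factor (the 2-step verification zkzkz and chgoeditor recommend), here is an added example in Python. It is not Google's, Yahoo's or Facebook's code, whose actual designs the thread does not describe: a server-side verifier for RFC 6238 TOTP codes (the six digits an authenticator app shows), plus a set of ten single-use backup codes stored only as hashes. The ten-code count follows nrr's description; the code format, replay tracking and storage layout are assumptions.

```python
"""TOTP (RFC 6238) plus single-use backup codes. Added example; the
key handling and storage layout are assumptions, not any provider's design."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second slot."""
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits)


class SecondFactor:
    """Server-side second-factor state for one user: the shared TOTP secret and
    a list of hashed, single-use backup codes for when the phone is unavailable."""

    def __init__(self, key: bytes, n_backup: int = 10) -> None:
        self.key = key
        self.last_counter = -1  # highest slot already accepted (anti-replay)
        self.backup_hashes: Set[str] = set()
        self.backup_plain: List[str] = self._issue_backup(n_backup)

    def _issue_backup(self, n: int) -> List[str]:
        """Generate n random codes; keep only their hashes, show the user the
        plaintext once. 64 bits of randomness per code is why an unstretched
        SHA-256 is adequate here (unlike for a human-chosen password)."""
        codes = []
        for _ in range(n):
            code = secrets.token_hex(4) + "-" + secrets.token_hex(4)  # e.g. 3f9ac07e-1b2d4e6f
            codes.append(code)
            self.backup_hashes.add(hashlib.sha256(code.encode()).hexdigest())
        return codes

    def verify_totp(self, code: str, at: Optional[int] = None,
                    step: int = 30, window: int = 1) -> bool:
        """Accept the code for the current slot or one slot either side (clock
        skew), but never for a slot that has already been used."""
        t = int(time.time()) if at is None else at
        current = t // step
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """Each backup code works exactly once; the hash is deleted on use."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.remove(digest)
            return True
        return False


if __name__ == "__main__":
    user = SecondFactor(secrets.token_bytes(20))
    print("current code:", totp(user.key))
    print("backup codes (print these and keep them away from the phone):")
    print("\n".join(user.backup_plain))
```

The replay check matters when travelling: a code read over someone's shoulder in an airport lounge is worthless once it has been accepted, and the backup list is worthless once each code has been spent, which is why the server keeps hashes and deletes them on use.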
Old Aug 15, 2012 | 7:53 am
  #28  
 
Join Date: Apr 2012
Posts: 50
Originally Posted by njxbean
I know LastPass locally encrypts your passwords, so it is pretty secure. I have heard that some of the mobile PW managers can be very insecure, however.
There's more to it than just whether it encrypts or not, but how it manages the ability to decrypt. Lots of pw managers encrypt and use a strong algorithm to encrypt, but leave the key to decrypt under the proverbial doormat. Others make brute-force attacks comparatively easy (another poster talked about account lockout after so many invalid attempts, and this person is absolutely correct, but if I'm the bad guy and I can steal your password database from your smartphone app, I can basically ignore that requirement. See the LinkedIn password breach for another instance of how this can work).

Long story short, it's complicated and just because "it encrypts the passwords" doesn't mean it hasn't done something stupid and vexing.

That said, Lastpass does a lot of things reasonably well. It had a fun incident last year (http://www.theregister.co.uk/2011/05...assword_reset/), and it certainly makes you wonder about the idea of a *service* where some other company has so much control over your key credentials, but they should be pretty motivated to do things well.

I can't stress enough that you shouldn't use the same password for more than one thing, and really think long and hard about using your Facebook/Google/whatever account to authenticate to some other service.
packetshard is offline  
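packetshard's two points, that a lockout counter does nothing once the database has been copied off the phone, and that a strong cipher is undone by a weak key derivation, can be shown end to end. The following Python is an added example and not the design of LastPass, Roboform or any product examined in the Elcomsoft paper: a toy vault that stores a salt and a verifier derived from the master password under either a weak or a strong KDF, an online login with the three-strikes lockout nrr describes, and an offline dictionary attack that runs against a copy of the vault and never sees the lockout counter. The wordlist, master password and iteration count are constructed.

```python
"""Online lockout vs. offline cracking of a stolen password-safe file under a
weak and a strong key derivation. Added example; the vault format and the
wordlist are constructed, not any real product's."""
import hashlib
import hmac
import os
import time
from typing import Any, Callable, Dict, List

KDF = Callable[[str, bytes], bytes]


def weak_kdf(master: str, salt: bytes) -> bytes:
    """One unsalted SHA-1 of the master password: the 'key under the doormat'.
    Commodity GPUs compute billions of these per second, so a stolen file falls
    to a dictionary in seconds no matter how good the cipher around it is."""
    return hashlib.sha1(master.encode()).digest()


def strong_kdf(master: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: every guess costs the attacker
    `iterations` HMACs and the salt defeats precomputed tables. (The count is
    kept low so the example runs in about a second; use far more in practice.)"""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)


class Vault:
    """What ends up on disk: a salt and a verifier derived from the key. A real
    safe would also hold the encrypted entries; the KDF is the part that matters."""

    def __init__(self, master: str, kdf: KDF) -> None:
        self.kdf = kdf
        self.salt = os.urandom(16)
        self.verifier = hashlib.sha256(kdf(master, self.salt)).digest()

    def unlock(self, guess: str) -> bool:
        candidate = hashlib.sha256(self.kdf(guess, self.salt)).digest()
        return hmac.compare_digest(candidate, self.verifier)


class OnlineLogin:
    """The bank-style 'three strikes' counter. It lives on the server, so it
    only constrains someone who has to talk to the server."""

    def __init__(self, vault: Vault, max_attempts: int = 3) -> None:
        self.vault, self.max_attempts = vault, max_attempts
        self.failures, self.locked = 0, False

    def attempt(self, guess: str) -> str:
        if self.locked:
            return "locked"
        if self.vault.unlock(guess):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "wrong"


def offline_crack(vault: Vault, wordlist: List[str]) -> Dict[str, Any]:
    """Attacker holding a copy of the vault file: nothing here can lock them
    out; the only thing slowing them down is the cost of each KDF call."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if vault.unlock(guess):
            return {"found": guess, "guesses": n, "seconds": time.perf_counter() - start}
    return {"found": None, "guesses": len(wordlist), "seconds": time.perf_counter() - start}


# Constructed wordlist; real attacks use tens of millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "flyertalk", "summer2012", "correcthorse"]

if __name__ == "__main__":
    for name, kdf in (("weak  ", weak_kdf), ("strong", strong_kdf)):
        vault = Vault("summer2012", kdf)
        login = OnlineLogin(vault)
        print(name, "online :", [login.attempt(g) for g in WORDLIST[:4]])
        result = offline_crack(vault, WORDLIST)
        print(name, "offline: found %r after %d guesses in %.3fs"
              % (result["found"], result["guesses"], result["seconds"]))
```

Both vaults fall to the same wordlist because the master password is in it; the strong KDF only raises the price of each guess. That is the LinkedIn lesson packetshard alludes to: once the hashes are offline, the defender's remaining levers are the cost per guess (the KDF) and the size of the search space (a master password not found in any list).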
Old Aug 15, 2012 | 11:28 am
  #29  
 
Join Date: Jun 2010
Posts: 100
OK, thank you

Originally Posted by njxbean
I know LastPass locally encrypts your passwords, so it is pretty secure. I have heard that some of the mobile PW managers can be very insecure, however.
OK, thank you, but I am still usually very nervous about using these, especially since there is no big corporation behind this. What's the guarantee that they have good internal controls or that their employees would not misuse the information? Just my two cents.
77five is offline  
Old Aug 15, 2012 | 4:28 pm
  #30  
FlyerTalk Evangelist
 
Join Date: Nov 2002
Location: ORD
Posts: 14,773
Originally Posted by 77five
OK, thank you, but I am still usually very nervous about using these, especially since there is no big corporation behind this. What's the guarantee that they have good internal controls or that their employees would not misuse the information? Just my two cents.
Do you really think you would have such a guarantee with Apple or IBM behind it?
gfunkdave is offline  

This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.