Password managers - are they truly secure ?

Sounds like a recipe for disaster letting some software control and dictate passowrds, but it apppears pleanty use them...

So, good or bad ?

It is getting harder and harder to remember all the PWs these days....

Yes password managers are a very good idea
No they are not perfect, they do not solve every password related security issue, and they do introduce thier own risks, but they eliminate more.

The only thing i can think of that would be a worse idea than 'letting software control and dictate passwords' would be letting people do it

The real danger is having your email account compromised thereby allowing any malicious actor to reset every account associated with that. 2FA on one's email is so vital I would say anyone that does not do this is careless in the extreme.

Storing passwords in browsers is the other fad. However, anyone with access to the computer can just copy the user profile and then has all your logins.

Encrypt your drives.

I swear, LastPass is one of the greatest tools out there.

LastPass has incredible browser plugins and phone apps. If your phone has a fingerprint sensor, LastPass is brilliant. I don't know about iOS, but on Android it will detect the login form in other apps and fill it in for you after you authenticate with your fingerprint. It works flawlessly 90% of the time, and the other 10% you can just open the LastPass app and copy/paste the password manually without ever typing it.

Meaning you never even see your own passwords, and so you can make them as insanely complicated as you like without worrying about remembering them.

Other features I like are the security audit, which will warn you to change passwords you use on multiple sites, and the automatic password changer which can do a password change on the common sites (amazon, ebay, farcebook etc) with one click.

You can also nominate another person to hand over all your passwords to if you croak.

If you need to share passwords with families, there's a paid version which supports that. There's also a paid team version for business use, but I've never tried it.

KeePass (free) works ok for teams. It's not a web/cloud tool, it just stores all your passwords in an encrypted file, which you can share with others. If one person in the team changes a password, anyone else using the file will be notified that it's changed and can reopen the file. Not sophisticated, but it works. It's free, that's the main thing.

It's functionality v security that's the key difference.

With premium you get 2FA and with free apparently you get some adverts which might concern me as ads are typically never, ever, a good thing in security terms.

I use 1Password.

Free is all I've ever used. Seriously, try it. I've never seen an advert. (EDIT: I found the adverts. They're only on the webapp, and adblock takes care of them).

2FA would be a bonus, but if you don't have it you can still:

Always lock your workstation (this is good habit)
- Use a hot corner on OSX to lock the screen
- Ctrl-Alt-Del then Enter every time you leave a windows PC

Use your phone's lock features. Decide for yourself based on the handset model which is the most secure for you.

Set a really long master passphrase on LastPass, and require it to be re-entered once an hour.

Require LastPass to always re-prompt for particular sites/payment details.

I would change if I was you. Excel files are not particularly difficult to crack but apart from anything else a proper password manager is full of useful functionality which makes it a much better and more useful choice. They can fill in passwords for you, generate random ones and so much more besides. And they're more secure.

Also I'm assuming someone theoretically could see your passwords on the screen with an excel file (unless you hide them). Password managers don't do this unless you tell it to.

If you're au fait with docker and running your own server or have a synology nas, take a look at bitwarden on github.

Same here.

The file that stores all your passwords is encrypted with military-grade encryption. If you are extra-paranoid you can keep it on a secure USB stick so that it never goes on the cloud, although I choose to put it on my DropBox so I can access it from multiple devices.

As you say, it is not as convenient to use or as integrated, but I consider it to be more secure.