Suggestions for a free, or one-time purchase lifetime license password manager.

Digerati

To be sure, I love my current password manager. It is SplashID. Why? I think I paid $10 for a lifetime license way WAY back in 2001 and used it to maintain all my PWs and synchronize them, via USB cable to my Palm Pilot. Today, since Palm Pilots are long gone, I use it on this PC and my laptop.

Its advantages were, and still are plentiful.

The Windows app is stand-alone. It does not require an internet connection. The 256-bit PW database is stored locally on my system. It stores nothing in "the cloud". It does not require an internet connection (worth repeating). It stores nothing in "the cloud" (worth repeating even more). I've been using this version (V4.16) for over 20 years. I originally got it because it would "HotSync" with my PalmPilot PDA. I only use the Windows version now. If I lived on my smart phone, I might like that it syncs with that but that is not a high priority for me for I use my cell phone for silly things like phone calls and texts - and emergencies.

If the syncing with cell phone option is available, once again, it must not "require" internet connection. Transfer over wifi or direct USB connection is just fine with me.

I currently have over 700 passwords, credit card numbers, account numbers, kids' and grandkids' SSN numbers and more, all secured by 256-bit encryption, in my Splash ID manager.

The problem? Time. I'm now 73, have wetMD in one eye and use trifocals in the other - though legally, I can drive without glasses! Go figure! Just stay out of my way! And use your turn signals. And stop at stop signs and red lights or you are going to have an angry 73-year-old, grumpy retired Air Force Master Sergeant, with a big full sized 4x4 truck mad at you. You don't want that.

Why is my age a problem? Because the font used by this PW manager is too small and fixed :(. There is no way to zoom in or enlarge the font. :( To be able to do that, I must upgrade to a new version of Splash ID that is based on a recurring renewal fee - which, as I hope you understand by now, is totally unacceptable.

Sadly, like so many other companies, when they mean lifetime license, they don't really mean forever. In this case, when they moved to V5.x, all V4.x "lifetime" licenses essentially became null and void. :mad:

There should be a law about that. I wrote my representatives on that. I hope you have too. Lifetime should mean MY lifetime - not the life of a specific version number. :( :mad::mad::mad:

For now, I can see well enough to read and copy and paste my PWs into the PW fields of sites, but it is getting more difficult.

So, I am researching new PW managers and here are my inflexible, must have, don't even suggest if not there, requirements. It absolutely MUST:

Be Stand-alone. That is, it must NOT depend on an internet connection or store anything in "the cloud" or the company's servers. Nothing. Period. If I am off-line, I still expect access to my passwords.

If it costs money, they MUST offer a one-time, truly lifetime license option. I refuse to take on another subscription, even if once a year or once every 10 years. Anything that requires a renewal fee is a "bill". And I've worked too hard and too long all my life to pay down or to take on another bill. So one-time fee, or free, or fuhgeddaboudit. If you suggest one that is based on recurring fees, you go on my sh!t list. Note free "trial" periods that revert to limited features once expired do nothing but P!$$ ME OFF! Please don't P!$$ ME OFF!

Unlimited passwords. I have seen several "free" versions but they only let you save a limited number of PWs, like 100 or even 10? If not unlimited, fuhgeddaboudit! I am working on culling out those I have that are no longer applicable. But that is a long arduous process and I've found, just because I don't visit that site anymore, it still does not mean I don't have an account there. Me culling out the PW does not make it go away.

I must be able to use this one license on at least 3 devices. This, and future "personal" (NOT for commercial use) PCs, my laptop, and 1 more computer that I own and use in my home only for non-commercial uses. And I must be able to synchronize the PW database between those 3 computers, easily. I am fine with copying the database to a flash drive and transfer by sneakernet to the other computers, or attaching via email, or just by shared folders over my own LAN.

If any here have any experience with any PW manager/safe that is either totally free with no PW limit restrictions, or requires a single, one time, lifetime license fee, please let me know. I am not desperate - yet. But if my eyes degrade further, I might be.

Oh, and please don't suggest using some browser's manager. Not going to happen.

Thanks.
 
Everybody laughs at me when I say I use AOL. LastPass Premium is one of the perks of about $12.00 per month membership. It meets your criteria except I can't find out if it uses the cloud for storage. Other "bennies" include free AARP membership, $750 computer parts covering breakdowns, Life Lock for 2 people and too many to mention here. Besides the freebies, many other discounts and actual live persons to help.
 
Keepass
 
In addition to @xrobwx71 I'm using KeePassXC which is also open source with a comprehensive guide to compile your own build without any networking code! But the GUI could be an issue due to visibility and the lack of options to set fonts or resize the GUI. However, it is something to take a look at I guess.
 
LastPass Premium is one of the perks of about $12.00 per month membership. It meets your criteria

Ummm, not even.

If it costs money, they MUST offer a one-time, truly lifetime license option. I refuse to take on another subscription
I maybe could consider paying a $144 ONE TIME fee for a LIFETIME license. But at $144/year? Year after year? Sorry but no way.

That said, I used to recommend LastPass, but no longer. Due to its popularity, it has been the target of state-sponsored Chinese hackers multiple times. While supposedly, they have not gained access to users' passwords, they have been successful hacking the site. Not worth the risk to me.

And yes, it uses cloud storage. One of its "marketed" advantages is you can access and sync your PWs from anywhere. And the only way that is possible is through cloud storage.

I forgot about KeePass. I remember checking it out years ago but found it too clumsy. Splash ID is really simple (but then I am very used to it too). I will have to check out KeePass again. I never heard of KeePassXC. Will have to check that out too. A quick check of reviews says KeePassXC has fewer features but a nicer and easier UI to navigate.

But the GUI could be an issue due to visibility and the lack of options to set fonts or resize the GUI
If the font size is fine with the default setting, I don't need to change it.

My problem with Splash ID is the font looks like this.

A single line I can read fine, but when among a list of 100s of other lines, then I have problems.

Thanks all.

Still open to more suggestions.
 
KeePassXC would be my recommendation as well, I used to use it and it meets all your criteria
  • Free and open source, so no cost to buy or recurring subscriptions
  • The file format is the same as "official" KeePass, so even if KeePassXC is abandoned you'll still be able to find other apps that can read the file format
  • No cloud requirement, and the database is a single file that's easy to copy and sync manually between devices
  • If it's useful, there are mobile apps that can read the KeePass file format too
  • The UI respects Windows font size and display scaling (and there are ways to increase the size too by setting an environment variable in Windows to force the app to scale larger)
I ended up moving to Bitwarden recently as I wanted some of the cloud features they offered, but used KeePass and KeePassXC for years and had no issues.
 
Thanks.

I am sure Bitwarden is an excellent manager. I checked it out before and didn't like it. Just tried again and still don't like it for a couple reasons.

First, it requires you log in with a valid email address. Why? They don't need my email address.

I tried a fake address but it checked to see if a valid domain and rejected it. Again, why do they need my email address?

They don't - except to spam me with ads and promotions I don't want, and/or sell my address to more spammers.

Second, the install routine does not give the option to install the program in a location other than the default. I like to install all my programs on my D drive. Bitwarden does not provide that option. It is going on C whether I want it there or not. So that one's out.

And Nordpass - try to just simply download the manager install. You can't do it. They also want an email address and will accept a fake one, but then insist you install a browser extension. I stopped and moved on.

Password Managers should NOT "need" me to create an account with them before being able to install or use the program.

If the install routine is not simple and intuitive, I don't want it. That's in part because I just don't want the hassles but also because folks with little to no computer experience come to me asking for suggestions. Using a PW manager is so important, I don't want them getting frustrated before getting started, then reverting back to writing their passwords on index cards in a card box they keep next to their computer!

Proton Pass requires an account. They are out.

LogMeOnce requires an account. They are out.

None of these should require users have accounts.

I get they are "free" and the developers need to eat, and feed and shelter their families. That's why I am willing to pay, but only once for a lifetime license.

Note Password Safe, which has been around over 20 years is an excellent option too. I have used it in the past - might just go back to it.
 
All the 'expert' reviews based on a (clickbait) 'The best free password managers (name the year)' are useless to look at! And many of them will redirect you or lead to an affiliate marketing network in another way.

Basically each user should bear in mind the following:

1. Use a complicated master password for your vault / DB (minimum 20 chars), a combination of chars to avoid dictionary attacks.
2. Use unique passwords for each site even when you use the same name / nick!
3. Never reuse passwords you have used before with the same e-mail address: Have I Been Pwned: Check if your email address has been exposed in a data breach
4. Make use of different e-mail providers to keep things separate for personal and other sites around the internet!
 
All great advice but I can tell you right now, most will never use anything close to 20 characters for their master password. If they have to type that every time they need to access a site, it will turn them off after about the 2nd time. :(

That said, for the typical home user, I'm not sure it is that necessary to have such a super strong PW - if they follow the rest of your advice AND keep their OS and security current AND avoid being click-happy on unsolicited links.

For sure, don't use 1234 or Fido or 3208 (my street address) or anything simple to guess associated with you. But I believe something like T%z9 would be enough to thwart most bad guys who would have physical access to your computer without your knowledge.

Is 15 - 20 characters better? Absolutely! But it has to be practical too, or users will start writing them down again.

Now if your computer is left in a public place where many have physical access, or if you have multiple users of your computer that you may not trust completely, then a much stronger master PW would be advisable, for sure.
 
I would not be surprised. I mentioned my street address because I have seen that. I've also seen (and guessed - to the client's amazement) pet's names, kids names, spouse's birthdate, anniversary and other easy to guess words.

Perhaps surprising to some is simple long phrases are typically harder to crack than short PWs with upper and lower case, numerals and special characters. That is,

"Mary had A l1ttle lamB" is harder to crack than "Ki4(2D&ac".
 
All great advice but I can tell you right now, most will never use anything close to 20 characters for their master password.

Indeed and the LastPass data breach some years ago demonstrates that, where it was possible to use "Brute Force" attacks to guess the master password. A Security Researcher from the UK did some tests as PoC - CHANGE ALL YOUR LASTPASS PASSWORDS! | Pedro Ribeiro

Is 15 - 20 characters better? Absolutely! But it has to be practical too, or users will start writing them down again.

As you have shown with the example: "Mary had A l1ttle lamB" (22 chars including spaces) it shouldn't be too difficult to remember as master passphrase. However the PW generator of KeePassXC says it's weak, another example like this: "My F1r$t B1K3 w@s GR33N and St0len!" seems to be much stronger. But I agree that many users choose simplicity instead of security!

A fun anecdote though is the example of one of my neighbours many many years ago, they had some issues with their WiFi, so I asked for their SSID and PW and they were the same, "StreetnameHousenumber" #doublefacepalm! 🤐
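The length-versus-complexity comparison from the posts above, worked through as an added example (not written by any poster): it computes the brute-force keyspace of the passwords quoted in the thread, assuming an attacker must cover every character class the password uses. The class sizes, the letters-only variant and the guess rate are assumptions, and the result is an upper bound: dictionary-aware strength meters rate phrases built from common words much lower.

```python
import math
import string

# Character classes a brute-force search has to cover (printable ASCII, 95 total).
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation) | {" "},   # 32 punctuation marks + space
}
PRINTABLE = set().union(*CLASSES.values())


def pool_size(password):
    """Size of the alphabet formed by every class the password draws from."""
    used = set(password)
    if not used or used - PRINTABLE:
        raise ValueError("expects a non-empty printable-ASCII password")
    return sum(len(chars) for chars in CLASSES.values() if chars & used)


def bruteforce_bits(password):
    """log2 of the keyspace: length * log2(pool). Upper bound on strength."""
    return len(password) * math.log2(pool_size(password))


def years_to_exhaust(password, guesses_per_second=1e10):
    """Time to try the whole keyspace at an assumed (hypothetical) guess rate."""
    keyspace = pool_size(password) ** len(password)
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


# Passwords quoted in the thread.
THREAD_EXAMPLES = ["T%z9", "Ki4(2D&ac", "Mary had A l1ttle lamB"]
# Constructed variant: the same phrase with letters only, no digit or spaces.
LETTERS_ONLY = "MaryhadAlittlelamB"


def report(passwords):
    """(password, length, pool size, brute-force bits) for each entry."""
    return [(pw, len(pw), pool_size(pw), round(bruteforce_bits(pw), 1))
            for pw in passwords]


if __name__ == "__main__":
    for pw, length, pool, bits in report(THREAD_EXAMPLES + [LETTERS_ONLY]):
        print(f"{pw!r:28} len={length:2} pool={pool:2} bits={bits:6}")
```

Each extra character adds about 6.6 bits with the full 95-character pool, while adding a whole character class to a letters-only password adds well under 1 bit per character, which is why length dominates in this model.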
 
another example like this: "My F1r$t B1K3 w@s GR33N and St0len!" seems to be much stronger.
Oh sure. 35 characters vs 22 would clearly be stronger.

But again, most, if not all users would quickly tire of typing that in every time they needed access to their PW manager.

Hmmm, twice now Sticky Password has nagged me to upgrade to the Premium version. :( I currently am using a 30 day trial of it. I can find no comparison between the Premium version and... well don't even see a non-premium version. I guess it just stops working when 30 days is up.

And they are offering a "limited time" 70% off lifetime license for $60 - down from $200. I wonder how limited that time is?

:confused: Hmmm. Odd. I am looking at two screens at the same time. This one says 70% off for $59.99 but this one says 60% off for $79.99.

As far as hiding (not broadcasting) SSIDs, I personally don't care, one way or the other. When I search for wifi networks in my neighborhood, I see only 6 and knowing my neighbors, and their setups, I can easily figure out who they are.

Sadly, 3 of my neighbors simply used the default SSID set by the device maker. Fortunately for my neighbors, one has a Netgear, another a TP-Link, and the 3rd has Linksys.

The point is, the SSID protocol never intended for the SSID to be hidden. In fact, the original 802.11 wireless spec actually required access points to broadcast their network name, or SSID. Therefore, it is not and never was considered a "security" feature.

If you hide it, any amateur snoop can easily find it with a simple sniffer program like inSSIDer running on their laptop. Also, some devices, like my LG "smart" TV for example, need to see the SSID or they will not even list it as an available network. So I cannot connect it until I broadcast the SSID. I have a tablet that lets you manually enter the SSID if it does not show up on the list. I just keep mine enabled.

their SSID and PW and they were the same
:eek: In no way would I ever accept (or understand!) having the SSID and the passphrase the same. That's crazy! I think I might see if I can access the neighbors on either side of me by seeing if their passphrase is the same as the SSID.
 
Oh sure. 35 characters vs 22 would clearly be stronger.
But only when you use a combination of different letters (upper and lower case) random numbers and special chars etc! A password phrase with 50 characters can be more sensitive than one containing 20 characters which is more hardened with special chars... In my opinion, many users are not very familiar with creating unique passwords to be safe!

Hmmm, twice now Sticky Password has nagged me to upgrade to the Premium version.
Free as Freemium, that seems to be the main purpose of developing software these days. 1) We have a free version, but.... 2) we will annoy users with deals (popups / nag screens) or even worse spam with BF deals etc....
 
But only when you use a combination of different letters (upper and lower case) random numbers and special chars etc!
I agree and I always recommend using upper and lower case, numbers and special characters too, regardless of the length.

But genuine human bad guys (not talking about nosy neighbors) aren't manually guessing, right? They are using some software designed to hack passwords. If one were to use a long phrase with only upper and lower case letters, would the software know to not even try numbers and special characters? IDK.

If one wants to just use letters, it might be good to still throw the bad guy off by starting the PW with &1 just to make them think special characters and numbers may be used throughout. That should then take them at least an extra 10 minutes to crack it! ;)

I note another bump in the road here is many sites only allow a small handful of special characters. I have an account on a government site that forces users to change their PW every 60 days. And it must be between 15 and 128 characters, at least 1 upper and 1 lower case letter, at least 1 number, no spaces, and at least 1 of these special characters: @_#/,;~`%&=':!$*+().{}|?><^[]-"\

Oh and at least 8 of the characters must be different from your last 10 passwords. So it is not like you can rotate characters through the PW each time. You can't have $R0b1nHoOd this time and &HoOdR0b1n next.

I have used several password generators and if you tell them to include special characters, they invariably include 1 or more not allowed for that site. For example, I can't use £ or µ or Ω, or any foreign letters.

Fortunately, the site usually highlights what is wrong or missing from password when changing it. But it still is a real PITA to keep coming up with unique passwords that meet all that criteria - even with a PW generator.

Oh well. Such is life.
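The site policy described in this post, as an added example (not part of the post): a checker and a generator restricted to the character set the site accepts, so a generated password never contains a character such as £, µ or Ω. The reading of the "8 characters must be different" rule as an order-independent character count is an assumption, as are the function names and the sample history; the history is a local list, such as the entry history kept in one's own password manager.

```python
import secrets
import string
from collections import Counter

# Special characters the site accepts, copied from the post. These are
# exactly the 32 ASCII punctuation marks, so only non-ASCII symbols fail.
ALLOWED_SPECIALS = "@_#/,;~`%&=':!$*+().{}|?><^[]-\"\\"
ALPHABET = string.ascii_letters + string.digits + ALLOWED_SPECIALS
MIN_LEN, MAX_LEN, MIN_NEW_CHARS, HISTORY_DEPTH = 15, 128, 8, 10

REQUIRED = (
    ("upper case letter", string.ascii_uppercase),
    ("lower case letter", string.ascii_lowercase),
    ("number", string.digits),
    ("special character", ALLOWED_SPECIALS),
)


def new_chars(candidate, old):
    """Characters in candidate not accounted for by old, ignoring order
    (assumed reading of the rule; it makes a rotated password count as reuse)."""
    return sum((Counter(candidate) - Counter(old)).values())


def violations(candidate, history=()):
    """Return the list of policy rules the candidate breaks (empty = OK)."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be 15-128")
    if " " in candidate:
        problems.append("no spaces allowed")
    bad = sorted(set(candidate) - set(ALPHABET) - {" "})
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    for name, chars in REQUIRED:
        if not any(c in chars for c in candidate):
            problems.append("needs at least 1 " + name)
    for old in list(history)[-HISTORY_DEPTH:]:
        if new_chars(candidate, old) < MIN_NEW_CHARS:
            problems.append("fewer than 8 characters differ from a recent password")
            break
    return problems


def generate(length=20, history=()):
    """Draw from the site's alphabet with a CSPRNG until every rule passes."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 15-128")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violations(candidate, history):
            return candidate


if __name__ == "__main__":
    # Constructed history entry: the post's example padded to the minimum length.
    past = ["$R0b1nHoOd-Sherwood1"]
    print(violations("&HoOdR0b1n-Sherwood1", past))
    print(generate(20, past))
```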
 
Hmmm, twice now Sticky Password has nagged me to upgrade to the Premium version. :( I currently am using a 30 day trial of it. I can find no comparison between the Premium version and... well don't even see a non-premium version. I guess it just stops working when 30 days is up.
And they are offering a "limited time" 70% off lifetime license for $60 - down from $200. I wonder how limited that time is?

They should have the comparison page, I remember it.
And I say that I remember it because they opened stickypassword.IT since some years and I am redirected there...

You can find a comparison here (my reply to the 14th question): Instead of dozens passwords, remember just one! FREE offer on GOTD!

Interesting question. I found this comparison (keepass versus stickypassword): https://www.slant.co/versus/2824/2826/~keepass_vs_sticky-password
Unfortunately, there is no date. Summarizing:

Licence:
keepass--> opensource gplv2
stickypassword--> freeware and premium (paid)

Supported platforms:
keepass--> GNU/Linux OSX, Windows, Windows Phone, Android
stickypassword--> Windows, Android, iOS, Mac OS X

Storage:
keepass--> local
stickypassword--> local, Local Wi-Fi Sync Across Devices, Cloud Sync Across Devices, Cloud Backup

Features of both software:
- Always free
- Autofills passwords securely
- Built-in history that tracks changes to individual credential entries
- Clear and concise user interface
- Does not depend on the cloud
- Extremely powerful encryption algorithm AES-256
- Intuitive categorization options and search for managing entries
- Multifactor authentication
- Nobody except you knows your master password
- Powerful built-in password generator
- Regular updates
- Reliable

Keepass PROS
- Allows storage of attachments such as pictures, documents and all kinds of files in general
- Allows useful scripting via KPScript plugin
- Blackberry support
- Can be used as a portable application
- Cross-platform desktop and mobile
- Customizable password records
- Extensive plugin and extension support
- Numerous apps for Android available
- Offers multiple sync options
- Opensource
- Recommended by a number of European governments and the EU
- Support in iOS Safari browser
- Various iOS clients available
- Works inside Android apps

Keepass CONS
- No good cross platform syncing ability
- Not particularly modern UI
- Officially supported only on Windows, Mono or Wine
- No true multi-user and logging
- Balkanized app ecosystem
- iOS support for syncing (not true -> KeePass Touch)
- It doesn't have stickypassword PROS


Stickypassword PROS
- Allows saving notes
- Automatic website registration
- Available since 2001
- Browser integration
- Can add notes about websites
- Can automatically back up your vault
- Can save bookmarks
- Can save password for apps
- Cross-platform syncing
- Environmentally conscious
- Expires password feature available
- Forms that don't get recognized to fill automatically can be set up manually
- Free mobile app
- Made by the team that brought you AVG
- Offers a lifetime license (compared to other non-free programs)
- Offline access
- Optional automatic website logins
- Pulls usernames and passwords from browsers
- Supports biometric authentication
- Supports fingerprint authentication
- Supports multiple accounts per website
- USB version
- WiFi synchronization
- Will show you weak passwords

Stickypassword CONS
- No linux support
- It doesn't have keepass PROS

If you think you need the premium lifetime version, you can find it here for $24 (coupon code: take20): Sticky Password Premium: Lifetime Subscription | StackSocial
 
I note another bump in the road here is many sites only allow a small handful of special characters. I have an account on a government site that forces users to change their PW every 60 days. And it must be between 15 and 128 characters, at least 1 upper and 1 lower case letter, at least 1 number, no spaces, and at least 1 of these special characters: @_#/,;~`%&=':!$*+().{}|?><^[]-"\

Oh and at least 8 of the characters must be different from your last 10 passwords. So it is not like you can rotate characters through the PW each time. You can't have $R0b1nHoOd this time and &HoOdR0b1n next.

I have used several password generators and if you tell them to include special characters, they invariably include 1 or more not allowed for that site. For example, I can't use £ or µ or Ω, or any foreign letters.

Fortunately, the site usually highlights what is wrong or missing from password when changing it. But it still is a real PITA to keep coming up with unique passwords that meet all that criteria - even with a PW generator.



Typical of Uncle Sugar when site security is so important to them, they require 60 day PW change and then limit the characters. One problem with using extended ASCII is some sites allow it, but due to coding problems don't accept it when user tries to sign in.
 
