Yeah, I am also thinking about moving back to LastPass. It just worked. This master pass entering on BW on every session is extremely annoying.
You can easily disable it. Every client has a setting for it, it's just not enabled by default. Which is just as well, since it's a security risk. The default should be less risky options.
If you're using Windows 10, you can use Windows Hello PIN or a fingerprint reader. Haven't tried it yet though.
To answer the original question of this thread, I had been using LastPass for a long time. Recently switched to BW after their pricing policy change.
I personally accept the risk that goes with storing banking passwords in the password manager. I have always done so. The reason being that otherwise I keep forgetting them.
Also, a banking account has multiple passwords linked with it: login password, transaction password, ATM PIN, UPI PIN, etc. Remembering all that for multiple banks is near impossible for me. I just end up having to reset it. And given the fact that banks like HDFC charge you to change your ATM PIN through internet banking, this is not a very sound approach.
The reason I store passwords is because these days hardly any of the transactions can be done without an OTP. So while the data can be lost, which is a serious concern in itself, I still am not very likely to lose money.
A hybrid approach is also possible where you store a part of your password in the password manager. The other part can be common for all banks. So your passwords are unique, but you still have to remember only one password for all banks. This is sometimes referred to as peppering. For instance, your stored passwords can be like:
CITI Bank: Harry
HDFC Bank: Hermione
ICICI Bank: Dumbledore
while your actual passwords can be Harry-hagrid, Hermione-hagrid, Dumbledore-hagrid.
Your password manager fills in the first part, you type in the second part before submitting. So you remember only one password for all banks, but you still have strong, unique passwords for all and virtually no risk of being compromised.
Needless to say, even for other critical websites, you should enable 2FA wherever possible. It is unfortunate that none of the banks in India have implemented standard TOTP-based 2FA for login. SBI has one, but they have their own algorithm and therefore need their own app to generate 2FA. This is too much of a hassle. SMS-based 2FA is not as secure, as most phones these days display the OTP on the lock screen itself. Doubly useless for me because my phone notifications are mirrored on my laptop, so you don't even need the phone to see the 2FA password.
At the end of the day, convenience comes at the cost of security. The more secure you want to be, the less convenient it will be. Where you want to strike a balance depends on your personal preference and paranoia level. Keep in mind that it is equally important to maintain good habits with your passwords and computer. Most password leaks these days happen not because of attacks on servers, but because of phishing attacks where users themselves reveal the password to the other party. Password managers can only protect you to an extent, the rest is on you.