I'm a LastPass guy, so what solution is better?

If any website you use supports strong authentication with multi-factor (token code, Duo Security, Clef etc.) use that instead of just a plain password. Most sites will let you stay authenticated for a long time if you use these mechanisms, or at least will only require a push auth or something. eBay, PayPal, and most of the usual suspects support this. Amazon do not, to their shame, although it's available in the US so presumably will be coming to the UK eventually.
If any website you use supports federated sign-on from someone like Google, Facebook, GitHub, Microsoft Live etc. use that instead of a separate password. Make sure you turn on multi-factor for these; they all support it. For other purposes you can buy a YubiKey, which is a 'something you have' token that costs about £20-50 depending which version you go for. A lot of websites and security solutions support this.
For any remaining passwords, there are a few different password managers out there:
KeePass: an oldie but goodie. You create a local keyfile which can be secured with passphrase, certificate file, or strong auth. This file can be stored on a cloud drive (GDrive, OneDrive, Dropbox, S3 etc.) if you need multi-device access. There are third-party browser extensions for this, but they are of dubious quality and could potentially have similar issues to LastPass.
Enpass: Similar to KeePass, you create a local keyfile (optionally they have a nice cloud integration for OneDrive and the rest) which can likewise be protected with passphrase, key, or strong auth. Also has a first-party browser extension, although this has a more secure operating mode: you have to manually click on the extension and re-auth before it will enter passwords into websites for you.
1Password: Basically the same as LastPass, although they seem to have a better reputation. No idea if this is warranted or not. Does not support U2F, which is worrying.
Dashlane: Same model as LastPass and 1Password. U2F token is only available if you spend money on the premium version, which is a bit disappointing.
Then there are a bunch of solutions targeted at enterprises like Okta and OneLogin; I'm not sure how cheap they are for home use. Both of these authenticate you on their platform so your passwords are not exposed in your browser, but you are relying on their platforms being secure.
If you have the skills (and money) you could create your own reverse proxy authentication server, protect it with something like ADFS, tie it in to Duo Security, and have awesome push auth, U2F auth and call-back support for every website you ever authenticate to.