• Best password manager?

    As a follow-up to my other thread about improving overall security: what do people here recommend for password management? A cloud service like LastPass or similar? A self-hosted password manager? Something else? What exactly?

    Not sure if it relates to this or not, but I'm pretty keen to get a yubicon for 2FA on critical internet accounts, like email and banks. Maybe even amazon and ebay. Well, heck, why not everything, including mysensors.org? According to my chrome browser, openhardware.io was hacked and passwords revealed. So, yes, I did change my password for openhardware.io, but remembering the new, more secure password isn't easy. I suppose home network security might also benefit from 2FA, but AFAIK it's really "in addition to" rather than "instead of" a password manager for remembering long, randomly generated keys.

    I read somewhere that the average person these days has around 85 passwords they need to remember. That seems like a high number to me, but whatever it is, it's definitely far greater than 7 plus or minus 2. And if you have a unique password for every device and virtual machine on your network, the numbers get big in a hurry, let alone the need to keep track of it all and rapidly access the passwords when needed.

    posted in General Discussion
  • RE: Advisory: put IOT devices on a separate LAN/vLAN for better security

    @NeverDie said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    @monte https://www.ebay.com/itm/X10SLH-N6-ST031-Supermicro-E3-1200-v3-LGA1150-Motherboard-3x-X540-T2-6x-10GbE/184546263249?hash=item2af7d080d1:g:CCUAAOSwoP1gSWhO

    Lest I mislead anyone, I subsequently contacted the seller and, despite the wording, it doesn't include an E3-1200 with the board. He just meant that as shorthand to refer to the processor family that's compatible with the board. That said, there are a ton of inexpensive used LGA1150 CPUs on ebay that could serve the purpose.

    posted in General Discussion
  • RE: Advisory: put IOT devices on a separate LAN/vLAN for better security

    @monte said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    Intel DQ77KB

    It doesn't support ECC memory, but maybe it makes no difference, since each packet would contain its own error correction anyway.

    What kind of switches are you using to create and manage your vlans? In an earlier post I mentioned I was planning to use relatively cheap 1gbe managed netgear switches, but if I could get 10gbe transfer rates using the ebay supermicro boards for just a little more money plus some memory and a power supply, I'm inclined to do it. I could certainly live with 1gbe, but to speed along backups or vme migration or restoration from a backup server, 10gbe would be a nice luxury because it's a good match for the read/write rates of pci-e 4.0 nVME drives. Or, some of these older ebay Supermicro boards can be had with gobs of ram (128GB or even 192GB of RAM), where you could easily run entire virtual machines inside of just RAM. Then there's no nVME drive to wear out, and you could pretty much transfer files or VMs as fast as the ethernet will carry it. Or a file server with such outlandish amounts of RAM could have a positively enormous RAM cache to facilitate ultra fast file transfer rates. Then maybe you don't need much nVME on the local machine and just boot from the network instead. It might be a good way to amortize the cost of the RAM expenditure. I don't know for sure how well it would work in real life, as I haven't tried it, but that's the theory. Anyway, for doing those kinds of things, 1gbe just wouldn't be fast enough compared to local nvme, but 10gbe just might be, even after deducting for the ~20% ethernet overhead. This back of the envelope calculation assumes no meaningful network contention, but I'm comfortable with that assumption, because on a home network there wouldn't be.

    posted in General Discussion
  • RE: Advisory: put IOT devices on a separate LAN/vLAN for better security

    My plan is to put pfSense onto this Supermicro motherboard, which has 6 software programmable gigabit ethernet ports plus a seventh for IPMI access:
    https://www.supermicro.com/products/motherboard/atom/x10/a1srm-ln7f-2758.cfm

    I'm not sure what "software programmable" means in this context, but it connotes that maybe not everything needs to be routed through the CPU.

    It consumes at most 20 watts when under load, but, IIRC, roughly 6 or 8 watts when idling. The Intel atom processor is built-in to the motherboard. The atom doesn't have much single thread oomph, but it does have 8 cores and all the features required to run a hypervisor, which might be worthwhile, especially if it turns out that the software programmable ethernet ports can be configured to manage all the routing on their own.

    If I didn't already own this board, I'd probably pick up a similar Supermicro board that has six 10-gigabit ports on it. Right now there are a ton of used ones on ebay for around $80 per board, some including an E3-1200 processor in the $80 price. i.e. they cost even less than the pcengine board. Probably more than 20 watts TDP, but considering it's a SuperMicro motherboard and each of the six ports supports RJ45 10gbe.... Heck, at that price for a 10Gbe node, I should buy 3 and build an HA ProxMox cluster.

    posted in General Discussion
  • RE: Advisory: put IOT devices on a separate LAN/vLAN for better security

    Two things convinced me to have a box dedicated to pfsense (or whatever I end up using):

    1. @monte 's earlier advice on the subject, and
    2. The need for it to keep working during a lightning storm, during which I typically unplug any expensive or delicate machines but also during which I still want to maintain wifi internet access. Meaning: it could still get nuked by an electrical surge from a nearby lightning strike, but at least the replacement cost would be low. Hmmm... I suppose better still would be switching to some kind of completely wireless internet access during such storms, by maybe converting my cell phone into a hotspot or using a Verizon jetpack.... In that case, having the router be low power would be very nice indeed, because then it could run on batteries during the storm and thereby have no lightning risk at all.

    posted in General Discussion
  • RE: Advisory: put IOT devices on a separate LAN/vLAN for better security

    @Thomas-Weeks said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    @NeverDie I wouldn't.. check out this dedicated/embedded hardware.. used in many pieces of high end network appliances:
    https://pcengines.ch/apu4d4.htm

    T.Weeks

    You wouldn't... what? The pcengine you linked appears to be a 4 port router. What should I be learning/realizing from or doing with that piece of information? Is it meant for creating vlans or is it meant for getting the time from an atomic clock somewhere on the internet? Or something else?

    posted in General Discussion
  • RE: OH3 - MySensors Binding

    I've solved the dependency error and the package compiles fine, but I had no time for testing yet.
    If you're willing to test: Download

    posted in OpenHAB
  • RE: Best PC platform for running Esxi/Docker at home?

    Reporting Back: Good news! Rather than use iSCSI, I found that I could create a SAMBA mount point and then use that to connect with a ZFS dataset on TrueNAS, running on a virtual machine within ProxMox. This allows ProxMox to back up VMs to that as a regular ZFS dataset without having to pre-allocate storage, as was the case with a ZVOL. I've tested this out, and it works. So, it's all good now. I'm once again happy with Proxmox. 🙂 😄 😃

    BTW, running a SAMBA share has the added advantage of being easily accessible from Windows File Explorer, making it an attractive bonus. Once set up, I'm finding that SAMBA (aka SMB) on TrueNAS for a mix of Linux and Windows machines on one network provides easy file sharing.

    An unrelated but good find: BTRFS on regular linux works great, especially when combined with TimeShift for instant snapshot and rollbacks. A rollback does require a reboot to take effect, but it's nonetheless better than no rollback ability at all. BTRFS is one of the guided install options on both Ubuntu and Linux Mint Cinnamon. For Microsoft Windows users, I think you'll find that the GUI on Linux Mint Cinnamon is a good match for your Windows intuitions. I'll probably settle on Mint Cinnamon for its stability and intuitive ease of use. The pre-configuring that went into Mint makes it much easier for new Linux users to pick up and immediately start using, as compared to a plain vanilla Debian install, which was my previous go-to because of Debian's high stability.

    Of greater relevance: "Virtual Machine Manager" (VMM) is a QEMU-KVM hypervisor GUI that runs on Mint which looks strikingly similar to ProxMox during the process of configuring a new VM. I was looking into VMM as a BTRFS hypervisor alternative to ZFS ProxMox, and though not exactly apples-to-apples, on first look VMM does look quite capable. Also, in some ways the VMM GUI looks both more detailed and more polished than ProxMox's GUI. I also looked very briefly (maybe too briefly) at Cockpit and at Gnome Boxes, but my first impression was both looked like work-in-progress. Are there any other hypervisors, not already mentioned on this thread, that run on top of BTRFS and are worth considering?

    posted in Controllers