Best password manager?

    BearWithBeard wrote (#29):

    All password managers are a compromise between security and convenience. Those integrated into browsers seem to distinctly favor convenience. Yes, Chrome may sync the credentials encrypted to the Google cloud and they may be locally secured via the OS account login, etc. But did you ever need to authenticate if you tried to access those passwords? Firefox isn't much different - once you're logged into the OS, all Firefox-managed passwords are just three clicks away (unless you opt in to use a master password).

    I'd be surprised if someone or something (like malware) that has access to your PC won't be able to read and copy credentials from a browser, at least while the browser is running. Browsers store the credentials in the same location on all PCs, so I assume there is already specialized malware that automatically crawls those locations and kindly "asks" the browsers through their APIs to decrypt them.

    I guess it's worth mentioning that a dedicated password manager application that you keep running and unlocked in the background all the time might also leak some confidential data into memory under certain circumstances. Here's a case study that examined how 1Password, Dashlane, KeePass and LastPass could leak data: https://www.ise.io/casestudies/password-manager-hacking/

    • NeverDie wrote:

      I can see now why Google Chrome isn't considered a secure password manager. I tested out a different password manager just now, and it was able to import all of my google chrome passwords in about 1 second. I presume a piece of malware could do the same?

      Sasquatch wrote (#30):

      @NeverDie

      The keyloggers I mentioned are either USB plug extensions (hard-ish to spot) or Bluetooth dongles that listen to wireless keyboards; some of them use very weak or no keyboard<->dongle authentication.

      Intercepting passwords between browser and website/server is possible but requires:
      a: MITM attack => access to local network, easy peasy on café WiFi
      or
      b: DNS poisoning => admin access to ISP infrastructure or local network router.

      On top of that, a stupid/not-paying-attention user who will ignore the lack of an SSL/HTTPS connection or add an exception to accept a website certificate signed by a ROOT CA not trusted by the OS/browser.
      Or physical access to the victim's computer to add your own ROOT CA to the trusted CA database; malware can do it too.
      The only way to rule user error, malware or physical access out is to fake a ROOT CA and sign a certificate for a dodgy server, but it's not possible without access to some serious brute-forcing compute power - we are talking an exascale supercomputer for a couple of years here.
      It is a very personal attack, and unless you are a VIP you can forget about it anyway. I'm not so sure about forgetting...

      No password manager is safe on a machine crawling with malware; antivirus/antimalware are a must!!!
      Although there is a plugin for the original KeePass that auto-types the password out of order to fool potential malware keyloggers. It's called floating panel.

      AFAIK all browser password managers use the Windows user password to encrypt them, and changing the password automatically changes the encryption key too SIC!!
      Considering that one can overwrite the Windows password or disable it temporarily for a covert hack!! in 30 seconds with a simple bootable USB stick (Windows password unlocker), such a form of encryption is more than useless in a stolen-laptop scenario. And Macs have a password reset feature baked into the OS, so resetting it is even easier.

      From time to time there is malware or a loophole in a browser that leaks passwords; the last one was Opera on the news.
      NEVER USE BROWSER SAVE PASSWORD FEATURE!

        NeverDie (Hero Member) wrote (#31):

        @BearWithBeard said in Best password manager?:

        Here's a case study that examined how 1Password, Dashlane, KeePass and LastPass could leak data: https://www.ise.io/casestudies/password-manager-hacking/

        That's a rather damning report. Thanks for posting it. If even those password managers all have glaring holes in them, it casts a dark cloud of doubt over the entire category.

        In addition to that, the Brave Browser's documentation pretty much confirmed what I suddenly suspected about browser extensions: "Are Chrome extensions safe? Not only could a browser extension track every page you visit, download your passwords, and your personal information, but by downloading a dangerous extension, you could inadvertently download malware, adware, and trojan horse viruses." [source: https://brave.com/learn/browser-extension-safety/]

        So, after reading that, I removed all extensions from my browsers except for the password manager. For convenience's sake, that's the one extension that I'm allowing to remain. The Brave browser claims to be more secure than the other popular browsers, but I notice that both Google Chrome and Firefox do offer stronger browser settings, which happen to be turned off by default. I suspect Google Chrome has a conflict of interest regarding browser security: since Chrome is the most popular browser, if Google were to lock down their Chrome to a greater degree by default, it might amount to shooting Google in the foot if it were to interfere with users receiving advertisements or interfere with whatever invasive tracking Chrome otherwise allows. For that reason, I'm reluctantly going to abandon Google Chrome. Brave, on the other hand, says it's built on Chrome but also claims to be more secure and run 3x faster, so I'll give it a try. Firefox has settings which allow for greater security, so I'll also try browsing with those settings turned up and see how it goes.

        I had thought that running a browser inside a virtual machine would offer a true bulletproof isolation sandbox, but this idea is already well researched and I was surprised to read it actually isn't bulletproof.

        Snowden recommended Tails, but a lot of time has passed and I suspect his insights are probably lagging the current reality. Is Tails still the best option available, or is there now something newer/better than Tails?

          BearWithBeard wrote (#32):

          Yeah well. Some of those "holes" in password managers are conceptual. You can't display a password or copy it to a clipboard without exposing it. I guess we have to accept that no software is 100% secure and that nobody can ever guarantee such a thing. A lot has to come together before those flaws become a serious threat - and what's the alternative anyway?

          Regarding browser extensions: While it's true what Brave is saying, I think it's the wrong conclusion to ditch extensions altogether. Websites themselves, even trustworthy ones, can be malicious. That is because most websites today load content from third parties like advertising or content distribution networks, for tracking purposes and to deliver targeted ads, regionally cached versions of the website or frequently used JS libraries like jQuery. If any of those third parties / CDNs gets compromised, attackers can inject harmful JavaScript into countless websites. The NYT, Yahoo and Spotify were rather famous victims* spreaders. Even Google's DoubleClick, one of the leading ad servers, has served malware before (see malvertising on Wikipedia).

          I understand that there are website owners who rely on ads to fund their projects, and one can always make exceptions for them or compensate through different means (subscriptions, donations, ...), but I would never use a browser without any sort of ad- or scriptblocker like uBlock Origin or uMatrix these days. I prefer to know and decide on my own which resources and from where they are loaded. They also help to restrict cross-site tracking.

          Another nice side effect - which may confirm Brave's "3x faster" than Chrome claim - most websites load much faster. Take the NYT frontpage as an example:
          No blocker: transferred 28MB in 356 requests, which took 4.43s to load; keeps loading in new images, videos and other resources from third parties every minute
          With Blocker: 4.14MB in 58 requests, which took 1.76s; does not load anything from third parties afterwards

          It's either that or disable javascript entirely in the browser, which will render many websites useless.

          * I'm reluctant to call a website a victim in this case if they knowingly load content from third parties, accepting all the risks involved, but deny any responsibility in case they in turn cause harm to their customers / visitors.
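
The first-party versus third-party comparison in the post above can be reproduced from a HAR export of the browser's network panel. This is an added example, not part of the original thread or of any tool named in it; the sample capture, the host names and the helpers `harEntry`, `siteOf` and `auditHar` are constructed for illustration, and `siteOf` assumes the last two DNS labels identify a site (a real audit would use the Public Suffix List).

```javascript
// Added example: split a HAR capture into first-party and third-party traffic
// and list the third-party hosts that delivered script to the page.

// Build one HAR 1.2 entry containing only the fields this audit reads.
function harEntry(url, mimeType, bodySize) {
  return { request: { url }, response: { bodySize, content: { mimeType } } };
}

// Constructed sample capture of a fictional page (not real traffic).
const SAMPLE_PAGE = 'https://news.example/';
const SAMPLE_HAR = { log: { entries: [
  harEntry('https://news.example/', 'text/html', 50000),
  harEntry('https://static.news.example/app.js', 'application/javascript', 120000),
  harEntry('https://cdn.libs.test/jquery.min.js', 'application/javascript', 90000),
  harEntry('https://ads.adnet.test/tag.js', 'text/javascript', 40000),
  harEntry('https://ads.adnet.test/banner.png', 'image/png', 300000),
  harEntry('https://track.metrics.test/pixel.gif', 'image/gif', -1), // size unknown
  harEntry('data:image/png;base64,AAAA', 'image/png', 3),            // inline, no network
] } };

// Assumption: the "site" is the last two labels of the hostname.
// This is wrong for suffixes such as co.uk; use the Public Suffix List in practice.
function siteOf(hostname) {
  const host = hostname.toLowerCase();
  const labels = host.split('.');
  return labels.length <= 2 ? host : labels.slice(-2).join('.');
}

// Classify every network request in the capture relative to the visited page.
function auditHar(har, pageUrl) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const totals = {
    firstParty: { requests: 0, bytes: 0 },
    thirdParty: { requests: 0, bytes: 0 },
  };
  const byHost = new Map();

  for (const e of har.log.entries) {
    let url;
    try {
      url = new URL(e.request.url);
    } catch (err) {
      continue; // malformed URL in the capture
    }
    // data:, blob: and similar schemes never leave the browser.
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;

    // HAR records -1 when the body size is unknown; count that as 0 bytes.
    const bytes = Math.max(0, e.response.bodySize || 0);
    const mime = (e.response.content && e.response.content.mimeType) || '';
    const isScript = /javascript|ecmascript/i.test(mime);

    const party = siteOf(url.hostname) === pageSite ? 'firstParty' : 'thirdParty';
    totals[party].requests += 1;
    totals[party].bytes += bytes;

    if (party === 'thirdParty') {
      const h = byHost.get(url.hostname) ||
        { host: url.hostname, requests: 0, bytes: 0, servesScript: false };
      h.requests += 1;
      h.bytes += bytes;
      h.servesScript = h.servesScript || isScript;
      byHost.set(url.hostname, h);
    }
  }

  // Largest third-party hosts first; ties broken by name for stable output.
  const hosts = [...byHost.values()]
    .sort((a, b) => b.bytes - a.bytes || a.host.localeCompare(b.host));

  return {
    firstParty: totals.firstParty,
    thirdParty: totals.thirdParty,
    hosts,
    // Hosts whose code runs with the page's privileges if they are compromised.
    scriptHosts: hosts.filter((h) => h.servesScript).map((h) => h.host),
  };
}

console.log(JSON.stringify(auditHar(SAMPLE_HAR, SAMPLE_PAGE), null, 2));
```

Chrome and Firefox can both save the network panel's contents as a HAR file; parse it with `JSON.parse` and pass the result to `auditHar` together with the page URL.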

            Sasquatch wrote (#33):

            @NeverDie said in Best password manager?:

            Here's a case study that examined how 1Password, Dashlane, KeePass and LastPass could leak data: https://www.ise.io/casestudies/password-manager-hacking.

            As I said before, no password manager is safe on a machine crawling with viruses and/or malware.
            That's where antivirus software comes into play; if you skip that, there is no escape from being eventually "hacked".

            The main advantage of a password manager is not reusing passwords for different services. When one gets compromised, it's that. One password leaked, one account compromised, the rest is safe. The alternative would be a pen and paper notepad, reusing one password, or using memorable password combinations, all bearing much greater risks than any decent password manager.

            IMHO you are getting a bit paranoid. I do agree with BearWithBeard: use as few extensions as practical.
            Firefox+adblockplus+keepassxc+cookiecleaner is my "daily driver".
            For the weird side of the internet I use TOR browser.
            For testing downloads use a VM.
            Plus good paid antivirus, so far so good.

              NeverDie (Hero Member) wrote (#34):

              @Sasquatch said in Best password manager?:

              As I said before no password manager is safe on machine crawling with viruses and/or malware

              Is anti-virus recommended for Linux as well?

                NeverDie (Hero Member) wrote (#35):

                @BearWithBeard said in Best password manager?:

                would never use a browser without any sort of ad- or scriptblocker like uBlock origin or uMatrix these days.

                Ah, good, now that we're getting down to brass tacks, thanks for naming names. The one time I tried using an adblocker I quickly ran into a wall: many sites would detect it and refuse to display content until I disabled it. So, I installed PiHole, which they can't detect, and with one stroke it benefits my entire family. That said, it's only as good as its database, so something nefarious could conceivably slip through. Consequently, I should add something more to cover that possibility. Are the script blockers you named detectable by visited websites? If even the New York Times is a spreader, then you just have to assume any website with advertising might also be. Maybe even non-advertising websites (like the many honeypots offering free this or that) could be bad in that respect, and PiHole would be of no benefit there.

                  NeverDie (Hero Member) wrote (#36):

                  Also, my wife sometimes travels overseas, and this creates online vulnerabilities. This time it will be Russia, so, yeah, time to take it seriously. In addition to password manager and yubikeys, I'm thinking VPN so she can simply tunnel out of there and let her firewall reject any attacks from her local network.

                    mfalkvidd (Mod) wrote (#37):

                    @NeverDie for travel, I would say the largest risk is a border search. US does it, so I would suspect Russia does as well. Good guide: https://www.eff.org/document/eff-border-search-pocket-guide

                      BearWithBeard wrote (#38):

                      @NeverDie I'm not sure how exactly those anti blocker services work, but I think they watch the browser environment, DOM tree or the loaded resources for changes and if they detect deviations from the expected state, they can conclude that some sort of blocker is installed.

                      So yes, uBlock Origin can be detected, as should be any extension that actively modifies websites, depending on how good they are in this cat-and-mouse game. But it's impossible for me to tell how much that affects your daily browsing experience, since you and I are most likely visiting different websites. For me, there's actually only one regularly visited website that doesn't let me in unless I disable uBlock.

                      I'd recommend uBlock Origin over others, because it's fast and easy on hardware resources. It has more options and features than Adblock Plus (whose filter syntax it supports), as it doesn't only use filter lists, but can also block scripts and network requests to third-party servers, and you are free to adjust that for every site individually. It's easy to use, with optional advanced features, and has decent documentation.

                      uMatrix could be considered a browser-based firewall which allows you to define rather granular rules for different content types (including cookies) per domain. It's definitely not a tool for non-technical users, as it breaks a lot of websites by default. uBlock Origin includes a simplified form of uMatrix's features, but it's optional to use them. uMatrix doesn't seem to have been in active development for more than a year, as I just found out. Still works great though.

                        NeverDie (Hero Member) wrote (#39):

                        Answering my own question about Tails, it seems that Kodachi might be a successor: https://distrowatch.com/dwres.php?resource=ratings&distro=kodachi

                        So, for browsing, I'll probably run Kodachi in a VM and call it a day. That and use a different computer altogether that's reserved for access to financial accounts. That and locking down whatever websites are possible with yubikeys, and I figure this should be good enough security without causing much inconvenience. Even just moving off of Windows as much as possible would probably be a big improvement just by itself.

                        Along the same line of thinking: using a separate, dedicated computer for network security and IoT control probably makes sense as well, in addition to using vlans (as discussed in the other thread). I figure doing it that way should further increase isolation by physical means rather than just spinning up another VM. Or, maybe still do it as a VM, but be sure to have whatever computer is used for browsing be its own standalone machine on its own vlan, or else perhaps on even its own isolated physical lan. Yeah, come to think of it, that ought to do it, as a blunt Keep-It-Simple method, even if the primary defense gets breached.

                          KooLru wrote (#40):

                          I use KeePass (KeepassXC). Datafile synced with all my devices via ResilioSync (ex BTSync).

                            NeverDie (Hero Member) wrote (#41):

                            @KooLru said in Best password manager?:

                            I use KeePass (KeepassXC). Datafile synced with all my devices via ResilioSync (ex BTSync).

                            Are you completely happy with it? Any downsides you've noticed?

                              Sasquatch wrote (#42):

                              @NeverDie Linux and antivirus... I say no, since the only one I can recommend is only available for Windows and Mac.

                              @mfalkvidd said in Best password manager?:

                              @NeverDie for travel, I would say the largest risk is a border search. US does it, so I would suspect Russia does as well. Good guide: https://www.eff.org/document/eff-border-search-pocket-guide

                              Say whaat? Border officials in US can confiscate my laptop willy nilly? I'm glad I have no plans to travel there, and if I do I'll encrypt the hell out of everything I carry, even my wrist watch will need password to show time ;)

                                NeverDie (Hero Member) wrote (#43):

                                Perhaps I'm naïve, but border agents aren't the people who worry me. I'd be more concerned about hackers on a hotel's internet connection, or in an internet cafe, or on free wifi at the airport, or similar.

                                  BearWithBeard wrote (#44):

                                  Regarding antivirus. I'd say no, you don't need antivirus software on Linux. To my best knowledge, viruses and malware for Linux are still very, very rare, due to the Linux desktop / end user market share being tiny. No big malware campaign would specifically target Linux users, since the potential targets shrink from something like a 90% Windows userbase to like 1% Linux users. Unless you install software from shady repositories (think pirated software) or are directly targeted (as in they're specifically after your stuff, not someone's), the risk of getting a virus should be pretty low. Follow best practices like avoiding logging in as root / super user, comparing checksums, thinking twice before granting programs elevated privileges, installing updates regularly, etc.

                                  Linux seems to be rather well protected against threats anyway. Almost all network equipment runs on some sort of Linux. Most webservers are running a Linux. Maybe I'm wrong, but I bet most of them don't deploy a dedicated anti virus software, other than maybe for file or mail servers, to protect Windows clients.

                                  Wikipedia keeps a list of known Linux malware and points out that "few, if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat".

                                  On Windows, I'd say you're generally good if you use the Defender / Windows Security that comes with it. It provides more or less the same protection against threats as the big name commercial products and doesn't come with tons of bloatware, AI-based voodoo, invasive DLL injections into other software and stuff or accompanying browser extensions, which unnecessarily increase the system's attack surface.

                                  I guess it's worth mentioning that antivirus software can be harmful, too. Security software isn't safer or more bug-free than other software. And since many antivirus suites integrate deeply into the OS, malware targeting antivirus software has an easy job infecting the system.

                                  Independently from the chosen OS, the best protection is to keep it and all software up-to-date so that known vulnerabilities can be closed or at least mitigated as soon as possible.

                                    NeverDie (Hero Member) wrote (#45):

                                    It looks as though the Linux distro "Qubes OS" has already been configured to do sandbox isolation for nearly anything, including browsers, along similar lines to what I was thinking, by using VMs via the Xen Hypervisor: https://www.qubes-os.org/ . The first Qubes distro was released years ago, and so Qubes has already been extensively reviewed, and likewise it's also easy to learn about.

                                    There are some special hardware requirements that are worth paying attention to. For instance, Qubes recommends avoiding NVIDIA graphics cards and using Intel IGP instead of a graphics card. Also recommended is hardware TPM with proper BIOS support. Also recommended is "a non-USB keyboard or multiple USB controllers," and I'm not sure yet exactly what's driving that recommendation, except that I read Qubes assigns even the USB port to its own virtual machine in order to isolate it (presumably against self-executing USB files?). So maybe one USB controller wouldn't be enough to connect a keyboard, but with multiple USB controllers maybe one could be mapped to a keyboard and the other USB controllers passed through and isolated in the VM? So, in practical terms, to avoid all that, maybe this means using a Bluetooth keyboard just to keep things simple. Anyhow, I have a spare 6th generation Intel NUC, and I believe it meets all these requirements, so I'll probably spin Qubes up for a test drive.

                                    @bearWithBeard, thank you for the good suggestions. :-)

                                    1 Reply Last reply
                                    0
                                    • NeverDieN Offline
                                      NeverDieN Offline
                                      NeverDie
                                      Hero Member
                                      wrote on last edited by NeverDie
                                      #46

                                      It's topical. Google just announced that it will soon be "automatically" enabling two-factor authentication on "appropriately configured" Google accounts. So, soon the only question may be what type of two-factor authentication you have on your account, not whether you have it or not.
                                      https://9to5google.com/2021/05/06/google-two-factor-authentication/
                                      I view this as a good thing, because it will probably stimulate other websites to consider doing the same. The more, the merrier. Once you're set up for 2FA on one website with one of the better YubiKeys, it's very easy to add any additional websites that may demand it. So, this will likely help prime the market for the transition to better tech.

                                      Maybe that's why the inventory of the best YubiKeys on Amazon suddenly dried up. I went to buy some more and suddenly it would take a month to get them instead of one or two days. :face_with_rolling_eyes:

                                      1 Reply Last reply
                                      0
                                      • NeverDieN Offline
                                        NeverDieN Offline
                                        NeverDie
                                        Hero Member
                                        wrote on last edited by NeverDie
                                        #47

                                        Reporting back for the final time: I tried Qubes, but it runs rather slow on a 6th generation NUC, so it's a hassle to use. Not sure, but maybe on a super fast computer it would be more tolerable.

                                        Anyhow, I think the idea has merit, but I'm not a fan of the Qubes distro. It's fine as a proof of concept, but its choice of apps really limits its fresh-out-of-the-box appeal. If there were something equivalent that ran under Proxmox, I'd probably like it better. From what I've read, Proxmox hypervisor can manage virtual TPMs (or, alternatively, pass through hardware TPMs to virtual machines), and I'd be interested in giving that a try (as it seems like a good idea in any case). So unless there's a reason to think that Xen is inherently more secure than Proxmox, maybe the same general idea (minus the color coding) could be approximated in Proxmox without much effort.

                                        Anyhow, thank you everyone for your suggestions. Though everyone may have their own favorites and good reasons for them, it was useful to compare notes. Ultimately, it seems like the sort of thing you just have to try for yourself to know whether you like a particular app or not, but starting with a solid list of candidates in the first place really helps a lot.

                                        1 Reply Last reply
                                        0
                                        • Melody GilpinM Offline
                                          Melody GilpinM Offline
                                          Melody Gilpin
                                          wrote on last edited by
                                          #48

                                          I've purchased the family plans for both LastPass and Bitwarden. I'm torn between the two. I've been alternating back and forth between using them and I much prefer LastPass. Family sharing in LastPass is vastly superior and easier to use. Bitwarden does family sharing in a clunky and disjointed fashion. Family sharing of some sites is especially important to us. My wife is not technical at all and has learned to effectively use LastPass over the last 12 years. I've not even shown her how Bitwarden works yet, and I know what her response will be.

                                          1 Reply Last reply
                                          0