Best password manager?
-
Answering my own question about Tails, it seems that Kodachi might be a successor: https://distrowatch.com/dwres.php?resource=ratings&distro=kodachi
So, for browsing, I'll probably run Kodachi in a VM and call it a day. That and use a different computer altogether that's reserved for access to financial accounts. That and locking down whatever websites are possible with yubikeys, and I figure this should be good enough security without causing much inconvenience. Even just moving off of Windows as much as possible would probably be a big improvement just by itself.
Along the same line of thinking: using a separate, dedicated computer for network security and IoT control probably makes sense as well, in addition to using vlans (as discussed in the other thread). I figure doing it that way should further increase isolation by physical means rather than just spinning up another VM. Or, maybe still do it as a VM, but be sure to have whatever computer is used for browsing be its own standalone machine on its own vlan, or else perhaps on even its own isolated physical lan. Yeah, come to think of it, that ought to do it, as a blunt Keep-It-Simple method, even if the primary defense gets breached.
-
I use KeePass (KeepassXC). Datafile synced with all my devices via ResilioSync (ex BTSync).
@KooLru said in Best password manager?:
I use KeePass (KeepassXC). Datafile synced with all my devices via ResilioSync (ex BTSync).
Are you completely happy with it? Any downsides you've noticed?
-
@Sasquatch said in Best password manager?:
As I said before no password manager is safe on machine crawling with viruses and/or malware
Is anti-virus recommended for Linux as well?
@NeverDie Linux and antivirus... I say no since only one I can recommend is only available for windows and mac.
@mfalkvidd said in Best password manager?:
@NeverDie for travel, I would say the largest risk is a border search. US does it, so I would suspect Russia does as well. Good guide: https://www.eff.org/document/eff-border-search-pocket-guide
Say whaat? Border officials in US can confiscate my laptop willy nilly? I'm glad I have no plans to travel there, and if I do I'll encrypt the hell out of everything I carry, even my wrist watch will need password to show time ;)
-
Perhaps I'm naïve, but border agents aren't the people who worry me. I'd be more concerned about hackers on a hotel's internet connection, or in an internet cafe, or on free wifi at the airport, or similar.
-
Regarding antivirus. I'd say no, you don't need antivirus software on Linux. To my best knowledge, viruses and malware for Linux are still very, very rare, due to the Linux desktop / end user market share being tiny. No big malware campaign would specifically target Linux users, since the potential targets shrink from something like a 90% Windows userbase to like 1% Linux users. Unless you install software from shady repositories (think pirated software) or are directly targeted (as in they're specifically after your stuff, not someones), the risk of getting a virus should be pretty low. Follow best practices like avoid loging in as root / super user, compare checksums, think twice before granting programs elevated privileges, install updates regularly, etc.
Linux seems to be rather well protected against threats anyway. Almost all network equipment runs on some sort of Linux. Most webservers are running a Linux. Maybe I'm wrong, but I bet most of them don't deploy a dedicated anti virus software, other than maybe for file or mail servers, to protect Windows clients.
Wikipedia keeps a list of known Linux malware and points out that "few, if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat".
On Windows, I'd say you're generally good if you use the Defender / Windows Security that comes with it. It provides more or less the same protection against threats as the big name commercial products and doesn't come with tons of bloatware, AI-based voodoo, invasive DLL injections into other software and stuff or accompanying browser extensions, which unnecessarily increase the system's attack surface.
I guess it's worth mentioning, that antivirus software can be harmful, too. Security software isn't safer or more bug-free than other software. And since many antivirus suites integrate deeply into the OS, malware targeting antivirus software has an easy job infecting the system.
Independently from the chosen OS, the best protection is to keep it and all software up-to-date so that known vulnerabilities can be closed or at least mitigated as soon as possible.
-
It looks as though the Linux distro "Qubes OS" has already been configured to do sandbox isolation for nearly anything, including browsers, along similar lines to what I was thinking, by using VM's via the Xen Hypervisor: https://www.qubes-os.org/ . The first Qubes distro was released years ago, and so Qubes has already been extensively reviewed, and likewise it's also easy to learn about.
There are some special hardware requirements that are worth paying attention to. For instance, Qubes recommends avoiding nvidia graphics cards and using Intel IGP instead of a graphics card. Also recommended is hardware TPM with proper BIOS support. Also recommended is "a non-USB keyboard or multiple USB controllers," and I'm not sure yet exactly what's driving that recommendation, except that I read Qubes assigns even the USB port to its own virtual machine in order to isolate it (presumably against self executing Usb files?). So maybe one USB controller wouldn't be enough to connect a keyboard, but with multiple USB controllers maybe one could be mapped to a keyboard and the other USB controllers passed through and isolated in the VM? So, in practical terms, to avoid all that, maybe this means using a bluetooth keyboard just to keep things simple. Anyhow, I have a spare 6th generation Intel NUC, and I believe it meets all these requirements, so I'll probably spin Qubes up for a test drive.
@bearWithBeard, thank you for the good suggestions. :-)
-
It's topical. Google just announced that it will soon be "automatically" enabling two factor authentication on "appropriately configured" google accounts. So, soon the only question may be what type of two factor authentication you have on your account, not whether you have it or not.
https://9to5google.com/2021/05/06/google-two-factor-authentication/
I view this as a good thing, because it will probably stimulate other websites to consider doing the same. The more, the merrier. Once you're set up for 2FA on one website with one of the better yubikeys, it's very easy to add any additional websites that may demand it. So, this will likely help prime the market for the transition to better tech.Maybe that's why the inventory of the best Yubikeys on amazon suddenly dried up. I went to buy some more and suddenly it would take a month to get them instead of one or two days. :face_with_rolling_eyes:
-
Reporting back for the final time: I tried Qubes, but it runs rather slow on a 6th generation NUC, so it's a hassle to use. Not sure, but maybe on a super fast computer it would be more tolerable.
Anyhow, I think the idea has merit, but I'm not a fan of the Qubes distro. It's fine as a proof of concept, but its choice of apps really limits its fresh-out-of-the-box appeal. If there were something equivalent that ran under ProxMox, I'd probably like it better. From what I've read, ProxMox hypervisor can manage virtual TPMs (or, alternatively, pass through hardware TPMs to virtual machines), and I'd be interested in giving that a try (as it seems like a good idea in any case). So unless there's a reason to think that Xen is inherently more secure than ProxMox, maybe the same general idea (minus the color coding) could be approximated in ProxMox without much effort.
Anyhow, thank you everyone for your suggestions. Though everyone may have their own favorites and good reasons for them, it was useful to compare notes. Ultimately, it seems like
the sort of thing you just have to try for yourself to know whether you like a particular app or not, but starting with a solid list of candidates in the first place really helps a lot. -
I've purchased the family plans for both LastPass and Bitwarden. I'm torn between the two. I've been alternating back and forth between using them and I much prefer LastPass. Family sharing in Lastpass is vastly superior and easier to use. Bitwarden does family sharing in a clunky and disjointed fashion. Family sharing of some sites is especially important to us. My wife is not technical at all and has learned to effectively use Lastpass over the last 12 years. I've not even shown her how Bitwarden works yet, and I know what her response will be.
