Best password manager?
-
Almost 1.5k passwords? That's crazy! :D I guess I'm slightly above average with my 99 passwords.
LastPass? Haven't they been hacked multiple times? Their browser addons leaked passwords, too. They also seem(ed) to (have) expose(d) potentially sensitive data in clear text when you stored a website.
KeePass is my preferred password manager. It's free, open source, recommended by a couple of European IT / security authorities, has been audited at least twice, and most importantly:
It doesn't require any accounts, cloud or internet connection whatsoever. Your stuff is stored locally in an encrypted database. The downside is that KeePass is most likely not as "easy" or user friendly to use as LastPass. You have to take care of syncing your database across devices yourself, e.g. by using a self hosted NextCloud or with triggers.
KeePass is natively available on all desktops, there are ports for smartphones and many plugins for different use cases - private key management, QR codes, backup and sync, ...
-
-
@mfalkvidd said in Best password manager?:
Bitwarden
Bitwarden self hosted works very well for me. Definitely a strong candidate for best password manager.:+1:
-
I moved from keepass to Bitwarden self hosted. For a while I used both in parallel and now I have fully moved to Bitwarden self hosted. It integrates very well with everything- iOS, Safari on Mac and other browsers
-
Almost 1.5k passwords? That's crazy! :D I guess I'm slightly above average with my 99 passwords.
LastPass? Haven't they been hacked multiple times? Their browser addons leaked passwords, too. They also seem(ed) to (have) expose(d) potentially sensitive data in clear text when you stored a website.
KeePass is my preferred password manager. It's free, open source, recommended by a couple of European IT / security authorities, has been audited at least twice, and most importantly:
It doesn't require any accounts, cloud or internet connection whatsoever. Your stuff is stored locally in an encrypted database. The downside is that KeePass is most likely not as "easy" or user friendly to use as LastPass. You have to take care of syncing your database across devices yourself, e.g. by using a self hosted NextCloud or with triggers.
KeePass is natively available on all desktops, there are ports for smartphones and many plugins for different use cases - private key management, QR codes, backup and sync, ...
@BearWithBeard said in Best password manager?:
Haven't they been hacked multiple times?
As I understand it, as long as your master password is both unique and strong enough, it shouldn't matter if LastPass or similar were hacked, since it's a hash of your password that gets stored, not the password itself. On the other hand, if you had a weak master password, then an attacker could probably crack it from knowing the hash, and, at that point, you might well be in serious trouble.
I only just learned that Google chrome allegedly uses your Microsoft Windows 10 password to secure your chrome passwords. Well, a lot of people (like my wife) don't even have a Windows 10 password, to make logging in faster and easier when powering up the computer. So, in their case, I wonder if Chrome, which has nicely collected their passwords, offers any protection at all. Anyhow, now that I know, I need to fix this, in some way or another, even though my wife won't like the inconvenience.
-
@BearWithBeard said in Best password manager?:
Haven't they been hacked multiple times?
As I understand it, as long as your master password is both unique and strong enough, it shouldn't matter if LastPass or similar were hacked, since it's a hash of your password that gets stored, not the password itself. On the other hand, if you had a weak master password, then an attacker could probably crack it from knowing the hash, and, at that point, you might well be in serious trouble.
I only just learned that Google chrome allegedly uses your Microsoft Windows 10 password to secure your chrome passwords. Well, a lot of people (like my wife) don't even have a Windows 10 password, to make logging in faster and easier when powering up the computer. So, in their case, I wonder if Chrome, which has nicely collected their passwords, offers any protection at all. Anyhow, now that I know, I need to fix this, in some way or another, even though my wife won't like the inconvenience.
-
@BearWithBeard said in Best password manager?:
Haven't they been hacked multiple times?
As I understand it, as long as your master password is both unique and strong enough, it shouldn't matter if LastPass or similar were hacked, since it's a hash of your password that gets stored, not the password itself. On the other hand, if you had a weak master password, then an attacker could probably crack it from knowing the hash, and, at that point, you might well be in serious trouble.
I only just learned that Google chrome allegedly uses your Microsoft Windows 10 password to secure your chrome passwords. Well, a lot of people (like my wife) don't even have a Windows 10 password, to make logging in faster and easier when powering up the computer. So, in their case, I wonder if Chrome, which has nicely collected their passwords, offers any protection at all. Anyhow, now that I know, I need to fix this, in some way or another, even though my wife won't like the inconvenience.
@NeverDie Yes, LastPass vaults may have been secure as long as the master password couldn't be cracked, but it could have been worse, too. And who knows if (or when) they will be hacked again.
Maybe I'm too paranoid here, but I think data stored in someone else's public network is inherently insecure. You have to trust that a company protects some of your most valuable data, that they are not deceiving you with false promises and that their security engineers are more skilled than the black hats.
Remember the Ubiquiti hack recently? Attackers gained access to customers' cloud managed devices, by gaining root access to Ubiquiti's AWS cloud instances and S3 buckets via credentials stored in an IT employee's LastPass cloud account. What could happen if a key LastPass employee becomes a victim of a social engineering attack? Do they really have no master key or other way of decryption? With upwards of 25 million users storing their login credentials, LastPass is an attractive target for hackers.
Sure, a cloud-based password manager is still much safer than using the same password everywhere. The question is, where are your passwords more secure? In the hands of a company that can hire highly skilled security experts to protect the data of millions publicly, or in our own incompetent hands, stored locally, below the radar level of hackers and where nobody other than us has access to - well, unless we are directly targeted of course. Both ways have their own set of risks.
I personally prefer self-hosted, local or offline solutions over anything cloud- or account-coupled wherever that's an option.
Bitwarden has been mentioned a few times now. Apparently it can be self-hosted, too. Guess I should have a look at it sometime!
-
I keep thinking about the special chip used in the circuit design of a proper mysensors wireless sensor that securely holds the wireless password keys for connecting with the mysensors gateway. As I understand it, even if the mysensors node fell into the hands of a bad guy, the bad guy wouldn't be able to extract the password. In this way, your mysensors network remains secure.
I've forgotten he particulars, but that's roughly the gist of it, isn't it? Yet the mysensor node's software is able to make use of that hidden password anyway, right?
So, barring any major conceptual disconects, I would think that there could exist something analogous for holding passwords to websites, where by design it's simply impossible for the actual secret password to be leaked or otherwise discovered.
Could it actually work like that? Or, am I misrepresenting the facts, or oversimplifying, or otherwise glossing over too many important details?
-
I keep thinking about the special chip used in the circuit design of a proper mysensors wireless sensor that securely holds the wireless password keys for connecting with the mysensors gateway. As I understand it, even if the mysensors node fell into the hands of a bad guy, the bad guy wouldn't be able to extract the password. In this way, your mysensors network remains secure.
I've forgotten he particulars, but that's roughly the gist of it, isn't it? Yet the mysensor node's software is able to make use of that hidden password anyway, right?
So, barring any major conceptual disconects, I would think that there could exist something analogous for holding passwords to websites, where by design it's simply impossible for the actual secret password to be leaked or otherwise discovered.
Could it actually work like that? Or, am I misrepresenting the facts, or oversimplifying, or otherwise glossing over too many important details?
-
@NeverDie Yes, LastPass vaults may have been secure as long as the master password couldn't be cracked, but it could have been worse, too. And who knows if (or when) they will be hacked again.
Maybe I'm too paranoid here, but I think data stored in someone else's public network is inherently insecure. You have to trust that a company protects some of your most valuable data, that they are not deceiving you with false promises and that their security engineers are more skilled than the black hats.
Remember the Ubiquiti hack recently? Attackers gained access to customers' cloud managed devices, by gaining root access to Ubiquiti's AWS cloud instances and S3 buckets via credentials stored in an IT employee's LastPass cloud account. What could happen if a key LastPass employee becomes a victim of a social engineering attack? Do they really have no master key or other way of decryption? With upwards of 25 million users storing their login credentials, LastPass is an attractive target for hackers.
Sure, a cloud-based password manager is still much safer than using the same password everywhere. The question is, where are your passwords more secure? In the hands of a company that can hire highly skilled security experts to protect the data of millions publicly, or in our own incompetent hands, stored locally, below the radar level of hackers and where nobody other than us has access to - well, unless we are directly targeted of course. Both ways have their own set of risks.
I personally prefer self-hosted, local or offline solutions over anything cloud- or account-coupled wherever that's an option.
Bitwarden has been mentioned a few times now. Apparently it can be self-hosted, too. Guess I should have a look at it sometime!
@BearWithBeard said in Best password manager?:
Bitwarden has been mentioned a few times now. Apparently it can be self-hosted, too. Guess I should have a look at it sometime!
I notice there's some banter on youtube about using Bitwarden in conjunction with two factor authentication.
I just today ordered a couple of different 2FA key fobs to see if maybe either one holds any promise:
https://www.amazon.com/gp/product/B0821TDLP4/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
and
https://www.amazon.com/gp/product/B06Y1CSRZX/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
In addition to 2FA, these fobs allude to things like one time passwords, and perhaps even becoming "passwordless." Although both are essentially just a shot in the dark for me, one has to start somewhere. If anyone here is further along in this and has any particular favorites, I'd be very interested to hear which devices you currently like the most.
-
@BearWithBeard said in Best password manager?:
Bitwarden has been mentioned a few times now. Apparently it can be self-hosted, too. Guess I should have a look at it sometime!
I notice there's some banter on youtube about using Bitwarden in conjunction with two factor authentication.
I just today ordered a couple of different 2FA key fobs to see if maybe either one holds any promise:
https://www.amazon.com/gp/product/B0821TDLP4/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
and
https://www.amazon.com/gp/product/B06Y1CSRZX/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
In addition to 2FA, these fobs allude to things like one time passwords, and perhaps even becoming "passwordless." Although both are essentially just a shot in the dark for me, one has to start somewhere. If anyone here is further along in this and has any particular favorites, I'd be very interested to hear which devices you currently like the most.
@NeverDie I have a few Yubikeys. They are the first such devices I heard about that aren't tied to a specific service (ebay and paypal had their own fobs but they only worked on their respective services). I bought my first in 2007.
Some models have support for nfc, so they work with a phone.
They support U2F which probably will be the basis for webauthnYou can also build your own U2F device: https://github.com/conorpp/u2f-zero which has been replaced by https://github.com/solokeys/solo
I tried to build one a few years ago, but my SMT solderings skills were not good enough. -
@NeverDie Yes, LastPass vaults may have been secure as long as the master password couldn't be cracked, but it could have been worse, too. And who knows if (or when) they will be hacked again.
Maybe I'm too paranoid here, but I think data stored in someone else's public network is inherently insecure. You have to trust that a company protects some of your most valuable data, that they are not deceiving you with false promises and that their security engineers are more skilled than the black hats.
Remember the Ubiquiti hack recently? Attackers gained access to customers' cloud managed devices, by gaining root access to Ubiquiti's AWS cloud instances and S3 buckets via credentials stored in an IT employee's LastPass cloud account. What could happen if a key LastPass employee becomes a victim of a social engineering attack? Do they really have no master key or other way of decryption? With upwards of 25 million users storing their login credentials, LastPass is an attractive target for hackers.
Sure, a cloud-based password manager is still much safer than using the same password everywhere. The question is, where are your passwords more secure? In the hands of a company that can hire highly skilled security experts to protect the data of millions publicly, or in our own incompetent hands, stored locally, below the radar level of hackers and where nobody other than us has access to - well, unless we are directly targeted of course. Both ways have their own set of risks.
I personally prefer self-hosted, local or offline solutions over anything cloud- or account-coupled wherever that's an option.
Bitwarden has been mentioned a few times now. Apparently it can be self-hosted, too. Guess I should have a look at it sometime!
@BearWithBeard said in Best password manager?:
I personally prefer self-hosted, local or offline solutions over anything cloud- or account-coupled wherever that's an option.
Yeah, I think I share this preference. The only advantages I can think of for storing a password vault in the cloud are:
- Presumably, it's backed up often and regularly by whichever vendor you pick.
- Perhaps it's easier to share keys across different, distant platforms. In my case, I don't forsee much need for this.
- If it perhaps comes with very good software and extensions/integrations that makes it more convenient and/or easier to use (especially for a spouse or son/daughter to use) than alternatives. I don't see anything that inherently requires a cloud for that, but competition among password companies and the money they rake in obviously helps in getting it built and maintained, let alone well documented and supported.
On the other hand, I think for local network passwords, of which there can be many, there's an obvious advantage to not depending on the cloud for password management, since you will still want access even if your internet connection goes down. So, based on the helpful feedback here (thanks everyone!), I'll probably look into Bitwarden also.
I have no evidence for it, but given the choice, I think I'd rather have the password vault stored in some kind of specialized security chips that were cleverly designed for that purpose. Somehow, anything on a general purpose computer just seems inherently more vulnerable, even if it's on a local network rather than on a cloud computer. So, if there's any truth to that, I imagine there are already specialized devices on the market which cater to that. At this point I just need to learn enough so that I at least become aware of what the essential features are to look for.
Anyhow, I could imagine that in the end I may (probably) end up with two separate, non-overlapping methods for "access management" (for lack of a better term). The first would be for those websites or network devices that are of the more primitive, password-oriented type (as described by @mfalkvidd t above), because if that's what they use exclusively, there's just no getting around it. The second would be a method better suited for devices/websites that can be accessed using more sophisticated, non-exclusively password methods that are just better and much more secure than resorting to passwords. In this way, one uses the best of what's available, and it should still be manageable because there are just two schemes to consider.
And I would "turn on" 2FA and use it whenever possible. I'm finding that in many instances it is already supported as an option for banks, brokerages, email, even if it's not currently required. Though not a secret, most often its existence is poorly advertised. However, now that I'm looking for it, I'm finding that a lot of sites have it. :sunglasses:
-
@BearWithBeard said in Best password manager?:
I personally prefer self-hosted, local or offline solutions over anything cloud- or account-coupled wherever that's an option.
Yeah, I think I share this preference. The only advantages I can think of for storing a password vault in the cloud are:
- Presumably, it's backed up often and regularly by whichever vendor you pick.
- Perhaps it's easier to share keys across different, distant platforms. In my case, I don't forsee much need for this.
- If it perhaps comes with very good software and extensions/integrations that makes it more convenient and/or easier to use (especially for a spouse or son/daughter to use) than alternatives. I don't see anything that inherently requires a cloud for that, but competition among password companies and the money they rake in obviously helps in getting it built and maintained, let alone well documented and supported.
On the other hand, I think for local network passwords, of which there can be many, there's an obvious advantage to not depending on the cloud for password management, since you will still want access even if your internet connection goes down. So, based on the helpful feedback here (thanks everyone!), I'll probably look into Bitwarden also.
I have no evidence for it, but given the choice, I think I'd rather have the password vault stored in some kind of specialized security chips that were cleverly designed for that purpose. Somehow, anything on a general purpose computer just seems inherently more vulnerable, even if it's on a local network rather than on a cloud computer. So, if there's any truth to that, I imagine there are already specialized devices on the market which cater to that. At this point I just need to learn enough so that I at least become aware of what the essential features are to look for.
Anyhow, I could imagine that in the end I may (probably) end up with two separate, non-overlapping methods for "access management" (for lack of a better term). The first would be for those websites or network devices that are of the more primitive, password-oriented type (as described by @mfalkvidd t above), because if that's what they use exclusively, there's just no getting around it. The second would be a method better suited for devices/websites that can be accessed using more sophisticated, non-exclusively password methods that are just better and much more secure than resorting to passwords. In this way, one uses the best of what's available, and it should still be manageable because there are just two schemes to consider.
And I would "turn on" 2FA and use it whenever possible. I'm finding that in many instances it is already supported as an option for banks, brokerages, email, even if it's not currently required. Though not a secret, most often its existence is poorly advertised. However, now that I'm looking for it, I'm finding that a lot of sites have it. :sunglasses:
-
@NeverDie you mean there exists banks that don't require a second factor to login? My bank has required 2fa since I started using their web services in 1997.
@mfalkvidd Well, now that you mention it, I think the ones here do seem to require 2FA (usually typing in a number that they text to your telephone) if you try to log in with a new, "untrusted" device. But after doing it once, if you later use the same device (say, a PC or phone), then I guess the 2FA, if it still qualifies as that, is based on only just your password plus some kind of persistent cookie that they leave in your device cache. If you clear the cache, it suddenly thinks it's a new untrusted device, and then it's back to square one.
Anyhow, what I meant wasn't that, but rather the ability to use a yubicon type device. Is there specific terminology that would separate the older 2FA (e.g. text to your phone) from the new fancier way?
The devices from Amazon (linked above) that I ordered arrived a few minutes ago, so I hope to be giving them a test drive sometime soon.
This guy shows how to, for example, set up a linux server so that you can log-in using only just public and private keys:
5 Steps to Secure Linux (protect from hackers) – 23:15
— NetworkChuckIn fact, he completely disables regular password logins. On first glance it does looks intriguing, maybe even promising. But is it ultimately any better than just using a sufficiently strong password in the first place? That's the key question. He strongly implies that his method is more secure, but he presents no proof of that. Is it blindingly obvious? Well, not to me. And if it's more secure, is it just marginally more secure or is it a lot more secure--enough so to easily justify the effort and inconvenience of doing it? I'd certainly like to know. I would guess that since it's fairly simple it has been widely studied, and that there are reasoned assessments of it, and maybe even some empirical data as to how hack resistant it is in practice. Is there a commonly used name for his technique? If I knew at least that much, it would be a lot easier to check the literature.
-
@mfalkvidd Well, now that you mention it, I think the ones here do seem to require 2FA (usually typing in a number that they text to your telephone) if you try to log in with a new, "untrusted" device. But after doing it once, if you later use the same device (say, a PC or phone), then I guess the 2FA, if it still qualifies as that, is based on only just your password plus some kind of persistent cookie that they leave in your device cache. If you clear the cache, it suddenly thinks it's a new untrusted device, and then it's back to square one.
Anyhow, what I meant wasn't that, but rather the ability to use a yubicon type device. Is there specific terminology that would separate the older 2FA (e.g. text to your phone) from the new fancier way?
The devices from Amazon (linked above) that I ordered arrived a few minutes ago, so I hope to be giving them a test drive sometime soon.
This guy shows how to, for example, set up a linux server so that you can log-in using only just public and private keys:
5 Steps to Secure Linux (protect from hackers) – 23:15
— NetworkChuckIn fact, he completely disables regular password logins. On first glance it does looks intriguing, maybe even promising. But is it ultimately any better than just using a sufficiently strong password in the first place? That's the key question. He strongly implies that his method is more secure, but he presents no proof of that. Is it blindingly obvious? Well, not to me. And if it's more secure, is it just marginally more secure or is it a lot more secure--enough so to easily justify the effort and inconvenience of doing it? I'd certainly like to know. I would guess that since it's fairly simple it has been widely studied, and that there are reasoned assessments of it, and maybe even some empirical data as to how hack resistant it is in practice. Is there a commonly used name for his technique? If I knew at least that much, it would be a lot easier to check the literature.
I'm not prioritizing to look at the whole video, and the link to the list of commands used requires a login, but ecc ssh keys can be compared to a randomly generated password of 27 lower case characters, or a randomly generated password with 21 alphanumeric characters in lower and upper case.
To brute force such a password (or the comparable key) by trying 1,000 logins per second (which assumes your server doesn't use sshguard which would lock out such attempts) would take about 50 trillion trillion centuries on average.
I use ssh keys daily. Not really because the are more secure, but because they are more convenient. As long as you use sufficiently long passwords, password login is as secure as key login. If you use shorter passwords, ssh keys will give better protection.
Here is a guide to use a Yubikey for ssh login: https://developers.yubico.com/yubico-pam/YubiKey_and_SSH_via_PAM.html I used it myself on a test server back in 2007, but I have not used it after that.
-
Reporting Back: I'm not liking the OnlyKey. I have to enter a 7 - 10 digit password on it to activate and make use of it. And the buttons are just tiny touch sensors, with no tactile feedback. More to the point: In a home environment I don't feel that I need that type of physical security on a 2FA device. So, in retrospect, maybe a Yubico would have been a better choice. I could be wrong, but I don't get the impression that a yubikey has to be manually unlocked every time before using it.
I'll try the Thetis next.
-
As near as I can tell, the Yubikey 5C is the most capable, in that it can do the most things:
MULTI-PROTOCOL SUPPORT: The YubiKey USB authenticator has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.So, I ordered one of those to take for a test drive. Anyone here curious about anything that you would like me to try with it and report back?
Allegedly Google distributed these types of keys to all 85,000 of its employees years ago and didn't have any account takeovers ever since. So, in at least an empirical sense, they seem to be highly effective as authenticators.
-
I'm not prioritizing to look at the whole video, and the link to the list of commands used requires a login, but ecc ssh keys can be compared to a randomly generated password of 27 lower case characters, or a randomly generated password with 21 alphanumeric characters in lower and upper case.
To brute force such a password (or the comparable key) by trying 1,000 logins per second (which assumes your server doesn't use sshguard which would lock out such attempts) would take about 50 trillion trillion centuries on average.
I use ssh keys daily. Not really because the are more secure, but because they are more convenient. As long as you use sufficiently long passwords, password login is as secure as key login. If you use shorter passwords, ssh keys will give better protection.
Here is a guide to use a Yubikey for ssh login: https://developers.yubico.com/yubico-pam/YubiKey_and_SSH_via_PAM.html I used it myself on a test server back in 2007, but I have not used it after that.
+1 to keepass, store your database on Google drive/Dropbox/nextcloud and secure it with password+ yubikey and you have bulletproof solution. Just remember to have clone youbikey in a safe.
Keepassxc on windows/Linux, keepas2android and keepasium on Android and iPhone respectively.@mfalkvidd ever heard of hardware keyloggers? You can buy ones that log every keystroke on any wireless keyboard(wired too).
That's why I'm using yibikey and keepass. Even if my master pass leaks out it's useless without youbikey. And stolen/lost yubikey without pass is just a piece of plastic.
-
+1 to keepass, store your database on Google drive/Dropbox/nextcloud and secure it with password+ yubikey and you have bulletproof solution. Just remember to have clone youbikey in a safe.
Keepassxc on windows/Linux, keepas2android and keepasium on Android and iPhone respectively.@mfalkvidd ever heard of hardware keyloggers? You can buy ones that log every keystroke on any wireless keyboard(wired too).
That's why I'm using yibikey and keepass. Even if my master pass leaks out it's useless without youbikey. And stolen/lost yubikey without pass is just a piece of plastic.
@Sasquatch said in Best password manager?:
ever heard of hardware keyloggers? You can buy ones that log every keystroke on any wireless keyboard(wired too).
You've put your finger on exactly the thing I've always wondered about: similar to a keylogger, would not a blackhat piece of attack software also be able to intercept and record a password after it has been retrieved from its password vault, just prior to its being sent as an authenticator?
Which is why I'm looking into these FIDO2 devices, which can at least mitigate against such things happening by converting the user's remembered password into more of a single use password (through usage counts, time stamping, and whatever else).
-
After watching a number of youtube reviews of a whole spectrum of password managers, I think I've narrowed it down to either KeepassXC or maybe bitwarden. Both are open source, but Keepass appears to be completely free. I can't yet say for sure, but keepass might also be easier to self-host as well. Because keepass has a database key that's different from the master key, it appears that I might be able to simply put the database file on a commonly accessible drive on the local area network be done. No need to mess with a docker based server, as bitwarden seemingly requires (plus a $10 license fee). For these reasons, I'm presently leaning toward keepassXC.
