Best password manager?

  • NeverDie (Hero Member), last edited by NeverDie, #18

    Reporting Back: I'm not liking the OnlyKey. I have to enter a 7 - 10 digit password on it to activate and make use of it. And the buttons are just tiny touch sensors, with no tactile feedback. More to the point: In a home environment I don't feel that I need that type of physical security on a 2FA device. So, in retrospect, maybe a Yubico would have been a better choice. I could be wrong, but I don't get the impression that a yubikey has to be manually unlocked every time before using it.

    I'll try the Thetis next.

    1 Reply Last reply
    0
    • NeverDie (Hero Member), last edited by NeverDie, #19

      As near as I can tell, the Yubikey 5C is the most capable, in that it can do the most things:

      MULTI-PROTOCOL SUPPORT: The YubiKey USB authenticator has multi-protocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV), OpenPGP, and Challenge-Response capability to give you strong hardware-based authentication.
      

      So, I ordered one of those to take for a test drive. Anyone here curious about anything that you would like me to try with it and report back?

      Allegedly Google distributed these types of keys to all 85,000 of its employees years ago and didn't have any account takeovers ever since. So, in at least an empirical sense, they seem to be highly effective as authenticators.

      1 Reply Last reply
      0
      • mfalkvidd wrote:

        I'm not prioritizing to look at the whole video, and the link to the list of commands used requires a login, but ecc ssh keys can be compared to a randomly generated password of 27 lower case characters, or a randomly generated password with 21 alphanumeric characters in lower and upper case.

        To brute force such a password (or the comparable key) by trying 1,000 logins per second (which assumes your server doesn't use sshguard which would lock out such attempts) would take about 50 trillion trillion centuries on average.

        I use ssh keys daily. Not really because they are more secure, but because they are more convenient. As long as you use sufficiently long passwords, password login is as secure as key login. If you use shorter passwords, ssh keys will give better protection.

        Here is a guide to use a Yubikey for ssh login: https://developers.yubico.com/yubico-pam/YubiKey_and_SSH_via_PAM.html I used it myself on a test server back in 2007, but I have not used it after that.

        Sasquatch, last edited by Sasquatch, #20

        +1 to KeePass: store your database on Google Drive/Dropbox/Nextcloud and secure it with password + YubiKey and you have a bulletproof solution. Just remember to have a clone YubiKey in a safe.
        KeePassXC on Windows/Linux, Keepass2Android and KeePassium on Android and iPhone respectively.

        @mfalkvidd ever heard of hardware keyloggers? You can buy ones that log every keystroke on any wireless keyboard (wired too).

        That's why I'm using YubiKey and KeePass. Even if my master pass leaks out it's useless without the YubiKey. And a stolen/lost YubiKey without the pass is just a piece of plastic.

        NeverDieN 1 Reply Last reply
        1
        • NeverDie (Hero Member), #21

          @Sasquatch said in Best password manager?:

          ever heard of hardware keyloggers? You can buy ones that log every keystroke on any wireless keyboard (wired too).

          You've put your finger on exactly the thing I've always wondered about: similar to a keylogger, would not a blackhat piece of attack software also be able to intercept and record a password after it has been retrieved from its password vault, just prior to its being sent as an authenticator?

          Which is why I'm looking into these FIDO2 devices, which can at least mitigate against such things happening by converting the user's remembered password into more of a single use password (through usage counts, time stamping, and whatever else).

          1 Reply Last reply
          0
          • NeverDie (Hero Member), last edited by NeverDie, #22

            After watching a number of YouTube reviews of a whole spectrum of password managers, I think I've narrowed it down to either KeePassXC or maybe Bitwarden. Both are open source, but KeePass appears to be completely free. I can't yet say for sure, but KeePass might also be easier to self-host as well. Because KeePass has a database key that's different from the master key, it appears that I might be able to simply put the database file on a commonly accessible drive on the local area network and be done. No need to mess with a docker based server, as Bitwarden seemingly requires (plus a $10 license fee). For these reasons, I'm presently leaning toward KeePassXC.

            1 Reply Last reply
            0
            • BearWithBeard wrote:

              Almost 1.5k passwords? That's crazy! :D I guess I'm slightly above average with my 99 passwords.

              LastPass? Haven't they been hacked multiple times? Their browser addons leaked passwords, too. They also seem(ed) to (have) expose(d) potentially sensitive data in clear text when you stored a website.

              KeePass is my preferred password manager. It's free, open source, recommended by a couple of European IT / security authorities, has been audited at least twice, and most importantly:

              It doesn't require any accounts, cloud or internet connection whatsoever. Your stuff is stored locally in an encrypted database. The downside is that KeePass is most likely not as "easy" or user friendly to use as LastPass. You have to take care of syncing your database across devices yourself, e.g. by using a self hosted NextCloud or with triggers.

              KeePass is natively available on all desktops, there are ports for smartphones and many plugins for different use cases - private key management, QR codes, backup and sync, ...

              LiamW, #23

              @BearWithBeard I've been using Last Pass for a year and a half and didn't know about those leaks...
              These articles make me wanna move to another service

              NeverDieN 1 Reply Last reply
              0
              • NeverDie (Hero Member), last edited by NeverDie, #24

                @LiamW I don't know how one could decide whether LastPass has more problems than the others or whether it's just making an effort to be more transparent about problems if they are found. Or perhaps LastPass has more problems that have been found (and fixed) because it's more popular, making it better scrubbed down than the ones you hear nothing about? So, perhaps that makes it more robust? Again, how can one evaluate one way or the other? Even if the crypto analysis says it's secure, the implementation (browser extensions in particular) will, I imagine, have some bearing on how bulletproof a particular password manager really is overall.

                Which company has the largest bug finding bounty? If it's large but goes unclaimed, then maybe that's at least some tangible evidence as to whether a particular implementation is secure. But then again, maybe the very next maintenance patch might undo all that by inadvertently introducing a new weakness, and so do we ever really know? I mean even if software claims to have been security audited, who knows how thorough that audit was or whether the people conducting it were capable? It's obviously easy to generate a report which says "No problems found." If security audits really worked, then how come vulnerabilities sometimes get discovered even after an audit has blessed it?

                LiamWL 1 Reply Last reply
                2
                • mfalkvidd (Mod), #25

                  [Image: 4479b6e3-0446-4768-9f4f-c02bce96f672-image.png]

                  1 Reply Last reply
                  5
                  • LiamW, #26

                    @NeverDie absolutely agree, man. But a year ago when I was searching for a pass manager, it was just the first thing to pop up. Maybe they're just trying to rank in Google without caring about their customers...

                    NeverDieN 1 Reply Last reply
                    0
                    • NeverDie (Hero Member), last edited by NeverDie, #27

                      @LiamW The way I look at it, you or I don't have the time or resources to do proper due diligence, let alone constantly monitor. Major corporations do though. So, which password managers do major corporations pick? I'd like to know. They're in a better position to get answers to the critical questions, and so in this case I think following their lead would make sense.

                      1 Reply Last reply
                      0
                      • NeverDie (Hero Member), #28

                        I can see now why Google Chrome isn't considered a secure password manager. I tested out a different password manager just now, and it was able to import all of my Google Chrome passwords in about 1 second. I presume a piece of malware could do the same?

                        S 1 Reply Last reply
                        0
                        • BearWithBeard, last edited by BearWithBeard, #29

                          All password managers are a compromise between security and convenience. Those integrated into browsers seem to distinctly favor convenience. Yes, Chrome may sync the credentials encrypted to the Google cloud and they may be locally secured via the OS account login, etc. But did you ever need to authenticate if you tried to access those passwords? Firefox isn't much different - once you're logged into the OS, all Firefox-managed passwords are just three clicks away (unless you opt in to use a master password).

                          I'd be surprised if someone or something (like malware) that has access to your PC won't be able to read and copy credentials from a browser, at least while the browser is running. Browsers store the credentials in the same location on all PCs, so I assume there is already specialized malware that automatically crawls those locations and kindly "asks" the browsers through their APIs to decrypt them.

                          I guess it's worth mentioning that a dedicated password manager application that you keep running and unlocked in the background all the time might also leak some confidential data into memory under certain circumstances. Here's a case study that examined how 1Password, Dashlane, KeePass and LastPass could leak data: https://www.ise.io/casestudies/password-manager-hacking/

                          NeverDieN 1 Reply Last reply
                          0
                          • Sasquatch, last edited by Sasquatch, #30

                            @NeverDie

                            The keyloggers I mentioned are either USB plug extensions (hard-ish to spot) or Bluetooth dongles that listen to wireless keyboards; some of them use very weak or no keyboard<->dongle authentication.

                            Intercepting passwords between browser and website/server is possible but requires:
                            a: MITM attack => access to local network, easy peasy on café Wi-Fi
                            or
                            b: DNS poisoning => admin access to ISP infrastructure or local network router.

                            On top of that, a stupid/not paying attention user who will ignore the lack of an SSL/HTTPS connection or add an exception to accept a website certificate signed by a ROOT CA not trusted by the OS/browser.
                            Or physical access to the victim's computer to add their own ROOT CA to the trusted CAs database; malware can do it too.
                            The only way to rule user error, malware or physical access out is to fake a ROOT CA and sign a certificate for a dodgy server, but it's not possible without access to some serious brute forcing compute power - we are talking exascale supercomputer for a couple of years here.
                            It is a very personal attack, and unless you are a VIP you can forget about it anyway. I'm not so sure about forgetting...

                            No password manager is safe on a machine crawling with malware; antivirus/antimalware are a must!!!
                            Although there is a plugin for the original KeePass that auto-types the password out of order to fool potential malware keyloggers. It's called floating panel.

                            AFAIK all browser password managers use the Windows user password to encrypt them, and changing the password automatically changes the encryption key too SIC!!
                            Considering that one can overwrite the Windows password or disable it temporarily for a covert hack!! in 30 seconds with a simple bootable USB stick (Windows password unlocker), such a form of encryption is more than useless in a stolen laptop scenario. And Macs have a password reset feature baked into the OS, so resetting it is even easier.

                            From time to time there is malware or a loophole in a browser that leaks passwords; the last one was Opera on the news.
                            NEVER USE BROWSER SAVE PASSWORD FEATURE!

                            1 Reply Last reply
                            0
                            • NeverDie (Hero Member), last edited by NeverDie, #31

                              @BearWithBeard said in Best password manager?:

                              Here's a case study that examined how 1Password, Dashlane, KeePass and LastPass could leak data: https://www.ise.io/casestudies/password-manager-hacking/

                              That's a rather damning report. Thanks for posting it. If even those password managers all have glaring holes in them, it casts a dark cloud of doubt over the entire category.

                              In addition to that, the Brave Browser's documentation pretty much confirmed what I suddenly suspected about browser extensions: "Are Chrome extensions safe? Not only could a browser extension track every page you visit, download your passwords, and your personal information, but by downloading a dangerous extension, you could inadvertently download malware, adware, and trojan horse viruses." [source: https://brave.com/learn/browser-extension-safety/]

                              So, after reading that, I removed all extensions from my browsers except for the password manager. For convenience's sake, that's the one extension that I'm allowing to remain. The Brave browser claims to be more secure than the other popular browsers, but I notice that both Google Chrome and Firefox do offer stronger browser settings, which happen to be turned off by default. I suspect Google Chrome has a conflict of interest regarding browser security: since Chrome is the most popular browser, if Google were to lock down their Chrome to a greater degree by default, it might amount to shooting Google in the foot if it were to interfere with users receiving advertisements or interfere with whatever invasive tracking Chrome otherwise allows. For that reason, I'm reluctantly going to abandon Google Chrome. Brave, on the other hand, says it's built on Chrome but also claims to be more secure and run 3x faster, so I'll give it a try. Firefox has settings which allow for greater security, so I'll also try browsing with those settings turned up and see how it goes.

                              I had thought that running a browser inside a virtual machine would offer a true bulletproof isolation sandbox, but this idea is already well researched and I was surprised to read it actually isn't bulletproof.

                              Snowden recommended Tails, but a lot of time has passed and I suspect his insights are probably lagging the current reality. Is Tails still the best option available, or is there now something newer/better than Tails?

                              1 Reply Last reply
                              0
                              • BearWithBeard, last edited by BearWithBeard, #32

                                Yeah well. Some of those "holes" in password managers are conceptual. You can't display a password or copy it to a clipboard without exposing it. I guess we have to accept that no software is 100% secure and that nobody can ever guarantee such a thing. A lot has to come together before those flaws become a serious threat - and what's the alternative anyway?

                                Regarding browser extensions: While it's true what Brave is saying, I think it's the wrong conclusion to ditch extensions altogether. Websites themselves, even trustworthy ones, can be malicious. That is because most websites today load content from third parties like advertising or content distribution networks, for tracking purposes and to deliver targeted ads, regionally cached versions of the website or frequently used JS libraries like jQuery. If any of those third parties / CDNs gets compromised, attackers can inject harmful JavaScript into countless websites. The NYT, Yahoo and Spotify were rather famous victims* spreaders. Even Google's DoubleClick, one of the leading ad servers, has served malware before (see malvertising on Wikipedia).

                                I understand that there are website owners who rely on ads to fund their projects, and one can always make exceptions for them or compensate through different means (subscriptions, donations, ...), but I would never use a browser without any sort of ad- or scriptblocker like uBlock Origin or uMatrix these days. I prefer to know and decide on my own which resources are loaded and from where. They also help to restrict cross-site tracking.

                                Another nice side effect - which may confirm Brave's "3x faster" than Chrome claim - most websites load much faster. Take the NYT frontpage as an example:
                                No blocker: transferred 28MB in 356 requests, which took 4.43s to load; keeps loading in new images, videos and other resources from third parties every minute
                                With Blocker: 4.14MB in 58 requests, which took 1.76s; does not load anything from third parties afterwards

                                It's either that or disable JavaScript entirely in the browser, which will render many websites useless.

                                * I'm reluctant to call a website a victim in this case if they knowingly load content from third parties, accepting all the risks involved, but deny any responsibility in case they in turn cause harm to their customers / visitors.

                                NeverDieN 1 Reply Last reply
                                2
                                • Sasquatch, last edited by Sasquatch, #33

                                  @NeverDie said in Best password manager?:

                                  Here's a case study that examined how 1Password, Dashlane, KeePass and LastPass could leak data: https://www.ise.io/casestudies/password-manager-hacking.

                                  As I said before, no password manager is safe on a machine crawling with viruses and/or malware.
                                  That's where antivirus software comes into play; if you skip that, there is no escape from being eventually "hacked".

                                  The main advantage of a password manager is not reusing passwords for different services. When one gets compromised it's that. One password leaked, one account compromised, the rest is safe. The alternative would be a pen and paper notepad, reusing one password, or using memorable password combinations, all bearing much greater risks than any decent password manager.

                                  IMHO you are getting a bit paranoid. I do agree with BearWithBeard: use as few extensions as practical.
                                  Firefox+adblockplus+KeePassXC+cookiecleaner is my "daily driver".
                                  For the weird side of the internet I use the Tor browser.
                                  For testing downloads use a VM.
                                  Plus a good paid antivirus, so far so good.

                                  NeverDieN 2 Replies Last reply
                                  1
                                  • NeverDie (Hero Member), last edited by NeverDie, #34

                                    @Sasquatch said in Best password manager?:

                                    As I said before no password manager is safe on machine crawling with viruses and/or malware

                                    Is anti-virus recommended for Linux as well?

                                    S 1 Reply Last reply
                                    0
                                    • BearWithBeardB BearWithBeard

                                      Yeah well. Some of those "holes" in password managers are conceptual. You can't display a password or copy it to a clipboard without exposing it. I guess we have to accept that no software is 100% secure and that nobody can ever guarantee such a thing. A lot has to come together before those flaws become a serious threat - and what's the alternative anyway?

                                      Regarding browser extensions: While it's true what Brave is saying, I think it's the wrong conclusion to ditch extensions altogether. Websites themselves, even trustworthy ones, can be malicious. That is because most websites today load content from third parties like advertising or content distribution networks, for tracking purposes and to deliver targeted ads, regionally cached versions of the website or frequently used JS libraries like jQuery. If any of those third parties / CDNs gets compromised, attackers can inject harmful javascript into countless websites. The NYT, Yahoo and Spotify were rather famous victims* spreaders. Even Google's DoubleClick, one of the leading ad servers, has served malware before. (see malvertising on wikipedia).

                                      I understand that there are website owners who rely on ads to fund their projects, and one can always make exceptions for them or compensate through different means (subscriptions, donations,..), but I would never use a browser without any sort of ad- or scriptblocker like uBlock origin or uMatrix these days. I prefer to know and decide on my own which resources and from where they are loaded. They also help to restrict cross site tracking.

                                      Another nice side effect - which may confirm Brave's "3x faster" than Chrome claim - most websites load much faster. Take the NYT frontpage as an example:
                                      No blocker: transferred 28MB in 356 requests, which took 4.43s to load; keeps loading in new images, videos and other resources from third parties every minute
                                      With Blocker: 4.14MB in 58 requests, which took 1.76s; does not load anything from third parties afterwards

                                      It's either that or disable javascript entirely in the browser, which will render many websites useless.

                                      * I'm reluctant to call a website a victim in this case if they knowingly load content from third parties, accepting all the risks involved, but deny any responsibility in case they in turn cause harm to their customers / visitors.
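The blocker / no-blocker comparison in the post above can be reproduced from a HAR export of the browser's network tab. The following is an added example, not part of the original post: the hosts and sizes are constructed, and treating the last two host labels as the "site" is a simplifying assumption (a real tool should use the Public Suffix List).

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site_of(host):
    # Assumption: registrable domain = last two labels (wrong for e.g. co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def summarize(har, page_url):
    """Split HAR entries into first/third party; return totals and script hosts."""
    first_party = site_of(urlsplit(page_url).hostname)
    totals = {"first": [0, 0], "third": [0, 0]}  # [requests, bytes]
    script_hosts = defaultdict(int)              # third-party hosts serving JS
    for e in har["log"]["entries"]:
        host = urlsplit(e["request"]["url"]).hostname or ""
        resp = e["response"]
        party = "first" if site_of(host) == first_party else "third"
        # _transferSize is a Chrome extension field; bodySize may be -1 (unknown).
        size = max(resp.get("_transferSize", resp.get("bodySize", 0)), 0)
        totals[party][0] += 1
        totals[party][1] += size
        mime = resp.get("content", {}).get("mimeType", "")
        if party == "third" and "javascript" in mime:
            script_hosts[host] += 1
    return totals, dict(script_hosts)

def entry(url, mime, size):
    return {"request": {"url": url},
            "response": {"bodySize": size, "content": {"mimeType": mime}}}

# Constructed sample: one page load with two third-party origins.
SAMPLE_HAR = {"log": {"entries": [
    entry("https://www.news.example/", "text/html", 50000),
    entry("https://static.news.example/app.js", "application/javascript", 120000),
    entry("https://cdn.adnetwork.example/ads.js", "application/javascript", 300000),
    entry("https://cdn.adnetwork.example/banner.jpg", "image/jpeg", 800000),
    entry("https://t.tracker.example/pixel.gif", "image/gif", -1),
    entry("https://t.tracker.example/collect.js", "text/javascript", 40000),
]}}

if __name__ == "__main__":
    totals, hosts = summarize(SAMPLE_HAR, "https://www.news.example/")
    for party, (count, size) in totals.items():
        print(f"{party}-party: {count} requests, {size / 1e6:.2f} MB")
    print("third-party script hosts:", hosts)
```

Every host in the last line of output is an origin whose compromise would let script run in the page, which is the list a script blocker asks the user to decide on.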

                                      NeverDie
                                      Hero Member
                                      wrote on last edited by NeverDie
                                      #35

                                      @BearWithBeard said in Best password manager?:

                                      would never use a browser without any sort of ad- or scriptblocker like uBlock Origin or uMatrix these days.

                                      Ah, good, now that we're getting down to brass tacks, thanks for naming names. The one time I tried using an adblocker I quickly ran into a wall: many sites would detect it and refuse to display content until I disabled it. So, I installed PiHole, which they can't detect, and with one stroke it benefits my entire family. That said, it's only as good as its database, so something nefarious could conceivably slip through. Consequently, I should add something more to cover that possibility. Are the script blockers you named detectable by visited websites? If even the New York Times is a spreader, then you just have to assume any website with advertising might also be. Maybe even non-advertising websites (like the many honeypots offering free this or that) could be bad in that respect, and PiHole would be of no benefit there.

                                      • S Sasquatch

                                        @NeverDie said in Best password manager?:

                                        Here's a case study that examined how 1Password, Dashlane, KeePass and LastPass could leak data: https://www.ise.io/casestudies/password-manager-hacking.

                                        As I said before, no password manager is safe on a machine crawling with viruses and/or malware.
                                        That's where antivirus software comes into play; if you skip that, there is no escape from being eventually "hacked".

                                        The main advantage of a password manager is not reusing passwords for different services. When one gets compromised, that's it. One password leaked, one account compromised, the rest is safe. The alternative would be a pen-and-paper notepad, reusing one password, or using memorable password combinations, all bearing much greater risks than any decent password manager.

                                        IMHO you are getting a bit paranoid, I do agree with BearWithBeard, use as few extensions as practical.
                                        Firefox+adblockplus+keepassxc+cookiecleaner is my "daily driver"
                                        For weird side of internet I use TOR browser.
                                        For testing downloads use VM.
                                        Plus good paid antivirus, so far so good.

                                        NeverDie
                                        Hero Member
                                        wrote on last edited by NeverDie
                                        #36

                                        Also, my wife sometimes travels overseas, and this creates online vulnerabilities. This time it will be Russia, so, yeah, time to take it seriously. In addition to password manager and yubikeys, I'm thinking VPN so she can simply tunnel out of there and let her firewall reject any attacks from her local network.

                                          mfalkvidd
                                          Mod
                                          wrote on last edited by
                                          #37

                                          @NeverDie for travel, I would say the largest risk is a border search. US does it, so I would suspect Russia does as well. Good guide: https://www.eff.org/document/eff-border-search-pocket-guide
