Question: Best password manager (Free & Paid) & why?


SeriousHoax

Yeah, I had a similar issue with Google's Smart Lock getting into YouTube/Gmail and had to resort to using my old phone to access my accounts. On my primary phone, the app would just constantly crash and was unable to get into it. Luckily, it's linked to my old phone as well, and that's how I got into it.

Hell, I only use the 2FA for emails, which I think is the only thing you should be concerned about. If your email is compromised, all the accounts linked to it are as well. Sometimes people link other email accounts to their primary ones, which in turn can be used to recover those as well.
2FA is a very good form of extra security. I have it on all my emails, social media accounts and some other things which I consider to be important for me. I was specifically talking about Bitwarden Password Manager forcing 2FA on their service. It should be an option of course but should not be forced IMO, since losing the 2FA of your password manager could lead to losing all your passwords. I have two sets of backups of my 2FAs at the moment. One is saved in Ente Auth's account (since yesterday) and the other one is in KeePassXC. I don't like using a 2FA service that does not offer a backup function, either automatic or manual, and is bound to a device like a smartphone. I also dislike hardware-based 2FA solutions like YubiKey since it's so easy to lose such a small thing.
I also have recovery codes of important accounts backed up.
 

zidong

If a PC is infected/compromised and you don't know about it, how would a 3rd party password manager help? At the moment you unlock it to log in to site A, B or C, all saved passwords are compromised + cookie stealers? If you know that your PC is infected then the first thing to do is to change all important passwords and do a clean install.
In both cases I don't see much benefit from 3rd party password managers.
Important passwords - 7zip encrypted .txt file saved on offline flash drive.
Not important 200+ passwords are saved in browser password manager.
When I do clean install I just export passwords and bookmarks offline and save them on flash drive.
 

Sorrento

I tend to zip my passwords in txt files with a good password. I appreciate it's not for everyone & does create a bit of hassle at times as I save no cookies ever, but... it does work well for me. And it's always in my complete control & not having to rely on outside means.
 

partha_roy

If a PC is infected/compromised and you don't know about it, how would a 3rd party password manager help? At the moment you unlock it to log in to site A, B or C, all saved passwords are compromised + cookie stealers? If you know that your PC is infected then the first thing to do is to change all important passwords and do a clean install.
In both cases I don't see much benefit from 3rd party password managers.
Important passwords - 7zip encrypted .txt file saved on offline flash drive.
Not important 200+ passwords are saved in browser password manager.
When I do clean install I just export passwords and bookmarks offline and save them on flash drive.
What if the malware deletes the 7zip encrypted file or encrypts the already encrypted file stored on your computer? What if your flash drive where you'd save the file gets corrupted or stolen? Look, there will always be "what ifs" in everything.

If you exercise just a basic level of caution, it would make it very difficult for your PC to get infected these days even if you use the default protection of Windows.

Password managers make lives a little easier and I appreciate their purpose; that said, I understand that you would have a different preference and that's fine.
 

zidong

@partha_roy, I store my passwords on three flash drives and decrypt the 7zip file when I'm offline. Before that I scan my PC with NPE, EEK and MD.
When I said "you", I meant all users who use a PM, not just you. My bad. Maybe I'm looking for a reason to try a 3rd party PM and waiting for someone to convince me of its advantages over the standard PM :)
 

partha_roy

@zidong, Don't worry, I didn't take your question personally! I'm happy to recommend Bitwarden as one of the most reliable and user-friendly password managers but then ultimately, the choice is yours.

You mentioned being concerned about losing passwords if malware infiltrates your system. With Bitwarden, even if the relevant cookies were stolen, it wouldn't give the hacker access to your creds.

Here's a link to their policy around cookies - Bitwarden Cookie Policy.
 

rashmi

They use PBKDF2 in SHA-512 form with 320,000 rounds. It's good and industry-accepted, but in my testing, the autofill of Enpass is super weak and the apps are not polished. They don't do audits that much: the apps got reviewed 2 years ago, and the latest review is from 2023 and is not of the apps but of their hub. They have a feature named key file, which is a file that you need to have next to your master password. This method is good and makes an attack on the master password not that successful, but it is not convenient like 1Password's secret key. It is actually the equivalent of the secret key in 1Password. A thing I need to do more research on is that they use SHA-1 for their message authentication; SHA-1 is old and is somehow deprecated, not that secure compared to others.

Their apps were buggy when I was testing them, and the import from other password managers did not work OK either. On pricing etc., 1Password beats it.
Thank you for the details. Enpass couldn't import the Sticky Password database file correctly. Do you have any information about Sticky Password and Password Boss?
 

Game Of Thrones

Thank you for the details. Enpass couldn't import the Sticky Password database file correctly. Do you have any information about Sticky Password and Password Boss?
You're welcome. I tested them quickly and found that compared to 1Password or Bitwarden or Proton Pass they are actually much less professional. When there is Bitwarden or 1Password or Proton Pass, there is no reason to use these lower level products. A password manager is a critical and sensitive piece of software (service); you should pick one which is more trusted, gets audited routinely, is a known brand, has a good and detailed whitepaper about its security and how it works, how they are going to react in breaches, what encryption they are using with what parameters, has an active page about their app changelog, adds features from time to time, etc.
Password managers are not like other normal software we use every day; they are critical and should be chosen carefully. They are not like, for example, a media player which you can test and choose, or have side by side, without caring about its company, coding, whitepaper etc. You are putting your life's secrets in their hands, so I myself choose with care, thoroughly researching and testing them.
For free I would go Bitwarden + Ente Auth. You can pay the 10$ and make Bitwarden your 2FA keeper too, so there's no need for Ente Auth. There is not that much risk if you make your master password secure. I advise you to go to the Bitwarden web vault and change the salting from PBKDF2 to Argon2id. You get much better security.

Another free option is Proton Pass + Ente Auth if you are not okay with paying for Proton Pass, which I myself don't pay for when I can buy something like 1Password.
In paid services nothing beats 1Password; they are in a different league. It's just 35$ per year, which is a logical price for a top-notch service.
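
Added example, not part of any post in this thread: a Python sketch of what the PBKDF2-HMAC-SHA512 setting at 320,000 rounds quoted above costs per guess, and how that compares with the entropy of the master password itself. The sample passwords, the salt and the attacker rate (`iters_per_sec`) are constructed assumptions; Argon2id is not shown because it is not in Python's standard library.

```python
import hashlib
import math
import os
import time

ROUNDS = 320_000  # iteration count quoted in the thread


def derive_key(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=32)


def seconds_per_guess(rounds: int = ROUNDS) -> float:
    """Measure what one derivation (one password guess) costs on this CPU."""
    start = time.perf_counter()
    derive_key("constructed-sample-password", b"\x00" * 16, rounds)
    return time.perf_counter() - start


def stretch_bits(rounds: int) -> float:
    """Bits of work the KDF adds on top of the password's own entropy."""
    return math.log2(rounds)


def years_to_search(entropy_bits: float, rounds: int, iters_per_sec: float) -> float:
    """Average time to cover half the keyspace of a password with the given
    entropy. iters_per_sec is an assumed PBKDF2 iteration rate, not a benchmark."""
    guesses = 2 ** (entropy_bits - 1)
    seconds = guesses * rounds / iters_per_sec
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; a real vault stores its own salt
    print("key:", derive_key("correct horse battery staple", salt).hex())
    print(f"one guess on this machine: {seconds_per_guess():.3f}s")
    print(f"320,000 rounds add about {stretch_bits(ROUNDS):.1f} bits of work")
    rate = 1e9  # hypothetical rate, PBKDF2 iterations per second
    # Entropy figures: log2(26**8) and 12.9 bits per diceware word.
    for label, bits in [("8 random lowercase letters", 37.6),
                        ("4 diceware words", 51.7),
                        ("6 diceware words", 77.5)]:
        print(f"{label}: {years_to_search(bits, ROUNDS, rate):.3g} years")
```

Doubling the round count buys exactly one extra bit, while each additional random word in the master password buys about 12.9, which is why the master password dominates the result under any KDF setting.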
 

toto_10

I switched from Bitwarden to Proton Pass and plan to give it a try for a couple of months.

In Bitwarden, there's a shortcut for automatically inserting passwords. When I try using a similar shortcut in Proton Pass, it only opens the extension in the top-right corner of the browser. Can anyone confirm if Proton Pass currently lacks this functionality?

Also I noticed that Proton Pass's auto log-off feature has a maximum timeout of 1 hour. Unlike Bitwarden, it doesn’t allow you to set it to log off when the browser closes - I miss this function.
 

Jonny Quest

I switched from Bitwarden to Proton Pass and plan to give it a try for a couple of months.

In Bitwarden, there's a shortcut for automatically inserting passwords. When I try using a similar shortcut in Proton Pass, it only opens the extension in the top-right corner of the browser. Can anyone confirm if Proton Pass currently lacks this functionality?

Also I noticed that Proton Pass's auto log-off feature has a maximum timeout of 1 hour. Unlike Bitwarden, it doesn’t allow you to set it to log off when the browser closes - I miss this function.
I apologize that I may not understand, but what is the shortcut?

And you're right, the longest is one hour, and the shortest one minute. It also auto locks when you close the browser, at least it does for me on Windows PCs with Chrome and Brave.
2024-12-23_13-06-11.jpg
 

SeriousHoax

Also I noticed that Proton Pass's auto log-off feature has a maximum timeout of 1 hour. Unlike Bitwarden, it doesn’t allow you to set it to log off when the browser closes - I miss this function.
This is something I also miss but there's a workaround as shown in @Jonny Quest's screenshot. You have to enable the unlock with pin code option in the Proton Pass browser extension's security settings. Set your pin and your desired Auto-lock timer and from now on, if you close the browser/disable the extension, the next time you open your browser, Proton Pass would require you to enter the pin to unlock.
This is not a direct alternative to what Bitwarden and I assume some other password managers have but that's how it is with them and based on their comments on Reddit, they don't intend to change this behavior at the moment. Regarding the pin, the pin only works on devices where you have already logged in before. For a new device, you'll still have to enter the password. So, someone else cannot login from another device if they learn your pin.
1734984256596.png
 

Jonny Quest

This is something I also miss but there's a workaround as shown in @Jonny Quest's screenshot. You have to enable the unlock with pin code option in the Proton Pass browser extension's security settings. Set your pin and your desired Auto-lock timer and from now on, if you close the browser/disable the extension, the next time you open your browser, Proton Pass would require you to enter the pin to unlock.
This is not a direct alternative to what Bitwarden and I assume some other password managers have but that's how it is with them and based on their comments on Reddit, they don't intend to change this behavior at the moment. Regarding the pin, the pin only works on devices where you have already logged in before. For a new device, you'll still have to enter the password. So, someone else cannot login from another device if they learn your pin.
View attachment 286779
LOL...yes, that's why it's doing it, I forgot to mention that I had enabled the 6 digit Pin code. Thank you for following up with that :)
And the rest of your post is spot on. For someone who just started looking into it, using it, well done @SeriousHoax :)

And if the shortcut is to autolog into a website as soon as you hit it, is a "security" precaution to verify you're where you want to be and the website. I believe 1Password also has the option to not autologin, but to use the icon prompts for the same reason. Granted, if it were the wrong website, but close to it, it wouldn't autologin, but still I agree with the concept.
 

toto_10

I apologize that I may not understand, but what is the shortcut?
By pressing "Ctrl + B" the username and password are automatically filled in, eliminating the need to manually click on the extension or use any other method to log in a website.

You can see shortcuts here: edge://extensions/shortcuts

1734989989292.png

Proton Pass has only the first one "Activate extension".
 

Jonny Quest

By pressing "Ctrl + B" the username and password are automatically filled in, eliminating the need to manually click on the extension or use any other method to log in a website.

You can see shortcuts here: edge://extensions/shortcuts

View attachment 286781
Proton Pass has only the first one "Activate extension".
Very cool, thanks for the image post :)
 

lokamoka820

By pressing "Ctrl + B" the username and password are automatically filled in, eliminating the need to manually click on the extension or use any other method to log in a website.

You can see shortcuts here: edge://extensions/shortcuts

View attachment 286781
Proton Pass has only the first one "Activate extension".
Isn't the default shortcut "Ctrl + Shift + L"? Did you change it to what's shown in the screenshot?
 
