How secure are free Password Managers

Are you using a password manager?

  • Yes: 54 votes (90.0%)
  • No: 6 votes (10.0%)
  • No, but will start using one soon: 0 votes (0.0%)

Total voters: 60

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
These days it is very rare to find someone who does not use a password manager. It is quite fair to say that Bitwarden, being open-source and free, is one of the most used password managers out there. That fact makes me believe that it is targeted by hackers more than any other password manager, right? How will Bitwarden and any other password manager survive hackers' attacks? How do they keep our data safe? Please note I am not asking about the claims on their website. I am here asking a real-world question about what happens in case of a major breach or something like that. Thank you.
 

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
Bitwarden is probably the least targeted "known" password manager, if you use 2FA and a good master password (which are vital, of course) and change your KDF iterations to a million, good luck to any attacker. Every password manager I've ever known uses 100K KDF iterations, and I'm aware of none that allow you to change that figure other than Bitwarden. Open source, audited, it's the best you're going to get.

Premium is also cheap at $10/year, which allows you to use hardware 2FA (Yubikeys, etc.) and 1GB of secure cloud storage where I house my recovery codes (as well as locally); it also allows you to store your TOTP keys there to replace any 2FA app you use. Top notch.
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
Threadripper said:
Bitwarden is probably the least targeted "known" password manager, if you use 2FA and a good master password (which are vital, of course) and change your KDF iterations to a million, good luck to any attacker. Every password manager I've ever known uses 100K KDF iterations, and I'm aware of none that allow you to change that figure other than Bitwarden. Open source, audited, it's the best you're going to get.

Premium is also cheap at $10/year, which allows you to use hardware 2FA (Yubikeys, etc.) and 1GB of secure cloud storage where I house my recovery codes (as well as locally); it also allows you to store your TOTP keys there to replace any 2FA app you use. Top notch.

I don't get "Bitwarden is probably the least targeted "known" password manager": it is free and widely used, so it is a good target for hackers. Honestly, I have tried many password managers: Sticky Password, Dashlane, Enpass, 1Password, Roboform, LastPass and Kaspersky Password Manager, to name some. I am currently using Kaspersky Password Manager in the hope that, Kaspersky being a security company, they know what they're doing. Anyway, I really like Bitwarden and its pricing of $10/year, but it being free and widely used sets me away.

Regarding KDF iterations, it is stated on the Bitwarden settings dashboard that "Setting your KDF iterations too high could result in poor performance when logging into (and unlocking) Bitwarden on devices with slower CPUs. We recommend that you increase the value in increments of 50,000 and then test all of your devices." To what extent should this affect performance?
 

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
Divine_Barakah said:
I don't get "Bitwarden is probably the least targeted "known" password manager": it is free and widely used, so it is a good target for hackers. Honestly, I have tried many password managers: Sticky Password, Dashlane, Enpass, 1Password, Roboform, LastPass and Kaspersky Password Manager, to name some. I am currently using Kaspersky Password Manager in the hope that, Kaspersky being a security company, they know what they're doing. Anyway, I really like Bitwarden and its pricing of $10/year, but it being free and widely used sets me away.

Regarding KDF iterations, it is stated on the Bitwarden settings dashboard that "Setting your KDF iterations too high could result in poor performance when logging into (and unlocking) Bitwarden on devices with slower CPUs. We recommend that you increase the value in increments of 50,000 and then test all of your devices." To what extent should this affect performance?

Compared to LastPass, 1Password, Dashlane, and the others owned by big corps who spend lots of $ on advertising, Bitwarden is hardly used. Using a closed-source and unaudited password manager (Kaspersky) is really taking a backward step; take a look at the Bitwarden audit and code yourself. You can even self-host it should you feel the need.

Unless you have a really low-end system you won't struggle with 1 million KDF iterations; that warning, as well as the 1 million limit, is there to prevent people who just set it to the highest number they can think of from bricking their accounts. You won't notice it, and if you do it's merely a few seconds, unless devices like your phone are old or low-end.

EDIT: It seems Kaspersky Password Manager doesn't even have 2FA...
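The trade-off described above (a higher KDF iteration count slows one unlock by the same factor it slows an offline guessing attack on a stolen vault) can be measured directly. This is an added illustration, not Bitwarden's code: the password and salt are constructed sample values, and it assumes PBKDF2-HMAC-SHA256 with a 32-byte output, the construction the thread names.

```python
import hashlib
import time

# Constructed sample values for the demonstration only.
MASTER_PASSWORD = b"correct horse battery staple"
SALT = b"user@example.com"


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte key, the KDF the thread discusses."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def time_unlock(iterations: int) -> float:
    """Seconds one unlock (a single key derivation) costs on this machine."""
    start = time.perf_counter()
    derive_key(MASTER_PASSWORD, SALT, iterations)
    return time.perf_counter() - start


def attacker_guess_rate(guesses_per_sec_at_100k: float, iterations: int) -> float:
    """Offline guess rate at `iterations`, given the rate at 100,000 iterations.

    PBKDF2 cost is linear in the iteration count, so going from 100k to 1M
    divides an attacker's throughput by ten, exactly as it multiplies the
    legitimate user's unlock time by ten.
    """
    return guesses_per_sec_at_100k * 100_000 / iterations


def iterations_for_unlock_budget(seconds: float, probe: int = 100_000) -> int:
    """Estimate how many iterations keep one unlock under `seconds` here.

    Measures one derivation at `probe` iterations, extrapolates linearly, and
    rounds down to the 50,000 step the settings page advises testing in.
    """
    per_iteration = time_unlock(probe) / probe
    raw = int(seconds / per_iteration)
    return max(probe, raw - raw % 50_000)


if __name__ == "__main__":
    for n in (100_000, 600_000, 1_000_000):
        print(f"{n:>9} iterations: one unlock takes {time_unlock(n):.3f} s")
    print("iterations fitting a 1 s unlock budget:", iterations_for_unlock_budget(1.0))
```

Run it on the slowest device you own: the printed unlock times are what the "test all of your devices" advice is asking you to check.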
 

Andrew3000

Level 11
Verified
Top Poster
Malware Hunter
Well-known
Feb 8, 2016
516
The way they work is to create the encrypted database on the local computer. This encrypted DB is synchronized between every device and the cloud, so the password manager can't see its contents. If you lose your master password you can't recover it; generally, password managers don't know your passwords.

The important thing is the master password: the stronger it is, the more the risk of data theft is reduced, and obviously 2FA should be activated on the account.

Most password managers have a specialized team for bug and vulnerability hunting. An example was a lastpass vulnerability that was fixed in less than two days after it was discovered.

You can read more here: How Do Password Managers Work? 3 Methods Explained
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
Threadripper said:
Compared to LastPass, 1Password, Dashlane, and the others owned by big corps who spend lots of $ on advertising, Bitwarden is hardly used. Using a closed-source and unaudited password manager (Kaspersky) is really taking a backward step; take a look at the Bitwarden audit and code yourself. You can even self-host it should you feel the need.

Unless you have a really low-end system you won't struggle with 1 million KDF iterations; that warning, as well as the 1 million limit, is there to prevent people who just set it to the highest number they can think of from bricking their accounts. You won't notice it, and if you do it's merely a few seconds, unless devices like your phone are old or low-end.

EDIT: It seems Kaspersky Password Manager doesn't even have 2FA...

I have created a Bitwarden account and I will give it a try for a few days and see how it goes. Regarding Kaspersky Password Manager, it is protected by two passwords: your My.Kaspersky account password and your master password. I don't know if this is considered 2FA, but it is better than nothing. I also really like 1Password, but its price is insane. Finally, I think self-hosting Bitwarden is a bit complicated, at least for me. I really liked how you could use your own cloud (like Koofr in my case) to store your Enpass vault using a WebDAV connection.
 

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
Divine_Barakah said:
I have created a Bitwarden account and I will give it a try for a few days and see how it goes. Regarding Kaspersky Password Manager, it is protected by two passwords: your My.Kaspersky account password and your master password. I don't know if this is considered 2FA, but it is better than nothing. I also really like 1Password, but its price is insane. Finally, I think self-hosting Bitwarden is a bit complicated, at least for me. I really liked how you could use your own cloud (like Koofr in my case) to store your Enpass vault using a WebDAV connection.

They use AES and PBKDF2, so only one of those passwords is going to be of any use; a second password isn't even close to the security of 2FA, seeing as we humans are awful with passwords.
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
Threadripper said:
They use AES and PBKDF2, so only one of those passwords is going to be of any use; a second password isn't even close to the security of 2FA, seeing as we humans are awful with passwords.

I have always wondered why a security company (Kaspersky) has not deployed 2FA yet. One last question, if you don't mind: do you find it a good idea to use Bitwarden to store 2FA for other services? I mean using it as an authenticator.
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
Kaspersky is a rebranded, older version of Sticky Password.

Bit Warden is very secure.

I don't think KPM is a rebranded SP anymore. They have optimised the product and added the ability to access your vault online. KPM is more stable than SP and consumes fewer resources. KPM does not slow down browsers (SP did some time ago). SP, on the other hand, offers a lifetime license and supports more browsers than KPM does.
 

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
Divine_Barakah said:
I have always wondered why a security company (Kaspersky) has not deployed 2FA yet. One last question, if you don't mind: do you find it a good idea to use Bitwarden to store 2FA for other services? I mean using it as an authenticator.

Because I know how secure Bitwarden is, I feel like using it as an authenticator is best, and I have premium.

Use Keepass Safe. Offline, secure.

Multi-device though.
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
One thing that I don't like about Bitwarden is that it does not offer to save login details. You have to add them manually. Am I wrong in that regard, or missing something?
 

L0ckJaw

Level 19
Verified
Content Creator
Well-known
Feb 17, 2018
870
I use Avira Password Manager Pro; I love the app and the way it logs in on websites.
It works brilliantly. I bought cheap Avira Internet Security licenses online and only use the password manager.
 
