Poll Password Manager Poll (2022)

Which Password manager do you use?(Poll)

  • KeePass

    Votes: 36 16.3%
  • NordPass

    Votes: 3 1.4%
  • Sticky password

    Votes: 9 4.1%
  • LastPass

    Votes: 15 6.8%
  • Bitwarden

    Votes: 112 50.7%
  • Dashlane

    Votes: 6 2.7%
  • Firefox

    Votes: 3 1.4%
  • 1Password

    Votes: 18 8.1%
  • Kaspersky Password Manager

    Votes: 8 3.6%
  • Roboform

    Votes: 11 5.0%

  • Total voters
    221

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
@R2D2 It's complicated if you used LP Authenticator, if it was just saved locally no problem, but sync in the cloud from the same company as Laspass that suffered a breach? For sure I would switch too, I don't think I would trust Lastpass and its products anymore, it lost credibility. If your master password is strong, I don't think you would need to panic anytime soon, the problem that Lastpass is closed source, and maybe they are not being transparent in this incident, maybe they are minimizing the worst, so it is better to reset the passwords of the most important accounts first little by little. I used to use Authy Authenticator(Twilio) that also suffered a breach a few months ago, now I migrated and started using Aegis Authenticator, it was the best thing I did, it doesn't sync in the cloud, but gives you option for backup, Authy was convenient, it synced on all devices, Aegis you have to export manually, then you have to import into another device, if you use 2 devices, it will be a little inconvenient. I prefer it this way. (y)

I wouldn't be so sure about that. ;)
Thanks! for sharing, very good, I read the article, knowledge is never too much. (y)
 
Last edited:

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
It's complicated if you used LP Authenticator, if it was just saved locally no problem, but sync in the cloud from the same company as Laspass that suffered a breach? For sure I would switch too, I don't think I would trust Lastpass and its products anymore, it lost credibility. If your master password is strong, I don't think you would need to panic anytime soon,
Yes of course I had a strong password as did my family members. And I am a low value target from the PoV of a hacker. That said, I do get annoyed at myself because I trusted LP and their authenticator with my 2FA tokens even after the Aug break-in..remember I was taking it for a test drive. Yes, it was backed up to the cloud, itself a large contributor to deep concerns about my data. Just hope it was encrypted.

I have switched to BW and 1PW and burned bridges with LP for keeps. I'm sure there are many like me who gave LP the good ol' heave-ho. Not sure if I'd be be able to trust them ever again.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Yes of course I had a strong password as did my family members. And I am a low value target from the PoV of a hacker. That said, I do get annoyed at myself because I trusted LP and their authenticator with my 2FA tokens even after the Aug break-in..remember I was taking it for a test drive. Yes, it was backed up to the cloud, itself a large contributor to deep concerns about my data. Just hope it was encrypted.

I have switched to BW and 1PW and burned bridges with LP for keeps. I'm sure there are many like me who gave LP the good ol' heave-ho. Not sure if I'd be be able to trust them ever again.

You talked of better security in the use of PW managers. How about the privacy aspects of such PW managers?

It's similar to choose a VPN. Not choosing one based in the 5-eye countries.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
You talked of better security in the use of PW managers. How about the privacy aspects of such PW managers?

It's similar to choose a VPN. Not choosing one based in the 5-eye countries.
What options do we have? There can't be many. Yes I have Yandex authenticator and I trust that less than a product frrom a company based in a 5/14 eye country. Enpass authors are based in India...and I am not sure about how much spying/monitoring the Indian Govt does for the US and vice versa. If I had to select a 'neutral' solution it would have to be a FOSS app like Keepass or similar. Sticky Password (lifetime subs) is based in the Czech republic...that's an option too and something I am considering seriously for its local sync option.
 
  • Like
Reactions: piquiteco

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
What options do we have? There can't be many. Yes I have Yandex authenticator and I trust that less than a product frrom a company based in a 5/14 eye country. Enpass authors are based in India...and I am not sure about how much spying/monitoring the Indian Govt does for the US and vice versa. If I had to select a 'neutral' solution it would have to be a FOSS app like Keepass or similar. Sticky Password (lifetime subs) is based in the Czech republic...that's an option too and something I am considering seriously for its local sync option.

How about this? FI, I am NOT using it.

 
  • Like
Reactions: piquiteco and R2D2

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
The secret key seems interesting. I wonder if other companies could implement something better.


 

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Hello to all,

after that LP stuff - I got rly paranoid with my Passwords.

Left 1password and switched over to KeePassXC (Now my stuff is local...) - The thing is where to put Data? - I know Passwords are a special case but still so is important Data.

Time to go Local again? (Y/N) - Seems that Cloud Providers get infiltrated much more lately...

We could go all Day with - What if? - Scenarios but what is realistic possible?!

I have a different setup then most here for a Private Person:
- Sophos XGS Firewall with Sandboxing, SSL-Inspection, Application Control and so on...
- Sophos Intercept X Adv. with XDR (With Black and Whitelisting of allowed Applications)
- Separate Networks where Dataflow is very restricted (Example: LAN to NAS with only SMB Port) (And IP MAC Binding)
- and more...

For now, I keep my stuff local not even use OneDrive or such to synchronise.

Best regards
Val.
 

YuanJiawj

Level 12
Verified
Top Poster
Well-known
Oct 9, 2014
583
Hello to all,

after that LP stuff - I got rly paranoid with my Passwords.

Left 1password and switched over to KeePassXC (Now my stuff is local...) - The thing is where to put Data? - I know Passwords are a special case but still so is important Data.

Time to go Local again? (Y/N) - Seems that Cloud Providers get infiltrated much more lately...

We could go all Day with - What if? - Scenarios but what is realistic possible?!

I have a different setup then most here for a Private Person:
- Sophos XGS Firewall with Sandboxing, SSL-Inspection, Application Control and so on...
- Sophos Intercept X Adv. with XDR (With Black and Whitelisting of allowed Applications)
- Separate Networks where Dataflow is very restricted (Example: LAN to NAS with only SMB Port) (And IP MAC Binding)
- and more...

For now, I keep my stuff local not even use OneDrive or such to synchronise.

Best regards
Val.
KeePassXC has support for import data from 1P?
 

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
KeePassXC has support for import data from 1P?
Yes, it worked for me with all the TOTPs intact as CSV Export. Just had to adjust the Import from CSV with the Columns assigned. But after all that a few settings and it works much better then 1password because of the Autotyping.

I have some Password Fields that need OTP within the Password field.
Example: {USERNAME}{TAB}{PASSWORD}{TOTP}{ENTER}

Works like a charm.... Wished 1password had that feature...
Windows Hello works with KeepassXC too. (Was by chance...)

Sincerely
Val.
 

YuanJiawj

Level 12
Verified
Top Poster
Well-known
Oct 9, 2014
583
Yes, it worked for me with all the TOTPs intact as CSV Export. Just had to adjust the Import from CSV with the Columns assigned. But after all that a few settings and it works much better then 1password because of the Autotyping.

I have some Password Fields that need OTP within the Password field.
Example: {USERNAME}{TAB}{PASSWORD}{TOTP}{ENTER}

Works like a charm.... Wished 1password had that feature...
Windows Hello works with KeepassXC too. (Was by chance...)

Sincerely
Val.
Thank you! I'll give a try for testing its features :)
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
One other thing you can do, if you don't trust cloud based password manager or for other reasons, or because you are a little bitparanoid, you just store a part of your password in your password manager, not everything for example: let's say your password for your account is this
@wR69Y3&N$e6UY4
you save that password in your password manager and add + something for example:
<+A9*03=(5)
you memorize just this one
<+A9*03=(5)
and the other one which would be this
@wR69Y3&N$e6UY4
you leave it saved inside your password manager, if your password manager is compromised like what happened with Lastpass recently it will be useless to a hacker, with only the first password he won't be able to access any of your accounts, because it will be incomplete, the other part only you know. I had seen this somewhere I do not remember where, I do not remember type password + Salt something like that. ;)
Thanks for the tip. One more thing is never to store 2FA keys in your password manager or at least on the same vault.

I have two vaults in Enpass, one for the passwords and the other for 2FA with completely different master passwords.

Interestingly, but no one considers Avira Password Manager as a password manager?
Personally, I am not a fan of using password managers offered by security vendors. I prefer the ones offered by companies specialised in developing password managers only. Those tend to listen to feedback and feature suggestions.
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Interestingly, but no one considers Avira Password Manager as a password manager?
Yes, I consider Avira Password Manager as a password manager, and by the way is very good, I have tested.;) Due to an incident recently with Lastpass a well-known cloud password manager, many people are opting for an offline password manager, or that resides locally or that synchronize only via WiFi/LAN.(y)

Thanks for the tip. One more thing is never to store 2FA keys in your password manager or at least on the same vault.

I have two vaults in Enpass, one for the passwords and the other for 2FA with completely different master passwords.
Yes, correct if you store the 2FA keys in your password manager and it gets hacked, and the hacker somehow gains access, the purpose of two-step verification 2FA ceases to exist and game over for you.☹️
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Yes, I consider Avira Password Manager as a password manager, and by the way is very good, I have tested.;) Due to an incident recently with Lastpass a well-known cloud password manager, many people are opting for an offline password manager, or that resides locally or that synchronize only via WiFi/LAN.(y)

Sticky Password also has this capability of secure local WiFi/cloud/secure offline
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Sticky Password also has this capability of secure local WiFi/cloud/secure offline
Yes, I posted in another article about the Sticky Password. (y)
1672374253414.png
1672375650733.png

TBH this double exercise feels like a ton of bricks on my shoulder right now but there's no option. #*#^* u LP thanks for letting us subscribers & users down. I am p1$$ed. :mad:
That was the website All Things Secured - Double blind password I remembered now and found he is called Josh. And the video explaining is this

 
Last edited:

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Yes, correct if you store the 2FA keys in your password manager and it gets hacked, and the hacker somehow gains access, the purpose of two-step verification 2FA ceases to exist and game over for you.☹️
I might be wrong. Correct me if I'm wrong, for I'm considering the use of a Password Manager

Of course, everything can be hacked regardless of 2FA/MFA. What we want is to make things difficult to hack the Password Manager

2FA deploys say a master password and a TOTP code send to your phone

A TOTP code is useless to be used a second time since it'll expire after say 30 sec or 60 sec. You'll need to generate another TOTP if it expires

As for the master password, you need to physically key in and that's where a keylogger can capture it. To strengthen it, you'll need to use a randomized virtual onscreen kb with delay key setting and anti-screen capture/anti-clipboard capture or encrypted keystrokes/hidden keystrokes etc to key the master password each and every time. The weakness is that if your master password is of 80 characters, and you need to access 50 websites every day, then it becomes an issue to remember and a hassle to use.

Looks like a new kid in the block. Anyone using it?


It's at github

 
Last edited:

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I might be wrong. Correct me if I'm wrong, for I'm considering the use of a Password Manager
Yes, you are right, the password manager was created to make it more convenient, instead of remembering dozens of passwords, you need to remember only one that, only you know the master password of your PM.(y)
Of course, everything can be hacked regardless of 2FA/MFA. What we want is to make things difficult to hack the Password Manager
Yes everything can be hacked, especially internet connected devices, yes 2FA can be bypassed and circumvented, either by using reverse proxy or stealing your cookies with your saved session.

A TOTP code is useless to be used a second time since it'll expire after say 30 sec or 60 sec. You'll need to generate another TOTP if it expires

Yes, correct TOTP is time based so it expires after 30 seconds or 60 seconds. I would not say that, if I were you, that TOTP is useless for a hacker after the token expires, depending on many of the circumstances, today we have security key like Yubikey, proving that TOTP can be ignored. Many companies and people use security key. If the hacker wants and you are an important target, somehow he will achieve his goal, which is to gain access to everything and steal whatever he wants and then leave without you having noticed.

As for the master password, you need to physically key in and that's where a keylogger can capture it. To strengthen it, you'll need to use a randomized virtual onscreen kb with delay key setting and anti-screen capture/anti-clipboard capture or encrypted keys/hidden keys etc to key the master password each and every time. The weakness is that if your master password is of 80 characters, and you need to access 50 websites every day, then it becomes an issue to remember and a hassle to use.

Yes, the master password is physically typed of course, yes correct, a keylogger can capture it when you type your password from your keyboard, I suppose everyone who uses a PM knows this, or am I wrong? I always enter my master password only on my device that I use, like on my laptop, desktop, on my phone, which I know is trusted and is clean of malware, keylogger etc. I will never use my PM on a stranger's machine, even on my father's computer I think ten times before entering my password. Wait... there is maybe use yes @simmerskool sends a hug! I enter my master password in the Keepass Secure Desktop and the Keylogger is useless and will not capture my master password when I type it.;)

About the size of my master password is my secret that only I know, and your secret too that we can't reveal, I will not tell you how many characters I use my master password, but it is huge, long and tedious to type, probably much more than 80 characters just multiply 80x7 and you will know the size. If you have a PM and are going to use a weak master password, then it doesn't make sense to use a PM, it's better to leave it saved in the browser. I was talking to @R2D2 about "Double blind password" just a suggestion, that I had seen a few years ago, I didn't tell him to use it that way, it makes it a little inconvenient, having to type a password + a suffix or prefix but there are people who use it that way, as Lastpass suffered a violation, he got a little thoughtful, and the master password he uses according to him reported is strong, I believe in what he said, but and Lastpass is being transparent with their users? Note: I am not defaming Lastpass just commenting on the incident, don't get me wrong folks.(y)

@HarborFront was nice talking to you, just hope you do not take me wrong, suddenly I wrote something that you may think I am offending, but I am not, I have great respect for you and many members here in MT you are veteran here, I do not want to make enmity with anyone and not violate the rules of the forum for God's sake. (y)
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,158
Yes, you are right, the password manager was created to make it more convenient, instead of remembering dozens of passwords, you need to remember only one that, only you know the master password of your PM.(y)

Yes everything can be hacked, especially internet connected devices, yes 2FA can be bypassed and circumvented, either by using reverse proxy or stealing your cookies with your saved session.



Yes, correct TOTP is time based so it expires after 30 seconds or 60 seconds. I would not say that, if I were you, that TOTP is useless for a hacker after the token expires, depending on many of the circumstances, today we have security key like Yubikey, proving that TOTP can be ignored. Many companies and people use security key. If the hacker wants and you are an important target, somehow he will achieve his goal, which is to gain access to everything and steal whatever he wants and then leave without you having noticed.



Yes, the master password is physically typed of course, yes correct, a keylogger can capture it when you type your password from your keyboard, I suppose everyone who uses a PM knows this, or am I wrong? I always enter my master password only on my device that I use, like on my laptop, desktop, on my phone, which I know is trusted and is clean of malware, keylogger etc. I will never use my PM on a stranger's machine, even on my father's computer I think ten times before entering my password. Wait... there is maybe use yes @simmerskool sends a hug! I enter my master password in the Keepass Secure Desktop and the Keylogger is useless and will not capture my master password when I type it.;)

About the size of my master password is my secret that only I know, and your secret too that we can't reveal, I will not tell you how many characters I use my master password, but it is huge, long and tedious to type, probably much more than 80 characters just multiply 80x7 and you will know the size. If you have a PM and are going to use a weak master password, then it doesn't make sense to use a PM, it's better to leave it saved in the browser. I was talking to @R2D2 about "Double blind password" just a suggestion, that I had seen a few years ago, I didn't tell him to use it that way, it makes it a little inconvenient, having to type a password + a suffix or prefix but there are people who use it that way, as Lastpass suffered a violation, he got a little thoughtful, and the master password he uses according to him reported is strong, I believe in what he said, but and Lastpass is being transparent with their users? Note: I am not defaming Lastpass just commenting on the incident, don't get me wrong folks.(y)

@HarborFront was nice talking to you, just hope you do not take me wrong, suddenly I wrote something that you may think I am offending, but I am not, I have great respect for you and many members here in MT you are veteran here, I do not want to make enmity with anyone and not violate the rules of the forum for God's sake. (y)

My main gripe in the use of Password Manager is to key in the long master password. Imagine keying in 80 characters for 20 sign-in websites

I think I may have found a program which can simplify this


It can keep your password if you enable the feature so that the same password (in this case the master password) can be used repeatedly

Quote

Keep password after drag-drop

If this is enabled, all text in the password box will remain after it’s been dragged and dropped to another application.

If this is not enabled, the text will be cleared after every drag-drop.

Unquote

I hope it meets my need in not keying in the master password repeatedly
 
Last edited:

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
@HarborFront Interesting about SafeKeys, I didn't know that one. Thanks for sharing! Another day we'll talk more, tomorrow I'll be here giving a Happy New Year to all MT Members and friends.(y)
 

mkoundo

Level 8
Verified
Well-known
Jul 21, 2017
358
My main gripe in the use of Password Manager is to key in the long master password. Imagine keying in 80 characters for 20 sign-in websites


In bitwarden browser extension you can set it up so that you key in a short code, say a 4 digit pin on that particular browser to access the PW extension. It can be setup such that the PW manager remains open until you close the browser, so entering the master password repeatedly is unnecessary.

Untitled.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top