Password Manager Poll (2022)

Which password manager do you use? (Poll)

  • KeePass: 36 votes (16.3%)
  • NordPass: 3 votes (1.4%)
  • Sticky Password: 9 votes (4.1%)
  • LastPass: 15 votes (6.8%)
  • Bitwarden: 112 votes (50.7%)
  • Dashlane: 6 votes (2.7%)
  • Firefox: 3 votes (1.4%)
  • 1Password: 18 votes (8.1%)
  • Kaspersky Password Manager: 8 votes (3.6%)
  • Roboform: 11 votes (5.0%)

  • Total voters: 221

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
@R2D2 It's complicated if you used LP Authenticator, if it was just saved locally no problem, but sync in the cloud from the same company as LastPass that suffered a breach? For sure I would switch too, I don't think I would trust LastPass and its products anymore, it lost credibility. If your master password is strong, I don't think you would need to panic anytime soon, the problem is that LastPass is closed source, and maybe they are not being transparent in this incident, maybe they are minimizing the worst, so it is better to reset the passwords of the most important accounts first, little by little. I used to use Authy Authenticator (Twilio), which also suffered a breach a few months ago; now I migrated and started using Aegis Authenticator, it was the best thing I did, it doesn't sync in the cloud, but gives you the option for backup. Authy was convenient, it synced on all devices; with Aegis you have to export manually, then import into another device, so if you use 2 devices it will be a little inconvenient. I prefer it this way. (y)

I wouldn't be so sure about that. ;)
Thanks for sharing, very good, I read the article, knowledge is never too much. (y)
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
It's complicated if you used LP Authenticator, if it was just saved locally no problem, but sync in the cloud from the same company as LastPass that suffered a breach? For sure I would switch too, I don't think I would trust LastPass and its products anymore, it lost credibility. If your master password is strong, I don't think you would need to panic anytime soon,
Yes of course I had a strong password, as did my family members. And I am a low-value target from the PoV of a hacker. That said, I do get annoyed at myself because I trusted LP and their authenticator with my 2FA tokens even after the Aug break-in... remember I was taking it for a test drive. Yes, it was backed up to the cloud, itself a large contributor to deep concerns about my data. Just hope it was encrypted.

I have switched to BW and 1PW and burned bridges with LP for keeps. I'm sure there are many like me who gave LP the good ol' heave-ho. Not sure if I'd be able to trust them ever again.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
Yes of course I had a strong password, as did my family members. And I am a low-value target from the PoV of a hacker. That said, I do get annoyed at myself because I trusted LP and their authenticator with my 2FA tokens even after the Aug break-in... remember I was taking it for a test drive. Yes, it was backed up to the cloud, itself a large contributor to deep concerns about my data. Just hope it was encrypted.

I have switched to BW and 1PW and burned bridges with LP for keeps. I'm sure there are many like me who gave LP the good ol' heave-ho. Not sure if I'd be able to trust them ever again.

You talked of better security in the use of PW managers. How about the privacy aspects of such PW managers?

It's similar to choosing a VPN: not choosing one based in the 5-eyes countries.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
You talked of better security in the use of PW managers. How about the privacy aspects of such PW managers?

It's similar to choosing a VPN: not choosing one based in the 5-eyes countries.
What options do we have? There can't be many. Yes I have Yandex authenticator and I trust that less than a product from a company based in a 5/14-eyes country. Enpass authors are based in India... and I am not sure about how much spying/monitoring the Indian Govt does for the US and vice versa. If I had to select a 'neutral' solution it would have to be a FOSS app like KeePass or similar. Sticky Password (lifetime subs) is based in the Czech Republic... that's an option too and something I am considering seriously for its local sync option.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
What options do we have? There can't be many. Yes I have Yandex authenticator and I trust that less than a product from a company based in a 5/14-eyes country. Enpass authors are based in India... and I am not sure about how much spying/monitoring the Indian Govt does for the US and vice versa. If I had to select a 'neutral' solution it would have to be a FOSS app like KeePass or similar. Sticky Password (lifetime subs) is based in the Czech Republic... that's an option too and something I am considering seriously for its local sync option.

How about this? FI, I am NOT using it.

 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
The secret key seems interesting. I wonder if other companies could implement something better.


 

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Hello to all,

after that LP stuff - I got rly paranoid with my Passwords.

Left 1password and switched over to KeePassXC (Now my stuff is local...) - The thing is where to put Data? - I know Passwords are a special case but still so is important Data.

Time to go Local again? (Y/N) - Seems that Cloud Providers get infiltrated much more lately...

We could go all day with "What if?" scenarios, but what is realistically possible?!

I have a different setup than most here for a private person:
- Sophos XGS Firewall with Sandboxing, SSL-Inspection, Application Control and so on...
- Sophos Intercept X Adv. with XDR (With Black and Whitelisting of allowed Applications)
- Separate Networks where Dataflow is very restricted (Example: LAN to NAS with only SMB Port) (And IP MAC Binding)
- and more...

For now, I keep my stuff local not even use OneDrive or such to synchronise.

Best regards
Val.
 

YuanJiawj

Level 12
Verified
Top Poster
Well-known
Oct 9, 2014
583
Hello to all,

after that LP stuff - I got rly paranoid with my Passwords.

Left 1password and switched over to KeePassXC (Now my stuff is local...) - The thing is where to put Data? - I know Passwords are a special case but still so is important Data.

Time to go Local again? (Y/N) - Seems that Cloud Providers get infiltrated much more lately...

We could go all day with "What if?" scenarios, but what is realistically possible?!

I have a different setup than most here for a private person:
- Sophos XGS Firewall with Sandboxing, SSL-Inspection, Application Control and so on...
- Sophos Intercept X Adv. with XDR (With Black and Whitelisting of allowed Applications)
- Separate Networks where Dataflow is very restricted (Example: LAN to NAS with only SMB Port) (And IP MAC Binding)
- and more...

For now, I keep my stuff local not even use OneDrive or such to synchronise.

Best regards
Val.
KeePassXC has support for import data from 1P?
 

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
KeePassXC has support for import data from 1P?
Yes, it worked for me with all the TOTPs intact as a CSV export. Just had to adjust the import from CSV with the columns assigned. But after all that and a few settings it works much better than 1Password because of the auto-typing.

I have some Password Fields that need OTP within the Password field.
Example: {USERNAME}{TAB}{PASSWORD}{TOTP}{ENTER}

Works like a charm.... Wished 1password had that feature...
Windows Hello works with KeepassXC too. (Was by chance...)

Sincerely
Val.
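The auto-type sequence quoted in the post above ({USERNAME}{TAB}{PASSWORD}{TOTP}{ENTER}) is a small grammar: each {NAME} is either a key press or a field of the vault entry. As an added example, not KeePassXC's own code, here is a parser and expander for that grammar in Python. The entry dictionary, the `totp_provider` callable and the action tuples are assumptions made for this illustration; the masked `describe()` trace shows the defensive detail that matters when an auto-type engine logs what it did: the password and the one-time code must never reach the log.

```python
"""Expand a KeePassXC-style auto-type sequence into keystroke actions.

Added illustration, not KeePassXC's own code. It models the placeholder
syntax shown in the post ({USERNAME}{TAB}{PASSWORD}{TOTP}{ENTER}); the entry
dictionary, the totp_provider callable and the action tuples are assumptions
made for this example.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Placeholders that expand to a field of the vault entry.
FIELD_PLACEHOLDERS = {"USERNAME", "PASSWORD", "URL", "TITLE"}
# Placeholders that press a key instead of typing text.
KEY_PLACEHOLDERS = {"TAB", "ENTER", "SPACE", "ESC"}
# Expansions whose value must never appear in logs or traces.
SECRET_PLACEHOLDERS = {"PASSWORD", "TOTP"}

# A token is either {NAME} or a run of literal text without braces.
TOKEN_RE = re.compile(r"\{([A-Z]+)\}|([^{]+)")

# Action = (kind, value, is_secret); kind is "text" or "key".
Action = Tuple[str, str, bool]


def tokenize(sequence: str) -> List[Tuple[str, str]]:
    """Split a sequence into ("placeholder", NAME) / ("literal", text) tokens.

    Raises ValueError on anything the grammar does not cover, such as an
    unterminated '{' or a lowercase placeholder name.
    """
    tokens = []
    pos = 0
    for match in TOKEN_RE.finditer(sequence):
        if match.start() != pos:  # the regex skipped over unparsable text
            raise ValueError(f"cannot parse auto-type sequence at offset {pos}")
        pos = match.end()
        if match.group(1) is not None:
            tokens.append(("placeholder", match.group(1)))
        else:
            tokens.append(("literal", match.group(2)))
    if pos != len(sequence):
        raise ValueError(f"cannot parse auto-type sequence at offset {pos}")
    return tokens


def expand(sequence: str, entry: Dict[str, str],
           totp_provider: Optional[Callable[[], str]] = None) -> List[Action]:
    """Resolve placeholders against an entry and return the actions to perform."""
    actions: List[Action] = []
    for kind, value in tokenize(sequence):
        if kind == "literal":
            actions.append(("text", value, False))
        elif value in KEY_PLACEHOLDERS:
            actions.append(("key", value, False))
        elif value in FIELD_PLACEHOLDERS:
            field = entry.get(value.lower())
            if field is None:
                raise ValueError(f"entry has no '{value.lower()}' field for {{{value}}}")
            actions.append(("text", field, value in SECRET_PLACEHOLDERS))
        elif value == "TOTP":
            if totp_provider is None:
                raise ValueError("sequence uses {TOTP} but the entry has no TOTP secret")
            actions.append(("text", totp_provider(), True))
        else:
            raise ValueError(f"unknown placeholder {{{value}}}")
    return actions


def describe(actions: List[Action]) -> str:
    """Trace of an expansion with secret values masked, safe to write to a log."""
    parts = []
    for kind, value, is_secret in actions:
        parts.append(f"{kind}:{'<redacted>' if is_secret else value}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample entry; the TOTP provider is stubbed with a fixed code.
    sample_entry = {"username": "alice", "password": "correct horse battery staple"}
    acts = expand("{USERNAME}{TAB}{PASSWORD}{TOTP}{ENTER}", sample_entry, lambda: "123456")
    print(describe(acts))
```

A sequence that names {TOTP} for an entry without a TOTP secret is rejected before anything is typed, rather than silently typing an empty code; the same strict failure applies to unknown or malformed placeholders, since a half-typed sequence that leaves the password sitting in the wrong field is worse than no auto-type at all.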
 

YuanJiawj

Level 12
Verified
Top Poster
Well-known
Oct 9, 2014
583
Yes, it worked for me with all the TOTPs intact as a CSV export. Just had to adjust the import from CSV with the columns assigned. But after all that and a few settings it works much better than 1Password because of the auto-typing.

I have some Password Fields that need OTP within the Password field.
Example: {USERNAME}{TAB}{PASSWORD}{TOTP}{ENTER}

Works like a charm.... Wished 1password had that feature...
Windows Hello works with KeepassXC too. (Was by chance...)

Sincerely
Val.
Thank you! I'll give a try for testing its features :)
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
One other thing you can do, if you don't trust cloud-based password managers or for other reasons, or because you are a little bit paranoid, is to store only a part of your password in your password manager, not everything. For example, let's say your password for your account is this:
@wR69Y3&N$e6UY4
You save that password in your password manager and add something to it, for example:
<+A9*03=(5)
You memorize just this one:
<+A9*03=(5)
and the other one, which would be this:
@wR69Y3&N$e6UY4
you leave saved inside your password manager. If your password manager is compromised, like what happened with LastPass recently, it will be useless to a hacker: with only the first password he won't be able to access any of your accounts, because it will be incomplete, and the other part only you know. I had seen this somewhere, I do not remember where; I do not remember the name, something like password + salt. ;)
Thanks for the tip. One more thing is never to store 2FA keys in your password manager or at least on the same vault.

I have two vaults in Enpass, one for the passwords and the other for 2FA with completely different master passwords.

Interestingly, but no one considers Avira Password Manager as a password manager?
Personally, I am not a fan of using password managers offered by security vendors. I prefer the ones offered by companies specialised in developing password managers only. Those tend to listen to feedback and feature suggestions.
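The split-credential scheme described in the quoted post above (the site password is a vault-stored part plus a memorized suffix) can be checked end to end. The following Python is an added example, not code from any password manager: it enrols the full password on a constructed server side with salted PBKDF2, then tries each half on its own, the way a leaked vault would allow, and estimates the guessing work that remains once the stored half is known. The iteration count and the 94-symbol alphabet are assumptions for the illustration; the two sample halves are the ones from the post.

```python
"""Split-credential ("double blind") password check.

Added example, not code from any password manager. Registration and
verification use PBKDF2-HMAC-SHA256 on a constructed server side; the
iteration count and the alphabet used for the entropy estimate are
assumptions for illustration.
"""
import hashlib
import hmac
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ITERATIONS = 100_000  # assumed work factor for the demo; tune for production


def new_stored_part(length: int = 16) -> str:
    """The random half that lives in the vault; generated with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compose(stored_part: str, memorized_part: str) -> str:
    """The credential actually sent to the site: vault part + memorized suffix."""
    return stored_part + memorized_part


def register(full_password: str, salt: bytes = None):
    """Server-side enrolment: keeps only a salted PBKDF2 hash of the full password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", full_password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Server-side login check with a constant-time comparison."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def guessing_bits(memorized_len: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Work left for someone who holds the vault part but must guess the suffix."""
    return memorized_len * math.log2(alphabet_size)


def vault_leak_scenario(stored_part: str, memorized_part: str) -> dict:
    """Enrol with the full password, then try each half alone as a leaked vault would."""
    salt, digest = register(compose(stored_part, memorized_part))
    return {
        "full_password_accepted": verify(compose(stored_part, memorized_part), salt, digest),
        "vault_part_alone_accepted": verify(stored_part, salt, digest),
        "memorized_part_alone_accepted": verify(memorized_part, salt, digest),
        "bits_to_guess_after_vault_leak": guessing_bits(len(memorized_part)),
    }


if __name__ == "__main__":
    # The two halves from the post above, used as constructed sample input.
    print(vault_leak_scenario("@wR69Y3&N$e6UY4", "<+A9*03=(5)"))
```

The estimate is the scheme's real limit: the same memorized suffix is appended on every site, so it only protects against a vault leak, not against a site that receives the full password in clear (a phishing page, or a service that stores passwords unhashed); once any one of those exposes the suffix, every stored part in the leaked vault becomes a complete credential again.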
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Interestingly, but no one considers Avira Password Manager as a password manager?
Yes, I consider Avira Password Manager a password manager, and by the way it is very good, I have tested it. ;) Due to the recent incident with LastPass, a well-known cloud password manager, many people are opting for an offline password manager, or one that resides locally or synchronizes only via WiFi/LAN. (y)

Thanks for the tip. One more thing is never to store 2FA keys in your password manager or at least on the same vault.

I have two vaults in Enpass, one for the passwords and the other for 2FA with completely different master passwords.
Yes, correct if you store the 2FA keys in your password manager and it gets hacked, and the hacker somehow gains access, the purpose of two-step verification 2FA ceases to exist and game over for you.☹️
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
Yes, I consider Avira Password Manager a password manager, and by the way it is very good, I have tested it. ;) Due to the recent incident with LastPass, a well-known cloud password manager, many people are opting for an offline password manager, or one that resides locally or synchronizes only via WiFi/LAN. (y)

Sticky Password also has this capability of secure local WiFi/cloud/secure offline
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Sticky Password also has this capability of secure local WiFi/cloud/secure offline
Yes, I posted in another article about the Sticky Password. (y)

TBH this double exercise feels like a ton of bricks on my shoulder right now but there's no option. #*#^* u LP thanks for letting us subscribers & users down. I am p1$$ed. :mad:
That was the website All Things Secured - Double blind password I remembered now and found he is called Josh. And the video explaining is this

 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
Yes, correct if you store the 2FA keys in your password manager and it gets hacked, and the hacker somehow gains access, the purpose of two-step verification 2FA ceases to exist and game over for you.☹️
I might be wrong. Correct me if I'm wrong, for I'm considering the use of a Password Manager

Of course, everything can be hacked regardless of 2FA/MFA. What we want is to make things difficult to hack the Password Manager

2FA deploys say a master password and a TOTP code sent to your phone

A TOTP code is useless to be used a second time since it'll expire after say 30 sec or 60 sec. You'll need to generate another TOTP if it expires

As for the master password, you need to physically key in and that's where a keylogger can capture it. To strengthen it, you'll need to use a randomized virtual onscreen kb with delay key setting and anti-screen capture/anti-clipboard capture or encrypted keystrokes/hidden keystrokes etc to key the master password each and every time. The weakness is that if your master password is of 80 characters, and you need to access 50 websites every day, then it becomes an issue to remember and a hassle to use.

Looks like a new kid in the block. Anyone using it?


It's at github

 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
I might be wrong. Correct me if I'm wrong, for I'm considering the use of a Password Manager
Yes, you are right, the password manager was created to make it more convenient: instead of remembering dozens of passwords, you need to remember only one, the master password of your PM, that only you know. (y)
Of course, everything can be hacked regardless of 2FA/MFA. What we want is to make things difficult to hack the Password Manager
Yes everything can be hacked, especially internet connected devices, yes 2FA can be bypassed and circumvented, either by using reverse proxy or stealing your cookies with your saved session.

A TOTP code is useless to be used a second time since it'll expire after say 30 sec or 60 sec. You'll need to generate another TOTP if it expires

Yes, correct, TOTP is time based so it expires after 30 seconds or 60 seconds. I would not say, if I were you, that TOTP is useless for a hacker after the token expires, depending on many of the circumstances; today we have security keys like YubiKey, proving that TOTP can be ignored. Many companies and people use security keys. If the hacker wants and you are an important target, somehow he will achieve his goal, which is to gain access to everything and steal whatever he wants and then leave without you having noticed.

As for the master password, you need to physically key in and that's where a keylogger can capture it. To strengthen it, you'll need to use a randomized virtual onscreen kb with delay key setting and anti-screen capture/anti-clipboard capture or encrypted keys/hidden keys etc to key the master password each and every time. The weakness is that if your master password is of 80 characters, and you need to access 50 websites every day, then it becomes an issue to remember and a hassle to use.

Yes, the master password is physically typed of course, yes correct, a keylogger can capture it when you type your password from your keyboard, I suppose everyone who uses a PM knows this, or am I wrong? I always enter my master password only on my device that I use, like on my laptop, desktop, on my phone, which I know is trusted and is clean of malware, keylogger etc. I will never use my PM on a stranger's machine, even on my father's computer I think ten times before entering my password. Wait... there is maybe use yes @simmerskool sends a hug! I enter my master password in the Keepass Secure Desktop and the Keylogger is useless and will not capture my master password when I type it.;)

About the size of my master password is my secret that only I know, and your secret too that we can't reveal, I will not tell you how many characters I use my master password, but it is huge, long and tedious to type, probably much more than 80 characters just multiply 80x7 and you will know the size. If you have a PM and are going to use a weak master password, then it doesn't make sense to use a PM, it's better to leave it saved in the browser. I was talking to @R2D2 about "Double blind password" just a suggestion, that I had seen a few years ago, I didn't tell him to use it that way, it makes it a little inconvenient, having to type a password + a suffix or prefix but there are people who use it that way, as Lastpass suffered a violation, he got a little thoughtful, and the master password he uses according to him reported is strong, I believe in what he said, but and Lastpass is being transparent with their users? Note: I am not defaming Lastpass just commenting on the incident, don't get me wrong folks.(y)

@HarborFront was nice talking to you, just hope you do not take me wrong, suddenly I wrote something that you may think I am offending, but I am not, I have great respect for you and many members here in MT you are veteran here, I do not want to make enmity with anyone and not violate the rules of the forum for God's sake. (y)
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,139
Yes, you are right, the password manager was created to make it more convenient: instead of remembering dozens of passwords, you need to remember only one, the master password of your PM, that only you know. (y)

Yes everything can be hacked, especially internet connected devices, yes 2FA can be bypassed and circumvented, either by using reverse proxy or stealing your cookies with your saved session.



Yes, correct, TOTP is time based so it expires after 30 seconds or 60 seconds. I would not say, if I were you, that TOTP is useless for a hacker after the token expires, depending on many of the circumstances; today we have security keys like YubiKey, proving that TOTP can be ignored. Many companies and people use security keys. If the hacker wants and you are an important target, somehow he will achieve his goal, which is to gain access to everything and steal whatever he wants and then leave without you having noticed.



Yes, the master password is physically typed of course, yes correct, a keylogger can capture it when you type your password from your keyboard, I suppose everyone who uses a PM knows this, or am I wrong? I always enter my master password only on my device that I use, like on my laptop, desktop, on my phone, which I know is trusted and is clean of malware, keylogger etc. I will never use my PM on a stranger's machine, even on my father's computer I think ten times before entering my password. Wait... there is maybe use yes @simmerskool sends a hug! I enter my master password in the Keepass Secure Desktop and the Keylogger is useless and will not capture my master password when I type it.;)

About the size of my master password is my secret that only I know, and your secret too that we can't reveal, I will not tell you how many characters I use my master password, but it is huge, long and tedious to type, probably much more than 80 characters just multiply 80x7 and you will know the size. If you have a PM and are going to use a weak master password, then it doesn't make sense to use a PM, it's better to leave it saved in the browser. I was talking to @R2D2 about "Double blind password" just a suggestion, that I had seen a few years ago, I didn't tell him to use it that way, it makes it a little inconvenient, having to type a password + a suffix or prefix but there are people who use it that way, as Lastpass suffered a violation, he got a little thoughtful, and the master password he uses according to him reported is strong, I believe in what he said, but and Lastpass is being transparent with their users? Note: I am not defaming Lastpass just commenting on the incident, don't get me wrong folks.(y)

@HarborFront was nice talking to you, just hope you do not take me wrong, suddenly I wrote something that you may think I am offending, but I am not, I have great respect for you and many members here in MT you are veteran here, I do not want to make enmity with anyone and not violate the rules of the forum for God's sake. (y)

My main gripe in the use of Password Manager is to key in the long master password. Imagine keying in 80 characters for 20 sign-in websites

I think I may have found a program which can simplify this


It can keep your password if you enable the feature so that the same password (in this case the master password) can be used repeatedly

Quote

Keep password after drag-drop

If this is enabled, all text in the password box will remain after it’s been dragged and dropped to another application.

If this is not enabled, the text will be cleared after every drag-drop.

Unquote

I hope it meets my need in not keying in the master password repeatedly
 

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
@HarborFront Interesting about SafeKeys, I didn't know that one. Thanks for sharing! Another day we'll talk more, tomorrow I'll be here giving a Happy New Year to all MT Members and friends.(y)
 

mkoundo

Level 8
Verified
Well-known
Jul 21, 2017
358
My main gripe in the use of Password Manager is to key in the long master password. Imagine keying in 80 characters for 20 sign-in websites


In the Bitwarden browser extension you can set it up so that you key in a short code, say a 4-digit PIN, on that particular browser to access the PW extension. It can be set up such that the PW manager remains open until you close the browser, so entering the master password repeatedly is unnecessary.

 
