Password Manager Poll (2022)

Which password manager do you use? (Poll)

  • KeePass: 36 votes (16.3%)
  • NordPass: 3 votes (1.4%)
  • Sticky Password: 9 votes (4.1%)
  • LastPass: 15 votes (6.8%)
  • Bitwarden: 112 votes (50.7%)
  • Dashlane: 6 votes (2.7%)
  • Firefox: 3 votes (1.4%)
  • 1Password: 18 votes (8.1%)
  • Kaspersky Password Manager: 8 votes (3.6%)
  • Roboform: 11 votes (5.0%)

  Total voters: 221

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,034
One question on unlocking and accessing a PM.

On desktop, the emphasis is to use master password to unlock and access your PM. Not sure biometrics or pin code is available for convenience.

But on mobile, for convenience the practice is to use biometrics or pin code to unlock your PM. Using master password is there as well.

Do you, out of convenience, use biometrics or pin code for both if both are available and used? If yes, then hacking the laptop/PC and phone would be easier here, right?
 

piquiteco

Level 14
Oct 16, 2022
626
Do you, out of convenience, use biometrics or pin code for both if both are available and used? If yes, then hacking the laptop/PC and phone would be easier here, right?
Yes, on my phone I use iris reader or biometrics to unlock my PM for convenience. Only once in a while my PM asks me to enter my master password for security reasons. Yes, on both my phones. I believe that your master password is stored somewhere on your temporary device, just to provide an authentication for convenience while you use biometrics, PIN code, face unlock or iris. The answer to this question is yes, but you are unlikely to be hacked or be a risk factor, because an attacker needs to have physical access to your device to gain access to your password.(y)

It took me a while to understand the content of the post because I was watching it in a translated state:ROFLMAO:
It was just a joke, I just hope you don't take me wrong, I understand almost nothing in Japanese. But I really admire the Japanese dialect and have a lot of respect for people from Japan and the Asian continent. Your culture is on another level.

Actually, jokes aside, it's true. Because there are characters in some European, East Asian (Chinese, Japanese, Korean), Indian and Arabic languages that will nearly never be used by hackers. Hackers normally default to English, either US or UK.
I tested it on KeePass: I created a database and used that word as the master password in Japanese, and KeePass accepted it. Probably if @show-Zi uses a PM, his master password will be impossible to crack by brute force attack. You have to have a Japanese keyboard or it will be difficult to type. I was just kidding, and worse, you can create master passwords in those languages. See the screenshots below in the spoiler. If I knew Japanese, my PM master password would probably look like this.
マルウェアのヒント
😉
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
TBH I'd be completely lost if I had to use anything but a UK/US English keyboard. :) Yes, of course there are those soft foreign-language keyboards, but those characters aren't easy to decipher.
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
One question on unlocking and accessing a PM.

On desktop, the emphasis is to use master password to unlock and access your PM. Not sure biometrics or pin code is available for convenience.

But on mobile, for convenience the practice is to use biometrics or pin code to unlock your PM. Using master password is there as well.

Do you, out of convenience, use biometrics or pin code for both if both are available and used? If yes, then hacking the laptop/PC and phone would be easier here, right?
If you use a PIN or biometrics, the master password is “securely” stored on the device. I have no idea how secure that would be, but personally I keep entering the master password. I know it is a little inconvenient, but it helps make sure you never forget the master password.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Not sure biometrics or pin code is available for convenience.
It may be available through Windows Hello or Touch ID (Mac keyboard). Where possible, Biometrics over Master Password. Exposing your master passwords is dangerous.

Under Desktop tab:
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
843
Where possible, Biometrics over Master Password. Exposing your master passwords is dangerous.
This may be true for 1st world countries where abuse of power and violence are looked down upon and you have human rights, but in most of the 3rd world they have no problems breaking the law and your legs to get your password from your face/finger when you're unconscious from being hit with a $5 wrench.

The reason you have a strong and long master password is that it buys you some time so someone can remotely wipe the device while they are trying to crack your device, and it gives you something to negotiate with if you're in a jam.
 

piquiteco

Level 14
Oct 16, 2022
626
I have no idea how secure that would be, but personally I keep entering the master password. I know it is a little inconvenient, but it helps make sure you never forget the master password.
Your master password is the only one you need to memorize. Mine I write down in a notebook, just in case. If your master password for your PM is less than 256 characters, I see no problem with typing it every time in your PM to unlock your vault. 😉
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,034
It may be available through Windows Hello or Touch ID (Mac keyboard). Where possible, Biometrics over Master Password. Exposing your master passwords is dangerous.

Under Desktop tab:
So, to summarize

Log in to BW requires the master password

Unlock the vault can use biometrics and/or pin code

Any way to remember and quicken the physical keying in of a 50-character master password to log in to BW? That's my concern.
 

piquiteco

Level 14
Oct 16, 2022
626
Log in to BW requires the master password
Yes
Unlock the vault can use biometrics and/or pin code
Yes
Any way to remember and quicken the physical keying in of a 50-character master password to log in to BW? That's my concern.
Yes, this. BW saves a session in your browser and adds your device as trusted when you set up a PIN. So it is secure. I will make a more direct comparison: don't you have browser cookies when you log into MT, or another site like Google where you check the "Stay signed in" box? That is how a PM works. When you set up a PIN, biometrics, iris reader or facial unlock on a PM, whether on mobile or computer, it automatically marks your device as trusted. Some PMs like Roboform, SafeInCloud, etc. you can set to ask for your master password every 30 days for security reasons, and so you don't forget your master password too.

The majority of people use Bitwarden because it is free. If it was not, the whole thing would be different.
Yes, I agree, BW is free and can be installed on unlimited devices. Most people use Bitwarden because of cloud synchronization, and not only that, because it syncs with all your devices like on cell phones. Do you have a cell phone? I think everybody has a cell phone these days. Unfortunately, with SP and other PMs that I tested, the WiFi/LAN syncing did not work as it should, and when it did you sometimes had to pull a "Sync Now" lever. It is a manual type of sync and not an automatic sync like many PMs do in the cloud.
One thing we can do is help and donate to Keepass so that it can make Android and iOS apps.
Yes, KeePass deserves a version for Android and iOS and synchronization via WiFi/LAN. Did you check the voting and how many votes KeePass got? It came in second place, only behind BW. Due to the LastPass fiasco, even though many people continue to use BW or another cloud PM, everyone is thoughtful after the LP incident.

Where do you get the info on their website? Thanks
He must have received this information by email; all SP users who have the premium version get 1 year of Dark Web Monitoring for free. I received the e-mail from SP yesterday; see the screenshot in the spoiler. ;)

For those who have a lifetime license, the initial year of this service is going to be free. After that lifetime users will have to pay to use the service (dark web monitoring).
No, all SP users who have the premium version get 1 year of Dark Web Monitoring for free. I received the SP email from them yesterday.

TBH I'd been completely lost if I had to use anything but a UK/US English keyboard. :) Yes of course there are those soft foreign language keyboards but those characters aren't easy to decipher.
You are right. After reading this article, Are A Mix Of Non-English Passwords More Secure? | Password Bits, I have changed my mind: it is unnecessary to use a master password in Japanese or any other language; you should stick with your native language in most situations. :)
 
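As an added illustration of the "trusted device" mechanism discussed above (and of Zero Knowledge's point that a slow-to-derive master password buys time), here is a generic key-wrapping sketch in Python. It is not Bitwarden's code or any vendor's; the function names, PBKDF2 iteration count and record layout are assumptions.

```python
# Added example of the key-wrapping pattern behind "PIN / biometric unlock".
# It is NOT Bitwarden's or any vendor's code: function names, the PBKDF2 work
# factor and the record layout are assumptions chosen for illustration.
import hashlib
import hmac
import math
import os
from typing import Optional

KDF_ITERATIONS = 600_000   # assumed work factor; real products tune their own

def derive_key(secret: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master password or PIN into a 32-byte key (PBKDF2-HMAC-SHA256).
    The iteration count is what 'buys time' against offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)

def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Protect a 32-byte key under a key-encryption key. Toy stdlib-only AEAD:
    HMAC-SHA256 as a one-block PRF stream (XOR) plus an HMAC authentication tag."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; a wrong PIN or a tampered record releases nothing."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hmac.new(kek, b"enc" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def login(master_password: str, account_salt: bytes) -> bytes:
    """Full login: the vault key exists only as a function of the master password."""
    return derive_key(master_password, account_salt)

def enable_pin_unlock(vault_key: bytes, pin: str) -> dict:
    """Mark this device 'trusted': store the vault key wrapped under a PIN-derived
    key. The master password itself is never written into the record."""
    pin_salt = os.urandom(16)
    wrapped = wrap_key(derive_key(pin, pin_salt), vault_key)
    return {"pin_salt": pin_salt, "wrapped_vault_key": wrapped}

def unlock_with_pin(record: dict, pin: str) -> Optional[bytes]:
    """Later unlocks need only the PIN plus the local record, not the master password."""
    return unwrap_key(derive_key(pin, record["pin_salt"]), record["wrapped_vault_key"])

def pin_keyspace_bits(pin_length: int, alphabet: int = 10) -> float:
    """Why the record must never leave the device: a 4-digit PIN is ~13.3 bits, so
    whoever copies the record can try every PIN offline (KDF cost is the only brake)."""
    return pin_length * math.log2(alphabet)
```

The small PIN keyspace is why a PIN unlock only makes sense on a device an attacker would need physical access to, which is the point made above about physical access.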

piquiteco

Level 14
Oct 16, 2022
626
Create Account Success! LP Master password used is weak.

I had commented on another post, but decided to test in practice if LP would allow or notify me that the master password used is weak.

I created a Lastpass test account using the LP's minimum requirements of a master password with at least 12 characters and the LP accepted it, even though the strength indicator was orange.
After I created an account, LP issued no warning that my master password was weak. This is quite worrying. It is obvious that most users who know how a PM works and value their security will not use a weak master password in their vault.

I tried to create an account on Bitwarden using this 12 character master password and BW issued a Popup saying that my master password is weak.

If I click YES on that notification box of course BW will accept that password, but the user will be aware that his password is weak. All the PMs I have tested, as far as I can remember, never accepted a weak master password.

Conclusion: It seems to me that the LP is more concerned about the number of users and does not take user security seriously. Draw your own conclusions.

Note: I am only showing facts to warn and not to defame the company behind the LP.
 
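An added example, not from this thread or from LastPass or Bitwarden, that puts numbers on the two strength questions raised above (whether a 12-character minimum makes a master password strong, and whether a Japanese master password beats a longer English one). The pool sizes and the 80-bit threshold are assumptions; the 9-kana sample is the thread's own.

```python
# Added example (not from this thread or any password manager vendor): a
# pool-based entropy estimate for a master password. It speaks to two points
# above: a 12-character minimum does not by itself make a password strong, and
# switching script (e.g. Japanese kana) adds far less than adding length does.
# The number is an UPPER bound: it assumes each character was picked uniformly
# at random from the pool, which dictionary words and keyboard patterns break.
import math
import string

# Assumed pool sizes per character class (kana block sizes are approximate).
CLASSES = {
    "lower":    (lambda c: c in string.ascii_lowercase, 26),
    "upper":    (lambda c: c in string.ascii_uppercase, 26),
    "digit":    (lambda c: c in string.digits, 10),
    "symbol":   (lambda c: c in string.punctuation + " ", 33),
    "hiragana": (lambda c: "\u3040" <= c <= "\u309f", 90),
    "katakana": (lambda c: "\u30a0" <= c <= "\u30ff", 90),
}
OTHER_POOL = 100   # assumption for any script not listed above

def pool_size(password: str) -> int:
    """Sum the pool sizes of the character classes that actually appear."""
    seen = set()
    for ch in password:
        for name, (member, _) in CLASSES.items():
            if member(ch):
                seen.add(name)
                break
        else:
            seen.add("other")
    return sum(CLASSES[n][1] if n in CLASSES else OTHER_POOL for n in seen)

def entropy_bits(password: str) -> float:
    """log2 of how many passwords of this length exist over this pool."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def verdict(password: str, min_bits: float = 80.0) -> str:
    """Toy policy: flag anything under min_bits (the 80-bit bar is an assumption)."""
    bits = entropy_bits(password)
    return f"{len(password)} chars, ~{bits:.0f} bits: " + ("OK" if bits >= min_bits else "WEAK")

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3!",                 # constructed 12-char, 4 ASCII classes
               "マルウェアのヒント",            # the 9-kana example from the thread
               "correct horse battery staple but fifty chars long!"):  # 50 chars
        print(verdict(pw))
```

Nine kana score below twelve mixed ASCII characters, and both sit far below the 50-character passphrase; a real checker (zxcvbn-style) would additionally penalise the dictionary words in the passphrase.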

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Were you able to change all your PM passwords?
Well, yes, changed passwords to all sites that mattered for sure. And reset 2FA tokens + recovery codes to boot. The remainder I really don't care about. The process helped me weed out about 80-90 redundant passcards/entries going back a decade or more.
 

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,250
Well, yes, changed passwords to all sites that mattered for sure. And reset 2FA tokens + recovery codes to boot. The remainder I really don't care about. The process helped me weed out about 80-90 redundant passcards/entries going back a decade or more.
Hope you enter the password & 2FA code on every website as a test before deleting it.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Yes, of course I do test a login process with the new password and 2FA code before deleting the old one :) I maintain multiple 2FA apps on my phones - if I delete a token in one of them the other is a standby just in case. Once the login is successful and all goes according to plan, I delete the token in app 1 (Authy has a 48 hour wait before it's actually deleted) and proceed to reregister 2FA at the site, scan the new code with both apps so there's always a backup.

Tokens are backed up to cloud (Authy) and iCloud (Raivo). Raivo backups can be imported into Aegis/2FAS for Android, resulting in backups on multiple handsets, it's like having 2 Yubikeys around 1 primary the other a spare. :)

It's a bit convoluted at times but I won't get caught without my TOTP codes.
 

piquiteco

Level 14
Oct 16, 2022
626
Well, yes, changed passwords to all sites that mattered for sure. And reset 2FA tokens + recovery codes to boot. The remainder I really don't care about. The process helped me weed out about 80-90 redundant passcards/entries going back a decade or more.
I know how laborious it is even using PM to generate the passwords, imagine without using a PM. When I activated the 2FA for my accounts in early 2021 it took weeks. Imagine changing +300 passwords and revoking the 2FA one by one and saving the recovery codes, it is an arduous and tedious process.(y)
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
@piquiteco I had about 800+ logins and about 100 TOTP tokens. As I mentioned earlier, the critical and important ones are done. For the rest well, I'll take a chance. This has been an awful experience TBH lasting about 2.5 weeks.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,034
Do away with long and difficult to remember passwords. In comes passkey.

I wonder if use passkeys (biometrics + pin code + sliding pattern) would help to simplify our life if say you have 100 accounts?

Imagine 100 combinations of passkeys......? How to remember? I have 10 digits. Not sure which digit for which account.

🙄
 

piquiteco

Level 14
Oct 16, 2022
626
Hope you enter Password & 2FA code on every website as test before delete it.
I believe @R2D2 is a smart person; he must have tested the passwords and 2FA before deleting the old ones. I already realized that he is an experienced person like you, CyberTech. Unfortunately LastPass failed him, and all its users. What happened to him could have happened to us too: he put his trust in a big company, and if he didn't do that, who knows what would happen to his data and accounts in the future at the hands of a hacker? Maybe only God knows. This thing that happened with LastPass has opened our eyes. But to conclude my point of view, this tip goes to everyone (whoever already knows this, disregard it): always keep the secure notes, recovery codes, security questions, QR codes, everything offline, and then replicate them in several backups and distribute them across several devices, memory cards, external HDs, etc. Cloud too? Yes, you can, as long as you keep this backup encrypted. Use the PM only to store passwords; keep the rest offline, and the backups, don't forget the backups: if one fails you have another one as an alternative. Use the Aegis app on your phone to generate the TOTPs, or another trusted authenticator app, then export to a file, back up this file and save it in a safe place. On computer and notebook use KeePass or KeePassXC to generate TOTPs if your phone is not around. Now sleep easy. :sleep:
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
@piquiteco perfectly put about LastPass failing me and millions of subscribers/users. I had stored many (in 100s) of secure notes in my LastPass account and regret it, as do so many others. Several experts including Steve Gibson, Jeremi Gosney etc. have made it very clear - move on from LP NOW and choose another PM. LP is beyond hope and will suffer the consequences in due course unless there's a course correction that may be very painful. LastPass' nonchalance, at least on the outside, about this matter still shocks me, leaving me one bitter customer who has zero goodwill for them. Every word that comes out of LP is vetted carefully by lawyers, I am sure. I do feel bad for those noobs/non-geeks and the likes who are not aware of the seriousness of this issue and how to tackle it... their lack of knowledge leading them to seek guidance from the neighbourhood geek.

Anyways, all newly generated recovery codes are only stored locally and then encrypted using Cryptomator and stored in 4 cloud accounts. All secure notes will be deleted from my password managers shortly. Still debating about the credit cards and financial info.

The only way to store personal information relatively safely is locally and in an encrypted form using a tool of your choice. Other than the cloud backups I also back them up locally to my 2 NAS boxes and a USB HDD that are switched on only when required. You can't hack something that's powered off ;) It doesn't end there, TOTP tokens (authy etc) are also backed up. I don't take chances having suffered n number of data losses caused by hardware failures in the past.

PS - another dose of Lastpass related news LastPass hack: Cybersecurity experts sound the alarm over data breaches
 