vaccineboy

Level 2
Hotspot Shield is an ad bomber (at least the free version), and its security/privacy is subpar from what I've read/heard.
True for the free version. I can testify that it is not true for the premium version. As far as speed goes, in my limited trial of VPN services, it is the fastest.

Edit: It uses its own proprietary protocol instead of OpenVPN or IKEv2 like all the others, and claims this is the reason for its superior speed. Security? It was under audit recently (before the sale), if I recall correctly. Whether the audit is reliable? I have no idea.
 

liffew

New Member
Hello

I have been using 1Password for a couple of years now, but sadly I feel like a change. What do you recommend? What is the state of password managers in 2019?

I see password managers like Keeper and Dashlane getting bigger, while LastPass seems to have really slow development.
Password managers are great. But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.

So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in the computer memory while locked. According to researchers, this renders them “no more secure than saving passwords in a text file”.

The ISE evaluated 1Password, Dashlane, KeePass, and LastPass, which are used by a total of 60 million users and 93,000 businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.

According to the ISE, worryingly, the researchers found that in some circumstances the master password was residing in the computer’s memory in a plain-text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.
 

vaccineboy

Level 2
Password managers are great. But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.

So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in the computer memory while locked. According to researchers, this renders them “no more secure than saving passwords in a text file”.

The ISE evaluated 1Password, Dashlane, KeePass, and LastPass, which are used by a total of 60 million users and 93,000 businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.

According to the ISE, worryingly, the researchers found that in some circumstances the master password was residing in the computer’s memory in a plain-text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.
Oh sh!t?
 

upnorth

Level 35
Verified
Trusted
Content Creator
These vulnerabilities were in the desktop apps and fixed quickly if I remember correctly.
I suspect the same, but to confirm it one has to backtrack through the updates, and because that report (very interesting read) is from February this year, I'd rather pass and take a cup of coffee instead. :D :coffee:

Here's the link for anyone that's curious.
 

blackice

Level 12
Verified
I suspect the same, but to confirm it one has to backtrack through the updates, and because that report (very interesting read) is from February this year, I'd rather pass and take a cup of coffee instead. :D :coffee:

Here's the link for anyone that's curious.
I’m just remembering, possibly incorrectly, from reading the responses from the companies to the press. I could be conflating it with a different issue.
 

ng4ever

Level 11
Verified
Does anyone know if Bitwarden will ever become more polished? I know you don't know what I am talking about; I am talking about the GUI.

I want sections for license keys for my software.
 

Umbra

Level 11
Verified
Does anyone know if Bitwarden will ever become more polished? I know you don't know what I am talking about; I am talking about the GUI.

I want sections for license keys for my software.
What do you mean? You want to create a space in the vault to keep your license keys? You can do that already: just create a folder, and inside it make an entry for each piece of software, then put the license key in the notes area.
 

gmaister22

Level 2
Password managers are great. But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.

So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in the computer memory while locked. According to researchers, this renders them “no more secure than saving passwords in a text file”.

The ISE evaluated 1Password, Dashlane, KeePass, and LastPass, which are used by a total of 60 million users and 93,000 businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.

According to the ISE, worryingly, the researchers found that in some circumstances the master password was residing in the computer’s memory in a plain-text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.
True, but all these password managers nowadays use 2FA; 1Password uses 3FA...

One is the master password
One is the Secret Key
One is the one time password from Google Authenticator, Authy, etc...

What about that scenario?
 

Threadripper

Level 8
Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.
This is the whole point of end-to-end encryption and hashing. Your "vault" is encrypted with your master password, only you know this password, the server sees a hashed version of it that your local client sends. In the case of Bitwarden it's hashed again server-side before checking if the hashes match.

I'll use Bitwarden as an example:

Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in.

The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have no value to the hacker.

Does Bitwarden use a salted hash for my password?
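The client-side and server-side hashing described in the post above, as an added example (not Bitwarden's code, and not part of the original thread). It follows the quoted FAQ: the client stretches the master password salted with the e-mail address, sends only a hash derived from that, and the server re-salts and re-stretches that hash before storing it. The iteration counts, the toy Server class, the attacker function and all sample values are constructed for illustration; standard library only.

```python
"""Client-side and server-side hashing of a master password.

Added example modelled on the Bitwarden FAQ quoted in the post above; it is
not Bitwarden's code. Iteration counts, the toy Server class, the attacker
function and all sample values are constructed for illustration. Standard
library only.
"""
from __future__ import annotations

import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumed value; products tune this over time
SERVER_ITERATIONS = 100_000  # assumed value


def client_master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password, salted with the e-mail.
    This key protects the vault and never leaves the device."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, CLIENT_ITERATIONS)


def client_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: derive the login credential from the master key with one
    more PBKDF2 round. The server only ever sees this value, so it learns
    neither the master password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


class Server:
    """Toy account database. It re-salts and re-stretches the client's auth
    hash before storing it, so even the auth hash is not on disk."""

    def __init__(self) -> None:
        self._accounts = {}  # email -> (random salt, stored hash)

    def register(self, email: str, auth_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
        self._accounts[email] = (salt, stored)

    def login(self, email: str, auth_hash: bytes) -> bool:
        if email not in self._accounts:
            return False
        salt, stored = self._accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison

    def breach_dump(self, email: str) -> tuple[bytes, bytes]:
        """What an attacker gets for one account if the server database leaks."""
        return self._accounts[email]


def attacker_test_guess(email: str, dump: tuple[bytes, bytes], guess: str) -> bool:
    """Offline attack on a leaked record. Each guess costs the full client
    stretch plus the server stretch; that cost is the only thing standing
    between the leak and the master password."""
    salt, stored = dump
    auth_hash = client_auth_hash(client_master_key(guess, email), guess)
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    email = "alice@example.com"                # constructed
    password = "correct horse battery staple"  # constructed
    wrong = "password1"                        # constructed

    server = Server()
    master_key = client_master_key(password, email)
    auth_hash = client_auth_hash(master_key, password)
    server.register(email, auth_hash)

    dump = server.breach_dump(email)
    return {
        "login_ok": server.login(email, auth_hash),
        "login_wrong_password": server.login(
            email, client_auth_hash(client_master_key(wrong, email), wrong)),
        # the leaked record contains neither the vault key nor the auth hash
        "dump_contains_vault_key": master_key in dump,
        "dump_contains_auth_hash": auth_hash in dump,
        "attacker_correct_guess": attacker_test_guess(email, dump, password),
        "attacker_wrong_guess": attacker_test_guess(email, dump, wrong),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes concrete: a server breach yields only the random salt and the twice-stretched hash, and an attacker still has to pay the client stretch plus the server stretch for every guess, which is why the quoted FAQ can say the leaked data "would have no value". That claim holds only as long as the master password is not guessable within that budget; the actual vault encryption with the master key (AES in real products) is outside the standard library and is not shown here.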
 

Threadripper

Level 8
True, but all these password managers nowadays use 2FA; 1Password uses 3FA...

One is the master password
One is the Secret Key
One is the one time password from Google Authenticator, Authy, etc...

What about that scenario?
Your OTP won't protect you if your password manager is hacked, or if anything is hacked for that matter. Once the database is local, your "vault" is encrypted with your master password in most password managers, and with the secret key as well in 1Password.

Without going too deep into AES and KDF I'll keep it simple. A secret key is a pretty neat idea, but in reality, if your master password is good then it's not going to make that much of a difference. It is in theory more secure, but as long as your master password is genuinely good the secret key will be more of an inconvenience, or at least that's how I found it when I tried 1Password.

Your master password is absolutely crucial. Make it good, don't use it anywhere else and never store it anywhere else unless it is physically secure. If you do this, you'll be fine assuming your password manager implemented everything accordingly.
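The master password versus master password plus Secret Key question raised in the two posts above, as an added example (not 1Password's code, and not part of the original thread). The two-secret derivation is a simplified model of what 1Password documents publicly: a PBKDF2 key from the password XORed with a key expanded from the random 128-bit Secret Key. The iteration count, the HMAC key verifier that stands in for the vault's authenticated ciphertext, and the wordlist are constructed; standard library only.

```python
"""Offline guessing attack on a stolen vault: master password alone versus
master password plus a device-held Secret Key.

Added example, not 1Password's code. The two-secret derivation is a
simplified model of what 1Password documents publicly (a PBKDF2 key from
the password XORed with a key expanded from the random Secret Key). The
iteration count, the HMAC key verifier that stands in for the vault's
authenticated ciphertext, and the wordlist are constructed. Standard
library only.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 10_000     # kept low so the demo runs fast; real products use far more
SECRET_KEY_BYTES = 16   # 128 bits of randomness, stored only on enrolled devices


def password_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def secret_key_key(secret_key: bytes, salt: bytes) -> bytes:
    """Expand the Secret Key to 32 bytes (single-block HKDF-style expansion)."""
    return hmac.new(secret_key, b"secret-key-expand" + salt, hashlib.sha256).digest()


def vault_key(master_password: str, salt: bytes, secret_key: bytes | None) -> bytes:
    """With secret_key=None this is the password-only scheme most managers use.
    With a Secret Key the two derived keys are XORed, so the vault key cannot
    be recovered from either input alone."""
    k = password_key(master_password, salt)
    if secret_key is None:
        return k
    return bytes(a ^ b for a, b in zip(k, secret_key_key(secret_key, salt)))


def make_vault(master_password: str, secret_key: bytes | None) -> dict:
    """Build the record an attacker would steal: the salt plus a key verifier
    (standing in for the authenticated ciphertext the attacker tries to decrypt)."""
    salt = os.urandom(16)
    key = vault_key(master_password, salt, secret_key)
    return {"salt": salt, "verifier": hmac.new(key, b"vault-check", hashlib.sha256).digest()}


def key_opens_vault(vault: dict, key: bytes) -> bool:
    tag = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["verifier"])


def dictionary_attack(vault: dict, wordlist: list[str], stolen_secret_key: bytes | None) -> str | None:
    """Attacker has the vault file and a wordlist, and has the Secret Key only
    if it was also taken from a device. Returns the recovered password or None."""
    for guess in wordlist:
        if key_opens_vault(vault, vault_key(guess, vault["salt"], stolen_secret_key)):
            return guess
    return None


WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2019", "hunter2"]  # constructed


def demo() -> dict:
    weak_password = "summer2019"  # in the wordlist on purpose
    secret_key = os.urandom(SECRET_KEY_BYTES)
    password_only = make_vault(weak_password, None)
    two_secret = make_vault(weak_password, secret_key)
    return {
        # weak password, no Secret Key: cracked by the wordlist
        "password_only": dictionary_attack(password_only, WORDLIST, None),
        # same weak password, attacker lacks the Secret Key: the guess space is
        # the 128-bit key, so the wordlist finds nothing
        "two_secret_without_key": dictionary_attack(two_secret, WORDLIST, None),
        # attacker also compromised a device and took the Secret Key: the
        # weak password is all that is left, and it is cracked again
        "two_secret_with_stolen_key": dictionary_attack(two_secret, WORDLIST, secret_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Read the three results together: the Secret Key only changes the outcome when the attacker has the vault but not a device, which is the vault-stolen-from-the-server scenario; once a device holding the Secret Key is compromised, the whole defence is back to the strength of the master password, and a one-time code never enters into an offline attack at all.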
 

notabot

Level 14
This is the whole point of end-to-end encryption and hashing. Your "vault" is encrypted with your master password, only you know this password, the server sees a hashed version of it that your local client sends. In the case of Bitwarden it's hashed again server-side before checking if the hashes match.

I'll use Bitwarden as an example:
If you're hacked you're done: they take all the passwords from your local machine when you decrypt them with your master password, not from the remote server. To mitigate this:

1) never store your 2FA codes for your accounts on the same password manager you use for your passwords (I'd go as far as don't use the same machine, to maximally decouple the 2nd factor from your passwords)
2) take measures to secure the machine to avoid compromise
3) don't sweat over it, if they only have the passwords without the 2FA codes for your logins nothing can happen and if you use a good security product this should not happen in the first place.
 

blackice

Level 12
Verified
If you're hacked you're done: they take all the passwords from your local machine when you decrypt them with your master password, not from the remote server. To mitigate this:

1) never store your 2FA codes for your accounts on the same password manager you use for your passwords (I'd go as far as don't use the same machine, to maximally decouple the 2nd factor from your passwords)
2) take measures to secure the machine to avoid compromise
3) don't sweat over it, if they only have the passwords without the 2FA codes for your logins nothing can happen and if you use a good security product this should not happen in the first place.
I have 2FA even on my old throw away yahoo account. Someone finally tried to access it and I got an alert and denied it. Never seen it in action before other than authenticating a session I initiated, pretty useful.