> Why?
Hotspotshield is an ad bomber (at least for the free version) and its security/privacy is subpar from what I read/heard.
> Hotspotshield is an ad bomber (at least for the free version) and its security/privacy is subpar from what I read/heard.
True for the free version. I can testify not true for the premium version. As far as speed goes, in my limited trial of VPN services, it is the fastest.
> So this is bad or good? I don’t understand!
Time will tell.
Hello
I have been using 1Password for a couple of years now, but sadly I feel like a change. What do you recommend? What is the state of password managers in 2019?
I see password managers like Keeper and Dashlane getting bigger, while LastPass seems to have really slow development?
> Password managers are great. But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.
> So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in the computer memory while locked. According to researchers, this renders them “no more secure than saving passwords in a text file”.
> The ISE evaluated 1Password, Dashlane, KeePass, and LastPass, which are used by a total of 60 million users and 93,000 businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.
> According to the ISE, worryingly, the researchers found that in some circumstances the master password was residing in the computer’s memory in a plain text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.
Oh sh!t?
> Oh sh!t?
These vulnerabilities were in the desktop apps and fixed quickly if I remember correctly.
> These vulnerabilities were in the desktop apps and fixed quickly if I remember correctly.
I suspect the same, but to confirm it one would have to backtrack updates, and because that report (very interesting read) is from February this year I’d rather pass and take a cup of coffee instead.
> I suspect the same, but to confirm it one would have to backtrack updates, and because that report (very interesting read) is from February this year I’d rather pass and take a cup of coffee instead.
I’m just remembering, possibly incorrectly, from reading the responses from the companies to the press. I could be conflating it with a different issue.
> Oh sh!t?
Here's the link for anyone that's curious.
Password Managers: Under the Hood of Secrets Management - Independent Security Evaluators (www.ise.io)
Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose...
> Does anyone know if Bitwarden will ever become more polished? I know you don't know what I am talking about; I am talking about the GUI.
> I want sections for license keys for my software.
What do you mean? You want to create a space in the vault to keep your license keys? You can do it already: just create a folder and inside make an entry for each software, then put the license keys in the note area.
> Does anyone know if Bitwarden will ever become more polished? I know you don't know what I am talking about; I am talking about the GUI.
> I want sections for license keys for my software.
You can put them in secure notes or the secure notes on a login.
> You can put them in secure notes or the secure notes on a login.
Yes LOL, I never paid attention to this hahahaha
> Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.
This is the whole point of end-to-end encryption and hashing. Your "vault" is encrypted with your master password, only you know this password, the server sees a hashed version of it that your local client sends. In the case of Bitwarden it's hashed again server-side before checking if the hashes match.
I'll use Bitwarden as an example:
> Does Bitwarden use a salted hash for my password?
> Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in.
> The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have no value to the hacker.
> True, but, all these password managers nowadays use 2FA, 1Password uses 3FA...
> One is the master password
> One is the Secret Key
> One is the one time password from Google Authenticator, Authy, etc...
> What about that scenario?
Your OTP won't protect you if your password manager is hacked, or anything is hacked for that matter. Once the database is local your "vault" is encrypted with your master password in most password managers, and secret key as well in 1Password.
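To make the two-stage salted hashing from the Bitwarden FAQ quoted above concrete, here is an added example (not code from this thread and not Bitwarden's own implementation). It models a client that hashes the master password with the email as salt, a server that re-hashes what it receives with a fresh random salt, and a separately derived vault key that never leaves the client. The iteration counts, the `vault:` salt prefix, the in-memory `Server` class and the `what_a_breach_exposes` helper are all assumptions for illustration, not the real service's parameters.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration; a real client tunes these itself.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def _normalise_email(email: str) -> bytes:
    # The email doubles as the client-side salt, so normalise it before use.
    return email.strip().lower().encode()


def client_hash(master_password: str, email: str) -> bytes:
    """Client side: salt the master password with the email and hash it.
    Only this value travels to the server; the password itself never does."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), _normalise_email(email), CLIENT_ITERATIONS
    )


def vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that actually encrypts the vault.
    Derived with a different salt so it is unrelated to the login hash and
    is never transmitted (simplified, assumed design)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), b"vault:" + _normalise_email(email), CLIENT_ITERATIONS
    )


class Server:
    """In-memory stand-in for the service's user table (constructed for the example)."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)  # cryptographically secure random per-user salt
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        self.users[email] = (salt, stored)

    def login(self, email: str, login_hash: bytes) -> bool:
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison

    def leak(self, email: str) -> tuple[bytes, bytes]:
        """What a dumped database would contain for one user: salt and server hash."""
        return self.users[email]


def what_a_breach_exposes(email: str, master_password: str) -> dict:
    """Register, log in, then check what a leaked server record does and does not contain."""
    server = Server()
    login_hash = client_hash(master_password, email)
    server.register(email, login_hash)
    _salt, stored = server.leak(email)
    vkey = vault_key(master_password, email)
    return {
        "login_ok": server.login(email, login_hash),
        "wrong_password_rejected": not server.login(email, client_hash("not-it", email)),
        # The server never stores the value the client sent, only a salted hash of it...
        "stored_equals_client_hash": stored == login_hash,
        # ...and certainly not the vault key, which was never transmitted at all.
        "stored_equals_vault_key": stored == vkey,
        "login_hash_equals_vault_key": login_hash == vkey,
    }


if __name__ == "__main__":
    print(what_a_breach_exposes("alice@example.com", "correct horse battery staple"))
```

The point the thread makes falls out of the last three fields: a leaked server record holds neither the value the client sends nor the vault key, so a breach of the service alone yields nothing that decrypts a vault. What the record does allow is offline guessing of weak master passwords through both PBKDF2 stages, which is why the master password still has to be strong.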
> If you're hacked, you're done: they take all the passwords from your local machine when you decrypt them with your master password, not from the remote server. To mitigate this
> 1) never store your 2FA codes for your accounts on the same password manager you use for your passwords (I'd go as far as don't use the same machine, to maximally decouple the 2nd factor from your passwords)
> 2) take measures to secure the machine to avoid compromise
> 3) don't sweat over it, if they only have the passwords without the 2FA codes for your logins nothing can happen and if you use a good security product this should not happen in the first place.
I have 2FA even on my old throwaway yahoo account. Someone finally tried to access it and I got an alert and denied it. Never seen it in action before other than authenticating a session I initiated, pretty useful.