Password Managers 2019

vaccineboy

Level 3
Verified
Well-known
Sep 5, 2018
125
Hotspotshield is an ad bomber (at least for the free version) and its security/privacy is subpar from what I read/heard.
True for the free version. I can testify not true for the premium version. As far as speed goes, in my limited trial of VPN services, it is the fastest.

Edit: It uses its own proprietary protocol instead of OpenVPN or IKEv2 like all the others and claims this is the reason for its superior speed. Security? It was under audit recently (before the sale) if I recall correctly. Whether the audit is reliable? I have no idea.

liffew

New Member
Oct 23, 2019
5
Hello

I have been using 1Password for a couple of years now, but sadly I feel like a change. What do you recommend? What is the state of password managers in 2019?

I see password managers like Keeper and Dashlane getting bigger? While Lastpass seems to have really slow development?

Password managers are great. But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.

So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in the computer memory while locked. According to researchers, this renders them “no more secure than saving passwords in a text file”.

The ISE evaluated 1Password, Dashlane, KeePass, and LastPass, which are used by a total of 60 Million users and 93,000 Businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.

According to the ISE, worryingly, the researchers found that in some circumstances the master password was residing in the computer’s memory in a plain-text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.

vaccineboy

Level 3
Verified
Well-known
Sep 5, 2018
125
Password managers are great. But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.

So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in the computer memory while locked. According to researchers, this renders them “no more secure than saving passwords in a text file”.

The ISE evaluated 1Password, Dashlane, KeePass, and LastPass, which are used by a total of 60 Million users and 93,000 Businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.

According to the ISE, worryingly, the researchers found that in some circumstances the master password was residing in the computer’s memory in a plain-text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.
Oh sh!t?

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
These vulnerabilities were in the desktop apps and fixed quickly if I remember correctly.
I suspect the same, but to confirm it one has to backtrack updates, and because that report (very interesting read) is from February this year I'd rather pass and take a cup of coffee instead. :D :coffee:

Here's the link for anyone that's curious.

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,730
I suspect the same, but to confirm it one has to backtrack updates, and because that report (very interesting read) is from February this year I'd rather pass and take a cup of coffee instead. :D :coffee:

Here's the link for anyone that's curious.
I’m just remembering, possibly incorrectly, from reading the responses from the companies to the press. I could be conflating it with a different issue.

ng4ever

Level 16
Verified
Feb 11, 2016
789
Does anyone know if Bitwarden will ever become more polished? I know you don't know what I am talking about; I am talking about the GUI.

I want sections for license keys for my software.

ForgottenSeer 823865

Does anyone know if Bitwarden will ever become more polished? I know you don't know what I am talking about; I am talking about the GUI.

I want sections for license keys for my software.
What do you mean? You want to create a space in the vault to keep your license keys? You can do it already: just create a folder and inside it make an entry for each piece of software, then put the license key in the note area.

reystar

Level 3
Thread author
Verified
Feb 4, 2014
105
Password managers are great. But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.

So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in the computer memory while locked. According to researchers, this renders them “no more secure than saving passwords in a text file”.

The ISE evaluated 1Password, Dashlane, KeePass, and LastPass, which are used by a total of 60 Million users and 93,000 Businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.

According to the ISE, worryingly, the researchers found that in some circumstances the master password was residing in the computer’s memory in a plain-text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.

True, but all these password managers nowadays use 2FA; 1Password uses 3FA...

One is the master password
One is the Secret Key
One is the one time password from Google Authenticator, Authy, etc...

What about that scenario?

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
Of course, if they are hacked, all your passwords are there for attackers to see and that would be a disaster.
This is the whole point of end-to-end encryption and hashing. Your "vault" is encrypted with your master password; only you know this password, and the server sees a hashed version of it that your local client sends. In the case of Bitwarden it's hashed again server-side before checking if the hashes match.

I'll use Bitwarden as an example:

Bitwarden salts and hashes your master password with your email address on the client (your computer/device) before it is transmitted to our servers. Once the server receives the hashed password from your computer/device it is then salted again with a cryptographically secure random value, hashed again and stored in our database. This process is repeated and hashes are compared every time you log in.

The hashing functions that are used are one way hashes. This means that they cannot be reverse engineered by anyone at Bitwarden to reveal your true master password. In the hypothetical event that the Bitwarden servers were hacked and your data was leaked, the data would have no value to the hacker.

Does Bitwarden use a salted hash for my password?

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
True, but all these password managers nowadays use 2FA; 1Password uses 3FA...

One is the master password
One is the Secret Key
One is the one time password from Google Authenticator, Authy, etc...

What about that scenario?
Your OTP won't protect you if your password manager is hacked, or anything is hacked for that matter. Once the database is local, your "vault" is encrypted with your master password in most password managers, and with the secret key as well in 1Password.

Without going too deep into AES and KDF I'll keep it simple. A secret key is a pretty neat idea, but in reality, if your master password is good then it's not going to make that much of a difference. It is in theory more secure, but as long as your master password is genuinely good the secret key will be more of an inconvenience, or at least that's how I found it when I tried 1Password.

Your master password is absolutely crucial. Make it good, don't use it anywhere else and never store it anywhere else unless it is physically secure. If you do this, you'll be fine assuming your password manager implemented everything accordingly.
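As an added example (not Bitwarden's or 1Password's code, and not written by anyone in this thread), the Python model below follows the scheme Threadripper describes in the two posts above: the client derives a key from the master password salted with the e-mail address, sends only a further hash to the server, and the server salts and hashes that again before storing it; the vault itself is sealed locally with the derived key, so the one-time password plays no part in opening a vault that is already on the device. The iteration counts, the HMAC-based mixing of a 1Password-style secret key, and the HMAC keystream standing in for AES are assumptions made for this example; the sample e-mail, password and vault entry are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions chosen for illustration, not any vendor's settings.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000
KEY_LEN = 32


def derive_master_key(master_password: str, email: str,
                      secret_key: Optional[bytes] = None) -> bytes:
    """Client-side derivation: PBKDF2-HMAC-SHA256 over the master password,
    salted with the normalised e-mail. A 1Password-style secret key, if given,
    is mixed in with HMAC so the vault key needs both secrets (assumed scheme).
    No OTP enters here: the second factor gates the server login, never the
    key that opens a vault already sitting on the device."""
    salt = email.strip().lower().encode()
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              CLIENT_ITERATIONS, KEY_LEN)
    if secret_key is not None:
        key = hmac.new(secret_key, b"vault-key|" + key, hashlib.sha256).digest()
    return key


def auth_hash(master_key: bytes, master_password: str) -> bytes:
    """The value the client transmits: one more PBKDF2 round keyed by the
    master key, so the key that decrypts the vault never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(),
                               1, KEY_LEN)


class ToyServer:
    """Keeps only a second hash, salted with a fresh random value per account."""

    def __init__(self) -> None:
        self.db = {}  # email -> (salt, stored_hash)

    @staticmethod
    def _server_hash(client_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", client_hash, salt,
                                   SERVER_ITERATIONS, KEY_LEN)

    def register(self, email: str, client_hash: bytes) -> None:
        salt = os.urandom(16)
        self.db[email] = (salt, self._server_hash(client_hash, salt))

    def login(self, email: str, client_hash: bytes) -> bool:
        record = self.db.get(email)
        if record is None:
            return False
        salt, stored = record
        # Constant-time compare of the re-hashed submission against the record.
        return hmac.compare_digest(self._server_hash(client_hash, salt), stored)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream: a standard-library
    stand-in for the AES-based vault encryption real managers use."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(master_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Registration, login and vault access with constructed sample data."""
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    entry = b"github.com: hunter2"                                       # constructed
    mk = derive_master_key(password, email)
    server = ToyServer()
    server.register(email, auth_hash(mk, password))
    _, stored = server.db[email]
    vault = seal_vault(mk, entry)  # what lives on disk and syncs to the server
    wrong_mk = derive_master_key("wrong password", email)
    return {
        "login_ok": server.login(email, auth_hash(mk, password)),
        "wrong_password_rejected": server.login(email, auth_hash(wrong_mk, "wrong password")),
        "server_record_reveals_key": stored in (mk, auth_hash(mk, password)),
        "vault_opens_with_master_key": open_vault(mk, vault) == entry,
        "vault_refuses_wrong_key": open_vault(wrong_mk, vault) is None,
        "secret_key_changes_vault_key": derive_master_key(password, email, os.urandom(32)) != mk,
    }
```

Call `demo()` to run the walkthrough; the dictionary it returns shows that a leaked server record is neither the vault key nor the value the client sent, that the wrong master password opens nothing, and that adding a secret key changes the vault key while the OTP never touches it.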

notabot

Level 15
Verified
Oct 31, 2018
703
This is the whole point of end-to-end encryption and hashing. Your "vault" is encrypted with your master password; only you know this password, and the server sees a hashed version of it that your local client sends. In the case of Bitwarden it's hashed again server-side before checking if the hashes match.

I'll use Bitwarden as an example:

If you're hacked you're done: they take all the passwords from your local machine when you decrypt them with your master password, not from the remote server. To mitigate this:

1) never store your 2FA codes for your accounts on the same password manager you use for your passwords (I'd go as far as don't use the same machine, to maximally decouple the 2nd factor from your passwords)
2) take measures to secure the machine to avoid compromise
3) don't sweat over it, if they only have the passwords without the 2FA codes for your logins nothing can happen and if you use a good security product this should not happen in the first place.

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,730
If you're hacked you're done: they take all the passwords from your local machine when you decrypt them with your master password, not from the remote server. To mitigate this:

1) never store your 2FA codes for your accounts on the same password manager you use for your passwords (I'd go as far as don't use the same machine, to maximally decouple the 2nd factor from your passwords)
2) take measures to secure the machine to avoid compromise
3) don't sweat over it, if they only have the passwords without the 2FA codes for your logins nothing can happen and if you use a good security product this should not happen in the first place.
I have 2FA even on my old throw away yahoo account. Someone finally tried to access it and I got an alert and denied it. Never seen it in action before other than authenticating a session I initiated, pretty useful.