Time for new Password Manager

Status
Not open for further replies.

Paul.R

Level 17
Verified
Well-known
May 16, 2013
844
Bitwarden is sponsored by the Microsoft BizSpark program; that's why it is free.

I removed it from my systems and added KeePassXC for macOS/Windows and Kypass for iOS with cloud sync.
 

Garzaman

Level 3
Verified
Well-known
Nov 14, 2017
126
Moving from Bitwarden to LastPass.

Last week I tried, just for fun, some password managers, and it was impossible for me to create a CSV file with Bitwarden to export my vault. The resulting file had the "URL address" field empty, so I could not import the data into any of them.

I have returned to LastPass because it seems to me better debugged, but that's just my opinion.

Greetings
 
  • Like
Reactions: Solarlynx
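The export problem described in the post above (a vault export whose URL column came out empty, so nothing would import cleanly) is the kind of thing worth catching before a migration rather than after. The following is an added example, not code from the thread or from any of the products discussed: a small Go program that parses a CSV vault export and reports every row in which a required column is blank. The column names (`name`, `login_uri`, `login_username`, `login_password`) and the sample export are constructed for the example and are not taken from any particular product's format.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed sample export in a generic CSV layout (column names are assumed,
// not taken from any particular product). Line 4 has an empty URL and line 5
// an empty password, mimicking a broken export.
const sampleExport = `name,login_uri,login_username,login_password
Example Bank,https://bank.example,alice,correct horse battery staple
Forum,https://forum.example,alice_f,Tr0ub4dor&3
Broken Entry,,alice,hunter2
No Secret,https://shop.example,alice,
`

// ExportIssue records one blank required field in one data row.
type ExportIssue struct {
	Row   int    // 1-based line number in the CSV file (header is line 1)
	Field string // header name of the blank column
}

// CheckExport parses a CSV vault export and returns every row in which one of
// the required columns is blank, so the file can be fixed or re-exported
// before it is trusted for an import into another manager.
func CheckExport(data string, required []string) ([]ExportIssue, error) {
	r := csv.NewReader(strings.NewReader(data))
	r.FieldsPerRecord = -1 // tolerate ragged rows; a short row is reported below
	records, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("export is empty")
	}
	// Map header names to column positions and refuse to proceed if a
	// required column is missing entirely.
	col := map[string]int{}
	for i, h := range records[0] {
		col[strings.TrimSpace(h)] = i
	}
	for _, f := range required {
		if _, ok := col[f]; !ok {
			return nil, fmt.Errorf("required column %q not present in header", f)
		}
	}
	var issues []ExportIssue
	for i, rec := range records[1:] {
		line := i + 2 // data rows start on line 2
		for _, f := range required {
			idx := col[f]
			if idx >= len(rec) || strings.TrimSpace(rec[idx]) == "" {
				issues = append(issues, ExportIssue{Row: line, Field: f})
			}
		}
	}
	return issues, nil
}

func main() {
	required := []string{"name", "login_uri", "login_username", "login_password"}
	issues, err := CheckExport(sampleExport, required)
	if err != nil {
		fmt.Println("could not parse export:", err)
		return
	}
	for _, is := range issues {
		fmt.Printf("line %d: field %q is blank\n", is.Row, is.Field)
	}
	fmt.Printf("%d problem(s) found\n", len(issues))
}
```

Run against a real export (after adjusting the column names to the product's own header), a non-empty result means the export, not the importing tool, is what needs fixing; an empty result is a reasonable precondition before deleting the source vault.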

ForgottenSeer 58943

Thanks for this update. I signed up for a Bitwarden account and paid $10 to experience their premium service for a year. So far so good.

Are you going to use 2FA and TOTP? Also, try their support, it's fast and effective.
 

ForgottenSeer 58943

Moving from Bitwarden to LastPass.

Last week I tried, just for fun, some password managers, and it was impossible for me to create a CSV file with Bitwarden to export my vault. The resulting file had the "URL address" field empty, so I could not import the data into any of them.

I've had no import/export issues with Bit Warden. In fact, it's one of the best for importing from other managers. Did you reach out to support?
 

Garzaman

Level 3
Verified
Well-known
Nov 14, 2017
126
I've had no import/export issues with Bit Warden. In fact, it's one of the best for importing from other managers. Did you reach out to support?

No. The truth is that I just installed LastPass and I have been capturing the different passwords. I will try it again and, if not, I will do what you recommend and go to its support.

Thanks for the answer @ForgottenSeer 58943

Greetings
 
  • Like
Reactions: Solarlynx

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Moving from Bitwarden to LastPass.

Last week I tried, just for fun, some password managers, and it was impossible for me to create a CSV file with Bitwarden to export my vault. The resulting file had the "URL address" field empty, so I could not import the data into any of them.

I have returned to LastPass because it seems to me better debugged, but that's just my opinion.

Greetings

Did not have any issues importing from Roboform 8, LastPass 4 and Dashlane 5. The whole process was pretty straightforward. The only thing one may need to do is to sort the logins and other objects manually into separate folders. Give BW some time; I am sure the author will iron out the issues. Frankly, as much as I like LastPass, I am beginning to think the sudden arbitrary increase in subscription fees from $12 to $24 per year doesn't lend itself to happy users and renewals. Dashlane @ $40/year is a rip off in comparison.

Are you going to use 2FA and TOTP? Also, try their support, it's fast and effective.

Yes, I have 2FA and TOTP enabled. Haven't required any tech support yet. :)
 
  • Like
Reactions: Solarlynx

ForgottenSeer 58943

Did not have any issues importing from Roboform 8, LastPass 4 and Dashlane 5. The whole process was pretty straightforward. The only thing one may need to do is to sort the logins and other objects manually into separate folders. Give BW some time; I am sure the author will iron out the issues. Frankly, as much as I like LastPass, I am beginning to think the sudden arbitrary increase in subscription fees from $12 to $24 per year doesn't lend itself to happy users and renewals. Dashlane @ $40/year is a rip off in comparison.



Yes, I have 2FA and TOTP enabled. Haven't required any tech support yet. :)

Kyle over at Bit Warden started the company because he was a devout Last Pass user. He didn't like the closed source, multiple compromises/issues, and the ever increasing yearly fee. So he put together a concept and got a BizSpark grant through Microsoft via their Azure. He then spent every night for a year finishing off the product.

He shares my distrust of AWS and AWS crypto and won't use them. He open-sourced it and asked the community to help with regular code reviews and pen-testing. Hopefully, with the freemium and corporate business model, he can continue to grow it. I know it's under very active development right now.

I did a 'test' of Bit Warden, off the record, in August. I pretended to lose my Master Password and begged him for recovery. After my pestering I offered him $1,000 to recover it, and he said he can't because there is no way to decrypt. I didn't find the same level of security with Stickypassword, which offered me a method to recover my master password *IF* I had access to the APPDATA folder, untouched, on the original PC Sticky was installed on. Does anyone else find that a bit concerning? I kept the emails with them about this.

Interestingly, during my August testing of supposed zero-knowledge products/services, I found a method to gain access to encrypted Tutanota accounts. So that's one service I will never use, they also lowered their encryption to AES-128. No thanks.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Kyle over at Bit Warden started the company because he was a devout Last Pass user. He didn't like the closed source, multiple compromises/issues, and the ever increasing yearly fee. So he put together a concept and got a BizSpark grant through Microsoft via their Azure. He then spent every night for a year finishing off the product.

He shares my distrust of AWS and AWS crypto and won't use them. He open-sourced it and asked the community to help with regular code reviews and pen-testing. Hopefully, with the freemium and corporate business model, he can continue to grow it. I know it's under very active development right now.

I did a 'test' of Bit Warden, off the record, in August. I pretended to lose my Master Password and begged him for recovery. After my pestering I offered him $1,000 to recover it, and he said he can't because there is no way to decrypt. I didn't find the same level of security with Stickypassword, which offered me a method to recover my master password *IF* I had access to the APPDATA folder, untouched, on the original PC Sticky was installed on. Does anyone else find that a bit concerning? I kept the emails with them about this.

Interestingly, during my August testing of supposed zero-knowledge products/services, I found a method to gain access to encrypted Tutanota accounts. So that's one service I will never use, they also lowered their encryption to AES-128. No thanks.

Whoa! Thanks for sharing these insights on Stickypassword and Tutanota! And yes, I do find this a bit disconcerting.

I've been using Netaddress (AKA usa.net) in its various avatars as my primary email provider since 1997-98. It's difficult to move away after 2 decades but I need to select a backup provider especially a secure one. I believe Netaddress is anything but secure.

Did a fair bit of reading on the 'net and narrowed it down to Tutanota, Protonmail, Lavabit (of Snowden fame) & Posteo (based in Germany) as good candidates. I chose to subscribe to Lavabit (using a promo code received after its resurrection in early '17) and Posteo's premium service. Now that Tutanota is considered a risk, any thoughts on Protonmail, Posteo and Lavabit?
 
  • Like
Reactions: Solarlynx

ForgottenSeer 58943

Whoa! Thanks for sharing these insights on Stickypassword and Tutanota! And yes, I do find this a bit disconcerting.

I've been using Netaddress (AKA usa.net) in its various avatars as my primary email provider since 1997-98. It's difficult to move away after 2 decades but I need to select a backup provider especially a secure one. I believe Netaddress is anything but secure.

Did a fair bit of reading on the 'net and narrowed it down to Tutanota, Protonmail, Lavabit (of Snowden fame) & Posteo (based in Germany) as good candidates. I chose to subscribe to Lavabit (using a promo code received after its resurrection in early '17) and Posteo's premium service. Now that Tutanota is considered a risk, any thoughts on Protonmail, Posteo and Lavabit?

Posteo - has a poor interface and an overly aggressive 'default' spam filter that actually intercepts SOME emails they deem guaranteed spam and never alerts you to this. Hence, you never have a chance to actually see for yourself; they make that decision for you. Also, if I remember back, there were security issues with their password system. So I wrote them off. I wasn't happy about 'disappearing' emails they deemed spam when I was EXPECTING those emails.

Tutanota - there is an unknown, albeit not horrendously risky, backdoor method to regain access to email accounts you've lost the password for. It's a pretty lame backdoor, to be honest. Also, without a 'search' function it's pretty annoying to use. They've reduced encryption to AES-128 and nobody knows why. Otherwise the service is decent.

Protonmail - I won't use them. They got honeypotted by the Mossad and NSA a while back with that staged DDoS attack. Then 'Radware' was ready and stepped in to rescue them with their anti-DDoS pipe redirection crap through Radware-controlled pipes. The problem is, Radware IS an Israeli intelligence operation, has been implicated in spreading malware/MITM attacks, and is littered with Unit 8200 cyber experts. The theory some have is that this was the method used to get at least some access, metadata or otherwise, to a system that was frustrating authorities.

Currently I consider email privacy in the following order:

Zoho - Best general email, not requiring serious privacy/security but a GREAT Gmail replacement.

For anonymous, highly secure email I like:
Startmail
StartMail - Private & encrypted email made easy
Msgsafe.io
Most secure email - Free end to end encryption | MsgSafe.io
Lavabit
Securely Encrypted Email by Lavabit

Msgsafe is very interesting and the interface is fantastic. It shows a country-of-origin icon on each email and allows you to trace the email path with a single click. Their server farms are WAY out of reach of any relevant authority or jurisdiction and fall in Curacao, which has one of the strongest privacy-based constitutions in the world. Try it out; it's free and quite interesting, and safer than Tutanota and Protonmail IMO.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
@ForgottenSeer 58943, thanks once again for the additional insights & helpful advice. I already have an account with Lavabit and so need to check out Msgsafe & Startmail.

Cheers!
 

Node

Level 3
Verified
Aug 6, 2017
100
KeePassXC is a nicely maintained version developed by the community, and it's completely free.
 
  • Like
Reactions: Solarlynx

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
I didn't find the same level of security with Stickypassword who offered me a method to recover my master password *IF* I had access to the APPDATA folder untouched, on the original PC Sticky as installed on. Does anyone else find that a bit concerning? I kept the emails with them about this.
Are you able to share the details about that issue? I would like to test it myself and ask support about it. I was about to pay for their lifetime version.
 

ForgottenSeer 58943

Are you able to share the details about that issue? I would like to test it myself and ask support about it. I was about to pay for their lifetime version.

Sticky is still very safe IMO, in fact it's still high on my recommendation list. Recovery method given was to disable TFA for password recovery by using an obscure method requiring specific conditions and physical access to the machine. Only in rare cases could it be used, in my case at the time it wouldn't work. Keep in mind there has never been a hack/compromise with Sticky so it's widely considered to be a very secure if not the most secure password manager. Most of my friends/family use it and I have no desire to migrate them away from it.

So yeah, go ahead and enjoy a lifetime license for it IMO and don't worry about some ridiculous method for TFA removal and MP recovery that would never fall into place in 99.999% of cases.
 

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
Sticky is still very safe IMO, in fact it's still high on my recommendation list. Recovery method given was to disable TFA for password recovery by using an obscure method requiring specific conditions and physical access to the machine. Only in rare cases could it be used, in my case at the time it wouldn't work. Keep in mind there has never been a hack/compromise with Sticky so it's widely considered to be a very secure if not the most secure password manager. Most of my friends/family use it and I have no desire to migrate them away from it.

So yeah, go ahead and enjoy a lifetime license for it IMO and don't worry about some ridiculous method for TFA removal and MP recovery that would never fall into place in 99.999% of cases.
Thank you for the heads up; at least it's not as easy as I was thinking :) With that said, I will ask a question about what happens if they go out of business. With version 7 I could install and use the program without needing access to the internet, but with version 8 that is not quite possible.
 
  • Like
Reactions: mlnevese

ForgottenSeer 58943

Thank you for the heads up; at least it's not as easy as I was thinking :) With that said, I will ask a question about what happens if they go out of business. With version 7 I could install and use the program without needing access to the internet, but with version 8 that is not quite possible.

Sticky still has local access even without a connection. However, you are correct that the current versions REQUIRE an internet connection for activation. In such cases, I recommend doing a 'weekly' dump of your database onto a secured USB device and encrypting it.

What I do is:

1) Every 6-12 months, physically PRINT my password database, then roll it up and drop it into my fireproof floor safe under a hidden door under the floor.
2) Every month (or two), I dump the database and encrypt it with a crypto-cascade algorithm (Blowfish-AES-Twofish-Serpent-CAST6-IDEA): three independent keys, each with six different ciphers, using symmetric encryption with 6720 bits.

Then that encrypted dump is stored onsite (USB in hidden Wall Safe).
It is also stored offsite at Sync.com zero knowledge cloud drive. 2048 bit RSA, 256 bit AES, SSL and TLS encryption.

That way I have some redundancy in the event of any catastrophic loss, company folding up, or serious database disaster. No possible way for my redundancy to be compromised, period.
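The backup routine above amounts to: export the vault, encrypt the export under a key you control, and keep copies on and off site. As an added example (not code from the thread, and not the tool or cipher cascade the poster describes), here is a minimal Go program that seals a vault export with a standard construction: a key derived from a passphrase with PBKDF2-HMAC-SHA256 over a fresh random salt, then AES-256-GCM so that any tampering with the stored file, or a wrong passphrase, is detected on decryption instead of producing silent garbage. The sample export and the iteration count are constructed for the example; PBKDF2 is written out by hand only so the program needs nothing outside the standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32     // AES-256
	iterations = 100000 // PBKDF2 work factor; kept modest so the example runs quickly
)

// pbkdf2SHA256 derives keyLen bytes from a passphrase with PBKDF2-HMAC-SHA256
// (RFC 8018). Written out here so the example needs only the standard library.
func pbkdf2SHA256(pass, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, pass)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// SealBackup encrypts a vault export under a passphrase. Output layout:
// salt || nonce || AES-256-GCM ciphertext+tag. Salt and nonce are fresh per
// call and are bound into the authentication tag as associated data.
func SealBackup(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...) // copy so Seal does not overlap the nonce
	return gcm.Seal(out, nonce, plaintext, header), nil
}

// OpenBackup reverses SealBackup. Any change to the salt, nonce or ciphertext,
// or a wrong passphrase, fails authentication and returns an error.
func OpenBackup(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("backup too short to contain salt and nonce")
	}
	header := blob[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, blob[saltLen+nonceLen:], header)
}

func main() {
	// Constructed sample export standing in for a real vault dump.
	export := []byte("name,login_uri,login_username,login_password\nBank,https://bank.example,alice,s3cret\n")
	blob, err := SealBackup("correct horse battery staple", export)
	if err != nil {
		panic(err)
	}
	back, err := OpenBackup("correct horse battery staple", blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, export))
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered backup file
	_, err = OpenBackup("correct horse battery staple", blob)
	fmt.Println("tampered backup rejected:", err != nil)
}
```

The blob written to the USB stick or cloud drive carries its own salt and nonce, so nothing but the passphrase needs to be remembered; the offline copy on paper still covers the case where that passphrase is lost.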
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
@ForgottenSeer 58943, which tool do you use for the 'crypto-cascade' encryption?

I use Cryptomator, an open source encryption tool, for cloud/mobile access, instead of Axcrypt & Boxcryptor, which are subscription based, and Kryptel Enterprise or Kruptos 2 Pro for any USB or desktop file/folder encryption, including artefacts/dumps from my password manager(s), which are in turn stored locally (NAS/USB drives) and in the cloud (Sync.com and Spideroak). No hardcopies/printouts just yet.

My redundancy plan comprises a handful of password managers just in case one or more go out of business. When I see some companies offering freebies or very low priced software, I can't help but wonder how long they'll last. :)
 

ForgottenSeer 58943

@ForgottenSeer 58943, which tool do you use for the 'crypto-cascade' encryption?

I use Cryptomator, an open source encryption tool, for cloud/mobile access, instead of Axcrypt & Boxcryptor, which are subscription based, and Kryptel Enterprise or Kruptos 2 Pro for any USB or desktop file/folder encryption, including artefacts/dumps from my password manager(s), which are in turn stored locally (NAS/USB drives) and in the cloud (Sync.com and Spideroak). No hardcopies/printouts just yet.

My redundancy plan comprises a handful of password managers just in case one or more go out of business. When I see some companies offering freebies or very low priced software, I can't help but wonder how long they'll last. :)

Like Password Box, they sold tons and tons of lifetime licenses at the same time they were shopping for a buyer. They sold out to Intel who renamed it 'TrueKey' and gave all of the lifetime people a 6 month TrueKey subscription. (LOL) Most of these products appear to be short term operations.

My limited ability to trust keeps me having backups of all of this using my own cryptos. If any PW manager I used died tomorrow, I'd still be able to recover. My severe distrust of all things AWS has me always seeking non-AWS services (which is getting very hard), or making sure it's heavily encrypted using a non-AWS crypto API. Not a week goes by without AWS issues. Granted, many of them are configuration errors, but how can you be sure what you trust to AWS won't have bugs or configuration errors? That US-intel-assisted AWS crypto API I surely wouldn't trust.

Massive US military social media spying archive left wide open in AWS S3 buckets

ABC leaks thousands of user passwords in AWS S3 error
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
Posteo - has a poor interface and an overly aggressive 'default' spam filter that actually intercepts SOME emails they deem guaranteed spam and never alerts you to this. Hence, you never have a chance to actually see for yourself; they make that decision for you. Also, if I remember back, there were security issues with their password system. So I wrote them off. I wasn't happy about 'disappearing' emails they deemed spam when I was EXPECTING those emails.

Tutanota - there is an unknown, albeit not horrendously risky, backdoor method to regain access to email accounts you've lost the password for. It's a pretty lame backdoor, to be honest. Also, without a 'search' function it's pretty annoying to use. They've reduced encryption to AES-128 and nobody knows why. Otherwise the service is decent.

Protonmail - I won't use them. They got honeypotted by the Mossad and NSA a while back with that staged DDoS attack. Then 'Radware' was ready and stepped in to rescue them with their anti-DDoS pipe redirection crap through Radware-controlled pipes. The problem is, Radware IS an Israeli intelligence operation, has been implicated in spreading malware/MITM attacks, and is littered with Unit 8200 cyber experts. The theory some have is that this was the method used to get at least some access, metadata or otherwise, to a system that was frustrating authorities.

Currently I consider email privacy in the following order:

Zoho - Best general email, not requiring serious privacy/security but a GREAT Gmail replacement.

For anonymous, highly secure email I like:
Startmail
StartMail - Private & encrypted email made easy
Msgsafe.io
Most secure email - Free end to end encryption | MsgSafe.io
Lavabit
Securely Encrypted Email by Lavabit

Msgsafe is very interesting and the interface is fantastic. It shows a country-of-origin icon on each email and allows you to trace the email path with a single click. Their server farms are WAY out of reach of any relevant authority or jurisdiction and fall in Curacao, which has one of the strongest privacy-based constitutions in the world. Try it out; it's free and quite interesting, and safer than Tutanota and Protonmail IMO.

I'm willing to switch from posteo to something else but still searching...

Indeed, if you do not care about privacy or security, then go to Zoho. I used it and liked it, but suddenly my account was locked and support didn't want to respond.
Unfortunately msgsafe.io doesn't work with thunderbird.
I'm using startpage but I'm not sure about startmail.
 
  • Like
Reactions: Solarlynx