Which password manager do you use?

  • Bitwarden: 33 votes (33.3%)
  • LastPass: 26 votes (26.3%)
  • Keeper: 0 votes (0.0%)
  • Dashlane: 3 votes (3.0%)
  • Sticky Password: 11 votes (11.1%)
  • RoboForm: 2 votes (2.0%)
  • 1Password: 4 votes (4.0%)
  • Zoho Vault: 0 votes (0.0%)
  • Provided by my security software (F-Secure, Avast, Trend Micro, Kaspersky etc.; leave a comment): 3 votes (3.0%)
  • Other (leave a comment): 17 votes (17.2%)

Total voters: 99

mlnevese

Level 16
Verified
I use Sticky Password. My brain.exe is not compatible with 200+ different logins and credentials all using different passwords :)

vinylmeister

Level 2
Can you explain why it's not safe? What do you base that on?
Webinterface: The problem is that the encryption and decryption of the password database is done by JavaScript. JavaScript and security are two parameters that are mutually exclusive. You could perhaps overlook this, but not by integrating JavaScript code from other domains into the context of the highly sensitive environment.

The content security policy of the Bitwarden web interface is structured as follows:
Code:
    Content-Security-Policy:
    default-src 'self';
    script-src 'self' 'sha256-ryoU+5+IUZTuUyTElqkrQGBJXr1brEv6r2CA62WUw8w=' https://js.stripe.com https://js.braintreegateway.com https://www.paypalobjects.com;
    style-src 'self' 'unsafe-inline' https://assets.braintreegateway.com https://*.paypal.com;
    img-src 'self' data: https://icons.bitwarden.net https://*.paypal.com https://www.paypalobjects.com https://q.stripe.com https://haveibeenpwned.com https://www.gravatar.com;
    child-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
    frame-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
    connect-src 'self' wss://notifications.bitwarden.com https://notifications.bitwarden.com https://cdn.bitwarden.net https://api.pwnedpasswords.com https://twofactorauth.org https://api.stripe.com https://www.paypal.com https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://*.braintree-api.com;
    object-src 'self' blob:;
In particular, the script-src line is thought-provoking, since, among other things, the reloading of JavaScript from third-party sources is permitted. With each resource that Bitwarden integrates into the context of the web interface, the site enters into a trust relationship with the respective source or domain. This in turn also means that the actual control over the delivered resource lies solely with the third-party provider. If, however, the third-party provider is compromised or hacked in any way, this can possibly lead to the attacker modifying the resource to be delivered and, for example, a malicious JavaScript code being delivered to the user instead of a harmless one.

Android app: The Android app (version 1.21.0) also includes three trackers:

  • Google Analytics
  • Google Firebase Analytics
  • HockeyApp

In a practical test I was able to detect two of these trackers. Immediately after opening the app, data is transferred to Google Analytics and Google Firebase Analytics, regardless of whether the user has consented or not. While leaving Google Firebase Analytics active might still be an oversight, the Google Analytics tracker was deliberately integrated. Trackers have no place in an app that manages data as sensitive as passwords; such "mistakes" are hard for me to understand. At least tracking can be deactivated via the options.

Furthermore, I was a bit surprised that my master password obviously goes over the wire, albeit in some hashed form [POST request]:

Code:
    grant_type=password
    &username=XY
    &password=DkSSVh%2FsNxf6s8qOIO5apW9mQzWit65H99TAZItZMps%3D
    &scope=api+offline_access
    &client_id=mobile
    &DeviceType=Android
    &DeviceIdentifier=02efaea0-6d37-4a51-b868-279eab44ab70
    &DeviceName=Redmi+Note+4&DevicePushToken=
Here I would have wished for a separation between authentication and the encryption of the password database. Maybe a master key or something similar is derived from the master password. You would have to have a closer look at the source code.

Source: Kuketz-Blog
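The trust relationship the quoted analysis describes can be checked mechanically. As an added example (not code from the post, the blog or Bitwarden), this Python script parses a CSP header value and lists the script-src entries that let script load from a host the site does not control; the sample header is re-typed from the directives quoted above, and the first-party host name is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample: the script-src and style-src lines quoted in the post
# above, re-typed as one header value (the real header is longer).
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'sha256-ryoU+5+IUZTuUyTElqkrQGBJXr1brEv6r2CA62WUw8w=' "
    "https://js.stripe.com https://js.braintreegateway.com "
    "https://www.paypalobjects.com; "
    "style-src 'self' 'unsafe-inline' https://assets.braintreegateway.com "
    "https://*.paypal.com; "
    "object-src 'self' blob:"
)

# Keyword sources never name a remote host.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'strict-dynamic'", "'unsafe-hashes'"}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def third_party_script_sources(policy, first_party_host):
    """Return script-src entries that let script load from another origin.

    'sha256-'/'nonce-' sources are skipped: they gate inline scripts and do
    not grant any remote host. A scheme-only source such as https: is
    reported too, since it allows every host using that scheme.
    """
    sources = policy.get("script-src") or policy.get("default-src", [])
    flagged = []
    for src in sources:
        if src in KEYWORDS or src.startswith(("'sha", "'nonce-")):
            continue
        if src.endswith(":"):          # scheme-source, e.g. https: or blob:
            flagged.append(src)
            continue
        url = src if "://" in src else "//" + src
        host = (urlsplit(url).hostname or src).lower()
        if host != first_party_host.lower():
            flagged.append(src)
    return sorted(flagged)
```

A cross-origin script that such a policy allows can still be pinned to known content with a Subresource Integrity (`integrity=`) attribute on the script tag, which is the usual mitigation for the compromised-third-party scenario the post describes.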
 
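On the quoted post's closing question of whether a master key is derived from the master password: the two-stage derivation below is an added illustration, not Bitwarden's own code, of how a client can keep the vault encryption key separate from the credential it sends at login. It assumes PBKDF2-SHA256 with the account e-mail as salt; the iteration counts and the server-side salt are placeholders.

```python
import base64
import hashlib
import hmac

# Illustrative iteration counts (assumption, not the product's current values).
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def derive_master_key(master_password, email):
    """Stretch the master password into a 256-bit master key.

    The normalised e-mail is the salt, so two users with the same password
    get different keys. This key decrypts the vault and never leaves the
    client.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               CLIENT_ITERATIONS)


def derive_auth_hash(master_key, master_password):
    """Derive the login credential from the master key with one more
    PBKDF2 round, salted with the password. The server only ever sees
    this value, and PBKDF2 is one-way, so it cannot recover master_key."""
    return hashlib.pbkdf2_hmac("sha256", master_key,
                               master_password.encode("utf-8"), 1)


def login_password_field(master_password, email):
    """Base64 text a client would send in the password= form field: the
    same 44-character shape as in the captured request above."""
    master_key = derive_master_key(master_password, email)
    auth_hash = derive_auth_hash(master_key, master_password)
    return base64.b64encode(auth_hash).decode("ascii")


def server_store(password_field, salt):
    """Server side: stretch the received hash again before storing it, so a
    stolen user table does not directly yield a usable login credential."""
    return hashlib.pbkdf2_hmac("sha256", base64.b64decode(password_field),
                               salt, SERVER_ITERATIONS)


def server_verify(password_field, salt, stored):
    """Compare a login attempt with the stored value in constant time."""
    return hmac.compare_digest(server_store(password_field, salt), stored)
```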

RodM1956

Level 3
I would say LastPass is the easiest, and most convenient. It is web based, BUT I'm not sure this is a bad thing, they endeavor to make their server (hard drive) secure, just like you do your own.

2nd would be Dashlane, same as LastPass, as far as convenience, but it is not web based, your passwords are on your PC.

IF I couldn't have LastPass, or Dashlane, my 3rd choice would be Sticky Password.... It is secure like Dashlane, and passwords reside on your PC, BUT it is not as polished as LastPass or Dashlane, as far as web form fill...

LastPass, does EVERYTHING for you, remembers history, passwords, fills forms ETC.
 

Thales

Level 5
[Quoting vinylmeister's post above]
Well, maybe I should go back to KeePassXC...

Oxygen

Level 42
Verified
Bitwarden since 2016, and I have not looked at another password manager since, as it does everything I would expect a password manager to do. No major issues while using it all these years.

Previously I was using LastPass from 2013-2016 but I'm not sure how they are doing today because I stopped using them due to a decision they made a few years ago.
 

IkariGradius

Level 1
Verified
After trying most password managers, I'm now using 1Password. It's rock solid, even on PC and Android (they used to be mostly focused on Apple products, but most platforms are on par now). If I had to change, I would probably use Bitwarden.
 

Mops21

Level 27
Verified
Trusted
Content Creator
Hi all

Why do some people not use Sticky Password any more?

I sent them some questions and have their answers for you.

1. Is any info about a new version available? If yes, what info, and when does the new version come?

2. Will you continue the development of Sticky Password?

3. Where can I find the changelog of Sticky Password?

And the answers:

1. A new update of Sticky Password is currently being prepared for a release, which should occur in circa 2 weeks from now.

2. Yes, Sticky Password is being developed continuously.

3. You can find the complete list of changes made in the past updates of Sticky Password in the Release notes sections accessible from our download page: https://www.stickypassword.com/download

With best regards
Mops21