Which Password Manager do you use in 2019?

Which password manager do you use?

  • Bitwarden

    Votes: 34 34.0%

  • LastPass

    Votes: 26 26.0%

  • Keeper

    Votes: 0 0.0%

  • Dashlane

    Votes: 3 3.0%

  • Sticky Password

    Votes: 11 11.0%

  • RoboForm

    Votes: 2 2.0%

  • 1Password

    Votes: 4 4.0%

  • Zoho Vault

    Votes: 0 0.0%

  • Provided by my security software (F-Secure, Avast, Trend Micro, Kaspersky etc. leave a comment)

    Votes: 3 3.0%

  • Other (leave a comment)

    Votes: 17 17.0%
  • Total voters
    100
mlnevese

mlnevese

Level 28
Verified
Top Poster
Well-known
May 3, 2015
1,760
I use stickypasword. My brain.exe is not compatible with 200+ different logins and credentials all using different passwords :)
 
  • Like
Reactions: harlan4096
vinylmeister

vinylmeister

Level 2
Verified
Jan 29, 2015
96
lobo001 said:
Can you explain why it's not safe ?? in what you base??
Click to expand...

Webinterface: The problem is that the encryption and decryption of the password database is done by JavaScript. JavaScript and security are two parameters that are mutually exclusive. You could perhaps overlook this, but not by integrating JavaScript code from other domains into the context of the highly sensitive environment.

The content security policy of the Bitwarden web interface is structured as follows:
Code: 
Content-Security-Policy:
default-src 'self';
script-src 'self' 'sha256-ryoU+5+IUZTuUyTElqkrQGBJXr1brEv6r2CA62WUw8w=' https://js.stripe.com https://js.braintreegateway.com https://www.paypalobjects.com;
style-src 'self' 'unsafe-inline' https://assets.braintreegateway.com https://*.paypal.com; img-src 'self' data: https://icons.bitwarden.net https://*.paypal.com https://www.paypalobjects.com https://q.stripe.com https://haveibeenpwned.com https://www.gravatar.com;
child-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
frame-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
connect-src 'self' wss://notifications.bitwarden.com https://notifications.bitwarden.com https://cdn.bitwarden.net https://api.pwnedpasswords.com https://twofactorauth.org https://api.stripe.com https://www.paypal.com https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://*.braintree-api.com;
object-src 'self' blob:;

In particular, the script-src line is thought-provoking, since, among other things, the reloading of JavaScript from third-party sources is permitted. With each resource that Bitwarden integrates into the context of the web interface, the site enters into a trust relationship with the respective source or domain. This in turn also means that the actual control over the delivered resource lies solely with the third-party provider. If, however, the third-party provider is compromised or hacked in any way, this can possibly lead to the attacker modifying the resource to be delivered and, for example, a malicious JavaScript code being delivered to the user instead of a harmless one.

Android app: The Android app (version 1.21.0) also includes three trackers:

Google Analytics
Google Firebase Analytics
hockey app

In a practical exam I was able to discover two of these trackers. Immediately after opening the app, data is transferred to Google Analytics and Google Firebase Analytics - regardless of whether the user has agreed or not. While Google Firebase Analytics might still be a failure to deactivate, Google Analytics Tracker was deliberately integrated. In an app context that manages such sensitive data as passwords, trackers have basically lost nothing - such "mistakes" are hard for me to understand. After all, tracking can be deactivated via the options.

Furthermore, I was a bit surprised that my master password obviously goes over the line - albeit in a somehow hashed format [POST Request]:

Code: 
grant_type=password
&username=XY
&password=DkSSVh%2FsNxf6s8qOIO5apW9mQzWit65H99TAZItZMps%3D
&scope=api+offline_access
&client_id=mobile
&DeviceType=Android
&DeviceIdentifier=02efaea0-6d37-4a51-b868-279eab44ab70
&DeviceName=Redmi+Note+4&DevicePushToken=

Here I would have wished for a separation between authentication and the encryption of the password database. Maybe a master key or something similar is derived from the master password. You would have to have a closer look at the source code.

Source: Kuketz-Blog
 
  • Like
Reactions: JB007, Thales, harlan4096 and 1 other person
R

RodM1956

Level 4
Verified
Feb 1, 2019
184
I would say Lastpass is the easiest, and most convenient. It is web based, BUT I'm not sure this is a bad thing, they endeavor to make their server (hard drive) secure, just like you do your own.

2nd would be Dashlane, same as Lastpass, as far as convenience, but it is not web based, your passwords are on your PC.

IF I couldn't have Last Pass, or Dashlane, my 3rd choice would be Sticky Password.... It is secure like Dashlane, and passwords reside on your PC, BUT it is not as polished as LastPass or Dashlane, as far as web form fill...

LastPass, does EVERYTHING for you, remembers history, passwords, fills forms ETC.
 
Thales

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
732
vinylmeister said:
Webinterface: The problem is that the encryption and decryption of the password database is done by JavaScript. JavaScript and security are two parameters that are mutually exclusive. You could perhaps overlook this, but not by integrating JavaScript code from other domains into the context of the highly sensitive environment.

The content security policy of the Bitwarden web interface is structured as follows:
Code: 
Content-Security-Policy:
default-src 'self';
script-src 'self' 'sha256-ryoU+5+IUZTuUyTElqkrQGBJXr1brEv6r2CA62WUw8w=' https://js.stripe.com https://js.braintreegateway.com https://www.paypalobjects.com;
style-src 'self' 'unsafe-inline' https://assets.braintreegateway.com https://*.paypal.com; img-src 'self' data: https://icons.bitwarden.net https://*.paypal.com https://www.paypalobjects.com https://q.stripe.com https://haveibeenpwned.com https://www.gravatar.com;
child-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
frame-src 'self' https://js.stripe.com https://assets.braintreegateway.com https://*.paypal.com https://*.duosecurity.com;
connect-src 'self' wss://notifications.bitwarden.com https://notifications.bitwarden.com https://cdn.bitwarden.net https://api.pwnedpasswords.com https://twofactorauth.org https://api.stripe.com https://www.paypal.com https://api.braintreegateway.com https://client-analytics.braintreegateway.com https://*.braintree-api.com;
object-src 'self' blob:;

In particular, the script-src line is thought-provoking, since, among other things, the reloading of JavaScript from third-party sources is permitted. With each resource that Bitwarden integrates into the context of the web interface, the site enters into a trust relationship with the respective source or domain. This in turn also means that the actual control over the delivered resource lies solely with the third-party provider. If, however, the third-party provider is compromised or hacked in any way, this can possibly lead to the attacker modifying the resource to be delivered and, for example, a malicious JavaScript code being delivered to the user instead of a harmless one.

Android app: The Android app (version 1.21.0) also includes three trackers:

Google Analytics
Google Firebase Analytics
hockey app

In a practical exam I was able to discover two of these trackers. Immediately after opening the app, data is transferred to Google Analytics and Google Firebase Analytics - regardless of whether the user has agreed or not. While Google Firebase Analytics might still be a failure to deactivate, Google Analytics Tracker was deliberately integrated. In an app context that manages such sensitive data as passwords, trackers have basically lost nothing - such "mistakes" are hard for me to understand. After all, tracking can be deactivated via the options.

Furthermore, I was a bit surprised that my master password obviously goes over the line - albeit in a somehow hashed format [POST Request]:

Code: 
grant_type=password
&username=XY
&password=DkSSVh%2FsNxf6s8qOIO5apW9mQzWit65H99TAZItZMps%3D
&scope=api+offline_access
&client_id=mobile
&DeviceType=Android
&DeviceIdentifier=02efaea0-6d37-4a51-b868-279eab44ab70
&DeviceName=Redmi+Note+4&DevicePushToken=

Here I would have wished for a separation between authentication and the encryption of the password database. Maybe a master key or something similar is derived from the master password. You would have to have a closer look at the source code.

Source: Kuketz-Blog
Click to expand...

Well, maybe I should go back to KeepassXC...
 
Last edited:
  • Like
Reactions: harlan4096 and Gandalf_The_Grey
Oxygen

Oxygen

Level 44
Verified
Feb 23, 2014
3,327
Bitwarden since 2016 and I have not looked at another password manger since as it does everything I would expect a password manager to do. No major issues while using it all these years.

Previously I was using LastPass from 2013-2016 but I'm not sure how they are doing today because I stopped using them due to a decision they made a few years ago.
 
  • Like
Reactions: CyberTech, Thales, Weebarra and 1 other person
IkariGradius

IkariGradius

Level 2
Verified
Jan 17, 2019
70
After trying most password managers, I'm now using 1Password. It's rock solid, even on PC and Android (they used to be mostly focused on Apple products, but most platforms are on par now). If i had to change, i would probably use Bitwarden.
 
  • Like
Reactions: CyberTech, Weebarra and Oxygen
M

Mops21

Level 36
Verified
Honorary Member
Content Creator
Oct 25, 2014
2,503
Hi all

Why did not some peoples use Sticky Password any more

I have send the some questions and have any answers of them for you

1. Any infos about a new Version available when yes which infos and when
comes the new Version

2. Will you continue the Develop of Sticky Password

3. Where can I find the Changelog of Sticky Password

And the answers

1. A new update of Sticky Password is currently being prepared for a release, which should occur in circa 2 weeks from now

2. Yes, Sticky Password is being developed continuously

3. You can find the complete list of changes made in the past updates of Sticky Password in the Release notes sections accessible from our download page; https://www.stickypassword.com/download

With best Regards
Mops21
 

Similar threads

lokamoka820
    • Like
Serious Discussion Do You Use a Backup Password Manager, or You Just Rely on Your Primary One?
Replies
34
Views
1,571
Passwords and passkeys
lokamoka820
lokamoka820
giulia
    • Like
Question what do you use to store and keep very secure offline your password?
Replies
7
Views
473
General Security Discussions
McLovin
McLovin
blackice
    • Like
  • Poll
Poll What Browser(s) are you using in 2024?
Replies
40
Views
3,751
Other Browsers
MyMW_Tips_logon
M

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top