Which password manager to plump for?
I've finally decided to give in - but which password manager is the choice of the Regerati?
During its incessant web crawling, Google's search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords. Armed with this info, the Chocolate Factory directed its software engineers, in …
If it's just for you, definitely Bitwarden. If you want a family account (which allows easy secure "sharing" of passwords between, say parents, or parent and child) then 1Password (this is a subscription, but IMO it's worth it).
AC because I don't want to give away information about which Password Manager I'm using, obvs.
(same AC as posted about BitWarden and 1Password)
In that case, compare prices and factor in that BitWarden is open source (more easily auditable). It wasn't around/mature/as multiplatform when I invested in getting other half and children to use 1Password, but I probably would have done had it been. One thing 1Password does which I haven't seen in other managers I've used is the addition of a super-strong generated additional key used in conjunction with your (one strong) password. That's needed to connect to your 1PW account from any new device (as well as your username and password).
The other option possibly worth mentioning is Enpass which is free on most platforms with one-off payment for Android/iOS app, but has the distinction of using /your/ cloud storage of choice in /your/ storage account (e.g. Google Drive, iCloud etc).
I broke down and installed the unfortunately named KeepAss a while ago. It seems to work well enough, it usually just fills in the username/password automatically. It doesn't seem to like every site though. Nothing fancy. But some of the plugins are nice. Things like making remote backups when you add or change a password. I can't remember if it supports mobile devices or not--if that's something you care about, be sure to look for it. Bonuses: It's free, and I don't have to keep my passwords on someone else's hardware.
I still don't completely trust it though, so all of the really important ones go into an encrypted OneNote tab. Only slightly higher tech than a notebook by the computer labeled "Passwords"
What you do with your donkey is none of our business...
1Password is good, although I currently use LastPass.com.
At my last employer we used an offline password vault (Keepass) for all company passwords - they had contract clauses with many customers that didn't allow sensitive information to be stored in the cloud.
Another used encrypted directories on Linux, with each user having a personal key and their key was added to each password file that they should have had access to. Worked reasonably well, but a real pain when a new admin started or left the company and you had to visit each file individually and add/remove a key from the access list, for example.
I can recommend pass. Open-source (it's just a bash-script), usually available in the repositories (so easy to install), works with GPG (so you can use it with a hardware-token) and integrates nicely with git (for syncing the database over multiple machines).
notepad is my 2nd choice, my first choice is good old MS Word (doc). And if you're in any doubt whether I value my privacy, no, it's not a printout, hidden in one of the books that nobody would ever touch (or taped over my screen), it's all over my computers, so no-one has to search too long to find it. Helpfully, I also gave it a title ("my passwords") to make it easy to remember, although, in a moment of unfounded paranoia, I changed the title to something that's not in English. Also, I recommend my method to all my friends who believe I'm a "computer specialist" because I know how to enter the BIOS. And the best part is that it's not a windup. There, I confessed. Anonymously. Huge relief!
Keychain works quite well for Safari users.
I end up with too many options on my work machine - and crazy situations where I go to open a shell to a remote system.
- It kicks off a browser for authentication
- That requires me to log into a system
- The password for which is handled by a password manager
- The password for the password manager is handled by a different password manager
- Which then has its password saved.
So it all 'just works' but it could trigger an epileptic whilst it cycles through everything it needs to do to let me log in.
The number of forums that forced me to register for a single comment or to view an image every now and then and the number of small online shops I might buy something from once every three years or so are legion. Due to their number there's no way in hell I'll ever use distinct passwords for each, not even through some "schema". Also due to their number it's basically a given that at any particular moment in time whatever password I used with more or less all of them is already compromised. I would not be able to update them all before the new one would leak too from whichever of them is the weakest link - even if I would remember every single one of these places, which I don't come anywhere even close to.
It's a lost battle I'm not in the mood for fighting so no password managers for me - not that anyone would seem to bother posting in my name anywhere (or do they? Is this the real DropBear?!? Dun-dun-dun...) or buying me anything (card numbers are not involved - I only ever buy CoD at these shops, the whole point is that they are country-local). Yes, there are some higher value accounts, less than a dozen, that I do try looking after slightly better - but they are a drop in the ocean compared to the rest, and funnily enough their passwords tend to stay un-compromised. Regardless, most (that allow it) already also use 2FA anyway (TOTP if it's up to me; SMS if it's up to my bank - thanks a lot...)
All in all, a password manager - either online or offline - just sounds like such a catastrophic single point of failure (and such a juicy target to grab for anyone ever driving by - which is 100% a "when" not an "if") that I just can't stomach using one - at least this way my small collection of more precious passwords is only stored in my brain...
Yes, something like KeePassX can put all your candy in one jar, so if that jar gets stolen and opened then your candy is free for the taking. But the KeePassX database is encrypted, and the bad actors have to get to it before they can steal it and try to break the encryption.
To my mind, it's all about degrees of risk and degrees of effort. For example:
If a nation-state wants your candy, for some reason, then they will get your candy. That's the highest level of attack, but, for most of us, the most unlikely.
If a script-kiddy wannabe is trying to get into your system, you're probably OK with basic security measures -- and you could probably store your passwords in a plain-text file, because the kid won't get onto your machine anyway. Low risk attack, but the attempt is not at all unlikely.
I'm not telling you anything you don't already know, right? There is no absolute security. But for you and me, it's usually good enough to be just a little too hard to crack.
I agree, too many accounts and too many passwords. So I keep all my "candy" in KeePassX, encrypted with a long password but one with a pattern I can remember. The other passwords vary in difficulty -- the one for my email is crazy long and jumbled, the one for the hiking forum shorter and simpler.
But a password database like KeePassX can also store names, telephone numbers, addresses, account info, and so forth. So I use it like my mum used her address book -- anything I want to remember about stuff goes in there.
Yes, all the candy is in that jar. But I'm less worried about someone stealing and then decrypting that file than I would be if those notes were scattered around various text and spreadsheet files. And I know if I just write them down on papyrus I'll lose them.
That's my two scents.
KeePass works well enough for me.
It's a little bit of a pain as you can't create / add new passwords to it in iOS, you need to do that on the desktop version and sync them across, but for managing your existing passwords, I find it to be pretty good.
Free, locally stored encrypted database (I keep mine in Dropbox so I can access it from multiple devices without having to constantly update various local copies).
From being a corporately captured and managed asset to becoming a digital input is not so big a jump. Doublethink is actually simpler and life outside gridlock is a lie.
I first saw the PR in Trusted Reviews. It's great how we can tell everyone what we are so they can simply be serviced. There was nothing in that article that hinted at being captured. At least the Register allows some indication of the underlying nature of 'trusting' Google with all your passwords - albeit without alarm, outrage, warning or protest.
It isn't that privacy is possible - so much as proportionate checks and balances against acquiring undue and overwhelming influence.
It would seem that there is great willingness to get in the nice man's car because he gives away sweeties.
I remember the Internet - before A.I. took over...
My employer insisted we use it - 1 keepass per customer, only teams working with that customer even have access to the file.
I use it at home too - Linux, Windows and 'droid versions. Same method applies though, sites for me are in one file, sites to share (eg utilities, joint accounts) are in another. The only 'droid device with it on is a tablet that never leaves the house, just to be sure.
Like single signon, it does mean all your eggs are in one very tasty basket, but at least this way I can maintain random passwords for each account. And yes, the keepass file is backed up offline, and not even kept in the house in case something really entertaining happens with the kids chemistry set.
The only other option is the little black book [with my poems in] but you can't copy/paste and if you lose it you're seriously screwed.
A remarkably sound assessment & highly recommended approach to google: always treat google like a highly-skilled pickpocket. Or a bank. They will try to siphon up your property, and do it with a robo-smile, claiming it's all for your own good.
I used to use and recommend Roboform, until they made it increasingly difficult to host your own keys and insisted on driving everyone into their cloud. I might even have persisted with that, had they responded intelligently to my request for sight of their security audit or equivalent, and details of the security structure which would prevent them (or anyone else) getting at my key collection. Instead they responded with marketing hype.
So then I did the research and went looking for any open source option which had not been caught with its digital trousers around its ankles. That very quickly led me to Keepass.
It's probably perfect for most Reg readers because you're likely to be on the geek spectrum, but it's way over the heads of "normal" users, which is a shame because it offers very strong and configurable protection.
My only real beef with it was the absence of what I considered to be the most user-friendly feature of Roboform - its ability to act as a bookmark database and, having found the bookmark, take you to the site and log in automatically (like the password managers built in to most browsers).
But then I found Tusk which does a reasonable job of imitating the Roboform functionality. I have it installed in both Firefox and Iron. Has its quirks and limitations but has done a good job of keeping the browser security under control without breaching the underlying "wallet".
Limitation example: it can't capture newly created credentials while in browser. You have to open up Keepass (separately) to access things like its password generator, then add the new "account" to Keepass and save it. Then you have to deselect the Keepass kdbx file from Tusk and reselect it to get the updated version.
That's a bit of a faff, especially if you're also a Sandboxie user. (has to be done outside the sandbox or it'll be forgotten at the end of the session)
That's the kind of thing that stops it being "user friendly" enough for mere mortals, but digital warriors like us will find it reassuringly difficult.
One other thing. Other Keepass commentards above have pointed out that its "non cloud". Which it is. But Tusk tries to nudge you into storing your keys in the cloud, so you can access them anywhere. It does have a "local file" option, which I use.
But I'm also happy with the security of the cloud provider sync.com and have a 1TB account with them (they also do free 5GB accounts). They're the only cloud service who have managed to convince me that they offer true blind encryption (even they cannot see what I store in their box).
So I'm happy to store my keyfile in Sync (stored as a "Local File"), where it's still protected by my strong password, but accessible from any of my devices.
Strongly recommended for those who object to Security Theatre.
it's way over the heads of "normal" users
I tend to disagree. Yes, it's highly configurable and extendable, and has advanced features that require some RTFM, but for a standard user all it takes is a few clicks to create a new entry and generate a unique secure password that will be accepted by most sites, which is all they need.
...LastPass but beware, its auto fill has a VERY annoying issue with E-bay. You'll make a listing and fill in the description, only to be told there is script in it, that isn't allowed.
What are you banging on about? There is no script, I'm just trying to sell off my console retro collection. Then I look at the HTML code and sure enough, there's a big chunk of script.
Where did that come from?! LastPissingPass.
It's a known issue apparently and they say if you just whitelist the site, it doesn't auto fill. But that doesn't work. I've had to turn off auto fill, but even that doesn't stop it injecting code into an e-bay listing's description either. Annoying.
Other than that, it appears useful.
The Register users understand the improved security 2FA delivers and that, implemented well, it doesn't make logging on more difficult; let's hope for greater uptake by end users and wider implementation by developers, however...
One problem with HaveIBeenPwned is that it doesn't link the user/password pairs so when it says password 123456 is compromised it may be (!) but perhaps never in combination with _your_ user ID. Obviously nobody would be stupid enough to give a site like HaveIBeenPwned a user/password pair to test (would they?) and even if they did a hacker would have to try it on a few million web sites. Google are proposing that those security concerns are addressed by their encryption & hashing approach (plus the assumption that we trust Google...).
That means that the Google system should give fewer but "better" alerts i.e. whereas HaveIBeenPwned would just tell you that password:123456 is compromised Google might alert for a user/password pair of john/123456 but not for rumpelstiltskin761/123456. (AC because rumpelstiltskin761/123456 of course!).
The next step would be to only alert if john/123456 is a compromised user/password pair on the site you are currently logging on to. Is my understanding correct that Google's system doesn't (yet?) do that? I'd be relatively relaxed about even going that far if 2FA was more widely used.
This reminds me of the story of a guy who went in to his local bank branch to complain that he couldn't use the ATM. Unable to remember his 4 digit PIN, he'd written it on the bank's external woodwork which had now been repainted obscuring his PIN. It wasn't a security risk because the number was only valid in combination with a specific debit card and, in any case, all possible 0000 to 9999 potential combinations are "known" (and, in HaveIBeenPwned terms, "compromised").
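The distinction the post above draws between "this password has appeared in a dump" (the Pwned Passwords style of check) and "this username/password pair has appeared in a dump" can be made concrete in code. The following is an added example, not code from the page, from HaveIBeenPwned or from Google: it emulates both sides of a k-anonymity range query (the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally), and beside it a deliberately simplified pair check. The "breach corpus" and the credential pairs are constructed for illustration, the function names are the example's own, and the pair check uses a plain SHA-1 of `user:password`, where a real service such as Google's uses blinding so that the server never learns the hash either.

```python
"""Pwned-Passwords-style k-anonymity check versus a credential-pair check.

Added example; not the page's code and not HIBP's or Google's implementation.
Both the leaked password list and the leaked pairs are constructed samples.
"""
import hashlib
from collections import defaultdict

# Constructed sample of passwords "seen in breaches" (hypothetical, with repeats
# so that the per-suffix counts are not all 1).
LEAKED_PASSWORDS = ["123456", "123456", "123456", "password", "qwerty",
                    "letmein", "hunter2", "password"]

# Constructed sample of leaked user/password pairs (hypothetical).
LEAKED_PAIRS = [("john", "123456"), ("alice", "password"), ("bob", "letmein")]

PREFIX_LEN = 5  # chars of the 40-hex-char SHA-1 that leave the client


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the digest Pwned Passwords is keyed on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: map 5-char prefix -> {35-char suffix: occurrence count}."""
    index = defaultdict(dict)
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_response(index, prefix: str) -> str:
    """Server side: emulate GET /range/{prefix}, returning 'SUFFIX:COUNT' lines.

    Every suffix under the prefix is returned, so the server cannot tell which
    one the client was interested in (that is the k-anonymity property).
    """
    bucket = index.get(prefix, {})
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def pwned_count(password: str, index) -> int:
    """Client side: send only the prefix, match the full suffix locally.

    Returns how many times the password appeared in the corpus, 0 if never.
    Note what this does NOT tell you: whether it leaked alongside *your* username.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in range_response(index, prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def build_pair_index(pairs):
    """Index leaked (user, password) pairs by a hash of 'user:password'.

    Simplification: a plain SHA-1 stands in for the blinded/encrypted hashing a
    real checkup service would use so the server learns nothing about the query.
    """
    return {sha1_hex(f"{user.lower()}:{pw}") for user, pw in pairs}


def pair_is_leaked(username: str, password: str, pair_index) -> bool:
    """True only if this exact username/password combination was in a dump."""
    return sha1_hex(f"{username.lower()}:{password}") in pair_index


PASSWORD_INDEX = build_range_index(LEAKED_PASSWORDS)
PAIR_INDEX = build_pair_index(LEAKED_PAIRS)

if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, PASSWORD_INDEX)} time(s)")
    for user in ("john", "rumpelstiltskin761"):
        print(f"{user}/123456 leaked as a pair: "
              f"{pair_is_leaked(user, '123456', PAIR_INDEX)}")
```

Running it shows the difference the post is getting at: `123456` is flagged as pwned for everyone, while the pair check flags `john/123456` and stays quiet for `rumpelstiltskin761/123456`. Neither check knows anything about the site you are logging in to; that per-site refinement would need yet another input to the query.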
Biting the hand that feeds IT © 1998–2019