The Dark Mod Forums

STiFU

What password managers do you use?

I recently learned from https://haveibeenpwned.com/ that my login data has been compromised. It is probably outdated, but regardless, it is out there somewhere on the web. Breaches on popular websites like Facebook etc. are inevitable. So, as an individual, there is nothing you can do about that; your login data will get compromised eventually. The only thing you can do is set up unique passwords for each web service (and change them upon breaches), so that an attacker only gains access to one service instead of all of them. To implement that, you need a photographic memory or a password manager (PM). Since I am not that smart, I am going for the latter. I have been planning to set up a PM for a long time, but never found the motivation to do so. I guess a compromised login is motivation enough now. 🙂

In this very good (but German) article, some security concerns of password managers are discussed and recommendations/solutions are provided.

  • Trust: You have to trust the company that they did not install any backdoors in their software / servers, and that it is vulnerability-free. Solution: open source.
  • Forgetfulness: What happens if you lose your master password? You lose access to all your accounts. Solution: regularly print out all your passwords.
  • Hackers: A weak master password can be quickly hacked, especially with hirable computational power. This probably only applies to high-value targets like CEOs etc. Recommendation: do not use cloud-based PMs, but file-based password databases.
  • Cloud: What happens if the PM host is not reachable or blocked by a certain country? What if the connection is not secure? Solution: open source and file-based password database.

After this initial research, I set out to find the ideal password manager. My requirements are: complex password generation, multi-platform (Android, iOS, Windows), multi-device (cloud-based or file-sync based), ease of use (browser autofill etc.) and open source. So far, "Bitwarden" checks most of these requirements. It is cloud-based, but you can optionally host your own server. According to this list on Wikipedia, there are actually no real alternatives to Bitwarden. "Mitro" was continued as "Passopolis", but then discontinued with the recommendation to migrate to Bitwarden. "Password Safe" does not offer Android and iOS apps natively. However, there are clones that do, but I don't know about interaction between these clones. So, I guess I will simply use Bitwarden.

But before I go ahead and just set up Bitwarden (which will be a lot of work), I wanted to hear from you guys: what PMs do you use and why?

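The two requirements in the opening post that a manager actually has to get right on the technical side are the generator and one independent secret per service. The following Go program is an added example written for this thread, not STiFU's code or any product's: it draws passwords from the operating system's CSPRNG via crypto/rand, rejects candidates that miss a character class so the distribution stays uniform, and reports the entropy of the result. The alphabet, the length and the service names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math"
	"math/big"
	"strings"
)

// Character classes every generated password must draw from. The alphabet is
// fixed here; a real manager lets the user choose classes and length.
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
)

var alphabet = lower + upper + digits + symbols

// randomIndex returns a uniform index in [0, n) from the OS CSPRNG. math/rand is
// the wrong tool here: its output is predictable from a small seed.
func randomIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// HasAllClasses reports whether p contains at least one character of every class.
func HasAllClasses(p string) bool {
	return strings.ContainsAny(p, lower) && strings.ContainsAny(p, upper) &&
		strings.ContainsAny(p, digits) && strings.ContainsAny(p, symbols)
}

// GeneratePassword draws length characters uniformly and rejects candidates
// that miss a class. Rejection keeps the distribution uniform over the accepted
// set, unlike "fix-up" schemes that force a digit into a fixed position.
func GeneratePassword(length int) (string, error) {
	if length < 4 {
		return "", errors.New("length must be at least 4 to cover all classes")
	}
	for attempt := 0; attempt < 1000; attempt++ {
		b := make([]byte, length)
		for i := range b {
			idx, err := randomIndex(len(alphabet))
			if err != nil {
				return "", err
			}
			b[i] = alphabet[idx]
		}
		if HasAllClasses(string(b)) {
			return string(b), nil
		}
	}
	return "", errors.New("no candidate covered all classes")
}

// EntropyBits is log2(|alphabet|^length), the guessing entropy of a uniformly
// drawn password: 20 characters over these 90 symbols is about 130 bits.
func EntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// UniquePerService gives each service its own independent secret, which is
// the point of the post: a breach at one site then exposes only that account.
func UniquePerService(services []string, length int) (map[string]string, error) {
	vault := make(map[string]string, len(services))
	for _, s := range services {
		p, err := GeneratePassword(length)
		if err != nil {
			return nil, err
		}
		vault[s] = p
	}
	return vault, nil
}
```

Calling UniquePerService with a list of site names and a length of 20 yields a map that a vault file would then protect; the entropy figure is what a "complex password generation" setting buys you, and it only holds because the indices come from crypto/rand rather than a seeded generator.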

Funny but we had a training from the ODIHR of the OSCE on digital security, tracing, VPN, metadata and all that jazz.

They suggested using KeePass. Freeware, open source program which also has a portable version for your USB/phone for when you have no access to the internet. This means you can keep all your passwords there too. You can encrypt it as well if you want more security, with something like Vera Crypt.

 

Downside is that there is a master password involved. But this is acceptable to me because the previous method of keeping in mind over 99999 passwords is brain cancer for my mind. I'll never keep track of all the variations of my passwords. Therefore KeePass is so awesome in that you just generate random passwords and keep track of them in a centralized manner.

 

What you inevitably come down to is that if government agents want to hack you, they probably have the resources to do it anyway, unfortunately. So if someone in Transnistria arrests me and they want to get all the digitally immortalized info on me, they probably could do it. Especially if loved ones are at risk. But that's why there's double step authentication just in case.

 

For the phone there is also the Umbrella app: https://secfirst.org/umbrella/

If you're a security buff it has options such as masking your current activity into a calculator such as if you are at a customs zone and not in a free country, but you need to film videos. The app constantly gets updates, there's new tips so that you're always on your toes because danger is everywhere in the human rights field since it was never popular with dictatorships.

Edited by Anderson
Grammar edits.

"I really perceive that vanity about which most men merely prate — the vanity of the human or temporal life. I live continually in a reverie of the future. I have no faith in human perfectibility. I think that human exertion will have no appreciable effect upon humanity. Man is now only more active — not more happy — nor more wise, than he was 6000 years ago. The result will never vary — and to suppose that it will, is to suppose that the foregone man has lived in vain — that the foregone time is but the rudiment of the future — that the myriads who have perished have not been upon equal footing with ourselves — nor are we with our posterity. I cannot agree to lose sight of man the individual, in man the mass."...

- 2 July 1844 letter to James Russell Lowell from Edgar Allan Poe.


I'm a bit old-school.  For the longest time, I've always just encrypted a simple text file with gnupg by hand.  I use this for more than just storing passwords so I prefer this way.  I keep this file in sync with various devices with syncthing (distributed/p2p file sync protocol).  This doesn't "integrate" with anything, but really, this file is only for the most important stuff I want to save/remember.

For the browser I use Firefox and I just use its features to manage passwords.  I use Firefox accounts to keep passwords in sync.  I have multiple accounts (I separate general browsing and personal browsing (like banking)) using Firefox profiles to switch between.

My way is certainly not centralized or necessarily convenient at times, but I like the separation and the, from my point of view, simplicity.


I'm trying LastPass since the one thing they have over all the others is zero cost. It's virtually free for pretty much every feature you could want, including sync between iOS and browser, which is what I want most in a secure vault offering.

Their corp did get hacked some years ago, but they seem to get on top of patching vulnerabilities very quickly, and they recommend the highest security such as MFA, which most people probably don't bother enabling.

 


In Firefox I still find it rather disturbing that you can simply display all saved passwords. Of course, one would have to get physical access to your browser, but still this is a feature that I think should not exist. If you want to see for yourself, just go to options, select "privacy and safety" (or something similar? My version is German, so I am not 100% sure what it is called in the English version), then "credentials and passwords" (as above, not 100% sure if this is the correct translation) and hit the "Saved Credentials" (see above) button. There you will find a button with something like "Display saved passwords" and you can just review all passwords saved in Firefox. So, if you are interested in learning the passwords of any family members that use the same machine, this is the way to go.

On 8/25/2019 at 4:55 PM, Anderson said:

They suggested using KeePass. Freeware, open source program which also has a portable version for your USB/phone for when you have no access to the internet. This means you can keep all your passwords there too. You can encrypt it as well if you want more security, with something like Vera Crypt.

I might have to check that out because keeping the passwords localized instead of on a server would be my preferred choice. It's either this, or buying a Pi to set up my own Bitwarden server.

I don't understand why you would want to encrypt the database using Vera Crypt. It is encrypted already by KeePass, isn't it?


Paper notebook, therefore not online, not hackable, not on a phone, which is also hackable due to it being free with a SIM card.

1 hour ago, stumpy said:

Paper notebook, therefore not online, not hackable, not on a phone, which is also hackable due to it being free with a SIM card.

I use a notebook too, but it's not convenient when I need a password and I'm out of the house.

 


Something I read recently as a tip is using a first part of a password that is the same for all the sites you use and then adding the website behind it.

For example: passwordTDM.

When you then change your password you can add a number to it.


I tested both Bitwarden and KeePass now. The latter is - out of the box - a usability nightmare. You'd have to install tons of third-party plugins to make it usable. Many of them have been discontinued etc. Bitwarden on the other hand is highly polished, integrates well with all common browsers, and the Android app also works very well. So next, I will have to test setting up my own server.

On 8/27/2019 at 11:58 AM, STiFU said:

 

I don't understand why you would want to encrypt the database using Vera Crypt. It is encrypted already by KeePass, isn't it?

Yes, KeePass features encryption but it never hurts to have more security if you need it on purpose. Vera Crypt is one of the options, it is given as an example because it is as well open source.

Presumably open source software is harder to crack because the more people use it, the more feedback it gets, the better its functionality.

5 hours ago, STiFU said:

I tested both Bitwarden and KeePass now. The latter is - out of the box - a usability nightmare. You'd have to install tons of third-party plugins to make it usable. Many of them have been discontinued etc. Bitwarden on the other hand is highly polished, integrates well with all common browsers, and the Android app also works very well. So next, I will have to test setting up my own server.

KeePass has been available for ages. I tried to get the Google plugin but didn't get around to enabling it yet. But the portable version and the offline functionality are just what I need with no security on the next day.

Maybe there will be something good tomorrow, maybe something bad.

Edited by Anderson
Adding that Kee Pass has offline functionality.

"I really perceive that vanity about which most men merely prate — the vanity of the human or temporal life. I live continually in a reverie of the future. I have no faith in human perfectibility. I think that human exertion will have no appreciable effect upon humanity. Man is now only more active — not more happy — nor more wise, than he was 6000 years ago. The result will never vary — and to suppose that it will, is to suppose that the foregone man has lived in vain — that the foregone time is but the rudiment of the future — that the myriads who have perished have not been upon equal footing with ourselves — nor are we with our posterity. I cannot agree to lose sight of man the individual, in man the mass."...

- 2 July 1844 letter to James Russell Lowell from Edgar Allan Poe.

Share this post


Link to post
Share on other sites

Apparently, the BitWarden Server stack requires an x86 processor architecture, which means hosting it on a Pi is not possible. I have searched the web for single-board x86 PCs and found the LattePanda, a good alternative to the Pi. It does have quite the price tag, though.

However, reading up on BitWarden's security mechanisms, their servers actually seem trustworthy. I am no security expert, but what they are saying is:

  • All data on servers is encrypted using a key derived from your master-password.
  • Encryption is carried out locally on the user side so that no transmission with critical data can be intercepted.
  • Your master-password is salted and one-way-hashed before being transmitted to and stored on the server. This process ensures that the master-password cannot be reverse engineered.

In conclusion, even if the server was breached, hackers would only get encrypted data. So, as long as you have a strong master-password, everything should be fine.

I'll have to sleep on this, but I think I am just gonna go the easy route for once. 🙂

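To make the three bullet points concrete, here is an added example written for this thread, not Bitwarden's code (the real product differs in details such as KDF parameters and key wrapping). It models a client and a server following the same pattern: the vault key is stretched from the master password with PBKDF2 and never leaves the device, the login value is a second one-way hash of that key, and the vault is encrypted locally with AES-256-GCM so the host stores only an opaque blob. The e-mail-as-salt choice, the 100000 iteration count and the sample vault contents are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA-256, written out so the example
// needs only the standard library. Iterations are what make guessing slow.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		binary.Write(mac, binary.BigEndian, block)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// kdfIterations is a constructed value for this example, not a vendor setting.
const kdfIterations = 100000

// DeriveKeys turns the master password into two values: encKey, which stays on
// the device and encrypts the vault, and authHash, the only thing sent to the
// server. The salt is the account e-mail (an assumption of this example).
// Recovering encKey or the password from authHash means inverting PBKDF2.
func DeriveKeys(masterPassword, email string) (encKey, authHash []byte) {
	encKey = pbkdf2SHA256([]byte(masterPassword), []byte(email), kdfIterations, 32)
	authHash = pbkdf2SHA256(encKey, []byte(masterPassword), 1, 32)
	return encKey, authHash
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVault seals the vault with AES-256-GCM under encKey before transmission.
// Output layout: nonce || ciphertext || tag.
func EncryptVault(encKey, vault []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, vault, nil), nil
}

// DecryptVault reverses EncryptVault; GCM's tag check rejects a tampered blob.
func DecryptVault(encKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed vault too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Server models the host: it stores only the login hash and the opaque blob,
// so a breach of its database yields neither passwords nor the vault key.
type Server struct {
	loginHash, vaultBlob []byte
}

func (s *Server) Register(authHash, blob []byte) {
	s.loginHash, s.vaultBlob = authHash, blob
}

// Login compares the presented hash in constant time and returns the blob.
func (s *Server) Login(authHash []byte) ([]byte, bool) {
	if !hmac.Equal(authHash, s.loginHash) {
		return nil, false
	}
	return s.vaultBlob, true
}
```

The flow is: DeriveKeys on the device, EncryptVault with encKey, Register(authHash, blob) over the wire, and later Login(authHash) followed by DecryptVault locally. Someone who dumps the Server struct holds an authHash and a ciphertext and still has to run the full PBKDF2 stretch per master-password guess, which is why the post's conclusion hinges on the master password being strong.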