
Topic: Do you use a Password Manager? Which one is better? (Read 496 times)

hero member
Activity: 1176
Merit: 647
I rather die on my feet than to live on my knees
I read the full security article but to be honest I couldn't fully understand the table presented there. What do "Present", "Interacted", "YES", "NO" (2 last columns) mean? I'm not sure this means YES it was tested and Protected or YES it was tested and is vulnerable, or what... The other terms should also be explained. After reading the table I can only make assumptions about the meaning of each term used!

Anyway, thanks to @Pmalek who searched and found interesting info.

Now more important than that, and knowing that that article was posted around February 2019, it would be nice to know what (if any) efforts were made to improve security risks presented in that article!

darkV
jr. member
Activity: 236
Merit: 4
I've used LastPass for years and love it. I haven't experienced anything wrong with their services.
legendary
Activity: 1624
Merit: 2481
You guys are making it easy for hackers to find their potential targets. By posting in this thread, you are effectively telling hackers what password manager you are using and he does not have to search for ideal targets.

That's nonsense.
This does not give a potential attacker any advantage at all.

He'd still need to compromise my system.
And once my system is compromised, he can scan all my files for which password manager I use and choose his malware accordingly.


Despite that, if the machine is compromised, you have more to worry about than 'just' your password manager which might or might not be exploitable.



So let's say this hacker knows about some exploit in one of these password managers and you post that you are using it, then he or she can just focus their phishing emails or hacks on you as an easy target. Roll Eyes

Phishing is a completely social aspect.
If you fall for it, you fall for it. Doesn't matter which password manager you are using.

If your device is compromised, your password manager is too (at least after being opened the next time).

Which PW manager you use has no influence on the social aspects of phishing. I'd rather focus on the technical aspects in this discussion.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Really interesting... Isn't there anything like that regarding LastPass?
A search led me to another security test that reviewed 1Password, Dashlane, KeePass and LastPass.

The full article is available here:
https://www.helpnetsecurity.com/2019/02/20/flawed-password-managers-allow-malware-to-steal-passwords-from-computer-memory/

The article mentions:
Quote
...they found that standard memory forensics can be used to extract the master password and other passwords/secrets these applications are supposed to guard when in the “running and locked” state.



Quote
Unfortunately, all the tested managers failed in at least one aspect of the protection they should provide.

The article ends with a suggestion that users need to make sure to completely shut down password managers when they are not being used and use full disk encryption to prevent the possibility of a memory dump and other leakages.

There is also a quote from LastPass CTO Sandor Palfy who says:
Quote
To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind

The full article is available here:
https://www.helpnetsecurity.com/2019/02/20/flawed-password-managers-allow-malware-to-steal-passwords-from-computer-memory/
legendary
Activity: 3234
Merit: 5637
You guys are making it easy for hackers to find their potential targets.

I think you're exaggerating with this, it is all about password managers in general, and I doubt that any info presented here can help hackers to select a specific target. If any hacker knows how to use some exploit in most popular password managers, then anyone using such software will be in danger.

I did not see that anyone is posting e-mails in this thread, but some members have them shown in their profiles which is not a smart move for sure. I'm glad hackers will not get my passwords, they first need to send me an e-mail and ask me to deliver them my papers Roll Eyes
legendary
Activity: 3430
Merit: 1957
You guys are making it easy for hackers to find their potential targets. By posting in this thread, you are effectively telling hackers what password manager you are using and he does not have to search for ideal targets. So let's say this hacker knows about some exploit in one of these password managers and you post that you are using it, then he or she can just focus their phishing emails or hacks on you as an easy target. Roll Eyes

Let's not make it easier for hackers to find their targets, by revealing sensitive information like this on a public forum. Roll Eyes
hero member
Activity: 1176
Merit: 647
I rather die on my feet than to live on my knees
I personally use Keepass. I personally like their autotype feature to input your user name and password. It defeats keyloggers because it inputs random characters while typing in characters.
I researched Keepass in connection to keyloggers and found a test performed by malwaretips.com in 2015. They suggest that Keepass users should switch to Secure Desktop and use two-channel auto-type obfuscation whenever possible.

Without Secure Desktop several keyloggers were able to capture whole or parts of the passwords.

More about that here:
https://malwaretips.com/threads/keepass-vs-keyloggers.45891/





Really interesting... Isn't there anything like that regarding LastPass?
hero member
Activity: 2268
Merit: 669
I never used password managers, but I am inclined to use now.
Me too, I never used any password managers at all and I may/will consider using any password managers you have mentioned because I also read good comments about the password managers stated in the op but I will only use it to get password generated by the password manager.

What do you guys think is better to use? It would be nice if I didn't need to download one more add-on (I try to be minimalist with apps/add-ons).
I really don't know which password manager is better to use when I also did not use any password manager. So, what I did is I only create my own password and if I can't think of any password, not strong password or very weak password then I will search passwords on the internet to get ideas on what password I will make or I will consider using password managers to generate different complex password and I will write it down on a paper then cover it with plastic cover or using a clear/transparent tape. The paper you use that you have written with your password will be strong and the paper won't be torn easily with the help of tape and that's what I do to help me remember my password if I happen to forget my password.
legendary
Activity: 1624
Merit: 2481
Also, one more question for you guys who know a lot of this geek stuff. Should I use on my Android the Bitwarden App, or the Bitwarden Addon for Firefox Android? Any security or convenience difference?

I don't see big differences regarding the security.

The sensitive information is encapsulated, either in the data folder of the Bitwarden app itself, or in the data folder of Firefox.

One argument against the Firefox addon might be an exploit in the browser which would allow a malicious website to eventually access some data.
I believe this would be slightly harder to accomplish using the application.

But that's more of a theoretical aspect. I don't think this plays a role practically.
mk4
legendary
Activity: 2716
Merit: 3817
Paldo.io 🤖
I was too dependent on password manager, with chrome. Now I cannot remove it from my life. But I think with the 2fa security code I can be safe with my money and accounts. I can't remember my passwords now LOL

Using password managers shouldn't be that bad, as long as you keep your device secure and your master password hard to guess and brute-force enough. I don't remember any password either besides my master password, as I use generated passwords for every single one of my online accounts anyway.
full member
Activity: 317
Merit: 100
https://leasehold.io/
I was too dependent on password manager, with chrome. Now I cannot remove it from my life. But I think with the 2fa security code I can be safe with my money and accounts. I can't remember my passwords now LOL
mk4
legendary
Activity: 2716
Merit: 3817
Paldo.io 🤖
Also, one more question for you guys who know a lot of this geek stuff. Should I use on my Android the Bitwarden App, or the Bitwarden Addon for Firefox Android? Any security or convenience difference?
https://play.google.com/store/apps/details?id=com.x8bit.bitwarden
http://addons.mozilla.org/en-us/android/addon/bitwarden-password-manager/

I'm not sure about the security part, but the app version has a convenience advantage. With the Mozilla plugin, you can only use autofill on websites that you're opening through Mozilla Firefox, whereas with the app, you can also use the autofill for the logins of the applications installed on your phone.
legendary
Activity: 2212
Merit: 7064
I tried a bunch of password managers so far,
and I did not find KeePass to be good enough for me.

There is also Android version KeePassDX
last updated November 1, 2018
https://www.keepassdx.com/

There is also KeeWeb
that is updated, and supports all platforms + offline web.
Open Source
https://keeweb.info/
https://github.com/keeweb/keeweb/releases

Last option is Buttercup
All platforms supported + browser extensions
Open Source
https://buttercup.pw/
legendary
Activity: 2212
Merit: 5622
KeePassXC > KeePassX

I decided to download KeePassXC and migrate all my password data there.
But I am having some troubles:

https://keepassxc.org/download/
No android version on the website.

I looked at Firefox addons for mobile, and couldn't find it either.
https://addons.mozilla.org/en-US/android/search=?q=Keepass


So, this is a deal breaker to me. I need them on my Android browser.

I will try Bitwarden then.
I downloaded it for Firefox Android, and it is also marked as a recommended extension by Mozilla store.


Edit:
Also, one more question for you guys who know a lot of this geek stuff. Should I use on my Android the Bitwarden App, or the Bitwarden Addon for Firefox Android? Any security or convenience difference?
https://play.google.com/store/apps/details?id=com.x8bit.bitwarden
http://addons.mozilla.org/en-us/android/addon/bitwarden-password-manager/
jr. member
Activity: 187
Merit: 3
I advise you to use Google chrome attached to g-mail - it will create an automatic password and if you connect your e-mail with validation key nobody will hack you Smiley
legendary
Activity: 1624
Merit: 2481
I definitely wouldn't use some browser-in-built password manager.

Why not?
Firefox has a master password, so my password will be encrypted as well. Is it because it cannot generate new passwords randomly?

Mostly because on the one side browsers are very prone to being exploited. I know, this theoretically applies to each software, but browsers are software used by everyone. They are targeted way often.

And on the other hand I don't want my password storage to directly be connected to internet.
A 0-day exploit in the browser's password manager could lead to all of my passwords being leaked by simply visiting a malicious website.
A 0-day exploit in a password manager, is not as severe as one in a browser. My machine would have to be compromised first. And in this case, I'd be already in trouble.

So basically.. the reason for me is security.



The reason I recommend KeePassXC over KeePassX:
~snip~

Those are some good points.
I agree with you.

KeePassXC > KeePassX



I'm sure you prefer not to use outdated software Smiley

And you are definitely right.
I am going to migrate from KeePassX to XC. Thanks for the info Smiley
legendary
Activity: 2212
Merit: 5622
I definitely wouldn't use some browser-in-built password manager.

Why not?
Firefox has a master password, so my password will be encrypted as well. Is it because it cannot generate new passwords randomly?


This is something I did not like, and in addition to that I did not know how safe it is to save my passwords in browser, so I decided to stop with that practice. I may be old-fashioned, but paper is still the best option for such data.

But you will end up repeating a lot of passwords this way, and it is much more uncomfortable to reach your paper. Storing passwords in the cloud is very comfortable as you can access your passwords on the phone, tablet, other computer you trust (like at work) etc.


Thanks everyone for the answers, I will probably use KeePass Smiley
legendary
Activity: 3234
Merit: 5637
I only used the Firefox password manager for some time, and I was never hacked because of that. The user can set a master password, which you need to type the first time you open the browser and try to log in to some site for which you saved a password. But after that if you leave your browser open and unattended, anyone can log in to any site where you have a saved password.

This is something I did not like, and in addition to that I did not know how safe it is to save my passwords in browser, so I decided to stop with that practice. I may be old-fashioned, but paper is still the best option for such data.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I personally use Keepass. I personally like their autotype feature to input your user name and password. It defeats keyloggers because it inputs random characters while typing in characters.
I researched Keepass in connection to keyloggers and found a test performed by malwaretips.com in 2015. They suggest that Keepass users should switch to Secure Desktop and use two-channel auto-type obfuscation whenever possible.

Without Secure Desktop several keyloggers were able to capture whole or parts of the passwords.

More about that here:
https://malwaretips.com/threads/keepass-vs-keyloggers.45891/



legendary
Activity: 2870
Merit: 7490
If you use Linux or Mac OS, you definitely should choose KeePassXC over KeePass.

Or KeePassX (Linux) Smiley

The reason I recommend KeePassXC over KeePassX:
1. KeePassX hasn't been updated since Sep 4, 2016 according to https://github.com/keepassx/keepassx/releases & https://www.keepassx.org/news
2. KeePassXC latest release is Jun 11, 2019 - 22:00 CEST according to https://keepassxc.org/blog/
3. KeePassXC has some differences, see https://superuser.com/a/879013

I'm sure you prefer not to use outdated software Smiley