
Topic: How reliable are server side password managers? (Read 121 times)

legendary
Activity: 3402
Merit: 5004
https://merel.mobi => buy facemasks with BTC/LTC
December 30, 2021, 08:19:11 AM
Maybe relevant to this thread, since it specifically is about lastpass, which was the initial topic of discussion:

https://www.theverge.com/2021/12/28/22857485/lastpass-compromised-breach-scare

Sure, it was a scare... but if you didn't trust a third party to begin with, there would have been nothing to be scared about... if you keep your passwords on your own device (maybe even offline), there is nobody to send you e-mails, try to send you to a phishing site, databases to be hacked,...
sr. member
Activity: 958
Merit: 265
Well, it totally depends upon the requirements and also one's own satisfaction. In my opinion, you can use any password manager which suits your requirements.
Also, about my own experience, I had LastPass & Bitwarden. Both were up to the mark as per requirements.
Never faced any issues while using them. Bitwarden was the first one that I had used; now I've shifted to LastPass. Highly recommended.
hero member
Activity: 2464
Merit: 934
Quote
Copy and paste: Copying and pasting words and always needing to connect to the Internet are all gaps that need someone who understands the basics of online security.

I turn off the Internet before copying anything sensitive, is it good enough?

Edit: oh, you mean that while saving passwords the pwd manager needs to be connected to the Internet (at least LastPass). Regarding this, I use an app that blocks Internet access for apps except the ones I allow.

Quote
If there was a well-reviewed open source option out there, it might be the best choice.

Bitwarden and KeePass have been suggested. Leaning more towards KeePass.
legendary
Activity: 1582
Merit: 1284
Quote
I have used LastPass for several years; most of my info is there and it would be hard to migrate it. How reliable are these pwd managers, especially the ones that store info on their servers?

Using any online tool requires:

  • Being open source: You must be able to make sure that what the service claims to provide is true and that no one can see the things you save.
  • Synchronization issues: Synchronizing between multiple devices can allow multiple scammers to access your passwords.
  • Add-on installation: Installing add-ons always gives a loophole that enables many hackers to access your currencies.
  • Copy and paste: Copying and pasting words and always needing to connect to the Internet are all gaps that need someone who understands the basics of online security.

If there was a well-reviewed open source option out there, it might be the best choice.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
I use Bitwarden (personal free). Of course, not for seed/private key. And of course, most of those services I keep the passwords for have 2FA which I've clearly enabled.
Bitwarden is also open source, also uses AES-256 end-to-end encryption; I find it a good option. You can also export the passwords ("vault") - encrypted or unencrypted.

https://bitwarden.com
https://github.com/bitwarden
hero member
Activity: 2464
Merit: 934
Quote
That being said, it isn't difficult to migrate from LastPass. I don't see the need for a cloud password storage personally, it introduces an additional attack surface even if the convenience outweighs the risks. I'm currently using KeePass and migrating from LastPass was easy and straightforward.

Aight, I thought one has to migrate by entering the data manually; didn't know export existed.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
According to https://restoreprivacy.com/password-manager/reviews/lastpass/, there are some serious privacy concerns and a past data breach. LastPass collects some user data and is based in the US.

If you really need an online password manager, consider Bitwarden instead, which is open-source and has a better security history. Otherwise, I would recommend KeePassXC.
legendary
Activity: 3402
Merit: 5004
Quote
--snip--

I'm currently using KeePass and migrating from LastPass was easy and straightforward.

KeePass +1
I've been using it for a long, long time... It's a well-described format, there are (open source) tools to read a KeePass database for about any OS you can imagine, offering various feature sets (like auto-filling passwords, merging databases,...).

I tried Trezor's password manager for a while, but I found it a tad bit "clumsy" (for the lack of a better word) for everyday use... Plus, at that time, they did require a cloud connection... I have no idea if they improved their password manager, I only tried it out when it first hit the market, and moved straight back to KeePass after a couple of weeks...

I'm actually entertaining the idea of running vault, probably on an rPi or on my NAS... But for the time being, I'm loving KeePass
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
In my opinion, most are not. LastPass specifically isn't open source, which would be the main discouragement to use it. I highly recommend against using software that uses cryptography and isn't open source.

There have been times when messages got unencrypted due to poor usage of cryptography. The users are forced to trust the programmers; having the source code available for anyone to check, shows a form of dignity across the users.
legendary
Activity: 2954
Merit: 4158
If the code for your password manager is open source, you can verify that the data sent to the server is encrypted, and that they don't have your plain-text passwords. That is pretty much it, so it is safe as long as they don't get hacked and you don't use some ridiculously weak master password.

I'd say password managers are secure *enough*. They are competent in ensuring your security, more so than the average user and the risk of a catastrophic failure is low. That being said, it isn't difficult to migrate from LastPass. I don't see the need for a cloud password storage personally, it introduces an additional attack surface even if the convenience outweighs the risks. I'm currently using KeePass and migrating from LastPass was easy and straightforward.

legendary
Activity: 3402
Merit: 5004
Quote
I have used LastPass for several years; most of my info is there and it would be hard to migrate it. How reliable are these pwd managers, especially the ones that store info on their servers?

IIRC, LastPass uses AES-256 encryption, and apparently your key never leaves your local system (the encryption should happen on your system before the encrypted data is sent to LastPass). If this is true, their security model would be reasonably safe...

However, I would NOT use an online password manager for keeping seed phrases or private keys... But that's just my personal opinion... I would never store something that important on a cloud server, no matter how good their scheme is... If somebody gets their hands on your master password, or if your browser is compromised, or if you fall victim to a MITM, or if the encryption scheme is ever broken, your passwords are up for grabs...

Also, this is just LastPass, it does not mean other online password managers are equally safe... And I did not check LastPass's source code, so I'm just believing what they tell me...
hero member
Activity: 2464
Merit: 934
Quote
I have used LastPass for several years; most of my info is there and it would be hard to migrate it. How reliable are these pwd managers, especially the ones that store info on their servers?