Password Managers 2023

[Stopsignhank]

I looked and the last thread about this was a year ago. Are there any good password managers? We currently have LastPass but not liking what I am reading with the hack attempts. It would be best if it could be used on a computer and iPhone. It also needs to be easy to use because my wife will use it. She hates this type of thing and uses the same password for all of her accounts. Any help would be appreciated.
Thanks.

 

[balloonshark]

I'm still using keepass because its open source. I use it on Windows and I use keepassdroid by Brian Pellin on android. It looks like there are several iphone versions.

I'm not sure if I would consider it easy to use. Certainly much easier than typing each username and password.

Downloads - KeePass

keepass.info

 

[Muadib]

Take a look at Bitwarden. I gave up on LastPass after the last time they were hacked. Bitwarden has been great so far. They make it easy to transfer your LastPass info into Bitwarden. Bitwarden works with iOS and Windows.

 

[mikeymikec]

She hates this type of thing and uses the same password for all of her accounts. Any help would be appreciated.

Maybe I'm misunderstanding you, but:

Until she's ready to move on from "I try to use the same password for everything because it's easier", IMO you're fighting a losing battle trying to get her to evolve her password security and continuing to attempt to convince her might make her position more entrenched. Her system nullifies the point of using a password manager and it also doesn't really improve her online security in any meaningful fashion, because you know, "same password for everything".

IMO she needs to be at the point of acknowledging the many flaws in her method of password management as well as being interested in potential solutions to address those flaws.

If I'm correct in what I'm saying about your situation I'd still agree with the idea of looking into password management software because if she does turn the corner on this topic and you're ready to make a suggestion for a solution that you've got plenty of experience with, the more likely she'll get on board with it.

I realise I'm not giving you the kind of suggestions you asked for, but then I don't really trust password management software myself 🙂 It's all on my computer.

 

[CodeBeholder]

I'm a computer security researcher and I use 1password and my company uses BitWarden.

I previously used PasswordSafe because it is open-source, peer-reviewed and doesn't itself involve any cloud storage, but the ease of use of services like 1password is worth the trade off in my opinion.

 

[Stopsignhank]

Thanks all. Let me ask another question. Why is open source better?

I dislike researching the different options and everyone talks about how great the free options are. I want a good password manager and want to pay for it to make sure it is a good one.

Mike, my wife is on board. I talked about her to show that I need something that is easy to use so something like KeePass is not something that she would use. And if she will not use it then it won't work for me. Kind of like what they say is the best car wax to use. The answer is whatever works for you and that you will use it.

 

[CodeBeholder]

For a password manager, or really any product where security matters (like an operating system), it being open source is what enables people to review the code for bugs and security issues that can allow someone to exploit the code.

In your case though, if the WAF (wife approval factor) is an issue, I would steer away from the open source offering I mentioned, it is definitely less user-friendly. I would suggest trying out 1password.

 

[mikeymikec]

Thanks all. Let me ask another question. Why is open source better?

The argument goes along the lines that independent review is trivially possible and that basically anyone can contribute to it: Many eyes on the job rather than a few. With closed-source you can end up with situations like the organisation's claims for the product (e.g. how secure its encryption/database is) don't bear out in reality, and if that happens it usually happens in a rather dramatic fashion. A more benign example is when Dropbox claimed that all user data is encrypted, then... it wasn't. Internal organisation politics can trump doing the job as well as can be done, that's just aside from NDAs etc. Of course politics occur in open source projects too, but when the whole thing is playing out in public to begin with, there's less potential for rot to spread because it's not in secret.

Rot can occur in other forms too, such as a project that ought to be innovating rather than stagnating. OpenOffice stagnated because Oracle is Oracle, and because the project is open-source, the org that is now The Document Foundation forked it and the software (well, LibreOffice) is flourishing.

 

[balloonshark]

Thanks all. Let me ask another question. Why is open source better?

Most password generators can actually generate 'random' passwords. I want many eyes on how that process is accomplished instead of just a few. I don't some company having a magic key that can access all my sites.

Companies are motivated by profit and not your interests. They can also be bought and sold. If you store your database in the cloud it could theoretically belong to another company at any time. Passwords also protect access to our privacy, shopping, financial accounts and intellectual property. Would you feel more comfortable with one or two people working on the code or hundreds or thousands?

 

[Brainonska511]

I use KeePass on my desktop to store all my passwords. I manually transfer stuff to my Android phone's password manager as needed, though, this process is a slight pain.

 

[Stopsignhank]

Thanks. I totally understand that having more eyes look at something is better. When I ran the safety committee at work I loved having office people inspect the production floor. Having fresh eyes look at something and say "why are you doing this?" can be great. But is it not counterintuitive to have security software be open source? Isn't that like showing the bad guys the security system plans to the bank? Have any of you looked at the source code of the password manager that you use?

CB, yes the WAF factor is high. I like the idea that when a site gets hacked and we get the notice that they have been hacked and are giving us one free year of credit monitoring service we just change the password in the password manager and don't have to worry about it. I can change the password and she does not have to get involved. This is making her sound bad, she is incredibly smart and a wonderful person. She just hates this kind of stuff.

BS, love your avatar.

 

[mikeymikec]

Thanks. I totally understand that having more eyes look at something is better. When I ran the safety committee at work I loved having office people inspect the production floor. Having fresh eyes look at something and say "why are you doing this?" can be great. But is it not counterintuitive to have security software be open source? Isn't that like showing the bad guys the security system plans to the bank? Have any of you looked at the source code of the password manager that you use?

When a big-name organisation wants to employ a particular security solution, they often want to see the source code. For example, the US government has been granted access to review the code in Windows a fair few times over the years. Similarly, if a major client wants to store something extremely valuable with a particular bank, they will want to review the bank's security. If the bad guys want to look at closed-source code, they will find a way. There are always poorly-paid employees to exploit, for example; IIRC Western Digital is currently reeling from a major system compromise with tonnes of data stolen. But having access to source code does not mean one's product is inherently less secure, if it did then OSS software would be constantly reeling from major compromises.

The problem with closed source in this respect is that company X will be claiming that their product is bulletproof, people will be therefore assuming that the product is decent because they haven't heard anything to the contrary, and the black hats will be laughing their asses off and use what they know for maximum profit (which may end up being your organisation's data, along with a multitude of others). With open source, chances are everyone will know already whether that software has been reasonably well designed.

Flaws are found in software all the time. If a flaw is found in one OSS project, there's a decent chance for a conversation about such-and-such attack technique that other projects should be aware of. Flaws in shared OSS libraries might mean that a tonne of other projects get patched automatically as soon as the shared library's issue has been fixed. With closed source, if a new technique of attack is found, the details of that may or may not be published, one company whose software is vulnerable might keep it to themselves while black hats are doing drive-bys on similar software. The reaction for positive change therefore far slower.

There's also that whole stupid business where some companies try to attack the messenger that their software has bugs in, because closed source encourages secrecy, and the CEO can't keep beating the drum that their software is amazing when flaws are exposed that made it look like a toddler made a plasticine key to open the lock, figuratively speaking.

 

[Stopsignhank]

WOW, what a fantastic and well written post. Thanks for that.

 

[ScottAD]

I run BitWarden from my home server. Works for everything I need.

 

[ch33zw1z]

I having been using Safe-in-Cloud for a long time (7 years or so). I like it quite a bit. It's cloud options are personal storage. Data is not being stored at some corp. like LastPass. I keep my db on an account with a nice hardened password and 2FA (like any account I have now). It's very user friendly, so even the less techie people can be comfortable using it after a bit.

 

[VirtualLarry]

I like the idea that when a site gets hacked and we get the notice that they have been hacked and are giving us one free year of credit monitoring service we just change the password in the password manager and don't have to worry about it.

This is not necessarily true, btw.

 

[Hotrod2go]

It's amazing how some today think storing all their passwords on or in digital anything is safe n' secure - well as much as it can be. Call me old fashioned but I've never been down this road & I use diff passwords for every site I have an interest in. Never forget any of them either.
Writing stuff down somewhere & physically hiding it or committing to memory is the best way imo.
I'd never trust anything like password managers ever. As long as its stored in electronic format like digital its always "hackable".

 

[ch33zw1z]

It's amazing how some today think storing all their passwords on or in digital anything is safe n' secure - well as much as it can be. Call me old fashioned but I've never been down this road & I use diff passwords for every site I have an interest in. Never forget any of them either.
Writing stuff down somewhere & physically hiding it or committing to memory is the best way imo.
I'd never trust anything like password managers ever. As long as its stored in electronic format like digital its always "hackable".

Always is a bit of hyperbole. Yes, there’s not a zero chance of any password management system, be it digital or physic, to be compromised.

In both, you can take steps to reduce the likelihood to near zero.

 

[Muadib]

It's amazing how some today think storing all their passwords on or in digital anything is safe n' secure - well as much as it can be. Call me old fashioned but I've never been down this road & I use diff passwords for every site I have an interest in. Never forget any of them either.
Writing stuff down somewhere & physically hiding it or committing to memory is the best way imo.
I'd never trust anything like password managers ever. As long as its stored in electronic format like digital its always "hackable".

You need a site that offers two factor authentication. I use bitwarden, and they now offer no password authentication. I have to check it out, but I'm in no rush. With 2FA I have no worries.

 

[Hotrod2go]

You need a site that offers two factor authentication. I use bitwarden, and they now offer no password authentication. I have to check it out, but I'm in no rush. With 2FA I have no worries.

2FA can be compromised, on smartphones only 2 OS lead the charge, so because of the lack of diversity in OS, criminals have more chance of cracking codes & breaking in unaware from the end user. Having only 2 targets makes it easier for them.

 

[ch33zw1z]

2FA can be compromised, on smartphones only 2 OS lead the charge, so because of the lack of diversity in OS, criminals have more chance of cracking codes & breaking in unaware from the end user. Having only 2 targets makes it easier for them.

Ok, explain how 2FA is compromised, a detailed explanation for each type of 2FA is best

Also keep in mind that 2FA isn’t smartphone dependent. So for each type of 2FA, please also detail how each can be compromised by OS

 

[ScottAD]

It's amazing how some today think storing all their passwords on or in digital anything is safe n' secure - well as much as it can be. Call me old fashioned but I've never been down this road & I use diff passwords for every site I have an interest in. Never forget any of them either.
Writing stuff down somewhere & physically hiding it or committing to memory is the best way imo.
I'd never trust anything like password managers ever. As long as its stored in electronic format like digital its always "hackable".

There are risks with physical storage too, writing it down and someone finding it is a simple threat. What if the user forget where they put the book due to some medical condition.

The reality is no method is perfect but I prefer a self-hosted Bitwarden solution.

 

[Red Squirrel]

Ok, explain how 2FA is compromised, a detailed explanation for each type of 2FA is best

Also keep in mind that 2FA isn’t smartphone dependent. So for each type of 2FA, please also detail how each can be compromised by OS

Most of them are phone dependent though. Would be nice if sites did offer non phone options. I have seen some that use email though. That's fine, since it's device agnostic, no propriety app to install. Ideally it would be nice if they just use some sort of standard instead of their own app. I want something that I can easily back up that runs on PC. Not some black box app that stores data who knows where or how.

I think the most likely way for 2FA to be exploited is through a vulnerability in the site itself and not an individual device though. If they're going to try to hack that they'll go for the gold. Ex: a way to just bypass it altogether. In an ideal scenario this cannot happen, but nothing is 100% secure. I imagine most sites have some way to recover your account if you lose or change your phone, so that would probably be the main attack surface.

As for password manager I ended up writing my own, I wanted something that is web based, but self hosted, couldn't find anything, so wrote it. It's probably not super secure compared to something written by cryptography experts but if someone gains access to it it means they're on my network so I have bigger issues to worry about. Whatever time it takes to brute force AES256 should buy me enough time to change all my passwords if they did in fact manage to get the database.

 

[Hotrod2go]

There are risks with physical storage too, writing it down and someone finding it is a simple threat. What if the user forget where they put the book due to some medical condition.

The reality is no method is perfect but I prefer a self-hosted Bitwarden solution.

That's right, life is full of risks. In the end though, its an estimation of those risks & one's ability to control them.

 

[ch33zw1z]

Most of them are phone dependent though. Would be nice if sites did offer non phone options. I have seen some that use email though. That's fine, since it's device agnostic, no propriety app to install. Ideally it would be nice if they just use some sort of standard instead of their own app. I want something that I can easily back up that runs on PC. Not some black box app that stores data who knows where or how.

Ok, what your talking about here is a couple things, using the term "most" is subjective too. "most" of mine are not setup thru SMS.

1. SMS 2FA - I agree this is the worst option, and the mostly like to be compromised. You're not describing compromising it. Very few of my accounts are SMS 2FA. It's still better than nothing.

2. proprietary app - I really am not sure what you referring to. I have used a few different 2FA apps, none of which were required for a particular account or config. Feel free to elaborate, as I'm always up for learning more about what other's are required to do.

3. I mainly use Authy as my 2FA app. It's runs on both my phone and desktop.

4. I use Safe In Cloud as my password manager. It gives me the flexibility I'm looking for without my account info being stored on a particular vendors website (such as LastPass). The account this is sync'd to is 100% locked down as hard as configurable. Very long password, 2FA enabled. Even in the event, however unlikely, this account the database is sync'd to is compromised....the Safe in Cloud database is still 256 bit AES encrypted. A Bad actor would still require my database password to unlock it. This is another unique password that is NOT written anywhere, only I know it.

I think the most likely way for 2FA to be exploited is through a vulnerability in the site itself and not an individual device though. If they're going to try to hack that they'll go for the gold. Ex: a way to just bypass it altogether. In an ideal scenario this cannot happen, but nothing is 100% secure. I imagine most sites have some way to recover your account if you lose or change your phone, so that would probably be the main attack surface.

So not really a failure of 2FA itself, but lackluster security on a website. This is plausible, as we've seen time and time again.

We touched on most 2FA's here except for HSK's like yubikey.

As for password manager I ended up writing my own, I wanted something that is web based, but self hosted, couldn't find anything, so wrote it. It's probably not super secure compared to something written by cryptography experts but if someone gains access to it it means they're on my network so I have bigger issues to worry about. Whatever time it takes to brute force AES256 should buy me enough time to change all my passwords if they did in fact manage to get the database.

Right, gotta accept your own level of risk.