Password managers


a viewer

Active member
Sep 30, 2020
39
5
Been using 1password almost since its inception. Though I'm not aware of any issues with it, we know in the world we live in. So probably there will be a hole to be found that won't be patched. I'm on 1p 7 and it's the end of the line for their offline version. Guess I can understand their change since it is a constant monthly income

Having an offline manager is no guarantee for security. Having your offline password file should be much less enticing than there being one huge repository of passwords. Last Password has demonstrated even with good curating, there are always issues. Then there is the added risk when companies change owners or management. Also being proprietary code, you don't always guarantee that data is really not viewable by anyone. Like Apple having access to your iCloud data

Guess I lucked out with agilebits, but time to look for a replacement. The king is dead, long live the king?

I found 2 solutions that should work

Two that isn't clear if these are offline or cloud

I need to play with all these, but was wondering if anybody has played with them? I know bitwarden, which is a sponsor of the show, so it gets brownie points for being indirectly recommended by Steve.
 

miquelfire

I like red!
Sep 26, 2020
93
11
www.miquelfire.red
I'm VERY skeptical of NordPass. And I'm fairly certain that it's a cloud based password manager since they have monthly plans, or at least advertise a monthly price.
 

PHolder

Well-known member
Sep 16, 2020
965
2
402
Ontario, Canada
BitWarden is not designed to be used offline, near as I can tell. You can theoretically host your own server, but that code is not open source, I don't think (it's distributed in a binary form inside of a docker container) and they require a license key (which implies ongoing payments) for the version that supports all features.
 

dg1261

Member
Oct 22, 2020
14
7
It's unclear to me what you're looking for -- a cloud password manager or an offline manager? If you don't like cloud managers, why are you looking at KeeWeb instead of KeePass? KeePass is a solid, respected offline password manager. It's my manager of choice, and can be kept on a flash drive and launched from there, "portable" style. It even supports TOTP codes so it can be used in lieu of Google Authenticator, et al.

However, being offline, it's not as convenient to use as a browser extension like LastPass or Bitwarden. Browser extensions can recognize password fields on a webpage, and optionally auto-fill them from your unlocked vault.

KeeWeb appears to be an enhanced front end to turn a KeePass vault into a cloud vault. But if you wanted a cloud vault, what's wrong with Bitwarden or LastPass? They integrate very well with your browser and are designed from the ground up to work seamlessly with the cloud. And if in fact you don't want cloud, then just stick with KeePass, not KeeWeb.

Last Password has demonstrated even with good curating, there are always issues. Then there is the added risk when companies change owners or management. Also being proprietary code, you don't always guarantee that data is really not viewable by anyone.

If you mean LastPass, I don't believe the "issues" were ever related to the security of your password vault. The issues were with the stewardship of your master password, stored in LP's cloud, not with the "blob" that is your vault. If you used a good master password, or if you changed it after notice of a breach, you were okay. I believe Steve was impressed with the code behind LP's vault when he got a chance to privately review it, but the security of your master password can be a different matter.

If done right, the fact your vault may be in the cloud shouldn't be inherently riskier than an offline vault kept on a USB stick. After all, you can lose a USB stick. I believe LP and Bitwarden have both done the vault part right, and I have no delusions KeePass' vault code is any better, so I don't consider one better than the others in that regard.

If done right, neither LP nor Bitwarden have access to the contents of your vault. The contents are unlocked on your computer, not in the cloud.

But therein lies the rub -- and your point with regard to changing ownership is well taken. What guarantees do we have that a new owner won't secretly change the browser extension so that when you unlock your vault, the vault's contents aren't leaked by the extension? Or what guarantees do we have that a browser flaw won't cause the extension to spill its secrets?

There's an element of trust there, but it's a question of how much you trust the extension, not an issue with the security of the vault. And with LP's "musical chairs" ownership of late, I'd consider Bitwarden to be the more trustworthy, between those two.

OTOH, that's where the offline nature of KeePass might be more secure -- with no online component and nothing in the cloud and no integration with your browser. But that also makes it less convenient to use.

So take your pick. I trust KeePass for myself, but recommend Bitwarden for friends and family. KeePass is just too geeky for them, and a password manager -- no matter how secure -- is of little use if they avoid using it.
 

a viewer

Active member
Sep 30, 2020
39
5
Thanks, everybody. This doesn't seem as easy as having lucked out when choosing a password manager many years ago. Still in development, and seemed rather good.

I'm VERY skeptical of NordPass
Will take it off the short list, thanks

a cloud password manager or an offline manager?
An offline manager as 1password used to be. Will certainly take a look at KeePass. Thought the other was also offline. A TOTP is a requirement too, since been using it every time more with 1p.

Steve did mention being impressed with how they handle the issues they have. Being open and responsive is very crucial. Having a local application with a local db doesn't guarantee that you won't run into issues. Guess I'm just uncomfortable with storing my db somewhere else. 1Password uses a similar scheme. Unlocking the data on your machine.

Guess the next step is to start trying out the different programs. Will give KeePass a look, thanks
 

rfrazier

Well-known member
Sep 30, 2020
479
137
I tried Bitwarden briefly and even have exported my LP passwords to an account there. But, when I tried using the plugin in my browser (Brave), I immediately started having problems. Got on their forums and posted a message for help and got no response. Noted many other people having problems. The product didn't seem quite baked yet. So, I'm still with LP on the free plan. I used to pay but the price seemed to keep rising. Not sure where I'll end up, but it works and it has been for a decade or more for me.

May your bits be stable and your interfaces be fast. :cool: Ron
 

rfrazier

Well-known member
Sep 30, 2020
479
137
Interesting option. Thanks. I don't mind online if properly done. But, I like the option to login offline from a spare copy of the database if the provider or the internet is down. Speaking of which, I should probably test that feature of LP. Not sure if it works in free mode.

May your bits be stable and your interfaces be fast. :cool: Ron
 

dg1261

Member
Oct 22, 2020
14
7
Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help. :)

My KeePass database contains much more than merely website passwords. I also store bank info, credit card numbers and CSVs, login credentials to specialty software, the "secret answers" telephone reps sometimes ask for, to verify I am who I say I am, etc.

There are many times I need access to these secrets, irrespective of internet availability. That's the main reason I use an offline manager for myself. It's not that I don't trust the cloud (I do, and am comfortable recommending a cloud manager for friends and family), it's that I sometimes need access to my secrets even when I don't have internet access.
 

Ralph

Well-known member
Sep 24, 2020
110
17
The first and only password manager I've used is BitWarden primarily from SN's endorsement. I used the browser extension in Firefox for a while then de-installed it. I found the extension didn't auto fill all my sites, plus an unsupported mistrust of using my browser with passwords that way.

I run a small Pi based server and installed a self hosted version of Bitwarden on it. My reason was simply to have a second functional copy should something go haywire with the online one. Check out

http://6nvbx6guu5beqj5ggalzhscvrxbgbnin4wauyntgssnfb7gyn5jt2kqd.onion/#/marketplace/vaultwarden

and see if it serves your purpose. It is renamed to Vaultwarden, and since my server runs thru Tor the above is an 'onion' link, but can probably be found without Tor. The version from the link is self hosted and free. Since it does not support importing the encrypted database from my Windows BW (a Bitwarden limitation I believe) I had to export the database of my primary BW unencrypted then import it to the self hosted one. To me that's not a big deal since I don't update BW very often. I keep an encrypted version of the database in the cloud as well.

Although BW can be used for free, I do pay for the Windows version. $10 per year is quite reasonable plus you get access to a few good reports. I like to support freeware I find useful and use a lot.
 

Barry Wallis

Magician in Training
My KeePass database contains much more than merely website passwords. I also store bank info, credit card numbers and CSVs, login credentials to specialty software, the "secret answers" telephone reps sometimes ask for, to verify I am who I say I am, etc.

There are many times I need access to these secrets, irrespective of internet availability. That's the main reason I use an offline manager for myself. It's not that I don't trust the cloud (I do, and am comfortable recommending a cloud manager for friends and family), it's that I sometimes need access to my secrets even when I don't have internet access.
Got it. Thanks!
 

miquelfire

I like red!
Sep 26, 2020
93
11
www.miquelfire.red
Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help. :)
I have a use case where I might need access to my secrets for my local NAS or some other server that is on the same side as me as the modem that is not allowing me internet for some reason (like it can't connect to the servers for some reason)

You might also be in a position where you have your password vault on a device without internet, but you have access to another device with internet, but no means to get your vault on the device (like it doesn't allow custom software, like some IOT style device that has an interface to do stuff)
 

a viewer

Active member
Sep 30, 2020
39
5
That is a good point, maybe will add a 9 on the end to make super safe! No one should be able to crack that, even with 4 Q bits.
bad news

This password has been seen 16,629,796 times before


If you add a 0 at the end, https://haveibeenpwned.com/Passwords hasn't seen it (yet) lol

Hilariously, if you add a dash (and plus sign) hoping to improve the trustworthiness of your password (always use a special character) those have been seen lol Funny what people think of secure or not

As to the search of a replacement, bitwarden is out. You need to have a server or use theirs. These two work locally though; Enpass and Keeweb(!). Both do totp, but need to play more. Still have some time, since 1p7 still seems to be fine
 
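The Pwned Passwords lookup mentioned in the post above can be done without the password ever leaving your machine, using the service's k-anonymity range query (only the first 5 hex characters of the SHA-1 hash are sent). This is an added example, not part of the original posts: the server side is simulated offline, and the corpus, counts and function names are constructed for illustration.

```python
import hashlib

# Constructed stand-in for the service's data set: password -> times seen.
CONSTRUCTED_CORPUS = {"password9": 1200, "hunter2-+": 37, "letmein": 90000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def server_range_response(prefix: str, corpus: dict, padding: int = 0) -> str:
    """Simulated server side: 'SUFFIX:COUNT' lines for hashes starting with prefix.

    The real endpoint is https://api.pwnedpasswords.com/range/<prefix>.
    """
    lines = []
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Padding entries carry count 0 so the response size does not leak hit counts.
    for i in range(padding):
        fake = hashlib.sha1(f"pad-{prefix}-{i}".encode()).hexdigest().upper()
        lines.append(f"{fake[5:]}:0")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range) -> int:
    """Client side: return how often the password was seen (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)  # only these 5 hex characters leave the client
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # a padding entry yields 0, i.e. not seen
    return 0


if __name__ == "__main__":
    sent = []

    def fetch(prefix):
        sent.append(prefix)  # record what the "server" gets to see
        return server_range_response(prefix, CONSTRUCTED_CORPUS, padding=3)

    for pw in ("password9", "password0"):
        print(pw, pwned_count(pw, fetch), "sent:", sent[-1])
```

To query the live service, replace `fetch` with a function that performs an HTTPS GET on the range endpoint and returns the response body.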

a viewer

Active member
Sep 30, 2020
39
5
Well got to finally give the alternatives a go. Well 1p started misbehaving, and figured it was time.

Keeweb didn't have an import for 1p (at least not from a cursory search). So the only option that seems to be offline was enpass. Coming from 1p, the interface is clunky, but was able to import my 1p db (though it needs the db to be exported in clear text). Opening it is slower. The stored 2fa and included files seem to have migrated fine.

Regret moving over to enpass, but the days of 1p7 are numbered.

If anyone else is in a similar situation, there seems to be a 50% for a lifetime premium license. Strangely, they don't describe the differences between the paid and free.


On the negative side, seems you need to have the enpass application running all the time. The browser extension doesn't run without it. 1p has a helper process running in the background

Also it doesn't restore the previous content of the clipboard after sanitizing it. 1p would restore the clipboard after storing something
:(
 