Password managers

[a viewer]

Been using 1password almost since its inception. Though I'm not aware of any issues with it, we know in the world we live in. So probably there will be a hole to be found that won't be patched. I'm on 1p 7 and it's the end of the line for their offline version. Guess I can understand their change since it is a constant monthly income

Having an offline manager is no guarantee for security. Having your offline password file should be much less enticing than there being one huge repository of passwords. Last Password has demonstrated even with good curating, there are always issues. Then there is the added risk when companies change owners or management. Also being proprietary code, you don't always guarantee that data is really not viewable by anyone. Like apple having access to your icloud data

Guess I lucked out with agilebits, but time to look for a replacement. The king is dead, long live the king?

I found 2 solutions that should work

Password Management for Individuals and Families | Bitwarden

Generate, store, and secure your most important digital assets with Bitwarden, the end-to-end encrypted password management solution for you and your family.

bitwarden.com

Enpass - Password Manager for iOS, Android, Linux, Windows, Mac

Enpass is an offline-first password manager. Keep your passwords, logins, credit cards, driving licenses, and other important files safe in one place.

www.enpass.io

Two that isn't clear if these are offline or cloud

Free Password Manager Compatible with KeePass: KeeWeb

keeweb.info

Securely Store, Manage & Autofill Passwords

NordPass password manager remembers complex passwords, auto-fills logins and online forms and lets you access it all from anywhere. Even when you’re offline.

nordpass.com

I need to play with all these, but was wondering if anybody has played with them? I know bitwarden, which is a sponsor of the show, so it gets brownie points for being indirectly recommended by Steve.

 

[miquelfire]

I'm VERY skeptical of NordPass. And I'm fairly certain that it's a cloud based password manager since they have monthly plans, or at least advertise a monthly price.

 

[PHolder]

BitWarden is not designed to be used offline, near as I can tell. You can theoretically host your own server, but that code is not open source, I don't think (it's distributed in a binary form inside of a docker container) and they require a license key (which implies ongoing payments) for the version that supports all features.

 

[dg1261]

It's unclear to me what you're looking for -- a cloud password manager or an offline manager? If you don't like cloud managers, why are you looking at KeeWeb instead of KeePass? KeePass is a solid, respected offline password manager. It's my manager of choice, and can be kept on a flash drive and launched from there, "portable" style. It even supports TOTP codes so it can be used in lieu of Google Authenticator, et al.

However, being offline, it's not as convenient to use as a browser extension like LastPass or Bitwarden. Browser extensions can recognize password fields on a webpage, and optionally auto-fill them from your unlocked vault.

KeeWeb appears to be an enhanced front end to turn a KeePass vault into a cloud vault. But if you wanted a cloud vault, what's wrong with Bitwarden or LastPass? They integrate very well with your browser and are designed from the ground up to work seamlessly with the cloud. And if in fact you don't want cloud, then just stick with KeePass, not KeeWeb.

Last Password has demonstrated even with good curating, there are always issues. Then there is the added risk when companies change owners or management. Also being proprietary code, you don't always guarantee that data is really not viewable by anyone.

If you mean LastPass, I don't believe the "issues" were ever related to the security of your password vault. The issues were with the stewardship of your master password, stored in LP's cloud, not with the "blob" that is your vault. If you used a good master password, or if you changed it after notice of a breach, you were okay. I believe Steve was impressed with the code behind LP's vault when he got a chance to privately review it, but the security of your master password can be a different matter.

If done right, the fact your vault may be in the cloud shouldn't be inherently riskier than an offline vault kept on a USB stick. After all, you can lose a USB stick. I believe LP and Bitwarden have both done the vault part right, and I have no delusions KeePass' vault code is any better, so I don't consider one better than the others in that regard.

If done right, neither LP nor Bitwarden have access to the contents of your vault. The contents are unlocked on your computer, not in the cloud.

But therein lies the rub -- and your point with regard to changing ownership is well taken. What guarantees do we have that a new owner won't secretly change the browser extension so that when you unlock your vault, the vault's contents aren't leaked by the extension? Or what guarantees do we have that a browser flaw won't cause the extension to spill its secrets?

There's an element of trust there, but it's a question of how much you trust the extension, not an issue with the security of the vault. And with LP's "musical chairs" ownership of late, I'd consider Bitwarden to be the more trustworthy, between those two.

OTOH, that's where the offline nature of KeePass might be more secure -- with no online component and nothing in the cloud and no integration with your browser. But that also makes it less convenient to use.

So take your pick. I trust KeePass for myself, but recommend Bitwarden for friends and family. KeePass is just too geeky for them, and a password manager -- no matter how secure -- is of little use if they avoid using it.

 

[a viewer]

Thanks, everybody. This doesn't seem as easy as having lucked out when choosing a password manager many years ago. Still in development, and seemed rather good.

I'm VERY skeptical of NordPass

Will take it off the short list, thanks

a cloud password manager or an offline manager?

An offline manager as 1password used to be. Will certainly take a look at KeePass. Thought the other was also offline. A TOTP is a requirement too, since been using it every time more with 1p.

Steve did mention being impressed with how they handle the issues they have. Being open and responsive is very crucial. Having a local application with a local db doesn't guarantee that you won't run into issues. Guess I'm just uncomfortable with storing my db somewhere else. 1Password uses a similar scheme. Unlocking the data on your machine.

Guess the next step is to start trying out the different programs. Will give KeePass a look, thanks

 

[rfrazier]

I tried Bitwarden briefly and even have exported my LP passwords to an account there. But, when I tried using the plugin in my browser (Brave), I immediately started having problems. Got on their forums and posted a message for help and got no response. Noted many other people having problems. The product didn't seem quite baked yet. So, I'm still with LP on the free plan. I used to pay but the price seemed to keep rising. Not sure where I'll end up, but it works and it has been for a decade or more for me.

May your bits be stable and your interfaces be fast. Ron

 

[a viewer]

Not sure where I'll end up

If you don't mind the online approach, you can take a look at 1p. They have plugins for most of the major browsers (chrome/brave has one), and their customer support is good

 

[rfrazier]

Interesting option. Thanks. I don't mind online if properly done. But, I like the option to login offline from a spare copy of the database if the provider or the internet is down. Speaking of which, I should probably test that feature of LP. Not sure if it works in free mode.

May your bits be stable and your interfaces be fast. Ron

 

[Barry Wallis]

if the provider or the internet is down.

Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help.

 

[dg1261]

Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help.

My KeePass database contains much more than merely website passwords. I also store bank info, credit card numbers and CSVs, login credentials to specialty software, the "secret answers" telephone reps sometimes ask for, to verify I am who I say I am, etc.

There are many times I need access to these secrets, irrespective of internet availability. That's the main reason I use an offline manager for myself. It's not that I don't trust the cloud (I do, and am comfortable recommending a cloud manager for friends and family), it's that I sometimes need access to my secrets even when I don't have internet access.

 

[Ralph]

The first and only password manager I've used is BitWarden primarily from SN's endorsement. I used the browser extension in Firefox for a while then de-installed it. I found the extension didn't auto fill all my sites, plus an unsupported mistrust of using my browser with passwords that way.

I run a small Pi based server and installed a self hosted version of Bitwarden on it. My reason was simply to have a second functional copy should something go haywire with the online one. Check out

http://6nvbx6guu5beqj5ggalzhscvrxbgbnin4wauyntgssnfb7gyn5jt2kqd.onion/#/marketplace/vaultwarden

and see if it serves your purpose. It is renamed to Vaultwarden, and since my server runs thru TOR the above is an 'onion' link, but can probably be found without TOR, The version from the link is self hosted and free. SInce it does not support importing the encrypted database from my Windows BW (a Bitwarden limitation I believe) I had to export the database of my primary BW unencrypted then import it to the self hosted one. To me that's not a big deal since I don't update BW very often. I keep an encrypted version of the database in the cloud as well.

Although BW can be used for free, I do pay for the Windows version. $10 per year is quite reasonable plus you get access to a few good reports. I like to support freeware I find useful and use a lot.

 

[Barry Wallis]

My KeePass database contains much more than merely website passwords. I also store bank info, credit card numbers and CSVs, login credentials to specialty software, the "secret answers" telephone reps sometimes ask for, to verify I am who I say I am, etc.

There are many times I need access to these secrets, irrespective of internet availability. That's the main reason I use an offline manager for myself. It's not that I don't trust the cloud (I do, and am comfortable recommending a cloud manager for friends and family), it's that I sometimes need access to my secrets even when I don't have internet access.

Got it. Thanks!

 

[miquelfire]

Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help.

I have a use case where I might need access to my secrets for my local NAS or some other server that is on the same side as me as the modem that is not allowing me internet for some reason (like it can't connect to the servers for some reason)

You might also be in a position where you have your password vault on a device without internet, but you have access to another device with internet, but no means to get your vault on the device (like it doesn't allow custom software, like some IOT style device that has an interface to do stuff)

 

[a viewer]

That is a good point, maybe will add a 9 on the end to make super safe! No one should be able to crack that, even with 4 Q bits.

bad news

This password has been seen 16,629,796 times before​

If you add a 0 at the end, https://haveibeenpwned.com/Passwords hasn't seen it (yet) lol

Hilariously, if you add a dash (and plus sign) hoping to improve the trustworthiness of your password (always use a special character) those have been seen lol Funny what people think of secure or not

As to the search of a replacement, bitwarden is out. You need to have a server or use theirs. These two work locally though; Enpass and Keeweb(!). Both do totp, but need to play more. Still have some time, since 1p7 still seems to be fine

 

[a viewer]

Well got to finally give the alternatives a go. Well 1p started misbehaving, and figured it was time.

Keeweb didn't had an import for 1p (at least not from a cursory search). So the only option that seems to be offline was enpass. Coming from 1p, the interface is clunky, but was able to import my 1p db (though it needs the db to be explorted in clear text). Opening it is slower. The stored 2fa and included files seem to have migrated fine.

Regret moving over to enpass, but the days of 1p7 are numbered.

If anyone else is in a similar situation, there seems to be a 50% for a lifetime premium license. Strangely, they don't describe the differences between the paid and free.

Enpass Password Manager Individual Plan: Lifetime Subscription | StackSocial

Achieve both convenience & security for all your digital life

stacksocial.com

On the negative side, seems you need to have the enpass application running all the time. The browser extension don't run without it. 1p has a helper process running on the background

Also it doesn't restore the previous content of the clipboard after sanitizing it. 1p would restore the clipboard after storing something

 

[a viewer]

did a little looking up, and seems that enpass is more or less ok

https://dl.enpass.io/audit/reports/ENP-01-report.pdf

https://dl.enpass.io/audit/reports/ENP-01-report.WP1.pdf

Not sure if this is encouraging or worrisome. They haven't reported any vulnerabilities since 2015

NVD - Results

nvd.nist.gov

The competition has more recent flaws
lastpass
1p
bitwarden

 

[PHolder]

The competition has more recent flaws

A comparison like this is only useful if you know that all being compared have been treated equally from an inspection and reporting perspective. If no one uses one of the items, or if they don't offer a bug reporting process, or bounty, or other ways they can differ, and the same team has not inspected all of them [equally] then you're really not gaining valuable insight by such a comparison. You can't prove a negative.

 

[a viewer]

You can't prove a negative.

That is why I'm concerned that there are no reports since 2015!

Probably more to reassure myself that enpass isn't a bad choice lol Especially since it seems to be my only choice left without using the cloud to store data.

Been using it for the last week. The interface is a bit more clunky than 1p, but seems to be working well with the imported data. Heard that it might go on sale for $20 during black friday?!?!

 

[Bruce]

If you want an offline one, I do not see that anyone has mentioned this one which I have used for years and it is still maintained:

Password Safe

Originally designed by the famous Bruce Schneier who Steve has mentioned many many times. There are Android and Apple versions, supports Ybico as well. Totally free. Same database works on my phone and on Win 10.

 

[Darcon]

If you want an offline one, I do not see that anyone has mentioned this one which I have used for years and it is still maintained:

Password Safe

Originally designed by the famous Bruce Schneier who Steve has mentioned many many times. There are Android and Apple versions, supports Ybico as well. Totally free. Same database works on my phone and on Win 10.

The iPhone version is no longer free for modern versions of iOS. But $2 isn't bad.
The Mac version was $20 a few years back.
The PC version is free.

This is my manager of choice to share passwords across 8 devices. Much easier than syncing databases monthly.