Password managers

#1

a viewer

Been using 1password almost since its inception. Though I'm not aware of any issues with it, we know the world we live in, so probably there will be a hole to be found that won't be patched. I'm on 1p 7 and it's the end of the line for their offline version. Guess I can understand their change, since it is a constant monthly income.

Having an offline manager is no guarantee of security. Having your offline password file should be much less enticing than there being one huge repository of passwords. Last Password has demonstrated that even with good curating, there are always issues. Then there is the added risk when companies change owners or management. Also, being proprietary code, you can't always guarantee that data is really not viewable by anyone. Like Apple having access to your iCloud data.

Guess I lucked out with AgileBits, but time to look for a replacement. The king is dead, long live the king?

I found 2 solutions that should work

Two that aren't clear if they are offline or cloud

I need to play with all these, but was wondering if anybody has played with them? I know bitwarden, which is a sponsor of the show, so it gets brownie points for being indirectly recommended by Steve.


#2

miquelfire

I'm VERY skeptical of NordPass. And I'm fairly certain that it's a cloud based password manager since they have monthly plans, or at least advertise a monthly price.


#3

PHolder

BitWarden is not designed to be used offline, near as I can tell. You can theoretically host your own server, but that code is not open source, I don't think (it's distributed in a binary form inside of a docker container) and they require a license key (which implies ongoing payments) for the version that supports all features.


#4

dg1261

It's unclear to me what you're looking for -- a cloud password manager or an offline manager? If you don't like cloud managers, why are you looking at KeeWeb instead of KeePass? KeePass is a solid, respected offline password manager. It's my manager of choice, and can be kept on a flash drive and launched from there, "portable" style. It even supports TOTP codes so it can be used in lieu of Google Authenticator, et al.

However, being offline, it's not as convenient to use as a browser extension like LastPass or Bitwarden. Browser extensions can recognize password fields on a webpage, and optionally auto-fill them from your unlocked vault.

KeeWeb appears to be an enhanced front end to turn a KeePass vault into a cloud vault. But if you wanted a cloud vault, what's wrong with Bitwarden or LastPass? They integrate very well with your browser and are designed from the ground up to work seamlessly with the cloud. And if in fact you don't want cloud, then just stick with KeePass, not KeeWeb.

> Last Password has demonstrated even with good curating, there are always issues. Then there is the added risk when companies change owners or management. Also being proprietary code, you don't always guarantee that data is really not viewable by anyone.

If you mean LastPass, I don't believe the "issues" were ever related to the security of your password vault. The issues were with the stewardship of your master password, stored in LP's cloud, not with the "blob" that is your vault. If you used a good master password, or if you changed it after notice of a breach, you were okay. I believe Steve was impressed with the code behind LP's vault when he got a chance to privately review it, but the security of your master password can be a different matter.

If done right, the fact your vault may be in the cloud shouldn't be inherently riskier than an offline vault kept on a USB stick. After all, you can lose a USB stick. I believe LP and Bitwarden have both done the vault part right, and I have no delusions KeePass' vault code is any better, so I don't consider one better than the others in that regard.

If done right, neither LP nor Bitwarden have access to the contents of your vault. The contents are unlocked on your computer, not in the cloud.

But therein lies the rub -- and your point with regard to changing ownership is well taken. What guarantees do we have that a new owner won't secretly change the browser extension so that when you unlock your vault, the vault's contents aren't leaked by the extension? Or what guarantees do we have that a browser flaw won't cause the extension to spill its secrets?

There's an element of trust there, but it's a question of how much you trust the extension, not an issue with the security of the vault. And with LP's "musical chairs" ownership of late, I'd consider Bitwarden to be the more trustworthy, between those two.

OTOH, that's where the offline nature of KeePass might be more secure -- with no online component and nothing in the cloud and no integration with your browser. But that also makes it less convenient to use.

So take your pick. I trust KeePass for myself, but recommend Bitwarden for friends and family. KeePass is just too geeky for them, and a password manager -- no matter how secure -- is of little use if they avoid using it.
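The model dg1261 describes above (the vault is unlocked on your computer, the service only ever holds an opaque blob, and the strength of the master password is the part that is really at stake) is easy to misread, so here is an added example in Python that shows it end to end. This is not code from LastPass, Bitwarden, KeePass or any other product discussed in this thread. It assumes a stdlib-only construction: PBKDF2-HMAC-SHA256 to stretch the master password, HKDF-style HMAC splitting into three unrelated keys, and HMAC-SHA256 in counter mode plus an HMAC tag standing in for a real AEAD such as AES-GCM (chosen only so the example runs without third-party packages; a product would use a real cipher). The sample vault contents and the "hunter2" secret are constructed for the demo.

```python
import hashlib
import hmac
import os

# 600,000 iterations is the current OWASP guidance for PBKDF2-HMAC-SHA256.
# Every offline guess at the master password has to pay this cost.
ITERATIONS = 600_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch the master password once, then split it into three unrelated keys.

    enc_key/mac_key never leave the client. auth_key is the only thing shown to
    the server, and knowing it does not help decrypt the vault."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    enc_key = hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(stretched, b"vault-integrity", hashlib.sha256).digest()
    auth_key = hmac.new(stretched, b"server-login", hashlib.sha256).digest()
    return enc_key, mac_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: an illustrative stand-in for a real cipher
    # (assumption for this example, not how any product here encrypts).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; refuse anything modified."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob was modified or the key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_enroll(master_password: str, vault_plaintext: bytes, salt: bytes = b"") -> dict:
    """Everything the service ever stores: salt, a hash of the login key, ciphertext."""
    salt = salt or os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    return {
        "salt": salt,
        "auth_hash": hashlib.sha256(auth_key).digest(),
        "blob": seal(enc_key, mac_key, vault_plaintext),
    }


def server_login(record: dict, auth_key: bytes) -> bool:
    """The server's whole job: compare a hash. It never sees enc_key or the vault."""
    return hmac.compare_digest(record["auth_hash"], hashlib.sha256(auth_key).digest())


def client_unlock(master_password: str, record: dict):
    """Runs on the user's machine: re-derive, prove login, decrypt locally."""
    enc_key, mac_key, auth_key = derive_keys(master_password, record["salt"])
    if not server_login(record, auth_key):
        return None
    return open_sealed(enc_key, mac_key, record["blob"])


def tamper_detected(master_password: str, record: dict) -> bool:
    """Flip one ciphertext byte of a copy of the record; decryption must refuse it."""
    enc_key, mac_key, _ = derive_keys(master_password, record["salt"])
    blob = bytearray(record["blob"])
    blob[NONCE_LEN] ^= 0x01
    try:
        open_sealed(enc_key, mac_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample vault; the secret inside is fake.
    record = client_enroll("correct horse battery staple", b'{"example.com": "hunter2"}')
    print("server holds plaintext?", b"hunter2" in record["blob"])
    print("unlock with right password:", client_unlock("correct horse battery staple", record))
    print("unlock with wrong password:", client_unlock("Correct horse battery staple", record))
    print("tamper detected:", tamper_detected("correct horse battery staple", record))
```

The point of the split is the one made in the post: if the stored record is stolen, the attacker gets salt, a hash and ciphertext, and the only way in is to guess the master password through the full PBKDF2 cost per guess. That is why the stewardship of the master password, not the blob format, decides how bad a breach is.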


#5

a viewer

Thanks, everybody. This doesn't seem as easy as having lucked out when choosing a password manager many years ago. Still in development, and seemed rather good.

> I'm VERY skeptical of NordPass

Will take it off the short list, thanks

> a cloud password manager or an offline manager?

An offline manager, as 1password used to be. Will certainly take a look at KeePass. Thought the other was also offline. TOTP is a requirement too, since I've been using it more and more with 1p.

Steve did mention being impressed with how they handle the issues they have. Being open and responsive is very crucial. Having a local application with a local db doesn't guarantee that you won't run into issues. Guess I'm just uncomfortable with storing my db somewhere else. 1Password uses a similar scheme. Unlocking the data on your machine.

Guess the next step is to start trying out the different programs. Will give KeePass a look, thanks


#6

rfrazier

I tried Bitwarden briefly and even have exported my LP passwords to an account there. But, when I tried using the plugin in my browser (Brave), I immediately started having problems. Got on their forums and posted a message for help and got no response. Noted many other people having problems. The product didn't seem quite baked yet. So, I'm still with LP on the free plan. I used to pay but the price seemed to keep rising. Not sure where I'll end up, but it works and it has been for a decade or more for me.

May your bits be stable and your interfaces be fast. :cool: Ron


#7

a viewer

> Not sure where I'll end up

If you don't mind the online approach, you can take a look at 1p. They have plugins for most of the major browsers (Chrome/Brave has one), and their customer support is good.


#8

rfrazier

Interesting option. Thanks. I don't mind online if properly done. But, I like the option to login offline from a spare copy of the database if the provider or the internet is down. Speaking of which, I should probably test that feature of LP. Not sure if it works in free mode.

May your bits be stable and your interfaces be fast. :cool: Ron


#9

Barry Wallis

> if the provider or the internet is down.

Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help. :)


#10

dg1261

> Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help. :)

My KeePass database contains much more than merely website passwords. I also store bank info, credit card numbers and CSVs, login credentials to specialty software, the "secret answers" telephone reps sometimes ask for, to verify I am who I say I am, etc.

There are many times I need access to these secrets, irrespective of internet availability. That's the main reason I use an offline manager for myself. It's not that I don't trust the cloud (I do, and am comfortable recommending a cloud manager for friends and family), it's that I sometimes need access to my secrets even when I don't have internet access.


#11

Ralph

The first and only password manager I've used is BitWarden primarily from SN's endorsement. I used the browser extension in Firefox for a while then de-installed it. I found the extension didn't auto fill all my sites, plus an unsupported mistrust of using my browser with passwords that way.

I run a small Pi based server and installed a self hosted version of Bitwarden on it. My reason was simply to have a second functional copy should something go haywire with the online one. Check out

http://6nvbx6guu5beqj5ggalzhscvrxbgbnin4wauyntgssnfb7gyn5jt2kqd.onion/#/marketplace/vaultwarden

and see if it serves your purpose. It is renamed to Vaultwarden, and since my server runs through TOR the above is an 'onion' link, but it can probably be found without TOR. The version from the link is self hosted and free. Since it does not support importing the encrypted database from my Windows BW (a Bitwarden limitation, I believe), I had to export the database of my primary BW unencrypted and then import it into the self hosted one. To me that's not a big deal, since I don't update BW very often. I keep an encrypted version of the database in the cloud as well.

Although BW can be used for free, I do pay for the Windows version. $10 per year is quite reasonable plus you get access to a few good reports. I like to support freeware I find useful and use a lot.


#12

Barry Wallis

> My KeePass database contains much more than merely website passwords. I also store bank info, credit card numbers and CSVs, login credentials to specialty software, the "secret answers" telephone reps sometimes ask for, to verify I am who I say I am, etc.
>
> There are many times I need access to these secrets, irrespective of internet availability. That's the main reason I use an offline manager for myself. It's not that I don't trust the cloud (I do, and am comfortable recommending a cloud manager for friends and family), it's that I sometimes need access to my secrets even when I don't have internet access.

Got it. Thanks!


#13

miquelfire

> Pardon me if I am dense. If the Internet is down, I don't think having access to your passwords will help. :)

I have a use case where I might need access to my secrets for my local NAS or some other server that is on the same side of the modem as me, when the modem is not allowing me internet for some reason (like it can't connect to the servers for some reason).

You might also be in a position where you have your password vault on a device without internet, but you have access to another device with internet and no means to get your vault onto that device (like it doesn't allow custom software, like some IoT-style device that has an interface to do stuff).


#14

a viewer

That is a good point, maybe will add a 9 on the end to make it super safe! No one should be able to crack that, even with 4 qubits.

bad news:

> This password has been seen 16,629,796 times before

If you add a 0 at the end, https://haveibeenpwned.com/Passwords hasn't seen it (yet) lol

Hilariously, if you add a dash (and plus sign) hoping to improve the trustworthiness of your password (always use a special character), those have been seen lol. Funny what people think of as secure or not.

As to the search for a replacement, bitwarden is out. You need to have a server or use theirs. These two work locally though: Enpass and Keeweb(!). Both do TOTP, but need to play more. Still have some time, since 1p7 still seems to be fine.
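The Have I Been Pwned lookup used in the post above works without ever sending the password: the client SHA-1s it, sends only the first five hex characters, and gets back every suffix in that bucket with a count (the k-anonymity range API). Here is an added example in Python that performs that check, with the same "append a character" tweaks the post tried; it is not code from HIBP or from any of the password managers discussed. The range reply is constructed for the demo (SAMPLE_RANGES is a fake, offline stand-in, and the counts in it are made up), except that the second entry really is the SHA-1 suffix of the string "password". The fetch_range_online function shows the real request shape, including the Add-Padding header the API supports, but the offline demo does not call it.

```python
import hashlib
import urllib.request

# Constructed stand-in for https://api.pwnedpasswords.com/range/<prefix>.
# Each reply line is "<remaining 35 hex chars of the SHA-1>:<count>".
# Suffixes and counts here are made up, except the middle line, which is the
# real suffix of SHA-1("password"); its count 3730471 is invented.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FFFF0A1B2C3D4E5F60718293A4B5C6D7E8F:0",
    ]),
}


def hash_split(password: str) -> tuple:
    """SHA-1 the password and split the upper-case hex digest 5/35.

    Only the 5-char prefix leaves the machine. Every other password whose
    hash starts the same way shares that query, so the service cannot tell
    which one you asked about (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse one range reply and return the count for our suffix (0 if absent)."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Real fetcher (not used by the offline demo). Add-Padding asks the API to
    pad the reply with zero-count rows so response size leaks nothing either."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=lambda p: SAMPLE_RANGES.get(p, "")) -> int:
    """How many times the password appears in the corpus behind fetch_range."""
    prefix, suffix = hash_split(password)
    return count_in_range(suffix, fetch_range(prefix))


def compare_variants(base: str, tweaks=("", "0", "9", "-", "+")) -> dict:
    """Check the base password and the common 'just append a character' tweaks."""
    return {base + t: breach_count(base + t) for t in tweaks}


if __name__ == "__main__":
    for pw, n in compare_variants("password").items():
        print(f"{pw!r}: seen {n} times in the sample corpus")
```

Against the real service, pass fetch_range=fetch_range_online to breach_count; a zero only means that exact string is not in the corpus, which, as the post found, says nothing about whether a trivially derived variant is.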


#15

a viewer

Well, got to finally give the alternatives a go. 1p started misbehaving, and figured it was time.

Keeweb didn't have an import for 1p (at least not from a cursory search). So the only option that seems to be offline was Enpass. Coming from 1p, the interface is clunky, but was able to import my 1p db (though it needs the db to be exported in clear text). Opening it is slower. The stored 2FA and included files seem to have migrated fine.

Regret moving over to Enpass, but the days of 1p7 are numbered.

If anyone else is in a similar situation, there seems to be a 50% for a lifetime premium license. Strangely, they don't describe the differences between the paid and free.

On the negative side, seems you need to have the Enpass application running all the time. The browser extension doesn't run without it. 1p has a helper process running in the background.

Also, it doesn't restore the previous content of the clipboard after sanitizing it. 1p would restore the clipboard after storing something. :(


#16

a viewer

Did a little looking up, and it seems that Enpass is more or less OK.

Not sure if this is encouraging or worrisome. They haven't reported any vulnerabilities since 2015.


The competition has more recent flaws
lastpass
1p
bitwarden


#17

PHolder

> The competition has more recent flaws

A comparison like this is only useful if you know that all the products being compared have been treated equally from an inspection and reporting perspective. If no one uses one of the items, or if they don't offer a bug reporting process, or a bounty, or they differ in other ways, and the same team has not inspected all of them [equally], then you're really not gaining valuable insight from such a comparison. You can't prove a negative.


#18

a viewer

That is why I'm concerned that there are no reports since 2015!

Probably more to reassure myself that Enpass isn't a bad choice lol. Especially since it seems to be my only choice left without using the cloud to store data.

Been using it for the last week. The interface is a bit more clunky than 1p, but it seems to be working well with the imported data. Heard that it might go on sale for $20 during Black Friday?!?!


#19

Bruce

If you want an offline one, I do not see that anyone has mentioned this one which I have used for years and it is still maintained:


Originally designed by the famous Bruce Schneier, who Steve has mentioned many, many times. There are Android and Apple versions, and it supports Yubico as well. Totally free. Same database works on my phone and on Win 10.


#20

Darcon

> If you want an offline one, I do not see that anyone has mentioned this one which I have used for years and it is still maintained:
>
> Originally designed by the famous Bruce Schneier, who Steve has mentioned many, many times. There are Android and Apple versions, and it supports Yubico as well. Totally free. Same database works on my phone and on Win 10.

The iPhone version is no longer free for modern versions of iOS. But $2 isn't bad.
The Mac version was $20 a few years back.
The PC version is free.

This is my manager of choice to share passwords across 8 devices. Much easier than syncing databases monthly.


#21

Ralph

I was going to mention Password Safe but see it was brought up already. I installed it on my Windows machine but really haven't tried using it. If it can, I will try to import my BitWarden info into it. Having a portable version of PS is the main reason I started looking at it, plus Bruce Schneier being involved with it.


#22

Lob

LastPass seems to have had data lifted based on some secrets that were lifted when they suffered a breach in August.

A little embarrassing: https://www.bleepingcomputer.com/ne...hackers-accessed-customer-data-in-new-breach/

Quack quack oops! :eek:


#23

CredulousDane

> LastPass seems to have had data lifted based on some secrets that were lifted when they suffered a breach in August.
>
> A little embarrassing: https://www.bleepingcomputer.com/ne...hackers-accessed-customer-data-in-new-breach/
>
> Quack quack oops! :eek:

Yeah :( - and not much info yet. I'm a premium user but I am beginning to consider BitWarden. I know LastPass say they have zero knowledge of our passwords but with today's developing computational power, if a password vault is stolen then it's definitely very, very bad. Hoping to hear more from LastPass very soon!


#24

Ralph

I just installed Proton's password manager for Windows, Proton Pass. They have had browser plug-ins, but this is a desktop version for Windows, with other OSes to follow. After a very quick install it was set to go. Two things I liked right away were the option to make it available offline and its ability to use a Yubikey for unlocking.

I've been using Bitwarden and have no plans to stop, but as with most things a backup manager seems to be a good idea. Functionally it works very similarly to Bitwarden, with one exception, which is minimizing the manager's window after copying a field so it's out of the way for the paste. There are quite a few import/export options which may come in handy.

I currently have Password Safe as a strictly offline manager as my backup on a flash drive, but due to formats it doesn't import Bitwarden's data. I did copy/pastes to populate PWS initially, but it is a long process and updates are a pain.

If anyone is curious get the install file from Proton, and if anyone is using Proton Pass already what do you think of it.


#25

SeanBZA

Was still using Lastpass, sort of; well, the horse has already bolted, but got to update the hashing and get a longer master password. But did install Bitwarden, but had not used it. Till something about Mozilla and Lastpass borked, so was using the web version for a day, till I saw on Bitwarden they can actually import every last bit of the Lastpass stuff. So did that, and am slowly working my way through the list; should prune out old logins that are no longer needed, and already either had sites that had updated to 2FA, or I had changed passwords since the break, so should make the list smaller and better curated. Bonus is now the master password is still memorable by me, though it has grown a little more with the change, and now is over 30 characters, so might be safe for a few more years.

Lastpass took the export CSV file, and backed it up as well, in a zip that is password protected. One thing I do know is the Lastpass Pocket does work, at least it does work under Linux, as I have used it to test, using an offline laptop, and I am able to get into the vault.


#26

Ralph

Bitwarden was my first manager and I still like it. I no longer use the browser plug-in. When looking for an 'air gapped' manager as a backup, Password Safe came up. I liked that it and its databases could be run from a flash drive and not reside on my laptop. Being able to enable a Yubikey as part of opening the program was another plus, in my mind at least.

I rarely open Password Safe except for a very occasional update. I haven't played around with Proton's new manager enough to get a really good feel for it, but for the most part it seems to function very close to Bitwarden. I like that the Proton manager can use a Yubikey to unlock the desktop app along with a password.


#27

anselboden

> I just installed Proton's password manager for Windows, Proton Pass. They have had browser plug-ins, but this is a desktop version for Windows, with other OSes to follow. After a very quick install it was set to go. Two things I liked right away were the option to make it available offline and its ability to use a Yubikey for unlocking.
>
> I've been using Bitwarden and have no plans to stop, but as with most things a backup manager seems to be a good idea. Functionally it works very similarly to Bitwarden, with one exception, which is minimizing the manager's window after copying a field so it's out of the way for the paste. There are quite a few import/export options which may come in handy.
>
> I'm currently using Password Safe as a strictly offline manager on a flash drive, but due to compatibility issues, it doesn't import Bitwarden's data. I initially used LastPass review to populate PWS, but the process is lengthy and updating is a hassle. I'm looking for a more seamless solution.
>
> If anyone is curious get the install file from Proton, and if anyone is using Proton Pass already what do you think of it.

Hey, I'm having trouble with Samsung Pass not working on my new device. Coming from an iPhone, I'm used to having a built-in password manager, but what are some free alternatives available for Android? Any recommendations?


#28

PHolder

> free alternatives available for Android

Have you looked at BitWarden ( https://bitwarden.com/download/#downloads-mobile )? It's free for some things (it has a premium model for all features), but I have been using it on the desktop as a free replacement for LastPass and have been very happy.


#29

f1assistance

One can NOT secure what they do NOT physically control! Convenience does NOT secure make, therefore Bitwarden is less secure by design (i.e., we've learned 'in the cloud' is NOT a place to lay one's trust). :cautious::cautious::cautious:


#30

cschuber

True. At $JOB we are not permitted, by group policy, to add password manager extensions to our browsers. And the proxy blocks those sites as well. They don't want passwords for internal services and cloud services we subscribe to (i.e. ServiceNow) on the Internet. They install KeePass on our laptops.

Since discovering KeePass those many moons ago, I installed it on my wife's Windows PC and I've installed KeePassXC on my FreeBSD laptop. To back it up, just throw it onto a network share or external backup device.


#31

a viewer

> True. At $JOB we are not permitted, by group policy, to add password manager extensions to our browsers. And the proxy blocks those sites as well. They don't want passwords for internal services and cloud services we subscribe to (i.e. ServiceNow) on the Internet. They install KeePass on our laptops.
>
> Since discovering KeePass those many moons ago, I installed it on my wife's Windows PC and I've installed KeePassXC on my FreeBSD laptop. To back it up, just throw it onto a network share or external backup device.

Would imagine people will go with the shortest possible password that fills the check-marks. I certainly wouldn't want to type a 20+ character password every time, nor have a different one for different uses. Even see them storing them in a file or something easy to copy.

Learned early on that people will either find the simplest password or write it down somewhere. We even had a card reader at one time, and people just canceled the registered credit card and left it at their desks :rolleyes:

I can see that extensions are a weak point, but if you trust the password manager, what makes the extension less secure than the password manager? Guess it is a compromise between security and people following good practices.

Been using Enpass, and though the UI isn't perfect (1p was much better), I refused to have cloud-based storage. 1p and Bitwarden (I think) store the db encrypted (or so they claim). My local db is always a problem and might be stolen, but I'm small potatoes compared to attacking the cloud of any of them.


#32

cschuber

> Learned early on that people will either find the simplest password or write it down somewhere.

A lot of people write their password on a post-it note, sticking it to the bottom of their keyboard. When I was still in the office I'd write down "you won't find any password here" on a post-it note and stick it on the bottom of my keyboard. Kind of like giving anyone who dared look the bird.