Vectre

Best Password Manager?

28 posts in this topic

For around a year I've been using Dashlane's Premium tier; however, my subscription has recently run out, and before I spend another $40 I want to be sure there are no better alternatives.

I was looking at LastPass as a replacement, but with the upcoming acquisition by Citrix, I'm not too keen on what they might be planning for the service. I am keen on open source software and tend to use it whenever possible, but in all honesty, I want to hear your experiences with the different software options available.

For me, syncing between devices is quite important; however, I understand this usually comes with a cost and it's normally only available on proprietary software, so I am happy to sacrifice this for open and free alternatives.

Cheers!

0


Unless your 'devices' include a phone, I'd say have a look at qtpass. It's a Qt front-end over the 'pass' program, which uses gpg for encryption and git for syncing (optional - you can just put the files on a usb stick or whatever). It uses the pinentry command for receiving your passphrase, which can be made to (also) do 2FA with, say, a YubiKey.

All open source, all free.

0


Sounds like the perfect replacement! Going to have to take a look and test it out. Thanks for the suggestion. :)

0


I use Password Gorilla on my Mac and PasswdSafe on my Android. They both use the same database format, which I sync between them via Dropbox. Both are free.

Just make sure that the password that protects your database is your strongest one, ok? ;)

0


For me this question is relevant! It is important to remember that some password managers store your credentials locally, others rely on cloud services for storage and synchronization, and still others take a hybrid approach. Some of the options using local storage (such as KeePass and 1Password) still support synchronization through Dropbox or other storage services. Deciding which password manager is best for you will come down to features and ease of use, as well as to whether you're comfortable storing your passwords on the Internet. Just wanted to share this article about the most useful password managers: https://www.cleverfiles.com/howto/top-5-password-managers-mac.html :cool:

0


Apart from the fact that you need to have access to the connector and insert it between keyboard and computer,

https://github.com/thirdpin/pastilda

looks like an interesting solution.

What do you think?

yak

 

0



I haven't heard of any leaks or vulnerabilities, or really anything, about https://saaspass.com/. Maybe it's flown under whoever's radar, giving me a subtle warm feeling.

Plus it's used by NASA

/salt

https://saaspass.com/images/authh.png

Edited by Spoonish
Graphics!!!1
0


I use LastPass atm. Works very well. Not sure about this Citrix stuff you're talking about though, that's news to me.

0


I use LastPass. My understanding regarding the Citrix involvement is that LogMeIn, who own LastPass, have also acquired a Citrix property (GoTo), rather than LastPass being acquired by Citrix. That said, the acquisition by LogMeIn did raise some concerns when that occurred, because many users didn't feel that LogMeIn had the credibility to be trusted with a vault of all of their secrets. There were also issues with LogMeIn dropping support for the freemium model on their other products historically, leaving users in the lurch. I've stayed with it because it fits my use case well and I haven't had any issues.

Often, discussion of LastPass leads to mention of Tavis Ormandy, who has had a lot of success finding significant vulnerabilities in LastPass, including those which disclose passwords and those which lead to code execution if you had the binary component installed. If my threat model included people dropping 0day to read my emails, or a rogue Tavis Ormandy, I wouldn't be using a cloud password manager at all and would likely use a KeePass-based system. I'm doubtful that LastPass is unique in having critical vulnerabilities in their codebase, and what Tavis's testing has illustrated is that LastPass's vulnerability resolution timeline is very acceptable, even with very complex cases. I don't have any insight into the vuln resolution practices of other vendors, so it's hard to quantify whether I'd gain anything by moving to an alternative provider of the same kind of system.

0

14 hours ago, JBNZ said:

My understanding regarding the Citrix involvement is that LogMeIn, who own LastPass, have also acquired a Citrix property (GoTo), rather than LastPass being acquired by Citrix. That said, the acquisition by LogMeIn did raise some concerns when that occurred...

Yeah, my bad, I got some of that wrong, but this basically says my concerns. In fact, since the original post I've moved from Dashlane to LastPass as, in all honesty, it just works...really well.

0


Rackspace is a good tool to manage your passwords and accounts. 

0


My favourite password manager: KeePass. Open source and it supports different systems 

0

2 hours ago, Broti said:

 

My favourite password manager: KeePass. Open source and it supports different systems 

 

KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext. 

0


I am using LastPass, which is quite good and cheaper than 1Password.

0


Has anyone else tried SaasPass? I went from writing all mine down in a book to SaasPass, so my experience is limited. Coupled with my limited knowledge of what qualifies as a quality password manager, I could be skinny dipping in a swamp. I would enjoy hearing another forum member's thoughts or experiences on it.

Tangent: anyone have any thoughts on Steve Gibson's SQRL that he's been working on? Some people think of him as a turd; similar to Ken Rockwell with some photographers. I like them both, very knowledgeable. But they both go well with small doses of salt.

0


My suggestion is to not have all your eggs in one basket. Personally, I think the idea of a master vault, is the wrong approach with respect to things like passwords and sensitive materials. Tavis Ormandy for example, has a habit of breaking password managers, mainly to help make them more secure, but nothing is beyond the end user to mess up somewhere, even when using password managers, and this only controls one facet of security from login using a password, where logging in on a system might be bypassed altogether, the vault is only safeguarding one part of the equation. Also, if someone guesses the password without using exploits to access a password manager, there isn't anything you can do to fix that issue once it's discovered, since it's not a flaw, just a weak master password.

That said, I think a multi-layered approach, and if required to use a password vault, more than one vault kept in different locations with separate password categories in each is a better idea. If that means as simple as an encrypted archive stored remotely or on other hardware separate from your local everyday workstation, then so be it. Add in a YubiKey to the mix, more layers. The more the better, but I can almost guarantee, no one here is doing 100% best practices at all times. We're human, and we screw up all the time.

Ideally, you'd memorize them, but we all know that isn't always possible, as well as not always our choice when system passwords are sometimes set up for us in advance. Safeguarding passwords at the end of the day is as much about self diligence as it is how to store them securely, because if you can't keep your passwords or data safe without a password vault, chances are there are other things you need to look into securing as well.

Best password manager? The one you've kept out of public hands at all times and with no access from anyone other than yourself, which goes to say, vault or no vault, no one should know where or what your passwords are stored in, including advertising what you use here.

 

0


I've for the most part given up on remembering new passwords and now barge the opposite direction with a long as possible high entropy string contrived with the help of grc.com (https://www.grc.com/passwords.htm). The wife stopped asking me for login/passwords. Silver lining..?

0


My 2 cents - I don't use password managers.

I've never seen the appeal of having passwords either stored locally on a computer (whether encrypted or not), or under someone else's control using their application or service.

No thanks.

The best manager? The human brain. Secure as it can get.

1

On 6/14/2017 at 8:17 PM, haze1434 said:

My 2 cents - I don't use password managers.

I've never seen the appeal of having passwords either stored locally on a computer (whether encrypted or not), or under someone else's control using their application or service.

No thanks.

The best manager? The human brain. Secure as it can get.

It's amazing what can be deduced from a few words. What you're telling everyone is you either have a great memory or don't have many passwords, which means a hack-one-hack-them-all type deal, unless of course you have a rhythm of linking your passwords to the name of the website hosting your account or other rhythm. Either way, dangerous. Password managers are for people who either can't be bothered remembering passwords or have too many to remember and don't want to go through 30 in their head figuring out which one goes where.

I can vouch for LastPass. It's occasionally annoying in browser with autofilling (sometimes gives you some random password for some other thing that you have, completely off) but notes-wise it is good (just turn off autofill).

0



4 hours ago, Dave-ee Jones said:

It's amazing what can be deduced from a few words. What you're telling everyone is you either have a great memory or don't have many passwords, which means a hack-one-hack-them-all type deal, unless of course you have a rhythm of linking your passwords to the name of the website hosting your account or other rhythm. Either way, dangerous. Password managers are for people who either can't be bothered remembering passwords or have too many to remember and don't want to go through 30 in their head figuring out which one goes where.

I can vouch for LastPass. It's occasionally annoying in browser with autofilling (sometimes gives you some random password for some other thing that you have, completely off) but notes-wise it is good (just turn off autofill).

203D3536BD62AD33AC70B7EA3D4F5E10B6D52EBD0CB7582841A053AEBB7186A3

Good memory, and tricks on creating long, but memorable passwords [1] [2]. People should take the time to learn their passwords, the same way they do with phone numbers, addresses, exams etc.

I don't write mine down, but one could also argue pen and paper is safer than storing your password on a computer [3] [4] [5] [6], even if it's hashed. Pen and paper has an air gap, password managers do not. I'd trust my password on some paper more than I'd trust someone else's program.

Edited by haze1434
0


I can barely remember my own phone numbers...

2

11 hours ago, barry99705 said:

I can barely remember my own phone numbers...

Haha, yeah, I know the feeling..

0

