Best Password Manager?


Vectre

For around a year I've been using Dashlane's Premium tier; however, my subscription has recently run out, and before I spend another $40 I want to be sure there are no better alternatives.

I was looking at LastPass as a replacement, but with the upcoming acquisition by Citrix, I'm not too keen on what they might be planning for the service. I am keen on open source software and tend to use it whenever possible, but in all honesty, I want to hear your experiences with the different software options available.

For me, syncing between devices is quite important; however, I understand this usually comes with a cost and it's normally only available on proprietary software, so I am happy to sacrifice this for open and free alternatives.

Cheers!

Link to comment
Share on other sites

Unless your 'devices' include a phone, I'd say have a look at qtpass. It's a Qt front-end over the 'pass' program, which uses gpg for encryption and git for syncing (optional - you can just put the files on a USB stick or whatever). It uses the pinentry command for receiving your passphrase, which can be made to (also) do 2FA with, say, a YubiKey.

All open source, all free.

Link to comment
Share on other sites

  • 1 month later...
  • 6 months later...

For me this question is relevant! It is important to remember that some password managers store your credentials locally, others rely on cloud services for storage and synchronization, and still others take a hybrid approach. Some of the options using local storage (such as KeePass and 1Password) still support synchronization through Dropbox or other storage services. Deciding which password manager is best for you will come down to features and ease of use, as well as to whether you're comfortable storing your passwords on the Internet. Just wanted to share this article about the most useful password managers: https://www.cleverfiles.com/howto/top-5-password-managers-mac.html

Link to comment
Share on other sites

I haven't heard of any leaks or vulnerabilities, or really anything, about https://saaspass.com/. Maybe it's flown under whoever's radar, giving me a subtle warm feeling.

Plus it's used by NASA

/salt

https://saaspass.com/images/authh.png

Edited by Spoonish
Graphics!!!1
Link to comment
Share on other sites

I use LastPass. My understanding regarding the Citrix involvement is that LogMeIn, who own LastPass, have also acquired a Citrix property (GoTo), rather than LastPass being acquired by Citrix. That said, the acquisition by LogMeIn did raise some concerns when that occurred, because many users didn't feel that LogMeIn had the credibility to be trusted with a vault of all of their secrets. There were also issues with LogMeIn dropping support for the freemium model on their other products historically, leaving users in the lurch. I've stayed with it because it fits my use case well and I haven't had any issues.

Often, discussion of LastPass leads to mention of Tavis Ormandy, who has had a lot of success finding significant vulnerabilities in LastPass, including those which disclose passwords and those which lead to code execution if you had the binary component installed. If my threat model included people dropping 0day to read my emails, or a rogue Tavis Ormandy, I wouldn't be using a cloud password manager at all and would likely use a KeePass-based system. I'm doubtful that LastPass is unique in having critical vulnerabilities in their codebase, and what Tavis's testing has illustrated is that LastPass's vulnerability resolution timeline is very acceptable, even with very complex cases. I don't have any insight into the vuln resolution practices of other vendors, so it's hard to quantify whether I'd gain anything by moving to an alternative provider of the same kind of system.

  • Upvote 1
Link to comment
Share on other sites

14 hours ago, JBNZ said:

My understanding regarding the Citrix involvement is that LogMeIn, who own LastPass, have also acquired a Citrix property (GoTo), rather than LastPass being acquired by Citrix. That said, the acquisition by LogMeIn did raise some concerns when that occurred...

Yeah, my bad, I got some of that wrong, but this basically says my concerns. In fact, since the original post I've moved from Dashlane to LastPass as, in all honesty, it just works... really well.

Link to comment
Share on other sites

  • 1 month later...
2 hours ago, Broti said:

 

My favourite password manager: KeePass. Open source and it supports different systems 

 

KeePass is really awesome. Just make sure an attacker using Empire doesn't get a shell on your system. It includes a module called KeeThief which can display your master password in cleartext. 

Link to comment
Share on other sites

  • 4 weeks later...

Has anyone else tried SaasPass? I went from writing all mine down in a book to SaasPass, so my experience is limited. Coupled with my limited knowledge of what qualifies as a quality password manager, I could be skinny dipping in a swamp. I would enjoy hearing another forum member's thoughts or experiences on it.

Tangent: anyone have any thoughts on Steve Gibson's SQRL that he's been working on? Some people think of him as a turd; similar to Ken Rockwell with some photographers. I like them both, very knowledgeable. But they both go well with small doses of salt.

Link to comment
Share on other sites

My suggestion is to not have all your eggs in one basket. Personally, I think the idea of a master vault, is the wrong approach with respect to things like passwords and sensitive materials. Tavis Ormandy for example, has a habit of breaking password managers, mainly to help make them more secure, but nothing is beyond the end user to mess up somewhere, even when using password managers, and this only controls one facet of security from login using a password, where logging in on a system might be bypassed altogether, the vault is only safeguarding one part of the equation. Also, if someone guesses the password without using exploits to access a password manager, there isn't anything you can do to fix that issue once it's discovered, since it's not a flaw, just a weak master password.

That said, I think a multi-layered approach, and if required to use a password vault, more than one vault kept in different locations with separate password categories in each is a better idea. If that means as simple as an encrypted archive stored remotely or on other hardware separate from your local everyday workstation, then so be it. Add in a YubiKey to the mix, more layers. The more the better, but I can almost guarantee, no one here is doing 100% best practices at all times. We're human, and we screw up all the time.

Ideally, you'd memorize them, but we all know that isn't always possible, as well as not always our choice when system passwords are sometimes set up for us in advance. Safeguarding passwords at the end of the day is as much about self diligence as it is how to store them securely, because if you can't keep your passwords or data safe without a password vault, chances are there are other things you need to look into securing as well.

Best password manager? The one you've kept out of public hands at all times and with no access from anyone other than yourself, which goes to say, vault or no vault, no one should know where or what your passwords are stored in, including advertising what you use here.

 

  • Like 1
Link to comment
Share on other sites

I've for the most part given up on remembering new passwords and now barge the opposite direction with a long-as-possible high-entropy string contrived with the help of grc.com (https://www.grc.com/passwords.htm). The wife stopped asking me for login/passwords. Silver lining..?

Link to comment
Share on other sites

My 2 cents - I don't use password managers.

I've never seen the appeal of having passwords either stored locally on a computer (whether encrypted or not), or under someone else's control using their application or service.

No thanks.

The best manager? The human brain. Secure as it can get.

  • Upvote 1
Link to comment
Share on other sites

On 6/14/2017 at 8:17 PM, haze1434 said:

My 2 cents - I don't use password managers.

I've never seen the appeal of having passwords either stored locally on a computer (whether encrypted or not), or under someone else's control using their application or service.

No thanks.

The best manager? The human brain. Secure as it can get.

It's amazing what can be deduced from a few words. What you're telling everyone is you either have a great memory or don't have many passwords, which means a hack-one-hack-them-all type deal, unless of course you have a rhythm of linking your passwords to the name of the website hosting your account or other rhythm. Either way, dangerous. Password managers are for people who either can't be bothered remembering passwords or have too many to remember and don't want to go through 30 in their head figuring out which one goes where.

I can vouch for LastPass. It's occasionally annoying in browser with autofilling (sometimes gives you some random password for some other thing that you have, completely off) but notes-wise it is good (just turn off autofill).

Link to comment
Share on other sites

4 hours ago, Dave-ee Jones said:

It's amazing what can be deduced from a few words. What you're telling everyone is you either have a great memory or don't have many passwords, which means a hack-one-hack-them-all type deal, unless of course you have a rhythm of linking your passwords to the name of the website hosting your account or other rhythm. Either way, dangerous. Password managers are for people who either can't be bothered remembering passwords or have too many to remember and don't want to go through 30 in their head figuring out which one goes where.

I can vouch for LastPass. It's occasionally annoying in browser with autofilling (sometimes gives you some random password for some other thing that you have, completely off) but notes-wise it is good (just turn off autofill).

203D3536BD62AD33AC70B7EA3D4F5E10B6D52EBD0CB7582841A053AEBB7186A3

Good memory, and tricks on creating long, but memorable passwords [1] [2]. People should take the time to learn their passwords, the same way they do with phone numbers, addresses, exams etc.

I don't write mine down, but one could also argue pen and paper is safer than storing your password on a computer [3] [4] [5] [6], even if it's hashed. Pen and paper has an air gap, password managers do not. I'd trust my password on some paper more than I'd trust someone else's program.

Edited by haze1434
Link to comment
Share on other sites

I used to use 1Password and was very happy with it, but it doesn't support all of the platforms I'm on.

Then I discovered Enpass.  It supports a ton of platforms.  I've been on it now for about six months, and I've been reasonably happy with it.  It's similar to 1Password in a lot of ways.  I had no trouble importing my data.  My password database is encrypted and stored locally on all of my machines.  It's also stored encrypted on my NextCloud, which is how they all stay in sync.

I currently have it running on Mac, Windows, and Linux.  I'll be adding it to my phone soon.  The desktop versions are free.  The mobile version is $10.

Here's a PC Magazine review from a couple of years ago.

Link to comment
Share on other sites
