Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    They are turning it over because they don't have a choice. If the government came to you and demanded the data you would give it to them also, because it is better than the consequences of refusing.
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    There is always a choice. If my companies aren't willing to put up a fight, I won't use them or their services.

    http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email

    and/or..

    More recently, meanwhile, Avira CEO Travis Witteveen reported, in a letter to Bits of Freedom, that his company likewise had no time for state-sponsored malware, and said the company would change its headquarters to a foreign country if the German government ever ordered it to ignore any type of malware. Likewise, the CEO of BitDefender, speaking by phone, said that his company had never received a copy of the letter from Bits of Freedom, but that his company would never -- and had never -- whitelisted any form of malware. The company plans to soon publish a more detailed statement on its website.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Last edited: Apr 4, 2015
  4. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    I read the Lastpass quote (your post #108) in a different way to you. If ordered by law they have to hand it over but all they can give is a blob of encrypted data (which can only be decrypted by brute force). There is no mention of "willingness" or "lack of resistance", it is just a plain statement of fact based on the laws that exist in their country (or countries) of operation. We are of course all free to use products from any company or country that we wish.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
With a "local" judge order in whichever "local" country, you must provide the data... the issue is not so much about LastPass, which has no access to your master key, but all the other services storing unencrypted data...
     
    Last edited: Apr 4, 2015
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
That too.. But also a company's 'resistance' to such measures should be factored in, should it not? I read that some companies are lowering their govt. bully surface by opening branches in other jurisdictions, so if the need arises, they can simply close up shop in the compromised jurisdiction. Makes sense really.
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
They should, but they should also provide realistic claims or promises. LastPass management clearly stated their position towards the NSA (LastPass and the NSA Controversy) and are beta testing EU servers to give options to users (https://lastpass.com/use_eu.php), but they are realistic enough to say that they may have to comply with legal requirements. IMO a balanced and honest approach. No point promising something that you are not able to hold to under all circumstances.
     
  8. Jadda

    Jadda Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    429
Good enough with some flaws. Autofill of passwords works well, but autofill of personal information I found really lacking compared to Dashlane. Adding the extension to web browsers had some bugs saying it couldn't find the browsers (or they weren't installed, when in fact they were), and that ~ Snipped as per TOS ~ me off. Visually it's not pretty either. Exporting passwords to other managers is basically impossible; when I reverted to Dashlane I had to write them in manually.
     
  9. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I agree with your assessment. I purchased the 'lifetime' for $29, and found it is an 'acceptable' product, better than LastPass in many ways, but far behind Dashlane in overall usability. As you noted, the form filling is pretty lousy, also there isn't any TFA with it. Overall, not happy with the purchase, and I will likely request a refund. Back to Dashlane!
     
  10. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Another big strike against Stickypassword - flawed uninstaller. Seems to hang often on uninstall, and sometimes fail to uninstall. I think when we evaluate a product we should evaluate all aspects, including 'removal' of it.

    It's not difficult to script a good uninstaller for a product, and StickyPassword is epic fail in this respect.
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Dashlane is really good, almost perfect.

    I turned 'Improve Experience' OFF on it. However, Dashlane sends hundreds, if not thousands of logs out per day to an Irish IP address. I can block the IP, IP-Range, and/or DDNS. Not an issue, but I wonder - what is Dashlane doing, and why?

    From 12 noon today to 6PM I logged almost 1000 polls to logs.dashlane.com.. So far they haven't answered me. I consider this excessive, and ridiculous. I appreciate the need to gather logs, but do they really need to be gathered every 15 seconds?
     

  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Dashlane just sent this string - unencrypted, over the WAN.. Well - I am blocking it on the WAN and running packet captures.. This would have gone out in plain text. (I changed my actual username below to match this one, but it was my actual DL username)

    /1/softwarelog/create action=logOnline&code=2TYPE_KW_EX_NO_TYPE&file=kwexternlib%5C%5Ciniconfig%5C%5Ckwmainconfig.cpp&functionName=KW_EXTERN::KWMainConfig::KWMainConfig&legacy=false&line=103&message=should%20not%20happen%20-%20C:%5C%5CUsers%5C%5CMayahana%5C%5CAppData%5C%5CRoaming%5C%5CDashlane%5C%5C3.2.5.82904/config/dashlaneconfig.json%20should%20exist%20-%20_2%0AgetKwiftDataFolder_all%20content:%20%0AC:%5C%5CUsers%5C%5CMayahana%5C%5CAppData%5C%5CRoaming%5C%5CDashlane%5C%5C3.2.5.82904%0A%0AgetKwiftDataFolder_all/config%20content:%20%0AC:%5C%5CUsers%5C%5CMayahana%5C%5CAppData%5C%5CRoaming%5C%5CDashlane%5C%5C3.2.5.82904/config%09%0ADashlane.ini%20-%20cleaningHasBegun:%20false%20-%20from%20KWUtil_win::logRegError_s&osVersion=81&stack=%5BFUNCTIONNAME%5D%20KW_EXTERN::KWMainConfig::KWMainConfig%0A%5BFILENAME%5D%20kwexternlib%5C%5Ciniconfig%5C%5Ckwmainconfig.cpp%0A%5BLINENUMBER%5D%20103%0A%5BPRECISION%5D%20C:%5C%5CUsers%5C%5CMayahana%5C%5CAppData%5C%5CRoaming%5C%5CDashlane%5C%5C3.2.5.82904/config/dashlaneconfig.json%20should%20exist%20-%20_2%0AgetKwiftDataFolder_all%20content:%20%0AC:%5C%5CUsers%5C%5CMayahana%5C%5CAppData%5C%5CRoaming%5C%5CDashlane%5C%5C3.2.5.82904%0A%0AgetKwiftDataFolder_all/config%20content:%20%0AC:%5C%5CUsers%5C%5CMayahana%5C%5CAppData%5C%5CRoaming%5C%5CDashlane%5C%5C3.2.5.82904/config%09%0ADashlane.ini%0A%0A&timeSinceLaunch=26&type=plugin_win&version=3.2.5.82904&

Mostly general stuff.. But sending usernames and paths over plain text, for a password manager? Over the last hour I have captured nearly 122 telemetry sends. It's all probably fairly innocent, but it doesn't give me confidence in the product at this point, and much of it seems reckless..

    Another security flaw? Dashlane stores website icons in unencrypted form OUTSIDE of the password database. Hence, it would give someone an 'idea' of what website passwords are within the product. Those should be encrypted within the database - at the least.
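As an added example (not Dashlane's code, and not something posted in this thread), here is a small Python script in the defender's role: it decodes a query string of the shape captured above, flags fields that embed a Windows profile path (which exposes the account name), and shows the redaction a vendor could apply before a log line leaves the host. The sample line is constructed: a shortened copy of the quoted capture with a made-up username.

```python
"""Decode a captured URL-encoded telemetry request and flag identifying data.

Added example for this thread, not Dashlane's code.  SAMPLE is a constructed,
shortened version of the capture quoted above (username replaced).
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs

# Constructed sample: same field layout as the quoted capture, fewer fields.
SAMPLE = (
    "/1/softwarelog/create action=logOnline&code=2TYPE_KW_EX_NO_TYPE"
    "&file=kwexternlib%5C%5Ciniconfig%5C%5Ckwmainconfig.cpp"
    "&message=should%20not%20happen%20-%20C:%5C%5CUsers%5C%5CExampleUser"
    "%5C%5CAppData%5C%5CRoaming%5C%5CDashlane%5C%5C3.2.5.82904/config/dashlaneconfig.json"
    "&osVersion=81&type=plugin_win&version=3.2.5.82904&"
)

# A Windows profile path embeds the account name: C:\Users\<name>\...
# The capture double-escapes backslashes, so allow one or more of them.
USER_PATH = re.compile(r"[A-Za-z]:\\+Users\\+([^\\/\s]+)")


def decode_telemetry(line: str) -> tuple[str, dict[str, str]]:
    """Split 'path query' and percent-decode each field (first value wins)."""
    path, _, query = line.partition(" ")
    fields = parse_qs(query, keep_blank_values=True)
    return path, {key: values[0] for key, values in fields.items()}


def find_identifiers(fields: dict[str, str]) -> dict[str, set[str]]:
    """Map field name -> account names found in embedded profile paths."""
    hits: dict[str, set[str]] = {}
    for key, value in fields.items():
        names = set(USER_PATH.findall(value))
        if names:
            hits[key] = names
    return hits


def redact_profile_names(value: str) -> str:
    """Replace the account name in any C:\\Users\\<name> path with a placeholder."""
    return USER_PATH.sub(
        lambda m: m.group(0)[: m.start(1) - m.start(0)] + "<user>", value
    )


if __name__ == "__main__":
    path, fields = decode_telemetry(SAMPLE)
    for key, names in find_identifiers(fields).items():
        print(f"{path}: field '{key}' leaks account name(s) {sorted(names)}")
        print("redacted:", redact_profile_names(fields[key]))
```

Run it against lines pulled from a packet capture to see which fields carry the account name; the same regex can drive an egress alert when such a request is seen without TLS.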
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
Ditched Dashlane due to security issues. I am consulting with Dashlane on the issues I found, and cannot disclose them right now. Simply put - I wouldn't trust it at this time. I've removed my passwords from it and terminated my account.

One of the IT Security Engineers at work recommends 1Password. He claims it's one of the most vetted, and the company is very open. He uses 1Password, with the database dropped into Dropbox, then TFA enabled on Dropbox to add an additional layer. To 'fully' compromise it, someone would need to compromise the TFA-locked Dropbox. THEN they'd need to brute force the database. Which is highly unlikely. So Dropbox actually provides additional security layers, and doesn't vendor-lock you with the password manager's own cloud sync.

Also I have done sniffing on 1Password, and can find absolutely NO anomalies or unexpected traffic. Its form fill is reliable and effective. We will see how it shapes up.
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Just wanted to bump this since no one has replied.

    I have been looking through the 1Password forum and found this request

    https://discussions.agilebits.com/discussion/26014/character-1-3-and-7-of-your-password

It would seem that 1Password has no means of coping with this situation. Does this also apply to other managers? I have found that more financial sites are requesting this.
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
I don't think LastPass can do what you suggest, at least I haven't figured it out yet.
The only password manager I know that can is Password Depot .... but not in a super intuitive way.
     
  17. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Tried Password Depot, and Keepass, both were kludges.
     
  19. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
Why is KeePass a kludge, you avatar-happy Wilderer?
     
  20. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    704
    Location:
    EU
This is your point of view; I'm really happy with KeePass 1.29. And now I totally agree with you about Dashlane (strange security issue and uninstall problem for me).

    Rules.
     
  21. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    @Mayahana I bet that after this your long journey you will end up back home: Lastpass.:D:D
     
  22. Jadda

    Jadda Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    429
    First Mailbird and now Dashlane. I have a curse with using programs sending strange logs without my permission.
     
  23. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
Well, at least in Password Depot you do not need a script. Just create X entries (= number of characters) within the selected website, and then in Password Depot you will have a drop-down menu to select which one (one by one). But it is a long time since I used it, so things may have changed!
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
Well, you already disclosed in some detail the matter of the numerous "telemetry sends". Are there other issues that you can't disclose? When you say you're consulting with Dashlane, does that mean they have responded to your concerns and that you expect an additional response from them? You initially came out very strongly in favor of Dashlane and now you're implying that it's unsafe. It would be good to have some more factual information.
     