Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Looks very interesting. Lots of features, nice looking GUI too.
    I hope all the other password managers have the feature that they don't leave any traces of logins in memory and have clipboard protection too, like this one. I kind of like the key file idea, and of course, as I understand it, the user has control of the database file. I will give this one a try for the free 30 days; if it's good I'll pay for it.

    *edit*
    So, I downloaded the software and installed it. It is not clear how to activate the 30 day trial for the full program. You can ask for an activation key, but for unlocking the software so it will import more than 20 passwords you need an unlock key too, and you won't get an unlock key unless you pay for the program :/

    Anyway, I imported a *.csv from my Enpass. It only imported 20 password entries - without the passwords! I don't know what I did wrong. It should be a no-brainer to import from a csv file...

    *edit hours later*
    Been trying to get it to work for a couple of hours now. In addition to the already mentioned problems (I even exported my old LastPass vault to a csv, since I've never had any problems with its export to other PW managers), I can't get the Chrome extension to work. First it says that the PW Depot main program isn't started (it is), and after that it doesn't react; it won't fill in the password. Nothing happens when I click on the extension icon in the browser. So I am giving up on this one. Too bad, I really liked what it had to offer, if only it had worked as it should. Maybe I'll try it in the future...
     
    Last edited: Feb 10, 2018
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,365
    Location:
    USA
    I am. Still no complaints other than them doubling the price of the paid version.
     
  3. ClaytonThomas

    ClaytonThomas Registered Member

    Joined:
    Feb 4, 2018
    Posts:
    20
    Location:
    Sofia, Bulgaria
    As for me,
    Was using: Last Pass. Deleted the account in 2017.
    What I am using: KeepassXC and Keepass 2.

    Keepass 2 / XC has a minor issue: the database was corrupted sometimes, but it can be fixed by changing the master password to a less strict one. If I used special characters, like $ or & in the master password, then expect the database to corrupt. But if I use alphanumeric only, then it is fine.

    There's no need to make the master password for the KDBX files to be too strict because all data are stored locally in my PC.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,907
    Location:
    localhost
    Solid application, used it for many years (before moving to lastpass). I have not used the last two/three major releases.
    My problem was the limited support for OneDrive and no reliable auto-fill when needed. But maybe these issues have been addressed meanwhile, or you don't care about them. :):thumb:
     
  5. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,467
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    Just started LastPass and am on the Premium Trial version until March 7th. I'm only using "Sites" and "Secure Notes" now. That's all I need to use since I'm not putting it on any mobile devices. Just have it on 3 computers. What's the difference between Free and Premium? The only thing I see is Faster Support and Sharing Center. Do I need Premium?

    Btw: I got AOL Mail working now with LastPass. Had some trouble in the beginning that was my fault, but it's working now.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,365
    Location:
    USA
    I think the differences you mentioned are pretty much it at this point. There used to be more differences. I don't know that I won't just go with the free one when my paid version expires.
     
  7. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,467
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    Thank you Jack. :)
     
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,449
    When I was still using LastPass Premium one of the “perks” was being able to use a YubiKey for better 2FA.
     
  9. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,684
    Yup. What did you switch to might I ask?
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,484
    Location:
    The Netherlands
    OK thanks for letting me know. I have found another much simpler one, I will play a bit with it:

    http://www.s10soft.com/passwordvault.htm

    Yes, the security features also caught my eye. Thanks for the review.
     
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,449
    1Password.
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,684
    Nice same here. Though I am thinking about going back to Lastpass. :eek:
     
  13. majorpain

    majorpain Registered Member

    Joined:
    Jul 22, 2016
    Posts:
    40
    Location:
    tennessee
    If I use a U2F or TFA key like a YubiKey, which password manager programs allow this? Also, do any have an encrypted virtual keyboard or anything to hide typing, say if a keylogger got installed on your machine without your knowledge?
     
  14. 142395

    142395 Guest

    I don't know what exactly you mean. Some pwdmgrs support TOTP codes, but a U2F key, by its nature, has to be plugged in to your computer (or connect through Bluetooth), so no pwdmgr can support it. But KeePass has a plugin with which you can use a U2F key as a 2FA for its master password. @deBoetie knows better about that. Also KeePass 2.x supports secure desktop on Windows, which prevents most keyloggers when you type the master password in, and Two-Channel Auto-Type Obfuscation mitigates keyloggers when you type it for your service, tho you have to set it up on every entry manually and it's still not perfect protection.
     
  15. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,339
    hi @ClaytonThomas

    May I know the advantage of KeePassXC over KeePass 2?
    thanks
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @142395 - Unlikely(!)

    The plugins I'm aware of for KeePass use either OTP (OtpKeyProv) or challenge-response HMAC - KeeChallenge (which hashes a secret on the key against a challenge using a hash), which is also what Password Safe and the Yubikey Windows login authenticator use. For PAM in Linux, there's both HMAC and OTP options, obviously somewhat depending on internet connection (which is why HMAC is sometimes better for this application).

    U2F also works on a challenge-response basis, normally this is defined for browser-server type operations. I'm not aware of any KeePass plugin for that, though there's no reason why it can't work. However, I have seen an implementation for PAM login using U2F but haven't tested it. U2F has a kind-of disadvantage/advantage for this purpose, that its secrets are not backup-able nor replicable. You'd then need to be able to have and register 2 U2F keys for resilience, or have recovery codes. With OTP and HMAC secrets (stored separately and securely), you can re-instantiate a new key with those values in it and carry on as normal.

    I wouldn't use a password manager without 2FA, since, although using secure desktop and keyscramblers helps against KSL, they are a partial defence. Of course, there is always going to be weakness in any scheme where passwords on their own are delivered, due to presence of secrets in RAM and logging of the output in the browser.

    I'm currently going through the joys of trying to increase the level of using native 2FA on selected websites, without losing friends and family. It's an interesting process, and I'd be happy to reflect on this, maybe in another thread, if anyone's up for it. There are quite a few challenges in how to configure the whole thing without ending up in the lowest common denominator (of weak things like SMS and so on). And what to do about smartphones - especially if you don't trust their environment. The level and sophistication of 2FA, even on big sites is commonly poor.
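The challenge-response HMAC scheme described above (a secret on the token, hashed against a challenge stored beside the vault) can be illustrated with a small model. This is an added example, not KeeChallenge's or Password Safe's code or file format; the key-derivation step, the 64-byte challenge size and the `verifier` field are assumptions made for the illustration. It also shows the backup point from the post: a second token programmed with the same saved secret unlocks the vault, while a token with a different secret, or the password alone, does not.

```python
import hashlib
import hmac
import secrets

# YubiKey HMAC-SHA1 challenge-response slots return a 20-byte HMAC-SHA1 digest.
HMAC_ALG = hashlib.sha1


def token_response(key_secret: bytes, challenge: bytes) -> bytes:
    """Model of what the hardware token computes: HMAC(secret-on-token, challenge).
    The secret never leaves the token; only the response does."""
    return hmac.new(key_secret, challenge, HMAC_ALG).digest()


def derive_vault_key(master_password: str, challenge: bytes,
                     response: bytes, salt: bytes) -> bytes:
    """Assumed key derivation: the token response is folded into the password
    before stretching, so the vault key needs both factors."""
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8") + response,
                               salt + challenge, 100_000)


def provision_token_secret() -> bytes:
    """Generate the HMAC secret to program into a token. Keeping an offline copy
    is what lets a replacement token be re-instantiated later."""
    return secrets.token_bytes(20)


def create_vault(master_password: str, key_secret: bytes) -> dict:
    """Create the unlock metadata stored beside an (elided) encrypted vault.
    A fresh challenge is stored in the clear; only a verifier of the key is kept."""
    challenge = secrets.token_bytes(64)        # assumed challenge size
    salt = secrets.token_bytes(16)
    response = token_response(key_secret, challenge)
    vault_key = derive_vault_key(master_password, challenge, response, salt)
    return {"challenge": challenge, "salt": salt,
            "verifier": hashlib.sha256(vault_key).digest()}


def unlock(vault: dict, master_password: str, key_secret: bytes) -> bool:
    """Recompute the response with the presented token and check the key verifier
    in constant time. A real implementation would also re-issue a new challenge
    on every save so a captured response cannot be replayed."""
    response = token_response(key_secret, vault["challenge"])
    vault_key = derive_vault_key(master_password, vault["challenge"],
                                 response, vault["salt"])
    return hmac.compare_digest(hashlib.sha256(vault_key).digest(), vault["verifier"])


def demo() -> tuple:
    """Returns (correct token, wrong token, password only, backup token)."""
    password = "correct horse battery staple"   # constructed sample password
    primary_secret = provision_token_secret()
    vault = create_vault(password, primary_secret)
    return (
        unlock(vault, password, primary_secret),            # genuine token: True
        unlock(vault, password, provision_token_secret()),  # different token: False
        unlock(vault, password, b""),                       # no token at all: False
        unlock(vault, password, primary_secret),            # second token programmed
    )                                                       # from the saved secret: True


if __name__ == "__main__":
    print(demo())
```

The fourth case is the resilience argument from the post: because the HMAC secret is a plain 20-byte value you can store offline, a lost token is replaced by programming another one with the same bytes, whereas a U2F credential has no such exportable secret.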
     
  17. 142395

    142395 Guest

    Thx for detailed explanation and my memory was wrong.
    I am still satisfied with just a key file, but your insight is appreciated. It's a pity so few sites support U2F, but I found the number of sites which support 2FA is increasing, so I sometimes check my logins and add 2FA where applicable. One where I recently added 2FA is Amazon; I didn't know it supports 2FA, tho SMS only(!). And as you suggested, some web sites that originally only supported SMS have added more 2FA options (tho mostly - rather, all - are TOTP).
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I think Amazon also has a TOTP option, which I'm OK with if no U2F. You can get the Yubikey 4 to do TOTP with an authenticator using the CCID card part, either on PC or via NFC on suitable phones. Since the second factor secret is off the phone, I can live with that.

    Also, W3C are standardising a browser API for authentication including U2F, which should mean decent support in FF as well as Chrome.

    The most egregious situation is that of Paypal, whose only alternative to SMS is/was the old Symantec VIP fob - which is really a proprietary form of TOTP. But it's terribly disappointing (read negligent), that they now have neither "regular" OAUTH TOTP nor U2F - especially since they were a founder of Fido. Many other financial institutions are poor too, and worse, are going down the smartphone rabbit-hole.
     
  19. majorpain

    majorpain Registered Member

    Joined:
    Jul 22, 2016
    Posts:
    40
    Location:
    tennessee
    I actually have Bluetooth on my motherboard, so a physical key I think would be great. Are there any password managers other than KeePass that have YubiKey (physical key) support and use some sort of protection against someone seeing what you type, like maybe a virtual keyboard? idk, not much of an expert in this area.

    How about Dashlane, Keeper, LastPass or Sticky Password? Do any of those have the features I'm looking for?
     
  20. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Password Safe.
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Not clear about what bluetooth is significant for, unless you're thinking of the bluetooth u2f connection that Google is promoting for Android.

    For standalone pwm, I use Password Safe which has native Yubikey support on Windows. However, it does not support the Secure Desktop password entry that KeePass does. I think this is in fact more secure than doing things like virtual keyboards whose benefits are sometimes illusory - the process environment is not protected once the attacker has root. And if you have a second factor, then shoulder surfing is not effective; then that leaves the wrench ploy which would tend always to be effective!

    For browser based pwm, I use Lastpass, but only for "standard" accounts I'm not fussed about (this is most of them!). I suspect all browser mediated password managers are at risk from the browser process and flaws, especially in the era of Spectre. At least these pwm avoid having to use the clipboard. Lastpass supports a range of 2 factor including various authenticators, Duo, Transakt and paper OTP; and Yubikey OTP, fingerprint/smartcards and Sesame on their Premium accounts. You can register 5 Yubikeys for the account. There's also various schemes for account recovery and alerting, though care is needed not to introduce a weaker method which can be exploited for account hijack. You also need to configure it to NOT autofill because various nasty 3rd party scripts can potentially use that to harvest password info from Lastpass "filling in" those fields and that being harvested.

    If I could make a recommendation - try a couple out. Although the 2FA is frequently on a charged-for subscription, you should get a good idea of how they work on a test basis without that additional protection.

    PS - I trust you can see why the real solution is in fact to have the websites support 2FA natively, then it wouldn't matter so much if any point in the "terrifically weak" client got subverted, because there is a secret outside its address space. But progress on this has been glacial.
     
  22. ClaytonThomas

    ClaytonThomas Registered Member

    Joined:
    Feb 4, 2018
    Posts:
    20
    Location:
    Sofia, Bulgaria
    Keepass 2 has more features, but takes longer to setup and sometimes to load the database. For example, if you want this software to generate a password with special character, you need to use the password generator function and then save the profile first.

    Keepass XC is much faster to load and setup. If you want to generate password, you can easily customize that with a few clicks, somewhat similar to Last Pass.
     
    Last edited: Feb 24, 2018
  23. Anjoland

    Anjoland Registered Member

    Joined:
    Sep 21, 2015
    Posts:
    9
    Think I have resigned myself to the fact that LastPass will be my primary password manager. Portability is big for me. I've seen people say paper and pen or an Excel spreadsheet is good enough for them, but only as long as you only use that at home. That method doesn't seem practical anywhere else. I have Password Safe on my Android phone and KeePass on my PCs. But exporting from one to the other was very cumbersome. Using KeePass and some version of KeePass on Android doesn't seem practical to me either. You still end up using some form of the cloud to transfer the database from device to device. So you have KeePass, cloud storage, KeePass on phone. Three different vendors, too many moving parts for me.
    Any important sites, like banking, I store in LP for reference. So if my bank's actual password is Password, I store it in LP as something like #Password12, so only I know which are the extraneous characters that aren't part of the actual password.
     
  24. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @Anjoland - I think LastPass is a practical approach which is probably better than alternatives, for medium security sites. You can also "decorate" passwords by adding a pin that is not in the LastPass database. I do not use it for banking though, nor do I use a general purpose system for that purpose - I boot off a USB live stick used only for that purpose.
     
  25. 142395

    142395 Guest

    Bitwarden also supports U2F and it's open source. But it doesn't have secure desktop. Many others such as 1Password have either secure desktop or other keylogger mitigation, e.g. tunneling key strokes, but they don't support U2F. So AFAIK there's no perfect pwdmgr which meets all your requirements. Those browser-based pwdmgrs such as LP, Dashlane, Keeper, etc. have all suffered several vulnerabilities which could allow compromise, but how much that means depends on your threat model. I think for most users they suffice, and as already mentioned, you can use the decoration technique to mitigate such an event.
     