Please help - which Android password manager to choose...

Discussion in 'privacy technology' started by wiwul, Oct 29, 2016.

  1. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    138
    Currently I am using Roboform Everywhere on my Windows 10 and Android tablet.
    On Windows it works fine most of the time.
    On Android they have their own browser - which obviously has its limitations when comparing it to 'dedicated browsers', like Dolphin, Firefox, Chrome.
    Most of the time I use Dolphin, it is very fast, a lot of settings and above all, users can actually contact the developers by mail!

    One way or the other, Roboform does not work properly anymore when used within any one of the above browsers. Uninstalling and re-installing everything does not help. Uninstalling and reinstalling both all the browsers and the Roboform app did not help either. After spending a lot of time on getting it to work, I now tend to give up on Roboform (which I have been using for many, many years) and consider another password manager.


    So, I went on checking many reviews and often see LastPass #1 rated. I am not sure about LastPass though, considering it was hacked last year and email addresses, password hints and encrypted master passwords were exposed. Also LogMeIn has bought LastPass, which -may- be okay, maybe not, I don't know what to think of it.
    Anyway, LastPass is somewhat lower on my wishlist so to say, or better said: I'd like to check out other password managers first.

    On AndroidCentral http://www.androidcentral.com/best-password-managers-android
    I read a review where it says that 1Password is considered the 'Best Overall'.

    For me, aside from the software being user friendly, one of the most important things is that it is impossible to decrypt the login IDs and passwords because they are encrypted and you need the master password to decrypt them. Roboform encrypts the logins and passwords with a key derived from the master password.

    It seems that LastPass did not have such system in place.

    I searched in vain for a comparison review where specifically encryption is taken into account.
    Most, if not all, reviews are just saying how great each tool is. Great this, great that, used by many people, bla bla. So.. bottom line you still don't know what to choose then.
    However.. regretfully they hardly ever review the encryption, storage and transmission methods.

    Appreciate users views here, specifically on this encryption stuff.

    Up front, sorry to say, but just "I use Product X" - well, frankly, I am afraid that does not help.

    No doubt expert users here have considered things very carefully before choosing.

    Many thanks in advance!!

    -->Sorry for the long post

    =From the Roboform site=
    If you are using the Master Password option, RoboForm stores your login credentials including usernames and passwords in encrypted files called Logins. Those Logins are encrypted using military grade AES encryption with the key that is derived from your RoboForm Master Password. The only way to unlock one of your Logins is by using your Master Password.
    This means that absolutely nobody, including Siber Systems, can access your Logins or other RoboForm data without knowing your Master Password.

    Transferring Data Between RoboForm and RoboForm Online is Secure
    RoboForm uses Secure Sockets Layer (SSL), a cryptographic protocol which provides secure communications on the Internet, when transferring your encrypted data files directly between your computer and the RoboForm Online servers. Using SSL, which is implemented on both your computer and our server, your Internet communications are protected and transmitted in encrypted form. Information you send can be trusted to arrive privately and unaltered to the server you specify and no other.
    =
     
    Last edited by a moderator: Oct 29, 2016
  2. 142395

    142395 Guest

    Hi.
    LP actually encrypts credentials before transmission (and ofc uses TLS), but there are still flaws. LP is not special; search for Tavis Ormandy's Twitter and you'll find he found many vulns in others too, including Dashlane, Keeper, 1Password. Not sure if Roboform is included, but sorry, I won't be surprised if it also has a vuln. Basically I avoid any web-based password manager as they have plenty of attack surface (especially if auto-fill is enabled). Modifying a browser addon is much easier than a standalone native application.

    I'm also indifferent to that kind of review; what I care about is whether it is open source, whether it is audited, and how it implements encryption. This HN thread will give you great info w/ useful links.

    I recommend KeePass (for Android, its fork KeePass2Android Offline). It's open source, got a so-so result in past scrutiny (within the above link, https://www.cs.ox.ac.uk/files/6487/pwvault.pdf; you can find some more audit papers from the above link), and will be thoroughly audited.

    The Android fork has an integrated keyboard which may prevent clipboard sniffers. Regardless of the platform you use, I recommend increasing the iteration count (default is 6000) unless you use a 40+ char random password (optionally w/ keyfile).

    If you need sync, you can use Dropbox or whatever for its database file.
     
  3. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    138
    Hello to you, many thanks for commenting. Really appreciate it. Right now I am not much in a hurry - I mean, I don't need to decide overnight.
    I found some interesting links of a reviewer on guidingtech.com moving from LP to 1Password and later moving to Dashlane.
    Peculiarly enough, 1Password didn't even get through to the PCMag 2016 Password Managers review .. http://www.pcmag.com/article2/0,2817,2407168,00.asp
    As a matter of fact, when checking out the ratings, at http://www.pcmag.com/products/28042?Editor Ratings=4.5 1Password does not even end up as 'Editors Choice' or as 'Excellent'
    Weird..
    Ah well, thanks again for your comments.
    =
     
    Last edited by a moderator: Nov 1, 2016
  4. 142395

    142395 Guest

    PCMag doesn't care much about a product's own security; they just judge based on functions, prices, ease of use etc. (I admit ease of use is very important, tho). Same as most other reviews, tho I didn't know guidingtech and will look at it (that must be this).
    1Password is the only pwdmgr which is closed source but which I can recommend, as they explain their crypto fairly well and it looks better designed (semi-offline). Tavis also examined it but didn't find a serious vuln, and the 1Password team seems to be very active in security discussions.

    Ofc security is not everything required of a pwdmgr. You will find much more useful info in this thread.
     
  5. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    138
    Thanks again. I have by now narrowed the selection down to Dashlane and 1Password. For me, the price is not very relevant. More the user interface, how easily things work, Android support, online synchronization, so more, let's say, technical matters.

    I know on this forum Keepass is #1. I have read the other thread.

    However, when we just take out the price element and also take out open source element, then, probably the votes may be different.
    I mean to say, if users are allowed to select -any- password manager free of costs and ignore the open source thing, maybe Keepass wouldn't end up as #1.
    Now, I don't say Keepass is wrong, nothing like that, I am sure it is a good password manager.
    I believe there are no 'really bad' password managers around.
    But if users are allowed to choose from, let's say LastPass, Dashlane, 1Password, LogMeIn, etc. free of charge, as if it was freeware, then what... :) Would Keepass then still be ranked at #1 ? I don't know.

    As for me, I tend to 1Password: they have a good email support and a forum...

    Thanks again 142395!
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Just to add to the mix, 2FA is essential in password managers, for me - so I'm quite happy with LP and Yubikey (also works with KeePass and Password Safe). But I'm not aware of any separate 2FA for Android, if any is available, it'll be asking you to trust biometrics and Android, which I do not.

    But, I do restrict web-based password managers only to normal purchasing and personal sites where I do not store credit card info, or do any financial transactions.

    It's my feeling that all web-based password managers will be similarly vulnerable. Probably, switching off autofill, and adding a Pin decoration which is not stored in the password manager will help.
     
  7. garry35

    garry35 Registered Member

    Joined:
    Jan 20, 2009
    Posts:
    480
    Not free for premium, but Sticky Password is good and you don't need a subscription, and often you can find sales or deals: https://www.stickypassword.com/
     
  8. 142395

    142395 Guest

    I read several papers about pwdmgr security and they suggest there can be 'bad' pwdmgrs. And actually I'm willing to pay for a good product, but I care much about whether it's open source or not when it comes to crypto. Note that paid or free is not relevant to security, it's only relevant to functions. So only paying when the paid version has really worthwhile functions will be a good idea. As Bruce Schneier once said, open source is vital to crypto software. If I use proprietary crypto, at least I check if they're transparent about their crypto and that the crypto doesn't have silly mistakes. While confirming security is impossible for a non-crypto-expert like me, finding silly mistakes is much easier. I found Macrium, famous backup software, uses incredibly stupid crypto for their encrypted backups.
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    There are a couple of password management apps on the F-Droid repository that manage passwords in a different way. You only need to remember one secret because these apps create a cryptographic hash of your secret combined with the website domain name, which is then used as your password. One of those apps is called cryptopass. Your passwords do not need to be stored anywhere; you just use the app to recalculate the hash each time you need it.
     
    Last edited: Jul 16, 2017
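One way the hash-based scheme RockLobster describes can be realised, with the iteration count 142395 mentions as the knob that makes each guess expensive. This is an added example written for this thread, not cryptopass's or KeePass's code; the salt layout, the choice of PBKDF2-HMAC-SHA256, the `counter` rotation parameter and the base64 output format are all assumptions.

```python
import base64
import hashlib

# Added illustration, not the real app's algorithm: everything below (salt
# layout, KDF choice, counter field, output encoding) is an assumption.
DEFAULT_ITERATIONS = 6000  # the KeePass default quoted in the thread


def derive_site_password(secret: str, domain: str, username: str = "",
                         counter: int = 1, iterations: int = DEFAULT_ITERATIONS,
                         length: int = 24) -> str:
    """Stateless site password: PBKDF2-HMAC-SHA256(secret, "user@domain#counter").

    Nothing is stored anywhere; the same inputs always reproduce the same
    password. `counter` is an assumed extension: bumping it is the only way
    to rotate ONE site's password after a breach without changing the master
    secret (and therefore every other password) at the same time.
    """
    if iterations < 1 or not 8 <= length <= 43:  # 32 bytes -> 43 base64 chars
        raise ValueError("bad parameters")
    # Normalise the domain so "Example.com" and "example.com" agree.
    salt = f"{username}@{domain.lower()}#{counter}".encode()
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)
    # URL-safe base64 keeps the output printable; truncate to the wanted length.
    return base64.urlsafe_b64encode(dk).decode().rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed sample inputs. A leaked site password is an offline oracle
    # for the master secret, so the secret's entropy and the iteration count
    # are the whole defence; a higher count costs every guess the same factor.
    for iters in (DEFAULT_ITERATIONS, 10 * DEFAULT_ITERATIONS):
        print(iters, derive_site_password("correct horse battery", "example.com",
                                          "alice", iterations=iters))
```

Note that with a stateless scheme the iteration count, counter and length are themselves things the user must remember or re-enter identically on every device, or the derived password changes.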
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Yes, this is a problem that no one seems to be addressing. I think an additional device is needed to add a second factor when logging into LastPass on Android.
     
  11. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    I use KeePass2Android. The database is in Google Drive, synchronized with the database on the PC.
     
  12. wiwul

    wiwul Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    138
    Most well-known password managers work well as an add-on to the usual browsers. Fields are autofilled without problems.
    It is a PITA when it comes to working on your Android tablet though. In most (if not all) cases these password managers do not offer an add-on for Android based browsers, but offer their own browsers instead, which are very limited in features. If an add-on is said to be available, such an add-on is crappy at best.
    Sometimes I read that add-ons are not offered for 'security reasons'. Security reasons? Security Reasons? How about Windows then? Add-ons in the Windows based browsers, are they less secure then?
    At least I would expect that Google+Chrome+Android would offer a decent Android password manager: all this coming from the same company, but AFAIK that isn't the case...

    I really wonder how others are browsing through the various forums with all the different log-in IDs and complicated passwords...

    =
     