Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Regarding the LastPass browser plugins, there have been some "proof of concept" demonstrations of vulnerabilities, but to my knowledge no compromises in the wild; is that your understanding? Also, there was a security breach at the LastPass site in 2015, but again no significant compromise resulted because the user databases are encrypted locally before being uploaded. Although not perfect, the system has withstood hacking attempts to date, unlike quite a few other websites where a great deal of user data has been stolen (can you say Equifax?).
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Is there a reason why you didn't use Password Safe on them all?
    https://www.pwsafe.org/
    There is also a cloud sync Android companion app called PasswordSafe Sync by Jeff Harris.
    https://play.google.com/store/apps/details?id=com.jefftharris.passwdsafe.sync
    The same developer who maintains Password Safe on Android.
    Here are some of the other ports and supported systems.
    https://www.pwsafe.org/relatedprojects.shtml
     
  3. Anjoland

    Anjoland Registered Member

    Joined:
    Sep 21, 2015
    Posts:
    9

    Sorry, the Password Safe I have installed is by Robert Ehrhardt.
     
  4. 142395

    142395 Guest

    Yes, that's my understanding; that said, they're sufficient. But I feel most people don't know these facts, so I mentioned that for an informed decision, as he seems to care much about security.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    In my opinion KeePassXC is not faster than KeePass 2. Much more important to me are other features. It's good that the latest beta of KeePassXC now supports KDBX4, Argon2 and ChaCha. But support for plugins and scripting is still missing. The only real advantage of KeePassXC on Linux is that Mono is not needed. But the bottom line is that I see no reason why I should switch. This might change in the future, though.
     
  6. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Oh ok, I thought you meant the one designed by Bruce Schneier, by the same name.
     
  7. guest

    guest Guest

    A desktop version of Bitwarden has been released recently:

    Bitwarden v1.0.5 Released (February 28, 2018)
    "A secure and free password manager for all of your devices"
    Download (Desktop, Web browser, Mobile, ...)
    Github

    Bitwarden Desktop App released
    March 01, 2018
    https://www.ghacks.net/2018/03/01/bitwarden-desktop-app-released/
     
  8. 9000forum

    9000forum Registered Member

    Joined:
    Mar 3, 2018
    Posts:
    0
    Location:
    Harrisburg PA
    Hello!

    I switched because while using the GlassWire firewall I noticed Bitwarden was broadcasting to Google Analytics. I didn't notice it while using their plug-in for my browser. I noticed it when they released their Windows desktop version only a week ago.

    They sold out to Google and are sending back to Google where you go. KeePass does not use a browser plugin. And KeePass can be blocked from the outside world. This thing is noice.
     
  9. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    or you know, the whole app is chromium based
    but hey, conspiracy theories amiright?
     
  10. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,194
    @ClaytonThomas thank you !

    do you trust uploading the database to Dropbox or Box via a plugin like KeeAnywhere or kpdatasave?
    thanks
     
  11. ClaytonThomas

    ClaytonThomas Registered Member

    Joined:
    Feb 4, 2018
    Posts:
    20
    Location:
    Sofia, Bulgaria
    I don't use Dropbox, Google Drive or any US based service. I backup those on my thumbdrive. If I want an alternative to Dropbox, I prefer uploading to disroot.org, which is a Netherlands based service. Just upload using my Firefox browser.
     
  12. AlexWest

    AlexWest Registered Member

    Joined:
    Apr 4, 2018
    Posts:
    1
    Location:
    Hamburg
    Hi all,

    I cannot figure out which password manager to prefer - are there substantial differences in how these programs copy/paste the password into the required fields?

    E.g. KeePass enables the user to copy the password to the clipboard and then paste it in the required fields of a website. After 12 seconds data is being deleted from the clipboard. Frankly speaking, on an infected machine this doesn't sound very secure.

    Does anyone know whether other applications such as Keeper or Dashlane do the copy/pasting more securely?

    Thanks,
    Alex
     
  13. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Bitwarden, for example, does not copy and paste the username and password as far as I know. If it is on the right page (that is registered in the extension) it just fills the appropriate fields. I guess that is the standard practice for most extension-based password managers. KeePass, as I understand it, is not an extension to the browser, so I guess that is why it has to use the clipboard.

    But I understand that Keepass has some setting called "Password obfuscation" that protects the password while in the clipboard.
    https://superuser.com/questions/635098/how-to-use-password-managers-without-using-the-clipboard
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This has also always bugged me, that's why I use SpyShelter to block clipboard monitoring of unauthorized tools, but it's probably not foolproof.
     
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Your concerns about copy paste password managers are valid ones.
    I would never use a copy paste password manager because every running process has access to the clipboard.
    Some password managers use their own built-in soft keyboard, which I believe is about as secure as you're going to get given the state of system security as it is.
    I recommend Bruce Schneier's Password Safe for the following reasons.
    1) Bruce Schneier is an expert in cryptography
    2) He has been very outspoken against surveillance, the NSA and their efforts to break and subvert consumer level encryption and privacy.
    3) Password Safe uses the twofish encryption algorithm he designed, that has never even come close to being broken by any known cryptanalysis.
    4) Password Safe is free and open source.
    5) Password Safe has a built in soft keyboard with special keys to send the username, password, etc to the login dialogue the same as if you typed them.
    https://www.pwsafe.org/
     
    Last edited: Apr 6, 2018
  16. 142395

    142395 Guest

    KeePass offers Two-Channel Auto-Type Obfuscation, which foils most known keyloggers, and its auto-type is very configurable, so I don't use copy & paste.
    The problem with extension-based password managers is, as already noted in this thread, that a remote attacker can compromise them even without a full browser sandbox bypass, as shown by Tavis Ormandy more than twice.
    It's nitpicking and not opposition nor denial, but there's a chosen-plaintext attack (truncated differential cryptanalysis) against full-round Twofish, which Schneier himself explained well to get rid of suspicion. The thing is, as always, it requires an impossible situation. Yeah, if you're omnipotent, you can break every encryption.
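
As an added illustration of the clipboard and auto-type points raised by AlexWest, RockLobster and 142395 above (this is example code written for this page, not KeePass's own implementation), here is a toy model of Two-Channel Auto-Type Obfuscation. The split strategy, the event names and the `replay` observer are assumptions of this model. What it shows is that an attacker who records only keystrokes gets a fragment of the secret, while one who also reads the clipboard reconstructs all of it, which is why the KeePass documentation says the feature does not help against loggers that monitor both channels.

```python
"""Toy model of Two-Channel Auto-Type Obfuscation (TCATO), written as an
example for this page; it is not KeePass's code and the split strategy below
is a constructed simplification of what KeePass actually does."""
import random


def obfuscated_events(secret, rng):
    """Event stream an obfuscated auto-type of `secret` would emit.

    ("clip", text)  text placed on the clipboard        -- clipboard channel
    ("key", ch)     one character sent as a keystroke   -- keystroke channel
    ("paste",)      a Ctrl+V keystroke                  -- keystroke channel
    ("left", n)     n presses of the Left arrow key     -- keystroke channel

    Assumed strategy: a random middle slice travels via the clipboard; the
    prefix and suffix are typed first, then the cursor is moved back and the
    slice is pasted into the gap.
    """
    n = len(secret)
    if n < 4:                                  # too short to split usefully
        return [("key", ch) for ch in secret]
    i = rng.randrange(1, n - 1)                # slice start; keeps >= 1 typed char before it
    j = rng.randrange(i + 1, n)                # slice end;   keeps >= 1 typed char after it
    prefix, middle, suffix = secret[:i], secret[i:j], secret[j:]
    events = [("clip", middle)]
    events += [("key", ch) for ch in prefix + suffix]
    events.append(("left", len(suffix)))
    events.append(("paste",))
    return events


def keystroke_channel(events):
    """What a keystroke-only keylogger records: everything except clipboard contents."""
    return [ev for ev in events if ev[0] != "clip"]


def replay(events):
    """Reconstruct the text that ends up in the target field from an event stream.

    Works for the real target (all events) and for an attacker who replays
    whatever channels they captured; a missing "clip" event means Ctrl+V
    pastes nothing, which is exactly the keylogger-only view.
    """
    buf, cursor, clip = [], 0, ""
    for ev in events:
        kind = ev[0]
        if kind == "clip":
            clip = ev[1]
        elif kind == "key":
            buf.insert(cursor, ev[1])
            cursor += 1
        elif kind == "left":
            cursor = max(0, cursor - ev[1])
        elif kind == "paste":
            buf[cursor:cursor] = list(clip)
            cursor += len(clip)
    return "".join(buf)


def attacker_views(secret, seed=7):
    """Compare what the target, a keystroke-only logger and a two-channel logger see."""
    events = obfuscated_events(secret, random.Random(seed))
    return {
        "target": replay(events),
        "keylogger_only": replay(keystroke_channel(events)),
        "keylogger_and_clipboard": replay(events),
    }


if __name__ == "__main__":
    for name, seen in attacker_views("correct horse battery staple").items():
        print(f"{name:24s} {seen!r}")
```

The `rng` parameter is a `random.Random` instance so the split is reproducible in tests; a real implementation would use unpredictable splits. The model also makes the limitation visible: the target field must accept Ctrl+V and Left-arrow navigation, which is why KeePass lets you enable the feature per entry rather than globally.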
     
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    @yuki Are you talking about Moriai and Yin's paper? I read about that on Schneier's blog and like you said, the plaintext attack is not reasonable because even if it were possible it would require trillions of chosen plaintexts.
     
  18. 142395

    142395 Guest

    Yes, that shows how difficult it is to break modern encryption; it's just my bad habit to want to make things precise. As you know, Twofish has more security margin than AES, so it potentially can be more secure. I think there are 2 more things which should be noted about Twofish.

    1. Twofish will be faster than AES-256 if the CPU doesn't support AES-NI (but slower than AES-128; this is one reason it didn't get that many votes in the AES competition. But nowadays AES-256 is becoming standard and there are still CPUs that don't support AES-NI).
    2. Twofish & Camellia use a Feistel network structure, which is different from the SPN used in AES and Serpent. This makes sense if you cascade encryption, as the whole point of cascading is to prepare for an unknown vulnerability in an algorithm. Once a vuln is found in AES, it might affect Serpent too (not necessarily, though). So I always combine ciphers of different structure for cascading.
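
Added example for 142395's point about Feistel versus SPN structure (written for this page; not Twofish or KeePass code). It is a toy 64-bit Feistel network, eight bytes per block, sixteen rounds, with a round function built from HMAC-SHA256 that is deliberately not invertible. The structural property it demonstrates is that a Feistel cipher decrypts by running the same rounds with the subkeys in reverse order, whatever the round function is, whereas an SPN such as AES needs every S-box and linear layer to be invertible. The key schedule and round function are constructed for illustration and the cipher is not meant for real use.

```python
"""Toy Feistel network, written as an example for this page. Not Twofish and
not KeePass code: the key schedule and round function are constructed for
illustration and the cipher must not be used for anything real."""
import hashlib
import hmac

ROUNDS = 16
BLOCK = 8   # bytes; two 4-byte halves


def round_keys(key, rounds=ROUNDS):
    """Constructed key schedule: one 16-byte subkey per round from SHA-256."""
    return [hashlib.sha256(key + bytes([i])).digest()[:16] for i in range(rounds)]


def round_function(subkey, half):
    """F(k, R): 4 bytes of HMAC-SHA256. Deliberately NOT invertible; a Feistel
    structure never needs to invert F, only to recompute it."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, subkeys):
    """Run the rounds L_i = R_{i-1}, R_i = L_{i-1} xor F(k_i, R_{i-1}).

    The final swap is undone on output so that the very same routine, fed the
    subkeys in reverse order, is the decryption.
    """
    if len(block) != BLOCK:
        raise ValueError(f"block must be {BLOCK} bytes")
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, xor(left, round_function(k, right))
    return right + left


def encrypt_block(key, block):
    return feistel(block, round_keys(key))


def decrypt_block(key, block):
    return feistel(block, round_keys(key)[::-1])   # same rounds, reversed subkeys


if __name__ == "__main__":
    k, pt = b"example key", b"8 bytes!"
    ct = encrypt_block(k, pt)
    print(ct.hex(), decrypt_block(k, ct))
```

Real Twofish differs in every detail that matters for security (key-dependent S-boxes, MDS matrix, pre- and post-whitening, a 128-bit block), but shares this skeleton; it is also why a Feistel design can reuse one code path for both directions, which an SPN cannot.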
     
  19. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    @yuki that's not a bad habit, I like things to be accurate, and yes, I had always felt the AES competition was weighted in favor of the faster algorithm, which was understandable when you consider the computing power of the time.
    I think all the entries should be re-evaluated because what might have been considered too slow back then, would be by comparison, lightning fast on even the lowest spec hardware today.
     
  20. Panoramic

    Panoramic Registered Member

    Joined:
    Mar 3, 2006
    Posts:
    6
    Folks, I'm looking to upgrade my password management setup. Looking through a lot of the thread above tells me I'm in the correct place for advice!

    Here is my wishlist / specification for a password management solution:
    1. password management
    2. hardware device (not software-only)
    3. USB3 preferred - Type C or micro USB connector which works with adapter from / to both (e.g. usable on both PC and phone)
    4. functional on Windows and Android
    5. no software installation required upon inserting the device into host system
    6. multifactor authentication (something like U2F)
    7. local-only password vault (NO CLOUD STORAGE)
    8. FIPS 140-2 (minimum) compliance
    9. testing / certification to FIPS by independent lab preferred
    10. AES 256 minimum
    11. ability to backup password database
    12. feature to generate master randomized passwords for new login accounts

    I used an IronKey previously, but it crapped out after many years of use. I like the Yubico devices, but they are multi-factor authentication devices only with no integrated password manager on-board.

    Does anyone have a suggestion for a product(s)?

    Pan
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I take it @Rasheed187 all comments on that page about this program were taken into consideration.

    Hope it's as safe as it can be; obviously it runs well, yet then again, there's always some useful debate about whether it's indeed protected or if something else can be added to further its security.

    Password online transit is always in question but it's something everyone looks to make the best possible choice on.

    Hope your new one is a satisfactory find for ya :thumb:
     
  24. I use Oubliette Vers. 1.9.5.159. Works on Win XP and Win 7 and also can run it from a USB stick. Can choose IDEA algorithm. Very reliable. Can only recommend it, though it may seem to be a bit outdated. Obviously, not to be used on the cloud or for Android devices.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I didn't see any outbound connections being made, so that gives me confidence that the app doesn't try to act all funny. It seems to have all important features from KeePass. It also has a cool demo mode.

    No extensions, but you can use the web app. Personally I'm not interested in this, I just want a good offline password manager. Although, in the future I might switch to a password manager that provides browser extensions.
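
An added check for the outbound-connection observations by 9000forum and Rasheed187 above (example code for this page, not from any of the products discussed): parse the output of `ss -tnp` on Linux and list the remote endpoints a named process holds TCP connections to. The sample lines are constructed, with TEST-NET addresses and a process named `example-app`; on a real system run `live_check("keepass")` (or whatever the process is called) as root, since `ss` only shows process ownership for sockets you are allowed to inspect. This only catches connections open at the moment of sampling; a firewall log or a per-process monitor like GlassWire also sees short-lived ones.

```python
"""Report the remote TCP endpoints held by a given process, from `ss -tnp`
output. Example code for this page; the sample output below is constructed."""
import re
import subprocess

# Matches the Process column of `ss -tnp`, e.g. users:(("example-app",pid=4242,fd=61))
SS_PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -tnp` output (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB     0      0      10.0.0.5:51234       203.0.113.5:443     users:(("example-app",pid=4242,fd=61))
ESTAB     0      0      10.0.0.5:51240       198.51.100.9:443    users:(("example-app",pid=4242,fd=63))
ESTAB     0      0      [::1]:38122          [::1]:631           users:(("cupsd",pid=900,fd=12))
TIME-WAIT 0      0      10.0.0.5:51111       203.0.113.77:80
"""


def parse_ss_line(line):
    """Turn one `ss -tnp` data line into a dict, or None for the header/blank lines.

    The Process column is absent when ss could not read /proc for that socket
    (typically when not run as root), so `process` and `pid` may be None.
    """
    parts = line.split()
    if len(parts) < 5 or parts[0] == "State":
        return None
    state, local, peer = parts[0], parts[3], parts[4]
    host, _, port = peer.rpartition(":")     # rpartition keeps IPv6 "[::1]:631" intact
    m = SS_PROCESS_RE.search(line)
    return {
        "state": state,
        "local": local,
        "peer_host": host.strip("[]"),
        "peer_port": int(port) if port.isdigit() else None,
        "process": m.group(1) if m else None,
        "pid": int(m.group(2)) if m else None,
    }


def outbound_peers(lines, process_name):
    """(host, port, state) tuples for every TCP socket owned by process_name."""
    peers = []
    for line in lines:
        rec = parse_ss_line(line)
        if rec and rec["process"] == process_name:
            peers.append((rec["peer_host"], rec["peer_port"], rec["state"]))
    return peers


def live_check(process_name):
    """Run the real `ss -tnp` (Linux, iproute2). Not exercised offline."""
    res = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True)
    return outbound_peers(res.stdout.splitlines(), process_name)


if __name__ == "__main__":
    for host, port, state in outbound_peers(SAMPLE_SS_OUTPUT.splitlines(), "example-app"):
        print(f"example-app -> {host}:{port} ({state})")
```

An empty result for the process you care about is a reasonable sign the app is not talking out at that moment, which is the check Rasheed187 describes; a non-empty one tells you where to point a packet capture or a per-application firewall rule.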
     