Password Manager Recommendation?

Discussion in 'privacy technology' started by java dude, Aug 5, 2011.

Thread Status:
Not open for further replies.
  1. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    Hey all! I've been a frequent guest of this forum for ages and finally decided to register an account!

    I was just wondering what password manager you guys recommend using for Windows? I've been using Lastpass for over a year now, and while I've felt pretty confident in its security, I haven't been 100% confident. I still choose to remember more important passwords, like banking passwords, instead of saving them in Lastpass.

    Recently I've been wondering if I should keep using Lastpass, or switch to another password manager like 1Password, without the sync feature. I only have 1 pc at the moment, so sync isn't that important. Even if I had two pcs, I could manually copy over the password data to other PCs, right?

    My story: awhile back I had an email account hijacked, and ended up having my LP account compromised. It was a mess. Since then I've paid for LP premium and bought a Yubikey, set up a special email account just for the LP security email and really made a huge attempt at securing all of my accounts. So far, so good, but I'm really unsure about storing my data in the cloud now. I keep opening my browser, expecting to find my email and LP accounts cracked open again -- I know, it's stupid, but taking my passwords out of the cloud seems like a good solution, and will probably put (some) of my fears to rest.

    So, what do you guys recommend for a good password manager? Thanks!
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Keepass, it's free and open source.

    my favorite though is S10 Password Vault.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    KeePass, with its secure desktop and two-channel auto-type obfuscation features, seems well-equipped to combat keyloggers. And no cloud. All data stored locally. :)
     
  4. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Would you be willing to elaborate how a compromised email account could affect LP? I cannot envision how this is possible...
     
  5. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    Keepass looks great, and free is always a plus! Does Keepass integrate with Chrome and FF? Is it easy to import a LP CSV file into it?

    The hijacker got into my email account by brute forcing my security answer, and then he reset my Lastpass password using the email recovery method. I didn't have a "security email" setup for my account, so the email went right to my compromised email account. He reset my LP password and got everything. o_O

    I'll never make those mistakes again, but I've already lost confidence in the cloud.

    Thanks guys!
     
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Import info

    Regarding browser integration, see here.
    But heed the warning... plugins offered are developed by different, independent authors.
     
  7. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    Are the plugins trustworthy, or do you recommend against using them?
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I can't make that call.
    That's an individual thing.
    I don't use any of them.
    Maybe that is an indication.
    But that is borne out of an awareness I have garnered here at Wilders about trying to keep attack surfaces to a minimum.
    :doubt:
    If I don't have to have 'em, I leave 'em alone.
     
  9. box750

    box750 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    261
    I use StickyPassword but it isn't free and it isn't open source, in honesty, the developers gave me a free license in exchange for something I did for them, feature wise it is pretty much the same, IMO, but I like much more the password management interface, particularly the instant search, and it works very well with my main browser, Opera.

    I believe KeePass developers have a warning about the plugins on their site, nobody reviews the plugins, and while nothing has happened yet, you probably don't want to be the first occurrence, a password manager is something too important to run risks with third party plugins.
     
    Last edited: Aug 9, 2011
  10. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    Well, I've installed Keepass and imported all of my account info into a new database - that was easier than I thought it would be!

    Good point about the plugins... I agree that it would be best to keep the passwords separated from my browsers (which I run sandboxed) in case of a vulnerability. I'll get used to the extra step of opening the DB, finding the entry and using the autotype feature.

    I like how KP locks the database after a length of time. It might seem like a pain to reenter the password and/or key but it really isn't, considering most of the time I only need a handful of passwords during a typical browsing session.

    Any tips for newbies to KeePass?
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    My 2 favorite:

    1 - A pencil and piece of paper + a good hiding spot

    2 - My head
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Glad to hear you are using KeePass and it's working well for you.
    As for tips, just two, if you haven't already applied them...

    KeePass secure desktop setting.jpg
    KeePass obfuscation setting.jpg
     
  13. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    Thanks for that! Is there any way to enable the two channel obfuscation for all accounts, or does it need to be done manually for each one?

    I was also reading your other thread, there's some great info in there. :)

    I wish I had switched to KeePass before wasting money on a yubikey - $25 down the drain! :(
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    AFAIK you have to set the obfuscation manually in each entry.
    Glad you're getting some use out of the configuration thread.
    Man, I absolutely love this program.
    And I'm a newbie myself, java dude, having only used KeePass for about two weeks now.
    ;)
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i still haven't seen a password manager handle custom fields as elegantly as S10 Password Vault.

    a few folks here seem to want to avoid it because it is not open source which is why i recommended Keepass, although i use S10.

    still, Keepass is a great app.
    a lot better than most paid for software.
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    @ moontan
    Your recs for S10 Password Vault mean a lot.
    Especially coming from a user who is familiar with and fond of KeePass.
    I can't bring myself to try it right now, though.
    I'm too in love impressed with KeePass for the time being. :cool:
     
  17. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    S10 does look nice, but some posts around the forum seem to point to the anti-keylogger feature being buggy. That might have been fixed now, though. I also really like that Keepass is open source. :)

    Would you guys recommend keeping banking account passwords in Keepass, or is that a bad idea? I feel safer with Keepass holding my passwords than I did with Lastpass, and it seems like it'd be safer to keep them in Keepass rather than typing them in manually because of the two-channel autotype obfuscation.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I'm okay with bank account passwords in KeePass.
    The secure desktop and obfuscation appear to be very secure.
    But the rest of one's security layers enter into the equation too, right?
    Since I have configured restricted internet and start/run access in Sandboxie, along with DropRights, and Online Armor's noted antilogger capabilities & HIPS, etc... I'm not stressing about banking passwords. :)
     
    Last edited: Aug 9, 2011
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i would certainly trust Keepass with your banking passwords.
    more than i would a cloud-based alternative.

    the database is encrypted and the anti-keylogging/obfuscation is an added bonus. :)
     
  20. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    Thanks guys for confirming my thoughts! I'm loving Keepass more each day I use it!

    @Page42 - I've been running Sandboxie for a few months now and really like it -- I can't browse without it! I've had the drop rights setting enabled since I installed SB, but I never looked into 'hardening' it until I read your post... but after reading through some older posts on SB around the board I learned about restricting the start/run/internet access settings. This forum is full of so much excellent info! :D
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I agree about Wilders, and Sandboxie, and KeePass. :thumb:
    I PMd you a link to a pretty informative SBIE thread.
    Cheers
     
  22. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    Is it possible to make Keepass autotype only the password field of an entry? Some sites (google, amazon) sometimes have you sign in again with only your password (no field for your username), and at the moment I need to copy my password and paste it into the browser field, which kinda defeats the purpose of anti-keylogging. :p
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    That's a good question.
    I hope someone knows how to do it.
    If there is no way, then we have to try to influence it on the website end of it, like by not logging in until ready to checkout... then maybe we only get asked for the password one time. :doubt:
    I do know what you mean about Amazon asking again for just the password.
    It happened to me last night when I was ordering some items.
     
  24. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    why don't you just 'drag n'drop' it into the browser field?
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I definitely can't d&d KeePass usernames or passwords into Chrome or IE.

    Thinking the issue may be due to Sandboxie, I opened Chrome outside of Sandboxie, but KeePass still won't let me d&d anything... even into an unsandboxed browser.

    Sandboxie does play a role with d&d.
    Forex, I can't d&d from Chrome onto my desktop (as a test) unless I open Chrome outside of a sandbox.

    But from KeePass to Chrome, sandboxed or unsandboxed, no d&d takes place.
     