Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,165
    Location:
    The Netherlands
    I downloaded LastPass via SnapFiles and it only seems to install browser extensions. The LastPass pocket app seems to be for desktops, but it's quite bare bones. I assumed that all big name password managers offered a desktop app, weird. I would like to keep a copy of my passwords offline.
     
  2. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    85
    Location:
    United States
    I use two password managers now.
    Keepass2 is my master place to store. And then I use Bitwarden on a separate browser, in this case I chose Vivaldi which works great with it, and I use it for all of my forum logins and some emails. But I don't go all over the net browsing with this browser. Bitwarden is also locked down with a Yubikey.

    I tell you Bitwarden is super smooth and I find myself reaching for it more than I do Keepass. While I do keep most of my banking on Keepass2 I have moved one of my banks to Bitwarden. I feel like I am taking steps in trust to using it.

    But in the end I will probably always keep Keepass2 for my main money accounts and leave them there only. But all my emails and forum stuff and minor banking will go to Bitwarden. I believe it is a very solid application. And with Keepass2 you can always count on that to keep things close to your chest for that intimate feeling.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,891
    Location:
    localhost
    Download links for LastPass for Applications can be found here: https://support.logmeininc.com/lastpass/help/use-lastpass-for-applications-lp010059

    This is the closest to a desktop application you can get from LastPass.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,942
    Location:
    USA
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,891
    Location:
    localhost
    Correct, but you can use it also for the rest of the logins. Of course, you can't autologin on websites with this.
    I personally use it to access files attached to login entries which from time to time fail to open via the browser.
     
  7. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    362
    Password Managers are insecure.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,736
    Thanks a lot for the profoundness and richness of detail in your argumentation.
     
  9. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    85
    Location:
    United States
    Keeping passwords in your head or on paper for you to think as you type won't work since they can read your mind as you type with the upcoming 5g possibly.

    But let's face it: If the government wants your passwords they can get them several ways. But they really don't want them per se. They want to know about all of your life and those websites that you share all of your life they already tapped backdoors around your passes.

    Password managers just need to be hack safe for the kiddies or seasoned hackers from stealing them. And they work at that for the time being.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,942
    Location:
    USA
    lol. I was thinking of asking him if he'd like to be a little more specific ;)
     
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,785
    No pwdmgr is perfectly secure and we've seen many vulns found in major pwdmgrs, some of which could lead to complete compromise. It's true if he was blackhat, there should have been real damages and we have to say it was lucky that they were whitehat.

    But it's still MUCH securer than most people's pwd practice. But for those who know well about pwd security, pwdmgr is not security tool but it's utility tool which enhances not security but productivity and convenience.
    I use KeePass (local only & store only partial pwds) tho actually I don't NEED it, 'cause autotyping to any apps or sites is convenient and it also makes accounts management easy.

    Often seen argument that nobody can remember... is somewhat exaggerated. No, you don't need to be savant. There're some ways you can store dozens of pwds more safely w/out pwdmgr. One example is combining passwordcard or diceware with a note in one of dozens of notebooks (only you know where it is written). Even if someone finds the note, he'll only find meaningless numbers (you can camouflage even better with some tricks if you want). Then some ppl say you can't as you want to login to accounts everywhere. I don't and think having too many accounts itself can be potential risk. But maybe having the note in wallet may solve this (backup copy should still be in your notebooks). Another is well-known core pwd method but not with prefix nor suffix, rather you should transform core pwd entirely using site-specific words (or better, associated image only you know) so that core pwd itself varies on every site.

    Everyone can remember at least a dozen or so 100+ bits entropy pwd (actually I do even w/out above method) if they practice repeatedly, but most ppl don't want to.

    Some pwdmgrs also check against haveibeenpwned, it can be another merit.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,165
    Location:
    The Netherlands
    OK so you can manage all of the web-passwords with this app, that is what I'm looking for, thanks. I'm planning to install LastPass for other people who need easy access to certain websites. A tool like KeePass is too complicated for them.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,444
    Location:
    Here
    1Password now works with Password Autofill on iOS 12
    https://9to5mac.com/2018/09/17/1password-password-autofill-ios-12/
     
  14. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,785
    KeePass is surely not for those who want install-n-forget solution, but this complexity is at the same time its advantage as it allows you to autotype in virtually everything. Not only local apps, but you can e.g. automate ticking/unticking "sign in anonymously" or "keep logged in" type of checkbox, and even pull down. Some online banks have quite complex forms and I don't know if major pwdmgrs support every single online bank around the world. KeePass can fill it w/out problem except for 2FA code - I don't store 2FA code in pwdmgr anyway (and actually don't use online bank).
    In my case, I only store part of username and part of pwd in it, so I want my cursor to return to username box after autotype so that I can continue to type rest of username, then rest of pwd. Then,
    Code:
    {UserName}{TAB}{Password}+{TAB}{RIGHT}
    is enough. But it's true even after you have learned how to use it it requires some chores. You have to register windows to KeePass entries and sometimes make custom autotype. So I understand even geeks do not always like KeePass.
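
A dry run of the auto-type sequence from the post above, next to KeePass's default sequence, as an added example that is not part of the original post and not KeePass code. The three-element tab order, the sample entry values and the `walk` helper are assumptions made for illustration.

```python
import re

# One token: optional modifier prefixes (+ Shift, ^ Ctrl, % Alt), then either a
# {NAME} placeholder/special key or a single literal character.
TOKEN = re.compile(r"([+^%]*)\{([^{}]+)\}|([+^%]*)(.)", re.S)

def walk(sequence, entry, tab_order=("username", "password", "submit")):
    """Dry-run `sequence` against a form, starting with focus on tab_order[0].

    entry     -- placeholder values stored in the vault, keyed in upper case
    tab_order -- assumed focus order of the login form (hypothetical)
    Returns (text typed per field, field holding focus at the end, submitted?).
    """
    typed = {name: "" for name in tab_order}
    focus, submitted = 0, False
    for mods, name, _, literal in TOKEN.findall(sequence):
        key = name.upper()               # the post writes {UserName}; match any case
        if key in entry:                 # {USERNAME}, {PASSWORD}, ...
            typed[tab_order[focus]] += entry[key]
        elif key == "TAB":               # +{TAB} is Shift+Tab: move focus backwards
            step = -1 if "+" in mods else 1
            focus = (focus + step) % len(tab_order)
        elif key == "ENTER":             # submits whatever is in the form right now
            submitted = True
        elif literal:                    # plain character typed as-is
            typed[tab_order[focus]] += literal
        # other special keys such as {RIGHT} move the caret, not the focus
    return typed, tab_order[focus], submitted

# Constructed sample entry holding only the stored *part* of each credential.
ENTRY = {"USERNAME": "ali", "PASSWORD": "Tr0ub"}
CUSTOM = "{UserName}{TAB}{Password}+{TAB}{RIGHT}"     # sequence from the post
DEFAULT = "{USERNAME}{TAB}{PASSWORD}{ENTER}"          # KeePass default sequence

if __name__ == "__main__":
    for label, seq in (("custom", CUSTOM), ("default", DEFAULT)):
        print(label, walk(seq, ENTRY))
```

With partial credentials stored, the default sequence would submit the incomplete login, while the custom one leaves focus in the username box with nothing submitted.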
     
  15. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,785
    I found a great tool for those who're not very comfortable to totally rely on pwdmgr.
    OffTheGrid
    How to
    This was already posted, but OP used it to encrypt message. But OTG can be used as paper-based pwdmgr as Aaron in above link suggests and its advantage over PasswordCard is memorability. You don't need to remember row and symbols, instead just remember starting row, the number of characters of the domain you want to use, and a ratio to each char (& optionally additional rules if you wanna customize). Other than that, it's similar to PwC, make backup copy in safe and carry it in your wallet. Even if it's stolen, it's non-trivial to guess your pwd especially if you customized.
    It may look complicated at 1st glance, but actually not. As to consecutive numbers Aaron questioned, actually there're many ways to handle it, e.g. just skip to the next letter, change numbers into alphabets, etc. It all depends on your idea. Tho other Aaron's criticism are mostly valid for average Joe, but those who wanna go with manual way knowing all pwd cracking techniques and pros & cons of pwdmgr won't care, and I think he missed that remembering some rules is much easier than dozens of combination of row & symbols.
     
  16. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,785
    Another topic: this may be more interesting for most ppl. Aaron has audited & ranked many pwd generators and published the results. Some major players are included.
    I think his scoring is understandable and reasonable. TBH pwdgens which don't use unbiased CRNG are ********. It must be amateur's work who don't know crypto. If you use one of such, stop it and move to better one.
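
What a biased generator looks like next to an unbiased one, as an added example that is not code from the thread or from any of the audited generators: reducing random bytes with a bare modulo favours some symbols, while rejection sampling does not. The 62-symbol alphabet and the function names are assumptions chosen for illustration.

```python
import math
import os
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits   # 62 symbols; 256 % 62 == 8

def byte_histogram(alphabet, reject):
    """Map every possible byte value to a symbol and count the hits per symbol.
    Exhaustive over 0..255, so the result is exact, not a statistical estimate."""
    n = len(alphabet)
    limit = 256 - (256 % n) if reject else 256   # largest multiple of n that fits
    return Counter(alphabet[b % n] for b in range(limit))

def min_entropy_per_char(hist):
    """Min-entropy in bits: -log2 of the most likely symbol's probability."""
    total = sum(hist.values())
    return -math.log2(max(hist.values()) / total)

def biased_password(length, alphabet=ALPHABET):
    """The flawed pattern: good random bytes, reduced with a bare modulo."""
    return "".join(alphabet[b % len(alphabet)] for b in os.urandom(length))

def unbiased_password(length, alphabet=ALPHABET):
    """Rejection sampling: drop bytes at or above the last full multiple of
    len(alphabet), so every symbol is equally likely (alphabet <= 256 symbols)."""
    n = len(alphabet)
    limit = 256 - (256 % n)
    out = []
    while len(out) < length:
        for b in os.urandom(length):
            if b < limit and len(out) < length:
                out.append(alphabet[b % n])
    return "".join(out)

if __name__ == "__main__":
    for label, reject in (("modulo", False), ("rejection", True)):
        hist = byte_histogram(ALPHABET, reject)
        print(label, sorted(set(hist.values())),
              round(min_entropy_per_char(hist), 3), "bits/char")
    print(unbiased_password(20))
```

Python's `secrets.choice` already selects without bias, so real code can call it instead of hand-rolling the rejection loop.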
     
  17. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    433
    Location:
    USA
    It's nice when you see your password manager in the top tiers of a study like this :)
    (I use Roboform)
     
  18. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    85
    Location:
    United States
    I tried this program and had to load my backup OS over top of my hard drive because this thing would not remove no matter what I did. It leeched onto my Windows 10 so hard I had to get rid of the whole thing. Never again.
     
  19. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    It's been years, but I also could never trust Roboform's developers because of the way they reneged on their "lifetime" licenses.
     
  20. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    Here is an old thread on the way Siber Systems (Roboform) handled it: https://www.wilderssecurity.com/threads/ai-roboform-7-1-0-final.288309/

    And an article from Softpedia on "How Not to Change a Licensing Model": https://news.softpedia.com/news/How-Not-To-Change-A-Licensing-Model-171188.shtml

    Given all the other options, I wouldn't trust my passwords, or money, with them.
     
  21. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    433
    Location:
    USA
    <shrug> Go with what works for you and what you like.
     
  22. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    279
    Location:
    USA
    Well, thanks for your permission. :rolleyes:
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,376
    Location:
    U.S.A. (South)
    Thanks for the references on this one. It's always been worth any extra time weighing pros vs cons and especially on programs that can be considered sensitive to users/customers in any form.
     
  24. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    433
    Location:
    USA
    :p
    You're quite welcome. :argh:
     
    Last edited: Oct 5, 2018
  25. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    85
    Location:
    United States
    One thing to keep in mind about browser add ons like Bitwarden is if you use a VPN it probably blows your cover if you were looking for that. Keepass2 you are safe in that respect.
     