Discussion in 'polls' started by Tyrizian, May 1, 2016.
I used LastPass for years until they were bought by LogMeIn.
If one regularly images then, IMO, a keylogger is the deadliest infection of them all -- bar none! My password manager is a key factor in protecting my login information from any keyloggers that might get past my other security apps. And a primary question about my password manager is: HOW does it transmit login information from itself to the website that I am logging into? Thus, it is wise to select a password manager that does not ever involve use of the clipboard or (of course) the keyboard.
Unfortunately, KeePass makes momentary use of the clipboard when sending login information. IMO, that is a significant vulnerability.
LOL Bitwarden not even listed...
you have browser extensions (Chrome, FF, and Edge), android version, etc...
not sure if it becoming too mainstream is a good thing
I use Keepass2. I tried many of the others including Bitwarden. I like Keepass because I know the file is only on my PC and my USB portable drive that I can carry if I so need to access passwords from somewhere. It has many options built into it that help make it secure and I feel as safe as I can; well, I feel safer knowing it's locked on my PC and even blocked with my firewall. I don't have to worry about a company not being truthful as you do with many managers.
If I were to use one other than Keepass2 I would use Bitwarden and lock it with a YubiKey. Yes, if you download BW to desktop it does broadcast to Google Analytics, which might offend some as it does me, but even so I'd trust Bitwarden over other managers just because of the open source. BW also has a long code you can use to gain access to your account if you so lock yourself out, even if you have a lock on it with your YubiKey or other two factor authorization.
Keepass2 is the winner for me as it stays in my hands and gives me the most peace of mind. I use it in collaboration with Spyshelter anti-key logger, which also watches my clipboard where I transfer passwords.
1. Whatever password manager you use, you must always login first. Thus, if you have a keylogger on your computer it can catch your master password. Game over.
2. Keepass2 has Two-Channel Auto-Type Obfuscation. It makes most keyloggers that try to spy on your clipboard useless.
In your comment, it's the 2 words "most keyloggers" that are THE problem. KeePass acknowledges that 2-channel obfuscation is not totally effective. Actually, the only keyloggers that would be deterred by this process are those keyloggers developed by script kiddies.
Try this. Pretend you are the IT for a major corporation that wants to stop leaks of secret company information via computers used by employees. One of the safeguards you would almost certainly install would be an enterprise-grade keylogger. Keyloggers are actually "legal" under certain caveats.
So... go shopping for a keylogger. You will find several "for sale" that guarantee they are stealthy enough to get past firewalls & many AVs. They certainly would have zero difficulty with KeePass's little 1-trick pony.
That site says:
So it seems that a very specialized keylogger would be needed.
This must be a peculiar major corporation which doesn't recoil from using such a keylogger against their employees but allows them to use non-authorized programs at the same time.
So the crucial step is: Don't install a keylogger. And if you find that difficult to prevent on Windows ... well, I remember that you were interested in using Linux some time ago. Go for it! It's the solution. Seriously.
A browser is needed for work in most companies and at the same time can be used to do personal stuff.
But I also don't believe in securing a computer that already has a keylogger managed by IT staff. Effective monitoring would need to log a lot of details about what websites you visit, intercept TLS connections to see what you entered into website forms (including passwords) and what files were sent. You just can't trust that computer.
The only thing I think can increase security a little bit is 2FA, especially YubiKey, but still this configuration leaves a lot to be desired.
Sure. What I meant: Do you really think that a company that deems it necessary to keep their employees under surveillance by means of a keylogger will allow them to install, e.g., Keepass?
Don't use personal password managers at work. Case solved. And if you are finding it really, really hard to not pick up diseases on the internet like extravagant keyloggers and state of the art viruses, then use a live Linux USB boot drive so it's fresh each time you use it with your manager. Stick in the bootable KeePass2 thumb drive and there you go. Now all you have to do is hope the Russians don't hack your router.
Ah, a universal negative -- it is functionally impossible to prove that, sans omniscience. (BUT I do hope they are right.)
1. This could be blocked with an anti-logger that provides keystroke encryption and protects against clipboard hooking.
2. I have never been able to figure out how to make this work and, like Bellgamin said, it's not foolproof.
In case anyone is interested, there are deals for lifetime subscriptions, multiple devices, currently being offered on Stacksocial (https://stacksocial.com/collections/software/security) for Password Boss and Sticky Password - the latter expires in 18 hours, and the former in 5 days.
1- if you aren't dumb, you would use 2FA
2- you don't have to type your master password every time, I hope you don't let anyone use your Windows account.
Not entirely true,
Kaspersky password manager for Android can be accessed either with Master password or fingerprint.
With Bitwarden you can use a YubiKey or U2F security keys, where even if I told you my password you won't access me. I use it and like it. I use a combo of Keepass2 and Bitwarden. There is no game over if someone gets your password with Bitwarden if you use the YubiKey.
With Bitwarden you can add two keys or more. I have a U2F security key and a YubiKey that you can both add. As such, if I told you my login name and password on this forum you still could not access me.
No security software is 100% effective, but it adds an additional layer of protection and yes, most malware is actually made by script kiddies using simple malware generators.
Every time you are creating an entry, you have to tick it to enable it (it is disabled by default), then you have to use autotype (CTRL+V) to enter the password.
You're being overly optimistic about hackers' ability with YubiKeys. It is safe and if you have sort of story or what they say, "proof" then let it lay. But you are the type of person to say unplug the network from the PC. Yeah, I agree, but then what? Not happening man.
Thanks! Herewith I confirm officially that I'm dumb. It's because I'm very confident that I don't have any keylogger on my Linux system. Which probably makes me even dumber, I'm afraid ...
My point is: If this is really an advanced and specialized keylogger it might also be able to get access to the password manager's database once it has the master password.
This is also possible with KeePass.
Nothing is safe, using 2FA cost you nothing, just don't lose your phone LOL
hence 2FA. and don't store passwords locally.