What password manager do you use?

Discussion in 'polls' started by Tyrizian, May 1, 2016.

?

What password manager do you use?

  1. I don't use a password manager

    22 vote(s)
    15.6%
  2. LastPass

    41 vote(s)
    29.1%
  3. KeePass

    39 vote(s)
    27.7%
  4. Dashlane

    2 vote(s)
    1.4%
  5. 1Password

    7 vote(s)
    5.0%
  6. Roboform

    8 vote(s)
    5.7%
  7. Intel True Key (aka - PasswordBox)

    0 vote(s)
    0.0%
  8. Enpass

    7 vote(s)
    5.0%
  9. Sticky Password

    9 vote(s)
    6.4%
  10. Norton Identity Safe

    0 vote(s)
    0.0%
  11. Webroot SecureAnywhere Password Manager

    4 vote(s)
    2.8%
  12. Zoho Vault

    1 vote(s)
    0.7%
  13. Password Boss

    0 vote(s)
    0.0%
  14. Password Genie

    0 vote(s)
    0.0%
  15. Other password manager (not listed in poll)

    11 vote(s)
    7.8%
  16. Other password manager, provided by security package (not listed in poll)

    2 vote(s)
    1.4%
  17. Built-in password manager (Chrome, Firefox, IE, Edge, Vivaldi, Opera, etc.)

    10 vote(s)
    7.1%
  18. Password Safe

    5 vote(s)
    3.5%
  19. KeePassX

    8 vote(s)
    5.7%
  20. Gryptonite (aka - GPassword Manager)

    0 vote(s)
    0.0%
  21. MyPasswords

    0 vote(s)
    0.0%
Multiple votes are allowed.
  1. Alchemy

    Alchemy Registered Member

    Joined:
    Aug 27, 2015
    Posts:
    3
    Keepass.

    I used lastpass for years until they were bought by logmein.
     
  2. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,067
    Location:
    Hawaii
    If one regularly images then, IMO, a keylogger is the deadliest infection of them all -- bar none! My password manager is a key factor in protecting my login information from any keyloggers that might get past my other security apps. And a primary question about my password manager is: HOW does it transmit login information from itself to the website that I am logging into? Thus, it is wise to select a password manager that does not ever involve use of the clipboard or (of course) the keyboard.

    Unfortunately, KeePass makes momentary use of the clipboard when sending login information. IMO, that is a significant vulnerability.
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    LOL Bitwarden not even listed...

    you have browser extensions (Chrome, FF, and Edge), android version, etc...
     
  4. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    346
    Location:
    Hungary
    not sure if it becoming too mainstream is a good thing
     
  5. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    10
    Location:
    United States
    I use Keepass2. I tried many of the others including Bitwarden. I like Keepass because I know the file is only on my PC and my USB portable drive that I can carry if I so need to access passwords from somewhere. It has many options built into it that help make it secure and i feel as safe as I can, well I feel safer knowing its locked on my PC and even blocked with my firewall. I don't have to worry about a company not being truthful as you do with many managers.

    If I were to use one other than Keepass2 I would use Bitwarden and lock it with a yubi key. Yes if you download BW to desktop it does broadcast to google analytics which might offend some as it does me but even so I'd trust Bitwarden over other managers just because of the open source. BW also has a long code you can use to gain access to your account if you so lock yourself out even if you have a lock on it with your yubi key or other two factor authorization.

    Keepass2 is the winner for me as it stays in my hands and gives me the most peace of mind. I use it in collaboration with Spyshelter anti-key logger with also watches my clipboard where I transfer passwords.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,369
    I disagree.

    1. Whatever password manager you use, you must always login first. Thus, if you have a keylogger on your computer it can catch your master password. Game over.
    2, Keepass2 has Two-Channel Auto-Type Obfuscation. It makes most keyloggers useless which try to spy out your clipboard.
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,067
    Location:
    Hawaii
    In your comment, it's the 2 words "most keyloggers" that are THE problem. KeePass acknowledges that 2-channel obfuscation is not totally effective. Actually, the only keyloggers that would be deterred by this process are those keyloggers developed by script kiddies.

    Try this. Pretend you are the IT for a major corporation that wants to stop leaks of secret company information via computers used by employees. One of the safeguards you would almost certainly install would be an enterprise-grade keylogger. Keyloggers are actually "legal" under certain caveats.

    So.. go shopping for a keylogger. You will find several "for sale" that guarantee they are stealthy enough to get past firewalls & many AVs. They certainly would have zero difficulty with KeePass's little 1-trick pony.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,369
    That site says:
    So it seems that a very specialized keylogger would be needed.

    This must be a peculiar major corporation which doesn't recoil from using such a keylogger against their employees but allows them to use non-authorized programs at the same time. :confused:

    So the crucial step is: Don't install a keylogger. And if you find that difficult to prevent on Windows ... well, I remember that you were interested in using Linux some time ago. Go for it! It's the solution. Seriously.
     
    Last edited: Aug 11, 2018
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    580
    Location:
    Member state of European Union
    Browser is needed for work in most companies and at the same time can be used to do personal stuff.

    But I also don't believe in securing computer that has already keylogger managed by IT staff. Effective monitoring would need to log a lot of details about what websites you visit, intercept TLS connections to see what did you entered onto website forms (including passwords) and what files was sent. You just can't trust that computer.
    The only thing I think can increase security a little bit is 2FA, especially YubiKey, but still this configuration leaves a lot to be desired.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,369
    Sure. What I meant: Do you really think that a company that deems it necessary to keep their employees under surveillance by means of a keylogger will allow them to install, e.g., Keepass?
     
  11. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    10
    Location:
    United States
    Don't use personal password managers at work. case solved. And if you are finding it really really hard to not pick up diseases on the internet like extravagant keyloggers and state of the art viruses then use live Linux USB boot drive so its fresh each time you use it with your manager. Stick in the bootable Keypass2 thumb drive and there you go. Now all you have to do it hope the Russians don't hack your router.
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,067
    Location:
    Hawaii
    Ah, a universal negative -- it is functionally impossible to prove that, sans omniscience. (BUT I do hope they are right.)
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,682
    Location:
    The Netherlands
    1 This could be blocked with an anti-logger that provides keystroke encryption and protects against clipboard hooking.
    2 I have never been able to figure out how to make this work and like Bellgamin said, it's not fool proof.
     
  14. LM1

    LM1 Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    35
    In case anyone is interested, there are deals for lifetime subscriptions, multiple devices, currently being offered on Stacksocial (https://stacksocial.com/collections/software/security) for Password Boss and Sticky Password - the latter expires in 18 hours, and the former in 5 days.
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    1- if you aren't dumb, you would use 2FA
    2- you don't have to type your master password every time, i hope you don't let anyone use your Windows account.
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,494
    Not entirely true,
    Kaspersky password manager for Android can be accessed either with Master password or fingerprint.
     
  17. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    10
    Location:
    United States
    With Bitwarden you can use a Yubikey or U2F security keyswhere even if I told you my password you won't access me. I use it and like it. I use a combo of Keepass2 and Bitwarden. There is no game over if someone gets your password with Bitwarden if you use the yubikey

    With Bitwarden you can add two keys or more. I have a U2F security key and a yubikey that you can both add. As such if I told you my login name and password on this forum you still could not access me.
     
    Last edited: Aug 12, 2018
  18. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,032
    Location:
    Slovakia
    No security software is 100% effective, but it adds an additional layer of protection and yes, most malware is actually made by script kiddies using simple malware generators. :D

    Everytime you are creating an entry, you have to tick it to enable it (it is disabled by default), then you have to use autotype (CTRL+V) to enter the password.
     

    Attached Files:

  19. Soft Life

    Soft Life Registered Member

    Joined:
    Aug 10, 2018
    Posts:
    10
    Location:
    United States
    You're being overly optimistic about hackers ability with yubikeys. It is safe and if you have sort of story or what they say, "proof" then let it lay. But you are the type of person to say unplug the network from the PC. Yea I agree but then what? Not happening man.
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,369
    Thanks! Herewith I confirm officially that I'm dumb. It's because I'm very confident that I don't have any keylogger on my Linux system. Which probably makes me even dumber, I'm afraid ... :eek:
    My point is: If this is really an advanced and specialized keylogger it might also be able to get access to the password managers's database once it has the master password.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,369
    This is also possible with KeePass.
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,621
    Location:
    Europe then Asia
    Nothing is safe, using 2FA cost you nothing, just don't lose your phone LOL

    hence 2FA. and don't store passwords locally.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.