Author Topic: Recommend a password manager  (Read 1721 times)

Beardy

  • Shedist
Recommend a password manager
« on: 10 February, 2020, 12:26:14 pm »
Afternoon all,

With Dr Beardy (Mrs)' little book of passwords filling up I thought I'd introduce her to the joys of password managers, and while I'm about it, I thought I'd update as well. I've been using 1Password for a number of years, but their latest offering is a cloud-based service so I lose one of the key aspects that's been keeping me using it. It would be nice to retain control of my own password file syncing, but with Dr B's devices coming into the fray, it's not essential any more.

We use primarily Macs and iOS devices, but we both use a PC for work.

Any recommendations and brickbats gratefully accepted.
TinA
Beardy
For every complex problem in the world, there is a simple and easily understood solution that’s wrong.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Recommend a password manager
« Reply #1 on: 10 February, 2020, 12:57:57 pm »
I use 1Password and, yes, it is pushing the subscription model. It is so embedded in what I do that it is hard to resist the subscription...
It is simpler than it looks.

ian

Re: Recommend a password manager
« Reply #2 on: 10 February, 2020, 01:00:13 pm »
I just use the Keychain, it syncs between all my Apple devices (my only gripe is that it doesn't autocomplete non-browser password fields like the Cisco VPN so I have to open Keychain and copy and paste the password between the two). Won't work for PCs of course. Chrome has its own password manager which is cross-platform.

fuaran

  • rothair gasta
Re: Recommend a password manager
« Reply #3 on: 10 February, 2020, 01:09:38 pm »
Password Safe. https://pwsafe.org/
I am using this on Windows and Android, works fine. Free/open source. All stored on your computer, so can copy it where you like. Or has options for syncing on Dropbox etc.
There is a compatible version for Mac OS / iOS. Not used that myself. Think it costs a few quid, one-off payment. https://pwsafe.info/

Regulator

  • That's Councillor Regulator to you...
Re: Recommend a password manager
« Reply #4 on: 10 February, 2020, 01:17:51 pm »
I use Dashlane.  Works fine for me.

Mr R uses LastPass.
Quote from: clarion
I completely agree with Reg.

Green Party Councillor

Re: Recommend a password manager
« Reply #5 on: 10 February, 2020, 01:31:22 pm »
I use https://keepass.info/ on Windows. Works fine for me.
I can't comment on Mac etc compatibility.

Phil W

Re: Recommend a password manager
« Reply #6 on: 10 February, 2020, 02:27:32 pm »
I use Keepass on the PC, iPad and my Android phone. A nice touch on my new iPad is that Keepass can be opened using touch ID (fingerprint). I synchronise the password database via Dropbox. Since the file is encrypted with my master phrase, no worries about it existing in the Dropbox cloud.

Re: Recommend a password manager
« Reply #7 on: 10 February, 2020, 05:13:08 pm »
Keepass is, as far as I have found out, the most supported cross-platform password manager, but it does need some investment of time to set up properly the first time.

To synch across devices, the encrypted file needs to be held somewhere. While other options are available, Dropbox (as per Phil W) seems to be the easiest. As you can see here, https://keepass.info/download.html, there are a wealth of options; Keepass2Android* along with the Windows distro are the ones I use.

*which seems to be a creation of a one man band who invites you to buy him a beer.

Re: Recommend a password manager
« Reply #8 on: 10 February, 2020, 07:42:13 pm »
I also use Keepass. I don't sync the file as such, just copy it from time to time to my Android devices.

Re: Recommend a password manager
« Reply #9 on: 10 February, 2020, 08:30:01 pm »
I use 1Password and use the local Wi-Fi sync option it miraculously still has (twixt iOS and Mac). No interest in their cloud offering.

Bluebottle

  • Everybody's gotta be somewhere
Re: Recommend a password manager
« Reply #10 on: 11 February, 2020, 12:25:45 am »
+1 for Lastpass here. Works across different operating systems. I have the free version, never really had any issue.

If you are using something free to aggregate passwords, you might want to check their security ratings.
Dieu, je vous soupçonne d'être un intellectuel de gauche.

FGG #5465

Re: Recommend a password manager
« Reply #11 on: 11 February, 2020, 10:18:13 am »
The problem with Lastpass and all its kind is that it depends on a remote service/server that must have vulnerabilities. Even if you are not too concerned about the encrypted hashes stored on their server, the app depends on constant traffic of those usernames and passwords transiting from your device to their systems. Each layer presents a potential vulnerability: the app, your device, the https protocol, the intermediate devices, for example  spoofing the server. Again, trusting the app allows it access to all pages you visit which again provides an attack vector. And, being used by so many it makes it an obvious target for criminals.

They have avoided major issues to date, that is no guarantee of protection in the future. You have to ask, what incentive is there for any free service to ensure the very highest security, as opposed to, say, paid services from the likes of Google, Microsoft, others - and they struggle sometimes.

You pays your money (or not) and you makes your choice.

Gasman

  • Practising Indifferent
  • Runnin' reds, killin' peds!
    • Morrisons Home Page
Re: Recommend a password manager
« Reply #12 on: 14 February, 2020, 07:37:47 pm »
I can also recommend Keepass. Keep the password file in a Dropbox folder and it's accessible from all my various devices and permanently synced. Don't know about iPhone but it's available for Android and Windows. Nothing specific for Mac or Linux but the Windows version can be used via Mono (Mac) or WINE/PlayonLinux.
Ah, well, The Code is more what you'd call goidloines than actual roolz!

Re: Recommend a password manager
« Reply #13 on: 15 February, 2020, 10:06:37 am »
Quote
The problem with Lastpass and all its kind is that it depends on a remote service/server that must have vulnerabilities.

Yes, I don't store my Keepass file in Dropbox for that reason. No reflection on Dropbox, just principle. So that's why I work by copying my file manually to my Android devices. I also use Keepass at work, and I'm specifically not authorised to store my employer's information on Dropbox.

Re: Recommend a password manager
« Reply #14 on: 15 February, 2020, 11:30:25 am »
Quote
The problem with Lastpass and all its kind is that it depends on a remote service/server that must have vulnerabilities.
Yes, I don't store my Keepass file in Dropbox for that reason. No reflection on Dropbox, just principle. So that's why I work by copying my file manually to my Android devices. I also use Keepass at work, and I'm specifically not authorised to store my employer's information on Dropbox.

Hey, don't get me wrong, you are welcome to take whatever precautions you want, (and I really don't want this to sound snotty or as if this is a personal slight) but don't confuse risk management with paranoia. Let me explain.

A 256-bit encrypted file with a long passphrase is only crackable by brute force and the power needed (not just computing, electricity) is not available to anything but the very largest corporations and governments. Even then, the power and time needed to crack is mind-blowing; there is little chance of that changing unless quantum computing achieves what it aims for and then becomes accessible to common people, and we are just nowhere near that at the moment. For that reason you can consider the encrypted file itself secure. You could leave it printed out in public without the slightest risk.

However, systems are vulnerable (as opposed to the file), there are numerous attack vectors and - given the potential prize - millions of people's usernames and passwords, you can see that it will form a target and using it is an unnecessary risk.

The two are not comparable.
Quote
and I'm specifically not authorised to store my employer's information on Dropbox.

An encrypted file is unlikely to be covered by that (although you may just have a blanket ban, for clarity)

ETA: may be clearer to summarise like this: Dropbox is not secure, your encrypted file does not need to be secure. If you think it needs to, you can't use the Internet for anything that needs security as everything else is far less secure.
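
As an added illustration of the brute-force argument in the post above (not part of the original post, and not code from any password manager): a sketch that estimates search time for the passphrase space against the 256-bit key space. PBKDF2 is a stand-in for the manager's real key-derivation function, and the iteration count, worker count and sample passphrase shapes are assumptions.

```python
import hashlib
import math
import os
import time

KEY_BITS = 256  # cipher key size quoted in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def passphrase_bits(symbols: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `symbols` choices."""
    return length * math.log2(symbols)

def effective_bits(pass_bits: float, key_bits: int = KEY_BITS) -> float:
    """A guesser works on whichever is smaller: the key space or the passphrase space."""
    return min(pass_bits, key_bits)

def kdf_seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Time one key derivation on this machine (PBKDF2 as a stand-in KDF)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"constructed guess %d" % i, salt, iterations)
    return (time.perf_counter() - start) / trials

def years_to_search(bits: float, seconds_per_guess: float, parallel: int = 1) -> float:
    """Expected years to find the secret (half the space) with `parallel` workers."""
    guesses = 2 ** (bits - 1)
    return guesses * seconds_per_guess / parallel / SECONDS_PER_YEAR

def compare(iterations: int = 100_000, parallel: int = 1_000_000):
    # Constructed passphrase shapes; each is assumed to be chosen uniformly at random.
    cost = kdf_seconds_per_guess(iterations)
    rows = {}
    for label, symbols, length in [
        ("8 random lowercase letters", 26, 8),
        ("6 words from a 7776-word list", 7776, 6),
        ("random 256-bit key", 2, 256),
    ]:
        bits = effective_bits(passphrase_bits(symbols, length))
        rows[label] = (round(bits, 1), years_to_search(bits, cost, parallel))
    return rows

if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years")
```

The years column depends on the measured KDF cost on the machine running it, so only the bit counts and the ordering of the rows are stable between runs.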

Phil W

Re: Recommend a password manager
« Reply #15 on: 15 February, 2020, 11:55:47 am »
Quote
I can also recommend Keepass. Keep the password file in a Dropbox folder and it's accessible from all my various devices and permanently synced. Don't know about iPhone but it's available for Android and Windows. Nothing specific for Mac or Linux but the Windows version can be used via Mono (Mac) or WINE/PlayonLinux.

KeePass Touch for iPhone / iPad

vorsprung

  • Opposites Attract
    • Audaxing
Re: Recommend a password manager
« Reply #16 on: 15 February, 2020, 12:44:41 pm »
Keepass here, Mac / Linux / Android

Re: Recommend a password manager
« Reply #17 on: 15 February, 2020, 01:49:50 pm »
No-one has mentioned Lockwise, Firefox's system for making sign-ons available across operating systems. Is there something I should know about it? ???

Re: Recommend a password manager
« Reply #18 on: 15 February, 2020, 03:13:46 pm »
Lockwise, Chrome Password Manager, all of those are like LastPass, central password repositories that are subject to vulnerabilities and exploits, eg

You pays your money and you takes your choice. Personally I use password managers like that  for (a) sites where I don't really give a toss and use a common password and (b) sites where I use a unique password but have 2FA implemented.

Re: Recommend a password manager
« Reply #19 on: 15 February, 2020, 05:31:38 pm »
Quote
A 256 bit encrypted file with a long passphrase is only crackable by brute force and the power needed (not just computing, electricity) is not available to anything but the very largest corporations and governments.

I know all that. And it's true, provided that there are no errors in the implementation, and I don't make a mistake and reveal the master password.

Nonetheless, I choose not to put such files into file sharing systems. And you're right, at work it's a blanket ban.