The best password managers

"Bitwarden stores credentials securely in the cloud"

Heck of a misnomer. A lot of people, including businesses, are getting duped by this one. "cloud" and "secure" in the same sentence. LOL... Put your passwords on the internet so every hacker in the world has a chance at it. /facepalm
"And if you don’t want to store anything on Bitwarden servers (cloud), you can host your own Bitwarden instance."
 
I'm still waiting for a password manager company to get hacked. What then?
LastPass has been hacked, had outages, and other major issues pop up at least a half dozen times over the last ten years, including very recently, but I'm sure LP is not the only one and others have also been hacked and/or had major issues, I'm just not aware of them or forgot because it did not affect me. I would think a quick search would turn up more instances.
 
Most web browsers offer to store your passwords for you. This might seem like an ideal way to keep track of your passwords – but it’s actually a bad idea. Here are some reasons why:

The password security on browsers isn’t that great – even if you are using a secure browser. Usually, these passwords are stored in plaintext. There are also tools available online that can give hackers access to your computer (either physically or remote access schemes) and view/steal passwords stored in the browser.
Passwords usually aren't stored in plaintext. For example, even if you choose not to use the sync passphrase feature on Chrome (not using the sync passphrase is the default setting for Chrome), your passwords are encrypted before they are stored in your synced devices or Google servers.

There are two major downfalls for this approach, compared to standalone PMs. One of them is a (possibly) weak encryption key. It will use your Google username and password as an encryption key. Since your Google username/password is definitely one of the prime phishing targets and you probably use your Google account often (thus you probably don't want to use something like a 98-letter password which has 500-ish bits of entropy), it's not a good idea to encrypt your whole password database with your Google username/password. However, you can (somewhat) tackle this problem with the sync passphrase feature (or the master password feature for Firefox).

Another downfall is that there is an alternative way to view or recover the stored passwords without the actual encryption key itself. If an attacker knows the account/password of your host (or hijacks your already-logged-in sessions on your host computer), the attacker can view the passwords regardless of your host OS. Hence, if your hosts have been compromised, your passwords are also compromised. But your standalone password managers are not that far ahead in this regard, because if you have a compromised host, it usually means all bets are off. (For example, as soon as you access the password database on your compromised host, all the contents of your database are no longer yours.)

Your browser will only record the username and password you enter into a web page. It won’t help you generate a password, or tell you if the password is strong, or remind you that you already used this same password on 10 other pages.
Last time I checked, Chrome, Firefox and Safari w/Keychain all have a built-in password generator, and most of them will tell you how strong your passwords are and how many times you've used the same password. It's true that you'll have somewhat limited features with your browsers. For example, if you use the sync passphrase on Chrome, you only have a password generator and lose the ability to check password reuse (or weak passwords), since you cannot access Google's password manager (passwords.google.com), which provides you those features.
 
Did LastPass get hacked?
A quick search reveals LastPass has had breaches, hacks, outages, lockouts, etc. occur at some point in 2011, 2014, 2015, 2016, 2017, 2018, 2019, and a major outage Jan 20, 2020, as well as the Chrome browser extension not working just a couple of days ago. To be fair, they are not the only ones, but I found more for LP than any other PM by far. Also, LP claimed no data was compromised in most cases, but they recommended that users change their passwords "just to be sure". They also denied an outage just last week until it was widely reported on the web by so many users. I did not read the details of each occurrence, but the articles still exist online. I had a paid LP account until 2015, when my master password no longer worked and I lost all of my data. Their customer support is almost nonexistent, unfriendly, and unhelpful. I now use BitWarden for my family and could not be happier. YMMV
 
In this case, IMO, convenience == enhanced, unnecessary risk. As stated earlier, ANY breach in the convenience and all your accounts are instantly at risk.

I've chosen to protect my assets, but you can assess your risk (as it should be) for yourself. Notice --- IMO is all over the subject.
It's not like that. You gain some with a password manager while you lose some, and the convenience is not the only thing you gain. You gain some in respect of SECURITY, even though you still lose some in respect of SECURITY. Usually, you gain more security than you lose with a password manager, and that's the reason why many people recommend a password manager.

The single worst thing you can do is password reuse, because your password (either in plaintext or as a hash) is almost guaranteed to be leaked somewhere. FYI, big players like Adobe, Dropbox, LinkedIn, MySpace, tumblr and Zynga have leaked anywhere from 65 million to 359 million accounts and passwords (or hashes). Once your reused password is leaked in plaintext (or recovered from a leaked hash), you have a whole bunch of compromised accounts.

You can deal with these issues probably in three different ways.

1. Tiered password reuse structure (such as pswd1234 for weak websites which can't cause you any harm even if it's leaked, lrfebjdbwhwz for medium websites which can cause you some harm but not grave harm, oIiskIFoy8@uHmOl%k&!%w@Vg for email and banking)

2. Salting the strong base password for each website (For example, if your base password is P@V0sYz$@%9ufMEOZI|1I|jIljl|iIlI|ljIjii|Ii|li1jlI, TcSoP@V0sYz$@%9ufMEOZI.com|1I|jIljl|iIlI|ljIjii|Ii|li1jlIeHpT for techspot.com, GoLP@V0sYz$@%9ufMEOZI.com|1I|jIljl|iIlI|ljIjii|Ii|li1jlIoGe for google.com)

3. Creating unique passwords using certain easy-to-memorize and easy-to-lookup methods (For example, google.com consists of the 7, 15, 15, 7, 12, 5, ., 3, 15, 13th letters of the alphabet, hence using the last word on pages 7, 15, 15, 7, 12, 5, ., 3, 15 and 13 of the book Harry Potter and the Prisoner of Azkaban as your password), or using randomly created unique passwords and writing them down in your diary

All of the above have significant disadvantages compared to a decent password manager.

For method #1, there are two major problems. One of them is a leakage of high-tier passwords, since big players are not immune to those password leaks. The other problem is you can't remember everything. For example, how many accounts have you accumulated over the last few decades? Is it 397 or 401? If you can't answer the question correctly to the last digit, you don't know your password distribution. In other words, you can't figure out which has been compromised or not, even if you have real-time knowledge of every leak on the globe. Also, even if you do remember everything, it's definitely no easy feat to change the passwords of hundreds or thousands of accounts.

In the case of method #2, you need to develop a strong salting methodology, because otherwise your salting is useless. For example, if an attacker knows you've used TcSoP@V0sYz$@%9ufMEOZI.com|1I|jIljl|iIlI|ljIjii|Ii|li1jlIeHpT for techspot.com, it's not hard to guess your salting method, hence all of your accounts become vulnerable.

The problem is that it's very difficult to develop a strong salting methodology that works all the time, due to all kinds of password restrictions enforced on each website. For example, some websites only accept 12-letter passwords. Which means, if you're using the above-mentioned salting mechanism, you have all salt and no password for abcdefgh.com, and you have a broken salt for abcdefghi.com.

For #3, most password creation methods (especially if it's an easy-to-memorize and easy-to-lookup method) usually give you much weaker, low-entropy passwords compared to what a random password generator can offer, and a plaintext password written in your diary (or encrypted in your own way) is usually a lot weaker than an encrypted password manager database stored on offline devices (anyone who lives in your house probably can easily hack into your accounts using your plaintext diary, but cracking the encrypted database is no easy task even for the FBI with a search warrant).

Of course it's true that those password managers are another weak point where you can lose many accounts and passwords at once, but like you've said, you can't lose accounts which you haven't registered to that password manager.

Just add minor accounts to the weaker, cloud-based, easy-to-access password managers and add serious accounts to the stronger, offline, hard-to-access password managers. In this way, you can benefit from increased security as well as convenience while minimizing the risk.
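The two posts above argue that reused passwords are the biggest single risk and that the worth of a password depends on its entropy (the "98-letter password with 500-ish bits" remark in the browser discussion, and the tiered scheme here). The script below is an added example, not code from the thread or from any password manager mentioned in it: it runs the two checks a browser or standalone manager performs when it warns you about reuse and weak passwords, over a constructed vault that borrows the sample passwords posted above. The site names are hypothetical, and the entropy figure is the standard upper-bound estimate (length times log2 of the observed alphabet), which is only accurate for generator output; the 100-symbol bucket for characters outside ASCII is an assumption.

```python
import math
import string
from collections import Counter

# Constructed sample vault: hypothetical site names plus the example
# passwords quoted in the thread. None of these are real credentials.
SAMPLE_VAULT = [
    ("news.example", "pswd1234"),
    ("forum.example", "pswd1234"),
    ("shop.example", "pswd1234"),
    ("bank.example", "lrfebjdbwhwz"),
    ("mail.example", "oIiskIFoy8@uHmOl%k&!%w@Vg"),
]

KNOWN_CLASSES = string.ascii_letters + string.digits + string.punctuation


def charset_size(password: str) -> int:
    """Size of the alphabet the password appears to be drawn from.

    Each character class that is present adds its full size; this is how
    most strength meters approximate the search space of a random password.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in KNOWN_CLASSES for c in password):
        size += 100  # assumption: rough bucket for whitespace/unicode symbols
    return size


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming every character was chosen
    uniformly from the observed alphabet. A human-chosen password is weaker
    than this number suggests; generator output is about equal to it."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def find_reuse(vault):
    """Map each password used on more than one site to the list of sites."""
    counts = Counter(pw for _, pw in vault)
    return {
        pw: [site for site, p in vault if p == pw]
        for pw, n in counts.items()
        if n > 1
    }


def audit(vault, min_bits: int = 60):
    """Return (site, entropy_bits, issues) per entry; empty issues means OK."""
    reused = find_reuse(vault)
    report = []
    for site, pw in vault:
        bits = estimate_entropy_bits(pw)
        issues = []
        if pw in reused:
            issues.append(f"reused on {len(reused[pw])} sites")
        if bits < min_bits:
            issues.append(f"weak: {bits:.0f} bits < {min_bits}")
        report.append((site, round(bits, 1), issues))
    return report


if __name__ == "__main__":
    for site, bits, issues in audit(SAMPLE_VAULT):
        status = "; ".join(issues) if issues else "ok"
        print(f"{site:15} {bits:6.1f} bits  {status}")
```

Running it flags pswd1234 three times over (reused, and only about 41 bits), flags the 12-letter lower-case password at about 56 bits, and passes the 25-character mixed password at about 164 bits. The same formula puts a 98-character password between roughly 461 bits (lower case only) and 642 bits (all four ASCII classes), which is the order of magnitude the "500-ish bits" remark refers to, and it shows why a reuse check needs the whole vault: no single entry reveals that pswd1234 is shared.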
 
I used to use 1Password, but didn't like it enough that I swapped after much cringing (changing is a pain). I changed to LastPass, and like it. I haven't had a single problem with it, despite the 'major outages' listed above, which I had to read about after the fact, because they had no effect on me. I'm still wondering what the definition of 'major' is. Not even the hack, of which I'm only aware of one, which had no consequence. It does everything that's listed above, and does it well enough that I use it on my phone, tablet and 3 computers.
I like Keepass, too, and have been using that for even longer, but it's not my primary manager.
 

jobeard

You gain some with a password manager while you lose some, and the convenience is not the only thing you gain. You gain some in respect of SECURITY, even though you still lose some in respect of SECURITY. Usually, you gain more security than you lose with a password manager, and that's the reason why many people recommend a password manager.
...
...
Very verbose but not convincing. As stated at the beginning (and incontrovertible imo) once the password manager is breached, all your accounts are at risk and it has happened. I'll go quietly on my own, thank you.
 

Jeff Re

Seriously people, you all need to read threads before posting the same response ten times. Also, I'm sorry people don't understand sarcasm in response to the happenings in the previous sentence.