This top-rated password manager helps keep your logins secure

Originally published at: https://boingboing.net/2019/07/17/this-top-rated-password-manage.html

digitally encrypted

Oh so not with analog?

Nitpicks aside, maybe mention how they encrypt the data on the back end?

Proper security should be open to review. Clearly labeled with the algos used so all can see.

If you are nervous about publishing these details, your security design is flawed.

5 Likes

Oh fuck no!

Keeper is crapware developed by utter incompetents. This Google Project Zero issue report is a good example of how utterly bad they are (made a profoundly incompetent mistake, patched it, then made the same profoundly incompetent mistake again a few months later): https://bugs.chromium.org/p/project-zero/issues/detail?id=1481&desc=3

On top of that, rather than admit their error, they filed a fucking SLAPP suit against a reporter for publishing an article about it. (But not against the Project Zero researcher whose issue report formed the factual basis for the article, because they’d rather pick on a resource-constrained reporter than fuck with Google’s legal team.) Here’s a news article on the lawsuit: https://www.techdirt.com/articles/20180308/18090539393/keeper-security-reminds-everyone-why-you-shouldnt-use-it-doubles-down-suing-journalist.shtml When it became clear they were going to lose spectacularly, Keeper voluntarily dismissed and ran home with their tail between their legs.

It really bothers me to no end that BoingBoing is flogging insecure shovelware written by incompetent assholes who file SLAPP suits when someone points out how incompetent they are. Cory ought to feel ashamed for letting this one by.

(Just in case said incompetent SLAPP-happy assholes happen to read this and start feeling SLAPP-happy again: Bring it on, bitches. I am a lawyer. I’ll crush you as easily as Ms. Spears did, but I won’t be so gracious as to let you go without paying my fees.)

13 Likes

You shouldn’t be. See my other post.

1 Like

I sometimes put “Password Manager” in the “job title/description” box of online surveys.

7 Likes

Should we not be using the “Saved Passwords” feature that’s built in to Firefox?

(Asking for a friend)

1 Like

No, you shouldn’t be. Nor should you be using a password manager with any sort of browser integration. Browsers are too big and too complex to ever get all the vulnerabilities ironed out. You really, really don’t want to be creating a situation that escalates a browser vulnerability into a “steal all your passwords” vulnerability.

For that matter, I’d also insist that password managers are a class of software that absolutely must be open-source. Period. The risk of deliberate backdoors or developer incompetence is just too high to tolerate closed-source in this situation. (It’s not just Keeper; developer incompetence is a rampant problem in the proprietary password manager field.)

Also, cloud storage in a password manager is a needless, stupid risk. Sync your encrypted password file between computers you own via a pen drive. If you really, really need to access your passwords on a computer you don’t own, install your password manager to a pen drive in portable mode together with a copy of your encrypted password file trimmed down to include only the passwords you expect to need in such situations.

If you want my advice, use PasswordSafe. If you can’t stand PasswordSafe’s oh-so-90’s UI, then use KeePass WITHOUT the optional browser integration.

7 Likes

Terrible UI, terrible browser extension, terrible app, and, as someone else already mentioned, they treat security the worst way possible. Even if you don’t go the super secure route and want a browser extension and a phone app and cloud syncing, this is the worst possible one to use. LastPass is also terrible, and some of their practices around 2FA and business integration make it possible to permanently lose your passwords. 1Password UI is also terrible. I’m currently evaluating Dashlane and KeePass, but either seems better than the alternatives at this point.

2 Likes

I use LastPass. Any comments, as I’m really curious if I should switch to something else.

I have considered offline hardware managers in the past. Pitbull wallet looked perfect but sadly did not get funded. Any recommendations for a similar product?

I used LastPass for many years (and paid for the subscription). Their software deteriorated over the years.

I now use BitWarden - it’s free, open source and you can pay $10/year if you want some fancy sharing options. I paid it just to support the developer, who in return gives excellent responsive support.

Thanks for the reply. Will look into it. Would be nice if I could transfer data from LastPass.

Yes you can transfer data. You can export your entire LastPass database and import it into BitWarden. That’s exactly what I did and even though I kept LastPass around for a while in case Bitwarden didn’t work I never had to go back to LastPass.

THAT SAID! BE AWARE!

  1. The exported passwords from LastPass are in cleartext - make absolutely sure that the file is properly deleted and shredded from your hard drive once you have imported to Bitwarden.

  2. Even better - generate new random passwords for your important sites after migrating to Bitwarden. That way even if the export file is leaked you should be safe since the passwords there would be irrelevant.

And in general - use 2FA on every site which supports it (I use Authy for that). BTW Bitwarden’s fingerprint authentication is fantastic for quick access on the phone without people around you seeing your master password.

2 Likes

I’m using LessPass which is portable, free and doesn’t store any actual passwords. Any issues with that that you’re aware of?

My general impression is that LastPass suffers from developer competence problems, though not as horrific as Keeper. A good trick for getting a quick sense about any given password manager is to do a Google/Startpage/DuckDuckGo search for “Tavis Ormandy {name of password manager}.” Mr. Ormandy is probably the world’s best bug-hunter in the field of password managers. Doing so with respect to LastPass gets us, for instance, this 2016 bug and this 2017 bug.

That’s good advice, though I was talking about LessPass. Interestingly, if I duckduckgo “Tavis Ormandy lesspass” I just get results about LastPass :)

I’m not knowledgeable on the details of various hardware password managers since, at least for my use case, they add little benefit over a software password manager that is properly implemented, fully offline (i.e., no cloud crap), and fully standalone (i.e., no browser integration).

The capabilities required of an attacker to get into such a software password manager are a high enough bar that you’re probably already screwed if an attacker attains those capabilities. At that point, even if your hardware password manager is totally impregnable, they’d likely be in a position to snag each password as you use it. So it only helps if you have high-value passwords that you use so rarely that you’d have a chance of detecting and ejecting the attacker in the interim.

Assuming you do have such a high-value, rare-use password to protect: The one must-have feature for hardware password managers is an absolute requirement that you MUST press a physical button on the hardware password manager once per password you want it to poop out. That prevents an attacker who’s compromised your PC and keylogged the master password from programmatically hoovering out the hardware password manager. Without that feature, it’s no harder to get at than the well-implemented, offline, standalone software password manager.

I’m sorry. I totally misread your post. I don’t know enough about LessPass to form an opinion.
