Security Software: Which password manager is the best?

I use Google Chrome to store email, social media and web login passwords. :p Do I need an upgrade?
Your data, including passwords saved in Chrome, can be read by any of the 1000s of programs running on your computer. It's as simple as that.

If you have ever shared a random folder from the C drive, then your passwords can be read over the network too.

Microsoft and Google believe in security based on honor.

I thought that requires the actor to have write access to your system, which implies your entire system is vulnerable at that point.
"Bad" actor can be any one of 1000s of background programs running on the computer.
 
Your data, including passwords saved in Chrome, can be read by any of the 1000s of programs running on your computer. It's as simple as that.

If you have ever shared a random folder from the C drive, then your passwords can be read over the network too.
Chrome always asks for a password to read the stored passwords. So these programs can read the passwords without entering the Chrome password?
I haven't shared any C drive folder, so that is not an issue so far.
 
Chrome always asks for a password to read the stored passwords. So these programs can read the passwords without entering the Chrome password?
Have you installed a different browser on your system, and did that browser offer to import bookmarks and passwords from Chrome? Did you wonder how it could just do that?

I haven't saved passwords in Chrome for a few years, so maybe my info is out of date, but that password you are entering is probably for syncing your data with the cloud.
 
"Bad" actor can be any one of 1000s of background programs running on the computer.
Then nothing can save you! If a system is compromised, then whatever you do on the system is not safe. You have a much lower attack surface with a local password manager. Your attack surface doubles with a web-based password manager: you have to protect your system from being compromised and those web services themselves from being exploited.
 
I thought that requires the actor to have write access to your system, which implies your entire system is vulnerable at that point.
It does.
"Bad" actor can be any one of 1000s of background programs running on the computer.
By security standards the KeePass "vulnerability" is not really a vulnerability if it needs write access, and if there's a bad actor/program on your system then you're essentially screwed and KeePass is just one of the things which may be compromised.
 
Have you installed a different browser on your system, and did that browser offer to import bookmarks and passwords from Chrome? Did you wonder how it could just do that?

I haven't saved passwords in Chrome for a few years, so maybe my info is out of date, but that password you are entering is probably for syncing your data with the cloud.
Yup, you are right. Chrome asks for the PC password, so if a PC is without a password then access is granted. I never thought that the passwords are so easily available for any program to access from a browser. I thought the password is only available to the user and not to other background programs. The browsers always ask to store the password and I did that many times. I never stored any banking or other important password in browsers, but it looks like we should not store our passwords in browsers at all.
 
Then nothing can save you! If a system is compromised, then whatever you do on the system is not safe.
I think you guys misunderstood my point.

A system can get compromised even if one is careful and using only paid, well-known software. It is hard to do, but there's still some chance. Coding and open source have become complex over the years. Even well-known open source software or libraries are found to have malicious code in them. Your boss sends you an Excel file with big VBA code inside, and you have no option but to work with it. Shit happens. My beef isn't with all that. I have a problem with Microsoft's attitude of leaving everything out in the open. Providing all of the resources to all of the running programs is dangerous. I feel more comfortable running a shady program on my Android mobile than on my computer because I know how good Android's sandboxing is. It completely isolates the program. Why can't Microsoft do it with Windows? It's very easy to do something malicious on Windows; it takes only a few lines of code. It's not the same on Android. Why doesn't Windows ask me before giving full permission for the webcam and mic to Chrome? How can Edge easily see the history or passwords saved in Chrome? Why can't Windows block applications from peeping into each other?

We have to live in the real world, and it's not an ideal place to live. Anything can happen. You are driving down the road, minding your business, driving carefully. Still, some drunk driver crashes his car into you. It's not your fault. In such a situation you do have basic safety like a seat belt and airbags that can save you, don't you? Or do you say, hey, somebody crashed into me, it's game over and now I must die?

We get such safety on Android, but why not on Windows? I hope you get my point.

KeePass is just one of the things which may be compromised.
I haven't fully read the article. I hadn't heard of this password manager before this thread. I thought it might be relevant so I shared.

Yup, you are right. Chrome asks for the PC password, so if a PC is without a password then access is granted.
Ok. I initially thought you were talking about Google's password that's needed for syncing. But you are talking about having to use the PC user's password to view passwords in Chrome. On Windows, yes, Chrome relies on Windows encryption to save stuff. What Google has done is delegate the security to Microsoft. They have transferred the blame to Microsoft. If tomorrow some big hacking happens, Google's gonna point the finger at Microsoft. At least they are doing something now. A few years ago, Chrome was saving passwords in a plain text file.

Now, you might ask, hey, at least now my passwords are safe, right? Well, no! This Windows encryption is practically useless. Anyone can bypass it super easily. If you have another user added on your system, go to their user directory. Windows will warn you, hey, this thing is encrypted, you don't have permission and crap. You just have to press OK. It'll take a few seconds and voila, that user's directory is now unencrypted.

Use Bitwarden as your password manager. It doesn't rely on Windows for its security.
 
I run Bitwarden on my Pi, by creating a self-signed certificate. I sync the mobile app with my Pi server whenever I'm home. No tension.
 
We get such safety on Android, but why not on Windows? I hope you get my point.
Legacy architecture. People buy Windows for backward compatibility, and Android/iOS-level sandboxing/MAC would just kill Windows. Windows has been and is improving its security in spite of the legacy architecture. It's much better compared to other desktop OSes out there, especially Linux. https://madaidans-insecurities.github.io/linux.html

There are things which you can do to further harden Windows. I use a WDAC policy which is default-deny for all apps unless the cert is whitelisted. https://learn.microsoft.com/en-us/w...plication-control/wdac-and-applocker-overview

You can use WDAC toolkit to make these policies with ease.

[image: wdac-wizard-template-selection.png]

That being said, nothing touches Android and iOS in terms of security. But you cannot do a lot on these OSes in terms of productivity and development.
 
There's also one thing we can do. We can protect the Chrome folder so that no one but Chrome can access it. This setting is under ransomware protection. I have enabled this setting on several important folders.
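The "ransomware protection" setting mentioned above is Microsoft Defender's Controlled folder access, which blocks applications Defender does not trust from modifying files inside protected folders. The following is an added example, not code from anyone in this thread, showing how to enable it for the Chrome profile folder from an elevated PowerShell prompt and how to verify the result; the Chrome paths are assumptions based on a default per-user install and should be adjusted for your machine.

```powershell
# Added example: protect the Chrome profile folder with Controlled folder access.
# Assumes Windows 10/11 with Microsoft Defender Antivirus active, run as Administrator.
# Both paths below are assumptions (default Chrome locations); adjust as needed.
$chromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
$chromeExe      = Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe'

# 1. Turn the feature on. Use 'AuditMode' first if you want to see what would be
#    blocked (logged only) before switching to 'Enabled'.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Add the Chrome profile folder to the list of protected folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders $chromeUserData

# 3. Explicitly trust chrome.exe so Chrome itself can keep writing to its profile.
if (Test-Path $chromeExe) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $chromeExe
}

# 4. Verify the resulting configuration.
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $pref.EnableControlledFolderAccess   # 1 = Enabled, 2 = AuditMode
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
}

# 5. Review recent Controlled folder access events in the Defender operational log:
#    Event ID 1123 = access blocked, 1124 = access audited (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Step 5 is worth running for a few days after enabling the setting, since legitimate tools (backup agents, sync clients) that write into the folder will show up there and need to be added in step 3.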
 
My beef isn't with all that. I have a problem with Microsoft's attitude of leaving everything out in the open. Providing all of the resources to all of the running programs is dangerous.
Mac:
1. We control the hardware.
2. We make the software for it, and we can make it as secure as possible.
3. We can stop supporting an application and you would still buy it.

Microsoft:
1. Microsoft has to support your Mom's PC running on an Intel Core 2 Duo and my Ryzen 7900 across hundreds of different mobo and PC component manufacturers. Think about it: almost all hardware from the last 15 years.
2. Imagine I run a factory and I bought tons of Windows licenses to run my assembly line inspection software in 1992; my factory makes Blu-ray disks. I assure you that the factory is still running that software and Windows is happily supporting it.
3. Industry moves a lot slower than end users like us.
4. My organization pays $200,000 to Red Hat every year for our most critical Linux servers (we do run Debian/Alma/Amazon Linux) for that 10+2 years of LTS and Extended-LTS support. That's how Linux development is possible: people paying money for it. We have pushed Red Hat and Oracle to update and fix core kernel libraries on more than a few occasions now. So as long as there is at least one paying customer from 1990, they cannot drop legacy support (even if they do, they will have to provide a 100% working alternative and technical/field support for the upgrade), because contractual obligation is a b**ch. Legal will eat Microsoft for breakfast if they do.
5. So it's a two-edged sword at this point; it cuts both ways.

The bottom line (literally) is that all we can do at this point is to be vigilant and follow good security practices.

And in the name of God and all that's holy, please switch from Chrome's built-in password manager. KeePassXC/Bitwarden/xxxxx, whatever you feel comfortable with.
 
Somebody who wants to use the portable version of KeePassXC with a browser that is also a portable version will most probably face issues with browser integration.
The link below can help them -
 