Then how ?
Security Software Which password manager is the best?
- Thread starter adventureguy
- Start date
Titokhan
Forerunner
@Ramadhir Singh
Kindly take a look at the FAQ I linked in the previous post - it's all there. In case you need a little deep dive into password hashing, then see here.
On another note, I really like your new persona.
Kindly take a look at the FAQ I linked in the previous post - it's all there. In case you need a little deep dive into password hashing, then see here.
On another note, I really like your new persona.
Yeah I don't use password managers nor browser based either.
I've just got myself signed up with firefox monitor service.
For important logins I use unique passwords and 2fa with backup recovery codes if available.
That is a nice link posted about password hashing.
It's cryptographic strength and one way hashing algorithms.
One way means you can generate a hash from a password text in a straight forward manner but cannot calculate the password from a given hash in the opposite direction.
Cryptographic strength means many things like the chance of collision or two different text resulting in same hash value is practically impossible. But some older algorithms like MD5 message digest version 5 or SHA-1 secure hash algorithm are now considered weak (ish) and software uses newer ones like SHA256.
Hashing is a key component of digital signatures too.
But there is constant risk to crypto due to advance in computing technologies like high speed GPU based brute force password guess or quantum computing.
Dang this is a vast topic and very interesting stuff if you care to read up online.
I've just got myself signed up with firefox monitor service.
For important logins I use unique passwords and 2fa with backup recovery codes if available.
That is a nice link posted about password hashing.
It's cryptographic strength and one way hashing algorithms.
One way means you can generate a hash from a password text in a straight forward manner but cannot calculate the password from a given hash in the opposite direction.
Cryptographic strength means many things like the chance of collision or two different text resulting in same hash value is practically impossible. But some older algorithms like MD5 message digest version 5 or SHA-1 secure hash algorithm are now considered weak (ish) and software uses newer ones like SHA256.
Hashing is a key component of digital signatures too.
But there is constant risk to crypto due to advance in computing technologies like high speed GPU based brute force password guess or quantum computing.
Dang this is a vast topic and very interesting stuff if you care to read up online.
Last edited:
Synth-Pop
Guide
Same here, I too don't use any manager, the best is to memorize and stay safe.
Like anyone else I too can forget so to retrieve I do set not only one but multiple recovery emails, mobile nos, security questions.
So in unlikely event of forgetting something, multiple options to recover comes handy. for instance to recover my email I've set another 4 emails and security questions and 2 phone numbers.
same for other accounts like it's jumbled and I'm not lost. and I can't forget it all together
Like anyone else I too can forget so to retrieve I do set not only one but multiple recovery emails, mobile nos, security questions.
So in unlikely event of forgetting something, multiple options to recover comes handy. for instance to recover my email I've set another 4 emails and security questions and 2 phone numbers.
same for other accounts like it's jumbled and I'm not lost. and I can't forget it all together
CapriAnupam
Guide
I use KeePass. Very reputed and trusted password manager. I have accounts on so many sites, can't remember them all. Password manager is necessary therefore. I don't trust browsers to store passwords for sites which I consider sensitive.
buzz88
Forerunner
Bitwarden looks good, but Keepass has been rocksolid for me for years, so I don't feel the need to change.
Also, some services like password managers can do with the minimalistic approach and work well with only a couple of features. The fewer, the better. Keepass lets me store my passwords in an encrypted XML database, which i can store on Google Drive, Onedrive or similar cloud. I keep its hashkey (it can be a PDF or a JPG, so no one know it's in fact a key) on another cloud service. To open the database, I need the hash key and a password which only i know. This way I only have to remember this one password. This method has worked well for me for years, as I don't have to rely on any third party to store my passwords. There is no fear of losing them all as the database and the key are separately stored on cloud as well as a personal flash drive which i keep in my safe. Even if i lose the flash drive or get my cloud hacked, one can't open the database without my password.
Also, some services like password managers can do with the minimalistic approach and work well with only a couple of features. The fewer, the better. Keepass lets me store my passwords in an encrypted XML database, which i can store on Google Drive, Onedrive or similar cloud. I keep its hashkey (it can be a PDF or a JPG, so no one know it's in fact a key) on another cloud service. To open the database, I need the hash key and a password which only i know. This way I only have to remember this one password. This method has worked well for me for years, as I don't have to rely on any third party to store my passwords. There is no fear of losing them all as the database and the key are separately stored on cloud as well as a personal flash drive which i keep in my safe. Even if i lose the flash drive or get my cloud hacked, one can't open the database without my password.
dopplenoob
Contributor
Dashlane is available at Rs. 499 per year. It's even cheaper for family subscriptions which is around 1k INR for 6 premium accounts and free VPN.
Excellent price and good alternative for Lastpass.
Excellent price and good alternative for Lastpass.
nithin1992
Discoverer
Are password managers better than let's say Chrome or iOS passwords managers? If so, what are the benefits and when do you go for one?
See
Password Managers.
lock.cmpxchg8b.com
Opinion piece by Google security researcher Tavis Ormandy.
deusExMachina
Explorer
There are 3 things you need to (imo) watch out for in case of password managers
So, if you keep these catches in mind. The password safe increases security in the following ways:
@Ramadhir Singh ,
Data breeches happen, nothing is perfect. Most places store passwords in a one way hash ( you can generate a string from the plain password, but you can't extract the password from the string). While they can't extract your password from the string, they can brute force it by generating the hash from all possible combinations and comparing with the leaked data. The brute forcing is much faster after a data leak because you don't have 'retry timeouts' or input delays, because the hash data is local.
Long story short, it's a ticking time bomb and it's best to quickly change your password before the hash gets cracked. Detecting the leak early is just as important as trying to prevent it (you can't do anything to make it 100% safe).
- How well is it implemented. From what I've read over the years, the math in the cryptography is pretty solid but a lot of implementations have vulnerabilities that can be used to by pass that security. So it's important to have a crypto expert involved in the implementation too. PasswordSafe is audited by Bruce Sheneier, the dude who invented Blowfish.
- This is sort of related to pt1, but try to minimize the attack surface. So, while a web based one is more convenient, its interface is vulnerable to crapware that could be lurking in your browser. Unlike the regular viruses of the past, these days the attacks are increasingly coming via the web and it's hard to defend against. Browsers are cross-platform and have a ton of scripts running on each page (modern webdesign seems to be clunky as hell)
- Physical / local access risks : These are basic stuff, don't leave the password safe open for anyone to access on your computer. If your system is crawling with malware, it's probably a bad idea to unlock the db etc.
So, if you keep these catches in mind. The password safe increases security in the following ways:
- You can use a unique key for every website that you log in to. So, if there is a password breach in one website, your other logins aren't vulnerable.
- It allows you to use large, complex passwords without straining your memory.
- It's much easier to implement a password expiry scheme where you change your password at regular intervals (say every quarter).
@Ramadhir Singh ,
Data breeches happen, nothing is perfect. Most places store passwords in a one way hash ( you can generate a string from the plain password, but you can't extract the password from the string). While they can't extract your password from the string, they can brute force it by generating the hash from all possible combinations and comparing with the leaked data. The brute forcing is much faster after a data leak because you don't have 'retry timeouts' or input delays, because the hash data is local.
Long story short, it's a ticking time bomb and it's best to quickly change your password before the hash gets cracked. Detecting the leak early is just as important as trying to prevent it (you can't do anything to make it 100% safe).
SleepyK
Contributor
Bitwarden FTW. Using it for critical stuff and Chrome's built-in password manager for routine stuff.
Use Bitwarden presently and shifted to it from KeePass for compatibility and ease of use across platforms. I think a lot of people miss the point of using password managers which is to generate random long passwords that can be used only through the password manager and is impossible to brute force.
If you have a large number of logins and you are using your head, then it implies you are using fewer easy to remember passwords which greatly increases the risk if even one is compromised.
If you have a large number of logins and you are using your head, then it implies you are using fewer easy to remember passwords which greatly increases the risk if even one is compromised.
A bit late to the party but I use Bitwarden. It's free and it's great! Also, if you're really paranoid about your passwords being read, you can consider adding a salt phrase to your passwords.
Your actual password would be password + salt phrase. Then you'll only need to remember your salt phrase + the password you chose for your manager app (in case it's MS Word, you're good to go with just a salt phrase)
Your actual password would be password + salt phrase. Then you'll only need to remember your salt phrase + the password you chose for your manager app (in case it's MS Word, you're good to go with just a salt phrase)
Prisoner627
Contributor
Strange Keepass is not/least recommended, any update for lastpass vs keypass in 2022?
Keepass doesn't have official clients for all platforms or extensions for browsers. This means that setting it up is a hassle. I have to look for a client for each platform I'm using. And as it often happens with unofficial clients, they will keep going under and you'll have to switch every once in a while.
This also means that experience will be inconsistent on different platforms as the UI/Ux will not be the same.
These are the major reasons I have personally never considered Keepass as an option. There's increased security, but it's not at par with cloud based ones like Bitwarden.
+1 for Keepass. I am using the Windows client and Android offline client for many years. I just sync up the databases periodically and it works really well. I do not trust Third Party cloud services nor any browser extensions.
Here is a little dated but interesting study on password managers -
Password Managers: Under the Hood of Secrets Management
Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose...
www.ise.io
Last edited:
enthusiast29
Innovator
Bitwarden IMO