The best and most secure password manager

Thread starter: EngWiPy
Using a password manager can enhance security by allowing users to create and store strong, unique passwords without needing to remember them. Popular options include LastPass and 1Password, both of which offer features like auto-generation of passwords and secure storage across devices. While some users express concerns about the security of cloud storage, encrypted password managers are generally considered safer than browser storage, which can be vulnerable. Writing down passwords on paper is another method some prefer, though it carries its own risks. Ultimately, choosing a password manager involves balancing convenience with security needs.
  • #61
elusiveshame said:
DB queries are held in memory until it's no longer needed, Windows passwords are hashed in memory until a reboot, and if you use cookies - your hash, or some authentication, is in memory (of some form). Remember - you have to authenticate every page load to ensure you have the proper access. Can't do that if something isn't in memory stating you have permission.
The reason for the question raised by @Vanadium 50 had more to do with whether the DPAPI is adequately protective against someone who is in possession of the machine. The later part of the discussion was regarding whether the hash of the Windows login password could be retrieved from a physical search of the HDD, and used to produce passwords secured by the DPAPI. There is an opacity component of the DPAPI that is intended to make that difficult. For my part, just how possible or difficult that might be remains to be seen.
 
  • #62
How secure is the encryption used for password protected zip files? If it's good enough, you could zip a text file with some random text patterns embedded along with the actual password info.
 
  • #63
7-zip is open source, and can use AES-256, which is strong.
 
  • #66
I don't consider the LastPass breach as terribly dangerous. Did they get any master passwords? No. (And they can't, since LastPass doesn't know them. This has other issues, but this isn't one) Did they get any credit cards? No. Did they get any client PII? Again, no. Might they have gotten some code? Yes. The idea behind public-key encryption is not to rely on "security by obscurity" so in principle the code is unhelpful. In practice, it's hard to say.

They got access somehow to a development system, presumably through carelessness, malice or greed on the part of an employee. Thing is, I don't think this is something that can easily be protected against. Does Company X have better employees than Company Y? How would you even tell?

The Authy breach looks more troublesome.
 
  • #68
Vanadium 50 said:
I don't consider the LastPass breach as terribly dangerous...
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
 
  • #69
harborsparrow said:
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
I don't think I would worry too much about that. Some of these systems are open source and it is not a problem. Just don't download a new version from an unsafe source.
 
  • #70
FactChecker said:
I don't think I would worry too much about that. Some of these systems are open source and it is not a problem. Just don't download a new version from an unsafe source.
The accounts I have read all emphasize that some of the IP (intellectual property) of the company was also stolen, and researchers have specifically warned that they expect information from the breach will be used to further probe the company's defenses. I take that seriously. It clearly wasn't just the open source portions of the code that were taken. https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen
 
  • #71
harborsparrow said:
The accounts I have read all emphasize that some of the IP (intellectual property) of the company was also stolen, and researchers have specifically warned that they expect information from the breach will be used to further probe the company's defenses. I take that seriously. It clearly wasn't just the open source portions of the code that were taken. https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen
Good point. It might help them to get other information from a website that has passwords. My point about open source is that the code alone is probably not a problem, whether open or proprietary.
 
  • #72
This is why "security by obscurity" is a bad idea. One should design a system that is secure even if a bad actor has the complete source code. Because sooner or later, he will.
 
  • #73
Here's a passage from the linked article.
"An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application's architecture," he said via an emailed statement. "This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact."
Hasn't it been the mantra of security experts since the dawn of time that security via obscurity doesn't work? If it's really secure, the source code could be published. That view is subject to criticism, but so is the opposite view that stolen or leaked code must be a risk.

Edit: I see that two others posted that point before I did. Oh well.
 
  • #74
There are good reasons to keep the source code private - e.g. "we plan to sell the object code". Security is just not one of them.
 
  • #75
sysprog said:
7-zip is open source, and can use AES-256, which is strong.
7-Zip used to be insecure (the main programmer wouldn't fix old security flaws regarding encryption). I would suggest the use of a password manager instead.

Passwords are becoming obsolete nowadays. At the very least, I suggest using 2FA or MFA for important accounts, like your email account, from which a malicious hacker could get control over most of your accounts. Do not use SMS authentication; rather, use a hardware dongle with FIDO capability.
 
  • #76
fluidistic said:
Do not use SMS authentication; rather, use a hardware dongle with FIDO capability.
I get your point — even the phone can be hacked, and then the SMS or email authentication will not provide any safeguard. But a physical key has a few limitations. First, the cost. Secondly, there is a finite probability of losing it, which means that it will be safer to attach two keys to each account so that there will be one for backup. But that adds more to the cost.
 
  • #77
harborsparrow said:
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
When you find a perfect system free from risks, be sure to let us know.
 
  • #78
fluidistic said:
I suggest using 2FA or MFA .
The problem with 2FA is that most use your cell phone, which makes losing it even more of a crisis.

There is a complex optimization problem involving security, convenience, reliability, cost, etc.
 
  • #79
The problem with SMS as 2FA is not getting your phone stolen (after all, it should be encrypted unless you're Evo Morales), it's that you open yourself to SIM swapping attacks, where a malicious person impersonates you in a phone call, saying he lost his phone, and he then gets a new SIM card with your number, gaining access to your second factor.

Yes, getting dedicated hardware for security isn't free, maybe from around 20 USD up to 250 USD. But it may still be worth it. There are several types of them, and losing one of them may have different consequences.

I use one such piece of hardware; it's just a password plus having to press a button on that hardware. If I lose my cell phone, I don't lose access to any of my accounts. If I lose this special hardware, I'd need to buy a new one (and insert a seed phrase that I backed up in different physical places in case of an H-bomb attack).
 
  • #80
harborsparrow said:
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
What would give me pause about using LastPass is the number of security issues the company has had over the last decade or so.

https://en.wikipedia.org/wiki/LastPass#Security_issues

Perhaps it's unfair of me, but it doesn't inspire confidence in the security of their code.
 
  • #81
vela said:
is the number of security issues the company has had over the last decade or so.
Would it make you feel better if they didn't report them?
 
  • #82
I've said this before: by nature, a password manager company has a big red target painted on it because of the high value of the data it is managing. As vela wrote, I too find it appalling that they allowed their code to be grabbed. Somebody just screwed up, big time.
 
  • #83
harborsparrow said:
I've said this before: by nature, a password manager company has a big red target painted on it because of the high value of the data it is managing. As vela wrote, I too find it appalling that they allowed their code to be grabbed. Somebody just screwed up, big time.
It's a trade-off. Using one main password to encrypt many diverse passwords (I have over 100 of them) can have some security benefits. IMO, it is inevitable for an average person with a large number of passwords to get a little careless with them. A password manager company can use some very good methods to protect the set of passwords. For instance, they could use a master password that is over 50 random characters long and only stored on the user's computer.
 
  • #84
FactChecker said:
IMO, it is inevitable for an average person with a large number of passwords to get a little careless with them.
As a sysadmin and programmer, I am "an average person" with literally hundreds of passwords, some really important. When the world got to where we had to use unique passwords everywhere, I started using a system of templates and hints that is entirely personal to me. I don't think it likely that anyone will be able to decipher my system, and they allow me to use complex, unique passwords for everything. I write my hints down publicly, but I've never told a single soul what they mean.

I debated the password manager, but it just doesn't make sense, IMO, to put all one's eggs in one basket. And I want this information under MY control rather than that of some anonymous programmer. I am forced to change passwords from time to time, and so far, my hint system has held up.

To each their own in this matter!
 
  • #85
Many security systems use publicly available algorithms to encrypt their data. Keeping the algorithm secret is not essential for their success. Their strength is in things like using random keys that are very unlikely to be guessed, multi-factor authentication, public/private key encryption, etc. I believe that some companies are already adopting methods to prevent quantum computers from breaking their codes.
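The point made in #72, #83 and #85 (a public algorithm, a long random master secret, and nothing sensitive stored on disk) can be shown concretely. The following is an added example, not code from any product discussed in the thread: it derives a vault key from a master password with scrypt (a public, memory-hard KDF), stores only a random salt and an HMAC key-check value, and generates passwords from a CSPRNG. The function names and the `vault-key-check` label are the example's own choices.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Constructed example of the "master password protects a vault" design.
# Everything about the scheme (KDF, parameters, check value) is public;
# security rests entirely on the master password and the random salt.
SALT_BYTES = 16
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive a 32-byte vault key with scrypt. The derived key lives only in memory."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, maxmem=2**25, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """HMAC of a fixed label: lets the client confirm the master password
    without storing the key or anything that reveals it."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def make_vault_header(master_password: str) -> dict:
    """What a local vault would persist: salt and check value, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "kcv": key_check_value(derive_vault_key(master_password, salt))}


def unlock(master_password: str, header: dict) -> Optional[bytes]:
    """Return the vault key if the master password is right, else None."""
    key = derive_vault_key(master_password, header["salt"])
    if hmac.compare_digest(key_check_value(key), header["kcv"]):
        return key
    return None  # constant-time comparison; wrong password leaks nothing


def generate_password(length: int = 50) -> str:
    """Uniformly random password from the OS CSPRNG, as a manager's generator does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)
```

A 50-character password over this alphabet carries roughly 327 bits of entropy, so an attacker holding both the source code and the vault header still has to guess the master password itself.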
 
  • #86
Why should their code even be stored on an internet-accessible computer? Yes, it would be less convenient for programmers, but if I were managing such a company, that code would not have been stored anywhere that it COULD be stolen without physical access. Of course, we don't know how it was stolen, but just saying.
 
  • #87
harborsparrow said:
Why should their code even be stored on an internet-accessible computer? Yes, it would be less convenient for programmers, but if I were managing such a company, that code would not have been stored anywhere that it COULD be stolen without physical access. Of course, we don't know how it was stolen, but just saying.
At the same time, we also have open-source password managers like Bitwarden. So, security can be tight even if the code is public. But if the code is regarding something on their server setup (for example), then that definitely shouldn't be kept on a server that has internet access.
 
  • #89
The report back in August was dire enough due to this phrase: "cloud storage access key and dual storage container decryption keys were obtained"

This tells me off the bat that they are using the cloud, which frankly I find horrifying. How much software exists in the cloud that is not under LastPass control? How can they advertise that their product is secure if they are using cloud-based servers? It boggles the mind.
 
  • #90
I have used KeePassXC since 2015.
 