The best and most secure password manager

  • Thread starter EngWiPy
  • Start date
  • #71
FactChecker
Science Advisor
Gold Member
7,305
3,140
The accounts I have read all emphasize that some of the IP (intellectual property) of the company was also stolen, and researchers have specifically warned that they expect information from the breach will be used to further probe the company's defenses. I take that seriously. It clearly wasn't just the open source portions of the code that were taken. https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen
Good point. It might help them to get other information from a website that has passwords. My point about open source is that the code alone is probably not a problem, whether open or proprietary.
 
  • Like
Likes harborsparrow
  • #72
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
2021 Award
28,810
13,847
This is why "security by obscurity" is a bad idea. One should design a system that is secure even if a bad actor has the complete source code. Because sooner or later, he will.
 
  • Like
Likes fluidistic, FactChecker and harborsparrow
  • #73
anorlunda
Staff Emeritus
Insights Author
10,869
8,177
Here's a passage from the linked article.
"An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application's architecture," he said via an emailed statement. "This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact."
Hasn't it been the mantra of security experts since the dawn of time that security via obscurity doesn't work? If it's really secure, the source code could be published. That view is subject to criticism, but so is the opposite view that stolen or leaked code must be a risk.

Edit: I see that two others posted that point before I did. Oh well.
 
  • Like
Likes Vanadium 50 and FactChecker
  • #74
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
2021 Award
28,810
13,847
There are good reasons to keep the source code private - e.g. "we plan to sell the object code". Security is just not one of them.
 
  • Like
Likes FactChecker and anorlunda
  • #75
fluidistic
Gold Member
3,876
212
7-zip is open source, and can use AES-256, which is strong.
7-zip used to be insecure (main programmer wouldn't fix old security flaws regarding encryption). I would suggest the use of a password manager instead.

Passwords are becoming obsolete nowadays. At the very least, I suggest using 2FA or MFA for important accounts, like your email account from which a malicious hacker could get control over most of your accounts. Do not use SMS authentication; rather use a hardware dongle with FIDO capability.
 
  • Like
Likes Wrichik Basu
  • #76
1,926
1,836
Do not use SMS authentication; rather use a hardware dongle with FIDO capability.
I get your point — even the phone can be hacked, and then the SMS or email authentication will not provide any safeguard. But a physical key has a few limitations. First, the cost. Secondly, there is a finite probability of losing it, which means that it will be safer to attach two keys to each account so that there will be one for backup. But that adds more to the cost.
 
  • #77
anorlunda
Staff Emeritus
Insights Author
10,869
8,177
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
When you find a perfect system free from risks, be sure to let us know.
 
  • Like
Likes Vanadium 50, Wrichik Basu and pbuk
  • #78
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
2021 Award
28,810
13,847
I suggest using 2FA or MFA .
The problem with 2FA is that most use your cell phone, which makes losing it even more of a crisis.

There is a complex optimization problem involving security, convenience, reliability, cost, etc.
 
  • #79
fluidistic
Gold Member
3,876
212
The problem with SMS as 2FA is not getting your phone stolen (after all, it should be encrypted unless you're Evo Morales), it's that you open yourself to SIM swapping attacks, where a malicious person impersonates you in a phone call, saying he lost his phone, and he then gets a new SIM card with your number, gaining access to your second FA.

Yes, getting dedicated hardware for security isn't free, maybe from around 20 USD up to 250 USD. But it may still be worth it. There are several types of them, and losing one of them may have different consequences.

I use one such hardware device; it's just password plus having to press a button on that hardware. If I lose my cell phone, I don't lose access to any of my accounts. If I lose this special hardware, I'd need to buy a new one (and insert a seed phrase that I backed up in different physical places in case of an H-bomb attack).
 
  • Informative
  • Like
Likes FactChecker and Wrichik Basu
  • #80
vela
Staff Emeritus
Science Advisor
Homework Helper
Education Advisor
15,577
2,218
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
What would give me pause about using LastPass is the number of security issues the company has had over the last decade or so.

https://en.wikipedia.org/wiki/LastPass#Security_issues

Perhaps it's unfair of me, but it doesn't inspire confidence in the security of their code.
 
  • Wow
Likes Wrichik Basu
  • #81
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
2021 Award
28,810
13,847
is the number of security issues the company has had over the last decade or so.
Would it make you feel better if they didn't report them?
 
  • #82
harborsparrow
Gold Member
619
158
I've said this before: by nature, a password manager company has a big red target painted on it because of the high value of the data it is managing. As vela wrote, I too find it appalling that they allowed their code to be grabbed. Somebody just screwed up, big time.
 
  • #83
FactChecker
Science Advisor
Gold Member
7,305
3,140
I've said this before: by nature, a password manager company has a big red target painted on it because of the high value of the data it is managing. As vela wrote, I too find it appalling that they allowed their code to be grabbed. Somebody just screwed up, big time.
It's a trade-off. Using one main password to encrypt many diverse passwords (I have over 100 of them) can have some security benefits. IMO, it is inevitable for an average person with a large number of passwords to get a little careless with them. A password manager company can use some very good methods to protect the set of passwords. For instance, they could use a master password that is over 50 random characters long and only stored on the user's computer.
 
  • Like
Likes harborsparrow
  • #84
harborsparrow
Gold Member
619
158
IMO, it is inevitable for an average person with a large number of passwords to get a little careless with them.
As a sysadmin and programmer, I am "an average person" with literally hundreds of passwords, some really important. When the world got to where we had to use unique passwords everywhere, I started using a system of templates and hints that is entirely personal to me. I don't think it likely that anyone will be able to decipher my system, and they allow me to use complex, unique passwords for everything. I write my hints down publicly, but I've never told a single soul what they mean.

I debated the password manager but it just doesn't make sense, IMO, to put all one's eggs in one basket. And, I want this information under MY control rather than some anonymous programmer's. I am forced to change passwords from time to time, and so far, my hint system has held up.

To each their own in this matter!
 
  • #85
FactChecker
Science Advisor
Gold Member
7,305
3,140
Many security systems use publicly available algorithms to encrypt their data. Keeping the algorithm secret is not essential for their success. Their strength is in things like using random keys that are very unlikely to be guessed, multi-factor authentication, public/private key encryption, etc. I believe that some companies are already adopting methods to prevent quantum computers from breaking their codes.
 
  • #86
harborsparrow
Gold Member
619
158
Why should their code even be stored on an internet-accessible computer? Yes, it would be less convenient for programmers, but if I were managing such a company, that code would not have been stored anywhere that it COULD be stolen without physical access. Of course, we don't know how it was stolen, but just saying.
 
  • Like
Likes Wrichik Basu
  • #87
1,926
1,836
Why should their code even be stored on an internet-accessible computer? Yes, it would be less convenient for programmers, but if I were managing such a company, that code would not have been stored anywhere that it COULD be stolen without physical access. Of course, we don't know how it was stolen, but just saying.
At the same time, we also have open-source password managers like Bitwarden. So, security can be tight even if the code is public. But if the code is regarding something on their server setup (for example), then that definitely shouldn't be kept on a server that has internet access.
 
  • Like
Likes harborsparrow