The best and most secure password manager

  • Thread starter: EngWiPy
AI Thread Summary
Using a password manager can enhance security by allowing users to create and store strong, unique passwords without needing to remember them. Popular options include LastPass and 1Password, both of which offer features like auto-generation of passwords and secure storage across devices. While some users express concerns about the security of cloud storage, encrypted password managers are generally considered safer than browser storage, which can be vulnerable. Writing down passwords on paper is another method some prefer, though it carries its own risks. Ultimately, choosing a password manager involves balancing convenience with security needs.
  • #151
Vanadium 50 said:
LastPass tech support tried to blame YubiKey, but YubiKey tests all pass. They are back to "disable MFA"... days pass... "enable MFA"... days pass. It's really hard to conclude that anyone there has a clue.

Any suggested alternatives?
What about KeePassXC? It's open source. I understand that you won't get a quick response, if at all, in case of a problem, no ensured technical support, but you might not need it.
Also, I don't understand how people can "trust" YubiKeys (closed source hardware in a security scheme? What could go wrong...?). There are examples where millions of people trusted the company who later betrayed them shamelessly (Ledger, I am looking at you).
 
  • #152
Vanadium 50 said:
Any suggested alternatives?
I have been using Bitwarden Premium for three years now. It was (and still is) the cheapest among all the cloud password managers available — USD 10.00 annually is a great price IMO. You get the option of YubiKey OTP for 2FA if you have premium. The best thing is that I can also store all the authenticator codes along with the logins, so I can easily access 2FA codes from the browser even if I do not have the mobile. Being open-source adds another layer of security — hundreds of eyes have probably gone over their code, so loopholes, if any, are definitely found faster than a closed-source password manager. Premium also allows you to take advantage of their data breach monitors to see if any of your current passwords have been leaked.

N.B.: I don't use the YubiKey 2FA, so can't say anything about just that particular feature. Otherwise, it works well, at least for me.
 
  • #153
fluidistic said:
What could go wrong
What could go wrong?

Not using the YubiKey is like leaving a door (one of several in series) open. Is that better or worse than having your locksmith keep a copy of your key to that one door?
 
  • #154
Vanadium 50 said:
What could go wrong?

Not using the YubiKey is like leaving a door (one of several in series) open. Is that better or worse than having your locksmith keep a copy of your key to that one door?
My point is that there are alternative open source hardware devices with equivalent security, where you do not have to trust a 3rd party.
 
  • #155
Update. LastPass support told me to...and I am not making this up... install a keylogger and then enter my master password.
 
Likes harborsparrow, fluidistic, DaveE and 1 other person
  • #156
OK, after more than a month, I told them to close the ticket and I was going elsewhere.

I suspect - but do not know - that LastPass' response to their woes was to fire their technical staff and just rake in the money from past development.
 
Likes harborsparrow and fluidistic
  • #157
phyzguy said:
This discussion is not increasing my confidence in password managers. I think I'll stick with my physical notebook.
May want to keep a copy in a bank vault or trusted source in case of fire, water, wear and tear of the writing, etc. A problem with this approach, assuming you're using a pen or other manual writing device, other than the wear and tear, is being able to write clearly enough to tell apart the o's (letter) from the 0's (number); the m's from the n's, u's from v's, etc. I've had trouble telling them apart at times in my own class notes.
 
  • #158
On a different issue, maybe a naive take and just a small slice of the attack surface, why do sites allow (seems many do) seemingly endless attempts to enter the right password? Why not block the IP address block for 5 minutes after 5 wrong attempts, then 30 minutes, and ultimately a perma ban? Wouldn't this go a long way towards restricting hacking attempts? I get this is just a single aspect and not a global solution, but it may help, though we may need measures to prevent the actual user from being locked out, and maybe other DoS-related issues. Yes, the hacker may go about rotating between sites, but it may lower the odds.

Besides, given many, most maybe, are motivated by money, is it reasonable to believe that those with the most advanced hacking, overall technical skills, would be working well-paid legitimate jobs, so that black hat hackers are 2nd-3rd tier, in terms of said skills? If I had amazing technical skills and wanted to become wealthy, I'd choose a legitimate job over the mediocre return and potential legal nightmare of getting caught. Does this sound reasonable, given the ability to work remotely?
 
Likes harborsparrow
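
Added example, not part of any post in this thread: a minimal sketch of the escalating lockout proposed in post #158 (5 wrong attempts, then a 5-minute block, then 30 minutes, then a permanent ban). The class and function names, the per-key state layout and the sample address 203.0.113.7 are assumptions made for illustration.

```python
import math

MAX_FAILURES = 5                              # wrong attempts allowed before each block
LOCKOUT_STEPS = (5 * 60, 30 * 60, math.inf)   # 5 min, 30 min, permanent ban

class LoginThrottle:
    def __init__(self):
        self._state = {}  # key (e.g. source address) -> fails / strikes / until

    def locked_for(self, key, now):
        """Seconds the key stays blocked at time `now` (0 = may try, inf = banned)."""
        st = self._state.get(key)
        if st is None or now >= st["until"]:
            return 0
        return st["until"] - now

    def attempt(self, key, password_ok, now):
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.locked_for(key, now) > 0:
            # Rejected before the password is checked: this is also how the
            # legitimate user behind the same key gets locked out.
            return "locked"
        st = self._state.setdefault(key, {"fails": 0, "strikes": 0, "until": 0.0})
        if password_ok:
            st["fails"] = 0       # success clears the counter but not the strikes
            return "ok"
        st["fails"] += 1
        if st["fails"] >= MAX_FAILURES:
            step = LOCKOUT_STEPS[min(st["strikes"], len(LOCKOUT_STEPS) - 1)]
            st["until"] = now + step
            st["strikes"] += 1
            st["fails"] = 0
        return "denied"

def simulate_guessing(throttle, key, start, interval, duration):
    """Constructed scenario: one wrong guess every `interval` seconds.
    Returns how many guesses were actually checked against the password."""
    checked, t = 0, start
    while t < start + duration:
        if throttle.attempt(key, False, t) == "denied":
            checked += 1
        t += interval
    return checked

if __name__ == "__main__":
    th = LoginThrottle()
    print(simulate_guessing(th, "203.0.113.7", 0, 1, 86400), "guesses checked in 24 h")
```

With this ladder, a source guessing once per second for a day gets only three rounds of five guesses checked before the permanent ban, while other keys are unaffected.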
  • #159
WWGD said:
May want to keep a copy in a bank vault or trusted source in case of fire, water, wear and tear of the writing, etc. A problem with this approach, assuming you're using a pen or other manual writing device, other than the wear and tear, is being able to write clearly enough to tell apart the o's (letter) from the 0's (number); the m's from the n's, u's from v's, etc. I've had trouble telling them apart at times in my own class notes.
When writing important things, I learned to use the European digit handwriting conventions: zeroes have a slash through them; ones consist of two lines (an upstroke and a downstroke, looks kind of like an inverted V). This makes the letter L distinguishable from digit 1, and the letter o distinct from digit 0. For added safety, you can also underline your capitals.
 
  • #160
harborsparrow said:
When writing important things, I learned to use the European digit handwriting conventions: zeroes have a slash through them; ones consist of two lines (an upstroke and a downstroke, looks kind of like an inverted V). This makes the letter L distinguishable from digit 1, and the letter o distinct from digit 0. For added safety, you can also underline your capitals.
Wish others had done the same so I could tell it's Chicago Ill (Illinois), and not Chicago 3. Confusing for a 12-year-old.
 
Likes harborsparrow
