Password Managers

[Condobloke]

1. Show us what you have got and why you chose it
Is it free?...or does it cost?
Is it straightforward to install, does it generate passwords for you
Does it automatically either put the password in for you, or have the password easily and quickly accessible from the browser you are in ?

2. Is it reliable?

3. Is it cross platform?

4. Is it secure.....Why?....what makes it so secure?

5. easy to install, easy to import passwords etc from previous passport manager used ?

6. Easy to maintain?...is any maintenance necessary?

7. Does it sync accurately between pc and mobile and/or other device

When passwords are sent to your Bank (or other financial institution) how safe is the transmission of those passwords....are they encrypted using your choice of password manager.....or are they sent as plain text

Keep your answers neat rather than rambling

 

[MatsuShimizu]

I am using KeepassXC, Bitwarden to store passwords. Both are free and open-source. I use paper sometimes to write master password hints or 2FA backup codes. KeepassXC to store anything related to banking. As for less important logins, I use Bitwarden.

On Ubuntu, both of them are available with AppImage program, Ubuntu Software Center, PPA (KeepassXC) and deb file (Bitwarden).

Both KeepassXC and Bitwarden are encrypted with standard 256-bit AES.

As for Bitwarden, yes the password is encrypted/hashed locally on my PC before being sent to the server.

You can test it at home if you want from a Chrome/Brave browser by following the video below. The same instruction is also available here on Reddit:

From the Bitwarden encryption article page:
Bitwarden uses AES-CBC 256-bit encryption for your Vault data, and PBKDF2 SHA-256 to derive your encryption key.

You can also read the details in their whitepaper. https://bitwarden.com/help/article/bitwarden-security-white-paper/

What is AES 256 bit-encryption - This video explains in an easy-to-understand manner

SHA-256 Simplified: What Is It And Why It Is So Secure

Now, what is PBKDF-2? This video explains what it is

 

[wizardfromoz]

Brian I am moving this to Security.

@MatsuShimizu take note

Wiz

 

[craigevil]

I use the Bitwarden extension in my browsers. and the Bitwarden app on my Android devices.
It is open source and free to use. They do have a Premium that you can addon but it is only $10/yr.
With the premium you can use a hardware key like Nitro or Yubikey.
I used Chrome for years, when I switched to using Bitwarden I copied all of my passwords from Chrome then I deleted all of them from Chrome.
For 2fa I just use the Google Authenticator. I would use something else but I haven't found a way to import all of my accounts to a different app.

 

[Tolkem]

I use KeepassXC to store my "not so important" login data for the websites I use/visit the most as well as the built-in the browsers(Firefox and Chromium) My banking stuff is all in paper. I like KeepassXC since it stores everything locally.

 

[stan]

There is no one-size-fits-all to password managers. What is a "Pro" for one is a "Con" for another... such as cloud storage and synchronization. Some users demand it, and I won't use a product that supports it. Clearly a night and day difference of opinion.

This 4-yr old article lists 9 password managers that have been hacked. This article (with a 2021 update) lists 14 or 15 that have been hacked, including KeePass. I should clarify that KeePass was not technically "hacked," but it's noted that it is vulnerable to a special malware hacking tool, called KeeFarce, that can scoop up your entire vault and save it as plain text for the hacker to retrieve it. In spite of this threat, KeePass is what I use.

While KeeFarce specifically targeted KeePass, the concept is a simple one to which everyone is vulnerable... that is, if you allow malware to infect your system, all bets are off. If your password manager is open on your system, it is unlocked so that you can see your usernames and passwords, or change them, or add new ones. If your computer has been compromised, the bad guys can likely see your information too.

All the hype about the "strong encryption" used by password managers seems (to me) to be about protecting that cloud storage and synchronization feature... the feature I refuse to use. Of course it applies to protecting the local vault storage also. Whether you use a browser extension, or whether you manually copy/paste your username/password into a bank login screen, you are pasting as plain text. The password input boxes often provide a little "eye" icon that you can click on to see your password instead of stars or dots that mask it (from people looking over your shoulder).

Your bank does not use or understand each and every password manager, nor do they use each and every encryption algorithm that is available. What protects your bank transaction is not your password manager... it is TLS (Transport Layer Security). TLS, now at version 1.3, typically relies on trusted certificate authorities and is the successor to SSL (Secure Sockets Layer). TLS is the cryptographic protocol behind your HTTPS secure connection to your bank. This is the encryption that protects you, and it is also not flawless. This is one of the prime reasons you should always use the latest version of your preferred web browser. But you can only hope that your bank (and others you trust with TLS) will also do their part to apply patches and updates to keep their servers secure.

 

[Lord Boltar]

I use Password Dragon which is java based with BlowfishJ encryption, but I use it only for remembering and storing passwords - I do not allow it to access websites or anything else simply use it for storage of passwords in case I forget it. I always type in password and have the browser set to never store it or remember them.

 

[MatsuShimizu]

KeeFarce, that can scoop up your entire vault and save it as plain text for the hacker to retrieve it.

Just to clear things up. KeeFarce works on Windows and can hack Windows users only. Since we are on Linux, we should be fine. Yes, it can hack Keepass just like being described by @stan. This is how it works:

KeeFarce extracts KeePass information straight from memory - gHacks Tech News

The proof-of-concept program KeeFarce allows you to extract KeePass information straight from memory on Windows devices.

www.ghacks.net

For those who are looking for Google Authenticator alternatives, these are the list

On Desktop: Authy, KeepassXC. Authy will sync your accounts online and you can restore them as long as you have your phone number. KeepassXC can be backed up into a USB drive and you can restore your accounts later on.
On Android: Authy, Aegis. All these apps allow backups. Authy will backup your 2FA accounts online, while as for Aegis, you can export them into a .json file and backup.
Learn more about Authy backup here.
Learn more about KeepassXC 2FA TOTP here.

AES vs Blowfish for file encryption. Which one?

AES vs Blowfish for file encryption

I want to encrypt a binary file. My goal is that to prevent anyone to read the file who doesn't have the password. Which is the better solution, AES or Blowfish with the same key length? We can as...

stackoverflow.com

 

[Condobloke]

Blowfish....by Bruce Schneier.....no effective cryptanalysis of it has been found to date.
He designed it in 1993

 

[KGIII]

Bruce himself recommends migrating to twofish. Bluefish has some known vulnerabilities.

 

[MatsuShimizu]

Sorry for digging an old thread. But I found 2 new Linux password managers.

1. AuthPass password manager:
This one has the potential to replace KeepassXC. But I will stay with KeepassXC for a while.

Advantages over Keepass/KeepassXC:
- Encrypt and upload to the cloud.
- Integration with Dropbox, Google Drive, WebDAV.
- Upload the password to Authpass.App.
- Cross platform and available on F-Droid/Android too.

Pros:
It has most, if not all the functions of KeepassXC.
- You can choose to use it offline only.
- Or, if you want to upload online, it will encrypt your passwords locally before uploading to Dropbox.
- It uses KDBX just like Keepass. So if you have a Keepass database, you can open with this program.
- It comes with 2FA TOTP just like Keepass.
- Beautiful interface.
- You can add and arrange groups and select icons for Groups/Entries. Double-click on the entry to change the icon.
- You can unlock the database with a key file. But I don't see any option to choose or create a key file when creating the database for the first time.

Cons:
No password strength meter. KeepassXC has this function.

Full review:

AuthPass is an open source, cross-platform password manager that supports KeePass database files - gHacks Tech News

AuthPass is an open source password manager that supports KeePass database files. It is available for Windows, Mac, Linux, Android and iOS.

www.ghacks.net

Installation:

sudo add-apt-repository ppa:codeux.design/authpass
sudo apt-get update
sudo apt-get install authpass

Documentation and link to support forum: https://authpass.app/docs/

Github page: https://github.com/authpass/authpass/releases/tag/v1.9.22.

Screenshot:

2. Buttercup Password Manager.
The pros:
- Open-source.
- Beautiful interface.
- Integration with Dropbox, Google Drive, WebDAV.
- Can import from other password managers like Keepass, Bitwarden, Lastpass, 1Password.
- Cross-platform.

Cons:
- No 2FA TOTP function. KeepassXC has this. The same goes for Bitwarden Premium.
Download the .appimage file from the Github page here: https://github.com/buttercup/buttercup-desktop/releases/tag/v2.10.0

Homepage: https://buttercup.pw/

Full review:

Buttercup is an open source password manager for Windows, macOS, Linux, - gHacks Tech News

Buttercup is an open source password manager that is available across popular platforms. It is available for Windows, macOS, Linux, Firefox and Chrome.

www.ghacks.net

 

[dcbrown73]

I use BitWarden. I used to use LastPass, but I started working with LogMeIn the company that owns LastPass. Not really a fan of them and when they decided to forced you to start paying for LastPass. I switched to BitWarden and then freely paid BitWarden.

LastPass' integration is more polished than BitWarden, but it is what it is.

 

[KGIII]

Sorry for digging an old thread.

This is exactly the type of old thread to dig up. It helps to keep the information in one place, where people searching can find it.

 

[MihaiXSS]

1. Show us what you have got and why you chose it
Is it free?...or does it cost?
Is it straightforward to install, does it generate passwords for you
Does it automatically either put the password in for you, or have the password easily and quickly accessible from the browser you are in ?

2. Is it reliable?

3. Is it cross platform?

4. Is it secure.....Why?....what makes it so secure?

5. easy to install, easy to import passwords etc from previous passport manager used ?

6. Easy to maintain?...is any maintenance necessary?

7. Does it sync accurately between pc and mobile and/or other device

When passwords are sent to your Bank (or other financial institution) how safe is the transmission of those passwords....are they encrypted using your choice of password manager.....or are they sent as plain text

Keep your answers neat rather than rambling

U can use https://passwordsgenerator.net/ and then save them on text file this could be a another method

 

[Sudo It]

Sorry for digging an old thread. But I found 2 new Linux password managers.

1. AuthPass password manager:
This one has the potential to replace KeepassXC. But I will stay with KeepassXC for a while.

Advantages over Keepass/KeepassXC:
- Encrypt and upload to the cloud.
- Integration with Dropbox, Google Drive, WebDAV.
- Upload the password to Authpass.App.
- Cross platform and available on F-Droid/Android too.

Pros:
It has most, if not all the functions of KeepassXC.
- You can choose to use it offline only.
- Or, if you want to upload online, it will encrypt your passwords locally before uploading to Dropbox.
- It uses KDBX just like Keepass. So if you have a Keepass database, you can open with this program.
- It comes with 2FA TOTP just like Keepass.
- Beautiful interface.
- You can add and arrange groups and select icons for Groups/Entries. Double-click on the entry to change the icon.
- You can unlock the database with a key file. But I don't see any option to choose or create a key file when creating the database for the first time.

Cons:
No password strength meter. KeepassXC has this function.

Full review:

AuthPass is an open source, cross-platform password manager that supports KeePass database files - gHacks Tech News

AuthPass is an open source password manager that supports KeePass database files. It is available for Windows, Mac, Linux, Android and iOS.

www.ghacks.net

Installation:

sudo add-apt-repository ppa:codeux.design/authpass
sudo apt-get update
sudo apt-get install authpass

Documentation and link to support forum: https://authpass.app/docs/

Github page: https://github.com/authpass/authpass/releases/tag/v1.9.22.

Screenshot:

2. Buttercup Password Manager.
The pros:
- Open-source.
- Beautiful interface.
- Integration with Dropbox, Google Drive, WebDAV.
- Can import from other password managers like Keepass, Bitwarden, Lastpass, 1Password.
- Cross-platform.

Cons:
- No 2FA TOTP function. KeepassXC has this. The same goes for Bitwarden Premium.
Download the .appimage file from the Github page here: https://github.com/buttercup/buttercup-desktop/releases/tag/v2.10.0

Homepage: https://buttercup.pw/

Full review:

Buttercup is an open source password manager for Windows, macOS, Linux, - gHacks Tech News

Buttercup is an open source password manager that is available across popular platforms. It is available for Windows, macOS, Linux, Firefox and Chrome.

www.ghacks.net

I've been using keepassxc for a long time and it's the best PW manager I could find. never can trust about online services when it comes to sensitive information

 

[BoringZombie]

I use KeePassXC on an encrypted rugged flash drive. And I keep the password to KeePassXC and the key file on another encrypted rugged flash drive. Both flash drives are encrypted using VeraCrypt.