Kitz Forum
Computer Software => Security => Topic started by: kitz on June 29, 2021, 02:55:21 AM
-
Wondering if those that previously used Lastpass have had to revisit their choice of password manager.
One of the main benefits of a password manager is being able to sync between my phone, tablet & desktop, but a couple of months ago Lastpass changed the ability to do so for their free users. I mostly do everything on the PC, but there have been occasions where I've been caught out and forced to use my mobile.
Has this change made anyone else reconsider their choice of password manager, or have you ended up paying the $36 per year?
I've noticed that Google Chrome has recently started to suggest using their password manager to check the strength of my passwords etc., as it seems to have a record of 4 accounts that I must have let Chrome save at some point, despite the fact that Firefox is my main browser.
Has anyone tried Firefox Lockwise? I do have some doubts about this though, as the standard Firefox browser doesn't seem to cope too well with certain logins such as my Visa... nor my banking, which tends to ask for say the 1st, 2nd and 3rd letters of my password before going through to other checks... but no idea if Lockwise will have the same limitations.
Any other recommendations welcomed please?
-
Let's be honest, there are a lot of logins it's fine to save, but your bank/CC is probably not a great idea anyway.
I save my account number but am fine filling in the rest myself, wouldn't want it to save everything as that's such an insane security risk.
That said, I mostly use my phone as I can log in with a fingerprint. Anyone's guess how safe that is.
-
I've got so many different logins that it's impossible to remember them all. When I was in hospital I couldn't even remember my password for this site to be able to log in. I haven't a hope in hell of remembering some of the more secure passwords I have.
As regards the bank, no, those details are not saved anywhere aside from in my head... but it really did my head in yesterday trying to check my banking, make a payment to my credit card, and change details of the new debit card where I frequently shop. Must have taken me the best part of an hour to do something that should only have taken 10 mins at the most. I felt like I was having to jump through hoops simply because I got a new card, and it involved about half a dozen of those one-time PINs they send to your phone. My Visa login has now got to the point where I do have to refer to something 'on paper' as a reminder.
My bank account requires memorising a 10-digit number, entering 3 random chars from my password, entering 2 security words, then using a small card-sized token generator (it's like a tiny calculator) for which I have to go through about another 2 steps, one of which is entering my PIN, before I get a token code to enter into the website. Yet despite going through all that I still ended up with them sending me passcodes to my phone. It's almost like they are trying to discourage web logins on a desktop and want you to use their app on your phone.
It does worry me, with having a neuro disease and days when I can't remember certain words never mind passwords, that at some point I will forget and not be able to log in when I need to. :/
-
I dumped Lastpass when they recently changed to charging users to use multiple devices.
I now use Bitwarden, and it seems that almost everyone who jumped ship from Lastpass has moved over to Bitwarden.
It was extremely easy to export the Lastpass data to a CSV file and import it into Bitwarden.
-
I've been using https://keepass.info/ for years - it's free. It uses a secure file on your PC (not a cloud service). I use it not only for website passwords, but other personal info such as my NINO, NHS number, WiFi passwords. I have it on multiple PCs (desktop & laptop), and on my phone I use Keepass2Android (https://play.google.com/store/apps/details?id=keepass2android.keepass2android). All the copies are kept in sync via Google Drive. It's not straightforward setting up the linking, but once done it works really well.
Edit: it has import from Lastpass CSV and from Bitwarden JSON and many more.
-
I've used paid Roboform for years at home, took out I think it was a 5 year family plan a couple of years ago, so all the family use it.
I only use Lastpass at work, and that's purely on the PC; had I needed it on mobile I would have changed to something else.
-
I dumped Lastpass when they recently changed to charging users to use multiple devices.
I now use Bitwarden, and it seems that almost everyone who jumped ship from Lastpass has moved over to Bitwarden.
It was extremely easy to export the Lastpass data to a CSV file and import it into Bitwarden.
Thanks, Chenks.
Probably didn't look at my Lastpass emails properly, as I'm still using Lastpass on an iMac and my Android phone, but I might be paying through the nose for the pleasure. Will take a look at Bitwarden.
-
I dumped Lastpass when they recently changed to charging users to use multiple devices.
I now use Bitwarden, and it seems that almost everyone who jumped ship from Lastpass has moved over to Bitwarden.
It was extremely easy to export the Lastpass data to a CSV file and import it into Bitwarden.
+1 for Bitwarden here :) Already use it at work, after migrating from LastPass (before all the latest changes), and like chenks says, the import/export was simple.
Will be moving my personal stuff there too when time allows!
-
Does Bitwarden work when you have no Internet connection?
-
Does Bitwarden work when you have no Internet connection?
I can't speak for the mobile app, but the desktop app does.
-
Does Bitwarden work when you have no Internet connection?
Yes, as the data is synced to devices; the only time it uses the cloud is to check for changes.
-
Just switched to Bitwarden from 1Password as the former is free.
I think 1Password is slicker and I love their team but money saved is money saved.
-
Bitwarden also gives you the option to self-host rather than use Bitwarden's cloud service.
-
RoboForm has been great for me over Windows and Apple devices.
-
I've been using https://keepass.info/ for years - it's free. It uses a secure file on your PC (not a cloud service). I use it not only for website passwords, but other personal info such as my NINO, NHS number, WiFi passwords. I have it on multiple PCs (desktop & laptop), and on my phone I use Keepass2Android (https://play.google.com/store/apps/details?id=keepass2android.keepass2android). All the copies are kept in sync via Google Drive. It's not straightforward setting up the linking, but once done it works really well.
Edit: it has import from Lastpass CSV and from Bitwarden JSON and many more.
This as well. It seems everyone wants to use cloud-based services; I prefer local services that don't use the internet at all.
-
But if you're syncing via Google Drive then you are using the cloud.
Also, if your device fails then surely you want your passwords saved somewhere to be able to restore them.
-
I don't put the password file on there either, but it is a good point to others who may not realise that.
When I found out my Chrome had shared a lot of old passwords with Google cloud services I wasn't very happy.
-
I've been using https://keepass.info/ for years - it's free. It uses a secure file on your PC (not a cloud service). I use it not only for website passwords, but other personal info such as my NINO, NHS number, WiFi passwords. I have it on multiple PCs (desktop & laptop), and on my phone I use Keepass2Android (https://play.google.com/store/apps/details?id=keepass2android.keepass2android). All the copies are kept in sync via Google Drive. It's not straightforward setting up the linking, but once done it works really well.
That is exactly what I do. I chose KeePass a long time ago when it was the only (?) file based app that was available on Linux, Android and Windows.
-
When I found out my Chrome had shared a lot of old passwords with Google cloud services I wasn't very happy.
I use Chrome as a password manager. Can you say more about how Chrome had shared your passwords?
-
It does worry me, with having a neuro disease and days when I can't remember certain words never mind passwords, that at some point I will forget and not be able to log in when I need to. :/
I'm not sure it's still the case, but my mum went through a period where every single time she needed to log in to her bank she had to reset the password as she had forgotten it, even though she writes them down (with nothing to indicate which is which).
She doesn't use any password manager though, as she's wary of them. So there's only Netflix, Disney+, etc. that I saved for her, as they are my accounts.
-
But if you're syncing via Google Drive then you are using the cloud.
Also, if your device fails then surely you want your passwords saved somewhere to be able to restore them.
So if you don't trust Google etc. use your own FTP site with synchroniser apps to update the local copies.
-
I use Chrome as a password manager. Can you say more about how Chrome had shared your passwords?
Yeah sure.
So I used to use Chrome years ago and was letting it store (some of) my passwords (I never let browsers store banking/finance passwords). Then earlier this year I decided to let Google's Android password manager store 2 passwords on a new phone for a couple of apps. Shortly after that Google sent me an email saying they had found compromised passwords from all sorts of accounts, and after a while I figured out what had happened: they were checking the passwords I had stored in Chrome ages ago, as I noticed many were out of date and no longer worked.
-
Aren't the password stores on Choogle and Grome the same thing?
-
So if you don't trust Google etc. use your own FTP site with synchroniser apps to update the local copies.
I wasn't commenting about trust.
I was simply commenting that the original post said it didn't use the cloud, yet later on said it synced to Google Drive (which is the cloud).
-
Aren't the password stores on Choogle and Grome the same thing?
I would have thought so, as all that Chrome is doing is syncing your data to your Google account.
-
It only syncs to Google if you put the file in a Google Drive directory (or OneDrive etc.) - it only uses what it sees as local files. I've only started syncing between devices recently; before then it was on my NAS.
-
Aren't the password stores on Choogle and Grome the same thing?
They are, but that wasn't obvious to me. E.g. on my phone I was never told it would be using a cloud sync service, therefore I assumed it was only locally stored.
I am aware of course that Chrome offers a sync service for the browser configuration. That was typically disabled, but there was one occasion when I was trying to migrate a profile to another PC (they now block just copying your user profile folder offline) and I tried to use the sync service, which failed miserably. I expect it was at that moment that those passwords got uploaded; this was several years ago now, and Google waited until I authorised the password save on the Android device to alert me to what they did.
-
Our family all use Dashlane (https://www.dashlane.com/plans/family), works pretty well on most platforms. It syncs well and has a good password sharing system so you can manage passwords you have shared with other users, and has browser integration across different browsers.
Couldn't do without it tbh
It's not free unless you use for one device and less than 50 passwords though
-
Our family all use Dashlane (https://www.dashlane.com/plans/family), works pretty well on most platforms. It syncs well and has a good password sharing system so you can manage passwords you have shared with other users, and has browser integration across different browsers.
Couldn't do without it tbh
It's not free unless you use for one device and less than 50 passwords though
Sounds pretty much identical to Bitwarden, except Bitwarden is completely free and open source.
-
I've been watching this with interest. One thing: does anyone here have any experience of KeePassXC? It seems to be a *nix version with a Qt interface.
Stuart
-
I use KeePassXC. It's available for Windows, macOS and Linux. I think there may be a compatible app for Android, but I'm not certain about that.
As far as I'm concerned, it's just what I need, but I don't use any of its advanced features.
-
I also use KeePassXC, having migrated from Lastpass in 2015 after they had a security breach and I decided it perhaps wasn't the best idea to have a database of all my passwords online. I'm pretty happy with it. The only more advanced feature I use is the built-in timed OTP store, which is pretty handy for a few websites that insist on two-factor authentication but, in my opinion, don't really warrant it (the browser extension can fill in username, password and one-time password in one fell swoop, saving having to mess around with my phone). I believe other password managers are starting to have this feature now too, though. I use Keeper at work (which my employer pays for), which also has TOTP support.
-
Isn't fully automating OTP weakening its security?
-
Isn't fully automating OTP weakening its security?
Absolutely! I'm well aware that if my password database is compromised, full access to the sites within will be gained. My personal use case for this is for websites that insist on two-factor authentication but in my opinion do not warrant it (e.g. online forums). I do not use it for online banking (which uses SMS to my phone for OTPs) or Gmail (which uses push notifications to my phone), for example.
I would add that it is relatively unlikely the database will be compromised, as it is protected by a strong diceware passphrase and is stored locally on my desktop PC, which has full disk encryption (using another strong diceware passphrase) and is locked in my house. It is perhaps also of note that TOTP isn't technically 'something you have' for two-factor authentication, as it is merely a long passphrase that is used along with the current time by an algorithm to generate the codes you see. Anyone that has the passphrase, of which unlimited copies could be made (or which in principle could be memorised by someone), can generate the OTP codes. A better example of 'something you have' would be a private key on a smart card, which in principle cannot be duplicated.
-
Indeed, it's quite amusing, as I believe a couple of MMORPG games have better OTP security (as you can order such a device) than far more important services.