serenacat 83 Posted ...
This article prompted me to review my password handling:
http://arstechnica.com/security/2016/10/breach-exposes-at-least-58-million-accounts-includes-names-jobs-and-more/?comments=1&start=40
Requirements are:
1. Open source with ability to build from source for MS Windows 7+, Linux Mint 18 (ubuntu, debian), Android 5.1+. May well have to trust crypto library.
2. Cross platform portability of encrypted store between above 3 at least, requires compatible crypto implementations. Synchronisation via cloud okay.
3. Reasonable ease of use in Firefox, Chromium web browsers, without opaque addon.
4. Addition of extra text for free form security questions, notes, other interaction refs, etc.
5. Reasonable installed base and updates and support facilities rather than likely orphan.
After a bit of brain numbing research, I am leaning toward KeePass http://keepass.info/
I did search Air forums for "Password Manager" but nothing found ...
Without "giving away" exactly what you do and use, does anyone have useful info about KeePass or alternatives?

me.moo@posteo.me 80 Posted ...
For what it's worth I use msecure because it was the only one that ticked all my boxes at the time - mainly because it works on Windows & Android and synchronizes automatically using dropbox or wifi. It isn't open source. I wasn't using Linux then and unfortunately there isn't a Linux version. So I run Win7 in a VM solely for the purpose of running msecure and it syncs through dropbox perfectly and quickly.

OpenSourcerer 1450 Posted ...
KeePass was installed on the notebook I got from my company. I'm using it but it's rather a reminder what password I used where. You can probably extend it with sync and all the features you want by adding plugins.
NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.

serenacat 83 Posted ...
"KeePass was installed on the notebook I got from my company." - that is a positive recommendation.
I have noted that KeePass development appears to be in Germany, and Awards has
"KeePass is the recommended password manager in the BSI Cyber Security Recommendations BSI-E-CS 001/003 1.4 by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik)."
Also the Keepass2Android port is developed in Germany.
In addition to what appears to be expert professional developers without a marketing/venture capital dominance (like what has happened to AVG), it appears to fall outside the shadowy USA world of FISA and NSA etc, and odd American psychoparanoidsexualpoliticoaggros (hi Donald, potus in the pussy).

OpenSourcerer 1450 Posted ...
""KeePass was installed on the notebook I got from my company." - that is a positive recommendation."
Just to agree with your positive recommendation, consider that my company sees it as absolutely mandatory to apply full disk encryption on all devices used inside the company's WAN and full disk erasure when you don't want, need or can't use your device any more (usually done with dban).
A few notes regarding password managers on Android. I read somewhere to avoid them, I think it was because of how all of them, including KeePassAndroid, operate. Not sure if it was an OS restriction...
Can you believe that? I've got a full browsing history started more than two years ago and I can't find shit if I accessed something more than six months ago. Rip.

Chino 2 Posted ...
Well, I usually do recommend KeePass to my family and friends.
You can use it cross-platform on Linux (KeePassX), Windows (KeePass 2.x) and Android (Keepass2Android). For Desktop OS there is also a Firefox plugin. I don't recommend that because of some risk (I can't remember right now, but you can look it up yourself).
Also you should reconsider cloud storage. Giving all your passwords away (even if encrypted) is a risk.
"A few notes regarding password managers on Android. I read somewhere to avoid them, I think it was because of how all of them, including KeePassAndroid, operate. Not sure if it was an OS restriction..."
Maybe it had something to do with Android Keyboard remembering all your text. Also I do not trust Google. They may have a backdoor to get on all that content as well. I recently found out all my voice to text messages were saved in my Google Account. Who knows what else they save. You can't know for sure.

OpenSourcerer 1450 Posted ...
"I recently found out all my voice to text messages were saved in my Google Account"
If you use Google TTS, yes. It's even preinstalled on the smallest GApps packages for custom ROMs... Pico doesn't do that but it's of course inferior to Google.

Guest Posted ...
I personally use http://www.passwordsafe.de/ primarily due to it being local and not sync'd to a server or something including it being able to sync to your mobile devices as they have an app for it there too

serenacat 83 Posted ...
From the Keepass2Android more details:
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
"A German research team has demonstrated that clipboard-based access of credentials as used by most Android password managers is not safe: Every app on your phone can register for changes of the clipboard and thus be notified when you copy your passwords from the password manager to your clipboard. In order to protect against this kind of attack, you should use the Keepass2Android keyboard: When you select an entry, a notification will appear in the notification bar. This notification lets you switch to the KP2A keyboard...."
But who knows if Google give themselves the privilege of copying the entries, possibly with an api facade shim?
As an individual citizen, the unknown potential for abuse or hacking seems nasty, but how do large enterprises such as Citibank or Siemens deal with this?

OpenSourcerer 1450 Posted ...
Thank you, serenacat, this was it!

serenacat 83 Posted ...
Just logged in to Airvpn using the KeePassX OpenURL/Autotype commands to Firefox on Linux Mint on VirtualBox using the database created with KeePass on Windows7. Not using any FF addon.
The database is in a folder under my C:\Users on ntfs, mounted as a shared folder by VB for Linux access, so no synch required. Concurrent access is assumed ok, and not really contention. Neatas.
Linux Mint 18 Software Manager found keepassx in its repositories and no fuss install. The Windows version is 2.34, and KeePassX says its version is 2.0.2 but they may be forked?
Setting up on Android may provoke some more sniffing and poking about.

Chino 2 Posted ...
Originally KeePassX was called KeePass/L for Linux since it was a port of Windows password manager Keepass Password Safe. After KeePass/L became a cross platform application the name was not appropriate anymore and therefore, on 22 March 2006, it was changed.
Since KeepassX is a port, version numbers differ a bit. Both have version 2.x in common. KeePass version 1.x handles .kdb files. Keepass v2.x can additionally handle the .kdbx files.

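As an added example (not part of any post in this thread): a short Python check that tells a KeePass 1.x .kdb file from a 2.x .kdbx file by its unencrypted header, which is useful before sharing one database between KeePass and KeePassX as described above. The signature constants are the published KeePass header values; the function names and sample headers are constructed for illustration.

```python
import struct

# First magic number, shared by .kdb and .kdbx files (little-endian, offset 0).
SIG1 = 0x9AA2D903
# Second magic number (offset 4) distinguishes the container format.
SIG2_FORMATS = {
    0xB54BFB65: "kdb (KeePass 1.x)",
    0xB54BFB66: "kdbx pre-release (KeePass 2.x beta)",
    0xB54BFB67: "kdbx (KeePass 2.x)",
}


def identify_keepass(header: bytes) -> dict:
    """Classify a database from its first 12 bytes; nothing is decrypted."""
    if len(header) < 8:
        return {"format": "unknown", "reason": "truncated header"}
    sig1, sig2 = struct.unpack_from("<II", header, 0)
    if sig1 != SIG1 or sig2 not in SIG2_FORMATS:
        return {"format": "unknown", "reason": "bad signature"}
    result = {"format": SIG2_FORMATS[sig2]}
    if sig2 == 0xB54BFB67 and len(header) >= 12:
        # KDBX stores the format version as uint16 minor, then uint16 major.
        minor, major = struct.unpack_from("<HH", header, 8)
        result["kdbx_version"] = f"{major}.{minor}"
    return result


def identify_file(path: str) -> dict:
    """Read only the header bytes of a database file and classify it."""
    with open(path, "rb") as fh:
        return identify_keepass(fh.read(12))


# Constructed sample headers (not taken from real databases).
SAMPLE_KDBX_31 = struct.pack("<IIHH", SIG1, 0xB54BFB67, 1, 3)
SAMPLE_KDB = struct.pack("<II", SIG1, 0xB54BFB65) + b"\x00" * 4
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("kdbx", SAMPLE_KDBX_31), ("kdb", SAMPLE_KDB),
                       ("zip", SAMPLE_ZIP), ("short", b"\x03\xd9")]:
        print(name, identify_keepass(blob))
```

The KDBX format version reported here is the container version, which is separate from the application version numbers (2.34, 2.0.2) compared in the thread.
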
pr1v 36 Posted ...
Password Manager choices?: my mind is the best. I can't trust in password managers, if this only password is cracked then all my passwords are exposed.

Chino 2 Posted ...
"if this only password is cracked then all my passwords are exposed."
That is why you should choose an extra strong passphrase. On the other hand, you can't remember strong passwords for every site you signed in. So overall you win more than you could possibly lose.

pr1v 36 Posted ...
"if this only password is cracked then all my passwords are exposed."
"That is why you should choose an extra strong passphrase. On the other hand, you can't remember strong passwords for every site you signed in. So overall you win more than you could possibly lose."
I remember them and I always use 2FA. Passwords only is not a good choice nowadays.

serenacat 83 Posted ...
This OpenURL, Autotype facility makes it too easy to login and turn a forum into a chat room, but the topic is relevant for security aware users.
The original ars technica article prompted me to review my previous method which was to note login names, passwords, and other details in the Properties/Description field of my Firefox bookmarks.
Convenient but different bookmark files for W7, LM, Android browsers, and no use of cloud sync but local file transfer for security.
But inconvenient for more frequent password changes, and difficult Android use.
I encoded ids and passwords using my own transposition cipher between keyboard key positions, held in my head, so not completely weak.
I had started this technique in client sites as a software development contractor 30 years ago because it did not require any software running on their systems, so worth a mention. Even wrote a program run at home to encrypt pasted text or file and print as a weird page of ascii printables for any info.

Chino 2 Posted ...
"I remember them"
I've well over a hundred entries in my KeePass, every password at least 16 digits and every entry has a strong unique password. Good job trying to remember them all.
OTP is a good way of securing some important accounts, but not every site provides that. It's more the contrary. There is a website with a collection of all of the sites with 2FA. Their list is not very long. Matter of fact, I don't think even here you can have 2FA. -> Looked it up: No you can't. https://twofactorauth.org/
I think also this is a good read. It's what opened my eyes regarding this topic:
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

pr1v 36 Posted ...
Think about it: only 1 vulnerability in your password manager and all your passwords will be exposed. Is it hard to find vulnerabilities in programs today? It has happened and it will happen again.

Chino 2 Posted ...
While this is true, it is a bad way to look at things. If everything that could be breached "someday" is bad, it doesn't make sense to use it at all. This can be expanded to almost all things in life. Like don't go out on the street, you could have an accident.
With pw-managers of course you need to be cautious where to store your encrypted file. This is why I didn't recommend putting it up on Dropbox for example. As another example, I would never open my keepass file in Windows. But that's just me.
Everyone should decide for themselves which software they trust and how high their security requirements are.
For most security software you can say: If you use it smart, it will enhance your security.

pr1v 36 Posted ...
"While this is true, it is a bad way to look at things. If everything that could be breached "someday" is bad, it doesn't make sense to use it at all. This can be expanded to almost all things in life. Like don't go out on the street, you could have an accident."
No, because we're talking about ALL your passwords being exposed/stolen, with only 1 vulnerability in only 1 program. Is it worth it? I don't think so. Recently it happened. And we are talking about many important services: banks, stores, etc... being stolen by only 1 vulnerable program. Anyway I always use 2FA in all my services (email, bank, stores, etc).

boblyrobly 1 Posted ...
http://masterpasswordapp.com

OpenSourcerer 1450 Posted ...
"http://masterpasswordapp.com"
This sounds interesting. Going to try this out. Thank you very much!