
Thread: Which Password Manager?

  1. #1
    Senior Member

    Which Password Manager?

    I don't think we've done this subject for a while, and as goalposts keep moving (thanks, Lastpass) I thought maybe now was a suitable time.

    And in one of those weird and utterly coincidental coincidences, I'm in the final stages of testing to make sure my new one isn't going to bite me in the rear end.

    As changing (thanks again, Lastpass) can be a right pain, I thought I'd also bounce my choice off you guys (using the term in a gender-neutral way) in case there's a gotcha I've missed.

    So what do you prefer, and why?

    My criteria were :-

    - prefer free, but will buy if need be to get the right package. This is important.
    - I hate subscription services
    - I loathe credit card auto-renewal
    - I will do both the above if it's really necessary,
    - obviously, reliability and security are critical for a PW manager
    - I want my password database held locally, not on a remote server.
    - must support 2FA. In my case, Yubikey.

    So, I tried all sorts but as my old one effectively died (development ceased years ago) I finally bit the bullet, rummaged around and it looks like being KeepassXC.

    Prime candidates included Bitwarden, Roboform and a number of others.

    Anyone know of a good reason not to settle on KeepassXC? Got any better suggestions? I'd rather change tack now than get everything set up and tested then have to do it again (third and last time for .... thanks ever so much, Lastpass, which I had just finished setting up when you messed it up for me).
    A lesson learned from PeterB about dignity in adversity, so Peter, In Memoriam, "Onwards and Upwards".

  2. #2
    Banhammer in peace PeterB kalniel's Avatar

    Re: Which Password Manager?

    Changing from LastPass is pretty painless actually - it exports a database in CSV I think and just about every other manager can import that database.

    For your needs I'd tend to agree about KeePassXC - in particular your requirement for a locally held database. Others, like Bitwarden, Google, Firefox, Roboform etc. store it remotely, which is a boon for synch'ing across multiple devices but that's not your use case.

  3. #3
    Senior Member

    Re: Which Password Manager?

    The CSV thing doesn't always go smoothly, though, and can lead to a fair bit of tidying up. But in my case, most of my stuff was still in the manager that stopped developing years ago, and that I was in the process of moving to Lastpass. But there's a lot of dross in there too, so I'm doing it all manually in order to, first, weed out the stuff I no longer need, and second re-visit my idea of suitable passwords, especially given the Yubikey, so I want to manually reverify each login as I set it up. I'll end up with a more secure password in use, and at the same time, thin down what I actually need in there. It's a pain, but way overdue.

  4. #4
    Banhammer in peace PeterB kalniel's Avatar

    Re: Which Password Manager?

    Makes sense, as per another Hexite's experience, be careful with whatever editing tool you're using to make sure it doesn't do any autocorrection/formatting! Depending on the UI, it might be better to do the clean out within LastPass or KeePassXC instead.

  5. Received thanks from:

    Saracen999 (14-07-2021)

  6. #5
    Senior Member

    Re: Which Password Manager?

    Going old school, Kal .... manually with Ctrl-C and Ctrl-V.

  7. #6
    Registered+

    Re: Which Password Manager?

    I don't use the online ones. I use KeePassXC; I find it pretty good, and have been using it for a while now. You can set it up to autofill on browser etc, but I mostly don't bother. I say stick with it. You can even set it up to support 2FA on sites so you don't need to use a phone / Authy, but I've never tried that feature.

  8. Received thanks from:

    Saracen999 (14-07-2021)

  9. #7
    Missed by us all - RIP old boy spacein_vader's Avatar

    Re: Which Password Manager?

    KeePassXC with Yubikey is what I've been using the past few years, never had a reason to change.

  10. Received thanks from:

    Saracen999 (14-07-2021)

  11. #8
    RIP Peterb ik9000's Avatar

    Re: Which Password Manager?

    pen and paper? statistically safer than storing digitally I'm told - so long as not kept in your actual wallet when you're out and about.

  12. #9
    Chaos Monkey Apex's Avatar

    Re: Which Password Manager?

    KeePassXC for me.

  13. Received thanks from:

    Saracen999 (14-07-2021)

  14. #10
    Senior Member

    Re: Which Password Manager?

    Originally posted by ik9000:
    > pen and paper? statistically safer than storing digitally I'm told - so long as not kept in your actual wallet when you're out and about.

    I hear you, and yeah, probably safer .... sorta. But, where do you keep the paper? If not in a safe it's not .... ummm .... safe? And if it is, I'm supposed to unlock the safe every time I want to i-visit a site that requires login credentials?

    So yeah, I'm naturally sympathetic to that but, unfortunately, I'm also turning into a lazy barsteward in my dotage and I think in that case, the balance between safety and convenience doesn't go quite that far towards safety.

    But that is one reason (though not the only one) for a decent modern PW manager - a honking great long password for sites (one each, I mean), and a substantial one with 2FA to get into the PW manager in the first place.

  15. #11
    Registered+

    Re: Which Password Manager?

    I actually had an idea to engrave the more important stuff on a piece of metal. Making it at the very least fire resistant.

    Then I realized I don't actually have anything of value to do that on. £200 of BTC doesn't really count.

  16. #12
    Missed by us all - RIP old boy spacein_vader's Avatar

    Re: Which Password Manager?

    Originally posted by Saracen999:
    > I hear you, and yeah, probably safer .... sorta. But, where do you keep the paper? If not in a safe it's not .... ummm .... safe? And if it is, I'm supposed to unlock the safe every time I want to i-visit a site that requires login credentials?
    >
    > So yeah, I'm naturally sympathetic to that but, unfortunately, I'm also turning into a lazy barsteward in my dotage and I think in that case, the balance between safety and convenience doesn't go quite that far towards safety.
    >
    > But that is one reason (though not the only one) for a decent modern PW manager - a honking great long password for sites (one each, I mean), and a substantial one with 2FA to get into the PW manager in the first place.

    Also manually generated passwords tend to be a lot less random than computer generated ones.

  17. #13
    RIP Peterb ik9000's Avatar

    Re: Which Password Manager?

    Well that's your problem right there. Just use the same 3 digit password for all sites then it's easy to remember. Something that you're not likely to forget like "the" or "and" etc. Things starting with a are best cos then if you forget it somehow you have a better chance of brute forcing it using a script that you can find online. So handy what you can do these days.

  18. #14
    Senior Member

    Re: Which Password Manager?

    Originally posted by ik9000:
    > pen and paper? statistically safer than storing digitally I'm told - so long as not kept in your actual wallet when you're out and about.

    I do actually keep a couple of PIN codes written down.

    But .... not in a way that will mean anything to anybody else. Picture it this way .... a block of random numbers 50 columns wide, and 50 columns deep. In there is a PIN. But it is not necessarily in a block of four, not necessarily read left to right, and there isn't just one block of 50x50 numbers. And they're in a safe.

    I think that's pretty secure ... for PINs.

    Mostly, I use these PINs from memory. But some aren't used very often, and I have had occasions in the past where I struggled to remember an infrequently used one. Hence ... written down. But first, someone has to know they exist. I guess I shot that one down with this post. Second, I didn't say where the safe is. Hint - not at my home. Third, getting into the safe. Fourth, picking the right sheet for the PIN to be in it. And fifth, picking the correct location in that block of 2500 numbers, for each digit. And knowing how many digits. And in which order.

    Those last few bits aren't written down anywhere. They are in my head. Which you might think is kinda circular, since it was failing to remember the numbers that started me down this rabbithole in the first place. However, I am not hugely good at it but I use the memory-palace idea to remember how to find the correct number in the correct sequence. I'm not good enough to remember the damn numbers, but I am good enough to remember the clues I use for positioning, if that makes sense. It's all a gigantic pain in the rear end.

    Also, this is viable for remembering a PIN if my memory fails me, but if used for everyday passwords to websites or online services would be the password equivalent of the HHGTTG locating of plans for the hyperspace bypass in a planning department in the town hall of an alien department in a far-flung star system, in a third level sub-basement behind the door marked "Beware of the Panther".

    For my day to day needs, I start from a couple of premises. First, I'm protecting against casual hackers, maybe even passing fairly serious criminal hackers but I'm not protecting against state level actors. If the NSA or some inimical other intelligence agency with access to bleeding edge supercomputer power really want to crack the encryption to my password manager, they probably can, but the cost in electrical power to them of doing so is going to exceed anything they can rip off from me, unless their target is my recipe collection and access to my grandma's secret baked bean casserole recipe.

    For anybody else, my logic is that they won't have access to the computing power necessary (if even the NSA have it, which I don't know but wouldn't assume they don't) to crack the password manager's encryption, then there is a relatively small attack surface to get at the passwords. Two weaknesses exist. First, somehow getting in-between my password manager and the login dialog when the password manager accesses a given service, and second, getting the PW manager's master password. That latter is, needless to say, as secure as I can get it while still being practical for me to access (and hence, Yubikey and/or other TFA, etc).

    Ultimately, 100% security doesn't exist. You can only even remotely sensibly only go so far. I mean, I could copy my PIN codes onto paper, encase that in plastic, put it inside a stainless steel box, inside a tupperware container and bury it in the back garden. Of my neighbour. It'd be pretty secure, but a bit of a nuisance to access.

    My biggest single premise for security is that I don't have anything sufficiently worth protecting to keep out the kind of people likely to be able to get through a decent PW manager, and those that might try (casual passing hackers) can't, and almost certainly won't have physical access to get at my written backup, even if they knew it existed and how to use it if they did.

    In other words, those that maybe could have no reason to want to, and those that maybe have reason to want to, can't.

  19. #15
    Registered User

    Re: Which Password Manager?

    I used to use LastPass Free for years until they recently made it more limited to a single device type, and I use password managers on my phone and laptop/PCs.

    If I paid for one it would probably be Bitwarden, but I looked around a bit more and found BitwardenRS, a third party implementation that you can host in your own server/PC.

    This has now been renamed to VaultServer. There is a Docker container for it to make it super easy to set up.

    I run it on my home server and use an nginx reverse proxy with HTTPS with an auto renewed free Let's Encrypt SSL certificate.

    On my phone I have the standard Bitwarden app, and on my laptops and PCs I use the standard browser extension.

    You can specify in the app/extension to point it at your own Bitwarden server, i.e. the hostname associated via nginx, and hey presto, free password manager, available remotely, hosted at home, sync'd to your devices.

  20. Received thanks from:

    Saracen999 (30-07-2021)
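
The reverse-proxy arrangement described in post #15, sketched as an nginx configuration. This is an added example, not the poster's own configuration; the hostname `vault.example.net`, the ACME webroot path and the upstream address `127.0.0.1:8080` are assumptions.

```nginx
# Added example: hostname, webroot and upstream address are assumptions.

# Plain-HTTP listener: answer ACME HTTP-01 challenges so the certificate
# can renew automatically, and redirect everything else to HTTPS.
server {
    listen 80;
    server_name vault.example.net;          # placeholder hostname

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;          # assumed webroot used by the ACME client
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS listener: terminates HTTPS and forwards to the password server,
# which is assumed to listen on the loopback interface only.
server {
    listen 443 ssl;
    server_name vault.example.net;

    # certbot's default layout for issued certificates
    ssl_certificate     /etc/letsencrypt/live/vault.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.net/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers and clients to refuse plain HTTP for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed container port, bound to loopback
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Publishing the container's port on 127.0.0.1 rather than on all interfaces keeps the vault reachable only through the TLS listener.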

  21. #16
    Senior Member

    Re: Which Password Manager?

    An interesting option I hadn't considered. I think my only reservation would be about the third party in "third party implementation". But unless it's an entirely open source product heavily scrutinised by the community, that will be a reservation for any product (short of writing it myself). That was the mistake LastPass (IMHO) made, just as WhatsApp did, driving loadsa people to Signal, Telegraph, etc .... user trust, user confidence, whatever you call it. For a password manager, who do you trust?
