The best and most secure password manager

  • Thread starter EngWiPy
In summary: For a long time, 1Password has been considered one of the best password managers available. It is very secure and has a free trial so you can see if it is the right solution for you.
  • #71
harborsparrow said:
The accounts I have read all emphasize that some of the IP (intellectual property) of the company was also stolen, and researchers have specifically warned that they expect information from the breach will be used to further probe the company's defenses. I take that seriously. It clearly wasn't just the open source portions of the code that were taken. https://www.darkreading.com/cloud/lastpass-data-breach-source-code-stolen
Good point. It might help them to get other information from a website that has passwords. My point about open source is that the code alone is probably not a problem, whether open or proprietary.
  • #72
This is why "security by obscurity" is a bad idea. One should design a system that is secure even if a bad actor has the complete source code. Because sooner or later, he will.
  • #73
Here's a passage from the linked article.
"An additional consequence that can occur from stolen or leaked source code is that this code can disclose secrets about an application's architecture," he said via an emailed statement. "This may reveal information about where certain data is stored and what other resources an organization may use. These factors could then equip bad actors to inflict additional harm on an organization after the fact."
Hasn't it been the mantra of security experts since the dawn of time that security via obscurity doesn't work? If it's really secure, the source code could be published. That view is subject to criticism, but so is the opposite view that stolen or leaked code must be a risk.

Edit: I see that two others posted that point before I did. Oh well.
  • #74
There are good reasons to keep the source code private - e.g. "we plan to sell the object code". Security is just not one of them.
  • #75
sysprog said:
7-zip is open source, and can use AES-256, which is strong.
7-Zip used to be insecure (the main programmer wouldn't fix old security flaws regarding encryption). I would suggest the use of a password manager instead.

Passwords are becoming obsolete nowadays. At the very least, I suggest using 2FA or MFA for important accounts, like your email account, from which a malicious hacker could get control over most of your accounts. Do not use SMS authentication; rather, use a hardware dongle with FIDO capability.
  • #76
fluidistic said:
Do not use SMS authentication; rather, use a hardware dongle with FIDO capability.
I get your point — even the phone can be hacked, and then the SMS or email authentication will not provide any safeguard. But a physical key has a few limitations. First, the cost. Secondly, there is a finite probability of losing it, which means that it will be safer to attach two keys to each account so that there will be one for backup. But that adds more to the cost.
 
  • #77
harborsparrow said:
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
When you find a perfect system free from risks, be sure to let us know.
  • #78
fluidistic said:
I suggest using 2FA or MFA .
The problem with 2FA is that most use your cell phone, which makes losing it even more of a crisis.

There is a complex optimization problem involving security, convenience, reliability, cost, etc.
 
  • #79
The problem with SMS as 2FA is not getting your phone stolen (after all, it should be encrypted unless you're Evo Morales); it's that you open yourself to SIM swapping attacks, where a malicious person impersonates you in a phone call, saying he lost his phone, and then gets a new SIM card with your number, gaining access to your second factor.

Yes, getting dedicated hardware for security isn't free, maybe from around 20 USD up to 250 USD. But it may still be worth it. There are several types of them, and losing one of them may have different consequences.

I use one such piece of hardware; it's just a password plus having to press a button on that hardware. If I lose my cell phone, I don't lose access to any of my accounts. If I lose this special hardware, I'd need to buy a new one (and insert a seed phrase that I backed up in different physical places in case of an H-bomb attack).
  • #80
harborsparrow said:
My understanding is, they copied a portion of the source code. That would certainly be enough to cause me to stop using the product at this time, in an abundance of caution.
What would give me pause about using Lastpass is the number of security issues the company has had over the last decade or so.

https://en.wikipedia.org/wiki/LastPass#Security_issues

Perhaps it's unfair of me, but it doesn't inspire confidence in the security of their code.
  • #81
vela said:
is the number of security issues the company has had over the last decade or so.
Would it make you feel better if they didn't report them?
  • #82
I've said this before: by nature, a password manager company has a big red target painted on it because of the high value of the data it is managing. As vela wrote, I too find it appalling that they allowed their code to be grabbed. Somebody just screwed up, big time.
 
  • #83
harborsparrow said:
I've said this before: by nature, a password manager company has a big red target painted on it because of the high value of the data it is managing. As vela wrote, I too find it appalling that they allowed their code to be grabbed. Somebody just screwed up, big time.
It's a trade-off. Using one main password to encrypt many diverse passwords (I have over 100 of them) can have some security benefits. IMO, it is inevitable for an average person with a large number of passwords to get a little careless with them. A password manager company can use some very good methods to protect the set of passwords. For instance, they could use a master password that is over 50 random characters long and only stored on the user's computer.
  • #84
FactChecker said:
IMO, it is inevitable for an average person with a large number of passwords to get a little careless with them.
As a sysadmin and programmer, I am "an average person" with literally hundreds of passwords, some really important. When the world got to where we had to use unique passwords everywhere, I started using a system of templates and hints that is entirely personal to me. I don't think it likely that anyone will be able to decipher my system, and they allow me to use complex, unique passwords for everything. I write my hints down publicly, but I've never told a single soul what they mean.

I debated the password manager, but it just doesn't make sense, IMO, to put all one's eggs in one basket. And I want this information under MY control rather than some anonymous programmer's. I am forced to change passwords from time to time, and so far, my hint system has held up.

To each their own in this matter!
 
  • #85
Many security systems use publicly available algorithms to encrypt their data. Keeping the algorithm secret is not essential for their success. Their strength is in things like using random keys that are very unlikely to be guessed, multi-factor authentication, public/private key encryption, etc. I believe that some companies are already adopting methods to prevent quantum computers from breaking their codes.
 
  • #86
Why should their code even be stored on an internet-accessible computer? Yes, it would be less convenient for programmers, but if I were managing such a company, that code would not have been stored anywhere that it COULD be stolen without physical access. Of course, we don't know how it was stolen, but just saying.
  • #87
harborsparrow said:
Why should their code even be stored on an internet-accessible computer? Yes, it would be less convenient for programmers, but if I were managing such a company, that code would not have been stored anywhere that it COULD be stolen without physical access. Of course, we don't know how it was stolen, but just saying.
At the same time, we also have open-source password managers like Bitwarden. So, security can be tight even if the code is public. But if the code is regarding something on their server setup (for example), then that definitely shouldn't be kept on a server that has internet access.
  • #88
  • #89
The report back in August was dire enough due to this phrase: "cloud storage access key and dual storage container decryption keys were obtained"

This tells me off the bat that they are using the cloud, which frankly I find horrifying. How much software exists in the cloud that is not under LastPass control? How can they advertise that their product is secure if they are using cloud-based servers? It boggles the mind.
 
  • #90
I use KeepassXC since 2015.
  • #91
I feel better and better about my hardcopy notebook. :smile:
  • #92
harborsparrow said:
This tells me off the bat that they are using the cloud, which frankly I find horrifying.
Oh no, a cloud-based password manager is using the cloud: why weren't we told? Good job we are safe on forums like PhysicsForums, no cloud-based nonsense here. Connecting computers together and storing stuff on them is all very well, but it would be stupid to allow anyone to access any of it.

Oh wait.
  • #93
phyzguy said:
I feel better and better about my hardcopy notebook. :smile:
You mean the one in your desk drawer where you probably didn't write out the whole pw anyway? Like this?

[Attached photo: PXL_20221223_232409402.jpg, a page of a handwritten password notebook]

So you're in Uzbekistan or Panama and want my passwords? You might have to come here and break into my house. Sure, the NSA can get in, but it isn't as easy as it looks. You may find it easier to work on getting a whole boatload of passwords at once. You know, like, from the cloud.

BTW, go ahead and guess. Sell it in Russia. I don't care. That device is history. I'll buy disk drives from WD, but I'm not really on speaking terms with their other business units.
  • #94
DaveE said:
You mean the one in your desk drawer where you probably didn't write out the whole pw anyway? Like this?
Exactly! That's exactly what I do. Even if someone somehow got the notebook (unlikely), they would still need to decipher the missing characters that I don't write down.
 
  • #95
vela said:
Perhaps it's unfair of me, but it doesn't inspire confidence in the security of their code.
Apparently, my lack of confidence wasn't misplaced.

Jeremi Gosney summarizing the situation with LastPass

It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
  • #96
vela said:
It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
Ouch. I've been a satisfied LastPass customer for several years. But after reading that blog post, I'm going to switch.
  • #97
vela said:
Apparently, my lack of confidence wasn't misplaced.

Jeremi Gosney summarizing the situation with LastPass

It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
Very well. I have been using Bitwarden for quite some time, since LastPass limited free users to either the PC or the phone. I bought the paid version of Bitwarden last month, and the primary reason was that it was OSS, and then it was far cheaper compared to others.

Even then, I didn't delete my LastPass account. I read the article you linked in #88, and decided it was time to delete my account. After reading the article you linked, it seems I took the right decision. Now it also seems that I should change my passwords as well, which is frustrating.
 
  • #98
Don't forget that your most important accounts (banks, investments, email, ...) should be protected with multi-factor authentication. If they are, a hacker who cracks your password still can't get in, and you may get notified if he tries.
  • #99
vela said:
It looks like LastPass can definitely be crossed off the candidate list of the best and most secure password managers.
Why?

I am annoyed with them too (and there are unquestionably things it does poorly), but not for this breach.
  • Password managers will always be targets. Popular password managers will always be big targets.
  • Passwords are not compromised. Worst case, billing information was stolen. Just like at Target. And Facebook. And Yahoo. And LinkedIn. And Marriott.
  • There is some evidence that this was partly an "inside job". That will always be hard to protect against. If the US Department of Defense can't, why should we expect anyone else to?
Password Managers might make you 10x or 50x as secure. It's in my view a mistake to avoid them because 10 is not infinity.
 
  • #100
Vanadium 50 said:
Password Managers might make you 10x or 50x as secure. It's in my view a mistake to avoid them because 10 is not infinity.
I'm not suggesting avoiding password managers in general, just LastPass as the company has repeatedly made poor choices. Use a password manager from a company or project that takes security seriously.
  • #101
Regarding LastPass, it looks like malicious actors got access to a database containing unencrypted info (company names, end user names, billing addresses, telephone numbers, email addresses, IP addresses which customers used to access LastPass, website URLs from password vaults), as well as the entire encrypted vault of people, meaning that if they could crack the master password, they would gain access to the personal info of people. And this is what happened to several people; some of them actually stored their Bitcoin information (as a general rule, one should never, ever put this info on a computer connected to the Internet...).
There's a dude who lost several Bitcoin suing LastPass for this.
https://news.bitcoin.com/lastpass-d...y-hack-may-be-worse-than-they-are-letting-on/

https://grahamcluley.com/lostpass-after-the-lastpass-hack-heres-what-you-need-to-know/
  • #102
I think it's worth backing up a step and asking what problem a password manager is trying to solve. I see two:
  1. Using the same password in many places (like having your car keys open your house)
  2. Lousy passwords like 'qwerty'.
They are not trying to:
  1. Keep your computers safe from attacks by major world governments
  2. Keep your credit card and similar information secure once the vendor has it.
Would it be nice if these happened too? Sure. But it's not reasonable to expect a PWM to do these things, and it sure does not make any sense not to use one because it is only 99.9999% effective.

It is absolutely true that a bad actor can steal your laptop, remove the hard disk, find the erased swap file, potentially remove it, and knowing something about the PWMs data structures, recover one or more of the individual passwords. It is also true that some PWMs make this easier than others. So what? If they can do this, they can also get into your Quicken data and collection of cat videos. That's hardly the PWM's problem.

Can the PWM company lose their customer data? Sure. Every company can, many have, and those that haven't just haven't yet. Many, likely most of these, have had an "inside man", so it's only a matter of time. That's certainly a problem, but it's not the PWM's problem. Maybe it's PWM Corp's problem, but so long as they don't keep your master password (I don't believe any of the major PWMs do) it's not a PWM problem.

So use a PWM so you can use OOgs1h6&LgXkDlrC5zzUxiZ instead of qwerty. Don't sweat the details.

Can the CIA still break into your laptop? Probably. But don't sweat it; you aren't that important.
 
  • #103
Vanadium 50 said:
They are not trying to:
  1. Keep your computers safe from attacks by major world governments
  2. Keep your credit card and similar information secure once the vendor has it.
Many online shopping carts don't actually store your credit card details to help them defeat hackers - the average website is not as secure as your bank's system. They transfer you to a much more secure credit card processing company which complies with all the local laws on security and that's where you enter the card details. These are companies that work world wide with the big credit card suppliers and are trusted because their security gets checked regularly, and they can afford to invest money in keeping it secure.
I know this because I had to find out how a cart that didn't store your card details was having its customers' card details stolen. Just THREE lines of extra code were added by a hacker! And they were three very simple lines of code. It took me seconds to realise what it did, although it took ages to find. The shop in question now pays to use one of these card processing specialists and the company that they use to keep themselves secure.

But I do agree with the rest of Vanadium 50's comments in that post.

PS I think you might be more at risk of a vendor storing your card details if they are a BIG company, as they tend to think their systems are better than those of a small shop making only 10 to 50 online sales a week.

PPS A friend worked on creating one of the first online banking systems. When it was finished, they were challenged to move a real £1,000,000 from one account to another, both accounts being set up and checked by the directors. Embarrassingly, they succeeded! (They were surrounded by security guards from several different companies to avoid collusion with a dishonest individual.) This delayed the launch of the system by a couple of months...
 
  • #104
Vanadium 50 said:
I think it's worth backing up a step and asking what problem a password manager is trying to solve.
I mostly agree with this, however when LastPass refers to something as my "vault" I did expect that it would be encrypted. The fact that the web sites I use, my email addresses as well as other personal information in notes was stored in plain text and may now be easily available to bad actors is unforgivable.

It is IMHO unfortunate that the appallingly bad technical decisions taken by LastPass were not better publicised: I believe that a significant factor in this is the "Chicken Licken" reaction of the press (and posters on this website who should know better) to the concept of a password manager distracting attention from weaknesses in LastPass's specific implementation.
 
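The distinction pbuk draws above (an encrypted "vault" whose URLs and notes nonetheless sit in plaintext) and Vanadium 50's point in #102 (the company never holds the master password, so the key lives only with the user) can be made concrete with a toy vault. The code below is an added illustration written for this thread, not code from LastPass, Bitwarden or any other product; it derives the vault key locally with PBKDF2 and contrasts a record that encrypts only the password field with one that encrypts the whole entry. The iteration count, the stand-in cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, used only to avoid third-party dependencies; a real product would use an AEAD such as AES-GCM) and the sample entry are all assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance.
KDF_ITERATIONS = 600_000

def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password (never sent to the server) into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a real cipher: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC one field or one whole entry; output is what the sync server stores."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(enc_key: bytes, mac_key: bytes, box: dict) -> bytes:
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong master password or tampered record
        raise ValueError("vault record failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def store_entry(master_password: str, entry: dict, encrypt_whole_entry: bool) -> dict:
    """Build the server-side record for one entry. Only the salt and work factor are meant to be public."""
    salt = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    record = {"salt": salt.hex(), "iterations": KDF_ITERATIONS}
    if encrypt_whole_entry:
        record["blob"] = seal(enc_key, mac_key, json.dumps(entry).encode())
    else:  # the weak layout: URL and username travel in the clear next to the ciphertext
        record.update({k: v for k, v in entry.items() if k != "password"})
        record["password"] = seal(enc_key, mac_key, entry["password"].encode())
    return record

def exposed_fields(record: dict) -> set:
    """Entry fields readable by anyone who obtains the record without the master password."""
    return {k for k, v in record.items() if k not in ("salt", "iterations") and not isinstance(v, dict)}

def load_entry(master_password: str, record: dict) -> dict:
    enc_key, mac_key = derive_keys(master_password, bytes.fromhex(record["salt"]), record["iterations"])
    if "blob" in record:
        return json.loads(unseal(enc_key, mac_key, record["blob"]))
    entry = {k: v for k, v in record.items() if k not in ("salt", "iterations", "password")}
    entry["password"] = unseal(enc_key, mac_key, record["password"]).decode()
    return entry

# Constructed sample entry (the password is the one quoted in post #102).
SAMPLE_ENTRY = {"url": "https://bank.example", "username": "alice", "password": "OOgs1h6&LgXkDlrC5zzUxiZ"}
```

Running `exposed_fields(store_entry("...", SAMPLE_ENTRY, False))` shows the leak a breach of the partial layout causes (site and username), while the whole-entry layout exposes nothing but the salt and work factor; in both layouts a wrong master password fails the tag check rather than yielding garbage.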
  • #105
DrJohn said:
PS I think you might be more at risk of a vendor storing your card details if they are a BIG company, as they tend to think their systems are better than those of a small shop making only 10 to 50 online sales a week.
You certainly are, although it's not about how good they think they are; it's about compliance with the PCI standards.

In practice for most online merchants in first world countries the cost of payment gateways such as Stripe is now less than the cost of a merchant account so there is no benefit to be gained by setting up a PCI compliant system so that you can process payments yourself.