The best and most secure password manager

  • Thread starter EngWiPy
In summary: For a long time, 1Password has been considered one of the best password managers available. It is very secure and has a free trial so you can see if it is the right solution for you.
  • #141
Having one thing and knowing one thing is not inherently better or worse than knowing two things or having two things.

You can still lose or forget things. Many "security experts" are so worried about a bad actor coming in and depriving you of your stuff that they do not think about the risk of losing or forgetting the key, which also deprives you of use of your stuff.

The two solutions for this would be a "master key" which unlocks everything, which now has the risk that the master key can be stolen, and an authentication system that requires M out of N keys. As mentioned earlier, bank transactions sort of do this already.
 
  • #142
Well, I am likely to switch from LastPass.

It's too secure. :smile: It's locked me out of my account several times. The issue is that it seems to be very fussy about using a YubiKey. You need to give your master password, wait for the YubiKey prompt, tell it not to use the YubiKey (!) but to use a different MFA, then remove and replace the YubiKey, and then enter the PIN and touch the YubiKey. You have five shots to get this right, and in the right order.

My LastPass support ticket has been in the works for a week. I don't think they even understand the symptoms yet. There is a one-day turnaround, and every day they want a screenshot or description of something that has already been described. There is no "try this" from them at this time.

Unless there is a fast turnaround, I think I'll be switching.
 
  • Wow
  • Informative
Likes symbolipoint and phinds
  • #143
I'm wondering if the popularity of Password Security Software is based on angst, personal insecurity, corporate decrees, or actual need... as perhaps national security reasons.

A Firewall/Virus Scanner/Sandbox approach is quite protective... and A LOT less intrusive!
 
  • Skeptical
Likes fluidistic
  • #144
Tom.G said:
A Firewall/Virus Scanner/Sandbox approach is quite protective... and A LOT less intrusive!
Huh?

They do different things.

I don't want to use the same password for an online store as my bank. If the store has a security leak, I don't want to give the crooks access to my bank account too. Further, I want to use more secure passwords. Qwerty is a bad password. B4y%mnyHCgrcUAWH is better. Well, at least it used to be before this post. A password manager makes it easy to use stronger passwords.
 
  • #145
Update: LastPass asked me if I wanted to give up troubleshooting. They haven't yet said "Try X and let us know what happens". (Other than "reinstall everything and see if it helps" which I did before I contacted them.)
 
  • #146
Vanadium 50 said:
Huh?

They do different things.

I don't want to use the same password for an online store as my bank. If the store has a security leak, I don't want to give the crooks access to my bank account too. Further, I want to use more secure passwords. Qwerty is a bad password. B4y%mnyHCgrcUAWH is better. Well, at least it used to be before this post. A password manager makes it easy to use stronger passwords.
Ahh, OK.

I interpreted your use of passwords as when you operate locally, as booting or running specific software. I agree passwords are useful and necessary when interacting with various sites that have personal information.

Sorry for the confusion.

Cheers,
Tom
 
  • #147
Vanadium 50 said:
They haven't yet said "Try X and let us know what happens"
Well, they just did. They said to shut all the MFA off except for YubiKey and see what happens. What happens is exactly what you expect - I was locked out.

1Password? BitWarden?
 
  • #148
LastPass tech support tried to blame YubiKey, but YubiKey tests all pass. They are back to "disable MFA"... days pass... "enable MFA"... days pass. It's really hard to conclude that anyone there has a clue.

Any suggested alternatives?
 
  • #149
Vanadium 50 said:
Any suggested alternatives?
Don't do anything on-line that is sensitive enough to require a password!

(I know, not real practical/convenient for many folks.)
 
  • #150
Yeah, that's not really practical.
 
  • #151
Vanadium 50 said:
LastPass tech support tried to blame YubiKey, but YubiKey tests all pass. They are back to "disable MFA"... days pass... "enable MFA"... days pass. It's really hard to conclude that anyone there has a clue.

Any suggested alternatives?
What about KeePassXC? It's open source. I understand that you won't get a quick response, if at all, in case of a problem, no ensured technical support, but you might not need it.
Also, I don't understand how people can "trust" YubiKeys (closed source hardware in a security scheme? What could go wrong...?). There are examples where millions of people trusted the company who later betrayed them shamelessly (Ledger, I am looking at you).
 
  • #152
Vanadium 50 said:
Any suggested alternatives?
I have been using Bitwarden Premium for three years now. It was (and still is) the cheapest among all the cloud password managers available — USD 10.00 annually is a great price IMO. You get the option of YubiKey OTP for 2FA if you have premium. The best thing is that I can also store all the authenticator codes along with the logins, so I can easily access 2FA codes from the browser even if I do not have the mobile. Being open-source adds another layer of security — hundreds of eyes have probably gone over their code, so loopholes, if any, are definitely found faster than a closed-source password manager. Premium also allows you to take advantage of their data breach monitors to see if any of your current passwords have been leaked.

N.B.: I don't use the YubiKey 2FA, so can't say anything about just that particular feature. Otherwise, it works good, at least for me.
 
  • #153
fluidistic said:
What could go wrong
What could go wrong?

Not using the YubiKey is like leaving a door (one of several in series) open. Is that better or worse than having your locksmith keep a copy of your key to that one door?
 
  • #154
Vanadium 50 said:
What could go wrong?

Not using the YubiKey is like leaving a door (one of several in series) open. Is that better or worse than having your locksmith keep a copy of your key to that one door?
My point is that there is alternative open source hardware with equivalent security, where you do not have to trust a 3rd party.
 
  • #155
Update. LastPass support told me to...and I am not making this up... install a keylogger and then enter my master password.
 
  • Wow
  • Haha
  • Sad
Likes harborsparrow, fluidistic, DaveE and 1 other person
  • #156
OK, after more than a month, I told them to close the ticket and I was going elsewhere.

I suspect - but do not know - that LastPass' response to their woes was to fire their technical staff and just rake in the money from past development.
 
  • Like
Likes harborsparrow and fluidistic
  • #157
phyzguy said:
This discussion is not increasing my confidence in password managers. I think I'll stick with my physical notebook.
May want to keep a copy in a bank vault or trusted source in case of fire, water, wear and tear of the writing, etc. A problem with this approach, assuming you're using a pen or other manual writing device, other than the wear and tear, is being able to write clearly enough to tell apart the o's (letter) from the 0's (number); the m's from the n's, u's from v's, etc. I've had trouble telling them apart at times in my own class notes.
 
  • #158
On a different issue, maybe a naive take and just a small slice of the attack surface, why do sites allow (seems many do) seemingly-endless attempts to enter the right password? Why not block the IP address block for 5 minutes after 5 wrong attempts, then 30 minutes, and ultimately a perma ban? Wouldn't this go a long way towards restricting hacking attempts? I get this is just a single aspect and not a global solution, but it may help, though we may need measures to prevent the actual user from being locked out, and maybe other DoS-related issues. Yes, the hacker may go about rotating between sites, but it may lower the odds.

Besides, given many, most maybe, are motivated by money, is it reasonable to believe that those with the most advanced hacking, overall technical skills, would be working well-paid legitimate jobs, so that black hat hackers are 2nd-3rd tier, in terms of said skills? If I had amazing technical skills and wanted to become wealthy, I'd choose a legitimate job over the mediocre return and potential legal nightmare of getting caught? Does this sound reasonable, given the ability to work remotely?
 
  • Like
Likes harborsparrow
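
The escalation proposed in post #158 (5 wrong attempts, then a 5-minute block, then 30 minutes, then a permanent ban, applied per IP address block), sketched as an added example that is not part of any post in the thread. The `LoginThrottle` class, the /24 and /64 block sizes and the in-memory storage are assumptions made for illustration; the demo also shows the lockout concern raised in the post, since a legitimate user in the same address block is refused even with the correct password.

```python
import ipaddress
from dataclasses import dataclass

MAX_FAILURES = 5                     # wrong attempts allowed per step
LOCKOUTS = [5 * 60, 30 * 60, None]   # seconds; None = permanent ban

@dataclass
class Record:
    failures: int = 0          # wrong attempts since the last lockout
    strikes: int = 0           # lockouts already issued to this block
    blocked_until: float = 0.0
    banned: bool = False

class LoginThrottle:               # hypothetical name, not a real library
    def __init__(self, v4_prefix=24, v6_prefix=64):   # block sizes are assumptions
        self.prefix = {4: v4_prefix, 6: v6_prefix}
        self.records = {}

    def _block(self, ip):
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)

    def attempt(self, ip, password_ok, now):
        """Return 'blocked', 'ok' or 'denied' for one login attempt at time `now`."""
        rec = self.records.setdefault(self._block(ip), Record())
        if rec.banned or now < rec.blocked_until:
            return "blocked"               # the password is not even checked
        if password_ok:
            rec.failures = 0               # strikes are kept, so escalation persists
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            step = LOCKOUTS[min(rec.strikes, len(LOCKOUTS) - 1)]
            rec.strikes += 1
            rec.failures = 0
            if step is None:
                rec.banned = True
            else:
                rec.blocked_until = now + step
        return "denied"

def demo():
    """Constructed sequence: three bursts of five wrong guesses from one address."""
    t = LoginThrottle()
    out = []
    for start in (0, 304, 2108):           # each burst begins as the last block expires
        out += [t.attempt("203.0.113.7", False, start + i) for i in range(5)]
        # A neighbour in the same /24 with the correct password is locked out too.
        out.append(t.attempt("203.0.113.99", True, start + 5))
    out.append(t.attempt("198.51.100.1", True, 10))   # unrelated block is unaffected
    return out
```
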
  • #159
WWGD said:
May want to keep a copy in a bank vault or trusted source in case of fire, water, wear and tear of the writing, etc. A problem with this approach, assuming you're using a pen or other manual writing device, other than the wear and tear, is being able to write clearly enough to tell apart the o's (letter) from the 0's (number); the m's from the n's, u's from v's, etc. I've had trouble telling them apart at times in my own class notes.
When writing important things, I learned to use the European digit handwriting conventions: zeroes have a slash through them. Ones consist of two lines (an upstroke and a downstroke, looks kind of like an inverted V). This makes the letter L distinguishable from digit 1, and the letter o distinct from digit 0. For added safety, you can also underline your capitals.
 
  • Like
Likes WWGD
  • #160
harborsparrow said:
When writing important things, I learned to use the European digit handwriting conventions: zeroes have a slash through them. Ones consist of two lines (an upstroke and a downstroke, looks kind of like an inverted V). This makes the letter L distinguishable from digit 1, and the letter o distinct from digit 0. For added safety, you can also underline your capitals.
Wish others had done the same so I could tell it's Chicago Ill (Illinois), and not Chicago 3. Confusing for a 12-year-old.
 
  • Like
Likes harborsparrow
