SIGforum
Do you use a password manager?

This topic can be found at:
https://sigforum.com/eve/forums/a/tpc/f/320601935/m/6630044894

February 04, 2023, 03:12 PM
Ronin1069
Do you use a password manager?
I’ve been looking at Bitwarden and 1Password. Any thoughts/recommendations?


___________________________
All it takes...is all you got.
____________________________
For those who have fought for it, Freedom has a flavor the protected will never know

ΜΟΛΩΝ ΛΑΒΕ
February 04, 2023, 03:13 PM
TMats
I’ve had 1Password for…8 or 9 years. Obviously, I must be pretty happy with it.


_______________________________________________________
despite them
February 04, 2023, 03:26 PM
mcrimm
I’ve been using OneSafe+ for a number of years. I have waaay too many top secret passwords. Works for me.



I'm sorry if I hurt your feelings when I called you stupid - I thought you already knew - Unknown
...................................
When you have no future, you live in the past. "Sycamore Row" by John Grisham
February 04, 2023, 03:29 PM
IntrepidTraveler
I use SplashID. I migrated to it years ago from I don't remember what; one reason was that it was able to import my old data. I keep using it out of momentum, I guess. I'm satisfied with it, it works for me. I also have a ton of passwords.




Thus the metric system did not really catch on in the States, unless you count the increasing popularity of the nine-millimeter bullet.
- Dave Barry

"Never go through life saying 'I should have'..." - quote from the 9/11 Boatlift Story (thanks, sdy for posting it)
February 04, 2023, 03:33 PM
old dino
I keep a handwritten password book with backup copies in the safe. I prefer to keep all passwords separate from the computer and thus any possibility of computer hacking.

I also do not use the same user name nor password ... each access is totally different.
February 04, 2023, 03:35 PM
12131
Handwritten, in codes, on a single page.


Q






February 04, 2023, 03:42 PM
ensigmatic
I've been using one-or-another implementation of Password Safe on everything (home computers, work computers [when still employed], Android mobile devices, now Apple mobile devices) for years.

It's free. It's secure. It doesn't rely upon somebody's implementation of cloud storage. It's open source, so there's no wondering what is or isn't in it, you don't have to worry about somebody going out of business leaving you high and dry, and there are implementations for pretty much every extant platform on the market.

In all the years I've used it I've yet to have seen a single security advisory relating to it.

Only disadvantage is I have to manually copy the database between iCloud (in my case) and my home computer to keep mobile devices and desktop in sync. A minor inconvenience.

My wife's using it on her Apple mobile devices, too.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
February 04, 2023, 03:59 PM
sigfreund
I could probably find someone’s* answer someplace on the ’net, but as the SIGforum is my first go-to, why do we believe that a list of passwords that are managed via the Internet is more secure than anything else that can be accessed through the Internet? What makes a PW manager special and immune to something that seems to happen regularly, including to organizations that should be as secure as it’s possible to be?

Although I have tried with my very limited knowledge of such things to imagine the answer myself, I’ve obviously been unsuccessful. Can someone set me straight? (A PW manager was recently recommended to me as a must-have in this day and age.)

* Someone in the business of managing passwords—?




6.4/93.6
February 04, 2023, 04:01 PM
Ronin1069
quote:
My wife's using it on her Apple mobile devices, too.


I was relatively satisfied with just using Apple’s keychain, but I find that it does not always sync well between devices, especially Gmail.


___________________________
All it takes...is all you got.
____________________________
For those who have fought for it, Freedom has a flavor the protected will never know

ΜΟΛΩΝ ΛΑΒΕ
February 04, 2023, 04:14 PM
mark123
I pay for the $10/year Bitwarden service. I’m eventually going to move to a self-hosted vault but I haven’t yet.

Bitwarden is well vetted and very secure.
February 04, 2023, 04:17 PM
mark123
quote:
Originally posted by sigfreund:
I could probably find someone’s* answer someplace on the ’net, but as the SIGforum is my first go-to, why do we believe that a list of passwords that are managed via the Internet is more secure than anything else that can be accessed through the Internet? What makes a PW manager special and immune to something that seems to happen regularly, including to organizations that should be as secure as it’s possible to be?

Although I have tried with my very limited knowledge of such things to imagine the answer myself, I’ve obviously been unsuccessful. Can someone set me straight? (A PW manager was recently recommended to me as a must-have in this day and age.)

* Someone in the business of managing passwords—?


Something like Bitwarden is encrypted locally, and even if someone wanted to force Bitwarden to give up their files, even Bitwarden couldn’t decrypt them.
February 04, 2023, 04:24 PM
Flash-LB
I personally wouldn't trust a password manager, so I keep mine in a passworded file that has no back door on my cell phone, which is also passworded and erases after 10 bad guesses at the password.
February 04, 2023, 04:24 PM
parabellum
Pop quiz:

Q: If you store your passwords online, who has access to them?

A: Other people

encrypted, decrypted, recrypted whatever -crypted you got. If you store it online, other people have access to it.
February 04, 2023, 04:31 PM
ensigmatic
quote:
Originally posted by sigfreund:
... why do we believe that a list of passwords that are managed via the Internet is more secure than anything else that can be accessed through the Internet?
Well, for starters: My password database is not accessed through the Internet. The database is stored locally on each device.

True: It is sync'd between my Apple mobile devices via iCloud storage, but the database is transferred between devices and iCloud in its encrypted form and it's re-encrypted, making it doubly-encrypted, in iCloud storage.

(If I wanted to be really paranoid about it, I could always disable the iCloud syncing and move it between everything manually. I'm pretty paranoid, but not that paranoid.)

quote:
Originally posted by sigfreund:
What makes a PW manager special and immune to something that seems to happen regularly, including to organizations that should be as secure as it’s possible to be?
There is no such thing as "immune" in this context. Period. Full stop. You can safely ignore anybody who tells you any differently.

It helps to know how a lot of that happens. Without going into a pages-long dissertation on all the different ways such databases get 0wn3d, suffice it to say my password databases are not subject to those attack vectors.

What could happen is somebody could get a copy of my encrypted database. Being as I take great care in my selection of the platforms I use and how I use them, I believe that risk to be acceptably small.

Even then they'd be faced with brute-force attacks against the very long passphrase that protects it. Sure: They could--with enough resources and/or time would--eventually break it. I regard the risk of that equally small.

In the end it's a question of balancing risk against need. My current digital keyring has 466 entries in it. Far, far too many to be practical to keep track of with pen or pencil and paper.

Why so many keychain entries? I only rarely reuse usernames and always use a unique tagged email address for every account, everywhere, no matter how insignificant. I always use a different pseudo-randomly-generated password, passphrase, or PIN for everything, everywhere. There are never any shared patterns in the passwords, passphrases, or PINs.

Lastly: I use 2FA (two-factor authentication) where offered and feasible.

Btw: Here's something you can do with a password manager you can't do with paper: I never hand-type URLs to sensitive account sites. I open my keyring and copy-n-paste them. That way I will never inadvertently typo a URL, be led to a look-alike credentials-stealing site, and give credentials away.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
February 04, 2023, 04:57 PM
SigJacket
https://xkcd.com/538/


For the record, I use 1Password.


--
I always prefer reality when I can figure out what it is.

JALLEN 10/18/18
https://sigforum.com/eve/forum...610094844#7610094844
February 04, 2023, 05:13 PM
NavyGuy
quote:
Originally posted by parabellum:
Pop quiz:

Q: If you store your passwords online, who has access to them?

A: Other people

encrypted, decrypted, recrypted whatever -crypted you got. If you store it online, other people have access to it.


Perhaps. Still, the security most of the popular programs employ is more secure than the notebook in your desk drawer. The popular LastPass program recently had a security breach. The actor gained access to some files, but all they got was 256-bit AES encrypted data that is totally useless, as the user's master password is needed to decipher this.

I've used Dashlane for about 6 years. Very full featured with auto fill once you put in your master password (which I change monthly). About $80 a year as I recall.



Men fight for liberty and win it with hard knocks. Their children, brought up easy, let it slip away again, poor fools. And their grandchildren are once more slaves.

-D.H. Lawrence
February 04, 2023, 05:30 PM
220-9er
quote:
Originally posted by parabellum:
Pop quiz:

Q: If you store your passwords online, who has access to them?

A: Other people

encrypted, decrypted, recrypted whatever -crypted you got. If you store it online, other people have access to it.


A & B. The people that own the balloon.


___________________________
Avoid buying ChiCom/CCP products whenever possible.
February 04, 2023, 05:52 PM
sigfreund
quote:
Originally posted by NavyGuy:
Still, the security most of the popular programs employ is more secure than the notebook in your desk drawer.

Well, I don’t store my list of passwords in a desk drawer that a bunch of co-workers or janitorial staff has access to. I haven’t even been able to do that since before computer passwords were something to have and keep secure.

But I can see how a manager could be important for many people, and thanks for all the replies and sort-of explanations. I understood some of what was explained, but not all, and therefore I would need a few more details if I were to seriously consider such a service for myself.

And for that consultant who was annoyed that I didn’t have them all memorized or at my fingertips via a manager when she wanted me to sign into an account from a different device that I never used, soon those of us like that won’t be around any longer to annoy you with our ancient ways. In fact, I’m a very unusual anomaly to be working at my age as it is, so if you want what I can give the organization, you’ll just have to put up with it.




6.4/93.6
February 04, 2023, 06:08 PM
apprentice
quote:
Originally posted by parabellum:
Pop quiz:

Q: If you store your passwords online, who has access to them?

A: Other people

encrypted, decrypted, recrypted whatever -crypted you got. If you store it online, other people have access to it.


If you mean yours is stored only on a device in your control, I'd be interested in what you recommend. Not meaning to sound flippant, I'd genuinely like to know.

To answer the OP, I use "Keeper" and sign in with a bio-metric currently.

Serious questions: Since we are using our login info online, then aren't all passwords essentially stored online at one point or another by definition?
Is there some way to have more control of the third parties' access and use?
February 04, 2023, 06:24 PM
architect
b-folders is what I have used for the last 15 years or so. I have evaluated and tried pretty much every password vault implementation I have become aware of, and b-folders has always come out on top. Only downside I have found is that there is no iOS version, prob. because Apple doesn't want competition to their embedded app.