Password managers - recommendations?

Being as how I have 3 Macs and an iPhone or two, and although I still use the manager I mentioned above, I have, over the past couple of years, also begun to use the built-in Keychain. It generates a complicated password for every new site that requires one, but not as complicated as the ones generated by Wallet. It’s a lot easier to deal with, BUT if you don’t use Safari, whilst not totally useless, it is not as convenient as one of the others.

I have been using LastPass for about 5 years. I need the ability to sync my password manager to W11 and W10 PCs, a PC running Linux Mint, an iPhone and an iPad. I also need auto fill; it will put in your name, email address, residential address, your debit and credit cards, phone number, bank account numbers, passport info, and any other info you want. It is protected by 256-bit encryption and I also have all my drives including my USB keys protected with BitLocker. I have a three-level firewall, one on the router, one on the system and one on the modem. I have a two-factor login for the important online facilities and really everyone should have a 2-factor login. I run Spybot, Malwarebytes and Acronis and have my backups do an auto update each day and place one copy offline and one copy in a sandbox. I have lectured in computer systems since 1974 and still maintain an interest in systems integrity. I pay for each application as there is always something missing in free software. I also use spamex.com to generate disposable email addresses and my email goes through a MailWasher application that allows me to bounce unwanted emails. A bit over the top? Bloody crazy really.

I’m much like you, but not the teacher part. First I ditched the iPhone 4 and never looked back, since I saw the writing on the wall for iOS and its spyware. I have used macOS for more than 10 years and Linux over the years; my entire network is locked down with its own search engine as well as its own DNS server. As for passwords, 1Password or KeePassXC are very good; I wouldn’t touch LastPass since its source code has been hacked.

When choosing a password manager, the choice is either in the cloud or on the computer. My choice is on the computer: never trust the cloud with personal material, it is just too dangerous.

2 Likes

Not at all. I was doing similar when I was a Windows user, up to and including MailWasher. I became really fed up with it and switched to Mac. Never looked back.

1 Like

If you get a chance ditch MS Office for Thunderbird, excellent in the macOS, as for the “iCloud Private Relay”, block the iCloud Private Relay since Apple will know everything you do on the internet.

Whether Apple snoops or not, I can’t afford the product that’s required, so I’ll keep using my own VPN as needed, which I already paid for.

Banks and other institutions can be obstructive in providing access to accounts. They have no further need or interest in satisfying a dead customer! That is why I am providing my login details to my executors. It just makes life a little simpler.

No one has mentioned that Google Chrome and Firefox have their own built-in password managers. Is that because no one considers them serious enough to trust? My intuition is that I need to trust the company that owns the password manager, both their technical ability and their integrity. As my son has pointed out, if a product is free then we are the product! In this case, we provide an extensive user base that enables the developers to sell a more robust solution to business users. As others have commented, I would not entrust bank details or other crucial financial details to a password manager.

1 Like

Of course if someone who is not you uses your login details that would be considered a breach of security, and probably a violation of conditions of usage.

Just give your executor the account details, not the login facility. Banks and other organizations will deal with these things when they see the appropriate documents.

2 Likes

When last I looked at the Mozilla Thunderbird password manager, which I am just assuming is the same as or very similar to the Mozilla Firefox password manager, the Thunderbird password manager was well short of current best-practice cryptography.

That means that it is still much better than storing passwords in plaintext but may not survive attack by a motivated attacker.

2 Likes

If there is no master password set for Firefox, the data is still stored in plaintext. At around 2017-2018 their app ‘Lockbox’ (their add-on at the time that was the work behind the newer encryption) was using a SHA-1 single-pass encryption of the master password. Industry standards are and were requiring vastly higher numbers of iterations than that, and even back then 10,000 was considered a minimum. Firefox (using it with a Master Password) now uses 256-bit AES for encrypting the vault with decently higher iterations to resist brute force attacks.

Firefox Sync still has issues.

5 Likes

As I have said before, I’m happy to have an app on my devices which stores info in an encrypted database. If I need it on more than one device, I am also happy to have that database on an “independent” site, e.g. Dropbox and its ilk (or manually transfer between devices). I will never store my passwords on a site like LastPass (which I joined to have a look) which it seems has been hacked yet again.

4 Likes

The database that has the stored passwords has not been compromised. It remains secure in that it requires an individual’s master password/passphrase to decrypt an individual’s repository. LastPass’s owners do not have access to that information; if a user loses their password/passphrase then their data is unrecoverable. More at risk, or already stolen, is the intellectual property of the company.

4 Likes

OK, but nonetheless I lack faith in keeping my “stuff” with an online db. (Except in the circumstances I mentioned). I never keep CC or personal info in any.

3 Likes

That’s where Thunderbird still is today.

SHA-1 (no iterations as such) is used to derive a decryption key from the master password. The decryption key is then used to decrypt the master key using 3DES. The master key is then used to decrypt any actual stored passwords using 3DES. 3DES is well well past its use-by date and SHA-1 is not ideal (and certainly not ideal without iterations and lots of them).

The integrity check is not ideal either.

That’s more like it.

As far as I am aware it is a single iteration at the compression phase for SHA-1. Brute force attacks easily deal with it. The hash produced is weak to attack.

1 Like

SHA1 is considered broken and should not be used. DES was broken long ago, and 3DES is just a slow bodge and now deprecated in favour of AES.

1 Like

To summarise … Thunderbird Password Manager is an anti-recommendation.

While it is much better than storing in plaintext, it is far far short of current best practice.

We are in furious agreement with the general observation that “it is not great”.

What it lacks in iterations, you can make up for with master password entropy. I can assure you that even if you can try 10 billion passwords per second, it will still take you a trillion years to brute force my Thunderbird master password.

Anyways … you can see the exact details for the Thunderbird Password Manager encryption logic here: https://raw.githubusercontent.com/lclevy/firepwd/master/mozilla_pbe.pdf

I can confirm that, as of a few years ago, that diagram was accurate enough to write a program that prompts for the Thunderbird master password and dumps out the decrypted stored mail account passwords. Or you can use the code already in that GitHub repo.

5 Likes
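The trade-off argued over in the posts above (single-pass SHA-1 key derivation versus an iterated KDF, and how much master-password entropy compensates for missing iterations) can be put into numbers. The following is an added worked example written for this thread; it is not code from any poster, from Thunderbird or from Firefox. The password, salt and the 10 billion guesses/second attacker rate are constructed sample values, and the single-pass SHA-1 function is a stand-in that only models "one hash per guess", not the exact Mozilla scheme in the linked PDF.

```python
import hashlib
import math
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31,557,600 s

# Constructed sample inputs (not taken from any real profile or product).
MASTER_PASSWORD = b"correct horse battery staple"
SALT = bytes(range(16))


def single_pass_sha1_key(password: bytes, salt: bytes) -> bytes:
    """Weak derivation: one SHA-1 over salt||password, no iterations.
    Models the single-pass style criticised in the thread (a stand-in,
    not Mozilla's exact construction); each guess costs one hash."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterated derivation: PBKDF2-HMAC-SHA256. Each guess now costs the
    attacker `iterations` HMAC evaluations instead of a single hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(bits: float, hashes_per_second: float,
                        iterations: int = 1) -> float:
    """Worst-case time to exhaust 2**bits guesses when the attacker computes
    `hashes_per_second` primitive hashes and each guess costs `iterations`
    of them. Expected time to hit the right guess is half of this."""
    return (2.0 ** bits) * iterations / hashes_per_second


def required_entropy_bits(target_seconds: float, hashes_per_second: float,
                          iterations: int = 1) -> float:
    """Entropy needed so that exhausting the keyspace takes at least
    `target_seconds` at the given attacker rate and iteration count."""
    return math.log2(target_seconds * hashes_per_second / iterations)


def measure_guesses_per_second(derive, trials: int = 20) -> float:
    """Rough single-core guess rate for a derivation function on this
    machine (timing-based, so the value varies between runs)."""
    start = time.perf_counter()
    for i in range(trials):
        derive(MASTER_PASSWORD + str(i).encode(), SALT)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    rate = 1e10  # the 10 billion guesses/second assumed in the thread
    needed = required_entropy_bits(1e12 * SECONDS_PER_YEAR, rate)
    print(f"Entropy for a trillion-year search at {rate:.0e} guesses/s, "
          f"single-pass KDF: {needed:.1f} bits")
    print(f"20 random printable ASCII chars: {entropy_bits(20, 95):.1f} bits")
    for iters in (1, 10_000, 600_000):
        years = brute_force_seconds(40, rate, iters) / SECONDS_PER_YEAR
        print(f"40-bit password, {iters:>7} iterations: {years:.3g} years worst case")
    sha1_rate = measure_guesses_per_second(single_pass_sha1_key)
    pbkdf2_rate = measure_guesses_per_second(
        lambda p, s: pbkdf2_key(p, s, 600_000), trials=3)
    print(f"This machine: {sha1_rate:.0f} single-pass SHA-1 guesses/s, "
          f"{pbkdf2_rate:.2f} PBKDF2(600k) guesses/s")
```

Two things fall out of running it. First, the "trillion years at 10 billion guesses per second" claim needs roughly 98 bits of password entropy with a single-pass KDF, which is about 15 random printable-ASCII characters or a 7-to-8-word random passphrase; a shorter human-chosen password does not get there. Second, an iteration count of 600,000 buys the same margin as adding about 19 bits of entropy, which is why a weak KDF shifts the whole burden onto the user's password choice.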

… never ‘if’, always ‘when’ …

3 Likes