    Password Managers

    IT Discussion
    36 Posts 17 Posters 2.8k Views
    • 1
      1337 @scottalanmiller
      last edited by 1337

      @scottalanmiller said in Password Managers:

      You are asking them to store the ENCRYPTED data of your passwords. You don't have to trust anyone. You should still use a vendor you trust, of course, but there's no need for trust. That's the point.

      If you use an online password manager or anything not open source you still have to trust them.

      Because you don't know what they do with your master password, encryption keys and other things.

      LastPass, for example, has passed security audits but has still had multiple breaches. There have also been examples of malicious browser extensions grabbing passwords.

      As with anything, "safe" doesn't really mean safe, it means a little bit safe. And often safe enough - depending on what you are protecting.

      ObsolesceO JaredBuschJ 2 Replies Last reply Reply Quote 0
      • ObsolesceO
        Obsolesce @1337
        last edited by

        @pete-s said in Password Managers:

        Because you don't know what they do with your master password, encryption keys and other things.

        Last I seen, LastPass doesn't have your master password.

        LP stores a hash of your email address and master password on your computer (not its servers), which it uses as an encryption key to encode your log-in details for other sites (with a 256-bit AES cypher), before storing them on its servers.

        They don't know your details or encryption key, so create a unique ID token for you by hashing your password and local encryption key together. That ID token is then hashed with a random number when you create your account.

        1 1 Reply Last reply Reply Quote 0
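The client-side derivation described in the post above, as an added example that is not part of the original post and is not LastPass's code. PBKDF2-HMAC-SHA256, the iteration count, and the names `derive_vault_key`, `derive_login_token` and `Server` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the post does not state one


def derive_vault_key(email: str, master_password: str) -> bytes:
    """Client only: hash of e-mail + master password, used as the 256-bit AES key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)


def derive_login_token(vault_key: bytes, master_password: str) -> bytes:
    """Client only: password and local key hashed together; this is what gets sent."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


class Server:
    """Holds only a salted hash of the login token (vault ciphertext omitted here)."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, token: bytes) -> None:
        salt = os.urandom(16)  # the "random number" chosen at account creation
        self.accounts[email] = (salt, self._stretch(token, salt))

    def login(self, email: str, token: bytes) -> bool:
        if email not in self.accounts:
            return False
        salt, stored = self.accounts[email]
        return hmac.compare_digest(self._stretch(token, salt), stored)

    @staticmethod
    def _stretch(token: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", token, salt, ITERATIONS, dklen=32)


# Constructed sample account, not real credentials.
EMAIL, PASSWORD = "user@example.com", "correct horse battery staple"
key = derive_vault_key(EMAIL, PASSWORD)
server = Server()
server.register(EMAIL, derive_login_token(key, PASSWORD))
print("login ok:", server.login(EMAIL, derive_login_token(key, PASSWORD)))
print("server holds vault key:", key in server.accounts[EMAIL])
```

What the server stores is still derived from the master password, so the password's strength and the work factor decide how well a leaked record resists guessing.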
        • 1
          1337 @Obsolesce
          last edited by 1337

          @obsolesce said in Password Managers:

          Last I seen

          So you have validated their source code? Or did you read it from their webpage?

          Just to be clear, I'm not saying LastPass doesn't do what they say they do. I only state that you don't know.

          I'm sure their intentions are good but software is not perfect. That's why there are plenty of vulnerabilities and bugs in everything.

          ObsolesceO 1 Reply Last reply Reply Quote 0
          • ObsolesceO
            Obsolesce @1337
            last edited by

            @pete-s said in Password Managers:

            That's why there are plenty of vulnerabilities and bugs in everything.

            You can't take from them something they don't have...

            1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @1337
              last edited by

              @pete-s said in Password Managers:

              If you use an online password manager or anything not open source you still have to trust them.

              You still have to simply trust open source.

              Can you read all the code and know that their encryption is valid? That there are no exploitable bugs?

              1 1 Reply Last reply Reply Quote 4
              • 1
                1337 @JaredBusch
                last edited by 1337

                @jaredbusch said in Password Managers:

                @pete-s said in Password Managers:

                If you use an online password manager or anything not open source you still have to trust them.

                You still have to simply trust open source.

                Can you read all the code and know that their encryption is valid? That there are no exploitable bugs?

                True, but it's a lot easier to put more trust in something that is completely transparent and can be verified by independent sources.

                1 Reply Last reply Reply Quote 0
                • EddieJenningsE
                  EddieJennings
                  last edited by

                  For what it's worth: https://github.com/bitwarden

                  scottalanmillerS 1 Reply Last reply Reply Quote 2
                  • scottalanmillerS
                    scottalanmiller @EddieJennings
                    last edited by

                    @eddiejennings said in Password Managers:

                    For what it's worth: https://github.com/bitwarden

                    Yeah, that's what makes it my top choice today, I think.

                    1 Reply Last reply Reply Quote 0
                    • K
                      krzykat
                      last edited by

                      People that are using bitwarden, are you self-hosting?

                      black3dynamiteB V scottalanmillerS 3 Replies Last reply Reply Quote 0
                      • black3dynamiteB
                        black3dynamite @krzykat
                        last edited by

                        @krzykat said in Password Managers:

                        People that are using bitwarden, are you self-hosting?

                        No

                        1 Reply Last reply Reply Quote 0
                        • V
                          VoIP_n00b @krzykat
                          last edited by

                          @krzykat no

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @krzykat
                            last edited by

                            @krzykat said in Password Managers:

                            People that are using bitwarden, are you self-hosting?

                            No, but it is on our radar to consider soon as we keep growing and it becomes more important, and more cost effective, once you get to any size.

                            1 Reply Last reply Reply Quote 1
                            • jt1001001J
                              jt1001001
                              last edited by

                              New gig is using Bitwarden, converting from Zoho Vault

                              1 1 Reply Last reply Reply Quote 1
                              • 1
                                1337 @jt1001001
                                last edited by

                                @jt1001001 said in Password Managers:

                                New gig is using Bitwarden, converting from Zoho Vault

                                Interesting. Is it self-hosted? Do you know the reason for the move?

                                jt1001001J 1 Reply Last reply Reply Quote 0
                                • dafyreD
                                  dafyre
                                  last edited by

                                  Yet another +1 for using Bitwarden and not self-hosting. I actually did self-host it for a bit a couple of years ago, but changed my mind and moved to their hosted service.

                                  1 Reply Last reply Reply Quote 0
                                  • jt1001001J
                                    jt1001001 @1337
                                    last edited by

                                    @Pete-S I have no idea why they moved. I guess the higher-ups want to migrate? Cost, I think, is about the same. We are not self-hosted; only 15 users so far.

                                    1 Reply Last reply Reply Quote 1
                                    • jclambertJ
                                      jclambert
                                      last edited by

                                      Bitwarden for home, and Dashlane at work currently

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        JasGot
                                        last edited by

                                        So I have been using BitWarden since this conversation started. I have to say I like it. I think I am ready to remove all the saved passwords from Edge and Chrome. Would this be the next step?
                                        It's a wee bit scary. But BitWarden does claim to have the same number of passwords as my Edge and Chrome, and the BitWarden password tool is working! 🙂

                                        dafyreD 1 Reply Last reply Reply Quote 1
                                        • dafyreD
                                          dafyre @JasGot
                                          last edited by

                                          @JasGot said in Password Managers:

                                          So I have been using BitWarden since this conversation started. I have to say I like it. I think I am ready to remove all the saved passwords from Edge and Chrome. Would this be the next step?
                                          It's a wee bit scary. But BitWarden does claim to have the same number of passwords as my Edge and Chrome, and the BitWarden password tool is working! 🙂

                                          Delete them all from the browser! Ja ha ha ha ha! Then, when you run into that one obscure site that you can't remember the password to, you can just use Bitwarden for it after doing the forgot password. 😄

                                          jt1001001J 1 Reply Last reply Reply Quote 1
                                          • jt1001001J
                                            jt1001001 @dafyre
                                            last edited by

                                            @dafyre Bitwarden has been great here; we migrated the whole company over to using it and forced password changes on the couple of external sites we control. So far no issues.

                                            1 Reply Last reply Reply Quote 1