topic Re: What is the password manager that I should use? in Tech Talk

What is the password manager that I should use?

Pienske8500 — Mon, 09 Oct 2023 10:31:44 GMT

Hello,

I am wondering if there is a advice about the use of a password manager on workstations.

What is the most secure password manager that you would use?

We have the once in our browser that propose to save the password for every website that you use.

But also the ones that you can install on you machine and then is holding a local database for example the Keypass, 1Password applications.

What password manager is used for each OS (MacOS, Windows, Linux)?

Any recommendations on this?

Thanks for your help.

Re: What is the password manager that I should use?

Caute_cautim — Mon, 08 May 2023 20:30:52 GMT

Hi @Pienske8500

I work in an enterprise with 450,000 staff globally, we all use 1Password for Windows End Points, MacOS and Linux Machines.

It works very well indeed, it is stable and works very well indeed.

Regards

Caute_Cautim

Re: What is the password manager that I should use?

denbesten — Tue, 09 May 2023 00:01:22 GMT

I have used a few:

BitWarden is my current favorite, paying for the $10/year tier.
LastPass lost me as a (paying) customer when they changed their pricing and I started realizing that their data protection practices did not meet my requirements.
Keypass was a reasonable choice, but found its autofill features lacking, especially on mobile devices. Also, sync was not inbuilt and often ran into replication conflicts when used on multiple devices.
Brower password stores were my initial solution, but became disillusioned by browser lock-in.

From a risk perspective, make sure the following are on your radar:

You are entrusting confidential data to the vendor. Do you have reason to trust their programming, development and business practices?
When syncing your vault to the vendor cloud, is it fully encrypted on the client? Is the key kept local (should be)?
Are there protections against a malicious web site gaining access to the vault?
What happens if the app/vendor bricks? Is there a mechanism to retrieve your data (e.g. an occasional unencrypted csv export stored on a thumb drive in a physical safe)?
Is there a mechanism so your heirs/employer can gain control when appropriate?

Re: What is the password manager that I should use?

ericgeater — Tue, 09 May 2023 01:50:33 GMT

First, cloud-based password managers seem like very bad ideas, period. What SLA will you rely on for making you whole after losing every password because that company failed to find that one big vuln?

So if you're wandering from WS to WS and you need access to a small password stash, encrypt a USB stick with BitLocker and throw Keepass on it. BitLocker requires a password. Keepass requires a password.

Use long passwords, and make certain they're not the same at all.

Re: What is the password manager that I should use?

Caute_cautim — Tue, 09 May 2023 20:20:10 GMT

@ericgeaterI agree, but if it is hosted within the main providers environment globally within their own Data Centres and fully supported including compliant to SOX on a 24x365 day basis. It works, and there is plenty of resilience, and assurance. Especially when there is a huge financial penalty hanging over the CEO's head every 90 days.

Regards

Caute_Cautim

Re: What is the password manager that I should use?

ericgeater — Wed, 10 May 2023 01:37:27 GMT

@Caute_cautim Yes, but, it's a level of unnecessary complexity. I'm certain that there's use cases which benefit from having an accessible password manager in the cloud layer, but I'm too paranoid to transfer that particular type of risk. At the very least, and if I were required to use such a service, I'd probably compose all my passwords so that they all share the same last ten characters. And then I would store passwords with that bit missing. Anyone who may find my treasure trove would have incomplete data.

Besides, the OP described activity moving from workstation to workstation, so theirs probably isn't a good example of cloud-stored passwords, anyway.

Re: What is the password manager that I should use?

denbesten — Wed, 10 May 2023 21:29:25 GMT

@ericgeater wrote:
I'd probably compose all my passwords so that they all share the same last ten characters. And then I would store passwords with that bit missing.

The phrase I hear for this is "salting your passwords", in remembrance of the days when UNIX crypt() reigned supreme. It seems to be a common and effective response to lack of complete trust in a password manager -- which in some cases is well deserved. In effect, it is a poor man's 2fa -- the vault has the first part and you know the salt.

cloud-based password managers seem like very bad ideas, period

Are you referring just to a web-app, where everything lives in the cloud, or do you also eschew installed apps that use the cloud to sync an encrypted vault? Also, do you draw a distinction between public and private cloud in your risk analysis?

My risk tolerance varies greatly between those cases.

With respect to the USB option, I do like Portable Apps, but I do get concerned about storing data on USB due to the difficulty in automating backups. USB drives live a tough life; they get lost, broken and corrupted.

Re: What is the password manager that I should use?

ericgeater — Wed, 10 May 2023 23:07:53 GMT

@denbesten said: Are you referring just to a web-app, where everything lives in the cloud, or do you also eschew installed apps that use the cloud to sync an encrypted vault? Also, do you draw a distinction between public and private cloud in your risk analysis?

Neither appeal to me in the slightest. The idea of my passwords, my passphrases, my secret questions and secret answers, and backup tools for my 2FA accounts feel unsettling enough to be stored in a "password manager"... but I sure as shootin' won't place that basket of eggs into someone else's computer.

At the heart of these concerns, all of this is just a management problem. I'm not a high-value target, but I also don't draw a red circle around myself, either.

Many, many years ago, I was in a class where the instructor said, "Never give away what you can't take away later". He was talking about administrators who grant permissions too freely, but this indelible statement applies neatly to my basic online behaviors. Thank you, LastPass, but you can't have my Netflix password.

You've got good points about automation, but I kinda just grew up into this world. One day I was listening to Denis Leary's "No Cure For Cancer" comedy album, and the next thing you know I'm managing over 300 online accounts, all in a hodgepodge of slap-dash protection solutions, by a variety of different companies with different mission statements and differing approaches to cybersecurity. Automation be cursed, because I have walked through the Valley of the Shadow of Due Diligence.

Re: What is the password manager that I should use?

denbesten — Thu, 11 May 2023 03:37:59 GMT

@ericgeater wrote:
but I sure as shootin' won't place that basket of eggs into someone else's computer.

Both Keepass and Bitwarden have PortableApps [k] [b] that can sync to your own server [k] [b], helping address both the attack-surface and backup concerns.

Credential management is one of those areas where there are lots of alternatives to choose from, making it much easier to balance one's risk tolerance vs their convenience goals.