Password Manager Suggestions?
I currently use LastPass for my password manager needs.
However, I have decided to go back to looking for an alternative.
Requirements:
- Open Source.
- Ability to save database to any chosen location.
- App fill for Android (though I believe all of the well known ones support this anyways).
- Android Wear extension (I don’t always have my phone near me, so this would be nice.)
- Password generator.
I’m sure I’m forgetting details, but eventually I’ll remember them.
The three apps which I’m alternating between are Enpass, SafeInCloud, and LastPass.
However, none of them completely meet all of my requirements (those mentioned, as well as those not mentioned).
Suggestions?
This interests me too. I love all you techy people here.
Ideally the Android Wear app shouldn’t store the passwords locally, but connect to the internet.
(After all, I want the wifi in my watch to actually be useful.)
If not, it’s not a deal breaker I guess because I keep my watch on my wrist anyways.
What’s lacking for you re lastpass?
@f00l
Although I commend them for their being receptive to acknowledging exploits and patching them fast (as opposed to other companies who would delay).
Not open source.
No Android Wear support (even though they keep on talking about it). I get why they wouldn’t have necessarily focused so much while Android Wear 1.X was common, but now that Android Wear 2.0 which supports standalone apps is rolling out (or will be rolling out, depending on the watch), this support is kind of more important.
@someRiverNoise
How essential is that feature to you, for now?
Re pwds.
I don’t even store mine in lastpass, to degree. I store some that don’t matter much, and I store more complicated and evocative hints.
And I store one or two where the asshole site makes creating and changing a pwd so complicated that it’s necessary to store that pwd somewhere in order to function.
And no my pwds are not all identical, tho a few that I haven’t gotten around to changing out yet are.
@f00l
Right now, it’s not essential, but the rest of the criteria are.
Like I said, I’ve also been playing with SafeInCloud and Enpass.
@someRiverNoise Have you considered the fact that bugs in LastPass are showing up because an expert-level person is looking for them, and not necessarily because it’s poorly made? (As a related point, this doesn’t mean other password managers are any better (or maybe worse)- just that they haven’t had a trial by fire yet).
@dashcloud
Of course I have.
My whole point is that I’d rather not have all of my passwords stored in a place susceptible to these things.
Which is why I preferably would want all of my passwords not kept in a data center somewhere, but in the place of my choosing for starters.
@dashcloud if you think tavis is only looking at lastpass you’re mistaken.
I use 1Password with my family mainly because of the ability to share credentials. It isn’t open source tmk. The families cloud based version does have an Android auto fill ability, I’m not sure about the non cloud option. It has a pretty great user interface, and the price point isn’t terrible.
@LordSalem
I’ve seen other people use it, and I happen to like the layout.
I like that they’re already dealing with Android O.
Still no Android Wear support.
I’m just trying to think if going from LastPass to 1Password would be a lateral move.
Me too.
Padlock seems to fit most of the qualifications. It’s free/open source software, allows easy import and export, and has a password generator. They also publish and respond to security audits: https://padlock.io/docs/padlock-pentest-1604.pdf
I’ve only been using Chrome’s password management, but I’m trying out Padlock now.
@trisk
Does it have autofill?
(With the framework in Android O to improve autofill, this is even more important than ever before which is strange because it was already important anyways.)
@someRiverNoise Sadly, it looks like the Android app doesn’t do autofill (and the UI tempts you to copy passwords to the clipboard, which isn’t always safe).
I’ve found bitwarden, which is another free/open source password manager that does appear to support autofill on Android (via a notification currently).
Unlike Padlock (which uses paid or self-hosted sync), their cloud sync service is also free. The catch is bitwarden currently doesn’t have a password generator, though there’s an open feature request for one.
I’m wrong, the bitwarden app has a big Password Generator button.
@trisk
I decided to try bitwarden.
Initial setup relatively simple, but when I imported my passwords, everything but the associated URLs got set up.
@PlacidPenguin I did an import from Chrome on the desktop, and it’s working fine for me. Just cleared my Chrome/Google saved passwords and using the bitwarden browser extension and app now.
@trisk
I’ve been in touch with bitwarden about this.
@trisk
Ok. So now I have these choices:
Send them the CSV with sensitive info removed so that they could troubleshoot.
Open it up in Excel, remove all but the first row, import the data, and see if the URL goes. If it does, then continue with the 2nd line and so on until I reach a line which gives issues.
Setting up an account after 2 AM may not have been a wise idea necessarily.
I can’t remember my master password…
I had fingerprint setup, although now that I by mistake logged out fully, I can’t get back in. (And I didn’t have a hint setup, so…)
@PlacidPenguin If you can easily make a censored version of the data that is still recognisable, such as replacing all letters and numbers with the same character, that might be worth submitting to them. Of course, that still leaks partial passwords.
btw, CSV files are plain text, and if you’re not making changes across columns, using a text editor is safer than Excel, which may make incompatible changes to the formatting when you export the data.
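The masking idea from the comment above, as an added example (not code from the thread or from bitwarden): every letter and digit becomes the same character while delimiters, quoting and column count survive, and `residual_leak` shows what a masked password still gives away. The sample rows and the column names are constructed for illustration.

```python
import csv
import io
import re

MASK = "x"  # single replacement character for every letter and digit

# Constructed sample export; the second row has commas and a quote inside cells.
SAMPLE = (
    "name,url,username,password\n"
    "Example Shop,https://shop.example.com/login,alice@example.com,Tr0ub4dor&3\n"
    'Forum,"https://forum.example.org/?a=1,b=2",alice,"pa,ss""word1"\n'
)


def mask_value(value: str) -> str:
    """Replace letters and digits with MASK; keep punctuation and length."""
    return re.sub(r"[^\W_]", MASK, value)


def redact_csv(text: str) -> str:
    """Mask every data cell of a CSV export; the header row is kept as-is."""
    rows = csv.reader(io.StringIO(text, newline=""))
    out = io.StringIO(newline="")
    writer = csv.writer(out, lineterminator="\n")
    for i, row in enumerate(rows):
        # csv.writer re-quotes cells that contain commas or quotes, so the
        # column structure the importer sees is unchanged.
        writer.writerow(row if i == 0 else [mask_value(cell) for cell in row])
    return out.getvalue()


def residual_leak(password: str) -> dict:
    """What a masked password still reveals: length and symbol positions."""
    masked = mask_value(password)
    return {
        "length": len(masked),
        "symbols": {i: ch for i, ch in enumerate(masked) if ch != MASK},
    }


if __name__ == "__main__":
    print(redact_csv(SAMPLE))
    print(residual_leak("Tr0ub4dor&3"))
```

The masked file keeps the shape of each URL (scheme, dots, path separators), which is what an import bug report needs, but password lengths and symbol positions remain visible, so regenerate any password whose masked form was shared.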
@trisk
Well I can’t get into my account, so this whole thing is pretty much moot anyways at this point.
@trisk
Got my account deleted so that I could create a new one.
Did password import, it worked fine this time.
@PlacidPenguin Glad to hear it worked out! I’ve been pretty happy with the experience using bitwarden so far. On the desktop I’m getting used to right-clicking to see saved passwords, and on my phone it’s able to perform autofill in every Android app I use, unlike Google’s Smart Lock.
Low tech - Excel spreadsheet.
@Kidsandliz
@jqubed @Kidsandliz
I suppose I could have a triple encrypted spreadsheet containing my passwords…
@someRiverNoise Breaking Excel encryption is an absolute joke.
@jbartus
Unless they use a different encryption for the spreadsheet.
@PlacidPenguin I am referring to Excel’s built in encryption. Obviously if you start involving outside software it changes matters.
I use
@lilsrm123
While that does look appealing, there would be some downsides to that.
@lilsrm123 Whoa, flashing back to the Franklin Spelling Corrector we all coveted in elementary school!
@someRiverNoise If you misplace it, you lose all your passwords!
It takes 3 AAA batteries.
You have to hold shift and stretch to push a letter, or turn on caps lock turn off caps lock to capitalize one letter. grrr.
Other than that I do not have any other complaints!
And I’ve had it for 2 years on one set of batteries.
There are 568 reviews and 100 answers you can check on amazon.
KeePass is the program you want. Take a close look and you will see what a great Open Source program it is.
@walt7871
Looked at it several times. Then I looked several times for a decent Android port. Gave up after a while.
@walt7871
Isn’t there a KeePass and a KeePass 2? I’m not sure about the diff …
@someRiverNoise There are several, but I know nothing about Android.
http://keepass.info/download.html
@f00l I use KeePass in Win 7 and use 2.35 Portable.
I’ve used 1.32 and I’m not sure of the difference. It’s a fantastic program once you get used to it.
@someRiverNoise I like Keepass2Android it’ll read local and remote files. There is an offline version also that doesn’t request or use internet access. You can sync the encrypted database however you like.
I like it, I’d say give it a look.
I generate mine with the unix pwgen command. I store them on a secured home server either in an unencrypted or GPG encrypted file depending on how “dangerous” they are. When I need one remotely I SSH in from my phone.
@awk
Hmmm… I have most of those things available already.
I may have to get back to you on this.
@awk
@mfladd I’ll translate!
@awk has a server at home, possibly running the UNIX operating system. On UNIX systems, there is a command named ‘pwgen’ that generates a password.
Depending on how worried he is (or isn’t) about a given password falling into the wrong hands, @awk digs out his trusty GPG decoder ring (or the electronic equivalent thereof) and uses it (or doesn’t) to encode the password so that even if someone got hold of the file it would be useless to them.
The server is accessible from outside of @awk’s home so that, when out and about, he can connect to the server and retrieve whatever password he needs, provided he remembers the password to connect to the server.
@mfladd
Skipped out on school and hacking, huh?
@mfladd
@f00l School no, hacking yes. That’s why I went into healthcare. Yes, scaaaaaaary thought.
@jbartus or encode them using the old tick tack toe kids code. Except we continued with the system used for A through R rather than use the X for the last 8 letters.
As a kid I could write in that “code” really quickly (could also write in mirror writing really quickly as well - the stupid things we practice doing as kids LOL). We’d pass notes in grade school/junior high in class that way and really frustrate the teacher when we were caught as she’d have no idea what we were writing.
@Kidsandliz I was just making a joke poking a bit of fun @mfladd’s way. Figured decoder rings were old tech enough. Good ol’ cereal box prizes.
@mfladd
Then I recommend the resources in the back of a Superman comic book, or perhaps those found in a Cracker Jacks box.
I use LastPass, but I’m just a casual user.
@jsh139
I only use it at 4:20 every day.
Did you know if you type in your password it just shows asterisks? This is my meh password ************. Pretty cool huh? Now you try!
.
.
.
.
.
I am kidding don’t do this please.
@caffeine_dude
Gotta love how if someone has their passwords saved to Chrome, and you right click the box, click inspect, and change
to
then it would show the password.
@PlacidPenguin
My sweet little perfectly secure browsers do not save my passwords. No no no!
@PlacidPenguin or you can go into settings scroll down to auto fill, click manage saved passwords and view them all with their corresponding usernames and websites
@jbartus
If it’s not my laptop/pc and the user has a password, I’d need a password to easily access passwords.
One password to rule them all…
@PlacidPenguin have they secured it finally? It used to be laughable on Firefox and Chrome to get that stuff.
@PlacidPenguin Crap, that sucks.
I’m a heavy lastpass user, the recent vulnerabilities do give me pause.
That said, it’s being handled responsibly and acknowledged, which is encouraging.
I just write them on bathroom walls. The sleazier the better.
@f00l
Phone numbers as well?
@PlacidPenguin 867-5309
@PlacidPenguin
ButOfCourse
(202) 456-1111
@f00l
@PlacidPenguin
I just hide behind a potted palm in the corner at that place. Nobody seems to notice me, and all the calls for me seem to come in about 3am and concern getting me to go to a meetup in a rent-by-the-hour hotel anyway …