Password Managers

Easto
SG Elite
Posts: 5753
Joined: Sat Dec 02, 2000 12:00 am
Location: So. California

Post by Easto »

I have been using KeePass as my password manager for several years. I am very happy with it and I find that it does exactly what I need in a password manager. Usually when searching for a list of reliable password managers KeePass would always show up on someone's list of the "10 best". Today I was doing a search and it appears that it has either dropped out of favor or is being pushed aside by subscription options. I was just wondering if anyone had any insight as to why KeePass doesn't seem to be in the ratings any longer? Did something adverse happen to their program that would have thrown it out of favor?
Philip
SG VIP
Posts: 11524
Joined: Sat May 08, 1999 5:00 am
Location: Jacksonville, Florida

Post by Philip »

Just want to chime in to mention many of those "Top 10" sites exist simply for the affiliate links, they get a couple of cents when you buy something.. So they have no interest in ranking any freeware/opensource software.
When I need to compare software, I usually go to some site like alternativeto.net and look there, as it is based on actual user feedback, rather than some random editor.
https://alternativeto.net/software/keepass/


I would prefer a local/open source manager, KeePass seems pretty capable and it is being updated. In general many password managers are ok as long as the password file/database is locked, and vulnerable to exploits while it is unlocked.
Linux is user friendly, it's just picky about its friends...
Disclaimer: Please use caution when opening messages, my grasp on reality may have shaken loose during transmission (going on rusty memory circuits). I also eat whatever crayons are put in front of me.
๑۩۞۩๑

Post by Easto »

I have noticed that there seem to be way too many "affiliate" sites popping up everywhere. One of the dead giveaways is the generic way they present their opinions. Basically a cut and paste job.

When I use KeePass I only have it open long enough to grab the password I need and then it gets closed. It is never left open for convenience. It seems like it really is a great manager, it's just that most of the bad mouthing is from people saying it's just too difficult to use and learn.

Post by Philip »

There are some trojans that can grab unlocked password files from common password managers if/when they are open.. Kind of a moot point if your PC is clean of malware.
YeOldeStonecat
SG VIP
Posts: 51154
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Bitwarden
MORNING WOOD Lumber Company
Guinness for Strength!!!

Post by Easto »

YeOldeStonecat wrote: Bitwarden
Thank you for the tip. I highly regard your suggestions and will take a look at this. I'm currently going through their "help" videos to see if this is a direction I'd like to go. I'm sure it probably does what I need it to do but I'll withhold any comments until I get a chance to go through it all.

For the record, can you elaborate as to why you pick Bitwarden?

Post by YeOldeStonecat »

Easto wrote: For the record, can you elaborate as to why you pick Bitwarden?
Have seen it recommended by many other IT people...
Open source...so has community coding eyes on it to keep it robust.
Excellent browser plugin if you want
You can self host. Or use their cloud services. (I use the cloud version)
Basic version is free, they do have a professional version that you can use, VERY low cost, can have separate vaults. Such as if for a company.
Supports TOTP for MFA on things like Office 365 logins. While not a big deal for single users, for businesses with multiple people needing to access things that are MFA'd...this is excellent! For example, at our office, there are 6x of us. Many of us have a need to sign into many different secure portals. All can have a login with Bitwarden, and access to the TOTP code for a particular site they're logging into.

At our office we now use HUDU for this, but it's because HUDU is also an excellent documentation system designed for IT companies and it also integrates into our RMM, SyncroMSP.

I still use Bitwarden for my personal stuff.

Post by Philip »

I was looking for something slightly different: to encrypt and password-protect sensitive info in a certain folder on removable media (USB flash drives, sdcard, laptop, etc.)

requirements:
- portable, easy to run/use stand-alone without installation on the host OS (run directly from USB drive?)
- software that is not proprietary, i.e. freeware/open source/low-cost, something with a long-standing track record of being updated, audited
- using modern industry-standard encryption and hashing algorithms, e.g. AES, sha-512 or sha-3, etc.
- ability to easily encrypt a single folder with multiple files

preferences:
- create encrypted file/folder rather than a whole drive/partition
- not using password-protected zip/rar files as a container
- cross-platform? Windows/Android/iOS if need be
- usable for cloud storage?
- easy enough to recommend to non tech-savvy users?


After a bit of searching and reading, seems the space is not large, and the only popular non-proprietary software I found that hits most of those points is TrueCrypt (no longer developed), and its successor VeraCrypt.
The only downside seems a bit cumbersome for USB drives. For example, you can't simply associate an encrypted file/extension to the VeraCrypt application, and have it auto-mounted. Instead, you have to find/launch the program, then choose the encrypted file, then choose what drive-letter to mount it as, finally enter password and only then you can gain access to your files. I'd much rather have preset all that so I can double-click, be prompted for a password and open the volume quickly.
There are a few other peculiarities I am not completely happy with, for example when I mount a volume as removable, then I can't unmount it safely without doing it through the program... The volume is fixed size, which is not ideal for uploading to cloud storage, it has to sync the whole volume after changes. In general it works ok, but a bit cumbersome UI.

Alternative I plan to look into: Cryptomator (github)


Anyway, I am just wondering what others are using, if anything.

Post by YeOldeStonecat »

I used to use TrueCrypt years ago, before Bitlocker got so easily centrally managed via Microsoft 365.
But as you noted...since it's 3rd party (thus..outside of the OS)...you have a few hoops to jump through..it does need to be installed locally on the computer to be able to mount folders.

Since any clients I have that would need security, I have Bitlocker managed on their laptops/desktops, further encrypting folders another layer on their computer isn't necessary. They have OneDrive to protect their files. (and anything you keep in 365 is bitlockered up in the cloud)

For portable drives, I like the "hardware encrypted" drives that have the keypads built into them. Like Apricorn FIPS2 drives
https://apricorn.com/
No software needed.

Post by Philip »

Yeah, I get Bitlocker I suppose, it's just Microsoft proprietary. VeraCrypt and Cryptomator seem to have options to unlock files/folders on different OS, and somewhat simple small software can be run to encrypt/decrypt. They have portable versions that can be run from a flash drive, some Android apps, etc.

After playing with both, seems Cryptomator is simpler and more targeted towards encrypting files in cloud storage, while VeraCrypt is more of a local full volume/partition encryption.


The hardware encrypted USB drive seems interesting, thanks for the link.

Post by Philip »

Seems LastPass not only got hacked, but their customers' password vaults got stolen as well :/
https://www.speedguide.net/news/lastpas ... sword-7973