Password Manager Expert Needed?

[Ice Tea]

FireFox addon PfP: Pain-free Passwords

Quote from the addon page and his homepage

No need to trust us, your data stays on your device (safely encrypted) - Most passwords never stored but generated when needed

Generated passwords aren't saved to disk but rather calculated whenever they are needed

I was just about to signup to lastpass and while looking for their addon i came across the above firefox extension and the above quotes makes my head hurt.

Does it make sense to anyone , at a guess is he saying that all passwords are never stored as plain text on disk or in memory?

 

[james.miller]

Yes, sounds like they use an algo to generate the password on request. Good idea as long as that addin isnt compromised in some way, but then the same goes for anything i guess.

 

[touch]

Sounds like you store 1 strong password (which you dont use for any website accounts) and each other password for your accounts get generated from that main password.

 

[kindai]

Just use lastpass tbh.

Tried and tested.

 

[touch]

Just use lastpass tbh.

Tried and tested.

I would agree with this.

There are advantages and disadvantages to each approach though:
LastPass allows you to create your own passwords for each site you use. That means it has to store them in a database somewhere - and have it available online if you want to use it across all your devices. It's tried and tested, as you say, but it's also a massive target for hackers.

Using generated passwords means you have 1 very strong password to remember. You can use this across all your devices without needing online storage for it because every individual password is based on some clever calculation of your main password. Your passwords are not stored anywhere so there is zero chance of hackers stealing all your passwords from a database. The downside is that if a few of the sites you use get hacked and your password is leaked, they may be able to use those to reverse engineer your master password and then they can generate your passwords for all other sites.

 

[Deleted member 651465]

1Password here.

Too many data breaches for LastPass for me to ever trust them.

 

[Simon42]

I use KeePass and in two ways depending on the nature of the password data, either syncing to a file on my local file server (from local devices or via VPN to home) or syncing to a KeePass file on a general cloud storage provider. Using it in a synchronisation mode allows for use offline with updates automatically merged from all sources when online.

I don't like the potential for LastPass/1Password or similar to be hacked either from an internal source (developer or general employee) or an external source. Even when I used a cloud storage provider to store a KeePass file at least this isn't a known service and endpoint that people will be trying to hack continually. For the really paranoid like me, as KeePass is open source I also review the code and compile it myself to ensure it's safe.

 

[kindai]

Too many data breaches for LastPass for me to ever trust them.

Thats a little disingenuous is it not.

 

[Ice Tea]

Thanks all for the feedback and thanks to the Mod for moving this to a better section.

I know local manager like keepass would be more secure but i plan on using an online password manager for convenience though i'm undecided which one , 1Pass vs last vs dashlane seems to cause lots of arguments online.

I didn't plan on using the one in the original post , the description just confused me that's all...

 

[kindai]

1Pass vs last vs dashlane seems to cause lots of arguments online.

Best advice is to try them all and see which you prefer.

I tried 1pass and lastpass equally, but I found lastpasses integrations better and more intuitive to use personally.

You cant go wrong with either.

 

[Glanza]

Bitwarden is my goto password manager made the migration from Lastpass and not looked back.

 

[Simon42]

I know local manager like keepass would be more secure but i plan on using an online password manager for convenience though i'm undecided which one , 1Pass vs last vs dashlane seems to cause lots of arguments online.

KeePass can be used like an online password manager using any standard cloud storage for the data file (so just a little extra setup) without the risk of a global service.

 

[Lagmeister]

Been using lastpass, which I haven't had an issue with so far, but have been mulling over moving to BitWarden, but wanted it to get a bit more maturity under it's belt first, use 2FA when possible for everything as well though.

 

[Deleted member 651465]

Thats a little disingenuous is it not.

Issues in 2011, 2015, 2016 and 2017.

Disingenuous or factual?

 

[kindai]

Issues in 2011, 2015, 2016 and 2017.

Disingenuous or factual?

Maybe I am recalling incorrectly that despite "issues" there hasnt been any evidence to suggest any vaults were ever compromised. It's a bit harsh to imply they shouldn't be trusted when by all accounts the product is still a very good one.

 

[Glanza]

Maybe I am recalling incorrectly that despite "issues" there hasnt been any evidence to suggest any vaults were ever compromised. It's a bit harsh to imply they shouldn't be trusted when by all accounts the product is still a very good one.

For me it was the constant downtime they kept having over several weeks last year than made me look at other managers and settled on Bitwarden.

 

[Ice Tea]

Bitwarden is my goto password manager made the migration from Lastpass and not looked back.

Looks interesting , does the developer host his own cloud for the free users?

 

[Glanza]

Looks interesting , does the developer host his own cloud for the free users?

Default is cloud saving, you can host your own server if you wished.

 

[Ice Tea]

Default is cloud saving, you can host your own server if you wished.

But what cloud does it go to , is it one hosted by the developer or a commercial one like Amazon?

 

[Glanza]

But what cloud does it go to , is it one hosted by the developer or a commercial one like Amazon?

From their FAQ = Bitwarden processes and stores all data securely in the Microsoft Azure cloud using services that are managed by the team at Microsoft.