Password managers: online? offline?

I’m still managing my accounts the bad way, that is without a password manager.

The reason why I don’t use a password manager is because:

  • I don’t trust online password managers. At some point, someone will breach into one of them and steal information from hundreds of thousands of accounts (it’s my optimistic side at work, as you can see).
  • Offline password managers are annoying when you need to sync them between devices, especially when one of them is a mobile device.

So what is your way to deal with password managers? If you use an online one, aren’t your concerned about security nor privacy? If you use an offline one, how do you keep it synced between devices?

Discuss! (and thanks for the feedback :))

I use pass, with a little menu made with rofi; I sync between devices with Dropbox, and on Android to receive the passwords I use DropSync and Password Store. This is a bit of a techie-person’s lashup, though, and it was a pain in the earhole to set up; it’s not something I’d recommend to, say, my parents. But it works for me, now that it’s set up.

1 Like

I use KeePass.
It’s a windows GUI program, although it’s open source and runs through Wine nicely.
I’m writing a command line interface to it to export keys into bash environment variables for my command line scripts

…edit
Also to answer the question of syning. In my team i’m the person that sets up most of the passwords for servers and databases etc, so I mainly upload the encrypted database file to a shared server.
I think KeePass has a save to server plugin (although I haven’t tried it yet).

Chrome & its built in smart lock for all my unimportant passwords (like to my Bad Voltage community account :slight_smile:

important passwords saved offline in a lock box buried in my back yard.

3 Likes

Not sure I’d call my Bad Voltage password unimportant, I’m here every day.

I keep passwords to stuff which can cost me money written down in a locked box and don’t store them anywhere else. My other passwords are stored locally on my PC or phone. I would not keep them online as its only one account that needs to be hacked to get all my passwords.

3 Likes

I don’t use one either. I really shouldn’t, but I find myself more and more just using a google sign in for things I consider a password to be nothing more than a form of verification of identity. Yeah, I really shouldn’t because, I mean, it’s google and all that (that being said, they’ve always offered me a snack every time I’ve worked a physical security contract for them…so I will say that for them…) Everything else I let firefox remember a wrong password once and type the real one by hand each subsequent time. I don’t do online banking or anything. Important passwords I write in the physical book I’m reading at the time. So, for example, my copy of Talbot’s The Holographic Universe from a few years ago has my bytemark vmadmin root, nginx, redis, etc. etc. info in it because at the time I was running federated instance of pump.io and GNU mediagoblin (poorly!).

2 Likes

Thanks everyone for your answers!

@sil, your solution is something I had thought about, but as you say it’s a bit overkill (even though I guess once it’s setup, you’re all good).

My real, physical keyring has a USB drive attached to. I was wondering if I could use KeePassX’s encrypted database file and store one copy of it on my desktop (something that never leaves my home) and keep an updated copy on my keyring USB drive.

Another option would be to copy the encrypted database on my Android device so I can use it with KeePassDroid.

Check-out a solution from PasswordMaker.org.

The idea is instead of remembering passwords to all the sites you visit you use a formula to consistently re-generate the password every time you visit (typically a hash of the URL) so you only have to remember your master password and couple other settings.

The biggest issue I’ve had is sites that know better than you what a good password is and need a different combination of parameters than every other site. The worst offenders are sites that limit you to 10 characters or less; or can’t handle certain characters in the password!!!

Ok, shall I represent the heathans then?
I use an online one (LastPass), and do trust it because I listened to an (independant) podcast about how it works.

The password store is encrypted on device (e.g. in the browser) with your password, which they don’t store. If their servers get hacked, the hackers would have to brute force your password which is hashed with bcrypt (a very slow algorithm, no matter the CPU power). So if you have a half decent password it would take centuries to break into.

I am trusting that LastPass don’t deliberatly take my password from the plugin, but providing this service is their reason for existing, so doing that would be suicide.

On the downside researchers like Tavis Ormandy have found issues.
On the upside, researchers like Tavis Ormandy have found issues and they have been fixed.

I have about 700 accounts in there, I cannot be arsed managing all that crap. I have 2 factor on the important ones (and not using Lastpass’s app), so there is some independance there as well.

4 Likes

… and that’s an industry aswell.

passwoerdScreenshot_20170926_233122

… sigh.

I use Apple’s inbuilt system for safeguarding and using sensitive information, it’s better than nothing and it helps me from reusing some important passwords or remembering new ones. Before that I was using KeePassX; it worked but it was a bit clunky and cumbersome.

However, I don’t have anything of extraordinary value on the net that can be stolen and abused against me by retrieving the information saved in my passwords file. The things that matter can be disabled in a matter of minutes, I also have multiple levels of security for them, such as rescue codes, safety questions, two-factor authentication, and e-id systems.

I use KeePassX. All changes are saved the main file to my desktop and I periodically copy to my usb key on my keychain. I also maintain a 3rd offline backup stored in a fireproof safe that gets updated once a year.

I use a waterproof LaCie PetiteKey because it’s predecessors died in the laundry and when I went swimming one summer.

I just ordered a Yubikey since they had 50% off sale so will be upgrading to 2 factor authentication soon.

Are there any good reasons to NOT use either KeePass (via wine if needed) or KeePass X?
I worked at a company a few years ago and they standardised on KeePass.
Surely most people in this thread know how to setup a subdomain on an Apache/Nginix server to host the BD.
The DB is encrypted so what if soemone else downloads the file

down at synaptic - they call it KeePass 2 :old_key:

keepasssynaptic

I’ve used KeePass2 and KeePass2Android for years and years. I also integrate KeePass2 with Firefox using the KeeFox extension (it’s in a PPA for Ubuntu fans). I also use the TrayTOTP plugin for all my Google Authenticator needs too. I sync the files via Dropbox, but have also used NextCloud and SFTP (because I wanted to be edgy and cool :wink: )

I’ve found the ChromeIPass plugin to not be anywhere near as flexible as KeeFox, and I also find it much more annoying.

1 Like

installed keefox , but it requires mono & still doesnot work.

Any chance you could give me a clue instead of wading thru forums ?

keepass-screenshot-debian8

So, you need to have installed keepass2. It will install mono (as Keepass2 uses Mono, because it’s the same binary as the windows version). If you have problems getting it working from there, please don’t hesitate to give me a shout off here (my details are in the top box of my blog).

I just use KeePassX and KeePassDroid, transferring my database between the two every so often via a usb cable. For integration with various web browsers I use Alt-Tab

1 Like
Please respect our code of conduct which is simple: don't be a dick.