Password Security Catch-All Thread

DeThroned wrote:

What's the reason to have a paid Bitwarden account? Seems like the free would work for me (Currently on free LastPass and while it seems ok, I don't mind change either)

Convenience, to support the creator.

Or you could set up self-hosted.

I switched to BitWarden back when LastPass really sh*t the bed on Firefox support and it was essentially broken for months and their customer service was awful.

Even having a paid subscription to LastPass I made the switch and haven't looked back. They've just gotten progressively worse since they were acquired (by LogMeIn, I think?)

I remember one truly frustrating "feature" for LastPass was if you used two-factor, it didn't "fall back" to another method like almost any other sane implementation. Which baffles me why they let you set up multiple 2fa methods, but whatever.

The one feature I wish Bitwarden had is syncing your settings. If I install it on a new device/reinstall the browser extension I always have to go in and change the clear clipboard setting to 5 minutes instead of "never". I can't be the only person who finds never having their clipboard cleared uncomfortable.

*Legion* wrote:

Today I switched to a self-hosted Bitwarden environment, and it's pretty great so far. I appreciate how easily the browser extensions and desktop apps allow you to switch to a self-hosted environment, and how transparent it is once it is done.

That's good to hear! I haven't taken this leap yet.

What do y'all do for awful apps that still require you to manually type out passwords?

Whenever I have to relogin to Netflix, for example on a new device, sometimes it's such a f*cking hassle I temporarily change my password to something simple, login, then change it back.

How have these huge companies not switched to something more user friendly like just visiting a website and typing in a code?

I guess you could also use application specific or one-time passwords...

PaladinTom wrote:

Doing some searching I came across Authy. Anyone have experience with it? The thing I like is being able to use two devices instead of just one, although that seems like it would be another vector for attack.

Authy is arguably less secure because of the cloud syncing, but in actual real-world use it makes 2fa much, much, much, MUCH less annoying.

As someone who had to use 2fa on everything for work, the convenience was worth it, and one time when I accidentally wiped my phone (I was transferring to a new one and got careless) it really saved my ass from a world of hassle/pain.

I consider it like those awful IT department policies that make you change your password every six months. I have never worked a job like that where people didn't start putting their passwords on Post-It notes, infinitely less secure than just, well, keeping a good password long term.

So with Authy, using 2fa is tolerable, and myself (and other folks/employees) were much more likely to actually enable it whenever possible.

So I guess it comes down to what your "threat model" is. For me, smaller individuals/groups of hackers/spammers/thieves are more of a concern than nations/states, so I consider it worth the extra vectors, so to speak.

You have an external attack vector in Authy, in that the encryption in their cloud storage could be flawed in some way, or they could be subject to a FISA order requiring them to share all your secret authentication keys with the government.

But, in exchange, you have the easy ability to have multiple devices. For instance, I'm using it on both my phone and my desktop. I can use my phone to take a picture of a QR code, add the account, and then it instantly shows up in the desktop version. Presumably, it would work in reverse, too, though since the desktop doesn't have a camera, I haven't bothered. If I lose either of them, AFAIK I can remotely de-authenticate it and render it incapable of authenticating anymore, and I still have a working authentication program that I can use to talk to my existing providers to change keys or whatever.

If you have a printer and the physical space, an even better approach is to print out each new QR code as you receive it, and store it in a secure place. This will let you use any authentication program, enrolling it even years later. Downside: don't lose those papers.

I just use Authy, personally, but if I were in a high-threat environment (like being a sysadmin in any kind of substantial company), I'd probably be using the printout backup approach instead, and sticking with an entirely self-contained authenticator.

Malor wrote:

Presumably, it would work in reverse, too, though since the desktop doesn't have a camera, I haven't bothered.

The vast majority of 2fa services I've used seem to offer a text-based alternative to QR codes you can use to add entries via the desktop app. Then it just syncs back to your phone/other devices.

Which is extremely useful if you have to set up accounts for work, because you can do it while you're multitasking on your desktop.

Kind of a tangent, but something I really dig about the YubiKey software is you can actually take a screenshot to grab QR codes via the app.

Something I wish any of these authenticator apps did was sort your logins. It's completely nonsensical to have them in the order they're added.

With Authy you can re-arrange them but it's annoying to do manually. Why not just have the option to sort alphabetically by default? I've never understood why such a simple usability feature seems to be abhorred by YubiKey, Google, and Authy.

1Password does alphabetical and it has a very frictionless search. It lets you set up categories and favorites too I think but I never bothered since the search is easiest.

I've only added three things to Authy so far, and at least in the desktop version, they're alpha-sorted. I didn't add them in alpha order, either.

But on the phone version, they're just in order added across the bottom.

Looks like LastPass is changing how free access works. I guess I can understand the switch since I'm sure most people stayed on the free version since there was little incentive to get premium. I had premium for 6 months and never really used any of its features in that time. Now they are essentially forcing the issue:

What's changing in LastPass Free?

Beginning March 16, 2021, LastPass Free will include access on one device type of your choice. The first device you login with on or after March 16 will set your active device type.

If you choose computer as your device type, LastPass Free will work on all computers in your life:
If you choose mobile as your device type, LastPass Free will work on all mobile devices in your life:

Maybe I will toy with the idea of switching to 1Password.

Bitwarden has been pretty great so far.

LastPass just had a 25% off deal for a year that I kept getting notified about. I actually was trying to see if it would let me do that for a family account so that I could share all the streaming passwords easily but I never could figure out a way. Seems that's gone now that this announcement is out.

I used to pay for LastPass. I really don't have a problem doing so. But every time I start looking at paying for something, I will look at the other options again and see what they give me for my money instead.

MannishBoy wrote:

I used to pay for LastPass. I really don't have a problem doing so. But every time I start looking at paying for something, I will look at the other options again and see what they give me for my money instead.

This is my feeling as well. Just need to spend some time transferring to 1Password to make use of the 14-day trial. 1Password seems like it will be 50c more per month with the current LastPass deal.

Keepass + Google Drive is still free as f*ck.

Yeah, it requires a little overhead on your part, but it works everywhere.

I need something that tech-unsavvy folks (wife/kids/parents) can use. LastPass is like right on the border of what they can manage; enough so that they won't use it to set anything new up - only the stuff that I set up for them initially.

merphle wrote:

I need something that tech-unsavvy folks (wife/kids/parents) can use. LastPass is like right on the border of what they can manage; enough so that they won't use it to set anything new up - only the stuff that I set up for them initially.

EvilDead wrote:

Bitwarden has been pretty great so far.

I actually find the interface much cleaner than LastPass. Functionality-wise it is essentially the same. And the basic account has most of the features and is free. I pay them $10 a year for authenticator stuff that I haven't used yet.

EvilDead wrote:
merphle wrote:

I need something that tech-unsavvy folks (wife/kids/parents) can use. LastPass is like right on the border of what they can manage; enough so that they won't use it to set anything new up - only the stuff that I set up for them initially.

EvilDead wrote:

Bitwarden has been pretty great so far.

I actually find the interface much cleaner than LastPass. Functionality-wise it is essentially the same. And the basic account has most of the features and is free. I pay them $10 a year for authenticator stuff that I haven't used yet.

How's the Android integration? LastPass is great...until it isn't. Then I have to go manually log into the app and either copy stuff in or have it magically start working again. Not a huge deal, but something that I doubt my wife or kid would like dealing with.

A lot of people seem to have a consensus that Bitwarden is great. Think I may go to that. The free version looks robust but I definitely don't mind paying $10 per year.

MannishBoy wrote:

How's the Android integration? LastPass is great...until it isn't. Then I have to go manually log into the app and either copy stuff in or have it magically start working again. Not a huge deal, but something that I doubt my wife or kid would like dealing with.

I find it finicky on occasion but overall less finicky than when I used LastPass.

I have been using 1Password happily for years. It is simple and has good iOS integration. Ease of use is high on my list of priorities.

Wife and I have been using 1Password for a few years now as well. You can have shared vaults for things you want to jointly access, while keeping private vaults for stuff that doesn't need to clutter up the shared one. We bounce between Windows 10, macOS, iOS, and Android, and it works pretty flawlessly across all those devices.

How easy is it to swap from LastPass to 1Password? Anyone have any experience with that?

Add me to the list of people who has to re-evaluate their password manager options. I've been happy with LastPass for years. But if I'm going to pay I'd want a family account.

*Legion* wrote:
MannishBoy wrote:

How's the Android integration? LastPass is great...until it isn't. Then I have to go manually log into the app and either copy stuff in or have it magically start working again. Not a huge deal, but something that I doubt my wife or kid would like dealing with.

I find it finicky on occasion but overall less finicky than when I used LastPass.

Same.

Tonic wrote:

Add me to the list of people who has to re-evaluate their password manager options. I've been happy with LastPass for years. But if I'm going to pay I'd want a family account.

LastPass does have a family (up to 6 people) premium pricing plan available. I think I'm probably just going to go this route for now. I did create a BitWarden account, at least to check out how it looks, and it doesn't seem that much better than LastPass - so, path of least resistance here.

Does Bitwarden store credit cards like LastPass? Briefly looked at the site and didn't see it.

EDIT: Never mind, looks like it kinda does.

https://bitwarden.com/blog/post/note...

NSMike wrote:

Keepass + Google Drive is still free as f*ck.

Yeah, it requires a little overhead on your part, but it works everywhere.

Does KeePass now support Google Drive natively? Long long ago, when I started using KeePass (I think predating Google Drive) Dropbox really was the only "easy" way to sync online across devices and I have been on that since then. I don't mind it, but really at this point it's the only reason I still have a Dropbox account.

Carlbear95 wrote:
NSMike wrote:

Keepass + Google Drive is still free as f*ck.

Yeah, it requires a little overhead on your part, but it works everywhere.

Does KeePass now support Google Drive natively? Long long ago, when I started using KeePass (I think predating Google Drive) Dropbox really was the only "easy" way to sync online across devices and I have been on that since then. I don't mind it, but really at this point it's the only reason I still have a Dropbox account.

Yeah, you can select any cloud drive to open a database from. I use it with OneDrive.

staygold wrote:

How easy is it to swap from LastPass to 1Password? Anyone have any experience with that?

I haven't tried it yet but it seems like it is easy - outlined here

Bitwarden Is Now the Best Free Alternative to LastPass

I am debating switching.

However I am not sure the free version of LastPass won't be ok for me.

According to their explanation

Sarah is a LastPass Free user with Computers as their active device type. They can use LastPass on their laptop, desktop, and their dad’s laptop (anyone’s computer!), but they can’t use LastPass on their phone, tablet, or smart watch unless they upgrade to LastPass Premium or Families for unlimited device type access.

I am not sure that just having it on the computer wouldn't be good enough. I don't really access it on my phone or pads. Once in a while but I don't know that I "need" it on those devices.

Part of what makes it worth it to me is that I use it on my personal PCs as well as my work laptop and phone. So either I start to pay for LastPass (like I used to do), or I move to another service.

This reminds me of CrashPlan's shutting down for consumers in how my personal PC workflow/maintenance has to change.

I think LastPass's problem was they made the free plan TOO good for a while. I think they did it to try to increase enterprise adoption by making it a widely known application. Probably didn't work. And in the meantime, the big boys like Google and MS started competing themselves.

Which reminds me, if you use MS Authenticator, it actually now includes a password vault. Seems to work on Android, too. And there's a Chrome extension. So I may look into that as I'm already using it with my employer and client.

If people decide to go with LastPass, I did get an email where they've currently got a discount that makes it $27/year, then it looks like Rakuten has a cash back of 20% that might apply.

farley3k wrote:

I haven't tried it yet but it seems like it is easy - outlined here

Bitwarden Is Now the Best Free Alternative to LastPass

I am debating switching.

Nothing's stopping you from exporting your passwords from LastPass and importing them into Bitwarden and having both browser extensions running so you can try them side-by-side.

MannishBoy wrote:

I think LastPass's problem was they made the free plan TOO good for a while.

That sounds about right. I started out with the free plan, then happily moved to the paid tier when they added mobile apps. I was a paid subscriber for just a year or two before they moved all the features I used to the free tier.

And human psychology being what it is, their asking $3/month for what they've been providing free for years is a grave insult to me. So now I guess I'll check out Bitwarden.