Password Manager Apps

Error 304, turn it on and off again.
elgaucho
Posts: 259
Joined: Mon Aug 13, 2018 7:50 am

Password Manager Apps

Post by elgaucho » Sat Oct 24, 2020 10:26 am

So I've been forced to upgrade my iPhone 6 this week after the battery regulating module seems to have failed absolutely these last few weeks, with my phone sometimes not turning on for days at a time.

However, that comes with the usual "your app isn't available on the app store" issues, which means my password manager app needs to be replaced as I can't install it.

I used an awesome little app called iAccounts for many years.

In particular I liked that:
  • it was a one time purchase
  • it wasn't cloud based
  • had a desktop app for backup and restore


Now I'm looking for a replacement app.

90% of recommendations I'm finding are for recurring subscription models which I'm never going to choose.

BitWarden looks promising, but seems to use web authentication to access your vault. I don't want external dependencies, and I don't want proprietary third parties storing my password database, encrypted or not.

KeePassXC doesn't seem to have an iOS option.

The best option I see is SafeInCloud Pro, which is excellent. It's a one time purchase for the pro version, with a file stored in Dropbox or Google Drive for syncing.

However, I use SafeInCloud for shared family support accounts, so I can't use it in this case without replacing the database, I don't think.

So does anyone have any other recommendations that aren't subscription based, and don't require third party web / server authentication? Secured file on cloud based storage, as long as it's encrypted, is acceptable to me.

Thanks!
Proud PW Member since 15/10/2003
A lurktastic 2678 posts!

DjchunKfunK
Bar Staff
Posts: 2197
Joined: Thu Aug 09, 2018 9:02 am

Re: Password Manager Apps

Post by DjchunKfunK » Sat Oct 24, 2020 10:31 am

I have been using LastPass for a number of years now and not had any issue with it.

elgaucho
Posts: 259
Joined: Mon Aug 13, 2018 7:50 am

Re: Password Manager Apps

Post by elgaucho » Sat Oct 24, 2020 10:59 am

DjchunKfunK wrote:
Sat Oct 24, 2020 10:31 am
I have been using LastPass for a number of years now and not had any issue with it.
It's a very reputable app. My issue with it is that the database is still stored by LastPass in their 'vault', as far as I can determine. And while AES-256 encryption is secure today (and for the foreseeable future), the day it's not, and that data is centrally stored somewhere, it's all compromised.

I know my requirement is above the standard requirement, but an AES-256 encrypted data file stored on a tertiary, non-centralised solution would further reduce risk, at least in my view. I don't like cloud apps, and I certainly don't trust any business with more data than they need from me when I don't have a choice.
Proud PW Member since 15/10/2003
A lurktastic 2678 posts!

Rusty
Posts: 815
Joined: Fri Aug 10, 2018 3:21 pm
Location: Plymouth, Devon

Re: Password Manager Apps

Post by Rusty » Sat Oct 24, 2020 4:37 pm

I too love LastPass and use it on all my personal devices. My work ones can't install it as it's been blacklisted by our security guys.
-- To be completed at some point --

Drarok
Posts: 940
Joined: Tue Aug 14, 2018 10:12 pm

Re: Password Manager Apps

Post by Drarok » Sat Oct 24, 2020 9:00 pm

elgaucho wrote:
Sat Oct 24, 2020 10:59 am
And while AES-256 encryption is secure today (and for the foreseeable future), the day it's not, and that data is centrally stored somewhere, it's all compromised.
That's not how this sort of thing works though. Unless there's some horrific back-door or massive fuck up, your data doesn't suddenly become readable to any Tom, Dick, and Debbie at the drop of a hacker's black hat.

If you use a strong master password (and an extra factor such as a private key for example), you needn't worry who has your encrypted data. If you're planning to put it on Dropbox or similar anyway then your hesitance to use a cloud-based solution makes literally zero sense.

LastPass is fine, probably. Personally, I hate it. It's a really fucking ugly piece of software, and its integration is crap. I use 1Password, and it's like a breath of fresh air in comparison.

All that said, I think KeePass does what you want? They do offer iPhone/iPad options, but they're unofficial, see the list at https://keepass.info/download.html
Raid wrote:
Thu Jan 28, 2021 2:24 pm
And that's the story of why I'm not allowed near pregnant women for the next few weeks.

elgaucho
Posts: 259
Joined: Mon Aug 13, 2018 7:50 am

Re: Password Manager Apps

Post by elgaucho » Sun Oct 25, 2020 5:36 am

Oh I know I'm being unreasonable, and that my expectation is higher than I reasonably need. :lol: I understand that just because my vault file might be accessed, that it doesn't mean my data is, and that accessing that is still a whole other ball game.

However, if I have a master vault with everything, I still feel more comfortable having absolute control over where it's stored and how it can be destroyed, and proprietary hosting doesn't do that for me. I also can't stand these subscription models popping up everywhere. I don't know if you're on a legacy 1Password service, but they ONLY seem to offer a sub service at the moment. I just don't think it's value added enough to justify it, and it breaches my core requirements.

I had missed the KeePass iOS compatible services, but you're right - it DOES look like what I want. I'm exploring a few clients now. So thanks! :D

Regarding LastPass - I said they were reputable earlier. They've in fact had several breaches over the years. While technically not a wholesale breach, they are nevertheless enough of the kind of issues I'm concerned about:

https://en.wikipedia.org/wiki/LastPass
2011 security incident
On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, then a similar anomaly in their outgoing traffic. Administrators found none of the hallmarks of a classic security breach (for example, a non-administrator user being elevated to administrator privileges), but neither could they determine the anomalies' cause. Furthermore, given the size of the anomalies, it was theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass took the "breached" servers offline so they could be rebuilt and, on May 4, 2011, requested all users change their master passwords. They said that while there was no direct evidence that any customer information was compromised, they preferred to err on the side of caution. However, the resulting user traffic overwhelmed the login servers, and company administrators—considering the possibility that existing passwords had been compromised was trivially small—asked users to delay changing their passwords until further notice.[27][28]

2015 security breach
On Monday, June 15, 2015, LastPass posted a blog post indicating that the LastPass team had discovered and halted suspicious activity on their network the previous Friday. Their investigation revealed that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised; however, encrypted user vault data had not been affected. The company blog said, "We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed."[29][30]

2016 security incidents
In July 2016, a blog post published by independent online security firm Detectify detailed a method for reading plaintext passwords for arbitrary domains from a LastPass user's vault when that user visited a malicious web site. This vulnerability was made possible by poorly written URL parsing code in the LastPass extension. The flaw was not disclosed publicly by Detectify until LastPass was notified privately and able to fix their browser extension.[31] LastPass responded to the public disclosure by Detectify in a post on their own blog, in which they revealed knowledge of an additional vulnerability, discovered by a member of the Google Security Team, and already fixed by LastPass.[32]

2017 security incidents
On March 20, Tavis Ormandy discovered a vulnerability in the LastPass Chrome extension. The exploit applied to all LastPass clients, including Chrome, Firefox and Edge. These vulnerabilities were disabled on March 21, and patched on March 22.[33]

On March 25, Ormandy discovered an additional security flaw allowing remote code execution based on the user navigating to a malicious website. This vulnerability was also patched.[34][35]

2019 security incidents
On Friday, August 30, 2019, Tavis Ormandy reported a vulnerability in the LastPass browser extension in which Web sites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site.[36][37] By September 13, 2019, LastPass publicly announced the vulnerability, acknowledging the issue was limited to the Google Chrome and Opera extensions only; nonetheless, all platforms received the vulnerability patch.[38][39]
Proud PW Member since 15/10/2003
A lurktastic 2678 posts!
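
Added example, not part of the original posts and not LastPass's own code: a sketch of the salted, two-stage PBKDF2-SHA256 stretching described in the quoted 2015 statement, with a single-core estimate of what each master-password guess costs. The client-side round count, the use of the account e-mail as the client salt, and all function names are assumptions; only the 100,000 server-side rounds come from the quote.

```python
import hashlib
import hmac
import os
import time

SERVER_ROUNDS = 100_000   # server-side figure quoted in the 2015 statement
CLIENT_ROUNDS = 5_000     # assumed; the quote gives no client-side count
SECONDS_PER_YEAR = 365 * 24 * 3600

def client_auth_hash(master_password, account):
    """Client side: stretch the master password so it never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account.lower().encode(), CLIENT_ROUNDS)

def server_enroll(auth_hash):
    """Server side: random per-user salt plus a second PBKDF2 pass."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)

def server_verify(auth_hash, salt, stored):
    """Recompute the stored value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)

def guesses_per_second():
    """Measured rate on one core of this machine for both stages of one guess."""
    start = time.perf_counter()
    h = client_auth_hash("constructed-guess", "user@example.com")
    hashlib.pbkdf2_hmac("sha256", h, b"\x00" * 16, SERVER_ROUNDS)
    return 1.0 / (time.perf_counter() - start)

def years_to_search(entropy_bits, rate):
    """Expected years to find a password drawn uniformly from 2**entropy_bits."""
    return 2 ** (entropy_bits - 1) / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample account and password, for illustration only.
    h = client_auth_hash("correct horse battery staple", "user@example.com")
    salt, stored = server_enroll(h)
    print("login ok:", server_verify(h, salt, stored))
    rate = guesses_per_second()
    print(f"about {rate:.1f} guesses per second on one core")
    for label, bits in [("8 random lowercase letters", 37.6),
                        ("5-word diceware phrase", 64.6)]:
        print(f"{label}: about {years_to_search(bits, rate):.3g} years")
```

The rate is measured on one CPU core in Python, so dedicated hardware would be much faster and the printed years are an upper bound. What carries over is how strongly the result depends on the entropy of the master password.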

DjchunKfunK
Bar Staff
Posts: 2197
Joined: Thu Aug 09, 2018 9:02 am

Re: Password Manager Apps

Post by DjchunKfunK » Sun Oct 25, 2020 9:50 am

I don't think you are going to find a reputable password manager that hasn't experienced some kind of attack; what you need to worry about is did the attack lead to information actually being accessed.

Drarok
Posts: 940
Joined: Tue Aug 14, 2018 10:12 pm

Re: Password Manager Apps

Post by Drarok » Mon Oct 26, 2020 1:12 pm

"1Password has never been hacked"
Source.
Raid wrote:
Thu Jan 28, 2021 2:24 pm
And that's the story of why I'm not allowed near pregnant women for the next few weeks.

elgaucho
Posts: 259
Joined: Mon Aug 13, 2018 7:50 am

Re: Password Manager Apps

Post by elgaucho » Tue Oct 27, 2020 6:09 pm

Drarok wrote:
Mon Oct 26, 2020 1:12 pm
"1Password has never been hacked"
Source.
That it hasn't doesn't eliminate the risk that it won't. The article is a good one and justifies reasonably well why I'm over and above on my requirements. Nevertheless, that's my choice and the standard for my personal data I want to hold to, so it's a no go for me! :P
Plus 1Password is mandatorily subscription based, at least for new clients.

I've finally migrated all of my 400+ passwords to KeePass / KeePassXC, and am trialling the Strongbox variant to sync to iOS. It's never fun using a new tool when you're so used to the old one, but I'm happy with it. I'll probably explore some of the mods / addons for it and see if anything else is needed, but the whole thing works, which is the key thing. Thanks for your comments and suggestions.
Proud PW Member since 15/10/2003
A lurktastic 2678 posts!
