More Password Managers

I’d add the following features that I did not see among the ones you listed:

  • Securely share secrets (login credentials, software license keys, numbers for driver’s license, passport, etc.) that are in the Vault with others, and
  • Emergency access by others in the event of death or incapacitation.

Yes, but with the obvious caveat that commonly used phrases from history (“fourScoreAndSevenYearsAgo”), literature (“itWasTheBestOfTimesItWasTheWorstOfTimes”), and popular cryptographic examples (“correctHorseBatteryStaple”) should be avoided despite their length. :wink:


Yes, but with the obvious caveat that commonly used phrases from history

Yep…should have noted that as well…I’ve been using the words with symbols and digits for decades instead of the substitutions like 3 for e and @ for a and so on. I’ve got a standard format I use and it just makes them so much easier to type in the event it is needed.

I too have used 1Password for years, until the recent changes others have mentioned (subscription, VC-owned) plus their customer (dis)service—non-answers, pressure to subscribe, hiding the full non-subscription version (moot now with V8).
I see only one comment on Minimalist, a simple password manager that intrigues me. Anyone here have any experience with Minimalist or its parent company, located in Canada?


Thanks @jonmcintosh and @gdevoe1 for your mention of Minimalist … I’ve been a 1Password user since it was “1Passwd” (tried a few others since then, and still also use iCloud Passwords), always stuck to it but recently have become a little dissatisfied … trying out Minimalist now!


My New Year’s resolution was to sort out the password gunk I have accumulated over the (many) years. I had been looking at 1Pswd alternatives, and my future solution was to be Minimalist, as it was well integrated with Apple stuff, was available as a one-time purchase, and fairly reasonable at $60 for Mac and iOS functionality. A couple of days before Christmas I went to purchase from within the app. Price was now $100! Same at the App Store. The 66% price increase felt a little too much, so I waited to see if it would come down. The answer was NO. It is now subscription only. I do not consider myself a freetard, but that is not in my budget. I have instead bought the KeePass-based Strongbox, currently $59.

bought the KeePass-based Strongbox, currently $59

I’m looking at that myself if/when 1PW 7 quits working…as well as Enpass. I need attachments and secure notes and would prefer to have Dropbox in addition to iCloud, and it doesn’t seem to do either that or secure notes…there is a notes field, but it doesn’t appear to allow formatting. Enpass has all the features in 1PW 7 that were removed…Dropbox, non-subscription, secure notes, attachments, and auto backup, so it’s currently my on-deck option…but Strongbox would also do the job…and most of the secure notes with formatting aren’t password-related, so I could move them to encrypted Notes if I had to. I’m currently paying the sub fee for 1PW since standalone licenses are gone now…but there’s nothing on their server outside of the basic account, and the only vault there is the shared “911, we got run over by the bus” one for our executor.

What’s your working definition of long enough?

I’ve arbitrarily asserted that strings of 35+ random characters (drawn from uppercase and lowercase letters, numbers, and symbols) are sufficient.

I wonder how practical passwords that long are if you ever have to enter them manually. I’ve found that for more than about 15 characters it’s hard to get through the whole string without an error. That’s about what we have for WiFi network router passwords, and I would hate to have to do a big batch of such passwords if a password manager lost its data file.

I have switched to Strongbox and am using it with Dropbox. So far, it is working fine although not as polished as 1Password — hopefully it will evolve over time

I noted in another reply just now that 20 characters (which is less than I use), with 5 each of upper, lower, digits, and symbols, when attacked at 1 trillion guesses per second takes 11.52 thousand trillion centuries to crack…so really, in 2022, 20 is probably enough. Definitely more than 17, because that forces you (if running Windows) into NTLM2 instead of NTLM, and that’s a more secure algorithm. My masters are more than 25, but really going to 35 is just overkill…36 characters gives you 5.07 hundred billion trillion trillion trillion centuries to search the password space.

Of course…the average time to crack is only half the total time…but that’s still a really long time.

This is why you don’t need to use random gibberish.

Thames&pUppy&griGio12345…that’s 24 long, and since it’s not random gibberish it’s easy to type…one can just use the same symbol all the time and capitalize the 1st, 2nd, and 3rd letters of the 3 words respectively, followed by a random 5-digit number that is easily remembered by the user but not easily guessable…for instance, use your high school girlfriend’s birthday or something that you’ll remember but nobody can easily guess.
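Added worked example (my own, not code from any post in this thread) putting numbers behind the two estimates above: the brute-force search space and time-to-exhaust for a uniformly random password of a given length, and the much smaller space the "three words + one repeated symbol + five digits" scheme has if an attacker has learned the construction rule (the concern raised further down about a leaked technique). The 95-character printable-ASCII alphabet, the 1 trillion guesses/second rate, the 20,000-word dictionary and the 33 candidate symbols are all assumptions chosen for illustration, so the exact figures depend on them.

```python
import math

# All parameters below are assumptions for illustration, not values from the thread.
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600   # ~3.156e9 seconds
PRINTABLE_ASCII = 95                              # 26 + 26 + 10 letters/digits + 33 symbols
GUESSES_PER_SECOND = 1e12                         # the "1 trillion guesses per second" attacker


def random_keyspace(length, alphabet=PRINTABLE_ASCII):
    """Candidates a brute-force attacker must consider for a uniformly random
    password of `length` characters drawn from `alphabet` symbols (exact int)."""
    return alphabet ** length


def pattern_keyspace(words=3, dictionary=20_000, symbol_choices=33, digits=5):
    """Candidates for the Word&wOrd&woRd12345 scheme *if the attacker knows the
    pattern*: each word from a dictionary of `dictionary` entries, one symbol
    (from `symbol_choices`) reused between words, a fixed capitalisation rule
    (contributes nothing once known) and a trailing `digits`-digit number."""
    return (dictionary ** words) * symbol_choices * (10 ** digits)


def entropy_bits(keyspace):
    """Search space expressed in bits: log2 of the candidate count."""
    return math.log2(keyspace)


def centuries_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses/second.
    Average time to success is half of this."""
    return keyspace / rate / SECONDS_PER_CENTURY


def compare(length=24):
    """The same 24-character password under two attacker models:
    blind brute force over all printable strings vs. an attacker who has
    recovered the construction rule and only enumerates the pattern."""
    blind = random_keyspace(length)
    known = pattern_keyspace()
    return {
        "blind_bits": entropy_bits(blind),
        "blind_centuries": centuries_to_exhaust(blind),
        "pattern_bits": entropy_bits(known),
        "pattern_centuries": centuries_to_exhaust(known),
        # 36,525 days per century under the 365.25-day year used above
        "pattern_days": centuries_to_exhaust(known) * 36525,
    }


if __name__ == "__main__":
    for n in (17, 20, 24, 36):
        ks = random_keyspace(n)
        print(f"{n:2d} random chars: {entropy_bits(ks):6.1f} bits, "
              f"{centuries_to_exhaust(ks):.3g} centuries to exhaust")
    r = compare()
    print(f"24-char word scheme, pattern known: {r['pattern_bits']:.1f} bits, "
          f"about {r['pattern_days']:.0f} days to exhaust")
```

The point the numbers make: a 20-character random string over 95 symbols is about 131 bits and sits around 1e18 centuries at a trillion guesses per second, while the 24-character word scheme collapses to roughly 64 bits, under a year of exhaustive search at the same rate, the moment the attacker knows the shape. How large a dictionary the attacker has to use is the main lever, which is why reusing one recognisable construction everywhere is the part that matters.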

I gotta agree…random gibberish is a lot harder to type accurately…particularly on an iDevice…and once you push the hacker into brute force, words are no less secure than gibberish.

Problem is, if you use the same construction technique everywhere, and a weak site or two are hacked for passwords, then your technique could be analyzed and vastly reduce the solution set for the important sites.

The WiFi network router password uses words and random numbers, which makes it somewhat manageable. It’s also a case where entering passwords needs to be somewhat manageable because it’s all too easy to get bumped off the network and have to reenter the password.

Only if those sites stored the passwords in clear text, which in this day is nearly unheard of. More likely, the weak sites would only give up hashed versions of your password, analysis of which would yield zero information about your password construction technique.


Ok, how about an insider threat, being able to see plaintext passwords?

In any event, if you use a human-designed “system” you are making life easier for crackers. So, public/private encryption and/or totally random generated passwords is the best available today, including using public domain, highly tested and evaluated code to do the encryption/decryption/generation. DON’T try to “roll your own”.


If I understand you correctly, your scenario proposes a single insider who can see two or more of your plaintext passwords for different sites. If so, the only place I can think where two of your passwords to different sites could possibly appear together is in a password manager. But then, one would have to assume all your passwords would be there as well, and therefore deciphering your password creation technique would be of no additional benefit to the cracker. (Not to mention that your plaintext password is never persisted to disk in any reputable site, and certainly not in any password manager.)

To me, if there is an additional benefit in using a random password generator vs. a well-constructed human creation scheme (such as the one proposed by @neil1), it pales in comparison to the benefit of being able to more easily remember your password. Personally, I think there is no additional benefit, but good people can (and do) come to different conclusions in this debate. :slight_smile:


If you’re a high-enough value target that someone is targeting you specifically (vs. attacking everybody in a data breach), then yes, this is a concern. But if someone is targeting you directly, then quite a lot of common practices won’t be sufficient.

I wouldn’t worry about this if you’re not being targeted directly. It’s not worth a criminal’s time to perform this kind of analysis unless they believe there is a massive payoff for success.


FWIW, I’m currently evaluating Enpass. It ticks the most important boxes for me. The import process from my LastPass export was nearly flawless (they don’t have a couple categories LP does, and vice versa, but just a minor inconvenience). I’d have to give their tech support a B- so far. They posted incorrect instructions on their web site for erasing synced data from iCloud (I wanted to re-start my eval with a clean slate). They responded w/in 24hrs to my email with better instructions, but still not entirely accurate or complete. Overall impression is positive; unless I hit a roadblock, I will likely switch over before my LP renewal is up.


Would you be willing to share your selection criteria and which boxes are ticked?