More Password Managers

I can make a list of features that are important to me and LastPass has them.

My problem with LastPass is not features; it’s security, which as you pointed out most TidBITS users (including me) cannot evaluate for themselves.

My master password is strong but that’s not sufficient because of security implementation issues, some of which security experts have known about since at least 2015.

I feel like a features analysis is not enough; I need to check for security issues as well.

Can you recommend a trustworthy source for security reviews of password managers?

UPDATE January 2, 2023 2:13 AM

Apparently, one of the security features to look for is FIDO’s Universal 2nd Factor (U2F) as opposed to One-Time Password (OTP), in order to prevent the user mistakenly typing an OTP into a phishing site, thereby facilitating a Man-In-The-Middle (MITM) attack.

LastPass currently supports OTP but neither U2F nor the newer WebAuthn, which underpins macOS 13 Ventura’s Passkeys.

The main one for me, being a twice-burned LastPass customer, is no third-party managed storage of the password vault. Or at least, not a third-party that I don’t already trust; in my case, I’m using iCloud to sync the vault between devices. Another would be entire encryption of the vault, not just usernames and passwords. And after that, good integration with Safari on macOS and iOS, support for multiple users of the same vault and support for multiple vaults, and decent tech support.

2 Likes

Did you just straight out ask them?

1 Like

I assume you mean whether the entire Vault is encrypted? It’s in their docs and FAQs. For example, this quote from their docs on “Vault”:

Vault in Enpass is a secure place where all the data is kept in encrypted format.

As a very long time 1Password user & advocate, from v2 or maybe even v1, and PasswordWallet before that - I’ve seen password managers grow to better fit the use cases.

1Password has been almost perfect. In the past I have recommended 1P to thousands of people. … until v8 when they removed important features, required all passwords to be stored in their cloud, making it impossible for security professionals and similarly minded folks to continue using it. So sad, as 1P has been one of my very favorite & most used software.

Moving forward, I’m very interested to hear everyone’s experiences with the other available password managers that still include a full feature set as 1P v6 & 7 did.

I’m still new to it, but Enpass.io is looking pretty good so far. AFAIK: local storage, multiple vaults, multiple clouds supported, full vault encryption, browser plug-ins, mobile app, cross platform, speedy, templates, tags, notes, local backups, no back door, strong security, WiFi sync, backwards compatibility for several years of OS versions, etc.

1 Like

As I understand, Enpass itself does not support any method of Multi-Factor Authentication (MFA).

1 Like

As mentioned in the reference you cited, Enpass is used locally, on the machine you have it on. What scenario do you envision where MFA should be used?

MFA is useful whenever an imposter has the password, which could result from theft or phishing. Yes, MFA based on OTP or SMS is not sufficient.

Ideally, you should have a FIDO2 compliant (U2F) hardware key standing between your passwords and the world, including you (to prevent falling victim to a man-in-the-middle attack).

Compare and contrast the August 2022 attacks on Twilio vs Cloudflare.

How would a hardware key work with web sites that don’t apparently support them, like Social Security, Medicare, many major banks, etc.? I’m genuinely curious here–I can see using HW keys with specialized applications requiring very high security, but I don’t see their use with the sort of mass sites I mention above. But if there’s a way, I’d like to know it.

Yes, you are correct; U2F hardware keys can’t be used to log into sites that don’t support them. (That’s why I prefaced the remark you quoted with the word “Ideally,” which you did not include in your quote.)

Nevertheless, U2F may still help prevent unauthorized logins to your account on sites that do not support U2F. (Please note that I said “may”—as in “under some circumstances”—and not “will.”)

Did you read either of the articles that I linked to? Here’s the TL;DR synopsis.

Even if your Enpass password can’t be cracked, the passwords (to websites that do not support U2F) in your vault are still vulnerable to phishing attacks on YOU, the person who knows the Enpass password.

If such an attack involves a MITM, then U2F may thwart the attack and thus help secure your password to a website that does not support U2F.

For details, please see this article that I cited and scroll down to “U2F and Security Keys,” which begins with:

If the human is the biggest vulnerability in a phishing attack, then we should just remove the human in the process.
This is what U2F tries to do. We relieve the human the burden of identifying between fake and real sites. This is going to be taken care of by the YubiKey and the browser working together.

And later on:

The browser checks the certificates of the website, before it asks the security key to generate any codes. It makes sure it doesn’t allow our fake website lastpass.com.es to get codes for lastpass.com. This makes it difficult for a hacker to do a MITM attack. The site not only has to look like the legitimate site, but it also has to have the correct certificates.

And that’s why, in the article I cited, Twilio, which used OTP, was breached in August 2022 but Cloudflare, which used U2F, wasn’t.

If the password to the vault is good and the cryptography is implemented correctly, then the human who knows the vault password is the weak link. All that’s needed is a website login page that looks legitimate and this human will reveal the sought-after website password (even without a wrench :wink:).

In such cases, the risk is not whether the vault is in the cloud; the vault cannot be cracked (without a quantum computer).

The risk is the human being phished.

2 Likes
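The mechanism the post above describes, as an added example that is not part of the thread or of any product it names: a one-time code carries nothing that says which site it was meant for, so a phishing page that relays it in real time gets in, whereas a U2F/WebAuthn assertion is signed over the origin the browser is actually talking to, so the same relay fails. The protocol is simplified: a real security key signs with a per-credential private key and the site verifies with the public key; here an HMAC over the same fields stands in for that signature so the example runs on the standard library alone. All secrets, origins and the clock value are constructed.

```python
"""Added example (not from the thread): why an OTP can be relayed through a
phishing page but a U2F/WebAuthn-style assertion cannot.

Simplification: an HMAC keyed with a per-credential secret stands in for the
ECDSA signature a real security key would produce. The origin-binding check,
which is the point, is unchanged.
"""
import hashlib
import hmac
import json
import struct


# ---- One-time passwords (RFC 6238 style TOTP) ------------------------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard HOTP/TOTP truncation. The code carries no information about
    which website it is about to be typed into."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_login(rp_secret: bytes, submitted_code: str, now: int) -> bool:
    """The relying party only checks the digits, so a phishing site that
    receives the code from the victim can forward it unchanged."""
    return hmac.compare_digest(submitted_code, totp(rp_secret, now))


# ---- U2F / WebAuthn style assertion ----------------------------------------

def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser, not the user, fills in the origin it is really connected
    to, and the key signs over it together with the challenge."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return {"client_data": client_data, "signature": sig}


def fido_login(cred_key: bytes, rp_origin: str, challenge: bytes, assertion: dict) -> bool:
    """The relying party checks the signature AND that the signed origin is
    its own. An assertion signed for a phishing origin fails the second test."""
    expected = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["origin"] == rp_origin and bytes.fromhex(data["challenge"]) == challenge


def simulate(real_origin: str, phish_origin: str) -> dict:
    """Constructed scenario: the victim lands on phish_origin, which relays
    every message to real_origin in real time (a MITM)."""
    otp_secret = b"constructed-shared-totp-secret"
    cred_key = b"constructed-per-site-credential-key"
    now = 1_700_000_000  # fixed clock so the result is deterministic

    # OTP: the victim reads a code off their phone and types it into the phishing page.
    victim_code = totp(otp_secret, now)
    otp_relayed = otp_login(otp_secret, victim_code, now)  # relay succeeds

    # FIDO: the real site issues a challenge, the phisher forwards it, but the
    # victim's browser signs it with the origin it sees: the phishing origin.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    victim_assertion = authenticator_sign(cred_key, challenge, phish_origin)
    fido_relayed = fido_login(cred_key, real_origin, challenge, victim_assertion)

    # Same key and challenge, signed on the genuine site: accepted.
    direct_assertion = authenticator_sign(cred_key, challenge, real_origin)
    fido_direct = fido_login(cred_key, real_origin, challenge, direct_assertion)

    return {"otp_relayed": otp_relayed, "fido_relayed": fido_relayed, "fido_direct": fido_direct}


if __name__ == "__main__":
    print(simulate("https://lastpass.com", "https://lastpass.com.es"))
```

Note that the phisher never needs to break anything: with OTP it only has to be fast, and no amount of user care after the code has been typed helps. With the origin-bound assertion the relay is rejected by the genuine site whatever the victim believed they were looking at, which is what "removing the human from the process" means in the quoted article.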

Has anybody experience with PasswordBoss? How does it compare to those discussed here? I have been using PasswordWallet for years for local storage and KeyShare for passwords I need on multiple devices, but am looking at alternatives to have only a single program.

Robert

Just to mention this, because I don’t think that it really has been in this thread. If you are using only Apple OS devices and don’t use anything like Windows or Linux or Android, and you have iCloud turned on for your account, just need to store passwords and 2FA time-based token keys, I would consider, if you were switching from anything else, and you want something simple and reliable, thinking about just using the built-in password manager in iOS, iPadOS, and macOS Safari (e.g., iCloud Keychain). It uses strong end-to-end encryption, uses either your device password or biometrics to unlock, and is otherwise invisible to apps, Apple, etc., it suggests strong passwords, it’s super-simple to add two-factor TOTP keys from either a QR code or the actual key (e.g., use either the camera or right-click the QR code to add it to the password store). I’m still using and happy with 1Password, but for people who are less technical especially, who don’t want to fiddle with a third-party app and hope it works properly, it’s a really good choice these days.

1 Like

I agree that SMS is insufficient. Mostly due to the possibility of a SIM swap attack, where an attacker convinces your wireless carrier to transfer your phone number to his phone. He then gets your 2FA codes.

But I think OTP systems (like Google Authenticator) are just fine. You just need to be careful about what you click on and pay attention to the information your browser makes available (including the URL and the associated security certificates) so you don’t go providing it (along with your password) to a bogus site.

If you also use a password manager, it won’t provide a password to a fake site. Don’t second-guess it and manually type in anything if this happens and you won’t get far enough for it to ask for an OTP code.

The article you cite points this out as well.

I agree that taking the human out of the equation is a good idea for most people, who can’t or don’t want to go through the effort of being careful. This is most important for IT people, who manage less-capable users and can impose a policy on them.

For an individual, I think someone who understands the issue enough to want U2F for himself is also going to be careful enough to be OK with OTP.

But that’s just my opinion.
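The check behind "it won’t provide a password to a fake site", as an added example that is not from the thread or from any particular password manager: a saved login is bound to the exact origin (scheme, host and port) it was saved on, so a look-alike host such as the lastpass.com.es mentioned earlier gets nothing. The vault contents and URLs are constructed, and the naive matcher is included only to show the shortcut that would break this protection.

```python
"""Added example (not from the thread): exact-origin matching before autofill,
beside the substring shortcut a manager must not take. Vault and URLs are
constructed for the example."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: each saved login is bound to the origin it was saved on.
VAULT = {
    "https://lastpass.com": {"username": "alice", "password": "constructed-pw-1"},
    "https://example-bank.com": {"username": "alice", "password": "constructed-pw-2"},
}


def page_origin(url: str) -> Optional[str]:
    """Scheme + host (+ non-default port), lower-cased, or None when the page
    is not https: a manager should never offer a login over plain http."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if parts.port and parts.port != 443:
        return f"https://{host}:{parts.port}"
    return f"https://{host}"


def saved_login_for(url: str) -> Optional[dict]:
    """Exact-origin match: the login is offered only when the page's origin is
    precisely the one the credential was saved on."""
    origin = page_origin(url)
    return VAULT.get(origin) if origin else None


def naive_match(url: str) -> Optional[dict]:
    """The mistake to avoid: substring matching on the host lets a look-alike
    such as lastpass.com.es claim the real site's login."""
    host = (urlsplit(url).hostname or "").lower()
    for origin, login in VAULT.items():
        if urlsplit(origin).hostname in host:
            return login
    return None


if __name__ == "__main__":
    for u in ("https://lastpass.com/login", "https://lastpass.com.es/login",
              "http://lastpass.com/login", "https://lastpass.com:8443/"):
        print(u, "->", saved_login_for(u) is not None, "| naive:", naive_match(u) is not None)
```

Because the page origin comes from the browser and not from anything the user reads or types, the exact match holds even when the fake page is pixel-perfect; the moment the user overrides it by pasting the password in by hand, that protection is gone, which is the point the post makes about not second-guessing the manager.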

That’s a lot of “ifs” there. How many people do you know who are exclusively Apple users, who don’t have any other computers and don’t use any other web browsers?

2 Likes

For me, these missing features eliminate iCloud Keychain from consideration:

  1. Emergency Access by someone with power of attorney or other designation in case of injury, illness, stroke, etc. (Access by a Legacy Contact “requires a death certificate.”)
  2. Legacy Access for an estate executor. (“A Legacy Contact beneficiary [does not gain] access to … the decedent’s … iCloud Keychain.”)
  3. Securely Sending or Sharing items in Keychain is not supported (as far as I know).
  4. Data Types Other than Passwords are not supported (as far as I know). And not all credit cards can be added to the Wallet app and not all websites support Apple Pay.
  5. Autofill is Restricted to Login Credentials and does include credit cards (as far as I know).

These are the requirements that push me into a paid service.

I’m leaning toward Bitwarden but would accept other suggestions enthusiastically.

Well, me. Plus my wife, both my kids. My two sisters. Really, most of my family. A few people use Windows computers at work, but that’s a whole different thing.

I use Chrome for some things on my Mac (mostly just to access some Google accounts that I use less and less frequently, plus for an organization that I’m chair of the board, and my one professional client that I access maybe one day a month if something goes wrong) but it’s easy to copy and paste a password if I needed to. I also have FF on my Mac, just in case Safari isn’t working right and I want to check with another browser. Same, copy and paste would work fine, probably faster than keeping a physical notebook of written down passwords and looking them up.

Anyway, I’m thinking a lot of people who post here are Apple-only.

Even outside this forum these days fewer people even own computers and just use a phone and maybe a tablet as well. I know quite a few of those people. (Mostly my kids’ age.)

1 Like

After hearing BitWarden mentioned a number of times recently here & elsewhere, I took it for a spin. It does have useful features, it is open source, & peer reviewed. The quick deal-breaker for me was that (practically speaking) it requires you to put all your data in their cloud. As LastPass, 1Pv8 & many others do. You can’t maintain full control of your data as you can with a local data file. Some people (especially security professionals, but what do they know?) have mandates that do not permit their passwords to be stored in a cloud server. Whereas most of the commercial password managers currently available require that.

To be complete - BitWarden does offer an optional self-hosting server which I also looked at. But there is no BW Mac server version, only Linux & Windows, and almost all users will not have the skill set to install & maintain it. That’s why I say that practically speaking, the BW self-hosting option is off the table for almost everybody.

Enpass does let you maintain control over your passwords by saving your data in a local file. Enpass also supports many popular cloud services, folder sync, or local wifi sync. Your choice. Your passwords are never stored in an Enpass cloud. “Self-hosting” Enpass is trivial, just save the file to your local hard drive.

I’m trialing Enpass now and it has a full feature set. Many of the features that 1Password offers, except you can keep full control of your data if you want to. That’s a big one for me. I’m surprised that I haven’t seen Enpass mentioned more or more often reviewed against BitWarden & 1Password, actually I only heard of Enpass last week for the first time. I welcome other input pro or con, especially as I work toward making my selection of next password manager.

As a career IT professional managing thousands of passwords & data bits, I can’t afford for my password manager to be breached and I also need a strong useful feature set.

2 Likes

Actually that would be me. I have several Macs, an iPhone, iPad and Apple Watch. I have Firefox on my M1 MBP but honestly can’t remember ever using it.

Having said that, I use 1PW v7 but would prefer to not need it.

1 Like

For what it’s worth, me too. I use two Macs (MacBook Pro and iMac Pro), an iPhone and an iPad Pro. My wife uses only an iPhone. I rarely use any browser other than Safari. (Of course I don’t rely solely on keychain – I use 1Password 8, and am happy with it.) I am retired so I don’t have a separate work computer.

I actually know quite a number of people who use only Apple devices.

Type “Enpass” in the search window and at least a dozen threads discussing the app will pop up.

1 Like

Perhaps this year-old comparison of StrongBox, Bitwarden, and Enpass would interest you.

https://www.reddit.com/r/selfhosted/comments/t4lsx2/why_i_chose_strongbox_as_my_new_password_manager/

As I understand, Enpass has published only one security assessment by an independent party and it was of versions 5 and 6 for Android and Windows in 2018. As an IT professional, are you concerned with this level of transparency, especially given the errors disclosed in the report?

2 Likes