Best Password Managers on Android/PC

47Moritz

Hi everyone, due to the recent security breaches with LastPass I want to change to a different service, so I was wondering if anyone can recommend me anything.

I'd like to use biometric authentication for all devices (Windows laptop and two Android devices).

Paid options are fine for me.

Has anyone got some experience with 1Password? 

Thank you in advance! 

Link to comment

I personally use a KeePass database stored on OneDrive. That way I have access to it from anywhere but I'm not trusting a 3rd party with securing the password or data. If OneDrive gets compromised, they'll only have an encrypted database.

 

There's loads of clients available for Android and Windows. I use biometrics on my Android client. Not sure about Windows, but I imagine at least some work with Windows Hello.

Link to comment

9 minutes ago, Oshino Shinobu said:

I personally use a KeePass database stored on OneDrive. That way I have access to it from anywhere but I'm not trusting a 3rd party with securing the password or data. If OneDrive gets compromised, they'll only have an encrypted database.

 

There's loads of clients available for Android and Windows. I use biometrics on my Android client. Not sure about Windows, but I imagine at least some work with Windows Hello.

Are you using KeePass or the community edition? I have KeePassXC on OneDrive as well. I never understood the difference between the XC and non-XC variants so it is probably safe either way. I like that I don't have to pay for the cloud sync as I already have that OneDrive 🙂

Link to comment

a physical notebook that you don't show to anyone


Link to comment

1 hour ago, thekingofmonks said:

a physical notebook that you don't show to anyone

It is an effective low-cost method for many cases. However, it's not something you can access on the go unless you remembered to bring it along, it doesn't support 2FA (like TOTP) and regular backups are somewhat difficult.

 

If you are comfortable hosting your own server, you can self-host (e.g. Vaultwarden), but you want a solid backup strategy and you want a good understanding of how to secure your server. Otherwise you're going to be the next LastPass.

 

Then there are other services like Bitwarden, but they all share the same risk: The more customers they have, the more lucrative a target they become.

Link to comment

1 hour ago, Jinchu said:

Are you using KeePass or the community edition? I have KeePassXC on OneDrive as well. I never understood the difference between the XC and non-XC variants so it is probably safe either way. I like that I don't have to pay for the cloud sync as I already have that OneDrive 🙂

I use KeePassXC on Windows and Keepass2Android on Android.

 

I've had no issues with it on OneDrive so yeah, it's nice to have a free, essentially hosted service.

Link to comment

  • 1 month later...

I use 1Password app.

What is your favorite password manager? provider please post it here

Link to comment

On 1/22/2023 at 10:05 PM, Oshino Shinobu said:

I use KeePassXC on Windows and Keepass2Android on Android.

 

I've had no issues with it on OneDrive so yeah, it's nice to have a free, essentially hosted service.

I've used KeePass but I found the setup and running it to be quite finicky, how does it work on Android and Windows?

Does it work the same as say Bitwarden or Microsoft Authenticator?

Currently using MSA and I like the tie-in with Windows, I'm quite fond of it and I like the convenience

not so fond of Microsoft having my passwords but hey, it works...for now.

 

might have to switch tho sometime...just in case.


Link to comment

1 hour ago, Hassan170 said:

I've used KeePass but I found the setup and running it to be quite finicky, how does it work on Android and Windows?

Does it work the same as say Bitwarden or Microsoft Authenticator?

Currently using MSA and I like the tie-in with Windows, I'm quite fond of it and I like the convenience

not so fond of Microsoft having my passwords but hey, it works...for now.

 

might have to switch tho sometime...just in case.

Works flawlessly for me, I just keep the kdbx database in my OneDrive and then point my KeePass applications at it.

 

I've never used Bitwarden and only ever used Microsoft Authenticator for MFA tokens, didn't even know it had a password manager.

Link to comment

I use RoboForm, it's pretty good, supports all platforms and all

Link to comment

Bitwarden + YubiKey/software token generator

Link to comment

+1 vote for KeePass (any implementation). Never store your passwords on other people's computers unless you can encrypt them on your own computer before uploading.

Write in C.

Link to comment

On 1/22/2023 at 5:55 AM, Oshino Shinobu said:

I personally use a KeePass database stored on OneDrive. That way I have access to it from anywhere but I'm not trusting a 3rd party with securing the password or data. If OneDrive gets compromised, they'll only have an encrypted database.

Except that's exactly what happened with the LastPass breach. So you're just doing more work for the same level of security. 

Link to comment

9 minutes ago, dilpickle said:

Except that's exactly what happened with the LastPass breach. So you're just doing more work for the same level of security. 

It's really not. With LastPass they got access to LastPass's S3 Buckets and then targeted a DevOps engineer's personal computer in order to obtain decryption keys for the previously obtained buckets.

 

They installed a keylogger on the engineer's computer and captured the master password as it was entered. Without the second, very targeted attack, they would have just had encrypted S3 buckets with no way to access them, which is what would happen if the KeePass database got stolen in a OneDrive compromise.

Link to comment

3 hours ago, dilpickle said:

Except that's exactly what happened with the LastPass breach.

 

LastPass is not end-to-end encrypted. KeePass is.

Link to comment

5 hours ago, Oshino Shinobu said:

It's really not. With LastPass they got access to LastPass's S3 Buckets and then targeted a DevOps engineer's personal computer in order to obtain decryption keys for the previously obtained buckets.

 

They installed a keylogger on the engineer's computer and captured the master password as it was entered. Without the second, very targeted attack, they would have just had encrypted S3 buckets with no way to access them, which is what would happen if the KeePass database got stolen in a OneDrive compromise.

The password vaults were encrypted. The only thing the hacker can do is brute force them. There is no master decryption key.

 

This is no different than the scenario you describe if your OneDrive is compromised.

Link to comment

5 hours ago, dilpickle said:

The password vaults were encrypted. The only thing the hacker can do is brute force them. There is no master decryption key.

 

This is no different than the scenario you describe if your OneDrive is compromised.

My bad on this one, misread/misunderstood the details. The vaults themselves are indeed still encrypted and could be attempted to be brute forced, but unlikely with AES 256.

Link to comment

20 hours ago, dilpickle said:

Yes it is..

 

They tell you so. Given the several data breaches, I wouldn't trust them.

Link to comment

12 minutes ago, Dat Guy said:

 

They tell you so. Given the several data breaches, I wouldn't trust them.

Ok now you change your story?

 

End to end encryption does not prevent breaches. The breach in fact proved that they do have E2EE.

 

Btw KeePass by definition doesn't have E2EE since there is only one "end" involved. The vault is on your local system. 

 

Link to comment

12 minutes ago, dilpickle said:

Btw KeePass by definition doesn't have E2EE since there is only one "end" involved.

 

Yes and no. You "end-encrypt" your KeePass database automatically. The other end might be a web browser or a second computer.
