97 comments

[ 2.2 ms ] story [ 157 ms ] thread
Looks nice but only has a Chrome extension at the moment. Also the browser extension requires the desktop app be installed.
It has a Safari extension too. The blog article says it doesn't, but it's available via the install process.

The Apple Keychain import needs some work though - it didn't pick up the vast majority of the logins I have stored in there.

If any of the Remembear developers read this, I'd love to put in a request for a Linux client!
Seems to be yet another proprietary walled garden. No thanks.
Can you recommend any reputable open source password managers?
KeePassX?
Why is this downvoted? is there something wrong with KeePassX?
It hasn't been receiving improvements or maintenance for almost two years, and as a result, it has been forked and is actively developed by a different team under the name of KeePassXC. So nothing inherently wrong with KeePassX but you need to be aware that it is almost abandoned at this point and that there is a better alternative
KeePassX is not actively maintained, as already mentioned but the original KeePass project (https://keepass.info/) that KeePassX was based off and the new cross-platform fork KeePassXC (https://keepassxc.org/) are both active and highly recommended.
I don't know whether [LessPass](https://lesspass.com/) is reputable, but it's notable for its approach.

It's primarily a password generator, rather than a password manager. It reproducibly generates difficult-to-guess passwords, using as input: the site's URL, your username and a master password. You save, sync and retrieve your passwords using your browser's built-in password manager.

I never previously used a password manager because I wanted to ensure I would always have access to my passwords. I started using LessPass because:

* When I need to log in on a non-synced device (such as someone else's computer), I can read the site's password from Firefox on my phone and transcribe it. * If I lose all of my devices, I can still retrieve my existing passwords, because the password generation algorithm uses only my master password as salt.

bitwarden is good and open source.
It is from tunnelbear. If you are releasing it for free, why isn't the code public?
Ooh, what a great example of a brand extension.

When I saw "new password manager" in the headline, my first thought was "those guys are fucked". What people want with a password manager is trust and stability, two things not associated with startups. But these folks have millions of users, strong app store ratings, and solid reviews. Going from "trust us with your data and privacy" to "trust us with your passwords" is not a big step.

I'd give my current password manager, LastPass, a C- on usability, so I'll be keeping an eye on this. I'd love to have something better to recommend to novices, and might even switch myself.

What differentiates RememBear from other password managers? After looking through the blog and website it's not immediately clear to me. What makes (or will make) RememBear better than, say, 1password, which appears to have the same features, is also easy to use, and has a long history with which to work out issues?
I disagree that 1Password is easy to use. It’s easy enough for me to use, but trying to get my parents through the setup and UI has not been an easy task. It could be far more simple and straightforward.
I would like to see a version of 1Password that 1) did only passwords - no fishing licenses and secure notes, which adds UX complexity 2) did not distinguish between passwords and logins, which causes endless confusion for my users 3) knew and managed the text requirements for the top 1000 websites so the app could generate legitimate passwords and not ask users to manage password complexity
Ohh I like the idea of knowing the password requirements for the top 1000 websites!
Would it be wrong to wish this could (or should?) be standardized? That is, for example, one upper case letter, same special characters, etc. The lack of a standard seems to hurts users more than hackers. The hackers know it and adjust. User just get confused and default to overly simplistic and common PWs.
There should be a "robot.txt" for passwords. ie: /password.txt

This file could define the accepted password format. Password managers could retrieve that file and know exactly how to generate a password.

no. if you're going to go through the trouble to do that, just fix your bullshit broken fucking password requirements.
The password - as currently implemented - is a fax machine (read: dated technology). Anyone reasonable sees it's far from ideal. Yet there seems to be little _significant_ innovation on solving this problem with something better.

I can order a pizza via Twitter, but I'm still using passwords?

NIST recently updated their standard guidance to no specific characteristics requirements, just long and unique. But no doubt it will take a while to trickle down to many websites that they don’t need this craziness any more.
Many such efforts exist, but getting universal consensus let alone adoption isn't easy.
What if there were a protocol for password management, such that you never had to use a signup form again? Kind of like OAuth, but for a password generator/manager. It would support password changing (with an e-mail confirmation), so that it would be extremely easy for people to convert from manually managed passwords to automatically managed.
Stupid awful password requirements are terrible (an upper case character, lowercase, number, symbol, also no spaces or colons or commas or semicolons or quotes) but the variance does serve to force people to not use the same password for every site.
Such a protocol would be a great place to encode the user-facing aspects of NIST's recommendations.
This would be quite hard to maintain.

Instead they could create a "password complexity requirement specification" to allow sites to embed a universally machine readable description of their requirements, which all password managers and users could benefit from. I don't know if any such effort exists already.

Quite. I have stopped recommending 1Password to non technical family and friends. Not one of them ever managed to figure it out for themselves, so I had to run through it with them on their PCs, Macs, iPads and phones. Then they forgot how to use it, and none of them continued with it. Then I had to remind them to cancel their subscriptions —- most would have continued for life paying but not using.

Many ordinary people have no idea whatsoever of the relationships between clients and servers, and less still of that between different clients (what is a web app? Is gmail my search engine?). Throw in an interposing piece of software that not only manages but duplicates login credentials for these various mysterious entities, and they are completely and utterly despondent, hopeless and lost.

1password could be improved to be sure, but looking at RememBear didn't give me the impression they are competing on ease-of-use as compared to 1password. The UI is pretty similar.
I feel the company's modus operandi is to have easy and cute UX to simplify using security tools.

Their VPN software is apparently very easy to use (from reddit comments). The same will probably apply to the password manager. They also seem to have a good marketing and PR team since I see them around quite a bit in youtube videos (Linus' being the most prominent one) and ads thinly veiled as articles. These two points alone have the ability to make the difficult mainstream user market to use it.

If all your security tools had similar UX and only a single login (what we see as single point of failure is usually seen as convenience), then you'll get many people to use it.

I use TunnelBear, and I can say it works beautifully. It really is just turn on, turn off.
But it does not work very well. Often it does not connect at all, is very slow, and it blocks many things like TeamSpeak and torrents, for example.
That's probably true...

I use it for very basic things, so I guess I wouldn't know.

I use 1Password, and the only incentive which make me switch is completely open source good quality UX solution.
Raise your hand if you want to spend your free time writing that
No, but I am sure that there're people who do.
So.. KeePassXC?
Browser integration is poor at best. I've given it multiple goes and walked away disappointed every time.
I'm working on that (https://passit.io) and I'm curious what your opinion of good UX is. Many here mention vulnerabilities from web extension autofill (domain matching issues, etc). Do you have any opinion between:

A) No autofill. Copy and paste (but good simple shortcuts). Least attack vectors, but least convenient.

B) Autofill but only when user prompts (with shortcut). This avoids having to inject js into web pages. The web extension needs less overall permissions this way. It avoids certain attack vectors. Features would be less discoverable - you have to know to hit the shortcuts or click a browser icon.

C) Prompts to Autofill in the page. This is the most common technique, lastpass does it. Vulnerable against domain matching misparsing. It's a big attack vector but there are plenty of common password manager vulnerabilities that can be studied and mitigated against.

Or something else? Also what issues do you have with current open source password managers?

Personally, I prefer no autofill. I always turn it off.
Autofill with shortcuts would be my vote.
From the Cure53 report: the version tested had a terrible vulnerability (unfortunately somewhat common to password managers): it tries to match passwords to subdomains, and in doing so misparses domains, allowing it to be tricked into giving passwords to bogus almost-look-alike domains. Yikes.

Meanwhile: they've got a crypto protocol tunneled over TLS "to avoid heartbleed" and some other convoluted stuff the auditors complain about. You really want to see a password manager get the basics right.

Notice also that the end of the Cure53 report complains about the project scope and the amount of time given. This is pretty unusual for Cure53, who have a reputation for being a bit effusive about the products they're paid to review. I'm not sure I've ever seen them throw shade before.

The trouble I had with 1password is that it's secure in stupid ways.

Every time I log on a new device in there's SIX factor authentication and that's just too much work to get into my fap sites on my wankbook.

They also had 3 'Critical' vulnerabilities reported by Cure53 in their extension VPN offering last year.

https://cure53.de/summary-report_tunnelbear.pdf

To be fair though, as per the report all of these "Critical" vulnerabilities were fixed by mid-2017. So they're listening, at least.
(comment deleted)
And I bet the critical sub-domain vulnerability was fixed too.

The problem is that they are going to keep adding code, but won't get a security audit with every update. So all it takes is a slight mistake for it to be vulnerable again. What you need is a strong in-house pentesting team to be sure about there not being any new vulnerabilities with each release. Or atleast a bug bounty starting with beta releases, and let them bake before releasing them publicly.

The fact that such serious vulnerabilities come up at the time of an audit shows that they don't have one.

That report: https://cure53.de/pentest-report_remembear.pdf

> It can be observed that since the algorithm is removing up to two top level domains, it actually treats victim.co.uk, victim.com, victim.de and even test.victim.co.at as if they were identical

> it has been noticeable that the development process of the RememBear suite was affected by tight deadlines. Evidencing this was the fact that builds were generally provided only one or two days before actual testing started, leaving little room for in-depth reconnaissance

TunnelBear's pull-quote @ https://www.remembear.com/blog/remembear-security-audit/:

> we’re proud to share that no critical security issues were discovered

I'd consider putting credentials on an incorrect domain a showstopper for a password manager, but whatever.

It's got to at least be in the top 3 problem-domain-specific vulnerabilities you can have in a password manager, that's at least for sure.
What password manager do you recommend?
I feel OK talking about the audit report, the basics of security for password managers, and the dynamics of using an audit report to market a product, and I feel OK talking about what my preferred password manager is, but it occurred to me I wasn't psyched about doing both on the same thread.

It's not hard to figure out, but it's not a conversation I want to have on this thread. Thanks in advance!

Get over yourself
I don't understand this response. Why would it be improper to discuss alternative products?

I don't know you, so I guess you have a vested interest? Is that it?

Bitwarden is open-source and has been working well for me as a LastPass replacement so far.
A few quotes from it:

> As far as the actual five security vulnerabilities discovered during testing are concerned, one important point to make is that not a single problem was deemed to be of a “Critical” severity or security implications. For the two issues ranked as “High”, the first problem had to do with a design flaw around the autofill functionality and incorrect handling of top level domains

> They are grounded in the deployment of libsodium, which is a state-of-the- art cryptographic library. While various notes and suggestions were collected during the cryptographic analysis, no severe implementation-related vulnerability was spotted. In other words, it is believed that a real-world attacker would remain powerless in face of the employed defense mechanisms

> All in all, the RememBear is a robust and promising project.

> This is pretty unusual for Cure53, who have a reputation for being a bit effusive about the products they're paid to review. I'm not sure I've ever seen them throw shade before.

Yes, and it's getting really old. I'm tired of seeing security consulting firms wax poetic about how good the client's security is in their reports, then bend over backwards to frame obviously serious findings in the best possible light. That's not their job, their job is to report security vulnerabilities objectively, with sufficient coherence, context and reproduction steps so as to make the problem evident and motivate a solution.

Naturally, as soon as Cure53 decided to politely categorize what are clearly critical vulnerabilities as high severity, Remembear took to Twitter to crow about how much of a success the security audit was - "No critical findings!" I have serious reservations about the incentives at play between companies and the consultants paid to (security) review their products, especially when the report is publicized.

In my opinion, companies should not be using security consulting firms as a component in a press release. It encourages a mischaracterization of the state of the company's security and the severity of findings, and it puts a pressure on other security consulting firms to "play ball" and gush about their clients' products in publicized reports.

This person gets it. At least NCC doesn't pretend to say something is secure or not. People are getting used to Cure53 reports like they're normal.
NCC writes public-facing reports. They're antiseptic, and rarely make overt endorsements, but it's the whole practice of public-facing reports that needs to end, not just one particularly theatrical subset of them.
> ...with Safari and Firefox coming very soon.

I’m holding my breath...

Props for using 'effusive' and 'throw shade' in contiguous sentences.
It isn't open source, it doesn't support Linux, it doesn't have new features compared to KeepassX, why the hell I've to use it instead of other alternatives and why the hell they put lot of efforts developing it?
Tunnelbear's user agreement makes me uneasy.
It might be a good alternative to Enpass. They use Rust and libsodium, which is a good sign.

But browser integration is the trickiest part in a modern password manager, yet what makes a password manager actually usable for most people.

So, give it some time before using the browsers (currently only Chrome) extension. Virtually all other password managers had security issues here.

Making these extensions smart (able to guess where login and password fields are, when passwords are being updated, etc) is also far from trivial. It's actually way more complex than password storage.

Gonna stick with Enpass for now, but that's definitely a project to watch.

> So, give it some time before using the browsers (currently only Chrome) extension. Virtually all other password managers had security issues here.

Do you have a source for that? We are currently using teampasswordmanager.com and I was wondering if there are any known security issues I have not heard about.

Altgough the author refused to provide the sourcee, I had a look at the Chrome Extension anyway, but any additional info would be great.

I don't get it at all. How on earth i will give someone (encrypted or not) my passwords? If you want to give convenience, make it local and secure with easy interface and charge money for your work. I will buy instantly well designed and secured product. This no.
Great name! So much more evocative than "Remembr".

Let's hope they succeed, and inspire other companies to append a penultimate "a" after the penultimate "e", instead of just removing the penultimate "e".

I'm glad that that fad is... mostly(?) over.
Highlights for me:

- Written in Rust. Cool.

- Cool marketing.

- Cool name.

- Online only. Not gonna trust my passwords with anyone, sorry (even encrypted).

- Good (upcoming) crossplatform support.

Looks like they are competing with LastPass and not the 1Password (Desktop) and Keepasses of the world.

>Where does RememBear store my passwords and how are they protected?

>RememBear encrypts your passwords using both your Master Password and a unique device key generated by the application. It stores your passwords in an encrypted file on your device and on our secure servers for sync and backup purposes. However, RememBear will only encrypt and decrypt the items on your physical device. This means that your passwords and other items are always encrypted during syncing and remain encrypted when in storage on our secure servers. You and ONLY you are ever able to access your items as long as you keep your master password private.

Proprietary sync, no thanks.

I'm currently using LastPass and their macOS app seriously annoys me (why do I have to click an OK button every time I save a new password?).

They seem to get their UI right at least. Plus, bears are cute.

Edit: No support for folders/categories it seems. That sucks a bit.

Is there a reason you don't use the browser extension?
Bears are very cute. Can't go wrong with that!

Jokes aside, this would be interesting to compare to 1Password once it matures a little. So far it looks very similar.

"Subscription pricing"... if anyone is looking for an actual good business model, is for the upcoming "1password refugees"... and all we want is the same stuff, but not subscription based.
check out https://pwdsafe.com It's not as convenient as many other options, but somewhat pure, fast and does all the basics well without sacrificing security for convenience.
It would be great if they can clearly tell how they differentiate from 1Password.