56 comments

[ 3.8 ms ] story [ 108 ms ] thread
What password managers do HN readers recommend?
I use pass with git for synchronization. It's simple, and portable (passwords are gpg-encrypted plain text files)
Can't recommend Pass enough. It is great. Also you can use it with a smartcard.
I'd recommend Keepass.
Thoughts on LastPass? Good? Bad? Cromulent?
Don't know if Last pass is good since I've never used it. I know its closed source and it has had numerous security exploits with it, though they seem to get fixed in a timely manner. That's just the negatives though it may be a good password manager for all I know about it. https://en.wikipedia.org/wiki/LastPass#Security_issues
The biggest benefit I see to KeePass over LastPass is sync/cloud choice. LastPass I file in the category of password managers [1] that are more new-user-friendly than KeePass because they directly handle cross-device sync on their own cloud offerings.

However, I like the flexibility to use any "file sync" tool I want to pass KeePass files around between my devices (or none at all, depending on the threat model of individual password files). That opens up flexibility to use things like Keybase File Share and Resilio Sync Encrypted Shares where you have additional options in in-transfer and at-rest encryption of your files.

[1] In that category some security-minded friends that I trust have done their own research on the subject recommend Dashlane over LastPass.

Windows and Android KeePass apps interoperate well over Dropbox.
There have been security issues with LastPass. When Firefox switched to webextensions and broke lastpass, I switched to bitwarden, on the recommendation of other HN users
These days I just go to Wirecutter with any such questions: https://thewirecutter.com/reviews/best-password-managers/
It seems they only considered fancy-UI lots-of-features browser-integrated commercial password managers. I would never use any of those.

For a graphical password manager, consider instead PasswordSafe, KeePass, KeePassXC. They're not complicated. Don't look for or enable any integrations. Manually copy your encrypted password database to google drive or dropbox. It's simple and secure.

Anything more automated and "easy" is almost always found to be vulnerable. LastPass and OnePass have both had problems with their fancy online accounts and recovery systems and browser integrations. Just don't bother with all that crap, you don't need it.

I use KeePass and KeePass Touch because I'm not paying some service to store my password for me.
I use pass(1) personally. It's just a shell wrapper for vim and gpg.

But I'd recommend keepass if you want something graphical.

Pass has QTPass, if you want to use it with a GUI!
Enpass, it's well integrated into browser and doesn't force to trust some random cloud
I use 1Password but AgileBits's push to cloud services is troubling — will definitely move to something else if they remove local vaults.
You want KeePassXC https://keepassxc.org/
What is the benefit of KeePassXC over KeePass[X]?

I just tried it and the lack of plugin or sync support was a deal-breaker for me. I have plugins for syncing to cloud storage, for browser integration, for OTP generation, etc., none of which it seems to support?

KeepassXC is the active fork of KeepassX. KeepassX/C are cross-platform Qt apps that use the same vault format as Keepass, a Windows app that apparently will run under Mono as well.
Do you know what he thinks of 1Password? e.g. I've seen this comment [1] on 1Password, but do you know what his actual thoughts are? He's not fond of it, but does he have anything concrete to say about it as to why? I have friends using 1Password and I would like to be able to tell them and give them concrete reasons to switch to KeePass if there are security issues with it.

[1] https://twitter.com/taviso/status/760231214812844032

There aren't security issues with 1Password really, but there are other issues, mostly around the company AgileBits. From my other comment on this thread:

These days AgileBits(the 1password people) are doing everything they can to get everyone onto a subscription plan, and are breaking local vaults slowly. Most people don't seem to recommend it anymore.

The only security issue really is the online vault(which isn't a security issue per-say, but is a security weakness since your passwords are no longer under your direct control). This may or may not be an issue for you, depending on your security posture.

Thanks! So would you know what he meant with that tweet? Was he just annoyed at the subscription plan...? It seems out of place given that he's a security researcher from what I gather?
No, and that tweet was from Aug. 2016 with nothing further from him about 1password, unless I missed it, so clearly he didn't feel compelled to either continue his research or he didn't find anything worth disclosing. Your guess as to which is meant.

But other researchers have played with 1password and most have historically had good things to say about it, except recently when they started pushing everyone to the online vaults like I mentioned.

And yes, he is a security researcher for Google.

Anecdotally, I haven’t had any problems with my local vaults (yet), though I rarely use 1Password on Windows.
I just type a long string of random crap into the password field on sign-up and recover it with my 2-factor protected gmail account every time i actually need to log-in. In practise for the services I use this is almost never.

This technique might not work so well for people who actually have to share devices, log out of things, etc.

So wait... you don't remember any of your passwords or write them down and hope you can recover them whenever you need them?
KeePass + VeraCrypt container, never failed me. Before that I used TrueCrypt but it is no longer trustable.
What's the VeraCrypt container for? Isn't the DB already encrypted?
Yes but because I sync KeePass over Dropbox I want to hide the true content of my data and + it adds another security layer to break before getting to my Password vault.
> Before that I used TrueCrypt but it is no longer trustable.

Really? Why?

Well unless you are talking about TrueCrypt "next" - https://truecrypt.ch/ then yeah I guess this one is safe but I was talking about the original version from - http://truecrypt.sourceforge.net/

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Oh, I did mean the original version. I was just asking because as far as I know, nobody has found any serious flaw in it. The developers have only stated that it may contain unfixed security issues because they are no longer supporting it. Consider that if any security issue was fixed in any of TrueCrypt's forks, then people would be saying TC is known to be insecure, and as far as I know this is not the case. So if you expect there to be any vulnerabilities in TC, you should also expect the same to be true for VC or TC.next, etc.
(Pasting an old comment as reply, hope it's helpful!)

If you're just starting, here's some guidance on setting up a password manager.

First of all: Don't be afraid of using one. It's not just more secure, it's super convenient. Never again will you ask yourself: Did I make an account for this website/service? What email did I use? Never again will you have to remember a password. Using a password manager is a quality of life improvement.

KeepassXC is what I recommend to people at this point. It's free and you own your data (your passwords). They live wherever you want them to live. There are plenty of online services that are supposedly more convenient but I have to say I trust them less -- YMMV (1Password is the best I'm aware of).

https://keepassxc.org

If you do use keepassxc, you get the added benefit of being able to store 2FA settings in it as well (if you store them in the same database as your passwords, be aware that you lose the security benefit of a second factor, however it is still more secure than not having 2FA enabled due to the One-time password component).

Put every account you ever made and ever make into keepass. Enable 2fa wherever you don't have it enabled. Add login URLs and notes. Generate your passwords from keepass itself; the password generator is really powerful and lets you very easily deal with site-specific shitty password limitations. I'm telling you this because, seriously, it's incredibly convenient to have this stuff as long as you're rigorous about maintaining it.

Oh, also, keepass has the full history of all your passwords. Need to look up an old password? Go into details and look at "History". You can also attach files to items (items don't have to be accounts at all, you can use keepassxc as a simple encrypted storage db).

Mobile support: Keepass2Android. Best android client, with google drive support. iOS I have no idea, suggestions welcome.

IMPORTANT: BE STUPIDLY PARANOID AND RIGOROUSLY CAREFUL ABOUT YOUR MASTER PASSWORD. That thing, together with your keepass database, unlocks all your accounts ever. Use a really long passphrase that you will never have to write down (if you do decide to write it down because you don't trust yourself, store it in a safety deposit box, don't put it in a bloody drawer). Make sure the device you unlock the database on is malware-free.

PS: Wondering what's up with Keepass vs. KeepassX vs. KeepassXC? Keepass is the original app, written in .NET but with poor multi-platform support. KeepassX is a rewrite in Qt and is a fantastic password manager, but has gone unmaintained recently. The open source community picked up the slack in the KeepassXC fork (after continuing countless attempts to upstream the patches) and has implemented lots of powerful features. I've switched to it and at this point I strongly believe it's the better client.

1password used to be the best paid solution out there, and Keepass(in various versions) the best free/OSS version.

These days AgileBits(the 1password people) are doing everything they can to get everyone onto a subscription plan, and are breaking local vaults slowly. Most people don't seem to recommend it anymore.

Now you have other options:

* KeepassXC (the latest seemingly well-recommended keepass variant - but there are a bunch of them)

* Bitwarden (it's OSS and can support author(s) with payment. Can run on your own server/machine while still supporting cross device sync)

* Pass (and the go variant, and the Qt variant) uses GPG under the hood, basically just a directory/git repo full of encrypted text files. Sync across devices is your problem.

I'm seriously evaluating Bitwarden to replace 1Password as it's pretty simple to understand and has a similar strategy as 1Password security wise, but is OSS.

Guess it's good I remove it in my deployments. Microsoft seems to be throwing good sense out the window in Windows 10. A number of items I remove get reinstalled during updates. Options I turn off get turned on as well.

They're obviously playing on the majority of users' ignorance. This is despicable.

I've personally heard of two separate companies looking to transition away from Windows to Linux desktops for employees (one of whom I spoke with personally).

I think this might be an indicator of a larger trend that's at its tipping point.

This is exactly the reason I will never use Windows again.
The last big Windows 10 update I did the other day completely reset me installation to stock. Wiped all my drivers including GPU, all my settings, reinstalled everything I'd tweaked over the months/years, the works.

I've been meaning to ditch Windows (again) for a while and this is the final straw.

> completely reset me installation to stock

I'm picturing a very upset buccaneer.

yep, the day Candy Crush reinstalled itself and re-appeared in my start menu after I explicitly removed it was the day I removed Windows on every single one of my machines, and it's never, ever coming back

MS have always been known for producing poor quality software, but they'd never been actively untrustworthy and hostile to the end-user... that completely changed with Windows 10

2.5 years later and I don't feel as if I've lost anything, I guess it was the push I finally needed to dump Windows forever

> MS have always been known for producing poor quality software,

The core thing imho is: the software quality has gone up

- security - just remember Win9x which didn't even have security as a concept and exploit-ridden WinXP

- native Linux subsystem, ssh server

- decent shell if you care enough to learn Powershell

- a well set up AD/Exchange is blowing away all FOSS comparables due to the insane level of integration - it all feels like it's cut out of the same block, from an admin POV

What has gone downhill is the lengths of where MS decided to go to earn money. The market for selling an OS just isn't as huge as before - Apple provides OS upgrades for free since 2013, Linux was free the whole time and Googles Chromebooks don't need any major OS as they're essentially Chrome-in-a-box - and selling Office also went downhill since the competition in form of Google Docs and Libre/OpenOffice became actually usable even for corp and government environments. In addition, revenue from Bing fell through the roof because Googles dominance keeps growing and growing.

The direct consequence is that MS must keep earning money somehow: corps and governments will continue to be the biggest buyers (but the numbers are set to fall, given the rise of Apple but also the trend towards Linux in governments), but ordinary people? MS has to compete with Apple and Google's "free", and so has to subsidize with ads and boatloads of tracking.

Anyway I've gone off the rails a bit - what MS, or rather, power users, desperately need is Win 10 LTSB actually available for sale and not just for embedded stuff. Plain good old Windows Classic UI, no ads, no "magically appearing" "features"... aka Windows 7, only with optional features like the Linux subsystem.

> The core thing imho is: the software quality has gone up

did we read the same article?

there is no security as it's not your machine, it is under Microsoft's control and now they've been caught installing unwanted crapware with 16 month old vulnerabilities

(not to mention the OS is infested with undisablable adware, spyware and other unwanted uninstallable applications)

lip service to developers (bundled openssh et al.) doesn't hide that the core of the company is now demonstrably rotten

Yes. This however is an exception when it comes to security issues, I don't really like to think back to the WinXP days when people caught viruses left-and-right. It does happen, of course, but IMHO on a way, way smaller intensity.

> (not to mention the OS is infested with undisablable adware, spyware and other unwanted uninstallable applications)

This is why I advocate for something like W10 LTSB - free of the experiments, but paid. If I had the option to switch to paid and only get security updates but no "features", I'd do so in an instant. I don't want to be forced to trade privacy for being able to use the OS.

> the OS is infested with undisablable adware, spyware and other unwanted [non-?]uninstallable applications

Can you please provide at least a few citations? I've run ShutUp10 after the installs and upgrades and I don't recall seeing much of anything of what you report.

I love how everyone tells you "Windows 10 is just fine" every day EXCEPT when a new, huge, leak or mistake comes out. Then they go silent for a day.

... then they go back to telling you "I've never had a problem with it."

I use Windows 10. I support it professionally. The underlying system is good. And then someone at Microsoft decided to completely fill all of those kernel upgrades, with a gigantic pile of spyware, adware, and useless crap. (4 GB+ of Windows Store videogames?!)

One of my laptops is a "windows 10 ready" work laptop with a 5400 RPM hard drive. Between defender, indexing, telemetry, and app compatibility scans, it takes over 60 seconds to get to desktop. If you load the task manager, the disk usage is 100% for hours. And any time Windows decides to install or compile something (without warning or even a notification, like rebuilding .NET) the entire computer becomes a useless brick. I used to be able to make the machine functional by turning off unnecessary, bloated services like Defender and Telemetry. Except every Windows Creators update they not only reset my settings, its disable Classic Shell, UNINSTALLS Core Temp and a WindowsGadgets re-enabling tool because they're "not compatible" (even though they work fine), and... they change the menus so that it's harder to find the button to disable Defender, and they make it harder (if not impossible) through Group Policy changes to disable those very same, taxing, services.

Try this: Install Windows 10, upgraded from 7/8/old-10. See Windows.old on your C:\? That's your old windows copy. Try to delete it. After all, it's useless right?--and takes over 20GB. Nope. Sorry. You don't have permission to delete it. That's right. Your own hard drive you don't have permission to touch. And, laughably, Windows will tell me "You're running out of HDD space, want to delete the old folder?", I say "Yes." Then nothing happens and the message appears again.

I tried taking "ownership", used admin account, I tried changing permissions. Nothing. A professional windows IT support employee should not have to look up countless articles TO DELETE A FREAKING DIRECTORY. Even after I took "complete" ownership of all that, many files still didn't set, and I couldn't delete the whole thing.

I'm half tempted to boot into a Linux Live USB and delete it by force. But then I realize, "I'm going to download an ISO for another OS, burn it to a USB, then shut down my machine and reboot it... JUST TO DELETE A FOLDER?!"

Oh, and this is Enterprise edition. So I'm running the edition that everyone says "if you care about tuning Windows, you should have already bought Enterprise." Thanks for that lie.

> If you load the task manager, the disk usage is 100% for hours.

Load the performance monitor (button on the Performance tab in task manager), go to Disk and see what process is doing it. You may have something like full disk indexing going.

Regarding Windows.old,isn't that supposed to auto - clear after ~30 days? Also, the first two articles on a search for "remove windows.old" appear to confirm my expectation that the disk cleanup tool will remove it, possibly without even running it as administrator. Frankly this sounds like it's getting into "respect mah authoritah" territory.

For the games, are those preinstalled? I haven't seen such, but most of the Win10 systems in dealing with so far are either upgrades or business class machines. If you're getting Enterprise systems preinstalled with 4gb of games someone needs to talk to your supplier.

I said what was using disk usage.

App telemetry, defender, compatibilty, etc.

>Frankly this sounds like it's getting into "respect mah authoritah" territory.

Yeah, it must really suck to have the burden of being able to delete files that aren't in use on your machine that you own, run, and paid Enterprise edition for.

What possible use could a professional system administrator need for changing files on a machine... except the exact use I just mentioned.

If you can't understand why having admin file access is important, then I suggest you never try Linux (or... Windows 7... or any IT job) because you will be horrified by the potential control you have over your system.

> JUST TO DELETE A FOLDER?!

The standard solution to that is compeltely anticlimactic. Just run the disk cleanup program (diskmgr), and there’ll be an option to remove “previous windows installations”.

It IS possible to manually delete it, but you would need to do the “take ownership” thing; being an admin user does not immediately give you permission to override security on files owned by TrustedInstaller, but you COULD still take ownership.

That being said, the last time I checked it wasn’t easy to get the “take ownership” thing work recursively.

It seems to me that under the hood, Windows is actually reasonably good. But the user experience had been slowly going downhill for a while since Windows 8, even though IMO it’s still okay-ish, despite Windows 10’s many annoyances.

>If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it long ago

While true, it should be noted that Tavis Ormandy is not just any "outsider" and is something of a god when it comes to finding vulnerabilities.

I find this line of thinking pervasive among criticisms of all kinds of developers. Especially in video game forums!

"If they did it, then our game dev can too!" Like large programs are just some kind of widget you can just move from place to place.

It's the general direction of the software industry to neglect non-functional requirements.

I make functional requirement emphasizers starting by product managers directly responsible for this.

Their fantasy is to be the next Steve Jobs' era Apple but usually they first become the next Equifax.

Windows 10 LTSB (long term servicing branch) should have been the original win10 release, with "add-ons" of the extra junk... instead they give you the most junk filled os and make you pay a premium (and very limited availability) for LTSB to strip it out and slow down the patches so they aren't forced down whenever ms wants.

Good like buying it easily if you not a premier partner or msdn subscriber.

We just qualified for our new client machine builds and will be providing that to customers only going forward for win10 requests.

Have not checked if this password keeper still gets deployed, will have to check monday. If it's distributed part of Windows store, then it won't be cause that's stripped out itself