Password manager

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

Gadget wrote: Sat Jan 23, 2021 10:20 am
MrJones wrote: Sat Jan 23, 2021 1:43 am The cool thing about BitWarden is, it's open source. That really matters with anything related to security.

https://bitwarden.com/open-source/

I believe the free version lets you share passwords with one another user. My experience with it overall has been excellent on Android, Mac, Windows.
While I like open source software and promote Bitwarden myself as the best free password manager, I don't like the narrative that open source software is more secure.

The one big plus for open source software is that you know that the company making it is transparent and didn't put any backdoors in their software on purpose. So if you don't fully trust the company making the software, this is a big plus.
It's not a narrative, but simply an obvious conclusion that it's impossible to examine closed source software for either inadvertent or deliberate backdoors.

For things like a widely used password manager, it is also so much easier for hackers to target vulnerabilities because the source is available. This leads to a quicker hacking and hardening cycle, and in many cases, a benign hacker gets to it earlier.

I'd argue that nobody should trust the company making the software that saves their passwords. Companies change hands, companies' motivations change, engineers in companies change. Instead, trust the code, which is the ultimate truth of a security product.

LastPass was sold to Logmein in 2015, and then changed hands again, this time to private equity in 2020. It's even harder to tell what the new owners' motivations are, given they are private. I wouldn't trust Bitwarden's owners either, and that's the cool thing - I don't have to.
whatshappeninman
Posts: 54
Joined: Thu Aug 24, 2017 11:52 pm

Re: Password manager

Post by whatshappeninman »

I use Linux on the desktop - in fact, I have no Windows running bare-metal on any hardware I own.

I use QTPass, which is a graphical front end over the open source (pass) tool that uses GPG, an excellent encryption tool.

https://qtpass.org/

This tool also has binaries available for Windows and Mac.

It's open source and the tools are among the standard password management tools used for the Linux desktop.

On the one hand, I don't believe it supports MFA, but on the other, the passwords are stored entirely on your own equipment on your own terms - they're not on third party equipment.
tzydzy
Posts: 23
Joined: Wed Mar 19, 2014 1:14 pm

Re: Password manager

Post by tzydzy »

I have Password Safe, which runs on the desktop to save everything and also use Dashlane (Free and one device only), McAfee TrueKey and just installed LastPass (Free). True Key is bundled with McAfee Total Protection and some of their other anti virus packages and I get it for $5-10 per year when the packages go on sale at Office Depot. Always Black Friday and throughout the year. I have several tablets and phones, so a multi device sync feature is needed, thus TrueKey and based on PC Magazine's review, Last Pass is being tested. I also have Norton subscriptions which included a password manager but haven't used it in years.
tm3
Posts: 777
Joined: Wed Dec 24, 2014 6:16 pm

Re: Password manager

Post by tm3 »

softwaregeek wrote: Tue Jan 19, 2021 10:08 pm I've been in the security industry for a while and this is something I feel very passionate about.
Thanks for chiming in. I appreciate it when professionals bring their expertise to the table.

After using Bitwarden for a while, and being very pleased with it, I have a question.

How does one handle an account such as, say, Hulu which requires login, and sometimes repeat logins, from a Roku device (or similar)? It is a real PITA to type in a 16 character password (that contains upper and lower case, ~!#$%^, and numbers) using the scroll key on a remote control. I think your answer is going to be "just suck it up and do it" but I figured it would not hurt to ask.
HawkeyePierce
Posts: 2352
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Password manager

Post by HawkeyePierce »

tzydzy wrote: Sun Jan 24, 2021 3:21 am I have Password Safe, which runs on the desktop to save everything and also use Dashlane (Free and one device only), McAfee TrueKey and just installed LastPass (Free). True Key is bundled with McAfee Total Protection and some of their other anti virus packages and I get it for $5-10 per year when the packages go on sale at Office Depot. Always Black Friday and throughout the year. I have several tablets and phones, so a multi device sync feature is needed, thus TrueKey and based on PC Magazine's review, Last Pass is being tested. I also have Norton subscriptions which included a password manager but haven't used it in years.
I would not trust anything from McAffee or Norton.
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: Password manager

Post by softwaregeek »

HawkeyePierce wrote: Sun Jan 24, 2021 11:52 am
tzydzy wrote: Sun Jan 24, 2021 3:21 am I have Password Safe, which runs on the desktop to save everything and also use Dashlane (Free and one device only), McAfee TrueKey and just installed LastPass (Free). True Key is bundled with McAfee Total Protection and some of their other anti virus packages and I get it for $5-10 per year when the packages go on sale at Office Depot. Always Black Friday and throughout the year. I have several tablets and phones, so a multi device sync feature is needed, thus TrueKey and based on PC Magazine's review, Last Pass is being tested. I also have Norton subscriptions which included a password manager but haven't used it in years.
I would not trust anything from McAffee or Norton.
It’s kaspersky I wouldn’t trust. No evidence, but constant rumors about involvement with the Russian government. I have no idea if true, but I stay away anyways.
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: Password manager

Post by softwaregeek »

tm3 wrote: Sun Jan 24, 2021 10:50 am
softwaregeek wrote: Tue Jan 19, 2021 10:08 pm I've been in the security industry for a while and this is something I feel very passionate about.
Thanks for chiming in. I appreciate it when professionals bring their expertise to the table.

After using Bitwarden for a while, and being very pleased with it, I have a question.

How does one handle an account such as, say, Hulu which requires login, and sometimes repeat logins, from a Roku device (or similar)? It is a real PITA to type in a 16 character password (that contains upper and lower case, ~!#$%^, and numbers) using the scroll key on a remote control. I think your answer is going to be "just suck it up and do it" but I figured it would not hurt to ask.
Just suck it up and do it.
Target2019
Posts: 904
Joined: Sat Mar 03, 2007 4:30 pm

Re: Password manager

Post by Target2019 »

k b wrote: Sat Jan 23, 2021 3:45 pm
Target2019 wrote: Sat Jan 23, 2021 3:28 pm
k b wrote: Sat Jan 23, 2021 2:49 pm
I use a Firefox add-on. Tried again this morning and I was actually able to see my password on the screen! About to switch on 2FA.
Make sure you are using the official 1Password extension.
I do not see my master password on the screen when I login through the extension.

I think I figured it out. The browser extension has a 'LOCK' feature. Previously the extension was 'unlocked'. Once I clicked on the LOCK feature, the PW did not 'reveal'.

If you want to try this out, unlock the extension and look for the reveal password feature.

Feeling much better now!
I am still confused by what you are saying. I have 1Password X version 1.22.3 installed in FireFox 84.0.2. What do you have?

When I first encounter the extension it appears as toolbar button with overlaid lock. When I click that I see no password and enter my master password to open the vault. I never see my master password, and it was blanked out as a I typed it. Now the extension appears as a button with no lock. There is no way to show my master password.

If I click or right click the extension I never see my master password. I can right-click and select Lock from a context menu. But I never see my master password.

You probably have a setting turned off that should be turned on.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

When you right click and 'unlock' the extension, hover over the password area. You will see an option to REVEAL.
User avatar
jhfenton
Posts: 4754
Joined: Sat Feb 07, 2015 10:17 am
Location: Ohio

Re: Password manager

Post by jhfenton »

tm3 wrote: Sun Jan 24, 2021 10:50 am
softwaregeek wrote: Tue Jan 19, 2021 10:08 pm I've been in the security industry for a while and this is something I feel very passionate about.
Thanks for chiming in. I appreciate it when professionals bring their expertise to the table.

After using Bitwarden for a while, and being very pleased with it, I have a question.

How does one handle an account such as, say, Hulu which requires login, and sometimes repeat logins, from a Roku device (or similar)? It is a real PITA to type in a 16 character password (that contains upper and lower case, ~!#$%^, and numbers) using the scroll key on a remote control. I think your answer is going to be "just suck it up and do it" but I figured it would not hurt to ask.
1. Often, using the Roku remote app on my iPhone will allow me to "paste" passwords into the onscreen keyboard from my iOS password manager (LastPass).
2. Constrain those passwords to character sets that are easier to type onscreen. They can still be long and sufficiently complex.
ikowik
Posts: 392
Joined: Tue Dec 23, 2014 5:52 pm

Re: Password manager

Post by ikowik »

tm3 wrote: Sun Jan 24, 2021 10:50 am
softwaregeek wrote: Tue Jan 19, 2021 10:08 pm I've been in the security industry for a while and this is something I feel very passionate about.
Thanks for chiming in. I appreciate it when professionals bring their expertise to the table.

After using Bitwarden for a while, and being very pleased with it, I have a question.

How does one handle an account such as, say, Hulu which requires login, and sometimes repeat logins, from a Roku device (or similar)? It is a real PITA to type in a 16 character password (that contains upper and lower case, ~!#$%^, and numbers) using the scroll key on a remote control. I think your answer is going to be "just suck it up and do it" but I figured it would not hurt to ask.
I have a Roku app installed on my iPhone, it functions as remote control once paired with the Roku device. Much easier to type passwords on my phone.
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

jhfenton wrote: Mon Jan 25, 2021 10:59 am
tm3 wrote: Sun Jan 24, 2021 10:50 am
softwaregeek wrote: Tue Jan 19, 2021 10:08 pm I've been in the security industry for a while and this is something I feel very passionate about.
Thanks for chiming in. I appreciate it when professionals bring their expertise to the table.

After using Bitwarden for a while, and being very pleased with it, I have a question.

How does one handle an account such as, say, Hulu which requires login, and sometimes repeat logins, from a Roku device (or similar)? It is a real PITA to type in a 16 character password (that contains upper and lower case, ~!#$%^, and numbers) using the scroll key on a remote control. I think your answer is going to be "just suck it up and do it" but I figured it would not hurt to ask.
1. Often, using the Roku remote app on my iPhone will allow me to "paste" passwords into the onscreen keyboard from my iOS password manager (LastPass).
2. Constrain those passwords to character sets that are easier to type onscreen. They can still be long and sufficiently complex.
This is what I do with my Nvidia shield TV (Android TV): use their phone app to paste password. The phone app connects to the console using bluetooth. Works great every time for me. I'm sure Roku and AppleTV have something similar.
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
tm3
Posts: 777
Joined: Wed Dec 24, 2014 6:16 pm

Re: Password manager

Post by tm3 »

jhfenton wrote: Mon Jan 25, 2021 10:59 am
tm3 wrote: Sun Jan 24, 2021 10:50 am
softwaregeek wrote: Tue Jan 19, 2021 10:08 pm I've been in the security industry for a while and this is something I feel very passionate about.
Thanks for chiming in. I appreciate it when professionals bring their expertise to the table.

After using Bitwarden for a while, and being very pleased with it, I have a question.

How does one handle an account such as, say, Hulu which requires login, and sometimes repeat logins, from a Roku device (or similar)? It is a real PITA to type in a 16 character password (that contains upper and lower case, ~!#$%^, and numbers) using the scroll key on a remote control. I think your answer is going to be "just suck it up and do it" but I figured it would not hurt to ask.
1. Often, using the Roku remote app on my iPhone will allow me to "paste" passwords into the onscreen keyboard from my iOS password manager (LastPass).
2. Constrain those passwords to character sets that are easier to type onscreen. They can still be long and sufficiently complex.
Great idea! Thanks!
albireo13
Posts: 129
Joined: Wed Jun 24, 2015 6:35 am

Re: Password manager

Post by albireo13 »

I have been a happy user of eWallet now for 3 years.
Wizze
Posts: 39
Joined: Wed Mar 17, 2010 3:45 pm

Re: Password manager

Post by Wizze »

This seems like a silly question considering I haven’t seen a mention of it at all in this thread, but is iCloud Keychain that terrible? I have been using it solely due to the convenience, and it has met my expectations...but perhaps my expectations are not what the should be! Should I be ditching Keychain for one of these other password managers?
User avatar
F150HD
Posts: 3926
Joined: Fri Sep 18, 2015 7:49 pm

Re: Password manager

Post by F150HD »

k b wrote: Thu Jan 14, 2021 12:40 pm We use 2FA, but the second level of authentication is linked to our cellphones. A code is sent to the cellphone and is valid for 30 minutes.
https://fraud.org/port_out_alert/

unless you're already aware....many (try to) avoid this due to port-out scams (well, I do)
User avatar
F150HD
Posts: 3926
Joined: Fri Sep 18, 2015 7:49 pm

Re: Password manager

Post by F150HD »

dboeger1 wrote: Tue Jan 12, 2021 8:33 pm They have similar free tiers. The biggest difference, and the reason I went with Bitwarden, is that they have free native desktop clients.
Bitwarden - does the desktop app have an actual password generator?

Articles I've read seem to imply you need the web app for that?
dboeger1
Posts: 1411
Joined: Fri Jan 13, 2017 6:32 pm

Re: Password manager

Post by dboeger1 »

F150HD wrote: Wed Feb 03, 2021 10:48 pm
dboeger1 wrote: Tue Jan 12, 2021 8:33 pm They have similar free tiers. The biggest difference, and the reason I went with Bitwarden, is that they have free native desktop clients.
Bitwarden - does the desktop app have an actual password generator?

Articles I've read seem to imply you need the web app for that?
I believe it does, but I don't know off the top of my head, as I mostly use the browser extension now. I remember all the different clients seeming like they had feature parity.

I recommend just trying them out and seeing which you prefer. It should only take a few minutes. One feature I never even considered was auto-filling on mobile. To be honest, I don't even know if Bitwarden has that, because I use the native app on mobile, but I just recently saw a video of someone using LastPass with that feature, and it blew my mind because I find using the Bitwarden app on mobile to be a hassle. I'll probably just keep doing what I'm doing because I got used to it and I frequently need to use the app in cases where I suspect auto-fill won't suffice, but if I was starting out again, that's one thing I would check for.
dboeger1
Posts: 1411
Joined: Fri Jan 13, 2017 6:32 pm

Re: Password manager

Post by dboeger1 »

Wizze wrote: Wed Feb 03, 2021 9:08 pm This seems like a silly question considering I haven’t seen a mention of it at all in this thread, but is iCloud Keychain that terrible? I have been using it solely due to the convenience, and it has met my expectations...but perhaps my expectations are not what the should be! Should I be ditching Keychain for one of these other password managers?
I personally wouldn't use it because I care about cross-platform support and storing my passwords "in the cloud" so I can easily access it anywhere with a connection. If you don't value those things, I guess whatever Apple provides is fine. Does KeyChain "sync" across devices? If not, I would be very wary of generating passwords and not remembering them, because if you lose the device storing them, you lose your passwords. I honestly have no idea how KeyChain stores passwords. I also had a terrible experience with KeyChain getting corrupted on my work laptop, but I can't really say if that was specific to me or likely to affect others.
tm3
Posts: 777
Joined: Wed Dec 24, 2014 6:16 pm

Re: Password manager

Post by tm3 »

Wizze wrote: Wed Feb 03, 2021 9:08 pm This seems like a silly question considering I haven’t seen a mention of it at all in this thread, but is iCloud Keychain that terrible? I have been using it solely due to the convenience, and it has met my expectations...but perhaps my expectations are not what the should be! Should I be ditching Keychain for one of these other password managers?
I fiddled with Keychain while auditioning various PW managers. I can't quote chapter and verse but there were several things about Keychain that made it more cumbersome and I liked Bitwarden much better.

There is another long thread here about PW managers and one of the security experts points out some specific shortcomings of Keychain.
bluebolt
Posts: 2137
Joined: Sat Jan 14, 2017 8:01 am

Re: Password manager

Post by bluebolt »

dboeger1 wrote: Wed Feb 03, 2021 11:39 pm
Wizze wrote: Wed Feb 03, 2021 9:08 pm This seems like a silly question considering I haven’t seen a mention of it at all in this thread, but is iCloud Keychain that terrible? I have been using it solely due to the convenience, and it has met my expectations...but perhaps my expectations are not what the should be! Should I be ditching Keychain for one of these other password managers?
I personally wouldn't use it because I care about cross-platform support and storing my passwords "in the cloud" so I can easily access it anywhere with a connection. If you don't value those things, I guess whatever Apple provides is fine. Does KeyChain "sync" across devices? If not, I would be very wary of generating passwords and not remembering them, because if you lose the device storing them, you lose your passwords. I honestly have no idea how KeyChain stores passwords. I also had a terrible experience with KeyChain getting corrupted on my work laptop, but I can't really say if that was specific to me or likely to affect others.
Keychain syncs across devices.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

F150HD wrote: Wed Feb 03, 2021 10:19 pm
k b wrote: Thu Jan 14, 2021 12:40 pm We use 2FA, but the second level of authentication is linked to our cellphones. A code is sent to the cellphone and is valid for 30 minutes.
https://fraud.org/port_out_alert/

unless you're already aware....many (try to) avoid this due to port-out scams (well, I do)
Thank you. I hadn't logged in for a while. Just saw this.

So, 2FA with an Authy is better than 2FA with one's cellphone TO AVOID GETTING LOCKED OUT IF THE CELLPHONE NUMBER IS HIJACKED by a scammer? And this hijacking risk can be mitigated by setting up a PIN with the carrier?

Plus, by complicating my pw for my Fidelity account (as an example) using 1password AND adding 2FA via cellphone, I think I am somewhat better protected than I was a month ago!

But thanks for alerting me. I do have a pin with my cellphone carrier, but need to complicate THAT a bit!!
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

F150HD wrote: Wed Feb 03, 2021 10:48 pm
dboeger1 wrote: Tue Jan 12, 2021 8:33 pm They have similar free tiers. The biggest difference, and the reason I went with Bitwarden, is that they have free native desktop clients.
Bitwarden - does the desktop app have an actual password generator?

Articles I've read seem to imply you need the web app for that?
The browser add-on most definitely has a password generator; so does the Android mobile app and web app.

On the browser -- You can even set keyboard shortcut to autofill password on a page (CTRL+SHIFT+L by default) and generate new password and save to clipboard (CTRL+SHIFT+9 by default, followed by CTRL+V to paste the generated password).

On Android -- you can set quick notification buttons (scroll down from top and hit a button) to do both these operations. Very helpful & nifty in my opinion. I rarely open the bitwarden app directly - I just use this two notification buttons 99% of the time.
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

1Password (desktop version and browser extension) offers an OPEN AND FILL option. So, no need to write out username and password.

Bitwarden doesn't seem to offer this, though it offers a launch option that opens the site in question. Is this right? Or am I not looking properly? New to Bitwarden.

Thanks.
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

k b wrote: Sun Feb 21, 2021 4:27 pm 1Password (desktop version and browser extension) offers an OPEN AND FILL option. So, no need to write out username and password.

Bitwarden doesn't seem to offer this, though it offers a launch option that opens the site in question. Is this right? Or am I not looking properly? New to Bitwarden.

Thanks.
Somewhere in the bitwarden browser addon options there is a setting to enable auto-fill on page load (disabled by default). If you enable that setting, the launch webpage option will work similarly (i.e. it'll launch and fill the user/pass).
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
thenextguy
Posts: 717
Joined: Wed Mar 25, 2009 12:58 am

Re: Password manager

Post by thenextguy »

squirm wrote: Tue Jan 12, 2021 3:13 pm I use lastpass for years and happy with it. i see no reason to switch, plus it would be a pain.
It's not really a pain. I switched from Last Pass to Bitwarden for security reasons a month or so ago. You export your passwords from LastPass, pick a few settings in Bitwarden, and you're up and running. Took me about 1/2 hour.
Topic Author
k b
Posts: 173
Joined: Tue Oct 15, 2013 8:43 pm

Re: Password manager

Post by k b »

gas_balloon wrote: Sun Feb 21, 2021 5:04 pm
k b wrote: Sun Feb 21, 2021 4:27 pm 1Password (desktop version and browser extension) offers an OPEN AND FILL option. So, no need to write out username and password.

Bitwarden doesn't seem to offer this, though it offers a launch option that opens the site in question. Is this right? Or am I not looking properly? New to Bitwarden.

Thanks.
Somewhere in the bitwarden browser addon options there is a setting to enable auto-fill on page load (disabled by default). If you enable that setting, the launch webpage option will work similarly (i.e. it'll launch and fill the user/pass).
Found it! Available in the Firefox browser addon. I was using the Bitwarden website yesterday. Don't think it's available there.

Thanks.
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

dboeger1 wrote: Wed Feb 03, 2021 11:34 pm One feature I never even considered was auto-filling on mobile. To be honest, I don't even know if Bitwarden has that, because I use the native app on mobile, but I just recently saw a video of someone using LastPass with that feature, and it blew my mind because I find using the Bitwarden app on mobile to be a hassle.
BitWarden has the same feature, using the same Android mechanism for auto filling. I forget what settings need to be enabled, but it should be easy to figure it out.
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

MrJones wrote: Mon Feb 22, 2021 2:32 pm
dboeger1 wrote: Wed Feb 03, 2021 11:34 pm One feature I never even considered was auto-filling on mobile. To be honest, I don't even know if Bitwarden has that, because I use the native app on mobile, but I just recently saw a video of someone using LastPass with that feature, and it blew my mind because I find using the Bitwarden app on mobile to be a hassle.
BitWarden has the same feature, using the same Android mechanism for auto filling. I forget what settings need to be enabled, but it should be easy to figure it out.
Hmm.. I've been using bitwarden for a while, I don't think I've seen it autofill a native app. If the app supports biometric, that's the best way to login.. Otherwise I have to click on the notification to have bitwarden fill the password.

If the autofill feature is available I'd love to know how to enable it.
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

gas_balloon wrote: Mon Feb 22, 2021 3:24 pm Hmm.. I've been using bitwarden for a while, I don't think I've seen it autofill a native app. If the app supports biometric, that's the best way to login.. Otherwise I have to click on the notification to have bitwarden fill the password.

If the autofill feature is available I'd love to know how to enable it.
Main page -> Settings -> Auto-fill Service -> Enabled
https://bitwarden.com/help/article/auto-fill-android/

You need a relatively new Android version, I forget how new.
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

MrJones wrote: Mon Feb 22, 2021 4:10 pm
gas_balloon wrote: Mon Feb 22, 2021 3:24 pm Hmm.. I've been using bitwarden for a while, I don't think I've seen it autofill a native app. If the app supports biometric, that's the best way to login.. Otherwise I have to click on the notification to have bitwarden fill the password.

If the autofill feature is available I'd love to know how to enable it.
Main page -> Settings -> Auto-fill Service -> Enabled
https://bitwarden.com/help/article/auto-fill-android/

You need a relatively new Android version, I forget how new.
I have all of that enabled. I guess their defintion of "Auto-fill" is that you get a notification to fill the password (either using accessibility service or keyboard suggestion). I was expecting Auto-fill to fill the password with no interaction from my end (kinda like what happens when I open a web page in browser that requires a password - bitwarden just fills the user/pass without me doing anything if I have enabled the "auto fill on page load" option).
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
Vanguard Fan 1367
Posts: 2139
Joined: Wed Feb 08, 2017 2:09 pm

Re: Password manager

Post by Vanguard Fan 1367 »

I took a long time to decide to go with a password manager. Bitwarden's free version has worked well for me.
John Bogle: "It's amazing how difficult it is for a man to understand something if he's paid a small fortune not to understand it."
_james
Posts: 54
Joined: Tue Sep 13, 2011 5:13 am

Re: Password manager

Post by _james »

I've used BitWarden free for many years and works very well across all my devices. BitWarden premium is $1 a month and LastPass is $3 if you choose to go with that.

LastPass is changing the free offering so it only works on 1 device type. So if you use it on your phone it won't sync to your computer. If you choose to use it on your computer it won't work on your phone. Here's their official release about it:

https://blog.lastpass.com/2021/02/chang ... pass-free/
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

gas_balloon wrote: Mon Feb 22, 2021 4:18 pm I have all of that enabled. I guess their defintion of "Auto-fill" is that you get a notification to fill the password (either using accessibility service or keyboard suggestion). I was expecting Auto-fill to fill the password with no interaction from my end (kinda like what happens when I open a web page in browser that requires a password - bitwarden just fills the user/pass without me doing anything if I have enabled the "auto fill on page load" option).
Hmm, I'm not sure what you're missing, but I'm definitely not using a notification to Autofill. Bitwarden's definition of "Auto-fill" is no different from LastPass' definition, because that Autofill is an Android feature that password managers simply use.

Do you have your "auto-fill accessibility autofill service" turned on? (It needs to be turned off in Bitwarden, so the newer Android Autofill can be used).
What version of Android are you using?
What version of the Bitwarden app are you using?
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

MrJones wrote: Tue Feb 23, 2021 5:06 am Hmm, I'm not sure what you're missing, but I'm definitely not using a notification to Autofill. Bitwarden's definition of "Auto-fill" is no different from LastPass' definition, because that Autofill is an Android feature that password managers simply use.
I've never used LastPass so I honestly don't know how to compare. So may be my expectations are just incorrect..
Do you have your "auto-fill accessibility autofill service" turned on? (It needs to be turned off in Bitwarden, so the newer Android Autofill can be used).
Yes, it's turned on.
What version of Android are you using?
What version of the Bitwarden app are you using?
Both are latest. I'm on Pixel 4XL, updated to the latest build (Feb 2021 security update) of Android 11 and newest Play store version of bw.

What happens is whenever I visit a mobile site or app with username/password, there are 3 ways to login:
1) when I click the username field, a little popup overlay is shown to fill with bw. I click that and then select the username (if there are multiple for the site), then bitwarden fills the username and password.
2) on the gboard, the username is shown as a type-ahead recommendation by bw. I click that and the user/pass are filled
3) Very occasionally (esp. with old apps like morgan stanley stock plan connect), neither 1 or 2 are shown. In this case, I scroll down from the top to reveal the quick notification bar, click the fill with bw quick icon, select the username, and bitwarden fills both fields for me.

My expectation is that there would be no interaction, i.e. the last used username/password should get automatically filled without me needing to do anything.
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

gas_balloon wrote: Tue Feb 23, 2021 10:16 am What happens is whenever I visit a mobile site or app with username/password, there are 3 ways to login:
1) when I click the username field, a little popup overlay is shown to fill with bw. I click that and then select the username (if there are multiple for the site), then bitwarden fills the username and password.
2) on the gboard, the username is shown as a type-ahead recommendation by bw. I click that and the user/pass are filled
3) Very occasionally (esp. with old apps like morgan stanley stock plan connect), neither 1 or 2 are shown. In this case, I scroll down from the top to reveal the quick notification bar, click the fill with bw quick icon, select the username, and bitwarden fills both fields for me.

My expectation is that there would be no interaction, i.e. the last used username/password should get automatically filled without me needing to do anything.
Ah, your steps are exactly what I get as well. I believe that's all Android lets you do, which means no other password manager can do better, though I might be mistaken.

Agree, zero interaction would be great. The good news is, most apps are starting to support this by turning on fingerprint locking.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password manager

Post by Gadget »

This might be of interest to people with password managers:
https://www.theverge.com/2021/2/26/2230 ... ch-privacy

Looks like Lastpass has 7 trackers. Bitwarden has 2. Roboform and Dashlane have 4. Only 1Password has zero.

I was surprised Bitwarden had 2. Not surprised about Lastpass or 1Password's results though.

I'm not saying they are malicious trackers, but I bet they could introduce vulnerabilities in the future. It also likely gives insight into each companies business models. 1Password is solely subscription based, while the others rely on trackers with Google/Facebook/etc to sell user data.
User avatar
beyou
Posts: 6915
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Password manager

Post by beyou »

tm3 wrote: Thu Feb 04, 2021 9:28 am
Wizze wrote: Wed Feb 03, 2021 9:08 pm This seems like a silly question considering I haven’t seen a mention of it at all in this thread, but is iCloud Keychain that terrible? I have been using it solely due to the convenience, and it has met my expectations...but perhaps my expectations are not what the should be! Should I be ditching Keychain for one of these other password managers?
I fiddled with Keychain while auditioning various PW managers. I can't quote chapter and verse but there were several things about Keychain that made it more cumbersome and I liked Bitwarden much better.

There is another long thread here about PW managers and one of the security experts points out some specific shortcomings of Keychain.
I use Keychain for a few months now. The biggest drawback for an all apple user, I don’t see how to influence the pwd generation format. Many sites have rules violated by the default generated pwd, and the only other option seems to be manually create your own pwd. Not terrible but lastpass can do better in this way.

That said, for mac/iphone/ipad users it’s a seamless solution that I am happy with overall.
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

Gadget wrote: Sun Feb 28, 2021 6:33 am This might be of interest to people with password managers:
https://www.theverge.com/2021/2/26/2230 ... ch-privacy

Looks like Lastpass has 7 trackers. Bitwarden has 2. Roboform and Dashlane have 4. Only 1Password has zero.

I was surprised Bitwarden had 2. Not surprised about Lastpass or 1Password's results though.

I'm not saying they are malicious trackers, but I bet they could introduce vulnerabilities in the future. It also likely gives insight into each companies business models. 1Password is solely subscription based, while the others rely on trackers with Google/Facebook/etc to sell user data.
Very interesting, thanks for sharing! Yes, I too am surprised by BitWarden's two. They're:
- Google Firebase Analytics (Firebase gives you functionality like analytics, databases, messaging and crash reporting)
- Microsoft Visual Studio App Center Crashes
crash reporting: Automatically generates a crash log every time your app crashes

Neither are great from a purity of privacy perspective, definitely not the former.

Source: linked from the site you shared:
https://reports.exodus-privacy.eu.org/e ... /#trackers

Perhaps a privacy focused fork of BitWarden will be made, given it's open source.
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

MrJones wrote: Sun Feb 28, 2021 11:42 pm
Gadget wrote: Sun Feb 28, 2021 6:33 am This might be of interest to people with password managers:
https://www.theverge.com/2021/2/26/2230 ... ch-privacy

Looks like Lastpass has 7 trackers. Bitwarden has 2. Roboform and Dashlane have 4. Only 1Password has zero.

I was surprised Bitwarden had 2. Not surprised about Lastpass or 1Password's results though.

I'm not saying they are malicious trackers, but I bet they could introduce vulnerabilities in the future. It also likely gives insight into each companies business models. 1Password is solely subscription based, while the others rely on trackers with Google/Facebook/etc to sell user data.
Very interesting, thanks for sharing! Yes, I too am surprised by BitWarden's two. They're:
- Google Firebase Analytics (Firebase gives you functionality like analytics, databases, messaging and crash reporting)
- Microsoft Visual Studio App Center Crashes
crash reporting: Automatically generates a crash log every time your app crashes

Neither are great from a purity of privacy perspective, definitely not the former.

Source: linked from the site you shared:
https://reports.exodus-privacy.eu.org/e ... /#trackers

Perhaps a privacy focused fork of BitWarden will be made, given it's open source.
They have a F-Droid build that doesn't have trackers. https://mobileapp.bitwarden.com/fdroid/

They claim these are necessary to be listed on Google play store (see https://community.bitwarden.com/t/remov ... rden/18925), Although I don't understand how 1Password manages to not have them in their app on play store then.
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
MrJones
Posts: 775
Joined: Sat Mar 18, 2017 2:23 am

Re: Password manager

Post by MrJones »

gas_balloon wrote: Sun Feb 28, 2021 11:44 pm They have a F-Droid build that doesn't have trackers. https://mobileapp.bitwarden.com/fdroid/

They claim these are necessary to be listed on Google play store (see https://community.bitwarden.com/t/remov ... rden/18925), Although I don't understand how 1Password manages to not have them in their app on play store then.
I was just going to post this thread as well! So they use it for push notifications (sync) and crash reporting. Regardless, I already installed the FDroid version. Nice thing is, BW being open source and having an FDroid listing, because FDroid policies prevent apps that have trackers of any sort.
tm3
Posts: 777
Joined: Wed Dec 24, 2014 6:16 pm

Re: Password manager

Post by tm3 »

Gadget wrote: Sun Feb 28, 2021 6:33 am
I'm not saying they are malicious trackers, but I bet they could introduce vulnerabilities in the future. It also likely gives insight into each companies business models. 1Password is solely subscription based, while the others rely on trackers with Google/Facebook/etc to sell user data.
Just to play a little devil's advocate here ......

It's not clear that the presence of trackers makes use of the PW mgr unsafe, or if it is really a bad thing in any way. It sounds bad to me, but what do I know?

However this certainly could be used as marketing by 1Password which, unlike Bitwarden, is actively selling a product.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Password manager

Post by Gadget »

The Bitwarden trackers sort of make sense to me. Google and MS trackers. Not good for privacy advocates, but most likely harmless.

The Lastpass trackers are more like red flags. I'm not sure there is a good justification to those other than more income stream for Lastpass.
User avatar
fetch5482
Posts: 1722
Joined: Fri Aug 15, 2014 4:55 pm

Re: Password manager

Post by fetch5482 »

Gadget wrote: Mon Mar 01, 2021 9:22 am The Bitwarden trackers sort of make sense to me. Google and MS trackers. Not good for privacy advocates, but most likely harmless.
I'm in the same boat as you.. But I understand the skepticism from several people. Bitwarden (afaik) does not open source their client app code (iOS/Android/web/browser add-on); so I appreciate people finding and questioning these trackers and having options with F-Droid if they're not comfortable with it.
(AGE minus 23%) Bonds | 5% REITs | Balance 80% US (75/25 TSM/SCV) + 20% International (80/20 Developed/Emerging)
BusterMcTaco
Posts: 396
Joined: Tue Jul 11, 2017 6:36 pm

Re: Password manager

Post by BusterMcTaco »

LastPass was sold to Logmein in 2015, and then changed hands again, this time to private equity in 2020. It's even harder to tell what the new owners' motivations are, given they are private. I wouldn't trust Bitwarden's owners either, and that's the cool thing - I don't have to.
I noticed a decline in LastPass shortly after the 2015 sale. Nowadays, the plugin doesn't even work right on Chrome, and on top of that they want $3/month to work on both my desktop and mobile, whereas before that was free. That alone is reason enough to boycott the company. And, mind you, I used to pay for premium so I'm not (just) being cheap, it's the principle.
How does one handle an account such as, say, Hulu which requires login, and sometimes repeat logins, from a Roku device (or similar)? It is a real PITA to type in a 16 character password (that contains upper and lower case, ~!#$%^, and numbers) using the scroll key on a remote control. I think your answer is going to be "just suck it up and do it" but I figured it would not hurt to ask.
I don't think "just suck it up" is a good answer. You can always create a random phrase using https://xkcd.pw/ which is much easier to type in, and just as secure as gobbledygook.

ETA: You can also compromise on security for a password for a site like Hulu. As long as your payment information isn't easily obtainable (visible credit card number), what's the worst that can happen if it gets cracked? Desperate Housewives of Miami shows up in your recently watched list? Just use a unique, random password, but make it shorter. Like 10 characters all letters, all lowercase if they'll let you.

50-60 character randomness is for bank accounts :-)
pseudoiterative
Posts: 575
Joined: Tue Sep 24, 2019 6:11 am
Location: australia

Re: Password manager

Post by pseudoiterative »

jhsu802701 wrote: Thu Jan 14, 2021 4:12 pm I use KeePassXC (https://keepassxc.org/). It's free, open source, and available for Linux, MacOS, and Windows. No matter which OS you use, you're covered.
KeePassXC is great. But make sure you backup that password database file with some kind of offsite backup that can be accessed without any of the information in the password database! Bit of a mess if the password database is a file stored in a single drive, and that drive fails / gets stolen / is destroyed in a house fire, and there's no way to recover any of the passwords.
Post Reply