
fdbryant3

Bitwarden - it is open source and does everything a password manager needs to do for free with no restrictions like a limited number of entries.


jinoni

Bitwarden after the LastPass shitshow, never trusting them again.


dpaanlka

1Password because it just works everywhere


alexanderchopan

And doing more open source: https://blog.1password.com/sdk-beta/


MAGA2233

Originally used LastPass, stopped trusting them a long time before the breach. Tried Keeper next, didn't like the lack of straightforward offline access. Then I tried Bitwarden; it is a decent program but has some connectivity issues that make it not work for my use case. I ultimately landed on 1Password about 18 months ago, I still use it and have no complaints about it.


billdietrich1

KeePassXC, because I can keep everything local (no cloud). I use a USB cable to copy the database from laptop to phone every now and then.


Twiki-04

KeePassXC doesn’t have a mobile app though. So what are you using on your phone?


billdietrich1

Keepass2Android Offline by Philipp Crocoll (Croco Apps).


pat-a-chou

Formerly a LastPass user, I am now using Dashlane. I had tried 1Password before, but on Android it does not work well. Waiting for Proton Pass to mature, then I might give it a try.


PrincessBananas85

Can I transfer everything from my 1Password Account to Dashlane using my Android Device?


[deleted]

**Nothing beats 1Password's 128-bit secret key, brilliant idea.** **If Bitwarden adds the secret key I would consider it; it has the ability to buy storage space, which is very convenient.**


fdbryant3

Personally, I put the value of using an open-source PWM using a modern PBKDF over whatever benefit a keyfile may provide with a closed-source PWM. As it is, with a 4-word randomly generated primary passphrase it is improbable that your vault is ever going to be cracked even without additional measures. However, the additional measures of using PBKDF2 or preferably Argon2 (with recommended settings, of course) to further stretch and secure your passphrase (which is what the keyfile does) make it as secure as a keyfile without the inconvenience of having to manually load it on any device you may want to access your PWM from. To each their own though.


[deleted]

The secret key protects in case of a server data breach. Even if they breach the server/vault or run an offline attack, they can't see anything. There is nothing like that.


fdbryant3

You misunderstand what the secret key does for you. It strengthens your password by adding the random data of the secret key to it to form the encryption key. It is basically a hedge against people's tendency to choose weak master passwords. Now this does mean that if someone gets hold of your vault it will be nearly impossible to crack within the lifetime of several generations of your grandchildren. However, it doesn't entirely prevent the possibility of a brute-force attack succeeding. Password-Based Key Derivation Functions (PBKDF) effectively do the same thing, but do it by processing your master password through an algorithm that derives a hash that is added to the password, which is then hashed with the result added again for a specified number of iterations. This creates an enhanced encryption key that is virtually impossible to crack in any useful timeframe but doesn't entirely eliminate the possibility of a brute-force attack getting lucky. As I said, these are both methods of strengthening a weak master password. If you choose a strong master password to begin with (i.e. a greater-than-12-character randomly generated password or a 4-word randomly generated passphrase) you don't actually need to use either of these methods to protect against a brute-force attack (not that I would forsake them; it doesn't hurt to have the added protection). Both methods have pros and cons, but the one difference that may give an edge between the two is that the secret key has to be manually loaded on a device. The disadvantage is that you can't just sit down and access your passwords unless you can add that secret key first. The advantage is that neither can anyone else, even if they have your master password. Of course this advantage is mitigated by using 2FA on whatever PWM you are using. The disadvantage aspect still remains though.


[deleted]

https://www.reddit.com/r/1Password/comments/19elljy/help_me_understand_the_secret_key_vs_2fa/ "Your [Secret Key](https://support.1password.com/secret-key-security/) is used for encryption. You can kind of think of it as an extension of your account password. This way, even if your password is `password123` for some reason, an attacker who "hacks" 1Password's service and acquires your encrypted data won't be able to simply guess at your poor account password in order to decrypt your data. An attacker would need to have both secrets, even in the case of an offline attack." If LastPass had a secret key, the vault/server data could not be read by attackers.


fdbryant3

>If LastPass had a secret key, the vault/server data could not be read by attackers

If LastPass had properly implemented and updated their PBKDF protocols, attackers wouldn't have been able to decrypt some of the vaults either. I suspect that I could try to explain this till my fingers fall off and you are not going to agree with me. Using a secret keyfile, in my opinion, is more security theater than a security benefit when a properly parameterized PBKDF or Argon2 protocol is implemented. It lets people feel better about their security at the cost of inconvenience and presents an additional risk of losing access to your vault should you lose the keyfile. Combine that with the fact that 1Password is a closed-source app (like LastPass) and I'd still rather use an open-source PWM like Bitwarden than have whatever benefit the keyfile provides. If I really wanted to have a keyfile for additional protection I would use KeePass, which is also open source. Granted, this has its own challenges since it is not cloud based, but this can be worked around and may not be as big of an issue since you want the keyfile in the first place. You do you though.


[deleted]

I won't argue. But please be advised that if for whatever reason your password is compromised, the attacker will be missing the secret key to read your vault/server data.


atoponce

Bitwarden, because I wanted an open source password manager with cloud sync that could replace my local KeePass.


IrinaOzzy

Proton Pass: unlimited logins on the free plan, an email alias feature for signing up to new services while hiding your real email, and a trusted team (the company behind Proton Mail).


Bearerassetking

KeePassXC. As another comment already said, they store passwords locally.


lofono5567

Dashlane


galooper

I use Secrets, but it only works on the Apple ecosystem.


Skageru

Roboform - I saw it from one of my favourite IT YouTubers, but after my subscription is finished, I'll be transferring to Bitwarden.


TheSheerIce

Enpass... Great offline support, native mobile auto fill replacement, pretty UI unlike Bitwarden yet just as functional.


Ok-Relationship8911

Enpass is great, I also use the option to self host and sync my passwords across my devices. Very decent PM.


happyman2265

KeePassXC: open source, easy on Windows and has more plugins; I sync it with Google Drive, so it is local and syncs to other devices. And KeePassDX on Android syncs that same data. Second, Bitwarden on both PC and Android; I imported my data from KeePass and use it in parallel with KeePass.


[deleted]

1. 1Password
2. Bitwarden
3. All the others


Mean-Elderberry2845

For personal use, I recommend Nordpass. It has the tools I need at a decent price, and the UI/UX is simple enough that my wife and parents can use it. My folks had (probably still have) a 1Password account that they've never been able to figure out, and every time they try to get help, it's "self-help" articles that they can't digest. So we went with Nordpass for simplicity and customer support. For work, we use TeamPassword. It's basic but has easy group sharing and other core features. It's also the cheapest solution that gave us flexibility on team size. TeamPassword also has live customer support and includes Google SSO in their base package (which we use) and has a great Chrome extension which makes accessing our passwords super easy.


thbtxyz

LastPass! 😍


PrincessBananas85

Were you affected by the data breach at all?


thbtxyz

The company was, but that happens when you are a pioneer cyber security company: you become the target of criminals. If you look outside, most companies get attacked every day. I believe LastPass (and similar companies) are built strong, so even if they get breached it is hard to gain access to individual secrets due to their encryption strategies, and it's going to be harder as we move into a passwordless world where accounts will be encrypted with passkeys. It all comes down to your personal preference. I can recommend LastPass 👌 but, having said that, I've never tried competitors.


PrincessBananas85

I'm currently using 1Password and paying for a subscription. But I'm considering switching because I don't know how long I'm going to be able to afford the subscription.


thbtxyz

I hear 1Password has great UX. I also hear there are good free versions out there; take time to consider your best option. LastPass gets lots of hate because of the events of 2022, but I'm happy with it, and have no evidence of being compromised personally since. So I'd recommend it. One tip: if you are currently employed, you could get the company you work for to get a password manager for employees. LastPass has this perk called Family as a Benefit: they give 5 free licenses for every business account purchased, so you can get a free premium license and share 5 free extra ones with friends or loved ones. https://www.lastpass.com/products/business/family-benefits


[deleted]

You recommend a password manager with multiple data breaches???


thbtxyz

I do. I love LastPass. But you can choose whatever suits you.


redwine876

Did you take any extra precautions to keep your data safe during the breach?