
password managers


13 replies to this topic

#1 lenjack


Posted 05 January 2024 - 10:59 PM

After too many years of not getting around to it, I've decided to implement a free password manager, and I need recommendations. I took very brief looks at several, about 3 years ago, but didn't follow through.

I only need to protect my desktop, and although I'm technically competent, I'd like something that is not overly complex, and is straightforward to use.

 

Thanks in advance.




 


#2 MoxieMomma


Posted 05 January 2024 - 11:19 PM

There are many options – none of them is perfect or “best” for all users. Each has its advantages and disadvantages, as well as its fans and detractors.

 

Some have had their own major security breaches:

https://www.theverge.com/2023/9/7/23862658/lastpass-security-breach-crypto-heists-hackers

 

Here are some reviews and ratings, offered strictly “as is”:

 

https://www.pcmag.com/picks/the-best-password-managers

 

https://www.cnet.com/tech/services-and-software/best-password-manager/

 

https://www.wired.com/story/best-password-managers/

 

https://www.techradar.com/best/password-manager

 

I expect that other forum members will have other/different advice about this. :)



#3 1PW


Posted 05 January 2024 - 11:25 PM

"I've decided to implement a free password manager..."

Many are excluding LastPass from their decision.  Perhaps you should follow their lead.

 

HTH


All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus. https://forums.malwarebytes.com/profile/17252-1pw/


#4 Allan


Posted 06 January 2024 - 07:42 AM

I've been using Roboform for many years. Not the prettiest, but works great.



#5 lenjack


Posted 06 January 2024 - 10:28 AM

Thanx all



#6 Dill2046


Posted 06 January 2024 - 01:40 PM

Since you specifically mentioned "free" and "desktop", I personally would consider the offline PWM KeePass.  It's open-sourced, has lots of features, and you are primarily responsible for protecting your own vault file.  The annoyance for me would probably be having to constantly type in the master password, but you probably can alleviate this somewhat by using a shorter master password + key file.

 

If you plan to conveniently use the passwords on other platforms (typically, your phone), I would think about Bitwarden.  It's open-sourced, has nice integration with email alias services, has biometric/PIN unlock (easier than a master password) and it's really pretty much free among all the cloud-based PWMs.  The Wikipedia article https://en.wikipedia.org/wiki/Bitwarden captures brief descriptions of the features well.  The primary drawbacks would be you would share security responsibility with the company, and it has quirks that you have to get used to.  It also is not a grandma's product, you have to pay attention and take steps to make it secure and always accessible.

 

If you definitely don't care about other platforms beyond the desktop, I would say KeePass.  It's easy to export KeePass data to create a Bitwarden vault if your needs change.


Edited by Dill2046, 06 January 2024 - 01:48 PM.


#7 lenjack


Posted 06 January 2024 - 02:01 PM

I'm leaning towards Bitwarden.



#8 Dill2046


Posted 06 January 2024 - 06:07 PM

OK.  Here are some tips and resources.

 

Tips:

  1. Pick at least a 4-word passphrase (I'd go all lower characters separated by space, preferably 5 words and above) for the vault, making sure you write it down. (https://bitwarden.com/password-generator/)
  2. Use 2FA, also writing down a 2FA recovery code.  Note that you can use a hardware key or your computer as a WebAuthn/FIDO2 key.
  3. Use a separate/unique email for BW, this will prevent your account from being attacked by credential stuffing and giving you a scare.  You can use a real email address, an alias (like SimpleLogin, ProtonMail), or a +address (https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html).
  4. The subreddit https://www.reddit.com/r/Bitwarden is superactive.  You can get many answers in minutes. 

 

Here are some more links:

Good luck and enjoy.


Edited by Dill2046, 06 January 2024 - 06:14 PM.


#9 MoxieMomma


Posted 06 January 2024 - 06:51 PM


Note:

Bitwarden offers both Free and Paid plans.

https://bitwarden.com/pricing/

(I assume that @Dill2046 would declare any financial interest in Bitwarden, if relevant, so as to conform to BC forum rules. :-) )

Cheers

#10 Dill2046


Posted 06 January 2024 - 08:43 PM

@MoxieMomma

 

No, just a user.  I am not an employee of a tech corporation.  Don't own any direct stocks.  BW is just one of the almost completely free cloud-based PWMs.  I did propose an alternative that is even more free.



#11 Erunosta


Posted 07 January 2024 - 04:49 PM

I've been using KeePass for years now. However, I still don't know how malware and any attacks work. So, for example, if someone steals my master password, can they just get all my passwords stored inside this program? I know all the info is stored in a file; I had to save it after an unrepairable system crash I had.



#12 wee-eddie


Posted 07 January 2024 - 05:12 PM

I keep BitWarden on my PC and have logged into it, created an Account with a password and log in, every now and again.

 

However, it is a distraction. I keep my passwords, based on the Registration Numbers of the Cars, Vans and Taxis that I have driven throughout my life.



#13 Dill2046


Posted 07 January 2024 - 06:16 PM

"So, for example, if someone steals my master password, can they just get all my passwords stored inside this program? I know all the info is stored in a file; I had to save it after an unrepairable system crash I had."

Starting off, on a Windows PC, it's best to keep the malware off your system, which means knowing what files not to download, what links not to click, not falling for scams, etc.  This is because the Windows security model is weak, and malware can do all sorts of damage, especially if you are specifically attacked.

The kind of malware you are thinking of is probably one that exfiltrates your vault file, somehow knowing your master password.  Yes, they will absolutely be able to get everything in the file easily.  No additional tools (beyond installing the program) are required.

Other ways to get your secrets include:

  • Getting your vault file, without your password.  If you have a weak master password, they might be able to crack it.   Some experts nowadays recommend using a randomly generated 6-word passphrase, or a randomly generated 12+ character password.  This apparently happened in the LastPass data breach.
  • When your password file is unlocked (i.e. you have entered the password), they can read the unencrypted content from memory.  They may be able to read your master password.
  • They can install a keylogger and log all your keys.
  • They can install a clipboard reader and read all your clipboard contents.
  • They can exploit OS/program vulnerabilities.

KeePass has the option to use a keyfile in addition to your password to protect your vault.  This will increase your security (especially if you use a weak password), at the price of a higher chance of losing access to your vault because you can additionally lose your keyfile.


Edited by Dill2046, 07 January 2024 - 06:21 PM.
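
An added example, not written by anyone in this thread: it puts numbers on the master-password advice in posts #8 and #13 by comparing 4-, 5- and 6-word random passphrases with a 12-character random password against offline guessing of a stolen vault file. The 7,776-word list size and the rate of 10^10 guesses per second are assumptions, and the embedded word list is a constructed stand-in.

```python
import math
import secrets
import string

# Constructed 16-word stand-in list so the block runs offline. A real
# generator should draw from a large published list (assumed: 7,776 words).
DEMO_WORDS = ("amber bridge cactus dolphin ember falcon garnet harbor "
              "island jacket kettle lantern meadow nickel orchid pepper").split()
WORDLIST_SIZE = 7776  # assumption: diceware-style list, 6**5 entries
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94


def make_passphrase(n_words, words=DEMO_WORDS):
    """Lowercase words separated by spaces, each chosen with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def make_password(length=12, alphabet=PRINTABLE):
    """Random password of `length` characters from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, picks):
    """Entropy when `picks` items are drawn uniformly from `choices` options."""
    return picks * math.log2(choices)


def years_to_guess(bits, guesses_per_second):
    """Expected offline guessing time: half the search space on average."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second=1e10):
    """Return {label: (bits, years)}. The default rate is an assumed attacker
    speed, not a measurement; a slow key-derivation function lowers it."""
    options = {
        "4-word passphrase": entropy_bits(WORDLIST_SIZE, 4),
        "5-word passphrase": entropy_bits(WORDLIST_SIZE, 5),
        "6-word passphrase": entropy_bits(WORDLIST_SIZE, 6),
        "12-char random password": entropy_bits(len(PRINTABLE), 12),
    }
    return {k: (round(b, 1), years_to_guess(b, guesses_per_second))
            for k, b in options.items()}


if __name__ == "__main__":
    print("sample:", make_passphrase(5), "|", make_password())
    for label, (bits, years) in compare().items():
        print(f"{label:24} {bits:5.1f} bits  ~{years:.3g} years")
```

Under these assumptions a 6-word passphrase and a 12-character random password land within about one bit of each other, while each word removed from the passphrase costs roughly 13 bits. The figures only hold when the words or characters are chosen at random, not picked by the user.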


#14 Erunosta


Posted 08 January 2024 - 10:22 AM

Thanks for your detailed description Dill2046.

Yeah, I try to keep malware and viruses at bay. Firewall, Antivirus, Sandboxie, Firefox that got hardened, VirusTotal to check sites and files. Sane behavior on the web, so don't click mindlessly.

I just wondered about KeePass basically at some point storing all the info in one place for easy stealing. Anyway, in my logic, if a keylogger is set in place then it doesn't matter how difficult a password you generate.

I never leave KeePass opened after use, also set the program to delete clipboard.


Edited by Erunosta, 08 January 2024 - 10:22 AM.




