Password Managers 2023


Red Squirrel

No Lifer
May 24, 2003
69,574
13,244
126
www.anyf.ca
SMS I'm ok with, at least it's mostly device/app agnostic, but it's supposedly super insecure so I don't use it unless the site forces 2FA then I pick that option. Email works ok too.

The issue I have with apps is that you're locked into a black box, there is no way to back it up or do anything with it. Like what happens if your phone dies or you get a new phone? All the sites I've run to want you to download their own proprietary app so not like you can pick which one, they are all different. Some apps may offer a way to back up the data but not all, so it really depends on the site and their app. I run a custom rom nowadays so won't be able to get any of these apps anyway. If there was a way to emulate Android in a VM on a PC I would maybe go that route, then I can just back up the entire VM. I just hate to rely on anything that I can't make a reliable backup of that I have full control over. Actually upon a quick Google search it does seem there are ways, just not sure how it would work for accessing things like a camera (ex: to read QR code).
 

Red Squirrel

No Lifer
May 24, 2003
69,574
13,244
126
www.anyf.ca
Not all sites that use 2FA use Authy though. Some use Google, some use their own app or what not. Some may have multiple options though. Either way depending on how many sites you use 2FA with you still end up with a bunch of different apps. I run a custom rom nowadays so wouldn't be able to install these anyway. It's one of the downsides of running a custom rom is I am limited in what apps I can install. There is a way to set up Google Play on the custom rom but I feel it kind of defeats the purpose of running a custom rom. (privacy)

There is one thing at my work that at one point required me to set up an authenticator app so I did it on my old phone that ran stock Android so any time I need to authenticate I have to pull it out. I rarely use that though, it's basically for if I want to do training videos off the corporate network. For on the corporate network they don't go through the auth app.

It looks like Authy does have a Linux version though so if I run into a site that has that as an option it would work for me.
 

ch33zw1z

Lifer
Nov 4, 2004
38,995
19,671
146
> Not all sites that use 2FA use Authy though. Some use Google, some use their own app or what not. Some may have multiple options though. Either way depending on how many sites you use 2FA with you still end up with a bunch of different apps. I run a custom rom nowadays so wouldn't be able to install these anyway. It's one of the downsides of running a custom rom is I am limited in what apps I can install. There is a way to set up Google Play on the custom rom but I feel it kind of defeats the purpose of running a custom rom. (privacy)
>
> There is one thing at my work that at one point required me to set up an authenticator app so I did it on my old phone that ran stock Android so any time I need to authenticate I have to pull it out. I rarely use that though, it's basically for if I want to do training videos off the corporate network. For on the corporate network they don't go through the auth app.

My guy, they can say to use Google, but Authy works the same just fine. Scan the QR code to add the account and voila, 2FA up and running.

You can run the Authy software on phones and Windows desktop. Maybe more, haven't checked their site in some time. It has backup, unlock credentials, etc…

I have all my 2FA in Authy. But for any sites that can make use of this type of 2FA, there are typically backup codes. When you set up the account, grab those codes to a text file and save them for later, just in case you need them.

I have never encountered a site that uses their own app, which site(s) is this?
 
Reactions: Brainonska511

Red Squirrel

No Lifer
May 24, 2003
69,574
13,244
126
www.anyf.ca
Wait so you can scan the QR code with Authy even if it's meant for another app? I always assumed they used their own protocol, or does Authy just support a lot of different ones? It seems all the sites I run into that offer 2FA have their own app, or use Google, I think I ran into one that used Authy. The one at my work uses one made by Computer Associates. So this would actually all work with Authy so I can only need one app? Even ones that use Google?

I'd have to figure out if there is a way to get it on my custom rom, or failing that will use desktop version.
 
Reactions: ch33zw1z

ch33zw1z

Lifer
Nov 4, 2004
38,995
19,671
146
> Wait so you can scan the QR code with Authy even if it's meant for another app? I always assumed they used their own protocol, or does Authy just support a lot of different ones? It seems all the sites I run into that offer 2FA have their own app, or use Google, I think I ran into one that used Authy. The one at my work uses one made by Computer Associates. So this would actually all work with Authy so I can only need one app? Even ones that use Google?
>
> I'd have to figure out if there is a way to get it on my custom rom, or failing that will use desktop version.

Yes, it definitely works for me. Authy support in link below.


I haven't run into any sites that use their own apps.
 

Red Squirrel

No Lifer
May 24, 2003
69,574
13,244
126
www.anyf.ca
So these types of authenticators are all compatible with each other? I always assumed the QR codes sites give you only worked for whatever app it says it's for. Ex: if it says Google you need to use Google, if it says Authy you need to use Authy, if it says some other app.. etc. I'm finding a lot of authenticators on the CalyxOS store but not Authy, I wonder if any of those would work with all the sites that use apps. Though that web based one looks very intriguing too. I like the idea of self hosting on a normal PC based server and being able to access from a browser then it's device/OS agnostic.

I've always kept away from 2FA as I didn't want to have to rely on specific proprietary apps but if that's not the case then I may start to take it more seriously and start actually using it when I see it as an option.
 

ch33zw1z

Lifer
Nov 4, 2004
38,995
19,671
146
Post 31 has a link to Authy support. It explains that Authy supports Google open source authentication and Authy authentication.

I won't say they're all compatible, just that I have about 40 accounts in Authy and haven't run into an account yet that wasn't supported in Authy.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Check out open source Aegis 2FA Authenticator. FAQ

Aegis vault can be backed up to the cloud automatically with Android Storage Access Framework service. (Nextcloud, ex.)


 

Red Squirrel

No Lifer
May 24, 2003
69,574
13,244
126
www.anyf.ca
Aegis is in F-Droid so I'm able to get it. Will have to play around with that now that I know these are universal, I didn't realize that originally.
 

Red Squirrel

No Lifer
May 24, 2003
69,574
13,244
126
www.anyf.ca
Well what do you know, it seems it works! I was able to use Aegis with my Google account even though it says to use Google Authenticator. So guess this really is universal then. Well that's good to know, I always dismissed app based authentication before as I figured you had to use whatever app the site tells you. Since I run a custom rom I do not have Play Store so can't download most of those. Well now that I know I'll start actually using app based 2FA when offered. Aegis does also support exporting, which was my big concern as well, so as long as I do an export every time I add an account I can save it on my server and not have to worry if something happens to my phone.
 
Reactions: ch33zw1z and mxnerd

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Maybe the flowchart and video here explain 2FA authentication in more detail.



totp.sh script mentioned in video https://github.com/jakwings/totp

related links
 
Reactions: ch33zw1z

Red Squirrel

No Lifer
May 24, 2003
69,574
13,244
126
www.anyf.ca
Interesting, so it's basically like RSA tokens but standardized. I think this is the biggest take away for me, that it's a standard. I always just assumed each site did their own thing.

Though there is a site at work I don't really use anymore but they use a push notification so I suspect that one might be different. I still have it on my old phone and if I do need to login to it, it's the only way for me to do so. If I access it from within the corporate network I don't need it though.
 

Scarpozzi

Lifer
Jun 13, 2000
26,391
1,780
126
I'm still using KeePass because it's open source. I use it on Windows and I use KeePassDroid by Brian Pellin on Android. It looks like there are several iPhone versions.

I'm not sure if I would consider it easy to use. Certainly much easier than typing each username and password.

I use this too because it's essentially an encrypted, password protected database. I don't use any mobile versions. I just use it at work and on my PC at home with backups of the databases. My idea is that if it's only local, it's likely more secure since my home PC isn't on all the time and my work PC is quite firewalled.
 
Reactions: balloonshark

NDPTAL85

Junior Member
Oct 7, 2023
6
1
41
> Interesting, so it's basically like RSA tokens but standardized. I think this is the biggest take away for me, that it's a standard. I always just assumed each site did their own thing.
>
> Though there is a site at work I don't really use anymore but they use a push notification so I suspect that one might be different. I still have it on my old phone and if I do need to login to it, it's the only way for me to do so. If I access it from within the corporate network I don't need it though.

Hey Red Squirrel,

I am a LONG time lurker (over 20 years) and I subscribed to help you and others out on this topic. 2FA apps are an Open Source standard, either TOTP or HOTP, as has been noted earlier in the thread. There are probably 2 dozen 2FA apps that can use these 2FA seeds (that's what each six digit code is per website). I'll list a few below.

For both iOS and Android there are:
1. Google Authenticator <---- Fine. The one I use. It's now secured with biometrics and able to be backed up to a Google account. But if you lose your phone and your Google accounts have 2 Factor set up, you'll never be able to restore from that cloud backup. So it's important to have a local backup of your Google Authenticator Export stored in an encrypted Disk Image stored in multiple places inside and outside your home.
2. Authy <------ Had a breach a few months ago. The only option that also has desktop apps.
3. 2FAS <----- Most Highly Recommended. Can accept imports from Google Authenticator
4. Duo <---- Parent company Cisco. Solid app but some in the hacker world aren't comfortable with how close Cisco is with the US Federal Government. Since I'm not a criminal, this doesn't bother me one bit.

iOS Only
1. Raivo Great App

Android Only
1. Aegis Great App

Whatever 2FA you use, as an extra level of redundancy that may save your bacon someday you should install it on every mobile device in your possession. So if you have a Smartphone AND a Tablet put the 2FA apps on both devices and make sure they all have the same 2FA seeds. Also set up the biometric security on all 2FA apps you use (Face ID or Touch ID) to protect them from someone else accessing those seeds.
 

NDPTAL85

Junior Member
Oct 7, 2023
6
1
41
Since this thread is about Password Managers, it helps that I have done a bit of an intensive breakdown of password managers that are available today. I've placed them into 3 categories and listed important things about each one. I hope you find it useful.


High Quality Password Managers

  1. BitWarden (Great Free Tier) Located in Santa Barbara, California with a Globally Distributed Team. BitWarden undergoes third party audits.
  2. 1Password (Default Upon Install Built in 2 Factor with Security Key and Emergency Kit) Located in Toronto, Ontario. 1Password undergoes third party audits.
  3. Zoho Vault (Great Free Tier, Based in India). Can’t find information on Third Party Audits.
  4. Keeper (Ridiculously High Federal Standards. Only option IMO for US Based Defense Contractors and Finance Companies) Chicago Headquarters, California Software Development, Ireland EMEA Business Sales and Philippines for Customer Service. Keeper undergoes third party audits. Also includes popups to show user how to use the service. Very useful.
  5. ProtonPass (Brand New, Don’t Use Till 2029. Great Free Tier) Switzerland Headquarters. ProtonPass undergoes third party audits. No Web Vault or Desktop Apps Yet but they are coming! Based on how the browser plugins look, I expect the web vault and desktop apps to be gorgeous…. once they actually exist.
  6. EnPass (Business Plan starts at $10/month for 10 users) Haryana, India headquarters. EnPass undergoes third party audits.
  7. RoboForm (Tried and True, one of the Oldest to never have a breach) Fairfax Virginia Headquarters, Iseaki Gunma Japan Sales Office. RoboForm undergoes third party audits. VERY competitive business pricing for large businesses.
  8. PassBolt. Luxembourg, Europe. Has both on premises and cloud versions. Open source. Has a free tier for teams. Not for individuals. Have to be confident in running a server with Docker to run this and to secure it properly.
  9. StrongBox. UK company. Modern interface for Password Safe and KeePass.
  10. Codebook. Bridgewater, New Jersey HQ. One time purchase for each app. $10 iOS/Android, $20 Mac/Windows. Local sync only.
  11. SplashID Pro 9. Los Gatos, California HQ. I used to use SplashID during the Palm OS / early iPhone days. Great app. Sadly no business plans.
  12. Buttercup Password Manager. HQ Location Espoo, Finland. Completely Free Open Source. Been around since 2017, won an FOSS Award in 2023. Mac, Linux, Windows, iOS and Android apps.
  13. AuthPass like Strongbox is a frontend for KeePass. Unknown Headquarters Location. Completely Free Open Source. Apps for Windows, Mac, iOS and Android.
  14. Minimalist based in Canada. Apple Devices Only. Gorgeous. $19 a year.
  15. Secrets. Lisbon Portugal HQ. Apple Devices Only. Also Gorgeous.
  16. mSecure very affordable, supports all major OS’s. Portland, Oregon HQ.
  17. Elpass. Headquarters location unknown. Apple Devices Only. Looks a lot like 1Password. No free option.
  18. pCloud Pass. Switzerland HQ. Apps for all OS’s. Limited Free Version.
  19. Passwarden. NYC Headquarters. $19 per year. $99 lifetime licence. Looks a LOT like 1Password.
  20. Norton Password Manager. Totally Free. US Company. Browser Plugins for Desktop, iOS and Android Apps. Not a ton of features, but handles the basics well.
  21. Avira Password Manager. Started as a German company, now US Owned. Totally Free. Browser Plugins for Desktop, iOS and Android Apps. Not a ton of features, but handles the basics well. Has a Pro version with extra features for a price.
  22. Locker. Headquarters in Hanoi, Vietnam. On August 3rd, 2023 it went Open Source. Free tier allows 3 devices to sync with 100 passwords. Premium is $15.48 a year. Has Mac, Windows and Linux desktop apps and apps for iOS and Android.

Password Manager With Potential

1. NordPass. Very buggy right now (2023). Based in Panama. Uses the XChacha20 Encryption Cypher.
2. Sticky Password. Headquarters in the Czech Republic. Free tier is very limited.
3. Synology C2 Password. Great Free Tier. Taiwan Headquarters with the option to store your data on a Seattle US, Frankfurt Germany or Taiwan Asia Pacific server. As of (2023) Buggy and slow.
4. Psono a German company. Uses Curve25519 and Salsa20 encryption ciphers. Great Free Tiers. No desktop apps, no single sign on support. Locally hosted.
5. Total AV. Venice, California company. No desktop apps. Consumer only plans.
6. KeeWeb. MacOS/Windows. Netherlands HQ. Uses KeePass databases.
7. Padloc.app. Germany HQ. Smartphone apps and desktop apps. Free account doesn’t have 2FA.
8. Clipperz Online Web Based Only.
9. Elepass Corporate plans only. Free for an individual person. $25 month for entire companies. Insanely good value. Windows, iOS and Android apps only. No Mac app. They do have browser plugins for Chrome though so you could use it on a Mac that way.
10. ExpressVPN Keys. Can only be used with an ExpressVPN Subscription.
11. Dashlane. New York US Based. Doesn’t have Desktop Apps, Very Expensive. No Free Tier. This is safe to use, it's just unreasonably expensive considering the lack of desktop apps.
12. KeePass. This is a very safe but ancient password manager. UI is too antiquated. A modern interface is available via StrongBox or AuthPass.



NEVER USE THESE PASSWORD MANAGERS

1. Kaspersky Password Manager. It’s based in Russia. Nuff Said.
2. LastPass (Hacked 7 Times In The Last Decade). US Based but who cares, they’re incompetent.
3. LogMeOnce. Virginia US Based. Has a Free Tier that is ad sponsored. Ads are a vector for malware. Couldn’t find apps in Mac or Microsoft app stores either.
4. Password Boss. US Based in Florida. Has no free tier. Costs $30 a year. Apps are not in Mac or Windows app stores.

 

NDPTAL85

Junior Member
Oct 7, 2023
6
1
41
> It's not unsafe to use. And the interface is fine - that's really subjective.

In my list I did state it was safe to use. I'd be willing to put it in the yellow 'Password Manager With Potential' category but considering it's hard to get people to use a password manager in the first place, having it have a good UI needs to be a priority. A tool isn't able to keep a person safe if they won't use it and the UI is an issue I've found with people I've tried to recommend it to.
 
Dec 10, 2005
27,230
11,386
136
> In my list I did state it was safe to use. I'd be willing to put it in the yellow 'Password Manager With Potential' category but considering it's hard to get people to use a password manager in the first place, having it have a good UI needs to be a priority. A tool isn't able to keep a person safe if they won't use it and the UI is an issue I've found with people I've tried to recommend it to.

The UI is simple and old style, but it is functional.

Your list is just faulty because you put it under "never use", as if there was something functionally wrong with using it as a password manager.
 

NDPTAL85

Junior Member
Oct 7, 2023
6
1
41
> The UI is simple and old style, but it is functional.
>
> Your list is just faulty because you put it under "never use", as if there was something functionally wrong with using it as a password manager.

I've placed it in the yellow category. I edited the list if you take a look at it again.
 
Reactions: Brainonska511