Is keepass 2 the most secure password manager?



Other urls found in this thread:

zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/
news.softpedia.com/news/major-security-vulnerability-found-in-top-password-managers-for-windows-10-525028.shtml
bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/
keepass.info/download.html
passwordstore.org/
scilogs.spektrum.de/hlf/mental-cryptography-and-good-passwords/

>bug bounty instead of audit
if I'm fishing for a vulnerability then a couple of grand isn't going to convince me not to pwn the gibson and steal all the base. bug bounties only keep the honest honest to a degree. it's better than oy vey don't sell your 0day on the darknet goy give it to us for free it's the (((right))) thing to do but eh

>2.0
bloat

it's just that the EU doesn't really support open source stuff all that much. guess keepass seemed good enough for what they're doing.

>is keepass 2 the most secure password manager?
No, that would be your brain.

> he doesn't know about the neuron rot

the whole model of password login for websites is not secure overall

What do you suggest then?

PAKE with authentication agent, similar to Factotum

not everyone has a smartphone for 2-way authentication, user.

keepassxc > keepass2

>if I'm fishing for a vulnerability then a couple of grand isn't going to convince me

Top prize is €25,000 though
Plus as an EU programme you know it isn't just a front for the NSA to hoover up some 0-days for their own use

based and dare I say, redpilled

not for windows

yes
zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/
news.softpedia.com/news/major-security-vulnerability-found-in-top-password-managers-for-windows-10-525028.shtml
bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/

>security "flaws"
>if you leave it open, someone with local access can sniff your master password from your RAM.
Oh wow it's fucking nothing

>For some operations, KeePass must make sensitive data available unencryptedly in the process memory. For example, in order to show a password in the standard list view control provided by Windows, KeePass must supply the cell content (the password) as unencrypted string (unless hiding using asterisks is enabled).
given that it's windows it's not all that bad.

it seems the problem here is not the program but WINDOWS. what a surprise, the Windows API is leaking data no matter what settings you turn off.

don't use garbage os

>it's a "if a hacker has root he could hack you!" episode

it's also available for linux but uses mono

How come?

cuz it's actually really good on windows. keepassxc is better for linux cuz it was made with linux in mind.

But in what way, "good" "better" and "made for it" aren't that indicative of the pros and cons of each one.

the only difference is ui and i guess it depends on taste but i like how entries in db are ordered by the time they were added to said db by default. it wasn't the case for keepassxc when i tried it. probably not a dealbreaker, though. also, keepass is the reference implementation so if there's some exploit it's gonna be the first one to receive the update to fix it.

implying I meant 2FA

you give a plaintext password to the website
if the website gets hacked, the attacker has your password. hashing the password in the database is somewhat of a solution, but it can still leak in logs and a poorly implemented web stack
if you give the same password to multiple websites, you increase the chance of the password leaking

this risk is completely unnecessary
password managers address it by allowing you to auto-generate a random password for each website separately. It brings a lot of annoyance because it fails when the file they are stored in gets corrupted or you accidentally delete it

there is a simple solution that still allows you to use central password for everything, but no website ends up knowing it at any point and there is no file to be corrupted. and it's a known solution for over 2 decades.

Isn't XC a complete rewrite meaning it would probably not share vulnerabilities?

I use keepassx
because it's like keepass, but with an x

they still use the same database and rewriting that would be kind of dumb because of all the cryptography which is hard to get right but i honestly don't know.


Not quite. If you don't know the logins to websites and instead save everything in a password manager, then you can never be forced to login to something, say by the police, because you don't actually know it. If you use your brain as your password manager, however, then you can be forced.

so, in other words, it's every closed source software on windows.

What is the difference between Keepass and KeepassX?

most of these exist because compiler designers and OS designers are fucking idiots

>there is a simple solution that still allows you to use central password for everything, but no website ends up knowing it at any point and there is no file to be corrupted. and it's a known solution for over 2 decades.
What is it?

Are you gonna tell us what it is or..?

no, but you can read the Security in Plan 9 paper, totally unrelated

Based city more litty than a pair of double d titties

Keepassx is a port of keepass for Linux and OSX. Then there’s keepassxc which is a fork of keepassx because development had kind of stalled on keepassx. You can get keepass2 on Linux but it doesn’t run as well as keepassx or xc as it has to use mono to run on Linux since it’s meant for windows. You can see all the different ports on their download page:

keepass.info/download.html

Wrong
The human brain is utterly incompetent at generating random values and remembering large strings of meaningless characters

I think "pass" is significantly easier to audit and presumably safer.

passwordstore.org/

what are RATs

>bloat maymay

Upgrade from your T60 shit computer.

Evil maid attack.

compiler designer? wtf can a compiler designer do about your unencrypted password storing program?
>OS designers
what can an OS designer do, if you are that stupid to run everything on windows with root privileges?

I am not surprised with any of your(plural) dumb answers here
Jow Forums has a tendency to blame others for their own incompetence.
The program that you are shilling is shit. it's not the OS's fault that you store your master password in a plain format. It's not the language you use to blame for your incompetence to secure your runtime and your data. It's fucking (You).
Neither Rust, nor Go or any other [s]/o/[y] language will give you skills that you don't have.
I can imagine your disappointment, because one of your(plural again) meme languages, C shit, with all those retard guards, still failed to babysit you.

Bitwarden is superior

>not using your own script
PLEB!

What benefit does a password manager have, over using lengthy, unique passwords for sites/services that have 2FA and block login attempts after 5 or 10 tries?
Genuine question. I get that it can be helpful for people who can't remember passwords (not an insult, I understand that), and for shitty things that don't have 2FA and let you try a dozen times every few minutes.

>OS provides no reliable way for volatile memory pages
>OS happily writes your memory on swap with no reliable way to lock memory pages
>OS happily writes your keys into core dumps
>compiler provides no way for reliably clear memory
>compiler provides no way for preventing the keys leaking on stack
sure thing bud, let's call everyone stupid and shift it into language flamewar

Main problem with pass is that it leaks entry names (i.e. filepaths), which commonly include stuff like website address and username.

>Genuine question.
That doesn't really sound like a legit question. In fact, it sounds quite bait-y, but since I'm bored, I'll bite.

>What benefit does a password manager have, over using lengthy, unique passwords[?]
The point of a password manager is literally to facilitate using lengthy, unique passwords. Most people will have a problem with either lengthy or unique passwords (it's easy to remember one huge ass password, or a bunch of small ones). The password manager will not only help with the memorization part, but also with the typing part, as it usually can input the password for you automatically.
They also usually include a random password generator that will save you the trouble of smashing your keyboard to make a unique password when creating an account.
>tl;dr: it's an automated way of doing the same thing.

>and block login attempts after 5 or 10 tries?
No one is going to brute force a password live. They do it on database leaks so they can try as many times as they want. Having a really long random password will prevent it from being brute forced this way. Having a unique password means that even if the retards that got their database leaked also kept all the passwords in plaintext, all your other accounts would still be safe. But I'm sure you know all that already.

>2FA
If you can use 2FA, you probably should. Regardless of using a password manager or not.

>compiler provides no way for preventing the keys leaking on stack
how the fuck is the compiler able to know that you are storing sensitive data.
is it the compiler's job to provide a cryptographic algorithm?
>compiler provides no way for reliably clear memory
what the fuck means clearing memory?
a compiler has nothing to do with memory. it just replaces some alloc with assembly and a syscall that tells your system's library how much memory it needs. the compiler doesn't fucking know if the memory will be allocated on ram, on the system's disk, or on a different directory in a different machine over the network.
you don't even know what a compiler should do.
>OS happily writes your keys into core dumps
yes, a core dump is exactly what core dump means. dump any info to find the problem. leaving sensitive data plain somewhere it's the programmer's fault.
>OS happily writes your memory on swap with no reliable way to lock memory pages
there are no locks in ring 0, you can do whatever the fuck you want. stop logging in as administrator on windows.
>OS provides no reliable way for volatile memory pages
you forgot to finish the sentence here but anyhow I assume that you mean something about encryption.
even if the OS encrypts each memory space for every program, the kernel should have accessibility on the encryption and decryption keys, which means that when you run everything as administrator, every program will have access to those keys.
memory encryption is heavily supported in vms. hypervisors encrypt all the data from one vm to another in order to avoid cross-contamination in systems where multiple vms are spawned. AMD's PSP is a crypto-core that accelerates such operations.
if you want a per-application sandbox, you'd better use something like Qubes OS, where every program runs in its own VM.
if your program wants to run under the same sandbox along with other programs and want to hide sensitive data, it better fucking encrypt it.

What's your recommended android password manager

Keepass2Droid

No. The most secure password manager is a pen and paper. Add in a lockable fireproof box and I LMAO @ your shitty "high tech" software.

Can't hack a pen and paper nerds.

I'm guessing some sort of zero-knowledge proof. Fiat-Shamir or whatever it's called.

Or for that matter many other asymmetric cryptographic concepts, like digital signatures for example: register your public key as your identity, then to log in sign a challenge with your private key. Your key is never transmitted anywhere, and provided the protocol isn't trivially stupid (e.g. prevents replay attacks using a good timestamp and/or a proper nonce as part of the challenge) no external party, whether server or eavesdropper, will be able to ever get any hints to it meaning reuse should be entirely safe - provided the underlying cryptographic primitive, e.g. RSA, is secure.

Keepass DX.

Isn't that how sqrl works? Too bad no site will ever use that.

see

However the password manager needs a password to protect it, which is store in your brain. Therefore according to you, they can force this single password out.

>how the fuck is the compiler able to know that you are storing sensitive data.
currently it doesn't, because it doesn't provide any concept of sensitive data, despite that being in high demand
>is it the compiler's job to provide a cryptographic algorithm?
there was nothing about algorithms, you just made this up
>what the fuck means clearing memory?
rewrite it with zeros or random data
>a compiler has nothing to do with memory
dead store elimination, again hard to reliably bypass because compilers provide no concept of sensitive data
>there are no locks in ring 0, you can do whatever the fuck you want. stop loggin in as administrator on windows.
why are you so stupid and angry
>you forgot to finish the sentence
no, there is subject, verb and object. it's a sentence
the OS doesn't provide any API to zero a memory page when the program finishes with it. Though this could be done in the program, because of dead store elimination this is often done nowhere.
>even if the OS encrypts each memory space for every program
solution is simpler
buf = safe_alloc(size)
safe_free(buf)

safe_alloc() requests a standalone memory page (potentially even guarded by inaccessible guard pages) and requests it to be marked as non-swappable
safe_free() zeros the buffer (or whole mempage since there is nothing else in it) and compiler guarantees to never eliminate this write
such thing is already implemented in libsodium with tons of per-platform workarounds
doesn't solve the temporary stores on the stack, that would require harder support from the compiler
>starts talking about VMs
programs on same machine are often higher risk
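The safe_alloc()/safe_free() pair sketched above, together with the OS/compiler gaps listed in the earlier greentext (swap, core dumps, dead-store elimination), in working C. This is an added example written for this page, not code from the thread, from KeePass or from libsodium. It assumes a POSIX system with mmap/mprotect/mlock; the core-dump exclusion uses Linux's MADV_DONTDUMP and is skipped on other systems; the struct and function names are hypothetical:

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hypothetical names (not libsodium's API): one locked, guarded,
 * zero-on-free region holding a single secret. */
typedef struct {
    unsigned char *ptr;   /* caller-visible start of the secret */
    size_t len;           /* bytes requested by the caller */
    unsigned char *map;   /* start of the whole mapping (leading guard page) */
    size_t map_len;       /* mapping size: guard + data pages + guard */
    int locked;           /* 1 if mlock() succeeded, so the pages stay out of swap */
} secret_buf;

static size_t page_size(void) {
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* A wipe the compiler cannot drop as a dead store: every write goes through a
 * volatile pointer, so each byte written is an observable side effect
 * (the same idea as explicit_bzero()/memset_s()). */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Layout: [guard][data pages][guard]. The secret sits at the END of the data
 * pages, so an overrun of even one byte faults on the trailing guard page. */
int safe_alloc(secret_buf *b, size_t len) {
    size_t ps = page_size();
    size_t data_len = (len + ps - 1) / ps * ps;          /* round up to whole pages */
    if (len == 0 || data_len < len) return -1;           /* empty request or overflow */
    size_t total = data_len + 2 * ps;
    unsigned char *m = mmap(NULL, total, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    if (mprotect(m, ps, PROT_NONE) != 0 ||               /* leading guard */
        mprotect(m + ps + data_len, ps, PROT_NONE) != 0) {/* trailing guard */
        munmap(m, total);
        return -1;
    }
    unsigned char *data = m + ps;
    b->locked = (mlock(data, data_len) == 0);            /* may fail under RLIMIT_MEMLOCK */
#ifdef MADV_DONTDUMP
    madvise(data, data_len, MADV_DONTDUMP);               /* Linux: keep out of core dumps */
#endif
    b->map = m;
    b->map_len = total;
    b->ptr = data + (data_len - len);
    b->len = len;
    return 0;
}

/* Zero the whole data region, unlock it, unmap it and forget the pointers. */
void safe_free(secret_buf *b) {
    if (b == NULL || b->map == NULL) return;
    size_t ps = page_size();
    size_t data_len = b->map_len - 2 * ps;
    secure_wipe(b->map + ps, data_len);
    if (b->locked) munlock(b->map + ps, data_len);
    munmap(b->map, b->map_len);
    memset(b, 0, sizeof *b);   /* plain memset is fine here: the struct holds no secret */
}

/* Demo: store a secret, wipe it in place, and confirm no byte survives.
 * Returns 1 if the secret was stored intact and the wipe left only zeros. */
int demo_store_and_wipe(const char *secret) {
    secret_buf b;
    size_t n = strlen(secret);
    if (safe_alloc(&b, n) != 0) return 0;
    memcpy(b.ptr, secret, n);
    int stored = memcmp(b.ptr, secret, n) == 0;
    secure_wipe(b.ptr, b.len);
    int clean = 1;
    for (size_t i = 0; i < b.len; i++) if (b.ptr[i] != 0) clean = 0;
    safe_free(&b);
    return stored && clean && b.map == NULL;
}

/* Demo: the usable region ends exactly where the trailing guard page begins. */
int demo_end_aligned(size_t len) {
    secret_buf b;
    if (safe_alloc(&b, len) != 0) return 0;
    int ok = (b.ptr + b.len) == (b.map + b.map_len - page_size());
    safe_free(&b);
    return ok;
}

int main(void) {
    printf("store+wipe:  %s\n", demo_store_and_wipe("correct horse") ? "ok" : "FAIL");
    printf("end-aligned: %s\n", demo_end_aligned(4097) ? "ok" : "FAIL");
    return 0;
}
```

mlock() can fail under RLIMIT_MEMLOCK; the example records that in `locked` rather than refusing the allocation, a choice a real library should make explicitly (refusing is the safer default). The volatile wipe covers only this heap region; as the post says, copies the compiler spills to the stack or registers are out of its reach.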

>a vast majority of password manager users use a third party cloud service like LastPass or 1Password to store passwords

please don't do this.

website_password = hash(master_password + website_name)

w-what about bitwarden

>In fact, it sounds quite bait-y
Just because you are convinced of an idea, doesn't mean everyone automatically is. Thanks for still taking the time though.
>tl;dr: it's an automated way of doing the same thing.
Yeah I figured. Is there -any- risk to using a password manager though? Other than writing your master password down like a moron.
>No one is going to brute force a password live. They do it on database leaks so they can try as many times as they want. Having a really long random password will prevent it from being brute forced this way.
Now that makes sense. Hadn't really thought about that. Makes it all the worse when a company doesn't immediately inform users of (known, obviously) leaks so they can change their password, right?

Another question for that brute forcing then. I assume it'll try most used passwords first, and then words and dates etc, right?
Is a 15-20 character password, unique and with a handful of special characters/numbers safe enough against brute forcing, compared to a "truly random" one generated by a password manager?

Yes. There is no better alternative.

>I'M A DROOLING MORON WHO GIVES ALL OF MY PASSWORDS TO A THIRD PARTY PIECE OF PROPRIETARY SOFTWARE THAT PROCEEDS TO UPLOAD ALL OF MY INFO TO AN UNENCRYPTED CLOUD FOR EVERYONE TO ACCESS

I seriously hope you guys don't ever do this.


based retarded user

It's already a lot more secure than stuff like LastPass because it doesn't store the passwords in the "cloud".

>Thanks for still taking the time though.
No problem.
>Is there -any- risk to using a password manager though?
Well, obviously it depends on the password manager. There's a wide range of solutions from the uber botnet ones that store all your passwords on someone else's computer probably in plaintext, to auditable open-source ones even without any networking capabilities. You could always write your own as well. In any case, you should always have a threat model and figure out the best solution to it.
>Makes it all the worse when a company doesn't immediately inform users of (known, obviously) leaks so they can change their password, right?
A password manager can help you there too as you can set expiration dates for your passwords to remember to change them often. Again, nothing that a calendar reminder wouldn't do, but it's convenient to have all in one place, especially the ability to instantly generate long random passwords.
>Another question for that brute forcing then. I assume it'll try most used passwords first, and then words and dates etc, right?
Dates would be very easy to crack. But yes, password crackers often have a dictionary containing large amounts of words and phrases that are commonly used, so even a long but trivial password, something like "thisisnotmypassword" which should have a lot of entropy because of its length, will probably be cracked in seconds once the cracker has the database. Crackers will also use rainbow tables, which are lists of pre-hashed passwords that can make the search even faster as long as the passwords in the database don't have any salt.
>Is a 15-20 character password, unique and with a handful of special characters/numbers safe enough against brute forcing, compared to a "truly random" one generated by a password manager?
Long passwords should be safe enough as long as they don't have any recognizable patterns, including words that go together. But random and preferably extended ASCII passwords are way better.

Cheers bro.
The reason I asked at first is because most posts/threads are just advertising the use of password managers and making them sound like they're absolutely necessary.
You explained reasonably why people can (and often should, sure) use them, rather than "must" use them.
I appreciate it.

No, LessPass is, provided you don't use it on a networked device. But this is more secure if you do.

Keep Ass 2????

>Is a 15-20 character password, unique and with a handful of special characters/numbers safe enough against brute forcing, compared to a "truly random" one generated by a password manager?
"A 15-20 character password" means nothing. What you want to know is the entropy. If you choose "aaaaaAAAAA11111!!!!!" as your password, it's gonna be weak as fuck. Well, in practice, maybe you'll get lucky and whoever is trying to brute force you won't have any sort of heuristic making that easier to find, but maybe you'll also get unlucky and they will.
So the question then is, how do you generate your 15-20 key password, as opposed to using a random generator? By taking a long word and l33t-spe&king it? By mashing your hands on the keyboard? By going to random.org and setting the range from 1 to (26 + 26 + 10 + I dunno, 15 symbols?) and clicking "generate" 15 times?

>how do you generate your 15-20 key password, as opposed to using a random generator? By taking a long word and l33t-spe&king it?
Partially this. I have no issue remembering dumb shit, especially if I made it up myself.
I'll use words or sentences as the "base" password, easy to remember for myself but illogical enough to prevent it from being guessed. Usually it's something I think of when the site/service is mentioned.

Rather than just changing "E" into "3" or "€", I change different characters based on crap in my head. For example (not used, obviously), a T gets changed into 800 (Terminator) or F into 16 (F16). These changes aren't always applied, depending on where the letters are or what other changes are already applied.

For example, instead of Password, I wouldn't use P@ssw0Rd, which I can imagine would be brute forced easily because it's pretty "logical" l33tspeak.
Instead it might be Ver800&$LauraCel0.

The base is Overtakexcel (Pass = Overtake and Word = Excel, simplistic as fuck but you get the idea).
T becomes 800 (Terminator model)
Ex becomes Laura
Ak becomes 47 (AK47)
Any "segment" of the password that is two numbers (47 in this case) become the special characters, reversed.
Capital letters for each "segment".
First vowel (except U) gets removed, and it's "l33tspeak" version added at the end.

These aren't changes I use for any real password because I'm paranoid like that, but you get the idea.
And yes, I am autistic beyond belief.

>attention whoring tripfag
>this stupid
Why am I not surprised

And yet you reply

As long as you use it on a Foss desktop.

It's not as bad as it could be. However, the problem with all such methods is that if someone ever decided to add it to their bruteforcer, security would be significantly weakened. In your case, it's probably autistic enough that you'd need someone to target you personally to ever bother.
I think there are a couple of things you could improve. There's the old passphrase method: if you randomly select a word out of a dictionary of 10,000 (which is few enough that you should be able to keep only short words in there), and make a password out of six such words, you get ~80 bits of entropy which is pretty much all you'd ever need. And almost certainly a good bit more than your method.

More to your personal autism though, have you considered mental hashing? For instance, a guy called Blum made an algorithm that's supposedly cryptographically secure, and lets you generate a password for any website in 20-30 seconds with some practice, remembering only a couple of master mappings. Here's an article talking about it: scilogs.spektrum.de/hlf/mental-cryptography-and-good-passwords/
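The passphrase arithmetic in the post above (six words from a 10,000-word list, ~80 bits), as an added C example that is not from the thread. It draws word indices from /dev/urandom with rejection sampling, so a list size that does not divide 2^32 introduces no modulo bias, and it goes a little beyond the post by computing the entropy for any list size and word count (with a libm-free log2 so it builds with a plain `cc`). The 16-word list is constructed for the demo and is deliberately far too small; all function names are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample list: 16 words give only 4 bits per word.
 * A real list needs thousands of entries. */
static const char *const WORDS[] = {
    "apple", "brick", "cloud", "delta", "ember", "flint", "grain", "hinge",
    "ivory", "jolly", "kiosk", "lemon", "mango", "noble", "olive", "pivot",
};
#define NWORDS (sizeof WORDS / sizeof WORDS[0])

/* log2(x) for x > 0 without libm: normalise x into [1,2), then extract the
 * fractional bits one at a time by repeated squaring. */
double log2_approx(double x) {
    double bits = 0.0;
    while (x >= 2.0) { x /= 2.0; bits += 1.0; }
    while (x < 1.0)  { x *= 2.0; bits -= 1.0; }
    double step = 0.5;
    for (int i = 0; i < 40; i++) {
        x *= x;                              /* now in [1,4) */
        if (x >= 2.0) { x /= 2.0; bits += step; }
        step /= 2.0;
    }
    return bits;
}

/* Entropy of `count` words drawn uniformly, with replacement, from `dict` words. */
double passphrase_bits(uint64_t dict, int count) {
    return count * log2_approx((double)dict);
}

/* Largest multiple of n that fits in 32 bits. Draws at or above it are
 * rejected so that r % n is exactly uniform (no modulo bias). */
uint64_t rejection_limit(uint32_t n) {
    if (n == 0) return 0;
    return (UINT64_C(1) << 32) / n * n;
}

/* One 32-bit value from the kernel CSPRNG; returns 0 on failure. */
static int urandom32(uint32_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    size_t got = fread(out, sizeof *out, 1, f);
    fclose(f);
    return got == 1;
}

/* Uniform index in [0, n) by rejection sampling. Returns -1 on RNG failure. */
int64_t unbiased_index(uint32_t n) {
    uint64_t limit = rejection_limit(n);
    if (limit == 0) return -1;
    for (;;) {
        uint32_t r;
        if (!urandom32(&r)) return -1;
        if (r < limit) return (int64_t)(r % n);
    }
}

/* Build a space-separated passphrase of `count` words into out[outsz].
 * Returns the number of words written (fewer than count if out is too small). */
int make_passphrase(int count, char *out, size_t outsz) {
    size_t used = 0;
    int written = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (int i = 0; i < count; i++) {
        int64_t idx = unbiased_index((uint32_t)NWORDS);
        if (idx < 0) break;
        const char *w = WORDS[idx];
        size_t wlen = strlen(w);
        if (used + wlen + (i ? 1 : 0) + 1 > outsz) break;
        if (i) out[used++] = ' ';
        memcpy(out + used, w, wlen);
        used += wlen;
        out[used] = '\0';
        written++;
    }
    return written;
}

/* Demo check: every one of `draws` indices lands inside [0, n). */
int demo_indices_in_range(uint32_t n, int draws) {
    for (int i = 0; i < draws; i++) {
        int64_t idx = unbiased_index(n);
        if (idx < 0 || idx >= (int64_t)n) return 0;
    }
    return 1;
}

/* Demo: number of words a `count`-word passphrase actually produced. */
int demo_passphrase_words(int count) {
    char buf[256];
    return make_passphrase(count, buf, sizeof buf);
}

int main(void) {
    char buf[128];
    int n = make_passphrase(6, buf, sizeof buf);
    printf("%d words: %s\n", n, buf);
    printf("%zu-word list, 6 words: %.1f bits\n", NWORDS, passphrase_bits(NWORDS, 6));
    printf("10000-word list, 6 words: %.1f bits\n", passphrase_bits(10000, 6));
    return 0;
}
```

Running it prints a six-word phrase from the toy list and the two entropy figures: 24 bits for the 16-word list, about 79.7 bits for 10,000 words, which is the post's ~80. The rejection step matters for word lists such as 7,776 entries (a common diceware size): 2^32 is not a multiple of 7,776, so a bare `r % n` would favour the low indices slightly.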

>and make a password out of six such words, you get ~80 bits of entropy which is pretty much all you'd ever need. And almost certainly a good bit more than your method.
Could've told me that 15 years ago. Interesting, though. Cheers.
>More to your personal autism though, have you considered mental hashing? For instance, a guy called Blum made an algorithm that's supposedly cryptographically secure, and lets you generate a password for any website in 20-30 seconds with some practice, remembering only a couple of master mappings. Here's an article talking about it: scilogs.spektrum.de/hlf/mental-cryptography-and-good-passwords/
Also definitely interesting.
I never really thought about how/why I've been creating my passwords, I just started doing it at some point and found them very easy to remember. Might take a little bit to adjust to another way but it's totally worth investigating.
Much obliged!

No problem. The biggest disadvantage with your method is that it's susceptible to social engineering, if anyone wanted to target you in particular: if they manage to learn a bit about your life, your habits, your way of thinking, then I'm pretty sure the possible permutations would be lowered considerably. Conversely, the advantage of using a random or cryptographic method is that no matter how much information about you an attacker has, even if they know exactly how you generate your password, they won't gain any advantage.

Which in principle is a very important security principle. In practice I wouldn't panic about the method you described: it's autistic enough that, while you could do better, it's probably just fine.

Having to carry around a database of passwords on every machine, synced together so I can access the sites when needed, sounds like a real pain.

Sure, I could make a local database file and rsync/unison between machines with key-based SSH but that sounds extremely annoying.

I'll just keep my rotation of a few passwords and 2FA, because at least then I can access my sites from any machine if necessary.

How does Bitwarden hold up?
If I'm remembering correctly, I passed on it a while ago because it had some potential flaws, but it seems to be reviewed pretty well now.

>is keepass 2 the most secure password manager?
no
zx2c4 pass is better
you're welcome

>TFW I couldn't prevent the neuron rot
I used to have a really good chess puzzle rank on lichess, now it has collapsed.
I feel like I'm decaying into worthlessness

Keepass is unironically the most secure password manager. For some reason it's the only one that clears the master password from memory.

I host my database on an SSH server, then use SSHFS to access it. Perfect sync.
Could also VPN/whatever into the database, or simply HTTP it like a madman. Not two way over http though. Or FTP like a madman.