I use privacy.com and Lastpass to help with this problem. Any time there is a service I have to have a business relationship with that I don't trust to keep my info secure, I use a unique password and a unique credit card number with a tight limit. What's nice is that they tie the card to a single vendor too.
For example, the water company. I know the water bill is usually $50 or less, so I set the limit to $60/mo. As it turns out, they did get breached. I got an alert about someone who isn't the water company trying to hit the card for 80 cents. Most card runners use amounts under $1 because most credit card spending alerts have a $1 minimum. But privacy.com warned me, so I warned the water company, who was very thankful. Turns out their 3rd party provider had been breached and they were grateful for the alert too. Ended up saving a few thousand of my neighbors a lot of headache.
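A small model of the policy this comment relies on (a card bound to one vendor, a monthly cap, and an alert on every decline, including a sub-$1 probe). This is an added illustration, not privacy.com's code; the merchant descriptors, amounts and dates are constructed for the demo.

```python
"""Merchant-locked virtual card with a monthly limit (constructed example).

The card locks to whichever merchant charges it first, enforces a per-month
cap, and records an alert for every declined authorization regardless of
amount, so a probe under $1 is not filtered out by an alert threshold.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal


@dataclass
class AuthRequest:
    merchant: str      # merchant descriptor as presented with the charge
    amount: Decimal    # requested amount in USD
    when: date


@dataclass
class VirtualCard:
    monthly_limit: Decimal
    locked_merchant: str | None = None                      # set on first approved charge
    spent: dict[tuple[int, int], Decimal] = field(default_factory=dict)  # (year, month) -> total
    alerts: list[str] = field(default_factory=list)

    def authorize(self, req: AuthRequest) -> bool:
        period = (req.when.year, req.when.month)
        # A probe from anyone but the bound merchant is declined and alerted on,
        # however small the amount; the per-card policy has no minimum.
        if self.locked_merchant is not None and req.merchant != self.locked_merchant:
            self.alerts.append(
                f"DECLINED {req.merchant} ${req.amount}: card is locked to {self.locked_merchant}")
            return False
        used = self.spent.get(period, Decimal("0"))
        if used + req.amount > self.monthly_limit:
            self.alerts.append(
                f"DECLINED {req.merchant} ${req.amount}: would exceed ${self.monthly_limit} in {period}")
            return False
        if self.locked_merchant is None:
            self.locked_merchant = req.merchant
        self.spent[period] = used + req.amount
        return True


def run_demo() -> VirtualCard:
    """Replay a constructed month of activity against a $60/month water-bill card."""
    card = VirtualCard(monthly_limit=Decimal("60"))
    requests = [
        AuthRequest("CITY WATER UTILITY", Decimal("48.17"), date(2018, 10, 3)),   # the real bill
        AuthRequest("ONLINE MERCHANT XYZ", Decimal("0.80"), date(2018, 10, 20)),  # 80-cent probe
        AuthRequest("CITY WATER UTILITY", Decimal("15.00"), date(2018, 10, 25)),  # over the cap
        AuthRequest("CITY WATER UTILITY", Decimal("51.02"), date(2018, 11, 3)),   # next month, fresh cap
    ]
    for req in requests:
        card.authorize(req)
    return card


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```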
Lastpass has been going downhill with every acquisition and had gotten to the point where autofill failed on the majority of sites and the "copy password" menu item disappeared, bringing clicks-to-login from 1 to ~10.
A few weeks ago I saw bitwarden finish their third party security audit and took the opportunity to jump. Couldn't be happier. Autofill fails less, the "copy password" menu works, the mobile experience isn't intentionally broken to sell an app, and export->import went without a hitch. Better, actually: it is the first time I have done an export/import and had the resulting data immediately work better in the second app. There's also the hope-springs-eternal factor of bitwarden giving me the option to host the sensitive stuff myself once I get off my butt and set up that server I've been meaning to for a while now.
If you're thinking about lastpass, save yourself the trouble and try bitwarden first. Or something else, but bitwarden has been good to me and lastpass, well, hasn't, to put it politely :)
LastPass is one of my least liked most used tools. Everything about the implementation feels second rate; slow, unreliable login capture, unreliable form fill, occasional inability to edit records, buried password copy, clunky UI, inappropriate modal nagging in browser and app... Most times I use it I am cursing it.
I tried to switch to pass, and I'm not sure if it was something to do with how I imported but it didn't list my passwords and the browser plugin was clunky and didn't work. Anyone had success with pass/gopass?
Bitwarden seems like a happy medium, I'd rather not do my own password ops. The pricing seems fair (and rather optional). I'll try it, thanks.
It is puzzling. My feeling is that for quite some time they had a lead on features (cross-platform, browser overlay, secret sharing) - particularly the combination of features whereas competitors always seemed to have a subset. That's what reluctantly kept me with them. The software quality does just seem quite bad though.
Check out Keepass! Rather than syncing directly into a Cloud, it allows you to store a database file into any location. It supports MFA (e.g. by combining a password with a secret file, or a Yubikey). And everything is open-source.
I like the model a lot, because it solves the "database ownership" issue, where your Password provider (be it LastPass, 1Password, etc) becomes in itself a weak link.
I used to use KeePass but the lack of a proper cross-platform UI eventually broke it for me; KeePassX on Linux looked and performed terribly, the Android app was just bad, etc etc etc.
I switched to 1password which - at least at the time - offered a web-based fallback hosted from your own dropbox. Plus at the time you owned the data and were responsible for storing and syncing it. Dropbox support came out of the box but if you want you can use a local file.
Yeah you're right, I believe it's based on .NET so on Linux you'll have to use Mono. For the plugin ecosystem, that's suboptimal because you'll have to rebuild a lot of plugins from scratch.
I used to be a 1password user, but they were pushing their premium, cloud-based offering a lot and lacked Yubikey support so I switched away.
I'm in the same boat. The user experience on it is terrible now.
The worst thing that happens to me is if I generate a password, and then Lastpass doesn't save it! It feels like a 50% shot it will actually save the generated password.
I have nearly 1000 passwords stored in it now, so it's going to be a huge pain to migrate.
This is by far the worst. I have LP set up with a shortcut + fingerprint tap on my MBP, which works great until I'm generating a password, which never gets saved. I have to remember to get my vault page open ready to fill in before I generate the password, because if I generate one from the toolbar dropdown I'll never see it again. Ugh.
LastPass Mobile UI seems to be intentionally crippled ( https://vgy.me/9r29bm.jpg ) I assume because they want you to download the app, pushing you to purchase their license.
If you load the same site using "load desktop site" the UI gets fixed.
Bitwarden is best. I hope they will not go bankrupt from free users. It's funny it is the cheapest but also works the best out of all managers I tried. Dashlane is good but it's so much more expensive. Bitwarden will slowly kill most of the managers if they keep up the great work.
I will add this to my password manager binge (because I know how to party). I did find the NPM build a bit frightening though - module 956/1xxx built...
Also that site looks like it should be selling something but I see no money hole - should I be worried?
We have a tendency to compare opaque with transparent and balk at what we find, but I question what you would feel if you could see through the opaque.
That is true, but at least they have code review and multiple people ;) I'm just estimating from my experience that after a certain point, most companies start writing automated tests.
And if you look at their jobs page, one of the job description points is "Create unit tests for existing code to run faster and more reliably.": https://1password.com/jobs/droid-builder/
They might even have a few QA people AFAIK!
I understand why the single founder / engineer of bitwarden doesn't have tests. When you're a startup not writing tests can speed you up significantly. But after a certain point they are going to need automated testing, especially for something as vital as this.
For me, the lack of open source in 1p has been a sticking point, and I was planning to migrate after the audit. But seeing no tests, 1p documenting their security model and bitwarden not being good enough compared to 1p in UI has me sticking to 1p for now. I have high hopes that bitwarden will get to that maturity point one day.
I found the same thing with their client apps, should have checked core to see if there weren't any there as well.
I switched over about a week ago and find it pretty solid, but it's missing a lot of the quality of life features that LastPass had. You can't just hit command + c whilst on an entry and have it copy the password, and they haven't implemented the new iOS 12 features that make password managers much better on iOS.
I'm running them both right now as I'm not fully committed to the switch over, but I'll see how the features get added over time.
I moved from LastPass to 1Password recently. Had been using LastPass for several years, but filling failures, the lack of copy password in FF (and no binary workaround for Linux), and generally unhelpful support when I contacted them prompted me to move.
Very happy with 1PasswordX (the browser-only version) - filling is much better, copy is supported out of the box, support have been very helpful when I've reached out. Much better customer experience.
I was a 1Password fan for many years, until the big push to go subscription. For now I'm just using Apple's keychain until I decide what tool to use next. If you're in Apple's ecosystem, keychain actually works pretty well.
You can still purchase a standalone license, even for v7. Sure they want you to rent access to your data, but that's not the only path. I also recently taught KeePassXC to read the 1P on-disk vault format, so you can continue to use 1P even in Linux, and even if AgileBits goes under.
I have been using Pass [0] with passff [1] and been pretty happy about it. Simple and offline password management where passwords live in gpg encrypted files. Additional features I like are tracking changes with git, bash completion and copying passwords to the clipboard for a few seconds temporarily, and a few very useful extensions.
Pass is awesome. I use it in combination with a YubiKey to store the pgp key. Because every password is stored in an independent encrypted file and every decryption needs a press on the YubiKey, even a stolen database and keylogger do not provide access to all passwords.
I use pass with Keyboard Maestro on the Mac. It just gets an autofill input for the password I want, then opens a terminal and asks for the master password if needed and puts it in the clipboard. Very friendly way to use it.
Yep, I use KeePass synced over my self-hosted nginx server. But you can use Dropbox/Google Drive/etc. just as easily.
I would like to also recommend the Firefox extension 'Kee' for autofill. On Android there is the 'Keepass2Android' app. Both are open source and work well.
I also recommend the KeePass plugin 'Yet Another Favicon Downloader'. It downloads favicons from websites for your password entries.
Also 'Keebuntu' is a plugin that makes 'minimize to tray icon' work for me on Linux.
I've thought about setting up a personal NAS for this purpose.
But I'm concerned about having a single point of failure/loss in the event of a house fire or burglary.
Any chance you've addressed this risk in your implementation?
I'm also a happy Bitwarden customer. I especially like that it is all Free Software (combination of GPL 3 and AGPL across various parts), which to me is important for security and privacy related software. I've also had good experiences with Bitwarden support from Kyle, the lead developer and founder.
I tried that on Win10, and it didn't work for me. It was the last straw. Honestly, why on earth do they need it anyway? HTML5 has had a Clipboard API for a while now.
I've used both extensively and Bitwarden is just a dramatically higher-quality app, it's not even funny.
I recall that the initial release of the Web Extension support was a bit threadbare, and/or that they had to change the extension ID or something of that sort, but it's also possible it was left out for existing design reasons/as a cudgel. In either case this whole thread has been useful for alerting me that I should re-evaluate if Lastpass is the optimal solution for me.
I switched to LastPass from 1Password because I hated their whole mobile sync thing where you had to be on the same wifi and start your Mac app to sync etc. I understand that it's more secure that way, but that trade-off was not worth it for me. Has that changed in the meantime?
I migrated over from Lastpass to Dashlane a few years ago. Couldn't be happier. It integrates with everything and as far as I understand their encryption is better than Lastpass, although I couldn't say how.
I do love lastpass but since switching to Firefox 100% away from Chrome, the lack of copying a password to the clipboard without seeing it first really stings. What if someone is sitting next to me, or someone is grabbing screenshots or streaming my screen? It's like having this super secure electrified iron door installed but neglecting to lock it.
Is anyone aware of a technical reason that copy to clipboard is absent in Firefox, or is just laziness? If laziness, I'll dump them tomorrow.
I'm using LastPass with Firefox Nightly and I don't have this issue. Copying the password to the clipboard without seeing it works out of the box using the browser extension.
I've never used any other password manager but just wanted to say I love Lastpass. It very rarely fails on autofill for me, it saves all my passwords nicely, has secure notes, organizational sharing for teams. I find it to be really great.
Hmmm, I have been using the Keepass + Dropbox combo. Wanted to change to a more streamlined experience. The current choices of 1Password, LastPass and Dashlane didn't seem to attract me.
This is what I do too. Biggest complaint is the lack of official apps for mobile devices. I’ve used MiniKeePass in the past but am hesitant because there doesn’t seem to be much active development and I don’t see the source code anywhere.
Do you access kdbx files on mobile devices? If so, what do you use?
The biggest problem with MiniKeePass, in my opinion, is that it doesn't support the new iOS autofill API and that it doesn't support even basic syncing. You always have to make a manual copy of the database file and you can't really create logins on mobile because of that.
There's a fork of MiniKeePass called KeePass Touch, but they don't publicly host the source code anywhere. You have to email them to ask for a copy of the source code, which is technically GPL-compliant, but a bit annoying.
+1 for bitwarden. Not a security professional, but it seems to be a good tradeoff between security and usability. Definitely better than lastpass on both counts.
I've been looking into password managers for my team/department, and bitwarden has some good looking stuff, but they seem to only invoice in USD, which creates constant friction for recurring IT bills at my company.
I looked over privacy.com - specifically their security page[0] which reads impressively. As I looked at my "dashboard" I couldn't help but notice (according to uBlock Origin) that privacy.com, ironically, connects to facebook (.net) and google (fonts, apis, gstatic).
I'm certain none of those 3rd-party connections are necessary and yet... like muscle-memory... devs continue to thoughtlessly invite tracking.
I've seen people include such tags on the logged in areas for cancer patients in medical websites without batting an eye and wondering why that's a bad thing.
Haven't looked very closely, but how do you think they make money by offering virtual credit cards for free? I bet they will track all your purchases and resell them for marketing later.
Fonts and other stuff from google and facebook is just a small piece of the puzzle.
I use keepassx, a local password manager. I don't trust centralized online password managers with browser extensions. Huge attack surface. I copy and paste usernames and passwords.
Same. Where do you keep the db file? Mine's in the cloud and I can't help but think it reduces security, but then I need access to this data from various locations.
I worry about this too. I store the database itself in Dropbox, and I also use a keyfile alongside the password to open it. I can easily recreate the keyfile on any computer, but it never goes anywhere near the internet.
In addition to that, for my really critical "gatekeeper" accounts, I don't put the full password in the database. Just a reminder that this is a "special" password, which needs to be combined with another bit of info in order to work.
I just live with the fact that I can't use this system on my phone, and for my usage patterns, that's fine. There's nothing I need to do that's so urgent that it can't wait until I'm back in front of my computer.
I use BitWarden, and they let you self host the service if you want. I haven't done it yet, but I'm definitely considering it. However, passwords are encrypted on your machine then uploaded, so it's a bit more secure than them managing everything on the server.
I also do that (almost, keeweb + dropbox) and copy-paste logins, but a serious problem is that you need to clear the clipboard after, otherwise any other site you visit can read it.
It's unfortunate that privacy.com is only for US residents. Does anyone know of a similar service that's available for Europeans as well? Specifically the virtual card feature. Most of the services that I've seen that offer something like this are for EEA residents only. This seems to be a new restriction imposed by Visa/MasterCard.
What makes you trust LastPass that they won't sell/leak/expose your passwords from some backdoor or under the table deal? I'm asking because this is not a public company or an entity that can be held responsible in any way for such an act. It's just another startup obligated to make their investors 10X returns. I haven't read their agreements but I'm pretty sure any lawyers of such companies have enough clauses to absolve them of any such acts.
They do store your "vault" on their server. It's encrypted though, using a key that doesn't leave your computer. However I can easily imagine deliberate as well as innocent "mistakes" in browser plugins and other weak links in the architecture that would expose the master key and hence your vault.
They don't, officially. Nothing is stopping them from updating the client to siphon your passwords or the encryption key, though. This is a problem all password managers have.
It would be nice to have some kind of communication protocol that could be provably restricted from passing whatever the company wants.
I'm using two personal domains to host my own email. One domain is purely for registration/junk purposes and it forwards *@junkemail.com -> junk@myemail.com.
The same server uses nextcloud for calendar/contacts/webdav
I use the password manager Enpass which can sync via webdav across my devices.
Everything selfhosted and emails/credit cards disposable
What bank/card allows you to create unique credit cards with separate limits? The one I was using (Swedbank/visa/mastercard) stopped providing this service last year.
Privacy.com allows you to create virtual credit cards once you connect a source of payment to your account. Can be a bank or debit card. I personally create one credit card for every paid subscription I have with the limit set on the amount that's supposed to be debited (e.g. monthly limit on Tidal charging $20).
Privacy is a game changer for online transaction security imo. An additional benefit is the ability to subscribe to "try free for a month but oh wait we need your credit card info first so when you forget to cancel we'll keep charging you". Simply create a virtual card with single time spend limit $1 less than the monthly subscription charge, and you can rest assured that your one month trial is a one month trial.
In order to use Payment Services, you must be at least 18 years old. You confirm that you are either a legal resident of the United States, a United States citizen or a business entity authorized to conduct business by the state(s) in which you operate and that you are an authorized signatory for the business you represent.
Citibank offers virtual credit cards. Once they are used by one merchant, they can not be used by any other merchant. On top of that, you can optionally give them money and time limits.
I rather like this feature from CitiBank. I hate the interface, but the feature is great. I can use it to sign up for monthly services that I'm unsure about. If I don't want to go through the hassle of canceling the service, I just don't renew the cards.
I also use it with sites I don't necessarily trust, like a random auto parts store. If it were a tad easier to use, I'd use it for nearly everything.
Revolut standard account (w/o monthly fees) gives you a Virtual Card which I use when I don’t trust the site I’m buying from and after the purchase I just freeze it.
With the premium cards on top of other perks there’s also Disposable Cards which creates a virtual card for every transaction you want and as soon as that card gets used, it’ll destroy it and create one brand new.
For separating limits you can create multiple virtual cards, each with limits that, once met, will freeze the card.
LastPass is not helping you with privacy here. From their tos
tos:
> You may use our Services only as permitted in these Terms, and you consent to our Privacy Policy at https://www.logmeininc.com/legal/privacy, which is incorporated by reference.
pp:
> When you use our Services, we receive information generated through the use of the Service, either entered by you or others who use the Services with you (for example, schedules, attendee info, etc.), or from the Service infrastructure itself, (for example, duration of session, use of webcams, connection information, etc.) We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the Services.
> Third Party Data: We may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide products and services that may be of interest to you.
> Location Information: We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt-out of the collection and use of your collection information, you may do so by turning it off on your device settings.
> Device Information: When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").
and
> Some specific examples of how we use the information:
> * Conduct research and analysis
> * Display content based upon your interests
> * Market services of our third-party business partners
and
> 4. Information Sharing
> ... We may share your personal information with (a) third party service providers; (b) business partners; (c) affiliated companies within our corporate structure and (d) as needed for legal purposes.
and
> Examples of how we may share information with service providers include:
The traditional pitch from security experts is "Using a password manager is better than reusing the same password on lots of sites, or using low entropy passwords, or saving your passwords in an excel spreadsheet, which is what you were probably doing before"
Apart from shoulder-surfing wouldn't an encrypted spreadsheet be equivalent (not Excel, as I imagine MS might randomly send that data home, e.g. if there's a crash)?
In both cases once there's physical compromise, if they have the "master" password you're screwed?
I presume they use clipboards for the pasting, or do typing that could be captured by a keylogger.
I have a hard time trusting _any_ of the password services that host my passwords.
Single point of failure. Even if they claim they're "encrypted so that even THEY can see them", it's so easy to mess up encryption, it makes it a single point of failure.
I still share passwords between my devices though, but instead I use KeePass along with the Android app. For less critical passwords I let Chrome keep them; I _mostly_ trust Google, and non-critical passwords are exactly my level of trust of Google.
And I also trust Google to share my (encrypted) KeePass file with my devices. But now it's two points of failure: Someone would have to break into a private Google Drive, get my KeePass file, and break the KeePass encryption.
And I trust _both_ KeePass _and_ Google more than I trust LastPass to get security right.
What about using a completely segregated secondary account? I have a Simple account, and that's all I use it for. I only ever have a couple hundred in there at any time.
You also hit on a very easy solution for those who aren't going to go to those extremes: be sure your notifications are set up. Getting an email within minutes of every purchase or paid bill has been great.
Interesting. I literally don't care if my CC information is stolen from a merchant -- I have zero liability for fraudulent use on all of my cards. Why do I want the friction of privacy.com?
The one thing that is cool, for items that don't have to ship in the mail, is the ability to use any name and address whatsoever with the merchant.
Given the shady things people have found their smart TVs doing, I'd feel about as safe typing a password into a smart TV as I would changing the password to "hunter2".
The TV should display (or maybe email) a link that I would visit with my primary web browser and grant it permissions - or ask for a password as a very last resort for users who have no computer/phone but somehow have Netflix.
Plex and Roku do this. They give you a simple one time URL like plex.tv\U23SL
That URL asks you to log in (on your computer) and once it's authorized, the Roku or Plex on your TV gets the signal and continues. Easier than typing on a TV device.
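A toy model of the flow these two comments describe, added here as an illustration; it is not Plex's or Roku's actual protocol. The TV shows a short code and polls the server, the user approves the code from a browser where they are already logged in, and the TV receives a token without the password ever being typed on the device. The host name, code length and 5-minute expiry are assumptions for the demo.

```python
"""Device-link flow: show a code on the TV, approve it from a logged-in browser.

Constructed example. Codes are short-lived, single-use, and the device only
ever receives a token after a separately authenticated user approves the code.
"""
from __future__ import annotations

import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_ALPHABET = string.ascii_uppercase + string.digits  # short and easy to read off a screen
CODE_LENGTH = 5
CODE_TTL_SECONDS = 300  # assumed expiry: a stale code on screen must stop working


@dataclass
class PendingLink:
    created: float
    device_name: str
    token: str | None = None   # set once a logged-in user approves the code
    consumed: bool = False     # token handed to the device exactly once


@dataclass
class LinkServer:
    pending: dict[str, PendingLink] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable so tests can advance time

    def start_link(self, device_name: str) -> tuple[str, str]:
        """Called by the TV app. Returns (code, URL to show on screen)."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        while code in self.pending:  # avoid handing out a code that is still live
            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[code] = PendingLink(created=self.clock(), device_name=device_name)
        return code, f"https://example.invalid/link/{code}"  # placeholder host

    def _live(self, code: str) -> PendingLink | None:
        """Return the pending link for a code, dropping it if expired or used."""
        link = self.pending.get(code)
        if link is None or link.consumed or self.clock() - link.created > CODE_TTL_SECONDS:
            self.pending.pop(code, None)
            return None
        return link

    def approve(self, code: str, user_id: str) -> bool:
        """Called from the user's browser session, which is already authenticated.

        The user types the code they see on the TV; the server binds their
        identity to it. A second approval of the same code is refused.
        """
        link = self._live(code)
        if link is None or link.token is not None:
            return False
        link.token = f"tok_{user_id}_{secrets.token_hex(8)}"
        return True

    def poll(self, code: str) -> str | None:
        """Called by the TV app every few seconds until a token is returned."""
        link = self._live(code)
        if link is None or link.token is None:
            return None
        link.consumed = True
        del self.pending[code]
        return link.token


if __name__ == "__main__":
    srv = LinkServer()
    code, url = srv.start_link("living room tv")
    print("TV shows:", url)
    srv.approve(code, "alice")          # the user, from their phone or laptop
    print("TV receives token:", srv.poll(code))
```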
Haven't had to do that yet. My uh-oh case is VR. I just typed 5 chars at a time in the headset and then looked at my phone. The occasional cost is worth it though, only adding ~30 seconds
On my Android TV, I can use my phone as a remote keyboard and copy/paste. But there are some apps which design their own inputs incompatible with the remote keyboard. When this happens I can plug in my physical keyboard directly to the TV.
You could just use a normal Citi or BoA or any other card that generates virtual card numbers and that'll also lock it to that vendor after the first charge. So that they couldn't even hit it for $0.80 if they wanted to.
Last time I checked, both Citi and BofA give me virtual card numbers via a Flash plugin. I really have no desire to run Flash any more. Has that changed?
That's one good reason, another is probably pushback from merchants. Having these virtual cards completely shuts down the "free-trial-we-hope-you'll-forget-and-let-us-ding-you-for-a-month-or-two" business model that's so popular for online services.
Not sure you need merchant pushback there - if it leads to unexpected charges then it's more likely to lead to inability to pay, or short payment, which gives the credit card companies their chance to feed off the client.
Wouldn't the bank still know your full purchase history (since they know what numbers are tied to you)? So they'd in fact get a leg up on the competition, who get a more distorted view?
Unless they work with an analytics system that mastercard, visa & amex participate in to link card numbers to invoices for better advertising & affiliate data.
I know FB & Google purchase something like that from one or two credit card companies, so I wouldn't be surprised if merchants were in to it too.
Capital One gives virtual card numbers via a Firefox or Chrome extension, which you use on the check out page of the site where you want to use the virtual card. It is quite convenient.
The virtual cards don't have separate spending limits, though, so it is not quite as good as BofA or Citi for use with questionable sites.
The real feature of privacy.com is the ability to use any address. Who cares if your CC is compromised? Get one just for recurring balances and another for everything else.
I don't follow your argument. Yes, any merchant is going to get hacked. My argument is, I don't care a whit about my CC being stolen. My liability is zero and I can just get a new card. The only thing I care about is the hassle of setting up a new card for recurring balances. Hence, why I need at least 2 cards.
OTOH I do care about my name, address, and other PII being stolen. That is where privacy.com is a help. But not because it protects me from CC loss.
Was the water company thankful enough to compensate you for the $X,000 consulting services you provided because they didn't set up their own security monitoring?
Given their lack of security, I’m guessing they have no idea of the value that I provided.
It’s all good though. Knowing I helped thousands of my neighbors is compensation enough. Besides, if they gave me a credit, they’d have to hike everyone’s bill to compensate!
I guess the money doesn't matter to you personally at all, but they could pay a bonus from profits, or by cutting executives' wages (if they're a non-profit). It's not like the only means of paying is gouging customers.
Yep! You can create "burner" cards that become invalid after one use. I actually never use that feature, because sometimes vendors screw up and have to put the charge through a second time or whatever. Instead I set a lifetime spending limit $1 higher than the purchase I'm making.