Password managers
2020-12-24 14:51:41
This post isn’t finished. Keep that in mind. Also, these are my ideas.
From time to time you see that a lot of websites have been compromised and the password hashes have been made public (or sold) by the attackers. But how can you be sure that if one of your accounts gets compromised, the others won’t get hacked too?
One of the main rules in cybersecurity about passwords is that you don’t:
- Share your passwords
- Reuse your passwords
- Make them easily guessable
Sure… But why should you use a password manager?
Because humans make easily guessable passwords, or they think of a password that they won’t remember. If you’re asking what a “perfect password” would be, it should:
- Be longer than 16 characters
- Contain numbers, letters (upper and lower case) and symbols (!@#$%^&* etc.)
- Be totally random (it shouldn’t have any meaning or pattern, like numbers in order (123456))
- For the love of everything that is holy to you, not be in this list
Okay, so why password managers?
Easy: they do the hard work for you, remembering passwords and generating ones that are hard to guess.
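The rules above in working code, as an added example that is not part of the original post: a generator that draws every character from the OS CSPRNG (never `random`), rejects candidates that miss a character class, contain a sequential run or appear in a common-password list, and reports the entropy of the result. The eight-symbol set and the tiny `COMMON_PASSWORDS` set are constructed for the example; a real check would load the full public list from disk.

```python
import math
import secrets
import string

# Alphabet built from the rules in the post: upper/lower letters, digits, symbols.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 70 characters

# Stand-in for the "most common passwords" list (constructed for this example).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "iloveyou"}


def has_all_classes(pw: str) -> bool:
    """True if pw contains at least one lowercase, uppercase, digit and symbol."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that step by +1 or -1
    in code-point order (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(pw) - run + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn from
    `alphabet_size` characters. Rejection sampling in generate_password()
    removes a negligible fraction of the space, so this is a close upper bound."""
    return length * math.log2(alphabet_size)


def check_password(pw: str) -> list:
    """Return the rules from the post that pw fails (empty list = passes)."""
    problems = []
    if len(pw) <= 16:
        problems.append("too short")
    if not has_all_classes(pw):
        problems.append("missing a character class")
    if has_sequential_run(pw):
        problems.append("contains a sequential run")
    if pw in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a password that satisfies every rule in the post.

    secrets.choice() draws from the OS CSPRNG; candidates that fail a rule are
    discarded and redrawn, which keeps the output uniform over the accepted set.
    """
    if length <= 16:
        raise ValueError("the post asks for more than 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

With a 70-character alphabet, 16 characters give about 98 bits and 20 characters about 123 bits, which is why length matters more than any single symbol rule.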
Popular password managers
Bitwarden
One of the most popular password managers on the internet. The vault can be self-hosted on your own server or kept on Bitwarden’s cloud. It has three plans:
- Free plan: lets you use the service for free (password generation, the apps, cloud hosting), but premium functions such as two-step login with YubiKey, U2F or Duo are left out.
- Premium ($10/year): everything above, plus vault health reports, emergency access and priority support (and the two-step login options mentioned before). It also gives 1 GB of encrypted file attachments.
- Families ($40/year): everything from Premium, for up to 6 users.
Looking at Bitwarden’s compliance, audits and certifications, it seems to take security seriously: GDPR compliance, CCPA, HIPAA, SOC 2 Type 2 (comparable to ISO 27001) and SOC 3. Its code is visible in its GitHub account, and it uses Microsoft Azure as its cloud service.
Bitwarden uses AES-CBC 256-bit encryption for vault data and PBKDF2-SHA256 to derive your encryption key. As their documentation says, the master password is always hashed before it is sent to their servers, so the server never receives the password itself or the key that decrypts the vault. For the crypto primitives they use Web Crypto, Forge and Node.js Crypto (browser extension, desktop and CLI), CommonCrypto (Apple) and Javax.Crypto with BouncyCastle (Android).
It’s available as a CLI and on Android, iOS, browsers, Linux, Windows (10) and macOS. So far there have been no public security incidents for Bitwarden. There are some comments, though, which could be a problem in the future if they are true (take this with a grain of salt).
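As an added illustration of the scheme just described (this is not Bitwarden’s own code), the following Python models the split between the key that encrypts the vault and the hash that is sent to the server. The parameters (PBKDF2-SHA256 with 100,000 client-side iterations, the lower-cased email as salt, a second 1-iteration PBKDF2 over the key for the login hash, HKDF-Expand into separate encryption and MAC keys, and a server-side re-hash with a random salt) are assumptions modelled on Bitwarden’s published design; the `Server` class is a stand-in. AES-CBC itself is left out because it is not in Python’s standard library.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (modelled on Bitwarden's documented design; check the
# current documentation before relying on them).
CLIENT_ITERATIONS = 100_000   # PBKDF2 work done on the client
SERVER_ITERATIONS = 100_000   # server re-hashes what it receives before storing
KEY_LEN = 32                  # 256-bit key, sized for AES-256-CBC


def master_key(password: str, email: str) -> bytes:
    """Vault encryption key: PBKDF2-SHA256(password, salt=email). Never leaves the client."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS, KEY_LEN)


def master_password_hash(key: bytes, password: str) -> bytes:
    """Login credential: one cheap PBKDF2 round over the key, salted with the
    password. This is what goes over the wire; PBKDF2 is one-way, so the server
    cannot recover the key from it."""
    return hashlib.pbkdf2_hmac("sha256", key, password.encode(), 1, KEY_LEN)


def stretch_key(key: bytes) -> tuple:
    """HKDF-Expand (RFC 5869, first output block: HMAC(PRK, info || 0x01)) of
    the master key into independent encryption and MAC keys, so AES-CBC
    ciphertext can be authenticated encrypt-then-MAC with its own key."""
    enc = hmac.new(key, b"enc" + b"\x01", "sha256").digest()
    mac = hmac.new(key, b"mac" + b"\x01", "sha256").digest()
    return enc, mac


def client_login_material(password: str, email: str) -> tuple:
    """Everything the client derives at login: (key kept locally, hash sent)."""
    key = master_key(password, email)
    return key, master_password_hash(key, password)


class Server:
    """Stand-in for the server side: it only ever sees the login hash, stores a
    further salted PBKDF2 of it (so a database leak yields neither the hash
    nor the key), and compares in constant time."""

    def __init__(self):
        self.users = {}

    def _stretch(self, received_hash: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", received_hash, salt, SERVER_ITERATIONS, KEY_LEN)

    def register(self, email: str, received_hash: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[email.strip().lower()] = (salt, self._stretch(received_hash, salt))

    def login(self, email: str, received_hash: bytes) -> bool:
        entry = self.users.get(email.strip().lower())
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._stretch(received_hash, salt))


if __name__ == "__main__":
    key, login_hash = client_login_material("correct horse battery staple", "alice@example.com")
    srv = Server()
    srv.register("alice@example.com", login_hash)
    print("key and login hash differ:", key != login_hash)
    print("login ok:", srv.login("alice@example.com", login_hash))
```

The point of the two derivations is that a compromised server database leaks only a stretched copy of the login hash, which is useless for decrypting the vault blobs stored next to it; everything sensitive is still gated by the client-side PBKDF2 work factor.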
Enpass
A less well-known password manager (at least in Latvia), but similarly good.
There are 3 plans:
- Individual plan (1.79 EUR/month): for personal use, with unlimited vaults and devices, and alerts for website breaches.
- Family plan (2.69 EUR/month): for families (6 people); basically everything the individual plan provides.
- One-time payment (71.19 EUR): basically what the individual plan provides.
There is a whitepaper for Enpass, and it also has a security assessment. It’s available on Linux, Windows, macOS, iPhone and Android.
Enpass is pretty new, so this is a small warning: I wouldn’t trust it as much as the other companies.
Dashlane
The most popular password manager advertised on YouTube. So... let’s see. Basically:
- U.S.-patented security architecture
- Security dashboard
- Policy management
- Advanced reporting
- Directory integration
- Group sharing
- Two-factor authentication (2FA)
… nothing much from the provider. Still, 5 EUR for Standard and 8 EUR for Business. It feels basic.
Nordpass
So… NordPass. It doesn’t look that bad for a service created in 2019. First off, some things it provides:
- You can keep credit card information
- You can keep notes in the application
- Works on Windows, Linux, macOS and Android, and in basically all browsers
- It has a free tier (which only lets you use it on 1 device, so if you use it on a phone and a PC you’re kind of out of luck)
- It has a Premium tier for 1.99 EUR a month (up to 6 connected devices, secure item sharing and a data breach scanner)
- It uses XChaCha20 encryption (less common than AES in this space, but a sound modern cipher)
- Provides 2FA (nothing said about hardware keys like YubiKey)
As far as I can see, it doesn’t let you download your vault or host it locally.
Keepass
KeePass is the password manager I use daily, so take this information with a grain of salt. For me, the main features are that it’s free and the source code is available on GitHub.
- Works on basically every OS (operating system), and on Android/iOS.
- Is free
- Your database is saved locally and can be stored anywhere: AWS, Google Drive, email, whatever.
- Encrypts the database with AES-256.
To be fair, it’s easy to use, it’s usable on every device, and the code is freely visible to everyone. To sum it all up: use either Bitwarden or KeePass. Why? Because Bitwarden lets you keep your vault under your own control and still syncs it everywhere, and KeePass is open source, so anyone can raise issues about it on GitHub and you can store the database anywhere. If you have any questions, let me know.