
Introducing Remembear, new password manager - anuragsoni
https://www.remembear.com/blog/remembear-introducing-the-new-bear/
======
tptacek
From the Cure53 report: the version tested had a terrible vulnerability
(unfortunately somewhat common to password managers): it tries to match
passwords to subdomains, and in doing so misparses domains, allowing it to be
tricked into giving passwords to bogus almost-look-alike domains. Yikes.

Meanwhile: they've got a crypto protocol tunneled over TLS "to avoid
heartbleed" and some other convoluted stuff the auditors complain about. You
really want to see a password manager get the basics right.

Notice also that the end of the Cure53 report complains about the project
scope and the amount of time given. This is pretty unusual for Cure53, who
have a reputation for being a bit effusive about the products they're paid to
review. I'm not sure I've ever seen them throw shade before.
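As an added example of the bug class described in the comment above (this code is not from the thread, from Cure53, or from RememBear), the script below puts a raw string-suffix "subdomain" check next to a label-aligned check that compares registrable domains. The function names (`naive_match`, `safe_match`, `registrable_domain`) are my own, and the public-suffix set is a constructed handful of entries standing in for the full Public Suffix List.

```python
"""Matching a saved login to the page a browser extension is on.

The naive check treats hostnames as plain strings, so a host that merely
ends with (or contains) the saved host passes. The safe check reduces
both sides to their registrable domain (one label left of the public
suffix) and compares whole labels, failing closed on anything it cannot
classify.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes for the demo; a real password
# manager would load the complete Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def hostname_of(url: str) -> str:
    """Lowercase hostname with userinfo, port, path and trailing dot removed."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """'accounts.example.co.uk' -> 'example.co.uk'.

    Walks the labels from the left and stops at the first (longest)
    suffix found in PUBLIC_SUFFIXES; the label before it is the site.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"unknown public suffix for {host!r}")


def naive_match(saved_url: str, page_url: str) -> bool:
    """The flawed check: 'is the page host a suffix of the saved host?'
    done on raw strings, with no label boundary."""
    return hostname_of(page_url).endswith(hostname_of(saved_url))


def safe_match(saved_url: str, page_url: str) -> bool:
    """Label-aligned check: same registrable domain on both sides.
    Unknown or bare suffixes are rejected rather than guessed."""
    try:
        return registrable_domain(hostname_of(saved_url)) == registrable_domain(
            hostname_of(page_url)
        )
    except ValueError:
        return False


if __name__ == "__main__":
    saved = "https://example.com/login"
    for page in (
        "https://accounts.example.com:8443/signin",
        "https://evil-example.com/",
        "https://example.com.evil.net/",
    ):
        print(f"{page:45} naive={naive_match(saved, page)!s:5} safe={safe_match(saved, page)}")
```

The point of the comparison is the look-alike hosts: a host that ends with the saved string but differs at a label boundary passes the naive check and fails the safe one, while a legitimate subdomain (with a port and path attached) passes both.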

~~~
robotcookies
What password manager do you recommend?

~~~
tptacek
I feel OK talking about the audit report, the basics of security for password
managers, and the dynamics of using an audit report to market a product, _and_
I feel OK talking about what my preferred password manager is, but it occurred
to me I wasn't psyched about doing both on the same thread.

It's not hard to figure out, but it's not a conversation I want to have on
this thread. Thanks in advance!

~~~
Spare_account
I don't understand this response. Why would it be improper to discuss
alternative products?

I don't know you, so I guess you have a vested interest? Is that it?

~~~
tptacek
No, I do not.

------
jedisct1
It might be a good alternative to Enpass. They use Rust and libsodium, which
is a good sign.

But browser integration is the trickiest part in a modern password manager,
yet what makes a password manager actually usable for most people.

So, give it some time before using the browsers (currently only Chrome)
extension. Virtually all other password managers had security issues here.

Making these extensions smart (able to guess where login and password fields
are, when passwords are being updated, etc) is also far from trivial. It's
actually way more complex than password storage.

Gonna stick with Enpass for now, but that's definitely a project to watch.

~~~
wntrmt
> So, give it some time before using the browsers (currently only Chrome)
> extension. Virtually all other password managers had security issues here.

Do you have a source for that? We are currently using teampasswordmanager.com
and I was wondering if there are any known security issues I have not heard
about.

Although the author refused to provide the source, I had a look at the Chrome
Extension anyway, but any additional info would be great.

~~~
arkadiyt
Here's one example - LastPass had remote code execution as a result of their
browser extension:

[https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&can=1&q=lastpass&desc=6)

------
WillPostForFood
I think they are burying the lede, and being a little disingenuous with the
big "Get Started, It's Free" button.

 _we will be introducing subscription-based pricing when RememBear leaves the
public beta phase._

[https://help.remembear.com/customer/en/portal/articles/28907...](https://help.remembear.com/customer/en/portal/articles/2890744-how-much-does-remembear-cost-)

A non-subscription product would be one thing that would get me to move off
1password.

------
dwg
What differentiates RememBear from other password managers? After looking
through the blog and website it's not immediately clear to me. What makes (or
will make) RememBear better than, say, 1password, which appears to have the
same features, is also easy to use, and has a long history with which to work
out issues?

~~~
azinman2
I disagree that 1Password is easy to use. It’s easy enough for me to use, but
trying to get my parents through the setup and UI has not been an easy task.
It could be far more simple and straightforward.

~~~
hmahncke
I would like to see a version of 1Password that 1) did only passwords - no
fishing licenses and secure notes, which adds UX complexity 2) did not
distinguish between passwords and logins, which causes endless confusion for
my users 3) knew and managed the text requirements for the top 1000 websites
so the app could generate legitimate passwords and not ask users to manage
password complexity

~~~
azinman2
Ohh I like the idea of knowing the password requirements for the top 1000
websites!

~~~
chiefalchemist
Would it be wrong to wish this could (or should?) be standardized? That is,
for example, one upper case letter, same special characters, etc. The lack of
a standard seems to hurt users more than hackers. The hackers know it and
adjust. Users just get confused and default to overly simplistic and common
PWs.

~~~
cmer
There should be a "robots.txt" for passwords. ie: /password.txt

This file could define the accepted password format. Password managers could
retrieve that file and know exactly how to generate a password.

~~~
cmrx64
no. if you're going to go through the trouble to do that, just fix your
bullshit broken fucking password requirements.

~~~
chiefalchemist
The password - as currently implemented - is a fax machine (read: dated
technology). Anyone reasonable sees it's far from ideal. Yet there seems to be
little _significant_ innovation on solving this problem with something better.

I can order a pizza via Twitter, but I'm still using passwords?

------
0xmohit
I <3 pass [1]. Earlier discussion [2] on pass here.

[1] [https://www.passwordstore.org/](https://www.passwordstore.org/)

[2]
[https://news.ycombinator.com/item?id=14819136](https://news.ycombinator.com/item?id=14819136)

------
craftyguy
Seems to be yet another proprietary walled garden. No thanks.

~~~
pault
Can you recommend any reputable open source password managers?

~~~
Santosh83
KeePass, pass, PasswordSafe, KeePassXC, bitwarden, enpass

~~~
resonanttoe
Sadly Enpass is not open source.

[https://discussion.enpass.io/index.php?/topic/210-open-sourc...](https://discussion.enpass.io/index.php?/topic/210-open-source/)
[https://www.enpass.io/legal-end-user-license-agreement/](https://www.enpass.io/legal-end-user-license-agreement/)

------
DonHopkins
Great name! So much more evocative than "Remembr".

Let's hope they succeed, and inspire other companies to append a penultimate
"a" after the penultimate "e", instead of just removing the penultimate "e".

~~~
ehxcaet
I'm glad that that fad is... mostly(?) over.

------
solomatov
I use 1Password, and the only incentive which would make me switch is a
completely open source, good quality UX solution.

~~~
bufke
I'm working on that ([https://passit.io](https://passit.io)) and I'm curious
what your opinion of good UX is. Many here mention vulnerabilities from web
extension autofill (domain matching issues, etc). Do you have any opinion
between:

A) No autofill. Copy and paste (but good simple shortcuts). Least attack
vectors, but least convenient.

B) Autofill but only when user prompts (with shortcut). This avoids having to
inject js into web pages. The web extension needs less overall permissions
this way. It avoids certain attack vectors. Features would be less
discoverable - you have to know to hit the shortcuts or click a browser icon.

C) Prompts to Autofill in the page. This is the most common technique,
lastpass does it. Vulnerable against domain matching misparsing. It's a big
attack vector but there are plenty of common password manager vulnerabilities
that can be studied and mitigated against.

Or something else? Also what issues do you have with current open source
password managers?

~~~
solomatov
Personally, I prefer no autofill. I always turn it off.

------
ramidarigaz
If any of the Remembear developers read this, I'd love to put in a request for
a Linux client!

------
dom96
I'm currently using LastPass and their macOS app seriously annoys me (why do I
have to click an OK button every time I save a new password?).

They seem to get their UI right at least. Plus, bears are cute.

Edit: No support for folders/categories it seems. That sucks a bit.

~~~
perryprog
Bears are very cute. Can't go wrong with that!

Jokes aside, this would be interesting to compare to 1Password once it matures
a little. So far it looks very similar.

------
satysin
Looks nice but only has a Chrome extension at the moment. Also the browser
extension requires the desktop app be installed.

~~~
yegle
So it's not possible on ChromeOS?

~~~
ehxcaet
[https://chrome.google.com/webstore/detail/1password-x/aeblfd...](https://chrome.google.com/webstore/detail/1password-x/aeblfdkhhhdcdjpifhhbdiojplfjncoa)

1Pass X seems to be available on just Chrome? I'm actually quite interested to
learn how it works - from my knowledge it's the only standalone PM extension
right now.

------
5_minutes
"Subscription pricing"... if anyone is looking for an actually good business
model, it's for the upcoming "1password refugees"... and all we want is the
same stuff, but not subscription based.

------
wpietri
Ooh, what a great example of a brand extension.

When I saw "new password manager" in the headline, my first thought was "those
guys are fucked". What people want with a password manager is trust and
stability, two things not associated with startups. But these folks have
millions of users, strong app store ratings, and solid reviews. Going from
"trust us with your data and privacy" to "trust us with your passwords" is not
a big step.

I'd give my current password manager, LastPass, a C- on usability, so I'll be
keeping an eye on this. I'd love to have something better to recommend to
novices, and might even switch myself.

------
phnofive
>Where does RememBear store my passwords and how are they protected?

>RememBear encrypts your passwords using both your Master Password and a
unique device key generated by the application. It stores your passwords in an
encrypted file on your device and on our secure servers for sync and backup
purposes. However, RememBear will only encrypt and decrypt the items on your
physical device. This means that your passwords and other items are always
encrypted during syncing and remain encrypted when in storage on our secure
servers. You and ONLY you are ever able to access your items as long as you
keep your master password private.

Proprietary sync, no thanks.

------
m3kw9
It would be great if they can clearly tell how they differentiate from
1Password.

------
Rjevski
Electron?

------
residude
It is from tunnelbear. If you are releasing it for free, why isn't the code
public?