Don't use the internal browser of your password manager, no matter which one you use. There's too much that can go wrong, and the small convenience just isn't worth it.
If I use the clipboard, many apps can read it (there's no foreground-only clipboard permission on Android).
If I let the password manager be my accessibility service, I've given it power to do literally anything on my phone, and introduced a new interface between it and other apps (which can try to exploit it by producing confusing screen layouts).
If I let it be my keyboard, I'm giving it everything I type. This might be the least bad option of the three.
Are there any other options?
In any case, it is a nifty feature that I think more Android apps should support.
(Speculation; I haven't built a mobile password manager before)
FWIW, I'm using the horribly clunky PasswordWallet because to this day, it's still the only app I know which has auto-type in macOS, which I prefer to an extension or copy/paste.
There should be a capability or access control to let apps securely pass data to a specific other app. Does this already exist in another form on iOS and Android?
But I would love such an API, for reasons like this. Clipboard / custom keyboard / etc are horrific alternatives when you could e.g. do an oauth-like app-redirect. Both sides can validate each other, and the user just has to hit yes/no/choose the account.
Password management is not equivocal to automated password input. Even if that seems to be the primary feature of many password management apps.
I think the bigger win of using a password manager is being able to use different random passwords for each site, rather than using particularly long ones. That alone gives you sufficient entropy to beat brute force attacks and isolation of your other accounts from a single site leaking your password from their end.
The norm is 95 values. That's all the ASCII printable characters, or just count them on your keyboard.
(I'm not sure if that includes the <space> character.)
That word doesn't mean what I think you think it means.
Unfortunately, Firefox can't be trusted with passwords (its password store is secured by your password, which Mozilla can snarf if they wish, or are compelled to do).
I don't normally use a password manager on Android, but when I do I use the clipboard, because I have very, very few apps installed, and I mostly trust them. But I'm not happy about it.
> its password store is secured by your password, which Mozilla can snarf if they wish, or are compelled to do
If you're talking about the Firefox Sync password, it's being derived and what Mozilla gets is not your password. Locally Firefox encrypts those passwords using a "Master password" you have to set and which never gets transmitted.
And any password manager can "snarf your password", all it takes is a targeted update, which on present day mobile devices will be automatic. If you can't trust an open-source application managed by a reputable non-profit, then you definitely can't trust your operating system either, in which case it is better to not have a smartphone at all.
I don't trust Firefox with my passwords either, but that's because ensuring the security of that database isn't what Mozilla sells, and browsers have been known to be very insecure in handling those passwords. The first thing I do whenever I install a new browser is to disable the "Remember logins for sites" setting.
> If you can't trust an open-source application managed by a reputable non-profit, then you definitely can't trust your operating system either, in which case it is better to not have a smartphone at all.
Firefox Sync functionality is integrated in the browser and not served on demand.
Firefox for Android is also capable of running the LastPass extension for anyone using that combination.
The reason I want to migrate is that what I've been using used to have no cloud storage component at all. You could synchronize your devices over your local network and that was that. I never wanted any of this data on the cloud. Well, these guys decided to migrate data to the cloud, without giving users a choice.
As issues with the top password managers have come up from time to time on HN I have hesitated to migrate to any of them. Frankly, it's confusing.
All I want is secure encrypted LOCAL password and data storage. This includes typical password type applications but there are other bits of data one might want to store, for example, your passport number, company legal information, etc.
I don't want any of this data on the cloud. Nobody wants to wake up to a data breach that could potentially expose your data for hundreds of websites. Every single one of my logins is different, this would be a nightmare scenario. If the data isn't in the cloud the likelihood of that nightmare breach is reduced exponentially.
It's not sexy or slick, but it works for me.
If you want to sync passwords from your local storage to another local device, you can use LAN sync mode for that purpose.
Their online version also supports self-hosted services.
* 2016-08-22 Vulnerability Discovered
* 2016-08-24 Vulnerability Reported
* 2016-09-06 Vulnerability Fixed
At least for proprietary apps, security is about trust. Given their other slip ups in the past, along with present design choices like making certain administration tasks available only through the web interface, I wonder how people can trust LastPass.
Of course, it's better than not using a password manager at all. But one has to admit the bar for that is pretty low.
I believe LastPass app encourages you to NOT do this.
This obviously doesn't excuse the implementation (it shouldn't have gotten past CR). Just pointing out the attack vector is not as severe as it seems (at least from the issue's title).
My password is 24 chars in length, includes digits and special characters, and isn't made of dictionary words. Typing such a password on my laptop with a normal keyboard is fine, because I touch type, but typing it on my phone every time I need it is simply not doable. Using a PIN, on the other hand, is easy and should be fairly secure if the app is designed to fall back to the master password after X failures, preferably with hardware support.
So in all fairness, not only did they screw up a basic feature, but this also encourages people to use weaker master passwords.
I was a premium member up until my subscription expired last week. It used to be required in order to use the mobile app. Now it's not, apparently, and given the mobile app experience I've been having lately it's not worth it. I've been passively looking for a self-hosted alternative I can switch to.
 - https://owncloud.org/features/
How does it not work? Confidentiality and data integrity are essential for password managers; they can't work most of the time in those regards.
That said, KeePass 2.x (which came out in 2010/2011, but some people still use the old version) has synchronization built-in, and on top of that, there are plugins to make it keep backups or update a secondary database. It's the KeePass clones that have their own implementation of the internals where you can run into problems.
The recommended iOS app (MiniKeePass) doesn't support Touch ID to unlock the database (a PITA with a long master password, which I already have to unlock my device), so I'm using KeePass Touch, which is a MiniKeePass fork, but with ads, and they've been ignoring my requests for source code (MiniKeePass is GPL).
Browser integration is a pain; you have to install an extension to KeePass, and then to your browser, and set them up correctly. Steps are at
It works, but is a lot more hassle (which as a result means I'm more likely to skip it and use an insecure password) than Lastpass was.
I just tried creating a new vault and it created a .opvault. It became the default with version 6.1, released in Nov 2015 https://app-updates.agilebits.com/product_history/OPI4#v6100...
Yea, but still the problem is that all users who created a vault before Nov 2015 never got any message, nor is their database upgraded automatically. They will unknowingly keep using the old database format.
Seems alarming for a company whose business is security/privacy.
I was clearly only responding to this part, which is still useful information. Nowhere did I say there is no issue; there is no need to always nitpick on everything. I'll go back to not commenting on anything for another year.
I agreed with your post and was just supplying additional info.
The Android, iPhone, and OS X apps are so clean and awesome, and then everyone else just gets crap that's 2 versions behind.
AFAICT they burned time going down a rathole with a UWP app that they have now abandoned, accounting for the delay/lag on the Windows side.
Edit: Thanks for the informative replies, the links, and the advice. I'm going to explore all of my options and re-think this.
2) The analysis was done for Android applications; I suspect that on desktop the situation is generally a bit better. I doubt you are doing PGP-encrypted files on Android..
3) KeePass is notably absent from the list. I suppose its presence on Android might be a bit smaller than on desktops, but considering how well-known it generally is, I find the omission a bit surprising.
4) Continuing with KeePass, afaik it has been fairly thoroughly scrutinized and the findings I've heard of have left a positive impression
Pass also supports using git for change management.
SyncThing has the benefit of transparently handling the synchronisation behind the scenes for me. Whenever I place something in pass in the 'shared' subdirectory, it will end up in her database as well as soon as both our devices are online.
Right now I'm ginning something up based on the PasswordSafe format and the pass interface, but it'd be great not to have to reimplement the wheel.
I have a GPG file in Emacs, too. Just want to see what flow people use to deal with encrypted passwords.
Any thoughts on Bruce Schneier's PasswordSafe password manager?
"The Emperor's New Password Manager: Security Analysis of Web-based Password Managers"
I posted it on here the other day but it didn't go far. It's like youtube-dl, but instead of downloading videos it changes your password on various online services. If you get your password compromised by vulnerabilities or whatnot, it makes it easy to mass-rotate your passwords. Could use some help adding support for more websites if you're interested.
But I still expect that storing the master password locally is secure, otherwise what the fuck am I paying them for?
Speaking of LastPass, I've noticed them doing stupid things like this in the past and the problem is that I feel those bugs wouldn't have been discovered and made public if they weren't so popular. And I expect such a company to take security seriously, because this is what they sell. Hard-coding a symmetric encryption key isn't a minor slip up, this is the kind of mistake that I for one couldn't do, even though I'm no security expert. If they could do such an obvious mistake, then I can't trust them, regardless of their response time.
That's not to say other solutions can never be as secure, but it's a fairly good design nevertheless.
Is this like a "belief" in the healing power of crystals, or of the bumps on your head being indicative of your personality, or do you have something substantial to share?
Seriously though, I'm more interested in the assertion that any password manager can never be as secure as iCloud, even ones which don't upload data to the 'cloud'.
I noticed their website is made entirely in PHP. Not that PHP is bad, but this is possibly the worst choice for a web platform that holds secrets. At only $12 a year, they probably aren't trying very hard.
>you can find the link to open a support ticket in the bottom right of this FAQs page under "New Ticket".
I use Bitwarden for some things (lots of testing, nothing serious). Given its OSS nature, I thought it might have had more traction.
For reference: https://github.com/bitwarden