Don't Panic
Posts: 756 Joined: 28-Dec-2014 Last visit: 01-Oct-2022 Location: Everywhen
What's the best way of storing many passwords? I use LastPass, but I feel really insecure with it, which may be completely unjustified. Are there better alternatives?
"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
Well I'm going to say the obvious and honestly best way - offline, written down and kept somewhere quickly accessible, having none of it stored on your actual computer. This is hands down the best method.
With that said:
There's always using one-way cryptographic hash functions, storing the compiled hash values in a txt file, then if needing to remember your now-hashed passwords later - there are relatively small few-line scripts that can do the comparison, but for the comparison script to work you'd need to have written in/supplied the table of hashed passwords and their given plaintext equivalent within the script for it to even do the comparison against your pswd file w/ the given hashes and to retrieve the plain-text values.
(*Only reason I mentioned this is because I know you've talked about the fact you code, so yeah)
^^^ Using this comparison script is only for if you would need to retrieve the given plaintext - in say you forget a given password and can't remember - then you could run the comparison script against your txt file of pre-compiled pswd hashes.
Though this could be seen as overwork/overkill just to see your plaintext passwords if you'd happen to forget one of them - you'd have to create your own comparison script.
A really sound way imo/ime is using an AES encrypted usb drive stick. The best program out there for this ime is veracrypt [a fork from truecrypt].
You can use veracrypt to instantiate a usb flashdrive container - allowing an encrypted volume to be created so that whenever you decide to plug in & mount the usb drive - you can select an open slot in veracrypt, then select the path of your usb drive to mount, enter your passphrase, then decrypt the container/volume, then there's your plaintext pswds.
Btw when you have veracrypt open and the usb drive mounted - add w/e plaintext passwords you have - then once within the given volume/container they'll be automatically encrypted, then dismount, unplug usb, done. Then to retrieve - you just do what I said above. And obviously you want to keep the usb stick somewhere readily accessible && [hopefully] secure.
##!
If you really want to enhance vc to its full potential - you can instantiate an encrypted volume within an encrypted volume - with the underlying volume hidden (i.e. the one that would contain your sensitive data). The outer volume you can throw in w/e BS files you'd like, anything to throw the person off if they happened to get the outer volume's key/passphrase - though when they'd access this outer volume all they'd see is your mach-files, with the inner volume completely hidden from view.
The only way said person would get to access your inner volume is if they knew the passphrase for that inner volume. But the whole point of having a volume within a volume is to fake the said person into believing they'd accessed 'your actual passwords/sensitive data' - when in reality you'd have given them only the outer volume passphrase - which is just essentially a honeypot of sorts, a dummy setup.
I know you said you use linux, so vc is worth looking into. I think it's out for windows too, but not entirely sure.
I use a usb stick with vc w/ the hidden volume.
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
The pswd manager itself uses the company's server for much of the extension's functionality, though the extension itself has several fallbacks to server provided pages for a few of its provided features. For example - one of these fallbacks on the extension is the 'account settings' which redirects you to a web-interface page hosted by LastPass's server, bypassing the extension itself.
There have been past flaws in several of the APIs:
** getdata & keyplug2web
It was found that the response to these API calls contained your local encryption key - which could potentially be used to decrypt all pswds server-side. Random websites used to be able to access these APIs, not sure how buttoned-down this is now, but I think now only the lastpass domains can trigger these calls. Lastpass blocks the calls now from any domains outside of the former.
Though the subdirecs/pages within lastpass domain seemed to also be vulnerable under certain circumstances - there apparently used to be a breach notifier [i think there still might be] that lastpass server would send to the client if such a thing came up with the server, containing a short message with a link for the client - in which case if the client clicks the supplied link then the API keyplug2web would become unlocked - giving access to all the given passwords.
There's been numerous reports of lastpass's autofill functionality being exploitable.
One instance was a section of the code that parsed the URL to figure out the specific domain the browser was currently at, then it would fill in the given credentials due to a flaw in the URL encoding - which could be displayed on the subsequent get/post requests on the following page/s. (& with minor tweaking of the URL itself).
The master password could also potentially be brute-forced. I think LastPass uses the PBKDF2 algorithm for derivation of the key from the master password. This algorithm has one major property of being fairly slow, so ppl trying to pswd guess locally can be slowed down a bit.
This 'time required' is proportional to the # of iterations for the algorithm, meaning an increased number of iterations would consequently lead to a significantly tougher time to guess the password. LastPass's # of iterations used to be around 4000 or so, though as of last year they apparently up'd the # of iterations to 12000, which is a nice jump, and helps add additional security.
There's a few other troublesome areas with lastpass in terms of the local encryption scheme. There's a number of occasions where the extension will expose your local encryption key to lastpass's servers:
** opening account settings
** security challenge
** history
** bookmarklets
** linking a personal account
** adding an identity
** printing all sites
Don't Panic
Posts: 756 Joined: 28-Dec-2014 Last visit: 01-Oct-2022 Location: Everywhen
Thanks for the info, some really informative stuff. I'm not tech savvy enough to use all that stuff, but I did find this: https://masterpassword.app/
Quote:
Master Password is the answer to the problem that websites have forced on us.
Master Password is not a password manager. It is not a secure vault or a digital notebook. It is something else entirely, and yet something so simple.
Think of it as a store-bought calculator. If your name was 1337, your master password was 5317 and you'd like to log into the site 707, take any calculator in the world and type in 1337 + 5317 + 707 to get the password to use for this site, = 7361. Can somebody steal your password? Just hit . What are you going to do if you forget your site's password? Just redo the math. What if you lose or break your device? Borrow a buddy's or get a new one, math is universal. Does a calculator need to sync with the cloud before you can use it? No, just remember your own name and master password.
This is the freedom Master Password gives you. Master Password performs a similar but cryptographically secure operation, hardened by interweaving primitives against both known and unknown attack vectors, ensuring that targeting your identity remains absolutely insurmountable.
With Master Password you leave no passwords laying around. You no longer store passwords in commercial, proprietary apps and no longer send them off to the cloud. You are no longer tied to your laptop or the internet if you need to look one up. Even if a personal or natural catastrophe causes you loss, you can never lose your account passwords — all you ever need is your one and only secret master password and anyone's Master Password calculator app.
It does have limited functionality compared to LastPass, like autofilling, but seems way more secure.
"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."
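As an added illustration (not code from Master Password, LastPass, or anyone posting in this thread), the Python sketch below ties together the two ideas discussed above: PBKDF2 with a configurable iteration count as the master-password stretching step, and a deterministic per-site derivation in the spirit of the "calculator" description. The user name as salt, the character set, and the demo credentials are assumptions made for the example.

```python
import hashlib
import hmac
import string

# Character set for generated site passwords (an assumption for this example).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
REJECT_ABOVE = 256 - (256 % len(CHARSET))  # 210: largest multiple of 70 <= 256


def derive_master_key(name: str, master_password: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256.

    The user name is the salt, so two people sharing a master password get
    different keys. `iterations` is the work factor the thread discusses:
    every offline guess costs an attacker this many HMAC rounds, so going
    from 4000 to 12000 makes each guess roughly three times as expensive.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), name.encode(), iterations, dklen=32
    )


def site_password(master_key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministically derive one site's password from the master key.

    Nothing is stored: the same inputs always give the same output. The
    counter lets you rotate one site's password without changing the master
    password. Bytes >= REJECT_ABOVE are skipped so the modulo mapping onto
    CHARSET is unbiased.
    """
    out = []
    block = 0
    while len(out) < length:
        msg = f"{site}\x00{counter}\x00{block}".encode()
        stream = hmac.new(master_key, msg, hashlib.sha256).digest()
        block += 1
        for b in stream:
            if b >= REJECT_ABOVE:
                continue
            out.append(CHARSET[b % len(CHARSET)])
            if len(out) == length:
                break
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    key = derive_master_key("alice", "correct horse battery staple", 12000)
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))  # rotated password
```

Losing the per-site derivation parameters (site string, counter, length) is the same as losing the password, which is the trade-off such calculators make in place of a stored vault.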
DMT-Nexus member
Posts: 4612 Joined: 17-Jan-2009 Last visit: 07-Mar-2024
Psilosopher? wrote: I'm not tech savvy enough to use all that stuff, but i did find this:
It does have limited functionality compared to LastPass, like autofilling, but seems way more secure.
If you're interested there are fairly straightforward articles on doing the encrypted volume/s and/or usb approach, but it's understandable if you'd rather not mess with it. && Limited functionality is a good thing in a lot of cases haha, at least in terms of things surrounding passwords. Small surface area as far as offensive attacks go, though the premise of 'small surface area' only stands really if this supposed limited surface area design is true to its underlying tenets/framework. Appears this is just a cryptographic hash calculator with some added inherent functionality. Seems like an interesting app.
DMT-Nexus member
Posts: 122 Joined: 19-Jun-2019 Last visit: 12-Aug-2024 Location: 01
After using several password managers, at last I found KeePass 2 better than the others, even 1Password. It's open source (you can be sure there is no malicious code) and multi-platform. I'm using it for 2 years now with no problems. If you have confidential files I suggest you use Linux. I have one hard drive for these things. I set up Linux and encrypt all the hard drive (Linux has a security option in installation). Hope this helps.
"I understood myself only after I destroyed myself. And only in the process of fixing myself, did I know who I really was."
DMT-Nexus member
Posts: 267 Joined: 14-Dec-2018 Last visit: 14-Apr-2024
Most password recommendations are created for ordinary Internet users who only need medium levels of security - enough to keep script kiddies away from your email.
My (unqualified, personal) opinion is that these recommendations may not be sufficient for Nexus users. When the stakes are high and the adversary is strong, higher levels of security are required.
Consider the unthinkable - memorizing a new, really long and strong password (say, 12 to 20 random uppercase and lowercase letters, numbers, special symbols) every year. Do not trust any tool or website - just roll the dice. No, it is not easy, and it takes some practice, but an average human can do it. To ensure there is an emergency backup in case your memory fails, split that password into parts and write them down somewhere (never together / in one place).
If you are in the US, do not rely on your fingerprints to unlock your encrypted phone. The Fifth Amendment protects your right not to disclose your password, to anyone, ever, unless you are granted immunity from prosecution. Your fingerprints are not protected at all.
DMT-Nexus member
Posts: 337 Joined: 01-Dec-2017 Last visit: 09-Apr-2024 Location: Virtually on earth, Really everywhere
Hey. Personally I use an encrypted partition and a KeePass (using KeePassXC because it's open source) database stored on the computer. It's synced on a Nextcloud instance (a personal server, with encrypted drive). All passwords are auto-generated by KeePass, at least 64 bit characters (128 / 256 if the app accepts it). I just know 2 nice passphrases to have access to all my passwords. Something to consider is a regular backup to protect all your data. It's some habits to change. Other things to consider is to think to close / restart your computer to prevent potential memory leak from websites (see Spectre and other flaws). Cheers
DMT-Nexus member
Posts: 117 Joined: 13-May-2018 Last visit: 01-Apr-2022 Location: The Nexus
B1ack_Ph03niX wrote: After using several password managers, at last I found KeePass 2 better than the others, even 1Password. It's open source (you can be sure there is no malicious code) and multi-platform. I'm using it for 2 years now with no problems. If you have confidential files I suggest you use Linux. I have one hard drive for these things. I set up Linux and encrypt all the hard drive (Linux has a security option in installation). Hope this helps.
I highly suggest this.
"In this secret room, from the past, I seek the future..."
DMT-Nexus member
Posts: 804 Joined: 27-Feb-2016 Last visit: 17-Aug-2024
On ss64.com there is a password generator. You remember a single password and it will generate complex passwords for you. Whatever the algorithm is, it remains the same, so as long as you remember your master password you can fetch all of your passes on any device connected to the internet. It's not a bad approach.
The nearest we ever come to knowing truth is when we are witness to paradox.
DMT-Nexus member
Posts: 574 Joined: 24-Jan-2009 Last visit: 25-Aug-2023 Location: somewhere in the sands of time
+1 for https://www.ProtonMail.com/ They also fought off the largest DDOS attack in Europe's history. Proton Mail's underground bunker:
[attached image: 8742746.image_-1024x681.jpg]