Password managers are quite familiar to people into #infosec.

But for #twitterexodus maybe not so much. Where are you at on this issue?

[Anonymous Poll!]

None - no automated manager: 8%
Browser for passwords: 10.7%
LastPass: 10%
1Password: 19.2%
Dashlane: 2%
KeePass or derivative: 15.1%
Bitwarden: 23.3%
Other - Paid: 2.8%
Other - Free: 8.7%

Apologies to all who voted: I omitted #Bitwarden, which is a very important PWM, and adding it reset the poll, wiping out 22 votes. Did not know that would happen, but you can vote again if you already did.

Bitwarden was a sponsor of a recent free online seminar on zoom which I was lucky enough to attend. Kevin Mitnick spoke at length as well as a roster of speakers from EFF, Protonmail and Bitwarden.

I tried migrating my PWM data into Bitwarden and it was not difficult. It is free and out of gratitude for their cosponsorship I am willing to take a hit on the launch of this poll. It had only been up for about 15 minutes before the edit so not a big deal.

๐Ÿด Greg Sideyr :nonbinary_heart:โ€‹ (@[email protected])

Keep yourself secure by having logins saved 3 different places that all pop up when you try to log in, none of which are correct *taps head* #InfosecTips

Infosec Exchange
@theghostoftomjoad No Bitwarden? I think that'll split up results between Other Free and Paid, since it's $10 p/y for the premium features like OTP.
@theghostoftomjoad 1Password, but really, password managers failed to reach the average user. It's time for the industry to adopt WebAuthn/passwordless auth. It's looking very promising so far 🤞

@theghostoftomjoad

You're missing BitWarden, which I'd argue is too large to shove into other.

Also, the poll only allows for one answer... I use a combination of BW and KeePassXC.

@BeegyPsi
Good point. I edited the poll and added Bitwarden. BTW, I also use more than one; initially I was going to write "as your primary PWM" but in the interest of brevity left that out.

I use that and another commercial PWM and also keep a KeePass around for backup. I keep thinking of permanently migrating to KP, but the commercial blobs have a lot to offer... like OSes, pure open source is more an ideal than a reality.

@theghostoftomjoad

I use #KeePassXC with a #YubiKey for my highest priority passwords (financial, legal, etc.) which is kept offline.

Then I use #BitWarden for online management of all the rest.

In theory, BW is zero-knowledge so I shouldn't have to worry. But security is best with a dose of paranoia. 😉

@theghostoftomjoad I voted for one, but really, I like Apple's model of using fingerprint or Face ID. I look forward to the time when there's a common infrastructure for this.
@theghostoftomjoad I'm shocked how popular LastPass is. I changed to 1Password after they were hacked this year. Made me lose faith. And 1Password has been much smoother and can store SSH keys easily.
@clayrosenthal
But afaik it does not offer a free option on the terms LP offers. Which are contracting. Some people prefer anything free over something that might be locked if their credit card transaction does not go through. I know, the risks are far greater the other way but consumers are people...
@theghostoftomjoad ok that's fair. I started paying for LastPass and then couldn't justify paying for a potentially compromised system.
@theghostoftomjoad I voted for my favourite, but in reality I use a combo of a few. Also, I love using hardware authentication devices wherever possible.

@j2e Mitnick likes the Yubikey, which makes a lot of sense.
I thought I was a bit of an odd case using multiple PWMs but always felt that if one failed it would be good to have a backup.

OTOH if they are both on the same browser that can work but there is too much conflict.

I just got back into Qubes and look forward to running parallel PWMs on the same browser in different VMs. That will be fun. And wise.

@theghostoftomjoad YubiKeys are awesome, and yup, for sure PWMs fight each other a lot in the browser. What I do is bind them to keyboard shortcuts instead of automatically letting them pop up. That's my default tbh; I don't like the intrusion of automatic pop-ups or injected icons in the HTML.
@theghostoftomjoad quite surprised BitWarden is ahead even though it's the best I've used personally. Just didn't think it was that popular!

@theghostoftomjoad I've been using Bitwarden for a while now, and very happy with it. My company switched to it recently for all our shared passwords.

My only complaint is that it requires the premium membership for the OTP feature. That's something that should be used as much as possible, and making it a paid feature discourages that.

@theghostoftomjoad Where is 'Post-It note on my monitor'?
@sullybiker @theghostoftomjoad and under the keyboard for the admin pw
@theghostoftomjoad I would've loved to have the poll multiple choice. I too use different PWMs for different occasions. Like browser PWM for trivial accounts like news sites, KeePass (+ YubiKey + password) for important ones. I add a once random PW I memorized to the stored ones for the VIAs.
@theghostoftomjoad Google Chrome, which is great except I have to copy/paste between systems and my iPhone
@theghostoftomjoad Personally I don't feel much of a need to sync passwords, but I do have a password vault on my computer. Should I vote "None" or "Other - Free"?
@theghostoftomjoad I am using 'pass' on my desktop computer. There is also a great iOS app. Both are using a git repository to store the encrypted passwords. https://www.passwordstore.org/
Pass: The Standard Unix Password Manager

Pass is the standard unix password manager, a lightweight password manager that uses GPG and Git for Linux, BSD, and Mac OS X.

@theghostoftomjoad Not surprised to see Dashlane to be the least popular. We use it at work and it used to be the best one for sharing passwords across the organization but nowadays it sucks, especially the browser addon is horrible to use.
Once our subscription expires we'll probably look into self hosting Bitwarden
@theghostoftomjoad I'm not sure whether I should be happy that Bitwarden and KeePass seem to be both insanely popular here, or just assume that everyone answering this poll is a nerd. Probably that last thing.
@theghostoftomjoad I'm on Cryptomator - mounts as a filesystem. Encrypted as files on local disk.

@theghostoftomjoad

None, because I don't trust *any* online service with all my passwords being locked by only one master password. The 'Forgot password' link is my best friend, and my memory.

@theghostoftomjoad After the recent security issues I wouldn't trust lastpass as far as I could spit a rat lol

Bitwarden seems to work well so far

@theghostoftomjoad My journey so far, over the past 10 years:

LastPass -> 1Password -> Bitwarden -> 1Password

Wanted to like Bitwarden, but very clunky, slow and featureless clients for both desktop and mobiles. 1Password 8 is nice and sleek 👍

@theghostoftomjoad NordPass and iCloud Keychain as a backup
@theghostoftomjoad does nobody use iCloud Keychain? I thought it would be pretty popular, since it's automatically there for Apple users.
@theghostoftomjoad what about Google? Works not only in Chrome, but also for apps on my phone, and syncs automatically between devices. And free.
@theghostoftomjoad
1Password for one org
LastPass for a different org
😅 I have two (very) different "last passwords"

@theghostoftomjoad

1Password, with some low-value passwords also stored in the Apple keychain for convenience (it's convenient until I have to change one of them).

@theghostoftomjoad @bitwarden really needs a virtual keyboard in their Android and iOS apps to be reliable.

@hadilq @bitwarden
What #android password apps have a #virtualkeyboard, if any?

Also, is the point so that user-created passwords can be more accurately typed or is it that they are less likely to be compromised?

@theghostoftomjoad Keychain more and more on iOS and macOS - especially since I can get Authenticator codes on there that autofill on a lot of sites (and I recommend to those it doesn't work on, such as Webmin, where it's rolled out because of my suggestion!) - so convenient! I use Chrome passwords for the moment for work, but we're looking at a "proper" PWM atm.
@theghostoftomjoad I don't use a password manager other than my iCloud Keychain. But I also operate my own email server and use one email alias per web service, to track down any spammers or hackers.

@theghostoftomjoad Personally, I keep my passwords in my head with a specific pattern to each one so I don't lose them or forget.

I don't trust something like a 3rd party manager to keep track of something. If it's out of my head and floating around in cyberspace or in the physical world, there's a chance someone else could get hold of it, even if it is a very tiny chance.

No one has access to the inside of my head. (YET)

@theghostoftomjoad Looking at migrating from LP to Bitwarden and the OTP migration is going to break me 😂