The moment the attacker has access to your device, it's game over anyway.
Everything could be cracked into; the thing is how easily, how many people can actually pull it off, and whether they will. I think for the vast majority of the population there is no need for extreme measures, and if you value the information you possess so highly that you would not store it on a computer because it could be compromised, I suggest learning memory techniques and storing everything within your mind, because that is the best-encrypted vault, far from being cracked into in the near future… if you exclude some sophisticated torture
That’s true, but if the app has a severe vulnerability then it’s something different, and you are risking ALL your passwords.
Yes, everything within my mind.
That's the thing, it doesn't matter at all how secure the app itself is, as long as the crypto has been done well, which is the case with KeePass.
Then it could be something less complicated (and maybe more secure, because it's not an app), such as a text file with your passwords that you encrypt with AES256, like I do with my files before uploading them to some cloud or saving them on external hard disks and USB pendrives.
The point is that I don't trust only 1 app with ALL my passwords. And maybe you only need to crack the password of the app. You crack 1 password and you have them all.
Encrypting is exactly what it is, a password manager just makes an encrypted file in which you store your passwords, and because you need to remember only one secure password, means you can use way stronger passwords for everything. Sure a keylogger can intercept the encryption, but at that point intercepting your passwords normally is possible too.
I mean that a text file and a command in Terminal is simpler and, I'm sure, has fewer vulnerabilities.
Anyway, another thread should be: can we trust passwords only?
KeePass has embedded protection against keyloggers.
When typing the master password: Tools / Options / Security / Enter Master Key on Secure Desktop = Yes. (Incredibly, this option is not enabled by default – and buried deep. At least it wasn't last time I checked.)
When Auto-Typing username and password: Edit Entry / Auto-Type / Two-Channel Auto-Type Obfuscation = Yes. (Needs to be enabled for each entry separately. Not enabled by default, because some sites won't accept it. Very few of them, in my experience.)
Even if you have, a memorable password is not a good password, even if you have the best system ever 
Deal breaker. I had not understood that. It makes LessPass impossible to use, in practice. Unless you envision never changing your master password, but that would be a stupid assumption to make.
In fact, LessPass-type programs have always looked to me like challenging intellectual games for crypto-minded people. It's fun science. Practical tools? Not so much.
I can see a system where you would be able to remember passwords that are not memorable at first sight, the same way you are able to learn to remember dozens of numbers via those techniques.
Like for example “kloning-FLOWN~&88–namaste” would be in my opinion very strong password and I can imagine having a memorizing technique for remembering such passwords.
When LastPass got purchased by LogMeIn for $125M I switched to Bitwarden instead… figuring it's open source, and how are LogMeIn going to make that $125M back + profit on a free password manager? (Probably by selling info.)
As it stands I use a somewhat complicated password. I don't use 2FA because it requires a smartphone - I use a phone that could have been made in the early 90s, because I think smartphones are already compromised when they are sold - people are paying $1000 for a tracking device. I might get a dongle of some kind for 2FA though.
However 0day is always a worry no matter what you do and then we found out about how access to computers is enabled through Ring bus regardless of your OS… I figure everything you do is vuln now and I just try not to be low hanging fruit for “l3370 scr1ptk11d13s” or whatever they call themselves these days.
As for site passwords, they are all like 30 chars with a load of symbols… if I ever lost access to my BW account I would be screwed.
About the 2FA thing, if you have a spare computer lying around, you can use TOTP-based 2FA with KeePassXC on a computer.
Also, welcome to our forum!
I don't think that is true. As @Zlivovitch pointed out, reputable password managers have protections against keyloggers. Password managers are more likely to build in protections for the common user (URL detection to protect against phishing, etc.) than a text file and a terminal program.
Theoretically, this might be true, but I don’t think it’s realistic. I probably have 200 passwords in my manager. Some of which I probably haven’t used since I created them. It’s not realistic for me to remember all of them until I need them again.
I think we're talking about different things. What I mean is something easy: only deciphering a text file to check a password from time to time and nothing else, as simple as a Terminal and a file. A password manager works differently and has many features, and so more programming and, sooner or later, vulnerabilities, as we have already seen in the past. Anyway, I can't trust 1 single program to manage all my passwords. Of course you are free to do it.
Let's put it like this: if the vast majority of security experts advise you to do something, it typically becomes a good idea to follow that advice.
Probably by selling LastPass Premium subscriptions, and password management services to enterprises? Not everything is a conspiracy!
That being said, Bitwarden is still probably the better choice 