Passwordmanager


date: 2021-08-21 08:18:12

tags: OSX and MacOS Tools

category: Test of Tools

originally posted on: boesebeck.name

Created by: Stephan Bösebeck




1Password

I've been using 1Password for a long time and have always been happy with it. However, there are now some reasons that speak in favor of switching to something else (purely subjective; everyone may weigh things differently):

  • The costs: you move from the normal "I buy a software" model to the "I rent a software" model. That is understandable, but the prices are increasing dramatically. the OSX version
  • There is no lifetime license. That means I have to take out a subscription if I want to use 1Password V8!
  • Those two points would still be bearable if it weren't for the quasi-online compulsion. Sure, there is no real compulsion; I can choose not to use the features I paid for. :smirk: But storing my passwords online, no matter where, together with those of thousands or millions of other users? That is exactly what makes such a service so exciting for hackers. I'll pass ...
  • And last but not least, new "features" have been added that simply get on your nerves. The 1Password extension for Safari now shows an input dialog for every form, and usually in such a way that the field can no longer be used. That used to be better.

But don't forget what's good about 1Password:

  • clearly the "prettiest" of the password managers
  • the operation is simple and the sync works flawlessly
  • good support in the browsers and also in iOS

Change to where?

So, it's time to look for a decent password manager. The following points are important (to me):

  • Offline! It should store a file for me somewhere that I can open even when the internet is not working, ideally even without the software itself. This is practically impossible to find at the moment, since almost all password managers only work online.
  • Possibility to sync via e.g. iCloud, Dropbox or Mega, but encrypted please! If the password store is encrypted on the iCloud drive, that should be enough.
  • Reasonably usable interface (although I also like the shell, see below).
  • iOS client! And the sync should also work there.
  • And it should be possible to import the data from 1Password more or less completely. I have quite a bit of data in there, not just passwords. That doesn't exactly make it easier.

Importing data from 1Password can work in more or less two ways:

  1. export / import in the "1Password export format" called 1pif. This is the recommended way, as attachments are included too.
  2. export / import in CSV or tab-separated text format. Information can be lost in the process, in particular the attachments, but the export also becomes difficult for certain data types.

The problem with the second variant is that the fields differ strongly between the various entry types:

  • a credit card has a PIN but not necessarily a password
  • A bank account has no password at all, but has an owner
  • A login requires a URL

The fields are therefore different, which makes the import really difficult. The only reasonably useful solution is to export each category individually with the fields that matter for that type and then map them accordingly in the "recipient program".

candidates

With these prerequisites there aren't that many left, because I also exclude those that merely offer an offline mode in addition to their online service. I can assume that they will soon jump onto the online bandwagon completely.

But a few are left after all:

KeePassXC

This is one of the programs from the KeePass family. They are all open source and relatively powerful. However, they are also relatively ugly. Also, unfortunately, they can't do a lot.

The security features leave little to be desired: for example, you can define a key file, specify the encryption algorithm, the bit width, and and and ... this is really exemplary, albeit complex.

Most KeePass clients do not offer any import for 1Password files. KeePassXC has an import for "1Password Vaults", but I have no idea what I have to select for it to import anything. I didn't get it working.

But there are also quite a few clients for iOS and extensions for most browsers.

The import of CSV files works, but you run into other limits: I didn't manage to import the different files that I exported into _the same_ database. A new DB is created each time you import. I probably did something wrong there, but the bigger problem is that a lot of things can't be imported properly because everything is treated as a password.

You can theoretically create your own fields, but only for each individual entry, not e.g. for a group and not during the import. There you feel f...ed

Conclusion

Pro: security features, client diversity, open source
Con: looks range from super gruesome to ugly, import of non-password data not really possible, import from 1Password not easily possible

Therefore, after a few days of trying, I gave up on KeePass, especially because I just couldn't get the data in.

Enpass

I bought Enpass ages ago, and luckily so, because as a former "Pro" user I can now use Enpass without having to take out a subscription.

Basically, however, this is to be rated rather negatively: here too they switched to the subscription model and just didn't want to scare away their existing customer base. Who knows whether it will stay that way and whether it won't change at some point. We know similar statements from 1Password, and a few years later they were no longer worth anything.

Enpass is significantly cheaper than 1Password (about half) and there is (still) a lifetime license! Since Enpass works completely offline, it is definitely worth considering. I have also not read anything about them planning an online service that can only be used with a subscription. So in this respect it is still a good alternative, even if you are not a Pro user.

As far as security is concerned, Enpass is also at the forefront: a key file can be used here as well, which increases security even further (it could be stored on a secured USB storage device, for example).

There is also synchronization. It does not work via a server of their own but via iCloud, Dropbox and similar services.

You can also create several "vaults", e.g. to separate work from private life.

And there we already hit a catch: to synchronize two vaults via iCloud you need two iCloud accounts. This is a bit strange, but it probably has a technical background. It is not really important to me, I never used this functionality with 1Password either, but I can imagine that it is a no-go for some.

The import of the data from 1Password was ... complicated, to say the least:

  • the export file in 1PIF format was not recognized by Enpass. Something has changed, because these 1pif "files" are not files but directories (similar to the Photos media library).
  • you have to copy the data out of the 1pif directory (right click -> show package contents); Enpass then asks for the directory in which these files are located.
  • but for me that didn't work for everything ("found nothing to import"). I had to export all categories separately again, then it worked.

Now I have all the data from 1Password in Enpass, including the attachments and the bank accounts or notes!

Conclusion

Pro: cheaper than 1Password, lifetime license, import of 1Password works including the non-password data types, iOS clients, good browser support, iCloud sync
Con: the look could be better, sometimes quite slow, subscription model (who knows how long the lifetime licenses will keep working), strange iCloud connection to the account, sometimes extremely slow (a search takes longer than 5 seconds)

Enpass is really worth considering and I'll keep looking at password managers for a while. But right now it's one of my favorites.

Secrets

Also a nice app, straight from the App Store, and it offers an iOS counterpart as well. The prices are one-time prices, not a subscription model. Secrets also looks quite appealing and is prettier than Enpass.

Secrets also works really fast, much faster than Enpass.

The sync with iOS went smoothly.

The import of the 1Password data went smoothly, there is also a browser plug-in, and the sync works via iCloud. All in all, a really solid password manager.

However, there was little I could find out on the website about how Secrets works. It appears to work completely offline and to synchronize via iCloud if necessary. How and which encryption is used is not mentioned either. The site has little information in general.

Conclusion

Pro: nice GUI, fast, easy to use, one-time payment
Con: a few entry types are missing, the search is somewhat limited, the browser plug-in can fill in logins but not save them

It's super easy to use, it's free in the App Store and can be upgraded to "Pro" with a one-off payment. The iOS app costs the same.

pass - Unix passwordstore

This one is an oddball among the password managers, but a really interesting one. pass is actually nothing more than a shell script. But one that has it all. But first I have to go back a little.

GPG

the "Gnu Privacy Guard" was created a few years ago as an open source counterpart to "PGP" (Pretty good privacy) and is particularly popular when sending emails.

GPG and PGP rely on the so-called "public key" procedure. You don't have one key, but two. One of them (the public key) is used to encrypt, its counterpart to decrypt. So everyone can have the one key (hence the name public key) and encrypt data or text that can only be decrypted with the associated private key.

pass now makes use of this functionality: it uses the command-line version of gpg to securely encrypt the passwords.

The passwords are encrypted with the public key, just like an email to me. I am the only one who has the associated private key, and only I can decrypt these password files.

The encryption methods on which GPG is based are still considered extremely secure even after years, and are therefore, in this case, superior to the other, symmetric encryption methods (such as AES256).

So if you want to use GPG to securely store important information, you can do it "just like that", even without any helper tools. The command-line tool simply takes any text and encrypts it with the public key; this is also what GPG-capable mail clients do.

pass now uses these tools to store passwords securely. And that works amazingly well. But not only that: because pass "only" deals with encrypted text files, you can save any content. The only rule: the first line is the password; after that you can enter fields in the format Name: Value. Multi-line values also work:

Name: Line 1>
  Line 2>
  Line 3
OtherName: Value2

It is important to stick to this syntax, then you can also use the Pass app for iOS. There are implementations for Android as well.

For synchronization, pass uses git, which is actually intended for developers. There are umpteen public servers, or you can set up your own somewhere. If it is additionally secured via SSH or other mechanisms, it can simply be backed up, and everything is completely transparent. The nice thing is that you automatically get a history of the passwords and, if you are familiar with git, you can restore an old version at any time. It can also be used to share the password store with others. More complex setups with several git sub-repositories are possible too, e.g. to separate shared company passwords from private ones, etc.

That's what I like best about pass: it stores sensitive data, so it is of course an advantage that it is based on standards known to be secure. And I have more freedom, somewhere else ...

In theory, with this approach, I can store everything securely. And if I want, I put my private key on a USB drive and voilà, nobody can open the store unless the USB drive is connected.

Operation on the command line is of course a bit cumbersome (but also practical if you need a password in the shell). But there are some tools that help you enter passwords. I myself wrote a workflow for Alfred that helps you query pass and find the passwords you need.

Importing the 1Password data was also ... well, actually not possible. I helped myself here as well and wrote a small script that imports a 1pif file exported by 1Password.
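As an added example (not the author's import script, and not code from the pass project), the following converter turns 1pif records into entries in the pass layout described above (password on the first line, then Name: Value fields, multi-line values continued on indented lines) and parses such entries back. The 1pif structure it assumes (one JSON record per line followed by a separator line, login fields under secureContents.fields, other item types storing their values directly) is my reading of the export format, and the sample records are constructed.

```python
import json

# Constructed sample in the 1PIF layout as I understand it (an assumption, not from
# the post): one JSON record per line, each followed by the separator line.
SEP = "***5642bee8-a5ff-11dc-8314-0800200c9a66***"
SAMPLE_1PIF = "\n".join([
    json.dumps({"title": "Example Shop", "typeName": "webforms.WebForm",
                "location": "https://shop.example", "secureContents": {"fields": [
                    {"designation": "username", "name": "email", "value": "me@example.org"},
                    {"designation": "password", "name": "pw", "value": "s3cret-Pa55"}],
                    "notesPlain": "Support hotline\nopen Mon-Fri"}}), SEP,
    json.dumps({"title": "Example Card", "typeName": "wallet.financial.CreditCard",
                "secureContents": {"cardholder": "Jane Doe", "pin": "1234"}}), SEP])

def parse_1pif(text):
    """Records of a 1PIF export: every non-empty line that is not a separator."""
    return [json.loads(l) for l in text.splitlines() if l.strip() and not l.startswith("***")]

def record_fields(rec):
    """Flatten secureContents to name -> value. Logins carry a field list; other types
    (card, bank account) store values directly, so their own fields (PIN, owner) survive."""
    sc = rec.get("secureContents", {})
    out = {f.get("designation") or f["name"]: f["value"] for f in sc.get("fields", [])}
    out.update({k: v for k, v in sc.items() if isinstance(v, str) and k != "notesPlain"})
    if rec.get("location"):
        out["url"] = rec["location"]
    return out

def to_pass_entry(rec):
    """pass layout from the post: password first, then Name: Value, indented continuations."""
    fields = record_fields(rec)
    lines = [fields.pop("password", "")]  # first line is the password (may be empty)
    lines += [f"{k}: {v}" for k, v in fields.items()]
    notes = rec.get("secureContents", {}).get("notesPlain")
    if notes:
        first, *rest = notes.splitlines()
        lines += ["notes: " + first] + ["  " + r for r in rest]
    return "\n".join(lines) + "\n"

def parse_pass_entry(text):
    """Inverse of to_pass_entry: first line is the password; an indented line continues a value."""
    lines = text.splitlines()
    fields, key = {}, None
    for line in lines[1:]:
        if line.startswith("  ") and key:
            fields[key] += "\n" + line.strip()
        elif ": " in line:
            key, _, value = line.partition(": ")
            fields[key] = value
    return lines[0], fields
```

The text returned by to_pass_entry is what you would hand to `pass insert -m <name>` so that gpg encrypts it; the converter itself never touches keys.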

Conclusion

Pro: open source, uses known standards, very powerful, iOS support, very flexible, very secure
Cons: complex setup, not really easy to use, hardly any iOS support, no real GUI, sync infrastructure has to be set up first, not advisable without experience in the shell

You can say that pass is clearly not for beginners. But the technologies and the possibilities speak for themselves. I will keep using pass for a while as well.