Password Managers, Anti-Virus & VPN software

Discussion in 'Geek Cave: Computers, Tablets, HT, Phones, Games' started by wadec22, Apr 7, 2020.

  1. purr1n

    purr1n Desire for betterer is endless.

    Staff Member Pyrate BWC
    Joined:
    Sep 24, 2015
    Location:
    Padre Island CC TX
    You are fine with Apple Keychain unless you are paranoid. If you are paranoid, there are more secure ways, but they are also a lot more inconvenient. Generally, I don't have a problem trusting Apple - or at least much less of a problem trusting Apple compared to the likes of Facebook.

    Bottom line is that greater security = greater inconvenience.

    Generally, your concerns should be with all the sites out there that have your password. Credit agencies, banks, the IRS, and companies get hacked on a daily basis. Often username/password databases get cracked, with entire lists published on the Internet. The best thing is to change passwords every now and then. Hackers, knowing that people will use the same password, will try your cracked username/password on many different sites until they get a hit.

    I'm pretty sure this is what happened to an admin/mod account on this site. This is why we've been pulling back certain admin powers from mods or removing mod powers entirely.
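    What purr1n describes is credential stuffing: a leaked username/password list replayed against many other sites. From the defender's side, the tell in an authentication log is one source address trying many different usernames, each once or twice, with a low success rate; the accounts that did log in during such a burst are the ones to force a password reset on. The Python below is an added example written for this thread, not code from the forum or from any product named in it. It assumes a simple log format of `timestamp ip username OK|FAIL` and runs over a constructed sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Format assumed here:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>", one attempt per line.
SAMPLE_AUTH_LOG = """\
2020-04-07T10:00:01 203.0.113.5 alice FAIL
2020-04-07T10:00:02 203.0.113.5 bob FAIL
2020-04-07T10:00:03 203.0.113.5 carol FAIL
2020-04-07T10:00:04 203.0.113.5 dave OK
2020-04-07T10:00:05 203.0.113.5 erin FAIL
2020-04-07T10:00:06 203.0.113.5 frank FAIL
2020-04-07T10:00:30 198.51.100.9 alice FAIL
2020-04-07T10:00:35 198.51.100.9 alice FAIL
2020-04-07T10:00:40 198.51.100.9 alice OK
2020-04-07T10:01:00 192.0.2.77 grace OK
"""


def parse_auth_log(text):
    """Turn log text into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least `min_users` distinct usernames within
    `window`. Returns {ip: {"distinct_users": n, "compromised": {usernames that
    logged in successfully during the burst}}}. One username hammered from one
    IP is a different pattern (brute force) and is deliberately not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological
        start = 0
        for end in range(len(attempts)):
            # slide `start` forward so attempts[start:end+1] all fall within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            users = {user for _, user, _ in burst}
            if len(users) < min_users:
                continue
            entry = flagged.setdefault(ip, {"distinct_users": 0, "compromised": set()})
            entry["distinct_users"] = max(entry["distinct_users"], len(users))
            entry["compromised"] |= {user for _, user, ok in burst if ok}
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['distinct_users']} usernames tried; "
              f"reset passwords for {sorted(info['compromised'])}")
```

    On the sample, 203.0.113.5 is flagged (six usernames in six seconds, one hit on `dave`), while 198.51.100.9 repeatedly guessing `alice` is left to a separate brute-force rule. The window and user-count thresholds are starting points to tune against a real baseline.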
     
  2. rhythmdevils

    rhythmdevils MOT: rhythmdevils audio

    Pyrate Banned
    Joined:
    Apr 15, 2020
    Location:
    Bay Area, CA
    I have a very safe password for this site. Random generated. So don’t pull back my powers I need them! :p
     
  3. AllanMarcus

    AllanMarcus Friend

    Pyrate
    Joined:
    Oct 23, 2015
    Location:
    Los Alamos, NM
    I can never remember my password, so I take it with me wherever I go.
    [image: license plate]
    Note: This is my actual license plate!
     
  4. YMO

    YMO Chief Fun Officer

    Pyrate Contributor
    Joined:
    Apr 1, 2018
    Location:
    Palms Of The Coasts, FL
    Coming back here after asking about VPNs. I took @Merrick's route and went with Mullvad. Other ones might have better pricing for Black Friday deals, but I really like how easy it is to use Mullvad. The auto-generated account # where you keep this info (and not Mullvad) is a nice touch for security. I also didn't want to pay for a whole year, so I did the month-by-month approach so if I hate it then I can stop using it without losing too much money.

    Of course if you are in the US and you want to use Mullvad, be aware of the EUR > USD conversion rate. If you pay with PayPal, their own EUR > USD conversion rate is not accurate and you will be charged a little bit too much. If you have a foreign-transaction-fee-free (No FTF) credit card, you can use it to pay by the month or whatever with Mullvad. I just use that No FTF credit card with Mullvad and call it a day. If hackers somehow get my CC info, it's easy to stop the fraud transactions with Chase and get another credit card, no biggie.
     
  5. fastfwd

    fastfwd Friend

    Pyrate
    Joined:
    Aug 29, 2019
    Location:
    Silicon Valley
    Cool, look what I found:

    https://superbestaudiofriends.org/index.php?account/two-step

    I assume it was added after SBAF was hacked and defaced, although I guess it's possible that it's always been there and I just never noticed.

    It's TOTP (time-based password, through an authenticator app), so not quite as unphishable as WebAuthn. But it'll protect your sneaker and cocktail photos -- or whatever else you post here -- better than just a password, especially if you share passwords across multiple accounts.
     
    Last edited: Dec 28, 2021
  6. BenjaminBore

    BenjaminBore Friend

    Pyrate
    Joined:
    May 23, 2016
    Location:
    London, UK
    F*** Cloud Based Password Managers, & The Subscription Model They Rode in On (Killing Time On A Saturday Edition)
    I don't trust commercial cloud based solutions, nor am I overjoyed to be forced into a subscription model. Why risk your most sensitive data to external, publicly accessible third-party hands, when you can just keep it locked up tight locally, and synced in a way of your choosing or with internet access firewalled in case of compromise. For free. Easily doable on a desktop OS, but not really on a mobile OS.

    Real world examples of cloud based risks:
    https://arstechnica.com/gadgets/202...rate-password-manager-and-steal-customer-data
    https://www.hackread.com/lastpass-hacked-this-time-for-good/

    Forcing everyone into a subscription model with cloud as justification is just too lucrative for these commercial products to pass up so there aren't a lot of options. There's the free and open source Keepass and its derivatives, Enpass, and some AV vendors package them in. Bitwarden self-hosted is an option too but looks like a major pain in the butt, and though you have control it still isn't offline.

    Ultimately I will probably choose two of the methods I've identified on Android as my primary and use one for most of the data and another to separate master info like recovery codes for two factor and email, and do periodic manual backups to secondary devices.


    Desktop OS
    On computer OSes the only solution I'm happy with so far is to use the original Keepass, or a derivative with some background check of the developer, level of GitHub contributor activity, and how a given Linux OS handles their repositories. Then block it in a software firewall. To go a step further you could put it in a Linux VM, disable network access in that, and block the VM in a firewall.


    iOS
    With iOS you have no app-level WiFi network access control. The least bad option has been to either use Apple's keychain offline (which you can't easily back up offline, if at all) or a keepass derivative called Strongbox. Group Policy Management software doesn't appear to give granular enough control, and isn't really accessible to individual users; same with Android.


    Android
    You have some network access control, sort of. The options are pretty flawed but you can at least ringfence a little.

    Password Managers

    The two most promising KeePass derivatives are Keepass2Android Offline and KeepassDX. The latter has a version on F-Droid so it's gone through some level of audit, as everything on F-Droid is compiled from publicly available source code. Unfortunately KeepassDX stores the keyfile anywhere except its protected data folder. Storage Access Framework was introduced in Android 11 and locks down file system access, requiring granular permissions, and prevents app data folder access to other apps. But legacy apps that need storage access can still access everything else for the time being, exposing your keyfile. But you can also install them into an isolated work profile, set up using the Shelter or Island app.

    Virtual Machines
    To go a step further you can run Keepass, KeepassX, or KeepassXC in a Linux VM on Limbo x86 PC Emulator via F-Droid. Installation is slow but I've found it usable with a light GUI on a top-end SoC circa 2019. Alternatively you can use scripts from Andronix or AnLinux to install Linux distros on top of Android with Termux and access them via a VNC remote desktop app, but I'm wary of trusting the scripts.

    Local VPN-based Firewalls
    Then to block network access there are local VPN based firewalls. Real firewalls aren't possible without root access. The best of these is Netguard, also available on F-Droid, which can additionally be set up with a hosts file to block privacy related IPs. The problem is that these types of firewalls do not work 100%. They don't block DNS, so they can be bypassed via DNS tunneling, and apps can still access the internet via system apps if they are made to. For example some Google and other big companies' apps go right around the VPN.

    Rooting
    You can install a real firewall if you root your OS. But assuming you can do it you're trusting the person who developed the exploit and it prevents you from installing security updates.

    Custom ROMs
    They lack any kind of security auditing. The biggest of them, LineageOS, does so for the core software, but each individual version that is compiled for a phone is developed by all but random individuals with no oversight, though it is compiled from those contributors' uploaded source. There are some security focused OSes like GrapheneOS but they're too restrictive all around.

    -

    A Note on Open Source Software Security & Privacy
    Although this can have a number of benefits, it really depends on how many people are involved developing and using the software, and what if any resources are available to them. So there is absolutely no inherent guarantee that something is secure or privacy respecting. It is no guarantee of audit, or even of anyone at all looking over the code. Certainly not for every update that gets pushed. There is also no knowledge of a developer's own security practices. Nor would most even have the resources to do any of those things.

    It has also become more of a target. There have been cases of people posing as contributors and getting malicious code into software posing as bugs, and then that software propagating through computers around the world via updates to software dependencies.


    A Quick Note on Privacy VPNs & AV
    There have been a number of reports on customer data privacy having been abused with some of these Privacy VPNs, regardless of what they claim, and even a few for AV. I don't have the links to hand, but they should be a Google away.

    -

    TL;DR
    Capitalism sucks. Open Source isn't magically safe. Use a Keepass derivative anyway and block its internet access. Trust no one, scrutinize everything.
     
    Last edited: Feb 19, 2022
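    BenjaminBore's point about local-VPN firewalls not blocking DNS is worth making concrete from the detection side. An app that tunnels data out over DNS cannot hide from whoever runs the resolver, and its lookups look nothing like normal ones: many unique, long, high-entropy subdomains under a single parent domain, typically as TXT queries. The Python below is an added example written for this thread, not code from the forum, from Netguard, or from any other product named here. It profiles a constructed resolver log (the `timestamp client qname qtype` format is an assumption) and flags parent domains whose query names look like encoded payloads; the thresholds are starting values to tune against a real baseline.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real data). Format assumed here:
# "<ISO timestamp> <client IP> <query name> <record type>". The example.net
# queries carry 32-character encoded labels, the shape a DNS tunnel produces.
SAMPLE_DNS_LOG = """\
2022-02-19T12:00:00 10.0.0.5 www.example.com A
2022-02-19T12:00:01 10.0.0.5 cdn.example.com A
2022-02-19T12:00:02 10.0.0.5 mail.example.com MX
2022-02-19T12:00:03 10.0.0.9 q7x2m9ak4f0dn3vbp8ze6ytr1cwh5lgs.t.example.net TXT
2022-02-19T12:00:03 10.0.0.9 b4n8sd1kf7mz3qpl9wxy2ve6gc0hrt5a.t.example.net TXT
2022-02-19T12:00:04 10.0.0.9 z1h6rc9te2ma8ky3fq0vs5nb7dw4xgpl.t.example.net TXT
2022-02-19T12:00:04 10.0.0.9 m5d0wg3kx7pe1bq9ry4ht2zs8lc6nvfa.t.example.net TXT
2022-02-19T12:00:05 10.0.0.9 y9s4vk1cg8dt6ah0xe3nr5wm2pb7fqlz.t.example.net TXT
2022-02-19T12:00:05 10.0.0.9 r2l7ab5fz0kn9ew4qv8hc1ys3tx6mgdp.t.example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payloads score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (parent domain, labels below it). Treating the last two labels
    as the parent is enough for this illustration; a real deployment would
    consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def profile_queries(lines):
    """Per parent domain, collect unique subdomain names plus the length and
    entropy of each query's longest label (where a tunnel carries its data)."""
    stats = defaultdict(lambda: {"subdomains": set(), "lengths": [], "entropies": []})
    for line in lines:
        if not line.strip():
            continue
        _ts, _client, qname, _qtype = line.split()
        parent, labels = split_query(qname)
        if not labels:
            continue
        longest = max(labels, key=len)
        s = stats[parent]
        s["subdomains"].add(".".join(labels))
        s["lengths"].append(len(longest))
        s["entropies"].append(shannon_entropy(longest))
    return stats


def suspect_tunnels(stats, min_unique=5, min_avg_len=20.0, min_avg_entropy=3.5):
    """Flag parent domains that exceed all three thresholds at once; requiring
    all three keeps ordinary CDN and mail hostnames out of the result."""
    flagged = {}
    for parent, s in stats.items():
        unique = len(s["subdomains"])
        avg_len = sum(s["lengths"]) / len(s["lengths"])
        avg_ent = sum(s["entropies"]) / len(s["entropies"])
        if unique >= min_unique and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[parent] = {"unique_subdomains": unique,
                               "avg_label_len": avg_len,
                               "avg_entropy": avg_ent}
    return flagged


if __name__ == "__main__":
    for parent, info in suspect_tunnels(profile_queries(SAMPLE_DNS_LOG.splitlines())).items():
        print(f"possible DNS tunnel under {parent}: {info}")
```

    On the sample, `example.net` is flagged (six unique 32-character labels, five bits of entropy per character) while the `www`, `cdn` and `mail` lookups under `example.com` are not. Query volume per client over time is the other signal worth adding on a real resolver, since a tunnel has to send many queries to move any useful amount of data.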
  7. Merrick

    Merrick A lidless ear

    Pyrate
    Joined:
    Jan 6, 2016
    Location:
    Portland, OR
    I agree with you in principle (and I tested and REALLY liked Strongbox—excellent features, super responsive dev, purchase option is reasonable for what you get), but in the end I needed something that is both convenient in the moment and something my wife will use. WAF is real in password management as it is in hifi! I settled on Bitwarden, not self hosted, because it was the best balance between features, price, UI, and usability. It’s big enough that I know it won’t go belly up in a year. Of course that does make it a bigger target for hacks but in theory if someone cracks Bitwarden’s database it shouldn’t matter because all vaults should be encrypted and require the master password and 2FA if set up to decrypt.

    I recognize that this is not the maximum security one can have. I have created maximum security setups to test them and quite frankly they’re a pain to use. And since I’m not a freedom fighter or human rights journalist or high stakes lawyer I recognize my threat model is mainly going to be from broad hacks of companies I’ve interacted with, which means Bitwarden’s security measures should be sufficient.
     
  8. Beefy

    Beefy Friend

    Pyrate
    Joined:
    Apr 10, 2021
    Location:
    Canada
    Bingo. Anything more than Bitwarden with 2FA becomes more of a burden on me than on a putative hacker. I figure that if someone manages to get all my passwords from Bitwarden with 2FA, they've earned it. And even then, all my critical accounts have 2FA on them as well, giving me a good safety margin to recover.

    A much more likely scenario for my stuff becoming insecure is someone hitting me on the head with a brick, and using my thumb to unlock my phone. That's the keys to the entire kingdom right there.
     
  9. Armaegis

    Armaegis Friend

    Pyrate BWC
    Joined:
    Sep 27, 2015
    Location:
    Winnipeg
    Joke's on them. My hands are so dry and cracked from the winter, my phone doesn't recognize my fingerprint anymore.
     
