Password Manager with easy Android Integration (and YubiKey)
NorthernGuy
Posts: 49 Forumite
in Techie Stuff
My wife & I are long-term LastPass users, sharing one account with two sub-identities, which saves cost and can be useful if we ever need to log in for each other. We have YubiKeys which add an extra, non-password level of security, which I think is essential, especially since the poorly announced LastPass security breach a few years back.
But the Android mobile phone interface seems clumsy. She has quit using LastPass on her mobile, nowadays resetting her passwords when access is needed and then setting a simple, reused password she can remember. A security nightmare, I know.
So I'm looking at alternatives where the Android interface is smooth & simple and she'll stop this bad habit. One account with different identities would be nice, not essential though.
Any alternative needs to accept YubiKeys, I realise that probably means it'd be paid-for.
Comments
Emmia
Surely Google password manager would be better than her current approach?
I've absolutely no idea if Bitwarden supports Yubikey or not, but having tried LastPass I have been a Bitwarden user for years now, having moved over from KeePass.
sausage_time
Password Safe has an Android port which I believe supports Yubikey (as do the Windows and Linux versions). I don't have one of the keys; I use my fingerprint to access the safe on my phone.
https://pwsafe.org/
I’m a Forum Ambassador and I support the Forum Team on the Credit Cards, Savings & investments, and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
All views are my own and not the official line of MoneySavingExpert.
Emmia said: Surely Google password manager would be better than her current approach?

Agreed. And it's free.
You can even create a 'google account' using your existing email, so no changes needed.

NorthernGuy said: We have YubiKeys which add an extra, non password level of security, which I think is essential.

Seems unnecessarily cumbersome, when you could just use an app-based Authenticator (plenty of options available).
If you suggest this is a security risk compared to a physical authenticator, I'd question how rational it is to plan around the risk of a perpetrator knowing your username and password to a specific site, simultaneously having physical access to your device for 2FA (since you'd be using an authenticator, not SMS, which is highly secure against spoofing), while knowing the PIN to your phone and knowing the PIN to your authenticator (or having the same face/fingerprints if biometrics are enabled), all while simultaneously having access to your emails (with the MFA requirements there), as most 'important' changes that a hacker might be interested in require verification by email.
In reality, the significant majority of cases aren't from nefarious actors sitting in dimly lit rooms typing gibberish into a command prompt 'hacking' helpless unsuspecting victims; it's generally from either:
a) a website with poor security and encryption gets hacked and details of user accounts and passwords are stolen and published on the dark web. Nefarious actors then scour through the list, trying the same details on other websites (mainly email providers) in the hope that they use the same email/password combo. This strategy not only relies on the victim re-using login details across websites, but also on having no MFA on their email account (madness in my opinion; it's like leaving your front door unlocked).
b) the nefarious actor speaks to the victim and gets them to provide their email or password through various means. This can take the form of pretending to be from the bank and convincing the victim to send money to them. Or telling the victim you're from IT support and their account has been hacked and you're helping them get it back. Or a whole host of different ways. 'Social engineering', as it's called, is one of the most common methods nowadays as digital security has improved (some of this attributable to users like yourself, but mainly certain apps (e.g. banking) including additional security layers (e.g. secure keys, separate user IDs, additional verification to set up new payees, systems behind the scenes blocking suspicious transactions, etc.)).
These methods are significantly more common. 'Hacking' (as in what most people understand it as meaning - the 'brute force' approach where the victim was powerless to prevent it) is very uncommon considering the relative simplicity of the alternatives, plus a simple authenticator, even if just on your email, halts most attempts in their tracks.
Know what you don't
Can't comment on the user interface since I've not used Yubikey but a quick look at the Bitwarden Help says that it is supported as 2FA to access the vault, the integration seems to be supported on the paid-for versions only.
If your concern is the actual Android app for Bitwarden (rather than just the Yubikey integration) then why not just download the app and try it - free for single user.
I use Bitwarden which syncs the vault across devices inc. Android and auto-fills logins on mobile apps and browser. The Bitwarden Vault can also hold Passkeys.

Modern systems that implement WebAuthn/FIDO2 properly can register multiple independent credentials for the same account. Each credential is its own key pair. The server does not care whether one lives in a hardware key and another lives in a synced passkey store, as long as each was registered legitimately. So the following model is entirely valid:
• Passkey A generated and stored in Bitwarden and used on Android with a biometric to release the key.
• Passkey B generated and stored on a physical YubiKey and used on a PC or laptop.
Both authenticate the same account. Neither replaces the other. Neither needs to sync to the other.

NB for most users, hardware keys are overkill and create a lot of friction in use. The Authenticator apps already stop the dominant failure modes:
• Password reuse after breaches
• Credential stuffing
• Basic phishing
• Malware that only captures passwords
For the vast majority of users, TOTP via an authenticator app plus a unique password eliminates 95 percent of practical risk.
Another vote for the Google password manager, especially for anyone on Android.
alanwsg
sausage_time said: Password Safe has an Android port which I believe supports Yubikey (as do the Windows and Linux versions). I don't have one of the keys, I use my fingerprint to access the safe on my phone. https://pwsafe.org/

I've been using Password Safe for years, but I didn't know I could use my fingerprint to unlock it.
How do you set that up?
I don't see any mention of it in any of the menus.
NorthernGuy
Thanks for the replies. When we signed up with LastPass, maybe 15 years ago, I'm not sure authenticators were a common thing. I'm not certain we had smartphones then, either.
The obvious Achilles heel of any password manager, especially one synced to the cloud as most are, is that anyone who cracks it has all your passwords in one go. I do realise how strong AES 256 etc. are against brute-force attacks; the weaknesses usually lie in lower-grade attacks. Spyware captures your keystrokes, for example. Or a physical keylogger is placed on the back of your work PC to record them. Or a camera has a view of your keyboard & screen as you log in. Then they are in.
So at that time, the early two-factor authentication of YubiKey was very appealing. Especially a physical thing someone must take from you. When my wife's phone died completely without warning a few weeks ago (motherboard failure) we were reminded how tough life is without one. Trying to use a laptop whilst awaiting phone repair, many sites wanted to SMS a login code for 2FA, one she could not receive. But she could still log in to LastPass with her YubiKey.
Correct me if wrong here, but if someone steals your phone, they are in a position to use the authenticator app on it. Then we're back to just the security of your master password. A physical key (could be a removable USB keyfile) is then the second defence they cannot breach. A lost YubiKey can be deregistered.
I wasn't trying to argue the pros & cons of YubiKeys, which I note are used in some of the highest security companies. The CIA software expert turned whistle-blower Edward Snowden had one in the documentary Citizenfour about his revelations a decade ago. But having several YubiKeys, I have no good reason to step back to a phone authenticator. Most password managers seem to accept YubiKeys in their non-free versions. As for Google Password Manager, I don't know how good it is now. But back 15 years ago when registering with LastPass, its party trick (by way of warning) was to decrypt browser-stored passwords and show you them in plain text.
So my question is, which password manager works flawlessly with browsers on an Android phone, so she's not tempted to revert to bad ways?
sausage_time
alanwsg said: I've been using Password Safe for years, but I didn't know I could use my fingerprint to unlock it. How do you set that up? I don't see any mention of it in any of the menus.

Are you using this version on Android?
https://play.google.com/store/apps/details?id=com.jefftharris.passwdsafe
Click the help "?" icon on the password screen for details.