Password Manager with easy Android Integration (and YubiKey)
Comments
NorthernGuy said:
> Thanks for the replies. When we signed up with LastPass, maybe 15 years ago, I'm not sure authenticators were a common thing. I'm not certain we had smartphones then, either.
> The obvious Achilles heel of any password manager, especially one synced to the cloud as most are, is that anyone who cracks it has all your passwords in one go. I do realise how strong AES-256 etc. are against brute force attacks; the weaknesses usually lie in lower-grade attacks. Spyware captures your keystrokes, for example. Or a physical keylogger is placed on the back of your work PC to record them. Or a camera has a view of your keyboard and screen as you log in. Then they are in.
> So at that time, the early two-factor authentication of YubiKey was very appealing, especially a physical thing someone must take from you. When my wife's phone died completely without warning a few weeks ago (motherboard failure), we were reminded how tough life is without one. Trying to use a laptop whilst awaiting phone repair, many sites wanted to SMS a login code for 2FA, one she could not receive. But she could still log in to LastPass with her YubiKey.
> Correct me if wrong here, but if someone steals your phone, they are in a position to use the authenticator app on it. Then we're back to just the security of your master password. A physical key (could be a removable USB keyfile) is then the second defence they cannot breach. A lost YubiKey can be deregistered.
> I wasn't trying to argue the pros and cons of YubiKeys, which I note are used in some of the highest-security companies. The CIA software expert turned whistleblower Edward Snowden had one in the documentary Citizenfour about his revelations a decade ago. But having several YubiKeys, I have no good reason to step back to a phone authenticator. Most password managers seem to accept YubiKeys in their non-free versions. As for Google Password Manager, I don't know how good it is now. But back 15 years ago when registering with LastPass, its party trick (by way of warning) was to decrypt browser-stored passwords and show them to you in plain text.
> So my question is, which password manager works flawlessly with browsers on an Android phone, so she's not tempted to revert to bad ways?

Google Password Manager works flawlessly, especially on Chrome. It may not be as secure as YubiKeys (I'm not familiar with them though). I think Google have spent quite a bit of time in the last 15 years upgrading Password Manager.
NorthernGuy said:
> So my question is, which password manager works flawlessly with browsers on an Android phone, so she's not tempted to revert to bad ways?

As ever, it depends. If by flawlessly you mean always auto-filling user ID/password fields, then I'd say none of them.
There are too many variations of ways to code a login web page for every quirk and downright perversion to be catered for; some sites seem to have been designed with the express purpose of making them hard to use with a password manager (yes, you, Santander).
I've got the login credentials of over 1000 sites in Bitwarden; I reckon 70% are just fine, the others will force you to swap between a Bitwarden vault page and the input screen to manually cut'n'paste entries.
PWMs I suggest you look into are:
Bitwarden
1Password
RoboForm
KeePassXC
NorthernGuy said:
> Correct me if wrong here, but if someone steals your phone, they are in a position to use the authenticator app on it. Then we're back to just the security of your master password. A physical key (could be a removable USB keyfile) is then the second defence they cannot breach. A lost YubiKey can be deregistered.

Only if they also have access to you, as the Authenticator app and Google Password Manager use biometrics. You can override that with your master password and other 2FA options, but you should never be using your master password in a public place anyway.
Ultimately, with enough effort anything can be breached apart from a one-time pad system that is perfectly implemented; however, Google Password Manager, biometrics on a phone etc. are "information theoretically secure", which is the standard needed.
sausage_time said:
> Are you using this version on Android?
> https://play.google.com/store/apps/details?id=com.jefftharris.passwdsafe
> Click the help "?" icon on the password screen for details.

Well, well, I never noticed that before.
But now I'm not sure about using it. If I use my fingerprint to unlock the phone and then the same fingerprint to unlock Password Safe, it seems significantly less secure than having to use the master password as well.
alanwsg said:
> sausage_time said:
> > Are you using this version on Android?
> > https://play.google.com/store/apps/details?id=com.jefftharris.passwdsafe
> > Click the help "?" icon on the password screen for details.
> Well, well, I never noticed that before.
> But now I'm not sure about using it. If I use my fingerprint to unlock the phone and then the same fingerprint to unlock Password Safe, it seems significantly less secure than having to use the master password as well.

Swings and roundabouts. Fingerprints (or other biometrics) are pretty robust these days on modern kit and are quite hard to crack (the movie favourites of Sellotape or a photograph probably won't work). Typically your application has a password (hopefully long and complicated) as well, because fingerprint readers fail, you may need access on a non-biometric device, or you have to re-activate after a device reset, so you can always use that instead of, or as well as, the fingerprint.
It's the convenience of biometrics that in many ways is its strength; people are much more likely to use a decent security measure if it is easy to use rather than having to enter a 20-character random password.
Personally I'm happy that the same fingerprint that I use to unlock my phone also unlocks my banking apps.*
The passwords/passcodes to do this all differ.
*Minimal in number; most of these are on a second housebound phone.
An aside: worst security risk on a mobile device? Google Mail. You can't secure access to the app (or uninstall it) on an Android device, and a lot of people use Gmail as their primary (and only) mail service. I know why, but just don't use it for the important stuff.
NorthernGuy said:
> Correct me if wrong here, but if someone steals your phone, they are in a position to use the authenticator app on it. Then we're back to just the security of your master password. A physical key (could be a removable USB keyfile) is then the second defence they cannot breach. A lost YubiKey can be deregistered.

Not only would someone need to steal your phone, they would also need to be able to unlock it. Either they need to have the same fingerprints as you, or they need to know your PIN.
But let's say this perpetrator is not only lucky enough to know all your usernames and passwords, but also has the good fortune of living very close to you and is able to bump into you and swipe the phone from your hand while it is unlocked...
They'd still need to pass a second security prompt (again biometrics or another, hopefully different, PIN) to access the authenticator.
Alternatively, if I happen to know someone's login details (because that's the premise here) and lived locally, I'd just need to steal their YubiKey. The same scenario as above, just without the PIN/biometrics step (unless you have the YubiKey Bio, where it's the same).
Correct me if I've misunderstood anything.

NorthernGuy said:
> But having several YubiKeys, I have no good reason to step back to a phone authenticator.

I think it's apparent you're not keen to change, but it is a tad ironic using the phrase 'stepping back' while determined to maintain the status quo.
As you acknowledge, compromises are typically through things like social engineering. You can have your YubiKey stored in an underground vault in Timbuktu guarded by lasers and armed guards, yet your odds of being a victim remain virtually the same as someone without any of that, just using an authenticator app on their phone.
Nonetheless, if it helps you sleep at night, so be it. It's not the first thread of its nature; we've seen all sorts of silliness (separate devices which only have specific apps on them, stored in safes, not connected to wifi, running custom OSes; I've seen many threads like this, each comment one-upping the one before by adding another unnecessary level of security).
Yet the only threads we see of account compromises are where the OP didn't have 2FA set up and used the same login details across websites, or where they were socially engineered to do so (e.g. their 'bank' instructed them that their account was compromised and to move the money into a 'safe' account), and as you can appreciate, having 7 additional security factors does not prevent this.
Know what you don't
The OP seems to be asking for a cross-platform password manager with Android autofill, where vault access can be gated by a hardware key rather than "something on the phone".
IMHO the best option is Bitwarden + FIDO2 YubiKeys, one on the OP's partner's keyring and one in a drawer. That gives Android autofill convenience without backsliding into reused passwords, and keeps the second factor genuinely separate. Note Bitwarden does not currently allow you to unlock the vault on first use solely with a YubiKey hardware key without also entering your master password.
That said, on Android a password manager has to unlock frequently: browser launches, app logins, background autofill calls. Requiring a physical YubiKey insertion or NFC tap every single time would start to annoy me quite quickly compared to biometric authentication.
flaneurs_lobster said:
> An aside: worst security risk on a mobile device? Google Mail. You can't secure access to the app (or uninstall it) on an Android device, and a lot of people use Gmail as their primary (and only) mail service. I know why, but just don't use it for the important stuff.

Uninstalling Gmail is often not an option, but on all devices under my control I simply delete all data in Setting>>App>>Storage and then disable the app. It's one of the first things I do after initial setup (and also for a lot of the other Google crap like Maps and YouTube etc.).
Exodi said:
> NorthernGuy said:
> > Correct me if wrong here, but if someone steals your phone, they are in a position to use the authenticator app on it. Then we're back to just the security of your master password. A physical key (could be a removable USB keyfile) is then the second defence they cannot breach. A lost YubiKey can be deregistered.
> Not only would someone need to steal your phone, they would also need to be able to unlock it. Either they need to have the same fingerprints as you, or they need to know your PIN.
> But let's say this perpetrator is not only lucky enough to know all your usernames and passwords, but also has the good fortune of living very close to you and is able to bump into you and swipe the phone from your hand while it is unlocked...
> They'd still need to pass a second security prompt (again biometrics or another, hopefully different, PIN) to access the authenticator.
> Alternatively, if I happen to know someone's login details (because that's the premise here) and lived locally, I'd just need to steal their YubiKey. The same scenario as above, just without the PIN/biometrics step (unless you have the YubiKey Bio, where it's the same).
> Correct me if I've misunderstood anything.
> NorthernGuy said:
> > But having several YubiKeys, I have no good reason to step back to a phone authenticator.
> I think it's apparent you're not keen to change, but it is a tad ironic using the phrase 'stepping back' while determined to maintain the status quo.
> As you acknowledge, compromises are typically through things like social engineering. You can have your YubiKey stored in an underground vault in Timbuktu guarded by lasers and armed guards, yet your odds of being a victim remain virtually the same as someone without any of that, just using an authenticator app on their phone.
> Nonetheless, if it helps you sleep at night, so be it. It's not the first thread of its nature; we've seen all sorts of silliness (separate devices which only have specific apps on them, stored in safes, not connected to wifi, running custom OSes; I've seen many threads like this, each comment one-upping the one before by adding another unnecessary level of security).
> Yet the only threads we see of account compromises are where the OP didn't have 2FA set up and used the same login details across websites, or where they were socially engineered to do so (e.g. their 'bank' instructed them that their account was compromised and to move the money into a 'safe' account), and as you can appreciate, having 7 additional security factors does not prevent this.

This post doesn't have nearly as many likes as it deserves!
Wish I could give 2! Lol.