Do you trust Avira Password Manager for saving passwords ?

No

@electrineer why

@dIREsTRAITS don't trust anything that's not open source.

@tosensei don't trust anything

@jonas-w don't

I don't even trust my self with passwords, definitely not random services.

I use them, but only to remember randomly generated passwords, a few secure important ones I only store on my head

Bitwarden

Defined not. I store my passwords as NFTs in the Solana network and use the most popular shitcoin of the hour to buy them back from random venture capitalist hipsters whenever I need to login to pinterest.

We are not the same

I browse to plenty of websites and I can't create a strong password and remember it, in this case what is the best alternative that is trusted?

@tosensei d

.

​

@tosensei yeah no, can't beat that

@Ranchonyx you would've won by not sending a message

@electrineer see I considered that, but meh.

@Marethyun KeepassXC is a modern version that's not "non-sexy" IMHO. even does TOTP

@dIREsTRAITS put a quote as password when need it search and copy paste it
You add number and symbols to increase the strength further

@tosensei please don't put your TOTP codes with your passwords.... thats a single point of failure all over again.

@dIREsTRAITS Mobile phone antivirus = instant bloatware.

For their iOS app alone:

- Anti theft - location finder for a phone, everyone else calls it "find my phone by Apple"

- VPN, so now they want all my internet traffic to

- network scanner, now they want to know every device around me

- IOS updater... WHAT IN THE FUCK? This is a standard feature

And you want to hand over your passwords to this lot?

Use an open source password manager, xKeyPass, bitwarden, etc. and use a TOTP app separately, ideally not cloud based but that depends on your needs and risks.

@C0D4 I searched too much for any information regarding avira password manager being hacked, hijacked through browser, or data leaked... I do feel okay to use their solution can you prove that I'm wrong

@dIREsTRAITS I'm just curious why you need all that bloatware for a password manager?

What makes you trust Avira over open source solutions that are simply password managers?

@C0D4 thing is: i don't fucking care about 2fa, i don't want it. i'm only using it where i am forced to use it by customers in such a fucking idiotic way that it's effectively 6-factor-authentication, and it would literally take 10 minutes to log in via separate devices (which would, in addition, require me to provide my _private_ phone number to the customer) - 10 minute per service, that is, because "LULZ, what is single sign on?"

and in the end, 2fa is a single point of failure for "me being utterly and completely unable to log in and do my fucking job". with the addition of the customers IT-support being so slow, you can add "for at least half a year, if things go quickly" to that.

@tosensei it's not supposed to be user friendly, users get there own passwords wrong as it is, and they type that shit in every day.

SSO is only as good as that password and 2/MFA in the first place.

Once your in, your fucking in, gain access to a privileged account and there's not much left on the table to worry about.

@C0D4 the thing is: if it's not user friendly - it won't work. period.

the pro-users usually keep their stuff secure enough, anyway, and the noob-users keep screwing everything up, anyway.

and no: there is no inbetween.

@tosensei let them bitch, throw a security compliance waiver on their desk and have the CEO sign off on it.

They'll either comply or be out of a job for not doing it, granted the head hunchos aren't dumb fucks too.

@C0D4 the customer i'm talking about is a corporation..... it's dumb fucks all the way up. and down. and sideways.

@C0D4 if Bitwarden is open source why you wouldn't trust it in the cloud?
A password manager just makes your life easier, wouldn't it?

Do you think Avira can use your passwords and steal your data?

@dIREsTRAITS anything that's "in the cloud" is out of your control.

@dIREsTRAITS bitwarden is in the cloud, and I trust it a lot more then most other services, the code base is in GitHub so you can self host / review it if you wanted to.

What or who's to say they can't?

Avira state on their website they encrypt your master password and store it on their servers, if this isn't E2E encryption, and they hold the key, then they can access the passwords in the manager if they wanted too.

For example, how bitwarden actually handle the passwords:

https://bitwarden.com/blog/...

https://bitwarden.com/help/...

@C0D4 I guess you are wrong, it's what avira stated unless you can prove the opposite

check this

I trust no one, I store the passwords in a keepass database and sync it with Mega.

@lbfalvy apparently you trust Mega

@vintprox I trust them to copy a meaningless blob of cyphertext across my devices.

@lbfalvy fair

@vintprox Also, Mega never receives the files they're storing in cleartext, even if I didn't encrypt the database explicitly. This is actually a cornerstone of their operation; they collect low trust storage providers, guarantee service via redundancy and the protocol dictates that Mega never receives any of your data, so the only aspect in which I'd have to trust them is production quality - only that the protocol is indeed secure and not that they aren't abusing data they have.

Because I don't even want to do that, I use the well-known keepass format the security of which is more a subject of public discourse.

@dIREsTRAITS 🤷‍♂️you do you.

You asked, we answered, your still floating in the same boat you started. That's fine by me.

@lbfalvy you got me pumped for that great combo. Recently, redundancy and federation are very selling points for me.

@C0D4 but you mentioned wrong details

@vintprox I trust it a bit too much, that database file and its password are starting to become a gateway to my entire online presence and both are accessible to an attacker who holds root on my laptop for over a day.

I'm investigating options to verify credentials of extreme importance that I enter rarely with a second capability, possibly even a paper notebook, just to introduce an unbridgeable air gap.

@vintprox But yeah, as far as trusted hosts go this is a really good combo.

Also, because of the above mentioned principle of operation, Mega is by far the cheapest cloud storage provider per volume, so if you're looking for paid file storage you don't need another provider.

@dIREsTRAITS I can't find what I saw last night, maybe I read something wrong, but the underlying issue remains. Avira is a closed source company. How can you verify what they are saying?

I can't even find an audit or compliance report for them, so no publicly available 3rd party checks either 🤷‍♂️

@C0D4 At this point I agree with you, it's almost impossible to know if what they claim is true however I've never read of any security breach or exploit, anyway i do trust them on random websites where you create a complex password and save it with them, the problem with self hosted password manager is that they are not going to be available for you when you need them in case the machine you are hosting them in is out of service, shutdown, drive crash, OS issue... and again if you host it in a vps yourself how can you be sure that you made it secure? ...