1password Keepass

Hermila Farquhar

Aug 4, 2024, 12:00:02 PM8/4/24
to iramlida
I am trying to migrate my KeePass data to 1Password using the "KeePass XML 2.x" export option. However, the file attachments were not exported, unlike usernames, passwords, URLs, notes, etc. Is there any way to export these file attachments as well, along with the above data? Tried exporting CSV but still no luck.
I was following the 1Password support KBs like -keepass/
but they haven't mentioned anything with respect to file attachments. I found an option to manually upload the attachments to 1Password, but we have some 500 accounts and 10 databases, so manually uploading each file would take enormous effort and is next to impossible.
It was stored in a shared O365 folder, configured to always be available locally in case of network failure or anything; we all keep a local copy, and I also used to manually create a copy weekly on my local laptop.
Personally I use Bitwarden; never had a problem with it. They also offer a self-hosted option, for those who are really paranoid about holding passwords in the cloud:
-your-own-open-source-password-manager/
1Password is the best I find. I can have it on my phone, PC, remote if needed. It is very secure. You can set up multifactor authentication with hardware tokens and key generation. Unless you have a specific device, plus a physical token, plus a generated key, good luck trying to get in.
At some point, you have to trust something; having the same admin password on all your servers is worse than having all your passwords in a password manager. Someone will most likely do something bad on your network and get a bad actor access before 1Password gets hacked. Once they are in your network, they can do lateral movement and gain access pretty quickly. At a minimum, unique passwords everywhere should slow them down.
1Password can crank your complexity as high as you want, and auto fill everything too which is nice. Install the browser plugins, app, yadda yadda, I sound like a sales guy. Plus if you convince your work to get it you can get a free personal edition.
I mainly use Keepass with Remote Desktop Manager as it can pass credentials for me on logins to any servers I have configured which are many. Other than that I use Dashlane in Edge for autofill of passwords, etc.
Additionally, on their own website they compare themselves to many other password managers but exclude Bitwarden. I found this interesting because it seems as though their comparison perhaps intentionally stacked their product up against solutions that they knew they could compete with and potentially win over. For the record, this is pure conjecture, and I am happy to retract said statement if there is a valid reason for excluding Bitwarden but including LastPass (a company that has been absolutely dragged by the privacy/security community due to their atrocious breaches that took place over 2022).
In their compliance section it says that they are working on a Whitepaper that will publicly present their architecture, which is to say there is not currently an explanation of the architecture despite the fact that this service has been around for at minimum 2 years (based on what I could find). HeyLogin also appears to be more geared towards businesses interested in Enterprise level solutions than individual users.
Again, I am not an expert at evaluating services like these. Just providing my insight based on the brief 15-20 minutes I spent looking at HeyLogin after seeing this post. If you decide to try them and have a great experience, be sure to post here again, because I would love to hear more from someone that has experience with their solution. Best of luck!
I recommend you read the 1Password whitepaper; it can explain it better than I can, but it details what would happen if someone accessed AgileBits servers and stole the encrypted data. (Story 1 in the whitepaper)
From what I understand when a file is saved on a hard drive, then there will sometimes (often?) be copies of the file in the memory and maybe even other places on the hard drive. When one enters a password/key phrase in a program to unlock a database I guess that the password will live in the memory for at least a short period of time. I had heard about the audit of VeraCrypt and that one problem was the use of memset when clearing sensitive data from the memory (page 9 here).
My general question is: How do programs like VeraCrypt, 1password, keepass, GPG, LastPass, AES Crypt, and many others deal with these issues of multiple copies of files and having a copy of the password/key/data in the memory or other places of a hard drive? Are these things even a security concern?
You are mixing separate things here, namely encryption software and password managers. For both, though, there is no way around storing the key in memory, and the problems can be reduced to one:
In either case the password will be in memory for a finite time and you need to overwrite it after using it in order to make sure it doesn't stay there. If you simply reallocate the memory, it's not guaranteed to be overwritten ever.
memset can set a memory block to whatever you want it to be, so it could help us here. Problem: If you use compiler optimizations, the compiler might think memset is useless and remove it for more efficiency.
In the latest audit of VeraCrypt it was revealed that there is one occasion where burn is called after a code segment where a TC_THROW_FATAL_EXCEPTION can be thrown, thus leading to sensitive data remaining in memory.
How do programs like VeraCrypt, 1password, keepass, GPG, LastPass, AES Crypt, and many others deal with these issues of multiple copies of files and having a copy of the password/key/data in the memory or other places of a hard drive?
Yes and no. It's often important to put security questions into context. Having extra copies of a password database isn't ideal, as it makes information disclosure more likely, but if appropriate protections are in place for the files, and the database is encrypted, it's unlikely to be exploited.
It does imply a certain risk of disclosing that data - namely, leaving a temporary copy after the memory is deallocated and then possibly allocated to another process; or if the memory area is swapped out to disk, but these can be mitigated with reasonably simple technical measures, e.g. overwriting the memory area after use and before deallocation, and marking the memory page so it won't be available for swapping respectively. When developing such software, you need to ensure that these steps have been taken and that sensitive data doesn't "leak" in this manner.
Outside of that, the OS will enforce process isolation so that this sensitive data (as all other data) is not accessible to other processes. You should still take steps to minimize the time that sensitive data is in memory to reduce the risks in case of a compromise in your software or the OS (e.g. the "Heartbleed" OpenSSL vulnerability), so it's a security concern, but it's acceptable and secure practice to keep sensitive data in memory when necessary.
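The two mitigations discussed in the answers above (overwriting key material before the buffer is freed, in a way the optimizer cannot drop, and pinning the page so it is never swapped to disk) are short enough to show in working C. The following is an added example, not code from any of the products named in the thread; the XOR-fold "derivation" is a constructed placeholder standing in for a real KDF, and `wipe_secret_after_use` is a hypothetical helper name.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* A plain memset() at the end of a function is a dead store as far as the
 * optimizer is concerned: the buffer is never read again, so the call may be
 * removed (the VeraCrypt audit finding mentioned above). Calling memset through
 * a volatile function pointer forces the compiler to assume the callee has
 * side effects, so the write survives. explicit_bzero()/memset_s() serve the
 * same purpose on platforms that provide them. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

/* Models "unlock a database with a passphrase": copy the passphrase into a
 * page-locked buffer, derive something from it, then wipe it.
 * Returns 1 if the wipe left no non-zero byte behind, 0 on error. */
int wipe_secret_after_use(const char *passphrase, uint8_t *out_digest) {
    char key[64];
    size_t len = strlen(passphrase);
    if (len >= sizeof key)
        return 0;                      /* refuse rather than truncate */

    /* mlock() pins the page so it cannot be written to swap. Failure (for
     * example RLIMIT_MEMLOCK) is tolerated here to keep the demo portable. */
    (void)mlock(key, sizeof key);
    memcpy(key, passphrase, len + 1);

    /* Constructed placeholder for a real KDF: XOR-fold the key bytes. */
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc ^= (uint8_t)key[i];
    *out_digest = acc;

    /* Wipe before the stack frame is released, then release the lock. */
    secure_zero(key, sizeof key);
    (void)munlock(key, sizeof key);

    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}
```

Note that `secure_zero` only covers the copy this function owns; the passphrase string passed in, and any intermediate copies made by the caller or by UI toolkits, need the same treatment, which is why the answer above stresses minimising the time secrets spend in memory rather than relying on a single wipe.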
Beyond the above, as two-factor auth has taken off 1password has been a godsend in collocating those rotating 2fa codes alongside passwords and automagically pasting them to the clipboard as needed. No dedicated authenticator app required. (And many thanks to Adam for turning me onto this feature a year or so ago!)
Got a Pixel 4a (Android 11) to replace my Moto G6 (Android 9) and now can sync with 1Password WLAN server on my Mac. AgileBits have not been very helpful. Trying to push me to a subscription instead. Only sync method w/o subscription on 1Password for Android now is WLAN server. No option to import a vault.