I am a security researcher and I’d been using LastPass from 2009 until 2018. I also used the GeoLocation function on LastPass before. Currently, I am using Bitwarden, KeepassXC, Keepass 2, and Authy on Backbox Linux.
I think this should answer some of the issues mentioned above.
As for the MITM part, @tgreer already answered the same issue here on this thread.
Your real passwords in the Bitwarden app or browser won’t be sent to the server. Only the modified (hashed/encrypted) version of your password will be sent, not your real password.
Should your internet connection be intercepted by a man-in-the-middle, he will see only the modified/encrypted version of your password and not your real password.
You can test that at home by using the Chrome/Brave browser. Just follow this video:
@Keepasser
Keepass and Lastpass have had security flaws in the past. For example, a report found a vulnerability that affected several major password managers (1Password, Dashlane, KeePass, and LastPass), potentially leaving your master password exposed in clear text in computer memory.
But that applied to Windows 10 users, so if you are on Linux you should be fine.
You can read the full report here and the news on Forbes here.
For the list of the best password managers, you can check out this list: Best Password Managers in 2024 (Only 5 Passed Our Tests)
They can do that. I browsed a hacking forum on the darknet where hackers sell emails, passwords, Facebook data, and users' locations.
This is how they can do it:
- Users expose their location, password, and email on social sites like Facebook. Even if they don’t expose their location, Facebook will log their real IP, and that will expose their real country.
- Then the Facebook website was breached/hacked. Lots of data from Facebook, including countries and emails, was exposed and sold on the darknet.
- Once the hacker gets your info, like your email, location, country, etc., they can use it to hack your other accounts, including your email account and the password manager account. Even if you turned on Geolocation blocking, they can use a VPN to bypass it, because they have your country/location information anyway.
- For your information, hackers don’t use their real IP to hack, because it is illegal. If they used their real IP, the authorities could easily trace them down. They would use proxies, Tor, VPNs, etc. to hack.
Some of you might not know this, but Facebook was breached many times in the past. Gmail, Twitter, Dropbox, and many others were also breached in the past.
List of all known data breaches here: List of data breaches - Wikipedia
Facebook data breach news here.
You can try this tool: https://breachchecker.com
That website will expose when and where your email was exposed.
Bitwarden app also has a function where it can detect a breached password. Enter any password in the app/vault and then click the checkmark icon.
- Use a separate email only for security and your password manager, like Tutanota Mail or Protonmail.
- If you need to register on multiple websites, you can use email forwarding services like simplelogin.io and anonaddy. Use these services to create email aliases and then forward the emails to your real inbox. You can use email aliases to replace your real email on Facebook, YouTube, etc.
- Use unique usernames for forums, social sites etc.
- Use unique passwords and store those credentials in a password manager.
- Lock your password manager account with a strong password.
- You can use 2FA, but make sure that you don’t lose the app/device. I highly recommend using a 2FA app on a laptop, like Authy. I am not a fan of 2FA apps on smartphones.
- Always monitor your main email in case someone tries to hack into your BW account. If someone logs into your BW account from a new device, you should receive an email.
But you can get the same by turning on Bitwarden 2FA via email. Also, if that hacker already had your Lastpass email, the first thing he would do is hack your email. That would save him time, because most people are not using a password manager anyway. He could also reset your LastPass password by hacking your email.
If you need this function badly, you can pay $10/year for Premium. Bitwarden already has that feature, but only for premium users.
See the pricing here: Bitwarden Password Manager Pricing & Plans | Bitwarden
See the list of 2FA logins here: Two-step Login via FIDO2 WebAuthn | Bitwarden Help Center
Many people do not know this, but KeepassXC has a 2FA function, known as TOTP, and you can integrate it with any online account that you want.
You can set up 2FA with KeepassXC by following this instruction.
Once you set up 2FA with KeepassXC, you can copy the Keepass database file (KDBX) onto a pen drive and then use it anywhere.
If you are on Windows and want to use KeepassXC anywhere on a Windows PC, you can install KeepassXC Portable.
If you are on Linux and want to run KeepassXC anywhere on Linux computers, you can use the AppImage.
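To make the MITM point from the top of this post concrete, here is an added worked example (it is not code from the original post, nor Bitwarden's own client or server code). It models the login flow described in Bitwarden's security whitepaper: the client stretches the master password with PBKDF2-SHA256 using the email as salt, derives a separate authentication hash from that key, and only the authentication hash is sent; the server then salts and hashes it again before storing it. The email, password, wordlist and iteration counts are constructed for the example and are not real account data. The last function shows the caveat a practitioner should keep in mind: what a man-in-the-middle captures is not the password, but it can still be brute-forced offline if the master password is weak, which is why a strong master password matters even with this design.

```python
import base64
import hashlib
import hmac
import os

# Constructed example credentials (not a real account).
EMAIL = "alice@example.com"
MASTER_PASSWORD = "correct horse battery staple"
KDF_ITERATIONS = 600_000   # illustrative client-side PBKDF2 count; assumed, not measured from a client
SERVER_ITERATIONS = 100_000  # illustrative server-side re-hash count


def derive_master_key(password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Client-side only: stretch the master password, salted with the lower-cased email.
    This key never leaves the device; it is what unlocks the vault."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.strip().lower().encode(), iterations)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """The value that actually goes over the wire: one more PBKDF2 round over the master key,
    salted with the password, so the server (or a MITM) cannot recover the master key from it."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)


def login_request(email: str, password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Build the login message as the client would; note the plaintext password is not in it."""
    master_key = derive_master_key(password, email, iterations)
    auth_hash = derive_auth_hash(master_key, password)
    return {"email": email, "masterPasswordHash": base64.b64encode(auth_hash).decode()}


def server_store(auth_hash_b64: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Server side: never sees the password or master key; stores a further salted, stretched hash."""
    salt = salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", base64.b64decode(auth_hash_b64), salt, SERVER_ITERATIONS)
    return salt, stored


def server_verify(auth_hash_b64: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the re-hashed login value against what is stored."""
    candidate = hashlib.pbkdf2_hmac("sha256", base64.b64decode(auth_hash_b64), salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def offline_guess(captured_request: dict, wordlist: list[str], iterations: int = KDF_ITERATIONS):
    """What a MITM who captured the login request can still do: replay the client-side derivation
    for each candidate password and compare. Each guess costs the full KDF, so a strong master
    password is what makes this impractical. Returns the matching guess, or None."""
    for guess in wordlist:
        attempt = login_request(captured_request["email"], guess, iterations)
        if hmac.compare_digest(attempt["masterPasswordHash"], captured_request["masterPasswordHash"]):
            return guess
    return None


if __name__ == "__main__":
    request = login_request(EMAIL, MASTER_PASSWORD)
    print("on the wire:", request)  # no plaintext password anywhere in this message
    salt, stored = server_store(request["masterPasswordHash"])
    print("server accepts:", server_verify(request["masterPasswordHash"], salt, stored))
    # Constructed wordlist for the offline-attack demonstration.
    print("offline crack:", offline_guess(request, ["password", "letmein", MASTER_PASSWORD]))
```

The interesting thing to notice when you run it is the last line: the captured hash is enough for an attacker to test guesses offline at their own pace, so "the password is not sent" is true but is not the whole story.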
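For the KeepassXC TOTP part, here is an added example of what that 2FA function actually computes (this is my own illustration, not KeepassXC code). It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, including the base32 secret decoding that the "Set up TOTP" dialog expects, and a server-side check with a clock-skew window. The secrets used are the published RFC test vectors and the common "JBSWY3DPEHPK3PXP" demo key, not real account secrets; the window size and 30-second step are the usual defaults and are assumed here.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step`-second intervals since the Unix epoch.
    This is what KeepassXC (or Authy) shows you; the website computes the same thing with the same secret."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Websites hand out the shared secret as base32, often spaced/hyphenated and without padding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, now, window: int = 1, step: int = 30,
                digits: int = 6, algo: str = "sha1") -> bool:
    """Server-side check tolerant of clock skew: accept the current step and `window` steps either side.
    Every candidate is compared in constant time so timing does not reveal which step matched."""
    counter = int(now) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            ok = True
    return ok


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), 8-digit codes as in the RFC tables.
    rfc_secret = b"12345678901234567890"
    print("T=59 ->", totp(rfc_secret, 59, digits=8))            # 94287082 per RFC 6238
    # A base32 key as a site would show it in its QR/manual-entry dialog (demo key, not a real account).
    demo_key = decode_base32_secret("JBSW Y3DP EHPK 3PXP")
    print("current code for demo key:", totp(demo_key))
```

Because the whole scheme is just HMAC over a shared secret and the clock, the KDBX file that holds that secret is now worth as much as the second factor itself; that is the trade-off of keeping TOTP next to the password in the same database, and why the pen-drive copy should be protected as carefully as the original.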