TunnelBear makers launch password manager RememBear
The makers of the popular VPN solution TunnelBear, available as a free and paid version, have released a beta version of the company's upcoming RememBear password management service.
Password managers and services are a dime a dozen nowadays. Computer users can select between native browser solutions, browser extensions, desktop applications, online services, and whether they want syncing, additional features, and pay for the password manager.
While I use KeePass, a desktop password manager, others may prefer a solution that provides them with online access to their passwords, integrates better in browsers by default, or syncs passwords by default between all devices.
RememBear
RememBear is available as a beta version right now. It is available for Windows and Mac desktop systems, and iOS and Android mobile devices. The developers released a Chrome extension on top of that, and promise to release Firefox, Safari and Edge extensions soon as well.
RememBear is free to use right now in the beta. The team plans to release a free, limited version, and a paid version in the coming months.
The service supports the core feature set that the majority of online password management solutions support. It remembers and auto fills in user information (including credit card details), and syncs the data across all user devices.
The service uses end to end encryption (256-bit) to prevent anyone but the user from accessing the data. The creators paid for a security review of the service on top of that. The company that did the review, Cure53, found no critical vulnerabilities. The issues that were found were fixed before the public release of the first beta version of RememBear.
On a side note, I tried installing the program on a Windows 10 Pro 64-bit system and could not do so because of some dependency of a VC Runtime file. It is beta and all, but not really a promising start nevertheless. It did work fine on a machine running the latest Windows 10 Insider Build however.
You are prompted to create an account and a backup kit on first run on Windows or Mac, but not on mobile. The developers suggest you install the desktop app on either operating system to create the backup kit; it can be used to regain access to the data if you forget the master password.
The desktop application offers to scan the PC for passwords to add those to its database. You can import logins from Chrome, 1Password or LastPass as well when you load the main interface. I suppose that option will also be provided for other browsers once the extensions are released for these.
If you only use the desktop application, you don't get autofill functionality. It appears that you need to install the Chrome extension for that.
Closing Words
RememBear does a lot of things right; it supports creating a backup of the master password, supports strong encryption, and has been audited already for security issues.
It is a beta program on the other hand, and that shows in some regards like the inability to install the program on one system, and missing functionality such as one-time passwords, more authentication options and so on.
The developers have yet to announce how the free and paid plans will look like. A lot depends on pricing. I expect it to be in the range of comparable services such as LastPass.
local Password Safe by Bruce Schneier is the best.
Nice to see Password Safe x64 installer at version 3.44 since October. Somehow I trust this solution as a reasonable design implementation. Time will tell.
If it was a local vault I’d give a twirl but cloud + extension, no thanks. Good read
https://www.networkworld.com/article/3183675/security/stop-using-password-manager-browser-extensions.html
Agreed. Storing passwords on local device is a lot more secure than storing them in the cloud.
Interesting, thanks.
I use Enpass. It’s locally saved/encrypted and synced through the cloud service of your choice.
However, I was using their extension (which requires the app to be unlocked to work) until now.
Me too. I do have and used to use 1password but they kindly removed the option to use it on browsers not on their approved list, so no waterfox, chromium, iridium……
Sorry, I do not trust any of these solutions – there is always someone smarter than I or the developer who will defeat them when it is worth it to do so. And since when is 256 bit encryption secure?
Since AES256?
>online access to their passwords
Willingly giving away your passwords like this.. what this world has come to o.O
Seriously. What happened to good old pen and paper?
The main thing to worry about with cloud/extension managers isn’t the cloud storage itself but the extension and interface to it. Look how many critical security problems lastpass has had in them for example.
@PanPeper, it’s not “my progress”, it’s humanity’s. I’ll skip the irrelevant ramblings about “evil progress” and stick to the point: pen & paper vs. a *good* password manager (not *any* p.m.) for password storing and re-entering.
I’ll assume we are not talking about 4-5 passwords, but for the more common situation of dozens of logins, even hundreds for some.
Pen and paper: How will you generate so many safe passwords? Either with an evil password manager/creator or with a self-created system, which means there will be a similar pattern to all your passwords. Not really that safe. The risk of losing or having your piece of paper stolen is very real. The risk of your passwords being hacked is also real, since you will have to manually re-type them *every time*, right? Ever heard of keystroke logging? There are even more problems with pen & paper to list here.
Password managers: for non-cloud solutions, the main concern is that someone takes over your PC and steals your passwords. Sure, in theory it can happen. In practice, it’s extremely rare and it won’t happen to people that use standard security practices. Even if someone steals your PC (either physically or ‘digitally’) you still have the option to reset/annul your device via another device. You can’t do that with a lost piece of paper.
For cloud-based solutions, you are trusting a 3rd-party company. These solutions usually use encryption algorithms that are realistically almost impossible to currently crack so even if their website is compromised, your passwords will still be safe and can be changed. One needs to carefully select their cloud-based solution since there are indeed some dodgy ones that must be avoided.
Disasters can happen everywhere. A carefully selected and configured password manager is significantly safer for people who use multiple websites. For pen & paper to really work, you will a need a carefully planned password-generating system, a good memory, a limited number of logins and constant vigilance over that precious piece of paper.
@George
Yes, the blessing of your considered “progress” can be found every day in the news. We are living in a world full of password fetishism, excessive, unnesscary and dangerous. And we only know the the top of the iceberg of all these so immenslely secure and password protected catastrophes.
MdN is right, use pen and paper. No tracking, no cloud, no blocked access, etc. But of course then nobody could wiggle his or her new toy they bought for only $899. Which, by the way, will become a worthless brick or doorstopper within a few years. But, yes, ….. we call it progress that our privacy is out in the open, progress being tracked, profiled, evaluated, sold. Pen and paper would say we are stupid as hell letting this happen to us.
Progress happened. “Good old pen and paper” is a risky method to store and re-enter passwords. Way less secure than sanely using a good password manager.