Password manager in a corporate environment

But if I use a password manager on my own phone, it will still be a hassle to write complex passwords. Yes, it can handle TOTP codes, at least they are six digits, but my usual passwords which I use for my personal accounts are at least 24 chars. I am using 1Password for my personal accounts, but for business it is still problematic.

I downloaded the portable version of Keepass now, didn’t install any addons, but I couldn’t find an OTP field.

I wouldn’t use your own account/vault on a business machine, especially since they’re running all the things you described in your original post. They will most certainly know if you’re using a portable password manager. Cortex XDR has a feature called “jumplists” which shows all the executables run on the system. Those other endpoint security products, Xagt, which appears to be FireEye Endpoint Agent, probably do as well.

It seems a bit weird they have that many endpoint security tools on the one device. Have they thought about using YubiKeys, I wonder.

Well, the main issue is that it might be detected. I wouldn’t use Keepass for anything, really; try KeepassXC, which is what we recommend on the site, is included with Tails, Whonix, etc., and has TOTP.

Keepass.info is the official project.

1 Like

In the end, it’s up to your company to allow or prevent you from using this software. If you use it without permission, this could cause you a lot of problems. You could be liable if there is a leak or something of the sort. You could face personal consequences for going against the word of your boss and security team, including being fired or having to defend yourself in court.

It’s very unfortunate, but your security team and your company do not allow you to use any password manager, and that’s the end of it.

Keepass.info is the project site for the original “Keepass”; these days, though, nobody really uses that and instead KeepassXC is used. It is the default in Tails and Whonix.

Agreed, I wouldn’t be circumventing it by trying to use portable apps on their device. They have enough endpoint products there that you can assume they know every website you’re visiting and executable you’re running. Weirdly, it seems there is some overlap between those products, almost as if the multinational IT company doesn’t really know what they are doing in terms of security.

If they are concerned about people remembering passwords, then they should be adopting certificates for authentication coupled with strong two-factor security keys. My guess is they have some crappy old product which “can’t do that”, and have somehow convinced management to accept that it is “employee fault” for not remembering passwords.

2 Likes

I really do not agree with you here, sorry. The original KeePass is used in basically every government body and several corporates I worked for/with. I am not challenging that KeePassXC is a good project/fork, whatever, but to just put keepass.info away like this is really discrediting the project.

2 Likes

That could quite well be because some old documents/manuals/practices mention it. It does seem some of the recent releases are a gradual modernization of it, though.

You could make them passphrases! Most password managers let you generate those, and you can have the words separated by numbers and symbols, as well as capitalizing one of the words, to fulfill strength requirements. Not necessarily to memorize them, but to make them far easier to type when referring to your phone.

1 Like
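The passphrase scheme described in the post above (random words, digit/symbol separators, one word capitalized so a typical complexity rule is satisfied) is easy to reproduce, and worth doing with a CSPRNG rather than `random`. The following is an added example, not code from this thread or from any password manager mentioned here; the word list is a constructed toy list (a real generator would use a large published list such as the EFF long list), and `meets_policy` is an assumed corporate complexity rule used only to illustrate the check.

```python
import math
import secrets
import string

# Constructed toy word list for the demo (assumption). A real generator
# would use a large published list; the entropy estimate below shows why
# the list size matters far more than the separators do.
WORDLIST = [
    "apple", "bridge", "candle", "dolphin", "engine", "forest", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yogurt", "zipper",
]

# Digits plus a handful of symbols that are easy to type on a phone keyboard.
SEPARATORS = string.digits + "!@#$%&*-_+=?"


def generate_passphrase(words=4, wordlist=WORDLIST, separators=SEPARATORS):
    """Return `words` random words joined by random digit/symbol separators,
    with exactly one randomly chosen word capitalized.
    All choices come from `secrets` (CSPRNG), never from `random`."""
    if words < 2:
        raise ValueError("need at least two words")
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    cap = secrets.randbelow(words)
    chosen[cap] = chosen[cap].capitalize()
    parts = [chosen[0]]
    for word in chosen[1:]:
        parts.append(secrets.choice(separators))
        parts.append(word)
    return "".join(parts)


def split_words(passphrase, separators=SEPARATORS):
    """Split a generated passphrase back into its words (for inspection/tests)."""
    words, current = [], ""
    for ch in passphrase:
        if ch in separators:
            words.append(current)
            current = ""
        else:
            current += ch
    words.append(current)
    return words


def meets_policy(pw, min_len=12):
    """Assumed corporate complexity rule: minimum length plus at least one
    uppercase, one lowercase and one digit-or-symbol character."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() or c in string.punctuation for c in pw)
    )


def entropy_bits(words, wordlist_size, separator_count):
    """Entropy (bits) contributed by the random choices, assuming the attacker
    knows the scheme: the words, the separators between them, and which
    word was capitalized. Length of the string itself adds nothing."""
    return (
        words * math.log2(wordlist_size)
        + (words - 1) * math.log2(separator_count)
        + math.log2(words)
    )


if __name__ == "__main__":
    pw = generate_passphrase(4)
    print(pw, "meets policy:", meets_policy(pw))
    print("toy list, 4 words: %.1f bits" % entropy_bits(4, len(WORDLIST), len(SEPARATORS)))
    print("7776-word list, 4 words: %.1f bits" % entropy_bits(4, 7776, len(SEPARATORS)))
```

The entropy function makes the trade-off explicit: with the 25-word toy list, four words give only about 18.6 bits from the words themselves, whereas a 7776-word list gives about 51.7 bits before separators and capitalization are counted. Complexity rules are satisfied by construction, so the length requirement can be met by adding words rather than by making the phrase harder to type.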

An international, 5000+ employee company, with a strong focus on security, moved from the original KeePass to KeePassXC some time ago, due to some security issue (probably it was mentioned here also). Though, if I recall correctly, that vulnerability can be exploited only if the machine is already compromised. But anyway, I prefer the XC version, so I like this change.

So I find the behavior of OP’s company really weird, if their IT security team is not just not recommending the usage of password managers, but actually prohibiting it.

Browser password manager? If possible, try locking it with a PIN. But if your company is against password managers, you can’t be expected to remember all your passwords. Ask your colleagues what they do. If available, contact your union, as this is an undue workload (imagine a truck company prohibiting drivers from using GPS…). Seek legal advice as a last resort.

The issue is that those corporate structures don’t want you to take initiatives. Heck, if they got hacked, you shouldn’t care a shit. Management is responsible for safeguarding, not you.

2 Likes

Yeah. I feel like I just gave this advice to someone else…