Introducing Remembear, new password manager

From the Cure53 report: the version tested had a terrible vulnerability (unfortunately somewhat common to password managers): it tries to match passwords to subdomains, and in doing so misparses domains, allowing it to be tricked into giving passwords to bogus almost-look-alike domains. Yikes.<p>Meanwhile: they&#x27;ve got a crypto protocol tunneled over TLS &quot;to avoid heartbleed&quot; and some other convoluted stuff the auditors complain about. You really want to see a password manager get the basics right.<p>Notice also that the end of the Cure53 report complains about the project scope and the amount of time given. This is pretty unusual for Cure53, who have a reputation for being a bit effusive about the products they&#x27;re paid to review. I&#x27;m not sure I&#x27;ve ever seen them throw shade before.

It might be a good alternative to Enpass. They use Rust and libsodium, which is a good sign.<p>But browser integration is the trickiest part in a modern password manager, yet what makes a password manager actually usable for most people.<p>So, give it some time before using the browsers (currently only Chrome) extension. Virtually all other password managers had security issues here.<p>Making these extensions smart (able to guess where login and password fields are, when passwords are being updated, etc) is also far from trivial. It&#x27;s actually way more complex than password storage.<p>Gonna stick with Enpass for now, but that&#x27;s definitely a project to watch.

I think they are burying the lede, and being a little disingenuous with the big &quot;Get Started, It&#x27;s Free&quot; button.<p><i>we will be introducing subscription-based pricing when RememBear leaves the public beta phase. </i><p><a href="https:&#x2F;&#x2F;help.remembear.com&#x2F;customer&#x2F;en&#x2F;portal&#x2F;articles&#x2F;2890744-how-much-does-remembear-cost-" rel="nofollow">https:&#x2F;&#x2F;help.remembear.com&#x2F;customer&#x2F;en&#x2F;portal&#x2F;articles&#x2F;28907...</a><p>A non-subscription product would be one thing that would get me to move off 1password.

What differentiates RememBear from other password managers? After looking through the blog and website it&#x27;s not immediately clear to me. What makes (or will make) RememBear better than, say, 1password, which appears to have the same features, is also easy to use, and has a long history with which to work out issues?

I &lt;3 pass [1]. Earlier discussion [2] on pass here.<p>[1] <a href="https:&#x2F;&#x2F;www.passwordstore.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.passwordstore.org&#x2F;</a><p>[2] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=14819136" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=14819136</a>

Seems to be yet another proprietary walled garden. No thanks.

Great name! So much more evocative than &quot;Remembr&quot;.<p>Let&#x27;s hope they succeed, and inspire other companies to append a penultimate &quot;a&quot; after the penultimate &quot;e&quot;, instead of just removing the penultimate &quot;e&quot;.

I use 1Password, and the only incentive which make me switch is completely open source good quality UX solution.

If any of the Remembear developers read this, I&#x27;d love to put in a request for a Linux client!

I&#x27;m currently using LastPass and their macOS app seriously annoys me (why do I have to click an OK button every time I save a new password?).<p>They seem to get their UI right at least. Plus, bears are cute.<p>Edit: No support for folders&#x2F;categories it seems. That sucks a bit.

Looks nice but only has a Chrome extension at the moment. Also the browser extension requires the desktop app be installed.

&quot;Subscription pricing&quot;... if anyone is looking for an actual good business model, is for the upcoming &quot;1password refugees&quot;... and all we want is the same stuff, but not subscription based.

Ooh, what a great example of a brand extension.<p>When I saw &quot;new password manager&quot; in the headline, my first thought was &quot;those guys are fucked&quot;. What people want with a password manager is trust and stability, two things not associated with startups. But these folks have millions of users, strong app store ratings, and solid reviews. Going from &quot;trust us with your data and privacy&quot; to &quot;trust us with your passwords&quot; is not a big step.<p>I&#x27;d give my current password manager, LastPass, a C- on usability, so I&#x27;ll be keeping an eye on this. I&#x27;d love to have something better to recommend to novices, and might even switch myself.

&gt;Where does RememBear store my passwords and how are they protected?<p>&gt;RememBear encrypts your passwords using both your Master Password and a unique device key generated by the application. It stores your passwords in an encrypted file on your device and on our secure servers for sync and backup purposes. However, RememBear will only encrypt and decrypt the items on your physical device. This means that your passwords and other items are always encrypted during syncing and remain encrypted when in storage on our secure servers. You and ONLY you are ever able to access your items as long as you keep your master password private.<p>Proprietary sync, no thanks.

It would be great if they can clearly tell how they differentiate from 1Password.

Electron?

It is from tunnelbear. If you are releasing it for free, why isn&#x27;t the code public?