Am I being overly paranoid? How should I be approaching the issue of trusting the developers of password managers?
Hmm. Maybe? The trouble is at some point you have to trust someone and there isn't a good way to measure this. Even if the source of the iOS app was open (I don't know if it is, just a hypothetical) there is no guarantee that the source you looked at is the same that was used to compile the binary itself.
I use one for iOS. I sure hope it's trustworthy. But if it isn't...well I don't really know where to turn to. LastPass? I tried them before but was amazed at how awful the UX was and I was too paranoid that someone would eventually find a flaw, get in and expose everyone's passwords ever because it's a cloud service...I am likely too paranoid.
The new fork is intriguing. Need to take a closer look.
I upload my keepass and key file to Dropbox (I know, I know) and then export them to MiniKeePass from the Dropbox app. MiniKeePass auto-associates the key file with the kdbx if it has the same filename as the kdbx, but with a .key extension. I can even edit the DB with MiniKeePass and upload it back to Dropbox. It's not as sexy as an Android setup, but it works quite well for me.
You can disable an app's ability to connect via mobile data in Settings, though that doesn't solve the issue for using the app + wifi.
Does anyone know what happens if you remove the permission from an APK's manifest with apktool etc?
For peace of mind it'd be nice to disable Internet access for certain apps.
EDIT: I know there are solutions when rooted, and also virtual VPN solutions when not rooted. However, in the latter case you have to trust the VPN with all your traffic.
[edit]: oops, confused osx and ios. I'm not a mac person.
I would love to audit it but I lack both the time and knowledge. How would I verify that what I've audited is the source for the actual binary that the App Store delivers to my phone?
Personally, to me that sort of integration has always seemed like a bad idea. I'm glad that my password database can't talk to my browser programmatically. One less thing to go wrong.
It takes passwords and makes them "unphishable", because the manager knows what domain you're on.
Of course it's also the largest attack surface. Personally, I think that tradeoff is worth it - assuming competent development.
...of every other extension that you use. That is a very bad assumption to make.
That said, I do use Lastpass myself and in fact have a premium membership.
> From the text it looks like one of the selling points is integration with apps like browsers so you don't have to copy/paste passwords, as with KeePassX.
Can you provide source please? thank you.
This [1] says the opposite: (quoting from the github issue):
"I removed the milestone for now since we are not sure if we actually want our users to expose their passwords over a network protocol with questionable security record. The security of both KeePassHTTP and KeePassRPC is doubtable and in their current state we would prefer not to have them as part of the main KeePassXC product.
This doesn't mean KeePassXC will never support it, it only means that at the moment we don't have immediate plans and an implementation needs further discussion."
[1] https://github.com/keepassxreboot/keepassxc/issues/88#issuec...
What's ugly about it, besides (I guess) .NET part?
Personally the best feature I'm using KeePassXC for is the auto-reload feature. I sync my kdbx file with Tresorit across couple computers, and the auto-reload feature ensures that I'm always modifying the latest version.
This is something lacking in the original KeePassX.
I keep my KeePass database in my Dropbox, behind 2FA, with the main Dropbox password being a random string stored within the KeePass database. I have KeePass itself stored on my Dropbox as well, so I don't even need to install it to other Windows PCs, simply run the program. And the KeePass2Android app works quite well with this configuration.
Sometimes I get conflict files in the Dropbox folder. Not often, but a few times over the last year.
On iOS I have to open Dropbox and re-export the database file to see new entries. If I ever want to add or change an entry on mobile I have to manually export the file back into Dropbox. If the database in the app wasn't up-to-date, that will lose any entries added on desktop.
The KeeFox extension for Firefox works but is unreliable, especially on Linux.
But... HackerNews hates LastPass for some reason... still haven't quite figured out why. (= It's a great service.
If someone gets my keychain they own me completely and can quite possibly ruin my life.
I would consider that a negative, not a positive, for security.
At this point we'd even go so far as just using a good Keepass Client that comes with a comfortable "send encrypted password blob to xy email, then call him and tell him this decryption password"-function.
Self-host Nextcloud and use the Keeweb app with Keepass encrypted databases - https://apps.nextcloud.com/apps/keeweb
Run your own Firefox accounts server, and let FF store all your passwords - https://docs.services.mozilla.com/howtos/run-fxa.html
A quick google search also turns up Passbolt (https://www.passbolt.com/).
I cannot comment on either of them as I have not used them myself, but I would be interested if anyone has.
https://www.passwordstore.org/
I've been using it for a few years. Works for me.
I did find one major annoyance; the forced use of colours for the "Directory" names. I did some digging and found out that within the program it calls the external program 'tree' for the display.
I edited the file (/usr/local/bin/pass) from: tree -C -l to tree -n -l (in two locations)
It was much easier than I expected, and I was pleased I didn't need to use a Hex-editor.
But I really get where you are coming from, as we are also a SaaS Shop that has to walk that particular line.
You could probably even script a KeePass plugin to automate several of those steps.
How well specified is the kdbx format? Is there a console client? Is the code readable? Keepass seems to have spawned an entire ecosystem of tools and clients, so I'm curious which of these tools are actually usable.
It is nothing more than a script that calls the GnuPG binary and the tree command line utility for displaying a tree of files. It uses your GPG-keypair to encrypt text files. You can add as much info as you like, but by convention the first line of each file is assumed to be the password:
# Generate a 32-character random password.
pass generate sites/news.ycombinator.com 32
# Copy the password to the clipboard; this will ask you to unlock your GPG-key.
pass -c sites/news.ycombinator.com
# Find stuff.
pass find news
# Edit the file (e.g., add the username).
pass edit sites/news.ycombinator.com
All files are GPG-encrypted plain text files in a directory on disk. Easy to backup as well. There is a rather sweet feature you can use to share some passwords with someone. You can add a list of GPG key IDs in a file called .gpg-id in any of the subdirectories of your password store, and share that subdirectory using a syncing tool such as SyncThing². My partner and I each have our own password store, but share a directory called 'together' via SyncThing. All passwords stored there are encrypted using both our GPG-keys by pass, whilst our private entries remain encrypted just for our own respective keys.
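To make the store layout from the comment above concrete (one .gpg-id per subtree, password on line one), here is an added Python model of how pass picks recipients and splits an entry. It is not code from the pass project; the key IDs, the store layout and the "blank lines and trailing # comments are skipped" rule for .gpg-id are assumptions made for the demo.

```python
import os
import tempfile

# Constructed key IDs for the demo store; they are not real keys.
MY_KEY = "0xAAAA1111AAAA1111"
PARTNER_KEY = "0xBBBB2222BBBB2222"

def find_gpg_ids(store, entry):
    """Key IDs pass would encrypt `entry` to: the nearest .gpg-id in the
    entry's directory or an ancestor, up to the store root. One ID per line;
    blank lines and trailing '# comments' are skipped (assumed format)."""
    store = os.path.normpath(os.path.abspath(store))
    directory = os.path.normpath(os.path.join(store, os.path.dirname(entry)))
    while True:
        candidate = os.path.join(directory, ".gpg-id")
        if os.path.isfile(candidate):
            with open(candidate) as fh:
                ids = [line.split("#", 1)[0].strip() for line in fh]
            return [i for i in ids if i]
        if directory == store:
            raise FileNotFoundError("store not initialised: no .gpg-id found")
        directory = os.path.dirname(directory)

def split_entry(text):
    """pass convention: line 1 is the password; later 'key: value' lines
    (username, URL, ...) are collected into a dict."""
    lines = text.splitlines()
    meta = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), meta

def build_demo_store():
    """Constructed layout: private root key; shared 'together/' directory
    whose .gpg-id lists both partners, as described in the comment above."""
    store = tempfile.mkdtemp(prefix="pass-demo-")
    os.makedirs(os.path.join(store, "together"))
    with open(os.path.join(store, ".gpg-id"), "w") as fh:
        fh.write(MY_KEY + "\n")
    with open(os.path.join(store, "together", ".gpg-id"), "w") as fh:
        fh.write(MY_KEY + "  # me\n" + PARTNER_KEY + "  # partner\n")
    return store

if __name__ == "__main__":
    store = build_demo_store()
    print(find_gpg_ids(store, "sites/news.ycombinator.com"))  # only MY_KEY
    print(find_gpg_ids(store, "together/netflix"))  # MY_KEY and PARTNER_KEY
```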
However, the lack of a good mobile client is starting to nag me. There are ones that sort of work but appear to be quite clunky.
I'm looking seriously at Enpass[1] as an alternative since it has good multi-platform support (I use desktop Linux, Windows and Mac plus Android).
• You get a proper password generator out of the box.
• Vim's encryption is awful: The current default method is documented to be feasibly brute-forceable on a Pentium 133 MHz, and the optional "strong" setting is Blowfish (with an undocumented key-derivation function which is presumably awful as well), which Schneier wanted to have phased out 10 years ago – and by now we're seeing an increasing number of successful attacks. Do not use VimCrypt if you want your data safe. (If you happen to have GPG set up on all your devices anyway, it can be a decent alternative.)
• Never underestimate convenience when it comes to security. Anything that makes it harder for someone to use their password manager increases the risk of password reuse.
It's popular because it's the least common denominator for "cross-platform portable encrypted key-value local storage". The sync support missing is actually a feature for most users. There are much better alternatives when you trust a third-party server.
You could do almost all of that with a plain text encrypted file, but KeePass keeps it all neat and sorted.
You can even implement the algorithm yourself if you don't trust the app (which does not require any permissions on Android).
* What happens when you need to change any single one of those passwords? Don't you need to change all of them?
[0]: https://news.ycombinator.com/item?id=12889807
edit: "any single..." includes the master password itself & any of the individual site passwords for that master password.
Note that the algorithm/app I mentioned does use the salt mentioned at the end as a possible solution. The counter problem is still there, but I don't feel it is a big issue.
There also is a counter used for hashing. So for a new password you just increment the counter. Remembering the counter for every site sounds too complicated, but you could store that in a file without losing much (any?) protection.
[0] https://chrome.google.com/webstore/detail/password-hasher-pl...
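An added Python sketch of the stateless "password hasher" idea discussed in these comments (master + site + counter + salt, nothing secret stored), so the two points made here can be checked directly: bumping a site's counter changes only that site, while changing the master changes every site. This is not the extension's code; PBKDF2-HMAC-SHA256, the iteration count and the output encoding are assumptions.

```python
import base64
import hashlib

ITERATIONS = 100_000  # work factor; an assumption, not the extension's setting

def derive_site_password(master, site, counter=0, salt="", length=20):
    """Stateless derivation: (master, site, counter, salt) always yields the
    same password, so the site password itself is never stored. The counter
    and salt are the only per-user state and neither is secret."""
    label = "{}|{}|{}".format(salt, site, counter).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), label, ITERATIONS, dklen=32)
    # base64 yields letters, digits, '+' and '/'; sites with stricter rules are
    # exactly the case the thread says would need stored per-site rules.
    return base64.b64encode(key).decode()[:length]

def site_passwords(master, counters, salt):
    """Recompute every current site password from the master and the
    non-secret counter file (site -> counter)."""
    return {site: derive_site_password(master, site, ctr, salt)
            for site, ctr in counters.items()}

def rotate_site(counters, site):
    """Change one site's password by bumping its counter; nothing secret is stored."""
    counters[site] = counters.get(site, 0) + 1
    return counters[site]

def sites_changed_by_new_master(old_master, new_master, counters, salt):
    """Site passwords that change when the master changes: all of them, so every
    account has to be updated (the objection raised above)."""
    before = site_passwords(old_master, counters, salt)
    after = site_passwords(new_master, counters, salt)
    return sorted(s for s in counters if before[s] != after[s])

if __name__ == "__main__":
    salt = "constructed-demo-salt"  # stored next to the counters, not secret
    counters = {"news.ycombinator.com": 0, "example.test": 0}
    print(site_passwords("correct horse battery", counters, salt))
    rotate_site(counters, "example.test")  # only example.test changes
    print(site_passwords("correct horse battery", counters, salt))
    print(sites_changed_by_new_master("correct horse battery", "new master", counters, salt))
```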
* No way to change password without storing things
* No way to handle site-specific rules without storing things
* No way to store auxiliary data (URLs, usernames, etc.)
* No way to see which sites you have accounts on
On the other hand, I can change my Lastpass/Keepass password regularly, denying a cracker access to my accounts in the future.
The security of any password manager, including hashers, is not only how secure it is against attacks, but how secure it is after it has been successfully attacked and how easy it is to recover full security without losing too much data.
It uses a git repo as storage, gpg encrypts passwords, provides perfect completion and there is an android app. Everything is dead simple and open source.
--------------------
The community has even produced a cross-platform GUI client, an Android app, an iOS app, a Firefox plugin, Chrome plugin, a Windows client, a pretty Python QML app, a nice Go GUI app, an interactive console UI, Alfred integration (1) (2) (3), a dmenu script, OS X integration, git credential integration, and even an emacs package.
--------------------
If this weren't the case, I'd agree :-)
Makes me think of DOS software from 1998.
(My second peeve is that the "type the password" feature types the username and password, making it useless for the more annoying disabled-paste password prompts.)
You can also customize the auto-type on a per site basis. Only the default types U + P. It can be anything you want it to be.
I'm very interested in trying it, just a little worried about its stability. I guess I'm slightly biased against Electron apps due to some bad experiences.
I'm just worried it will corrupt the database or something.
Have you experienced anything like that?
(Used KeePassX in both contexts previously)
How has your experience been?
KeePassXC is a community fork of KeePassX which aims to incorporate stalled pull requests, features, and bug fixes that have never made it into the main KeePassX repository.
There should be a clear and visible Github banner or big link with the logo.
Why should I move from KeePass2 to this? Prettier GUI under Linux?
R: NO, https://github.com/keepassxreboot/keepassxc/issues/148
> Why should I move from KeePass2 to this?
R: KeePass 1.x and 2.x are the official KeePass releases; KeePassX is a community port in C++ originally built for Linux/Unix, but now it includes builds for Windows too. Most people who recommend KeePassX over KeePass 2.x do so because they are (.NET/Mono)phobics, plain paranoids or just haters of Microsoft. KeePassX and KeePassXC aren't improved versions of KeePass; they are just ports to C++ (for Linux and Windows) of KeePass.
Not yet, but it's planned for the next release https://github.com/keepassxreboot/keepassxc/issues/148
https://github.com/PixelPaws/KeePass-Desktop https://www.pixel-paws.de/en/
But I agree, they should definitely link to it from the FAQ, since a lot of people are going to look there first.
The two primary issues I have with KeeWeb on mobile are:
- Typing my master password every time is tedious on a touchscreen, I really miss LastPass's fingerprint reader integration here.
- The back button closes the app entirely, making me have to enter that tedious password again. This can be fixed by reworking the webapp to use the HTML5 history API, but just hasn't been done yet. Issue here https://github.com/keeweb/keeweb/issues/331
Even if the data is encrypted, by using 3rd party services such as DropBox you risk someone trying to crack your passphrase without you noticing.
It's not one multiplatform app, but there's an equivalent format app on every platform.
I hope developing an official Android and iOS app is on the list. There are third party alternatives (such as the one I just mentioned), but if the goal is to be completely cross-platform then let's push those out too.
On the flip side, if the file in question contains an account to a questionable site, could you withhold the key/password to it under the clause against self-incrimination? I.e. you're sued for insulting Donald J. Trump's itty bitty tiny handsy-wandsies, but you also have an account at buymarijuanaonline.com, so you can't give them access to your password database, because you'll incriminate yourself in a different crime.
It is rather worrying that they mention "keypasshttp" as being one of the pull requests which were never merged, although it is all about functionality and not security, just to point out a few months later in another issue that users should stop using this plugin because of a vulnerability: https://github.com/keepassxreboot/keepassxc/issues/147#issue...
I don't really know how secure KeepassX is, but this fork doesn't look like it is any more secure, at least for the time being.
https://www.ghacks.net/2016/11/22/keepass-audit-no-critical-...
But I get:
> You have OS X 10.11.6. The application requires OS X 10.12 or later.
??
Edit: Looks like this is a known issue[1].
The last password program I used often, very often, had a corrupted database.