I realize all this requires a great deal of trust in the maker of 1Password having done things right and currently I have that trust. This may change in the future of course.
I sent an email to the support team at the time asking some technical questions that the security report raised for me, and wondering how the team was planning to evolve the product going forward. They sent back a very in-depth, detailed answer that included info about some of the experiments they were doing to decrease the amount of time passwords were decrypted in memory, along with looking into Rust for better direct memory management than they could get with C# or Swift. All in all, the care and quality of the response gave me a great impression of the team and of their approach to user interactions.
[1]: https://www.securityevaluators.com/casestudies/password-mana...
Also Apple buying into using 1Password company wide helps gain some trust (I am sure there was some serious auditing): https://medium.com/enrique-dans/apple-and-1passwords-deal-sh...
Huh! One would assume they use Keychain with iCloud?
In other words, I am somewhat scared, but the usability is so fantastic that I find the compromise reasonable, especially with 2FA (TOTP or U2F using YubiKey).
Now, if only Apple finally learned that prompting me for my Apple ID password in a modal popup whenever they feel like it, without the ability to auto-fill is a no-no...
However, if it's the latter, KeePassXC now knows how to read the .opvault format: https://github.com/keepassxreboot/keepassxc/issues/1462 I could imagine teaching it to write their opvault file format, too, but at the time it wasn't a use-case that I needed
I would actually suspect teaching KeePassXC to read the 1Password.com cached vault would be even easier, since they now use sqlite3 for storage, but it would still -- afaik -- be confined to your local machine since their web API is undocumented
When adding an account to 1pass, it's important to click [save] before closing the tab, otherwise it's lost. (Having to pull passwords out of the PW generator history is a hack.) (It does support my belief/their claim that the pw decryption is done locally though.) To be fair, it used to be that you could accidentally click on the left pane and lose the unsaved account - they've fixed that in the latest of the 1PasswordX extension.
I haven't moved my entire life to 1password, so I don't have, eg, my passport or SSN or any outdoor licenses in the system, and the inclusion of such things degrades my user experience - imo the new button should make a new login, with a button on that panel/page to change type, rather than making me pick which type of secret I'd like to create when I hit the [+].
I have, however, added my credit cards, but as far as UX, in the main UI, I click on the credit card category, then click on the search and try to search for a website login, only to have 0 results. Not surprising, I don't have a ycombinator credit card, but the search results pane could surface hits in other categories if there are zero hits in the selected category - most (all?) of the data in 1Password is text, so I'm doubtful that full-text search is that expensive.
1PasswordX (the obvious chrome extension to install) doesn't work with TouchID without some extra configuring. (I set that for less technical people in my life, and that only came up after asking them why they stopped using 1pass.)
I'll give them a bit of pass on the difficulty of adding accounts on ios, but where many/most websites use email as username these days, maybe that could be autofilled when adding/creating logins manually?
And for my gripe about cloudification - I'm reasonably happy to pay a subscription (I currently pay for one, and am hopeful they're working on ^ UX issues), but every time I add something to 1pass, I question if adding secrets to a cloud/SaaS app, is going to royally fuck me over if AgileBits ever shuts down. Being able to save file-based backups to various places was reassuring. (Yes, this is a UX issue - it's not great if a customer questions if they want your product, each time they make the product more useful for themselves.) (See also: Trying to choose a Netflix title to watch, and giving up in disgust.)
TBC, I'm a (reasonably) happy customer, but I wouldn't hold up their UX as "well polished". I don't use it as a selling point when trying to convert people, certainly. At least I don't have to interact with it for the most part - I click into a password field, authenticate, and click autofill.
I'm sure I'll have to cave at some point what with the ongoing march of progress, but it leaves a bad taste in my mouth whenever a previously purchased product (i.e. 1Password) suddenly is asking for more money with no perceived benefit to me, other than getting to continue using a product I already bought.
I never really understood how it "syncs" but it's just git! Push and pull to update on every device. I use a private repo since site names are still metadata. You could put the whole directory tree in a tomb as well but that extension is only supported on mac or something.
Pass is the one thing that seems fairly universal I think and it's all just text files which makes things really nice. No worrying about will it work on mobile or if the browser extension is useless without an application.
For example, 1Password X is a standalone extension so you could use it on Linux while Dashlane requires the desktop application running on the host. The connection works but isn't always reliable when running non-natively, i.e. under WINE.
As for security, they're all fairly well audited I think? Remembear and 1Password both have external audits they pass, and provide remediation plans for any findings. Probably the same with Lastpass. Personally, I don't really think about it that much so I don't have a good answer. You can interpret that as me trusting providers but I have no real idea. I mainly just focus on the usability hah
With regards to Bitwarden, it has a wordphrase on the account which only you know. You can verify this when you connect to the cloud. You can run the server within your own cloud.
With the cloud, you can assume that the government has access to the encrypted database. If you have a strong password, it will take them longer to brute-force your database. We are talking about two governments here: the US government (most password managers are from US companies and are hosted in US clouds) and your own (who can attempt to ask for the data). This is no issue, but I believe you should by default not trust them. This is important because it should be part of your risk assessment.
It would probably be easier to attempt a MITM (with help of the password manager sysadmin). I've once seen a fake Lastpass login page (back when I used Lastpass).
Almost all password managers can import/export their database to CSV. This allows you to avoid a vendor lock-in.
For me there is a tradeoff. On one hand, Bitwarden's online offering where you trust them with your data is convenient, but also a single point of failure. If their server goes offline, you can't access your passwords (And servers do go down). On the other hand you can repair your own instance if it goes down and have full control over it. The only caveat with self-hosting being the overhead. Regular non-techie people just don't have the time or intellectual curiosity to experiment with self-hosting. For me personally I just sync a Keepass database with Dropbox and call it a day.
If it were just the risk of brute-forcing, I have a hard time believing this to be a real problem. Use a secure enough passphrase etc. (and if that's not good enough, they could also just brute-force into most of your accounts anyway). IMO the relevant threat model is more that they can convince/coerce the provider (or do it themselves) to change the javascript that does the client side decryption.
I use bitwarden for a good fraction of my login data, because I don't currently consider this part of my threat model...
I'm not fully convinced by bitwarden, especially the 2nd factor integration, which IMO isn't good enough. But I've not had enough time to look much further.
I wish there were something that used (as a second round of encryption) a key residing on a yubikey to decrypt the password of individual entries, without going through gpg. Going through gpg just seems too complicated and fragile to me, and has annoying restrictions like not really allowing multiple yubikeys.
Just thought I'd stick that here to save others the googling.
Edit: to export the public key you can search Google, I'd recommend saving it in a yubikey or in a usb with encryption.
Personally, I use OpenKeychain[1] on Android, Kleopatra[2] on Linux, GPG Suite[3] on macOS and Pass[4] for iOS/iPadOS
Phew, that's a lotta apps but you can just pick and choose whatever you prefer. I have no idea about Windows myself. Once I imported my keys (public + private) into each application, I never really had to touch them again.
As I mentioned, I use my GPG key for signing my commits. I think I saved my password to my laptop's keychain so it automatically signs my commits without my interaction.
Similarly, Pass automatically encrypts and decrypts everything without my interaction. Whether that's a good idea security wise aside, it works fairly seamlessly. Pass on my iPad is quite literally just a pull to refresh. I would have thought it'd be much more painful with all the GPG nonsense in play!
So, back to your questions:
> Does your setup require copying the same key to each device?
Yes but only once. It may also require entering your password anywhere from every time to never depending on your settings. For my android device, I have to do it once every restart but after that, a process keeps my "store" open for example.
> What would happen if someone got your gpg key?
Presumably they could take all of my passwords and sign my Git commits as if they were me.
Personally, I have no strong investment in my GPG key, nor am I someone well known so this would have little to no effect beyond being a big annoyance. I would still own my email account so I'd still be able to reset the majority of my passwords.
Actually, I don't know my email password (since it's randomly generated) so I'd have to cross my fingers and hope the attacker hasn't revoked any of my sessions. Once again, no different than any other password manager. At least losing the key would be my fault, and not that of a third party I suppose.
> What would happen if you lost the key?
Presumably I'd lose all of my passwords but once again, that's no different than the single master password setup of those cloud based password managers.
I didn't realize until I looked it up just now but you can apparently generate a revocation certificate, separate from your key. From what it says on the tin, I imagine you can keep that safe and if you did lose your key, use it to tell any of the popular key servers that it's gone.
That wouldn't do anything to get your password back though, it would just signal to anyone looking up your key, that they shouldn't trust it.
Anyway, that was a bit of a tangent but the best way to learn is to just play around with GPG keys. The only reason I know the little I do is purely through making mistakes :) I went through heaps of keys myself (I forget why) before I finally settled on my current one. You can even see some revoked ones here http://keys.gnupg.net/pks/lookup?search=marcus%40thingsima.d...
[1] https://www.openkeychain.org/ [2] https://www.openpgp.org/software/kleopatra/ and https://kde.org/applications/utilities/org.kde.kleopatra [3] https://gpgtools.org/ [4] https://github.com/mssun/passforios
While I’d love for everything I use to provide an easily accessible *nix shell it just isn’t practical for phone use or modern computing environment where you can access cloud data using web services from any internet connected computers/devices.
FWIW, using Termux on Android enables practical phone use of many command line programs.
Since I absolutely need a cross platform password manager, especially on mobile, I felt this to be the most logical solution.
https://itunes.apple.com/us/app/pass-password-store/id120582...
Yes, the code is open source, but unless you download the code yourself and compile it, which not many people do on desktop and no one does for mobile clients, you have to trust the deploy process of a random group of people. None of the people even have to be malicious. They just have to have an insecure deploy process (which allows an attacker to insert code), which is extremely common in open source. Very few if any open source projects have audited their deploy process and have monitoring for vulnerabilities or exploits happening. It's just too time intensive/expensive for a side project someone isn't getting paid for.
I prefer to trust an organization that has gone through tons of audits. Not just on whether the client is secure (can encrypt securely), but that their software development lifecycle is secure. They also have a huge financial incentive to keep things secure, which is not the case in open source.
while long for a shell script, that's pretty easy reading for a password manager, and easy enough to understand.
I moved from Lastpass to pass(https://www.passwordstore.org/). It's by far the best decision I've made in a long time (I've moved a lot of services over to my servers and self host pretty much everything)
I use Mac, but it works on any machine to my knowledge and the great thing is:
1. Uses your keys, so ONLY YOU can decrypt it (gpg keys)
2. Has Chrome/Firefox extensions that automatically fill out passwords
3. Can upload the encrypted passwords to git to use on other machines (presumably)
4. Dead simple to use (go on terminal and generate random passwords, bunch of other goodies)
5. As said previously, it's all on your machine, no one else having access.
Currently using keepass. I would migrate to pass since I enjoy managing data via command line, but what I don't like is depending on a gpg key being installed in order to use it.
https://itunes.apple.com/us/app/pass-password-store/id120582...
I just use https://www.passwordstore.org/ and it works great (I have 300+ passwords stored for years). It's a local command line driven password manager and it's pretty great for developer based workflows because you can save multi-line strings which makes it perfect for saving API keys and other sensitive stuff, along with the password you used to sign up to the site.
It's also smart enough to copy the first line of a multi-line entry to your clipboard, so you can access your passwords to login on a site within a few seconds. Especially since you can navigate your entries on the command line with auto complete.
It also leans on GPG encryption instead of trying to invent its own security mechanism.
1. My browser vendor can access my browser passwords anyway.
2. It's better to trust fewer vendors and pieces of software.
3. Copying passwords to clipboard is awfully insecure.
4. Trying to remember all passwords is also awfully insecure.
I do not save any money-related passwords. I do dream of switching to pass from time to time.
3. Can actually be mitigated, or other options can be used. For example, in my browser I disabled JavaScript clipboard access, so that random websites can't access my passwords. You mention pass, an excellent non-cloud option, which I personally use with a script that types in the password as if it was a keyboard - but Firefox and Chrome plugins with autofill are available, and those are offline.
Also it's quite difficult to keep up with all the apps on my system and all of them can follow the clipboard. I didn't even consider random websites.
I save all money related passwords... Much safer than my faulty memory or having them listed in a doc somewhere.
> 3. Copying passwords to clipboard is awfully insecure.
Not that I am aware of. What would make it insecure?
Normally when you use a password manager you have to trust the password manager, the browser and the OS. By copying to clipboard you have to trust every piece of software you ever installed and every update they later got.
So you remember unique, high entropy passwords for all your money related sites? If not, you might be putting yourself at greater risk than syncing the passwords.
But yes, I do remember a bunch of important unique passwords, and I do have to reset them occasionally by physically visiting and showing my id.
https://www.reddit.com/r/Bitcoin/comments/cxtfak/coinomi_wal...
TL;DR: Someone in google is sniffing autocorrect text and when they find 12-word bitcoin seed phrases they are stealing the bitcoin. This is a serious breach of trust. If someone from Google is reading this please take it seriously.
EDIT: On further research it may not categorically be someone in google if the autocorrect text is sent in plain text. Autocorrect text should not be sent in the clear though. See here for more information: https://avoid-coinomi.com
This[1] report on this incident (commissioned by the wallet creators) makes me skeptical that autocorrect or Google was involved at all. I think some sort of malware or phishing to steal the seed was a much more likely attack.
[1] https://medium.com/@cipherblade/how-not-to-react-when-your-c...
If both were provided by the same vendor then security motivations would not align. E.g. the vendor could reason that it's ok to do server-side encryption instead of client-side for whatever reasons. Or they could capture your master keys and decrypt old backups long after you have deleted things when compelled by a secret court order.
Separating storage and software means the software developer should consider the storage provider as potentially hostile and design the password manager accordingly.
Additionally a separate solution also increases data mobility. You can use your home server instead of cloud providers, you can move vendors instead of being locked into a single ecosystem.
That said, storing your key files offline is still another layer of security that has to be breached, storing it publicly accessible means you are only as safe as your hashed password.
Another concern, unrelated to the cloud aspect, is browser integration for password managers. It's something one should avoid since the browser extensions closely interface with the websites. It increases the risk that a bug in the extension allows a site to trick them into revealing the wrong secrets in an automated fashion.
For other people, such as family members: I totally recommend it. It is way better than whatever password reuse they are doing now, and the chances of a breach are low enough.
My point being: I think they are overall better than not using anything, but if you have the knowledge and diligence to keep an offline encrypted file (and its backup!) up to date, then I would suggest doing that instead.
I have a KeePass file and use Syncthing to share it across all my devices. The keyfile is not synced and I manually send to any new device. Syncthing works well and most KeePass clients can nicely merge two KeePass databases in case of conflicts. Firefox integration with Kee.pm is really convenient.
For me this works really well. It was easy to setup and in my opinion it is very much worth it if you want to avoid third-party hosting.
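A worked version of the keyfile arrangement from the two comments above (the keyfile stays off the sync folder, so a copy of the synced database alone is only as strong as the password), written here as an added example rather than KeePass's own code. The composite-key step follows the shape of the documented KDBX scheme (hash each component, then hash the concatenation); the slow key transformation is PBKDF2-HMAC-SHA256 standing in for AES-KDF/Argon2, the "database" is reduced to a check value over the final key, and the round count, wordlist, seed and keyfile bytes are constructed for the demo.

```python
"""Why an un-synced KeePass keyfile survives a leak of the synced database.

Added example, not KeePass code. Only the composite-key step follows the
shape of the documented KDBX scheme (SHA-256 over the SHA-256 of each key
component); the slow key transformation is PBKDF2-HMAC-SHA256 standing in
for AES-KDF/Argon2, and the "database" is reduced to a check value over the
final key. Round count, wordlist, seed and keyfile are all constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional

TRANSFORM_ROUNDS = 10_000  # assumption: real databases use far more work


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """KDBX-style composite key: hash each component, then hash the concatenation."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def transform_key(composite: bytes, seed: bytes) -> bytes:
    """Slow, seeded key transformation (stand-in for AES-KDF / Argon2)."""
    return hashlib.pbkdf2_hmac("sha256", composite, seed, TRANSFORM_ROUNDS)


def lock_database(password: str, keyfile: Optional[bytes], seed: bytes) -> bytes:
    """What an attacker who copies the synced .kdbx obtains: a check value
    over the final key (stand-in for the header HMAC), plus the seed."""
    final_key = transform_key(composite_key(password, keyfile), seed)
    return hashlib.sha256(b"kdbx-check|" + final_key).digest()


def unlocks(check: bytes, password: str, keyfile: Optional[bytes], seed: bytes) -> bool:
    return hmac.compare_digest(check, lock_database(password, keyfile, seed))


def brute_force(check: bytes, seed: bytes, candidates: Iterable[str],
                keyfile: Optional[bytes]) -> Optional[str]:
    """Offline guessing against the stolen check value."""
    for pw in candidates:
        if unlocks(check, pw, keyfile, seed):
            return pw
    return None


# Constructed demo material
WORDLIST = ["password", "letmein", "hunter2", "correct horse", "qwerty123"]
KEYFILE = bytes(range(32))  # in practice os.urandom(32), kept out of the sync folder
SEED = b"constructed-transform-seed-32-bytes!"  # lives in the database header
WEAK_PASSWORD = "hunter2"
DB_CHECK = lock_database(WEAK_PASSWORD, KEYFILE, SEED)


def demo() -> dict:
    return {
        # attacker has the synced .kdbx and the keyfile: the weak password falls
        "with_keyfile": brute_force(DB_CHECK, SEED, WORDLIST, KEYFILE),
        # attacker has only the synced .kdbx: the wordlist is useless
        "without_keyfile": brute_force(DB_CHECK, SEED, WORDLIST, None),
        # even the exact password does not open it without the keyfile
        "right_pw_no_keyfile": unlocks(DB_CHECK, WEAK_PASSWORD, None, SEED),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the comment about storing key files offline: with the keyfile held back, the wordlist attack against the Dropbox or Syncthing copy has nothing to guess against, while the same weak password falls immediately once the keyfile is in the attacker's hands too. The keyfile does not excuse a weak password; it just means the synced file is not the whole secret.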
The final password is 12-16 random characters for LastPass + 3 chars Nonce that I generate from the service name (in my head) and a short 5 character password.
If LastPass leaks the secrets no one is able to take over the accounts easily.
For services that don't matter much I just store the whole password in LastPass.
Due to this, I keep all of my passwords offline, as far as possible. For mobility and comfort reasons, I developed Authorizer (https://github.com/tejado/Authorizer):
"A Password Manager for Android with Auto-Type over USB and Bluetooth, OTP and much more.
The idea behind Authorizer is, to use old smartphones as a hardware password manager only. To avoid manual typing of long and complex passwords every time you need them, Authorizer provides Auto-Type features over USB and Bluetooth. It pretends to be a keyboard (e.g. over a USB On-The-Go adapter) and with a button press inside the app, it will automatically type the password for you on your pc, laptop, tablet or other smartphone."
The only way I can see someone getting to my passwords is by getting malicious code into the browser extension and/or mobile app. That means the only viable attacks are through Mozilla and Google, who I already have to trust for my browser and mobile OS.
I don't really mind having my passwords hosted somewhere else by someone else. I don't really trust myself to do it properly and I have a lot of other things to worry about. If I ever end up being an "important" person I can always export my passwords and save them locally. Or more likely run my own instance of Bitwarden.
NOTE: Reading through most of the answers here makes me think that everyone is hoarding state secrets or has billions of $$$ in the bank. I just want to log into my airline and check in for my flight, or comment on HN. I'm not trying to keep a state actor at bay.
Lastpass has had an intrusion in the past (2015) and is closed source.
Site below has a list of some security incidents related to password managers. https://password-managers.bestreviews.net/faq/which-password...
A secure password manager would need to have the decryption keys offline, client side, safe from central attacks.
I mean as far as I already trust their OS, nothing can really protect me from being spied on by them if they are ill-intentioned, so as long as they are serious and patch their security flaws in a timely manner I can live with that. Besides, it comes as a free plan if you don't need more than 5GB of iCloud storage.
I'd figure using an external password manager just adds another third party I need to trust, and the fact that 1Password offers a browser app interface (on top of native) doesn't reassure me in any way.
Of course if I'd ever need to reassess my threat model because I can't trust Apple anymore, I will quit iCloud service at the same time as their OS and go full FOSS.
I prefer to store a KeePass encrypted DB on Dropbox rather than going for 1Password cloud.
Plus Keepass is opensource...
I also find it extremely important for my password manager to be available on EVERY platform I might use. Not just the popular ones a company can make a business case to support. Historically this has been a bigger issue than at present, but it's still a big one to me.
Just because of the LastPass experience I'm not sure whether I would try something else.
About a month ago I switched to BitWarden and it's been phenomenal. The UI is great, as is their mobile application. I've also heard good things about KeePass.
At work I’ll see people — the security team, usually — taking some already-encrypted thing and re-hardening it to the nth degree. I think that’s stupid. If you don’t trust your encryption, don’t bother using it. If you do trust it, stop there. It’s maths. It’s proven.
I feel the same about 1Password. I trust that they encrypt my stuff with trusted encryption. That’s it.
If you are encrypting a password store and using the cloud only for sync, you're trusting an encryption standard.
If you are using a cloud based password manager from a service provider, they may be using encryption, but your trust has to be in the company and their employees.
It's a rather large distinction.
No they are not. That’s one of the things that makes designing correct crypto systems difficult. Going the wrong way through most cryptographic trap doors is conjectured to be difficult but I’m unaware of a single one that’s proven.
Given a ciphertext, the only information available is its length.
For example, some backup providers will encrypt your data for transport to their machines and then reencrypt them for storage. Would you trust TLS implementations in the path and provider's application to protect your data? Or would you rather encrypt yourself and only then let the provider handle it?
Additionally, I also believe that:
1. I should have access to all my passwords without a working or stable internet connection
2. And that I should leave as few ways for social media/cancel culture pressure to affect my life as possible.
Hence offline systems like KeePass work fine for me. I can trust they're not providing backdoors, I don't have to worry about a third party server getting hacked, they're accessible offline and if I end up in a controversy, my enemies can't do anything to get my account suspended or terminated.
And of course, Keepass XC is always a very formidable password manager.
We all know how, just after some years, all encryption can be rendered useless by some technical advancement or mathematical breakthrough (potentially).
In my opinion you are far better off with some device (mooltipass, yubikey) that holds your credentials because you have physical control over it and the chances your encrypted passwords are stolen are much lower than going with the cloud option.
This isn't about being paranoid but about minimizing the risk of one's credentials being exposed/compromised.
We trust entities far too much for my taste and next to credentials I also don't feel comfortable with private pictures and videos of/with me being uploaded to some cloud.
1. Something could go wrong in transport (poor SSL/TLS, compromised devices in between (MITM) and weak crypto)
2. Something could go wrong on the company's side (failure to implement crypto properly, usage of weak crypto, bad server security)
3. Most encryption can be broken and it probably will be broken. This isn't about the fear of quantum computing but plain logic. Crypto often relies on some mathematical assumption that states that no one can break something in a realistic amount of time (e.g. discrete logarithms), which is rendered useless by superior equipment/power to calculate. Then there are implementation details which are too complex (or the people who implement them just don't take enough care) to be executed in the correct (=secure) way, easily.
This is a problem we can see on many waypoints in these scenarios and this fact for itself increases the risk of being compromised in a scale I'll always try to weigh in and to minimize.
It's my opinion that you end up having to trust someone, and having a password manager that I can arbitrarily make new identities with secure passwords automagically outweighs the small (imo) chance that the password manager is untrustworthy.
I'm not a fan of cloud storage that much anyway - not after Dropbox invited C. Rice to board of directors. [1]
[1]- https://en.wikipedia.org/wiki/Criticism_of_Dropbox#April_201...
It’s the same with backups. I can’t be trusted with my own data. I’d rather let someone else keep it.
Do you pore through all the logs on your system every few minutes looking for anomalies? Do you inspect every line of code before it gets anywhere near production?
Passwords are too important to evaluate a manager on convenience primarily. I think it is a little strange that banks do not work to get in this area. You trust your bank or else you would not keep your money there. I know too little about the main password manager companies to know if they are trustworthy.
I guess this is too small a domain for banks but I think it would be interesting to see what happened if they moved into it.
That being said, I do have a safe deposit box with backups of important documents and a KeePass DB. The KeePass DB isn't synced as often as my local copies, but does get synced whenever I change passwords on any crucial site. I do have a copy on onedrive, but if I lose access to my password manager I won't be able to login to onedrive to access it. It's a little bit of work, but there are certain things that are definitely worth backing up in a secure location. Plus, there's a printed copy of my KeePass credentials and access information for relatives in case I'm gone.
The biggest issue for me is transparency and complexity, most of them are just as "blackbox" as any other service.
I am using KeePassX with git + gpg on my own server for extra encryption and sync, this solution is simple and future-proof.
and I might switch to my own script in future, dir + txt + git + gpg should be enough.
Need a random password? head -c 48 /dev/urandom | base64 | cut -c 1-64
Grouping? Just different directories.
Please also remember, there is no cloud, just other people's computer.
Keepass does everything I need and supports all platforms I use. Sync isn't comparable but then again I don't register new accounts or change passwords every single day, so this is an area where sync features beyond what I get with syncthing are pretty irrelevant to me.
I used to use rsync (bittorrent-sync) to keep my own hosts up to date against each other. This was painful to manage so I accepted the bitwarden cloud model.
The risks are there, for sure. If you doubt the crypto behind your keystore, where it is should worry you little because how insecure it is should not be about where it is: its about how its shrouded, and how what is shrouded can be revealed.
My belief in the shroud protecting my secrets is my belief in their ability to code to the spec. it wasn't founded in my use of a private filestore to back the keystore, although I did, and I prefer private files, to private cloud files, to cloud files hosted by some intermediary, to public cloud.
Bitwarden is a private cloud file, hosted by some intermediary. The risk here is twofold: the intermediary is broken and its persisting filestore is readable, and bitwarden is broken and its interior private view becomes visible.
My best belief is that no part of my interactions depends on bitwarden knowing the interior state of my keys. They only handle shrouded data, and either I run apps which decode locally, or I run javascript which decodes locally, but I do not expect or believe any transit of the un-shrouded state of my data routinely has to flow through their hands. And that belief persists because of the limits they state on how they can help recover my keystore if I lose critical information. If they are truthful here, they cannot help me if I lose the escrow passphrase, because nothing they hold is the decrypt of my shroud. I have to give permission to de-shroud the protecting key on their side; it's otherwise only used locally to me. (If somebody breaks the .js code, then the filestore being in the cloud is irrelevant.)
1Password made the same kinds of commitment to me. As do LastPass and a number of other people. They all have to be comparable in this regard because its the fundamental business model.
At one stage, there was some leakage in the model for some keystores. The file names un-necessarily encoded revealing parts of the URLs they related to. I think thats changed now. It was scary. I had assumed everything was shrouded, it turned out for some period of time, only passwords and identity inside the URL had been fully protected. They changed that. I think it was 1password, it might have been lastpass. It wasn't bitwarden because I moved to them earlier this year and that was 2-3 years ago or more.
If I have misunderstood and sometimes my data is visible to them in clear, on their machines, I'd love to know.
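What the comment above describes (the provider handles only shrouded data, cannot recover the vault if the passphrase is lost, and the cloud location stops mattering once the client code is broken), as an added example that is not Bitwarden's code. The key hierarchy follows the shape Bitwarden documents publicly: a PBKDF2 master key salted with the e-mail, a separate login hash derived from it so the server can check logins without holding the master key, an HKDF-stretched key that wraps a random vault key, and per-item encryption under that vault key. The symmetric cipher is a toy HMAC-SHA256 counter-mode stream cipher with an HMAC tag, standing in for AES-256-CBC + HMAC-SHA256 so the whole thing runs on the standard library; the iteration count, e-mail, password and vault item are constructed.

```python
"""Client-side vault encryption with cloud sync: the server only ever handles
"shrouded" data, as the comment above describes.

Added example, not Bitwarden's code. The key hierarchy follows the shape
Bitwarden documents (PBKDF2 master key salted with the e-mail, a separate
login hash derived from it, an HKDF-stretched key wrapping a random vault
key). The cipher is a toy HMAC-SHA256 counter-mode stream cipher with an HMAC
tag standing in for AES-256-CBC + HMAC-SHA256. Constants and data are constructed.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 10_000  # assumption: real clients use 100k+ PBKDF2 or Argon2


def hkdf_expand(prk: bytes, info: bytes) -> bytes:
    """Single-block HKDF-Expand (RFC 5869), 32-byte output."""
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: iv || ciphertext || tag."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, iv, len(ct))))


class Client:
    """All secrets are derived or generated here; none leaves the device raw."""
    def __init__(self, email: str, password: str):
        self.email = email.lower()
        self.master_key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                              self.email.encode(), KDF_ITERATIONS)
        # Login credential: one more PBKDF2 round over the master key, so the
        # server can verify logins without ever holding the master key itself.
        self.auth_hash = hashlib.pbkdf2_hmac("sha256", self.master_key, password.encode(), 1)
        self.stretched = (hkdf_expand(self.master_key, b"enc"), hkdf_expand(self.master_key, b"mac"))

    def enroll(self):
        """Random 64-byte vault key (enc||mac); only the wrapped form is uploaded."""
        self.vault_key = os.urandom(64)
        return self.auth_hash, seal(*self.stretched, self.vault_key)

    def unwrap(self, protected_key: bytes):
        self.vault_key = unseal(*self.stretched, protected_key)

    def encrypt_item(self, item: bytes) -> bytes:
        return seal(self.vault_key[:32], self.vault_key[32:], item)

    def decrypt_item(self, blob: bytes) -> bytes:
        return unseal(self.vault_key[:32], self.vault_key[32:], blob)


class Server:
    """Holds a salted hash of the login hash, the wrapped vault key, ciphertexts."""
    def __init__(self):
        self.users = {}

    def register(self, email: str, auth_hash: bytes, protected_key: bytes):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "protected_key": protected_key, "items": [],
                             "auth": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, KDF_ITERATIONS)}

    def login(self, email: str, auth_hash: bytes) -> bool:
        u = self.users[email]
        return hmac.compare_digest(
            u["auth"], hashlib.pbkdf2_hmac("sha256", auth_hash, u["salt"], KDF_ITERATIONS))


def demo() -> dict:
    server = Server()
    laptop = Client("Alice@example.com", "correct horse battery staple")
    auth, protected = laptop.enroll()
    server.register(laptop.email, auth, protected)
    server.users[laptop.email]["items"].append(laptop.encrypt_item(b"news.ycombinator.com: hunter2"))

    # Second device: same password, pulls the wrapped key and decrypts locally.
    phone = Client("alice@example.com", "correct horse battery staple")
    stored = server.users[phone.email]
    phone.unwrap(stored["protected_key"])
    restored = phone.decrypt_item(stored["items"][0]) if server.login(phone.email, phone.auth_hash) else None

    # Wrong password: the server rejects the login and the wrapped key will not open.
    evil = Client("alice@example.com", "wrong password")
    try:
        evil.unwrap(stored["protected_key"])
        rejected = False
    except ValueError:
        rejected = not server.login(evil.email, evil.auth_hash)

    return {"restored": restored, "wrong_pw_rejected": rejected,
            "server_holds_plaintext": b"hunter2" in stored["protected_key"] + b"".join(stored["items"])}
```

Two things in this layout answer the comment's question about whether the provider ever sees data in the clear. The server's record is a salted hash of a hash, a wrapped key and ciphertexts, so a dump of it gives an attacker (or a compelled provider) only an offline guessing target at PBKDF2 cost, which is the brute-force discussion earlier in the thread. And because the vault key is random and only ever wrapped under the password-derived key, losing the password loses the vault; nothing the server holds can reconstruct it, which is exactly the recovery limit the comment treats as evidence. None of that helps if the client code that does the derivation is replaced, which is why the comment's closing parenthesis is the real threat model.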
The reason I went with the cloud sync is that I have to share secrets over multiple companies with all kinds of people and 1Password is simply the best compromise of convenience and security I found.
1. All my important stuff has two-factor auth, so a malicious password manager company couldn't get in anyway.
2. If you're using one of the major vendors with a reputation and a paid service, that produces a fairly strong incentive for them to not be intentionally malicious - if they were caught distributing an update that made it possible for the companies to see your passwords, nobody would ever use them.
(All the major password managers do client-side encryption; they don't store plaintext passwords themselves. They do distribute the client that lets you decrypt passwords, but that's it.)
So that leaves accidental risk (bad crypto, hijacked update chain, client-side vulnerabilities). Out of the options, I'm comfortable with the track record of 1Password in particular.
I'm very interested in open-source options, but the major ones are all proprietary and the open-source ones are all volunteer-driven and I think the risk tradeoff is wrong. It's not a decision I feel 100% comfortable about but between the options of proprietary-but-professionally-maintained and open-source-but-hobbyist-maintained the former seems vaguely preferable for security-sensitive software, especially given that one of my requirements is I want to use a password manager extension.
Shameless plug, I have a personal digital security podcast and we took a look at various password managers and their security track records recently: https://looseleafsecurity.com/episodes/password-manager-secu...
Passwords are those little peckers that make everyday life with a computer uncomfortable. So it would make a lot of sense to sync them between all the machines I use. But it's never going to happen that I store my passwords on your computer!
You must rip them out of my dead, cold hands!
Locally, I use KeePass and KeePassX on Windows, Android and Linux and Keychain on macOS.
I haven't done an organized comparison of password managers.
I use KeePass, well now I guess it's KeePassXC, and I keep up with my onsite backups. There have been way, way more problems with 3rd party and cloud based services than I've had with my private system.
I've survived a couple of hardware failures, a few problems I created myself, and effortlessly migrated from Windows to MacOS to Linux in the meantime.
Also, the 1password support guy was super super super nice to me. Well, the Bitwarden support guy/gal (i don't remember that one) was nice too.
Speaking of trust, I mean that's quite complicated, right? No matter what justification I give, there is some risk and a lot of technicalities which I am not aware of.
I have personally read through keepassxc source - haven't read the Android client. I have syncthing on my todo list.
Key design: encryption/decryption happens locally, using standard open-source tools such as GnuPG. The cloud provider cannot _possibly_, ever know your actual contents; they only store them so you can't get locked out (which is a very real risk with `pass`; safeguarding our underlying private keys is currently completely left up to us).
Also, a convenience layer could be offered on top of GnuPG; that should be open source, distributed as a non-binary and paid via honor system (also one can pay just for the mentioned hosting).
For company use, I do use online password managers (1password), as they generally offer a good UX experience for less technical users, and there isn't strong rationale to believe companies focussed on password storage/transfer have bad practices in place. I also place some of my passwords in these password managers, generally passwords that don't do high amounts of damage if compromised.
Totally, given the choice for a technical team, as many others have pointed to, I like pass or gopass as a team password mechanism, synchronizing passwords over git, encrypted locally.
I'm pretty sure my reluctance or hesitation around cloud password managers stems from how hard it is to know who to trust. Companies pretty much universally have poor practices, missing controls, and will misrepresent or be susceptible to internal dogma about how good the tools and practices are. Allowing online sync of passwords increases the surface area; more things have to be perfect to prevent a compromise than in non-online systems.
The really difficult part, though, is that it doesn't mean the cloud-based manager is actually less secure than a more traditional app; a decent amount of the surface area of both applications intersects. Think of things like a compromise of the build server: unless you're running the app totally isolated from the internet, both online and offline apps can get compromised in the same way, and pick-your-favourite offline app may have higher risk than pick-your-favourite cloud app based on internal controls that aren't talked about.
So with this in mind, for me it comes down to making a choice of trust on very imperfect information, really only with the public history of a vendor and how they present themselves externally. So given that imperfect information, I tend to place a higher weight on solutions with less surface area; there are fewer pieces for the vendor to get perfect to protect the system. And even with online password managers, I never install the browser autofill extensions, again to limit surface area.
That said, with password handling the choice of password manager and how it operates is also likely a smaller concern. As in most companies have bad password rotation practices when say an employee quits, or their laptop is compromised, etc. It would be cool to see a standard protocol for a password manager to be able to go in and rotate passwords automagically, and continue to see progress towards SSO and U2F/FIDO2 security keys universal adoption.
Additionally, using an open-source password manager that you can audit alleviates any further paranoid concerns you may have. If you also worry about the cloud provider suffering a severe outage then you can always keep offline backups. Assuming that you have the expertise and time you can implement a solution yourself but it always depends on your threat model and your level of paranoia.
Plus it is a huge registry of metadata: any site that I store a password for gives them knowledge that I do use that site.
I tried a few local solutions; sadly for my use case they both need to work in a shared way (some passwords are used by multiple colleagues at work, for example, as they are company-wide accounts for external sites that do not support individual accounts), and they do need to work on Windows in a non-cumbersome way.
Prior to doing this (requirement for my job) I didn't have any particular set up, so in comparison this feels really good.
Main grumble is I don't pay for Dropbox so have a device limit, so end up just downloading database onto extra devices which mostly works but sometimes requires redownloading to get latest and potentially uploading to Dropbox if I have created a new password. Maybe I will pay for Dropbox sometime (as let's face it, it is useful beyond this case).
I would be interested in hearing how many passwords / accounts people have. I am well above 100, I think in the 200 range, so the idea that I could have different passwords, and remember them, is just silly. Password management has to happen, and the best way I can think of is to store a majority in a very well encrypted file.
I do memorize a few key accounts.
I don't mean to hijack the thread, but allow me to ask what you guys use within your company, if anything. Do you use a cloud solution, something self-hosted, or nothing?
I have considered encrypted notes for low-security passwords, but find the sorting and too-easy editing functions of notes not great for copying and pasting.
I want to use iCloud Keychain, but I like having a desktop client to manage passwords; however, I found that if I created a password set on macOS it wouldn't appear in the iOS keychain. Anyone know why?
So the passwords in pass itself are protected by gpg. The Google instance is protected using ssh. Amazon drive is protected using 2-factor auth.
No single cloud provider can get at the passwords, but the password database is backed up at multiple locations.
I would generally trust them to want to do the right thing, but software vulnerabilities or crypto bugs (weak IV initialization or so) are reasons to not do this. Unlikely, but the impact is large. But the chance (and impact) of losing all your passwords is even larger.
I trust them.
That said, I use my own remote storage (not cloud) with keepass's sftp plugin.
My current setup:
On non-critical services (social media etc.) or websites with U2F, I reuse passwords.
For everything else, I use Purse[0] with Yubikey.
1. I don't trust my mobile device
2. I don't like the odds of it being stolen or lost
3. I don't need the constant distractions anyway
I use Codebook which provides phone and desktop apps, and allows database syncing over LAN. It’s the best solution that gives you both ease of use and syncing.
1Password, for instance, has a pretty good security doc about it: https://1password.com/files/1Password%20for%20Teams%20White%...