undefined | Better HN

0 pointsTheDong5y ago0 comments

Presumably the alternative to 'a password manager as a service' is 'a local password database and password manager which is not a service'.

This can be something like password store, or keepass, where the attacker needs both your password database unlock key / gpg passphrase, but also needs access to the database / gpg keys, which means either physical access, or at least access to your local files.

I think there is some merit to pointing this out. If 1password allows anyone to make login attempts against their service, that means some bored teenager with a botnet can make attempts at your password.

I use password-store, and I could tell you my gpg passphrase right now, but you still couldn't access any of my passwords. You'd need to get access to my yubikey and my psasword repository before you could do anything with that passphrase at all.

I think it's true that a setup like mine, which requires a physical hardware token to decrypt my passwords, is more secure than a password service, however I also think the parent comment is totally wrong. 1password without a hw token isn't the most secure option, but it's way better than password reuse on random sites.

0 comments

adambyrtek5y ago

I've never used 1Password, but both LastPass and Bitwarden support hardware tokens like Yubikey for two-factor authentication. Keeping the encrypted store locally might give you some edge, but I personally need to be able to access secrets from more than one device, and once you allow external access then the advantage of your solution compared to hosted services disappears.

TheDongOP5y ago

I don't think the advantage completely disappears.

Let's look at one possible attack: the attacker knows all my passwords, and they manage to steal my laptop from my car. What can they do in each scenario?

In the case of lastpass, bitwarden, or keepass, the attacker now has all my passwords. The 2fa token was used once in the past, so all the passwords are stored on the device, protected only by a password at most.

In the case of password-store with my gpg-private-key on the yubikey, the attacker still can't decrypt anything unless they also stole my yubikey, which I never leave unattended.

The fact that my private key on my yubikey isn't just required to sync or login (like it is for the 2fa case), but is rather where the actual decryption is done every single time I access a password, does have a difference.

I don't think the difference is very large though, no.

gilrain5y ago

> If 1password allows anyone to make login attempts against their service, that means some bored teenager with a botnet can make attempts at your password.

They would need to guess both your master password and your 128 bit secret key.

https://support.1password.com/secret-key-security/

eigenspace5y ago

I can agree that a 'password manager' as a service is less secure than a 'local password database that's not a service', but that's not the comparison the OP made.

They compared passwords as a service to reusing a single password and said it was the same, which IMO is foolish.

j / k navigate · click thread line to collapse