undefined | Better HN

0 pointsadambyrtek5y ago0 comments

I've never used 1Password, but both LastPass and Bitwarden support hardware tokens like Yubikey for two-factor authentication. Keeping the encrypted store locally might give you some edge, but I personally need to be able to access secrets from more than one device, and once you allow external access then the advantage of your solution compared to hosted services disappears.

0 comments

TheDong5y ago

I don't think the advantage completely disappears.

Let's look at one possible attack: the attacker knows all my passwords, and they manage to steal my laptop from my car. What can they do in each scenario?

In the case of lastpass, bitwarden, or keepass, the attacker now has all my passwords. The 2fa token was used once in the past, so all the passwords are stored on the device, protected only by a password at most.

In the case of password-store with my gpg-private-key on the yubikey, the attacker still can't decrypt anything unless they also stole my yubikey, which I never leave unattended.

The fact that my private key on my yubikey isn't just required to sync or login (like it is for the 2fa case), but is rather where the actual decryption is done every single time I access a password, does have a difference.

I don't think the difference is very large though, no.

j / k navigate · click thread line to collapse