undefined | Better HN

0 points40four4y ago0 comments

An “Ask HN” was just trending about this yesterday (https://news.ycombinator.com/item?id=29705957). Sounds like a good reason not to trust any third party service with my password database to me.

I’ve always taken the route of managing my own local Keepass DB & key files. Sure it’s more cumbersome, but it prevents me from having to decide whether or not to trust some third party vendor or not.

I know 100% that I’m in full control and I’ve never put my DB or key file in the cloud. I can sleep sound knowing that whatever password service, or file sharing service, somehow getting compromised, cannot endanger one of my most valuable assets

0 comments

phs318u4y ago

I recommend this every time a similar news item gets posted. Password Safe (designed by Bruce Schneier). I use the iOS and Linux apps and keep them synced via DropBox. Been around for years (I've been using it almost as long). Still getting updates. Still works. https://pwsafe.org

lelandfe4y ago

Do they ever have a third party audit their code?

renata4y ago

Also my password manager of choice. There's an Android app as well: https://play.google.com/store/apps/details?id=com.jefftharri....

bennysomething4y ago

I've been doing this for years too. I recently bought two yubi keys and now don't rely on a master password for it. However now I'm scared I could lose my yubi keys.

Not sure what I can do about that.

OOPMan4y ago

Buy more keys, configure them as dupes and store somewhere secure but accessible given a day or so?

thayne4y ago

For a personal password manager, that works ok, although syncing between multiple devices can be complicated and is sort of what I do, but it is much more difficult when you need to manage shared password for a team. At the very least you need some sort of locking mechanism to prevent accidentally overwriting someone else's change. And you also probably want an audit log, admin override capabilities, ability to grant different levels of access to different groups, etc.

Pass with a git repo satisfies some of those requirements, but it isn't very user friendly for non-technical users, and fine grained access controls and groups is tricky.

gruez4y ago

>I know 100% that I’m in full control and I’ve never put my DB or key file in the cloud. I can sleep sound knowing that whatever password service, or file sharing service, somehow getting compromised, cannot endanger one of my most valuable assets

What's the risk of keeping the keyfile/password on your device(s) but uploading the database to the cloud? Assuming your keyfile has enough entropy (eg. 256 bits), your database is good as useless without the corresponding key file.

fragmede4y ago

Because something like this break will happen, and the fewer suspects the better. Maybe the code to upload the encrypted version is buggy, maybe the code hits a bug that uploads the private key to Dropbox... there are all sorts of "maybes", no matter how remote. If the file never touches, eg, Dropbox's servers, then there's zero possibility the break happened because of something related to Dropbox. Maybe the keys used are weak in some manner that is later discovered.

Do you own assessment of all of the "maybes", and come up with your own conclusion and practices. Someone else's hard drive is not to be trusted, but it is convenient.

XorNot4y ago

I use KeePass with Syncthing, which works across all my PCs + Android. It's a good option if you don't want to use Dropbox or similar.

toyg4y ago

I wish there was an integrated solution for this approach. Both programs are relatively hard to use in isolation, for "civilians"; combining them is pretty hard.

Password management, afaik, still needs a zero-knowledge cloud-agnostic solution that is easy to set up and run. There are the big boys (1password, bitwarden, LastPass) and then there are local-only solutions; in between, where the sweet spot should be, there is only a bunch of hacks. The issue is monetization - the incentives for that side are towards centralizing.

perlpimp4y ago

Still using 1password6 not trusting the cloud store.

j / k navigate · click thread line to collapse