undefined | Better HN

0 pointsawelxtr4y ago0 comments

> A lot of people (do not trust password managers, case in point the recent last pass scare.

That's no excuse. KeePass allows having the database file locally where it's you duty to manage it.

It might be less convenient, maybe. But I don't see valid excuses for people to not start using a password manager, even less the less tech savvy people.

0 comments

shepherdjerred4y ago

It’s completely valid to distrust password managers. No software is free from bugs, or accidentally exposing your passwords. It might take a lot of work, but it’s certainly possible.

There’s also the possibility of mismanaging your password database and losing all of your data.

witrak4y ago

> It’s completely valid to distrust password managers.

Is it, really? And at the same time to trust one's memory? For memorizing hundreds of long passwords? Don't think so...

shepherdjerred4y ago

Distrusting password managers does not implicitly trust your own memory.

There are alternatives to programmatic password managers or human memory, e.g. a paper notebook and a safe. That's not an approach I would personally take, but I imagine it's a reasonable option for someone who sees the potential danger of trusting any program for sensitive data.

awelxtrOP4y ago

> There’s also the possibility of mismanaging your password database and losing all of your data.

The alternatives are same password everywhere or keeping a paper around with the passwords written in plain text. Both are equally disastrous (unless you work at home and don't ever get robbed)

gokdisjtrdcvv54y ago

I would say having it written is more secure. If you hide it in a good spot no robber is going to find it and even if they do you will almost certainly know you’ve been robbed so you can change the passwords. Not only that but I bet 99% of robbers wouldn’t have an effective plan to sell or use the passwords. Digital on the other hand has a significant chance to go undetected for a while and certainly know exactly what to do with them.

jjk1664y ago

Or finding a good mix between entropy and memorability so you can keep lots of strong passwords in your head, like the featured article discusses.

1 more reply

aeternum4y ago

Keeping a local database file secret is a pretty difficult task. You introduce a wider attack surface vs. a memory-based password.

bigiain4y ago

Keeping it secret isn't as critical as you make it sound.

KeePass is open source. You can review the crypto, or pay somebody competent to review the crypto, or trust that the project or some 3rd party has done so.

I wouldn't go out of my way to publish my KeePass file publicly, but any attacker who can break the 256 bit AES encryption, or brute-force/dictionary-attack it's key that's using Argon2 KDF with enough rounds to take 1 second per key transform on my laptop, is well into the "I stand no chance against state level actors specifically targeting me" category, and I'll just assume I've lost to them already. In the immortal words of James Mickens: "If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT." If ASIO/CSIS/GCHQ/GCSB/NSA want access to my accounts, it's unlikely having passwords that are only in my memory is going to make much difference to my personal outcome. If a driveby teenaged script kiddie hits a zero day on one of my devices and pops my KeePass file, I'm not even sure I'd bother changing the passwords.

I'm happy enough storing the KeePass file on my (encrypted) laptop hard drives. I'm OK with using iCloud to sync it to my phone. I'm fine with it being part of my regular TimeMachine backups to a pair of external usb (encrypted) drives, and for a copy of that usb drive backup to be synced to an encrypted S3 bucket.

j / k navigate · click thread line to collapse

0 comments

shepherdjerred4y ago

It’s completely valid to distrust password managers. No software is free from bugs, or accidentally exposing your passwords. It might take a lot of work, but it’s certainly possible.

There’s also the possibility of mismanaging your password database and losing all of your data.

witrak4y ago

> It’s completely valid to distrust password managers.

Is it, really? And at the same time to trust one's memory? For memorizing hundreds of long passwords? Don't think so...

shepherdjerred4y ago

Distrusting password managers does not implicitly trust your own memory.

awelxtrOP4y ago

> There’s also the possibility of mismanaging your password database and losing all of your data.

The alternatives are same password everywhere or keeping a paper around with the passwords written in plain text. Both are equally disastrous (unless you work at home and don't ever get robbed)

gokdisjtrdcvv54y ago

jjk1664y ago

Or finding a good mix between entropy and memorability so you can keep lots of strong passwords in your head, like the featured article discusses.

1 more reply

aeternum4y ago

Keeping a local database file secret is a pretty difficult task. You introduce a wider attack surface vs. a memory-based password.

bigiain4y ago

Keeping it secret isn't as critical as you make it sound.

KeePass is open source. You can review the crypto, or pay somebody competent to review the crypto, or trust that the project or some 3rd party has done so.

j / k navigate · click thread line to collapse