undefined | Better HN

0 pointsmgsouth3y ago0 comments

The database is encrypted when at rest; i.e., no plaintext is stored on Dropbox. Assuming your master password is decent, you could plaster the database on a billboard and it would be safe. LastPass, on the other hand, encrypts some information (the actual passwords). The URLs and other sensitive information is stored in plaintext in the cloud. [Final edit. I swear.] As you note, as long as the entire blob is encrypted it doesn't really matter how it's replicated; BitWarden's one-stop-shopping can certainly be more convienent.

0 comments

lolinder3y ago

But that is the same claim that Bitwarden and 1Password make. Both insist that they don't ever see your master password, which means that your vault security depends entirely on it being good enough. And both encrypt everything.

Assuming that I trust Bitwarden not to lie about their security model, what do I gain by piecing together multiple tools to accomplish the same thing?

mgsouthOP3y ago

(Sorry, I turned around and made an edit, but not before you replied.) KeePass encrypts the entire database, all fields, as one giant blob. LastPass stores URLs and other fields as plaintext; these too can contain critically sensitive information. [Edit: (See I flagged it)] As far as know it wasn't LastPass's client that was compromised--it was their servers/data store.

lolinder3y ago

Haha, the edits got very confusing but I think we're now on the same page.

dzikimarian3y ago

Their software does see your master password. It may process it locally, it may not. If it's run in web client inside browser, that may change at any second. This may happen due to attack, their mistake, their dependency vulnerability or plain lie on their part. Fundamentally you need to trust them.

In case of keepass and independent sync(doesn't have to be Dropbox), software that sees master password doesn't need access to the internet. Can be even airgapped if you are extra paranoid.

So to sum it up: keepass + sync is better, because there's no single party that is even able to screw up you to the point of leaking your passwords. "Impossible to fail" is better than "they are doing their best, pinkie promise".

Also - why pay recurring fee for yet another cloud storage, when I just need plain encryption software.

1 more reply

j / k navigate · click thread line to collapse

0 comments

lolinder3y ago

Assuming that I trust Bitwarden not to lie about their security model, what do I gain by piecing together multiple tools to accomplish the same thing?

mgsouthOP3y ago

lolinder3y ago

Haha, the edits got very confusing but I think we're now on the same page.

dzikimarian3y ago

In case of keepass and independent sync(doesn't have to be Dropbox), software that sees master password doesn't need access to the internet. Can be even airgapped if you are extra paranoid.

Also - why pay recurring fee for yet another cloud storage, when I just need plain encryption software.

1 more reply

j / k navigate · click thread line to collapse