undefined | Better HN

0 pointswhereismyacc2y ago0 comments

Wouldn't transferring the keys around just massively increase the attack surface? There's a security reason why we want them stored on-device and never moved, right?

0 comments

shepherdjerred2y ago

Think of all of the password leaks you've heard of. How many were due to syncing password vs password reuse, poor site security (e.g. storing in plaintext, weak encryption, etc.)

I'm not saying syncing is 100% secure (nothing is), but for most people it's not the main attack surface to be concerned about.

bradley132y ago

The KeepassXC file is encrypted (granted, only with a password). Sure, that file is now on multiple devices, so somewhat more vulnerable.

The problem with storing on-device comes when you use multiple devices. I have three devices (PC, laptop and phone) that I use regularly and interchangeably. What am I supposed to do, if the keys are tied to a single device? Worse, what do I do if that device dies, or is stolen?

j / k navigate · click thread line to collapse

0 comments

shepherdjerred2y ago

Think of all of the password leaks you've heard of. How many were due to syncing password vs password reuse, poor site security (e.g. storing in plaintext, weak encryption, etc.)

I'm not saying syncing is 100% secure (nothing is), but for most people it's not the main attack surface to be concerned about.

bradley132y ago

The KeepassXC file is encrypted (granted, only with a password). Sure, that file is now on multiple devices, so somewhat more vulnerable.

j / k navigate · click thread line to collapse