by bishala on 9/8/19, 6:56 AM with 192 comments
by kennu on 9/8/19, 2:48 PM
I realize all this requires a great deal of trust in the maker of 1Password having done things right and currently I have that trust. This may change in the future of course.
by spondyl on 9/8/19, 8:55 AM
I never really understood how it "syncs" but it's just git! Push and pull to update on every device. I use a private repo since site names are still metadata. You could put the whole directory tree in a tomb as well but that extension is only supported on mac or something.
Pass is the one thing that seems fairly universal I think and it's all just text files which makes things really nice. No worrying about will it work on mobile or if the browser extension is useless without an application.
For example, 1Password X is a standalone extension so you could use it on Linux while Dashlane requires the desktop application running on the host. The connection works but isn't always reliable when running non-natively, i.e. under WINE.
As for security, they're all fairly well audited I think? RememBear and 1Password both have external audits they pass, and provide remediation plans for any findings. Probably the same with Lastpass. Personally, I don't really think about it that much so I don't have a good answer. You can interpret that as me trusting providers but I have no real idea. I mainly just focus on the usability hah
by sdan on 9/8/19, 8:34 AM
I moved from Lastpass to pass (https://www.passwordstore.org/). It's by far the best decision I've made in a long time (I've moved a lot of services over to my servers and self host pretty much everything).
I use Mac, but it works on any machine to my knowledge and the great thing is:
1. Use your keys, so ONLY YOU can decrypt it (gpg keys)
2. Has Chrome/Firefox extensions that automatically fill out passwords
3. Can upload the encrypted passwords to git to use on other machines (presumably)
4. Dead simple to use (go on terminal and generate random passwords, bunch of other goodies)
5. As said previously, it's all on your machine, no one else having access.
by nickjj on 9/8/19, 10:23 AM
I just use https://www.passwordstore.org/ and it works great (I have 300+ passwords stored for years). It's a local command line driven password manager and it's pretty great for developer based workflows because you can save multi-line strings which makes it perfect for saving API keys and other sensitive stuff, along with the password you used to sign up to the site.
It's also smart enough to copy the first line of a multi-line entry to your clipboard, so you can access your passwords to login on a site within a few seconds. Especially since you can navigate your entries on the command line with auto complete.
It also leans on GPG encryption instead of trying to invent its own security mechanism.
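The entry layout nickjj describes (first line is the password, the rest is free text such as usernames, API keys or notes) is simple enough to parse in a few lines. The parser below is an added example and not part of pass or any browser extension; the `key: value` convention for the lines after the password is an assumption borrowed from how some pass-compatible extensions read entries, and the sample entry is constructed.

```python
import re
from typing import NamedTuple

# Matches "key: value" lines such as "username: alice" or "url: https://...".
# Keys with spaces (e.g. "Recovery codes:") deliberately do not match and are kept as notes.
FIELD_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


class Entry(NamedTuple):
    password: str          # first line, the part a client copies to the clipboard
    fields: dict           # "key: value" lines after the password (assumed convention)
    notes: list            # any other non-empty lines


def parse_entry(text: str) -> Entry:
    """Parse a decrypted pass-style entry: first line password, free text below."""
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("entry has no password on its first line")
    fields, notes = {}, []
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
        elif line.strip():
            notes.append(line.rstrip())
    return Entry(lines[0], fields, notes)


def clipboard_text(text: str) -> str:
    """What a 'copy first line' client would put on the clipboard."""
    return parse_entry(text).password


# Constructed sample entry (not a real credential).
SAMPLE_ENTRY = """correct horse battery staple
username: alice@example.com
url: https://example.com/login
api-key: sk_live_PLACEHOLDER
Recovery codes:
1111-2222
3333-4444
"""

if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    print("password:", e.password)
    print("fields:", e.fields)
    print("notes:", e.notes)
```

Because only the first line is treated as the secret to copy, everything else in the file (and the file itself, once decrypted) stays out of the clipboard, which is the behaviour the comment above relies on.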
by dancek on 9/8/19, 1:46 PM
1. My browser vendor can access my browser passwords anyway.
2. It's better to trust fewer vendors and pieces of software.
3. Copying passwords to clipboard is awfully insecure.
4. Trying to remember all passwords is also awfully insecure.
I do not save any money-related passwords. I do dream of switching to pass from time to time.
by the8472 on 9/8/19, 10:29 AM
If both were provided by the same vendor then security motivations would not align. E.g. the vendor could reason that it's ok to do server-side encryption instead of client-side for whatever reasons. Or they could capture your master keys and decrypt old backups long after you have deleted things when compelled by a secret court order.
Separating storage and software means the software developer should consider the storage provider as potentially hostile and design the password manager accordingly.
Additionally a separate solution also increases data mobility. You can use your home server instead of cloud providers, you can move vendors instead of being locked into a single ecosystem.
That said, storing your key files offline is still another layer of security that has to be breached, storing it publicly accessible means you are only as safe as your hashed password.
Another concern, unrelated to the cloud aspect, is browser integration for password managers. It's something one should avoid since the browser extensions closely interface with the websites. It increases the risk that a bug in the extension allows a site to trick them into revealing the wrong secrets in an automated fashion.
by probably_wrong on 9/8/19, 9:03 AM
For other people, such as family members: I totally recommend it. It is way better than whatever password reuse they are doing now, and the chances of a breach are low enough.
My point being: I think they are overall better than not using anything, but if you have the knowledge and diligence to keep an offline encrypted file (and its backup!) up to date, then I would suggest doing that instead.
by kapep on 9/8/19, 9:24 AM
I have a KeePass file and use Syncthing to share it across all my devices. The keyfile is not synced and I manually send it to any new device. Syncthing works well and most KeePass clients can nicely merge two KeePass databases in case of conflicts. Firefox integration with Kee.pm is really convenient.
For me this works really well. It was easy to set up and in my opinion it is very much worth it if you want to avoid third-party hosting.
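Two points from the comments above fit together: the8472's rule that the storage provider should be treated as hostile, and kapep's setup where the database is synced but the keyfile is delivered out of band. The script below is an added illustration of that architecture in Python's standard library, not KeePass's actual file format or KDF: the master password and the keyfile are combined into one scrypt-derived key, the vault is encrypted and authenticated before it ever touches storage, and whoever holds only the synced blob (even with the master password) cannot decrypt it without the keyfile. The HMAC-in-counter-mode keystream plus encrypt-then-MAC is used only because the standard library has no AEAD cipher; a real tool would use AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import json
import os

MAGIC = b"VAULT1"          # constructed format tag for this example
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, keyfile: bytes, salt: bytes):
    """Composite key: both the memorised password and the unsynced keyfile contribute."""
    ikm = hashlib.sha256(master_password.encode()).digest() + hashlib.sha256(keyfile).digest()
    k = hashlib.scrypt(ikm, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return k[:32], k[32:]  # separate encryption and MAC keys


def _keystream(key: bytes, nonce: bytes, length: bytes):
    """PRF (HMAC-SHA256) in counter mode; illustration only, not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries: dict, master_password: str, keyfile: bytes) -> bytes:
    """Client-side encryption: the returned blob is all the sync service ever sees."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, keyfile, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_vault(blob: bytes, master_password: str, keyfile: bytes) -> dict:
    """Verify the tag first (wrong password, wrong keyfile or tampering all fail here)."""
    min_len = len(MAGIC) + SALT_LEN + NONCE_LEN + TAG_LEN
    if not blob.startswith(MAGIC) or len(blob) < min_len:
        raise ValueError("not a vault blob")
    off = len(MAGIC)
    salt = blob[off:off + SALT_LEN]
    nonce = blob[off + SALT_LEN:off + SALT_LEN + NONCE_LEN]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, keyfile, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password/keyfile or modified blob")
    ciphertext = body[off + SALT_LEN + NONCE_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# Constructed sample data; the keyfile would live only on trusted devices.
SAMPLE_ENTRIES = {"example.com": {"user": "alice", "password": "hunter2-PLACEHOLDER"}}
SAMPLE_KEYFILE = b"\x01\x02\x03\x04" * 8
SAMPLE_MASTER = "correct horse battery staple"

if __name__ == "__main__":
    blob = encrypt_vault(SAMPLE_ENTRIES, SAMPLE_MASTER, SAMPLE_KEYFILE)
    print(len(blob), "bytes of ciphertext would be handed to the sync service")
    print(decrypt_vault(blob, SAMPLE_MASTER, SAMPLE_KEYFILE))
```

The shape of the failure matters as much as the success path: a stolen blob, a wrong keyfile and a tampered blob all surface as the same authentication error before any plaintext is produced, which is the property that lets the storage layer be untrusted.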
by lukasm on 9/8/19, 10:03 AM
The final password is 12-16 random characters for LastPass + 3 chars Nonce that I generate from the service name (in my head) and a short 5 character password.
If LastPass leaks the secrets no one is able to take over the accounts easily.
For services that don't matter much I just store the whole password in LastPass.
by tejado on 9/8/19, 9:26 AM
Due to this, I keep all of my passwords offline, as far as possible. For mobility and comfort reasons, I developed Authorizer (https://github.com/tejado/Authorizer):
"A Password Manager for Android with Auto-Type over USB and Bluetooth, OTP and much more.
The idea behind Authorizer is to use old smartphones as a hardware password manager only. To avoid manual typing of long and complex passwords every time you need them, Authorizer provides Auto-Type features over USB and Bluetooth. It pretends to be a keyboard (e.g. over a USB On-The-Go adapter) and with a button press inside the app, it will automatically type the password for you on your PC, laptop, tablet or other smartphone."
by franga2000 on 9/8/19, 10:30 AM
The only way I can see someone getting to my passwords is by getting malicious code into the browser extension and/or mobile app. That means the only viable attacks are through Mozilla and Google, who I already have to trust for my browser and mobile OS.
by acd on 9/8/19, 2:33 PM
Lastpass has had an intrusion in the past (2015) and is closed source.
Site below has a list of some security incidents related to password managers. https://password-managers.bestreviews.net/faq/which-password...
A secure password manager would need to have the decryption keys offline, client side, safe from central attacks.
by Twisell on 9/8/19, 10:07 AM
I mean as far as I already trust their OS nothing can really protect me from being spied on by them if they are ill intentioned, so as long as they are serious and patch their security flaws in a timely manner I can live with that. Besides, it comes as a free plan if you don't need more than 5GB of iCloud storage.
I'd figure using an external password manager just adds another third party I need to trust, and the fact that 1Password offers a browser app interface (on top of native) doesn't reassure me in any way.
Of course if I'd ever need to reassess my threat model because I can't trust Apple anymore, I will quit iCloud service at the same time as their OS and go full FOSS.
by lmedinas on 9/8/19, 8:47 AM
I prefer to store a KeePass encrypted DB on Dropbox than going for 1Password cloud.
Plus KeePass is open source...
by salex89 on 9/8/19, 2:31 PM
Just because of the LastPass experience I'm not sure whether I would try something else.
by jen729w on 9/8/19, 8:44 AM
At work I’ll see people — the security team, usually — taking some already-encrypted thing and re-hardening it to the nth degree. I think that’s stupid. If you don’t trust your encryption, don’t bother using it. If you do trust it, stop there. It’s maths. It’s proven.
I feel the same about 1Password. I trust that they encrypt my stuff with trusted encryption. That’s it.
by CM30 on 9/8/19, 10:54 AM
Additionally, I also believe that:
1. I should have access to all my passwords without a working or stable internet connection
2. And that I should leave as few ways for social media/cancel culture pressure to affect my life as possible.
Hence offline systems like KeePass work fine for me. I can trust they're not providing backdoors, I don't have to worry about a third party server getting hacked, they're accessible offline and if I end up in a controversy, my enemies can't do anything to get my account suspended or terminated.
by jchw on 9/8/19, 3:44 PM
And of course, Keepass XC is always a very formidable password manager.
by kalleboo on 9/8/19, 11:19 AM
by VvR-Ox on 9/8/19, 11:06 AM
We all know how just after some years all encryption can be rendered useless by some technical advancement or mathematical breakthrough (potentially).
In my opinion you are far better off with some device (mooltipass, yubikey) that holds your credentials because you have physical control over it and the chances your encrypted passwords are stolen are much lower than going with the cloud option.
This isn't about being paranoid but about minimizing the risk of one's credentials being exposed/compromised.
We trust entities far too much for my taste and next to credentials I also don't feel comfortable with private pictures and videos of/with me being uploaded to some cloud.
1. Something could go wrong during transport (poor SSL/TLS, compromised devices in between (MITM) & weak crypto)
2. Something could go wrong on the company's side (failure to implement crypto properly, usage of weak crypto, bad server security)
3. Most encryption can be broken and it probably will be broken. This isn't about the fear of quantum computing but plain logic. Crypto often relies on some mathematical assumption that states that no one can break something in a realistic amount of time (e.g. discrete logarithms) which is rendered useless by superior equipment/power to calculate. Then there are implementation details which are too complex (or the people who implement it just don't take enough care) to be executed in the correct (=secure) way, easily.
This is a problem we can see on many waypoints in these scenarios and this fact for itself increases the risk of being compromised in a scale I'll always try to weigh in and to minimize.
by jedimastert on 9/8/19, 3:08 PM
It's my opinion that you end up having to trust someone, and having a password manager that I can arbitrarily make new identities with secure passwords automagically outweighs the small (imo) chance that the password manager is untrustworthy.
by marc3842h on 9/8/19, 9:09 AM
by pmontra on 9/8/19, 10:31 AM
by pndy on 9/8/19, 10:38 AM
I'm not a fan of cloud storage that much anyway - not after Dropbox invited C. Rice to the board of directors. [1]
[1]- https://en.wikipedia.org/wiki/Criticism_of_Dropbox#April_201...
by alkonaut on 9/8/19, 9:30 AM
It’s the same with backups. I can’t be trusted with my own data. I’d rather let someone else keep.
by sys_64738 on 9/8/19, 3:04 PM
by JohnBerea on 9/8/19, 5:37 PM
by mongol on 9/8/19, 8:55 AM
Passwords are too important to evaluate a manager on convenience primarily. I think it is a little strange that banks do not work to get in this area. You trust your bank or else you would not keep your money there. I know too little about the main password manager companies to know if they are trustworthy.
I guess this is too small a domain for banks but I think it would be interesting to see what happened if they moved into it.
by katzeilla on 9/8/19, 11:47 AM
The biggest issue for me is transparency and complexity, most of them are just as "blackbox" as any other service.
I am using KeePassX with git + gpg on my own server for extra encryption and sync; this solution is simple and future-proof.
I might switch to my own script in future, dir + txt + git + gpg should be enough.
Need a random password? cat /dev/urandom | base64 | head -n 1 | cut -c1-64
Grouping? Just different directories.
Please also remember, there is no cloud, just other people's computers.
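The one-liner above works, but it is worth seeing the same job done with a CSPRNG API and with the resulting strength made explicit. The function below is an added example, not the commenter's script: it draws each character with the `secrets` module (the right source for credentials in Python), lets the caller choose the alphabet, and reports the entropy so a 64-character base64-style password can be compared with, say, a shorter one over a larger alphabet.

```python
import math
import secrets
import string

# Alphabets. BASE64_ALPHABET is what "base64 | cut" yields (64 symbols, 6 bits each);
# FULL_ALPHABET adds punctuation for sites that accept it.
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 64, alphabet: str = BASE64_ALPHABET) -> str:
    """Uniformly random password from `alphabet` using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    # secrets.choice is unbiased; avoid random.choice, which is seeded for reproducibility.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str) -> float:
    """Information content in bits of a uniformly chosen password of this shape."""
    return length * math.log2(len(set(alphabet)))


def uses_only(password: str, alphabet: str) -> bool:
    """Sanity check that a generated value stayed inside the intended alphabet."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw), BASE64_ALPHABET):.0f} bits)")
    pw2 = generate_password(20, FULL_ALPHABET)
    print(pw2, f"({entropy_bits(len(pw2), FULL_ALPHABET):.1f} bits)")
```

Running it shows the trade-off behind the shell pipeline: 64 base64 characters carry 384 bits, far more than any attacker can search, while 20 characters from the full printable set still give about 131 bits, so length is what to keep when a site's rules force a smaller alphabet.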
by benologist on 9/8/19, 3:07 PM
by alpaca128 on 9/8/19, 10:01 AM
Keepass does everything I need and supports all platforms I use. Sync isn't comparable but then again I don't register new accounts or change passwords every single day, so this is an area where sync features beyond what I get with syncthing are pretty irrelevant to me.
by ggm on 9/8/19, 7:24 AM
I used to use rsync (bittorrent-sync) to keep my own hosts up to date against each other. This was painful to manage so I accepted the bitwarden cloud model.
The risks are there, for sure. If you doubt the crypto behind your keystore, where it is should worry you little because how insecure it is should not be about where it is: it's about how it's shrouded, and how what is shrouded can be revealed.
My belief in the shroud protecting my secrets is my belief in their ability to code to the spec. It wasn't founded in my use of a private filestore to back the keystore, although I did, and I prefer private files, to private cloud files, to cloud files hosted by some intermediary, to public cloud.
Bitwarden is a private cloud file, hosted by some intermediary. The risk here is twofold: the intermediary is broken and its persisting filestore is readable, and bitwarden is broken and its interior private view becomes visible.
My best belief is that no part of my interactions depend on bitwarden knowing the interior state of my keys, they only handle shrouded data, and either I run apps which decode locally, or I run javascript which decodes locally, but I do not expect or believe any transit of the un-shrouded state of my data routinely has to flow through their hands. And the persistence of that belief is because they say the limits to how they can help recover my keystore, if I lose critical information. If they are truthful here, they cannot help me if I lose the escrow passphrase, because nothing they hold is the decrypt of my shroud. I have to give permission to de-shroud their side, the protecting key. It's otherwise only used locally to me. (If somebody breaks the .js code, then the filestore being in the cloud is irrelevant.)
1Password made the same kinds of commitment to me. As do LastPass and a number of other people. They all have to be comparable in this regard because it's the fundamental business model.
At one stage, there was some leakage in the model for some keystores. The file names unnecessarily encoded revealing parts of the URLs they related to. I think that's changed now. It was scary. I had assumed everything was shrouded, it turned out for some period of time, only passwords and identity inside the URL had been fully protected. They changed that. I think it was 1password, it might have been lastpass. It wasn't bitwarden because I moved to them earlier this year and that was 2-3 years ago or more.
If I have misunderstood and sometimes my data is visible to them in clear, on their machines, I'd love to know.
by cygned on 9/8/19, 9:15 AM
The reason I went with the cloud sync is that I have to share secrets over multiple companies with all kinds of people and 1Password is simply the best compromise of convenience and security I found.
by geofft on 9/8/19, 9:30 PM
1. All my important stuff has two-factor auth, so a malicious password manager company couldn't get in anyway.
2. If you're using one of the major vendors with a reputation and a paid service, that produces a fairly strong incentive for them to not be intentionally malicious - if they were caught distributing an update that made it possible for the companies to see your passwords, nobody would ever use them.
(All the major password managers do client-side encryption; they don't store plaintext passwords themselves. They do distribute the client that lets you decrypt passwords, but that's it.)
So that leaves accidental risk (bad crypto, hijacked update chain, client-side vulnerabilities). Out of the options, I'm comfortable with the track record of 1Password in particular.
I'm very interested in open-source options, but the major ones are all proprietary and the open-source ones are all volunteer-driven and I think the risk tradeoff is wrong. It's not a decision I feel 100% comfortable about but between the options of proprietary-but-professionally-maintained and open-source-but-hobbyist-maintained the former seems vaguely preferable for security-sensitive software, especially given that one of my requirements is I want to use a password manager extension.
Shameless plug, I have a personal digital security podcast and we took a look at various password managers and their security track records recently: https://looseleafsecurity.com/episodes/password-manager-secu...
by zmix on 9/8/19, 6:30 PM
Passwords are those little peckers, that make everyday's life with a computer uncomfortable. So it would make a lot of sense to sync them between all the machines I use. But it's never going to happen, that I store my passwords on your computer!
You must rip them out of my dead, cold hands!
Locally, I use KeePass and KeePassX on Windows, Android and Linux and Keychain on macOS.
by LocalMan on 9/8/19, 12:30 PM
I haven't done an organized comparison of password managers.
by Quequau on 9/8/19, 10:45 AM
I use KeePass, well now I guess it's KeePassXC, and I keep up with my onsite backups. There have been way, way more problems with 3rd party and cloud based services than I've had with my private system.
I've survived a couple of hardware failures, a few problems I created myself, and effortlessly migrated from Windows to MacOS to Linux in the meantime.
by sharcerer on 9/8/19, 6:20 PM
Also, the 1password support guy was super super super nice to me. Well, the Bitwarden support guy/gal (I don't remember that one) was nice too.
Speaking of trust, I mean that's quite complicated, right? No matter what justification I give, there is some risk and a lot of technicalities which I am not aware of.
by moeffju on 9/8/19, 12:55 PM
by Normal_gaussian on 9/8/19, 10:56 AM
I have personally read through keepassxc source - haven't read the Android client. I have syncthing on my todo list.
by m-p-3 on 9/8/19, 11:26 PM
by taurath on 9/8/19, 8:58 AM
by bestouff on 9/8/19, 9:00 AM
by vemv on 9/8/19, 10:11 AM
Key design: encryption/decryption happens locally, using standard open-source tools such as GnuPG. The cloud provider cannot _possibly_, ever know your actual contents - they only store them so you can't get locked out (which is a very real risk with `pass`; safeguarding our underlying private keys is currently completely left up to us).
Also, a convenience layer could be offered on top of GnuPG; that should be open source, distributed as a non-binary and paid via honor system (also one can pay just for the mentioned hosting).
by kevin_nisbet on 9/8/19, 3:39 PM
For company use, I do use online password managers (1password), as they generally offer a good UX experience for less technical users, and there isn't strong rationale to believe companies focussed on password storage/transfer have bad practices in place. I also place some of my passwords in these password managers, generally passwords that don't do high amounts of damage if compromised.
Totally given the choice for a technical team, as many others have pointed to, I like pass or gopass as a team password mechanism, synchronizing passwords over git which is encrypted locally.
I'm pretty sure my reluctance or hesitation around cloud password managers stems from: it's hard to know who to trust. Companies pretty much universally have poor practices, missing controls, and will misrepresent or be susceptible to internal dogma about how good the tools and practices are. Allowing online sync of passwords increases the surface area, more things have to be perfect to prevent a compromise than non-online systems.
The really difficult part though, is it doesn't mean the cloud based manager is actually less secure than a more traditional app, a decent amount of the surface area of both applications intersect. Think of things like a compromise of the build server, unless you're running the app totally isolated from the internet, both online and offline apps can get compromised in the same way, and pick your favourite offline app may have higher risk than pick your favourite cloud app based on internal controls that aren't talked about.
So with this in mind, for me it comes down to making a choice of trust on very imperfect information, only really with the public history of a vendor and how they present themselves externally. So given that imperfect information, I tend to place a higher weight on solutions with less surface area, there are less pieces for the vendor to get perfect to protect the system. And even with online password managers, I never install the browser autofill extensions, again to limit surface area.
That said, with password handling the choice of password manager and how it operates is also likely a smaller concern. As in most companies have bad password rotation practices when say an employee quits, or their laptop is compromised, etc. It would be cool to see a standard protocol for a password manager to be able to go in and rotate passwords automagically, and continue to see progress towards SSO and U2F/FIDO2 security keys universal adoption.
by davuinci on 9/8/19, 9:43 AM
Additionally, using an open-source password manager that you can audit alleviates any further paranoid concerns you may have. If you also worry about the cloud provider suffering a severe outage then you can always keep offline backups. Assuming that you have the expertise and time you can implement a solution yourself but it always depends on your threat model and your level of paranoia.
by Xelbair on 9/9/19, 7:46 AM
Plus it is a huge registry of metadata - any site that I store a password for gives them knowledge that I do use that site.
I tried a few local solutions - sadly for my use case they both need to work in a shared way (some passwords are used by multiple colleagues at work for example, as they are company wide accounts for external sites that do not support individual accounts), and they do need to work on windows in a non cumbersome way.
by scraft on 9/8/19, 2:26 PM
Prior to doing this (requirement for my job) I didn't have any particular set up, so in comparison this feels really good.
Main grumble is I don't pay for Dropbox so have a device limit, so end up just downloading database onto extra devices which mostly works but sometimes requires redownloading to get latest and potentially uploading to Dropbox if I have created a new password. Maybe I will pay for Dropbox sometime (as let's face it, it is useful beyond this case).
by bbulkow on 9/8/19, 5:29 PM
I would be interested in hearing how many passwords / accounts people have. I am well above 100, I think in the 200 range, so the idea that I could have different passwords, and remember them, is just silly. Password management has to happen, and the best way I can think is to store a majority in a very well encrypted file.
I do memorize a few key accounts.
by dmarlow on 9/8/19, 2:31 PM
I don't mean to hijack the thread, but allow me to ask what you guys use within your company, if anything. Do you use a cloud solution, something self-hosted, or nothing?
by rmk2 on 9/8/19, 9:07 AM
by nytesky on 9/8/19, 3:16 PM
I have considered encrypted notes for low security passwords, but find the sort and too easily editing function of notes not great for copying and pasting.
I want to use iCloud KeyChain, but I like having a desktop client to manage passwords — but I found it I created a password set on macOS it wouldn’t appear in iOS keychain — anyone know why?
by msravi on 9/8/19, 11:46 AM
So the passwords in pass itself are protected by gpg. The Google instance is protected using ssh. Amazon drive is protected using 2-factor auth.
No single cloud provider can get at the passwords, but the password database is backed up at multiple locations.
by lucb1e on 9/8/19, 3:50 PM
I would generally trust them to want to do the right thing, but software vulnerabilities or crypto bugs (weak IV initialization or so) are reasons to not do this. Unlikely, but the impact is large. But the chance (and impact) of losing all your passwords is even larger.
by Thorrez on 9/8/19, 8:51 AM
by rsync on 9/8/19, 5:27 PM
by audente on 9/8/19, 9:37 PM
I trust them.
by gshdg on 9/8/19, 12:30 PM
by beamatronic on 9/8/19, 2:41 PM
by pteraspidomorph on 9/8/19, 9:09 AM
That said, I use my own remote storage (not cloud) with keepass's sftp plugin.
by Hoasi on 9/8/19, 9:42 AM
by tdurden on 9/8/19, 9:47 PM
by k_vi on 9/8/19, 2:12 PM
My current setup:
On non-critical services(social media etc.) or websites with U2F, I reuse passwords.
For everything else, I use Purse[0] with Yubikey.
by Jeaye on 9/8/19, 5:43 PM
1. I don't trust my mobile device
2. I don't like the odds of it being stolen or lost
3. I don't need the constant distractions anyway
by faebi on 9/8/19, 9:38 AM
by Const-me on 9/8/19, 3:15 PM
by JohnFen on 9/8/19, 7:56 PM
by WesternTelepwn on 9/10/19, 3:45 PM
by z3t4 on 9/8/19, 4:38 PM
by orev on 9/8/19, 4:57 PM
I use Codebook which provides phone and desktop apps, and allows database syncing over LAN. It’s the best solution that gives you both ease of use and syncing.
by banjar on 9/10/19, 12:31 PM
by babo on 9/8/19, 9:33 AM
by xupybd on 9/9/19, 4:18 AM
by saint_abroad on 9/8/19, 9:03 AM
by ishanjain28 on 9/8/19, 11:08 AM
by Havoc on 9/8/19, 9:48 AM
by kfrzcode on 9/8/19, 5:22 PM
by zacky777 on 9/10/19, 9:21 AM
by derpherpsson on 9/8/19, 8:21 AM
by nytesky on 9/8/19, 3:35 PM
by avl999 on 9/11/19, 9:21 AM
by bishala on 9/9/19, 2:05 PM
by hungryroark on 9/8/19, 4:48 PM
by diminoten on 9/8/19, 5:04 PM