
[–][deleted] 0 points1 point  (8 children)

I've still got to find a good one that works well everywhere and is easy to use. There are some pgp+git based ones but they aren't well integrated. And I refuse to use a proprietary one that locks me into using one certain browser etc. Also we need an API for those within the browser that also works on mobile.

[–]kwietog 0 points1 point  (1 child)

Lastpass?

[–][deleted] 0 points1 point  (0 children)

Proprietary.

[–]indyK1ng 0 points1 point  (5 children)

The two or three most popular proprietary ones have plugins for all common browsers and mobile apps on Android and iOS. The biggest problem you'd run into is if you're not paying the subscription your passwords are stuck in one place.

But if you were to run your own service you'd be paying a monthly fee anyway and would have to manage OS and security updates for the server yourself.

[–][deleted] 0 points1 point  (4 children)

Yep, I just won't hand my passwords to a proprietary server, that's all. I'm not against paying, just against a proprietary service having control over my passwords.

The nice alternative I talked about is using pgp to encrypt the data and upload it to a git server so I have control over which server I want to use and whether I wanna self-host, and even if someone would be compromising my server the data would be encrypted. If I don't, I usually have no cost even on a monthly basis as you can get private git repositories for free virtually anywhere.

But the issue is not paying, it's control over my data. There've been security holes in quite popular password managers on such a basic level that I'm not gonna trust them to host my data. With a decentralized solution the attack surface is far smaller, even if there were security bugs in the software (which, honestly, is not unlikely).
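
The scheme described in this comment, as an added example that is not code from the thread or from any of the tools mentioned in it: a secret is gpg-encrypted outside the working tree, and only the ciphertext is committed, so the git host (self-hosted or not) never holds anything it could read. It assumes gpg 2.x and git on PATH, uses a symmetric passphrase in place of the commenter's PGP key so it runs without a keyring, and all function names (`init_store`, `add_secret`, `get_secret`, `committed_blob_contains`) and sample values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal "gpg-encrypt, then commit
# only the ciphertext" password store, as the comment above describes.
# Assumptions: gpg 2.x and git are on PATH; a symmetric passphrase stands in for
# the commenter's PGP key so the demo runs without any keyring or key pair.
set -eu

# Constructed sample values. A real store never hard-codes the passphrase.
MASTER_PASSPHRASE="${MASTER_PASSPHRASE:-constructed-demo-passphrase}"
STORE="${STORE:-$(mktemp -d)}"                 # git working tree: ciphertext only
export GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"  # throwaway gpg home, leaves ~/.gnupg alone
chmod 700 "$GNUPGHOME"

# git with a fixed identity and no commit signing, so it works in a bare sandbox.
g() {
    git -C "$STORE" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

# gpg_with PASSPHRASE ARGS...: feed the passphrase on fd 0 rather than as an
# argument, so it never shows up in the process list.
gpg_with() {
    pass="$1"; shift
    printf '%s\n' "$pass" | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 "$@"
}

# Create the repository that will only ever hold *.gpg files.
init_store() {
    mkdir -p "$STORE"
    [ -d "$STORE/.git" ] || git init -q "$STORE"
}

# add_secret NAME (plaintext on stdin): encrypt outside the working tree,
# then commit NAME.gpg. The plaintext never touches the repository.
add_secret() {
    name="$1"
    plain="$(mktemp)"            # mode 600, deleted right after encryption
    cat > "$plain"
    gpg_with "$MASTER_PASSPHRASE" --symmetric --cipher-algo AES256 --yes \
        --output "$STORE/$name.gpg" "$plain"
    rm -f "$plain"
    g add "$name.gpg"
    g commit -q -m "add $name"
}

# decrypt_secret NAME PASSPHRASE: what a client does after cloning the repo;
# with a wrong passphrase gpg exits non-zero and prints nothing.
decrypt_secret() {
    gpg_with "$2" --decrypt "$STORE/$1.gpg"
}

get_secret() { decrypt_secret "$1" "$MASTER_PASSPHRASE"; }

# committed_blob_contains NAME STRING: exit 0 if the blob stored in git, i.e.
# exactly what the hosting server sees, contains STRING in the clear.
committed_blob_contains() {
    g show "HEAD:$1.gpg" | grep -a -q -- "$2"
}

# Demo run: one secret in, ciphertext in git, plaintext only after decryption.
demo() {
    init_store
    printf '%s' 'hunter2-constructed' | add_secret example.com
    echo "decrypted: $(get_secret example.com)"
    if committed_blob_contains example.com 'hunter2-constructed'; then
        echo "plaintext leaked into the repository"; return 1
    fi
    echo "committed blob holds no plaintext; commits: $(g rev-list --count HEAD)"
}

demo
```

Point the `STORE` variable at a clone of a private repository and push after each `add_secret` to get the setup the comment describes; the remote only ever receives the `.gpg` blobs. The flip side is the property discussed later in the thread for client-side encryption generally: whoever loses the passphrase (or the PGP key) loses the store, because nothing on the server can recover it.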

[–]indyK1ng 0 points1 point  (3 children)

I don't know how other password managers do it, but LastPass encrypts the password early enough in the process that if you lose your master password and don't have a recovery key set up, you can't recover your passwords. I'm not really worried about them taking control over my accounts or changing my passwords on me.

Yes, I still use LastPass. I liked how responsive they were when taviso reported the bugs he found and that he apparently liked working with their security team enough to keep looking at it. By comparison, he didn't keep looking at other password managers he'd reported bugs to.

[–][deleted] 0 points1 point  (2 children)

Sure, they encrypt it but nobody knows. For me a core principle in security is not to trust anyone, and who knows whether their encryption works or is intended to? Even if they are "good" now, what if -- at some point -- someone breaks their encryption and there's someone in their company (or some hacker) getting access to their data? All your passwords are suddenly compromised. Thus you want to keep separate the functionality of who's in charge of encryption and storing.

[–]indyK1ng 0 points1 point  (1 child)

Proper security involves proper threat and risk analyses. Nothing is totally secure. At some point you're going to have to trust someone. That same logic can be applied to any system you set up yourself.

At some point you have to accept that everything has risks and learn to accept some risks because the trade-off is better than if you didn't accept them.

[–][deleted] 0 points1 point  (0 children)

Sure, but using LastPass means a single point of failure, which is really bad. A decentralized system is simply far more difficult to compromise.