Comment

Comment on My new favourite password manager

Synnr@sopuli.xyz ⁨11⁩ ⁨months⁩ ago

Yup, I have been using KeePassXC locally since the first big LastPass breach. I thought “password manager company… they know encryption” and then kept some of the most important things stored in my vault including notes of Bitcoin seedphrases etc. Thought "even if they get hacked, they wouldn’t let anyone exfil the huge amount of data from the USER VAULT SERVER… thought “my passphrase is like 25-30 chats long, nobody will crack that”…

5 years after my last login and I find out the breach happened, user vaults were exfil’d, the encryption was absolute shit, and the notes weren’t even encrypted.

I don’t trust cloud companies to keep promises or know what they’re doing today. and anything self-hosted isnt Internet accessable unless it’s on dedicated hardware subnetted off and wouldn’t matter if it got hacked.

source

Sort:hotnew top

Appoxo@lemmy.dbzer0.com ⁨11⁩ ⁨months⁩ ago
Bitwarden for example does public reports and is pretty cheap at 10€ per year. But the base (free) offering is more than enough. The fee is only to have TOTP and a bit of encrypted cloud storage. bitwarden.com/help/is-bitwarden-audited/

source
- dan@upvote.au ⁨11⁩ ⁨months⁩ ago
  
  The fee is only to have TOTP and a bit of encrypted cloud storage.
  
  And to keep the company alive. It’s cheap enough that IMO it’s worth paying for if you get a lot of value from it, even if you don’t need the paid features.
  
  source
Quacksalber@sh.itjust.works ⁨11⁩ ⁨months⁩ ago
In theory at least, online services would be more safe than a locally decrypted vault. If your computer is compromised, the bad actors can pull your encrypted vault for an unlimited brute force attack. Of course, this can be mitigated by increasing the decryption time. However, if your vault is already decrypted, then bad actors can just pull all your password from your memory.

I, for one, am decrypting my vault once when I start my PC. In theory, if I were to use an online solution, bad actors wouldn’t be able to pull my vault from memory.

source
- Synnr@sopuli.xyz ⁨11⁩ ⁨months⁩ ago
  
  In theory, if I were to use an online solution, bad actors wouldn’t be able to pull my vault from memory.
  
  It’s the same issue once you login to your vault via browser extension. Even if they don’t store your vault password in memory, they either store the entire vault (unlikely for size reasons) or a more temporary key to access the vault. Local compromise is full compromise already.
  
  source