
I'm not recommending a PWmanager, period. I'm simply giving an example of how I manage my passwords manually with an emphasis on max protection, not trusting a third party. And no, I will not "just use a password manager" because it's in vogue. Sometimes a basic hammer is still the best tool to use to hit a nail.
KeepassXC is not hosted. You are not trusting a third party at all.
But the good hosted tools can't read your passwords by design. They are encrypted by your key and they can't decrypt them. Bitwarden for example does this and you can self host Vaultwarden and you aren't trusting them for sync.
The spreadsheet approach has a few negative tradeoffs and a few positive ones.
Mostly posting this for others following along.
There are also CLI local-only tools like pass that use gpg, and you don't have to decrypt ALL your passwords at once if that is a concern.
I do find it odd when bitcoiners (others I have encountered) trust encryption with their money, which is spread out across the Internet, but don't trust encryption with passwords. It's kinda odd to me.
To be honest, it comes from experience. Just about every third-party tool I've used that stored PWs online or had an online connection has been compromised or hacked. Maintaining control of my info myself hasn't failed in two decades. That's not to say it's perfect; it's not, as you pointed out. But that's because I manually engage. Personally, I think relying on tools blindly for protection is being lazy. I have no issue manually referring to my own encrypted database regularly and then, even if I have to copy, immediately copying something else or purging the temporary copy to block stuff sitting in my flash memory or browser memory and being grabbed via a script.
100 sats \ 0 replies \ @kepford 5 Dec
That's interesting. LastPass is the only (once good) service I've heard of being compromised. If it's done right the data at rest and transit should be safe even if publicly available. Which no one does.
There are crappy password managers but ones like Bitwarden have a big juicy target on them and haven't been compromised.
Whatever works for you, but most people are more likely to lose, expose, or reuse passwords without a good tool. Most people have crappy passwords they reuse. These people are easy prey. Most people are just fine using Bitwarden or 1Password.
21 sats \ 1 reply \ @Norbert 5 Dec
> I think relying on tools blindly for protection is being lazy.
Is that what using a password manager is, though? Just a dumb reliance on tools?
Personally I have carefully picked KeePassXC because it suits my situation. I know it in and out, and I have a sound backup regime for it. I'm not some confused cargo cultist who does strange things I don't understand because experts on the internet told me to – and I doubt many such people exist.
21 sats \ 0 replies \ @kepford 22h
> Is that what using a password manager is, though? Just a dumb reliance on tools?
It's not. Just using any password manager is dumb. They are not all the same. Open source matters. How tested and used it is matters. Its track record matters. It takes knowledge to evaluate any tool. The more complex the tool, the harder that is.
> I'm not some confused cargo cultist who does strange things I don't understand because experts on the internet told me to – and I doubt many such people exist.
They are a small minority. The majority don't use anything. They reuse bad passwords and get hacked when a site they use has a breach. They don't use 2FA. They need well-designed tools that don't require a ton of training to use. This attitude I sense is elitist and also poor security / UX.
I do wonder how this file is being encrypted as well. It is possible and not hard to encrypt a file, but most people have never heard of PGP, let alone use it.
I am not an encryption expert but I know enough to know the right questions to ask and who to listen to. Some of the tools mentioned have been tested by entire teams of security specialists.
I'm all for everyone doing whatever they want to do, but tools are good tools when they solve problems. Password managers that are well done do this.
There is a contrarian attitude that I battle in myself. There for sure are cargo cults in tech, but password managers are not a cargo cult.
The problems with password managers are adoption and crappy apps. Few people use them. And even fewer are equipped to pick a good one.
Hence passkeys being pushed, which are actually making it even more confusing for average people.