This is a most excellent place for technology news and articles.
Many providers promise absolute security
This struck me as wrong, because that would be a technically impossible and liability-inviting thing to promise.
And after checking the homepages of the 3 services they tested, yep, none of them promise “absolute security.”
I use local for important stuff (financial) and online ones for things that are not to important.
Would having a synced Keepass database with a composite key protect against this?
When I made my database I created a composite key file that never goes online. I locally copy it to any device that needs to access the database. The idea was even if the password got compromised you can't access the database without the key file
What if you have a house fire and lose all devices with the key
What if there's a nuclear war end the house gets vaporized?
To protect against this scenario I have this small portable computer that I keep in my pocket. They're quite popular these days.
i really wasnt expecting a password manager related tech fearmongering on lemmy today
Don't store your stuff in the cloud unless you don't mind someone else accessing it.
If you store things in the cloud that you don't want other people to access, you better be encrypting it yourself and only opening it locally.
This has been a cardinal rule since day 1.
I don't want people to access my files but I wouldn't really care if they did. I don't understand people who keep things like compromising photos of themselves online, who's benefit is that for, and why do you need quick access to your nudies?
“We want our work to help bring about change in this industry,” says Paterson. “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”
Great.
Now which password vault was the most cooperative and clear in their security communication and which one wasnt?
The author said that they have given the providers time to fix the issues. Now highlight the ones that did it the best.... >_>
They did gove some advice. They said to go with a vendor that is transparent about problems and reveals the results of their third party security audits. I’m sure if you read between the lines it means they likely reviewed several vendors and chose to spend their time attacking ones that are opaque about their security stance and used outdated encryption or bad implementations of E2E encryption. So all three are likely suspect. Like if 1Password were developed similarly to LastPass wouldn’t they have spent time attacking it?
Edit: https://support.1password.com/security-assessments/
1Password are posting the results of their external pen testing now.
About 1password publishing their pentesting results. Why put it behind a 'give me your email address' wall?
That alone is enough for me to instantly disregard them as an option.
Bitwarden did so too.
But IMO your assumption is a bit of interpreting bad/malicious faith into it.
I see it more like they are the more publicly known brands/services that do this and underwent the audit.
I have read the TLDR by the authors (linked a few times in the comments) and the answer by bitwarden.
Bitwarden said the, fixed the issue, are in the progress of doing it or are accepting it as "this is intended/a trade-off".
What is a bit sad is that they had more vulnerabilities than other vendors. But I trust them more as they are mostly OSS.
With pretty much every major company being hacked at some point, credit card companies being hacked, everyone selling our details and data, doge and palantir. Feels like post it notes under the keyboard isn’t that bad of an idea.
If someone breaks into my house to read them I have big problems already.
You have no idea how many times I’ve made that exact statement.
Let's start a club
Post its have their problems but at least they can’t be read half a globe away
That's why mine is a physical book.
Really depends on your threat model whether this is a good idea. If cops raiding your home is part of it, a physical book might not be your best bet.
If you're at the point where that's a possibility that you need to defend against then you probably already have better security than using a password manager.
I use one of the password managers mentioned in the article, purely for the convenience of apps on all my devices, syncing and complex individual passwords. Should I be looking to move to self hosting something instead? Would my host (likely a synology Nas or raspberry pi) not then have the same risks?
I self host via vault warden. And I have it locked behind tailscale vpn. Aside from your server itself getting hacked, which is a risk, this is more secure than having passwords on the public internet.
I host a pi hole via diet pi already, vault warden is packaged for diet pi already, project for the weekend!
Love the raspis, just make sure the passwords are not stored on the sd card because those fail all the time hah.
Good shout! Easy to mount a folder from my Nas on it though
Security through layers. The flaws found here are about compromised server, so hosting your own server is a good first step. Next step is making the server only accessible via your own VPN. And of course hardening the server.
I believe Proton Pass does not have the design flaws shown in the article. For instance, if you lose your password, you lose your data. Your data is encrypted and decrypted on your device.
This is what all the listed password manager claim.
What was done here was tricking the client through the server to do things. So the fixes went into the client application.
I'm slowly moving over to my own manager, I'm still struggling to get it to all work properly on all my devices though.
Use a offline password manager. Problem solved.
Solves the security issue. Destroys the accessibility part
Just use Syncthing with your trusted host
I just sync it using my Nextcloud instance. No issues.
I use an offline password manager, and sync an encrypted database with nextcloud. It's convenient enough, and secure enough for me. Easy to sync between my phone, desktop, and laptop. And I only need to remember two passwords, the nextcloud one, and the manager one. I don't think you can have it more secure and convenient all the same, at least not with current tech.
Bitwarden with a vaultwarden docker container on my home server. Access over a VPS.
Many will argue that they need the convenience of an online password manager not knowing that what you stated is the safest form
I pitty the fool that stores anything important on ~~the cloud~~ somebody elses computer.
