In 50 years time, who knows if any of these companies will be around. But I’m pretty sure that my grandchildren, should they want to, will be able to open a gpg encrypted gzipped file (with the passphrase I’ll leave them) containing my passwords in a csv file.
Given how I have experienced technology up until this point, my assumption is that everything I will create for work or for pleasure, is more or less ephemeral. It has certainly proven true for work.
As long as an open source (or at least open specification) exist, these files will remain being openable. ...or at least until curious minds are able to crack them!
Just like it's fairly easy for us to even run software from 50 years ago thanks to emulation. As long as your software run on a platform popular enough to have a good emulator. But for PDF and zip and jpeg reading software that will definitely be the case.
I.e, we will still be able to store and transfer sequences of bytes conforming to some specification (file format), and we will be able to attach names to those blobs in some namespace. The concept is too general to ever lose its usefulness.
There are a few key things I have learned in the third of a century that I've been working with data: Data lives longer than apps and longer than people. We will always need units of data that have their own life cycle and are reasonably self describing and self contained (i.e meaningful without resolving external references).
Everybody has a different idea of what long term means, but I think of it as millennia from now. The kind of time frame that the Long Now Foundation talks about.
It’s their No. 1 selling point.
> In 50 years time, who knows if any of these companies will be around
1Password has local clients. If you have the password, you should be able to unlock the vault locally.
I have installed the "1password-cli" package on my airgapped linux machine with no network access ('op --version' gives me 2.30.3).
If I run 'op vault list', it tells me I have to add an account. When I run 'op account add' it tries to connect to 1password's servers and won't let me proceed without internet.
I don't see how this "local client" is helping if all the auth infrastructure goes through their servers.
Is it possible to export as a file, take that with you on whatever medium (eg. USB key, CD-ROM, future isolinear chip), put it on a brand new PC you built from scratch and never connected to the internet, and open it in some kind of standalone viewer?
Originally it was an app with no remote component. The vault was yours to look after. Most people kept it in Dropbox to make it accessible anywhere. The vault itself actually had an html file in it that you could open in a pinch that was able to decrypt secrets (only for reading, from memory).
1Password as a service came later.
Dropbox came later and security minded folks were wary. Honestly, I trust 1Password sync more than an encrypted db on a general purpose cloud file sync, but maybe that’s naive.
Super contrived, but you could probably just copy the sqlite dbs of your vault it creates locally to another PC along with the 1Password installer and it might let you sign in with just your master key.
It's truly local first and will work fine in an airgapped situation.
It's also designed to be self-hostable[2], is open source [3] and the API is well documented[4].
[1] https://saveoursecrets.com/ [2] https://saveoursecrets.com/docs/cli/self-hosting/ [3] https://github.com/saveoursecrets/sdk [4] https://docs.rs/sos-sdk/latest/sos_sdk/
Passwords, even ssh keys and passkeys, are little pieces of plain text. If you think needing a specialised sdk or cli to retrieve plain text is a good software architecture, I think we see the world quite differently.
We clearly see things differently but I think using computers to make our lives easier is worthwhile and storing/managing our secrets securely, effectively and conveniently is better managed by software than some ad-hoc setup.
Nitpick, passkeys are not text, they are binary blobs.
Because I feel pretty confident that gpg will still be around (though hopefully long deprecated), that gzipped files would still be able to be opened, and everyone would still be able to open a csv file. Without any specialised software, sdk or whatnot.
If this scenario doesn’t concern you, that’s fine, 20 years ago it wouldn’t have been my concern either. But the older I’ve become, the more I think about this stuff.
Pick the formats your storing and handle security at the container. This might be an encrypted system that is copied and updated over decades or a physical storage safe or box.
Curious, how is Excel encryption? That may be a more approachable format than CSV GPG, and though technically the CSV GPG is more simpler, it may be less familiar to users in 100 years. Excel will still be around ;)
They apparently use AES-128. Not quite the level of Bitwarden, which uses hashing (argon2 or PBKDF2) and AES-CBC-256 simultaneously.
technical possibilities aside, do you presume your grandchildren will be technically apt?
I am pretty sure 99% of people would halt at 'gpg' , and that's now -- not 60 years from now.
I know reading the docs is considered uncool for some reason, but it really does work.
The AI model will be of certified provenance and run on attested hardware [0] so this won't be as much of a security issue as you might expect. Naturally the various three letter agencies will have full hardware access including query history.
Periodically, hardware zero days will drop and all hell will break loose.
Alright that's enough speculative dystopian fiction for me for today.
First result with simple command. I went from KeePassXC to `pass` & back to KeePassXC. But I question the integrity and/or motive of people like you.
Don't take security advice from an AI.
In fact, if you consider the impact fully, the best way of managing passwords still seems to be writing them down on a post-it note and keeping it in your wallet - hell, even sticking it to your screen doesn't look so bad these days, compared to alternatives.
Modern infosecurity is absurdly counter-intuitive at high level. Consider that your Google account or your WhatsApp (or Signal) chats are much more secured than your medical data or bank accounts or anything that predates Google. For anything in the real world, there is always a recovery procedure, no matter how much bad luck you had or how badly you screwed up. In the worst case, you might end up needing to chase some documents to authorize or notarize other documents, or show up in court, but you can get your access back. It's insane to imagine the world, in which a single fuckup could wipe out your medical history, your bank account, or any proof of your existence in government systems - and yet, this is exactly what is the case with any modern SaaS that follows "best security practices".
There's literally nothing else in this world that's so easy to mishandle as security in commercial software services.
It's kinda ludicrous to think we'll lose the ability for something so simple.
Sorry, but I already have to google each time I want to figure out how to open various file formats.
"Google, what ffmpeg flags do I use to convert this .flv file to .mp4", "what are the flags to losetup or kpartx to mount 'disk.img' as a loopback device?", "how do I extract an '.ab' backup from 'adb backup'?"
These are all things I googled before llm.
LLM entities have bills to pay too.
Please do not mock gpg.
I have been using gpg for 25 years now (and PGP before that). It works. It encrypts. It decrypts.
It is in vogue to mock gpg on HN and recommend more modern solutions. As an experiment, I tried adding one of those modern tools (rage) to my ansible configurations, just so that they get regularly installed and maintained on my servers (without actually being used). The setup broke within less a year.
Are the modern tools more cryptographically secure? Undoubtedly. Does it matter in practice for me? Not at all.
Longevity is a big deal and is under-appreciated.
Filippo nailed it with this piece: https://words.filippo.io/giving-up-on-long-term-pgp/
My kids? I really am not so sure at all. Still too early to tell for sure but so far I don't think any will be as technically savvy as I am. I really doubt they'd know what GPG (or PGP) are and how to use it.
Technically I think I could drop the trigger if the desktop app would open by making a temporary file copy and syncing back (ironically Keepass2Android is very good at this).
https://www.f-droid.org/packages/com.kunzisoft.keepass.libre...
Though the tooling isn’t great – I’ll probably switch to Vaultwarden sometime this year.
I’d strongly prefer an open source and selfhostable option, but each time I’ve evaluated Bitwarden in the past, it was a big enough downgrade from 1Password that I didn’t think switching was a good option.
If the experience ever becomes as seamless, I’ll be switching.
That is particularly true for anything dealing with security. I evaluated both BitWarden and 1Password when we wanted to migrate away from LastPass. My recommendation was to eventually go with BW. Its open-source nature was a factor, but for a corporate use the UX factors were even more prominent.
Over a course of a month, I ran into several subtle footguns with 1P. Search included only some of the fields. Password reset/rotation flow was easy to mess up (thanks to the confusing + inconsistent "copy field" functionality) and get into a situation where the generated password that was stored in the vault was different from the one that was set: in my tests there was 50/50 chance of accidentally regenerating the password before the vault storage step after submitting the new one for a remote service.
There were a whole load of "features" that didn't make any sense. The UI for 1P was a real mess. The feeling I got from it was that their product had been captured by Product Managers[tm] desperate to justify their own existence by shipping ever more Features[tm] without considering the impact on the core functionality.
BW's UI is by no means perfect, and their entry editing flow is far from ideal. But at least most of the actual usability snags in their browser extension have a common workaround: pop the BW overlay out from the browser, into a separate window. Their open-source nature and availability of independent implementations mean that there will be alternatives, should BW go down the same features-features-and-more-antifeatures hellhole in their race to eventually appease their VC backers.
Less is more.
Sounds like our experience with it could not be more different.
> The UI for 1P was a real mess.
In what way? You described how you feel about the UI, but I’m curious about actual specifics.
It’s entirely possible that I’m just too accustomed to it because I’ve been using it for many years, but what you’re describing is how I felt about Bitwarden.
I can completely see choosing BW in a corporate setting for a host of other reasons. But for me personally, the priority is a tool that gets out of my way and just works.
The tool that has done that is 1P.
> Less is more.
That really depends. If less means that the password manager doesn’t get used, then less is less.
I check BW every so often but it always feels less polished UI wise. For all the complaints people had about 1P moving to electron, it’s UX is still the best out there.
Why would someone make a feature like this?
I'm confused why some companies (including Amazon and Steam) insist on family features. The mental model behind this is more prescriptive than descriptive - it doesn't match to how users and their families function; rather, it insists on some activities to a) exist in family, and b) be not allowed outside of family.
Or simply: how many people have actual family listed in their Steam / Amazon "family sharing"?
I use family sharing with actual family for my Steam account and all video streaming services. Am I weird? The reason is because streaming services allow sharing under a single paid account, and my wife & kids don’t want to pay for separate accounts, and don’t want to have to authenticate separately on shared devices (TVs, game consoles, iPads, etc). Steam family sharing works across different Steam accounts, and sharing a single account doesn’t work, so Steam isn’t particularly relevant to the discussion of family sharing of passwords. Steaming accounts, on the other hand, all assume they’re being used by a whole family, and the main reason is because of shared devices; the family TV itself logged in. So, they all offer profiles under a single account. Netflix clarifies that family sharing means the people in a single household, maybe others are similar.
We use password family sharing as well. My wife and I share bank and credit card accounts. My wife needs my accounts sometimes to do certain things — you might be surprised how many banks do not offer joint accounts and still treat wives as second class citizens. We share the Netflix & Amazon accounts with the kids so they can use them. I pay for a 1Password family account and share it with my aging father who’s been losing passwords. These things are all pretty useful for me.
I guess you’re making me wonder why someone wouldn’t make a family sharing feature, when it solves real problems and users are asking for it?
But yeah, it's a content and positioning call for the product and marketing teams to make.
Bitwarden doesn’t have families per se, it’s got “organisations”. You can setup unlimited number of organisations and users can get invited and join them. Which is very handy for example my wife and I can login and order our groceries from the supermarket using the same account. Or that we can both login and use our electricity company’s web portal which only allows one account per household. All without needing to send each other passwords and updated passwords back and forth.
For what it’s worth Bitwarden doesn’t use that term, they call it Organisation. Personally I feel like ‘Group’ is actually the better term.
[1]: https://berthub.eu/articles/posts/you-can-no-longer-base-you...
I was a Protonmail founding member. I used and evangelised them for years until I realised that they are more interested in chasing the next shiny thing (hey we have a crypto wallet now!) instead of fixing longstanding bugs and performance issues in their mail client.
As for hosted outside the US, I’m pretty sure the vaultvarden instance running under my desk is also hosted outside the US (unless I’ve somehow been magically transported to the US). Plus, I get to physically lock the door when I leave the house and my cat usually sleeps on top of the sever which adds a level of furry protection which proton pass could never achieve
After having used Bitwarden for more than 4 years, I only switched last week, so I'm still in the honeymoon phase. But it has everything I used in Bitwarden and more, most notably all the usability features that I was missing in Bitwarden.
Lastpass had one job and failed it. Unforgivable that they knew their users' master passwords are not secure enough, but chose not to be vocal or proactive about it.
If you're using Lastpass right now, move to more trustworthy options like 1Password, Bitwarden or Keepass. Do it today. And change all passwords, that are meaningful to you.
https://www.courtlistener.com/docket/66607916/debt-cleanse-g...
You'd have to go study the case, but it's a class action case, so it'll hurt if they lose (and even if they don't). The court appears to be consolidating cases into this one, because LastPass has been sued in federal court 15 times so far:
https://www.courtlistener.com/?q=lastpass%20AND%20(caseName%...
I love it because Strongbox also has its own cloud feature (optional) that is just a hosted KeePass DB which makes it easy to have a shared DB with my partner.
The only downside for me: there isn’t a universal search that searches all DBs for credentials. So if you are in a browser and trying to autofill, you need to select the DB you want it to populate from.
Yeah that's when I left 1P after having bought hundreds of dollars of licenses for myself and my family (for multiple OS).
The other big thing was self hosting the vault. You used to be able to sync the vault with Dropbox and access it from a browser but at some point Dropbox killed public folders. It would have cost 1P pennies to store the vaults of paying customers in S3 buckets. Instead they decided to use that as leverage to force people into subscriptions.
Very happy with Bitwarden now.
The rich entry types from 1P and LP are nearly all converted to Notes in Bitwarden. Great product otherwise.
Their whole raison d'etre is protecting your passwords. If they start selling people out, their business implodes.
They also keep adding thoughtful tweaks and new features. A couple years back I thought I'd give it a few years and then hop from 1Password to Bitwarden. But Bitwarden's UI and UX is still subpar (doesn't even support drag 'n drop..)*. All Bitwarden does is invest in enterprise features, which mean jack for the average user.
*dragging items from one vault to another, not a hugely important feature but Bitwarden has a thousand of these kind of paper cuts compared to 1Password
What should Apple have done? Defy the government's order? Shut down entirely? They're already fighting it in court.
The new features released since I bought version 6 has me more than satisfied.
Also using a password manager is one of the most effective things you can do to protect yourself and paying a few bucks a month seems like a steal.
That creates distrust in me, so I swapped to BitWarden and haven't looked back.
So the way that I understand 1Password to work is that the decryption key is split in two: the user's single password + a secret key. You need both to decrypt the vault. The secret key is, again according to my understanding, generated randomly and is like 128bits? Once 1Password generates it and sends it to you (maybe they don't even send it and it is generated locally, I don't know), they never see it again. Thus, even if your vault were stolen, the thieves would need to crack your password (very likely not that secure) but also the 128 bit secret key so you would have a minimum of 128bit security which seems fine?
What's different about LastPass? Were the secret keys stolen somehow too? Were the targets of the stolen vaults then hit with further attacks to extract the secret keys? Does LastPass not use a similar structure as 1Password? Or am I actually not as safe as I thought using 1Password?
[1] https://palant.info/2022/12/28/lastpass-breach-the-significa... [2] https://support.lastpass.com/s/document-item?language=en_US&...
See a vault with just a facebook.com and google.com login? Skip it. See a vault with coinbase and 10 other crypto sites in it? Spend a few thousand trying to crack it.
Source: https://github.com/cfbao/lastpass-vault-parser/wiki/LastPass...
There's a tourist experiencing this scenario probably every minute.
How you choose to safeguard it depends on your preferences and your "threat level".
For example, you can keep it in a bank vault or print multiple copies to store it under your pillow, taking a picture, or save it in your email, etc.
But what's also hard to believe is that people storing millions of dollars of "collectables" would not change their passwords on at least a yearly basis.
I know that password rotation for its own sake is no longer best practice, but in this case it still seems quite prudent. No?
And I don't know how we get back to a simple state; Let's say you're a family of three with shared services and accounts:
Keeping everything under Keepass means handling the file sync between all the devices and OSes, with potentially your credentials flying through third party sync services, thus negating most of the advantages of Keepass.
Moving to something like a self-hosted Bitwarden instance should be the way, but then one member of the family becomes a dedicated lifetime sysop making sure that instance is secure while being accessible anytime from everywhere.
If everyone has only apple devices (iphones + macbooks), then you can use a shared iCloud sync'd folder.
Except that doesn't actually work because the majority of iOS apps are incapable of using a shared iCloud folder correctly (including apple's notes app, most of apple's apps) because apple tries to hide the filesystem so much, that even saving a file into a folder is basically impossible for most apps.
That also doesn't work if anyone uses linux or windows because apple refuses to play nice with other ecosystems.
If everyone _doesn't_ use iOS devices, there are dozens of solutions that work well, from a shared google drive folder, to syncthing, but if even one person uses an iOS device, then suddenly none of the shared folders work, because apple has made it so creating a shared folder on iOS is bad for iCloud, but even worse for any third party app (be it google drive, syncthing, an FTP based solution, etc etc).
I guess what I'm saying is that apple tried to kill the filesystem, and in doing so has made it so the very idea of just sharing a folder of files securely seems like a per-app luxury.
Instead you need a shared photo album for photos, a shared notes folder for notes, a shared "apple invites invite" for a calendar event, etc etc. Apple has a lot to pay for, and a hatred for folders that has caused the entire industry to move away from simple secure app-independent sharing is one of them.
Instead, we have a jumble of apps being forced to implement their own sharing concepts poorly and often insecurely.
The trio mostly succeeded, which is a big part of why modern computing sucks so badly, and is more confusing for non-tech people than what came before, rather than less.
The whole point of a password manager is to be reliable when shit hits the fan. If my phone dies I want every changes to be available to the other synced devices, especially when it has been away from home for a while (losing newly created accounts or passwords during a trip is just miserable)
My phone doesn't have my main password safe. I don't trust that thing. If a stupid app decides to log me out, I can't login until I'm back home. I never created an account "on the go", but I had to do a password reset once. I will use a standard password until I'm back and change it to a randomly created one. I can't even login to my bank without a special token device. I don't have that with me either.
A different life is possible. That's all I'm saying.
I'm in a area where my phone might suddenly outlive my house, so we have very different life choices indeed.
It went down the drain when I switched to android and the kid to a Chromebook.
This is the proverbial strategy tax working out, where the strong ecosystem play is biting us hard enough. Moving to Windows+WSL actually made my life easier, even as the other member still have some Apple devices.
I have used Keepass since before lastpass existed and sync with multiple machines/locations via syncthing (originally synced with rsync)
That being said, not an approach useful for all and a good mental model and sharing system with redundant copies on flash media / live systems/ mobile devices can be an effective strategy.
Use case: 10+ year keepass user, never lost a credential or had one compromised that affected more than one account due to breach. Thank you Keepass devs!
Well, worst case is your account with Google, which you can kiss goodbye.
But as we all know, that’s security. If the account recovery is the weakest link, it gets attacked.
In the real world, there's always a recovery procedure. It might involve visiting a court or some local administrative offices, but you can always recover access to anything that's important.
Not so with Google, or other on-line services that came from the tech industry side. Cybersecurity "best practices" is basically giving you a razor blade, and kicking you out if you hurt yourself with it.
Some other targets: everyone’s PII, info on friends, family, pets, answers to security questions, mobile IDs, PIN numbers, account numbers, signatures, photos, fingerprints, voice patterns, facial and retinal scans, gaits, DNA, mitochondrial RNA.
Right. Randomizing passwords doesn’t require centralization.
"Use random high entropy passwords for each account"
good
"Store them encrypted"
great
"In a computer publicly available on the internet"
wat
"Under an account that also handles your 2fa tokens"
c'mon now!
https://www.forbes.com/sites/daveywinder/2023/12/11/android-...
https://www.zdnet.com/article/hackers-stole-this-engineers-1...
The point is if they even have access to my encrypted data, they wouldn't be able to access the plaintext without the key (and yes the passphrase is not sufficient).
This is just lazy scaremongering.
LastPass e2ee was never the problem in the original story either.
Of those links you posted, two of them could've equally affected a password manager that was local. All password managers can be subverted by external threats whether using cloud storage or not.
My point is, properly implemented E2EE (hopefully vetted by cryptographers) is marginally different to a password manager using local storage. Sure having it cloud hosted can affect more than one user, but attacking the ciphertext data would be infeasible.
If insufficiently protected, any attack surface may be compromised. It’s just a matter of time, resources, and will.
“The only winning move is not to play.”
It also feels like there's a convenience tradeoff with a lot of solutions. I could keep a physical binder full of passwords in my home office but that would be a pain to look up and enter things every time (and a big risk for anyone with physical access to my place).
Ensure all your passwords get reset at some point after vaulting, long randomly generated from Bitwarden extension/app is easy enough. Ensure you enable strong 2FA at each service you have an account at too.
https://bitwarden.com/help/setup-two-step-login/ https://bitwarden.com/resources/guide-how-to-create-and-stor...
Keepass DB cloud synced, but the passkey file I use in conjunction with a p/w to open it never leaves the machine(s) it's on. Also, key file needs Admin rights to read, so KP is run privileged, which also protects its process memory space from user-land snooping.
* If 1 to N password(s) leak the pattern may be obvious leading to your other accounts being compromised
* Not all sites have the same password “rules” so there is no algorithm that works for all passwords without you being aware of the rules of the given site. Rules that only you only (may) have access to at signup time.
* Typing passwords out manually sucks (slow and error prone)
1) only matters if you're a very high value target who is being manually target. Doesn't apply to 99.999% of people, who only need to worry about credential stuffing and brute force.
2) Similarly, it's not hard to come up with an algorithm that satisfies 99.9% of websites.
3) To a lot of people, managing a password manager sucks.
I personally do use a password manager and automatically generated passwords, but also understand that for many people it's the better option.
Dedicated 2FA on a hardware device seems pretty resilient, I hope more banks incorporate it instead of SMS 2FA. Hosting vaultwarden also seems pretty good because it’s unlikely for you to be targeted, but requires selfhost maintenance.
## The password-management promise
> I don't buy the promise behind 1Password or LastPass.
> You only need to remember one password. The last password you'd need to remember.
> They don't tell you that you're also building a one-stop shop for hackers to steal it all at once.
> The solution?
> Store hints, not passwords.
> Don't reuse passwords. Use algorithmic passwords instead.
> Use passkeys and security keys.
https://sketch.nono.ma/the-password-management-promise
---
I've always preferred 1Password and Bitwarden to LastPass.
I still prefer to encrypt sensitive data and "secure notes" with custom workflows (GPG keys, for instance) instead of relying on third parties, and even more when the data would be store in the cloud, in a centralized location.
I can't imagine the nightmare of having all your secrets exposed, not just for the risk of it but for having to reset all your exposed accounts.
(+1 to GPG encryption.)
So even if they know my 1password username and password they still can't really do anything with it. And if they steal my device, they would need to know my login password. Or cut off a finger, I guess, but I've got bigger issues if that happens.
They don't all work this way, but 1Password seems to be by far the best and most secure option, and IMO the convenience of an online password vault simply outweighs the tiny risk with a proper vault like 1password.
No idea why anyone has stayed with LastPass after the fiasco a couple years ago though.
Don’t have to hack crypto to steal all the crypto.
The PvP nature is continual demand
The victims did not practice proper key management. The victims got hacked because of their own insecure key management, not because of any vulnerability in Bitcoin.
To claim otherwise is like claiming that because people can steal improperly secured code signing or TLS certificate private keys, all code signing and TLS certificates are inherently, fundamentally, and automatically broken, which is really just a fundamental misunderstanding of cryptography 101.
Worldwide final clearance is a feature not a bug.
Yes and that bug is a risk I weigh when using those money transfer mechanisms
When it fits my risk profile I engage in that transaction
Not hard
Not a matter for an industry regulator or state
Just pure market choice
"On August 15, 2010, an anonymous hacker exploited a critical vulnerability in Bitcoin, allowing them to generate 184.467 billion Bitcoin."
To the moon.
Still grateful HN has enough crypto rationalists to push back on pyramid scheme noise.
Crypto could be useful — let’s build crypto apps with customer value.
Right now the customers are morally ambiguous nation states and criminals laundering money into real estate and back into fiat currency. Hold the bag.
> Reached for comment, LastPass said it has seen no definitive proof — from federal investigators or others — that the cyberheists in question were linked to the LastPass breaches. “Since we initially disclosed this incident back in 2022, LastPass has worked in close cooperation with multiple representatives from law enforcement,” LastPass said in a written statement. “To date, our law enforcement partners have not made us aware of any conclusive evidence that connects any crypto thefts to our incident. In the meantime, we have been investing heavily in enhancing our security measures and will continue to do so.”
So, there's slightly less than conclusive evidence, and how much evidence should you need anyway, given the alternative hypotheses?
Accept the responsibility and declare bankruptcy? No, if they care s little bit, they would have done that 10+years ago
So despite the messaging from LastPass about improving iteration count for existing users it wasn't always accurate.
[1] https://news.ycombinator.com/item?id=34152779
[2] https://www.reddit.com/r/Lastpass/comments/zuve7t/cracking_e...
https://soatok.blog/2023/01/21/how-you-respond-to-security-r...
Ok, Im not sure "1Password," qualifies as a single world. Oh yeah, 1Password.
PAKE has been around for about 25 years, and PassKey just works!
It’s 2025, and we have things like PassKey that connects to hardware devices with a challenge response rather than clear text passwords being sent to a website you THINK is the one you’re talking to.
https://www.cybersecuritydive.com/news/lastpass-ceo-reflects...
This was my gut response to password vaults when they were first implemented. I still find the idea of password vaults spooky.
Open source ones scare me because it seems easy to slip a compromised library. The XZ debacle can't be the only time that's been tried.
All of them scare me because a bad browser extension or a more minor hack, like a trojan, could likely compromise all passwords.
Games on steam sometimes have some ridiculously privileged anti-cheat software, run by who knows what company, some of which offer direct RCE, in a process that already looks into other processes memory.
Virus scanners routinely analyze every single file on a computer and maybe memory too.
It just seems so... possible.
I've never been hacked, never been locked out of any accounts.
I'm getting tired of being proven right about everything over and over after being downvoted. It's a very common pattern for me.
How long does it take you to enter several keys of 16+ length for a few sites you might to access? A password manager can autofill, retrieve and input keys, provide an OTP in a few seconds.
Where would you store your emergency codes and other secret-like artifacts?
It just seems impractical for a person, let alone edge cases like sharing, or usability concerns like working with secrets frequently throughout the day.
>I've never been hacked, never been locked out of any accounts.
Due to the strength of your system, general digital hygiene, or simple odds? If we're getting really contrived, how do you maintain confidence your heuristic can't be guessed from X plaintexts obtained from breached sites (highly common)? That's kind of like rolling your crypto, isn't it? -- doing it correctly is beyond almost all of us.
I hate having to log into my password manager first before I can log into the service... And I don't like having to adhere to the whims of the password manager about things like changing my password every 6 months or using certain characters... It's really none of their business to determine what level of security is appropriate for me when trying to access my Instagram account which I barely care about anyway. I'm not some billionaire with teams of hackers trying to crack into my account 24/7.
I hate it when I can't use certain passwords because the password manager thinks it should contain certain characters which I simply won't remember.
I hate when trying to log into LastPass with my master password and I can't remember my password and have to try like 10 permutations to find the one in the format that it forced me to use last time that it forced me to change my password.
I hate getting locked out of LastPass and having to go through its 'Forgot my password' flow only to find out that the password for my email account which receives the email password reset link is also controlled by LastPass... And it's only by the grace of god that I had not trusted LastPass to generate my email password for me and I was able to guess it and didn't end up fully locked out of all my services which I need for my work.
That last experience was so scary, I actually wrote down my LastPass master password on a piece of paper and put it in my desk drawers so that I would not forget it. I know this is insecure but that sort of risk profile is aligned with my current non-billionaire status. Somehow, I don't think North Korea is going to send spies to my house to peak into my desk drawers to break into my work accounts...
Also how is remembering a master password any different to remembering a secret heuristic.
In other words, no matter of how well 1Password handles the storing of your master password (encrypted/decentralized or what not), the fact that it does is inherently less secure than something that doesn't store anything at all, such as the case with a secret heuristic.
> In other words, no matter of how well 1Password handles the storing of your master password (encrypted/decentralized or what not), the fact that it does is inherently less secure than something that doesn't store anything at all, such as the case with a secret heuristic.
When I say 1P stores your master password encrypted, it usually does it as an item in the vault. You can easily remove it from the vault and therefore doesn't store it anymore, and you can have the same security as your secret heuristic. Storing it in your vault is of negligible concern.
If your master password is not stored anywhere, there is no way for 1P to know what your master password is - and so no way to validate what the correct password is to access your vault. Even if 1P doesn't store the master password on local disk, their servers, on a hard device, encrypted, unencrypted, or does it completely algorithmically or whatever... it is in fact stored somewhere outside your brain, and therefore more hackable than something that isn't stored anywhere other than your brain.
Given a sample set of passwords derived from a secret heuristic, it could be reversed. The secret heuristic isn't completely safe either. Moreover because it lives in your brain the algorithm is inherently low entropy and the resulting passwords will be as well. Furthermore the old adage applies, don’t roll your own crypto.
> Given a sample set of passwords derived from a secret heuristic, it could be reversed. The secret heuristic isn't completely safe either.
Sure but this isn't the argument being made. As an analogy, not using any E2E is inherently less secure than using some E2E encryption, but using E2E encryption doesn't automatically mean you're more secure. Simply put, you had asked "What's the difference between a master password and a secret heuristic?" And that difference is a master password (or ways to generate it) must be stored outside your brain, and doing this is inherently less secure than not doing this.
To give you a concrete example, 1Password doesn't guarantee you from say, being compromised by a keylogger, and someone stealing your master password (never mind the key which is in fact stored). A secret heuristic doesn't necessarily face such risks. Sure that doesn't automatically mean a secret heuristic guarantees you better security, but that's not the argument.
But the keylogger or malware argument is a lazy one tbh, not only does it affect your secret heuristic as any input password is affected, basically no software can be guaranteed to be safe from malware or keylogger except maybe that running in something like a Secure Enclave or if your OS supports secure entry on certain fields (1P on Mac does this). If you’re in that position you got bigger things to worry about anyway.
But anyways it all depends on implementation as I said. 1P also supports passkey unlock eradicating the need for the master password (secret key stays), so you can still have the security you desire, particularly if you use a FIDO2 security key like a yubikey.