More than $35 million has been stolen from over 150 victims since December — ‘nearly every victim’ was a LastPass user::Security experts believe some of the LastPass password vaults stolen during a security breach last year have now been cracked open following a string of cryptocurrency heists
Any obvious holes in keeping a text file on my laptop that I encrypt when not using it? Using ccrypt on linux.
I do not want my passwords - even encrypted - on the cloud or at the mercy of a 3rd party in any fashion.
Use KeePass.
My concern with using a text file is you have to defrost it to use it and whenever it’s not encrypted it’s potentially exposed. You are also vulnerable to keyloggers or clipboard captures
KeePass works entirely locally, no cloud. And it’s far more secure/functional than a text file.
I personally use KeePass, secured with a master password + YubiKey.
Then I sync the database between devices using SyncThing over a Tailscale network.
KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it’s protected.
You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it’s useless without the combined password/hardware key.
Is there a recovery process if your yubikey breaks?
There is no recovery if you have a single hardware token in use only. But that’s a structional issue with your concept.
Instead, it is recommended to have two (or more) identical Hardware Tokens to replace one that dies.
It is also smart to keep the seeds for things like 2fa in some secure backup with schizophrenic paranoia proof Security measures.
Man am I glad that I picked KeypassXC as my password manager some years ago. Super safe, easy to use, costs nothing, not dependant on internet/cloud, can export data to another app at any time, transparent because open source.
I’m using Syncthing to synchronize across devices which arguably took some fiddling to set up but I only had to fiddle once and haven’t touched the configuration since; it just works automagically in the background.
Keepassxc and syncthing? Are you a clone of myself? :D
Same setup, working as a charm
It’s a pretty common setup to be clear, easy setup, works like a charm.
Just keep in mind that it’s not a backup solution, my Homeserver does that for me.
I use KeepPass, what’s the difference?
Nothing major as far as I can tell. Here’s an overview via SuperUser. KeePassXC might be a better option for some use cases if you’re mostly not on Windows as it does not require .NET. Note that “KeePassXC does not support plugins at the moment and probably never will”, but it does have built-in support for some things you might want a plugin for in KeePass2.
.net is cross platform and has been for a while
They say that but I can’t help but feel it sucks on Linux. Especially their GUI Apps.
That’s an average of over 200k each. I’m wondering how they managed to target people with so much money.
People with less might just not complain loudly
All that promotion/awards tagging as best password manager for nothing. Glad I picked up KeyPassXC and KeyPassDX and sync between my phone and PC with gdrive
At first I was confused about why this was being downvoted, but then I noticed the “gdrive”. You’re using a different cloud to avoid this specific cloud.
Not really a problem until aes-256 is broken, especially with an extra pass file and/or hardware Tokens.
But yeah that’s suboptimal
Bitwarden or keepass ftw
There’s no such thing as an impenetrable password manager. I keep my most secure passwords in my head, and so should everyone.
Even if the software were perfect, people aren’t. Anyone can be fooled under the right circumstances. It’s better to expose one service than all of them at once.
Your head cannot be securely backed up, and you are not resistant to major thread actors (torture, and so on)
instead of using a password manager managed by a PRIVATE ENTITY people should start using bitwarden … its opensource, free and much more secure and reliable
I prefer local password managers. Synchronisation is achieved with a syncing service of our choice.