Objective: Secure & private password management, prevent anyone from stealing your passwords.
Option 1: Store Keepass PW file in personal cloud service like OneDrive/GoogleDrive/etc., download file, use KeepassXC to open
Option 2: Use ProtonPass or similar solution like Bitwarden
Option 3: Host a solution like Vaultwarden
Which would you choose? Are there more options? Assume a strong master password and strong technical skills
I use option 1 with Syncthing for a distributed cloud solution
Keepass + syncthing.
Don’t let your vault go unencrypted through the cloud.
Your vault is always encrypted very securely except when in RAM. There is no security concern with uploading it directly to the cloud.
It’s encrypted at rest with a passphrase. Syncthing encrypts it at transit with a random key.
There is a huge difference on the security of those.
Keepass allows you to use a passphrase in combination with a randomly generated keyfile. You only need to copy the keyfiles to your devices once (not via cloud services, obviously). Your actual database can then be synchronized via any cloud provider of your choice (hell, you could even upload it publicly for everyone to see) and it would still be secure.
I’ve used Option 1 with my Nextcloud and it works perfectly. Other options seem more appropriate when you need scale, many users each with their own vault.
To improve security of option 1 you could use a keyfile, that is either only transferred manually to devices or stored at a second cloud provider.
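Added illustration (not code from any commenter) of the passphrase-plus-keyfile point made in the two comments above: the composite key is built the way KeePass does it, and the assumption is that standard-library scrypt stands in for KeePass's Argon2/AES-KDF stretching step, with all sample values constructed.

```python
import hashlib
import os
from typing import Iterable, Optional

# Constructed sample inputs for this illustration (not real credentials).
PASSPHRASE = "correct horse battery staple"
KEYFILE = bytes.fromhex("a3f1" * 16)  # 32 constructed bytes standing in for a random keyfile
SALT = bytes(16)  # constructed; a real vault header carries a random salt


def composite_key(passphrase: str, keyfile: Optional[bytes]) -> bytes:
    """Combine passphrase and optional keyfile as KeePass does:
    SHA-256 over SHA-256(passphrase) followed by the keyfile key."""
    parts = hashlib.sha256(passphrase.encode("utf-8")).digest()
    if keyfile is not None:
        # A 32-byte keyfile is used as-is; anything else is hashed first.
        # (KeePass also accepts 64 hex chars and XML key files; omitted here.)
        parts += keyfile if len(keyfile) == 32 else hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def derive_vault_key(passphrase: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite key with a memory-hard KDF.
    Assumption: scrypt stands in for KeePass's Argon2/AES-KDF step."""
    return hashlib.scrypt(composite_key(passphrase, keyfile), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def new_keyfile() -> bytes:
    """Generate the random keyfile that is copied to each device out of band."""
    return os.urandom(32)


def offline_guess(candidates: Iterable[str], keyfile: Optional[bytes],
                  salt: bytes, target: bytes) -> Optional[str]:
    """What someone holding only the synced vault file can do: try candidate
    passphrases with whatever keyfile they possess (None if they have none)."""
    for pw in candidates:
        if derive_vault_key(pw, keyfile, salt) == target:
            return pw
    return None


if __name__ == "__main__":
    vault_key = derive_vault_key(PASSPHRASE, KEYFILE, SALT)
    wordlist = ["password", "letmein", PASSPHRASE]
    print("with keyfile:   ", offline_guess(wordlist, KEYFILE, SALT, vault_key))
    print("without keyfile:", offline_guess(wordlist, None, SALT, vault_key))
```

Even with the correct passphrase in the wordlist, the second lookup fails: the synced file alone does not contain enough to reconstruct the key.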
Option 1, with manual copying to mobile. I tried syncthing in the past but had problems with corrupted files
Option 3: Vaultwarden + Wireguard.
I don’t have to worry about attacks from the internet. And a single wireguard connection on my phone sometimes doesn’t even appear on the battery stats.
Edit: Browser addons need valid ssl certificates, which I get by dns challenge.
Could you expand a bit on your edit? So Bitwarden extensions need a valid SSL certificate for the domain where the server is hosted? How do you get that for (I assume) a local domain? Thank you for your time!
DNS-01 challenge allows for domain ownership verification without open ports and instead looks for a txt record. Using a tool like lego[1] with the respective dns provider’s API automatically creates and deletes the txt record after generating a certificate.
Because ownership is verified by DNS TXT entry, the (sub-)domain doesn’t have to point to a publicly routable host. This allows for using any IP, so I’m using a local IP only available through WireGuard or my local network (e.g. bitwarden.example.com points to 192.168.1.123).
The disadvantage is that the provider has to be supported and you have to store an API key for your domain on the server.
For highest security don’t store in the cloud or in multiple places. Memorize them or keep a separate device that has no internet access and keep them on that device encrypted/locked.
Memorizing passwords just leads to passwords that are easy to attack with dictionary attacks and to password reuse.
I memorize the randomly generated ones; you type it in enough and it becomes muscle memory.
My password database contains a few hundred entries. Good luck memorizing that.
I like Enpass. $25 lifetime sub via Stack social. Does the trick. If they ever pull the rug out on lifetime folks, I would go to Bitwarden.
I ended up scoring a free lifetime membership years ago, but is their stuff open source? I never fully trusted it, so I didn’t end up using it for anything
Enpass uses the open source library SQLCipher (which is an SQLite fork with encryption). So while Enpass as a whole is not fully open source, you can still exfiltrate your passwords with open source tools, should they ever vanish or radically change their business model. You can then use, for example, enpass-cli.
That gives me enough confidence to trust in Enpass, since they can’t easily hold my data hostage.
I never understood how storing your passwords in a unified storage is better than just remembering them yourself
Please be satire! 😐
I keep my passwords in Google. Unencrypted of course