1. 19
  1. 10

    I was pleased to see that this article wasn’t yet another rant on the evils of cloud based password management, and instead laid out some very common sense goals (one of which happened to be “no third parties” which I can totally respect) and detailed how they built a solution.

    I’m far too lazy for this approach. I’m more than willing to trade off having my passwords stored at a third party for the ultra convenience something like 1Password offers, and I’m grateful that the folks at AgileBits really care about things like cross platform support including first class Linux clients.

    1. 5

      Me too on all the points. The only part I do sometimes get concerned about is what happens in the event of a 1password bug that causes data loss. This fear is less about trusting 1password, and more about the impact of losing access to everything. But I generally answer that with the same logic that I’m glad I can pay someone to have to deal with that issue rather than taking it upon myself.

      1. 3

        Thank you for prompting me to explore 1Password’s data export functions :)

        Seems like you can export your entire password vault to a local file in several different formats.

        1. 2

          Thank you for the nightmare about which I can do nothing for the next 10h (in a bus) =P

      2. 8

        I use the excellent https://github.com/dani-garcia/vaultwarden project. It is compatible with all bitwarden apps/browser-/android-extensions and just works. No cloud involved. I even run it on my local network that can only be reached over a wireguard tunnel.

        1. 4

          I use passwordstore.org too, and because of the existence of the Android app that is mentioned in the article it ends up working really well. The only drawback I noticed is that the filenames give away which website the passwords are for. A while back when I was trying out wayland I wasn’t able to get rofi-pass to work with ydotool because I was unable to configure ydotool properly, but maybe that has changed now. Apart from that it works very nicely. I sync my password repository to three remotes and have a periodic local backup. Have a backup of my gpg key as well. Not sure if I can do anything else to be sure.

          1. 1

            File sizes also give hints as to the length of the passphrase, unless you make a point of padding the files with arbitrary data at the end to make them consistent (I’d love an automatic way to do this in pass…). I guess an attacker might look at the file sizes to determine which one they’d have the best shot at cracking.

            1. 1

              It’s not always easy to infer, as there is additional information stored in the encrypted text file aside from the password.

              1. 1

                > As there is additional information stored in the encrypted text file aside from the password.

                Maybe. pass doesn’t store any additional info in the file by default (i.e. when you use pass generate). In any case, it’s another interesting “leak” of possibly useful info about what is stored there, like the website name in the file.
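An added example (not code from the thread or from pass itself) of the padding the comments above wish pass did automatically: the plaintext of an entry is rounded up to a multiple of a fixed block size with a random filler line before it is handed to gpg, so the encrypted file size no longer tracks the password length. The block size, the `padding:` key and the convention that pass only treats the first line as the password are assumptions made here.

```python
import secrets
import string

BLOCK = 256            # assumed: plaintext is padded up to a multiple of this many bytes
PAD_KEY = "padding:"   # hypothetical metadata key; pass ignores everything after line one
ALPHABET = string.ascii_letters + string.digits   # one byte per character, never compressible


def pad_entry(plaintext: str, block: int = BLOCK) -> str:
    """Append a 'padding: <random>' line so the plaintext is exactly N*block bytes."""
    if not plaintext.endswith("\n"):
        plaintext += "\n"
    # bytes already committed: the entry, the key, one space and the final newline
    fixed = len(plaintext.encode()) + len(PAD_KEY) + 2
    target = ((fixed + block - 1) // block) * block          # round up to next block
    filler = "".join(secrets.choice(ALPHABET) for _ in range(target - fixed))
    return f"{plaintext}{PAD_KEY} {filler}\n"


def strip_padding(padded: str) -> str:
    """Drop the padding line again, leaving the original entry untouched."""
    kept = [line for line in padded.split("\n") if not line.startswith(PAD_KEY + " ")]
    return "\n".join(kept)


def password_of(entry: str) -> str:
    """What `pass show` prints by default: the first line only."""
    return entry.split("\n", 1)[0]


if __name__ == "__main__":
    # constructed sample entries of very different lengths
    for entry in ("hunter2\n", "correct horse battery staple\nurl: example.com\n"):
        padded = pad_entry(entry)
        print(len(entry.encode()), "->", len(padded.encode()), "bytes;",
              "password still", repr(password_of(padded)))
```

gpg compresses plaintext by default, so the ciphertext will still vary by a few bytes between entries unless compression is disabled (gpg's `--compress-level 0`); the random filler itself does not compress.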

          2. 3

            This is similar to my setup, just with my own hand-rolled password manager that uses age instead of gpg.

            I could rant at length about my distaste for gpg, but I’ll save it.

            1. 3

              I just have a keepass file that I sync across all my devices with Syncthing, no browser plugins or anything like that. The rofi-pass thing is neat, maybe I’ll hack something up with bemenu and some keepass cli for my desktop.