
Ask HN: How comfortable do you feel using cloud-based password managers? - bishala
Even though cloud-based password managers have been around for a long time now, I never felt comfortable using them - the idea of handing over my important login details to some third-party company seemed really weird to me. Most people might not care, but the HN crowd is generally security conscious, or, say, paranoid about security (for good reasons). But from password-manager-related threads, it's apparent that many of you use them. So I wanted to get a general idea of how HN users feel about them.
======
kennu
1Password has always offered the best usability for me. Many other password
managers (eg LastPass) have failed, for instance, to work with the AWS sign in
page and some other tricky websites. 1Password UX is also well polished in
other ways and is nice to use. I consider this kind of good usability to
significantly increase my quality of life, since I login to various online
services all the time and I want to eliminate as much hassle as possible.

I realize all this requires a great deal of trust in the maker of 1Password
having done things right and currently I have that trust. This may change in
the future of course.

~~~
benhurmarcel
The main issue of 1Password is the subpar Linux support (there are only
browser extensions).

~~~
mdaniel
It becomes hard to discuss "1Password for Linux" without knowing if you mean
1Password.com or the old 1Password, with .opvault locally and/or synced to
Dropbox-esque

However, if it's the latter, KeePassXC now knows how to _read_ the .opvault
format:
[https://github.com/keepassxreboot/keepassxc/issues/1462](https://github.com/keepassxreboot/keepassxc/issues/1462)
I could imagine teaching it to write their opvault file format, too, but at
the time it wasn't a use-case that I needed

I would actually suspect teaching KeePassXC to read the 1Password.com cached
vault would be even easier, since they now use sqlite3 for storage, but it
would still -- afaik -- be confined to your local machine since their web API
is undocumented

------
spondyl
I've used pretty much every password manager under the sun at one point or
another. Lastpass, 1Password, Bitwarden, Dashlane, Remembear, KeePass(X) and
I've finally settled on regular ol' pass.

I never really understood how it "syncs" but it's just git! Push and pull to
update on every device. I use a private repo since site names are still
metadata. You could put the whole directory tree in a tomb as well, but that
extension is only supported on Mac or something.

Pass is the one thing that seems fairly universal I think and it's all just
text files which makes things really nice. No worrying about will it work on
mobile or if the browser extension is useless without an application.

For example, 1Password X is a standalone extension so you could use it on
Linux while Dashlane requires the desktop application running on the host. The
connection works but isn't always reliable when running non-natively, i.e. WINE.

As for security, they're all fairly well audited I think? Remembear and
1Password both have external audits they pass, and provide remediation plans
for any findings. Probably the same with Lastpass. Personally, I don't really
think about it that much so I don't have a good answer. You can interpret that
as me trusting providers but I have no real idea. I mainly just focus on the
usability hah

~~~
tbrock
Sadly this isn’t a modern solution. People have smartphones and occasionally
have to login to Windows (without WSL).

While I’d love for everything I use to provide an easily accessible *nix shell
it just isn’t practical for phone use or modern computing environment where
you can access cloud data using web services from any internet connected
computers/devices.

~~~
Gorgor
I have a smartphone and use pass via the app Android Password Store [1]. You
have to set up your GPG key of course and also an SSH key for the sync with
the remote repository, but once that’s done, it works perfectly fine.

[1] [https://github.com/zeapo/Android-Password-Store](https://github.com/zeapo/Android-Password-Store)

------
sdan
Never.

I moved from Lastpass to
pass([https://www.passwordstore.org/](https://www.passwordstore.org/)). It's
by far the best decision I've made in a long time (I've moved a lot of
services over to my servers and self host pretty much everything)

I use Mac, but it works on any machine to my knowledge and the great thing is:

1\. Use your keys, so ONLY YOU can decrypt it (gpg keys)

2\. Has Chrome/Firefox extensions that automatically fill out passwords

3\. Can upload the encrypted passwords to git to use on other machines
(presumably)

4\. Dead simple to use (go on terminal and generate random passwords, bunch of
other goodies)

5\. As said previously, it's all on your machine, no one else having access.

~~~
bagacrap
What support does it have for mobile?

~~~
333c
There are iOS and android apps. I can't speak for the android apps, but I use
an open-source client on iOS.

[https://itunes.apple.com/us/app/pass-password-store/id1205820573?mt=8](https://itunes.apple.com/us/app/pass-password-store/id1205820573?mt=8)

~~~
sdan
I recently had to uninstall it because passwords weren't syncing with Apple
Keychain. Should Pass for iOS sync with Apple Keychain in the first place?

------
nickjj
I would never trust them, but more importantly I don't want to have to waste
brain cycles thinking that the 300+ passwords I have saved could be
compromised due to neglect that's out of my control.

I just use [https://www.passwordstore.org/](https://www.passwordstore.org/)
and it works great (I have 300+ passwords stored for years). It's a local
command line driven password manager and it's pretty great for developer based
workflows because you can save multi-line strings which makes it perfect for
saving API keys and other sensitive stuff, along with the password you used to
sign up to the site.

It's also smart enough to copy the first line of a multi-line entry to your
clipboard, so you can access your passwords to login on a site within a few
seconds. Especially since you can navigate your entries on the command line
with auto complete.

It also leans on GPG encryption instead of trying to invent its own security
mechanism.

~~~
BozeWolf
Does not work on mobile, right? How do you handle passwords there? Copy/paste
between mac/iphone (might be insecure). And what if you did not bring your
laptop?

~~~
Leace
Works on mobile. See countless comments here.

~~~
BozeWolf
Aha! Have to check it out then.

------
dancek
You could say I put a lot of trust in Google, as I use the built-in password
manager in Chrome. My rationale is the following:

1\. My browser vendor can access my browser passwords anyway.

2\. It's better to trust fewer vendors and pieces of software.

3\. Copying passwords to clipboard is awfully insecure.

4\. Trying to remember all passwords is also awfully insecure.

I do not save any money-related passwords. I do dream of switching to pass
from time to time.

~~~
pinusc
1\. Is not necessarily true. If you use an open source browser like Firefox,
your browser vendor would absolutely not be able to access your passwords
(...without creating a huge scandal where users would catch on immediately)

3\. Can actually be mitigated, or other options can be used. For example, in
my browser I disabled JavaScript clipboard access, so that random websites
can't access my passwords. You mention pass, an excellent non-cloud option,
which I personally use with a script that types in the password as if it was a
keyboard - but Firefox and chrome plugins with autofill are available, and
those are offline.

~~~
bagacrap
Your browser sends and receives tons of packets to addresses owned by the
browser vendor and third party sites. After all that's its main function. Your
open source browser is millions of lines of code. You think it would not be
possible to exfiltrate passwords without your notice? It seems a much more
practical approach to assume your browser vendor is a "good guy", as the
alternative model is that you choose to do all your most sensitive computing
via an adversary.

~~~
benburleson
I think the premise is we would know if it already did that, and incremental
code changes can be inspected to see it isn't added. So yeah, it's pretty safe
to say open source makes it trustable.

~~~
dancek
That's pretty reasonable, but if I were a malicious actor looking to do
something like this, I'd try to introduce different bugs at different times
that combine to leak passwords. That would give plausible deniability, too.
Not saying it's an easy scheme to engineer.

------
the8472
I think conceptually cloud-based password storage is trustworthy if you
separate the cloud storage from the password manager software.

If both were provided by the same vendor then security motivations would not
align. E.g. the vendor could reason that it's ok to do server-side encryption
instead of client-side for whatever reasons. Or they could capture your master
keys and decrypt old backups long after you have deleted things when compelled
by a secret court order.

Separating storage and software means the software developer should consider
the storage provider as potentially hostile and design the password manager
accordingly.

Additionally a separate solution also increases data mobility. You can use
your home server instead of cloud providers, you can move vendors instead of
being locked into a single ecosystem.

That said, storing your key files offline is still another layer of security
that has to be breached, storing it publicly accessible means you are only as
safe as your hashed password.

Another concern, unrelated to the cloud aspect, is browser integration for
password managers. It's something one should avoid since the browser
extensions closely interface with the websites. It increases the risk that a
bug in the extension allows a site to trick them into revealing the wrong
secrets in an automated fashion.

------
probably_wrong
For me: I don't trust them. You know how people often say "if you didn't want
it to be public you shouldn't have put it on the internet"? Well, that. If
there's anything worse than a breach that reveals my secure password it's a
breach that reveals all of my passwords at once.

For other people, such as family members: I totally recommend it. It is way
better than whatever password reuse they are doing now, and the chances of a
breach are low enough.

My point being: I think they are overall better than not using anything, but
if you have the knowledge and diligence to keep an offline encrypted file (and
its backup!) up to date, then I would suggest doing that instead.

------
kapep
I also never felt comfortable using cloud password managers. I used to have a
KeePass file on Dropbox (with an offline key file) to stay a little more in
control. Synchronization worked quite well but some months ago I switched to
the following setup to avoid Dropbox or similar services:

I have a KeePass file and use Syncthing to share it across all my devices. The
keyfile is not synced and I manually send it to any new device. Syncthing works
well and most KeePass clients can nicely merge two KeePass databases in case
of conflicts. Firefox integration with Kee.pm is really convenient.

For me this works really well. It was easy to setup and in my opinion it is
very much worth it if you want to avoid third-party hosting.
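
As an added illustration of the point the8472 and kapep make above (a synced, encrypted database plus a key file that never touches the sync), here is a constructed example, not code from the thread or from KeePass/Syncthing: the vault key is derived from the master password and the key file together, so whoever obtains only the synced file cannot even test master-password guesses. The vault layout, the KDF and its iteration count are this example's own assumptions, not any product's on-disk format.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo: a vault file that is synced to every device, protected by a
# key derived from a master password plus an optional key file that is never
# put on the sync. Layout, KDF and iteration count are this example's own
# assumptions, not any product's on-disk format.
KDF_ITERATIONS = 100_000  # assumption: illustrative work factor


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the password and, if present, the key file into one fixed-size secret.

    Each input is hashed on its own before the two are combined, so a password
    that happens to equal the key file bytes does not collapse into the same
    composite, and the result is always 32 bytes.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(material).digest()


def derive_vault_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Slow KDF over the composite. Whoever holds only the synced file pays this
    cost per guess, and with the key file off the sync they have nothing to
    guess against: every candidate password still lacks the second input."""
    return hashlib.pbkdf2_hmac(
        "sha256", composite_key(password, keyfile), salt, KDF_ITERATIONS
    )


def make_vault(password: str, keyfile: Optional[bytes]) -> dict:
    """Create the synced part: a random salt and a verifier tag for the derived key."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(password, keyfile, salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(vault: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """True only when the password AND the key file reproduce the stored verifier."""
    key = derive_vault_key(password, keyfile, vault["salt"])
    tag = hmac.new(key, b"vault-verifier", "sha256").digest()
    return hmac.compare_digest(tag, vault["verifier"])


def demo() -> dict:
    """What a holder of the synced file alone can and cannot do."""
    keyfile = secrets.token_bytes(32)             # constructed: stays on trusted devices
    vault = make_vault("correct horse", keyfile)  # constructed master password
    return {
        "right_password_and_keyfile": unlock(vault, "correct horse", keyfile),
        "right_password_no_keyfile": unlock(vault, "correct horse", None),
        "right_password_wrong_keyfile": unlock(vault, "correct horse", secrets.token_bytes(32)),
        "wrong_password_right_keyfile": unlock(vault, "correct horse battery", keyfile),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'unlocked' if ok else 'refused'}")
```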

~~~
juangacovas
+1 for the sync/conflict resolution of Keepass. Also I think that putting a
shared database (file) on a shared folder at the office if needed is an
overlooked feature.

------
lukasm
I use a hybrid approach with Lastpass used as a password entropy storage. For
important services like Github I only store half of the password in LastPass.
Then I add a nonce and a generic short password.

The final password is 12-16 random characters from LastPass + a 3-char nonce
that I generate from the service name (in my head) and a short 5-character
password.

If LastPass leaks the secrets no one is able to take over the accounts easily.

For services that don't matter much I just store the whole password in
LastPass.

~~~
kilroy123
This is a great idea, but doesn't it involve a lot of manual work? Or is there
some kind of automated way to do this?

~~~
lukasm
It requires no extra work. Lastpass automatically fills out the creds, I have
to type a few extra characters in password input and press login. Only tiny
annoyance is pressing No in Lastpass "Do you want to update your password?".

------
tejado
I would trust them, but I don't take the risk of "trust". There could always be
issues which are out of your or the password manager's control, e.g. crypto
issues and also long-term issues like quantum computing.

Due to this, I keep all of my passwords offline, as far as possible. For
mobility and comfort reasons, I developed Authorizer
([https://github.com/tejado/Authorizer](https://github.com/tejado/Authorizer)):

"A Password Manager for Android with Auto-Type over USB and Bluetooth, OTP and
much more.

The idea behind Authorizer is, to use old smartphones as a hardware password
manager only. To avoid manual typing of long and complex passwords every time
you need them, Authorizer provides Auto-Type features over USB and Bluetooth.
It pretends to be a keyboard (e.g. over a USB On-The-Go adapter) and with a
button press inside the app, it will automatically type the password for you
on your pc, laptop, tablet or other smartphone."

------
franga2000
It took me a while to come around, but Bitwarden finally convinced me. Both
the clients and servers (there are third-party implementations) are
open-source and besides the security audit they had some time ago, I also checked
some components myself to reassure myself that all outgoing data is in fact
encrypted and that the decryption is done client-side.

The only way I can see someone getting to my passwords is by getting malicious
code into the browser extension and/or mobile app. That means the only viable
attacks are through Mozilla and Google, who I already have to trust for my
browser and mobile OS.

~~~
Corrado
I too resisted the urge to go with a password manager for a long time and
finally ended up with Bitwarden. I like that it's OSS and I have the option of
running it myself, if necessary. More importantly, I can pay someone to run it
for me; hopefully this means they will stick around.

I don't really mind having my passwords hosted somewhere else by someone else.
I don't really trust myself to do it properly and I have a lot of other things
to worry about. If I ever end up being an "important" person I can always
export my passwords and save them locally. Or more likely run my own instance
of Bitwarden.

NOTE: Reading through most of the answers here makes me think that everyone is
hoarding state secrets or has billions of $$$ in the bank. I just want to log
into my airline and check in for my flight, or comment on HN. I'm not trying
to keep a state actor at bay.

------
acd
Bitwarden is open source.

LastPass has had an intrusion in the past (2015) and is closed source.

Site below has a list of some security incidents related to password managers.
[https://password-managers.bestreviews.net/faq/which-password-managers-have-been-hacked/](https://password-managers.bestreviews.net/faq/which-password-managers-have-been-hacked/)

A secure password manager would need to have the decryption keys offline,
client side, safe from central attacks.

------
Twisell
I tried 1Password but finally resolved to use iCloud Keychain after watching
this BlackHat 2016 video
[https://youtu.be/BLGFriOKz6U](https://youtu.be/BLGFriOKz6U).

I mean, as far as I already trust their OS, nothing can really protect me from
being spied on by them if they are ill-intentioned, so as long as they are
serious and patch their security flaws in a timely manner I can live with that.
Besides, it comes with a free plan if you don't need more than 5GB of iCloud
storage.

I'd figure using an external password manager just adds another third party I
need to trust, and the fact that 1Password offers a browser app interface (on
top of native) doesn't reassure me in any way.

Of course if I'd ever need to reassess my threat model because I can't trust
Apple anymore, I will quit iCloud service at the same time as their OS and go
full FOSS.

------
lmedinas
Sometime ago, I bought 1Password for iOS, then Mac, mostly for convenience and
I was happy with it until I got no viable way to use it on Windows simply
because their client still in early development sucked. After some time again
they stopped caring about the local db feature and for me that was it. I moved
immediately to Keepass and never looked back. The reason was because I can
find a client for nearly every platform possible and because I store MY OWN
database where I want.

I prefer to store the KeePass encrypted DB on Dropbox rather than going for 1Password
cloud.

Plus Keepass is opensource...

~~~
octorian
This is also what I do. Password managers are one of those few applications
where I find it vitally important to not be subject to the whims of a
particular company. Even semi-abandonware (like some things I used
pre-KeePass) is preferable to an actively maintained product, if said abandonware
is open source and something I can keep tweaking into working.

I also find it extremely important for my password manager to be available on
EVERY platform I might use. Not just the popular ones a company can make a
business case to support. Historically this has been a bigger issue than at
present, but it's still a big one to me.

------
salex89
My company uses some enterprise LastPass, and I would never give a dime for it
myself. Not because of the quality, but because of the UX. I constantly have
issues finding credentials shared with me, the plug-in is constantly
interrupting my usual flow, and so on. Just not a fan. Personally I use
KeePass. I know there are some security concerns with the application itself,
but it has served me well.

Just because of the LastPass experience I'm not sure whether I would try
something else.

~~~
chias
This is exactly the boat that I was in for a number of years. I also have a
few security concerns regarding bad practices of theirs that they essentially
told me they didn't care about.

About a month ago I switched to BitWarden and it's been phenomenal. The UI is
great, as is their mobile application. I've also heard good things about
KeePass.

------
jen729w
Same way I feel about security domains at work: you either have to trust
encryption, or never use any network. It’s that binary.

At work I’ll see people — the security team, usually — taking some already-
encrypted thing and re-hardening it to the nth degree. I think that’s stupid.
If you don’t trust your encryption, don’t bother using it. If you do trust it,
stop there. It’s maths. It’s proven.

I feel the same about 1Password. I trust that they encrypt my stuff with
trusted encryption. That’s it.

~~~
swiley
>maths. It’s proven.

No they are not. That’s one of the things that makes designing correct crypto
systems difficult. Going the wrong way through most cryptographic trap doors
is conjectured to be difficult but I’m unaware of a single one that’s proven.

~~~
mjlee
The one-time pad has been proven to have perfect secrecy.

Given a ciphertext, the only information available is its length.

~~~
swiley
This makes a lot of assumptions:

You have a way to securely exchange or store the one time pad (at that point
just use slices of the pad as passwords)

The pad is sufficiently random

This was how RC4 was used to encrypt things; RC4 is fundamentally a random
number generator. To use it you throw away the first so many bytes (because
they could be used to recover the state of the machine) and then the rest was
used as a pad. Unfortunately, patterns in the data can make it easy to recover
the raw RC4 pad (uncompressed blank bitmaps, for example) and this can be used
(again) to recover the state of the machine generating the numbers. On top of
that it turns out RC4 is a lot more predictable than people originally
thought.

Essentially all a one time pad does is move the problem somewhere else, often
that other place isn't great.
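
To make the RC4-as-pad point above concrete, here is an added example (not code from the thread): RC4 implemented as a pad generator with the usual discarding of early output, followed by the two pad leaks the comment describes. Known or predictable plaintext (an all-zero region standing in for a blank bitmap) hands the pad back directly, and a pad reused for a second message then decrypts that message. The key and messages are constructed for the demo; the 3072-byte drop is just a commonly used amount.

```python
from typing import Dict

# Constructed demo of RC4 used as a pad generator, and of how the pad leaks.
# Key, messages and the "blank bitmap" are made up for this example.


def rc4_keystream(key: bytes, length: int, drop: int = 3072) -> bytes:
    """RC4 key scheduling plus output generation.

    `drop` is the number of leading output bytes thrown away (the RC4-drop
    practice the comment mentions; 3072 is a commonly used amount). The
    classic published test vector uses drop=0.
    """
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + length):              # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[drop:])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, data: bytes, drop: int = 3072) -> bytes:
    """Stream encryption is data XOR pad; the same call on the ciphertext decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data), drop))


def recover_pad(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext returns the pad byte for byte: pad = c XOR p."""
    return xor_bytes(ciphertext, known_plaintext)


def recover_other_message(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Two messages under the same pad (same key, same position): the pad
    recovered from the predictable one decrypts the other outright."""
    return xor_bytes(c_other, recover_pad(c_known, p_known))


def demo() -> Dict[str, bool]:
    """Run the two leaks on constructed data and report whether each succeeded."""
    key = b"constructed-demo-key"
    blank_bitmap = bytes(64)   # all-zero region, like rows of an uncompressed blank image
    secret_note = b"vault key: correct horse battery staple"
    c_blank = encrypt(key, blank_bitmap)
    c_secret = encrypt(key, secret_note)        # same key, same position: pad reused
    return {
        "roundtrip_ok": encrypt(key, c_secret) == secret_note,
        "pad_recovered_from_known_plaintext":
            recover_pad(c_blank, blank_bitmap) == rc4_keystream(key, 64),
        "second_message_recovered":
            recover_other_message(c_blank, blank_bitmap, c_secret) == secret_note,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first assertion a reader should check is the published RC4 vector (key "Key", plaintext "Plaintext", drop=0), which the implementation reproduces; the rest is the pad-leak demonstration.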

------
CM30
I'm not comfortable at all using them. For one thing, I can't tell how they're
really storing the passwords, or what kind of encryption they're using there,
so I end up being forced to merely trust they're doing the right thing rather
than giving backdoors to others or rolling out their own crypto or using some
setup that can be reversed on their side.

Additionally, I also believe that:

1\. I should have access to all my passwords without a working or stable
internet connection

2\. And that I should leave as few ways for social media/cancel culture
pressure to affect my life as possible.

Hence offline systems like KeePass work fine for me. I can trust they're not
providing backdoors, I don't have to worry about a third party server getting
hacked, they're accessible offline and if I end up in a controversy, my
enemies can't do anything to get my account suspended or terminated.

------
jchw
If it helps, Bitwarden, including server, is open source. Of course that isn't
a panacea by any means, but you can at least build it yourself and glance over
the code. For me I prefer it to closed source for sure, and honestly even if
the UI isn’t as pretty Bitwarden checks all of my boxes and tends to work
really well across the platforms I use it on, including Linux, and it doesn’t
have the same extension security troubles as many other password managers have
had (1password prior to 1password X suffered due to communication with a
desktop app and the complications that brings. Lastpass doesn’t do that, but
has had arbitrary code execution vulnerabilities in their extension.)

And of course, Keepass XC is always a very formidable password manager.

------
kalleboo
I've been using Apple's iCloud Keychain since it was first released 6 years
ago. It's well-integrated so I don't need to think about it. I'm already
trusting their OS, and if it gets compromised, at least I won't be alone.

------
VvR-Ox
I think it's just stupid to trust anyone with your passwords even when they
are encrypted.

We all know how just after some years all encryption can be rendered useless
by some technical advancement or mathematical breakthrough (potentially).

In my opinion you are far better off with some device (mooltipass, yubikey)
that holds your credentials because you have physical control over it and the
chances your encrypted passwords are stolen are much lower than going with the
cloud option.

This isn't about being paranoid but about minimizing the risk of one's
credentials being exposed/compromised.

We trust entities far too much for my taste and next to credentials I also
don't feel comfortable with private pictures and videos of/with me being
uploaded to some cloud.

1\. Something could go wrong in transport (poor SSL/TLS, compromised devices
in between (MITM) & weak crypto)

2\. Something could go wrong on the company's side (failure to implement
crypto properly, usage of weak crypto, bad server security)

3\. Most encryption can be broken and it probably will be broken. This isn't
about the fear of quantum computing but plain logic. Crypto often relies on
some mathematical assumption that states that no one can break something in a
realistic amount of time (e.g. discrete logarithms) which is rendered useless
by superior equipment/power to calculate. Then there are implementation details
which are too complex (or the people who implement it just don't take enough
care) to be executed in the correct (=secure) way, easily.

This is a problem we can see on many waypoints in these scenarios and this
fact for itself increases the risk of being compromised in a scale I'll always
try to weigh in and to minimize.

------
jedimastert
I'm currently using LastPass, keeping my bank, anything that can control my
bank, and my email(s), but I wouldn't mind switching to something less
centralized.

It's my opinion that you end up having to trust someone, and having a password
manager that I can arbitrarily make new identities with secure passwords
automagically outweighs the small (imo) chance that the password manager is
untrustworthy.

------
marc3842h
I only trust them when they're open-source and I can self-host it on my own
hardware. That's why I settled for Bitwarden (or to be more exact,
bitwarden-rs).

------
pmontra
I don't trust any company with my passwords. I use keepassx and sync from my
laptop to my Android devices using Syncthing. Ideally I could use a self
hosted cloud password manager, but it's a larger attack surface than a local
one.

------
pndy
After I lost one copy of my passwords database in Dashlane, I moved to
Firefox Sync. Then years later, after switching to Vivaldi, I picked the offline
Enpass, but I still have KeepassX as a backup solution if they should decide to
abandon their business.

I'm not a fan of cloud storage that much anyway - not after Dropbox invited C.
Rice to board of directors. [1]

[1] [https://en.wikipedia.org/wiki/Criticism_of_Dropbox#April_2014_Condoleezza_Rice_appointment_to_board_of_directors](https://en.wikipedia.org/wiki/Criticism_of_Dropbox#April_2014_Condoleezza_Rice_appointment_to_board_of_directors)

------
alkonaut
I don’t trust them 100% but I don’t trust myself to keep a file-based one
(such as keepass) working without losing the file either.

It’s the same with backups. I can’t be trusted with my own data. I’d rather
let someone else keep it.

------
sys_64738
The only way to protect your information from being stolen is to not store it
on somebody else's server. Every 'cloud' server is one compromise away from
draining your bank account.

~~~
tatersolid
Your local machine or private server is far more likely to be compromised by
malware, IoT bug, or the unpatched zero-day of the week than infrastructure
run by a professional security team with 24x7 staffing and TEXA$ to lose if
they screw up.

Do you pore through all the logs on your system every few minutes looking for
anomalies? Do you inspect every line of code before it gets anywhere near
production?

------
JohnBerea
I just use KeePass, and Syncthing to automatically sync its encrypted password
file (and other files I care about) to my android phone and all my windows
computers. No cloud needed.

~~~
elkos
Is this actually so simple?

~~~
dole
Not as simple as just using Dropbox, but it's probably simpler than you think.
Was using LastPass and configuring Syncthing (on Windows) seemed daunting
until someone here on HN mentioned SyncTrayzor. Syncthing runs as a Windows
Service and you access it through a local webapp; SyncTrayzor wraps it into a
much friendlier tray/desktop accessible app.

[https://github.com/canton7/SyncTrayzor](https://github.com/canton7/SyncTrayzor)

------
mongol
Not very. I use pass together with a self-hosted git repo.

Passwords are too important to evaluate a manager on convenience primarily. I
think it is a little strange that banks do not work to get in this area. You
trust your bank or else you would not keep your money there. I know too little
about the main password manager companies to know if they are trustworthy.

I guess this is too small a domain for banks, but I think it would be interesting
to see what happened if they moved into it.

~~~
zrobotics
Considering that my bank (Wells Fargo) has the crappiest password policy of
any site I use, I wouldn't trust them to handle my passwords. Passwords will
be accepted case-insensitive, so they're losing entropy and likely have the
password stored plaintext somewhere.

That being said, I do have a safe deposit box with backups of important
documents and a KeePass DB. The KeePass DB isn't synced as often as my local
copies, but does get synced whenever I change passwords on any crucial site. I
do have a copy on onedrive, but if I lose access to my password manager I
won't be able to login to onedrive to access it. It's a little bit of work,
but there are certain things that are definitely worth backing up in a secure
location. Plus, there's a printed copy of my KeePass credentials and access
information for relatives in case I'm gone.

------
katzeilla
I will never use any cloud based PM.

The biggest issue for me is transparency and complexity, most of them are just
as "blackbox" as any other service.

I am using KeePassX with git + gpg on my own server for extra encryption and
sync, this solution is simple and future-proof.

And I might switch to my own script in future; dir + txt + git + gpg should be
enough.

Need a random password? cat /dev/urandom | head -c 48 | base64 | cut -c 1-64

Grouping? Just different directories.

Please also remember, there is no cloud, just other people's computer.

------
benologist
I use [https://app.keeweb.info/](https://app.keeweb.info/) but I host the data
itself, it's actually just a static page until you connect it to your
preferred data store. I like it because the page and data caches for use
offline and it's multi-device. I just copy/paste the hard way to fill forms
and even transcribe from my phone on devices I don't trust.

------
alpaca128
I don't trust them as much as an offline solution, and as enough solid offline
solutions are available I avoid these cloud-based services.

Keepass does everything I need and supports all platforms I use. Sync isn't
comparable but then again I don't register new accounts or change passwords
every single day, so this is an area where sync features beyond what I get
with syncthing are pretty irrelevant to me.

------
ggm
I have used 1password. I only moved to Bitwarden because I decided that if the
PM was going to demand cloud backing I might as well pay cloud cost to an
open-source entity. 1password is faster.

I used to use rsync (bittorrent-sync) to keep my own hosts up to date against
each other. This was painful to manage so I accepted the bitwarden cloud
model.

The risks are there, for sure. If you doubt the crypto behind your keystore,
_where it is_ should worry you little because _how insecure it is_ should not
be about where it is: it's about how it's shrouded, and how what is shrouded
can be revealed.

My belief in the shroud protecting my secrets is my belief in their ability to
code to the spec. It wasn't founded in my use of a private filestore to back
the keystore, although I did, and I prefer private files to private cloud
files, to cloud files hosted by some intermediary, to public cloud.

Bitwarden is a private cloud file, hosted by some intermediary. The risk here
is twofold: the intermediary is broken and its persisting filestore is
readable, and bitwarden is broken and its interior private view becomes
visible.

My best belief is that no part of my interactions depends on Bitwarden knowing
the interior state of my keys; they only handle shrouded data, and either I
run apps which decode locally, or I run JavaScript which decodes locally, but
I do not expect or believe any transit of the un-shrouded state of my data
routinely has to flow through their hands. And the persistence of that belief
is because they state the limits to how they can help recover my keystore if I
lose critical information. If they are truthful here, they cannot help me if I
lose the escrow passphrase, because nothing they hold is the decrypt of my
shroud. I have to give permission to de-shroud their side, the protecting key.
It's otherwise only used locally to me. (If somebody breaks the .js code, then
the filestore being in the cloud is irrelevant.)

1Password made the same kinds of commitment to me. As do LastPass and a number
of other people. They all have to be comparable in this regard because it's the
fundamental business model.

At one stage, there was some leakage in the model for some keystores. The file
names unnecessarily encoded revealing parts of the URLs they related to. I
think that's changed now. It was scary. I had assumed everything was shrouded;
it turned out that for some period of time, only passwords and identity inside the
URL had been fully protected. They changed that. I think it was 1Password, it
might have been LastPass. It wasn't Bitwarden because I moved to them earlier
this year and that was 2-3 years ago or more.

If I have misunderstood and sometimes my data is visible to them in clear, on
their machines, I'd love to know.

~~~
tdurden
1password can still be run locally w/o use of cloud backing. That is the only
way I have ever used it actually.

------
cygned
Not so comfortable. However, I trust the 1Password guys, I had some contact
with the founders a couple of years ago, they even gifted me the iOS and Mac
version, and found them competent and trustworthy.

The reason I went with the cloud sync is that I have to share secrets over
multiple companies with all kinds of people and 1Password is simply the best
compromise of convenience and security I found.

------
geofft
0. If the FBI/Mossad/etc. want my passwords, they can threaten to cut my toes
off one by one and I'll just give them the passwords. So they're outside of my
threat model.

1. All my important stuff has two-factor auth, so a malicious password
manager company couldn't get in anyway.

2. If you're using one of the major vendors with a reputation and a paid
service, that produces a fairly strong incentive for them to not be
_intentionally_ malicious - if they were caught distributing an update that
made it possible for the companies to see your passwords, nobody would ever
use them.

(All the major password managers do client-side encryption; they don't store
plaintext passwords themselves. They do distribute the client that lets you
decrypt passwords, but that's it.)

So that leaves accidental risk (bad crypto, hijacked update chain, client-side
vulnerabilities). Out of the options, I'm comfortable with the track record of
1Password in particular.

I'm very interested in open-source options, but the major ones are all
proprietary and the open-source ones are all volunteer-driven and I think the
risk tradeoff is wrong. It's not a decision I feel 100% comfortable about but
between the options of proprietary-but-professionally-maintained and open-
source-but-hobbyist-maintained the former seems vaguely preferable for
security-sensitive software, especially given that one of my requirements is I
want to use a password manager extension.

Shameless plug, I have a personal digital security podcast and we took a look
at various password managers and their security track records recently:
[https://looseleafsecurity.com/episodes/password-manager-secu...](https://looseleafsecurity.com/episodes/password-manager-security-model.html)

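The model geofft's parenthetical and the earlier Bitwarden comment describe (the client derives the key from the master password, the server only ever receives a login verifier and ciphertext, and nothing the vendor stores can open the vault) is easy to sketch in code. What follows is an added example written for this page; it is not code from 1Password, Bitwarden or LastPass, and its key schedule, field names and `SyncServer` API are assumptions made for illustration. The Python standard library has no AES, so an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for AES-GCM; the point being shown is which bytes cross the wire and which do not, not the cipher. The vault entries and master password are constructed sample data.

```python
"""Client-side ("zero-knowledge") vault sync, standard library only.

Everything the intermediary stores is what SyncServer.register() writes: a salt,
the KDF cost, a hash of a login verifier and an opaque blob. The vault key is
derived on the client and never sent. Key schedule and cipher are simplified
stand-ins (assumed for this example), not any vendor's scheme."""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 cost; chosen for the example


def derive_keys(master_password: str, salt: bytes, iterations: int) -> dict:
    """Stretch the master password once, then split it into three independent keys.
    'enc' and 'mac' never leave the client; 'login' is sent to prove knowledge of
    the password. None of the three can be turned back into another."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return {label: hmac.new(master_key, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "login")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode over HMAC-SHA256: blocks of HMAC(key, nonce || counter)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_vault(keys: dict, entries: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, fresh random nonce per upload."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(keys: dict, blob: bytes) -> dict:
    """Check the tag first: a wrong key or a tampered blob fails before decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault authentication failed: wrong master password or tampered blob")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct)))))


class SyncServer:
    """The intermediary: authenticates uploads, hands back blobs, holds no vault key."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, iterations, login_key):
        # Hash the verifier again so a database dump cannot simply be replayed as a login.
        self.accounts[user] = {"salt": salt, "iterations": iterations,
                               "login_hash": hashlib.sha256(login_key).digest(), "blob": None}

    def kdf_params(self, user):
        return self.accounts[user]["salt"], self.accounts[user]["iterations"]

    def _authenticated(self, user, login_key):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["login_hash"], hashlib.sha256(login_key).digest()):
            raise PermissionError("login verifier does not match")
        return acct

    def upload(self, user, login_key, blob):
        self._authenticated(user, login_key)["blob"] = blob

    def download(self, user, login_key):
        return self._authenticated(user, login_key)["blob"]


def client_register(server, user, master_password, iterations=KDF_ITERATIONS):
    salt = os.urandom(16)
    server.register(user, salt, iterations, derive_keys(master_password, salt, iterations)["login"])


def client_upload(server, user, master_password, entries):
    keys = derive_keys(master_password, *server.kdf_params(user))
    server.upload(user, keys["login"], encrypt_vault(keys, entries))


def client_download(server, user, master_password):
    keys = derive_keys(master_password, *server.kdf_params(user))
    return decrypt_vault(keys, server.download(user, keys["login"]))


def decrypt_from_server_dump(server, user, candidate_password):
    """What an insider or database thief can do: skip the login check and try a password
    against the blob directly. Every guess still pays the full KDF cost, and nothing held
    server-side shortens it. This is also why support cannot reset a lost master password."""
    salt, iterations = server.kdf_params(user)
    return decrypt_vault(derive_keys(candidate_password, salt, iterations), server.accounts[user]["blob"])


def demo(iterations=KDF_ITERATIONS):
    """Run the whole story with constructed sample data and report what held."""
    server, user, master = SyncServer(), "alice", "orbit-nimble-cactus-47-widow"
    entries = {"https://example.com": {"username": "alice", "password": "correct horse battery staple"}}
    client_register(server, user, master, iterations)
    client_upload(server, user, master, entries)
    report = {"roundtrip_ok": client_download(server, user, master) == entries,
              "server_holds": sorted(server.accounts[user]),
              "blob_is_opaque": b"correct horse" not in server.accounts[user]["blob"]}
    try:
        client_download(server, user, "wrong-password")
        report["wrong_password_rejected"] = False
    except PermissionError:
        report["wrong_password_rejected"] = True
    try:
        decrypt_from_server_dump(server, user, "wrong-password")
        report["dump_opens_without_password"] = True
    except ValueError:
        report["dump_opens_without_password"] = False
    return report


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the thread argues about: the legitimate client round-trips its vault, a wrong master password is refused at login, and the same wrong password still fails against a raw copy of the server's database. The `decrypt_from_server_dump` path is also why a vendor built this way cannot recover a forgotten master password: the only secret-derived value on its side is `login_hash`, a hash of a hash, never the encryption key. What this model does not protect against is exactly what the surrounding comments name, a hostile or hijacked client update, since the client is where `enc` lives.
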
------
zmix
Zero. Nada. Njet!

Passwords are those little peckers that make everyday life with a computer
uncomfortable. So it would make a lot of sense to sync them between all the
machines I use. But it's never going to happen that I store my passwords on
your computer!

You must rip them out of my dead, cold hands!

Locally, I use KeePass and KeePassX on Windows, Android and Linux and Keychain
on macOS.

------
LocalMan
I've been using Lastpass for years now. It's good but not perfect.
Occasionally I have to fiddle with it. There are a few web sites that Lastpass
can't deal with. I opt for big passwords so I'm sure it's more secure than
trying to use my memory and/or some ad hoc scheme.

I haven't done an organized comparison of password managers.

------
Quequau
I don't.

I use KeePass, well now I guess it's KeePassXC, and I keep up with my onsite
backups. There have been way, way more problems with 3rd party and cloud based
services than I've had with my private system.

I've survived a couple of hardware failures, a few problems I created myself,
and effortlessly migrated from Windows to MacOS to Linux in the meantime.

------
sharcerer
So, I am a student. Recently started using 1password. 2 years ago, I used
Lastpass. Its UI sucked. Even for logging in, the 2-3 clicks irritated me,
since I was distrustful of extensions. After logging in, more irritation. Now,
I don't know what changes they've done. Then I recently used Bitwarden (open-
source) for a few months. It was nice, but wasn't enough for me; I have a
3-digit # of accounts. I also wanted different vaults for different email IDs.
Finally got 1password. And UI wise, 1password is just the best. Just lovely
design. I use a combination of Google's Saved Logins and 1password.

Also, the 1password support guy was super super super nice to me. Well, the
Bitwarden support guy/gal (i don't remember that one) was nice too.

Speaking of trust, I mean that's quite complicated, right? No matter what
justification I give, there is some risk and a lot of technicalities which I
am not aware of.

------
moeffju
I don't use them because I couldn't trust them. I'm currently using KeePass
synced with Dropbox. Works fine on Android, Mac and Windows. iPhone is a bit
annoying, so I store some stuff in iCloud Keychain. I've tried pass and I want
to try Bitwarden, but this setup works for me. KeePassXC even supports TOTP.

------
Normal_gaussian
KeepassXC, synced with syncthing on my synology AND on gdrive. Android client
and linux client. Databases for personal, personal extra secure, and work. My
partner can get into personal, but not work or extra secure.

I have personally read through keepassxc source - haven't read the Android
client. I have syncthing on my todo list.

------
m-p-3
I use KeePass stored in a cloud storage provider. As long as I control the
encryption key, it doesn't concern me too much if someone manages to grab the
KDBX file, as I know the password is quite secure (over 32 characters, with
symbols) and has never been used anywhere else.

------
taurath
Plenty comfortable with LastPass here.

~~~
tim333
I use LastPass. I think a case of “The best is the enemy of the good.” It's
probably not perfectly secure but good enough and the time you might spend
trying to do something better might be more productively spent on something
else.

------
bestouff
I'm using a self-hosted Nextcloud which stores my passwords. There are 'apps'
for Firefox and Android. They're not perfect but work quite well for my use, I
have both the benefit of cloud-based, centralised passwords and nobody-else-
but-me can touch them.

------
vemv
As an idea, someone could implement a middle ground solution between `pass`
([https://www.passwordstore.org](https://www.passwordstore.org)) and a cloud
solution.

Key design: encryption/decryption happens locally, using standard open-source
tools such as GnuPG. The cloud provider cannot _possibly_, ever know your
actual contents - they only store them so you can't get locked out (which is a
very real risk with `pass`; safeguarding our underlying private keys is
currently completely left up to us).

Also, a convenience layer could be offered on top of GnuPG; that should be
open source, distributed as a non-binary and paid via honor system (also one
can pay just for the mentioned hosting).

------
kevin_nisbet
I'm not entirely comfortable with online password managers either.

For company use, I do use online password managers (1password), as they
generally offer a good UX experience for less technical users, and there isn't
strong rationale to believe companies focussed on password storage/transfer
have bad practices in place. I also place some of my passwords in these
password managers, generally passwords that don't do high amounts of damage if
compromised.

Totally given the choice for a technical team, as many others have pointed to,
I like pass or gopass as a team password mechanism, synchronizing passwords
over git which is encrypted locally.

I'm pretty sure my reluctance or hesitation around cloud password managers
stems from: it's hard to know who to trust. Companies pretty much universally
have poor practices, missing controls, and will misrepresent or be
susceptible to internal dogma about how good the tools and practices are.
Allowing online sync of passwords increases the surface area; more things have
to be perfect to prevent a compromise than in non-online systems.

The really difficult part though, is it doesn't mean the cloud based manager
is actually less secure than a more traditional app; a decent amount of the
surface area of both applications intersects. Think of things like a compromise
of the build server: unless you're running the app totally isolated from the
internet, both online and offline apps can get compromised in the same way,
and pick your favourite offline app may have higher risk than pick your
favourite cloud app based on internal controls that aren't talked about.

So with this in mind, for me it comes down to making a choice of trust on very
imperfect information, only really with the public history of a vendor and how
they present themselves externally. So given that imperfect information, I
tend to place a higher weight on solutions with less surface area, there are
less pieces for the vendor to get perfect to protect the system. And even with
online password managers, I never install the browser autofill extensions,
again to limit surface area.

That said, with password handling the choice of password manager and how it
operates is also likely a smaller concern. As in most companies have bad
password rotation practices when say an employee quits, or their laptop is
compromised, etc. It would be cool to see a standard protocol for a password
manager to be able to go in and rotate passwords automagically, and continue
to see progress towards SSO and U2F/FIDO2 security keys universal adoption.

------
davuinci
The only thing that (hopefully) is stored in the cloud with respect to
password managers is the encrypted vault containing your passwords. Securing
your vault with a strong master password in addition to a U2F like YubiKey
seems to me a pretty safe way to store your important data.

Additionally, using an open-source password manager that you can audit
alleviates any further paranoid concerns you may have. If you also worry about
the cloud provider suffering a severe outage then you can always keep offline
backups. Assuming that you have the expertise and time you can implement a
solution yourself but it always depends on your threat model and your level of
paranoia.

------
Xelbair
I won't trust any cloud-based password storage, especially not a proprietary
one - even audits do not change my opinion about that - as the main attack
vector isn't from the hacking side, but from 3 letter agencies and governments
instead.

Plus it is a huge registry of metadata - any site that i store a password for
gives them knowledge that i do use that site.

I tried a few local solutions - sadly for my use case they both need to work in
a shared way (some passwords are used by multiple colleagues at work for
example, as they are company wide accounts for external sites that do not
support individual accounts), and they do need to work on windows in a non
cumbersome way.

------
scraft
Keepass for me, on Android I access via finger/thumb print scanner and on
desktop I use Firefox with master password enabled. Database stored in Dropbox
which is synced to work, home and phone.

Prior to doing this (requirement for my job) I didn't have any particular set
up, so in comparison this feels really good.

Main grumble is I don't pay for Dropbox so have a device limit, so end up just
downloading database onto extra devices which mostly works but sometimes
requires redownloading to get latest and potentially uploading to Dropbox if I
have created a new password. Maybe I will pay for Dropbox sometime (as let's
face it, it is useful beyond this case).

------
bbulkow
I use 1pass like many here, but don't use the cloud service and am not happy
doing so. My passwords are in a file which i share using a file share service,
but i know it is all encrypted with my master password, which is my primary
line of defense.

I would be interested in hearing how many passwords / accounts people have. I
am well above 100, i think in the 200 range, so the idea that i could have
different passwords, and remember them, is just silly. Password management has
to happen, and the best way i can think is to store a majority in a very well
encrypted file.

I do memorize a few key accounts.

------
dmarlow
I personally use KeePass and Dropbox.

I don't mean to hijack the thread, but allow me to ask what you guys use
within you company, if anything. Do you use a cloud solution, something self-
hosted, or nothing?

~~~
unoti
At my company, we use Azure Keyvault to hold certificates and other secrets
used between applications.
[https://azure.microsoft.com/en-us/services/key-vault/](https://azure.microsoft.com/en-us/services/key-vault/)

------
rmk2
I'm not a big fan of putting my password (encrypted or not) somewhere where I
don't have control. Therefore, I am using Passbolt[0] at work, since that gets
me a browser addon plus web ui, while it also allows me to host it myself,
i.e. where I can physically check what ends up written where in the database.
Passbolt is open-source, encryption and sharing is GnuPG-based, and they have
paid plans available.

[0]: [https://www.passbolt.com/](https://www.passbolt.com/)

~~~
Boulth
Too bad that Passbolt doesn't use native GnuPG for decryption. This is
technically possible as evidenced by Mailvelope.

~~~
remy_
Passbolt team was actually part of the Mailvelope project that did this.
Integration setup is not easy / very user friendly, that's why it's not the
default on Mailvelope.

------
nytesky
I store my passwords in an encrypted Numbers spreadsheet which I store in
iCloud. Thus you need iCloud access and the spreadsheet password to access.

I have considered encrypted notes for low security passwords, but find the
sort and too easily editing function of notes not great for copying and
pasting.

I want to use iCloud KeyChain, but I like having a desktop client to manage
passwords — but I found if I created a password set on macOS it wouldn't
appear in iOS keychain — anyone know why?

------
msravi
I use pass and use a free Google instance to run git to which it's synced. I
sync using git to all devices. The git database is also synced to Amazon drive
periodically.

So the passwords in pass itself are protected by gpg. The Google instance is
protected using ssh. Amazon drive is protected using 2-factor auth.

No single cloud provider can get at the passwords, but the password database
is backed up at multiple locations.

------
lucb1e
Online is better than not having a backup, so for your hypothetical mom it is
probably a good idea (unless you manage their backups).

I would generally trust them to want to do the right thing, but software
vulnerabilities or crypto bugs (weak IV initialization or so) are reasons to
not do this. Unlikely, but the impact is large. But the chance (and impact) of
losing all your passwords is even larger.

------
Thorrez
You mean like LastPass? I don't use it, but it seems pretty secure to me. The
passwords are encrypted with a password that only you the user know. So if
their servers are compromised, your passwords are not. Sure they can push out
a malicious update that steals your passwords, but so can any program you have
installed on your computer, it's just a bit harder.

------
rsync
I don’t use a password manager myself… However, of all the ones I’ve looked
at, Valt (Valt.io) seems the most interesting/unique...

------
audente
I'm using EnPass [https://www.enpass.io/](https://www.enpass.io/) They claim
to use "open source and peer reviewed cryptography libraries" and that "all
your data is with you only and nothing is stored on our servers". They sync
data among devices using Dropbox or iCloud.

I trust them.

------
gshdg
Nope, but the office uses them, so... whatever. I keep my own passwords in a
tool that can sync directly between my own devices.

------
beamatronic
Do you consider iCloud Keychain to be one?

------
pteraspidomorph
I think the important thing is for the client-side process to be fully trusted. If
only encrypted data is going to a remote location and there isn't a risk of
the process being hijacked on the client side you should be good to go.

That said, I use my own remote storage (not cloud) with keepass's sftp plugin.

------
Hoasi
Not at all. First of all, it's unnecessary, but the idea itself is not very
sound in the first place.

------
tdurden
I am not comfortable at all using a cloud-based password manager. That said,
one of the best options (1Password) does not force you to use their cloud --
they do seem to go out of their way to make this a less than obvious option
though, which is disappointing.

------
k_vi
I gave up on cloud-based password managers.

My current setup:

On non-critical services(social media etc.) or websites with U2F, I reuse
passwords.

For everything else, I use Purse[0] with Yubikey.

[0] [https://github.com/drduh/Purse](https://github.com/drduh/Purse)

~~~
billconan
but in case you have 3 computers, how to sync passwords?

~~~
k_vi
save the file created by Purse on public cloud.

------
Jeaye
Not comfortable at all. I use KeePassXC on my GNU/Linux machine and my mobile
device doesn't have any of my passphrases because:

1. I don't trust my mobile device

2. I don't like the odds of it being stolen or lost

3. I don't need the constant distractions anyway

------
faebi
Keeweb has been my favourite so far. I have the client installed everywhere
and in worst case I can fallback to google drive and the keeweb website. The
compatibility with keepass is a plus for my corporate environment.

------
Const-me
I don't trust clouds either. Using offline desktop software, making backups on
HDDs and once in a few months on DVD-R. For data I don't care too much, like
game accounts, saving passwords in browser.

------
JohnFen
I'm not comfortable with them at all, so I don't use them.

------
WesternTelepwn
I have had good success with LastPass keeping it updated and using the
binaries on my devices. I don't fully trust anything but also using Authy 2FA
on whatever I can as well.

------
z3t4
I remember maybe 15 years ago a service for storing your passwords online.
They claimed they were unhackable and became very popular. Then they got
hacked and all passwords dumped.

------
orev
Will never use a cloud password store.

I use Codebook which provides phone and desktop apps, and allows database
syncing over LAN. It’s the best solution that gives you both ease of use and
syncing.

------
banjar
I wish I could entrust an entity with my passwords but I'm too paranoid. Now I
have several variations of a single password for general usage :/

------
babo
I'm more comfortable storing encrypted passwords in the cloud using a
service whose core business is to make it secure than with any homegrown solution.

------
xupybd
Basically it's one step up from using the same password everywhere. You still
have one point of failure but you assume decent security.

------
saint_abroad
The cloud is not the automatic solution to the problem of passwords - chiefly
that third parties cannot be trusted to keep them secure.

~~~
saint_abroad
update. LastPass leaks credentials from previous site:
[https://news.ycombinator.com/item?id=20983344](https://news.ycombinator.com/item?id=20983344)

------
ishanjain28
I have a self hosted bitwarden instance. I feel very comfortable using it and
encourage my friends and family to use it as well.

------
Havoc
Fine with Lastpass. It's not like I've got nuclear launch codes in there
anyway & the stuff that matters has 2FA.

------
kfrzcode
I don't. That's why I use unix pass.

------
zacky777
Not at all. First of all, it's unnecessary, but the idea itself is not very
sound in the first place.

------
derpherpsson
Answer: It's okay to store the encrypted passwords there. Since they are
encrypted.

~~~
wglb
But does the server have the ability to decrypt?

~~~
geofft
No, for all the major / well-respected password managers (and probably for all
the minor ones too), all the crypto is done client-side.

1Password, for instance, has a pretty good security doc about it:
[https://1password.com/files/1Password%20for%20Teams%20White%...](https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf)

~~~
wglb
It is unclear if LastPass is well-respected, and if I recall correctly, at
least at one point, the master key was accessible by the server.

------
nytesky
No one uses Firefox Lockbox?

------
avl999
My password manager is the "Forgot your password?" link.

------
bishala
Thanks for the great responses!

------
hungryroark
Opinion on Lockwise?

------
diminoten
The reality is, if a cloud based password manager doesn't fit your threat
model, you probably need to adjust your threat model.

