

Ask HN: Recommend a secure password manager - otar

This week alone we've been discussing:

* KeePass – questionable security

https://news.ycombinator.com/item?id=9727297

* LastPass Security Notice

https://news.ycombinator.com/item?id=9721212

I currently use KeePassX which is synced on my Dropbox and also have a key file on my USB.

From your experience, which password manager is the good choice? And what syncing, additional security layers (like key files, YubiKey...) could be used to gain maximum protection of the sensitive information?
======
NeutronBoy
> From your experience, which password manager is the good choice? And what
> syncing, additional security layers (like key files, YubiKey...) could be
> used to gain maximum protection of the sensitive information?

Every time someone asks 'which one has the best security', the first question
you need to ask is - what's your threat model? Because that will impact what
your requirements are. Personally, my threat model includes people physically
getting hold of my laptop or phone, people using my computer when I'm not
around, keylogging/malware, or websites having their passwords breached. It
doesn't include the NSA, nation-state adversaries, spear-phishing attacks.

This impacts which software I use, how I've set it up, and my use cases.

------
Blackthorn
I don't really see anything wrong with LastPass. The secrecy of your vault
(the encrypted passwords) depends on the strength of your master password. If
you have a strong master password, the fact that someone managed to make off
with some hashes should not bother you. To use a horrible simile, it's like
when you have a bank vault filled with a lot of valuable stuff and three
doors. Someone tried to rob it, put a dent in the first door, but couldn't get
through them. Some people are flipping out that the door got banged on, but I
don't really understand that because the door is still doing exactly what it
was designed to do.

Maybe there's something I'm missing here, but I don't really see the trouble
right now.

------
J_Darnley
Password Safe? [http://pwsafe.org/](http://pwsafe.org/) Originally designed by
Bruce Schneier:
[https://www.schneier.com/passsafe.html](https://www.schneier.com/passsafe.html)

I have found it to be good enough for me but then I only use it on one Windows
desktop with occasional syncing to a laptop.

------
otar
Links to related threads:

* KeePass – questionable security

[https://news.ycombinator.com/item?id=9727297](https://news.ycombinator.com/item?id=9727297)

* LastPass Security Notice

[https://news.ycombinator.com/item?id=9721212](https://news.ycombinator.com/item?id=9721212)

~~~
sarciszewski
The first one is KeePass2.

KeePassX is still good.
[https://github.com/keepassx/keepassx](https://github.com/keepassx/keepassx)

~~~
detaro
[https://news.ycombinator.com/item?id=9727592](https://news.ycombinator.com/item?id=9727592)
?

------
stephenr
What are your platform (OS/device) use requirements?

