
My argument is that a chain is only as strong as the weakest link in the chain.

After all, what's the alternative?

- Remembering all of your (strong, unique) passwords?

Impossible.

- Using a single password, or a system for deriving "unique" passwords to make them easy to memorize?

More insecure than a cloud-based password manager. People forget and get injured.

- Using an offline password manager such as KeePass?

Doable, but you trade one set of concerns for another. How many NPM packages have been compromised, stealing data from developer machines? How many people get knowingly or unknowingly infected? Are you certain that the likelihood of your own machine getting compromised is lower than that of e.g. Bitwarden? Furthermore, if you use something like Dropbox to sync your "offline" vault across devices, you're once again trusting someone else to keep the vault safe.

Your risk of a targeted attack might be lower with offline storage, but your risk of an automated attack is significantly increased, because most people don't know how to properly secure their $5 VPS or Raspberry Pi that they're using to self-host their password manager.

You claimed that using any cloud-based password manager is a bad idea; I disagree.

Password managers are not made equal, so it's important to do some research and pick one that undergoes extensive security audits, is preferably open source, and to use a strong passphrase to secure it.

A password manager that fits these criteria will produce a vault file that would take hundreds of years to crack, even if their servers get breached and all data is stolen. This was notably not the case with LastPass. It was neither properly implemented, nor (properly) audited, nor open source.
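To put numbers on the "hundreds of years" claim above, here is a worked estimate added to the thread (it is not code from any password manager or from the commenter). It assumes a vault key derived with PBKDF2-HMAC-SHA256, a passphrase of random words from a 7776-word Diceware-style list, and a constructed attacker budget of 1e10 HMAC evaluations per second; the 600,000-iteration setting is the order of magnitude current OWASP guidance gives for PBKDF2-HMAC-SHA256, while 1,000 stands in for a weak configuration. Both the passphrase length and the KDF work factor are links in the chain, and the example shows how each moves the expected crack time.

```python
"""Expected offline crack time of a stolen vault file (added example, not from the thread)."""
import hashlib
import math
import os
import time

# Assumptions for the estimate (constructed, not taken from the thread):
WORDLIST_SIZE = 7776            # words in a Diceware-style list (6**5)
KEY_LEN = 32                    # 256-bit vault key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase of num_words words chosen uniformly at random."""
    return num_words * math.log2(wordlist_size)


def derive_vault_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault encryption key with PBKDF2-HMAC-SHA256.

    The iteration count is the work factor: every guess an attacker makes
    against a stolen vault file costs this many HMAC evaluations.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def attacker_guesses_per_second(raw_hmac_per_second: float, iterations: int) -> float:
    """Guess rate of hardware that evaluates raw_hmac_per_second HMACs per second."""
    return raw_hmac_per_second / iterations


def expected_crack_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the passphrase by exhaustive guessing.

    On average the attacker has to try half of the 2**entropy_bits keyspace.
    """
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_vault_configurations(num_words: int, raw_hmac_per_second: float,
                                 iteration_counts=(1_000, 600_000)) -> dict:
    """Map each KDF iteration count to the expected crack time in years."""
    bits = passphrase_entropy_bits(num_words)
    return {it: expected_crack_years(bits, attacker_guesses_per_second(raw_hmac_per_second, it))
            for it in iteration_counts}


if __name__ == "__main__":
    salt = os.urandom(16)
    # Show the work factor directly: one key derivation at each iteration count.
    for it in (1_000, 600_000):
        start = time.perf_counter()
        derive_vault_key("correct horse battery staple", salt, it)
        print(f"{it:>7} iterations: one guess costs {time.perf_counter() - start:.4f}s here")
    # Constructed attacker budget of 1e10 HMAC-SHA256/s, for illustration only.
    for words in (4, 6):
        years = compare_vault_configurations(words, 1e10)
        print(f"{words}-word passphrase ({passphrase_entropy_bits(words):.1f} bits): "
              + ", ".join(f"{it} iters -> {y:,.1f} years" for it, y in years.items()))
```

With these assumptions a 4-word passphrase lasts about six years under the weak configuration and several thousand years under the strong one; the ratio between the two is exactly the ratio of the iteration counts, which is why audits look closely at the KDF settings a vendor actually ships. A 6-word passphrase pushes both figures far beyond "hundreds of years", regardless of the work factor.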

>After all, what's the alternative?

Use KeePass and don't upload your passwords in cleartext to someone who just tells you they are encrypted.

Trusting someone else with your passwords is 99% the weakest link.

>Your risk of a targeted attack might be lower with offline storage,

We're not talking about targeted attacks, but about a breach of every user who uses the service. Are you from marketing? Because you're really trying to justify that uploading your passwords to a 3rd party with proprietary software is a good thing. Are you absolutely out of your mind??

If you had told anyone in the year 2000 to upload all your passwords, in clear text, to a service that tells you it's absolutely safe and everything gets encrypted, you would have been laughed out of the room, and so you should be today.

>to self-host their password manager.

Gosh, are we really that far from common sense that we think we have to host a personal password manager??? It's an encrypted file, basta. It's like Unix never existed and now we need an Oracle database and PHP to "host" our 20 passwords... bravo. Hey, why not install GitHub Enterprise so we can use git?


Feel free to respond if you're willing to address any of my points in good faith. I've made it abundantly clear I only believe in audited, well-behaving and open source solutions. I'm not advocating for sending your passwords off to an unknown entity in clear text.

My point about self-hosting password managers was aimed at the relatively common (but, in my opinion, unwise) advice for people to just host their own instances of vaultwarden[1], but it also applies to file-based storage such as KeePass.

[1] https://github.com/dani-garcia/vaultwarden