• Ad4mWayn3@lemmy.world
    1 year ago

    I’m probably an ignorant paranoid about them, I know I should google a bit of them, but instead I’m going for the ol’ trusty ask the community.

    Do they save your passwords locally or in the cloud? If locally, what if I want to sign in on another device? What if I lose the device I have my passwords on? What if they hack my device? If in the cloud: How can I know the service is not stealing my information? If I can access it anywhere, wouldn’t that mean it also needs a password? Wouldn’t that make it twice as unsafe as it would only take one password to access the rest?

    Edit: Damn, I got extremely useful answers, I’m starting to like lemmy!

    • Hexarei@programming.dev
      1 year ago

      I use KeePassXC on desktop and KeePassDX on Android, and I’ll step up to your questions for it, specifically:

      Do they save your passwords locally or in the cloud?

      Locally, as a file. I sync my file to a selfhosted Nextcloud instance so I can use it across devices. Other folks use Syncthing or even less-trustworthy services like Google Drive or Dropbox. The file is encrypted with a password, so as long as you choose a nice long encryption key phrase (such as a long sentence or string of 10-15 random words).

      If locally, what if I want to sign in on another device?

      Do I own that device and trust it? If so, I just get the file from Nextcloud (either via sync or via browser download).

      Do I not own that device and trust it? If so, still a couple of options. If you’re on Android and rooted, there are various tools that will let you plug your phone into a USB port, pretend it’s a USB keyboard, and auto-type your passwords. Even some non-root options for having your phone pretend it’s a Bluetooth keyboard to do the same. There are also devices like http://inputstick.com/ that don’t require root.

      Personally, though? I just show the password on my phone and type it out. I rarely ever need to do that kind of thing, so it doesn’t affect me much.

      What if I lose the device I have my passwords on?

      Sync the file, not a problem. Assuming you have your phone set up with a screen lock and device-level encryption.

      What if they hack my device?

      Who is “they”? There’s no “they” to get access with KeePass, so I’m going to assume you just mean “a bad actor”. In that case, if someone gets access to your device, you should assume you’re pwned, and follow your plan for when/if that happens (You do have an “I was pwned” plan, right? right?).

      That said, the encrypted password database remains encrypted at rest on your disk - and thus it’s highly unlikely for someone to gain access to your password database even if they get access to your device. They are much more likely to pilfer browser cookies for access tokens and the like.

      If in the cloud: How can I know the service is not stealing my information?

      KeePass: File is encrypted, good luck to the cloud storage service.

      Others, cloud-based: The “trustworthy” among these cloud services encrypt the file client-side, and only use the server-side as a place to store an encrypted database file and/or for features like sharing passwords (usually by splitting out a copy into a “partial” database and sharing that). I would feel comfortable telling a family member to pay for and use an open-source service like Bitwarden, because that’s what it does. I, however, am more paranoid than that and refuse to use such a service.

      Primarily because they could, at any time, decide to sneak in some kind of backdoor that would ship my passwords to them unencrypted… and no thanks.

      If I can access it anywhere, wouldn’t that mean it also needs a password?

      Of course. That’s why you make your password manager password something super long and memorable for you but hard to guess for others. My current passphrase, for example, is a 19-word description of a memorable event that occurred during a tabletop RPG session, followed by the numerical date of that session. Completely unguessable for others, very easy for me to remember.

      Wouldn’t that make it twice as unsafe as it would only take one password to access the rest?

      Only if your master password is easily guessed or cracked. In most cases, the master password is used as an encryption key, so the longer the better - Which is true regardless of whether the file is local or through a cloud service.

      Many (KeePass included) also have support for requiring physical 2FA keys, or specific GPG encryption keys or the like. This is, I think, the least of your worries tbh.
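
Added example, not part of the thread and not KeePass's or Bitwarden's code: a sketch of how a master passphrase is stretched into an encryption key, what a synced vault file has to carry for that, and how word count translates into guessing work. PBKDF2-HMAC-SHA256, the 600,000 iteration count, the 7776-word list, the header layout and the guess rate are assumptions chosen for the demo.

```python
import hashlib
import hmac
import math
import secrets

DICEWARE_SIZE = 7776  # assumption: words drawn uniformly at random from a 7776-word list


def passphrase_bits(n_words: int, list_size: int = DICEWARE_SIZE) -> float:
    """Entropy of n words chosen uniformly at random from the list."""
    return n_words * math.log2(list_size)


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master passphrase into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_header(passphrase: str, iterations: int = 600_000) -> dict:
    """Hypothetical vault header: salt, cost and a key check, never the passphrase."""
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, salt, iterations)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(passphrase: str, header: dict):
    """Return the vault key if the passphrase is right, else None."""
    key = derive_key(passphrase, header["salt"], header["iterations"])
    expected = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["check"]) else None


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    header = create_header("constructed sample phrase, not a real one")
    print("wrong guess unlocks:", unlock("password123", header) is not None)
    for n in (4, 10, 15):
        bits = passphrase_bits(n)
        # 1e4 guesses/s is an assumed rate; every guess has to pay the KDF cost
        print(f"{n} words: {bits:.0f} bits, {years_to_exhaust(bits, 1e4):.2e} years")
```

The entropy figure only holds for words picked at random; a sentence you composed yourself has less than the formula suggests.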

    • Schooner@lemmy.ml
      1 year ago
      1. There are managers that will store them on their servers and others that are local.
      2. You can sync it through something like Google Drive/Nextcloud.
      3. You should back up your password vault.
      4. Your device may be compromised, but your vault is still encrypted. Really depends on what kind of hack it is.
      5. You don’t really unless they’re an open source one like Bitwarden.
      6. Yes. Instead of remembering a lot of passwords, you remember the master password to your vault.
      7. No. Because randomly generated passwords gated behind one secure password you remember are better than reusing the same/variations of one password.

      You can try Bitwarden if you want a hosted solution that’s easy to use. Or, use KeePassXC and compatible mobile apps while syncing it through a cloud service. I do the latter.

    • AniDanny@lemmy.world
      1 year ago

      I’ve only used Bitwarden, so this may not be a universal answer, but… you do access your password vault with a single password. Make sure it’s complex but memorable. “WayneCommaAdam42069LOL!” for instance. Nobody’s going to brute force that, but you’ll also be able to remember it. Then once you’re past that, you’ll have a list of each login you save (each entry can include website, username, password, personal notes, etc). You can randomly generate a password, so that (for example) your lemmy.world password generates as “L812#zksKa01S@ks” and you can just copy/paste from your vault into the login page without having to remember that string of characters.

      As for how Bitwarden secures your passwords, since they’re available to view after you get past the initial login… I’ve got no idea but a lot of people seem to vouch for it, so if Bitwarden (or the other big trusted equivalents) gets compromised, we’re all in a lot of trouble.

      And of course, each site you log into will still have its own password recovery, 2FA, etc options. So even if something happens to Bitwarden and you can’t log into your bank account, you can still call up your bank and get your password reset.