Objective: Secure & private password management, prevent anyone from stealing your passwords.

Option 1: Store Keepass PW file in personal cloud service like OneDrive/GoogleDrive/etc , download file, use KeepassXC to Open

Option 2: Use ProtonPass or similar solution like Bitwarden

Option 3: Host a solution like Vaultwarden

Which would do you choose? Are there more options ? Assume strong masterpassword and strong technical skills

      • shastaxcEnglish
        31 year ago

        Realistically, I only see 3 risks using Keeper: my device has malware which lets them grab my passwords from my clipboard as I copy them, malware that lets them take control of my device after I’ve unlocked my password manager, or if the cloud storage is completely wiped out in some freak accident.

        1 and 2 are risks for anyone using any password manager. And 3 is extremely unlikely since they use AWS for storage wirh multi-zone and multi-region redundancy, and certainly much more reliable than self hosting.

        The risk of actually having your passwords cracked, even if the cloud data is leaked, is practically 0 as long as you have a decent complexity and length master password and 2FA enabled. And the risk is just as low with a MITM attack or other network based interceptors because of the ZK architecture (as you mentioned) and high encryption used.

        Anyone promoting other password managers as more secure either aren’t considering the risks to data loss due to self hosting or are buying too much into their password manager’s marketing. I think it’s totally reasonable to prefer other options due to feature support or subscription price though. A couple of features that Keeper had that made me choose it were:

        • Ability to create Records which allows me to store anything including files. This allows me to upload sensitive records like tax returns or other documents you’d traditionally keep in a safe or filing cabinet.
        • Family plan that makes it easy for me to share passwords with people on my plan (great for things like streaming services). This brought the price to a reasonable level.

        There might be other password managers now that support these features, as I haven’t kept up with them. I subscribed to Keeper about 6 years ago and haven’t had a reason to switch. I’m open to suggestions if people know of other managers with better features.

  • @keyez@lemmy.worldEnglish
    21 year ago

    Been using option 3 but with Bitwarden for almost 5 years at this point. First started out on a VM in a cloud provider. Now it’s in a VM on unraid behind a local HAProxy or Cloudflare tunnel for remote access.

    Bitwardens full docker stack provides great daily backups which I’ve had to restore on occasion or go back to one from months ago to dig out a password for my wife.

    Been testing and hoping to move to the unified-container from them soon, assuming I can replicate encrypted backups like their solution.

  • @Boring@lemmy.mlEnglish
    51 year ago

    I use keepassXC and sync across my devices with nextcloud and VPN to my home network with wire guard and this setup has never failed me.

    I’ve toyed around with passbolt, and I really want to try because it just looks cool to me, but I keep having trouble with it playing nice with my reverse proxy.

    My personal preference is hosting it myself on my own server and using a VPN to get to it. It gives me peace of mind because I’m not a big enough target for someone to try that hard to get my passwords and I’m not exposed to bitwarden or dashlane getting breached.

    • @Mio@feddit.nuEnglish
      41 year ago

      Keepassxc + syncthing to phone in read only mode and to other machine. So 3 copies on different machine, while one of them is on me

  • @BastingChemina@slrpnk.netEnglish
    61 year ago

    Bitwarden for me. My password manager is not just for me, it’s also a crucial component of my family life so if something happened to me I want my next of kin to be able to access it

    For that it needs to be an easy to access solution.

    • @danieldigital@lemmy.worldEnglish
      11 year ago

      Same, I’m all for complicated things that only I know how to use but the keys to the kingdom shouldn’t be one of those when there are laypeople relying on me.

      I still have to figure out how to let those people in when needed, I’m thinking writing the master password and the backup code on a paper that lives in a drawer, maybe in a “break in case of emergency” box, etc.

      Curious what’s the best way to mitigate the wrong person getting that, but I think if you have to worry about someone breaking in your house who is also looking for that info, then you have a different threat profile to consider, and the above calculus doesn’t apply.

      • @BastingChemina@slrpnk.netEnglish
        21 year ago

        Bitwarden offer the option to set up an emergency contact.

        You choose someone to be an emergency contact, it means that if they want they can request access to view your passwords.

        When they send a request you receive several emails to warn you and after X (you can choose the amount) days if you don’t do anything they get access to your account.

  • @fireshell@lemmy.worldEnglish
    11 year ago

    I’m currently using KeePassXC. The setup that I created below gives me 3-backups of my passwords, but it’s a bit to manage.

    Computer

    On my computer, I have my keepassxc database and key file stored in a veracrypt container. Next to my computer, I have a piece of paper that has the password for my keepassxc database and the password for my veracrypt container.

    computer -> veracrypt container -> keepassxc database AND keepassxc key file

    paper -> keepassxc database pw AND veracrypt pw

    KeePassXC Export File (text file that contains all of my login information)

    I store this file inside of a veracrypt container, on my USB LUKS. Next to my USB LUKS, I have a piece of paper that has the associated veracrypt password.

    usb luks -> veracrypt container -> keepassxc export file

    paper -> veracrypt pw

    Cloud

    I store my database in cloud service a.

    I store my key file in a veracrypt container, in cloud service b.

    On a piece of paper, I have the login information to both of these cloud accounts and the password for the veracrypt container.

    • Big PEnglish
      51 year ago

      Because humans are generally unable to remember passwords varied enough to be secure.

    • ferretEnglish
      51 year ago

      Your vault is always encrypted very securly except when in RAM. There is no security concern with uploading it directly to the cloud.

      • @marcos@lemmy.worldEnglish
        11 year ago

        It’s encrypted at rest with a passphrase. Syncthing encrypts it at transit with a random key.

        There is a huge difference on the security of those.

        • @pchem@feddit.deEnglish
          31 year ago

          Keepass allows you to use a passphrase in combination with a randomly generated keyfile. You only need to copy the keyfiles to your devices once (not via cloud services, obviously). Your actual database can then be synchronized via any cloud provider of your choice (hell, you could even upload it publicly for everyone to see) and it would still be secure.

  • ChewyEnglish
    61 year ago

    Option 3: Vaultwarden + Wireguard.

    I don’t have to worry about attacks from the internet. And a single wireguard connection on my phone sometimes doesn’t even appear on the battery stats.

    Edit: Browser addons need valid ssl certificates, which I get by dns challenge.

    • @binom@lemmy.worldEnglish
      11 year ago

      could you expand a bit on your edit? so bitwarden extensions need a valid ssl certificate for the domain where the server is hosted? how do you get that for (i assume) a local domain? thank you for your time!

      • ChewyEnglish
        21 year ago

        DNS-01 challenge allows for domain ownership verification without open ports and instead looks for a txt record. Using a tool like lego[1] with the respective dns provider’s API automatically creates and deletes the txt record after generating a certificate.

        Because ownership is verified by dns txt entry, the (sub-)domain doesn’t have to point to a publicly routable host. This allows for using any IP, so I’m using a local ip only available through wireguard or my local network (E.g. bitwarden.example.com points to 192.168.1.123).

        The disadvantage is that the provider has to be supported and you have to store an API key for your domain on the server.

        [1] https://github.com/go-acme/lego

        • @binom@lemmy.worldEnglish
          11 year ago

          that’s genius. i have never even considered that you could use a (sub)domain with a local ip like that to get a certificate from a trusted ca. i ma not sure i understand the neccessity for api access to your dns service. is the txt record for LE different every time you have to pass a challenge? otherwise i imagine you could just set and forget the record.

          thank you for the explanation, well appreciated!

          • ChewyEnglish
            21 year ago

            Yes it’s awesome. I never even considered that it’s possible to add not publicly routable IP’s to public DNS server, until I recently read a post about dns-01 challenge.

            I believe the txt record is different every time.

      • @tuhriel@infosec.pubEnglish
        21 year ago

        Not the one who wrote initially, but i have the same setup (mostly).
        I went with a self signed certificate. So the server is running with a certificate i have signed with my own certification authority certificate (ca-cert) .
        That means I have to install the ca-cert on all devices to get vaultwarden to accept it.

        The alternative is a let’s encrypt cerrtificate, which are free, but you need to open port 80 (and another one if I remember correctly) for it to work (at least every 3 months)

        • @xinayder@infosec.pubEnglish
          41 year ago

          If you own a domain name you can use the DNS-01 challenge instead of hosting a web server to serve the challenge response.

          With DNS-01 it will add a TXT record to your DNS zones and check if the record exists to verify that you own the domain and then issue the certificate.

          Depending on which tool you use, they usually support DuckDNS and some other free DDNS providers. If you have your domain on a registrar, chances are that it’s also supported.

          • @tuhriel@infosec.pubEnglish
            21 year ago

            Yep that would be a good alternative…I don’t have an official domain for it, so I went the self-signed way

            Which enables me to provide tls/https for all my local services. And it was a fun experience to learn

  • @BCsven@lemmy.caEnglish
    -31 year ago

    For highest security don’t store in cloud or multiple places. Memorize them or keep a separate device that has no intermet access and keep them on that device encrypted/locked

    • @taladar@sh.itjust.worksEnglish
      71 year ago

      Memorizing passwords just leads to passwords that are easy to attack with dictionary attacks and to password reuse.

      • @BCsven@lemmy.caEnglish
        -11 year ago

        I memorize the random generated ones, you type it in enough it becomes muscle memory.

        • @aksdb@feddit.deEnglish
          41 year ago

          My password database contains a few hundred entries. Good luck memorizing that.

          • @BCsven@lemmy.caEnglish
            11 year ago

            Thats why my second suggestion was a secondary device with no internet access. And a hardware key gor additional security is a good idea.

  • @TechieDamien@lemmy.mlEnglish
    71 year ago

    Option 4: levy existing tools such as gpg and git using something like pass. That way, you are keeping things simple but it requires more technical knowledge. Depending on your threat model, you may want to invest in a hardware security key such as a yubikey which works well with both gpg and ssh.

    • @KairuByte@lemmy.dbzer0.comEnglish
      41 year ago

      Why use tools not meant for password management, when alternative tools explicitly meant for password management, which have similar levels of security, work just fine?

      You’re essentially saying “instead of driving down the road, I like to ride my bike with rollerblades.”

      • @TechieDamien@lemmy.mlEnglish
        21 year ago

        It is just how I prefer to do my computing. I tend to live on the command line and pipe programs together to get complex behavior. If you don’t like that, then my approach is not for you and that’s fine. As for your analogy, I see it more as “instead of driving down the road in a car, I like to put my own car together using prefabs”.

      • bnjmnEnglish
        21 year ago

        I have a set up like this (age, passage, & git). Bitwarden’s browser integration works just fine, for the most part. The thing is, some of my passwords are not browser-based, and I spend large amounts of time in the terminal. Using a CLI-tool in this case lets me save a bit of time

          • bnjmnEnglish
            21 year ago

            Ah I didn’t know that! Thanks, will be checking it out for sure

  • @Still@programming.devEnglish
    21 year ago

    I do 3 and have encrypted backups to Dropbox so I can easy restore/spin up a cloud server if I need to